Title:
A METHOD AND SYSTEM FOR AUTHENTICATING A DEVICE
Document Type and Number:
WIPO Patent Application WO/2018/051144
Kind Code:
A1
Abstract:
The present invention relates to a method for authenticating a device with a wireless access point. The method includes the steps of: transmitting a message to the device for generation of a code in audio from a speaker at the device; processing an audio signal received from the device to extract the code; verifying the code to authenticate the device, at least in part; and in response to the authentication, providing access to one or more network services to the device via the wireless access point. The code is derived from the message. A system and software are also disclosed.

Inventors:
JONES DANIEL JOHN (GB)
NESFIELD JAMES ANDREW (GB)
Application Number:
PCT/GB2017/052787
Publication Date:
March 22, 2018
Filing Date:
September 19, 2017
Assignee:
ASIO LTD (GB)
International Classes:
H04L9/08; H04L9/32; H04W12/08
Foreign References:
US20040133789A12004-07-08
US20150004935A12015-01-01
US20150141005A12015-05-21
US20120084131A12012-04-05
Attorney, Agent or Firm:
RATIONAL IP LIMITED (GB)
Claims:

1. A method for authenticating a device with a wireless access point, including:

transmitting a message to the device for generation of a code in audio from a speaker at the device;

processing an audio signal received from the device to extract the code;

verifying the code to authenticate the device, at least in part; and in response to the authentication, providing access to one or more network services to the device via the wireless access point;

wherein the code is derived from the message.

2. A method as claimed in claim 1, wherein the message includes the code.

3. A method as claimed in any one of the preceding claims, wherein the code is derived from the message at the device.

4. A method as claimed in any one of the preceding claims, wherein the message includes a seed.

5. A method as claimed in claim 4, wherein the code is derived using the seed within a pseudo-random number generator.

6. A method as claimed in any one of the preceding claims, wherein the seed used within the pseudo-random number generator is first modified with a time value at the device.

7. A method as claimed in any one of the preceding claims, wherein the message includes one or more functions to derive the code.

8. A method as claimed in any one of the preceding claims, wherein the message includes an audio file encoding the code.

9. A method as claimed in any one of the preceding claims, wherein the message includes an encoder module and the encoder module, when executed on the device, is configured to encode the code into a signal for generation in audio from the speaker at the device.

10. A method as claimed in any one of the preceding claims, wherein the one or more network services include Internet services.

11. A method as claimed in any one of the preceding claims, wherein the audio signal is received at a microphone at the wireless access point for the processing.

12. A method as claimed in any one of the preceding claims, wherein the audio signal is received at a microphone at a second device.

13. A method as claimed in claim 12, wherein the second device performs the processing.

14. A method as claimed in claim 12, wherein the audio signal is transmitted to the wireless access point for the processing.

15. A method as claimed in any one of the preceding claims, wherein the message includes a user interface module, and the user interface module, when executed on the device, is configured to generate the code in audio from the speaker.

16. A method as claimed in claim 15, wherein the user interface module is further configured to generate the code in audio automatically.

17. A method as claimed in claim 15, wherein the user interface module is further configured to display a user interface element, receive selection of the user interface element by a user of the device, and, in response to selection, generate the code in audio from the speaker.

18. A method as claimed in any one of the preceding claims, wherein the audio is within an audible frequency range.

19. A method as claimed in any one of the preceding claims, wherein the audio is within an ultrasonic frequency range.

20. A method as claimed in any one of the preceding claims, further including:

prior to transmitting the message, generating the code.

21. A method as claimed in any one of the preceding claims, wherein the code is generated using a pseudo-random number generator.

22. A method as claimed in claim 21, wherein the code is generated by applying a hash function to, at least, the media access control (MAC) address of the device.

23. A method as claimed in any one of the preceding claims, wherein the hash function is applied to, at least, a time value.

24. A method as claimed in any one of the preceding claims, wherein one or more additional data is received from the device.

25. A method as claimed in claim 24, wherein the one or more additional data are also used to authenticate the device.

26. A method as claimed in any one of claims 24 to 25, wherein the one or more additional data are received in audio.

27. A method as claimed in any one of claims 24 to 25, wherein the one or more additional data are received over a wireless network between the wireless access point and the device.

28. A method as claimed in any one of claims 24 to 27, wherein the one or more additional data include information specifically related to the user of the device.

29. A method as claimed in any one of claims 24 to 28, wherein the one or more additional data include an identifier for the user of the device.

30. A method as claimed in any one of claims 24 to 29, wherein the one or more additional data include a passcode for the wireless access point.

31. A method as claimed in any one of the preceding claims, wherein the access is provided to the one or more network services until expiration of a defined time period or detection of an event.

32. A method as claimed in any one of the preceding claims, wherein the code is verified, at least in part, by matching the code to a lookup table containing a media access control (MAC) address for the device.

33. A method as claimed in any one of the preceding claims, wherein the code is verified, at least in part, by determining that the code is received within a defined time window after the message was transmitted to the device.

34. A method as claimed in any one of the preceding claims, wherein the code is verified, at least in part, by matching the code to a hash of, at least, the media access control (MAC) address for the device.

35. A method as claimed in any one of the preceding claims, wherein the message is configured to trigger the captive portal functionality at the device.

36. A method for authenticating a device with a wireless access point by generating audio at the device.

37. A system for authenticating a device with a wireless access point, comprising:

At least one processor; and

A microphone;

wherein the system is configured to provide the method of any one of claims 1 to 36.

38. A system for providing network services, comprising:

A device configured for receiving a message and generating a code derived from the message in audio from a speaker at the device;

At least one processor configured for processing an audio signal received from the device to extract the code and verifying the code to authenticate the device, at least in part;

A microphone configured for receiving audio signals from the device and providing audio signals to at least one processor; and

A wireless access point configured for providing access to one or more network services to an authenticated device.

39. Software configured for performing the method of any one of claims 1 to 36 when executing on one or more processors.

40. A tangible computer-readable medium configured for storing the software of claim 39.

Description:
A Method and System for Authenticating a Device

Field of Invention

The present invention is in the field of device authentication for communications. More particularly, but not exclusively, the present invention relates to a method and system for authenticating a device with a wireless access point.

Background

Signing in to WiFi via a captive portal is a popular way for businesses and venues to provide internet access to users within their spaces without having a completely open WiFi network. Captive portals allow access to be controlled, or information to be gathered from users before granting them access to the internet or other network resources via the captive portal.

Captive portals today use pin numbers or short passphrases to grant access - in commercial/hotel venues, the passwords are typically displayed inside a venue or provided by a member of staff. This is a relatively labour intensive process, both on the side of the venue having to display the login codes, or the user, having to use their device's keyboard to input long passwords or navigate login forms. There is a desire for an improved system to authenticate devices for use with a WiFi network.

Access to WiFi networks is provided by a wireless access point. The wireless access point is often, but not always, provided with a network router in a single apparatus. It is an object of the present invention to provide a method and system for authenticating a device with a wireless access point which overcomes the disadvantages of the prior art, or at least provides a useful alternative.

Summary of Invention

According to a first aspect of the invention there is provided a method for authenticating a device with a wireless access point, including:

transmitting a message to the device for generation of a code in audio from a speaker at the device;

processing an audio signal received from the device to extract the code;

verifying the code to authenticate the device, at least in part; and

in response to the authentication, providing access to one or more network services to the device via the wireless access point;

wherein the code is derived from the message.

The message may include the code.

The code may be derived from the message at the device.

The message may include a seed. The code may be derived using the seed within a pseudo-random number generator. The seed used within the pseudo-random number generator may be first modified with a time value at the device. The message may include one or more functions to derive the code.

The message may include an audio file encoding the code.

The message may include an encoder module and the encoder module, when executed on the device, may be configured to encode the code into a signal for generation in audio from the speaker at the device. The one or more network services may include Internet services.

The audio signal may be received at a microphone at the wireless access point for the processing.

The audio signal may be received at a microphone at a second device. The second device may perform the processing or the audio signal may be transmitted to the wireless access point for the processing. The message may include a user interface module, and the user interface module, when executed on the device, may be configured to generate the code in audio from the speaker. The user interface module may be further configured to generate the code in audio automatically, or the user interface module may be further configured to display a user interface element, receive selection of the user interface element by a user of the device, and, in response to selection, generate the code in audio from the speaker.

The audio may be within an audible frequency range. The audio may be within an ultrasonic frequency range.

The method may further include the step of: prior to transmitting the message, generating the code. The code may be generated using a pseudo-random number generator. The code may be generated by applying a hash function to, at least, the media access control (MAC) address of the device. The hash function may be applied to, at least, a time value.

One or more additional data may be received from the device. The one or more additional data may be also used to authenticate the device. The one or more additional data may be received in audio or the one or more additional data may be received over a wireless network between the wireless access point and the device. The one or more additional data may include information specifically related to the user of the device. The one or more additional data may include an identifier for the user of the device and/or a passcode for the wireless access point. The access may be provided to the one or more network services until expiration of a defined time period or detection of an event.

Code may be verified, at least in part, by matching the code to a lookup table containing a media access control (MAC) address for the device.

The code may be verified, at least in part, by determining that the code is received within a defined time window after the message was transmitted to the device. The code may be verified, at least in part, by matching the code to a hash of, at least, the media access control (MAC) address for the device.

The message may be configured to trigger the captive portal functionality at the device.

According to a further aspect of the invention there is provided a method for authenticating a device with a wireless access point by generating audio at the device.

According to a further aspect of the invention there is provided a system for authenticating a device with a wireless access point, comprising:

At least one processor; and

A microphone;

wherein the system is configured to provide the method of the first aspect.

According to a further aspect of the invention there is provided a system for providing network services, comprising:

A device configured for receiving a message and generating a code derived from the message in audio from a speaker at the device;

At least one processor configured for processing an audio signal received from the device to extract the code and verifying the code to authenticate the device, at least in part;

A microphone configured for receiving audio signals from the device and providing audio signals to at least one processor; and

A wireless access point configured for providing access to one or more network services to an authenticated device.

Other aspects of the invention are described within the claims.

Brief Description of the Drawings

Embodiments of the invention will now be described, by way of example only, with reference to the accompanying drawings in which:

Figure 1: shows a block diagram illustrating a system in accordance with an embodiment of the invention;

Figure 2: shows a flow diagram illustrating a method in accordance with an embodiment of the invention; and

Figure 3: shows a sequence diagram illustrating a method in accordance with an embodiment of the invention.

Detailed Description of Preferred Embodiments

The present invention provides a method and system for authenticating a device with a wireless access point. The inventors have discovered a message can be transmitted to a device to generate a code in audio at the device. This code, when captured by a microphone, can be used to authenticate the device for a wireless access point so that the device can be provided with access to network services.

In Figure 1, a system 100 in accordance with an embodiment of the invention is shown.

A wireless access point 101 is shown. The wireless access point may be configured to broadcast a SSID (Service Set IDentifier) over a wireless protocol such as 802.11.

A processor 102 is shown. A microphone 103 is shown. The processor and microphone may be collocated and connected via a communication bus or may be connected via a wired or wireless connection.

In one embodiment, the microphone and/or processor exist within the same apparatus as the wireless access point. In one embodiment, the microphone and/or processor exist within a second device. The second device may be configured to communicate with the wireless access point (e.g. via a wireless or wired connection), for example, to transmit received audio signals to the processor at the wireless access point or to transmit messages for wireless transmission by the wireless access point when the processor exists at the second device. The second device may be fixed or mobile.

A router 104 is shown. The router may be configured for mediating connections between devices across a network 105. The router and wireless access point may be collocated within the same apparatus. A device 106 is shown. The device may include or be connected to a speaker 107. The device may be a mobile user device such as a portable computer, smartphone, or tablet. The device 106 may include a processor and memory configured for executing an operating system. The device 106 and/or operating system may include a wireless communications module for receiving messages over a wireless protocol from, for example, the wireless access point. The operating system may be configured for providing a captive portal framework for providing wireless access for applications executing on the device 106.

The processor 102 may be configured for transmitting messages to devices (such as device 106), across, for example, a wireless protocol provided by the wireless access point. Each message may be configured for generating a code (that is, the code is derived from the message) in audio from a speaker at the receiving device. The processor may be further configured to process audio signals received from the device (e.g. via the microphone) to extract the code. The processor may be further configured to verify the code to authenticate the device, at least in part. The processor may be further configured to provide network services to the device via the wireless access point and/or the router and network.

It will be appreciated that the functionality of the processor 102 may exist within a plurality of processors which may be distributed within the system (for example, one processor at the wireless access point, another at a second device).

It will also be appreciated by those skilled in the art that the above embodiments of the invention may be deployed on different devices and in differing architectures. The functionality of the device 106 and/or processor 102 may be implemented, at least in part, by computer software stored on an intangible computer-readable medium.

Referring to Figure 2, a method 200 for authenticating a device (such as device 106) with a wireless access point (e.g. 101) in accordance with an embodiment of the invention will be described.

In step 201, a message is transmitted to a device (e.g. 106) for generation of a code in audio from a speaker at the device. The message may be transmitted over a wireless protocol (such as 802.11) by, for example, a wireless access point (e.g. 101).

The message may include the code or a means (such as an algorithmic function) to create the code at the device. The means may be, for example, a function to generate the code from, for example, a seed and/or time value. The time value may be calculated from a time at the device (e.g. nearest 10 seconds to the current time). The function may be a pseudo-random number generator function and the seed for the pseudo-random number generator may be created from the time value or from a seed provided within the message.

The function may be a hash function. The function (e.g. the hash function) may utilise device and/or user identifier information to generate the code. For example, the device identifier information may be a media access control (MAC) address for the device.

Where the message includes the code, the code may be encoded within the message as a string or value, or it may be encoded within the message as an audio file for immediate playback at the device. The message may include an encoder module, such as instructions in JavaScript, to encode the code into audio at the device, for example, by converting the code into an audible signal or an ultrasonic signal. The audible signal may be encoded as a series of musical tones (such as described in US Patent Publication No. 2012/084131 A1). The signal may include header information and/or error correction information. The message may include a user interface module for generating the code in audio from the speaker. The user interface module may generate the code automatically or it may wait for user actuation of a user interface element (e.g. a "Connect" button).

Where the message includes the code, it may be first created (e.g. at processor 102), for example, by a pseudo-random number generator, selected from a table of unused/expired codes, or generated from the MAC address of the device (i.e. by a hash function). The code may be stored and associated with the device for later verification. The message may be configured to trigger captive portal functionality at the device.

The message may be transmitted in response to the device connecting to the wireless access point and/or attempting to connect to network services via the wireless access point. The wireless access point may activate a captive portal by, for example, an HTTP redirect, an ICMP redirect or a DNS redirect.

In step 202, an audio signal received from the device may be processed (e.g. at processor 102) to extract the code. For example, the audio signal may be decoded from audio and the code retrieved. It will be appreciated that the code may be encrypted within the audio signal (for example, via a key provided within the message). The code may be encrypted via PKI (Public Key Infrastructure) such as RSA or via a symmetric key system such as DES. The audio signal may be received at a microphone (e.g. 103).

In embodiments, one or more additional data is received from the device. The additional data may be extracted from the audio signal or may be received via an alternative channel such as via a wireless protocol channel constructed between the device and the wireless access point. The additional data may include:

• a name of the user of the device

• a user password

• a generic passcode for the wireless access point

• identifying information for the user (e.g. a room number)

In step 203, the code may be verified to authenticate the device. One or more of the additional data may also be verified to authenticate the device.

Verification of the code may include:

• ensuring the code has not expired (e.g. it may be time-limited following transmission);

• ensuring the code matches the associated device (e.g. via a table lookup); and/or

• ensuring the code matches a function (e.g. a seed/time value fed to a pseudo-random number generator or a hash function of the MAC address of the device).

Verification (of the code and/or additional data) may authenticate the device for different levels of access to network services.

In step 204, in response to the authentication, access may be provided to one or more network services via the wireless access point. Access may be time- or event-limited. The network services may be provided via a router and may include Internet access.

In embodiments, when the device first connects to the wireless access point, the wireless access point may store the device's MAC address in a look-up table. The wireless access point may then generate a code and associate it with that MAC address in the lookup table, and the message sent to the device can include that code. Alternatively, the wireless access point may hash the MAC address and associate the hash with the MAC address in the lookup table, and the message sent to the device can then include a function to generate the code by hashing the recipient device's MAC address. When the wireless access point ultimately receives the code from the device, it can match the code to the lookup table to locate the associated MAC address and provide access to network services to the device connected to it with that MAC address.

Referring to Figure 3, a method and system in accordance with an embodiment of the invention will be described. In this embodiment, the system will be termed the Chirp Captive Portal.

301. The user selects the Chirp Captive Portal's wifi network.

302. The Captive Portal login screen is displayed on the user's phone (this is usually done automatically by the OS).

This login screen contains an identifying code that identifies the login session. This code may be displayed to the user or hidden. It is encoded via an audio protocol (such as described in US Patent Publication No. 2012/084131 A1) with the ability for this audio to be played from the login screen.

303. The user presses a button, submits an information form or otherwise takes an action to play the encoded audio. This could also be done without any user interaction.

304. A microphone on the router picks up the audio being played and decodes the unique code.

In this way the router can be sure that the device it is granting access to is physically close to its microphone. This limits the danger of this captive portal being used by people outside of the venue where the router is installed.

305. The captive portal looks up the device identified by the unique code it has decoded and grants that specific device access to the Internet.
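As an added illustration (not code from the patent or from Asio Ltd), the following Python models the seed-plus-time-value variant of steps 201 to 204 and of the Figure 3 sequence: the access point stores the device's MAC address in its lookup table and issues a seed, the device derives the code from the seed modified with a time value, and the access point verifies the decoded code within a time window, accepts it once only, and maps it back to the MAC address. HMAC-SHA256 as the derivation function, the 10-second time bucket, a 60-second acceptance window, a one-bucket clock-skew tolerance and the FakeClock are assumptions; the audio encoding and decoding are left out, so the string returned by device_respond stands for what the microphone-side decoder recovers.

```python
import hashlib
import hmac
import secrets
import time
from typing import Callable, Dict, Optional, Tuple

TIME_BUCKET_SECONDS = 10     # the page's example: time value to the nearest 10 s
CODE_VALIDITY_SECONDS = 60   # assumed: how long after step 201 a code is accepted
CODE_BYTES = 4               # assumed: 32-bit code, short enough to chirp


def time_value(now: float, bucket: int = TIME_BUCKET_SECONDS) -> int:
    """Round a clock reading to the nearest bucket boundary."""
    return int(round(now / bucket)) * bucket


def derive_code(seed: bytes, tv: int) -> str:
    """The derivation function the message describes: the seed, modified with
    the time value, drives a deterministic generator. HMAC-SHA256 stands in
    for the page's pseudo-random number generator (assumption)."""
    digest = hmac.new(seed, str(tv).encode(), hashlib.sha256).digest()
    return digest[:CODE_BYTES].hex()


def device_respond(message: dict, device_now: float) -> str:
    """Device side: derive the code that would then be encoded into audio.
    The returned string stands for what the microphone-side decoder recovers."""
    seed = bytes.fromhex(message["seed"])
    return derive_code(seed, time_value(device_now, message["bucket"]))


class AccessPoint:
    """Processor 102 logic for steps 201 to 204 (lookup table keyed by MAC)."""

    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self.clock = clock
        self.sessions: Dict[str, Tuple[bytes, float]] = {}  # MAC -> (seed, issued_at)
        self.granted: Dict[str, float] = {}                 # MAC -> access expiry

    def issue_message(self, mac: str) -> dict:
        """Step 201: on first connection store the MAC, generate a fresh seed
        and send it with the bucket size so the device can derive the code."""
        seed = secrets.token_bytes(16)
        self.sessions[mac] = (seed, self.clock())
        return {"seed": seed.hex(), "bucket": TIME_BUCKET_SECONDS}

    def verify_code(self, code: str, access_seconds: int = 3600) -> Optional[str]:
        """Steps 202 to 204: match a decoded code against outstanding sessions.
        Returns the MAC that was granted access, or None."""
        now = self.clock()
        tv = time_value(now)
        skews = (-TIME_BUCKET_SECONDS, 0, TIME_BUCKET_SECONDS)  # one bucket of clock skew
        for mac, (seed, issued_at) in list(self.sessions.items()):
            if now - issued_at > CODE_VALIDITY_SECONDS:       # time-window check (claim 33)
                del self.sessions[mac]
                continue
            expected = [derive_code(seed, tv + d) for d in skews]
            if any(hmac.compare_digest(code, e) for e in expected):
                del self.sessions[mac]                        # single use: a replayed chirp fails
                self.granted[mac] = now + access_seconds      # time-limited access (claim 31)
                return mac
        return None

    def has_access(self, mac: str) -> bool:
        return self.granted.get(mac, 0.0) > self.clock()


class FakeClock:
    """Constructed clock so the exchange can be replayed deterministically."""

    def __init__(self, t: float) -> None:
        self.t = t

    def __call__(self) -> float:
        return self.t


if __name__ == "__main__":
    clock = FakeClock(1_000_000.0)
    ap = AccessPoint(clock)
    mac = "aa:bb:cc:dd:ee:01"                  # constructed sample MAC
    msg = ap.issue_message(mac)                # step 201
    chirp = device_respond(msg, clock.t + 7)   # device clock 7 s ahead
    print("granted:", ap.verify_code(chirp))   # steps 203/204 -> aa:bb:cc:dd:ee:01
    print("replay:", ap.verify_code(chirp))    # -> None
```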

It can be seen that, in some embodiments, the device requiring access does not need to be online or have any other software installed. All the necessary components for logging in via sound may be transferred by the captive portal itself, meaning that the device requesting access can be completely offline at the point of connection to the portal. In some embodiments, the sound played by the device could be delivered by the captive portal as a complete sound file (such as WAV), or as source code (such as JavaScript) which can then be used to synthesize the audio.

In some embodiments, the microphone could be in a different location to the router itself (i.e. the wifi hardware and the microphone do not need to be in the same case/product).

In some embodiments, the captive portal could grant access to other network resources, not only the Internet.

Potential advantages of some embodiments of the present invention include:

• Ease of use - for controlled wifi networks, instead of entering a PIN within a captive portal or entering a WPA2 password, the user may merely actuate a button (or, in embodiments, may not need to take any action at all if the audio plays automatically);

• Means of inferring proximity between the device and the hardware router (or wireless access point) - because audio is used, users will not be able to log in from adjacent rooms or buildings (even if the range of the wifi network extends to these locations) as the audio from their devices will not be detected at the microphone (which, in some embodiments, is located at the wireless access point);

• Requires no installation on the user's device - the audio needed to log in is provided by the captive portal on the login page; and

• Devices requesting access via the captive portal are not required to have any network access prior to or (in some embodiments) during negotiating access with the portal (i.e. a mobile device could log in to the captive portal even if it was in airplane mode).

While the present invention has been illustrated by the description of the embodiments thereof, and while the embodiments have been described in considerable detail, it is not the intention of the applicant to restrict or in any way limit the scope of the appended claims to such detail. Additional advantages and modifications will readily appear to those skilled in the art. Therefore, the invention in its broader aspects is not limited to the specific details, representative apparatus and method, and illustrative examples shown and described. Accordingly, departures may be made from such details without departure from the spirit or scope of applicant's general inventive concept.