Title:
METHOD AND SYSTEM FOR UNIVERSAL ACCESS CONTROL MANAGEMENT TO AN ENTITY WITH INCONSISTENT INTERNET ACCESS
Document Type and Number:
WIPO Patent Application WO/2018/207079
Kind Code:
A1
Abstract:
A system and method for authenticating user identity is disclosed. The system comprises a wearable device configured to sense at least one data of a user. The system further comprises a network and user authentication device communicatively coupled to the wearable device and at least one second device. The network and user authentication device according to the present invention is configured to authenticate and allow the user to use the at least one second device until the wearable device sends a pre-set characteristic of the at least one data of a user to the network and user authentication device. The wearable device sends a sequence of one-time passwords (OTPs) based on a seed network device identified to this device. At least one data of a user is heartbeat or pulse rate of the user.

Inventors:
RAPAPORT SHAY (IL)
Application Number:
PCT/IB2018/053162
Publication Date:
November 15, 2018
Filing Date:
May 07, 2018
Assignee:
RAPAPORT SHAY (IL)
International Classes:
G06F1/16; G06F3/01; G06F21/31; G07C9/00; H04R25/00
Foreign References:
US20160267732A1 2016-09-15
US20160294817A1 2016-10-06
US20130227678A1 2013-08-29
US20150294096A1 2015-10-15
US20160197916A1 2016-07-07
US20170010664A1 2017-01-12
US20150172827A1 2015-06-18
Claims:
CLAIMS

What is claimed is:

1. A system for authenticating user identity, comprising:

a wearable device configured to sense at least one data of a user, and

a network and user authentication device communicatively coupled to the wearable device and at least one second device, configured to authenticate and allow the user to use the at least one second device until the wearable device sends a pre-set characteristic of the at least one data of a user to the network and user authentication device.

2. The system of claim 1, wherein the wearable device is attachable or implantable to the user's body.

3. The system of claim 1, wherein the wearable device is initiated by the user via a standard authentication means including one or combination of login process via password, or biometric factor.

4. The system of claim 1, wherein the wearable device sends a sequence of one-time passwords (OTPs) based on a seed network device identified to this device.

5. The system of claim 1, wherein the at least one data of a user is heartbeat or pulse rate of the user.

6. The system of claim 1, wherein the at least one second device is a computer, a smartphone, a tablet or a handheld computing device of the user.

7. The system of claim 1, wherein the at least one second device is configured to detect the at least one pre-set characteristics of the at least one data of the user.

8. The system of claim 1, wherein the at least one second device is configured to detect proximity of the user's body.

9. The system of claim 1, wherein the pre-set characteristic of the at least one data of the user is a threshold value of time between two heartbeat or pulse rate of the user.

10. The system of claim 1, wherein the authentication and user access to the at least one second device is disabled on variation in the pre-set characteristic of the at least one data of the user.

11. The method for authenticating user identity, comprising the steps of:

a) initiating a wearable device to sense at least one data of a user;

b) choosing a user identity authentication method and enabling the user to access wearable device;

c) sending the at least one data of a user to the network and user authentication device;

d) authenticating and enabling a user to access at least one second device coupled to the network and user authentication device based on a pre-set characteristic of the at least one data of a user, and

e) terminating the user access and authentication automatically on recognizing variation in the pre-set characteristic of the at least one data of the user.

12. The method of claim 11, wherein the wearable device is attachable or implantable to the user's body.

13. The method of claim 11, wherein the wearable device is initiated by the user via a standard authentication means including one or combination of login process via password, or biometric factor.

14. The method of claim 11, wherein the wearable device sends a sequence of one-time passwords (OTPs) based on a seed network device identified to this device.

15. The method of claim 11, wherein the at least one data of a user is heartbeat or pulse rate of the user.

16. The method of claim 11, wherein the at least one second device is a computer, a smartphone, a tablet or a handheld computing device of the user.

17. The method of claim 11, wherein the at least one second device is configured to detect the at least one pre-set characteristics of the at least one data of the user.

18. The method of claim 11, wherein the at least one second device is configured to detect proximity of the user's body.

19. The method of claim 11, wherein the pre-set characteristic of the at least one data of the user is a threshold value of time between two heartbeat or pulse rate of the user.

Description:
METHOD AND SYSTEM FOR UNIVERSAL ACCESS CONTROL MANAGEMENT TO AN ENTITY WITH INCONSISTENT INTERNET ACCESS

RELATED APPLICATION

This application claims the benefit of U.S. Provisional Patent Application Serial No. 62502774 filed May 8, 2017, which is hereby incorporated by reference in its entirety.

FIELD OF THE INVENTION

[0001] The present disclosure relates to network enabled entities and connected devices in general and to sharing access permissions or resources with such entities, both online and offline, in particular.

BACKGROUND OF THE INVENTION

[0002] User identity authentication is becoming one of the major challenges in computer security. As more of our assets and actions become digital, identifying a person becomes the key to connect people with their assets and the actions they are allowed to take. Access to your phone, your computer, your devices, your bank account, your money and anything you own and are, depends on identity authentication. This raised the need for a continuous form of authentication, one in which a system, a service or a device can be sure it is communicating with the same user that it knows, while freeing the user from the burden of multiple logins. Latest research and implementations focus on complex sensors and behavioral patterns. One such example is ECG tracking. However, these methods are expensive and are difficult to apply on commonly used devices (such as smartwatches, phones etc.) and may be inaccurate and exposed to replay attacks. A number of different types of systems, devices and/or methods that may be used to provide an adaptive enablement of one or more communications modes based on distant/proximity and either online and/or offline are available in the prior art.

[0003] Prior art document US20160078697 discloses a wearable device capable of integrating fingerprint recognition and pulse recognition. Another prior art document, CN204808876, discloses an identity recognition device, including discernment wrist strap and transmitter, the inside ID card draw-in groove harmony line collector that is provided with of discernment wrist strap. Yet another prior art document, US20140282962, discusses a trusted communication device that may generate and display a single use user ID and/or password to be utilized for one-time validation of a communication session between an unsecure communication device and a secure communication device. Yet another prior art document, US20060033606, discloses methods and devices for determining the status of a networked device, e.g., a networked RFID device. Yet another prior art document, US20090131015, discloses apparatus and methods for authenticating users of wireless telecommunications terminals. Yet another prior art document, WO2016170005, discloses one or more sensors configured for detection of characteristics of moving objects and living subjects for human identification or authentication. Yet another prior art document discusses wearable wristbands such as the Nymi, which introduce another parameter that can be used in authentication systems - the ECG shape (morphology) that is specific for each user (see: https://www.nymi.com/).

[0004] However, the above-mentioned references and many other similar references have one or more of the following shortcomings: (i) expensive devices; (ii) not made for daily routine use; (iii) not suited for continuous identification; and (iv) do not allow the user to control the level of exposure to other entities.

[0005] There remains a constant need for a continuous user authentication that is simple, and can be made available with today's commodity devices, coupled with an access control management system.

SUMMARY OF THE INVENTION

[0006] The present invention discloses a system and method for authenticating user identity. In an embodiment, the system comprises a wearable device configured to sense at least one data of a user. The system further comprises a network and user authentication device communicatively coupled to the wearable device and at least one second device. The network and user authentication device according to the present invention is configured to authenticate and allow the user to use the at least one second device until the wearable device sends a pre-set characteristic of the at least one data of a user to the network and user authentication device.

[0007] In one embodiment, the wearable device is attachable or implantable to the user's body. The wearable device is initiated by the user via a standard authentication means including one or combination of login process via password, or biometric factor. The wearable device sends a sequence of one-time passwords (OTPs) based on a seed network device identified to this device.

[0008] In some embodiments, at least one data of a user is heartbeat or pulse rate of the user. In some embodiments, at least one second device is a computer, a smartphone, a tablet or a handheld computing device of the user. In one embodiment, at least one second device is configured to detect the at least one pre-set characteristics of the at least one data of the user. In one embodiment, at least one second device is configured to detect proximity of the user's body.

[0009] In some embodiments, the pre-set characteristic of the at least one data of the user is a threshold value of time between two heartbeat or pulse rate of the user. In one embodiment, the authentication and user access to the at least one second device is disabled on variation in the pre-set characteristic of the at least one data of the user.

[0010] In another embodiment of the present invention, the method for authenticating user identity, comprising the steps of: (a) initiating a wearable device to sense at least one data of a user; (b) choosing a user identity authentication method and enabling the user to access wearable device; (c) sending the at least one data of a user to the network and user authentication device; (d) authenticating and enabling a user to access at least one second device coupled to the network and user authentication device based on a pre-set characteristic of the at least one data of a user, and (e) terminating the user access and authentication automatically on recognizing variation in the pre-set characteristic of the at least one data of the user.

[0011] Other objects, features and advantages of the present invention will become apparent from the following detailed description. It should be understood, however, that the detailed description and the specific examples, while indicating specific embodiments of the invention, are given by way of illustration only, since various changes and modifications within the spirit and scope of the invention will become apparent to those skilled in the art from this detailed description.

BRIEF DESCRIPTION OF THE DRAWINGS

[0012] The present disclosed subject matter will be understood and appreciated more fully from the following detailed description taken in conjunction with the drawings in which corresponding or like numerals or characters indicate corresponding or like components. Unless indicated otherwise, the drawings provide exemplary embodiments or aspects of the disclosure and do not limit the scope of the disclosure. In the drawings:

[0013] FIG. 1 illustrates a system for authenticating user identity, in accordance with some exemplary embodiments of the disclosed subject matter;

[0014] FIG. 2 shows a flowchart diagram of a method for authenticating the user identity, in accordance with some exemplary embodiments of the disclosed subject matter.

[0015] FIG. 3 shows a flowchart diagram of a method for communicating and identifying unconditioned data in the system, in accordance with some exemplary embodiments of the subject matter.

DETAILED DESCRIPTION OF EMBODIMENTS

[0016] A description of embodiments of the present invention will now be given with reference to the Figures. It is expected that the present invention may be embodied in other specific forms without departing from its spirit or essential characteristics. The described embodiments are to be considered in all respects only as illustrative and not restrictive. The scope of the invention is, therefore, indicated by the appended claims rather than by the foregoing description. All changes that come within the meaning and range of equivalency of the claims are to be embraced within their scope.

[0017] The proposed invention has mainly two aspects: (1) A management system for user identity authentication in proximity - to whom to identify, with which identifying data and under which circumstances, (2) A specific use case in which one of the devices is a wearable or an implant and can detect heart rate. In this case, the user authenticates via a standard authentication means such as a password or a fingerprint on one device, while another device is used to detect both heart beat and the user's body proximity, on the assumption that, while these two last, this is the same user.

[0018] The term computing device refers herein to a device that includes a processing unit. Examples of such a device are a personal computer, a laptop, a server, a tablet, a smartphone, a smart wearable item and IOT (internet of things) devices.

[0019] The term wireless communication refers herein to communication between devices through any standard wireless communication protocol, such as NFC, Bluetooth, BLE, Wifi, Wifi-Direct and so forth.

[0020] The term network enabled entity refers herein to an entity that can be accessed via the internet network, a local network or through wireless communication. Examples of a network enabled entity are vehicle ignition system, a private house or a hotel room door lock system, a computer lock screen and its locking system, a file, a folder, a specific application or a user account, such as a banking account or a service account.

[0021] The term user refers herein to a person who has successfully registered to the system. The user could register through an internet website or an application. Such a user could share a network enabled entity that he owns. The user could also gain administrative permission from an owner of a network enabled entity for sharing the network enabled entity with other users. Such a user will get temporary access to a network enabled entity.

[0022] The term end user refers herein to a user who gains an access to a network enabled entity for using the network enabled entity. In some cases, the access is temporal.

[0023] The term owner refers herein to a user of the system that gained ownership privileges over a network enabled entity, either by creating it or by entering an activation and ownership code provided by the creator or a previous owner.

[0024] The term administrator refers herein to a user of the system entity that has the authority to share the network enabled entity with other users. The administrator is the owner of the network enabled entity or a user that is authorized by the owner.

[0025] The term authenticating computing device refers herein to a computing device with which the user is authenticated to the system. Examples for such authenticating computing device are a Smartphone and a smart watch.

[0026] The term system refers herein to an application and a server or servers that are used to register users, entities and the relations between them, as well as to enable communication and logging. It should be noted that, once a user's registration is completed, usage of such a system is not mandatory and communications can take place peer to peer.

[0027] The term system entity refers herein to a computing device of a user, to the server of the system and to the network enabled entity.

[0028] The term access request refers herein to a request made by a computing device of user, to receive access and thus share a network enabled entity.

[0029] The term sharing period refers herein to the period or policy in which the end user is given access to the network enabled entity. The sharing period is identical to or different from the period that is requested by the end user, according to the administrator's choice.

[0030] The term Access Token refers herein to a digital encrypted Access Token provided by an administrator (or an owner) to an end user, allowing the end user to use or access the network enabled entity, without being able to decrypt or modify the sharing period.

[0031] The term local storage encryption refers herein to the method of storing any sensitive data on a computer device of any user. This method involves encryption of the data with the user's private key and further encrypting the private key itself with either a biometric encryption relying on fingerprint, face recognition, retinal or iris scan, ECG and so forth, or using a pattern, a PIN or any combination of these, in such a way that the same combination must be used to decrypt the private key on the Computer Device to allow encryption or decryption of data.

[0032] One exemplary embodiment of the disclosed subject matter is a system and network for authenticating the sharing of a network enabled entity. According to some embodiments, an owner of the network enabled entity shares the network enabled entity with other users. Such sharing is required for a temporal period.

[0033] The present invention discloses a system and method for authenticating user identity. Referring to FIG. 1, the system 100 comprises a wearable device 102 configured to sense at least one data of a user 104. The system 100 further comprises a network and user authentication device 106 communicatively coupled to the wearable device 102 and at least one second device 108. The network and user authentication device 106 according to the present invention is configured to authenticate and allow the user 104 to use the at least one second device 108 until the wearable device 102 sends a pre-set characteristic of the at least one data of a user 104 to the network and user authentication device 106. In some embodiments, the network and user authentication device 106 is a seed network device, or a network device with customized network protocols. In some embodiments, the network and user authentication device 106 could be provisioned with two separate modules, such as an authenticating computing device and a network enabled entity.

[0034] In one embodiment, the wearable device 102 is attachable or implantable to the user's body 104. The wearable device 102 is initiated by the user 104 via a standard authentication means including one or combination of login process via password, or biometric factor. The wearable device 102 sends a sequence of one-time passwords (OTPs) based on a seed network device identified to this device 102.

[0035] In some embodiments, at least one data of a user 104 is heartbeat or pulse rate of the user. In some embodiments, at least one second device 108 is a computer, a smartphone, a tablet or a handheld computing device of the user 104. In one embodiment, at least one second device 108 is configured to detect the at least one pre-set characteristics of the at least one data of the user 104. In one embodiment, at least one second device 108 is configured to detect proximity of the user's body.

[0036] In some embodiments, the pre-set characteristic of the at least one data of the user 104 is a threshold value of time between two heartbeat or pulse rate of the user 104. In one embodiment, the authentication and user access to the at least one second device 108 is disabled on variation in the pre-set characteristic of the at least one data of the user 104.

[0037] Referring to FIG. 2, a method 200 for authenticating the user identity is illustrated. The method 200 comprises pairing with one or more devices, for example, by entering a code, at step 205. At step 210, the user could choose any one user identity authentication method, for example, password or bio-factor, etc. At step 215, the method 200 includes sending an identified data such as OTP, seed or tag, to an identification software or scanner incorporated in the devices. At step 220, the method 200 further includes configuring tagged data broadcast type on a remote device. The broadcast type could be continuous or provided upon request. At step 225, the method 200 further includes configuring tagged data broadcast initiation conditions. For example, the broadcast initiation conditions are heartbeat and reset code. At step 230, the method 200 further includes configuring tagged data broadcast termination conditions. For example, the broadcast termination conditions are no heartbeat or irregular heartbeat. At step 235, the method 200 further includes configuring broadcast initiation and termination conditions on the local device. At step 240, the method 200 further includes configuring any additional behaviors of management, for example, lock device or disable device access, if no OTP is received.

[0038] In another embodiment, the method for authenticating user identity, comprising the steps of: (a) initiating a wearable device to sense at least one data of a user; (b) choosing a user identity authentication method and enabling the user to access wearable device; (c) sending the at least one data of a user to the network and user authentication device; (d) authenticating and enabling a user to access at least one second device coupled to the network and user authentication device based on a pre-set characteristic of the at least one data of a user, and (e) terminating the user access and authentication automatically on recognizing variation in the pre-set characteristic of the at least one data of the user.
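
The heartbeat-gated OTP sequence of paragraphs [0034] to [0038], as an added example that is not part of the patent: the wearable emits one OTP per beat while the beat-to-beat gap stays under the threshold, and the authentication device locks when valid OTPs stop arriving. The patent does not name an OTP algorithm; RFC 4226 HOTP, the 2-second threshold, the look-ahead window and the `Wearable`/`Verifier` names are assumptions of this sketch.

```python
import hashlib
import hmac
import struct


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class Wearable:
    """Emits the next OTP per heartbeat while the beat-to-beat gap stays within the threshold."""

    def __init__(self, seed: bytes, max_gap_s: float):
        self.seed, self.max_gap_s = seed, max_gap_s
        self.counter = 0
        self.last_beat = None
        self.active = False

    def login(self, now: float) -> None:
        # Stands in for the password or biometric step that initiates the wearable.
        self.active, self.last_beat = True, now

    def heartbeat(self, now: float):
        """Return the OTP for this beat, or None once the termination condition has fired."""
        if not self.active:
            return None
        if now - self.last_beat > self.max_gap_s:
            self.active = False  # gap too long: stop broadcasting until a new login
            return None
        self.last_beat = now
        otp = hotp(self.seed, self.counter)
        self.counter += 1
        return otp


class Verifier:
    """Authentication device: keeps the second device unlocked only while fresh OTPs arrive."""

    def __init__(self, seed: bytes, max_gap_s: float, look_ahead: int = 3):
        self.seed, self.max_gap_s, self.look_ahead = seed, max_gap_s, look_ahead
        self.next_counter = 0
        self.last_ok = None
        self.unlocked = False

    def start(self, now: float) -> None:
        self.unlocked, self.last_ok = True, now

    def tick(self, now: float) -> bool:
        """Lock when no valid OTP has arrived within max_gap_s; return the unlock state."""
        if self.unlocked and now - self.last_ok > self.max_gap_s:
            self.unlocked = False
        return self.unlocked

    def receive(self, otp: str, now: float) -> bool:
        if not self.tick(now):
            return False  # locked: only a fresh login can reopen the session
        # A small look-ahead tolerates OTPs lost in transit; counters never move backwards.
        for c in range(self.next_counter, self.next_counter + self.look_ahead + 1):
            if hmac.compare_digest(hotp(self.seed, c), otp):
                self.next_counter = c + 1
                self.last_ok = now
                return True
        return False


def run_demo() -> dict:
    seed = b"12345678901234567890"  # RFC 4226 test seed; a real seed is random and secret
    wearable, verifier = Wearable(seed, 2.0), Verifier(seed, 2.0)
    wearable.login(0.0)
    verifier.start(0.0)
    accepted, captured = [], None
    for t in (0.8, 1.6, 2.5, 3.3):  # constructed beat times in seconds, device worn
        otp = wearable.heartbeat(t)
        captured = captured or otp
        accepted.append(verifier.receive(otp, t))
    replay = verifier.receive(captured, 3.4)  # an already-used OTP presented again
    after_gap = wearable.heartbeat(9.0)  # 5.7 s without a beat: wearable was taken off
    locked = not verifier.tick(9.0)
    resumed = wearable.heartbeat(9.8)  # later beats do not restart the sequence
    late = verifier.receive(hotp(seed, 4), 9.9)  # even the correct next OTP is refused
    return {"accepted": accepted, "replay": replay, "after_gap": after_gap,
            "locked": locked, "resumed": resumed, "late": late}


if __name__ == "__main__":
    print(run_demo())
```

The lock decision is made on both sides independently: the wearable stops emitting and the verifier times out, so losing either signal ends the session.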

[0039] Referring to FIG. 3, a method 300 for communicating and identifying unconditioned data in the system is illustrated. The method 300 includes sending or requesting identifying data that is unconditioned at step 305. At step 310, the method 300 analyses whether the initiation conditions are met. The method 300 repeats step 305 at step 315, and analyses whether the termination condition is met at step 320. At step 325, the method 300 sends or requests conditioned identifying data, sends or requests identifying data that is unconditioned at step 330, and repeats from step 320, for analyzing whether the termination condition is met, at step 335. At step 340, the method 300 sends or requests all identifying data that is unconditioned, and repeats from step 310, at step 345.

[0040] This invention allows a cheap, easy to implement, continuous identification, that can work on today's commodity hardware wearable objects. Additionally, it allows different devices to communicate between themselves and exchange such continuous identification details in a safe way, with full control over when and how much the user is exposed and to whom and managing an overall system behavior for proximity-based identification in various different use-cases.

[0041] According to some embodiments, the owner of the network enabled entity receives ownership privileges by entering an ownership and activation code to the network enabled entity. The ownership code is sent from a computing device of the entity authority or a device of a previous owner or, alternatively, it is provided with the network enabled entity. The ownership code is in a digital or a printed version, such as a serial number, a barcode or a QR code.

[0042] The owner uses the ownership code to activate the network enabled entity and to claim ownership over it. Upon the grant of ownership, the owner of the entity and the network enabled entity share one or more cryptographic keys, each having a unique ID. Such keys could be generated either by the system/server or by the owner's computing device or by the network connected enabled entity. The cryptographic keys are used for encrypting and for decrypting one or more access tokens in such a way that the owner and administrators and the network enabled entity can generate or read such access tokens, while the end user could carry and use such access tokens but cannot read or modify them. The access token is generated by the computing device of the owner or an administrator and is used for allowing an end user to access, use and operate the network enabled entity.

[0043] In some cases, the owner of the network enabled entity delegates the authority to provide access to the network enabled entity to other administrators. The delegating is done by sending one of the cryptographic keys and its ID to the administrator computing device. In some cases, the computer device of the owner of the network enabled entity flags the access token that was shared with an administrator, in order to prevent the owner from using it or sharing it with additional administrators. The system server stores the cryptographic key IDs and flags them as well.

[0044] According to some embodiments, the owner of the network enabled entity cancels the authorization of the administrator. The cancellation is done by suspending or deleting the cryptographic key provided to an administrator on the network enabled entity. Such suspension or deletion takes place through the system, online, or directly, between the owner's computer device and the one of the network enabled entity, via wireless communication. In such case, the cryptographic key and/or the access tokens that have been generated by the administrator are invalidated.

[0045] It should be noted that an owner of a certain network enabled entity is the end user or the administrator of another network enabled entity.

[0046] According to some embodiments, the users have to register to the system prior to using the system. The registration includes the providing of identification data. Such data include social network identification, a phone number, an email address and a copy of a photo ID and/or any other personal identifying information, as well as information about the device and the installed application, in order to allow further communication with that user.

[0047] According to some embodiments, the verifying process is performed by a registration authority (RA) or a plurality of such RAs.

[0048] The verification process is performed via the social network ("Social Login"), or via the validation of the email address through a link sent to it, or via an OTP sent as a text message to the phone number, or via any process, face to face or online, to validate the registrant's photo ID and any other PII (personal identifying information). The users' attributes are stored with a certificate authority (CA) computing device, which stores the user PII attributes as they are, or as hashed values, or using any other zero-knowledge mechanism designed to allow only the validation of these details. Such a CA can be a computing device or any number of them, or a cryptographic distributed network such as a Blockchain. The certificate authority computing device generates a public key and secret key pair for the user. The CA computing device binds the public key and the secret key with the identity of the registered user. The CA computing device issues a digital certificate for the user. The digital certificate and the public key are used for identification and for securing the communication between the registered user and other users of the system and are herein referred to as either "Public key" or "Digital Certificate".

[0049] According to some embodiments, the user's identifying details are stored on the user's computing device using local storage encryption. According to some embodiments, when an administrator wishes to find a user in order to share a network enabled device with that user, the administrator searches for that user on the system through the user's public key or any PII that the user chose to expose on the system, such as a name or an email. According to some embodiments, when the end user wishes to search for an administrator to request permission to use a network enabled entity, the end user receives the network enabled entity identity and public key when in close proximity, via wireless communication. Then the end user searches for the network enabled entity's owner and/or its administrators through the system. The search is done by any identification that is available to the end user, such as the entity's ID and/or its public key, or the administrator's ID or any PII, if the user knows them. The end user then requests, via his computing device, access permission to the network enabled entity.

[0050] According to some embodiments, the network enabled entity has a private key and public key pair. This pair is given to the entity by its owner upon activation and is identical to the owner's keys. Alternatively, it is given to the entity by the system, during a registration process that is technically similar to a user registration. Such registration can take place upon activation or prior to that, by the creator, manufacturer or seller of such a network enabled entity. According to some embodiments, a user's request for accessing a network enabled entity is sent to the owner or to any administrator of the network enabled entity either through the system, online, or directly via wireless communication. The request includes the digital certificate that was issued to the user with identifiable details and a public key, the network enabled entity's ID or public key, and the requested sharing period or privileges. The computing device of the administrator of the network enabled entity authenticates the user and validates the details. The authentication is done via the CA or the CA implementation on a BlockChain infrastructure.

[0051] According to some embodiments, if the administrator chooses to share the network enabled entity with a user, the computing device of the administrator generates an access token. Such an access token includes the public key that is associated with the user, the public key or identifier that is associated with the network enabled entity, the public key of the administrator and the permitted sharing period or permitted access policy. The access token enables the user to access the network enabled entity for a predefined sharing period and/or for predefined actions.

[0052] According to some embodiments, the access token is encrypted using the secret cryptographic key, which was provided to the administrator by the owner. The computing device of the administrator sends the access token coupled with the encryption key ID and the network enabled entity ID to the computing device of the end user, either through the system via internet, or directly through a wireless communication. The access token enables the user to access the network enabled entity for a predefined sharing period and/or for a predefined set of actions.

[0053] According to some embodiments, the computing device of the end user encrypts the access token with local storage encryption. According to some embodiments, the end user sends the access token to the network enabled entity through wireless communication. The entity and the end user's device encrypt the communication asymmetrically using each other's public key, or they exchange a symmetric key first over such asymmetric encrypted communication and then use such a symmetric key to further communicate and send the access token details.

[0054] According to some embodiments, the network enabled entity decrypts the access token, first using its public key or the mutually agreed symmetric key and then the secret cryptographic key correlating to the ID. According to some embodiments, if the public key that is used by the end user's computing device matches the public key that is in the access token, and if the administrator's cryptographic key is valid, a permission to use the network enabled entity has been sufficiently proved and the network enabled entity will allow the end user to use it according to the policy of the sharing period that is in the access token.
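The offline checks described in [0051] to [0054], as an added Python example that is not part of the patent text. HMAC-SHA256 authentication stands in here for the secret-key encryption the text describes, so the token is integrity-protected but not confidential; the field names, the key store, the entity ID and all sample values are assumptions.

```python
import base64
import hashlib
import hmac
import json

# Constructed sample values; all names below are hypothetical, not from the patent.
ENTITY_ID = "entity-01"
ENTITY_KEYS = {"key-1": b"constructed-owner-secret"}  # key ID -> secret the owner provisioned

def issue_token(secret, user_pub, entity_id, admin_pub, start, end, actions):
    """Administrator side: bind user key, entity, admin key and policy under the secret."""
    body = json.dumps({"user_pub": user_pub, "entity": entity_id, "admin_pub": admin_pub,
                       "start": start, "end": end, "actions": actions}).encode()
    tag = hmac.new(secret, body, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(tag + body).decode()

def verify_token(token, key_id, session_user_pub, action, now):
    """Entity side, no network access needed. Returns (allowed, reason)."""
    secret = ENTITY_KEYS.get(key_id)
    if secret is None:
        return False, "unknown key ID"
    try:
        raw = base64.urlsafe_b64decode(token.encode())
    except ValueError:
        return False, "malformed token"
    tag, body = raw[:32], raw[32:]
    expected = hmac.new(secret, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return False, "token not issued under this key"
    claims = json.loads(body)
    if claims["entity"] != ENTITY_ID:
        return False, "token is for another entity"
    if claims["user_pub"] != session_user_pub:  # key the device used in this session
        return False, "user key mismatch"
    if not claims["start"] <= now <= claims["end"]:
        return False, "outside sharing period"
    if action not in claims["actions"]:
        return False, "action not permitted"
    return True, "ok"
```

The `now` argument comes from the entity's local clock, so the sharing-period check is only as reliable as that clock while the entity is offline.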

[0055] According to some embodiments, when the network enabled entity has internet connectivity, the network enabled entity will report the transaction, either directly to the owner computing device and/or to the relevant administrator computing device, or to the system server. The purpose of the reporting is to store and track transaction details. According to some embodiments, access tokens store financial transaction data, of amounts to be paid or that have been paid to the entity, including details needed to confirm or to enable the transaction, thus allowing the entity to receive money or a verified acknowledgement about a transaction when the entity is offline. In this respect, before explaining at least one embodiment of the invention in detail, it is to be understood that the invention is not limited in its application to the details of construction and to the arrangements of the components set forth in the following description or illustrated in the drawings. The invention is capable of other embodiments and of being practiced and carried out in various ways. Also, it is to be understood that the phraseology and terminology employed herein are for the purpose of description and should not be regarded as limiting.

[0056] These together with other objects of the invention, along with the various features of novelty which characterize the invention, are pointed out with particularity in the disclosure. For a better understanding of the invention, its operating advantages and the specific objects attained by its uses, reference should be had to the accompanying drawings and descriptive matter in which there are illustrated preferred embodiments of the invention.

[0057] It should be noted that, in some alternative implementations, the functions noted in the block of a figure may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may be executed in the reverse order, depending upon the functionality involved.

[0058] It is to be understood that the above description is intended to be illustrative, and not restrictive. For example, the above-discussed embodiments may be used in combination with each other. Many other embodiments will be apparent to those of skill in the art upon reviewing the above description.

[0059] The benefits and advantages which may be provided by the present invention have been described above with regard to specific embodiments. These benefits and advantages, and any elements or limitations that may cause them to occur or to become more pronounced are not to be construed as critical, required, or essential features of any or all of the embodiments.

[0060] While the present invention has been described with reference to particular embodiments, it should be understood that the embodiments are illustrative and that the scope of the invention is not limited to these embodiments. Many variations, modifications, additions and improvements to the embodiments described above are possible. It is contemplated that these variations, modifications, additions and improvements fall within the scope of the invention.