MOBILE DEVICE, AND ACCESS-CONTROL SYSTEMS

Background

[0001] This disclosure relates to the field of security systems used to control access to secure premises and computer systems. More specifically, the disclosure relates to systems for controlling access to secure premises, computer systems and applications available from such systems to operate on mobile devices.

[0002] Persons authorized to access and use computers or computer systems for which access is restricted only to those authorized by the computer or computer system operator, require that a prospective user be authenticated as a user. Authentication known in the art includes a user-worn badge or the like with simple ID information on it, biometric scan (fingerprint) by a sensor on signal communication with the computer or computer system and/or password (single or multiple factor) user entry. All the foregoing authentication methods require that the computer or computer system stores personal information about authorized users in order to associate a prospective user with such information to confirm that the prospective user is in fact the person attempting to gain access to the computer or computer system.

[0003] In certain instances, storage of personal information concerning prospective users is limited or denied by law or regulation, or exposes the computer or computer system operator to liability in the event of improper disclosure of such personal information.

Summary

[0004] One aspect of the present disclosure is a method for providing user access to a secure resource comprising information or physical premises. A method according to this aspect includes receiving, at a first access-control system controlling access to a first secure resource, a first request from a user to access the first secure resource. The first request has a first user authentication credential. A second request is received, at a second access-control system (i) different from the first access-control system and (ii) controlling access to a second secure resource different from the first secure resource, from the user to access the second secure resource. The second request has a second user authentication credential different from the first user credential. Then it is determined whether to accord the user access to the second resource based on at least (a) the second user credential and (b) whether the first access-control system accorded the user access to the first secure resource based on the first user authentication credential.

[0005] In some embodiments, the second user credential comprises at least one biometric measurement.

[0006] In some embodiments, the at least one biometric measurement corresponds to a health condition of the user.

[0007] In some embodiments, the health condition comprises infection by a communicable disease.

[0008] In some embodiments, the first user credential is transmitted from a smartphone.

[0009] In some embodiments, the second user credential is transmitted from a user worn security device.

[0010] In some embodiments, the user worn security device comprises at least one biometric sensor.

[0011] Other aspects and possible advantages will be apparent from the description and claims that follow.

Brief Description of the Drawings

[0012] FIG. 1 shows a flow chart of an example embodiment of a method according to the present disclosure.

Detailed Description

[0013] In a method according to the present disclosure, a user (i.e., a natural person) communicates with a server, computer or computer system. The server, computer or computer system has resident on it, in any form of data storage medium, data and/or applications to be accessed only by particular authorized users. The server, computer or computer system may also control access, such as by operating electronic locks or gates, to a controlled access or otherwise secure facility.

[0014] The communication between the user and the server, computer or computer system may be edge based, cloud based or otherwise, such as by a user terminal proximate entry point to a secure area. The user in a method according to the present disclosure will have in his possession a mobile device, such as a smartphone, to operate applications and/or to access data stored on the computer system, computer or server. When the user requests access through the server, computer or computer system (e.g., by accessing a user terminal), the server, computer or computer system may return a session registration query. The user then registers the mobile device for an authenticated session by responding to the session registration query. Such response may be made by using the mobile device to scan an optical identification code, such as a QR code, generated and displayed by the server, computer or computer system in response to the user communication.

[0015] By scanning the optical identification code, the mobile device will generate a signal in response, e.g., a pattern or code on the device’s display (which may be optically scanned by the server, computer or computer system), or by communicating a specific SMS text message or radio signal, which when communicated to the computer, computer system or server, temporarily authenticates the mobile device to an access session within the computer, computer system or server. The foregoing device registration may be temporary. The server, computer or computer system operator may set a fixed time duration for the access session and/or close the registration when the access session on the server, computer or computer system is terminated by the user. The server, computer or computer system operator may also program the system (including the server and/or computer system) to terminate the access session registration after a predetermined timeout period in which no user input or commands are entered into the mobile device by the user. [0016] The mobile device may be further authenticated by entry into a data input field (whether on the mobile device or other session data entry facility) the user’s passwords, passcodes, user’s biometric information (e.g., fingerprint scan) or other multi-factor authentication methods already set up by the user with respect to the particular mobile device. Such authentication replaces the need for the computer system, computer or server to store user passwords or other authentication data for the particular user or any other user.

[0017] Mobile device authentication can also be performed by linking the authentication method to the user’s employer site (company) login facility, a user Google (or social media) account login, a user Microsoft account login, linked or other third party mobile device authentication service. The purpose of the foregoing mobile device authentication is to identify the mobile device as belonging to the particular user, and thus authenticating the user without the need to store personal identification information concerning the user. Only the user would be expected to know the authentication code(s) or have the required biometric properties or information to satisfy any of the foregoing authentication methods. Thus, after the user has authenticated the mobile device to the server, computer or computer system, the authenticated mobile device can then be used to authenticate the optical identification (e.g., QR) code when such code is transmitted by the server, computer or computer system.

[0018] The user will also have in his possession a wearable security device, such as a key fob, wrist band, data card (e.g., photo ID card) on a lanyard, or other wearable security device issued by the system operator entity designated by the system operator. In some embodiments, the wearable security device comprises a biometric sensor such as may be embedded in a wrist-worn band. The wearable security device may have an embedded radio frequency identification (RFID) tag and an embedded optical identification code such as a QR code. The user presents the wearable security device to the authenticated mobile device to scan the optical identification code embedded in the wearable security device or to interrogate the RFID tag. This action authenticates the wearable security device, temporarily “pairing” it with the authenticated mobile device. The wearable security device can at that point be used temporarily to access a secure computer system, computer or server and/or a secure physical premises, whether using the mobile device or the wearable security device to gain physical access.

[0019] These actions provide a minimum of a three-way “triangle” authentication system that reduces the threat of counterfeit access.

[0020] This process may be performed by individually linking multiple devices using sensors and device authentication.

[0021] To gain access to a secure premises or to privileged information, the user must have an active wearable security device and/or confirm the optical identification code or RFID tag on the wearable security device and the mobile device.

[0022] In one embodiment, the wearable security device may be one or more forms of a biometric sensing device sold under the trademark SYMP2PASS, which is a trademark registered in Canada of Idea Capital Inc., Edmonton, AB, Canada. The SYMP2PASS sensor may comprise a radio frequency identification (RFID) tag with an identified, or embedded optical code such as a QR code to identify the specific wearable security device.

[0023] The specific wearable security device may be made to correspond to medical information about the wearer without the requirement to obtain stored medical information about the wearer, that is, a specific individual person for whom stored medical information may not be used for purposes such as personal authentication to access a computer, a computer system or a secure facility.

[0024] In one example, the wearable security device may form part of a kit to perform an olfactory sensitivity test, wherein a scent strip is provided with the wearable security device. In another example, a questionnaire may be answered, for example by accessing an Internet site associated with the provider of the wearable security device to which a user responds. Answers to the questionnaire may then associate certain medical diagnoses, such as exposure to a contagious condition, based on the answers to the questionnaire. Thus, the wearable security device will have associated therewith medical information relevant to the particular user of the wearable security device without access to any personal medical information of such user. In another example, one or more biometric sensors may be associated with the wearable security device, such as, and without limitation, a blood oxygenation sensor, a temperature sensor, a cardiac pulse rate sensor, a sphygmomanometer and a respiration rate sensor. Such sensor(s) may have data stored on any form of electronic data storage medium associated with the wearable security device, which data when communicated to a computer or computer system operated by the provider of the wearable security device, may make one or more inferences about the health condition of the user, for example, infection by a communicable disease. Such inference(s) may be communicated to the computer, server or computer system that has authentication required access, or controls access to a secure facility described above.

[0025] An example embodiment of a method and system components used therewith according to the present disclosure are shown in FIG. 1.

[0026] At 10, a wearable security device 20 such as a wristband has embedded information, e.g., concerning an amount of access to secure information that is available by the user having purchased or otherwise obtained access rights, as explained above. The embedded information may be interrogated and displayed to the user, for example, on a mobile device 30 such as a smartphone, having resident thereon an appropriate application or computer program. At 12, the user may attempt to gain access to the secure information such as at a terminal 40 provided by the system operator. The terminal 40 as explained above may be in communication with a server, computer or computer system or server whereon resides the secure information. The wearable security device 20 may be presented to the terminal 40 for validation, such as by reading an embedded optical identification code such as a QR code. At 14, the mobile device 30 may be paired with the secure computer system or server by the mobile device 30 scanning an optical identification (e.g., QR) code displayed by the terminal 40 in response to the user entering a request for access. At 16, the wearable security device 20 is validated for use with the mobile device 30 as explained above by validating the embedded identification code on the wearable security device 20. A sample display screen on the terminal 40 is shown on the right hand side of FIG. 1. [0027] In light of the principles and example embodiments described and illustrated herein, it will be recognized that the example embodiments can be modified in arrangement and detail without departing from such principles. The foregoing discussion has focused on specific embodiments, but other configurations are also contemplated. In particular, even though expressions such as in “an embodiment," or the like are used herein, these phrases are meant to generally reference embodiment possibilities, and are not intended to limit the disclosure to particular embodiment configurations. As used herein, these terms may reference the same or different embodiments that are combinable into other embodiments. As a rule, any embodiment referenced herein is freely combinable with any one or more of the other embodiments referenced herein, and any number of features of different embodiments are combinable with one another, unless indicated otherwise. Although only a few examples have been described in detail above, those skilled in the art will readily appreciate that many modifications are possible within the scope of the described examples. Accordingly, all such modifications are intended to be included within the scope of this disclosure as defined in the following claims.