Title:
METHODS AND SYSTEMS FOR AUTHENTICATING A USER DEVICE BASED ON AMBIENT ELECTROMAGNETIC SIGNALS
Document Type and Number:
WIPO Patent Application WO/2016/182506
Kind Code:
A1
Abstract:
The present invention discloses methods and systems for authenticating a client electronic device to a server computer. The method includes receiving values corresponding to at least one characteristic of each of a plurality of electromagnetic signals, the client electronic device being configured for sensing the plurality of electromagnetic signals and detecting values corresponding to the at least one characteristic of each of the plurality of electromagnetic signals. The values of the at least one characteristic are compared with a predetermined electromagnetic signature. Based on a result of the comparing, the client electronic device is authenticated.

Inventors:
BASKARAN KRISHNAMOORTHY (SG)
PRABHU SIVANESAN KAILASH (SG)
Application Number:
PCT/SG2016/000006
Publication Date:
November 17, 2016
Filing Date:
May 12, 2016
Assignee:
18 DEGREES LAB PTE LTD (SG)
International Classes:
H04L9/32; H04L9/08; H04W12/06
Foreign References:
US 8627433 B2 (2014-01-07)
US 2013/0179681 A1 (2013-07-11)
US 2013/0019292 A1 (2013-01-17)
US 8769655 B2 (2014-07-01)
US 2010/0235900 A1 (2010-09-16)
Claims:
THE FOLLOWING IS CLAIMED:

1. A method of authenticating a client electronic device to a server computer, the method comprising:

a. receiving values corresponding to at least one characteristic of each of a plurality of electromagnetic signals, wherein the client electronic device is configured for sensing the plurality of electromagnetic signals and detecting values corresponding to the at least one characteristic of each of the plurality of electromagnetic signals;

b. comparing values of the at least one characteristic with a predetermined electromagnetic signature; and

c. authenticating the client electronic device based on a result of the comparing.

2. The method of claim 1, wherein the plurality of electromagnetic signals corresponds to a plurality of communication protocols.

3. The method of claim 2, wherein the plurality of communication protocols comprises at least one of cellular communication, WiFi, WiMax, satellite communication and near field communication.

4. The method of claim 1, wherein the at least one characteristic comprises at least one of a signal strength, a frequency, a wavelength, a polarization, a wireless service provider identifier, wireless service network identifier, a Service Set Identifier (SSID), Base Station Service Set Identification (BSSID), a wireless cell identifier, a wireless sector identifier, a communication protocol identifier, encryption status identifier, a bandwidth identifier and a network device identifier.

5. The method of claim 1 further comprising receiving a credential from the client electronic device, wherein authenticating the client electronic device is based further on the credential.

6. The method of claim 1 further comprising performing registration of the client electronic device with the server computer, wherein performing the registration comprises:

a. receiving a credential from the client electronic device;

b. generating registration data based on the credential;

c. transmitting the registration data to the client electronic device, wherein the client electronic device comprises a display device configured to display the registration data;

d. receiving the registration data from the client electronic device, wherein the electronic device comprises a transmitter configured to transmit the registration data; and

e. registering the client electronic device with the server computer based on receipt of the registration data from the client electronic device.

7. The method of claim 1 further comprising receiving an authentication request, wherein the authentication request comprises each of the credential and values corresponding to the at least one characteristic of each of the plurality of electromagnetic signals.

8. The method of claim 7, wherein the authentication request further comprises a server credential.

9. The method of claim 1, wherein the comparing comprises determining a similarity metric between the values of the at least one characteristic and the predetermined electromagnetic signature.

10. The method of claim 9, wherein the similarity metric is determined based on at least one of statistical analysis, probabilistic analysis and pattern matching.

11. The method of claim 1 further comprising receiving the predetermined electromagnetic signature from the client electronic device, wherein the electromagnetic signature comprises values corresponding to at least one characteristic of each of the plurality of electromagnetic signals.

12. The method of claim 1 further comprising receiving a selection from a user device, wherein the selection indicates the client electronic device from a plurality of client electronic devices.

13. An authentication server for facilitating authentication of a client electronic device, the authentication server comprising:

a. a communication unit configured to receive values corresponding to at least one characteristic of each of a plurality of electromagnetic signals, wherein the client electronic device is configured for sensing the plurality of electromagnetic signals and detecting values corresponding to the at least one characteristic of each of the plurality of

electromagnetic signals;

b. a storage device configured to store a predetermined electromagnetic signature; and

c. a processor configured to:

i. compare values of the at least one characteristic with the predetermined electromagnetic signature; and

ii. authenticate the client electronic device based on a result of the comparing.

14. The system of claim 13, wherein the plurality of electromagnetic signals corresponds to a plurality of communication protocols.

15. The system of claim 14, wherein the plurality of communication protocols comprises at least one of cellular communication, WiFi, WiMax, satellite communication and near field communication.

16. The system of claim 13, wherein the at least one characteristic comprises at least one of a signal strength, a frequency, a wavelength, a polarization, a wireless service provider identifier, wireless service network identifier, a Service Set Identifier (SSID), Base Station Service Set Identification (BSSID), a wireless cell identifier, a wireless sector identifier, a communication protocol identifier, encryption status identifier, a bandwidth identifier and a network device identifier.

17. The system of claim 13, wherein the communication unit is further configured to receive a credential from the client electronic device, wherein authenticating the client electronic device is based further on the credential.

18. The system of claim 13 further configured to perform registration of the client electronic device, wherein performing the registration comprises:

a. receiving, using the communication unit, a credential from the client electronic device;

b. generating, using the processor, registration data based on the credential;

c. transmitting, using the communication unit, the registration data to the client electronic device, wherein the client electronic device comprises a display device configured to display the registration data;

d. receiving, using the communication unit, the registration data from the client electronic device, wherein the electronic device comprises a transmitter configured to transmit the registration data; and

e. registering, using the storage device, the client electronic device with the server computer based on receipt of the registration data from the client electronic device.

19. The system of claim 17, wherein the communication unit is further configured to receive an authentication request, wherein the authentication request comprises each of the credential and values corresponding to the at least one characteristic of each of the plurality of electromagnetic signals.

20. The system of claim 19, wherein the authentication request further comprises a server credential.

21. The system of claim 13, wherein the comparing comprises determining a similarity metric between the values of the at least one characteristic and the predetermined electromagnetic signature.

22. The system of claim 21, wherein the similarity metric is determined based on at least one of statistical analysis, probabilistic analysis and pattern matching.

23. The system of claim 13, wherein the communication unit is further configured to receive the predetermined electromagnetic signature from the client electronic device, wherein the electromagnetic signature comprises values corresponding to at least one characteristic of each of the plurality of electromagnetic signals.

24. The system of claim 13, wherein the communication unit is further configured to receive a selection from a user device, wherein the selection indicates the client electronic device from a plurality of client electronic devices.

25. An authentication server configured to facilitate two-factor authentication of a client electronic device to a server computer, the authentication server comprising:

a. a communication unit configured to receive an authentication request from the server computer, wherein the authentication request comprises each of a credential received from the client electronic device, a server credential associated with the server computer and values corresponding to at least one characteristic of each of a plurality of electromagnetic signals, wherein the client electronic device is configured for sensing the plurality of electromagnetic signals and detecting the values corresponding to the at least one characteristic of each of the plurality of electromagnetic signals, wherein the client electronic device is further configured to communicate the values corresponding to the at least one characteristic to the server computer, wherein the server computer is configured to communicate the values corresponding to the at least one characteristic to the authentication server;

b. a storage device configured to store a predetermined electromagnetic signature; and

c. a processor configured to:

i. compare values of the at least one characteristic with the predetermined electromagnetic signature; and

ii. generate an authentication response indicative of authentication of the client electronic device, wherein the authentication response is based on each of a result of the comparing and the credential received from the client electronic device, wherein the communication unit is further configured to communicate the authentication response to the server computer, wherein the server computer is configured to provide a service to the client electronic device based on the authentication response.

Description:
METHODS AND SYSTEMS FOR AUTHENTICATING A USER DEVICE BASED ON AMBIENT ELECTROMAGNETIC SIGNALS

TECHNICAL FIELD

The present disclosure generally relates to the field of authentication. More specifically, the present disclosure relates to methods and systems for authenticating user devices based on ambient electromagnetic signals.

BACKGROUND

Authentication for online accounts such as email accounts, payment accounts, e-commerce accounts, social media accounts, or enterprise VPN (Virtual Private Network) accounts is typically performed using secret codes, Personal Identification Numbers (PINs), email IDs, username-password combinations, or the like. However, with the increase in unethical hacking and data theft, conventional authentication tokens (i.e., passwords, PINs, etc.) can be easily compromised, shared, observed, stolen or forgotten. Therefore, a number of online service providers such as Google, PayPal, Microsoft, Facebook and many others have started to offer a feature called two-factor authentication (also known as 2FA). 2FA is a technique that employs a second authentication mechanism to complement the first factor of authentication, which is performed using a unique username-password combination. Common 2FA techniques include app-based authentication, SMS-based authentication, physical keys or hardware tokens, email-based authentication, fingerprint-based authentication, voice-based authentication and others. Different service providers may offer different types of authentication: for example, one may offer SMS-based authentication, while another service provider may implement email-based authentication. Although the above 2FA techniques are widely implemented and accepted by service providers, these techniques seem less effective in light of increasing cybercrime and other online security threats. For example, these techniques are prone to threats such as SMS forwarding, key logging, and offline phishing and thus often offer sub-par security. Moreover, the techniques are costly and offer a poor user experience. With the growing need for security and privacy, techniques that offer (i) a high level of authentication, (ii) a seamless user experience and (iii) cost effectiveness are required. Accordingly, the present disclosure provides improved methods and systems for performing authentication, including, but not limited to, two-factor authentication.

SUMMARY

In an embodiment, a method of authenticating a client electronic device to a server computer is provided. Values corresponding to at least one characteristic of each of a plurality of electromagnetic signals may be received. Accordingly, the client electronic device may be configured for sensing the plurality of electromagnetic signals and detecting values corresponding to the at least one characteristic of each of the plurality of electromagnetic signals. Further, the values of the at least one characteristic may be compared with a predetermined electromagnetic signature. Based on a result of the comparing, the client electronic device may be authenticated.

In another embodiment, an authentication server for facilitating authentication of a client electronic device is provided. The authentication server may include a communication unit, a storage device and a processor. The communication unit may be configured to receive values corresponding to at least one characteristic of each of a plurality of electromagnetic signals. The client electronic device may be configured for sensing the plurality of electromagnetic signals and detecting values corresponding to the at least one characteristic of each of the plurality of electromagnetic signals. Further, the storage device may be configured to store a predetermined electromagnetic signature. Accordingly, the processor may be configured to compare values of the at least one characteristic with the predetermined electromagnetic signature. The processor may further be configured to authenticate the client electronic device based on a result of the comparing.

In yet another embodiment, an authentication server configured to facilitate two-factor authentication of a client electronic device to a server computer is provided. The authentication server may include a communication unit, a storage device and a processor. The communication unit may be configured to receive an authentication request from the server computer, wherein the authentication request may include each of a credential received from the client electronic device, a server credential associated with the server computer and values corresponding to at least one characteristic of each of a plurality of electromagnetic signals. The client electronic device may be configured for sensing the plurality of electromagnetic signals and detecting the values corresponding to the at least one characteristic of each of the plurality of electromagnetic signals. The client electronic device may be further configured to communicate the values corresponding to the at least one characteristic to the server computer. Further, the server computer may be configured to communicate the values corresponding to the at least one characteristic to the authentication server. The storage device may be configured to store a predetermined electromagnetic signature. The processor may be configured to compare values of the at least one characteristic with the predetermined electromagnetic signature. Further, the processor may be configured to generate an authentication response indicative of authentication of the client electronic device. The authentication response may be based on each of a result of the comparing and the credential received from the client electronic device. Additionally, the communication unit may be further configured to communicate the authentication response to the server computer. Accordingly, the server computer may be configured to provide a service to the client electronic device based on the authentication response.

Further embodiments, features, and advantages, as well as the structure and operation of the various embodiments, are described in detail below with reference to the accompanying drawings.

BRIEF DESCRIPTION OF DRAWINGS

Embodiments are described with reference to the accompanying drawings. In the drawings, like reference numbers can indicate identical or functionally similar elements.

FIGs. 1A and 1B illustrate exemplary environments in which various embodiments of the invention can be practiced.

FIG. 1C depicts various examples of ambient electromagnetic environment, according to an embodiment.

FIG. 2 shows a sequence flow diagram for client device registration.

FIG. 3 shows a sequence flow diagram for client device authentication.

FIG. 4 shows a sequence flow diagram for client device authentication, according to another embodiment of the invention.

FIG. 5 is a method flowchart for registering a client device with a server.

FIG. 6 is a method flowchart for authenticating the client device using ambient electromagnetic data, according to an embodiment.

FIG. 7 illustrates exemplary system components for authenticating the client electronic device based on ambient electromagnetic data, according to an embodiment.

DETAILED DESCRIPTION

In the disclosure herein, consideration or use of a particular element number in a given FIG. or corresponding descriptive material can encompass the same, an equivalent, or an analogous element number identified in another FIG. or descriptive material corresponding thereto.

In the Detailed Description herein, references to "one embodiment", "an embodiment", "an example embodiment", etc., indicate that the embodiment described may include a particular feature, structure, or characteristic, but every embodiment may not necessarily include the particular feature, structure, or characteristic. Moreover, such phrases are not necessarily referring to the same embodiment. Further, when a particular feature, structure, or characteristic is described in connection with an embodiment, it may be within the knowledge of one skilled in the art to effect such feature, structure, or characteristic in connection with other embodiments whether or not explicitly described. The following detailed description refers to the accompanying drawings that illustrate exemplary embodiments. Other embodiments are possible, and modifications can be made to the embodiments within the spirit and scope of this description. Those skilled in the art with access to the teachings provided herein will recognize additional modifications, applications, and embodiments within the scope thereof and additional fields in which embodiments would be of significant utility. Therefore, the detailed description is not meant to limit the embodiments described below.

Overview

In today's world, users access their online accounts for every task they perform in their day-to-day lives, be it professional or personal. For example, users access their email accounts, social media accounts, bank accounts, shopping accounts, or the like. A few examples of such accounts include Gmail, Yahoo, Facebook, Twitter, LinkedIn, Dropbox, Instagram, Amazon, Google Drive, PayPal, etc. With the increase in online security threats and the need for users to access online accounts, protecting online accounts is essential. Thus, the present invention provides an advanced level of authentication for protecting online accounts.

The present invention relates to methods and systems for authenticating user devices to access online accounts based on electromagnetic signals. Specifically, the invention provides an authentication methodology that utilizes ambient electromagnetic signals in the vicinity of registered user devices. Examples of user devices include, but are not limited to, mobile devices, smartphones, PDAs (Personal Digital Assistants), tablet computers, personal computers, e-readers and so forth. Various characteristics of the electromagnetic signals in the ambient environment surrounding the user's device may be captured and then compared to predetermined stored characteristics of the signals. Based on the comparison, the user device may be authenticated to use online services. In this manner, the improved level of authentication offers a high level of security and thus prevents the misuse, modification or unauthorized access of online accounts.

Exemplary Terms

For better understanding, various terms are described here. However, it is understood by a person skilled in the art that the terms should not limit the scope of the disclosure.

2FA refers to Two-Factor Authentication.

Service Provider (SP) refers to an Online Service Provider which provides various services to users upon successful authentication (e.g. PayPal, Amazon, enterprise VPN or the like.)

User (U) refers to a user requesting services from a service provider. One such example may include logging into PayPal to transfer money. The identity of the user is to be established by the SP via 2FA. The user may also be referred to as a client.

Server Computer indicates a server hosted by the service provider for facilitating various services to users. The server computer is also referred to as a service provider server or server.

Mobile Device (Mu) is a personal smart device of the user for using services of the service provider. The mobile device is also referred to as a client electronic device or a user device.

Authentication Server (SAE2FA) refers to an entity that performs Ambient Electromagnetic Two-Factor Authentication (AE2FA) of the mobile device.

Application (MA) refers to an app/software/program installed on the user device which, together with SAE2FA, is responsible for completing AE2FA.

Electromagnetic Signal (ES) refers to an electromagnetic signal such as a Wi-Fi signal.

Electromagnetic Signal Attribute (ESA) refers to an electromagnetic signal's attribute such as signal strength, frequency, wavelength, network name etc.

{ES} denotes a set of one or more electromagnetic signals, each signal identified by one or more ESA.

Ambient Electromagnetic Environment refers to all electromagnetic signals generated by other devices in the vicinity of a mobile device/ user device.

F() refers to any function that takes the set of one or more electromagnetic signals {ES} as input and produces an output.

O indicates the output of function F().

Exemplary Environment

The present invention relates to methods and systems for authenticating an electronic device to use online services, based on ambient electromagnetic radiation (an environmental EM fingerprint). Signals (such as Wi-Fi, Bluetooth, cellular and others) surrounding the electronic device, as well as various characteristics (e.g. signal strength) of the corresponding signals, are captured and then used to authenticate the electronic device.

FIG. 1A illustrates an exemplary environment 100 in which various embodiments of the disclosure can be practiced. While discussing FIGs. 1A and 1B, references to various figures may be made. FIG. 1A is shown to include a client electronic device 104 (smartphone), and a server computer 106 communicatively coupled to the client electronic device 104 via a suitable communication link 108. The environment 100 as shown may be a business set-up or a personal set-up where a user 102 as shown typically carries the client electronic device 104 for various purposes. In some embodiments, the environment 100 may also include other places such as, but not limited to, a friend's place, cafes, restaurants, coffee shops, stores, subway stations or any outdoor places. Further, the environment 100 may include any place where the user 102 typically visits and carries a device (for example, the device 104) for accessing his account.

As shown, the client electronic device 104 may be any wireless personal device of the user 102. Various examples of the client electronic device 104 include, but are not limited to, smartphones, tablets, personal computers (PCs), media players, readers, Personal Digital Assistants (PDAs), headsets, cameras, vehicles, wearable devices, health monitoring devices, embedded computing devices, point-of-sale systems, and so forth. The client electronic device 104 is a device capable of sending or receiving data, processing data and storing data. The client electronic device 104 may be used by the user 102 to access emails, social networking websites, chat, business work, or for any other day-to-day tasks.

In the context of the current invention, the user 102 may use the client electronic device 104 to access an online account. The account may be accessed by logging into a website of the service provider, or via a mobile app running on the client electronic device 104. Various examples of the online account include, but are not limited to, a payment account, a social media account, an email account, and so forth. Before allowing access to the online account, the server computer 106 is configured to authenticate the client electronic device 104 based on ambient electromagnetic signals.

In many embodiments, the client electronic device 104 may use various communication technologies including Wi-Fi, Bluetooth, near-field communication, Zigbee, mobile telephone, GSM, CDMA, satellite, LTE technology, or various other wireless communication technologies as known in the art or later developed.

Here, the client electronic device 104 is configured to sense and capture electromagnetic signals in the ambient environment surrounding the client electronic device 104. To this end, the client electronic device 104 may include sensors (such as microphones, Wi-Fi and Bluetooth interfaces, GPS receivers, etc.) which can be used for collecting ambient context information and/or the ambient electromagnetic environment. According to FIG. 1A, the client electronic device 104 captures electromagnetic signals generated by devices such as 103 (laptop) and 105 (PDA) surrounding the device 104. Both devices 103 and 105 as shown generate Wi-Fi signals; however, other types of signals such as Bluetooth, NFC, Zigbee, etc. may be generated. The collected ambient electromagnetic data is the second-factor authentication data. The devices 103 and 105 generating electromagnetic signals form the ambient electromagnetic environment, indicated as 107. Further, these devices 103 and 105 may or may not belong to the user 102.

The devices 103 and 105 include devices that produce electromagnetic signals unintentionally as well as devices that produce electromagnetic signals intentionally. The devices 103 and 105 may use electromagnetic signals for communications with other devices, communication services, and the Internet. Each electromagnetic signal has various characteristics such as a signal strength, a frequency, a wavelength, a polarization, a wireless service provider identifier, a wireless service network identifier, a Service Set Identifier (SSID), a Base Station Service Set Identification (BSSID), a wireless cell identifier, a wireless sector identifier, a communication protocol identifier, an encryption status identifier, a bandwidth identifier and a network device identifier. Each of these characteristics is known in the art. Taken together, these characteristics form an electromagnetic signature (EM signature) that identifies the client electronic device 104 as being present in the environment. In other words, this signature allows the receiving devices, such as the server computer 106 or the authentication server (see FIG. 7), to recognize the client electronic device 104 and address it appropriately. The frequencies of the electromagnetic signals may vary between 1 MHz and 100 GHz, while in other embodiments other values may also be considered.

Upon collection, the client electronic device 104 transmits the ambient electromagnetic data to the server computer 106. Along with this, the client electronic device 104 may transmit credentials of the user 102 to the server computer 106.

The server computer 106 refers to any device capable of sending or receiving data, processing data and storing data. The server computer 106 is typically hosted by an online service provider for providing various services to its users.

As discussed above, the server computer 106 receives the ambient electromagnetic data transmitted by the client electronic device 104. Based on the received ambient data, the server computer 106 matches the received signals with predetermined or pre-stored electromagnetic signals and checks the credentials of the user 102. The comparison is performed against predetermined signals stored with the server computer 106. In other embodiments, the comparison may be performed by obtaining signatures from one or more registered devices (see FIG. 1B) by sending one or more authentication requests. The signature may be obtained from a user-selected device by sending an authentication request to the client electronic device 104.

Based on the matching and checking, the server computer 106 allows or denies access to the online account or to the service requested by the client electronic device 104. In this manner, the server computer 106 enables the user 102 to initiate any transaction related to the service provider.
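The matching and checking described above, and the authentication-server exchange of claim 25, as an added example in Python that is not code from the patent or from the assignee. The patent leaves the similarity metric open (statistical analysis, probabilistic analysis or pattern matching, claims 9 and 10), so the concrete pieces here are assumptions made for illustration: the fields kept per sensed signal (BSSID, SSID, signal strength, channel, encryption status), a weighted overlap-and-closeness score, a threshold of 0.6, the layout of the request forwarded by the server computer and of the server-side registry, and the sample scans, which are constructed.

```python
"""Ambient-EM signature comparison and the authentication-server decision.

Added example; not code from the patent or its assignee. The per-signal
fields, the weighted overlap/closeness metric, the 0.6 threshold, the
request and registry layouts and the sample scans are all assumptions.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class EmSignal:
    """One sensed signal; bssid (network device identifier) is the key."""
    bssid: str
    ssid: str
    rssi_dbm: int      # signal strength
    channel: int       # frequency, expressed as a Wi-Fi channel number
    encrypted: bool    # encryption status identifier


def signature_similarity(scan: List[EmSignal], stored: List[EmSignal],
                         rssi_tolerance_db: int = 15) -> float:
    """Score in [0, 1]: half from BSSID set overlap (Jaccard), half from how
    close each overlapping network's RSSI, SSID, channel and encryption are
    to the stored values. Networks that appeared or vanished only lower the
    overlap term, so one router being switched off does not fail the check."""
    ref: Dict[str, EmSignal] = {s.bssid: s for s in stored}
    seen = {s.bssid for s in scan}
    overlap = seen & set(ref)
    if not overlap:
        return 0.0
    jaccard = len(overlap) / len(seen | set(ref))
    closeness = []
    for s in scan:
        r = ref.get(s.bssid)
        if r is None:
            continue
        rssi_ok = max(0.0, 1.0 - abs(s.rssi_dbm - r.rssi_dbm) / rssi_tolerance_db)
        attrs_ok = 1.0 if (s.ssid, s.channel, s.encrypted) == (r.ssid, r.channel, r.encrypted) else 0.0
        closeness.append(0.5 * rssi_ok + 0.5 * attrs_ok)
    return 0.5 * jaccard + 0.5 * sum(closeness) / len(closeness)


SIMILARITY_THRESHOLD = 0.6   # assumed policy value; tune on real scans


def _h(secret: str) -> str:
    """Credentials are held and compared as SHA-256 hashes (assumption)."""
    return hashlib.sha256(secret.encode("utf-8")).hexdigest()


def handle_authentication_request(request: dict, registry: dict) -> dict:
    """Authentication-server side of claim 25: check the server credential,
    then the device credential, then the ambient-EM values, and return the
    response the server computer acts on. Message layout is assumed."""
    expected_sp = registry["server_credentials"].get(request.get("server_id", ""))
    if expected_sp is None or not hmac.compare_digest(expected_sp, _h(request.get("server_credential", ""))):
        return {"authenticated": False, "score": None, "reason": "server credential rejected"}
    device = registry["devices"].get(request.get("device_id", ""))
    if device is None or not hmac.compare_digest(device["credential_hash"], _h(request.get("credential", ""))):
        return {"authenticated": False, "score": None, "reason": "device credential rejected"}
    score = signature_similarity(request.get("em_values", []), device["signature"])
    ok = score >= SIMILARITY_THRESHOLD
    return {"authenticated": ok, "score": round(score, 3),
            "reason": "ambient EM signature matched" if ok else "ambient EM signature mismatch"}


# Constructed sample data (not from the patent).
HOME_SIGNATURE = [  # captured at registration
    EmSignal("02:00:00:00:00:01", "HomeNet", -45, 6, True),
    EmSignal("02:00:00:00:00:02", "Neighbor-2G", -70, 11, True),
    EmSignal("02:00:00:00:00:03", "Neighbor-5G", -78, 36, True),
    EmSignal("02:00:00:00:00:04", "Printer-Direct", -60, 1, False),
]
HOME_SCAN_LATER = [  # same place: Neighbor-5G off, a guest hotspot appeared, RSSI drifted
    EmSignal("02:00:00:00:00:01", "HomeNet", -48, 6, True),
    EmSignal("02:00:00:00:00:02", "Neighbor-2G", -73, 11, True),
    EmSignal("02:00:00:00:00:04", "Printer-Direct", -60, 1, False),
    EmSignal("02:00:00:00:00:05", "GuestPhone", -80, 1, True),
]
CAFE_SCAN = [  # a different place
    EmSignal("02:00:00:00:00:10", "Cafe-Free-WiFi", -50, 1, False),
    EmSignal("02:00:00:00:00:11", "Cafe-Staff", -62, 44, True),
]
REGISTRY = {
    "server_credentials": {"sp-example": _h("sp-secret")},
    "devices": {"dev-1": {"credential_hash": _h("device-password"), "signature": HOME_SIGNATURE}},
}


def make_request(server_credential: str, credential: str, em_values: List[EmSignal]) -> dict:
    """Request as forwarded by the server computer (layout assumed)."""
    return {"server_id": "sp-example", "server_credential": server_credential,
            "device_id": "dev-1", "credential": credential, "em_values": em_values}


if __name__ == "__main__":
    for name, scan in [("home, later", HOME_SCAN_LATER), ("cafe", CAFE_SCAN),
                       ("replayed stored signature", HOME_SIGNATURE)]:
        print(name, handle_authentication_request(make_request("sp-secret", "device-password", scan), REGISTRY))
```

Running the module prints the decision for the later home scan (score about 0.77, accepted), for the coffee-shop scan (0.0, rejected) and for a verbatim replay of the stored signature (1.0, accepted). The last result is the check a deployment must add: the ambient signature is observable by anyone within radio range and contains no secret, so a high score should be bound to a fresh server challenge, rate-limited and fused with a device-possession factor rather than accepted on its own. The threshold and the RSSI tolerance are placeholders to be tuned against real scans.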

In some embodiments, the client electronic device 104 may be registered with the server computer 106 to use services or access accounts, while in other scenarios the client electronic device 104 may not be registered with the server computer 106.
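The registration of claim 6 (receive the credential, generate registration data, hand it to the device for display, receive it back, register the device), as an added example in Python that is neither the patent's nor the assignee's code. It assumes that the registration data is a random one-time code bound on the server to the device and to a hash of the credential, that the code expires after a time-to-live and is consumed on first presentation, and that the device returns its initial ambient-EM signature together with the code (claim 11) so that the server holds a predetermined signature for later comparison; the clock is injected for testability and the inputs are constructed.

```python
"""Server side of the registration handshake in claim 6.

Added example; not code from the patent or its assignee. The random one-time
code, the time-to-live, single-use enforcement, storing only a credential
hash and the injected clock are assumptions made for illustration.
"""
import hashlib
import secrets
import time
from typing import Callable, Dict, List, Optional, Tuple


class RegistrationServer:
    """Steps a to e of claim 6: receive the credential, generate registration
    data, hand it to the device for display, accept it back, register."""

    def __init__(self, ttl_seconds: int = 300,
                 now: Callable[[], float] = time.time) -> None:
        self._ttl = ttl_seconds
        self._now = now                    # injectable clock so expiry is testable
        # registration code -> (device_id, credential hash, expiry time)
        self._pending: Dict[str, Tuple[str, str, float]] = {}
        # device_id -> {"credential_hash", "signature"}; filled only by step e
        self.registered: Dict[str, dict] = {}

    @staticmethod
    def credential_hash(credential: str) -> str:
        """Hold a hash rather than the credential itself (assumption)."""
        return hashlib.sha256(credential.encode("utf-8")).hexdigest()

    def begin(self, device_id: str, credential: str) -> str:
        """Steps a to c: bind a fresh random code to the device and credential
        and return it for the client to display (for example as a QR code)."""
        code = secrets.token_hex(8)        # 64 random bits; not derivable from the credential
        self._pending[code] = (device_id, self.credential_hash(credential),
                               self._now() + self._ttl)
        return code

    def complete(self, code: str, em_signature: Optional[List[dict]] = None) -> bool:
        """Steps d and e: accept the code transmitted back by the device and,
        with it, the ambient-EM signature to keep as the predetermined
        signature (claim 11). The code is consumed on first presentation
        whether or not it is still valid, so a captured code cannot be replayed."""
        entry = self._pending.pop(code, None)
        if entry is None:
            return False                   # unknown, already used, or never issued
        device_id, cred_hash, expires_at = entry
        if self._now() > expires_at:
            return False                   # the display-and-return round trip took too long
        self.registered[device_id] = {"credential_hash": cred_hash,
                                      "signature": list(em_signature or [])}
        return True


if __name__ == "__main__":
    server = RegistrationServer()
    shown = server.begin("dev-1", "device-password")   # constructed sample input
    print("display:", shown)
    print("first use:", server.complete(shown, [{"bssid": "02:00:00:00:00:01", "rssi_dbm": -45}]))
    print("second use:", server.complete(shown))
```

Because the code is random rather than derived from the credential, nothing the device displays reveals the credential, and because the pending entry is removed on first use, a code read off the display by a bystander is worthless once the legitimate device has returned it; the short time-to-live narrows the window in which a bystander could present it first. If the server must be stateless across instances, the pending table can be replaced by a MAC'd token carrying the same fields plus a shared set of used codes.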

As discussed, the server computer 106 performs authentication of the client electronic device 104. In many embodiments, the authentication functionality may be performed by another entity such as an authentication server (see FIG. 7). Here, the client electronic device 104 is a second-factor authentication device.

As shown, the client electronic device 104 is communicatively coupled to the server computer 106 via a communication link 108. The communication link 108 may be wired or wireless (such as Wi-Fi, WiMax, or other wireless technologies) or a combination of these. Examples include a LAN or wireless LAN connection, an Internet connection, a point-to-point connection, or other network connection and combinations thereof. The communication link 108 can be any other type of network that is capable of transmitting or receiving data to/from host computers, personal devices, telephones or any other electronic devices. Further, the communication link 108 is capable of transmitting data between the mentioned devices.

Additionally, the communication link 108 may be a local, regional, or global communication network, for example, an enterprise telecommunication network, the Internet, a global mobile communication network, mobile telephone, GSM, CDMA, satellite, LTE technology, or any combination of similar networks. The communication link 108 may be a combination of an enterprise network (or the Internet) and a cellular network, in which case suitable systems and methods are employed to communicate seamlessly between the two networks. In such cases, a mobile switching gateway may be utilized to communicate with a computer network gateway to pass data between the two networks. The communication link 108 may include any software, hardware, or computer applications that can provide a medium to exchange signals or data in any of the formats known in the art, related art, or developed later.

FIG. 1B shows another exemplary environment 101, where the user 102 uses or registers multiple devices such as 104-1, 104-2, 104-3 to use services provided by various providers. Each provider has a respective server computer 106-1, 106-2, and 106-3 to authenticate the client electronic devices 104-1, 104-2, and 104-3. For example, the client electronic device 104-1 may be used to access Amazon services hosted by the server computer 106-1; here the server computer 106-1 authenticates the client electronic device 104-1. In another example, the client electronic device 104-2 may be used to access PayPal services hosted by the server computer 106-2; here the server computer 106-2 authenticates the client electronic device 104-2. In a further example, the client electronic device 104-3 may be used to access VPN services hosted by the server computer 106-3; here the server computer 106-3 authenticates the client electronic device 104-3. Each of the devices 104-1, 104-2, and 104-3 may be communicatively coupled to the server computers 106-1, 106-2, and 106-3 via respective communication links such as 108-1, 108-2, and 108-3.

In some embodiments (although not shown), the user 102 may register multiple devices such as 104-1, 104-2 and 104-3 to access services of a single service provider, for example 106-1.

FIG. 1C shows various examples of ambient environments in the form of snapshots for better understanding of the invention. The snapshot 110 shows a home environment, the snapshot 120 shows a friend's place, the snapshot 130 shows a coffee shop and the snapshot 140 depicts a business environment. According to the snapshot 110, it can be considered that the device which is to be authenticated is a device 112 carried by a user 111, and signals generated by surrounding devices 114 and 116 constitute ambient electromagnetic signals or data. The signals (although not shown) are captured by the device 112 for authentication purposes.

According to the snapshot 120, it is considered that a user 121 is at his or her friend's place. The user 121 has a device 122 which is to be authenticated for an online account, and signals generated by surrounding devices such as a mobile device 124 of the friend constitute ambient electromagnetic environment signals or data. The signals generated by the device 124 are captured by the device 122 for authentication purposes. According to a further snapshot 130, it is considered that a user 131 typically visits a cafe and carries his laptop 132 for accessing his online account. The laptop 132 is the device which is to be authenticated, and signals generated by nearby devices such as 134, 136, and 138 are captured by the device 132 and are sent to the service provider for authentication purposes. The device 132 may also capture signals generated by other nearby devices such as the cafe's Wi-Fi router or other devices of visitors (although not shown).

The snapshot 140 is of a business environment, where a number of users use devices for their daily tasks. Here, a user 141 carries a device 142 which is to be authenticated, and nearby devices surrounding the device 142 include 144, 146 and 148. The device 142 captures the signals generated by these devices 144, 146 and 148 and transmits them remotely for authentication purposes.

In all the snapshots above, it can be considered that the devices 112, 122, 132, and 142 also capture near-by electromagnetic signals generated by devices which are not shown in the snapshots.

FIG. 2 shows a sequence flow diagram 200 for client device registration - in this case mobile device M u 104 of the user U 102. While discussing FIG. 2, references to various figures may be made. In particular, FIG. 2 shows an interaction between the mobile device M u 104, an authentication server 202 and the server computer 106 (also referred to as service provider, SP). As illustrated, the mobile device M u 104 is communicatively coupled to the service provider SP 106. The connection may be any wired or wireless connection as discussed above. The mobile device M u 104 may be connected to the service provider SP 106 for the typical log-in process, in which the user U 102 enters username/password and logs into the service provider SP 106 for using its services.

The user U 102 proceeds to register the mobile device M u 104-3 as a second factor authentication device. The registration procedure occurs when the service provider SP 106 prompts the user U 102 to carry out the registration when the service provider SP 106 website is accessed by the user U 102. In some embodiments, the user U 102 himself or herself initiates the registration process. Further, the registration process may be triggered by clicking on a link provided by the service provider SP 106 or by any other method employed by the service provider SP 106.

Upon initiation, the mobile device M u 104 transmits credentials (marked as 204) of the user U 102 to the service provider SP 106. The service provider SP 106 further transmits the credentials (marked as 204) of the user U 102 to the authentication server 202. The credentials 204 may include username, email id, profile information and so forth. Along with this, the service provider SP 106 transmits its details such as service provider name, service provider id, etc. The authentication server 202 stores the received credentials 204 of the user U 102 as well as the credentials of the service provider SP 106 and returns registration data (marked as 206).

The registration data 206 may be in the form of a code, QR codes, text boxes, a series of strings etc. The registration data 206 is transmitted to the service provider SP 106 and the data 206 is further shared with the user U 102 by the service provider SP 106. As a next step, the user U 102 launches the service provider app on the device M u 104. The registration data is then fed into the device M u 104 by a QR code scanner, manual entry or any other form of data entry. The application transmits the fed registration data 206 along with other data 208 such as push id, name of the device M u 104, and data entered by the user U 102 in response to prompt by the application etc., to the authentication server 202.

The authentication server 202 further validates the data received from the device M u 104. In some embodiments, the device M u 104 and the authentication server 202 store the data received from each other. Upon successful validation, the device M u 104 is considered a registered device for the user U 102 to use services offered by the service provider SP 106. In this manner, the registration process of the device M u 104 with the service provider SP 106 is completed, and the device can be used to access the services of the service provider SP 106.

Similar to the registration of the device M u 104 with the service provider SP 106, the user U 102 can register with other service providers (from which the user U 102 derives services). The registration can be done using the same device M u 104 or using other devices such as 104-1, 104-2, and 104-3. Upon completion of the registration process, the user U 102 can be authenticated via the device M u 104 on behalf of the service provider SP 106 that requests such an authentication.

FIG. 3 shows a sequence flow diagram 300 for client device authentication - in this case mobile device M u 104 of the user U 102, according to an embodiment of the disclosure. Here, the flow diagram 300 shows an interaction between the device M u 104, the authentication server 202 and the service provider SP 106. The authentication server 202 receives an authentication request from the service provider SP 106 to authenticate the user U 102 or the device M u 104. The request is initially sent by the user U 102 to the service provider SP 106. The request includes details of the user U 102 and the mobile device M u 104. Along with this, credentials of the service provider SP 106, such as the service provider name, may also be sent. In the context of the present invention, the request includes a set of one or more electromagnetic signals {ES} 304 in the ambient environment (for example 107) surrounding the mobile device M u 104 from which the user U 102 is being authenticated to avail services offered by the service provider SP 106. In the example shown in FIG. 1, the electromagnetic signals include Wi-Fi from both the devices 103 and 105. However, various other examples of the electromagnetic signals include Bluetooth, Audio, GPS signals, Cellular, or the like. As an example, the set of electromagnetic signals may be in the following format, although other formats may also be employed:

{Wifi:[(myWifi, 95),(officeWiFi, 100)], Bluetooth: [(Audio, 50)], Cellular: [(Reliance, 85)], GPS: [(32,60)]}

The example above shows an ambient electromagnetic environment containing one or more signals such as Wi-Fi, Bluetooth, Cellular and GPS signals along with their respective name and signal strength. The authentication server 202 computes function F ({ES}) and stores the output O.

In embodiments where multiple devices such as M u 104-1, M u 104-2, and M u 104-3 are registered under the user U 102, a list of these devices is generated by the authentication server 202 for the user U 102 to choose from. This list can be a complete or partial list of devices registered under the user U 102. Further, the list may be in the form of a drop-down box or any other form of entry selection, and may also be generated even if only one mobile device M u 104-1 is registered under the user U 102. Here, the list is transmitted from the service provider SP 106 and is displayed to the user U 102. The user U 102 is prompted to select a device, i.e., M u 104, from the above list for authentication, and the selection is transmitted to the authentication server 202. In other embodiments, the authentication server 202 may select one device M u 104 on behalf of the user U 102 without prompting the user U 102 to make a selection.

As shown in FIG. 3, the authentication server 202 transmits an authentication request 302 to one or more devices such as M u 104-1 and M u 104-2 and in response receives one or more electromagnetic signals. Each signal corresponds to the ambient electromagnetic environment (although not shown) of the respective device. As an example, the authentication server 202 receives the respective electromagnetic signals from the devices M u 104-1 and M u 104-2 as follows:

EM Signal from the device M u 104-1

{Wifi:[(myWifi, 95),(officeWiFi, 100)], Bluetooth: [(Audio, 50)], Cellular: [(Reliance, 85)], GPS: [(32,60)]}

EM Signal from the device M u 104-2

{Wifi:[(homeWifi, 90)], Cellular: [(Singtel, 100)]}

For each electromagnetic signal obtained from the devices 104-1 and 104-2, the authentication server 202 computes F ({ES}) 306, forming a set of outputs {O}. The user U 102 is considered an authenticated user if O is within {O}. Suitable methods, such as, but not limited to, statistical, probabilistic, pattern matching etc. may be employed by the authentication server 202 to find whether the output O is within {O}. If O is not within {O}, the user U 102 is deemed to have failed authentication. Based on the output, the result of the authentication is transmitted to the service provider SP 106 by the authentication server 202. As a result, the service provider SP 106 may take any pertinent action depending on the authentication result. In one example, the service provider SP 106 may deny the transaction initiated by the user U 102. In another example, the service provider SP 106 may deny log-in for the user U 102, etc.

In some embodiments, the authentication server 202 maintains a white-list (WL) of electromagnetic signals for the user U 102 availing services from the service provider SP 106. Further, the authentication server 202 receives an authentication request from the service provider SP 106 to authenticate the user U 102. The request includes credentials like username, email etc., along with the SP's credentials like name etc. The request also contains a set of electromagnetic signals {ES} 304, i.e., the set of electromagnetic signals in the ambient environment surrounding the device M u 104 from which the user U 102 is being authenticated to avail services offered by the service provider SP 106. The authentication server 202 computes F ({ES}) and stores the output as O. For each {ES} 304 in the whitelist, the authentication server 202 computes F ({ES}), forming a set of outputs {O}. The user U 102 is considered authenticated by the authentication server 202 if O is within {O}. Any suitable methods such as, but not limited to, statistical, probabilistic, pattern matching or a combination of these may be employed by the authentication server 202 to find whether O is within {O}. If O is not within {O}, the user U 102 is deemed to have failed authentication.

In some embodiments, no involvement of the device M u 104 may be required and authentication may be handled by the authentication server 202 locally. The result of the authentication is transmitted to the service provider SP 106 by the authentication server 202. Based on the authentication result, the service provider SP 106 can now take any pertinent action such as allowing/denying log-in for the user U 102 etc.

FIG. 4 shows a sequence flow diagram 400 for client device authentication - in this case the mobile device M u 104 of the user U 102, according to an embodiment of the disclosure. In this embodiment, the authentication server 202 maintains a whitelist (WL) 402 of sets of electromagnetic signals for the user U 102 availing services from the service provider SP 106.

The authentication server 202 receives an authentication request from the service provider SP 106 to authenticate the user U 102, wherein the request includes user credentials like username, email etc., along with credentials of the service provider SP 106. The request also contains a set of one or more electromagnetic signals 304 {ES} in the ambient environment surrounding the device M u 104 from which the user U 102 is being authenticated to avail services offered by the service provider SP 106. The authentication server 202 computes F ({ES}) 306 and stores the output as O.

For each electromagnetic signal in the whitelist 402, the authentication server 202 computes the function F ({ES}) 306, forming a set of outputs {O}. The user U 102 is considered authenticated by the authentication server 202 if O is within {O}. Any suitable methods such as, but not limited to, statistical, probabilistic, pattern matching etc. may be employed by the authentication server 202 to find whether O is within {O}. If O is not within {O}, and if multiple devices such as M u 104-1, M u 104-2 and M u 104-3 are registered under the user U 102 for the request from the service provider SP 106, a device list choice is generated by the authentication server 202. This list can be a complete or partial list of the devices M u 104-1, M u 104-2 and M u 104-3 registered under the user U 102 for the request from the service provider SP 106. The list can be in the form of a drop-down box or any other form of entry selection. In many scenarios, the list may be generated even if only one device such as M u 104-1 is registered under the user U 102. The user U 102 is prompted to select a device from the above list, and the selection 404 is transmitted to the authentication server 202. In alternate scenarios, the authentication server 202 may select a device such as M u 104-1 on behalf of the user U 102 without prompting the user U 102 to make the selection.

Further, the authentication server 202 transmits an authentication request 302 to one or more devices such as M u 104-1, M u 104-2 and M u 104-3 and in response receives one or more sets of electromagnetic signals 304; each set {ES} 304 corresponds to the ambient electromagnetic environment of the respective device M u 104-1, M u 104-2 or M u 104-3.

For each {ES} 304 obtained from M u 104-1, M u 104-2 and M u 104-3, the authentication server 202 computes F ({ES}) 306, forming a set of outputs {O}. The user is deemed by the authentication server 202 to have passed authentication if O is within {O}. Any suitable methods such as, but not limited to, statistical, probabilistic, pattern matching etc. may be employed by the authentication server 202 to find whether O is within {O}. If O is not within {O}, the user U 102 is deemed to have failed authentication.

In some embodiments, no involvement of devices is required and authentication is handled by the authentication server 202 locally. The result of the authentication is transmitted to the SP 106 by the authentication server 202. The service provider SP 106 can then take any pertinent action depending on the authentication result. This action may include allowing/denying log-in for the user U 102, etc.

In all embodiments as discussed above, the device M u 104-1, from which the user U 102 is availing service from the service provider SP 106 may or may not be a registered device of the user U 102.

In the present invention, the authentication server 202 may create the whitelist 402 via any suitable means. For example, one way may be monitoring a history of successful authentication of the user U 102 and the corresponding electromagnetic signals, which resulted in each such successful authentication. In such cases, the WL 402 may be the list of such electromagnetic signals.
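As an added example (not code from the patent, which leaves F and the comparison method open), the following Python realises the whitelist check of FIG. 3 and FIG. 4 and the history-based construction of WL 402 just described. It assumes that F({ES}) is a fingerprint keyed by protocol and identifier with strength scaled to [0, 1], that "O is within {O}" means a weighted-overlap similarity of at least an assumed threshold, and that the fallback of querying registered devices (request 302) is simulated with constructed signal sets; the device names and sample environments are constructed.

```python
"""Added example: a concrete realisation of the FIG. 3 / FIG. 4 whitelist check.
The fingerprint, the similarity score and the thresholds are assumptions,
not the inventors' design; all sample data is constructed."""
from typing import Dict, List, Optional, Tuple

# {ES} in the page's format: protocol -> [(identifier, strength 0..100)]
SignalSet = Dict[str, List[Tuple[str, float]]]
# O = F({ES}): 'protocol:identifier' -> strength scaled to [0, 1]
Fingerprint = Dict[str, float]

THRESHOLD = 0.6   # assumed: minimum similarity for "O is within {O}"
DEDUP = 0.95      # assumed: near-duplicate environments collapse in the whitelist


def fingerprint(es: SignalSet) -> Fingerprint:
    """F({ES}): one entry per observed signal, keyed by protocol and
    identifier (case-folded), valued by strength clamped to [0, 1]."""
    out: Fingerprint = {}
    for proto, readings in es.items():
        for ident, strength in readings:
            key = f"{proto.lower()}:{str(ident).lower()}"
            out[key] = max(0.0, min(1.0, float(strength) / 100.0))
    return out


def similarity(a: Fingerprint, b: Fingerprint) -> float:
    """Weighted-overlap score in [0, 1]. A signal present in both fingerprints
    scores 1 minus the strength difference; a signal seen on one side only
    scores 0, so an unfamiliar place sharing one cell tower stays low."""
    keys = set(a) | set(b)
    if not keys:
        return 0.0
    shared = set(a) & set(b)
    return sum(1.0 - abs(a[k] - b[k]) for k in shared) / len(keys)


def within(o: Fingerprint, outputs: List[Fingerprint]) -> bool:
    """'O is within {O}': O is close enough to at least one member of {O}."""
    return any(similarity(o, w) >= THRESHOLD for w in outputs)


def build_whitelist(history: List[SignalSet]) -> List[Fingerprint]:
    """WL 402 derived from the ambient sets that accompanied earlier successful
    authentications, collapsing near-identical environments."""
    wl: List[Fingerprint] = []
    for es in history:
        fp = fingerprint(es)
        if not any(similarity(fp, w) >= DEDUP for w in wl):
            wl.append(fp)
    return wl


def authenticate(presented: SignalSet, whitelist: List[Fingerprint],
                 device_signals: Optional[Dict[str, SignalSet]] = None,
                 ) -> Tuple[bool, str]:
    """Second-factor decision for one request.

    1. O = F(presented {ES}) is compared with the whitelist (306).
    2. If that fails and registered devices are available, each device's
       freshly reported {ES} (authentication request 302) is compared too.
    Returns (authenticated, reason). The first-factor credential check is
    assumed to have passed already and is not repeated here.
    """
    o = fingerprint(presented)
    if within(o, whitelist):
        return True, "whitelist"
    for name, es in (device_signals or {}).items():
        if similarity(o, fingerprint(es)) >= THRESHOLD:
            return True, f"device:{name}"
    return False, "no match"


# Constructed samples: the two device reports from the page plus two variants.
ES_DEVICE_1: SignalSet = {
    "Wifi": [("myWifi", 95), ("officeWiFi", 100)],
    "Bluetooth": [("Audio", 50)],
    "Cellular": [("Reliance", 85)],
    "GPS": [("32", 60)],
}
ES_DEVICE_2: SignalSet = {"Wifi": [("homeWifi", 90)], "Cellular": [("Singtel", 100)]}
ES_SAME_PLACE_LATER: SignalSet = {          # same office, strengths drifted
    "Wifi": [("myWifi", 90), ("officeWiFi", 95)],
    "Bluetooth": [("Audio", 55)],
    "Cellular": [("Reliance", 80)],
    "GPS": [("32", 60)],
}
ES_UNKNOWN_CAFE: SignalSet = {"Wifi": [("cafeWifi", 70)], "Cellular": [("Reliance", 80)]}

if __name__ == "__main__":
    wl = build_whitelist([ES_DEVICE_1, ES_SAME_PLACE_LATER])
    print(len(wl), "whitelist entry/entries")        # 1: the drifted set collapses
    print(authenticate(ES_SAME_PLACE_LATER, wl))     # (True, 'whitelist')
    print(authenticate(ES_UNKNOWN_CAFE, wl))         # (False, 'no match')
    print(authenticate(ES_UNKNOWN_CAFE, wl, {       # a registered device at the cafe
        "M_u 104-2": ES_DEVICE_2,
        "M_u 104-3": {"Wifi": [("cafeWifi", 72)], "Cellular": [("Reliance", 78)]},
    }))                                              # (True, 'device:M_u 104-3')
```

Because SSIDs, BSSIDs and cell identifiers are broadcast in the clear and can be reproduced by anyone nearby, a deployment would treat this score as one risk signal beside the credential check rather than as proof of location on its own.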

Exemplary Method Flowchart - Registration

FIG. 5 shows a method flowchart for performing registration of a client electronic device (for example, the client electronic device 104) with a server computer (say, the server computer 106). While discussing, references to other figures may be made. The method includes steps performed by the server computer 106 or the authentication server 202.

Initially, the user 102 accesses the server computer 106 to use services offered by the service provider. The user 102 is required to register the client electronic device 104 with the server computer 106 before using the service. At 502, the method includes the step of receiving a credential from the client electronic device 104. The credential is received by the server computer 106 and is further transmitted to the authentication server 202. Based on the credential, registration data is generated at 504 by the authentication server 202. Once generated, at 506, the registration data is transmitted to the client electronic device 104 by the server computer 106. The registration data is then displayed to the user 102 through a display of the client electronic device 104. Thereafter, at 508, the registration data is received back from the client electronic device 104; it is received by the server computer 106 and further transmitted to the authentication server 202. At 510, the client electronic device 104 is registered with the server computer 106 based on receipt of the registration data from the client electronic device 104.

In this manner, the user 102 registers the device 104, which is then used to authenticate the online account/services with the service provider or the server computer 106. While FIG. 5 shows the user 102 registering a single device, i.e., device 104, with the server computer 106 / service provider, the user 102 may register multiple devices with the server computer 106 or with other service providers.

Exemplary Method Flowchart - Authentication

FIG. 6 is a method flowchart for authenticating a client electronic device (for example, the device 104) for using services provided by a service provider. While discussing FIG. 6, references to other figures may be made. The method includes steps performed by the server computer 106 or the authentication server 202. The method focuses on two factor authentication based on electromagnetic data surrounding the client electronic device 104. The method will be discussed considering that the client electronic device 104 is already registered by the user 102 as discussed above in FIG. 5.

Initially, the user 102 accesses a website hosted by the service provider and wishes to use various services as offered by the service provider. In some scenarios, the user 102 may access a mobile app to use services provided by the provider. In an example, the service provider may provide online shopping services to the user 102. In another example, the service provider may provide online payment services to the user 102 i.e., transferring money, making bill payments, etc. The services can be accessed by the user 102 through the server computer 106 as hosted by the service provider.

To this end, the user 102 inputs login credentials such as username, password, email id, etc., to access his account with the service provider. Upon receipt, the user credentials are checked by the server computer 106. Authentication using user credentials is conventional and is called first factor authentication. Upon successful authentication, an additional level of authentication, i.e., a second factor authentication, is performed.

At 602, a request for authenticating the client electronic device 104 is received, wherein the request is received by the server computer 106 and/or the authentication server 202. The request includes user credentials as well as credentials of the server computer 106. In the context of the present invention, the request includes a plurality of electromagnetic signals surrounding the client electronic device 104 (i.e., ambient electromagnetic data). Values corresponding to various characteristics of the electromagnetic signals are received. The ambient electromagnetic data is captured by the client electronic device 104, which further detects the values corresponding to the various characteristics of the electromagnetic signals. At 604, the received values are compared to a predetermined electromagnetic signature. Based on the comparison, the client electronic device 104 is authenticated at 606. The electromagnetic signature combined with the credential of the client electronic device 104 constitutes the two factor authentication, and the combination of the credential of the user 102 with the values of the EM signals authenticates the client electronic device 104. The electromagnetic signature is compared with predetermined signatures (which is basically the whitelist WL 402). In other embodiments, the signatures may be obtained from one or more registered devices by sending one or more authentication requests, or from a user-selected device by sending an authentication request to the device 104.

The step of comparing includes determining a similarity metric between the values of the characteristic and the predetermined electromagnetic signature. The similarity metric may be determined based on one or more techniques including, but not limited to, statistical analysis, probabilistic analysis and pattern matching.

As discussed above, the electromagnetic signals correspond to a plurality of communication protocols. Some examples of the protocols include cellular communication, WiFi, WiMax, satellite communication and near field communication. Various examples of the characteristics of the signals include, but are not limited to, signal strength, a frequency, a wavelength, a polarization, a wireless service provider identifier, a wireless service network identifier, a Service Set Identifier (SSID), a Basic Service Set Identifier (BSSID), a wireless cell identifier, a wireless sector identifier, a communication protocol identifier, an encryption status identifier, a bandwidth identifier and a network device identifier. A person skilled in the art will understand that these examples are given for understanding purposes only and do not limit the scope of the disclosure.

In scenarios where the user 102 registers multiple devices with the server computer 106, the step of receiving a selection from a user device is performed. The selection indicates a client electronic device, from a plurality of client electronic devices, using which the user 102 gets authenticated.

FIG. 7 shows an exemplary overall system 700, according to an embodiment of the disclosure. The system 700 includes a user device 104, a service provider server 702 which is communicatively coupled to the user device 104, and an authentication server 710 which is communicatively coupled to the service provider server 702. As shown, the service provider server 702 includes a communication unit 704, a storage device 706, and a processor 708, where each of these is coupled to the others via suitable communication protocols, a conventional bus or later developed protocols. Similar to the service provider server 702, the authentication server 710 also includes a communication unit 712, a storage device 714 and a processor 716. The user device 104 may be coupled to the service provider server 702 via a communication link 701, while the service provider server may be coupled to the authentication server 710 via a link 703.

The authentication server 710 is configured to facilitate two-factor authentication of the user device 104, for using services offered by the service provider. The services can be accessed through the service provider server 702 as shown in the figure. In other words, the user device 104 is authenticated to the service provider server 702 using two-factor authentication mechanism.

As shown, the user device 104 is configured to access the services offered by the service provider. Before accessing the services, the user device 104 is authenticated by the authentication server 710. Each time the user 102 accesses the service provider, the request is transmitted to service provider server 702.

The service provider server 702 forwards the request to the authentication server 710 for authenticating the user device 104 for accessing the services. In particular, the service provider server 702 receives the authentication request from the user device 104. Here, the communication unit 712 of the authentication server 710 receives details of the user device 104, the server 702 and values corresponding to various characteristics of the ambient electromagnetic environment data. Upon receipt, the storage device 714 is configured to store the received details. The details are then forwarded to the processor 716 of the authentication server 710. The processor 716 compares the values of the characteristics with the predetermined electromagnetic signature. Based on the comparison and the received credential of the user device 104, the processor 716 generates an authentication response. The authentication response may be in the form of access to the service or denial of the service.

Similar to the authentication server 710, the communication unit 704 of the service provider server 702 is configured to communicate with the user device 104 and with the authentication server 710 for sending and/or receiving the required data. For example, the communication unit 704 is configured to receive a credential of the user device 104. In another example, the communication unit 704 is further configured to receive a selection from a user device, the selection indicates the client electronic device 104-1 from a plurality of client electronic devices 104-1 , 104-2 and 104-3. The storage device 706 is configured to store details related to the user device 104, authentication response and any other related details during the process of authentication of the user device 104. The processor is further configured to generate values corresponding to each of the electromagnetic signals.

The storage devices 706 and 714 store applications, software, or logic. The storage devices 706 and 714 may include RAM (random access memory), flash memories, ROMs (read-only memories), EPROMs (erasable programmable read-only memories), and EEPROMs (electrically erasable programmable read-only memories). Examples of processors such as 708 and 716 are computer processors (processing units), microprocessors, digital signal processors, controllers and microcontrollers, etc.

It may be understood that in an embodiment of the present invention, the components 702-716 may be in the form of hardware components, while in another embodiment, the components 702-716 may be in the form of software entities/modules. In yet another embodiment of the present invention, the components may be a combination of hardware and software modules. Further, the authentication server 710 may be a part of the service provider server 702.

In some embodiments, the present invention may be implemented by various service providers such as payment service providers, email service providers, Internet service providers, e-commerce service providers, bank service providers, cloud/web hosting service providers, network providers, cloud providers, domain name providers, social media providers and so forth. In other words, the invention may be implemented for any online services where authentication is required.

The present invention provides methods and systems for authenticating a user device based on ambient electromagnetic signals, and thus provides improved protection against online security threats. For example, the invention is robust to many existing security threats such as SMS forwarding, key logging, offline phishing etc. Further, the invention facilitates a seamless user experience, as the invention does not rely on SMSs, hardware dongles or user prompts. Moreover, the present invention provides a cost-effective solution and offers an advanced level of security over existing solutions. The brief Summary and Abstract sections may set forth one or more but not all example embodiments and thus are not intended to limit the scope of the present disclosure and the appended claims in any way.

Embodiments have been described above with the aid of functional building blocks illustrating the implementation of specified functions and relationships thereof. The boundaries of these functional building blocks have been arbitrarily defined herein for the convenience of the description. Alternate boundaries can be defined so long as the specified functions and relationships thereof are appropriately performed.

The foregoing description of specific embodiments will so fully reveal the general nature of the disclosure that others can, by applying knowledge within the skill of the art, readily modify and/or adapt for various applications such specific embodiments, without undue experimentation, without departing from the general concept of the present disclosure. Therefore, such adaptations and modifications are intended to be within the meaning and range of equivalents of the disclosed embodiments, based on the teaching and guidance presented herein. It is to be understood that the phraseology or terminology herein is for the purpose of description and not of limitation, such that the terminology or phraseology of the present specification is to be interpreted by the skilled artisan in light of the teachings and guidance.

The breadth and scope of the present disclosure should not be limited by any of the above-described example embodiments, but should be defined only in accordance with the following claims and their equivalents.