The present invention relates to a wireless control token with a wireless transmitter, for example a remote entry key for a vehicle.

It is commonplace to allow for remote keyless entry, in particular for vehicles.

Existing remote central locking systems for vehicles include a lock that uses an electronic remote control as a key. The key is activated by a button on a handheld device or operates automatically by proximity of a handheld device to the vehicle. In vehicles a remote keyless entry system performs the functions of a standard car key without physical contact. The system may also perform other functions, for example opening the trunk or starting the engine. Such devices are types of control tokens. Similar control tokens can be used for other access control situations, as well as for other purposes, for example to actuate an electrical device.

Control tokens such as fobs for vehicle keyless entry systems fobs emit a radio frequency with a designated, distinct digital identity code. When the vehicle receives the code, either transmitted when a button is pressed on the key, or transmitted in response to proximity to the vehicle, then the vehicle will respond by opening the door locks and also optionally by enabling other functions. Some vehicles have so-called master keys or smart keys which are like conventional remote keyless entry keys but with extra features reliant on proximity to the vehicle. If the master key is present close to the vehicle several functions of the vehicle are enabled just by the presence of the master key. The door locks are free, the trunk/boot is free and the engine can be started just by pressing a button somewhere on the dash board or on the centre console.

The way these keys work is typically through an RF transmitter in the key that sends out a uniquely coded message periodically and which is received by an RF unit in the vehicle. The duty cycle of this message is very small so that the battery in the key may last a long time for it is always running. When the vehicle sees the key the functions described above will be active.

Viewed from a first aspect, the invention provides a wireless control token comprising: a radio frequency transmitter for transmitting a radio frequency control signal to provide access to a system external to the control token; a power source; a control module; a biometric sensor for obtaining biometric data from a user; and a biometric authorisation module including a database of biometric data for one or more authorised user(s); wherein the biometric authorisation module is arranged to identify an authorised user by matching the biometric data obtained from the user via the biometric sensor with biometric data stored in the database; wherein the control module is arranged to activate the radio frequency transmitter and enable

transmission of the radio frequency control signal only when an authorised user is identified by the biometric authorisation module; wherein the control token is arranged to enrol an authorised user by obtaining biometric data via the biometric sensor and storing the biometric data in the data base of the biometric authorisation module; and wherein the biometric data is not transmitted or stored outside of the control token and in particular is not transmitted to the system external to the control token.

Thus, the control token is provided with a biometric sensor that will enable the transmitter to emit the radio frequency signal for providing access to the external system only when an authorised user is identified. Existing keyless entry and ignition systems for vehicles and so on do not necessarily provide improvements in security. Although it is no longer possible for unauthorised access to be obtained by purely mechanical means, such as lock picking, the security of the external system protected by the control token is at risk if the control token is obtained by an unauthorised user, for example if it is lost or stolen. The proposed control token provides an increase to security for the external system by requiring identification of an authorised user before the radio frequency transmitter is permitted to transmit the radio frequency signal.

In addition, the authorised user is identified via biometric data stored on the control token itself and this biometric data is not transmitted to or stored on the external system. In fact the biometric authorisation module may be arranged so that it is impossible to extract the biometric data, which may for example be a fingerprint template or the like. The transmission of biometric data outside of the control token is considered to be one of the biggest risks to the security of the control token. This means that unlike many conventional biometrically secured access systems there is no central database of biometric data, and there is no transmission of biometric data. Instead the biometric data remains securely held on the control token. In particular, the biometric data is not transmitted to or accessible by the external system. It is also enrolled directly to the control token rather than via some outside enrolment mechanism. This provides advantages relating to security as well as improving the ease of use of the device and the ease with which external systems such as vehicles may be adapted to have biometric security. Since the external system does not need to be involved with the biometric authorisation process then the user can upgrade the security of the external system by the use of the proposed control token without the need to modify or adapt the external system itself. Thus, for example, a vehicle owner can replace the existing keyless entry key fobs with new biometric control tokens as described herein, and this will add biometric security to the vehicle without any change at all required to the vehicle. A vehicle manufacturer could also offer biometric security as an option in a simple and straightforward manner without any changes to how the vehicle itself is manufactured.

The transmitter is controlled by the control module and transmits a radio frequency signal from the control token. This signal may be received and acted upon by the external system if the external system is in range. It is important to note that the radio frequency transmitter is not an RFID antenna and it does not rely on the presence of a reader for transmission of the signal to be activated. Instead the signal is transmitted in response to activation via the control module once suitable authorisation has been provided via the biometric authorisation module, and this transmission will occur irrespective of proximity to the external system. Thus, the transmitter may be arranged to transmit the signal even if the external system is not present, and there is no requirement for a reader or the like as is the case with RFID type systems. The radio frequency transmitter may operate in the VHF or UHF bands i.e. at a frequency in the range 30-3000 MHz. Alternatively the transmitter may operate in GHz and be arranged for communications with a telephone or wireless router.

The biometric authorisation module may store biometric data for multiple authorised users, thereby allowing the control token and hence the external system to be used by multiple people with the same enhanced security. The multiple users may be given different levels of access to the external system. For example, an administrator/owner level access may be given to a single authorised user, and this may include the ability to add further authorised users, optionally with a lower level of access. The lower level of access might include access to basic functions of the external device and/or reduced capabilities of the control token, for example it may exclude the ability to add further new authorised users.

The control token self-enrols and uses biometric data obtained by the onboard biometric sensor rather than biometric data obtained from outside of the control token. Preferably the control token is arranged to only use such self-enrolled biometric data, such that there is no possibility for biometric data to be transmitted to or from the control token. In one example the control token may be provided with an enrolment mode in which one or more authorised user may be added. The control token may be in the enrolment mode when it is first provided to the user, so that the user can immediately enrol their biometric data. The first enrolled user may be provided with the ability to later prompt an enrolment mode for subsequent users to be added, for example via input on an input device of the control token after identification has been confirmed. Thus, the first enrolled user may be given administrator/owner status as discussed above.

For some applications the control token may demand additional identity checks before full access is provided to the external system. This may be done via a second biometric authorisation or via some other interaction with the device such as a PIN entry. For example, where the control system is a vehicle then the control token may require one identity check to open the vehicle and a second identity check before the vehicle can be started. It is envisaged that this may be of benefit for aircraft and other vehicles where there is a desire for extra security in relation to who can control the vehicle.

The control token may be a single-purpose device, i.e. a control token for controlling access to a single external system or network, wherein the control token does not have any other purpose.

The control token may for example be a keyless entry key for a vehicle, in which case the external system may be the locking/access system of the vehicle and/or the ignition system. The vehicle could be a road vehicle, such as a car with 'central locking ^' , or it may be any other type of vehicle, including an aircraft for example. The external system may more broadly be a control system of a vehicle. The control token may act as a master key or smart key, with the radio frequency signal giving access to the vehicle features only being transmitted in response to biometric identification of an authorised user. Alternatively the control token may act as a remote locking type key, with the signal for unlocking the vehicle only being able to be sent if the biometric authorisation module identifies an authorised user. In this case the identification of the authorised user may have the same effect as pressing the unlock button on prior art keyless entry type devices, and the signal for unlocking the vehicle may be sent automatically upon biometric identification of an authorised user, or sent in response to a button press when the control token has been activated by biometric authentication of an authorised user.

In the example of a vehicle keyless entry system the radio frequency transmitter may operate on a frequency used as standard for such systems as used on road vehicles, for example the radio frequency transmitter may transmit a radio frequency signal at a frequency of about 315 MHz (as used for North America-made cars) or at about 433.92 MHz (as used for cars made elsewhere, including European and Asian cars). With these frequencies the external system (i.e. the vehicle in this example) should be within 5-20 metres for the signal to be received.

The control module has the function of controlling the transmitter. The biometric authorisation module may be implemented partially or entirely as a part of the control module, for example as a software module in the same hardware as other elements of the control module. The database may be stored in h a rd wa re/sof twa re elements associated with the control module or in separate hardware/software.

There is no particular restriction on the implementation of the control module, the biometric authorisation module and the database in terms of distribution of their respective functions across the hardware and software of the control token.

The control token may remain active (i.e. with transmission of the signal ongoing or at least permitted) for a defined period of time after biometric identification of the authorised user, i.e. with the radio frequency transmitter being permitted to transmit the radio frequency signal for a period of time. This period may be between 30 minutes and 24 hours, for example. The control token may hence be used to access to the system external to the control token for several hours or optionally a day. This means that the user is not required to re-authenticate when repeated access to the external system is needed within the defined time frame, for example in the case where a vehicle is the external system and the control token allows for unlocking of the doors and/or access to other vehicle functions the user may make several journeys within a relatively short space of time without the need for biometric authentication for each journey.

In a possible refinement of this, the control token may remain active whilst it is able to detect interaction with the external system, and for a defined period of time after interaction with the external system, optionally with a maximum time permitted between biometric re-authorisation, the maximum time being larger than the defined period of time. Thus, where the external system is used regularly then no re- authentication is required until the external system has not been accessed for a period of time, for example a number of hours, and optionally until the maximum time has expired, for example a number of days. The control token may be arranged to receive an indication of on-going use of the external system, for example when the external system is a car and the user is driving then the control token may remain active, thereby enabling the user to take a short break and then continue to use the car without the need for re-authentication.

The user may be able to set the time periods for re-authentication. Thus, for example, again with reference to a vehicle as the external system, a user may decide that they wish to be able to use the vehicle freely provided they used it within the past 12 hours, thereby enabling a regular commute or similar driving pattern without repeated daily authentication. Alternatively the user may specify a higher level of security, requiring authentication at any point when they have not accessed the vehicle within the past hour.

In some examples biometric authorisation is not required to lock the external system. The control token may automatically revert to a locked state thereby releasing the access and allowing the external system to lock itself. Alternatively or additionally the control token may be able to transit a locking signal, for example in response to a button or other input device being actuated by the user.

The biometric authorisation module and biometric sensor could use any suitable biometric to check the identity of the user. For example, EKG or fingerpringt sensors may be used. In some embodiments fingerprint authorisation is used. This can be implemented with low power usage and without increasing the size of the control token compared to existing similar control tokens, such as vehicle key fobs.

The biometric authorisation module may hence include a fingerprint authentication engine including a processing unit and a fingerprint sensor. In a preferred embodiment the fingerprint authentication engine is capable of performing both an enrolment process and a matching process on a fingerprint of a finger presented to the fingerprint sensor.

With fingerprint biometrics, one common problem has been that it is difficult to obtain repeatable results when the initial enrolment takes place in one place, such as a dedicated enrolment terminal, and the subsequent enrolment for matching takes place in another, such as the terminal where the matching is required. The mechanical features of the housing around each fingerprint sensor must be carefully designed to guide the finger in a consistent manner each time it is read by any one of multiple sensors. If a fingerprint is scanned with a number of different terminals, each one being slightly different, then errors can occur in the reading of the fingerprint. Conversely, if the same fingerprint sensor is used every time then the likelihood of such errors occurring is reduced.

In accordance with the proposed device, both the matching and enrolment scans are performed using the same fingerprint sensor and within the same control token. As a result, scanning errors can be balanced out because, for example, if a user tends to present their finger with a lateral bias during enrolment, then they are likely to do so also during matching. Thus, the use of the onboard fingerprint sensor for all scans used with the control token significantly reduces errors in the enrolment and matching, and hence produces more reproducible results.

Furthermore, by performing all processing in the fingerprint authentication engine, security can be improved because the fingerprint data of the user need not be made available to another device (as is the case with separate enrolment).

In prior art systems, fingerprint sensors have not been included in control tokens themself, but rather as part of a separate terminal. For example, vehicles have been provided with fingerprint sensors, but their keys have not. Further, the enrolment process with prior art fingerprint sensing devices is often performed separately with a different device. The proposed control token provides clear advantages compared to these systems.

It will be appreciated that a fingerprint sensor as described herein is capable of taking a scan of any digit, including a thumb as well as a finger. It is common in this field to refer mainly to "finger" and to "fingerprint" when it is understood that a thumb/thumbprint could readily be substituted. Hence, any reference herein to a fingerprint sensor and obtaining fingerprint scans/data should be seen as also encompassing the use of a thumb in place of the finger.

The transmitter may be a transceiver and/or the control token may include a separate receiver for receiving a transmission from the external system. This allows the control token to interact with the external system, for example to determine if use of the external system is on-going as discussed above.

The power source is integral to the control token. This is required so that the transmitter can be provided with power to transmit the signal to the external system. A battery can be used as the power source. The power source also provides power to the biometric authorisation module.

The control token described herein should be differentiated from RFID type devices, such as contactless payment cards and RFID access cards, which interact with a reader via an antenna and voltage induced across the antenna of the RFID device due to a signal transmitted from an antenna of the RFID reader. Such devices may use NFC technology, for example, and they do not need an internal power source since the reader can provide the power to activate the RFID load in the RFID device. It is also possible for power to be harvested from the reader for other purposes. The control token described herein does not rely on a transmission from the external system for power or to be able to operate to confirm the identity of the user and to transmit a signal for access to the external system. It operates in a considerably different manner to the prior art RFID devices. The transmitter of the control token can transmit the radio frequency signal without interaction with the external system, i.e. such that transmitting the radio frequency signal can be done even if the external system is not within range.

In a second aspect the invention provides an access controlled system comprising at least one control token as described above along with the external system. The access control system may include multiple control tokens, optionally with different authorised users. The multiple control tokens may include control tokens with differing levels of access to the external system, for example a master control token may have full access to the external system, and may be able to permit addition of new control tokens, whereas a standard access control token may have lesser access to the external system, and may not be able to permit addition of new control tokens. As noted above, it is straightforward to realise an access controlled system using the proposed control token since there is no requirement for any change to the external system. Instead, an existing access controlled system, such as a vehicle with a wireless entry system, can be adapted to augment it with biometric security simply by replacing the existing control tokens (e.g. vehicle keyless entry key fobs) with the control tokens described herein.

The present invention also provides, in a fourth aspect, a method for control of access to a system, the method comprising: providing a wireless control token as described above, and using the control token to provide access to the system by permitting the transmitter to transmit the radio frequency signal only when an authorised user is identified by the biometric authorisation module matching biometric data obtained from the user with biometric data stored in the database.

The control token in this method may have any or all features as discussed above and the method may include use of the control token as discussed above. In particular, the method may include enrolment of the authorised user(s) directly via the control token by obtaining biometric data via the biometric sensor.

This disclosure has been illustrated by one valuable application but one skilled in the art will recognize that it could be used in any other control situations where an additional layer of security is required and access to a system is obtained by means of a transmitter in a control token. Thus, the external system may be an access control system for a building or parts of a building, an access control system for activating machinery or other devices, an access control system for a computer and so on. Certain preferred embodiments of the present invention will now be described in greater detail, by way of example only and with reference to the accompanying Figure, which is a block diagram for a control token incorporating a fingerprint scanner.

Figure 1 thus shows the basic architecture of a wireless control token 102 and an external system or device 104. The control token 102 may for example be a vehicle key fob and the external system 104 may hence be a vehicle.

The external system 104 includes a transceiver 106 for receiving a

transmission from the control token 102. It is necessary that the external device include a radio frequency receiver, and optional that it also have a transmitting capability as provided by the transceiver 106. The external system 104 also includes access controlled elements 1 18 in communication with the transceiver 106. When the transceiver 106 receives an appropriate signal then it will permit access to the access controlled elements 1 18 and/or actuate certain features of the access controlled elements 1 18. In the example where the external system 104 is a vehicle then the access controlled elements 1 18 may include door locks, the vehicle ignition system, and so on. The control token 102 may permit the user to actuate and/or access features of a vehicle, acting as the external system 104, in accordance with known usage of keyless systems for vehicles.

The wireless control token 102 includes a transceiver 108 for transmitting a radio frequency signal to the transceiver of the external system 104. It is necessary that the wireless control token 102 include a radio frequency transmitter, and optional that it also have a receiving capability as is provided by the transceiver 108. The wireless control token 102 further includes a control module 1 12 and a biometric authorisation module in the form of a fingerprint authentication engine 120. The power source (not shown) such as a battery is used to power the transceiver 108 the control module 1 12 and the fingerprint authentication engine 120.

The fingerprint authentication engine 120 includes a processing unit 128 and a fingerprint reader 130, which may be an area fingerprint reader 130. The processing unit 128 comprises a microprocessor that is chosen to be of very low power and very high speed, so as to be able to perform biometric matching in a reasonable time and to maximise the lifespan of the power source. The processing unit 128 could be a part of the control module, i.e. implemented on common hardware and/or using common software elements.

The fingerprint authentication engine 120 is arranged to scan a finger or thumb presented to the fingerprint reader 130 and to compare the scanned fingerprint of the finger or thumb to stored reference fingerprint data using the processing unit 128. The stored reference fingerprint data could be stored in encrypted form in a non-volatile memory within the processing unit 128 or the control module 1 12. A determination is then made as to whether the scanned fingerprint matches the reference fingerprint data. Ideally, the time required for capturing a fingerprint image and accurately recognising an enrolled finger is less than one second.

If a match is determined then the fingerprint authentication engine 120 communicates this to the control module 1 12. The control module 1 12 may then permit/activate the transmission of a radio frequency signal from the transceiver 108. The radio frequency signal may be continuously transmitted for a certain period of time as soon as an authorised fingerprint has been identified by the fingerprint authentication engine 120. Alternatively, the control module 1 12 may wait for a further action from the user, such as a button press or other input to the control token 102, which may indicate which one of several possible actions are required. For example, in the case of a vehicle the control token 102 may be able to unlock the doors of the vehicle, start the vehicle ^' s engine or alternatively open the trunk/boot of the vehicle, with the action taken depending on a further input to the control token 102 by the user.

By the use of a transceiver for both of the wireless control token 102 and the external system 104 it becomes possible for the external system 104 to interact with the wireless control token 102 and, for example, to return a status of the external system 104. This interaction may be used in various ways, for example to influence a time period for which the wireless control token 102 should remain active after an authorised user has been identified.

Prior to use a new user of the control token 102 must first enrol their fingerprint data onto a "virgin" device, i.e. not including any pre-stored biometric data. In one example the control token 102 may be supplied in an enrolment mode and first user of the control token 102 can automatically enrol their fingerprint. In another example an enrolment mode must be initiated by an authorised external system, such as a computer system operated by the manufacturer. In the enrolment mode the fingerprint authentication engine 120 is used to gather finger print data to form a fingerprint template to be stored on the control token 102. This may be done by presenting the finger to the fingerprint reader 130 one or more times, preferably at least three times and usually five to seven times. An exemplary method of enrolment for a fingerprint using a low-power swipe- type sensor is disclosed in WO 2014/068090 A1 , which those skilled in the art will be able to adapt to the area fingerprint sensor 130 described herein.

The control token 102 may have a housing that includes indicators for communication with the user of the control token 102, such LEDs or an LCD display. During enrolment, the user may be guided by the indicators, which tell the user if the fingerprint has been enrolled correctly. After several presentations of the finger, the fingerprint will have been enrolled and the device 102 will then respond to the fingerprint of the authorised user. The indicators may also be used during

subsequent authentication in order to indicate to the user when their fingerprint is recognised and when access to the access controlled features 1 18 of the external system 104 has been permitted.

With fingerprint biometrics, one common problem has been that it is difficult to obtain repeatable results when the initial enrolment takes place in one place, such as a dedicated enrolment terminal, and the subsequent enrolment for matching takes place in another, such as the terminal where the matching is required. The mechanical features of the housing around each fingerprint sensor must be carefully designed to guide the finger in a consistent manner each time it is read. If a fingerprint is scanned with a number of different terminals, each one being slightly different, then errors can occur in the reading of the fingerprint. Conversely, if the same fingerprint sensor is used every time then the likelihood of such errors occurring is reduced.

As described above, the control token 102 includes a fingerprint

authentication engine 120 having an on-board fingerprint sensor 130 as well as the capability of enrolling the user, and thus both the matching and enrolment scans are be performed using the same fingerprint sensor 130. As a result, scanning errors can be balanced out because, if a user tends to present their finger with a lateral bias during enrolment, then they are likely to do so also during matching.

Thus, the use of the same fingerprint sensor 130 for all scans used with the control token 102 significantly reduces errors in the enrolment and matching, and hence produces more reproducible results.

Furthermore, security is improved by using only a single control token 102 for enrolment and matching, as the biometric data representing the fingerprint never needs to leave the control token 102. This avoids the needs for a central database of biometric data and for transmission of biometric data during use of the system, both of which could be targeted by criminals. The control token 102 may store fingerprint data for multiple users, each of which are advantageously enrolled by means of the fingerprint authentication engine 120 of the control token 102 as explained above. In the case of multiple users the control module 1 12 may be arranged to store the first enrolled user as an

administrator level user with the ability to initiate an enrolment mode of the device during subsequent use, for example through certain inputs to the device including presentation of their fingerprint authentication as the administrator level user.

It will be appreciated that the control token 102 has particular utility when used as a keyless entry device for a vehicle, but that it could also be used in other situations. It will further be appreciated that although fingerprint authentication is a preferred method of biometric authentication of the user, alternative techniques could be used and implemented along similar lines they set out above by substituting the fingerprint sensor and fingerprint authentication engine with an alternative biometric sensing system such as EKG, facial recognition or retinal scan.