[go: up one dir, main page]

WO2018013108A1 - Restriction d'accès - Google Patents

Restriction d'accès Download PDF

Info

Publication number
WO2018013108A1
WO2018013108A1 PCT/US2016/042110 US2016042110W WO2018013108A1 WO 2018013108 A1 WO2018013108 A1 WO 2018013108A1 US 2016042110 W US2016042110 W US 2016042110W WO 2018013108 A1 WO2018013108 A1 WO 2018013108A1
Authority
WO
WIPO (PCT)
Prior art keywords
user
biometric
access
authentication
authorized user
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Ceased
Application number
PCT/US2016/042110
Other languages
English (en)
Inventor
Mohit Gupta
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Hewlett Packard Development Co LP
Original Assignee
Hewlett Packard Development Co LP
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Hewlett Packard Development Co LP filed Critical Hewlett Packard Development Co LP
Priority to PCT/US2016/042110 priority Critical patent/WO2018013108A1/fr
Priority to TW106110606A priority patent/TW201802720A/zh
Publication of WO2018013108A1 publication Critical patent/WO2018013108A1/fr
Anticipated expiration legal-status Critical
Ceased legal-status Critical Current

Links

Classifications

    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31User authentication
    • G06F21/32User authentication using biometric data, e.g. fingerprints, iris scans or voiceprints
    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/62Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2139Recurrent verification
    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2149Restricted operating environment

Definitions

  • FIG. 1 illustrates an example mobile device associated with access restriction.
  • FIG. 2 illustrates a flowchart of example operations associated with access restriction
  • FIG. 3 illustrates another flowchart of example operations associated with access restriction.
  • FIG. 4 illustrates an example device associated with access restriction.
  • FIG. 6 illustrates an example computing device in which example systems, and methods, and equivalents, may operate.
  • biometrics may include, for example, facial recognition, or iris recognition.
  • biometrics may include, for example, facial recognition, or iris recognition.
  • the biometrics associated with that user may be periodically compared to biometrics associated with a profile of a known authorized user. While the two sets of biometrics match, access to a set of device features and contents associated with that user may be granted. When the biometrics do not match, access to those features may be limited. In one example, access may be limited by hiding those features and/or contents from the unauthorized user.
  • the attorney's biometric data may match the biometric data stored in the phone, allowing use of that application. If the attorney passes their phone to their child to play a game during a car trip, the biometrics may not match, and consequently, access to the application may be restricted by hiding the application from view, thereby preventing accidental or intentional launch of the sensitive application.
  • Figure 1 illustrates an example mobiie device associated with access restriction, it should be appreciated that the items depicted in figure 1 are illustrative examples, and many different systems, devices, and so forth, may operate in accordance with various examples.
  • Figure 1 illustrates an example mobile device 100.
  • Mobile device 100 may be, for example, a cell phone, a tablet, and so forth.
  • Mobile device 100 is illustrated in two states. On the left, mobile device is illustrated as it is being viewed by an authorized user 130. On the right, mobile device 100 is illustrated as it is viewed by an unauthorized user 135.
  • certain sensitive applications 125 may be hidden from unauthorized user 135, preventing unauthorized user 135 from accessing the sensitive applications 125 and/or knowing the sensitive applications 125 are on the phone.
  • Mobile device 100 includes a front facing camera 1 10, Mobile device TOO also includes a set of applications 120, Some of the applications 120 are sensitive applications 125.
  • the sensitive applications may be, for example, applications that a user (e.g., authorized user 130), or other party (an employer of authorized user 130) does not want to be accessible by parties other than authorized user 130, This may be because, for example, authorized user 130 does not want other people to know these sensitive applications 125 are on mobile device 100, the sensitive applications 125 provide access to data important to authorized user 130, and so forth.
  • features of mobiie device 100 e.g.. device settings, camera
  • data stored on mobile device 100 e.g., specific documents or Images
  • mobiie device 100 may employ biomefric based authentication techniques. These biometrics may be based on, for example, facial images of authorized user 130, iris scans of authorized user 130, fingerprints of authorized user 130, and so forth.
  • authorized user 130 may trigger an active authentication on mobiie device 100.
  • An active authentication may be an authentication triggered by some action taken by a user (e.g., authorized user 130). This may be, for example, an authentication that occurs when turning on mobile device 100, waking mobile device 100 from a power save mode, when a specific feature of mobiie device 100 Is accessed, and so forth.
  • An active authentication may be triggered by, for example, an input received from a user (e.g., a button press, a swipe), mobile device 100 sensing authorized user has removed mobile devsce 100 from a storage location (e.g., based on accelerometer data, based on detecting removal of a power connector), and so forth.
  • Mobile device 100 may authenticate authorized user 130 using the biometric information, or another technique (e.g., password, pin, an authenticating device). A successful authentication by authorized user 130 may then unlock mobile device 100 for use.
  • Mobile device 100 may then begin passively authenticating the user of mobile device 100 whiie mobile device 100 is in use. Passive authentication may occur automatically without being initiated by or requesting an input from the user of mobile devsce 100. Consequently, the passive authentication may be based on the biometric of the authorized user 130, which may be automatically detected. While the user passes the passive authentication attempts by mobile devsce 100, the user may be considered authorized user 130, and therefore be given access to sensitive apps 125 configured for use by authorized user 130. If an unauthorized user 135 attempts to use the phone, and fails the passive authentication attempts by mobile device 100, mobile device 100 may prevent the access to the sensitive applications 125 on mobile device 100.
  • mobile device 100 may restrict access to sensitive applications until after that user passes a biometric based authentication,
  • unauthorized user 135 may be a person whom authorized user would seek to not have access to mobile device 100 at all. For example, if a thief steals mobile device 100, and somehow is able to guess a password used by authorized user 130, sensitive applications 125 may still be protected by mobile device 100 by the passive authentication. In other examples, unauthorized user 135 may be a temporary user of mobile devsce 100 to whom authorized user 135 has handed mobile device 100. By way of illustration, authorized user 130 may hand mobile device 130 to their child to watch a video or play a game. In this example, authorized user 130 may seek to allow unauthorized user 135 access to certain features of mobile device 130, but not access to sensitive applications 125. Consequently, passively authenticating users based on a biometric may facilitate preventing undesired access of the sensitive applications by unauthorized user 135.
  • Additional scenarios, functionality, and examples may further take advantage of passive biomeirie authentication to enhance usability of mobile device 100, For example, in some situations, authorized user 130 may seek to allow unauthorized user 135 to access a sensitive application 125. Consequently, mobile device may provide a process for authorized user 130 to temporarily disable passive authentication by mobile device 100. This may allow unauthorized user 135 to access sensitive applications 125 without supervision by authorized user 130.
  • mobile device 100 may store Diometric profiles of multiple authorized users 130. This may be desirable when mobile device 100 is shared between multiple users (e.g., family members). Different profiles may be configured to allow access to different applications and/or device features of mobile device 100. For example, a parent may be allowed to view ail applications on mobile device 100, while a young child may be prevented from using chatting applications or the camera on mobile device 100. Consequently, profiles associated with users may include both biomeirie information, as weli as a set of applications, features, and so forth accessible when corresponding users are detected by mobile device 100.
  • mobile device 100 may take different actions regarding sensitive applications 125 or features of mobile device 100, in a restrictive setting where mobile device iOO stores confidential information, mobile device 100 may restrict access to sensitive applications 125 when multiple users are detected.
  • sensitive applications 125 may be made accessible because it is assumed that authorized user 130 can effectively control access to these applications themselves. This may be appropriate, for example, when family members share mobile device 100, including a young child normally restricted from using camera features.
  • an authorized user e.g., a parent
  • the camera features may be made accessible to allow a supervised video call with another person .
  • Module includes but is not limited to hardware, firmware, software stored on a computer-read able medium or in execution on a machine, and/or combinations of each to perform a functions) or an action(s), and/or to cause a function or action from another module, method, and/or system.
  • a module may include a software controlled microprocessor, a discrete module, an analog circuit, a digital circuit, a programmed module device, a memory device containing instructions, and so on. Modules may include gates, combinations of gates, or other circuit components. Where multiple logical modules are described, it may be possible to incorporate the multiple logical modules into one physical module. Similarly, where a single logical module is described, It may be possible to distribute that single logical module between multiple physical modules.
  • Figure 2 illustrates an example method 200 associated with access restriction
  • Method 200 may be embodied on a non-transitory processor-readable medium storing processor-executable instructions. The instructions, when executed by a processor, may cause the processor to perform method 200. In other examples, method 200 may exist within logic gates and/or RAM of an application specific integrated circuit (ASIC).
  • ASIC application specific integrated circuit
  • Method 200 includes storing an authentication profile in a device at 210,
  • the authentication profile may be associated with an approved user.
  • the authentication profile may include a biometric identifier of the approved user.
  • the biometric identifier may be, for example, an image based identifier.
  • the image based identifier may be, a face of the approved user, an iris scan of the approved user, and so forth, in some examples, the authentication profile may also include access settings that may be used to identify what applications are associated with the approved user.
  • Method 200 also includes actively authenticating a user of the device at 220.
  • the user may be authenticated using the biometric identifier of the approved user.
  • an active authentication is an authentication that occurs in response to an input received from a user. This input may be, for example, a press of a button, a triggering motion of the device (e.g., shaking the device, picking up the device), an action taken on an input of the device (e.g., a swipe or other gesture on a touch screen), and so forth.
  • the device may provide access to a device feature at action 230.
  • the device feature may be, for example, an application on the device, a set of data stored on the device, and so forth, in some examples, the authentication profile may include a set of authentication identifiers including the biometric identifier.
  • the active authentication may be passed when the member of the set of authentication identifiers is provided by the user of the device.
  • Other authentication identifiers may include, passwords, gesture inputs, an authentication device (e.g., dangle) associated with the authorized user, and so forth.
  • Method 200 also includes periodicaiiy passively authenticating the user of the device at 240.
  • passive authentication may occur without an action taken by a user. Further, passive authentication may occur without the user noticing that the passive authentication is occurring. Consequently, passive authentication may be performed without requesting an input (e.g., a password, a swipe gesture) from the user.
  • an input e.g., a password, a swipe gesture
  • access to the feature of the device may be restricted at action 250.
  • access to the feature of the device may be restricted by biding tbe feature from the user.
  • access to an application on a ceil phone may be restricted by not showing the user that the application is on the cell phone, or causing the application to disappear from a user interface when the user fails the passive authentication.
  • Figure 3 illustrates, a method 300 associated with access restriction. Method 300 includes several actions similar to those described above with reference to method 200 (figure 2).
  • method 300 includes storing an authentication profile at 310, actively authenticating a user at 320, providing access to a device feature at 330, periodically passiveiy authenticating the user at 340, and restricting access to the device feature when the user fails authentication at 350.
  • Method 300 also includes re-providing access to the device feature at 380, Access may be re-provided when the user passes an authentication.
  • This authentication may be an active authentication, a passive authentication, and so forth. Consequently, method 300 provides for, for example, overriding a failed authentication by the entering of a master password, re-providing access to device features when the approved user is once again detected, and so forth.
  • FIG. 4 illustrates a device 400 associated with access restriction.
  • Device 400 includes a data store 410.
  • Data store 410 may store a biometric identifier.
  • the biometric identifier may be associated with an authorized user of device 400.
  • the biometnc identifier may be, for example, iris information associated with the authorized user.
  • Other biometric identifiers may include, facial information, fingerprint information, and so forth.
  • Data store 410 may also store, for example, access control information describing features, data, applications, and so forth, associated with device 100 that should have access restrictions when the authorized is not detected,
  • Device 400 also includes a biometric scanner 420.
  • biometric scanner 430 may be an iris scanner.
  • the iris scanner may be implemented using a camera embedded in device 400 combined with a set of modules within device 400 that compare features of irises.
  • Biometric scanner 420 may passively scan a biometric of a current user of device 400.
  • passively scanning the bsometric may mean that biometric scanner periodically obtains a biometric associated with the current user without an action taken by the user,
  • Devsce 400 also includes a biometric comparison module 430.
  • Biometric comparison module 430 may compare the biometric of the current user obtained by biometric scanner 420 to the biometric identifier associated with the authorized user stored in data store 410.
  • Device 400 also includes an access restriction module 440.
  • Access restriction module may restrict access to a feature 499 of device 400 while biometric comparison module 430 indicates that the biometric of the current user differs from the biometric identifier associated with the authorized user. This information may be obtained from comparisons performed by biometric comparison module 430.
  • device 400 may also include a restriction disabling module (not shown).
  • the restriction disabling module may disable access restriction module 440 in response to an input.
  • Method 500 includes receiving a profile associated with a user at 510.
  • the profile may be received in a device.
  • the profile may include a biometric associated with an authorized user.
  • the biometric associated with the authorized user may be, for example, iris information associated with the authorized user.
  • the profile may also include an access setting.
  • Method 500 also includes continuously comparing a biometric associated with a current user of the device to the biometric associated with the authorized user at 520.
  • the continuous comparison of the biometrics may be temporarily disabled in response to receiving an input.
  • Method 500 also includes restricting access to an entity on the device at 530. Access may be restricted when the biometrtc associated with the current user differs from the biometric associated with the authorized user, as determined at action 520. Access may be restricted based on the access setting.
  • the entity may be, for example, an application, a device feature, a specific file, a set of data, and so forth.
  • Method 500 also includes providing access to the entity on the device according to the access setting at 540. Access may be provided while the biometric associated with the current user matches the biometric associated with the authorized user, as determined at action 520.
  • Figure 6 illustrates an example computing device in which example systems and methods, and equivalents, may operate.
  • the example computing device may be a computer 800 that includes a processor 810 and a memory 820 connected by a bus 630.
  • Computer 800 includes an access restriction module 640.
  • Access restriction module 640 may perform, alone or in combination, various functions described above with reference to the example systems, methods, and so forth.
  • Access restriction module 840 may be implemented as a non- transitory computer-readable medium storing processor-executable instructions, in hardware, software, firmware, an application specific integrated circuit, and/or combinations thereof.
  • the instructions may also be presented to computer 600 as data 850 and/or process 660 that are temporarily stored in memory 520 and then executed by processor 610.
  • the processor 610 may be a variety of processors including dual microprocessor and other multi-processor architectures.
  • Memory 620 may include non-volatile memory (e.g., read only memory) and/or volatile memory (e.g., random access memory), Memory 620 may also be, for example, a magnetic disk drive, a solid state disk drive, a floppy disk drive, a tape drive, a flash memory card, an optical disk, and so on. Thus, memory 620 may store process 660 and/or data 650.
  • Computer 600 may also be associated with other devices including other computers, devices, peripherals, and so forth in numerous configurations (not shown).

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • General Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • Health & Medical Sciences (AREA)
  • Databases & Information Systems (AREA)
  • Telephone Function (AREA)

Abstract

L'invention concerne des exemples associés à une restriction d'accès. Un exemple de procédé consiste à stocker un profil d'authentification dans un dispositif. Le profil d'authentification est associé à un utilisateur agréé. Le profil d'authentification comprend un identificateur biométrique de l'utilisateur agréé. Un utilisateur du dispositif est authentifié activement à l'aide de l'identificateur biométrique. L'accès à une caractéristique du dispositif est assuré lorsque l'utilisateur du dispositif réussit l'authentification active. L'utilisateur est authentifié périodiquement de manière passive lorsque l'utilisateur utilise le dispositif. L'accès à la caractéristique du dispositif est restreint lorsque l'utilisateur du dispositif échoue à une authentification passive.
PCT/US2016/042110 2016-07-13 2016-07-13 Restriction d'accès Ceased WO2018013108A1 (fr)

Priority Applications (2)

Application Number Priority Date Filing Date Title
PCT/US2016/042110 WO2018013108A1 (fr) 2016-07-13 2016-07-13 Restriction d'accès
TW106110606A TW201802720A (zh) 2016-07-13 2017-03-29 存取限制技術

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/US2016/042110 WO2018013108A1 (fr) 2016-07-13 2016-07-13 Restriction d'accès

Publications (1)

Publication Number Publication Date
WO2018013108A1 true WO2018013108A1 (fr) 2018-01-18

Family

ID=60951812

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/US2016/042110 Ceased WO2018013108A1 (fr) 2016-07-13 2016-07-13 Restriction d'accès

Country Status (2)

Country Link
TW (1) TW201802720A (fr)
WO (1) WO2018013108A1 (fr)

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2012083456A1 (fr) * 2010-12-21 2012-06-28 Excellium Technologies Inc. Système et méthode d'authentification biométrique
US20130067547A1 (en) * 2011-09-08 2013-03-14 International Business Machines Corporation Transaction authentication management including authentication confidence testing

Patent Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2012083456A1 (fr) * 2010-12-21 2012-06-28 Excellium Technologies Inc. Système et méthode d'authentification biométrique
US20130067547A1 (en) * 2011-09-08 2013-03-14 International Business Machines Corporation Transaction authentication management including authentication confidence testing

Also Published As

Publication number Publication date
TW201802720A (zh) 2018-01-16

Similar Documents

Publication Publication Date Title
US8723643B2 (en) Method and computer program product of switching locked state of electronic device
KR101705472B1 (ko) 모바일 디바이스 애플리케이션을 위한 플러거블 인증 메커니즘
KR101242304B1 (ko) 무선 디바이스의 기능에 대한 제어되는 액세스
US20140283014A1 (en) User identity detection and authentication using usage patterns and facial recognition factors
US10534899B2 (en) Utilizing inputs for accessing devices
US10855678B2 (en) Temporary biometric templates for maintaining a user authenticated state
US12399965B2 (en) Access control classifier training
CN108985024A (zh) 响应于试图访问敏感信息的认证技术
WO2013180793A1 (fr) Authentification du visage et des empreintes digitales
CN107704759A (zh) 敏感操作的控制方法、装置、存储介质及电子设备
US11270544B2 (en) Access control for access restricted domains using first and second biometric data
US11178142B2 (en) Biometric data synchronization devices
US12039021B2 (en) Multi-level classifier based access control
WO2016188230A1 (fr) Procédé et dispositif de déverrouillage
CN111259360B (zh) 终端设备的触摸屏状态控制方法、装置及终端设备
JP2013174955A (ja) セキュリティを解除するための情報の入力が要求される情報処理装置及びログイン方法
US20220156351A1 (en) Access control
EP3555783B1 (fr) Authentification d'utilisateur
CN107391987B (zh) 基于生物特征识别的应用保护方法、装置及电子设备
Stockinger Implicit authentication on mobile devices
WO2018013108A1 (fr) Restriction d'accès
US11500976B2 (en) Challenge-response method for biometric authentication
Furnell Biometric technology and user identity
US20240256642A1 (en) Device actions based on authenticated multi-touch gestures
KR102303258B1 (ko) 생체인식을 이용한 프로그램 접근제어 관리 방법

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 16909007

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 16909007

Country of ref document: EP

Kind code of ref document: A1