WO2017082969A1 - Authorized areas of authentication - Google Patents
- Publication number
- WO2017082969A1 (PCT/US2016/038592)
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- aaa
- mobile device
- access
- secure
- server
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/0861—Network architectures or network communication protocols for network security for authentication of entities using biometrical features, e.g. fingerprint, retina-scan
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/10—Network architectures or network communication protocols for network security for controlling access to devices or network resources
- H04L63/107—Network architectures or network communication protocols for network security for controlling access to devices or network resources wherein the security policies are location-dependent, e.g. entities privileges depend on current location or allowing specific operations only from locally connected terminals
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/06—Authentication
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/08—Access security
- H04W12/082—Access security using revocation of authorisation
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W4/00—Services specially adapted for wireless communication networks; Facilities therefor
- H04W4/02—Services making use of location information
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W4/00—Services specially adapted for wireless communication networks; Facilities therefor
- H04W4/02—Services making use of location information
- H04W4/021—Services related to particular areas, e.g. point of interest [POI] services, venue services or geofences
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W4/00—Services specially adapted for wireless communication networks; Facilities therefor
- H04W4/02—Services making use of location information
- H04W4/029—Location-based management or tracking services
Definitions
- The present invention relates to computer data security.
- Enterprises store sensitive and private company and customer data on secure file servers. As users become more mobile, it is becoming common for users to remotely access files on these file servers via their mobile computing devices. Typically, a user can login to an enterprise file server using a basic user ID and password, over a secure network such as a virtual private network. This is a relatively weak form of security, and data breaches often occur where sensitive data is accessed and used by unauthorized people.
- Embodiments of the present invention provide modules, systems and methods for an additional layer of security for remote access to file servers via mobile devices of authorized users. Access to a file server is granted only if a mobile device is verified to be located within an authorized area of authentication (AAA). If the mobile device is not within the AAA, a temporary AAA, including the current location of the mobile device, may be authorized.
- a system for secure access including a stationary computing device that controls access to secure data over a secure network, including an AAA generator, generating an AAA for administering the secure data, an AAA validator, validating a mobile computing device that submits an access request for the secure data via a connection over the secure network, by verifying that a current location of the mobile device is within the AAA, and an access controller, enabling the mobile device to access the secure data, only in response to the validator affirmatively validating the mobile device, and a mobile computing device in communication with the stationary device, including a location identifier, dynamically identifying a current location of the mobile device, a connection controller for logging in to and out of the secure network, and an access requestor, submitting to the access controller via the secure network (i) an access request for the secure data, and (ii) the current location of the mobile device.
- a secure access server computer including an authorized area of authentication (AAA) generator, generating an AAA for administering secure data, access to which is controlled by the server over a secure network, an AAA validator, validating a mobile device that submits an access request for the secure data via a connection over the secure network, by verifying that a current location of the mobile device is within the AAA; and an access controller, enabling the mobile device to access the secure data over the secure network only in response to the AAA validator affirmatively validating the mobile device.
- a mobile device for accessing secure data including a location identifier, dynamically identifying a current location of the mobile device, a connection controller logging in to and out of a secure network, and an access requestor, submitting to a server computer via a connection over the secure network, both (i) an access request for secure data, access to which is controlled by the server, and (ii) the current location of the mobile device, wherein the server enables access to the secure data only when the current location of the mobile device is within an authorized area of authentication.
- a method for secure access including generating, by a stationary computing device, an authorized area of authentication (AAA) for administering secure data, access to which is controlled by the stationary device over a secure network, submitting, by a mobile computing device to the stationary device via a connection over a secure network, a request to access the secure data, further submitting, by the mobile device to the stationary device, a current location of the mobile device, validating, by the stationary device, the mobile device, including verifying that the current location of the mobile device is within the AAA, and granting the mobile device access to the secure data, only in response to the validating being affirmative.
- a method for a secure access server including generating an authorized area of authentication (AAA), for administering secure data, access to which is controlled by a server computer over a secure network, receiving, from a mobile computing device via a connection over the secure network, a request to access the secure data, further receiving, from the mobile device over the secure network, a current location of the mobile device, validating the mobile device, comprising verifying that the current location of the mobile device is within the AAA, and enabling the mobile device to access the secure data, only in response to the validating being affirmative.
- a method for secure access by a mobile computer device including identifying a current location of a mobile computing device, submitting, to a server computer via a connection over a secure network, a request to access secure data, access to which is controlled by the server, further submitting to the server over the secure network, the current location, and only when the current location is within an authorized area of authentication (AAA) for the server, receiving, from the server, an enablement to access the secure data.
- FIG. 1 is a simplified block diagram of a system for secure access, in accordance with an embodiment of the present invention
- FIG. 2 is a simplified flowchart of a method for secure access, in accordance with an embodiment of the present invention
- FIG. 3 is a screen shot of a mobile device prompting a user for his username and password for logging in to a secure network, and acquiring the user's current location, in accordance with an embodiment of the present invention
- FIG. 4 is a screen shot showing the user's current location on a map, in accordance with an embodiment of the present invention.
- FIG. 5 is a screen shot showing the mobile device logging in to the secure network with the username and password, and with the user's current location, in accordance with an embodiment of the present invention
- FIG. 6 is a screen shot showing the mobile device informing the user that he is located in an unauthorized area, and prompting the user to request a temporary authorized area of authentication (AAA), in accordance with an embodiment of the present invention.
- FIG. 7 is a screenshot showing an area centered about the user's current location, in accordance with an embodiment of the present invention.
- FIG. 8 is a screen shot showing fingerprint identification prior to setting a temporary AAA, in accordance with an embodiment of the present invention.
- FIG. 9 is a screen shot showing that a temporary AAA has been set for the user, in accordance with an embodiment of the present invention.
- FIG. 10 is a screen shot of the user logging out of the secure network, in accordance with an embodiment of the present invention.
- FIG. 11 is a screen shot showing an exemplary log report for an administrator, generated by an access log recorder, in accordance with an embodiment of the present invention
- FIG. 12 is a screen shot of a temporary AAA being reported to the administrator, in accordance with an embodiment of the present invention.
- FIG. 13 is a screen shot showing an exemplary log report generated for an administrator, by an access log recorder, in accordance with an embodiment of the present invention.
- modules, systems and methods are provided for an additional layer of security for remote access to file servers via mobile devices.
- These modules, systems and methods are implemented using computing systems including inter alia servers, clients, network devices, and combinations of such devices.
- FIG. 1 is a simplified block diagram of a system for secure access, in accordance with an embodiment of the present invention.
- FIG. 1 shows a stationary computing device 100 and a mobile computing device 200.
- Stationary device 100 controls access to an organization's file server 150 that stores secure data.
- file server 150 represents any type of server that allows one or more users of mobile devices to access content of the organization.
- Access to file server 150 via stationary device 100 is managed by an administrator computer 160.
- File server 150 is remotely accessible over a secure network, such as a virtual private network (VPN).
- An access log recorder 170 logs each access to file server 150 and each attempt to access file server 150, and reports the logs to administrator 160.
- Stationary device 100 may be inter alia a server, a network device, and a combination of such devices. Administrator 160 may be a desktop computer, a laptop computer, a network device, or such other computing device. Administrator 160 manages user accounts and their associated remote devices. In accordance with an embodiment of the present invention, each user and account must be authorized by stationary device 100 before a user may access files on file server 150.
- Stationary device 100 includes a processor 110, an authorized area of authentication (AAA) generator 120, an AAA validator 130, and an AAA access controller 140.
- An "authorized area of authentication" is one or more geographic areas that provide an additional layer of security to supplement conventional user authentication credentials such as username and password.
- In order to access file server 150, a user must be authenticated by his current location, in addition to conventional authentication. If the user is not located in an AAA, then his access to file server 150 is denied. The user may request a temporary authentication, as explained in detail below, but otherwise he is not granted access.
- Alternatively, AAA generator 120, AAA validator 130, and AAA access controller 140 reside in administrator 160 instead of stationary device 100.
- AAA validator 130 is able to determine whether or not a user of mobile device 200 is located in an AAA.
- Mobile device 200 also includes a connection controller 230, for connection to stationary device 100 and to file server 150 over a secure network, and an access requestor 240 for requesting temporary authentication.
- mobile device 200 may be inter alia on a VPN connection with stationary device 100 and file server 150.
- Mobile device 200 also includes a biometric/passcode scanner 250, which scans a biometric, such as a fingerprint or an iris, or scans a passcode, such as a PIN, of a user who is currently using mobile device 200; and a biometric/passcode validator 260, which validates the user's biometric/passcode that was scanned by scanner 250.
- Mobile device 200 may be inter alia a smartphone, a tablet computer, a laptop computer and such other remote access device.
- Stationary device 100, file server 150, administrator 160 and mobile device 200 are not limited to any particular operating system.
- Administrator 160 and mobile device 200 may each be implemented inter alia using an application program interface (API) that communicates with stationary device 100.
- FIG. 2 is a simplified flowchart of a method 1000 for secure access, in accordance with an embodiment of the present invention.
- The flowchart of FIG. 2 is divided into two columns: the left column includes operations performed by stationary device 100, and the right column includes operations performed by mobile device 200.
- AAA generator 120 generates an AAA for accessing an organization's secure data stored on file server 150.
- the AAA is set by an organization administrator 160, and includes one or more geographical areas.
- the AAA may include various office locations of the organization, and various home locations of employees who work for the organization from their homes.
- Individual AAAs may be set up by AAA generator 120 for different users on a per-user basis, for different groups of users on a per-group basis, or for an entire enterprise.
- Alternatively, AAA generator 120, which performs operation 1005, is a component of administrator 160 instead of stationary device 100.
- connection controller 230 attempts to log in to a secure network of the organization, such as a virtual private network (VPN), to access file server 150.
- the user presents his credentials, such as username and password, for authentication.
- the user's current location is identified by location identifier 220, and submitted to AAA validator 130.
- FIG. 3 is a screen shot of mobile device 200 prompting a user for his username and password for logging in to the secure network, and acquiring the user's current location, in accordance with an embodiment of the present invention.
- FIG. 4 is a screen shot showing the user's current location on a map, in accordance with an embodiment of the present invention.
- FIG. 5 is a screen shot showing mobile device 200 logging in to the secure network with the username and password, and with the user's current location, in accordance with an embodiment of the present invention.
- AAA validator 130 authenticates mobile device 200 by checking credentials such as username and password. AAA validator 130 also verifies that the location submitted at operation 1020 is within an AAA that was generated at operation 1005. At decision 1030, AAA validator 130 decides whether or not the authentication at operation 1025 is verified. If so, then at operation 1035 mobile device 200 is granted access to file server 150, and mobile device 200 is then enabled to access file server 150 such as via SSH FTP. Otherwise, if authentication is not verified at decision 1030, then at operation 1040 mobile device 200 is denied access to file server 150. In either case, the grant of or denial of access is logged by access log recorder 170 at operation 1045, for reporting to administrator 160.
- FIG. 6 is a screen shot showing mobile device 200 informing the user that he is located in an unauthorized area, and prompting the user to request a temporary AAA, in accordance with an embodiment of the present invention.
- FIG. 7 is a screenshot showing an area centered about the user's current location, in accordance with an embodiment of the present invention.
- biometric/passcode scanner 250 scans a biometric, such as inter alia a fingerprint or iris, of a user who is currently using mobile device 200, or a passcode, such as inter alia a PIN code, for the user.
- biometric/passcode validator 260 validates the identity of the user, based on the user's scanned biometric/passcode, to ensure that the user who is currently using mobile device 200 is indeed authorized to use mobile device 200 and request a temporary AAA.
- FIG. 8 is a screen shot showing fingerprint identification prior to setting a temporary AAA, in accordance with an embodiment of the present invention.
- At decision 1065, mobile device 200 decides whether or not the validation at operation 1060 is affirmative. If not, then at operation 1070 the request for the temporary AAA is denied, and the user is denied access to file server 150. Denial of access is then logged by access log recorder 170 at operation 1045, for reporting to administrator 160. Otherwise, if decision 1065 decides that the validation is affirmative, then at operation 1075 the request for the temporary AAA is submitted to stationary device 100, and at operation 1080 AAA access controller 140 sets a temporary AAA for the user, at his current location. Reference is made to FIG. 9, which is a screen shot showing that a temporary AAA has been set for the user, in accordance with an embodiment of the present invention.
- mobile device 200 is granted access to file server 150, and mobile device 200 is then enabled to access file server 150 such as via SSH FTP. Access to file server 150 via the temporary AAA is logged by access log recorder 170 at operation 1045, for reporting to administrator 160.
- FIG. 10 is a screen shot of the user logging out of the secure network by use of a side-bar menu, in accordance with an embodiment of the present invention.
- the temporary AAA may expire after a designated time period.
- operations 1060 - 1075 relating to validating the identity of the user via fingerprint or such other biometric, or via passcode or via another PIN-based mechanism, may be performed by stationary device 100 or alternatively by administrator 160, instead of mobile device 200.
- mobile device 200 transmits the scanned biometric/passcode to stationary device 100 or administrator 160 after performing operation 1055, and stationary device 100 or administrator 160 performs the validation, and the denial or grant of access.
- FIG. 11 is a screen shot showing an exemplary log report generated by access log recorder 170 for administrator 160, in accordance with an embodiment of the present invention.
- The log report lists authorized logins to file server 150 and unauthorized logins that were blocked, with dates and times, according to username.
- FIG. 12 is a screen shot of a temporary AAA being reported to administrator 160, in accordance with an embodiment of the present invention.
- FIG. 13 is a screen shot showing an exemplary log report generated by access log recorder 170 for administrator 160, in accordance with an embodiment of the present invention.
- Valid user logins are indicated with a check mark, and invalid login attempts are indicated with a dash.
- the log report identifies locations, including latitude and longitude and addresses of users who logged into file server 150 and attempted to login to file server 150, according to dates and times.
- embodiments of the present invention provide modules, systems and methods for data security whereby a remote device is granted access to a file server only when it is currently located in an authorized area of authentication.
- an AAA is modeled by the following class definition and table.
- an access attempt is modeled by the following class definition and table.
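The access decision of FIG. 2 as described above (credential and location check, temporary AAA with expiry, logging of every grant and denial), as an added Python example that is not code from the patent and is not the class definition the text mentions. The circular areas, the radius and expiry constants, the PBKDF2 verifier, the re-check of credentials before a temporary AAA is set, and all names are assumptions made for illustration.

```python
import hashlib
import hmac
import math
from dataclasses import dataclass, field
from typing import Optional

EARTH_RADIUS_M = 6_371_000.0
TEMP_RADIUS_M = 150.0      # assumed size of a temporary AAA
TEMP_TTL_S = 8 * 3600.0    # assumed "designated time period" before expiry


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two latitude/longitude points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dlat, dlon = p2 - p1, math.radians(lon2 - lon1)
    a = math.sin(dlat / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))


def password_verifier(password, salt):
    """Salted PBKDF2 verifier, so the server never stores the password itself."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass(frozen=True)
class Area:
    """One circular area of an AAA; expires_at is set only for temporary AAAs."""
    lat: float
    lon: float
    radius_m: float
    expires_at: Optional[float] = None

    def contains(self, lat, lon, now):
        if self.expires_at is not None and now >= self.expires_at:
            return False  # an expired temporary AAA no longer authorizes anything
        return haversine_m(self.lat, self.lon, lat, lon) <= self.radius_m


@dataclass
class AccessServer:
    """Plays AAA validator 130, access controller 140 and log recorder 170."""
    verifiers: dict                              # user -> (salt, PBKDF2 verifier)
    areas: dict = field(default_factory=dict)    # user -> list of Area (per-user AAA)
    log: list = field(default_factory=list)

    def _credentials_ok(self, user, password):
        salt, stored = self.verifiers.get(user, (b"", b""))
        return hmac.compare_digest(password_verifier(password, salt), stored)

    def _record(self, user, lat, lon, now, granted, reason):
        # Every grant and every denial is logged with user, location and time.
        self.log.append({"user": user, "lat": lat, "lon": lon, "time": now,
                         "granted": granted, "reason": reason})
        return granted

    def request_access(self, user, password, lat, lon, now):
        """Operations 1025-1045: check credentials and location, then log the result."""
        if not self._credentials_ok(user, password):
            return self._record(user, lat, lon, now, False, "bad_credentials")
        # The location is the one the device submitted at operation 1020.
        if not any(a.contains(lat, lon, now) for a in self.areas.get(user, [])):
            return self._record(user, lat, lon, now, False, "outside_aaa")
        return self._record(user, lat, lon, now, True, "granted")

    def request_temporary_aaa(self, user, password, lat, lon, now, identity_validated):
        """Operations 1065-1080: set a temporary AAA at the current location."""
        # identity_validated carries the biometric/passcode result (validator 260).
        if not (identity_validated and self._credentials_ok(user, password)):
            self._record(user, lat, lon, now, False, "temp_aaa_denied")
            return None
        area = Area(lat, lon, TEMP_RADIUS_M, expires_at=now + TEMP_TTL_S)
        self.areas.setdefault(user, []).append(area)
        self._record(user, lat, lon, now, True, "temp_aaa_set")
        return area


def demo():
    """Constructed scenario: one user, one office area, one trip outside it."""
    salt = b"constructed-salt"
    server = AccessServer(
        verifiers={"alice": (salt, password_verifier("correct horse", salt))},
        areas={"alice": [Area(40.7128, -74.0060, 200.0)]},
    )
    office, away = (40.7130, -74.0061), (40.7306, -73.9352)
    results = [
        server.request_access("alice", "correct horse", *office, now=0.0),
        server.request_access("alice", "correct horse", *away, now=10.0),
        server.request_temporary_aaa("alice", "correct horse", *away, now=20.0,
                                     identity_validated=True) is not None,
        server.request_access("alice", "correct horse", *away, now=30.0),
        server.request_access("alice", "correct horse", *away, now=20.0 + TEMP_TTL_S),
    ]
    return results, [e["reason"] for e in server.log]


if __name__ == "__main__":
    print(demo())
```

The last request in `demo()` is denied because the temporary AAA has reached its expiry time, and the log keeps one entry per decision, including the setting of the temporary AAA.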
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Health & Medical Sciences (AREA)
- Biomedical Technology (AREA)
- General Health & Medical Sciences (AREA)
- Mobile Radio Communication Systems (AREA)
- Telephonic Communication Services (AREA)
Abstract
A secure access system, including a stationary computing device that controls access to secure data over a secure network, including an authorized area of authentication (AAA) generator, generating an AAA for administering the secure data, an AAA validator, validating a mobile computing device that submits a request to access the secure data over the secure network, by verifying that a current location of the mobile device is within the AAA, and an access controller, enabling the mobile device to access the secure data, only in response to the validator affirmatively validating the mobile device, and a mobile computing device including a location identifier, dynamically identifying a current location of the mobile device, a connection controller for logging into the secure network, and an access requestor, submitting to the access controller via the secure network (i) an access request for the secure data, and (ii) the current location of the mobile device.
Description
AUTHORIZED AREAS OF AUTHENTICATION
PRIORITY REFERENCES
[0001] This application claims benefit of and hereby incorporates by reference US Provisional Application No. 62/254,229, entitled METHOD AND SYSTEM USING GEO-LOCATION DATA AND INFORMATION FOR ADDED LAYER OF SECURITY, and filed on November 12, 2015 by inventors Alex Lin, Geoff House, Lee McDole, Michael Godlewski, Rudolph Mutter, Timothy Shipman and Jules Panopoulos.
[0002] This application also claims benefit of and hereby incorporates by reference US Patent Application No. 15/084,969, entitled AUTHORIZED AREAS OF AUTHENTICATION, and filed on March 30, 2016 by inventors Alexander Lin Kremer, Geoffrey House, Lee McDole, Michael Godlewski, Rudolph Mutter, Timothy Shipman and Jules Panopoulos.
FIELD OF THE INVENTION
[0004] The present invention relates to computer data security.
BACKGROUND OF THE INVENTION
[0005] Enterprises store sensitive and private company and customer data on secure file servers. As users become more mobile, it is becoming common for users to remotely access files on these file servers via their mobile computing devices. Typically, a user can login to an enterprise file server using a basic user ID and password, over a secure network such as a virtual private network. This is a relatively weak form of security, and data breaches often occur where sensitive data is accessed and used by unauthorized people.
[0006] As such, it would be of great advantage to provide an additional layer of security for remote access to file servers via mobile devices.
SUMMARY
[0007] Embodiments of the present invention provide modules, systems and methods for an additional layer of security for remote access to file servers via mobile devices of authorized users. Access to a file server is granted only if a mobile device is verified to be located within an authorized area of authentication (AAA). If the mobile device is not within the AAA, a temporary AAA, including the current location of the mobile device, may be authorized.
[0008] There is thus provided in accordance with an embodiment of the present invention a system for secure access, including a stationary computing device that controls access to secure data over a secure network, including an AAA generator, generating an AAA for administering the secure data, an AAA validator, validating a mobile computing device that submits an access request for the secure data via a connection over the secure network, by verifying that a current location of the mobile device is within the AAA, and an access controller, enabling the mobile device to access the secure data, only in response to the validator affirmatively validating the mobile device, and a mobile computing device in communication with the stationary device, including a location identifier, dynamically identifying a current location of the mobile device, a connection controller for logging in to and out of the secure network, and an access requestor, submitting to the access controller via the secure network (i) an access request for the secure data, and (ii) the current location of the mobile device.
[0009] There is additionally provided in accordance with an embodiment of the present invention a secure access server computer, including an authorized area of authentication (AAA) generator, generating an AAA for administering secure data, access to which is controlled by the server over a secure network, an AAA validator, validating a mobile device that submits an access request for the secure data via a connection over the secure network, by verifying that a current location of the mobile device is within the AAA; and an access controller, enabling the mobile device to access the secure data over the secure network only in response to the AAA validator affirmatively validating the mobile device.
[0010] There is further provided in accordance with an embodiment of the present invention a mobile device for accessing secure data, including a location identifier, dynamically identifying a current location of the mobile device, a connection controller logging in to and out of a secure network, and an access requestor, submitting to a server computer via a connection over the secure network, both (i) an access request for secure data, access to which is controlled by the server, and (ii) the current location of the mobile device, wherein the server enables access to the secure data only when the current location of the mobile device is within an authorized area of authentication.
[0011] There is yet further provided in accordance with an embodiment of the present invention a method for secure access, including generating, by a stationary computing device, an authorized area of authentication (AAA) for administering secure data, access to which is controlled by the stationary device over a secure network, submitting, by a mobile computing device to the stationary device via a connection over a secure network, a request to access the secure data, further submitting, by the mobile device to the stationary device, a current location of the mobile device, validating, by the stationary device, the mobile device, including verifying that the current location of the mobile device is within the AAA, and granting the mobile device access to the secure data, only in response to the validating being affirmative.
[0012] There is moreover provided in accordance with an embodiment of the present invention a method for a secure access server, including generating an authorized area of authentication (AAA), for administering secure data, access to which is controlled by a server computer over a secure network, receiving, from a mobile computing device via a connection over the secure network, a request to access the secure data, further receiving, from the mobile device over the secure network, a current location of the mobile device, validating the mobile device, comprising verifying that the current location of the mobile device is within the AAA, and enabling the mobile device to access the secure data, only in response to the validating being affirmative.
[0013] There is additionally provided in accordance with an embodiment of the present invention a method for secure access by a mobile computer device, including identifying a current location of a mobile computing device, submitting, to a server computer via a connection over a secure network, a request to access secure data, access to which is controlled by the server, further submitting to the server over the secure network, the current location, and only when the current location is within an authorized area of authentication (AAA) for the server, receiving, from the server, an enablement to access the secure data.
BRIEF DESCRIPTION OF THE DRAWINGS
[0015] The present invention will be more fully understood and appreciated from the following detailed description, taken in conjunction with the drawings in which:
[0016] FIG. 1 is a simplified block diagram of a system for secure access, in accordance with an embodiment of the present invention;
[0017] FIG. 2 is a simplified flowchart of a method for secure access, in accordance with an embodiment of the present invention;
[0018] FIG. 3 is a screen shot of a mobile device prompting a user for his username and password for logging in to a secure network, and acquiring the user's current location, in accordance with an embodiment of the present invention;
[0019] FIG. 4 is a screen shot showing the user's current location on a map, in accordance with an embodiment of the present invention;
[0020] FIG. 5 is a screen shot showing the mobile device logging in to the secure network with the username and password, and with the user's current location, in accordance with an embodiment of the present invention;
[0021] FIG. 6 is a screen shot showing the mobile device informing the user that he is located in an unauthorized area, and prompting the user to request a temporary authorized area of authentication (AAA), in accordance with an embodiment of the present invention;
[0022] FIG. 7 is a screenshot showing an area centered about the user's current location, in accordance with an embodiment of the present invention;
[0023] FIG. 8 is a screen shot showing fingerprint identification prior to setting a temporary AAA, in accordance with an embodiment of the present invention;
[0024] FIG. 9 is a screen shot showing that a temporary AAA has been set for the user, in accordance with an embodiment of the present invention;
[0025] FIG. 10 is a screen shot of the user logging out of the secure network, in accordance with an embodiment of the present invention;
[0026] FIG. 11 is a screen shot showing an exemplary log report for an administrator, generated by an access log recorder, in accordance with an embodiment of the present invention;
[0027] FIG. 12 is a screen shot of a temporary AAA being reported to the administrator, in accordance with an embodiment of the present invention; and
[0028] FIG. 13 is a screen shot showing an exemplary log report generated for an administrator, by an access log recorder, in accordance with an embodiment of the present invention.
[0029] For reference to the figures, the following index of elements and their numerals is provided. Similarly numbered elements represent elements of the same type, but they need not be identical elements.
[0030] Elements numbered in the 1000's are operations of flow charts.
DETAILED DESCRIPTION
[0031] In accordance with embodiments of the present invention, modules, systems and methods are provided for an additional layer of security for remote access to file servers via mobile devices. These modules, systems and methods are implemented using computing systems including inter alia servers, clients, network devices, and combinations of such devices.
[0032] Reference is made to FIG. 1, which is a simplified block diagram of a system for secure access, in accordance with an embodiment of the present invention. FIG. 1 shows a stationary computing device 100 and a mobile computing device 200. Stationary device 100 controls access to an organization's file server 150 that stores secure data. More generally, file server 150 represents any type of server that allows one or more users of mobile devices to access content of the organization.
[0033] Access to file server 150 via stationary device 100 is managed by an administrator computer 160. File server 150 is remotely accessible over a secure network, such as a virtual private network (VPN). An access log recorder 170 logs each access to file server 150 and each attempt to access file server 150, and reports the logs to administrator 160.
[0034] Stationary device 100 may be inter alia a server, a network device, and a combination of such devices. Administrator 160 may be a desktop computer, a laptop computer, a network device, or such other computing device. Administrator 160 manages user accounts and their associated remote devices. In accordance with an embodiment of the present invention, each user and account must be authorized by stationary device 100 before a user may access files on file server 150.
[0035] Stationary device 100 includes a processor 110, an authorized area of authentication (AAA) generator 120, an AAA validator 130, and an AAA access controller 140. An "authorized area of authentication" is one or more geographic areas that provide an additional layer of security to supplement conventional user authentication credentials such as username and password. In order to access file server 150, a user must be authenticated by his current location, in addition to conventional authentication. If the user is not located in an AAA, then his access to file server 150 is denied. The user may request a temporary authentication, as explained in detail below, but otherwise he is not granted access.
[0036] In alternative embodiments of the present invention, one or more of AAA generator 120, AAA validator 130, and AAA access controller 140 reside in administrator 160 instead of stationary device 100.
[0037] Use of AAA is of particular advantage when an organization has mobile users, with mobile computing devices 200 that include a processor 210 and a location identifier 220, such as inter alia a GPS tracker or an agent that provides location data, that dynamically determines a device's current geographic location. By transmitting an identifier of the location to stationary device 100, AAA validator 130 is able to determine whether or not a user of mobile device 200 is located in an AAA. Mobile device 200 also includes a connection controller 230, for connection to stationary device 100 and to file server 150 over a secure network, and an access requestor 240 for requesting temporary authentication. Regarding the secure network, mobile device 200 may be inter alia on a VPN connection with stationary device 100 and file server 150. Stationary device 100 and file server 150 may be on that same secure network as well.
[0038] Mobile device 200 also includes a biometric/passcode scanner 250, which scans a biometric, such as a fingerprint or an iris, or scans a passcode, such as a PIN, of a user who is currently using mobile device 200; and a biometric/passcode validator 260, which validates the user's biometric/passcode that was scanned by scanner 250.
[0039] Operation of the various components of stationary device 100 and mobile device 200 is described below with regards to FIGS. 2 - 13.
[0040] Mobile device 200 may be inter alia a smartphone, a tablet computer, a laptop computer and such other remote access device. Stationary device 100, file server 150, administrator 160 and mobile device 200 are not limited to any particular operating system. Administrator 160 and mobile device 200 may each be implemented inter alia using an application program interface (API) that communicates with stationary device 100.
[0041] Reference is made to FIG. 2, which is a simplified flowchart of a method 1000 for secure access, in accordance with an embodiment of the present invention. The flowchart of FIG. 2 is divided into two columns. The left column includes operations performed by stationary device 100, and the right column includes operations performed by mobile device 200. At operation 1005 AAA generator 120 generates an AAA for accessing an organization's secure data stored on file server 150. The AAA is set by an organization administrator 160, and includes one or more geographical areas. E.g., the AAA may include various office locations of the organization, and various home locations of employees who work for the organization from their homes. Individual AAAs may be set up by AAA generator 120 for different users on a per-user basis, for different groups of users on a per-group basis, or for an entire enterprise.
In an alternative embodiment of the present invention, AAA generator 120, which performs operation 1005, is a component of administrator 160 instead of stationary device 100.
[0042] At operation 1010 connection controller 230 attempts to log in to a secure network of the organization, such as a virtual private network (VPN), to access file server 150. At operation 1015 the user presents his credentials, such as username and password, for authentication. At operation 1020 the user's current location is identified by location identifier 220, and submitted to AAA validator 130. Reference is made to FIG. 3, which is a screen shot of mobile device 200 prompting a user for his username and password for logging in to the secure network, and acquiring the user's current location, in accordance with an embodiment of the present invention. Reference is made to FIG. 4, which is a screen shot showing the user's current location on a map, in accordance with an embodiment of the present invention. FIG. 4 shows the user being located within a circular area between First and Second Street and between 4th and 5th Avenue. Reference is made to FIG. 5, which is a screen shot showing mobile device 200 logging in to the secure network with the username and password, and with the user's current location, in accordance with an embodiment of the present invention.
[0043] At operation 1025, AAA validator 130 authenticates mobile device 200 by checking credentials such as username and password. AAA validator 130 also verifies that the location submitted at operation 1020 is within an AAA that was generated at operation 1005. At decision 1030, AAA validator 130 decides whether or not the authentication at operation 1025 is verified. If so, then at operation 1035 mobile device 200 is granted access to file server 150, and mobile device 200 is then enabled to access file server 150 such as via SSH FTP. Otherwise, if authentication is not verified at decision 1030, then at operation 1040 mobile device 200 is denied access to file server 150. In either case, the grant of or denial of access is logged by access log recorder 170 at operation 1045, for reporting to administrator 160.
[0044] When access to file server 150 is denied at operation 1040 because mobile device 200 is not within an AAA, then at operation 1050 the user of mobile device 200 requests AAA access controller 140 to instantiate a temporary AAA that includes the current location of mobile device 200, so that the user can temporarily access file server 150. Reference is made to FIG. 6, which is a screen shot showing mobile device 200 informing the user that he is located in an unauthorized area, and prompting the user to request a temporary AAA, in accordance with an embodiment of the present invention. Reference is made to FIG. 7, which is a screenshot showing an area centered about the user's current location, in accordance with an embodiment of the present invention.
[0045] At operation 1055, biometric/passcode scanner 250 scans a biometric, such as inter alia a fingerprint or iris, of a user who is currently using mobile device 200, or a passcode, such as inter alia a PIN code, for the user. At operation 1060, biometric/passcode validator 260 validates the identity of the user, based on the user's scanned biometric/passcode, to ensure that the user who is currently using mobile device 200 is indeed authorized to use mobile device 200 and request a temporary AAA. Reference is made to FIG. 8, which is a screen shot showing fingerprint identification prior to setting a temporary AAA, in accordance with an embodiment of the present invention.
[0046] At decision 1065, mobile device 200 decides whether or not the validation at operation 1060 is affirmative. If not, then at operation 1070 the request for the temporary AAA is denied, and the user is denied access to file server 150. Denial of access is then logged by access log recorder 170 at operation 1045, for reporting to administrator 160. Otherwise, if decision 1065 decides that the validation is affirmative, then at operation 1075 the request for the temporary AAA is submitted to stationary device 100, and at operation 1080 AAA access controller 140 sets a temporary AAA for the user, at his current location. Reference is made to FIG. 9, which is a screen shot showing that a temporary AAA has been set for the user, in accordance with an embodiment of the present invention. At operation 1035 mobile device 200 is granted access to file server 150, and mobile device 200 is then enabled to access file server 150 such as via SSH FTP. Access to file server 150 via the temporary AAA is logged by access log recorder 170 at operation 1045, for reporting to administrator 160.
[0047] After completion of the user's access to file server 150, the user logs out and the temporary AAA is canceled. Reference is made to FIG. 10, which is a screen shot of the user logging out of the secure network by use of a side-bar menu, in accordance with an embodiment of the present invention. Alternatively, the temporary AAA may expire after a designated time period.
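The server-side flow of FIG. 2 (operations 1025 to 1080, plus the cancellation and expiry of paragraph [0047]) is shown below as an added Python example; it is not code from the patent. The circular areas, the haversine distance test, all class, method and outcome names, and the sample user and coordinates are assumptions made for illustration.

```python
import hmac
import math
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

EARTH_RADIUS_M = 6_371_000.0


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two latitude/longitude points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin((p2 - p1) / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))


@dataclass
class Area:
    """One circular area of an AAA (assumed shape); expires_at is set only for a temporary AAA."""
    lat: float
    lon: float
    radius_m: float
    expires_at: Optional[float] = None

    def contains(self, lat, lon, now):
        if self.expires_at is not None and now >= self.expires_at:
            return False  # an expired temporary AAA never matches
        return haversine_m(self.lat, self.lon, lat, lon) <= self.radius_m


class SecureAccessServer:
    """Hypothetical stand-in for stationary device 100: validator, access controller, log."""

    def __init__(self, verify_credentials: Callable[[str, str], bool]):
        self.verify_credentials = verify_credentials
        self.enterprise_areas: List[Area] = []       # AAA for the entire enterprise
        self.user_areas: Dict[str, List[Area]] = {}  # per-user AAAs, permanent and temporary
        self.access_log: List[dict] = []             # role of access log recorder 170

    def _log(self, now, user, lat, lon, outcome):
        self.access_log.append({"time": now, "user": user, "lat": lat,
                                "lon": lon, "outcome": outcome})

    def _in_aaa(self, user, lat, lon, now):
        areas = self.enterprise_areas + self.user_areas.get(user, [])
        return any(a.contains(lat, lon, now) for a in areas)

    def login(self, user, password, lat, lon, now):
        """Operations 1025-1045. lat/lon are the values reported by the device."""
        if not self.verify_credentials(user, password):
            self._log(now, user, lat, lon, "denied:bad-credentials")
            return False
        if not self._in_aaa(user, lat, lon, now):
            self._log(now, user, lat, lon, "denied:outside-aaa")
            return False
        self._log(now, user, lat, lon, "granted")
        return True

    def request_temporary_aaa(self, user, password, lat, lon, identity_validated,
                              now, ttl_s=3600.0, radius_m=200.0):
        """Operations 1065-1080, then 1035: set a temporary AAA and grant access."""
        if not self.verify_credentials(user, password):
            self._log(now, user, lat, lon, "denied:bad-credentials")
            return False
        if not identity_validated:  # biometric/passcode validation was not affirmative
            self._log(now, user, lat, lon, "temporary-aaa-denied")
            return False
        temp = Area(lat, lon, radius_m, expires_at=now + ttl_s)
        self.user_areas.setdefault(user, []).append(temp)
        self._log(now, user, lat, lon, "temporary-aaa-set")
        return self.login(user, password, lat, lon, now)

    def logout(self, user):
        """Paragraph [0047]: logging out cancels the user's temporary AAAs."""
        kept = [a for a in self.user_areas.get(user, []) if a.expires_at is None]
        self.user_areas[user] = kept


# Constructed sample data: one office area and one user.
OFFICE = Area(40.7580, -73.9855, 150.0)


def demo_server():
    users = {"alice": "correct horse"}  # constructed; a real verifier checks a password hash
    srv = SecureAccessServer(lambda u, p: hmac.compare_digest(users.get(u, ""), p))
    srv.enterprise_areas.append(OFFICE)
    return srv
```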
[0048] There are many variations for division of processing labor between stationary device 100, administrator 160 and mobile device 200, all of which are contemplated by the present invention. Thus inter alia, referring to FIG. 2, operations 1060 - 1075, relating to validating the identity of the user via fingerprint or such other biometric, or via passcode or via another PIN-based mechanism, may be performed by stationary device 100 or alternatively by administrator 160, instead of mobile device 200. In such case, mobile device 200 transmits the scanned biometric/passcode to stationary device 100 or administrator 160 after performing operation 1055, and stationary device 100 or administrator 160 performs the validation, and the denial or grant of access.
[0049] Reference is made to FIG. 11, which is a screen shot showing an exemplary log report generated by access log recorder 170 for administrator 160, in accordance with an embodiment of the present invention. The log report lists authorized logins to file server 150 and unauthorized logins that were blocked, with dates and times, according to username.
[0050] Reference is made to FIG. 12, which is a screen shot of a temporary AAA being reported to administrator 160, in accordance with an embodiment of the present invention.
[0051] Reference is made to FIG. 13, which is a screen shot showing an exemplary log report generated by access log recorder 170 for administrator 160, in accordance with an embodiment of the present invention. Valid user logins are indicated with a check mark, and invalid login attempts are indicated with a dash. The log report identifies locations, including latitude and longitude and addresses of users who logged into file server 150 and attempted to login to file server 150, according to dates and times.
[0052] It will thus be appreciated that embodiments of the present invention provide modules, systems and methods for data security whereby a remote device is granted access to a file server only when it is currently located in an authorized area of authentication.
Implementation Details
[0053] In an embodiment of the subject invention in accordance with the Django Python web framework, an AAA is modeled by the following class definition and table.
[0054] In an embodiment of the subject invention in accordance with the Django Python web framework, an access attempt is modeled by the following class definition and table.
[0055] In the foregoing specification, the invention has been described with reference to specific exemplary embodiments thereof. It will, however, be evident that various modifications and changes may be made to the specific exemplary embodiments without departing from the broader spirit and scope of the invention. Accordingly, the specification and drawings are to be regarded in an illustrative rather than a restrictive sense.
Claims
1. A secure access server computer, comprising:
an authorized area of authentication (AAA) generator, generating an AAA for administering secure data, access to which is controlled by the server over a secure network;
an AAA validator, validating a mobile device that submits an access request for the secure data via a connection over the secure network, by verifying that a current location of the mobile device is within the AAA; and
an access controller, enabling the mobile device to access the secure data over the secure network only in response to said AAA validator affirmatively validating the mobile device.
2. The server of claim 1 further comprising an AAA approver approving a request from the mobile device to generate a temporary AAA that includes a current location of the mobile device.
3. The server of claim 2 wherein said AAA generator generates the temporary AAA and monitors the temporary AAA so as to expire after a specified time.
4. The server of claim 2 wherein said AAA generator generates the temporary AAA and monitors the temporary AAA so as to expire after the mobile device closes its connection with the secure network.
5. A mobile device for accessing secure data, comprising:
a location identifier, dynamically identifying a current location of the mobile device;
a connection controller logging in to and out of a secure network; and
an access requestor, submitting to a server computer via a connection over the secure network, both (i) an access request for secure data, access to which is controlled by the server, and (ii) the current location of the mobile device,
wherein the server enables access to the secure data only when the current location of the mobile device is within an authorized area of authentication (AAA).
6. The mobile device of claim 5 wherein said access requestor submits to the server over the secure network a request that the server generate a temporary AAA that includes the current location of the mobile device, when the current location of the mobile device is not within an existing AAA.
7. The mobile device of claim 6, further comprising:
a biometric or passcode scanner, scanning a biometric or passcode of a user who is currently using the mobile device; and
a biometric or passcode validator, validating the biometric data or passcode scanned by said biometric or passcode scanner,
and wherein said access requestor submits to the server the request that the server generate a temporary AAA only in response to said biometric or passcode validator affirmatively validating the user's biometric or passcode.
8. A method for a secure access server, comprising:
generating an authorized area of authentication (AAA), for administering secure data, access to which is controlled by a server computer over a secure network;
receiving, from a mobile computing device via a connection over the secure network, a request to access the secure data;
further receiving, from the mobile device over the secure network, a current location of the mobile device;
validating the mobile device, comprising verifying that the current location of the mobile device is within the AAA; and
enabling the mobile device to access the secure data, only in response to said validating being affirmative.
9. The method of claim 8, further comprising:
receiving, from the mobile device over the secure network, a request for a temporary AAA that includes the current location of the mobile device;
determining whether or not to approve the request for the temporary AAA; and
generating a temporary AAA that includes the current location of the mobile device, only in response to said determining being affirmative.
10. The method of claim 9 further comprising monitoring the temporary AAA so as to expire after a specified time.
11. The method of claim 9 further comprising monitoring the temporary AAA so as to expire after the mobile device logs out of the secure network.
12. A method for secure access by a mobile computer device, comprising:
identifying a current location of a mobile computing device;
submitting, to a server computer via a connection over a secure network, a request to access secure data, access to which is controlled by the server;
further submitting to the server over the secure network, the current location; and
only when the current location is within an authorized area of authentication (AAA) for the server, receiving, from the server, an enablement to access the secure data.
13. The method of claim 12, further comprising submitting, to the server over the secure network, a request for a temporary AAA that includes the current location, when the current location is not within an existing AAA.
14. The method of claim 13 further comprising:
scanning a biometric or passcode of a user who is currently using said mobile device; and
validating the biometric data or passcode scanned by said scanning,
wherein said submitting the request for a temporary AAA is contingent upon said validating being affirmative.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
EP16864700.6A EP3374852B1 (en) | 2015-11-12 | 2016-06-22 | Authorized areas of authentication |
Applications Claiming Priority (4)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US201562254229P | 2015-11-12 | 2015-11-12 | |
US62/254,229 | 2015-11-12 | ||
US15/084,969 US9554279B1 (en) | 2015-11-12 | 2016-03-30 | Authorized areas of authentication |
US15/084,969 | 2016-03-30 |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2017082969A1 (en) | 2017-05-18 |
Family ID=57795056
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/US2016/038592 WO2017082969A1 (en) | 2015-11-12 | 2016-06-22 | Authorized areas of authentication |
Country Status (3)
Country | Link |
---|---|
US (4) | US9554279B1 (en) |
EP (1) | EP3374852B1 (en) |
WO (1) | WO2017082969A1 (en) |
2016
- 2016-03-30 US US15/084,969 patent/US9554279B1/en active Active
- 2016-06-22 WO PCT/US2016/038592 patent/WO2017082969A1/en active Application Filing
- 2016-06-22 EP EP16864700.6A patent/EP3374852B1/en active Active
- 2016-12-07 US US15/371,396 patent/US9749867B2/en active Active
2017
- 2017-08-24 US US15/686,111 patent/US10003975B2/en active Active
2018
- 2018-06-19 US US16/012,044 patent/US10623958B2/en active Active
Also Published As
Publication number | Publication date |
---|---|
EP3374852A1 (en) | 2018-09-19 |
US9749867B2 (en) | 2017-08-29 |
US10003975B2 (en) | 2018-06-19 |
US10623958B2 (en) | 2020-04-14 |
US20170353861A1 (en) | 2017-12-07 |
US20190028895A1 (en) | 2019-01-24 |
US9554279B1 (en) | 2017-01-24 |
EP3374852A4 (en) | 2018-12-05 |
US20170142590A1 (en) | 2017-05-18 |
EP3374852B1 (en) | 2020-01-29 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| | 121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 16864700; Country of ref document: EP; Kind code of ref document: A1 |
| | NENP | Non-entry into the national phase | Ref country code: DE |
| | WWE | Wipo information: entry into national phase | Ref document number: 2016864700; Country of ref document: EP |
| | ENP | Entry into the national phase | Ref document number: 2016864700; Country of ref document: EP; Effective date: 20180612 |