Note : Les descriptions sont présentées dans la langue officielle dans laquelle elles ont été soumises.
SYSTEM AND METHOD FOR MOBILE BASE STATION AUTHENTICATION
TECHNICAL FIELD
[0001] The disclosed systems and methods relate to using location information
to determine
whether to grant a user physical and/or logical access to a location, an
object or a system. In
particular, the disclosed systems and methods relate to providing location-
based authentication
using connectivity information from mobile base stations.
BACKGROUND
[0002] Some previous attempts to use mobile device location information to
make decisions
regarding security access have drawbacks.
[0003] GPS systems are commonly used to provide location information, however,
those
systems require GPS to run, which uses battery power to operate and require
additional
processes, such as a GPS application, to operate. Moreover, GPS may not
operate well in
buildings or vehicles due to poor transmission of GPS signals. In many cases,
a GPS signal is not
available due to some sort of interference (naturally occurring or man-made).
[0004] Running GPS may also compromise an end user's privacy. Mobile device
OEMs and
many application developers often make use of GPS function for uses that
invades an
individual's privacy without the end user's explicit knowledge. Moreover, if a
mobile device is
impacted by malware, the GPS function could add more info details for
attackers to locate the
end user and thus compromise their security. Many mobile apps demand/require
access to GPS
data which again weakens one's ability to limit who is tracking them.
[0005] Other systems for providing location information rely on systems such
as WiFi
connection (or WLAN), a wireless beacon or a relay device in the immediate
vicinity of the
access location, such as at the ground floor entrance of a building. These
types of systems
generally require some form of digital ID on the mobile device, such as a
smartphone, to be
mapped or authenticated to the local wireless network which implies WiFi app
or modem needs
to be enabled by the end user. Users may often not have their mobile device
set to have WiFi
1
CA 2993713 2018-02-01
enabled or "ON", and the use of WiFi will often drain battery usage. This is
the similar scenario
when attempting to use another wireless technology such as Bluetooth and
Bluetooth Low
Energy as both these wirelesses technologies also require apps on the device,
an enabled modem
and a pairing to the local Bluetooth server. In all of these types of systems,
the smartphone itself,
loaded and configured apps, and a specific modem turned "ON" are necessary to
enable access.
[0006] Applications that use wireless connections to determination location
generally require the
smartphone to have an installed application on the device to communicate with
the wireless
service provider to transmit its position. The service provider needs to
provide an API of some
kind that would define how to receive the coordinates from the smartphone and
where/how to
transmit them to the electronic access control unit. Additionally, in this
type of system, the geo-
location info is often the sole method provided to enable door access without
requiring additional
identification of the individual. This also may mean added complexity for
providing access
services and additional drain on the mobile device since an app and other
mobile modules are
required to establish connectivity.
[0007] Other systems require a mobile device to provide identification
information to an external
service which uses the information to locate the individual. This type of
solution is invasive
since the end user's devices are required to communicate with an external
tracking system to
enable location services. These types of system will similarly often require
an invasion of the end
user's privacy.
[0008] Some previous location verification systems require a user to call an
authentication server
which then verifies their voice print, and then the authentication server
queries the wireless
provider to acquire the location of the phone. Requesting a person's location
from a wireless
provider may not be permissible in various jurisdictions due to privacy laws
which often forbids
providers from tracking customers unless there is a request by law
enforcement.
[0009] Other systems may attempt to use triangulation through cellular signal
strength
measurements, but will also often require the installation of an application
on the mobile device.
2
CA 2993713 2018-02-01
SUMMARY
[0010] There is provided in one embodiment a method of authenticating an end
user's access to
a resource at a physical location using a mobile device associated with the
end user. The mobile
device is connected to a mobile network including a plurality of base
stations. A request is
received from the end user asking to be permitted to access the resource. The
method determines
whether the end user has access credentials to access the resource.
Information is requested and
received from a subscriber server for the mobile network including subscriber
data associated
with the mobile device, the subscriber data including information on which of
the one of the
plurality of base stations to which the mobile device is currently connected.
A current location of
the mobile device is verified based on the one of the plurality of base
stations to which the
mobile device is connected. Access to the resource is allowed only if the end
user has access
credentials to access the resource and the physical location matches the
current location of the
mobile device.
[0011] In another embodiment there is also a system for providing user access
to a secure
resource using a mobile device. There is a backend access system and an access
database
connected to and accessible by the backend access system. A resource access
system is in
communication with the backend access system, the resource access system
configured to
receive a request from a user to access the secure resource. The backend
access system is
configured to communicate with a mobile network database to obtain subscriber
data associated
with the mobile device in response to the resource access system receiving a
request from the
user to access the secure resource. The subscriber data includes information
on the specified base
station to which the mobile device is currently connected.
[0012] In one embodiment, smart card technology, smartphone and Telecom
Service Provider
base station data/information is used and mapped together with a backend
access system
(physical or logical oriented) for the sole purpose of increasing
authentication sources for
physical and/or logical access, thus increasing the security level for access.
[0013] In some embodiments, this technology could be implemented by a business
or
corporation which mandates this process for access to its premises and/or
computer systems. End
3
CA 2993713 2018-02-01
user employees of the company would then register their device or devices for
this added secure
access service. User access, for physical or logical purposes, would be based
on a primary
function or rule of access always "disabled" until the mobile device connects
to the specific base
station which is identified as the primary and/or closest access point to the
asset, such as a
building door or specific computer terminal.
[0014] In some embodiments, the system and method use mapping information from
two distinct
disparate data sources to increase the authentication factor for access
services.
[0015] These and other aspects of the system and method are set out in the
claims, which are
incorporated here by reference.
BRIEF DESCRIPTION OF THE FIGURES
[0016] Embodiments will now be described with reference to the figures, in
which like reference
characters denote like elements, by way of example, and in which:
[0017] Fig. 1 is a schematic diagram of an authentication system using mobile
base stations.
DETAILED DESCRIPTION
[0018] In an embodiment, the method operates as follows:
a. Smartphones connect to mobile towers and base stations;
b. When a Smartphone is connected to a particular base station, that
information is
known to the backend mobility systems via its IMSI and/or other device
identifying data;
c. If that base station is the primary or closest base station to the targeted
physical
building or computer terminal for access purposes, that base station will be
the
prime mobility node where a connected device's ID would be retrieved from
mobility backend systems and sent the backend access system to be mapped
against a smart card ID and/or user logical access credentials;
d. When the mobile device's ID, retrieved from the specific mobile base
station, is
sent to the access system and mapped to the user ID, the smart card system
4
CA 2993713 2018-02-01
identifies the door which this user has access to (as per his/her access
profile) and
"enables" it for card access, or in the case of logical access, the mobile
device's
ID is mapped to the corporate logical access system to enable access to a
specific
computer terminal.
[0019] The proposed systems and methods may provide certain benefits. No
client app is
required on the mobile devices. This means, unlike many services/solutions for
mobile devices,
battery power is not affected since mobile base station connectivity is always
working
[0020] The system and method may use either a smartphone or a smart card with
a digital ID as
a primary secure access device and the RAN base station is the secondary form
factor that
enables the primary secure device to enable access.
[0021] In an exemplary embodiment, Fig. 1 shows an authentication system 10. A
mobile device
12 is connected to a mobile network through connection 14 to a base station
16, which is shown
as a mobile base station tower. The base station 16 connects to a serving
gateway (SGW)18 and
mobile management entity (MME) 20. A home location register/home subscriber
server 22 is
connected to the SGW and stores subscriber data associated with users of the
mobile network.
The subscriber data can include information regarding the international mobile
subscriber
identity (IMR), the integrated circuit card ID (ICCID) and/or the
international mobile equipment
identity (IMEI) or other information that identifies the mobile device with an
end user.
[0022] The mobile subscriber information is provided to a backend access
system 26 through a
connection 24. The backend access system 26 is connected to an access database
30 through a
connection 28. Primary authentication may be provided using a smart card, in
which case the
backend access system 26 is a backend card access system and the access
database is a smart
card database. Subscriber data from the mobile network may be mapped to smart
card IDs in the
backend card access system 26. The backend access system 26 controls access to
a resource 34.
The resource may be either an object or a place that the user may need
physical access to or may
be a system that the user requires logical access to. For example, the
resource may be a door
which can have access enabled by the backend access system 26.
CA 2993713 2018-02-01
[0023] The resource 34 communicates with the backend access system 26 through
connection
32. A user 38 may request access to the resource and may use access
credentials as a primary
method of authentication, such as a smart card 36. The user 38 may be an
employee of a
corporation that uses the smart card 36 to access building after access has
been granted based on
the location information retrieved from the base station 16 and processed by
the backend access
system 26.
[0024] From the user's perspective, the user 38 attempts to access the
resource 34, which may be
a computer access terminal or a door or other resource having restricted
access. To access the
resource, the user may either enter identification information, such as a
username and password,
or use a security token such as a smart card. The backend access system will
then confirm that
the smart card or other identification information is correct and matches to a
user having security
clearance to access the resource. At the same time, the backend access system
26 will determine
whether the mobile device associated with the user is at a location that is
consistent with the
physical location of the resources. Subscriber information from the mobile
network that allows
for the identification of the location of the mobile device is provided to the
backend access
system 26. This information may include information showing that the mobile
device associated
with the user 38 is connected to a particular base station. If the physical
location is nearest to one
particular base station, then the verification that the user is at the correct
location may be
provided by simply confirming that the mobile device associated with the user
is connected to
the particular base station near the access point.
[0025] If the backend access system 26 determines that the user has met the
authentication
requirements to access the resource and the location information determined
from the mobile
network are consistent with the user being at the physical location of the
resource, then access
will be granted. The system does not require the user to install an
application to determine the
location of the mobile device or phone. The mobile device location is
determined directly using
the subscriber information from the mobile network which is communicated to
the backend
access system.
6
CA 2993713 2018-02-01
[0026] An exemplary implementation of the system 10 in Fig. 1 is set out as
follows. The user's
mobile device, such as a phone, connects to the tower and base station 16. The
IMSI data
associated with the user's phone is sent from the HLR to the smart card access
system 26. The
IMSI data is mapped to a smart card ID in the card access system. If the
information associated
with the IMSI data and smart card ID correspond with the required inputs, then
the card access
system sets the access state for the secure resource, such as a door, to
"enabled". The employee
uses the smart card to access building and the access is granted based on the
ID retrieved from
base station. During the operation of the method in this example, the resource
access is always
disabled until input from HLR is received to enable door access for the
specific employee. In this
example, the employee's phone does not communicate directly to the backend
access system and
no private information is communicated directly from the employee's phone.
[0027] The diagram shown in Fig. 1 is a schematic drawing showing an exemplary
implementation of the system. The system can be implemented in various ways,
using various
types of connections that communicate between the various systems and
databases. Different
configurations of the systems may be used to achieve the intended purposes.
The secure resource
may be any access point for which access is restricted, including a door, a
computer terminal, or
any other system that has a specific location or that has an access terminal
at a specific location.
Although the end user is at times described as an employee, the person may be
any end user,
such as a visitor to the building who has been granted appropriate access so
long as the mobile
device associated with that user has been included in the system. The mobile
device may be a
smartphone or any other device that connects to a mobile network. Verifying a
current location
of the mobile device based on the one of the plurality of base stations to
which the mobile device
is connected may not require the backend access system to positively determine
a location of the
mobile device. The backend access system need only verify that the information
representing the
location of the device matches the required credentials specified by the
system. The verification
could, for example, be a Boolean response to an inquiry of whether the base
station to which the
mobile device is connected is the closest base station to the physical
location of the resource. The
location of user may be compared with the location of the specified mobile
base station to which
the end user's mobile device is connected to, and that information is included
in the multi-factor
access configuration that allows the user to access the resource.
7
CA 2993713 2018-02-01
[0028] By providing access to a resource using mobile base station
information, the method and
system can provide location information without the limitations of
interference that may interrupt
a GPS signal. A telecommunications provider can install a cellular antenna to
connect to a base
station for any location that is problematic for a GPS signal.
[0029] In an embodiment, making use of a cellular antenna and base station to
capture location
information could be arranged in advance with the telecom service provider and
the access point
owner (i.e. ¨ private/corporate company or government organization). Use of
this info, albeit
transparent to the end user, would need to be negotiated ahead of time in the
form of a request or
arrangement whereas only when a person's smartphone is in a certain vicinity
of the cellular
antenna/base station would the individual be granted access. Privacy would not
be affected since
info captured from the smartphone is done so only when in that specific
vicinity of the cell
antenna/base station for a specific time-dependent purpose of access and the
info would never be
shared with any other external app (on the smartphone or backend system) for
any other purpose,
and whereas consent would be clear and understood by all parties
using/supporting this service
and this service only. It is intended that there would be no ulterior motive
for this service and no
info acquired from this service would be resold or utilized for any other
reason than providing
another factor of security for access purposes. Only specific pre-determined
mobile devices may
participate and be authorized to access the system.
[0030] The use of information from a mobile base station will not affect
battery life, because
unlike Wifi, Bluetooth, Bluetooth Low Energy or GPS, mobile connectivity is
almost always on
by default. Accordingly, smartphone info flowing through cellular means, from
the mobile
antenna and base station, does not affect the battery life of the smartphone
or end device.
[0031] In some embodiments, the technology could be offered as "AaaS" (Access
as a Service)
to other manufacturers would want to offer augmented security via multi-factor
access for their
equipment or device such as vehicle, a lock to a residence whereas all would
be equipped with
cellular connectivity, and paired with the same base-station info to which
their mobile phones are
connected to in order to grant access.
8
CA 2993713 2018-02-01
[0032] In some embodiments where split knowledge and dual control are
required, a secondary
individual would also make use of this access method whereas both individuals
would be
required to have their mobile device connected to the telco base station to
enhance the secure
access to a particularly sensitive area/system.
[0033] Immaterial modifications may be made to the embodiments described here
without
departing from what is covered by the claims.
[0034] In the claims, the word "comprising" is used in its inclusive sense and
does not exclude
other elements being present. The indefinite articles "a" and "an" before a
claim feature do not
exclude more than one of the feature being present. Each one of the individual
features described
here may be used in one or more embodiments and is not, by virtue only of
being described here,
to be construed as essential to all embodiments as defined by the claims.
9
CA 2993713 2018-02-01
