Patent Application
20160092665
Related fields include wearable electronics, monitoring of vital signs, and security, particularly continuous or periodic automated verification of a user's authentication.
The following terms have the following meanings for this document's purposes.
Approximate Contact: Direct contact with the skin, or direct contact with clothing covering the skin through which the vital sign may still be monitored, or intermittent contact wherein the periods of non-contact are very short (e.g. less than 10 seconds).
Authentication: Verifying that prospective users are who they claim to be before granting access. Authentications may be strong (biometric, multi-factor), moderate (password, pass-gesture) or weak (badges, cards, etc.)
BTLE: Bluetooth Low Energy: Bluetooth type wireless communication over a range about the same as that of Bluetooth Classic (less than 100 m) while consuming between 1/100 and 1/20 as much energy.
Wirelessly connected: Configured so that a signal transmitted by at least one of the components can be received by at least one of the other components.
DL-L: Digital Leash-Length; a maximum distance between a PD and a WD at which a user wearing the WD is treated as continuing to use the PD.
Interruption (of Approximate Contact): A loss of approximate contact lasting longer than a threshold time.
Liveness: Generic for vital signs associated with a living person such as heartbeat, breathing state, body temperature, skin conductivity, and the like.
Lock: Deny access until unlocked; may or may not include logging out the most recent user.
Multi-factor authentication: establishment of the identity of a prospective user of a PD by at least two factors; factors may be passwords, pass-gestures, answers to security questions, biometric measurements, or any suitable method.
NFC: Near Field Communication; a protocol standard to cause RF communication between devices (usually mobile devices) when they touch each other or are closer together than a few cm.
Operable to: Capable of performing the function described, whether or not originally designed specifically for that function.
Present (a Token): Make the token available, detectable, or readable (generic for transmitting, emitting, displaying, etc.).
Programmable Memory: Memory that can be erased and rewritten many times.
PD: Protected Device; a device configured to restrict access to authorized users.
RF: Radio-frequency; typically 3 kHz to 300 GHz.
RSSI: Received signal strength indication (in arbitrary units). May be used in a wireless environment to determine when the amount of radio energy in a channel is below a certain threshold. For example, RSSI will decrease with distance from the source.
SDR: Software Defined Radio: uses software to perform radio communication functions traditionally performed by hardware which may use an RF front end connected to an A/D converter. General purpose processors do most of the signal processing.
Stop Presenting (a Token): Delete, disable, or otherwise invalidate the token.
Token: An object or signal representing the holder's right to cause a machine to perform a particular operation. Such operations may include unlocking and granting the user access to software on the machine.
Unlock: Grant access; may or may not include logging in an authenticated user.
Wearable Device: A device that can be attached to a user's body or clothing without the user needing to constantly grasp or hold it.
Electronic devices are available in a very wide variety. Some devices are very complex. For the sake of clarity, this Description will omit components or processes that may be included in the device but not necessarily used to practice the subject matter herein.
If the device has an active transmitting or receiving element, a visible indicator, or display, it may be located in a module 102 on the outside of the wearable article. If the device interacts with the wearer's skin, as in a vital-sign detector or a haptic interface, those components may be located on the skinward side 112 of the wearable article.
In
Token presenter 232 may be a radio transmitter, a light or ultrasound emitter, a display, or any other component that can present a piece of information sufficiently complex to serve the purpose. For example, if a computer or communication station must grant access only to users with a certain security clearance or other authorization, the token may need to be unique to each user and thus fairly complex. If, instead, an alcohol booth at an all-ages festival must serve only those who have shown an ID at the entry gate that proves they are legal drinking age, the token need not be unique to each individual and may be less complex.
To prevent fraudulent use or “spoofing” of tokens, at least one liveness detector 212, and optionally one or more liveness detectors 213, monitor the continued liveness of the user wearing the WD. A vital sign, especially one that varies in a predictable way such as a heartbeat, is more difficult to simulate than mere proximity; in some devices, proximity may be spoofed by covering the proximity sensor(s) with paper, plastic, or the like. Even biometric authenticators may sometimes be fooled by precisely reproduced, or even deceased and detached, body parts of authorized users, but replicating dynamic vital signs in such parts is expected to be challenging.
Controller 222 controls the operation of, and receives the information from, at least one liveness detector 212, and optionally one or more liveness detectors 213. For example, one of the liveness detectors may measure heartbeat or pulse, and another may measure breath, body temperature, or skin conductivity. If there is an interruption in the vital-sign signal, the controller trips a switch 242 (or optional 243) that causes token presenter 232 to immediately stop presenting the token. Therefore, if an unauthorized person takes the WD from its rightful wearer, the vital-sign signal is interrupted during the transfer, automatically causing the token-presenter to stop presenting the token. Without detecting a valid token, none of the protected devices (PDs) requiring a token will unlock. In the festival example, an underage person who acquires an adult's WD will not be able to use it to buy alcohol because, when the adult took off the WD, the interruption in the liveness signal from sensor 212 tripped a control switch 242 or 243, causing the WD to stop presenting the adult's token.
On the inside surface of wristband 302 adjacent to the user scan, the light sources 322 and 324 illuminate the blood vessel 314. The photodetector 326 detects the reflected and/or scattered light and interior processors and the WD (not shown) track its behavior over time. In some embodiments, light sources 322 and 324 emit at red or infrared wavelengths. These wavelengths are typically transmitted through the skin and the blood vessel wall to be absorbed by hemoglobin cells in the blood. Because the speed of the blood flowing past the illuminated part of the blood vessel varies with a heartbeat, so does the number of hemoglobin cells in the path of light, and thereby the amount of light that is absorbed.
Some embodiments of WD do not need constant, full contact with the user's skin. The sensors may continue to work acceptably through a layer of clothing were for a small air gap between the sensor and the skin. Likewise, some embodiments may tolerate intermittent separations of short duration by introducing a delay between sensing the interruption and causing the token-presenter to stop presenting the token.
In some embodiments, the WD includes measures to prevent false detection of interruption. If WDs constantly shut themselves off while users were still wearing them, the cost in user time and wear and tear on equipment could increase. Some embodiments may have two or more sensors, either of the same type or different types. Some embodiments may use algorithms to measure the exact timing and behavior of interruption-like events and ignore those that last for less than a threshold duration (e.g. 1 second), such as what happens when a person wearing a pendant walks or leans over to pick something up. The pendant may temporarily lose contact with the skin and come back into contact with a short time. Some embodiments, similarly to the example in
Clearly, this application presents different challenges than the use of liveness detectors for health evaluation. Unlike the health-monitoring type of WD, the processors described here need not necessarily look for problems, store results over very long periods, or compare results with normalized standards. Also unlike health-monitoring WDs, these devices need to recognize and react to interruptions. Some embodiments need to discriminate between an interruption that signifies removal of the device and one that does not. Therefore, an unmodified existing health-monitoring WD might not be satisfactory for this application.
In some embodiments, the authenticator may begin by distinguishing the authenticating user's WD from other WDs that happen to be within authentication range (step 401). This is a precaution against having two or more WDs with the same token in applications where each token needs to be unique. In an environment where additional WDs may or may not be in the range, the system may alert the authenticating user to ask other users to step out of range until the authentication is complete. Alternatively, in a higher-density environment where 2 or more WDs are likely to be within range of the authenticator at any given time, each WD may be associated with a particular authorized user. The association may be set up in the infrastructure or by pairing the WD to a trusted device, e.g., via Bluetooth.
In some embodiments, the WD sends the authenticator a signal verifying that the vital-sign measurements appear acceptable (step 403). This enables the authenticator to sense any possible malfunctions in the WD and warn the user that there may be a problem that needs to be addressed before beginning the authentication (step 404).
If the authentication is unsuccessful, the authenticator displays or otherwise transmits an error message (step 408) and does not send a token to the WD. If the authentication is successful, the authenticator sends a token to the WD's receiver (step 410) and the WD stores the token in memory (step 412). Alternatively, the authenticator may transmit a command for the WD to generate the token using its own processor, and the WD may generate the token and store it in memory. Using either approach, if the tokens need to be unique, a step may be included to check other currently-valid tokens on the network to ensure that no two are the same. Alternatively, a similar type of algorithm may be used to generate the tokens that is used to generate strong passwords; i.e., so many variables are included that duplication is extremely unlikely. In situations where some tokens may be the same, these precautions may not be necessary. Either the authenticator (step 414) or the WD (alternatively) copies the token to the network onto a roster of valid tokens for reference by PDs with token-readers.
During this process, the WD continues monitoring the user's liveness (step 416). If at any time the WD recognizes an interruption signifying that the user has removed the WD, in invalidates the token if present (step 420) or alternatively refuses to accept a token, triggering an error message from the authenticator. If the liveness is uninterrupted, the WD may continuously present the token. Alternatively (e.g., in embodiments where the WD's onboard power must be conserved and presenting the token is a power-hungry process) the WD may scan the environment for a nearby token-reader (step 417) and only present the token when it finds one (step 419).
In some embodiments, liveness is represented by its own token, which operates independently of other tokens. Time-stamps and other metadata may be compared or correlated between the multiple tokens, enabling each token set to enforce multiple policies (e.g., granting or denying access).
The authentication may be single-factor or multi-factor. The multi-factor authentication may use any suitable combination of factors appropriate to the situation. Both biometric and non-biometric factors may be used. Non-limiting examples of biometric factors include face recognition, voice recognition, fingerprint or palm-vein analysis, or various ocular scans. In some embodiments, the user may be offered a choice of biometric measurements in case of temporary problems (fingertip injury, laryngitis, and the like). Non-limiting examples of non-biometric factors include passwords, pass-gestures, and detachable credentials such as smart cards and key fobs. Some factors are less secure than others; the number and choice of factors for each embodiment depends on the security needs and budget of the situation and the tolerance of the user group. In some embodiments, the token may include an attribute of a biometric measurement. In some embodiments where the liveness detection is a separate token, it may be used as an authentication factor.
The token presented by the WD after a successful authentication will grant the user access to one or more PDs (protected devices) as long as the token remains valid. The token only remains valid as long as the user does not remove the WD. Other events that could end the validity include a loss of power to the WD, a malfunction of the WD, or an administrative system-wide reset. For example, administrators of some secure environments may choose to reset the system and require users to re-authenticate every 24 hours. Another option is to require users to re-authenticate if they seek access to a PD outside their normal working hours.
Non-limiting examples of PDs include computers with access to sensitive data; secure communication devices; intelligent electronic locks on doors, cabinets, cases, vehicles, and enclosed compartments containing non-user-serviceable parts of a purchased item. PDs may also be computer-controlled instruments or tools in a laboratory, shop, or factory, where access needs to be restricted to persons trained to operate them correctly and safely. Human-attended cash transfer points, such as cash registers and bank-teller drawers, may also benefit from this type of automated security. In some embodiments, a personal computer may require authentication to use stored credit card numbers for online purchases. Token-presenting wearables may also be issued to hospital patients, individually identified voters, members of a VIP list, or holders of press passes.
Controller 508 also controls one or more multi-factor authentication inputs 512, such as a keyboard, a mouse, a touchscreen, a camera, a microphone, or a high-resolution scanner. Likewise, controller 508 controls an output 514 to transmit token information (e.g., the actual token, a compressed form of the token to be extracted by the WD, or instructions to the WD on how to generate the token). Optionally, controller 508 may control a WD liveness information receiver 513 which receives communications from the WD, e.g., that the user's liveness measurements are acceptable or that the WD is in good working order. Optionally (for example, if the authenticator host device has other, restricted uses as a PD), host device 502 may also include a token-reader 515 to grant access to previously-authenticated users. Token-reader 515 may include, or be connected to, a distance sensor to enable automatic locking (which will be discussed below with reference to
In
NFC and SDR are two examples of technologies that provide flexibility in setting the DL-L. In some embodiments, the desired DL-L may only be a few feet, while in others it may be an entire lab or section of factory floor, as when the user's task requires moving back and forth to sequentially use several PDs. The decrease in signal strength (e.g., RSSI) with distance from the source is well characterized for a number of protocols. Therefore, the BTLE RSSI corresponding to the PD's DL-L may be used as a threshold for the log off/locking process. If the WD is presenting the token as a BTLE (or NFC, or other short-range protocol) RF signal, the distance sensor can be integrated with the token-reader.
In some embodiments, the token-reader may scan for other valid tokens within the DL-L after the distance sensor reports that the correct user has moved outside the DL-L. If the token-reader finds another valid token within the DL-L, the associated user may be given the option of keeping the session open. This would allow, for example, lab partners to cover for each other on breaks.
At the beginning the PD is locked, but its token-reader may scan for a valid tokens within the DL-L (step 752) or alternatively the token-reader may be in sleep mode until receiving a wake-up signal from the WD within the DL-L. Upon detecting that a valid token is within the DL-L (step 754), the token-reader unlocks the PD and either automatically logs the user in or permits the user to log him- or herself in (step 756). The token-reader then continuously (or very frequently) monitors the WD to confirm that the token is still valid (step 758), while the associated distance sensor monitors the WD to confirm that the WD is still located within the DL-L (step 760). As long as both conditions are true, the PD allows the user to continue access. If either condition becomes untrue, the PD will go back to a locked state (return to step 752), optionally after logging the user out (step 761) and/or saving any unsaved work.
In
In
In
The preceding Description and accompanying Drawings describe example embodiments in some detail to aid understanding. However, the scope of the claims may cover equivalents, permutations, and combinations that are not explicitly described herein.
