Patent Application
20220130190
This disclosure generally relates to access control, and more particularly relates to multiple ways to enable access to premises depending on the network available to a user.
Whether a business property, a residential sub-division, a condominium building, or even a single housing unit, owners and occupants place great importance on the physical security of such premises. Yet, occupants also demand convenient, prompt, and reliable access for themselves and their guests. However, the type of access control may be different for different types of occupants and visitors depending on the communication network available to them. Therefore, there is a need for a single, improved premises security system that can enable access to all types of occupants and visitors.
In one aspect, a first request for a first user to access a premises is received by a first server and via a WAN (wide area network). The first request is received from a second server. The first server is configured to determine authorization of access to the premises. The first user is determined to be authorized to access the premises. A second request for a second user to access the premises is received by the first server and via a WLAN (wireless local area network) associated with the first server. The second request is received from a mobile device that is associated with the second user and connected to the WLAN. The second user is determined to be authorized to access the premises. A third request for a third user to access the premises is received by the first server. The third request is received from a physical access system configured to limit physical access to the premises. The third user is determined to be authorized to access the premises.
Implementations may include one or more of the following features. The physical access system may be caused to allow entry to the first user to the premises based on the determining that the first user is authorized to access the premises. The physical access system may be caused to allow entry to the second user to the premises based on the determining that the second user is authorized to access the premises. The physical access system may be caused to allow entry to the third user to the premises based on the determining that the third user is authorized to access the premises.
The second request may comprise an indication that the mobile device associated with the second user is disconnected from a first mobile network enabling connection to the second server. The third request may comprise an indication that a mobile device associated with the third user is disconnected from a second mobile network enabling connection to the second server and an indication that the mobile device associated with the third user is disconnected from the WLAN.
The WLAN may comprise a Wi-Fi network. The first server may be connected to the WLAN. The third request may comprise a matrix barcode. The physical access system may comprise at least one of a barrier, a turnstile, a bulkhead, a lockable door, a gate, and a vehicle lift gate. The physical access system may comprise a matrix barcode reader and a user input device. The physical access system may comprise a vehicle identification system and the third request may comprise an identification of a vehicle associated with the third user.
A user access log may be updated to indicate at least one of: the determination that the first user is authorized to access the premises; the determination that the second user is authorized to access the premises; and the determination that the third user is authorized to access the premises.
A fourth user may be determined to not be authorized to access the premises. A notification that the fourth user is not authorized to access the premises may be sent.
Implementations of any of the described techniques may include a method or process, an apparatus, a device, a machine, a system, or instructions stored on a computer-readable storage device. The details of particular implementations are set forth in the accompanying drawings and description below. Other features will be apparent from the following description, including the drawings, and the claims.
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments and together with the description, serve to explain the principles of the methods and systems:
The systems and methods of the present disclosure relate to premises access control. In general, a system may allow a user (e.g., a resident or occupant) access to a premises by use of his or her mobile device. The system may eliminate the need for a user to carry a physical key that would otherwise be necessary to access the premises, although the disclosure is not so limited. The system further provides redundant processes by which a user may access the premises depending upon the connectivity of the user's mobile device to various levels of wireless communication networks.
A user may initially operate his or her mobile device to request access via a mobile network (e.g., cellular network). This request via the mobile network is received by a cloud server. The cloud server relays the request to a control server, which may be local to the premises. The control server determines if the user is authorized to enter the premises. If so, the control server causes the appropriate physical access system (e.g., a door, gate, or the like) to unlock and allow user access.
In some cases, the initial process via the mobile network may be unsuccessful. For example, the user's mobile device may have lost cellular connectivity. The user instead may attempt authorization via a local wireless area network (WLAN) at the premises. In this case, the mobile device transmits the request for access to the control server via the WLAN. The control server again determines the user's authorization. If so authorized, the control server causes the physical access system to grant access to the user.
In yet other cases, both of the above techniques for requesting access via the mobile network and/or the WLAN may be unavailable. For example, the user's mobile device may experience malfunction in all wireless communication channels. In this case, the user may operate his or her mobile device to generate a bar code, such as a matrix bar code, on the mobile device display. The user presents the bar code shown on the display to a bar code reader associated with the physical access system. The bar code reader transmits the bar code or information represented by the bar code to the control server. The control server determines if the user is authorized to access the premises. If the user is so authorized, the control server causes the physical access system to grant entry to the user.
The site 100 includes an outer perimeter boundary 102, such as a wall or fence, that secures a community space 101. Access through the outer perimeter boundary 102 to the community space 101 may be controlled by a physical access system 114 and/or a physical access system 122. The physical access system 114 may be realized as a gate or door, for example. The physical access system 122 may be configured to control vehicle access to the community space 101. As such, the physical access system 122 may be configured as a vehicle gate or lifting barrier. A license plate reader 112 may be situated proximate the physical access system 122 to detect the presence of a vehicle at the physical access system 122 and identify the vehicle's license plate numbers and/or characters. The license plate reader 112 may be considered part of the physical access system 122.
The community space 101 comprises a multi-unit dwelling 104. The multi-unit dwelling 104 may include an apartment or condominium building. Although not show in
The site 100 also includes a pool area 119, with pool 120, within the community space 101. The pool area 119 is bound by a fence 118 and a portion of the outer perimeter boundary 102. A physical access system 116, such as a lockable gate, may secure the pool area 119.
The site 100 includes several security kiosks 110a,b configured to facilitate secure access through the physical access system 114 and physical access system 122, respectively. Each security kiosk 110a,b is, accordingly, situated proximate the respective physical access system 114, 122. The security kiosks 110a,b may be considered a component of the respective physical access system 114, 122. Each security kiosk 110a,b is configured with a control panel 124a,b. Each control panel 124a,b may, in turn, be configured with a touchscreen and a bar code reader. Each control panel 124a,b may be further configured with a camera, speaker, and/or a keypad or other input device. Although not shown in
The security kiosks 110a,b may serve as an alternative or backup system for a resident or visitor to access the community space 101. For example, a resident may use one of the security kiosks 110a,b if she does not have her mobile device on her person. As another example, a resident may use one of the security kiosks 110a,b if his mobile device is not functioning correctly and is unable to connect to either the mobile network or the premises WLAN. As an example operation, a resident or visitor may present a bar code displayed on his or her mobile device to the bar code reader of the control panel 124a,b to gain access through the corresponding physical access system 114, 122. As another example operation, a resident or visitor may enter a PIN or other personal credentials via the control panel 124a,b to gain access to the community space 101.
The system 200 includes a user's mobile device 202, a cloud server 204, and a control server 206. The mobile device 202, the cloud server 204, and the control server 206 may be interconnected, at various times and in various capacities, via a mobile network 208, a wide area network (WAN) 210, and/or a WLAN 220. The mobile network 208 may be implemented as a cellular network, for example. The WAN 210 may include the Internet. In some aspects, the mobile network 208 may be integrated within the WAN 210. The WLAN 220 may be implemented according to the IEEE 802.11 standard. The WLAN may include a Wi-Fi network, for example. The WLAN 220 may also include wired connections in addition to wireless communication channels.
In some implementations, the system 200 may include two WLANs. One WLAN may be used for communication between the on-premises security system components, at the exclusion of user devices, such as the mobile device 202. Another WLAN may be made available for public use, such as by the user and his or her mobile device. The control server 206 may bridge communications between the two WLANs.
The mobile device 202 may be realized as a smartphone, tablet computer, portable gaming device, or other similar computing device designed for carry on a user's person. The mobile device 202 may be configured with one or more communication interfaces, including wireless and wired. For example, the mobile device 202 may include a cellular interface configured to connect to and communicate via the mobile network 208. As another example, the mobile device 202 may include a radio transceiver configured to connect to and communicate via the WLAN 220.
The mobile device 202 may be further configured with one or more processors and memory, volatile and non-volatile. The memory may store instructions that, when executed by the one or more processors, effectuate any of the methods and techniques described herein. The memory may further store instructions to execute, by the one or more processors, an operating system and one or more applications. Such applications may include one or more applications configured to interact with the system 200 and components thereof. For example, an application may be configured to request access to a premises, present a barcode or other authentication information via a display of the mobile device 202, and/or receive feedback responsive to the request for access.
The mobile device 202 may include one or more output components, such as a display and/or speaker. The mobile device 202 may further include one or more input components, such as a touchscreen, keypad, and/or a microphone.
The cloud server 204 is realized as one or more networked computing devices and is configured to exchange communications, via the WAN 210, with the mobile device 202. Such communications may include requests for premises access from the mobile device 202, as well as feedback to such requests that are sent to the mobile device 202. The cloud server 204 additionally communicates, via the WAN 210, with the control server 206. The communications with the control server 206 may be further effectuated via the WLAN 220 in some cases. The cloud server 204 may communicate requests for premises access, originated from the mobile device 202, to the control server 206, for example.
The control server 206 is also realized as one or more networked computing devices. The control server 206 is generally configured to manage access control to the premises. For example, the control server 206 may receive a request for premises access and determine if the requesting user is authorized. Depending on whether the user is authorized for access, the control server 206 will execute one or more processes and/or actions accordingly. For example, the control server 206 may cause a physical access system to grant the user access. In some implementations, some or all of the functionality and logic performed by the control server 206 may be shifted to or shared with the cloud server 204. For example, the cloud server 204 may determine if a user is authorized to access the premises and communicate this determination to the control server 206. In some implementations, the control server 206 and the cloud server 204 may be integrated as a single system.
The control server 206 may be directly connected to the WLAN 220, as shown in
In the same or similar manner as the mobile device 202, the cloud server 204 and the control server 206 may be each configured with one or more processors and memory. The memory may store instructions that, when executed by the one or more processors, effectuate any of the methods and techniques described herein.
Also connected to the WLAN 220 are physical access systems 212a-c, a console 214, and a security kiosk(s) 216. The physical access systems 212a-c, console 214, and security kiosk(s) 216 are further connected to the control server 206, such as via the WLAN 220.
The physical access systems 212a-c may comprise a barrier, a turnstile, a bulkhead, a lockable door, a gate, a vehicle lift gate, or other mechanisms to limit physical access. In some implementations, a license plate reader (e.g., the license plate reader 112 in
The console 214 is realized as one or more networked computing devices. The console 214 is used by personnel associated with the premises (e.g., a security guard or administrator). The console 214 may be used to bypass or override an instruction from the control server 206. For example, the console 214 may cause one of the physical access systems 212 to unlock despite a contrary instruction from the control server 206. The console 214 may store logs indicating activity of the system 200. For example, the logs may indicate a time that a request for access was received and the requester. Personnel may operate the console 214 to view the logs. The console 214 further may facilitate invitations for visitors to be allowed access to the premises. The console 214 may be used to register users, including normal occupants, as well as guests or visitors. Upon registration, the user may be issued a personal ID, such as a PIN.
The security kiosk(s) 216 are associated with one or more of the physical access systems 212a-c and facilitate access to the premises via the associated physical access system 212a-c. The security kiosks 110a,b in
The user may be a resident or occupant of the premises. The access request may be associated with a particular physical access system (e.g., the physical access systems 114, 122, 116, 108a-d in
At step 304, a determination is executed as to whether the transmission of the access request via the mobile network was successful. The determination may comprise determining if the mobile device is or was properly connected to the mobile network. The determination may comprise determining if the access request is or was received by the cloud server. The determination may comprise determining if the access request is or was received by the control server via the mobile network. The determination of whether the transmission of the access request via the mobile network was successful may be performed by the mobile device, for example, or other component of the security system such as the cloud server or the control server. If the transmission via the mobile network was successful, the flow chart 300 (e.g., the method) proceeds, indicated by the element A, to the flow chart 400 in
At step 306, the user attempts to transmit the access request via a WLAN (e.g., the WLAN 220) associated with the premises. For example, the user operates her mobile device (e.g., the associated application on her mobile device) to cause the mobile device to attempt to transmit the access request via the WLAN. The user may attempt to transmit the access request, via the WLAN, to the control server. The control server may be directly connected to the WLAN or may be connected via an intermediary computing device that is directly connected to the WLAN. The attempt to transmit the access request may be made according to the 802.11 standard (e.g., Wi-Fi).
In some instances, the WLAN to which the on-premises security components are connected may be different than the WLAN to which the mobile device connects. That is, the security system components are isolated, with respect to on-premises WLAN communication, from user devices. The control server may be connected to both WLANs to receive communications from both the mobile device via a first WLAN and communicate with the physical access systems, security kiosks, etc. via a second WLAN.
At step 308, a determination is executed as to whether the transmission of the access request via the WLAN was successful. The determination of whether the transmission via the WLAN was successful may comprise determining if the mobile device is or was connected to the WLAN. The determination may comprise determining if the access request was received by the control server. The determination of whether the transmission of the access request via the WLAN was successful may be performed by the mobile device, for example, or other component of the security system such as the control server. If the transmission via the WLAN was successful, the flow chart 300 (e.g., the method) proceeds, indicated by the element B, to the flow chart 500 in
At step 310, the user attempts to request access to the premises via one or more alternative methods. In some cases, these methods may be the default access methods for some users. For example, a visitor may not have a mobile device on his or her person. Or if the visitor does have his or her mobile device, the application associated with the security system may not be installed on the mobile device. As another example, a normal resident may have lost or forgotten his or her mobile device.
As an example, the user may attempt to request access by presenting a bar code (e.g., a matrix barcode, such as a QR barcode) to a bar code reader associated with the security system. The bar code reader may be that of a security kiosk (e.g., the security kiosks 110a,b in
At step 404, the control server receives the access request, via the WAN, from the cloud server. At step 406, the control server determines if the user is authorized to access the premises. The control server may further determine if the user is authorized to access the premises via the physical access system that may be indicated in the access request, if the system is so implemented. In some implementations, a system component other than the control server may determine if the requesting user if authorized. For example, the cloud server may perform this determination and indicate the result to the control server. The control server may receive the authorization result and proceed accordingly.
If the user is authorized, the flow chart 400 proceeds to step 410. If the user is not authorized, the flow chart 400 proceeds to step 408.
At step 408, a notification is generated that indicates that the access request is denied. The notification may be transmitted, such as to the user's mobile device. The mobile device may present the notification via the application executing on the mobile device and associated with the security system. The notification may be transmitted to the mobile device via the mobile network. The notification may be generated and/or transmitted by the control server. The notification may be transmitted to the mobile device by way of the cloud server. In some aspects, the cloud server may originate and transmit the notification to the user's mobile device. In some aspects, the notification of denial may be indicated to the user by presentation on a display or touchscreen proximate the physical access system. In yet other aspects, the denial notification may be communicated to the user via email and/or text message. The denial of the access request may be recorded in a log, including the time of the access request, the requesting user, and the requested physical access system.
At step 410, the physical access system (e.g., the physical access system indicated in the access request) is caused to allow access by the user to the premises. The control server may cause the physical access system to allow access. The control server may transmit an instruction to the physical access system to allow the access. The instruction to the physical access system may comprise an instruction for the physical access system to unlock and/or open. The grant of access may be indicated to the user via the application executing on the mobile device or via a display or touchscreen proximate the physical access system. At step 412, the grant of access may be recorded in a log, including the time of the access request, the requesting user, and the requested physical access system.
At step 504, the control server determines if the user is authorized to access the premises. The control server may further determine if the user is authorized to access the premises via the physical access system that may be indicated in the access request, if the system is so implemented. In some implementations, a system component other than the control server may determine if the requesting user if authorized. For example, the control server may relay the request to the cloud server for the cloud server to determine if the user is authorized. The cloud server may make such a determination and return the result back to the control server. The control server may then proceed accordingly.
If the user is authorized, the flow chart 500 proceeds to step 508. If the user is not authorized, the flow chart 500 proceeds to step 506.
At step 506, a notification is generated that indicates that the access request is denied. The notification may be transmitted, such as to the user's mobile device. The mobile device may present the notification via the application executing on the mobile device and associated with the security system. The notification may be transmitted to the mobile device via the WLAN. The notification may be generated and/or transmitted by the control server. In some aspects, the notification of denial may be indicated to the user by presentation on a display or touchscreen proximate the physical access system. In yet other aspects, the denial notification may be communicated to the user via email and/or text message. The denial of the access request may be recorded in a log, including the time of the access request, the requesting user, and the requested physical access system.
At step 508, the physical access system (e.g., the physical access system indicated in the access request) is caused to allow access by the user to the premises. The control server may cause the physical access system to allow access. The control server may transmit an instruction to the physical access system to allow the access. The instruction to the physical access system may comprise an instruction for the physical access system to unlock and/or open. The grant of access may be indicated to the user via the application executing on the mobile device or via a display or touchscreen proximate the physical access system. At step 510, the grant of access may be recorded in a log, including the time of the access request, the requesting user, and the requested physical access system.
For example, the authorization information may comprise a barcode (e.g., a matrix barcode) shown on a display of the mobile device and read by a barcode reader. The barcode reader may be that of a physical access system or an associated security kiosk. The barcode may identify the user. Additionally or alternatively, the barcode may indicate a passcode, including a dynamically generated passcode. The mobile device and/or application executing thereon may dynamically generate the barcode. The passcode may be derived from a cryptographic key, in a similar manner as implemented in a security token.
As another example, a user may provide a personal identifier and/or an authorization code. The personal identifier and/or authorization code may be entered via a keypad and/or touchscreen. A physical access system and/or an associated security kiosk may supply the keypad and/or touchscreen The personal identifier may have been previously registered in the security system. When the control server receives the personal identifier, it recognizes the associated user and grants the user access. The authorization code may be a static authorization code. Or, like the code that may be indicated by the barcode, the authorization code may be dynamically generated based on a cryptographic key.
As yet another example, a license plate reader may identify the license plate numbers and/or characters of the license plate of the user's vehicle. This may occur when the vehicle pauses or stops upon approaching a vehicle physical access system. The license plate numbers and/or characters may serve as a personal identifier of the user.
At step 604, the control server determines if the user is authorized to access the premises. The control server may further determine if the user is authorized to access the premises via the physical access system from which the user generated the access request. In some implementations, a system component other than the control server may determine if the requesting user if authorized. For example, the control server may relay the request to the cloud server for the cloud server to determine if the user is authorized. The cloud server may make such a determination and return the result back to the control server. The control server may then proceed accordingly.
If the user is authorized, the flow chart 600 proceeds to step 608. If the user is not authorized, the flow chart 600 proceeds to step 606.
At step 606, a notification is generated that indicates that the access request is denied. The notification of denial may be indicated to the user by presentation on a display or touchscreen proximate the physical access system. In yet other aspects, the denial notification may be transmitted. For example, the denial notification may be communicated to the user via email and/or text message. The denial of the access request may be recorded in a log, including the time of the access request, the requesting user, and the requested physical access system.
At step 608, the physical access system (e.g., the physical access system via which access was requested) is caused to allow access by the user to the premises. The control server may cause the physical access system to allow access. The control server may transmit an instruction to the physical access system to allow the access. The instruction to the physical access system may comprise an instruction for the physical access system to unlock and/or open. The grant of access may be indicated to the user via a display or touchscreen proximate the physical access system. At step 610, the grant of access may be recorded in a log, including the time of the access request, the requesting user, and the requested physical access system.
The described system may also be extended to accommodate visitors to the premises. For example, a console (e.g., the console 214 in
The described system may also be extended to control and log exit from a premises. For example, a user may be required to undergo a similar process to exit the premises at that required to enter the premises. The system may log that the user has entered the premises. When the user attempts to leaves the premises (i.e., submits a request to exit) the user must be first authorized. The processes for determining the authorization to exit and effectuating that exit may be implemented in a same or similar manner as those used to authorize entrance to the premises. For example, if the user is not authorized, the user is notified of the denial. If the user is authorized, the system (e.g., the control server) instructs the appropriate physical access system to allow exit. The request to exit, including the time of the request, the requesting user, and the time of exit, may be recorded in a log.
The techniques described herein can be implemented in digital electronic circuitry, or in computer hardware, firmware, software, or in combinations of them. The techniques can be implemented as a computer program product, i.e., a computer program tangibly embodied in an information carrier, e.g., in a machine-readable storage device, in machine-readable storage medium, in a computer-readable storage device or, in computer-readable storage medium for execution by, or to control the operation of, data processing apparatus, e.g., a programmable processor, a computer, or multiple computers. A computer program can be written in any form of programming language, including compiled or interpreted languages, and it can be deployed in any form, including as a stand-alone program or as a module, component, subroutine, or other unit suitable for use in a computing environment. A computer program can be deployed to be executed on one computer or on multiple computers at one site or distributed across multiple sites and interconnected by a communication network.
Method steps of the techniques can be performed by one or more programmable processors executing a computer program to perform functions of the techniques by operating on input data and generating output. Method steps can also be performed by, and apparatus of the techniques can be implemented as, special purpose logic circuitry, e.g., an FPGA (field programmable gate array) or an ASIC (application-specific integrated circuit).
Processors suitable for the execution of a computer program include, by way of example, both general and special purpose microprocessors, and any one or more processors of any kind of digital computer. Generally, a processor will receive instructions and data from a read-only memory or a random access memory or both. The essential elements of a computer are a processor for executing instructions and one or more memory devices for storing instructions and data. Generally, a computer will also include, or be operatively coupled to receive data from or transfer data to, or both, one or more mass storage devices for storing data, such as, magnetic, magneto-optical disks, or optical disks. Information carriers suitable for embodying computer program instructions and data include all forms of non-volatile memory, including by way of example semiconductor memory devices, such as, EPROM, EEPROM, and flash memory devices; magnetic disks, such as, internal hard disks or removable disks; magneto-optical disks; and CD-ROM and DVD-ROM disks. The processor and the memory can be supplemented by, or incorporated in special purpose logic circuitry.
As used in the specification and the appended claims, the singular forms “a,” “an” and “the” include plural referents unless the context clearly dictates otherwise. Ranges may be expressed herein as from “about” one particular value, and/or to “about” another particular value. When such a range is expressed, another embodiment includes from the one particular value and/or to the other particular value. Similarly, when values are expressed as approximations, by use of the antecedent “about,” it will be understood that the particular value forms another embodiment. It will be further understood that the endpoints of each of the ranges are significant both in relation to the other endpoint, and independently of the other endpoint.
Unless otherwise expressly stated, it is not intended that any method set forth herein be construed as requiring that its steps be performed in a specific order. Accordingly, where a method claim does not actually recite an order to be followed by its steps or it is not otherwise specifically stated in the claims or descriptions that the steps are to be limited to a specific order, it is not intended that an order be inferred, in any respect.
It will be apparent to those skilled in the art that various modifications and variations may be made without departing from the scope or spirit of this application. Other embodiments will be apparent to those skilled in the art from consideration of the specification and practice disclosed herein.
| Filing Document | Filing Date | Country | Kind |
|---|---|---|---|
| PCT/IB2018/057784 | 10/8/2018 | WO | 00 |
