[go: up one dir, main page]

HK1224789A1 - Access control method and access control system - Google Patents

Access control method and access control system

Info

Publication number
HK1224789A1
HK1224789A1 HK16112511.7A HK16112511A HK1224789A1 HK 1224789 A1 HK1224789 A1 HK 1224789A1 HK 16112511 A HK16112511 A HK 16112511A HK 1224789 A1 HK1224789 A1 HK 1224789A1
Authority
HK
Hong Kong
Prior art keywords
portable electronic
electronic device
access
device identifier
identifier
Prior art date
Application number
HK16112511.7A
Other languages
Chinese (zh)
Other versions
HK1224789B (en
Inventor
弗洛里安‧特洛施
Original Assignee
因温特奥股份公司
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 因温特奥股份公司 filed Critical 因温特奥股份公司
Publication of HK1224789A1 publication Critical patent/HK1224789A1/en
Publication of HK1224789B publication Critical patent/HK1224789B/en

Links

Description

Access control using portable electronic device
Technical Field
The present disclosure relates to access control systems.
Background
Access control systems typically require a user to present to the system something intended to be used as proof that the user is authorized to receive access from the system. For example, some systems grant access to a user based on indicia (e.g., an identification card or a key fob) in the user's possession. The tag may be an RFID (radio frequency identification) tag or other information storage device. In other systems, access is granted to a user based on information (e.g., a password) provided to the system by the user. Some systems require multiple items of the user, for example, both a token and a password.
US20110291798a1 describes a system in which an electronic device, such as a smartphone, stores a digitally signed physical access rights file. The individual uses the access rights file to gain access to the restricted area only after self-authentication of the device. The physical access control system receives the access rights file, authenticates the file, and determines whether to permit passage through a physical barrier. The access control gateway may transmit the authorization code to the electronic device and the physical barrier system, thereby permitting passage only when the barrier system subsequently receives the authorization code from the electronic device using near field communication.
Disclosure of Invention
Other options for the access control system may be advantageous. This is solved by at least some embodiments covered by the claims.
The access control system may be configured to detect the presence of a portable electronic device carried by a user in the first area. The access control system sends an access code to the device. In the second area, the user presents the portable electronic device to the access terminal, which reads the access code from the device. The access control system grants the user access if the access code read from the device matches an access code that has been sent to the device by the system.
In some embodiments, a method comprises the steps of: determining a first device identifier for a portable electronic device of a user, the determining being performed in response to the portable electronic device entering a first zone; as a result of determining a first device identifier of the portable electronic device, transmitting an access code to the portable electronic device based on a second device identifier of the portable electronic device, wherein the second device identifier has been determined based on the first device identifier; reading an access code from the portable electronic device at the second area using the access terminal; and granting the user access as a result of reading the access code from the portable electronic device. In some cases, the portable electronic device is in a locked state when the first device identifier of the device is determined and when the access code is transmitted to the device, and the portable electronic device is in an unlocked state when the access code is read from the device using the access terminal. In other embodiments, the second zone is a higher security zone, the method further comprising the steps of: reading an access code from the portable electronic device using another access terminal at a third region while the device is in the locked state, the third region being a lower security region and located within the second region; and the user is granted access to the third area. The first device identifier is for a first communication channel and the second device identifier is for a second communication channel. The step of transmitting the access code to the portable electronic device comprises transmitting user information to the portable electronic device. The first device identifier is obtained using a radio frequency signal or radio signal from the portable electronic device, or the access code is read from the portable electronic device using a radio frequency signal or radio signal from the portable electronic device. In some cases, the access terminal uses an optical sensor to read an access code from the portable electronic device, the access code including an optical code. The access code may have a limited validity time. The validity time of the access code may be based on an expected travel time of the user from the first region to the second region, based on a distance between the first region and the second region, or based on a security level of the region. The method may further comprise the steps of: an access terminal is used to determine that an access control program is running on the portable electronic device. The step of determining the first device identifier may comprise: a periodically transmitted device identifier is received from the portable electronic device using the sensor. In some cases, the first device identifier is determined to be a periodically transmitted device identifier, or the periodically transmitted device identifier is used to establish a communication connection with the portable electronic device over which the first device identifier is read from the device. It may also include the following steps: it is determined whether the periodically transmitted device identifier is a known periodically transmitted device identifier. The method may further comprise the steps of: the access terminal is used to read a credential or user identifier from the portable electronic device, and the granting of user access is further based on the credential or user identifier.
Some embodiments of the system include: a sensor, an access terminal, a wireless communication network, a database, and a computer-based control unit connected to the sensor, the access terminal, the wireless communication network, and the database, the control unit comprising a processor and a computer-readable storage medium, the computer-readable storage medium comprising a plurality of instructions that cause the processor to perform the method steps of: determining, using a sensor, a first device identifier of a portable electronic device of a user, the determining performed in response to the portable electronic device entering a first zone; as a result of determining a first device identifier of the portable electronic device, transmitting an access code to the portable electronic device based on a second device identifier of the portable electronic device, wherein the second device identifier has been determined based on the first device identifier; reading an access code from the portable electronic device using an access terminal, the access terminal being located in the second area; and access is granted to the user as a result of reading the access code from the portable electronic device.
Further method embodiments include the steps of: bringing the portable electronic device within range of a sensor of the first area so that the sensor can determine a first device identifier of the portable electronic device; receiving an access code using the portable electronic device as a result of bringing the device within range of the sensor, the access code being transmitted to the device using a second device identifier of the device, wherein the second device identifier has been determined based on the first device identifier; the portable electronic device is presented at the access terminal at the second area, the access terminal being programmed to read the access code from the portable electronic device and grant access as a result of presentation of the portable electronic device at the access terminal. The method may further comprise the steps of: an indication is received from a portable electronic device of the device that has received the access code.
Further embodiments include computer-based apparatuses configured to perform one or more of the disclosed methods.
At least some embodiments of the disclosed methods may be implemented using a computer or computer-based device having read instructions for performing one or more method steps from one or more computer-readable storage media. The computer-readable storage medium may include, for example, one or more optical disks, volatile memory components (e.g., DRAM or SRAM), or non-volatile memory components (e.g., hard disk, flash memory, or ROM). The computer readable storage medium does not include a pure transient signal. The methods disclosed herein are not performed solely in the human brain.
Drawings
The present disclosure relates to the following figures, wherein:
FIG. 1 illustrates a plan view of an exemplary embodiment of an area using an access control system.
Fig. 2 shows a block diagram of an exemplary embodiment of an access control system.
Fig. 3 shows a block diagram of an exemplary embodiment of an access control method.
Fig. 4 shows a block diagram of another exemplary embodiment of an access control method.
Fig. 5 shows a block diagram of another exemplary embodiment of an access control method.
Fig. 6 is a signal diagram illustrating an exemplary exchange of signals between different components including multiple components of an access control system.
FIG. 7 shows a block diagram of an exemplary embodiment of a computer.
Detailed Description
FIG. 1 illustrates a plan view of an exemplary embodiment of an area using an access control system or an access control system. One or more of the disclosed techniques may be used in an arrangement similar to that of fig. 1; however, at least some embodiments may also be used in other settings. Fig. 1 shows region 110 and region 112. In this case, the entry area 110 is not generally managed or controlled by the access control system at some time. One possible example of an area 110 is a building lobby that the public generally has access to from outside building gates. On the other hand, the entry area 112 is generally managed or controlled by an access control system. Thus, the area 112 is considered a "safe or protected" area. One possible example is an office area that is intended to be accessible or accessed only by employees and clients of the company. In the particular case shown in fig. 1, zone 112 is separated from zone 110 by a set of physical obstacles 120, 122 and a movable obstacle 130. In other embodiments, there are no physical and moveable barriers, but rather, one or more of the boundaries between the zones 110, 112 are monitored electronically. When a demarcation or barrier is crossed by an unauthorized person, the access control system does not open a door or barrier, or the system initiates a countermeasure or counter-measure (e.g., notifying security). Although not shown in fig. 1, the area 112 may represent other building areas (e.g., a room, a staircase, an elevator, an escalator, a warehouse area, or other location). In at least some instances, the area 110 includes an entrance 140 through which a user 150 may enter or exit the area 110. Fig. 1 also shows a sensor 160 for detecting a portable electronic device 170 carried by the user 150. Although FIG. 1 shows sensor 160 as being located in region 110, it may also be located elsewhere (e.g., in region 112) and configured to detect activity in region 110. Fig. 1 also shows an access terminal 180, the function of which will be explained in more detail below. Generally, the access terminal 180 is located at or near the boundary between the regions 110, 112.
Fig. 2 shows a block diagram of an exemplary embodiment of an access control system 200. The system 200 includes a computer-based control unit 210. The control unit 210 comprises, for example, a processor configured to perform one or more of the method steps described in the present application. The processor reads the corresponding instructions for the method steps from the memory means.
The control unit 210 is connected to a first sensor 220, which first sensor 220 may correspond to the sensor 160 in fig. 1. The sensor 220 may detect the presence of the portable electronic device 230 and communicate with the portable electronic device 230. The portable electronic device 230 is, for example, a smartphone, mobile phone, tablet, smart watch, or other mobile device. The sensors 220 detect and communicate with the devices 230 using a detection device 230 of a radio frequency or radio based technology such as bluetooth, bluetooth low energy, Wi-Fi (wireless network), ZigBee, GPRS (general packet radio service), or other technology. The control unit 210 is also connected to a second sensor 240, which second sensor 240 also detects the presence of the portable electronic device 240 and communicates with the portable electronic device 240.
In some embodiments, the second sensor 240 is omitted and only the first sensor 230 is present. In some systems having first and second sensors, both sensors 220, 240 may use the same communication technology (e.g., they both use bluetooth low energy). However, in other systems, each sensor uses a different communication technology. In embodiments with only one sensor, the sensor may be used to detect portable electronic devices in multiple areas. For example, referring to fig. 1, the sensor may be configured to detect the portable electronic device in an area proximate to the access terminal 180 and an area remote from the access terminal 180. For example, the sensors may detect the portable electronic device 170 at the location shown in FIG. 1 and the portable electronic device at the access terminal 180. In particular, the sensor may determine which of these locations the device 170 is currently located. Monitoring of both areas using one sensor may be achieved, for example, using software or electronics that control the operation of the sensor accordingly.
The control unit 210 is also connected to an access terminal 250, which access terminal 250 may correspond to the access terminal 180 in fig. 1. In some cases, the sensor 240 and the terminal 250 are integrated into a single unit; in other cases, they are separate components. In a particular embodiment, the terminal 250 is a PORT terminal device from SchindlerGroup, switzerland. The control unit 210 is also connected to a wireless communication network 260, which wireless communication network 260 can communicate with the portable electronic device 230. The wireless communication network 260 includes, for example: long-range cellular communication networks (e.g., 1G, 2G, 3G, 4G, or other types), Wi-Fi networks, bluetooth networks, or other types of wireless networks. The control unit 210 communicates with various components of the system 200 via a network 270 (e.g., the internet, a local area network, or other type of network).
In other embodiments, the control unit 210 is also connected to one or more safety system components 280. These components may include, for example, alarms, cameras, sensors, locks, obstacles (e.g., movable obstacle 130), or other components.
In an additional embodiment, the control unit 210 is also connected to an elevator control system 290. The elevator control system 290 can use the information provided by the control unit 210 to operate the elevator system. For example, the elevator control system 290 can use such information to set elevator calls, including destination calls.
Fig. 3 shows a block diagram of an exemplary embodiment of an access control method 300. Although the method 300 is described herein in the context of the system 200 of fig. 2, the method 300 may also be used with other system embodiments. In method step 310, the system 200 detects the presence of a portable electronic device, such as portable electronic device 230, in a first area (e.g., area 110). The device is sensed using a sensor such as the first sensor 230. As part of the detection, the sensor determines a first device identifier of the portable electronic device. A first device identifier, as used in this application and in the claims, is a piece of information that allows the system to distinguish the portable electronic device from one or more other devices. For example, if the sensor is a bluetooth or bluetooth low energy sensor, the sensor may obtain a bluetooth MAC device address of the portable electronic device and use the address as the first device identifier. In a particular embodiment, the first device identifier comprises a unique identifier assigned by the system 200 when the portable electronic device previously registered with the system 200. Other examples of the first device identifier may include: a MAC (media access control) address of the device, a Wi-Fi address of the device, a tag of the device, a phone number of the device, an IMEI number (international mobile identity) of the device, or another piece of information.
In some embodiments, the first device identifier is read directly from the portable electronic device. In other embodiments, the first device identifier is determined based on other information received from the portable electronic device.
In a particular embodiment, the portable electronic device periodically propagates an identifier, referred to herein as an initial identifier. For bluetooth or Wi-Fi implementations, the initial identifier may be a MAC address. The access control system receives the identifier using a sensor. In the case where the initial identifier of the device is rarely or never changed, the initial identifier may be used as the first device identifier. Alternatively, the initial identifier may be used to refer to the first device identifier in a database. Thus, the first device identifier cannot be explicitly read from the device, but is passively received from the device (in the form of an initial identifier), or determined based on information passively received from the device.
In other embodiments, the device propagates the initial identifier, which is typically a change. In such embodiments, the access control system may confirm the presence of the device when passively receiving the initial identifier. The system may then use the initial identifier to establish a connection with the device, and then read the first device identifier from the device over the connection. Possibly, the reading is performed using an access control software program running on the device.
In other embodiments, the device propagates identifiers that change occasionally. When the initial identifier is passively received, the access control system may determine whether the initial identifier is already known to the system. If the initial identifier is already known, it may be used as the first device identifier for the device. In such a case, the system does not have to read the first device identifier from the device. If the system does not know the initial identifier (perhaps because the initial identifier has recently changed), the system may establish a connection with the device and read the first device identifier from the device. In future connections of the device, the system may then use the initial identifier as the first device identifier.
Using passively received initial identifiers is advantageous in situations where the sensor is only able to maintain a limited number of simultaneous and valid connections with devices in its sensing region.
Based on the first device identifier, the system may consult a database (e.g., database 212) and determine whether the device is associated with a user that is known to the system and authorized to use the system. If the device is associated with a known, authorized user, then the access control system sends an access code to the portable electronic device in method step 320. According to this embodiment, the access code is generated by the database 212, a server (e.g., a web server, security or protection server) connected to the system 200, or other device. The system will send the access code to the portable electronic device based on the second device identifier, which is obtained via the database. The second device identifier is another piece of information that allows the system to distinguish the portable electronic device from one or more other devices. It also allows the system to process information for the device. In some embodiments, the second device identifier is a globally unique identifier. Depending on the particular technology used, the second device identifier may include, for example: a bluetooth device address, an e-mail address of an e-mail account accessible through the portable electronic device, a telephone number associated with the device, an address for a push notification service, or other piece of information. In at least some cases, the second device identifier is a global identifier of a communication system external to the access control system.
The access code is transmitted over a wireless communication network, such as network 260 of fig. 2, using the second device identifier. In various embodiments, the access code includes: such as a number, a string of characters, an image, a set of images (possibly including time-varying images, such as a movie) or an optical code. The access code may be transmitted as user information to the portable electronic device. The user information may include, for example, a text message (SMS), a push notification, an e-mail message, or a message sent using other messaging techniques. The access code is stored by an access control program running on the device. In some cases, the program generates a message notification to notify the user: the device has received the access code or the user can verify or "unlock" the device (the concept of unlocking the device will be explained below). The program may run as part of the operating system of the device or as a separate application program (e.g., an "app" for a mobile phone).
In some cases, the first device identifier is for a first communication channel and the second device identifier is for a second communication channel. In this application and in the claims, a "communication channel" refers to a technique or device for communicating information between two components (e.g., between an access control system and a portable electronic device). Possible examples of communication channels may include: a bluetooth or bluetooth low energy connection, a Wi-Fi connection, a cellular phone connection, a connection for a push messaging system, or other types of connections. In some embodiments, the first and second communication channels are the same channel or the same type of channel. For example, each is a bluetooth or bluetooth low energy connection between the portable electronic device and a sensor of the access control system. In other embodiments, the first and second channels are different types of communication channels. In one example, the first communication channel is a bluetooth or bluetooth low energy connection between the portable electronic device and a sensor of the access control system; the second communication channel is a cellular telephone connection between the portable electronic device and a wireless communication network.
At method step 330, the user presents the device at an access terminal, such as terminal 250, in a second area, such as area 112.
In method step 340, a sensor located at the terminal or accessory (e.g., the second sensor 240) senses the portable electronic device. The sensor reads the access code from the portable electronic device. The sensor may also read additional data from the device, such as: a digital certificate, a first device identifier, a Wi-Fi address of the device, a MAC address of the device, user identification information, historical information of the device or user (e.g., elsewhere where the device has appeared, the time the device last appeared at the location), or other information. In certain embodiments, the sensor reads this information by communicating with an access control program that is running on the device.
If the access code read from the device matches the code previously sent to the device, then the system grants the user access in method step 350.
In some embodiments, at method step 310, the device is in a "locked" state when the system reads the first device identifier from the portable electronic device. In method step 320, the device is also in a locked state when the system sends an access code to the device. In method step 330, the device is in an "unlocked" state when the user presents the device to the terminal. In the present application and claims, a device is "locked" means that at least some functions of the device or some information stored in the device are not available unless the user "unlocks" the device by authenticating the device. For example, with some smart phones, the user must type a PIN or enter other information into the phone to access programs or data stored in the phone. Other devices may be unlocked using a combination of biometric data (e.g., a fingerprint), gestures on a touch area, or types of input. In particular embodiments, the terminal may determine that the mobile electronic device is in the unlocked state based on information received from an application running on the device. For example, the application may indicate that the user is currently using the application. In other embodiments, whether the device is locked or unlocked is not relevant to the operation of the technique.
FIG. 3 provides an example of an "overview" of particular embodiments of the disclosed technology. Fig. 4, on the other hand, illustrates a block diagram of an exemplary embodiment of an access control method 400 performed by an access control system, such as system 200 of fig. 2. In method step 410, the system detects the portable electronic device using a first sensor, such as the first sensor 220. As part of the detection, the sensor determines a first device identifier of the portable electronic device.
Similar to the method 300, based on the first identifier, the system may query a database to determine whether the device is associated with a user that is known to the system and authorized to use the system. If the device is associated with a known, authorized user, then the access control system sends the access code to the portable electronic device at method step 420. The system transmits the access code to the portable electronic device based on a second device identifier, which may be obtained through a database. At method step 430, the system uses the second sensor to read the access code from the portable electronic device. The second sensor may be located at or near the access terminal. If the access code read from the device matches the code previously sent to the device, then the system grants the user access at method step 410.
In some embodiments of method 400, the portable electronic device is in a locked state during method steps 410 and 420; during method step 430, the portable electronic device is in an unlocked state, the device having been unlocked by the user prior to the user presenting the device to the access terminal.
Fig. 5 shows a block diagram of another exemplary embodiment of an access control method (method 500). The method 500 is performed by a user of a portable electronic device. At method step 510, a user brings a portable electronic device within range of a sensor located in a first area. By way of example, the first area may be a building lobby, or other area. The sensor may determine a first device identifier of the device when the device is within range of the sensor.
In method step 520, the user receives an access code using the portable electronic device. In some embodiments, an access control software program running on the device notifies the user that the access code has been received. The notification may include, for example: a visual indication (e.g., "access code has been received", an icon or other visual indication), a vibration indication, a sound indication, or other indication on the display of the device, including a combination of several indication types. In some embodiments, the notification indicates that the device should be unlocked.
At method step 530, the user presents the device at the access terminal. The access terminal reads the access code from the device. At method step 540, the system grants the user access (e.g., access to a secured or protected area).
Fig. 6 is a signal diagram illustrating an exemplary exchange of signals between different components including multiple components of an access control system. The system may be, for example, a version of system 200 or it may be another system. In the example of fig. 6, the first device identifier is transmitted by the user's portable electronic device and received by the access control system (signal 610). This information travels to the control unit through a sensor, such as sensor 220. After receiving the first device identifier, the control unit sends the first device identifier to the database (signal 620). The control unit may receive the second device identifier from the database (signal 630), among other possible information. Based on the second device identifier, the control unit determines an access code and instructs the wireless communication network to transmit the access code to the portable electronic device (signal 640). The wireless communication network then transmits the access code to the portable electronic device (signal 650). The portable electronic device transmits the access code to the control unit via a sensor, such as sensor 240 (signal 660). After verifying that the access code is valid, the control unit grants the user access (signal not shown).
In particular embodiments, the access code is generated by a network server (not shown in FIG. 6). The network server sends the access code to the database, the control unit and the portable electronic device. In other embodiments, the access code is generated by a database, which then sends the access code to the control unit and the portable electronic device. The access code may also be generated by the control unit.
For clarity, fig. 6 shows a high-level representation of signals exchanged between various components. Thus, fig. 6 does not show all possible signals that may be exchanged between the illustrated components. For example, the handshake protocol or handshaking protocol (handshakprotocols) between the portable electronic device and other components, e.g. of a wireless communication network, is not shown in detail.
In any of the disclosed embodiments, the validity of the access code may be limited to a certain amount of time (e.g., 1 minute, 2 minutes, 5 minutes, 10 minutes) after the access code is transmitted to the portable electronic device, to a certain period of time (e.g., between 9AM and 10AM on wednesday), or to a certain number of uses (e.g., the access code may only be used once, twice, five times, ten times, or other times).
In some cases, the validity time of the access code is based on a distance between the first region and the second region. For example, if the first and second regions are in close proximity, the validity time is shorter than for a system in which the two regions are far apart. In other cases, the validity time is based on a travel time for anticipation between the first region and the second region. The expected travel time may be personalized for different users. For example, a user who may be moving slowly due to age or mobility difficulties may be allocated more time to travel from a first area to a second area.
At least some versions of the disclosed technology may be used in settings where multiple zones within a zone have different security levels or requirements. For example, in one embodiment, a user is authorized to access a secure area by presenting a portable electronic device having a corresponding access code stored therein to an access terminal, the user having previously unlocked the device. The validity of the access code is limited to a certain amount of time (e.g., 1 minute, 2 minutes, 5 minutes, 10 minutes, half a day, one day, or other amount of time) after the access code is sent to the device.
In yet another embodiment, the user is authorized to access the secure area by presenting the portable electronic device having the access code stored therein to the access terminal. Access may be granted even if the user does not unlock the device. While the access code may be valid for a limited amount of time, the time limit may be a relatively long period of time (e.g., a half hour, half day, one day, several days, or other amount of time). This embodiment may allow a user to enter a secure area (and move between different secure areas) by simply bringing the portable electronic device within range of the access terminal. The user does not have to unlock the device to receive access to the secure area. This may be more convenient for the user than embodiments that require unlocking the device each time the user wishes to receive access to another area. This embodiment may be combined with embodiments where it is sufficient to initially present the unlocked device with the access code and thereafter present the locked device with the access code. Presenting an unlocked device may be sufficient to gain access for only within a particular area (e.g., within a particular floor of a building). After a selected period of time (e.g., half a day, one day, or other period of time), the access control system may require the user to again present the unlocked portable electronic device to the access terminal even if the user does not leave the particular area.
In certain embodiments, the user is authorized to access the secure area after unlocking the portable electronic device and presenting the device to the access terminal. The access code is stored in the device so that the user is authorized to access the secure area. Thus, in order to gain access to a secure area, the user needs to hold the portable electronic device (with an access code) and unlock the device. However, within a secure area, the user is granted access to other secure areas based only on one or more characteristics of the device. In other words, the user does not need to unlock the device in order to gain access to other secure areas. Instead, the access control system obtains an identifier (e.g., a MAC address, a Wi-Fi address, an IMEI code, a flag, a phone number, or another piece of information) from the device and grants access based on the identifier. Such an arrangement may provide a somewhat lower level of secure access control to the secure area while improving user convenience within the secure area.
Fig. 7 illustrates a block diagram of an exemplary embodiment of a computer 700 (e.g., a portion of a control unit of an access control system, a portion of a portable electronic device, a portion of an access terminal, a portion of an elevator control unit, a portion of a database, a portion of a wireless communication network) that may be used with one or more of the techniques disclosed herein. The computer 700 includes one or more processors 710. Processor 710 is coupled to memory 720, which memory 720 includes one or more computer-readable storage media that store software instructions 730. When executed by processor 710, software instructions 730 cause processor 710 to perform one or more method steps disclosed herein. Other embodiments of computer 700 may include one or more other components. The computer 700 may be connected to one or more other computers or electronic devices through input/output components (not shown). In at least some embodiments, the computer 700 can be connected to other computers or electronic devices through a network 740. In particular embodiments, computer 700 operates with one or more other computers, which may be local, remote, or both. Accordingly, one or more of the disclosed methods may be performed using a distributed computing system.
At least some of the disclosed embodiments may provide more convenient and user-friendly access control. For example, to access a secure area, the user does not have to carry a badge in addition to the portable electronic device, which may be something the user carries with him for other purposes, such as a smartphone. Furthermore, during operation of the system, the user does not need to manually enter or even know the access code.
At least some of the disclosed embodiments may provide increased security compared to, for example, single-factor authentication methods in which only one token or only one password is required. Embodiments require a user to hold a portable electronic device and be able to unlock the device, which can be used as a multi-factor authentication method.
The specifically disclosed embodiments may provide increased security by using different types of first and second communication channels. Any combination of techniques may be used for the communication channel. For example, the first device identifier may be read from the portable electronic device using a bluetooth or bluetooth low energy connection while the access code is sent to the device using a telephone connection (e.g., as a text message). If the bluetooth or bluetooth low energy device address has been tampered with by a third party (e.g., such that the third party's device appears to be the user's device), the access system will still transmit the access code to the user's device over the second communication channel. The user's device will receive the access code even if the user's device is not in close proximity to the sensor of the access control system. The user may then recognize that a third party is attempting to mimic the user's device.
In one non-limiting example, a user enters a building with a smartphone and walks into a lobby. By means of the sensor, the access control system detects that the smartphone has entered the entrance hall and that a specific access control software program is running on the smartphone. The smartphone is in a locked state. The access control system determines a first device identifier of the smartphone, which in this case is a bluetooth device address or a Universal Identifier (UID). The access system uses the first device identifier to determine from the database whether the device belongs to an authorized user. After determining that the device does belong to the authorized user, the access system retrieves the second device identifier to the smartphone from the database. In this case, the second device identifier is a push notification address. Using the push notification address, the access control system instructs the wireless communication network (in this case, the cellular telephone network) to send the access code to the smartphone in the form of a push notification. The smartphone receives a push notification. As a result, the software program running on the smartphone displays a notification that the smartphone has received the access code. The user moves through the lobby and approaches an access control terminal located at an obstruction of the lobby. The user unlocks the smart phone by typing a PIN in the phone. The user carries the smart phone to be close to the access control terminal. A bluetooth sensor in the terminal detects the smartphone, determines that the smartphone is in an unlocked state, and communicates with a software program to read an access code from the smartphone. The sensor also reads the digital certificate from the smartphone. The access control system confirms that the access code read from the smartphone is the same code that the system previously sent using the push notification, and that the access code corresponds to a digital certificate. The access control system then opens a lobby barrier to grant the user access to the secure area.
Although some embodiments of the various methods disclosed herein are described as including a certain number of method steps, other embodiments of the given methods may include more or less method steps than those explicitly disclosed herein. In other embodiments, the method steps are performed in an order different than that disclosed herein. In some cases, two or more method steps may be combined into one method step. In some cases, a method step may be divided into two or more method steps.
Although various disclosed embodiments of an access system are generally described as controlling access to a physical area, any of the embodiments may be adapted to control access to information (e.g., information stored in a computer).
Unless otherwise indicated, the term "at least one" in reference to a list of items indicates any combination of those items. As an example, "at least one of a, b, or c" is intended to cover: a; b; c; a and b; a and c; b and c; and a, b and c. As other examples, "at least one of a, b, and c" is intended to cover: a; b; c; a and b; a and c; b and c; and a, b and c.
As used herein, a "for" can be a person, a group of people, a machine, an object, or an animal.
While principles of the disclosed technology have been illustrated and described, it will be apparent to those skilled in the art that the disclosed embodiments can be modified in arrangement and detail without departing from such principles. In view of the many possible embodiments to which the principles of the disclosed technology may be applied, it should be understood that the illustrated embodiments are only examples of the technology and should not be taken as limiting the scope of the invention. Rather, the scope of the invention is defined by the following claims and their equivalents. Accordingly, the applicants hereby claim as our invention all that comes within the scope of the claims that follow.

Claims (16)

1. A method, comprising:
determining a first device identifier for a portable electronic device (170) of a user (150), the determining step being performed in response to the portable electronic device (170) entering the first area (110);
as a result of determining a first device identifier from the portable electronic device (170), transmitting an access code to the portable electronic device (170) based on a second device identifier for the portable electronic device (170), wherein the second device identifier has been determined based on the first device identifier;
reading an access code from the portable electronic device (170) at the second area (112) using the access terminal (180); and
as a result of reading the access code from the portable electronic device (170), access is granted to the user (150).
2. The method of claim 1, the portable electronic device (170) being in a locked state when the first device identifier of the device (170) is determined and the access code is transmitted to the device (170), and the portable electronic device (170) being in an unlocked state when the access code is read from the device (170) using the access terminal (180).
3. The method of claim 2, the second region (112) being a higher security level region, the method further comprising:
reading an access code from the portable electronic device (170) using another access terminal at a third region while the device (170) is in the locked state, the third region being a lower security level region and located within the second region (112); and
the user (150) is granted access to the third area.
4. The method according to any of the preceding claims, further comprising the step of: determining, using the access control system (200), a second device identifier based on the first device identifier.
5. The method of any preceding claim, the second device identifier comprising a global identifier for a communication system, the communication system being external to the access control system.
6. The method of any preceding claim, a first device identifier being used for a first communication channel and a second device identifier being used for a second communication channel.
7. The method according to any of the preceding claims, the step of transmitting the access code to the portable electronic device (170) comprising transmitting user information to the portable electronic device (170).
8. The method according to any of the preceding claims, wherein the first device identifier is obtained using a radio signal from the portable electronic device (170), or the access code is read from the portable electronic device (170) using a radio signal from the portable electronic device (170).
9. The method of any preceding claim, the access code having a limited validity time.
10. The method of claim 9, the validity time of the access code being based on an expected travel time of the user (150) from the first area (110) to the second area (112), based on a distance between the first area (110) and the second area (112), or based on a security level of the areas.
11. The method according to any of the preceding claims, further comprising the step of: an access terminal (180) is used to determine that an access control program is running on a portable electronic device (170).
12. The method of any preceding claim, the step of determining the first device identifier comprising: a periodically transmitted device identifier is received from the portable electronic device (170) using the sensor (160).
13. The method according to claim 12, wherein the first device identifier is determined as the periodically transmitted device identifier, or wherein the periodically transmitted device identifier is used to establish a communication connection with the portable electronic device (170) over which the first device identifier is read from the device.
14. The method of claim 13, further comprising the steps of: it is determined whether the periodically transmitted device identifier is a known periodically transmitted device identifier.
15. A system (200) comprising:
a sensor (220);
an access terminal (250);
a wireless communication network (260);
a database (212); and
a computer-based control unit (210) connected to a sensor (220), an access terminal (250), a wireless communication network (260), and a database (212), the control unit (210) comprising a processor (710) and a computer-readable storage medium (720), the computer-readable storage medium (720) comprising a plurality of instructions (730) that cause the processor (710) to perform the following method steps:
determining, using the sensor (220), a first device identifier for a portable electronic device (230) of the user (150), the determining step being performed in response to the portable electronic device (230) entering the first area (110);
as a result of determining a first device identifier from the portable electronic device (230), transmitting an access code to the portable electronic device (230) based on a second device identifier for the portable electronic device (230), wherein the second device identifier has been determined based on the first device identifier;
reading an access code from the portable electronic device (230) using an access terminal (250), the access terminal (250) being located in the second area (112); and is
As a result of reading the access code from the portable electronic device (230), access is granted to the user (150).
16. A computer-readable storage medium (720) having a plurality of instructions (730) encoded thereon, which when executed by a processor (710) cause the processor (710) to perform a method comprising:
determining a first device identifier for a portable electronic device (170) of a user (150), the determining step being performed in response to the portable electronic device (170) entering the first area (110);
as a result of determining a first device identifier for the portable electronic device (170), transmitting an access code to the portable electronic device (170) based on a second device identifier for the portable electronic device (170), wherein the second device identifier has been determined based on the first device identifier;
reading an access code from the portable electronic device (170) at the second area (112) using the access terminal (180); and
as a result of reading the access code from the portable electronic device (170), access is granted to the user (150).
HK16112511.7A 2013-10-01 2014-09-29 Access control method and access control system HK1224789B (en)

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
EP13186976.0 2013-10-01

Publications (2)

Publication Number Publication Date
HK1224789A1 true HK1224789A1 (en) 2017-08-25
HK1224789B HK1224789B (en) 2019-07-12

Family

ID=

Similar Documents

Publication Publication Date Title
CN105593911B (en) Access control method and access control system
KR102536924B1 (en) Method and system for managing a door entry using beacon signal
US11043054B2 (en) Capturing user intent when interacting with multiple access controls
JP5603398B2 (en) Apparatus and method for access control
US20140019768A1 (en) System and Method for Shunting Alarms Using Identifying Tokens
US20130214902A1 (en) Systems and methods for networks using token based location
WO2017180381A1 (en) Capturing personal user intent when interacting with multiple access controls
WO2017180454A1 (en) Capturing communication user intent when interacting with multiple access controls
US11210880B2 (en) Access control system having radio authentication and password recognition
WO2017180388A1 (en) Capturing behavioral user intent when interacting with multiple access controls
US11551501B2 (en) Access control system having radio and facial recognition
EP3129569B1 (en) Temporarily pairing a mobile device with a peripheral device
EP4196422B1 (en) Building system with elevator call entry via offline qr code credential
HK1224789A1 (en) Access control method and access control system
HK1224789B (en) Access control method and access control system
KR102721310B1 (en) Digital entry logging system using beacon based dynamic authentication information
WO2025042346A1 (en) A system and method for remotely controlling access to electronic locks
JP2025047223A (en) Authentication system and authentication method
HK40025692A (en) Access control system having radio authentication and password recognition
HK40025692B (en) Access control system having radio authentication and password recognition