WO2009153402A1 - Method, arrangement and computer program for authentication data management - Google Patents
- Publication number: WO2009153402A1 (PCT/FI2009/050530)
- Authority: WO (WIPO (PCT))
- Prior art keywords: user, data, authentication data, identification data, service
Classifications
- H—ELECTRICITY; H04—ELECTRIC COMMUNICATION TECHNIQUE; H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
  - H04L63/00—Network architectures or network communication protocols for network security
  - H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
  - H04L63/0853—Network architectures or network communication protocols for network security for authentication of entities using an additional device, e.g. smartcard, SIM or a different communication terminal
- H—ELECTRICITY; H04—ELECTRIC COMMUNICATION TECHNIQUE; H04W—WIRELESS COMMUNICATION NETWORKS
  - H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
  - H04W12/06—Authentication
  - H04W12/068—Authentication using credential vaults, e.g. password manager applications or one time password [OTP] applications
- H—ELECTRICITY; H04—ELECTRIC COMMUNICATION TECHNIQUE; H04W—WIRELESS COMMUNICATION NETWORKS
  - H04W8/00—Network data management
  - H04W8/18—Processing of user or subscriber data, e.g. subscribed services, user preferences or user profiles; Transfer of user or subscriber data
Definitions
- the invention relates to a method and arrangement for managing authentication data of a mobile application service.
- Mobile terminals are identifiable by their unique identification code, e.g. an IMEI code (International Mobile Equipment Identity).
- IMEI code: International Mobile Equipment Identity
- mobile devices often have a relatively short life cycle. For example, a mobile terminal may be replaced by a new one e.g. once a year or even more often. If only the identifier of the terminal is used for authenticating the terminal and/or user, the replacement of the terminal will void the established authentication data and will result in termination of use of the software and/or access to the authentication related data and services.
- Mobile devices are typically also bound to a service provider that provides the data communication services to the device.
- the service provider furnishes the terminal with an identification module such as a SIM card (Subscriber Identity Module).
- Each SIM card has a unique identifier, e.g. an IMSI code (International Mobile Subscriber Identity).
- IMSI code: International Mobile Subscriber Identity
- information stored in a SIM card may be used for authenticating a user.
- the SIM card may change for various reasons. When the card changes, the IMSI code will change as well. Thus, authentication that relies on the information of the SIM card will stop working.
- An individual user who may belong to a business organization typically has access to some application services provided by an application service provider.
- One such service may be e.g. a hotel reservation service.
- the service may be available to multiple different terminals, e.g. PCs and mobile terminals such as cellular phones.
- the individual user or a business organization may have a preference profile within the service. For example, a user or an organization may have a specific discount rate or list of preferred hotels that an individual user or employees of an organization should use.
- Patent application WO2007/091012 proposes an automated registration process that does not require a user to enter any details manually except for the initial request to subscribe to a service.
- the process gathers information automatically about the user and the device used, which is then stored and used for user authentication during subsequent service requests following the initial subscription request.
- the subsequent requests for service also do not require the user to manually input any user data.
- WO 01/60098 discloses a method and system for obtaining identification information on a monitored party in a communication network infrastructure, e.g. a GSM mobile communications network. Similar functionality that concerns obtaining device and subscription identification information and observing changes in such information has also been disclosed in publications WO 2005/032183, US 2003/027581, EP 1331833 and WO 2005/036916.
- the invention discloses a method and arrangement for managing authentication data of a mobile application service.
- An aspect of the invention is a method for managing authentication data of a user of a mobile application service, the authentication data comprising at least device identification data and service subscription identification data.
- the method is characterized in that it comprises steps of observing a change in device identification data or in service subscription identification data, identifying the user using unchanged authentication data, and updating the authentication data of the identified user with the changed device or service subscription identification data.
- the application service may be e.g. a business application service, e.g. a hotel reservation service.
- the authentication data is used by the application service to identify a user of the application service.
- the service subscription identification data may be related e.g. to a data communication service, e.g. GSM or 3G service.
- the method is executable by means of a computer arrangement.
- the unchanged authentication data may be e.g. device identification data, service subscription data or other user authentication data comprising e.g. a user ID and a password.
- the unchanged authentication data may comprise a transaction identifier, e.g. a reservation code of a hotel reservation transaction, of an earlier transaction of the user.
- the method may further comprise the step of verifying the new device or subscription identification data against a list of allowable device or subscription identifiers before updating the authentication data.
- the device identification data may comprise e.g. an IMEI code.
- the service subscription identification data identifies the subscription to the telecommunication and/or data communication service established for a user and/or a mobile terminal.
- the service subscription identification data may thus comprise e.g. data stored in a SIM card, e.g. an IMSI code.
- the method may yet further comprise the step of prompting the user for a confirmation before updating the authentication data.
- the prompting may comprise e.g. requesting a user ID and/or password e.g. of a business application or a transaction id of an earlier transaction of the user.
- a log entry may be created about the update transaction of the authentication data.
- the step of identifying the user using unchanged authentication data may comprise e.g. requesting the user to enter a user ID and/or password.
- Another aspect of the invention is an arrangement for managing authentication data of a user of a mobile application service, the authentication data comprising at least device identification data and service subscription identification data.
- the arrangement is characterized in that the arrangement comprises means for observing a change in device identification data or in service subscription identification data, identifying the user using unchanged authentication data, and updating the authentication data of the user with the changed device or service subscription identification data.
- Yet another aspect of the invention is a computer program product for managing authentication data of a user of a mobile application service, the authentication data comprising at least device identification data and service subscription identification data.
- the product is characterized in that it comprises computer executable instructions for observing a change in device identification data or in service subscription identification data, identifying the user using unchanged device or subscription identification data, and updating the authentication data of the user with the changed device or service subscription identification data.
- Figure 2 shows a flow chart about registering a new user to an authentication system of an embodiment of the present invention
- Figure 3 presents an exemplary flow chart of updating an IMSI code according to an embodiment of the invention.
- Figure 4 presents an exemplary flow chart of updating an IMEI code according to an embodiment of the invention.
- FIG. 1 depicts an arrangement of computing devices suitable for implementing an embodiment of the present invention.
- the arrangement comprises at least one mobile terminal 100, e.g. a cellular phone.
- the terminal comprises means for storing and accessing a unique identifier, e.g. an IMEI code, identifying the terminal device.
- the terminal further comprises means for accessing a unique identifier, e.g. an IMSI code, of a subscription service.
- the IMSI code may be stored e.g. in a detachable SIM card located inside the terminal device.
- the terminal device is communicatively coupled 104 to a server computer 102 using a data communication network that is suitably a cellular phone network capable of packet data communication, e.g. a GSM/GPRS network or a 3G network.
- the communication protocol used in the data communication between the terminal and the server 102 may be e.g. secure HTTP (HTTPS) over TCP/IP.
- HTTPS: secure HTTP
- the mobile terminal 100 is suitably, although not necessarily, capable of storing and executing custom made program software, e.g. a client application of the application service, e.g. a business application service, e.g. a hotel reservation service.
- the server computer 102 comprises a data storage that contains, among other data, information about user accounts of the service.
- the user authentication information of the user account information comprises the IMSI code and the IMEI code of the mobile terminal of a user.
- the user account information may naturally contain also other data that is relevant to the user and the application service.
- the arrangement may also comprise a workstation 101, e.g. a personal computer that is also communicatively coupled 103 with the server computer 102 using a suitable wireline or wireless data communication network, e.g. Ethernet, WLAN or 3G network.
- SMS: Short Message Service
- the workstation comprises suitable software, e.g. a web browser, for providing the application functionality of the application service to the user of the workstation 101.
- the user of the workstation 101 may for example define new user accounts to the application service or maintain data of existing user accounts.
- the exemplary flow chart of figure 2 depicts a method of registering a new user 200 to the application service.
- An administrator user of e.g. a business application (e.g. a travel manager of a corporation using a hotel reservation service) creates a new user account using a workstation (101 in figure 1) 201.
- the data of the user account may comprise e.g. name of the user, phone number of the user, user ID and password of the user (usable e.g. when the user accesses the application service from a PC workstation or when an alternative or additional authentication method is required from the mobile user of the application service), organization of the user and permissions and preferences of the user in the application service.
- the IMEI code of the terminal of the user is provided.
- client software related to the application service may be installed on the mobile terminal of the new user 202 and started.
- the client software may extract the IMSI and IMEI codes of the terminal and SIM card 203 and send the codes to the application server 204.
- the application server may update the user account data identified by the IMEI code using the IMSI code received 205. This completes the creation and registration of a new user account.
- the client application of the mobile terminal sends the IMSI and IMEI codes to the server computer (102 in figure 1) providing the application service.
- the application server then authenticates the user based on the IMSI and/or IMEI codes received.
- the network communication messages containing IMSI and/or IMEI codes are encrypted e.g. by the HTTPS protocol used.
- FIG. 3 shows an exemplary method for performing such update 300.
- the user of the mobile terminal inserts a new SIM card into the terminal 301 and starts the client application 302 of the application service.
- the client application sends a log-in message to the application server (102 in figure 1).
- the log-in message contains the IMEI code of the terminal and the IMSI code of the new SIM card.
- When the application service running in the application server receives the message, it detects a change in the authentication data 304, i.e. an unknown IMSI code that is accompanied by a known IMEI code.
- the application service is capable of identifying the user 305 using the known IMEI code.
- the application service may optionally query from the user 306 whether the authentication information should be updated with the new IMSI code. Such a query may be accompanied by a request for e.g. an application-specific user ID and password or some other application-specific data, e.g. a transaction ID (confirmation number) of a completed transaction. If the update is confirmed, the application server updates the IMSI code of the user account 307.
- the application service may have access to a list of allowable IMSI codes.
- such list may contain the IMSI codes of all SIM cards of a business organization.
- the application service may check whether the IMSI code of the new SIM card can be found in the list of allowable IMSI codes before the IMSI code of the user account is updated. This feature makes it possible to avoid e.g. the execution of step 306, which would require user interaction. In mobile systems, avoiding unnecessary user interaction is often desired because of the limited user interface capabilities of a mobile device.
- FIG. 4 shows an exemplary method for performing such update 400.
- the user of the mobile terminal inserts an old SIM card into the new terminal 401, installs the client application in the new terminal 402 and starts the client application 403 of the application service.
- the client application sends a log-in message 404 to the application server (102 in figure 1).
- the log-in message contains the IMEI code of the new terminal and the IMSI code of the old SIM card.
- When the application service running in the application server receives the message, it detects a change in the authentication data 405, i.e. an unknown IMEI code that is accompanied by a known IMSI code.
- the application service is capable of identifying the user 406 using the known IMSI code.
- the application service may have access to a list of allowable IMEI codes. Such a list may contain for example the IMEI codes of all mobile terminals of a business organization. In such cases, the application service may check 407 whether the IMEI code of the new terminal can be found in the list of allowable ("pre-approved") IMEI codes before the IMEI code of the user account is updated. If the IMEI code is found in the list of allowable IMEI codes, the application server may go ahead and update the IMEI code information of the user account 408. On the other hand, if the IMEI code is not found in the list of allowed mobile terminals of the application service, the update of the user account may be refused or the application may request additional confirmation from the user, e.g. in the form of an application-specific user ID and password.
- the list of allowable IMEI codes and the list of allowable IMSI codes together form a set of trusted combinations of terminals and service subscriptions.
- In order to be a trusted user of a business application, the user must, in an embodiment, have a trusted terminal and a trusted service subscription.
- the application service may request the user to confirm the change of IMSI and/or IMEI code using another user authentication method, e.g. by entering the user ID and password of the user.
- the user ID and the password may be defined e.g. in the business application, e.g. a hotel reservation system.
- a log entry may be created about each update transaction of IMSI or IMEI codes.
- the update log provides a convenient way to check terminal and SIM update activities of the users of the application service.
- the invention provides a method for maintaining with minimal administration work a sufficient degree of login security for applications such as mobile hotel reservation systems.
- the embodiments of the invention further allow flexible exchange of mobile terminals or telecom service subscriptions without disturbing access to a mobile application service.
- the convenience of logging on to the service using a mobile terminal is at a high level, as no user ID or password is needed for the regular login process of a business application service, even when some of the authentication data changes.
Landscapes
- Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Databases & Information Systems (AREA)
- Telephonic Communication Services (AREA)
- Storage Device Security (AREA)
Abstract
The invention discloses a method for managing authentication data of a user of a mobile application service, the authentication data comprising device identification data and service subscription identification data. The method is characterized in that the method comprises steps of observing a change in device identification data or in service subscription identification data, identifying the user based on unchanged authentication data, and updating the authentication data of the identified user with the changed device or service subscription identification data. Also an arrangement and a computer executable program product are disclosed.
Description
METHOD, ARRANGEMENT AND COMPUTER PROGRAM FOR AUTHENTICATION DATA MANAGEMENT
TECHNICAL FIELD OF INVENTION
The invention relates to a method and arrangement for managing authentication data of a mobile application service.
BACKGROUND OF THE INVENTION
Many services in a data communication network require authentication of the user and/or terminal device before granting access to the service. Typically, authentication is done by prompting the user to provide a user ID and password. In mobile devices, entering text, e.g. a user ID or a password, is rather inconvenient as the device may lack a proper input device such as a QWERTY keyboard.
Mobile terminals are identifiable by their unique identification code, e.g. an IMEI code (International Mobile Equipment Identity). However, mobile devices often have a relatively short life cycle. For example, a mobile terminal may be replaced by a new one e.g. once a year or even more often. If only the identifier of the terminal is used for authenticating the terminal and/or user, the replacement of the terminal will void the established authentication data and will result in termination of use of the software and/or access to the authentication related data and services.
Mobile devices are typically also bound to a service provider that provides the data communication services to the device. The service provider furnishes the terminal with an identification module such as a SIM card (Subscriber Identity Module). Each SIM card has a unique identifier, e.g. an IMSI code (International Mobile Subscriber Identity). According to prior art, information stored in a SIM card may be used for authenticating a user. However, the SIM card may change for various reasons. When the card changes, the IMSI code will change as well. Thus, authentication that relies on the information of the SIM card will stop working.
An individual user who may belong to a business organization typically has access to some application services provided by an application service provider. One such service may be e.g. a hotel reservation service. The service may be available to multiple different terminals, e.g. PCs and mobile terminals such as cellular phones. The individual user or a business organization may have a preference profile within the service. For example, a user or an organization may have a specific discount rate or list of preferred hotels that an individual user or employees of an organization should use.
Patent application WO2007/091012 proposes an automated registration process that does not require a user to enter any details manually except for the initial request to subscribe to a service. The process gathers information automatically about the user and the device used, which is then stored and used for user authentication during subsequent service requests following the initial subscription request. The subsequent requests for service also do not require the user to manually input any user data.
WO 01/60098 discloses a method and system for obtaining identification information on a monitored party in a communication network infrastructure, e.g. a GSM mobile communications network. Similar functionality that concerns obtaining device and subscription identification information and observing changes in such information has also been disclosed in publications WO 2005/032183, US 2003/027581, EP 1331833 and WO 2005/036916.
The various disclosures of prior art fail to teach a method of managing authentication data of a mobile application service efficiently and with minimum effect on the user and/or usability of the service in environments comprising mobile terminals where either the device or subscription identification data of the user of the mobile application service may change relatively often.
OBJECT OF THE INVENTION
The object of the present invention is to provide a method and system for managing authentication data for mobile application services in an environment where the identity of a mobile terminal or identity of a data communication service subscription may change. Another object of the invention is to provide an authentication data management method of a mobile application service that requires little input from the user for login purposes even when information used for login changes.
SUMMARY OF THE INVENTION
The invention discloses a method and arrangement for managing authentication data of a mobile application service.
An aspect of the invention is a method for managing authentication data of a user of a mobile application service, the authentication data comprising at least device identification data and service subscription identification data. The method is characterized in that it comprises steps of observing a change in device identification data or in service subscription identification data, identifying the user using unchanged authentication data, and updating the authentication data of the identified user with the changed device or service subscription identification data.
The application service may be e.g. a business application service, e.g. a hotel reservation service. Suitably, the authentication data is used by the application service to identify a user of the application service.
The service subscription identification data may be related e.g. to a data communication service, e.g. GSM or 3G service.
Suitably, the method is executable by means of a computer arrangement.
The unchanged authentication data may be e.g. device identification data, service subscription data or other user authentication data comprising e.g. a user ID and a password. In some embodiments, the unchanged authentication data may comprise a transaction identifier, e.g. a reservation code of a hotel reservation transaction, of an earlier transaction of the user.
The method may further comprise the step of verifying the new device or subscription identification data against a list of allowable device or subscription identifiers before updating the authentication data.
The device identification data may comprise e.g. an IMEI code.
The service subscription identification data identifies the subscription to the telecommunication and/or data communication service established for a user and/or a mobile terminal. The service subscription identification data may thus comprise e.g. data stored in a SIM card, e.g. an IMSI code.
The method may yet further comprise the step of prompting the user for a confirmation before updating the authentication data. The prompting may comprise e.g. requesting a user ID and/or password e.g. of a business application or a transaction ID of an earlier transaction of the user.
A log entry may be created about the update transaction of the authentication data.
The step of identifying the user using unchanged authentication data may comprise e.g. requesting the user to enter a user ID and/or password.
Another aspect of the invention is an arrangement for managing authentication data of a user of a mobile application service, the authentication data comprising at least device identification data and service subscription identification data. The arrangement is characterized in that the arrangement comprises means for observing a change in device identification data or in service subscription identification data, identifying the user using unchanged authentication data, and updating the authentication data of the user with the changed device or service subscription identification data.
Yet another aspect of the invention is a computer program product for managing authentication data of a user of a mobile application service, the authentication data comprising at least device identification data and service subscription identification data. The product is characterized in that it comprises computer executable instructions for observing a change in device identification data or in service subscription identification data, identifying the user using unchanged device or subscription identification data, and updating the authentication data of the user with the changed device or service subscription identification data.
Some embodiments of the invention are described herein, and further applications and adaptations of the invention will be apparent to those of ordinary skill in the art.
BRIEF DESCRIPTION OF DRAWINGS
In the following, the invention is described in greater detail with reference to the accompanying drawings in which
Figure 1 shows an exemplary network of various computer devices usable in an embodiment of the present invention,
Figure 2 shows a flow chart about registering a new user to an authentication system of an embodiment of the present invention,
Figure 3 presents an exemplary flow chart of updating an IMSI code according to an embodiment of the invention and
Figure 4 presents an exemplary flow chart of updating an IMEI code according to an embodiment of the invention.
DETAILED DESCRIPTION OF THE DRAWINGS
Figure 1 depicts an arrangement of computing devices suitable for implementing an embodiment of the present invention. The arrangement comprises at least one mobile terminal 100, e.g. a cellular phone. The terminal comprises means for storing and accessing a unique identifier, e.g. an IMEI code, identifying the terminal device. The terminal further comprises means for accessing a unique identifier, e.g. an IMSI code, of a subscription service. The IMSI code may be stored e.g. in a detachable SIM card located inside the terminal device. The terminal device is communicatively coupled 104 to a server computer 102 using a data communication network that is suitably a cellular phone network capable of packet data communication, e.g. a GSM/GPRS network or a 3G network. The communication protocol used in the data communication between the terminal and the server 102 may be e.g. secure HTTP (HTTPS) over TCP/IP. The mobile terminal 100 is suitably, although not necessarily, capable of storing and executing custom made program software, e.g. a client application of the application service, e.g. a business application service, e.g. a hotel reservation service.
The server computer 102 comprises a data storage that contains, among other data, information about user accounts of the service. In an embodiment, the user authentication information of the user account information comprises the IMSI code and the IMEI code of the mobile terminal of a user. The user account information may naturally contain also other data that is relevant to the user and the application service.
The arrangement may also comprise a workstation 101, e.g. a personal computer that is also communicatively coupled 103 with the server computer 102 using a suitable wireline or wireless data communication network, e.g. Ethernet, WLAN or 3G network. In some embodiments, SMS (Short Message Service) communication may be used. The workstation comprises suitable software, e.g. a web browser, for providing the application functionality of the application service to the user of the workstation 101. The user of the workstation 101 may for example define new user accounts to the application service or maintain data of existing user accounts.
The exemplary flow chart of figure 2 depicts a method of registering a new user 200 to the application service. An administrator user of e.g. a business application (e.g. a travel manager of a corporation using a hotel reservation service) creates a new user account using a workstation (101 in figure 1) 201. The data of the user account may comprise e.g. the name of the user, the phone number of the user, the user ID and password of the user (usable e.g. when the user accesses the application service from a PC workstation or when an alternative or additional authentication method is required from the mobile user of the application service), the organization of the user, and the permissions and preferences of the user in the application service. Typically the IMEI code of the terminal of the user is also provided. Then, client software related to the application service may be installed on the mobile terminal of the new user 202 and started. Now the client software may extract the IMSI and IMEI codes of the terminal and SIM card 203 and send the codes to the application server 204. Now the application server may update the user account data identified by the IMEI code using the IMSI code received 205. This completes the creation and registration of a new user account. Subsequently, when the user wants to use the application service, the client application of the mobile terminal sends the IMSI and IMEI codes to the server computer (102 in figure 1) providing the application service. The application server then authenticates the user based on the IMSI and/or IMEI codes received. Suitably, although not necessarily, the network communication messages containing IMSI and/or IMEI codes are encrypted, e.g. by the HTTPS protocol used.
When the SIM card of a user changes, e.g. because of a change of the telecom service provider or because of failure of the old SIM card, the IMSI code related to the user account changes. The authentication data of the user of the application service must in this case be updated. Figure 3 shows an exemplary method for performing such an update 300. First, the user of the mobile terminal (100 in figure 1) inserts a new SIM card into the terminal 301 and starts the client application 302 of the application service. Upon starting, the client application sends a log-in message to the application server (102 in figure 1). The log-in message contains the IMEI code of the terminal and the IMSI code of the new SIM card. When the application service running in the application server receives the message, it detects a change in the authentication data 304, i.e. an unknown IMSI code accompanied by a known IMEI code. The application service is capable of identifying the user 305 using the known IMEI code. In some embodiments, the application service may optionally query from the user 306 whether the authentication information should be updated with the new IMSI code. Such a query may be accompanied by a request for e.g. an application-specific user ID and password or some other application-specific data, e.g. a transaction ID (confirmation number) of a completed transaction. If the update is confirmed, the application server updates the IMSI code of the user account 307.
In some embodiments, the application service may have access to a list of allowable IMSI codes. For example, such a list may contain the IMSI codes of all SIM cards of a business organization. In such cases, the application service may check whether the IMSI code of the new SIM card is found in the list of allowable IMSI codes before the IMSI code of the user account is updated. This feature makes it possible to avoid e.g. the execution of step 306, which would require user interaction. In mobile systems, avoiding unnecessary user interaction is often desired because of the limited user interface capabilities of a mobile device.
When the mobile terminal of a user changes, the IMEI code related to the user account changes. The authentication data of the user of the application service must in this case be updated. Figure 4 shows an exemplary method for performing such an update 400. First, the user of the mobile terminal (100 in figure 1) inserts the old SIM card into the new terminal 401, installs the client application in the new terminal 402 and starts the client application 403 of the application service. Upon starting, the client application sends a log-in message 404 to the application server (102 in figure 1). The log-in message contains the IMEI code of the new terminal and the IMSI code of the old SIM card. When the application service running in the application server receives the message, it detects a change in the authentication data 405, i.e. an unknown IMEI code accompanied by a known IMSI code. The application service is capable of identifying the user 406 using the known IMSI code.
In some embodiments, the application service may have access to a list of allowable IMEI codes. Such a list may contain for example the IMEI codes of all mobile terminals of a business organization. In such cases, the application service may check 407 whether the IMEI code of the new terminal is found in the list of allowable ("pre-approved") IMEI codes before the IMEI code of the user account is updated. If the IMEI code is found in the list of allowable IMEI codes, the application server may go ahead and update the IMEI code information of the user account 408. On the other hand, if the IMEI code is not found in the list of allowed mobile terminals of the application service, the update of the user account may be refused, or the application may request additional confirmation from the user, e.g. in the form of an application-specific user ID and password.
The list of allowable IMEI codes and the list of allowable IMSI codes together form a set of trusted combinations of terminals and service subscriptions. In order to be a trusted user of a business application, the user must, in an embodiment, have both a trusted terminal and a trusted service subscription.
In some embodiments, e.g. when both the terminal and the SIM card are changed at the same time or when added security is desired, the application service may request the user to confirm the change of IMSI and/or IMEI code using another user authentication method, e.g. by entering the user ID and password of the user. The user ID and the password may be defined e.g. in the business application, e.g. a hotel reservation system.
In some embodiments, a log entry may be created about each update transaction of IMSI or IMEI codes. The update log provides a convenient way to check terminal and SIM update activities of the users of the application service.
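The following is an added example, not code from the patent or from any product implementing it, that models the server-side logic described for figures 2 to 4 and for the combined case: registration of an account pre-created with an IMEI code, regular log-in by IMEI and IMSI, a SIM change (known IMEI, unknown IMSI) and a terminal change (known IMSI, unknown IMEI) that are either accepted silently against an organization allow-list or held until the user confirms with an application-specific user ID and password or with the confirmation number of an earlier transaction, the case where both identifiers change at once and only the user ID and password can identify the user, and an update log with one entry per changed code. All class, method and field names are assumptions made for illustration, as are the use of PBKDF2 for the stored application password and the refusal of a message that pairs a known IMEI with a known IMSI belonging to a different account, which the description does not discuss. The transport (HTTPS) and the client-side extraction of the codes are out of scope; the identifiers are treated as opaque strings.

```python
"""Authentication-data manager for IMEI/IMSI-based log-in with change detection.

Added example modelled on the flows of figures 2-4; names are illustrative assumptions.
"""
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


def _hash_password(password: str, salt: str) -> str:
    # PBKDF2 so the stored application password is not recoverable from the record (assumption).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 100_000).hex()


@dataclass
class Account:
    user_id: str
    name: str
    imei: str                               # provided by the administrator at account creation (step 201)
    imsi: str | None = None                 # filled in from the client's first message (step 205)
    salt: str = field(default_factory=lambda: secrets.token_hex(8))
    password_hash: str = ""
    transactions: set = field(default_factory=set)  # confirmation numbers of completed transactions


class AuthDataManager:
    def __init__(self, allowed_imeis=(), allowed_imsis=()):
        self.accounts: dict[str, Account] = {}
        self.allowed_imeis = set(allowed_imeis)   # organization's pre-approved terminals
        self.allowed_imsis = set(allowed_imsis)   # organization's pre-approved subscriptions
        self.log: list[tuple] = []                # update log: one entry per IMSI/IMEI change

    # --- registration (figure 2) ---
    def create_account(self, user_id, name, imei, password):
        acct = Account(user_id=user_id, name=name, imei=imei)
        acct.password_hash = _hash_password(password, acct.salt)
        self.accounts[user_id] = acct
        return acct

    def register_client(self, imei, imsi):
        # Step 205: the account pre-created with this IMEI receives the IMSI the client sent.
        acct = self._by_imei(imei)
        if acct is None or acct.imsi is not None:
            return "refused"
        acct.imsi = imsi
        self.log.append(("register", acct.user_id, imei, imsi))
        return "registered"

    # --- lookup and confirmation helpers ---
    def _by_imei(self, imei):
        return next((a for a in self.accounts.values() if a.imei == imei), None)

    def _by_imsi(self, imsi):
        return next((a for a in self.accounts.values() if a.imsi == imsi), None)

    def _credentials_ok(self, acct, credentials):
        # Confirmation by transaction ID of an earlier transaction, or by user ID and password.
        if credentials is None:
            return False
        if "transaction_id" in credentials:
            return credentials["transaction_id"] in acct.transactions
        user_id, password = credentials.get("user_id"), credentials.get("password", "")
        return user_id == acct.user_id and hmac.compare_digest(
            _hash_password(password, acct.salt), acct.password_hash)

    # --- log-in with change detection (figures 3 and 4, and both codes changed) ---
    def login(self, imei, imsi, credentials=None):
        by_imei, by_imsi = self._by_imei(imei), self._by_imsi(imsi)
        if by_imei is not None and by_imei is by_imsi:
            return "ok", by_imei.user_id              # regular log-in: nothing changed
        if by_imei is not None and by_imsi is not None:
            return "denied", None                     # known IMEI with another user's known IMSI (added check)
        if by_imei is None and by_imsi is None:
            # Both changed: only the application user ID and password can identify the user.
            acct = self.accounts.get((credentials or {}).get("user_id"))
            if acct is None or not self._credentials_ok(acct, credentials):
                return "denied", None
            self._update(acct, imei=imei, imsi=imsi)
            return "updated", acct.user_id
        if by_imei is not None:                       # figure 3: new SIM card in a known terminal
            acct, name, new, allowed = by_imei, "imsi", imsi, self.allowed_imsis
        else:                                         # figure 4: old SIM card in a new terminal
            acct, name, new, allowed = by_imsi, "imei", imei, self.allowed_imeis
        if new in allowed or self._credentials_ok(acct, credentials):
            self._update(acct, **{name: new})         # allow-listed, or confirmed by the user
            return "updated", acct.user_id
        return "confirm_required", acct.user_id       # steps 306 / 407: ask the user to confirm

    def _update(self, acct, **changes):
        for name, new in changes.items():
            old = getattr(acct, name)
            setattr(acct, name, new)
            self.log.append((name, acct.user_id, old, new))  # one log entry per changed code
```

A login call returns a status and the identified user ID; "confirm_required" leaves the account untouched, so the client can repeat the same message with the user's confirmation data attached. Allow-list hits skip the confirmation prompt, which is the user-interaction saving the description mentions, while the log records every accepted change with its old and new value.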
The embodiments described herein illustrate various advantages of the present invention. For example, the invention provides a method for maintaining, with minimal administration work, a sufficient degree of login security for applications such as mobile hotel reservation systems. The embodiments of the invention further allow flexible exchange of mobile terminals or telecom service subscriptions without disturbing access to a mobile application service. Also, logging on to the service using a mobile terminal remains highly convenient, as no user ID or password is needed for the regular login process of a business application service, even when some of the authentication data changes.
To a person skilled in the art, the foregoing exemplary embodiments illustrate the model presented in this application, from which it is possible to design different methods and arrangements that, in ways obvious to the expert, utilize the inventive idea presented in this application.
Claims
1. A method for managing authentication data of a user of a mobile application service, the authentication data comprising at least device identification data and service subscription identification data, characterized in that the method comprises steps of: a. observing a change in device identification data or in service subscription identification data, b. identifying the user using unchanged authentication data, and c. updating the authentication data of the identified user with the changed device and/or service subscription identification data.
2. A method according to claim 1 , characterized in that the method further comprises the step of verifying the new device or subscription identification data against a list of allowable device or subscription identifiers before updating the authentication data.
3. A method according to claim 1 , characterized in that said device identification data comprises an IMEI code.
4. A method according to claim 1 , characterized in that said service subscription identification data comprises data stored on a SIM card.
5. A method according to claim 4, characterized in that said service subscription data comprises an IMSI code.
6. A method according to claim 1 , characterized in that said method further comprises step of prompting user for a confirmation before updating said authentication data.
7. A method according to claim 1 , characterized in that the method further comprises the step of creating a log entry about said update of said authentication data.
8. A method according to claim 1 , characterized in that said step of identifying the user using said unchanged authentication data comprises requesting the user to enter a user ID and/or a password.
9. A method according to claim 1 , characterized in that said step of identifying the user using said unchanged authentication data comprises requesting a transaction identifier of an earlier transaction of the user.
10. An arrangement for managing authentication data of a user of a mobile application service, the authentication data comprising at least device identification data and service subscription identification data, characterized in that the arrangement comprises means for: a. observing a change in device identification data or in service subscription identification data, b. identifying the user using unchanged authentication data, and c. updating the authentication data of the user with the changed device or service subscription identification data.
11. A computer program product for managing authentication data of a user of a mobile application service, the authentication data comprising at least device identification data and service subscription identification data, characterized in that the program product comprises computer executable instructions for: a. observing a change in device identification data or in service subscription identification data, b. identifying the user using unchanged authentication data, and c. updating the authentication data of the user with the changed device or service subscription identification data.
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
FI20085624 | 2008-06-19 | ||
FI20085624A FI20085624L (en) | 2008-06-19 | 2008-06-19 | Method, system and computer program for handling authentication data |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2009153402A1 true WO2009153402A1 (en) | 2009-12-23 |
Family
ID=39589385
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/FI2009/050530 WO2009153402A1 (en) | 2008-06-19 | 2009-06-17 | Method, arrangement and computer program for authentication data management |
Country Status (2)
Country | Link |
---|---|
FI (1) | FI20085624L (en) |
WO (1) | WO2009153402A1 (en) |
Cited By (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2012000161A1 (en) * | 2010-06-28 | 2012-01-05 | Qualcomm Incorporated | System and method for subscription data optimization |
EP2579630A3 (en) * | 2011-06-01 | 2013-11-13 | BlackBerry Limited | Method for managing identity information after a SIM swap |
US9154939B2 (en) | 2011-06-01 | 2015-10-06 | Blackberry Limited | System and method for managing identity information after a SIM swap |
EP3219129A4 (en) * | 2014-11-13 | 2018-05-16 | BlackBerry Limited | System and method for providing service license aggregation across multiple device sim cards |
EP3219128A4 (en) * | 2014-11-13 | 2018-05-16 | BlackBerry Limited | System and method for providing service license aggregation across multiple physical and virtual sim cards |
Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2001060098A1 (en) * | 2000-02-11 | 2001-08-16 | Nokia Corporation | Method and system for obtaining identification information on a monitored party in a communication network |
US20030027581A1 (en) * | 2001-07-31 | 2003-02-06 | Nokia Corporation | System and method for automatic provisioning detection and notification |
EP1331833A1 (en) * | 2002-01-24 | 2003-07-30 | Vodafone Group PLC | System and process for storing and updating mobile terminal features of the users of a mobile telephone network |
WO2005032183A1 (en) * | 2003-10-02 | 2005-04-07 | Smarttrust Ab | Method and mobile telecommunication network for detection of device information |
WO2005036916A1 (en) * | 2003-10-03 | 2005-04-21 | Bitfone Corporation | Network and method for registration of mobile devices and management of the mobile devices |
WO2005053348A2 (en) * | 2003-11-27 | 2005-06-09 | Smarttrust Ab | Method and network for detection of device information of mobile stations |
Events
- 2008-06-19: FI FI20085624A patent/FI20085624L/en, not active (application discontinuation)
- 2009-06-17: WO PCT/FI2009/050530 patent/WO2009153402A1/en, active (application filing)
Also Published As
Publication number | Publication date |
---|---|
FI20085624L (en) | 2009-12-20 |
FI20085624A0 (en) | 2008-06-19 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US12081968B2 (en) | Automated credential porting for mobile devices | |
JP4722056B2 (en) | Method and apparatus for personalization and identity management | |
US9661666B2 (en) | Apparatus and methods of identity management in a multi-network system | |
US7703142B1 (en) | Software license authorization system | |
EP1953950B1 (en) | A method for protecting network service application account, the system, and the apparatus thereof | |
US9531835B2 (en) | System and method for enabling wireless social networking | |
CA2500177C (en) | Configuration of enterprise gateways | |
CN102088691B (en) | Mobile phone mobile Internet user application certification recognition system and method | |
EP1690189B1 (en) | On demand session provisioning of ip flows | |
US20170033823A1 (en) | System and method for automatic detection and enablement of a virtual sim on a mobile device | |
EP2316093B1 (en) | System, method and apparatus for security management of an electronic device | |
EP2827621B1 (en) | Application program distribution method, terminal and server | |
CN103023856A (en) | Single sign-on method, single sign-on system, information processing method and information processing system | |
CN1795656B (en) | Method for safely initializing user and confidential data | |
WO2009153402A1 (en) | Method, arrangement and computer program for authentication data management | |
US8751673B2 (en) | Authentication apparatus, authentication method, and data using method | |
JP2016148919A (en) | User attribute information management system and user attribute information management method | |
JP4979723B2 (en) | COMMUNICATION METHOD, COMMUNICATION SYSTEM, SERVICE PROVIDING BASE ACCESS METHOD | |
CN109460647B (en) | Multi-device secure login method | |
KR20150135171A (en) | Login processing system based on inputting telephone number and control method thereof | |
US20080052771A1 (en) | Method and System for Certifying a User Identity | |
CN109492434A (en) | A kind of method for safely carrying out and system of electronics authority | |
US20040122687A1 (en) | Wireless LAN roaming using a Parlay gateway | |
KR101865874B1 (en) | Log-in verification server and operating method therefor | |
CN105557004B (en) | A kind of processing unit and method of data |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| 121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 09765968; Country of ref document: EP; Kind code of ref document: A1 |
| NENP | Non-entry into the national phase | Ref country code: DE |
| 122 | Ep: pct application non-entry in european phase | Ref document number: 09765968; Country of ref document: EP; Kind code of ref document: A1 |