WO2016001032A1 - User authentication and resource management in a cellular network - Google Patents
User authentication and resource management in a cellular network Download PDFInfo
- Publication number
- WO2016001032A1 WO2016001032A1 PCT/EP2015/064226 EP2015064226W WO2016001032A1 WO 2016001032 A1 WO2016001032 A1 WO 2016001032A1 EP 2015064226 W EP2015064226 W EP 2015064226W WO 2016001032 A1 WO2016001032 A1 WO 2016001032A1
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- user
- cellular network
- authentication
- user device
- service
- Prior art date
Links
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/06—Authentication
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/0876—Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/06—Authentication
- H04W12/068—Authentication using credential vaults, e.g. password manager applications or one time password [OTP] applications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/40—Security arrangements using identity modules
- H04W12/47—Security arrangements using identity modules using near field communication [NFC] or radio frequency identification [RFID] modules
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/083—Network architectures or network communication protocols for network security for authentication of entities using passwords
- H04L63/0838—Network architectures or network communication protocols for network security for authentication of entities using passwords using one-time-passwords
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/0853—Network architectures or network communication protocols for network security for authentication of entities using an additional device, e.g. smartcard, SIM or a different communication terminal
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/18—Network architectures or network communication protocols for network security using different networks or channels, e.g. using out of band channels
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W4/00—Services specially adapted for wireless communication networks; Facilities therefor
- H04W4/80—Services using short range communication, e.g. near-field communication [NFC], radio-frequency identification [RFID] or low energy communication
Definitions
- the invention relates to a method of user authentication for accessing a service provided over a cellular network, a user device for communication with a cellular network, an authentication device comprising an interface for providing a communications link with a user device and a network entity of a cellular network.
- the Third Generation Partnership Project (3GPP) has been developing enhancements to cellular systems to allow their operation for public safety or emergency services (ES) communications. These are especially intended to work with the Long Term Evolution (LTE) architecture.
- the service may be overlaid on the cellular network's existing infrastructure, for example as a distinct packet-switched service using one or more specific applications operating on the user device.
- Other services of the cellular network may be provided to the user device at the same time as the ES service and potentially independently.
- Aims of this approach may include: reduced cost; improved functionality; and increased flexibility in comparison with existing public safety communication infrastructure, such as the Terrestrial Trunked Radio (TETRA) network.
- TETRA Terrestrial Trunked Radio
- Such systems are desirably secure and, to effect this, employ user-specific security keys and profiles as part of the communication between a user device and the network or between multiple user devices.
- Existing TETRA technology stores the security keys and profile within the user device.
- the TEA2 (security) algorithm utilised requires the user device to be brought into a secure
- One advantage in the use of a cellular network for providing such services is that devices may be interchangeable between users, which will be lost using this approach.
- SIM Subscriber Identity Module
- a SIM card is at least partially embedded within the device, such that the user would need to change the SIM card whenever they wish to use a different device.
- SIM Subscriber Identity Module
- a user may change devices more often than that of conventional cellular network users. This may be partly because devices can become damaged or run out of power more often (especially where smart devices are utilised). Replacing the battery or switching the device and physically moving the SIM card may then be the only solutions to such problems, which may not be acceptable.
- NFC Near Field Communication
- the user is provided with an NFC device that is separate to the User Equipment (UE) employed for accessing the cellular network.
- the NFC device can act as a processing engine and/or utilised as storage. This may allow the NFC device to store a security credential common to the cellular network and/or service provider, but unknown to the user or UE.
- the NFC device processes a challenge from the service provider using the common security credential and a user-specific credential input by the user to the UE, such as a PIN, to provide an authentication code.
- the authentication code is sent back to the service provider, which verifies it.
- the use of at least one unique identifier associated with the cellular network (such as an IMSI and/or IMEI) in setting the authentication code is particularly advantageous.
- a device-specific and/or subscriber-specific identifier allows the authentication of the user to be traced directly to an individual user device (such as a UE) and/or a specific subscriber and may provide a constantly changing encryption system.
- the use of an authentication device separate from the user device provides security, so that the authentication code may be generated on the basis of information unknown to the user device, together with the ability to interchange user devices, since a specific user device need not be required to access the service.
- this may be seen as the combination of device-specific and/or subscriber-specific identifier with a service credential that is unknown to the user device to provide multi-factor authentication.
- this improvement in security may allow the security requirements inherent to the user device to be relaxed to the extent that, as far as at least security is concerned, the user device may essentially be a dumb terminal.
- the authentication device communicates with the user device using a secondary communication link (preferably, separate from the link between the user device and the cellular network, such as a short-range communication link), so that the two devices require no fixed integration and allow the authentication device to be used in conjunction with a variety of user devices.
- a secondary communication link preferably, separate from the link between the user device and the cellular network, such as a short-range communication link
- the authentication code may allow access to the cellular network or at least a specific service provided by the cellular network.
- the authentication code may be a one-time access key.
- Public Key Infrastructure (PKI) in the cellular network may then determine what the authentication code allow the user device to access within a secure infrastructure.
- PKI Public Key Infrastructure
- the authentication code that is generated by placing the authentication device with the user device to create an authentication session may give the user device access to the network for a specified amount of time, until the session expires. Then the data may be inaccessible until the user creates another authentication session with the authentication device.
- a user profile may be stored with within the authentication device (such as an NFC card). If the user device is changed or lost, the profile information is therefore retained.
- the authentication device such as an NFC card
- a specific lifetime can be applied to the access provided to the service.
- this enables control of access lifetime on a per-device and/or per-subscriber basis. This may further increase security of the access in case of device loss or change, for instance.
- Figure 1 illustrates a schematic diagram of a system in accordance with an embodiment of the invention.
- Figure 2 shows a schematic depiction of an operation of the system of Figure 1 .
- a User Equipment (UE) 10 a User Equipment (UE) 10
- user input 20 a Near Field Communication (NFC) device 30, which may be considered an authentication device
- NFC Near Field Communication
- the UE 10 has a Subscriber Identity Module (SIM) part 1 1 , which may be a SIM card or SIM application embodied in a different form (for example, integrated with the UE 10).
- SIM Subscriber Identity Module
- An application 15 operates on the UE 10 and is particularly used for interfacing with the cellular network 40, for providing a particular service. For example, this may be provided by a service provider that could be logically or physically separate from the cellular network operator.
- the service may be an ES service or another service desiring secure authentication of the user.
- the service may include a communications service provided by the cellular network 40.
- the authentication of the user operates in the following way.
- the user 20 loads the application 15 on the UE 10.
- the application 15 requests a security credential, such as a PIN code, from the user 20.
- a security credential such as a PIN code
- the user 20 brings the NFC device 30 into proximity with the UE 10 (which has an NFC reader), allowing communication between them and handshake occurs to set this up.
- the UE 10 provides security information to the NFC device 30. This is shown as a two-way interaction, but it may be one way only.
- the security information comprises a unique identifier for the UE 10 on the cellular network 40.
- this may be an identifier associated with the UE 10 itself, such as an International Mobile Station Equipment Identity (IMEI) and/or an identifier associated with the subscription (that is, SIM 1 1 ), such as an International Mobile Subscriber Identity (IMSI) or a Mobile Subscriber Integrated Services Digital Network-Number (MSISDN). Both the IMSI and MSI DSN could also be used.
- the security information also comprises the security credential from the user 20 (as discussed in steps 1 10 and 120).
- the NFC device 30 checks the security credential against a predetermined value stored on its internal memory (not shown). If the security credential does not match the stored value, the NFC device 30 informs the UE 10 that the security credential is rejected and does nothing more. Otherwise, the NFC device 30 determines an authentication code based on the security information, in particular the identifier associated with the UE 10 or SIM 1 1 .
- authentication code can also be based on other parts of the security information, such as the security credential (such as the PIN code, for instance of 4, 6 or more digits) and/or information stored in the NFC device 30 that is unknown to the UE 10 (and SIM 1 1 and/or user 20), but known to the cellular network 40, such as an encrypted logon key.
- the cellular network can include the service provider (not shown), even though these may be logically or even physically separate.
- the authentication code which will be specific to the UE 10 and/or SIM 1 1 is then communicated to the application 15 at the UE 10 over the NFC link (for example, by the application 15 accessing it within the NFC device 30) and the application 15 communicates the authentication code to the cellular network 40, for authentication. All user-specific service information, such as information on talk groups, users, contacts is stored securely on the NFC device 30 and this may only be accessed if the correct security credential is provided by the user 20.
- the authentication code may be used to generate a one-time key that is used for the UE 10 and valid for a specific time period, such as 24 hours. This may stop lost devices requiring stunning to take them off the network, as the key will expire after an amount of time.
- the access key and/or the user data could then be provisioned to the UE 10.
- the access key is subsequently used by the UE 10 (and more specifically the application 15) to register or access a secure network, such as an emergency services network.
- This embodiment therefore differs from existing security configurations for ES services, which are personal issue, so all programming information is stored on the device when the device is provisioned, including all security information.
- This approach does not require personal issue devices and indeed, a user may authenticate onto any device that supports the technology.
- it may enable a two or three-factor authentication mechanism, where the authentication device 30 is presented to the UE 10, the authentication device 30 is accessed via a security credential, which then allows the UE 10 to read the personalisation information from the authentication device 30 and generate an authentication code (such as a security key). This allows access from this specified device to the network service for at least (or no more than) a defined period of time.
- Role-based authentication may also be used, based on a user's authentication device 30, so that different service functionalities may be activated and/or disabled, based on the user's permissions. If a user changes role, their authentication device 30 may be "upgraded” to update their status.
- the authentication device 30 may be provided in the form of an ID, card allowing them to have one device that can access buildings, log onto infrastructure and access the secure communications network.
- the user device is shown as UE 10, it will be understood that any type of user communication device may be used and this need not be a UE as understood in the conventional sense of a cellular network (which would include a mobile telephone or other portable or fixed communications device, in any case).
- the SIM part 1 1 is equally optional.
- the NFC device 30 may be replaced by any other type of authentication device that is separate from the user device, but which can communicate with the user device over a secondary communications link.
- the secondary communications link may be a fixed or (preferably) wireless link, which will be discussed further below.
- steps 1 10 and 120 can also be understood as optional and the passing of this to the NFC device 30, where it is checked, would then be omitted.
- network enablement may be employed.
- the network may recognise that the MSISDN associated with the SIM 1 1 is attached to a virtual profile or number associated with the user 20 and then redirects the communication to the service provider, initiating authentication.
- the application 15 may continuously or periodically check if the NFC device 30 is in the proximity, if not then automatically disable the service. This check could be carried out only when the service is in active use, for example when a call or message is made or received. Other changes may be made.
- This embodiment can be understood as a method of user authentication for accessing a service provided over a cellular network. It uses a user device for communication with the cellular network and that has at least one unique identifier associated with the cellular network. The method comprises
- a cellular network in this context may include a service provider, that may be separate from and/or external to the cellular network.
- the secondary communications link is beneficially separate from the cellular link, especially in terms of the link interface or technology, and may use a fixed (wired) link or it may use wireless and/or a short range communication technology, such as one or more of: optical communication technology; NFC technology; wireless Local Area Network (LAN) technology; and Personal Area Network technology, including Bluetooth.
- the user device may configured for communication with a second (cellular) network, as well as the cellular network and secondary communication link.
- the method further comprises receiving a user-specific credential as an input to the user device from the user.
- the security information may be further based on the received user-specific credential.
- the user-specific credential (such as a PIN code) may then be passed to the authentication device.
- the user-specific credential may be unknown to the user device.
- the method preferably further comprises checking the user-specific credential against a predetermined value stored on the authentication device. The authentication code only being provided if the user-specific credential matches the predetermined value. Additionally or alternatively, the authentication code is further based on the received user-specific credential. This may increase security further.
- the authentication code is further based on a service credential stored on the authentication device and/or unknown to or not stored on the user device.
- the service credential is specific to the user and this may allow the cellular network or service provider to confirm the user.
- the method preferably further comprises communicating the
- the method may further comprise receiving access information (such as an access key) at the user device from the cellular network in response to communication of the authentication code.
- the access information may allow the user device to access the service.
- the access information optionally allows the user device to access the service for only predetermined time period, which may be a specific duration or a set or range of specific times.
- the method may further comprise detecting the authentication device at the user device, preferably by communication between the authentication device and the user device over the secondary communications link. This may be carried out prior to the step of communicating security information (to confirm that the authentication device is present or even prompt the user device to request the security credential or send the security information). Additionally or alternatively, this may be carried out one time or a plurality of times when the user device is being provided the service by the cellular network. This may allow regular confirmation that the authentication device and user device are still in the possession of the user, so that loss of one or the other can be indicated. The regular confirmation may be achieved by detecting the authentication device at a plurality of times separated by regular or irregular intervals or prompted by an external event, such as an incoming or outgoing call or other type of
- the method may further comprise preventing the user device from accessing the service provided over the cellular network in response to the step of detecting the authentication device resulting in a failure.
- the user device can optionally still access other services over the cellular network. Alternatively, the user device may not access any service over the cellular network in such a case.
- the method may further comprise transferring user- specific data between the user device and the authentication device.
- the user- specific data may relate to the service being provided over the cellular network (such as a user profile).
- the step of transferring user-specific data may be based on the step of checking the user-specific credential.
- the user-specific data is downloaded from the authentication device to the user device.
- User-specific data may additionally or alternatively be transferred from the user device to the authentication device.
- the application 15 may add, change or replace profile information in the NFC device 30, thereby reducing the amount of information coming over the network.
- the service may be one that is provided by the cellular network 40 and not another service provider.
- the authentication device 30 may store at least one user-specific credential for accessing a service provided by the cellular network 40.
- the user device (UE 10) may provide the authentication device 30 with an identifier specific to the cellular network, such as an IMEI and this may then be used together with the at least one user-specific credential stored on the authentication device 30.
- the authentication code may allow the UE 10 to interact with an "on air" profile management system, for example using Open Mobile Alliance (OMA) Device Management (DM) or a similar protocol. This interaction may allow the UE 10 to download a phone identity specific to the at least one user-specific credential encoded within the authentication code.
- OMA Open Mobile Alliance
- DM Device Management
- the UE 10 and/or a subscription associated with it may therefore be provisioned for operation on the cellular network 40 accordingly.
- the subscription identity is stored on the authentication device 30 in this case and the UE 10 need not have a SIM part 1 1 as a result.
- the authentication device 30 may store a SIM profile corresponding with the at least one user-specific credential. This may allow the UE 10 to download the SIM profile from the authentication device 30 (for example, to attach an IMSI and/or MSISDN associated with the authentication device 30 to the UE 10).
- the UE 10 can download user-specific data for the UE 10 from a cloud service, via the cellular network 40. This may include UE-configuration data, contact information, stored data (such as message information) or other similar UE-specific data.
- a computer program (such as application 15), configured when operated by a processor to carry out the method as described herein may also be provided.
- a user device for communication with a cellular network and having at least one unique identifier associated with the cellular network and/or an authentication device comprising an interface for providing a communications link with a user device, either or both of which may have features configured to implement the method described herein may also be provided.
- a system combining the user device and the authentication device configured for communication with one another is also conceived.
- a network entity of the cellular network configured to receive and check the authentication code and further configured to communicate access information to the user device in response the authentication code being validated may also be included. The access information may allow the user device to access the service.
- FIG. 2 there is shown a schematic depiction of an operation of the system of Figure 1 , especially with reference to the cellular network.
- the user 20 provides the authentication device 30 (in the form of an NFC card) and a PIN code.
- the key stored on the authentication device 30 and PIN code are combined and hashed against both the IMEI and IMSI of the UE 10 to generate a user authentication key which is sent to the cellular network 40 in step 150.
- a PDP context is set up between the UE 10 and the cellular network 40 for communication of the user authentication key and this is verified by an authentication server 45 at the cellular network 40.
- This allows access to the secure services cloud 50, as shown. Lost devices can be immediately switched off by blocking the service key on the back end infrastructure, at the services cloud.
- the skilled person will understand that the cellular network architecture and mechanisms for transferring data and/or authenticating the user may vary, though.
- the method comprises: receiving an authentication code for accessing the service at the cellular network from a user device, the user device having at least one unique identifier associated with the cellular network and the authentication code being based on the at least one unique identifier of the user device associated with the cellular network and a service credential that is unknown to the user device; and checking the received authentication code at the cellular network on the basis of the at least one unique identifier of the user device associated with the cellular network and a service credential that is unknown to the user device.
- a service credential that is unknown to the user device which may a (user-specific) security credential and/or security data (such as a key) that may be stored on a separate authentication device.
- the service credential is preferably specific to a user.
- the method may further comprise receiving a user identification in association with the authentication code.
- the step of checking the received authentication code may be further based on the user identification.
- the authentication code is optionally further based on a user-specific credential that is provided to the user device.
- the step of checking the received authentication code at the cellular network may be further carried out on the basis of the user-specific credential.
- the method may further comprise communicating access information from the cellular network to the user device in response to the step of checking the received authentication code resulting in the authentication code being validated.
- the access information may allow the user device to access the service.
- the method further comprises providing the user device with the service over the cellular network in response to the step of checking the received authentication code resulting in the authentication code being validated.
- the service may be a first service and the method may further comprise providing the user device with a second service over the cellular network irrespective of a result of the step of checking the authentication code.
- the second service may be distinct from the first service.
- the method further comprises identifying at the cellular network that the user device may access the service on the basis of the at least one unique identifier associated with the cellular network. Then, the method may further comprise communicating a request for an authentication code from the cellular network to the user device, in response to the step of identifying.
- the authentication system may allow access to different applications on the basis of the provided key or keys. This can be understood more generally as permitting access to one or some of a plurality of applications or services dependent on an indication within the received authentication code.
- Another functionality may allow new information to be sent to the NFC device 30 over the air through the UE 10 to deprecate key information, for instance. More generally, this can be seen as communicating user-specific information from the cellular network to the user device for transferring from the user device to an authentication device interfaced with the user device.
- the approach shown may be adapted and/or varied to implement Over the air' UE and/or subscription provisioning as discussed above. This may allow interaction between the authentication server 45 and a provisioning server (not shown). In some embodiments, the authentication server 45 and the provisioning server may be combined. Optional features as disclosed herein with respect to any other aspect (for example the method carried out at the user device and/or authentication device discussed above) may be used together with this aspect.
- the embodiment shown in Figure 2 should also be understood as an example, and the skilled person will appreciate that variations and modifications may be possible.
- a computer program configured when operated by a processor to carry out the method as described herein may also be provided.
- a network entity of a cellular network configured to operate in accordance with the method as described herein.
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Power Engineering (AREA)
- Telephonic Communication Services (AREA)
- Mobile Radio Communication Systems (AREA)
Abstract
User authentication for accessing a service provided over a cellular network is provided. A user device for communication with the cellular network has at least one unique identifier associated with the cellular network. An authentication code for accessing the service over the cellular network is used, the authentication code being based on security information that is based on the at least one unique identifier and may also be based on a service credential that is unknown to the user device. The security information may be communicated from the user device to an authentication device separate from the user device over a secondary communications link. The authentication code may be generated at the authentication device.
Description
USER AUTHENTICATION AND RESOURCE MANAGEMENT IN A CELLULAR NETWORK
Field of the Invention
The invention relates to a method of user authentication for accessing a service provided over a cellular network, a user device for communication with a cellular network, an authentication device comprising an interface for providing a communications link with a user device and a network entity of a cellular network.
Background to the Invention
The Third Generation Partnership Project (3GPP) has been developing enhancements to cellular systems to allow their operation for public safety or emergency services (ES) communications. These are especially intended to work with the Long Term Evolution (LTE) architecture. The service may be overlaid on the cellular network's existing infrastructure, for example as a distinct packet-switched service using one or more specific applications operating on the user device. Other services of the cellular network may be provided to the user device at the same time as the ES service and potentially independently. Aims of this approach may include: reduced cost; improved functionality; and increased flexibility in comparison with existing public safety communication infrastructure, such as the Terrestrial Trunked Radio (TETRA) network.
Such systems are desirably secure and, to effect this, employ user-specific security keys and profiles as part of the communication between a user device and the network or between multiple user devices. Existing TETRA technology stores the security keys and profile within the user device. The TEA2 (security) algorithm utilised requires the user device to be brought into a secure
environment and loaded with the keys and the user's profile information. Thus, the device must be issued specifically to an individual user. One advantage in the use of a cellular network for providing such services is that devices may be interchangeable between users, which will be lost using this approach.
It is known to use enterprise computing principles to store the user profile on the network. Then when the user logs onto the device, the user settings may be transferred to it. This process is useful for "transient" data, such as role
profile, control information or similar. However, it is undesirable to transfer security policy information and/or keys over the air (radio interface) as this may lead to security breaches through various enterprise IT attacks on the
infrastructure.
Another approach is to use Subscriber Identity Module (SIM) cards to store security policy information and/or keys for the ES service. A SIM card is at least partially embedded within the device, such that the user would need to change the SIM card whenever they wish to use a different device. For these applications, a user may change devices more often than that of conventional cellular network users. This may be partly because devices can become damaged or run out of power more often (especially where smart devices are utilised). Replacing the battery or switching the device and physically moving the SIM card may then be the only solutions to such problems, which may not be acceptable.
Secure authentication techniques have been considered for other applications, such as banking or transport systems. Some of these use short range communication technology, such as Near Field Communication (NFC). The user is provided with an NFC device that is separate to the User Equipment (UE) employed for accessing the cellular network. The NFC device can act as a processing engine and/or utilised as storage. This may allow the NFC device to store a security credential common to the cellular network and/or service provider, but unknown to the user or UE. Then, the NFC device processes a challenge from the service provider using the common security credential and a user-specific credential input by the user to the UE, such as a PIN, to provide an authentication code. The authentication code is sent back to the service provider, which verifies it. This type of approach is discussed in "Enhancing Authentication in eBanking with NFC-Enabled Mobile Phones", D A Ortiz- Yepes, M Baentsch, LAM Schoenmakers, et al, ERCIM News 76, 63-64, 2009, for example. In this document, the cellular network is not used for communicating with the service provider and the UE is simply used as an interface with the NFC device, but more recent implementations of this technique use the UE to communicate with the service provider over the cellular network. Such a system
may significantly improve security of the authentication. Nevertheless,
authentication to provision a secure service over a cellular network remains a challenge. Summary of the Invention
Against this background, there is provided a method of user authentication for accessing a service provided over a cellular network in accordance with claim 1 . There is also provided a computer program in line with claim 16, a user device for communication with a cellular network as defined by claim 17 and an authentication device in accordance with claim 18. A system for user
authentication to access a service provided over a cellular network according to claim 19 is further provided.
This may add an additional layer of security to the existing security stack of the cellular network. The use of at least one unique identifier associated with the cellular network (such as an IMSI and/or IMEI) in setting the authentication code is particularly advantageous. A device-specific and/or subscriber-specific identifier allows the authentication of the user to be traced directly to an individual user device (such as a UE) and/or a specific subscriber and may provide a constantly changing encryption system. The use of an authentication device separate from the user device provides security, so that the authentication code may be generated on the basis of information unknown to the user device, together with the ability to interchange user devices, since a specific user device need not be required to access the service. In another sense, this may be seen as the combination of device-specific and/or subscriber-specific identifier with a service credential that is unknown to the user device to provide multi-factor authentication. In fact, this improvement in security may allow the security requirements inherent to the user device to be relaxed to the extent that, as far as at least security is concerned, the user device may essentially be a dumb terminal.
The authentication device communicates with the user device using a secondary communication link (preferably, separate from the link between the user device and the cellular network, such as a short-range communication link),
so that the two devices require no fixed integration and allow the authentication device to be used in conjunction with a variety of user devices. Thus, the combination of the advantages provided by the user device and those provided by the authentication device results in improved security and flexibility in comparison with existing approaches. Following authentication, the user device may then be provisioned for access to the service.
The authentication code may allow access to the cellular network or at least a specific service provided by the cellular network. The authentication code may be a one-time access key. Public Key Infrastructure (PKI) in the cellular network may then determine what the authentication code allow the user device to access within a secure infrastructure. The authentication code that is generated by placing the authentication device with the user device to create an authentication session may give the user device access to the network for a specified amount of time, until the session expires. Then the data may be inaccessible until the user creates another authentication session with the authentication device.
A user profile may be stored with within the authentication device (such as an NFC card). If the user device is changed or lost, the profile information is therefore retained.
A specific lifetime can be applied to the access provided to the service.
Advantageously, this enables control of access lifetime on a per-device and/or per-subscriber basis. This may further increase security of the access in case of device loss or change, for instance.
Further preferred features of the invention are set out in the accompanying claims and will further become apparent from a consideration of the following specific description of a particularly preferred embodiment. Additional advantages will also be discussed below.
Brief Description of the Drawings
The invention may be put into practice in a number of ways, and a preferred embodiment will now be described by way of example only and with reference to the accompanying drawings, in which:
Figure 1 illustrates a schematic diagram of a system in accordance with an embodiment of the invention; and
Figure 2 shows a schematic depiction of an operation of the system of Figure 1 .
Detailed Description of a Preferred Embodiment
Referring first to Figure 1 , there is illustrated a schematic diagram of a system in accordance with an embodiment of the invention. There is shown: a User Equipment (UE) 10; user input 20; a Near Field Communication (NFC) device 30, which may be considered an authentication device; and a cellular network 40. The UE 10 has a Subscriber Identity Module (SIM) part 1 1 , which may be a SIM card or SIM application embodied in a different form (for example, integrated with the UE 10). An application 15 operates on the UE 10 and is particularly used for interfacing with the cellular network 40, for providing a particular service. For example, this may be provided by a service provider that could be logically or physically separate from the cellular network operator. The service may be an ES service or another service desiring secure authentication of the user. In some examples, the service may include a communications service provided by the cellular network 40.
The authentication of the user operates in the following way. The user 20 loads the application 15 on the UE 10. In a first step 1 10, the application 15 requests a security credential, such as a PIN code, from the user 20. This is provided in second step 120. The user 20 brings the NFC device 30 into proximity with the UE 10 (which has an NFC reader), allowing communication between them and handshake occurs to set this up. In third step 130, the UE 10 provides security information to the NFC device 30. This is shown as a two-way interaction, but it may be one way only. The security information comprises a unique identifier for the UE 10 on the cellular network 40. In practice, this may be an identifier associated with the UE 10 itself, such as an International Mobile Station Equipment Identity (IMEI) and/or an identifier associated with the subscription (that is, SIM 1 1 ), such as an International Mobile Subscriber Identity (IMSI) or a Mobile Subscriber Integrated Services Digital Network-Number
(MSISDN). Both the IMSI and MSI DSN could also be used. The security information also comprises the security credential from the user 20 (as discussed in steps 1 10 and 120).
The NFC device 30 checks the security credential against a predetermined value stored on its internal memory (not shown). If the security credential does not match the stored value, the NFC device 30 informs the UE 10 that the security credential is rejected and does nothing more. Otherwise, the NFC device 30 determines an authentication code based on the security information, in particular the identifier associated with the UE 10 or SIM 1 1 . The
authentication code can also be based on other parts of the security information, such as the security credential (such as the PIN code, for instance of 4, 6 or more digits) and/or information stored in the NFC device 30 that is unknown to the UE 10 (and SIM 1 1 and/or user 20), but known to the cellular network 40, such as an encrypted logon key. In this context, the cellular network can include the service provider (not shown), even though these may be logically or even physically separate.
The authentication code, which will be specific to the UE 10 and/or SIM 1 1 is then communicated to the application 15 at the UE 10 over the NFC link (for example, by the application 15 accessing it within the NFC device 30) and the application 15 communicates the authentication code to the cellular network 40, for authentication. All user-specific service information, such as information on talk groups, users, contacts is stored securely on the NFC device 30 and this may only be accessed if the correct security credential is provided by the user 20. The authentication code may be used to generate a one-time key that is used for the UE 10 and valid for a specific time period, such as 24 hours. This may stop lost devices requiring stunning to take them off the network, as the key will expire after an amount of time. The access key and/or the user data could then be provisioned to the UE 10. The access key is subsequently used by the UE 10 (and more specifically the application 15) to register or access a secure network, such as an emergency services network.
When logging on to the network from a second device, having already logged on from another device makes the previous key invalid. This means that
a user should not be logged onto the service twice and is an additional advantage in generating the authentication code using a unique identifier associated with the user device. Steps taken at the network will be discussed below.
This embodiment therefore differs from existing security configurations for ES services, which are personal issue, so all programming information is stored on the device when the device is provisioned, including all security information. This approach does not require personal issue devices and indeed, a user may authenticate onto any device that supports the technology. Moreover, it may enable a two or three-factor authentication mechanism, where the authentication device 30 is presented to the UE 10, the authentication device 30 is accessed via a security credential, which then allows the UE 10 to read the personalisation information from the authentication device 30 and generate an authentication code (such as a security key). This allows access from this specified device to the network service for at least (or no more than) a defined period of time.
"Role-based" authentication may also be used, based on a user's authentication device 30, so that different service functionalities may be activated and/or disabled, based on the user's permissions. If a user changes role, their authentication device 30 may be "upgraded" to update their status. The authentication device 30 may be provided in the form of an ID, card allowing them to have one device that can access buildings, log onto infrastructure and access the secure communications network.
The embodiment shown in Figure 1 should be understood as an example, and the skilled person will appreciate that variations and modifications may be possible. Although the user device is shown as UE 10, it will be understood that any type of user communication device may be used and this need not be a UE as understood in the conventional sense of a cellular network (which would include a mobile telephone or other portable or fixed communications device, in any case). The SIM part 1 1 is equally optional. Similarly, the NFC device 30 may be replaced by any other type of authentication device that is separate from the user device, but which can communicate with the user device over a secondary communications link. The secondary communications link may be a fixed or (preferably) wireless link, which will be discussed further below. The
order of steps may be varied in practice, for example the UE 10 may detect the NFC device 30 and load the application 15 in response. The security credential (in steps 1 10 and 120) can also be understood as optional and the passing of this to the NFC device 30, where it is checked, would then be omitted.
Optionally, network enablement may be employed. For example, the network may recognise that the MSISDN associated with the SIM 1 1 is attached to a virtual profile or number associated with the user 20 and then redirects the communication to the service provider, initiating authentication. The application 15 may continuously or periodically check if the NFC device 30 is in the proximity, if not then automatically disable the service. This check could be carried out only when the service is in active use, for example when a call or message is made or received. Other changes may be made.
This embodiment can be understood as a method of user authentication for accessing a service provided over a cellular network. It uses a user device for communication with the cellular network and that has at least one unique identifier associated with the cellular network. The method comprises
communicating security information from the user device to an authentication device separate from the user device over a secondary communications link, the security information being based on the at least one unique identifier of the user device associated with the cellular network; and communicating an authentication code for accessing the service over the cellular network from the separate authentication device to the user device over the secondary communications link, the authentication code being based on the security information.
As noted above, a cellular network in this context may include a service provider, that may be separate from and/or external to the cellular network. The secondary communications link is beneficially separate from the cellular link, especially in terms of the link interface or technology, and may use a fixed (wired) link or it may use wireless and/or a short range communication technology, such as one or more of: optical communication technology; NFC technology; wireless Local Area Network (LAN) technology; and Personal Area Network technology, including Bluetooth. The user device may configured for communication with a
second (cellular) network, as well as the cellular network and secondary communication link.
Optionally, the method further comprises receiving a user-specific credential as an input to the user device from the user. The security information may be further based on the received user-specific credential. In other words, the user-specific credential (such as a PIN code) may then be passed to the authentication device. The user-specific credential may be unknown to the user device. The method preferably further comprises checking the user-specific credential against a predetermined value stored on the authentication device. The authentication code only being provided if the user-specific credential matches the predetermined value. Additionally or alternatively, the authentication code is further based on the received user-specific credential. This may increase security further.
In some embodiments, the authentication code is further based on a service credential stored on the authentication device and/or unknown to or not stored on the user device. Advantageously, the service credential is specific to the user and this may allow the cellular network or service provider to confirm the user.
The method preferably further comprises communicating the
authentication code to the cellular network from the user device. Then, the method may further comprise receiving access information (such as an access key) at the user device from the cellular network in response to communication of the authentication code. The access information may allow the user device to access the service. The access information optionally allows the user device to access the service for only predetermined time period, which may be a specific duration or a set or range of specific times.
The method may further comprise detecting the authentication device at the user device, preferably by communication between the authentication device and the user device over the secondary communications link. This may be carried out prior to the step of communicating security information (to confirm that the authentication device is present or even prompt the user device to request the security credential or send the security information). Additionally or
alternatively, this may be carried out one time or a plurality of times when the user device is being provided the service by the cellular network. This may allow regular confirmation that the authentication device and user device are still in the possession of the user, so that loss of one or the other can be indicated. The regular confirmation may be achieved by detecting the authentication device at a plurality of times separated by regular or irregular intervals or prompted by an external event, such as an incoming or outgoing call or other type of
communication over the service. Optionally, the method may further comprise preventing the user device from accessing the service provided over the cellular network in response to the step of detecting the authentication device resulting in a failure. The user device can optionally still access other services over the cellular network. Alternatively, the user device may not access any service over the cellular network in such a case.
In embodiments, the method may further comprise transferring user- specific data between the user device and the authentication device. The user- specific data may relate to the service being provided over the cellular network (such as a user profile). The step of transferring user-specific data may be based on the step of checking the user-specific credential. In some embodiments, the user-specific data is downloaded from the authentication device to the user device. User-specific data may additionally or alternatively be transferred from the user device to the authentication device. For example, the application 15 may add, change or replace profile information in the NFC device 30, thereby reducing the amount of information coming over the network.
Although the examples given above mostly relate to accessing a service provided by a service provider that is logically separate from the cellular network
40, it may be possible for the service to be one that is provided by the cellular network 40 and not another service provider. For example, the authentication device 30 may store at least one user-specific credential for accessing a service provided by the cellular network 40. The user device (UE 10) may provide the authentication device 30 with an identifier specific to the cellular network, such as an IMEI and this may then be used together with the at least one user-specific credential stored on the authentication device 30. The authentication code may
allow the UE 10 to interact with an "on air" profile management system, for example using Open Mobile Alliance (OMA) Device Management (DM) or a similar protocol. This interaction may allow the UE 10 to download a phone identity specific to the at least one user-specific credential encoded within the authentication code. The UE 10 and/or a subscription associated with it may therefore be provisioned for operation on the cellular network 40 accordingly. Effectively, the subscription identity is stored on the authentication device 30 in this case and the UE 10 need not have a SIM part 1 1 as a result. Additionally or alternatively, the authentication device 30 may store a SIM profile corresponding with the at least one user-specific credential. This may allow the UE 10 to download the SIM profile from the authentication device 30 (for example, to attach an IMSI and/or MSISDN associated with the authentication device 30 to the UE 10). In some embodiments, the UE 10 can download user-specific data for the UE 10 from a cloud service, via the cellular network 40. This may include UE-configuration data, contact information, stored data (such as message information) or other similar UE-specific data.
A computer program (such as application 15), configured when operated by a processor to carry out the method as described herein may also be provided. A user device for communication with a cellular network and having at least one unique identifier associated with the cellular network and/or an authentication device comprising an interface for providing a communications link with a user device, either or both of which may have features configured to implement the method described herein may also be provided. A system combining the user device and the authentication device configured for communication with one another is also conceived. A network entity of the cellular network, configured to receive and check the authentication code and further configured to communicate access information to the user device in response the authentication code being validated may also be included. The access information may allow the user device to access the service.
Referring next to Figure 2, there is shown a schematic depiction of an operation of the system of Figure 1 , especially with reference to the cellular network. Where the same features are shown as a previous drawing, identical
reference numerals have been used. The user 20 provides the authentication device 30 (in the form of an NFC card) and a PIN code. The key stored on the authentication device 30 and PIN code are combined and hashed against both the IMEI and IMSI of the UE 10 to generate a user authentication key which is sent to the cellular network 40 in step 150. A PDP context is set up between the UE 10 and the cellular network 40 for communication of the user authentication key and this is verified by an authentication server 45 at the cellular network 40. This allows access to the secure services cloud 50, as shown. Lost devices can be immediately switched off by blocking the service key on the back end infrastructure, at the services cloud. The skilled person will understand that the cellular network architecture and mechanisms for transferring data and/or authenticating the user may vary, though.
From this aspect, there is therefore provided a method of user
authentication for accessing a service provided over a cellular network. The method comprises: receiving an authentication code for accessing the service at the cellular network from a user device, the user device having at least one unique identifier associated with the cellular network and the authentication code being based on the at least one unique identifier of the user device associated with the cellular network and a service credential that is unknown to the user device; and checking the received authentication code at the cellular network on the basis of the at least one unique identifier of the user device associated with the cellular network and a service credential that is unknown to the user device. Thus, the combination of a service credential that is unknown to the user device, which may a (user-specific) security credential and/or security data (such as a key) that may be stored on a separate authentication device.
The service credential is preferably specific to a user. Then, the method may further comprise receiving a user identification in association with the authentication code. The step of checking the received authentication code may be further based on the user identification. The authentication code is optionally further based on a user-specific credential that is provided to the user device.
Then, the step of checking the received authentication code at the cellular network may be further carried out on the basis of the user-specific credential.
The method may further comprise communicating access information from the cellular network to the user device in response to the step of checking the received authentication code resulting in the authentication code being validated. The access information may allow the user device to access the service.
Advantageously, the method further comprises providing the user device with the service over the cellular network in response to the step of checking the received authentication code resulting in the authentication code being validated. The service may be a first service and the method may further comprise providing the user device with a second service over the cellular network irrespective of a result of the step of checking the authentication code. The second service may be distinct from the first service.
In some embodiments, the method further comprises identifying at the cellular network that the user device may access the service on the basis of the at least one unique identifier associated with the cellular network. Then, the method may further comprise communicating a request for an authentication code from the cellular network to the user device, in response to the step of identifying.
The authentication system may allow access to different applications on the basis of the provided key or keys. This can be understood more generally as permitting access to one or some of a plurality of applications or services dependent on an indication within the received authentication code.
Another functionality may allow new information to be sent to the NFC device 30 over the air through the UE 10 to deprecate key information, for instance. More generally, this can be seen as communicating user-specific information from the cellular network to the user device for transferring from the user device to an authentication device interfaced with the user device.
The approach shown may be adapted and/or varied to implement Over the air' UE and/or subscription provisioning as discussed above. This may allow interaction between the authentication server 45 and a provisioning server (not shown). In some embodiments, the authentication server 45 and the provisioning server may be combined.
Optional features as disclosed herein with respect to any other aspect (for example the method carried out at the user device and/or authentication device discussed above) may be used together with this aspect. The embodiment shown in Figure 2 should also be understood as an example, and the skilled person will appreciate that variations and modifications may be possible.
A computer program, configured when operated by a processor to carry out the method as described herein may also be provided. There may also be provided a network entity of a cellular network, configured to operate in accordance with the method as described herein. Combinations of any specific features disclosed in respect of any aspect may be provided, even if that combination is not explicitly discussed.
Claims
1 . A method of user authentication for accessing a service provided over a cellular network, using a user device for communication with the cellular network and that has at least one unique identifier associated with the cellular network, the method comprising:
communicating security information from the user device to an
authentication device separate from the user device over a secondary
communications link, the security information being based on the at least one unique identifier of the user device associated with the cellular network; and
communicating an authentication code for accessing the service over the cellular network from the separate authentication device to the user device over the secondary communications link, the authentication code being based on the security information.
2. The method of claim 1 , further comprising:
receiving a user-specific credential as an input to the user device from the user; and
wherein the security information is further based on the received user- specific credential.
3. The method of claim 2, further comprising:
checking the user-specific credential against a predetermined value stored on the authentication device, the authentication code only being provided if the user-specific credential matches the predetermined value.
4. The method of any preceding claim, wherein the user device comprises: a User Equipment, UE, part; and a subscriber identification part, the at least one unique identifier of the user device associated with the cellular network comprising one or more of: at least one identifier associated with the UE part; and at least one identifier associated with the subscriber identification part.
5. The method of claim 4, wherein one or both of:
the at least one identifier associated with the subscriber identification part comprises one or both of: an International Mobile Subscriber Identity, IMSI ; and a Mobile Subscriber Integrated Services Digital Network-Number, MSISDN; and the at least one identifier associated with the UE part comprises an
International Mobile Station Equipment Identity, IMEI.
6. The method of any preceding claim, wherein the authentication code is further based on a service credential stored on the authentication device.
7. The method of claim 6, wherein the service credential is specific to the user.
8. The method of any preceding claim, wherein the secondary
communications link for communication with the authentication device uses wireless and/or a short range communication technology.
9. The method of claim 8, wherein the wireless and/or a short range communication technology comprises one or more of: optical communication technology; Near Field Communication, NFC, technology; wireless Local Area Network technology; and Personal Area Network technology.
10. The method of any preceding claim, further comprising:
communicating the authentication code to the cellular network from the user device;
receiving access information at the user device from the cellular network in response to communication of the authentication code, the access information allowing the user device to access the service.
1 1 . The method of claim 10, wherein the access information allows the user device to access the service for only predetermined time period.
12. The method of any preceding claim, further comprising:
detecting the authentication device at the user device by communication between the authentication device and the user device over the secondary communications link.
5
13. The method of claim 12, wherein the step of detecting the authentication device is carried out at one or more of: prior to the step of communicating security information; and one time or a plurality of times when the user device is being provided the service by the cellular network.
0
14. The method of claim 13, further comprising:
preventing the user device from accessing the service provided over the cellular network in response to the step of detecting the authentication device resulting in a failure.
5
15. The method of any preceding claim, further comprising:
transferring user-specific data between the user device and the authentication device, the user-specific data relating to the service being provided over the cellular network.
o (based on the step of checking the user-specific credential)
1 6. A computer program, configured when operated by a processor to carry out the method of any preceding claim. 5
17. A user device for communication with a cellular network and having at least one unique identifier associated with the cellular network, configured to operate in accordance with any one of claims 1 to 15.
18. An authentication device comprising an interface for providing a
0 communications link with a user device, the authentication device being
configured to operate in accordance with any of claims 1 to 15.
19. A system for user authentication to access a service provided over a cellular network, comprising:
a user device in accordance with claim 17; and
an authentication device in accordance with claim 18, wherein the authentication device and the user device are configured for communication with one another.
20. The system of claim 19, further comprising:
a network entity of the cellular network, configured to receive and check the authentication code and further configured to communicate access information to the user device in response the authentication code being validated, the access information allowing the user device to access the service.
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
GB1411923.4 | 2014-07-03 | ||
GB1411923.4A GB2527831B (en) | 2014-07-03 | 2014-07-03 | Security authentication |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2016001032A1 true WO2016001032A1 (en) | 2016-01-07 |
Family
ID=51410621
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/EP2015/064226 WO2016001032A1 (en) | 2014-07-03 | 2015-06-24 | User authentication and resource management in a cellular network |
Country Status (2)
Country | Link |
---|---|
GB (1) | GB2527831B (en) |
WO (1) | WO2016001032A1 (en) |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
IT201600115265A1 (en) * | 2016-11-15 | 2018-05-15 | Seecod S R L | Process and computer system for the identification and authentication of the digital identity of a subject in possession of a personal telecommunication device. |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2001031840A1 (en) * | 1999-10-29 | 2001-05-03 | Nokia Corporation | Method and arrangement for reliably identifying a user in a computer system |
US20100304670A1 (en) * | 2009-05-26 | 2010-12-02 | Shuo Jeffrey | Portable personal sim card |
EP2530631A1 (en) * | 2011-05-31 | 2012-12-05 | Gemalto SA | A method for accessing at least one service, corresponding communicating device and system |
US20130331063A1 (en) * | 2012-06-11 | 2013-12-12 | Research In Motion Limited | Enabling multiple authentication applications |
WO2014089576A1 (en) * | 2012-12-07 | 2014-06-12 | Chamtech Technologies Incorporated | Techniques for biometric authentication of user of mobile device |
Family Cites Families (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
DE602005001555T2 (en) * | 2005-05-13 | 2008-03-13 | Research In Motion Ltd., Waterloo | Apparatus and method for optical transmission by means of LCD optical transmitters and receivers |
US8365249B1 (en) * | 2007-01-30 | 2013-01-29 | Sprint Communications Company L.P. | Proxy registration and authentication for personal electronic devices |
KR101597849B1 (en) * | 2011-04-12 | 2016-03-08 | 엘에스산전 주식회사 | Apparatus and method for authentication of mobile terminal |
-
2014
- 2014-07-03 GB GB1411923.4A patent/GB2527831B/en active Active
-
2015
- 2015-06-24 WO PCT/EP2015/064226 patent/WO2016001032A1/en active Application Filing
Patent Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2001031840A1 (en) * | 1999-10-29 | 2001-05-03 | Nokia Corporation | Method and arrangement for reliably identifying a user in a computer system |
US20100304670A1 (en) * | 2009-05-26 | 2010-12-02 | Shuo Jeffrey | Portable personal sim card |
EP2530631A1 (en) * | 2011-05-31 | 2012-12-05 | Gemalto SA | A method for accessing at least one service, corresponding communicating device and system |
US20130331063A1 (en) * | 2012-06-11 | 2013-12-12 | Research In Motion Limited | Enabling multiple authentication applications |
WO2014089576A1 (en) * | 2012-12-07 | 2014-06-12 | Chamtech Technologies Incorporated | Techniques for biometric authentication of user of mobile device |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
IT201600115265A1 (en) * | 2016-11-15 | 2018-05-15 | Seecod S R L | Process and computer system for the identification and authentication of the digital identity of a subject in possession of a personal telecommunication device. |
Also Published As
Publication number | Publication date |
---|---|
GB201411923D0 (en) | 2014-08-20 |
GB2527831B (en) | 2021-08-11 |
GB2527831A (en) | 2016-01-06 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN111107543B (en) | Cellular service account transfer and authentication | |
US10917790B2 (en) | Server trust evaluation based authentication | |
US10516540B2 (en) | Management of profiles in an embedded universal integrated circuit card (eUICC) | |
CN106211122B (en) | Method for managing multiple profiles in a SIM module, SIM module and computer readable medium | |
KR101904338B1 (en) | Method and apparatus for user authentication and human intention verification in a mobile device | |
CN110798833B (en) | Method and device for verifying user equipment identification in authentication process | |
KR102040231B1 (en) | Security and information supporting method and apparatus for using policy control in change of subscription to mobile network operator in mobile telecommunication system environment | |
US9706512B2 (en) | Security method and system for supporting re-subscription or additional subscription restriction policy in mobile communications | |
KR101692171B1 (en) | Establishing a device-to-device communication session | |
EP3539324A1 (en) | Open access points for emergency calls | |
US10506439B2 (en) | Secure control of profile policy rules | |
KR20160114620A (en) | Methods, devices and systems for dynamic network access administration | |
KR20130089651A (en) | Authentication of access terminal identities in roaming networks | |
CN101248644A (en) | Management of user data | |
JP2014524073A (en) | Service access authentication method and system | |
KR20160143333A (en) | Method for Double Certification by using Double Channel | |
EP3306969B1 (en) | Terminal authentication method and device | |
US8989380B1 (en) | Controlling communication of a wireless communication device | |
CN107659935B (en) | Authentication method, authentication server, network management system and authentication system | |
US9747432B1 (en) | Remotely enabling a disabled user interface of a wireless communication device | |
WO2016001035A1 (en) | Security authentication | |
KR102185215B1 (en) | Operating method of authentication apparatus, system for network access and uthentication, operating method of end terminal and operating method of access terminal | |
EP3105900B1 (en) | Method and system for determining that a sim and a sip client are co-located in the same mobile equipment | |
WO2016001032A1 (en) | User authentication and resource management in a cellular network | |
EP3219066B1 (en) | Radio device hardware security system for wireless spectrum usage |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
121 | Ep: the epo has been informed by wipo that ep was designated in this application |
Ref document number: 15730815 Country of ref document: EP Kind code of ref document: A1 |
|
NENP | Non-entry into the national phase |
Ref country code: DE |
|
122 | Ep: pct application non-entry in european phase |
Ref document number: 15730815 Country of ref document: EP Kind code of ref document: A1 |