Policy-managed physical access authentication

US 10,404,714 B1
Filed: 08/11/2015
Issued: 09/03/2019
Est. Priority Date: 08/11/2015
Status: Active Grant

First Claim

Patent Images

1. An access control system associated with an access-controlled area of a distributed site of an electric power delivery system, the system comprising:

a credential input interface configured to receive first authentication credentials from a first user and second authentication credentials from a second user;

a communications interface communicatively coupled to an access control device associated with the access-controlled area;

processing circuitry communicatively coupled to the credential input interface and the communications interface;

a non-transitory computer-readable storage medium communicatively coupled to the processing circuitry, the computer-readable storage medium storing instructions that when executed by the processing circuitry cause the processing circuitry to;

retrieve an access control policy, the access control policy comprising first authentication requirements and second authentication requirements, wherein the second authentication requirements have at least one factor of authentication and the second authentication requirements have at least one factor of authentication less than the first authentication requirements when the second authentication credentials are received within a defined period following receipt of the first authentication credentials to enforce a physical presence requirement between the first user and the second user;

determine that the first authentication credentials satisfy the first authentication requirements;

send, based on the determination that the first authentication credentials satisfy the first authentication requirements, a first access control signal to cause the access control device to allow the first user physical access to the access-controlled area;

determine that the second authentication credentials satisfy the second authentication requirements; and

send, based on the determination that the second authentication credentials satisfy the second authentication requirements, a second access control signal to cause the access control device to allow the second user physical access to the same access-controlled area with the at least one factor of authentication less than the first user while enforcing the physical presence requirement between the first user and the second user.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods are disclosed that provide for physical access management of an access-controlled area of a distributed site of an electric power delivery system using one or more one or more articulated access control policies. In some embodiments, to authenticate rights to access an access-controlled area, a first user may provide an associated access control system with credentials satisfying first authentication requirements based on an applicable policy. In connection with subsequent access authentication requests, the access control system may accept credentials satisfying second authentication requirements that may be different than the first authentication requirements. In this manner, access control requirements to the access-controlled area may be managed based on an associated articulated policy.

Citations

18 Claims

1. An access control system associated with an access-controlled area of a distributed site of an electric power delivery system, the system comprising:
- a credential input interface configured to receive first authentication credentials from a first user and second authentication credentials from a second user;
  
  a communications interface communicatively coupled to an access control device associated with the access-controlled area;
  
  processing circuitry communicatively coupled to the credential input interface and the communications interface;
  
  a non-transitory computer-readable storage medium communicatively coupled to the processing circuitry, the computer-readable storage medium storing instructions that when executed by the processing circuitry cause the processing circuitry to;
  
  retrieve an access control policy, the access control policy comprising first authentication requirements and second authentication requirements, wherein the second authentication requirements have at least one factor of authentication and the second authentication requirements have at least one factor of authentication less than the first authentication requirements when the second authentication credentials are received within a defined period following receipt of the first authentication credentials to enforce a physical presence requirement between the first user and the second user;
  
  determine that the first authentication credentials satisfy the first authentication requirements;
  
  send, based on the determination that the first authentication credentials satisfy the first authentication requirements, a first access control signal to cause the access control device to allow the first user physical access to the access-controlled area;
  
  determine that the second authentication credentials satisfy the second authentication requirements; and
  
  send, based on the determination that the second authentication credentials satisfy the second authentication requirements, a second access control signal to cause the access control device to allow the second user physical access to the same access-controlled area with the at least one factor of authentication less than the first user while enforcing the physical presence requirement between the first user and the second user.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The system of claim 1, wherein the first authentication requirements comprise a multi-factor authentication requirement.
  - 3. The system of claim 1, wherein the second authentication requirements comprise a single-factor authentication requirement.
  - 4. The system of claim 1, wherein the first authentication requirements comprise at least one of an identity requirement, an attribute requirement, a role requirement, a temporal requirement, and a conditional requirement.
  - 5. The system of claim 1, wherein the second authentication requirements comprise at least one of an identity requirement, an attribute requirement, a role requirement, a temporal requirement, and a conditional requirement.
  - 6. The system of claim 1, wherein the first authentication credentials comprise at least one of a personal identification number, a password, a passphrase, a response to a challenge, a pattern, information stored on a card, information stored on a security token, information stored on a hardware token, information stored on a software token, and biometric identification information.
  - 7. The system of claim 1, wherein the second authentication credentials comprise at least one of a personal identification number, a password, a passphrase, a response to a challenge, a pattern, information stored on a card, information stored on a security token, information stored on a hardware token, information stored on a software token, and biometric identification information.
  - 8. The system of claim 1, wherein the access control device comprises at least one of a mechanical lock, an electromechanical lock, and an alarm system.
  - 9. The system of claim 1, wherein the instructions are further configured to cause the processing circuitry to generate audited access information regarding access to the access-controlled area by the first user and the second user.

10. A method for managing physical access to an access-controlled area of a distributed site of an electric power delivery system, the method comprising:
- receiving, via processing circuitry, first authentication credentials from a first user;
  
  retrieving, via the processing circuitry, an access control policy, the access control policy comprising first authentication requirements and second authentication requirements, wherein the second authentication requirements have at least one factor of authentication, and wherein the second authentication requirements have at least one factor of authentication less than the first authentication requirements when the second authentication requirements are received within a defined period following receipt of the first authentication credentials to enforce a physical presence requirement between the first user and the second user;
  
  determining, via the processing circuitry, that the first authentication credentials satisfy the first authentication requirements;
  
  based on the determination that the first authentication credentials satisfy the first authentication requirements, sending, via the processing circuitry, a first access control signal to cause the access control device to allow the first user physical access to the access-controlled area;
  
  receiving, via the processing circuitry, second authentication credentials from a second user;
  
  determining, via the processing circuitry, that the second authentication credentials satisfy the second authentication requirements; and
  
  based on the determination that the second authentication credentials satisfy the second authentication requirements, sending, via the processing circuitry, a second access control signal to cause the access control device to allow the second user physical access to the same access-controlled area with the at least one factor of authentication less than the first user while enforcing the physical presence requirement between the first user and the second user.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18)
- - 11. The method of claim 10, wherein the first authentication requirements comprise a multi-factor authentication requirement.
  - 12. The method of claim 10, wherein the second authentication requirements comprise a single-factor authentication requirement.
  - 13. The method of claim 10, wherein the first authentication requirements comprise at least one of an identity requirement, an attribute requirement, a role requirement, a temporal requirement, and a conditional requirement.
  - 14. The method of claim 10, wherein the second authentication requirements comprise at least one of an identity requirement, an attribute requirement, a role requirement, a temporal requirement, and a conditional requirement.
  - 15. The method of claim 10, wherein the first authentication credentials comprise at least one of a personal identification number, a password, a passphrase, a response to a challenge, a pattern, information stored on a card, information stored on a security token, information stored on a hardware token, information stored on a software token, and biometric identification information.
  - 16. The method of claim 10, wherein the second authentication credentials comprise at least one of a personal identification number, a password, a passphrase, a response to a challenge, a pattern, information stored on a card, information stored on a security token, information stored on a hardware token, information stored on a software token, and biometric identification information.
  - 17. The method of claim 10, wherein the access control device comprises at least one of a mechanical lock, an electromechanical lock, and an alarm system.
  - 18. The method of claim 10, wherein the method further comprises:
    - generating audited access information regarding access to the access-controlled area by the first user and the second user.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Schweitzer Engineering Laboratories, Incorporated
Original Assignee
Schweitzer Engineering Laboratories, Incorporated
Inventors
Masters, George W., Robinson, Kylan T., Smith, Rhett, Kasztenny, Bogdan Z.
Primary Examiner(s)
Shaifer Harriman, Dant B

Application Number

US14/823,201
Publication Number

US 20190251765A1
Time in Patent Office

1,484 Days
Field of Search

713158
US Class Current
CPC Class Codes

H04L 2463/082   applying multi-factor authe...

H04L 63/08   for authentication of entit...

H04L 63/101   Access control lists [ACL]

H04L 63/104   Grouping of entities

H04L 63/105   Multiple levels of security

H04L 63/108   when the policy decisions a...

H04L 63/20   for managing network securi...

H04W 12/06   Authentication

Policy-managed physical access authentication

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Policy-managed physical access authentication

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links