System and method for implementing a two-person access rule using mobile devices

US 10,419,435 B2
Filed: 02/24/2017
Issued: 09/17/2019
Est. Priority Date: 11/21/2013
Status: Expired due to Fees

First Claim

Patent Images

1. A method for granting access to a resource, comprising:

by a central access authorization system, receiving from an access control broker agent a request for a grant of authorization for a requestor to access a resource, the request including request information about the requestor and the resource;

by the central access authorization system, in response to the receiving the request for the grant of authorization, applying a set of stored authorization rules covering the request information;

wherein the set of stored authorization rules being based at least in part on a sensitivity of the resource;

wherein applying the set of stored authorization rules being to select a type of person-to-person communication session between a mobile device of the requestor and a mobile device of an authorizing user required for the grant of authorization;

wherein the type of person-to-person communication session required for the grant of authorization is selected from a group including a texting communication session used for resources of routine sensitivity, a real-time audio communication session used for resources of intermediate sensitivity, and a real-time video communication session used for resources of critical sensitivity;

by the central authorization system, establishing a person-to-person communication session for the grant of authorization between the mobile devices of the requestor and the authorizing user;

providing to the authorizing user additional information not covered by the set of stored authorization rules;

by the central access authorization system, after the providing the additional information to the authorizing user, receiving from an authorizer mobile app running on the mobile device of the authorizing user, a manual request to establish a real-time video person-to-person communications session between the mobile device of the requestor and the mobile device of the authorizing user;

by the central access authorization system, in response to the manual request, establishing the real-time video person-to person communications connection between the mobile device of the requestor and the mobile device of the authorizing user, permitting the requestor and the authorizing user to communicate in real-time;

by the central access authorization system, subsequent to the establishing the real-time video person-to-person communications session, receiving an authorization message from the authorizer mobile app; and

by the central access authorization system, based on the authorization message and based on the set of stored authorization rules, transmitting to the access control broker agent a message granting access to the resource by the requestor.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system using mobile devices and a network provides access authentication, authorization and accounting to computing resources using a two-person access rule solution approach. A central access control server coordinates a rule-based authorization process in which a requesting user and one or more authorizing users are engaged in real-time communications to facilitate approved access to a sensitive resource. The technique utilizes mobile cellular interfaces and location service technologies, while also providing traditional security control measures of voice and visual verification of user identities.

28 Citations

13 Claims

1. A method for granting access to a resource, comprising:
- by a central access authorization system, receiving from an access control broker agent a request for a grant of authorization for a requestor to access a resource, the request including request information about the requestor and the resource;
  
  by the central access authorization system, in response to the receiving the request for the grant of authorization, applying a set of stored authorization rules covering the request information;
  
  wherein the set of stored authorization rules being based at least in part on a sensitivity of the resource;
  
  wherein applying the set of stored authorization rules being to select a type of person-to-person communication session between a mobile device of the requestor and a mobile device of an authorizing user required for the grant of authorization;
  
  wherein the type of person-to-person communication session required for the grant of authorization is selected from a group including a texting communication session used for resources of routine sensitivity, a real-time audio communication session used for resources of intermediate sensitivity, and a real-time video communication session used for resources of critical sensitivity;
  
  by the central authorization system, establishing a person-to-person communication session for the grant of authorization between the mobile devices of the requestor and the authorizing user;
  
  providing to the authorizing user additional information not covered by the set of stored authorization rules;
  
  by the central access authorization system, after the providing the additional information to the authorizing user, receiving from an authorizer mobile app running on the mobile device of the authorizing user, a manual request to establish a real-time video person-to-person communications session between the mobile device of the requestor and the mobile device of the authorizing user;
  
  by the central access authorization system, in response to the manual request, establishing the real-time video person-to person communications connection between the mobile device of the requestor and the mobile device of the authorizing user, permitting the requestor and the authorizing user to communicate in real-time;
  
  by the central access authorization system, subsequent to the establishing the real-time video person-to-person communications session, receiving an authorization message from the authorizer mobile app; and
  
  by the central access authorization system, based on the authorization message and based on the set of stored authorization rules, transmitting to the access control broker agent a message granting access to the resource by the requestor.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The method of claim 1, further comprising:
    - receiving from the authorizer mobile app geolocation data pertaining to the mobile device of the authorizing user; and
      
      wherein the set of stored authorization rules include a rule requiring the geolocation data to indicate an expected location of the authorizing user before the access to the resource is granted.
  - 3. The method of claim 1 wherein the method further comprises:
    - receiving geolocation data pertaining to the mobile device of the requestor; and
      
      wherein the set of stored authorization rules include a rule requiring the geolocation data to indicate an expected location of the requestor before the access to the resource is granted.
  - 4. The method of claim 1 further comprising:
    - by the central access authorization system, determining a biometric indicator from the person-to-person communication session between the mobile device of the requestor and the mobile device of the authorizing user; and
      
      wherein the set of stored authorization rules include a rule requiring the biometric indicator to identify one of the requestor and the authorizing user before the access to the resource is granted.
  - 5. The method of claim 1, further comprising:
    - by the central access authorization system, generating an authorization request session identifier for processing the request for the grant of authorization;
      
      transmitting to the authorizer mobile app a digitally signed contact message including the authorization request session identifier.

6. A central access authorization system comprising:
- a processor;
  
  a wide area network interface connected to the processor; and
  
  a computer readable storage device having stored thereon computer readable instructions that, when executed by the processor, cause the processor to perform operations comprising;
  
  receiving from an access control broker agent a request for a grant of authorization for a requestor to access a resource, the request including request information about the requestor and the resource;
  
  retrieving a set of stored authorization rules covering the request information;
  
  in response to the receiving the request for the grant of authorization, applying a set of stored authorization rules covering the request information;
  
  wherein the set of stored authorization rules being based at least in part on a sensitivity of the resource;
  
  wherein applying the set of stored authorization rules being to select a type of person-to-person communication session between a mobile device of the requestor and a mobile device of an authorizing user required for the grant of authorization;
  
  wherein the type of person-to-person communication session required for the grant of authorization is selected from a croup including a texting communication session used for resources of routine sensitivity, a real-time audio communication session used for resources of intermediate sensitivity, and a real-time video communication session used for resources of critical sensitivity;
  
  establishing a person-to-person communication session for the grant of authorization between the mobile devices of the requestor and the authorizing user;
  
  providing to the authorizing user additional information not covered by the set of stored authorization rules;
  
  after the providing the additional information to the authorizing user, receiving from an authorizer mobile app running on the mobile device of the authorizing user, a manual request to establish a real-time video person-to person communications session between the mobile device of the requestor and the mobile device of the authorizing user;
  
  in response to the manual request, establishing the real-time video person-to person communications connection between the mobile device of the requestor and the mobile device of the authorizing user, permitting the requestor and the authorizing user to communicate in real-time;
  
  subsequent to the establishing the real-time video person-to-person communications session, receiving an authorization message from the authorizer mobile app; and
  
  based on the authorization message and based on the set of stored authorization rules, transmitting to the access control broker agent a message granting access to the resource by the requestor.
- View Dependent Claims (7, 8, 9, 10)
- - 7. The central access authorization system of claim 6, wherein the operations further comprise:
    - receiving from the authorizer mobile app geolocation data pertaining to the mobile device of the authorizing user; and
      
      wherein the set of stored authorization rules include a rule requiring the geolocation data to indicate an expected location of the authorizing user before the access to the resource is granted.
  - 8. The central access authorization system of claim 6 wherein the operations further comprise:
    - receiving geolocation data pertaining to the mobile device of the requestor; and
      
      wherein the set of stored authorization rules include a rule requiring the geolocation data to indicate an expected location of the requestor before the access to the resource is granted.
  - 9. The central access authorization system of claim 6 wherein the operations further comprise:
    - by the central access authorization system, determining a biometric indicator from the person-to-person communication session between the mobile device of the requestor and the mobile device of the authorizing user; and
      
      wherein the set of stored authorization rules include a rule requiring the biometric indicator to identify one of the requestor and the authorizing user before the access to the resource is granted.
  - 10. The central access authorization system of claim 6, wherein the operations further comprise:
    - generating an authorization request session identifier for processing the request for the grant of authorization; and
      
      transmitting to the authorizer mobile app a digitally signed contact message including the authorization request session identifier.

11. A tangible computer-readable medium having stored thereon computer readable instructions for granting access to a resource, wherein execution of the computer readable instructions by a processor causes the processor to perform operations comprising:
- receiving from an access control broker agent a request for a grant of authorization for a requestor to access a resource, the request including request information about the requestor and the resource;
  
  in response to the receiving the request for the grant of authorization, applying a set of stored authorization rules covering the request information;
  
  wherein the set of stored authorization rules being based at least in part on a sensitivity of the resource;
  
  wherein applying the set of stored authorization rules being to select a type of person-to-person communication session between a mobile device of the requestor and a mobile device of an authorizing user required for the grant of authorization;
  
  wherein the type of person-to-person communication session required for the grant of authorization is selected from a group including a texting communication session used for resources of routine sensitivity, a real-time audio communication session used for resources of intermediate sensitivity, and a real-time video communication session used for resources of critical sensitivity;
  
  establishing a person-to-person communication session for the grant of authorization between the mobile devices of the requestor and the authorizing user;
  
  providing to the authorizing user additional information not covered by the set of stored authorization rules;
  
  after the providing the additional information to the authorizing user, receiving from an authorizer mobile app running on the mobile device of the authorizing user, a manual request to establish a real-time video person-to person communications session between the mobile device of the requestor and the mobile device of the authorizing user;
  
  in response to the manual request, establishing the real-time video person-to person communications connection between the mobile device of the requestor and the mobile device of the authorizing user, permitting the requestor and the authorizing user to communicate in real-time;
  
  subsequent to the establishing the real-time video person-to-person communications session, receiving via a secure connection an authorization message from the authorizer mobile app; and
  
  based on the authorization message and based on the set of stored authorization rules, transmitting to the access control broker agent a message granting access to the resource by the requestor.
- View Dependent Claims (12, 13)
- - 12. The tangible computer-readable medium of claim 11, wherein the operations further comprise:
    - receiving from the authorizer mobile app geolocation data pertaining to the mobile device of the authorizing user; and
      
      wherein the set of stored authorization rules include a rule requiring the geolocation data to indicate an expected location of the authorizing user before the access to the resource is granted.
  - 13. The tangible computer-readable medium of claim 11 wherein the operations further comprise:
    - receiving geolocation data pertaining to the mobile device of the requestor; and
      
      wherein the set of stored authorization rules include a rule requiring the geolocation data to indicate an expected location of the requestor before the access to the resource is granted.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
AT&T Intellectual Property I LP (AT&T, Inc.)
Original Assignee
AT&T Intellectual Property I LP (AT&T, Inc.)
Inventors
Horton, Michael R.
Primary Examiner(s)
Tacsik, Ernest G

Application Number

US15/441,325
Publication Number

US 20170163656A1
Time in Patent Office

935 Days
Field of Search
US Class Current
CPC Class Codes

H04L 63/0861   using biometrical features,...

H04L 63/10   for controlling access to d...

H04L 63/107   wherein the security polici...

H04L 63/12   Applying verification of th...

H04L 63/20   for managing network securi...

H04L 65/1069   Session establishment or de...

H04W 12/088   using filters or firewalls

H04W 4/02   Services making use of loca...

System and method for implementing a two-person access rule using mobile devices

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

28 Citations

13 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for implementing a two-person access rule using mobile devices

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

28 Citations

13 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links