Techniques for voice-based user authentication for mobile access to network services

US 7,158,776 B1
Filed: 09/18/2001
Issued: 01/02/2007
Est. Priority Date: 09/18/2001
Status: Expired due to Fees

First Claim

Patent Images

1. A method of granting access on a first network providing a network service to a user of a mobile device including a microphone, the method comprising the computer-implemented steps of:

determining a first identification uniquely associated with a registered user having a registered voiceprint that matches a voiceprint of the user;

determining a second identification uniquely associated with the mobile device;

determining whether to grant access based on the first identification and the second identification; and

if it is determined to grant access, granting access on the first network to the mobile device;

wherein determining the first identification further comprises receiving first data indicating the first identification from a first process executing on a network infrastructure element in the first network, wherein the first process derives the voiceprint of the user from second data indicating a spoken message generated at the microphone of the mobile device.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Techniques for granting access on a network having a network service to a user of a mobile device having a microphone includes determining a first identification uniquely associated with a registered user having a registered voiceprint that matches a voiceprint of the user of the mobile device. A second identification uniquely associated with the mobile device is also determined. It is then determined whether to grant access based on the first identification and the second identification. If it is determined to grant access, access is granted on the network to the user. Various aspects of the invention allow a user to be authenticated separately of the mobile device by the voice of the user, and granted access to a network service based on both the user'"'"'s identity and the identity of the mobile device. Both the user'"'"'s voice and the device identity are provided using the current capabilities of wireless telephones. Obtaining the first identification and second identification within a specified time interval makes confidently practical the technique of verifying that a certain user controls a certain mobile device, and then allowing access by that device to protected services.

229 Citations

67 Claims

1. A method of granting access on a first network providing a network service to a user of a mobile device including a microphone, the method comprising the computer-implemented steps of:
- determining a first identification uniquely associated with a registered user having a registered voiceprint that matches a voiceprint of the user;
  
  determining a second identification uniquely associated with the mobile device;
  
  determining whether to grant access based on the first identification and the second identification; and
  
  if it is determined to grant access, granting access on the first network to the mobile device;
  
  wherein determining the first identification further comprises receiving first data indicating the first identification from a first process executing on a network infrastructure element in the first network, wherein the first process derives the voiceprint of the user from second data indicating a spoken message generated at the microphone of the mobile device.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17)
- - 2. A method as recited in claim 1, wherein the first process:
    - determines whether the voice print matches the registered voiceprint of the registered user in a data store; and
      
      sends the first data only if the voiceprint matches the registered voiceprint.
  - 3. A method as recited in claim 2, wherein the second data is received by the first process via a telephone call to a router configured to forward voice data to the first process.
  - 4. A method as recited in claim 2, wherein the second data is received by the first process in response to a telephone call to the mobile device placed by the first process.
  - 5. A method as recited in claim 2, wherein the first process further receives third data indicating the first identification.
  - 6. A method as recited in claim 5, wherein the third data indicating the first identification is derived from the second data indicating the spoken message.
  - 7. A method as recited in claim 1, said step of determining the second identification uniquely associated with the mobile device further comprising the step of receiving third data indicating the second identification in response to a request for a data connection with the network, wherein the request includes fourth data indicating the second identification.
  - 8. A method as recited in claim 7, wherein the third data indicating the second identification is received from a second process executing on a network infrastructure element in the network, the second process sending the third data in response to receiving the request for the data connection with the network from the mobile device.
  - 9. A method as recited in claim 8, wherein the second process executes on a router connected to a public packet switched network.
  - 10. A method as recited in claim 8, said step of granting access further comprising sending fifth data indicating access granted to the second process, wherein, in response to receiving the fifth data, the second process opens a communication session with the mobile device.
  - 11. A method as recited in claim 8, further comprising, if it determined to not grant access, then denying access by sending fifth data indicating access denied to the second process, wherein, in response to receiving the fifth data, the second process declines to open a communication session with the mobile device.
  - 12. A method as recited in claim 1, said step of determining whether to grant access further comprising:
    - determining whether the first identification is determined within a particular time period around a first time when the second identification is determined; and
      
      determining to not grant access if the first identification is determined beyond the particular time period around the first time.
  - 13. A method as recited in claim 1, said step of determining whether to grant access further comprising:
    - determining whether the first identification uniquely associated with the registered user is associated with the second identification uniquely associated with the mobile device in a first data structure stored on the network; and
      
      determining to grant access if the first identification is associated with the second identification in the first data structure.
  - 14. A method as recited in claim 1, wherein the second identification is at least one of a user identification for an authorized user of the network, a user identification for an authorized user of the mobile device, and a unique identifier or serial number for the mobile device.
  - 15. A method as recited in claim 1, further comprising the step of determining a third identification associated with a user of the mobile device.
  - 16. A method as recited in claim 15, said step of determining the third identification further comprising the step of receiving third data indicating the third identification in response to a request for a data connection with the network, wherein the request includes fourth data indicating the third identification.
  - 17. A method as recited in claim 16, said step of determining whether to grant access further comprising:
    - determining whether the first identification uniquely associated with the registered user is associated with at least one of the second identification uniquely associated with the mobile device and the third identification associated with a user of the mobile device in a first data structure stored on the network; and
      
      determining to grant access if the first identification is associated with at least one of the second identification and the third identification in the first data structure.

18. A method of obtaining access on a network having a network service by a user of a mobile device including a microphone, the method comprising the steps of:
- establishing a connection between the mobile device and the network that forwards the user'"'"'s voice to a first process associated with the network service;
  
  speaking into the mobile device to provide a voiceprint of the user in the first process;
  
  sending data from the mobile device indicating a unique identification for the mobile device to a second process associated with the network service; and
  
  obtaining access on the network only if a registered user associated with the voiceprint by the first process is also associated with the unique identification in a data structure stored on the network.
- View Dependent Claims (19, 20, 21)
- - 19. A method as recited in claim 18, whereinsaid step of establishing the connection further comprises establishing a circuit-switched voice connection with a first router on the network;
    - the method further comprises establishing a packet-switched data connection with a second router on the network; and
      
      said step of establishing the packet-switched data connection includes said step of sending the data indicating the unique identification for the mobile device.
  - 20. A method as recited in claim 18, said step of obtaining access for the network service further comprising obtaining access for the network service only if a first time when a registered user is associated with the voiceprint is within a particular time period around a second time when the data indicating the unique identification is sent to the second process.
  - 21. A method as recited in claim 18, further comprising the step of registering the user to create and store data indicating a registered user.

22. A method of granting access on a first network having a network service to a user of a mobile device including a microphone, the method comprising the computer-implemented steps of:
- receiving first data generated at the microphone of the mobile device;
  
  deriving a first voiceprint from the first data;
  
  determining whether to send second data indicating the user is a registered user to a first process on the network based at least in part on the first voiceprint; and
  
  if it is determined to send the second data, sending the second data to the first process for determining whether to authorize the user for access on the first network;
  
  wherein the steps are performed by one or more processes executing on a network infrastructure element in the first network.
- View Dependent Claims (23, 24, 25, 26, 27, 28, 29, 30, 31, 32)
- - 23. A method as recited in claim 22, said step of determining whether to send the second data further comprising:
    - determining whether the first voiceprint matches a registered voiceprint stored in a first data structure; and
      
      determining to send the second data only if the first voiceprint matches the registered voiceprint.
  - 24. A method as recited in claim 23, wherein the first data is received via a telephone call to a router configured to forward voice data.
  - 25. A method as recited in claim 23, wherein:
    - the method further comprises the step of placing a telephone call to the mobile device; and
      
      the first data is received in response to said step of placing the telephone call.
  - 26. A method as recited in claim 23, wherein:
    - the method further comprises the step of receiving a unique identification for the mobile device from the first process; and
      
      said step of placing the telephone call is performed in response to said step of receiving the unique identification for the mobile device.
  - 27. A method as recited in claim 23, further comprising receiving third data from the mobile device indicating a unique identification for the registered user.
  - 28. A method as recited in claim 27, wherein the third data indicating the unique identification for the registered user is derived from the first data generated at the microphone.
  - 29. A method as recited in claim 27, wherein:
    - the unique identification is stored in association with a registered voiceprint in a first data structure; and
      
      said step of determining whether to send the second data further comprisesretrieving the registered voiceprint stored in the first data structure based on the third data indicating the unique identification for the registered user;
      
      determining whether the first voiceprint matches the registered voiceprint, anddetermining to send the second data only if the first voiceprint matches the registered voiceprint.
  - 30. A method as recited in claim 22, wherein the second data indicates a unique identification for the registered user.
  - 31. A method as recited in claim 22, further comprising the step of registering the user to create and store a registered voiceprint associated with the registered user.
  - 32. A method as recited in claim 31, said step of registering the user further comprises the steps of:
    - receiving third data generated by the user at the microphone;
      
      receiving fourth data indicating a unique identification associated with the user;
      
      receiving fifth data indicating a personal identification number;
      
      retrieving from a first data structure a certain time for which the personal identification number is valid;
      
      determining whether the third data is received during the certain time for which the personal identification number is valid,if the fifth data is received during the certain time for which the personal identification number is valid, thenderiving the registered voiceprint from at least one of the third data and the fourth data and the fifth data, andstoring the registered voiceprint in association with the unique identification in a second data structure.

33. A computer-readable medium carrying one or more sequences of instructions for granting access on a network having a network service to a user of a mobile device including a microphone, which instructions, when executed by one or more processors, cause the one or more processors to carry out the steps of:
- determining a first identification uniquely associated with a registered user having a registered voiceprint that matches a voiceprint of the user;
  
  determining a second identification uniquely associated with the mobile device;
  
  determining whether to grant access based on the first identification and the second identification; and
  
  if it is determined to grant access, granting access on the first network to the user;
  
  wherein of determining the first identification further comprises receiving first data indicating the first identification from a first process executing on a network infrastructure element in the first network, wherein the first process derives the voiceprint of the user from second data indicating a spoken message generated at the microphone of the mobile device.

34. An apparatus for granting access on a first network having a network service to a user of a mobile device including a microphone, comprising:
- means for determining a first identification uniquely associated with a registered user having a registered voiceprint that matches a voiceprint of the user;
  
  means for determining a second identification uniquely associated with the mobile device;
  
  means for determining whether to grant access based on the first identification and the second identification; and
  
  means for granting access on the first network to the user if it is determined to grant access;
  
  wherein said means for determining the first identification further comprises means for receiving first data indicating the first identification from a first process executing on a network infrastructure element in the first network, wherein the first process comprises means for deriving the voiceprint of the user from second data indicating a spoken message generated at the microphone of the mobile device.
- View Dependent Claims (35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50)
- - 35. An apparatus as recited in claim 34, wherein the means for deriving the voiceprint comprises:
    - means for determining whether the voice print matches the registered voiceprint of the registered user in a data store; and
      
      means for sending the first data only if the voiceprint matches the registered voiceprint.
  - 36. An apparatus as recited in claim 35, comprising means for receiving the second data by the first process via a telephone call to a router configured to forward voice data to the first process.
  - 37. An apparatus as recited in claim 35, comprising means for receiving the second data by the first process in response to a telephone call to the mobile device placed by the first process.
  - 38. An apparatus as recited in claim 34, comprising means for receiving at the first process third data indicating the first identification.
  - 39. An apparatus as recited in claim 38, comprising means for deriving the third data indicating the first identification from the second data indicating the spoken message.
  - 40. An apparatus as recited in claim 34, wherein said means for determining the second identification uniquely associated with the mobile device further comprises means for receiving third data indicating the second identification in response to a request for a data connection with the network, wherein the request includes fourth data indicating the second identification.
  - 41. An apparatus as recited in claim 40, comprising means for receiving the third data indicating the second identification from a second process executing on a network infrastructure element in the network, and means for sending the third data from the second process in response to receiving the request for the data connection with the network from the mobile device.
  - 42. An apparatus as recited in claim 41, wherein the second process is on a router connected to a public packet switched network.
  - 43. An apparatus as recited in claim 41, wherein said means for granting access further comprises means for sending fifth data indicating access granted to the second process, and means for the second process opening a communication session with the mobile device in response to receiving the fifth data.
  - 44. An apparatus as recited in claim 41, further comprising means for denying access by sending fifth data indicating access denied to the second process when access is not granted, and means for declining to open a communication session with the mobile device in response to receiving the fifth data.
  - 45. An apparatus as recited in claim 34, wherein said means for determining whether to grant access further comprises:
    - means for determining whether the first identification is determined within a particular time period around a first time when the second identification is determined; and
      
      means for determining to not grant access if the first identification is determined beyond the particular time period around the first time.
  - 46. An apparatus as recited in claim 34, wherein said step of determining whether to grant access further comprises:
    - means for determining whether the first identification uniquely associated with the registered user is associated with the second identification uniquely associated with the mobile device in a first data structure stored on the network; and
      
      means for determining to grant access if the first identification is associated with the second identification in the first data structure.
  - 47. An apparatus as recited in claim 34, wherein the second identification is at least one of a user identification for an authorized user of the network, a user identification for an authorized user of the mobile device, and a unique identifier or serial number for the mobile device.
  - 48. An apparatus as recited in claim 34, further comprising means for determining a third identification associated with a user of the mobile device.
  - 49. An apparatus as recited in claim 48, said means for determining the third identification further comprising means for receiving third data indicating the third identification in response to a request for a data connection with the network, wherein the request includes fourth data indicating the third identification.
  - 50. An apparatus as recited in claim 49, said means for determining whether to grant access further comprising:
    - means for determining whether the first identification uniquely associated with the registered user is associated with at least one of the second identification uniquely associated with the mobile device and the third identification associated with a user of the mobile device in a first data structure stored on the network; and
      
      means for determining to grant access if the first identification is associated with at least one of the second identification and the third identification in the first data structure.

51. A system for granting access on a first network to a user, comprising:
- a mobile device including a microphone employed by the user for communicating with a public network;
  
  a network device that is coupled to the first network and the public network for limiting access to the first network;
  
  one or more processors connected to the first network;
  
  one or more stored sequences of instructions which, when executed by the one or more processors, cause the one or more processors to carry out the steps of;
  
  determining a first identification uniquely associated with a registered user having a registered voiceprint that matches a voiceprint of the user;
  
  determining a second identification uniquely associated with the mobile device;
  
  determining whether to grant access based on the first identification and the second identification; and
  
  if it is determined to grant access, causing the network device to grant access to the user for the first network;
  
  wherein determining the first identification further comprises receiving first data indicating the first identification from a first process executing on a network infrastructure element in the first network, wherein the first process derives the voiceprint of the user from second data indicating a spoken message generated at the microphone of the mobile device.
- View Dependent Claims (52, 53, 54, 55, 56, 57, 58, 59, 60, 61, 62, 63, 64, 65, 66, 67)
- - 52. A system as recited in claim 51, wherein the first process comprises instructions which when executed cause the first process to determine whether the voice print matches the registered voiceprint of the registered user in a data store and to send the first data only if the voiceprint matches the registered voiceprint.
  - 53. A system as recited in claim 52, comprising instructions which when executed cause receiving the second data by the first process via a telephone call to a router configured to forward voice data to the first process.
  - 54. A system as recited in claim 52, comprising instructions which when executed cause receiving the second data by the first process in response to a telephone call to the mobile device placed by the first process.
  - 55. A system as recited in claim 51, comprising instructions which when executed cause the first process receiving third data indicating the first identification.
  - 56. A system as recited in claim 55, comprising instructions which when executed cause deriving the third data indicating the first identification from the second data indicating the spoken message.
  - 57. A system as recited in claim 51, wherein the instructions for determining the second identification uniquely associated with the mobile device further comprise instructions which when executed cause receiving third data indicating the second identification in response to a request for a data connection with the network, wherein the request includes fourth data indicating the second identification.
  - 58. A system as recited in claim 57, comprising instructions which when executed cause receiving the third data indicating the second identification from a second process executing on a network infrastructure element in the network, and cause the second process sending the third data in response to receiving the request for the data connection with the network from the mobile device.
  - 59. A system as recited in claim 58, wherein the second process is on a router connected to a public packet switched network.
  - 60. A system as recited in claim 58, the instructions for granting access further comprising instructions which when executed cause sending fifth data indicating access granted to the second process, and cause the second process opening a communication session with the mobile device in response to receiving the fifth data.
  - 61. A system as recited in claim 58, further comprising instructions which when executed by the one or more processors cause performing:
    - denying access by sending fifth data indicating access denied to the second process if it determined to not grant access;
      
      the second process declining to open a communication session with the mobile device in response to receiving the fifth data.
  - 62. A system as recited in claim 51, wherein the instructions for determining whether to grant access further comprise instructions which when executed cause performing:
    - determining whether the first identification is determined within a particular time period around a first time when the second identification is determined; and
      
      determining to not grant access if the first identification is determined beyond the particular time period around the first time.
  - 63. A system as recited in claim 51, wherein the instructions for determining whether to grant access further comprise instructions which when executed cause performing:
    - determining whether the first identification uniquely associated with the registered user is associated with the second identification uniquely associated with the mobile device in a first data structure stored on the network; and
      
      determining to grant access if the first identification is associated with the second identification in the first data structure.
  - 64. A system as recited in claim 51, wherein the second identification is at least one of a user identification for an authorized user of the network, a user identification for an authorized user of the mobile device, and a unique identifier or serial number for the mobile device.
  - 65. A system as recited in claim 51, further comprising instructions which when executed by the one or more processors cause determining a third identification associated with a user of the mobile device.
  - 66. A system as recited in claim 65, wherein the instructions for determining the third identification further comprise instructions which when executed cause receiving third data indicating the third identification in response to a request for a data connection with the network, wherein the request includes fourth data indicating the third identification.
  - 67. A system as recited in claim 66, wherein the instructions for determining further comprise instructions which when executed cause performing:
    - determining whether the first identification uniquely associated with the registered user is associated with at least one of the second identification uniquely associated with the mobile device and the third identification associated with a user of the mobile device in a first data structure stored on the network; and
      
      determining to grant access if the first identification is associated with at least one of the second identification and the third identification in the first data structure.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Roethlisberger, Albert, Guel, Michele, Scarbrough, Robert, Lu, Wen-Pai, Huegen, Craig, Estes, Robert S.
Primary Examiner(s)
Gary; Erika A.

Application Number

US09/956,204
Time in Patent Office

1,932 Days
Field of Search

455/411, 455/410, 455/435.1, 380/247, 380/249, 380/275
US Class Current

455/411
CPC Class Codes

H04L 63/02   for separating internal fro...

H04L 63/0861   using biometrical features,...

H04L 63/0892   by using authentication-aut...

H04W 12/08   Access security

Techniques for voice-based user authentication for mobile access to network services

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

229 Citations

67 Claims

Specification

Use Cases

Quick Links

Others

Techniques for voice-based user authentication for mobile access to network services

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

229 Citations

67 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others