Abstract: A system (100) for identifying and managing access of physical and digital assets is disclosed. A user registration module (120) receives user information. An activation module (122) sends an activation link to a mobile number or an email id. An application setup module (124) enables input of a one-time activation code, allows creation of a primary key and a secondary activation key, and generates a unique algorithm that includes an encoder and a decoder. A security module (126) allows download of the encoder and enables the user to establish an authentication PIN. An access module (128) generates a virtual identification and provides secure access. A monitoring module (130) tracks user activity. A device management module (132) detects user devices linked to virtual identities when a plurality of devices tries to access the physical and digital assets. A security response module (134) auto-blocks a virtual identity upon detection of suspicious activity and alerts an authority. FIG. 1
EARLIEST PRIORITY DATE:
This Application claims priority from a provisional patent application filed in India having Patent Application No. 202321055544, filed on August 18, 2023, and titled “AUTHARC – ZERO TRUST PHYGITAL IDENTITY & ACCESS MANAGEMENT PLATFORM”.
FIELD OF INVENTION
[0001] Embodiments of the present disclosure relate to the field of access management and security systems, and more particularly, a system and a method for identity and access management of physical and digital assets in an organization.
BACKGROUND
[0002] In today’s organizational security, there exists a significant split between mechanisms that govern physical access (such as door entry, attendance systems) and those that control access to digital environments (including web applications, software, mobile apps, desktops, laptops, and servers).
[0003] Common technologies for physical access include biometrics, facial recognition, and radio frequency identification (RFID) cards, often relying on personally identifiable information (PII) or easily manipulated tools. For instance, RFID cards, which are widely used for entry into physical assets, can be borrowed or stolen, allowing unauthorized individuals to gain access. This lack of secure integration compromises the security of physical assets.
[0004] Further, on the digital side, access to systems typically hinges on passwords, biometric authentication, or one-time passwords (OTPs) for two-factor authentication. The heavy reliance on passwords, known for their vulnerability to theft, phishing, and forgetting, undermines the security and efficiency of digital access management.
[0005] Furthermore, there's a clear absence of synchronization between the authentication mechanisms for entering a physical office space and logging into digital applications. Once an individual gains physical entry, they are required to separately log into each digital system or application they need to access. This lack of integration fails to leverage the initial physical access authentication to streamline subsequent digital access, resulting in a disjointed and cumbersome user experience.
[0006] Additionally, in the absence of a unified system, monitoring an individual's application usage becomes challenging.
[0007] Hence, there is a need for an improved system and method for identifying and managing access of physical and digital assets which addresses the aforementioned issue(s).
OBJECTIVES OF THE INVENTION
[0008] The primary objective of the invention is to provide a system for managing access to physical and digital assets within an organization for various user types including employees, vendors, and visitors, through a unified system.
[0009] Another objective of the invention is to implement a zero-trust security model with password-less access mechanisms that does not inherently trust any user inside or outside a network, requiring verification for every access attempt.
[0010] Yet another objective of the invention is to authenticate users through dynamic digital identities that are generated using security pins, thereby adding an additional layer of security.
[0011] Additionally, another objective of the invention is to automatically block virtual identities upon detecting suspicious activities and promptly notify the concerned personnel.
BRIEF DESCRIPTION
[0012] In accordance with an embodiment of the present disclosure, a system for identifying and managing access of physical and digital assets is provided. The system includes a processing subsystem hosted on a server. The processing subsystem is configured to execute on a network to control bidirectional communications among a plurality of modules. The processing subsystem includes a user registration module. The user registration module is configured to receive user information from a user upon initiating an onboarding process via a link shared by an authority of an organization. The user information includes mobile number, name, email id, password, date of birth, and Aadhaar identification number. The processing subsystem includes an activation module operatively coupled to the user registration module. The activation module is configured to send an activation link and a one-time activation code to at least one of the mobile number and the email id of the user for facilitating the user to access a user application. The processing subsystem includes an application setup module operatively coupled to the activation module. The application setup module is configured to enable the user to input the one-time activation code for accessing the user application. The application setup module is configured to allow the user to create a primary key and secondary activation key upon providing the one-time activation code. The application setup module is configured to generate a unique algorithm based on the primary key and the secondary activation key on a user device. The unique algorithm includes an encoder for creating a virtual identification and a decoder corresponding to the encoder for interpreting the virtual identification. The virtual identification employs zero trust principles and password-less access to ensure a high level of security. The processing subsystem includes a security module. The security module is operatively coupled to the application setup module. The security module is configured to allow download of the encoder in the user device upon activation of the unique algorithm thereby preventing the download of the encoder to multiple user devices. The security module is configured to enable the user to establish an authentication personal identification number (PIN) for accessing the encoder. The processing subsystem includes an access module operatively coupled to the security module. The access module is configured to generate virtual identification through the encoder upon accessing the encoder. The virtual identification is a dynamic and one-time virtual identification. The access module is configured to provide secure access to physical and digital assets via a mechanism. The mechanism includes use of quick response codes, token input, emergency radio frequency identification, and emergency universal serial bus (USB) charging, based on the generated virtual identification. The processing subsystem includes a monitoring module operatively coupled to the access module. The monitoring module is configured to track a plurality of user activities post-access to physical and digital assets for ensuring compliance with organizational policies and detecting any suspicious behavior. The processing subsystem includes a device management module operatively coupled to the monitoring module. The device management module is configured to detect the user device bound to the user virtual identity when a plurality of devices tries to access the physical and digital assets. The processing subsystem includes a security response module operatively coupled to the device management module. The security response module is configured to auto-block a virtual identity upon detection of suspicious activity. The suspicious activity includes unauthorized asset access or the binding of multiple devices to a single virtual identity. The security response module is configured to alert the authority upon detection of suspicious activity.
[0013] In accordance with another embodiment of the present disclosure, a method for identifying and managing access of physical and digital assets is provided. The method includes receiving, by a user registration module, user information from a user upon initiating an onboarding process via a link shared by an authority of an organization. The user information includes mobile number, name, email id, password, date of birth, and Aadhaar identification number. The method includes sending, by an activation module, an activation link and a one-time activation code to at least one of the mobile number and the email id of the user for facilitating the user to access a user application. The method includes enabling, by an application setup module, the user to input the one-time activation code for accessing the user application. The method includes allowing, by the application setup module, the user to create a primary key and secondary activation key upon providing the one-time activation code. The method includes generating, by the application setup module, a unique algorithm based on the primary key and the secondary activation key on a user device. The unique algorithm includes an encoder for creating a virtual identification and a decoder corresponding to the encoder for interpreting the virtual identification. The virtual identification employs zero trust principles and password-less access to ensure a high level of security. The method includes allowing, by a security module, download of the encoder in the user device upon activation of the unique algorithm thereby preventing the download of the encoder to multiple user devices. The method includes enabling, by the security module, the user to establish an authentication PIN for accessing the encoder. The method includes generating, by an access module, the virtual identification through the encoder upon accessing the encoder. The virtual identification is a dynamic and one-time virtual identification. The method includes providing, by the access module, secure access to physical and digital assets via a mechanism. The mechanism includes use of quick response codes, token input, emergency radio frequency identification, and emergency USB charging, based on the generated virtual identification. The method includes tracking, by a monitoring module, a plurality of user activities post-access to physical and digital assets for ensuring compliance with organizational policies and detecting any suspicious behavior. The method includes detecting, by a device management module, the user device bound to the user virtual identity when a plurality of devices tries to access the physical and digital assets. The method includes auto-blocking, by a security response module, a virtual identity upon detection of suspicious activity. The suspicious activity includes unauthorized asset access or the binding of multiple devices to a single virtual identity. The method includes alerting, by the security response module, the authority upon detection of suspicious activity.
[0014] To further clarify the advantages and features of the present disclosure, a more particular description of the disclosure will follow by reference to specific embodiments thereof, which are illustrated in the appended figures. It is to be appreciated that these figures depict only typical embodiments of the disclosure and are therefore not to be considered limiting in scope. The disclosure will be described and explained with additional specificity and detail with the appended figures.
BRIEF DESCRIPTION OF THE DRAWINGS
[0015] The disclosure will be described and explained with additional specificity and detail with the accompanying figures in which:
[0016] FIG. 1 is a block diagram representation of a system for identifying and managing access of physical and digital assets in accordance with an embodiment of the present disclosure;
[0017] FIG. 2 is a block diagram representation of an exemplary embodiment of a system for identifying and managing access of physical and digital assets of FIG. 1 in accordance with an embodiment of the present disclosure;
[0018] FIG. 3 is a block diagram of a computer or a server in accordance with an embodiment of the present disclosure;
[0019] FIG. 4(a) illustrates a flow chart representing the steps involved in a method for identifying and managing access of physical and digital assets in accordance with an embodiment of the present disclosure; and
[0020] FIG. 4(b) illustrates continued steps of the method of FIG. 4(a) in accordance with an embodiment of the present disclosure.
[0021] Further, those skilled in the art will appreciate that elements in the figures are illustrated for simplicity and may not have necessarily been drawn to scale. Furthermore, in terms of the construction of the device, one or more components of the device may have been represented in the figures by conventional symbols, and the figures may show only those specific details that are pertinent to understanding the embodiments of the present disclosure so as not to obscure the figures with details that will be readily apparent to those skilled in the art having the benefit of the description herein.
DETAILED DESCRIPTION
[0022] For the purpose of promoting an understanding of the principles of the disclosure, reference will now be made to the embodiment illustrated in the figures and specific language will be used to describe them. It will nevertheless be understood that no limitation of the scope of the disclosure is thereby intended. Such alterations and further modifications in the illustrated system, and such further applications of the principles of the disclosure as would normally occur to those skilled in the art are to be construed as being within the scope of the present disclosure.
[0023] The terms “comprises”, “comprising”, or any other variations thereof, are intended to cover a non-exclusive inclusion, such that a process or method that comprises a list of steps does not include only those steps but may include other steps not expressly listed or inherent to such a process or method. Similarly, one or more devices or subsystems or elements or structures or components preceded by “comprises... a” does not, without more constraints, preclude the existence of other devices, sub-systems, elements, structures, components, additional devices, additional sub-systems, additional elements, additional structures or additional components. Appearances of the phrase “in an embodiment”, “in another embodiment” and similar language throughout this specification may, but not necessarily do, all refer to the same embodiment.
[0024] Unless otherwise defined, all technical and scientific terms used herein have the same meaning as commonly understood by those skilled in the art to which this disclosure belongs. The system, methods, and examples provided herein are only illustrative and not intended to be limiting.
[0025] In the following specification and the claims, reference will be made to a number of terms, which shall be defined to have the following meanings. The singular forms “a”, “an”, and “the” include plural references unless the context clearly dictates otherwise.
[0026] Embodiments of the present disclosure relate to a system for identifying and managing access of physical and digital assets. The system includes a processing subsystem hosted on a server. The processing subsystem is configured to execute on a network to control bidirectional communications among a plurality of modules. The processing subsystem includes a user registration module. The user registration module is configured to receive user information from a user upon initiating an onboarding process via a link shared by an authority of an organization. The user information includes mobile number, name, email id, password, date of birth, and Aadhaar identification number. The processing subsystem includes an activation module operatively coupled to the user registration module. The activation module is configured to send an activation link and a one-time activation code to at least one of the mobile number and the email id of the user for facilitating the user to access a user application. The processing subsystem includes an application setup module operatively coupled to the activation module. The application setup module is configured to enable the user to input the one-time activation code for accessing the user application. The application setup module is configured to allow the user to create a primary key and secondary activation key upon providing the one-time activation code. The application setup module is configured to generate a unique algorithm based on the primary key and the secondary activation key on a user device. The unique algorithm includes an encoder for creating a virtual identification and a decoder corresponding to the encoder for interpreting the virtual identification. The virtual identification employs zero trust principles and password-less access to ensure a high level of security. The processing subsystem includes a security module. The security module is operatively coupled to the application setup module. The security module is configured to allow download of the encoder in the user device upon activation of the unique algorithm thereby preventing the download of the encoder to multiple user devices. The security module is configured to enable the user to establish an authentication PIN for accessing the encoder. The processing subsystem includes an access module operatively coupled to the security module. The access module is configured to generate virtual identification through the encoder upon accessing the encoder. The virtual identification is a dynamic and one-time virtual identification. The access module is configured to provide secure access to physical and digital assets via a mechanism. The mechanism includes use of quick response codes, token input, emergency radio frequency identification, and emergency USB charging, based on the generated virtual identification. The processing subsystem includes a monitoring module operatively coupled to the access module. The monitoring module is configured to track a plurality of user activities post-access to physical and digital assets for ensuring compliance with organizational policies and detecting any suspicious behavior. The processing subsystem includes a device management module operatively coupled to the monitoring module. The device management module is configured to detect the user device bound to the user virtual identity when a plurality of devices tries to access the physical and digital assets. The processing subsystem includes a security response module operatively coupled to the device management module. The security response module is configured to auto-block a virtual identity upon detection of suspicious activity. The suspicious activity includes unauthorized asset access or the binding of multiple devices to a single virtual identity. The security response module is configured to alert the authority upon detection of the suspicious activity.
[0027] FIG. 1 is a block diagram of a system (100) for identifying and managing access of physical and digital assets in accordance with an embodiment of the present disclosure. Examples of physical assets in an organization include, but are not limited to, access-controlled room doors, workstations, equipment, and the like. Examples of digital assets include, but are not limited to, software applications, web applications, databases, and the like. The system (100) includes a processing subsystem (105) hosted on a server (108). In one embodiment, the server (108) may include a cloud-based server. In another embodiment, parts of the server (108) may be a local server coupled to a user device. The processing subsystem (105) is configured to execute on a network (115) to control bidirectional communications among a plurality of modules. In one example, the network (115) may be a private or public local area network (LAN) or Wide Area Network (WAN), such as the Internet. In another embodiment, the network (115) may include both wired and wireless communications according to one or more standards and/or via one or more transport mediums. In one example, the network (115) may include wireless communications according to one of the 802.11 or Bluetooth specification sets, or another standard or proprietary wireless communication protocol. In yet another embodiment, the network (115) may also include communications over a terrestrial cellular network, including a global system for mobile communications (GSM), code division multiple access (CDMA), and/or enhanced data for global evolution (EDGE) network.
[0028] The processing subsystem (105) includes a user registration module (120). The user registration module (120) is configured to receive user information from a user upon initiating an onboarding process via a link shared by an authority of the organization. The user is one of the employees, vendors, and visitors of the organization seeking access to physical and digital assets. Examples of authority within the organization include, but are not limited to, a human resources manager, IT administrator, security officer and the like. The user information includes the mobile number, name, email id, password, date of birth, Aadhaar identification number and the like.
[0029] In one embodiment, the user registration module (120) incorporates biometric data registration as part of the user onboarding process, where the user provides fingerprints, facial recognition data and the like via compatible devices.
[0030] The processing subsystem (105) includes an activation module (122) configured to send an activation link and a one-time activation code to at least one of the mobile number and the email id of the user for facilitating the user to access a user application. The user application is accessible via mobile devices, desktop computers, and web browsers.
[0001] In one embodiment, the activation link provides a direct link for downloading the user application. This allows users to easily download the user application following the activation process.
[0002] The processing subsystem (105) includes an application setup module (124) operatively coupled to the activation module (122). The application setup module (124) is configured to enable the user to input the one-time activation code for accessing the user application. The application setup module (124) is configured to allow the user to create a primary key and secondary activation key upon providing the one-time activation code. The primary key and the secondary activation key are each a custom string or alphanumeric combination selected by the user. The application setup module (124) is configured to generate a unique algorithm based on the primary key and the secondary activation key on a user device. The unique algorithm includes an encoder for creating a virtual identification and a decoder corresponding to the encoder for interpreting the virtual identification.
[0003] The virtual identification employs zero trust principles and password-less access to ensure a high level of security. The zero trust principles operate on the assumption that threats may originate from anywhere, both outside and inside the network and, therefore, no entity including user, device, application and the like should be automatically trusted. Instead, every access request must be rigorously verified before granting access. Password-less access mechanisms enhance security and user convenience by utilizing alternative methods for verifying identity. The alternative methods include biometric authentication, personal identification numbers (PINs) and the like. The virtual identification generated for accessing the physical and digital assets is unique for each access attempt.
[0004] The processing subsystem (105) includes a security module (126) configured to allow download of the encoder in the user device upon activation of the unique algorithm thereby preventing the download of the encoder to multiple user devices. The security module (126) is configured to enable the user to establish an authentication PIN for accessing the encoder. The authentication PIN includes at least one of a numerical PIN, a biometric fingerprint, or facial recognition, enhancing the security and flexibility of the system (100).
[0005] In one embodiment, the authentication PIN can be 4 digits or 5 digits long.
[0006] It must be noted that the modules described above are part of the initial setup process required for users to begin using the user application. Every user must follow these steps if the user wishes to utilize the user application. Once the application setup process is complete, users are required to go through the functions of the subsequent modules each time they access physical and digital assets.
[0007] The processing subsystem (105) includes an access module (128) operatively coupled to the security module (126). The access module (128) is configured to generate virtual identification through the encoder upon accessing the encoder. The virtual identification is a dynamic and one-time virtual identification. The access module (128) is configured to provide secure access to physical and digital assets via a mechanism. The mechanism includes use of quick response (QR) codes, token input, emergency radio frequency identification (RFID), and emergency universal serial bus (USB) charging, based on the generated virtual identification. The quick response codes, token input, emergency RFID, and emergency USB charging serve as a physical token for accessing physical assets thereby providing an additional layer of security.
[0008] In one embodiment, the physical assets are equipped with QR codes that are affixed to them or displayed in their vicinity. The user, aiming to access the physical asset, scans the QR code using the user device capable of reading it. The scanned QR code prompts the user to input the virtual identification. Upon verification of the correct virtual identification, access to the physical asset is granted. On the other hand, using the token input, the user receives a unique token, which is linked to their virtual identification. By entering this token into the system (100) associated with the physical asset, and subsequently verifying their virtual identification, the user is granted access. In one embodiment, physical assets may be accessed through RFID technology or RFID tags. RFID tags, which carry encrypted data linked to the virtual identification, are provided to the users. To access the physical asset, the user presents the RFID tag near an RFID reader installed with the physical asset. The reader decrypts the data from the RFID tag, verifies the virtual identification, and if correct, allows access to the physical asset. Using the USB charging, physical assets are equipped with USB ports. When the user connects a USB device to the USB ports, the system (100) reads the encrypted data from the USB, verifies the virtual identification, and upon successful verification, grants access to the physical asset.
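The description above leaves the "unique algorithm" behind the encoder and decoder unspecified. The following is an added example, not code from the patent or its applicant, of one way an encoder/decoder pair could turn a primary key and a secondary activation key into dynamic, one-time virtual identifications with the properties the text claims: a PIN gates the device-side encoder, every generated identification is fresh, and the server-side decoder rejects a reused or tampered one. Everything here is an assumption for illustration: the shared secret is derived with PBKDF2 from the two user-chosen keys, the one-time code is an HMAC-SHA256 over a per-use counter (HOTP style), the virtual id is written as `<counter>-<code>`, and the decoder is handed the same derived secret during setup.

```python
"""Illustrative encoder/decoder pair for one-time virtual identifications.

Added example, not the patent's own algorithm (which the text does not
specify). All of the following are assumptions constructed for illustration:
  - the "unique algorithm" is an HMAC-SHA256 one-time code over a counter,
    keyed by a secret derived (PBKDF2) from the primary key and the
    secondary activation key chosen at setup;
  - the decoder holds the same derived secret plus a replay counter;
  - the authentication PIN only unlocks the device-side encoder.
"""
from __future__ import annotations

import hashlib
import hmac
import secrets
import struct

PBKDF2_ROUNDS = 100_000  # assumed work factor for the key derivations
CODE_DIGITS = 8          # assumed length of the numeric part of the virtual id


def derive_secret(primary_key: str, secondary_key: str, salt: bytes) -> bytes:
    """Derive the shared secret behind the 'unique algorithm' from both user-chosen keys."""
    material = primary_key.encode() + b"\x00" + secondary_key.encode()
    return hashlib.pbkdf2_hmac("sha256", material, salt, PBKDF2_ROUNDS)


def _code(secret: bytes, counter: int) -> str:
    """HMAC-SHA256 over the counter, truncated to CODE_DIGITS decimal digits (HOTP-style)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha256).digest()
    offset = mac[-1] & 0x0F
    value = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{value % 10 ** CODE_DIGITS:0{CODE_DIGITS}d}"


class Encoder:
    """Device-side encoder: a fresh virtual id per access attempt, gated by the PIN."""

    def __init__(self, secret: bytes, pin: str) -> None:
        self._secret = secret
        self._pin_salt = secrets.token_bytes(16)
        self._pin_hash = hashlib.pbkdf2_hmac("sha256", pin.encode(), self._pin_salt, PBKDF2_ROUNDS)
        self._counter = 0
        self._unlocked = False

    def unlock(self, pin: str) -> bool:
        """Authentication PIN check; the encoder refuses to generate until unlocked."""
        candidate = hashlib.pbkdf2_hmac("sha256", pin.encode(), self._pin_salt, PBKDF2_ROUNDS)
        self._unlocked = hmac.compare_digest(candidate, self._pin_hash)
        return self._unlocked

    def generate(self) -> str:
        """Return a one-time virtual id '<counter>-<code>'; each call advances the counter."""
        if not self._unlocked:
            raise PermissionError("encoder locked: authentication PIN required")
        self._counter += 1
        return f"{self._counter}-{_code(self._secret, self._counter)}"


class Decoder:
    """Server-side decoder: interprets a virtual id and rejects reuse (one-time property)."""

    def __init__(self, secret: bytes) -> None:
        self._secret = secret
        self._last_counter = 0  # highest counter already accepted

    def interpret(self, virtual_id: str) -> bool:
        try:
            counter_text, code = virtual_id.split("-", 1)
            counter = int(counter_text)
        except ValueError:
            return False
        if counter <= self._last_counter:
            return False  # replayed or stale id
        if not hmac.compare_digest(code, _code(self._secret, counter)):
            return False  # code does not match this secret and counter
        self._last_counter = counter
        return True


def setup_pair(primary_key: str, secondary_key: str, pin: str) -> tuple[Encoder, Decoder]:
    """Application-setup step: derive the algorithm once; encoder to the device, decoder to the server."""
    salt = secrets.token_bytes(16)
    secret = derive_secret(primary_key, secondary_key, salt)
    return Encoder(secret, pin), Decoder(secret)


def demo() -> dict:
    """Walk through setup, a QR-prompted access, a tampered id, and a replay of a used id."""
    encoder, decoder = setup_pair("primary-Key-1", "secondary-Key-2", "4821")
    results = {"locked_generate_refused": False}
    try:
        encoder.generate()
    except PermissionError:
        results["locked_generate_refused"] = True
    results["wrong_pin"] = encoder.unlock("0000")
    results["right_pin"] = encoder.unlock("4821")
    vid1 = encoder.generate()
    flipped = "0" if vid1[-1] != "0" else "1"
    results["tampered"] = decoder.interpret(vid1[:-1] + flipped)
    results["first_use"] = decoder.interpret(vid1)
    results["replay"] = decoder.interpret(vid1)
    vid2 = encoder.generate()
    results["second_id_differs"] = vid2 != vid1
    results["second_use"] = decoder.interpret(vid2)
    return results


if __name__ == "__main__":
    print(demo())
```

Because the decoder only ever advances its counter, a captured virtual id is worthless after its first use, and because the PIN is checked on the device before any code is produced, a stolen device without the PIN yields nothing; both match the zero trust and password-less behaviour the description attributes to the virtual identification.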
[0009] The processing subsystem (105) includes a monitoring module (130) operatively coupled to the access module (128). The monitoring module (130) is configured to track a plurality of user activities post-access to physical and digital assets for ensuring compliance with organizational policies and detecting any suspicious behavior. The plurality of user activities includes, but is not limited to, the entry and exit times of physical locations, the duration of access to digital platforms, and the nature of the activity.
[0010] In one embodiment, the monitoring module (130) employs an artificial intelligence model for tracking the plurality of user activities post-access to physical and digital assets.
[0011] The processing subsystem (105) includes a device management module (132) operatively coupled to the monitoring module (130). The device management module (132) is configured to detect the user device bound to the user virtual identity when a plurality of devices tries to access the physical and digital assets. This process is critical in scenarios where the plurality of devices attempt to access the physical and digital assets simultaneously, as it enables the system (100) to differentiate between authorized and unauthorized devices effectively.
[0012] The processing subsystem (105) includes a security response module (134) operatively coupled to the device management module (132). The security response module (134) is configured to auto-block a virtual identity upon detection of suspicious activity. The suspicious activity includes unauthorized asset access or the binding of multiple devices to a single virtual identity. The security response module (134) is configured to alert the authorities within the organization, such as IT security teams or system administrators, upon detection of suspicious activity.
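The monitoring, device management and security response modules described in the preceding paragraphs amount to a small policy engine over access events. The following is an added example, not code from the patent, that runs that logic over constructed log lines: it binds each virtual identity to the first device that presents it, blocks the identity and raises an alert when a second device appears, when an asset outside the identity's permissions is requested, or when incorrect identification attempts pile up (the threshold and the permission table are assumptions made up for this illustration; the line format `ts=... identity=... device=... asset=... verified=...` is likewise invented).

```python
"""Illustrative device-binding check and auto-block over constructed access events.

Added example (not code from the patent). Assumptions: every access event
carries the virtual identity, a device identifier reported by the user
application, the asset requested and whether the decoder verified the
virtual id. Thresholds, permissions and the log format are all constructed.
"""
from collections import defaultdict
from dataclasses import dataclass

MAX_DEVICES_PER_IDENTITY = 1   # assumed: one bound device per virtual identity
MAX_FAILED_ATTEMPTS = 3        # assumed threshold for incorrect identification attempts

# Assumed permission table: which assets each virtual identity may access.
PERMISSIONS = {
    "X": {"door-main", "app-crm"},
    "Y": {"door-main"},
    "Z": {"door-main"},
}

# Constructed sample of access events, one per line.
SAMPLE_LOG = """\
ts=100 identity=X device=phone-A asset=door-main verified=1
ts=101 identity=X device=phone-A asset=app-crm verified=1
ts=102 identity=Z device=tablet-D asset=door-main verified=1
ts=103 identity=Z device=tablet-D asset=server-room verified=1
ts=104 identity=Y device=phone-B asset=door-main verified=0
ts=105 identity=Y device=phone-B asset=door-main verified=0
ts=106 identity=Y device=phone-B asset=door-main verified=0
ts=107 identity=X device=laptop-C asset=app-crm verified=1
ts=108 identity=X device=phone-A asset=door-main verified=1
"""


@dataclass
class AccessEvent:
    ts: int
    identity: str
    device_id: str
    asset: str
    verified: bool


@dataclass
class Alert:
    ts: int
    identity: str
    reason: str


def parse_event(line: str) -> AccessEvent:
    """Parse one 'key=value' log line (constructed format) into an AccessEvent."""
    fields = dict(token.split("=", 1) for token in line.split())
    return AccessEvent(
        ts=int(fields["ts"]),
        identity=fields["identity"],
        device_id=fields["device"],
        asset=fields["asset"],
        verified=fields["verified"] == "1",
    )


class SecurityResponse:
    """Device management plus security response: bind devices, auto-block, alert."""

    def __init__(self) -> None:
        self.bound_devices = defaultdict(set)  # identity -> devices bound to it
        self.failures = defaultdict(int)        # identity -> incorrect attempts seen
        self.blocked: set[str] = set()
        self.alerts: list[Alert] = []

    def process(self, ev: AccessEvent) -> str:
        """Return 'granted', 'denied' or 'blocked' for one event, updating state."""
        if ev.identity in self.blocked:
            return "blocked"
        if not ev.verified:
            self.failures[ev.identity] += 1
            if self.failures[ev.identity] >= MAX_FAILED_ATTEMPTS:
                self._block(ev, "repeated incorrect virtual identification")
                return "blocked"
            return "denied"
        devices = self.bound_devices[ev.identity]
        if ev.device_id not in devices:
            if len(devices) >= MAX_DEVICES_PER_IDENTITY:
                self._block(ev, f"additional device {ev.device_id} bound to identity")
                return "blocked"
            devices.add(ev.device_id)  # first device presenting this identity is bound
        if ev.asset not in PERMISSIONS.get(ev.identity, set()):
            self._block(ev, f"unauthorized asset access: {ev.asset}")
            return "blocked"
        return "granted"

    def _block(self, ev: AccessEvent, reason: str) -> None:
        """Auto-block the virtual identity and record an alert for the authority."""
        self.blocked.add(ev.identity)
        self.alerts.append(Alert(ev.ts, ev.identity, reason))


def run_sample() -> tuple:
    """Feed the constructed log through the engine; return (decisions, alerts)."""
    engine = SecurityResponse()
    decisions = [engine.process(parse_event(line)) for line in SAMPLE_LOG.splitlines()]
    return decisions, engine.alerts


if __name__ == "__main__":
    decisions, alerts = run_sample()
    for line, decision in zip(SAMPLE_LOG.splitlines(), decisions):
        print(f"{decision:8s} {line}")
    for alert in alerts:
        print(f"ALERT ts={alert.ts} identity={alert.identity}: {alert.reason}")
```

Note that a blocked identity stays blocked even for its originally bound device (event 108), which is the behaviour the text describes: the block is applied to the virtual identity, and lifting it is left to the alerted authority.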
[0013] It is to be noted that the user device may comprise, but is not limited to, a mobile phone, desktop computer, portable digital assistant (PDA), smart phone, tablet, ultra-book, netbook, laptop, multi-processor system, microprocessor-based or programmable consumer electronic system, or any other communication device that a user may use. In some embodiments, the user device may comprise a display module (not shown) to display information (for example, in the form of user interfaces). In further embodiments, the user device may comprise one or more of touch screens, accelerometers, gyroscopes, cameras, microphones, global positioning system (GPS) devices, and so forth.
[0014] In one embodiment, the various functional components of the system may reside on a single computer, or they may be distributed across several computers in various arrangements. The various components of the system may, furthermore, access one or more databases, and each of the various components of the system may be in communication with one another. Further, while the components of FIG. 1 are discussed in the singular sense, it will be appreciated that in other embodiments multiple instances of the components may be employed.
[0015] FIG. 2 is a block diagram representation of an exemplary embodiment of a system (100) for identifying and managing access of physical and digital assets of FIG. 1 in accordance with an embodiment of the present disclosure. The system (100) includes an algorithm distribution module (136) operatively coupled to the application setup module (124). The algorithm distribution module (136) is configured to ensure the encoder for generating the virtual identification is removed from a cloud network, post-download to the user device for ensuring the power to generate the virtual identification and the security of the algorithm are controlled by the user.
[0016] Consider an example where user "X" is in the process of joining an organization. After providing their personal details such as mobile number, name, email ID, password, date of birth, and Aadhaar identification number during the onboarding process, HR sends the onboarding link to "X's" registered mobile number along with a one-time activation key. Upon accessing the onboarding link, "X" is directed to a user interface where they enter the provided activation key. Once the activation key is successfully entered and verified by the system (100), "X" gains access to download the user application specific to the organization's identity and access management system. After downloading and installing the user application, "X" is prompted to complete the setup process. This involves creating a primary key and a secondary activation key, both of which are unique strings or alphanumeric combinations chosen by "X". Additionally, "X" creates an authentication PIN for accessing the encoder, further securing the process. The primary and secondary keys are important in generating "X's" unique virtual identification, utilizing an algorithm within the application. "X" then uses the encoder to generate a virtual identification, effectively completing the system (100) setup. Now, to access the organization's door, "X" scans a QR code located at the entrance. Following this, "X" inputs their virtual identification number, thereby gaining access to the organization's physical and digital assets according to their permissions. Concurrently, the organization's authorities begin monitoring "X's" activities and any suspicious behavior related to both physical and digital assets. Should there be any incorrect identification attempts, the system (100) is designed to automatically block "X's" virtual identity and alert the relevant authorities, ensuring security and compliance within the organization.
[0017] FIG. 3 is a block diagram of a computer or a server in accordance with an embodiment of the present disclosure. The server (200) includes processor(s) (230), and memory (210) operatively coupled to the bus (220). The processor(s) (230), as used herein, means any type of computational circuit, such as, but not limited to, a microprocessor, a microcontroller, a complex instruction set computing microprocessor, a reduced instruction set computing microprocessor, a very long instruction word microprocessor, an explicitly parallel instruction computing microprocessor, a digital signal processor, or any other type of processing circuit, or a combination thereof.
[0018] The memory (210) includes several subsystems stored in the form of executable programs which instruct the processor (230) to perform the method steps illustrated in FIG. 1. The memory (210) includes a processing subsystem (105) of FIG. 1. The processing subsystem (105) further has the following modules: a user registration module (120), an activation module (122), an application setup module (124), a security module (126), an access module (128), a monitoring module (130), a device management module (132), and a security response module (134).
[0019] In accordance with an embodiment of the present disclosure, a system (100) for identity and access management of physical and digital assets is provided. The system (100) includes a processing subsystem (105) hosted on a server. The processing subsystem (105) is configured to execute on a network to control bidirectional communications among a plurality of modules. The processing subsystem (105) includes a user registration module (120). The user registration module (120) is configured to receive user information from a user upon initiating an onboarding process via a link shared by an authority of an organization. The user information includes mobile number, name, email id, password, and date of birth, and Aadhaar identification number. The processing subsystem (105) includes an activation module (122) operatively coupled to the user registration module (120). The activation module (122) is configured to send an activation link and a one-time activation code to at least one of the mobile number and the email id of the user for facilitating the user to access a user application. The processing subsystem (105) includes an application setup module (124) operatively coupled to the activation module (122). The application setup module (124) is configured to enable the user to input the one-time activation code for accessing the user application. The application setup module (124) is configured to allow the user to create a primary key and secondary activation key upon providing the one-time activation code. The application setup module (124) is configured to generate a unique algorithm based on the primary key and the secondary activation key on a user device. The unique algorithm includes an encoder for creating a virtual identification and a decoder corresponding to the encoder for interpreting the virtual identification. The virtual identification employs zero trust principles and password-less access to ensure a high level of security. 
The processing subsystem (105) includes a security module (126). The security module (126) is operatively coupled to the application setup module (124). The security module (126) is configured to allow download of the encoder in the user device upon activation of the unique algorithm, thereby preventing the download of the encoder to multiple user devices. The security module (126) is configured to enable the user to establish an authentication PIN for accessing the encoder. The processing subsystem (105) includes an access module (128) operatively coupled to the security module (126). The access module (128) is configured to generate virtual identification through the encoder upon accessing the encoder. The virtual identification is a dynamic and one-time virtual identification. The access module (128) is configured to provide secure access to physical and digital assets via a mechanism. The mechanism includes use of quick response codes, token input, emergency radio frequency identification, and emergency USB charging, based on the generated virtual identification. The processing subsystem (105) includes a monitoring module (130) operatively coupled to the access module (128). The monitoring module (130) is configured to track a plurality of user activities post-access to physical and digital assets for ensuring compliance with organizational policies and detecting any suspicious behavior. The processing subsystem (105) includes a device management module (132) operatively coupled to the monitoring module (130). The device management module (132) is configured to detect the user device bound to the user virtual identity when a plurality of devices tries to access the physical and digital assets. The processing subsystem (105) includes a security response module (134) operatively coupled to the device management module (132). The security response module (134) is configured to auto-block a virtual identity upon detection of suspicious activity.
The suspicious activity includes unauthorized asset access or the binding of multiple devices to a single virtual identity. The security response module (134) is configured to alert the authority upon detection of suspicious activity.
[0020] The bus (220) as used herein refers to internal memory channels or computer network that is used to connect computer components and transfer data between them. The bus (220) includes a serial bus or a parallel bus, wherein the serial bus transmits data in bit-serial format and the parallel bus transmits data across multiple wires. The bus (220), as used herein, may include but not limited to, a system bus, an internal bus, an external bus, an expansion bus, a frontside bus, a backside bus and the like.
[0021] FIG. 4(a) illustrates a flow chart representing the steps involved in a method (300) for identifying and managing access of physical and digital assets in accordance with an embodiment of the present disclosure. FIG. 4(b) illustrates continued steps of the method (300) of FIG. 4(a) in accordance with an embodiment of the present disclosure. The method (300) includes receiving, by a user registration module, user information from a user upon initiating an onboarding process via a link shared by an authority of an organization. The user information includes mobile number, name, email id, password, and date of birth, and Aadhaar identification number in step 302. The user is one of an employee, a vendor, and a visitor in the organization seeking to access physical and digital assets. Examples of authority within the organization include but are not limited to a human resources manager, IT administrator, security officer and the like. The link provided by the authority guides the user to either a web or mobile application, where the user encounters a user interface designed to facilitate corresponding network access.
[0022] In one embodiment, the user registration module incorporates biometric data registration as part of the user onboarding process, where users provide fingerprints, facial recognition data and the like via compatible devices.
[0031] The method (300) includes sending, by an activation module, an activation link and a one-time activation code to at least one of the mobile number and the email id of the user for facilitating the user to access a user application in step 304. The user application is accessible via mobile devices, desktop computers, and web browsers.
[0023] In one embodiment, the activation link provides a direct link for downloading the user application. This allows users to easily download the user application following the activation process.
[0024] The method (300) includes enabling, by an application setup module, the user to input the one-time activation code for accessing the user application in step 306.
[0025] The method (300) includes allowing, by the application setup module, the user to create a primary key and secondary activation key upon providing the one-time activation code in step 308. The primary key and the secondary activation key are each a custom string or alphanumeric combination selected by the user.
[0026] The method (300) includes generating, by the application setup module, a unique algorithm based on the primary key and the secondary activation key on a user device. The unique algorithm includes an encoder for creating a virtual identification and a decoder corresponding to the encoder for interpreting the virtual identification. The virtual identification employs zero trust principles and password-less access to ensure a high level of security in step 310.
[0027] The virtual identification employs zero trust principles and password-less access to ensure a high level of security. The zero trust principles operate on the assumption that threats may originate from anywhere, both outside and inside the network, and, therefore, no entity including user, device, application, and the like should be automatically trusted. Instead, every access request must be rigorously verified before granting access. Password-less access mechanisms enhance security and user convenience by utilizing alternative methods for verifying identity. Such methods include biometric authentication, Personal Identification Numbers (PINs) and the like. The virtual identification generated for accessing the physical and digital assets is unique for each access attempt.
[0028] The method (300) includes allowing, by a security module, download of the encoder in the user device upon activation of the unique algorithm thereby preventing the download of the encoder to multiple user devices in step 312.
[0029] The method (300) includes enabling, by the security module, the user to establish an authentication PIN for accessing the encoder in step 314. The authentication PIN includes at least one of a numerical PIN, a biometric fingerprint, or facial recognition, enhancing the security and flexibility of the system.
[0030] In one embodiment, the authentication PIN can be 4 digits or 5 digits.
[0031] The method (300) includes generating, by an access module, the virtual identification through the encoder upon accessing the encoder. The virtual identification is a dynamic and one-time virtual identification in step 316.
[0032] The method (300) includes providing, by the access module, secure access to physical and digital assets via a mechanism. The mechanism includes use of quick response codes, token input, emergency radio frequency identification, and emergency USB charging, based on the generated virtual identification in step 318. The quick response codes, token input, emergency RFID, and emergency USB charging serve as a physical token for accessing physical assets thereby providing an additional layer of security.
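An illustrative implementation of steps 308 through 316, added here as an example; it is not code from the disclosure. The disclosure does not say how the "unique algorithm" is derived from the two keys, how the encoder forms the 16-digit identification, or how the decoder interprets it, so everything below is an assumed construction chosen to exhibit the properties the text names (offline generation, dynamic, one-time, 16 digits, valid for a predetermined period, encoder locked by an authentication PIN, one device per identity): a PBKDF2 derivation of a device-bound secret from the primary key, the secondary activation key and a per-device salt; an HMAC-SHA256 encoder whose output is a 4-digit time-step index followed by a 12-digit truncated MAC; and a decoder that accepts one step of clock skew and keeps a replay cache. The names `derive_secret`, `Encoder`, `Decoder`, `STEP_SECONDS` and the constructed salts and PINs are hypothetical.

```python
"""Assumed encoder/decoder for a time-bound, one-time 16-digit virtual
identification (example only; the disclosure does not specify its algorithm)."""
import hashlib
import hmac
import secrets
import time
from typing import Optional

STEP_SECONDS = 60      # assumed validity period of one virtual identification
SKEW_STEPS = 1         # decoder tolerates one step of clock drift
COUNTER_DIGITS = 4
MAC_DIGITS = 12        # 4 + 12 = 16 digits, the length the page states


def derive_secret(primary_key: str, secondary_key: str, device_salt: bytes) -> bytes:
    """Bind one secret to the user's two keys and to a single device (assumed)."""
    material = (primary_key + "\x00" + secondary_key).encode()
    return hashlib.pbkdf2_hmac("sha256", material, device_salt, 200_000)


def encode(secret: bytes, counter: int) -> str:
    """Pure function shared by encoder and decoder: MAC over the time-step counter."""
    mac = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha256).digest()
    mac_part = int.from_bytes(mac[:8], "big") % 10**MAC_DIGITS
    return f"{counter % 10**COUNTER_DIGITS:0{COUNTER_DIGITS}d}{mac_part:0{MAC_DIGITS}d}"


class Encoder:
    """Runs offline on the user device; generation is gated by the authentication PIN."""

    def __init__(self, secret: bytes, pin: str):
        self._secret = secret
        self._pin_salt = secrets.token_bytes(16)
        self._pin_hash = hashlib.pbkdf2_hmac("sha256", pin.encode(), self._pin_salt, 100_000)

    def generate(self, pin: str, now: Optional[float] = None) -> str:
        check = hashlib.pbkdf2_hmac("sha256", pin.encode(), self._pin_salt, 100_000)
        if not hmac.compare_digest(check, self._pin_hash):
            raise PermissionError("wrong authentication PIN")
        counter = int((time.time() if now is None else now) // STEP_SECONDS)
        return encode(self._secret, counter)


class Decoder:
    """Server side: interprets a virtual identification and enforces one-time use."""

    def __init__(self, secret: bytes):
        self._secret = secret
        self._used = set()   # (counter, vid) pairs already consumed

    def interpret(self, vid: str, now: Optional[float] = None) -> bool:
        if len(vid) != COUNTER_DIGITS + MAC_DIGITS or not vid.isdigit():
            return False
        current = int((time.time() if now is None else now) // STEP_SECONDS)
        for counter in range(current - SKEW_STEPS, current + 1):
            if counter % 10**COUNTER_DIGITS != int(vid[:COUNTER_DIGITS]):
                continue                       # not the step this code claims
            if not hmac.compare_digest(encode(self._secret, counter), vid):
                return False                   # wrong secret or tampered code
            if (counter, vid) in self._used:
                return False                   # one-time: already consumed
            self._used.add((counter, vid))
            # drop replay entries that have aged out of the acceptance window
            self._used = {u for u in self._used if u[0] >= current - SKEW_STEPS}
            return True
        return False                           # expired or outside the window


if __name__ == "__main__":
    salt = b"constructed-device-salt-A"        # constructed per-device salt
    secret = derive_secret("primary-key-of-X", "secondary-key-of-X", salt)
    encoder, decoder = Encoder(secret, "4321"), Decoder(secret)
    vid = encoder.generate("4321")
    print(vid, decoder.interpret(vid), decoder.interpret(vid))
```

Two points the code makes concrete: the encoder needs no network to produce a code, so generation is offline, and the decoder rejects a code the second time it is presented even within its validity period, which is what "one-time" has to mean operationally. Because the secret is derived with a per-device salt, an encoder installed on a second device yields codes the decoder does not recognise, which is one way to realise the single-device restriction that the security module enforces.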
[0033] The method (300) includes tracking, by a monitoring module, a plurality of user activities post-access to physical and digital assets for ensuring compliance with organizational policies and detecting any suspicious behavior in step 320. The plurality of user activities includes but is not limited to the entry and exit times of physical locations, the duration of access to digital platforms, nature of the activity and the like.
[0034] In one embodiment, the monitoring module employs an artificial intelligence model for tracking the plurality of user activities post-access to physical and digital assets.
[0035] The method (300) includes detecting, by a device management module, the user device bound to the user virtual identity when a plurality of devices tries to access the physical and digital assets in step 322.
[0036] The method (300) includes auto-blocking, by a security response module, a virtual identity upon detection of suspicious activity. The suspicious activity includes unauthorized asset access or the binding of multiple devices to a single virtual identity in step 324.
[0037] The method (300) includes alerting, by the security response module, the authority upon detection of suspicious activity in step 326.
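Detection logic for steps 320 through 326, added here as an example and not taken from the disclosure. It runs the three suspicious-activity conditions the page names (access to an asset outside the identity's permissions, more than one device bound to a single virtual identity, and repeated incorrect identification attempts as described in paragraph [0016]) over a constructed access log, auto-blocks the identity and records the alert for the authority. The log line format, the field names, the permission table, the threshold of three failed attempts and the identities `U1001` to `U1004` are all assumptions made for the example.

```python
"""Monitoring, device-management and security-response rules over a constructed
access log (example only; format, permissions and thresholds are assumed)."""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample log: one line per access attempt reported to the monitoring module.
SAMPLE_LOG = """\
2024-04-23T09:00:01 identity=U1001 device=dev-a1 asset=door-main result=granted
2024-04-23T09:02:14 identity=U1001 device=dev-a1 asset=hr-portal result=granted
2024-04-23T09:05:40 identity=U1002 device=dev-b7 asset=door-main result=granted
2024-04-23T09:06:02 identity=U1002 device=dev-b7 asset=finance-db result=granted
2024-04-23T09:07:30 identity=U1003 device=dev-c3 asset=door-main result=granted
2024-04-23T09:07:45 identity=U1003 device=dev-z9 asset=hr-portal result=granted
2024-04-23T09:09:10 identity=U1004 device=dev-d2 asset=door-main result=denied
2024-04-23T09:09:20 identity=U1004 device=dev-d2 asset=door-main result=denied
2024-04-23T09:09:31 identity=U1004 device=dev-d2 asset=door-main result=denied
"""

# Assumed permission table: which assets each virtual identity may reach.
PERMISSIONS = {
    "U1001": {"door-main", "hr-portal"},
    "U1002": {"door-main"},          # finance-db is outside U1002's permissions
    "U1003": {"door-main", "hr-portal"},
    "U1004": {"door-main"},
}
MAX_FAILED_ATTEMPTS = 3   # assumed threshold for "incorrect identification attempts"

LINE_RE = re.compile(r"^(?P<ts>\S+) identity=(?P<identity>\S+) device=(?P<device>\S+) "
                     r"asset=(?P<asset>\S+) result=(?P<result>granted|denied)$")


@dataclass
class Event:
    ts: str
    identity: str
    device: str
    asset: str
    result: str


@dataclass
class Verdict:
    blocked: set = field(default_factory=set)     # auto-blocked virtual identities
    alerts: list = field(default_factory=list)    # messages raised to the authority


def parse_log(text):
    """Parse the assumed log format; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(Event(**m.groupdict()))
    return events


def evaluate(events, permissions=PERMISSIONS, max_failed=MAX_FAILED_ATTEMPTS):
    """Apply the suspicious-activity rules in order of arrival and auto-block."""
    verdict = Verdict()
    devices = defaultdict(set)    # device management: devices seen per identity
    failures = defaultdict(int)   # consecutive incorrect identification attempts

    def block(identity, reason, ts):
        if identity not in verdict.blocked:
            verdict.blocked.add(identity)
            verdict.alerts.append(f"{ts} BLOCK {identity}: {reason}")

    for e in events:
        if e.identity in verdict.blocked:
            continue   # already auto-blocked; later attempts are not re-evaluated
        # Rule 1: unauthorized asset access
        if e.result == "granted" and e.asset not in permissions.get(e.identity, set()):
            block(e.identity, f"unauthorized access to {e.asset}", e.ts)
            continue
        # Rule 2: more than one device bound to a single virtual identity
        devices[e.identity].add(e.device)
        if len(devices[e.identity]) > 1:
            block(e.identity, f"multiple devices bound: {sorted(devices[e.identity])}", e.ts)
            continue
        # Rule 3: repeated incorrect identification attempts
        if e.result == "denied":
            failures[e.identity] += 1
            if failures[e.identity] >= max_failed:
                block(e.identity, f"{failures[e.identity]} failed identification attempts", e.ts)
        else:
            failures[e.identity] = 0
    return verdict


if __name__ == "__main__":
    for alert in evaluate(parse_log(SAMPLE_LOG)).alerts:
        print(alert)
```

On the constructed log the monitor blocks `U1002` (granted access to `finance-db`, which its permissions do not cover), `U1003` (the same identity presented from `dev-c3` and then `dev-z9`) and `U1004` (three consecutive denials at the door), while `U1001` is left untouched. A rule-based evaluator like this is the deterministic baseline that an AI model, as mentioned in paragraph [0034], would extend rather than replace.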
[0038] Various embodiments of the system and method for identifying and managing access of physical and digital assets as described above utilize dynamic virtual identifications and password-less authentication methods, including biometrics and one-time activation keys, to offer a more secure and user-friendly mechanism for managing access within organizations. The system not only significantly reduces the risk of unauthorized access but also streamlines user interaction with the system by removing the necessity for separate logins at different access points. Moreover, the system's capabilities for real-time monitoring and alerts, along with customizable access controls and the monitoring of suspicious activities, ensure it can adjust to the changing needs of organizations.
[0039] Additionally, the system and method disclosed herein provide the following benefits:
1. A centralized identity and access management platform with zero trust access to an organization resource at every access point (physical locations or digital assets) thereby eliminating the need for passwords.
2. Eliminates the need for Personally Identifiable Information (PII) by allowing the user to create a unique PIN for registration thereby ensuring privacy in the network. Post successful registration and activation, no PII is stored or processed for any user identification or authentication, thereby reducing the risk of data breaches. The user is identified and authenticated based on their virtual Digital Identity.
3. Offline generation of dynamic virtual identity.
4. Hacking is further restricted to the user level, thereby eliminating hacking of organization resources. Specifically, the virtual identity is a 16-digit value valid for a predetermined time period, making it almost impossible to hack the virtual identity.
[0040] The techniques described in this disclosure may be implemented, at least in part, in hardware, software, firmware, or any combination thereof. For example, various aspects of the described techniques may be implemented within one or more processors, including one or more microprocessors, digital signal processors (DSPs), application-specific integrated circuits (ASICs), field-programmable gate arrays (FPGAs), or any other equivalent integrated or discrete logic circuitry, as well as any combinations of such components. The term “processor” or “processing subsystem (105)” may generally refer to any of the foregoing logic circuitry, alone or in combination with other logic circuitry, or any other equivalent circuitry. A control unit including hardware may also perform one or more of the techniques of this disclosure.
[0041] Such hardware, software, and firmware may be implemented within the same device or within separate devices to support the various techniques described in this disclosure. In addition, any of the described units, modules, or components may be implemented together or separately as discrete but interoperable logic devices. Depiction of different features as modules or units is intended to highlight different functional aspects and does not necessarily imply that such modules or units must be realized by separate hardware, firmware, or software components. Rather, functionality associated with one or more modules or units may be performed by separate hardware, firmware, or software components, or integrated within common or separate hardware, firmware, or software components.
[0042] It will be understood by those skilled in the art that the foregoing general description and the following detailed description are exemplary and explanatory of the disclosure and are not intended to be restrictive thereof.
[0043] While specific language has been used to describe the disclosure, any limitations arising on account of the same are not intended. As would be apparent to a person skilled in the art, various working modifications may be made to the method in order to implement the inventive concept as taught herein.
[0044] The figures and the foregoing description give examples of embodiments. Those skilled in the art will appreciate that one or more of the described elements may well be combined into a single functional element. Alternatively, certain elements may be split into multiple functional elements. Elements from one embodiment may be added to another embodiment. For example, the order of processes described herein may be changed and are not limited to the manner described herein. Moreover, the actions of any flow diagram need not be implemented in the order shown; nor do all of the acts need to be necessarily performed. Also, those acts that are not dependent on other acts may be performed in parallel with the other acts. The scope of embodiments is by no means limited by these specific examples.
CLAIMS:
1. A system (100) for identifying and managing access of physical and digital assets comprising:
a processing subsystem (105) hosted on a server and configured to execute on a network to control bidirectional communications among a plurality of modules, wherein the plurality of modules comprising:
a user registration module (120) configured to receive user information from a user upon initiating an onboarding process via a link shared by an authority of an organization, wherein the user information comprises mobile number, name, email id, password, and date of birth, and Aadhaar identification number;
an activation module (122) operatively coupled to the user registration module (120), wherein the activation module (122) is configured to send an activation link and a one-time activation code to at least one of the mobile number and the email id of the user for facilitating the user to access a user application;
characterized in that,
an application setup module (124) operatively coupled to the activation module (122), wherein the application setup module (124) is configured to:
enable the user to input the one-time activation code for accessing the user application;
allow the user to create a primary key and secondary activation key upon providing the one-time activation code;
and
generate a unique algorithm based on the primary key and the secondary activation key on a user device, wherein the unique algorithm comprises an encoder for creating a virtual identification and a decoder corresponding to the encoder for interpreting the virtual identification, wherein the virtual identification employing zero trust principles and password-less access to ensure a high level of security;
a security module (126) operatively coupled to the application setup module (124), wherein the security module (126) is configured to:
allow download of the encoder in the user device upon activation of the unique algorithm thereby preventing the download of the encoder to multiple user devices; and
enable the user to establish an authentication personal identification number for accessing the encoder;
an access module (128) operatively coupled to the security module (126), wherein the access module (128) is configured to:
generate the virtual identification through the encoder upon accessing the encoder, wherein the virtual identification is a dynamic and one-time virtual identification; and
provide secure access to physical and digital assets via a mechanism, wherein the mechanism comprises use of quick response codes, token input, emergency radio frequency identification, and emergency universal serial bus charging, based on the generated virtual identification;
a monitoring module (130) operatively coupled to the access module (128), wherein the monitoring module (130) is configured to track a plurality of user activities post-access to physical and digital assets for ensuring compliance with organizational policies and detect any suspicious behavior;
a device management module (132) operatively coupled to the monitoring module (130), wherein the device management module (132) is configured to detect the user device bound to the user virtual identity when a plurality of devices tries to access the physical and digital assets; and
a security response module (134) operatively coupled to the device management module (132), wherein the security response module (134) is configured to:
auto-block a virtual identity upon detection of suspicious activity, wherein the suspicious activity comprises unauthorized asset access or the binding of multiple devices to a single virtual identity; and
alert the authority upon detection of the suspicious activity.
2. The system (100) as claimed in claim 1, wherein the user is one of an employee, vendor, and visitor in the organization to access physical and digital assets.
3. The system (100) as claimed in claim 1, wherein the user application is accessible via mobile devices, desktop computers, and web browsers.
4. The system (100) as claimed in claim 1, wherein the primary key and the secondary activation key are each a custom string or alphanumeric combination selected by the user.
5. The system (100) as claimed in claim 1, wherein the virtual identification generated for accessing the physical and digital assets is unique for each access attempt.
6. The system (100) as claimed in claim 1, wherein the authentication personal identification number comprises at least one of a numerical personal identification number, a biometric fingerprint, or facial recognition, enhancing the security and flexibility of the system (100).
7. The system (100) as claimed in claim 1, comprising an algorithm distribution module (136) operatively coupled to the application setup module (124), wherein the algorithm distribution module (136) is configured to ensure the encoder for generating the virtual identification is removed from a cloud network, post-download to the user device for ensuring the power to generate the virtual identification and the security of the algorithm are controlled by the user.
8. The system (100) as claimed in claim 1, wherein the quick response codes, token input, emergency radio frequency identification, and emergency universal serial bus charging serve as a physical token for accessing physical assets thereby providing an additional layer of security.
9. The system (100) as claimed in claim 1, wherein the security response module (134) incorporates a machine learning model to improve response to detected suspicious activities over time.
10. A method (300) for identifying and managing access of physical and digital assets comprising:
receiving, by a user registration module, user information from a user upon initiating an onboarding process via a link shared by an authority of an organization, wherein the user information comprises mobile number, name, email id, password, and date of birth, and Aadhaar identification number; (302)
sending, by an activation module, an activation link and a one-time activation code to at least one of the mobile number and the email id of the user for facilitating the user to access a user application; (304)
characterized in that,
enabling, by an application setup module, the user to input the one-time activation code for accessing the user application; (306)
allowing, by the application setup module, the user to create a primary key and secondary activation key upon providing the one-time activation code; (308)
generating, by the application setup module, a unique algorithm based on the primary key and the secondary activation key on a user device, wherein the unique algorithm comprises an encoder for creating a virtual identification and a decoder corresponding to the encoder for interpreting the virtual identification, wherein the virtual identification employing zero trust principles and password-less access to ensure a high level of security; (310)
allowing, by a security module, download of the encoder in the user device upon activation of the unique algorithm thereby preventing the download of the encoder to multiple user devices; (312)
enabling, by the security module, the user to establish an authentication personal identification number for accessing the encoder; (314)
generating, by an access module, the virtual identification through the encoder upon accessing the encoder, wherein the virtual identification is a dynamic and one-time virtual identification; (316)
providing, by the access module, secure access to physical and digital assets via a mechanism, wherein the mechanism comprises use of quick response codes, token input, emergency radio frequency identification, and emergency universal serial bus charging, based on the generated virtual identification; (318)
tracking, by a monitoring module, a plurality of user activities post-access to physical and digital assets for ensuring compliance with organizational policies and detect any suspicious behavior; (320)
detecting, by a device management module, the user device bound to the user virtual identity when a plurality of devices tries to access the physical and digital assets; (322)
auto-blocking, by a security response module, a virtual identity upon detection of suspicious activity, wherein the suspicious activity comprises unauthorized asset access or the binding of multiple devices to a single virtual identity; and (324)
alerting, by the security response module, the authority upon detection of the suspicious activity. (326)
Dated this 23rd day of April 2024
Signature
Jinsu Abraham
Patent Agent (IN/PA-3267)
Agent for the Applicant
| # | Name | Date |
|---|---|---|
| 1 | 202321055544-STATEMENT OF UNDERTAKING (FORM 3) [18-08-2023(online)].pdf | 2023-08-18 |
| 2 | 202321055544-PROVISIONAL SPECIFICATION [18-08-2023(online)].pdf | 2023-08-18 |
| 3 | 202321055544-PROOF OF RIGHT [18-08-2023(online)].pdf | 2023-08-18 |
| 4 | 202321055544-POWER OF AUTHORITY [18-08-2023(online)].pdf | 2023-08-18 |
| 5 | 202321055544-FORM FOR STARTUP [18-08-2023(online)].pdf | 2023-08-18 |
| 6 | 202321055544-FORM FOR SMALL ENTITY(FORM-28) [18-08-2023(online)].pdf | 2023-08-18 |
| 7 | 202321055544-FORM 1 [18-08-2023(online)].pdf | 2023-08-18 |
| 8 | 202321055544-EVIDENCE FOR REGISTRATION UNDER SSI(FORM-28) [18-08-2023(online)].pdf | 2023-08-18 |
| 9 | 202321055544-EVIDENCE FOR REGISTRATION UNDER SSI [18-08-2023(online)].pdf | 2023-08-18 |
| 10 | 202321055544-FORM-26 [13-10-2023(online)].pdf | 2023-10-13 |
| 11 | 202321055544-DRAWING [23-04-2024(online)].pdf | 2024-04-23 |
| 12 | 202321055544-CORRESPONDENCE-OTHERS [23-04-2024(online)].pdf | 2024-04-23 |
| 13 | 202321055544-COMPLETE SPECIFICATION [23-04-2024(online)].pdf | 2024-04-23 |
| 14 | 202321055544-FORM-9 [24-04-2024(online)].pdf | 2024-04-24 |
| 15 | 202321055544-STARTUP [25-04-2024(online)].pdf | 2024-04-25 |
| 16 | 202321055544-FORM28 [25-04-2024(online)].pdf | 2024-04-25 |
| 17 | 202321055544-FORM 18A [25-04-2024(online)].pdf | 2024-04-25 |
| 18 | Abstract1.jpg | 2024-05-27 |
| 19 | 202321055544-FER.pdf | 2024-09-19 |
| 20 | 202321055544-FORM 3 [01-10-2024(online)].pdf | 2024-10-01 |
| 21 | 202321055544-FER_SER_REPLY [08-01-2025(online)].pdf | 2025-01-08 |
| 22 | 202321055544-COMPLETE SPECIFICATION [08-01-2025(online)].pdf | 2025-01-08 |
| 23 | 202321055544-FORM-8 [03-04-2025(online)].pdf | 2025-04-03 |
| 1 | SearchHistoryE_10-09-2024.pdf | |