CLIAMS:What is claimed is:
1. A method for validating identity of a visitor visiting a host organization , the method comprising:
i. receiving, from the visitor, an authorization message for authorizing access of profile information of the visitor, wherein the authorization message comprises a mobile identifier of the visitor and a host server identifier;
ii. verifying the authorization message with a stored mobile identifier of the visitor;
iii. fetching the profile information of the visitor using the mobile identifier of the visitor on verifying the authorization message; and
iv. transmitting the profile information of the at least one visitor to the host organization, using the host server identifier, for validating the identity of the visitor.
2. The method of claim 1, wherein the receiving the authorization message from the visitor further comprises transmitting mobile identifier of the visitor to the host organization from a visitor organization.
3. The method of claim 1, wherein the receiving the authorization message from the visitor further comprises receiving a request from the host organization for authorizing the access of profile information of the visitor on a mobile device of the visitor.
4. The method of claim 1, where in the mobile identifier is at least one of an International Mobile Equipment Identity (IMEI), an International Mobile Subscriber Identity (IMSI), Mobile Subscriber Integrated Services Digital Network-Number (MSISDN), a mobile digital signature of a mobile device associated with the at least one visitor.
5. The method of claim 1, wherein fetching the profile information of the visitor further comprises receiving the profile information from a visitor organization, wherein the profile information comprises a photo of the visitor, details of the visitor organization and an employee identifier of the visitor.
6. The method of claim 1, wherein the method further comprises notifying the visitor and a visitor organization on transmitting the profile information to the host organization.
7. A system for validating identity of a visitor visiting a host organization, wherein the system comprising:
a. a receiver, wherein the receiver is configured to receive an authorization message for authorizing access of profile information of the visitor;
b. one or more processors, wherein the one or more processors are configured to:
I. verify the received authorization message based on stored mobile identifier of the visitor; and
II. fetch the profile information of the visitor;
c. a transmitter, wherein the transmitter is configured to transmit the profile information of the visitor for validating the identity of the visitor; and
d. a storage module, wherein the storage module is configured to store the profile information of the visitor.
8. The system of claim 7, wherein the system further comprises a notification module to notify the visitor and a visitor organization on transmitting the profile information to the host organization.
,TagSPECI:METHOD AND SYSTEM FOR VALIDATING IDENTITY OF A VISITOR
FIELD OF THE INVENTION
[001] The present invention relates to physical access control and in particular, it relates to visitor identity validation of the physical access control system.
BACKGROUND
[002] Generally, organizations possess expensive equipments, trade secrets, sensitive information, and other such assets. These assets are of critical importance to the organizations. Therefore, organizations have a need to protect these assets from malicious entities. However, lack of physical access control makes it easier for a malicious entity to gain unauthorized access to these assets. The purpose of physical access control is to prevent transgressing acts like corporate espionage, sabotage, hacking, etc. A crucial step in physical access control relates to authentication of identity of every visitor physically accessing the organization.
[003] Authentication of the visitor identity is challenging when compared with authentication of the identity of a member of the organization. Since, identity information of the member is available with the organization; therefore the authentication of the member can be performed without much hassle. However, the identity information of the visitor is generally unavailable to the organization. Therefore, an effective visitor identity authentication system is needed in the organization.
[004] United States (US) patent application publication number 20130049928 A1 describes a method to authenticate a visitor of a visitor organization visiting a host organization. In this method, the visitor is asked, by the host organization, to enter an identifier of the visitor organization. The identifier is transmitted to the visitor organization over an electronic medium for verification. On receiving the identifier, the visitor organization verifies the visitor using stored identification profile of the visitor. Upon verification of the visitor, the visitor organization sends an acknowledgment regarding the authenticity of the visitor. However, the identifier can be compromised. Therefore, an unauthorized person can gain access to the identifier and enter the physical site of the host organization.
[005] United States (US) patent application publication number 20110078762 A1 describes a method to gather at least one piece of uniquely identifying visitor device information by a host organization. The method checks whether the uniquely identifying visitor device information is mapped to a visitor identity. On successful mapping, the visitor is permitted to enter a physical site of the host organization. However, this method is vulnerable as the visitor device can be compromised. Moreover, the device can be shared and therefore, even an unauthorized visitor can gain access to the device and can enter the host organization.
[006] In light of the above discussion, there is a need for a method and a system that would overcome above mentioned disadvantages.
BRIEF DESCRIPTION OF THE INVENTION
[007] The above-mentioned shortcomings, disadvantages and problems are addressed herein which will be understood by reading and understanding the following specification.
[008] In embodiments, the present invention provides a method for validating identity of at least one visitor visiting a host organization. The method includes receiving, from the visitor, an authorization message for authorizing access of profile information of the visitor, verifying the authorization message with stored mobile identifier of the visitor, fetching the profile information of the visitor using the mobile identifier of the visitor and transmitting the profile information of the visitor to the host organization for validating the identity of the visitor. The profile information of the visitor is fetched using the mobile identifier of the visitor. The authorization message includes a mobile identifier of the visitor and a host server identifier. The profile information of the visitor is transmitted to the host organization using the host server identifier.
[009] In an embodiment, the method further includes transmitting mobile identifier of the visitor to the host organization from a visitor organization.
[0010] In an embodiment, the method further includes receiving a request from the host organization for authorizing the access of profile information of the visitor on a mobile device of the visitor.
[0011] .In an embodiment, the mobile identifier of the visitor is at least one of an International Mobile Subscriber Identity (IMSI), a Mobile Subscriber Integrated Services Digital Network Number (MSISDN), and a mobile digital signature of a mobile device of the visitor.
[0012] In an embodiment, the method further includes the profile information having a photo of the visitor, details of the visitor organization and an employee identifier of the visitor.
[0013] In an embodiment, the method further includes notifying the visitor and a visitor organization on transmitting the profile information to the host organization.
[0014] In another aspect, the present invention provides a system for validating the identity of the visitor visiting the host organization. The system includes a receiver, a one or more processors, a transmitter, and a storage unit. The receiver is configured to receive an authorization message for authorizing access of the profile information of the visitor. The one or more processors are configured to verify the received the authorization message stored mobile identifier of the visitor and fetch the profile information. The transmitter is configured to transmit the profile information of the visitor for validating the identity of the visitor. The storage unit is configured to store the profile information of the visitor.
[0015] In an embodiment, the system further includes a notification module to notify the visitor and the visitor organization on transmitting the profile information to the host organization.
BRIEF DESCRIPTION OF THE DRAWINGS
[0016] Figure 1 illustrates a system for validating identity of at least one visitor visiting a host organization, in accordance with various embodiments of the present invention;
[0017] Figure 2 illustrates a flowchart for validating identity of the at least one visitor visiting the host organization, in accordance with various embodiments of the present invention;
[0018] Figure 3 illustrates a block diagram of a third party system for validating identity of at least one visitor visiting a host organization, in accordance with various embodiments of the present invention;
[0019] Figure 4 illustrates a block diagram of a subscriber identification module (SIM), in accordance with various embodiments of the present invention;
[0020] Figure 5 illustrates a screenshot of a mobile device on receiving an authorization request, in accordance with various embodiments of the present invention;
[0021] Figure 6 illustrates a screenshot of the mobile device on inputting a password to authorize the authorization request, in accordance with various embodiments of the present invention; and
[0022] Figure 7 illustrates a screenshot of the mobile device on sending an authorization response, in accordance with various embodiments of the present invention.
DETAILED DESCRIPTION OF THE INVENTION
[0023] In the following detailed description, reference is made to the accompanying drawings that form a part hereof, and in which is shown by way of illustration specific embodiments, which may be practiced. These embodiments are described in sufficient detail to enable those skilled in the art to practice the embodiments, and it is to be understood that other embodiments may be utilized and that logical, mechanical, electrical and other changes may be made without departing from the scope of the embodiments. The following detailed description is, therefore, not to be taken in a limiting sense.
[0024] Figure 1 illustrates a system 100 for validating identity of a visitor 110 visiting a host organization 150, in accordance with various embodiments of the present invention. The visitor 110 belonging to a visitor organization 130 visits the host organization 150. In an embodiment, the visitor organization 130 schedules a visit of the visitor 110 to the host organization 150. The host organization 150 includes a host server. The host server validates the identity of the visitor 110 using a third party system 140.
[0025] In one embodiment, the visitor 110 is a customer of bank PQR visits a bank XYZ. The customer having an account in the bank PQR wishes to withdraw funds from the bank XYZ using the account of the bank PQR. The bank XYZ includes a server. The server of the bank XYZ validates the identity of the customer using the third party system 140.
[0026] In an embodiment, the visitor 110 is an ambassador of a country X visiting an embassy of a country Y. The visitor 110 wishes to enter the embassy of the country Y. The embassy of the country Y includes a server. The server validates the identity of the ambassador of the country of X using the third party system 140.
[0027] In an embodiment, the visitor 110 is a subscriber having a mobile connection of mobile operator A wishing to transfer the mobile connection to a mobile operator B. The mobile operator B includes a server. The server of the mobile operator B validates the identity of subscriber using the third party system 140.
[0028] In context of the present invention, the third party system 140 refers to a system which validates the visitor 110 visiting the host organization 150.The third party system 140 stores information of the visitor 110 provided by the visitor organization 130. The third party system 140 is connected with the host server of the host organization 150 and a visitor server of the visitor organization 130.The host server of the host organization 150 validates the identity of the visitor 110 based on the information stored on the third party system 140.The third party system 140 communicates with a mobile device 120 of the visitor 110.
[0029] In an embodiment, as mentioned above, the third party system 140 is a web based server. The web based server stores information of the customer provided by the bank PQR. The web based server connects the bank XYZ and the bank PQR. The bank XYZ validates the customer based on the information stored on the web based server. The web based server communicates with the mobile device 120 of the customer visiting the bank XYZ.
[0030] In an embodiment, as mentioned above, the third party system 140 is an Embassy information system. The Embassy information system stores information of the ambassador provided by an embassy of the country X. The embassy of the country Y validates the ambassador based on the information stored on the Embassy information system. The Embassy information system communicates with the mobile device 120 of the ambassador visiting the embassy of the country Y.
[0031] In an embodiment, as mentioned above, the third party system 140 is a telecommunication server. The telecommunication server stores information of the subscriber provided by the mobile operator A. The mobile operator B validates the subscriber based on the information stored on the telecommunication server. The telecommunication server communicates with the mobile 120 of the subscriber.
[0032] In the context of the present invention, the mobile device 120 refers to a handheld electronic device that is associated with the visitor 110. The mobile device 120 of the visitor 110 communicates with the host server of the host organization 150 and the third party system 140. Examples of the mobile device 120 include but may not be limited to a cell phone, a smart phone, a personal digital assistant (PDA), a wireless email terminal, a laptop, and a tablet computer.
[0033] In an embodiment, the host server of the host organization 150 communicates with the mobile device 120 of the visitor 110 to access the information of the visitor 110. The visitor 110 communicates with the third party system 140 using the mobile device 120 to authorize the access to the information of the visitor 110. The host organization 150 receives the information from the third party system 140. Subsequently, the host organization 150 validates the visitor 110. The mobile device 120 communicates with the host server of the host organization 150 and the third party system 140 via a communication network.
[0034] Examples of the types of the communication network include but may not be limited to a local area network (LAN), a wide area network (WAN), a wireless network and a telecommunication network. Examples of the types of telecommunication network include but may not be limited to a global system for mobile communication (GSM) network, a general packet radio service (GPRS) network, a code division multiple access (CDMA) system, enhanced data GSM environment (EDGE) and wideband CDMA (WCDMA).
[0035] Figure 2 illustrates a flowchart 200 for validating identity of the visitor 110 visiting the host organization 150, in accordance with various embodiments of the present invention. At step 210, the flowchart 200 initiates. At step 220, the third party system 140 receives an authorization message from the mobile device 120 of the visitor 110. The authorization message includes a host server identifier and a mobile identifier of the visitor 110. The visitor 110 receives an authorization request to the mobile device 120 of the visitor 110. Subsequently, the visitor 110 sends the authorization message. The host organization 150 sends the authorization request to the mobile device 120 of the visitor 110. The host organization sends the authorization request of access to the information of the visitor 110 stored in the third party system 140. The host server identifier identifies the host server of the host organization 150. Examples of the host server identifier include but may not be limited to an IP address of the host server, a MAC address of the host server and an email id of the host organization.
[0036] In an embodiment, the visitor organization 130 sends the mobile identifier of the visitor 110, scheduled to visit the host organization 150, to the host organization 150. The host organization 150 sends the mobile identifier via the third party system 140. A member of reception department of the host organization 150 receives the visitor 110 on visiting the host organization 150. The member of the reception department of the host organization 150 checks for the mobile identifier of the visitor 110 using the host server of the host organization 150. On finding the mobile identifier, the member of the reception department of the host organization 150 sends the authorization message to the mobile device 120 of the visitor 110.
[0037] In context of the present invention, the mobile identifier refers to a digital identity provided via the mobile device 120 and the communication networks. In an embodiment, the mobile identifier is an identity code unique to the mobile device 120. Examples of the identity code include but may not be limited to an International Mobile Subscriber Identity (IMSI), Mobile Subscriber Integrated Services Digital Network-Number (MSISDN), and a mobile digital signature of the mobile device 120. In an example, a key generator present on the mobile device 120 generates the identity code. The identity code is used to identify the mobile device 120 uniquely. In another embodiment, the mobile identity refers to a biometric signature and a digital signature. The visitor 110 scans visitor 110’s biometric signature on the mobile device 120. The mobile device 120 generates and transmits a response including the digital signature of the visitor 110 and the scanned biometric signature. The digital signature is stored on the subscriber identification module (SIM) card or on the mobile device 120. The third party system 140 stores the mobile identifier of the visitor 110 and the digital signature corresponding to the mobile identifier of the visitor 110.
[0038] In an embodiment, the visitor 110 signs the authorization message with the digital signature of the visitor 110 corresponding to the mobile identifier of the visitor 110.
[0039] In an embodiment, the visitor organization 130 creates a profile of the visitor 110. The profile of the visitor 110 may include information but not be limited to the mobile identifier of the visitor 110, a photo of the visitor 110, an employee identifier of the visitor 110 and personal details of the visitor 110. The visitor organization 130 stores the profile of the visitor 110 on the third party system 140. The third party system 140 communicates with the visitor organization 130 to store the profile of the visitor 110. The host organization 150 sends the authorization request to the visitor 110 on visiting the host organization 150 for access to the profile of the visitor 110 corresponding to the received mobile identifier of the visitor 110.
[0040] At step 230, the third party system 140 verifies the authorization response received from the mobile device 110 of the visitor 110. The third party system 140 verifies the digital signature of the visitor 110 corresponding to the mobile identifier of the visitor 110 using the stored digital signature of the visitor 110.
[0041] In an embodiment, the third party system 140 transmits an approval request to the visitor server of the visitor organization 130. The approval request includes the mobile identifier of the visitor 110 and the host server identifier of the host server. The visitor organization 130 verifies the visitor 110 and the host organization 150 based on the mobile identifier of the visitor 110 and the host server identifier of the host server. On verifying the visitor 110 and the host organization 150, the visitor server of the visitor organization 130 transmits an approval response to the third party system 140. The third party system 140 receives the approval response from the visitor organization 130. Subsequently the third party system 140 verifies the digital signature of the visitor 110.
[0042] At step 240, the third party system 140 fetches the profile of the visitor 110.
[0043] At step 250, the third party system 140 transmits the profile of the visitor 110 to the host server of the host organization 150 using the host server identifier. The host organization 150 receives the profile of the visitor 110. Subsequently, the host organization validates the identity of the visitor 110.
[0044] In an embodiment, the member of the reception department of the host organization 150 accesses the profile of the visitor 110. The member of the reception department of the host organization 150 verifies the photo of the visitor 110, included in the profile of the visitor 110, with the visitor visiting the host organization 150.
[0045] In an embodiment, the third party system 140 sends a notification message to the visitor server of the visitor organization 130 on transmitting the profile of the visitor 110 to the host server of the host organization 150. The notification message includes the mobile identifier of the visitor 110 and the host server identifier of the host organization 150.
[0046] At step 260, the flowchart 200 terminates.
[0047] Figure 3 illustrates a block diagram 300 of the third party system 310, in accordance with the various embodiments of the present invention. The includes a receiver 320, a transmitter 330, a storage module 340 and one or more processors 350.
[0048] The receiver 320 receives the authorization message from the mobile device 120 of the visitor 110. The visitor sends the authorization message on receiving the authorization request from the host organization 130 to access the profile of the visitor 110. The authorization message includes the mobile identifier of the visitor 110 and the host server identifier of the host organization 150. In an embodiment, the receiver 320 receives the profile of the visitor 110 from the visitor organization 130.
[0049] The storage module 340 stores the received profile of the visitor 110. The profile of the visitor may include but not to be limited to the mobile identifier of the visitor 110, the photo of the visitor 110, employee id of the visitor 110 and the personal details of the visitor 110.
[0050] Further, the one or more processors 350 verifies the authorization message received from the visitor 110. The one or more processors verifies the digital signature corresponding to the received mobile identifier of the visitor 110 using the stored digital signature corresponding to the mobile identifier of the visitor 110. On verification, the one or processors 350 fetches the profile of the visitor 110.
[0051] The transmitter 330 transmits the fetched profile of the visitor to the host server of the host organization 150. The host organization validates the identity of the visitor 110 using the fetched profile of the visitor 110.
[0052] In an embodiment, the third party system 140 includes a notification module. The notification module sends a notification message to the visitor server of the visitor organization 130 on transmitting the profile of the visitor 110 to the host server of the host organization 150.
[0053] In an embodiment, the transmitter 330 transmits the approval request to the visitor server of the visitor organization 130. The approval request includes the mobile identifier of the visitor 110 and the host server identifier of the host server. The visitor organization 130 verifies the visitor 110 and the host organization 150 based on the mobile identifier of the visitor 110 and the host server identifier of the host server. The receiver 320 receives the approval response from the visitor server of the visitor organization 130. The one or processors 350 verifies the authorization message on receiving the approval response from the visitor server of the visitor organization 130.
[0054] Figure 4 is a block diagram 400 of a subscriber identification module (SIM) card 410, in accordance with various embodiments of the present invention. In an embodiment, as explained above, the subscriber identification module (SIM) card 410 is for storing the digital signature of the visitor 110. The subscriber identification module (SIM) card 410 follows Java Card specifications. Java-based applets and applications are run on the subscriber identification module (SIM) card 410.
[0055] The subscriber identification module (SIM) card 410 includes a hardware crypto processor 420, a SIM application 430, a symmetric encryption key 440, a secure key storage module 450 and an Integrated Circuit Card Identifier (ICCID) storage module 460. The hardware crypto processor 420 is a true random number generator. The hardware crypto processor 420 generates random numbers for cryptography.
[0056] The SIM application 430 refers to a SIM Application Toolkit (STK) installed on the subscriber identification module (SIM) card 410. The SIM application 430 is responsible for overall control of the subscriber identification module (SIM) card 410 concerning the digital signature. For example, the SIM application 530 generates the digital signature using the hardware crypto processor 520. In another example, as explained above, the SIM application 530 requires the customer 110 to enter a security pin to access the digital signature.
[0057] The symmetric encryption key 540 refers to an encryption key unique to the subscriber identification module (SIM) card 410. The symmetric encryption key 540 is stored in subscriber identification module (SIM) card 410 during the generation of the subscriber identification module (SIM) card 410. The symmetric encryption key 440 is used for secure communication. All incoming and outgoing communication arising from the SIM application 430 is encrypted with the symmetric encryption key 440. In an embodiment, the symmetric encryption key 440 is shared with a messaging server. The messaging server receives communication from the mobile device 120, decrypts the communication using the symmetric encryption key 440 and forwards the decrypted communication in a secure manner. Public key-private key pairs associated with the mobile device. In an embodiment, the secure key storage module 450 includes sixteen key slots. The key slots store two types of keys: a weaker key type for authentication purpose and a stronger key type for non-repudiation purpose.
[0058] The ICCID storage module 460 stores the Integrated Circuit Card Identifier (ICCID). ICCID uniquely identifies Subscriber Identification Module (SIM) card internationally. In an embodiment, the public key is associated with a combination of the ICCID and the MSISDN.
[0059] Figure 5 illustrates a screenshot 500 of the mobile device 510 of the visitor 110 on receiving the authorization request from the host server of the host organization 150, in accordance with various embodiments of the present invention. The host organization sends the authorization request of access to the profile of the visitor 110. On receiving the authorization request, the visitor is prompt to enter a password to sign the digital signature corresponding to the mobile identifier of the visitor 110. A OK button is used authorize the authorization request. A CANCEL button is used to discard the authorization request.
[0060] Figure 6 illustrates a screenshot of the mobile device 610 on inputting the password to authorize the authorization request, in accordance with various embodiments of the present invention. A password field 612 enables the visitor 110 to enter the password. A submit button 614 is used to send the authorization message to the third party system 140.
[0061] Figure 7 illustrates a screenshot 700 of the mobile device 710 of the visitor 110 on sending authorization message to the third party system 140, in accordance with various embodiments of the present invention. The mobile device 710 displays the confirmation message to confirm the sending.
[0062] The present invention overcomes the disadvantages of a conventional visitor identification system by identifying the visitor using the visitor's mobile identifier. In addition, the present invention stores the profile of the visitor using the visitor's mobile identifier. The profile of the visitor is accessible to the host organization only at the visitor's consent and thus, intact visitor's privacy. Furthermore, the present invention increases the efficiency of the visitor identification system by eliminating the scope of any malicious activity caused by a compromised visitor identifier.
[0063] The person skilled in the art appreciates that, the present invention is applicable for a plurality of visitors from a plurality of visitor organizations visiting a plurality host organizations. The third party system 140 is capable of validating a plurality mobile identifiers of the plurality of the visitors. The third party system 140 is capable of fetching plurality of profiles of the plurality of visitors. Furthermore, the third party system is capable of receiving the plurality of profiles of the plurality of visitors from the plurality of visitor organization.
[0064] This written description uses examples to describe the subject matter herein, including the best mode, and also to enable any person skilled in the art to make and use the subject matter. The patentable scope of the subject matter is defined by the claims, and may include other examples that occur to those skilled in the art. Such other examples are intended to be within the scope of the claims if they have structural elements that do not differ from the literal language of the claims, or if they include equivalent structural elements with insubstantial differences from the literal language of the claims.