WO2009153402A1 - Method, arrangement and computer program for authentication data management - Google Patents

Method, arrangement and computer program for authentication data management Download PDF

Info

Publication number
WO2009153402A1
WO2009153402A1 PCT/FI2009/050530 FI2009050530W WO2009153402A1 WO 2009153402 A1 WO2009153402 A1 WO 2009153402A1 FI 2009050530 W FI2009050530 W FI 2009050530W WO 2009153402 A1 WO2009153402 A1 WO 2009153402A1
Authority
WO
WIPO (PCT)
Prior art keywords
user
data
authentication data
identification data
service
Prior art date
Application number
PCT/FI2009/050530
Other languages
French (fr)
Inventor
Juha Siivola
Original Assignee
Berling Finance Oy
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Berling Finance Oy filed Critical Berling Finance Oy
Publication of WO2009153402A1 publication Critical patent/WO2009153402A1/en

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0853Network architectures or network communication protocols for network security for authentication of entities using an additional device, e.g. smartcard, SIM or a different communication terminal
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/06Authentication
    • H04W12/068Authentication using credential vaults, e.g. password manager applications or one time password [OTP] applications
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W8/00Network data management
    • H04W8/18Processing of user or subscriber data, e.g. subscribed services, user preferences or user profiles; Transfer of user or subscriber data

Definitions

  • the invention relates to a method and arrangement for managing authentication data of a mobile application service.
  • Mobile terminals are identifiable by their unique identification code, e.g. an IMEI code (International Mobile Equipment Identity).
  • IMEI code International Mobile Equipment Identity
  • mobile devices have often a relatively short life cycle. For example, a mobile terminal may be replaced by a new one e.g. once a year or even more often. If the identifier of the terminal only is used for authenticating the terminal and/or user, the replacement of the terminal will void the established authentication data and will result as termination of use of the software and/or access to the authentication related data and services.
  • Mobile devices are typically also bound to a service provider that provides the data communication services to the device.
  • the service provider furnishes the terminal with an identification module such as a SIM card (Subscriber Identity
  • Each SIM card has a unique identifier, e.g. an IMSI code (International Mobile Subscriber Identity).
  • IMSI code International Mobile Subscriber Identity
  • information stored in a SIM card may be used for authenticating a user.
  • the SIM card may change for various reasons. When the card changes, the IMSI code will change as well. Thus, authentication that relies on the information of the SIM card, will stop working.
  • An individual user who may belong to a business organization typically has access to some application services provided by an application service provider.
  • One such service may be e.g. a hotel reservation service.
  • the service may be available to multiple different terminals, e.g. PCs and mobile terminals such as cellular phones.
  • the individual user or a business organization may have a preference profile within the service. For example, a user or an organization may have a specific discount rate or list of preferred hotels that an individual user or employees of an organization should use.
  • Patent application WO2007/091012 proposes an automated registration process that does not require a user to enter any details manually except for the initial request to subscribe to a service.
  • the process gathers information automatically about the user and the device used, which is then stored and used for user authentication during subsequent service requests following the initial subscription request.
  • the subsequent requests for service also do not require the user to manually input any user data.
  • WO 01/60098 discloses a method and system for obtaining identification information on monitored party in communication network infrastructure, e.g. GSM mobile communications network. Similar functionality that concerns obtaining device and subscription identification information and observing change in such information has also been disclosed in publications WO 2005/032183, US 2003/027581 , EP 1331833 and WO 2005/036916.
  • the invention discloses a method and arrangement for managing authentication data of a mobile application service.
  • An aspect of the invention is a method for managing authentication data of a user of a mobile application service, the authentication data comprising at least device identification data and service subscription identification data.
  • the method is characterized in that it comprises steps of observing a change in device identification data or in service subscription identification data, identifying the user using unchanged authentication data, and updating the authentication data of the identified user with the changed device or service subscription identification data.
  • the application service may be e.g. a business application service, e.g. a hotel reservation service.
  • the authentication data is used by the application service to identify a user of the application service.
  • the service subscription identification data may be related e.g. to a data communication service, e.g. GSM or 3G service.
  • the method is executable by means of a computer arrangement.
  • the unchanged authentication data may be e.g. device identification data, service subscription data or other user authentication data comprising e.g. a user ID and a password.
  • the unchanged authentication data may comprise a transaction identifier, e.g. a reservation code of a hotel reservation transaction, of an earlier transaction of the user.
  • the method may further comprise the step of verifying the new device or subscription identification data against a list of allowable device or subscription identifiers before updating the authentication data.
  • the device identification data may comprise e.g. an IMEI code.
  • the service subscription identification data identifies subscription of the telecommunication and/or data communication service established for a user and/or a mobile terminal.
  • the service subscription identification data may thus comprise e.g. data stored in a SIM card, e.g. an IMSI code.
  • the method may yet further comprise the step of prompting user for a confirmation before updating the authentication data.
  • the prompting may comprise e.g. requesting a user ID and/or password e.g. of a business application or a transaction id of an earlier transaction of the user.
  • a log entry may be created about the update transaction of the authentication data.
  • the step of identifying the user using unchanged authentication data may comprise e,g. requesting the user to enter a user ID and/or password.
  • Another aspect of the invention is an arrangement for managing authentication data of a user of a mobile application service, the authentication data comprising at least device identification data and service subscription identification data.
  • the arrangement is characterized in that the arrangement comprises means for observing a change in device identification data or in service subscription identification data, identifying the user using unchanged authentication data, and updating the authentication data of the user with the changed device or service subscription identification data.
  • Yet another aspect of the invention is computer program product for managing authentication data of a user of a mobile application service, the authentication data comprising at least device identification data and service subscription identification data.
  • the product is characterized in that it comprises computer executable instructions for observing a change in device identification data or in service subscription identification data, identifying the user using unchanged device or subscription identification data, and updating the authentication data of the user with the changed device or service subscription identification data.
  • Figure 2 shows a flow chart about registering a new user to an authentication system of an embodiment of the present invention
  • Figure 3 presents an exemplary flow chart of updating an IMSI code according to an embodiment of the invention.
  • Figure 4 presents an exemplary flow chart of updating an IMEI code according to an embodiment of the invention.
  • FIG. 1 depicts an arrangement of computing devices suitable for implementing an embodiment of the present invention.
  • the arrangement comprises at least one mobile terminal 100, e.g. a cellular phone.
  • the terminal comprises means for storing and accessing a unique identifier, e.g. an IMEI code, identifying the terminal device.
  • the terminal further comprises means for accessing a unique identifier, e.g. an IMSI code, of a subscription service.
  • the IMSI code may be stored e.g. in a detachable SIM card located inside the terminal device.
  • the terminal device is communicatively coupled 104 to a server computer 102 using a data communication network that is suitably a cellular phone network capable of packet data communication, e.g.
  • the communication protocol used in the data communication between the terminal and the server 102 may be e.g. secure HTTP (HTTPS) over TCP/IP.
  • HTTPS secure HTTP
  • the mobile terminal 100 is suitably, although not necessarily, capable of storing and executing custom made program software, e.g. a client application of the application service, e.g. a business application service, e.g. a hotel reservation service.
  • the server computer 102 comprises a data storage that contains, among other data, information about user accounts of the service.
  • the user authentication information of the user account information comprises the IMSI code and the IMEI code of the mobile terminal of a user.
  • the user account information may naturally contain also other data that is relevant to the user and the application service.
  • the arrangement may also comprise a workstation 101 , e.g. a personal computer that is also communicatively coupled 103 with the server computer 102 using a suitable wireline or wireless data communication network, e.g. Ethernet, WLAN or 3G network.
  • a suitable wireline or wireless data communication network e.g. Ethernet, WLAN or 3G network.
  • SMS Short Message Service
  • the workstation comprises suitable software, e.g. a web browser, for providing the application functionality of the application service to the user of the workstation 101.
  • the user of the workstation 101 may for example define new user accounts to the application service or maintain data of existing user accounts.
  • the exemplary flow chart of figure 2 depicts a method of registering a new user 200 to the application service.
  • An administrator user of e.g. a business application e.g. a travel manager of a corporation using a hotel reservation service
  • the data of the user account may comprise e.g. name of the user, phone number of the user, user ID and password of the user (usable e.g. when the user accesses the application service from a PC workstation or when an alternative or additional authentication method is required from the mobile user of the application service), organization of the user and permissions and preferences of the user in the application service.
  • the IMEI code of the terminal of the user is provided.
  • client software related to the application service may be installed on the mobile terminal of the new user 202 and started.
  • the client software may extract the IMSI and IMEI codes of the terminal and SIM card 203 and send the codes to the application server 204.
  • the application server may update the user account data identified by the IMEI code using the IMSI code received 205. This completes the creation and registration of a new user account.
  • the client application of the mobile terminal sends the IMSI and IMEI codes to the server computer (102 in figure 1 ) providing the application service.
  • the application server then authenticates the user based on the IMSI and/or IMEI codes received.
  • the network communication messages containing IMSI and/or IMEI codes are encrypted e.g. by the HTTPS protocol used.
  • FIG. 3 shows an exemplary method for performing such update 300.
  • the user of the mobile terminal inserts a new SIM card into the terminal 301 and starts the client application 302 of the application service.
  • the client application sends a log-in message to the application server (102 in figure 1 ).
  • the log-in message contains the IMEI code of the terminal and the IMSI code of the new SIM card.
  • the application service running in the application server When the application service running in the application server receives the message, it detects a change in the authentication data 304, i.e. an unknown IMSI code that is accompanied with a known IMEI code.
  • the application service is capable of identifying the user 305 using the known IMEI code.
  • the application service may optionally query from the user 306 whether the authentication information should be updated with the new IMSI code. Such query may be accompanied by a request of e,g, an application specific User ID and password or some other application specific data, e.g. a transaction ID (confirmation number) of a completed transaction. If the update is confirmed, the application server updates the IMSI code of the user account 307.
  • the application service may have access to a list of allowable IMSI codes.
  • such list may contain the IMSI codes of all SIM cards of a business organization.
  • the application service may check if the IMSI code of the new SIM card may be found from the list of allowable IMSI codes before the IMSI code of the user account is updated. This feature makes it possible to avoid e.g. the execution of step 306 which would require user interaction. In mobile systems, avoiding unnecessary user interaction is often desired because of the limited user interface capabilities of a mobile device.
  • FIG. 4 shows an exemplary method for performing such update 400.
  • the user of the mobile terminal inserts an old SIM card into the new terminal 401 , installs the client application in the new terminal 402 and starts the client application 403 of the application service.
  • the client application sends a log-in message 404 to the application server (102 in figure 1 ).
  • the log-in message contains the IMEI code of the new terminal and the IMSI code of the old SIM card.
  • the application service running in the application server receives the message, it detects a change in the authentication data 405, i.e. an unknown IMEI code that is accompanied with a known IMSI code.
  • the application service is capable of identifying the user 406 using the known IMSI code.
  • the application service may have access to a list of allowable IMEI codes. Such list may contain for example the IMEI codes of all mobile terminals of a business organization. In such cases, the application service may check 407 if the IMEI code of the new terminal may be found from the list of allowable ("pre-approved") IMEI codes before the IMEI code of the user account is updated. If the IMEI code is found from the list of allowable IMEI codes, the application server may now go ahead and update the IMEI code information of the user account 408. On the other hand, if the IMEI code is not found from the list of allowed mobile terminals of the application service, the update of the user account may be refused or the application may request additional confirmation from the user e.g. in the form of a application specific user ID and password.
  • the list of allowable IMEI codes together with the list of allowable IMSI codes form together a set of trusted combinations of terminals and service subscriptions.
  • the user In order to be a trusted user of a business application, the user must, in an embodiment, have a trusted terminal and a trusted service subscription.
  • the application service may request the user to confirm the change of IMSI and/or IMEI code using another user authentication method, e.g. by entering the user ID and password of the user.
  • the user ID and the password may be defined e.g. in the business application, e.g. a hotel reservation system.
  • a log entry may be created about each update transaction of IMSI or IMEI codes.
  • the update log provides a convenient way to check terminal and SIM update activities of the users of the application service.
  • the invention provides a method for maintaining with minimal administration work a sufficient degree of login security for applications such as mobile hotel reservation systems.
  • the embodiments of the invention further allow flexible exchange of mobile terminals or telecom service subscriptions without disturbing access to a mobile application service.
  • the convenience of logging on to the service using mobile terminal is at high level as no user ID or password is needed for the regular login process of a business application service, even when some of the authentication data changes.

Abstract

The invention discloses a method for managing authentication data of a user of a mobile application service, the authentication data comprising device identification data and service subscription identification data. The method is characterized in that the method comprises steps of observing a change in device identification data or in service subscription identification data, identifying the user based on unchanged authentication data, and updating the authentication data of the identified user with the changed device or service subscription identification data. Also an arrangement and a computer executable program product are disclosed.

Description

METHOD, ARRANGEMENT AND COMPUTER PROGRAM FOR AUTHENTICATION DATA MANAGEMENT
TECHNICAL FIELD OF INVENTION
The invention relates to a method and arrangement for managing authentication data of a mobile application service.
BACKGROUND OF THE INVENTION
Many services in a data communication network require authentication of user and/or terminal device before granting access to the service. Typically, authentication is done by prompting the user to provide a user ID and password. In mobile devices, entering text, e.g. a user ID or a password, is rather inconvenient as the device may lack a proper input device such as a QWERTY keyboard.
Mobile terminals are identifiable by their unique identification code, e.g. an IMEI code (International Mobile Equipment Identity). However, mobile devices have often a relatively short life cycle. For example, a mobile terminal may be replaced by a new one e.g. once a year or even more often. If the identifier of the terminal only is used for authenticating the terminal and/or user, the replacement of the terminal will void the established authentication data and will result as termination of use of the software and/or access to the authentication related data and services.
Mobile devices are typically also bound to a service provider that provides the data communication services to the device. The service provider furnishes the terminal with an identification module such as a SIM card (Subscriber Identity
Module). Each SIM card has a unique identifier, e.g. an IMSI code (International Mobile Subscriber Identity). According to prior art, information stored in a SIM card may be used for authenticating a user. However, the SIM card may change for various reasons. When the card changes, the IMSI code will change as well. Thus, authentication that relies on the information of the SIM card, will stop working.
An individual user who may belong to a business organization typically has access to some application services provided by an application service provider. One such service may be e.g. a hotel reservation service. The service may be available to multiple different terminals, e.g. PCs and mobile terminals such as cellular phones. The individual user or a business organization may have a preference profile within the service. For example, a user or an organization may have a specific discount rate or list of preferred hotels that an individual user or employees of an organization should use.
Patent application WO2007/091012 proposes an automated registration process that does not require a user to enter any details manually except for the initial request to subscribe to a service. The process gathers information automatically about the user and the device used, which is then stored and used for user authentication during subsequent service requests following the initial subscription request. The subsequent requests for service also do not require the user to manually input any user data.
WO 01/60098 discloses a method and system for obtaining identification information on monitored party in communication network infrastructure, e.g. GSM mobile communications network. Similar functionality that concerns obtaining device and subscription identification information and observing change in such information has also been disclosed in publications WO 2005/032183, US 2003/027581 , EP 1331833 and WO 2005/036916.
The various disclosures of prior art fail to teach a method of managing authentication data of a mobile application service efficiently and with minimum effect on the user and/or usability of the service in environments comprising mobile terminals where either the device or subscription identification data of the user of the mobile application service may change relatively often.
OBJECT OF THE INVENTION
The object of the present invention is to provide a method and system for managing authentication data for mobile application services in an environment where the identity of a mobile terminal or identity of a data communication service subscription may change. Another object of the invention is to provide an authentication data management method of a mobile application service that requires little input from the user for login purposes even when information used for login changes.
SUMMARY OF THE INVENTION
The invention discloses a method and arrangement for managing authentication data of a mobile application service.
An aspect of the invention is a method for managing authentication data of a user of a mobile application service, the authentication data comprising at least device identification data and service subscription identification data. The method is characterized in that it comprises steps of observing a change in device identification data or in service subscription identification data, identifying the user using unchanged authentication data, and updating the authentication data of the identified user with the changed device or service subscription identification data. The application service may be e.g. a business application service, e.g. a hotel reservation service. Suitably, the authentication data is used by the application service to identify a user of the application service.
The service subscription identification data may be related e.g. to a data communication service, e.g. GSM or 3G service.
Suitably, the method is executable by means of a computer arrangement.
The unchanged authentication data may be e.g. device identification data, service subscription data or other user authentication data comprising e.g. a user ID and a password. In some embodiments, the unchanged authentication data may comprise a transaction identifier, e.g. a reservation code of a hotel reservation transaction, of an earlier transaction of the user.
The method may further comprise the step of verifying the new device or subscription identification data against a list of allowable device or subscription identifiers before updating the authentication data.
The device identification data may comprise e.g. an IMEI code.
The service subscription identification data identifies subscription of the telecommunication and/or data communication service established for a user and/or a mobile terminal. The service subscription identification data may thus comprise e.g. data stored in a SIM card, e.g. an IMSI code.
The method may yet further comprise the step of prompting user for a confirmation before updating the authentication data. The prompting may comprise e.g. requesting a user ID and/or password e.g. of a business application or a transaction id of an earlier transaction of the user.
A log entry may be created about the update transaction of the authentication data. The step of identifying the user using unchanged authentication data may comprise e,g. requesting the user to enter a user ID and/or password.
Another aspect of the invention is an arrangement for managing authentication data of a user of a mobile application service, the authentication data comprising at least device identification data and service subscription identification data. The arrangement is characterized in that the arrangement comprises means for observing a change in device identification data or in service subscription identification data, identifying the user using unchanged authentication data, and updating the authentication data of the user with the changed device or service subscription identification data.
Yet another aspect of the invention is computer program product for managing authentication data of a user of a mobile application service, the authentication data comprising at least device identification data and service subscription identification data. The product is characterized in that it comprises computer executable instructions for observing a change in device identification data or in service subscription identification data, identifying the user using unchanged device or subscription identification data, and updating the authentication data of the user with the changed device or service subscription identification data.
Some embodiments of the invention are described herein, and further applications and adaptations of the invention will be apparent to those of ordinary skill in the art.
BRIEF DESCRIPTION OF DRAWINGS
In the following, the invention is described in greater detail with reference to the accompanying drawings in which Figure 1 shows an exemplary network of various computer devices usable in an embodiment of the present invention,
Figure 2 shows a flow chart about registering a new user to an authentication system of an embodiment of the present invention,
Figure 3 presents an exemplary flow chart of updating an IMSI code according to an embodiment of the invention and
Figure 4 presents an exemplary flow chart of updating an IMEI code according to an embodiment of the invention.
DETAILED DESCRIPTION OF THE DRAWINGS
Figure 1 depicts an arrangement of computing devices suitable for implementing an embodiment of the present invention. The arrangement comprises at least one mobile terminal 100, e.g. a cellular phone. The terminal comprises means for storing and accessing a unique identifier, e.g. an IMEI code, identifying the terminal device. The terminal further comprises means for accessing a unique identifier, e.g. an IMSI code, of a subscription service. The IMSI code may be stored e.g. in a detachable SIM card located inside the terminal device. The terminal device is communicatively coupled 104 to a server computer 102 using a data communication network that is suitably a cellular phone network capable of packet data communication, e.g. a GSM/GPRS network or a 3G network. The communication protocol used in the data communication between the terminal and the server 102 may be e.g. secure HTTP (HTTPS) over TCP/IP. The mobile terminal 100 is suitably, although not necessarily, capable of storing and executing custom made program software, e.g. a client application of the application service, e.g. a business application service, e.g. a hotel reservation service. The server computer 102 comprises a data storage that contains, among other data, information about user accounts of the service. In an embodiment, the user authentication information of the user account information comprises the IMSI code and the IMEI code of the mobile terminal of a user. The user account information may naturally contain also other data that is relevant to the user and the application service.
The arrangement may also comprise a workstation 101 , e.g. a personal computer that is also communicatively coupled 103 with the server computer 102 using a suitable wireline or wireless data communication network, e.g. Ethernet, WLAN or 3G network. In some embodiments, SMS (Short Message Service) communication may be used. The workstation comprises suitable software, e.g. a web browser, for providing the application functionality of the application service to the user of the workstation 101. The user of the workstation 101 may for example define new user accounts to the application service or maintain data of existing user accounts.
The exemplary flow chart of figure 2 depicts a method of registering a new user 200 to the application service. An administrator user of e.g. a business application (e.g. a travel manager of a corporation using a hotel reservation service) creates a new user account using a workstation (101 in figure 1 ) 201. The data of the user account may comprise e.g. name of the user, phone number of the user, user ID and password of the user (usable e.g. when the user accesses the application service from a PC workstation or when an alternative or additional authentication method is required from the mobile user of the application service), organization of the user and permissions and preferences of the user in the application service. Typically also the IMEI code of the terminal of the user is provided. Then, client software related to the application service may be installed on the mobile terminal of the new user 202 and started. Now the client software may extract the IMSI and IMEI codes of the terminal and SIM card 203 and send the codes to the application server 204. Now the application server may update the user account data identified by the IMEI code using the IMSI code received 205. This completes the creation and registration of a new user account. Subsequently, when the user wants to use the application service, the client application of the mobile terminal sends the IMSI and IMEI codes to the server computer (102 in figure 1 ) providing the application service. The application server then authenticates the user based on the IMSI and/or IMEI codes received. Suitably, although not necessarily, the network communication messages containing IMSI and/or IMEI codes are encrypted e.g. by the HTTPS protocol used.
When the SIM card of a user changes, e.g. because of a change of the telecom service provider or because of failure of the old SIM card, the IMSI code related to the user account changes. The authentication data of the user of the application service must in this case be updated. Figure 3 shows an exemplary method for performing such update 300. First, the user of the mobile terminal (100 in figure 1) inserts a new SIM card into the terminal 301 and starts the client application 302 of the application service. Upon starting, the client application sends a log-in message to the application server (102 in figure 1 ). The log-in message contains the IMEI code of the terminal and the IMSI code of the new SIM card. When the application service running in the application server receives the message, it detects a change in the authentication data 304, i.e. an unknown IMSI code that is accompanied with a known IMEI code. The application service is capable of identifying the user 305 using the known IMEI code. In some embodiments, the application service may optionally query from the user 306 whether the authentication information should be updated with the new IMSI code. Such query may be accompanied by a request of e,g, an application specific User ID and password or some other application specific data, e.g. a transaction ID (confirmation number) of a completed transaction. If the update is confirmed, the application server updates the IMSI code of the user account 307.
In some embodiments, the application service may have access to a list of allowable IMSI codes. For example, such list may contain the IMSI codes of all SIM cards of a business organization. In such cases, the application service may check if the IMSI code of the new SIM card may be found from the list of allowable IMSI codes before the IMSI code of the user account is updated. This feature makes it possible to avoid e.g. the execution of step 306 which would require user interaction. In mobile systems, avoiding unnecessary user interaction is often desired because of the limited user interface capabilities of a mobile device.
When the mobile terminal of a user changes, the IMEI code related to the user account changes. The authentication data of the user of the application service must in this case be updated. Figure 4 shows an exemplary method for performing such update 400. First, the user of the mobile terminal (100 in figure 1 ) inserts an old SIM card into the new terminal 401 , installs the client application in the new terminal 402 and starts the client application 403 of the application service. Upon starting, the client application sends a log-in message 404 to the application server (102 in figure 1 ). The log-in message contains the IMEI code of the new terminal and the IMSI code of the old SIM card. When the application service running in the application server receives the message, it detects a change in the authentication data 405, i.e. an unknown IMEI code that is accompanied with a known IMSI code. The application service is capable of identifying the user 406 using the known IMSI code.
In some embodiments, the application service may have access to a list of allowable IMEI codes. Such list may contain for example the IMEI codes of all mobile terminals of a business organization. In such cases, the application service may check 407 if the IMEI code of the new terminal may be found from the list of allowable ("pre-approved") IMEI codes before the IMEI code of the user account is updated. If the IMEI code is found from the list of allowable IMEI codes, the application server may now go ahead and update the IMEI code information of the user account 408. On the other hand, if the IMEI code is not found from the list of allowed mobile terminals of the application service, the update of the user account may be refused or the application may request additional confirmation from the user e.g. in the form of a application specific user ID and password.
The list of allowable IMEI codes together with the list of allowable IMSI codes form together a set of trusted combinations of terminals and service subscriptions. In order to be a trusted user of a business application, the user must, in an embodiment, have a trusted terminal and a trusted service subscription.
In some embodiments, e.g. when both the terminal and the SIM card are changed at the same time or when added security is desired, the application service may request the user to confirm the change of IMSI and/or IMEI code using another user authentication method, e.g. by entering the user ID and password of the user. The user ID and the password may be defined e.g. in the business application, e.g. a hotel reservation system.
In some embodiments, a log entry may be created about each update transaction of IMSI or IMEI codes. The update log provides a convenient way to check terminal and SIM update activities of the users of the application service.
The embodiments described herein illustrate various advantages of the present invention. For example, the invention provides a method for maintaining with minimal administration work a sufficient degree of login security for applications such as mobile hotel reservation systems. The embodiments of the invention further allow flexible exchange of mobile terminals or telecom service subscriptions without disturbing access to a mobile application service. Also the convenience of logging on to the service using mobile terminal is at high level as no user ID or password is needed for the regular login process of a business application service, even when some of the authentication data changes.
To a person skilled in the art, the foregoing exemplary embodiments illustrate the model presented in this application whereby it is possible to design different methods and arrangements, which in obvious ways to the expert, utilize the inventive idea presented in this application.

Claims

1. A method for managing authentication data of a user of a mobile application service, the authentication data comprising at least device identification data and service subscription identification data, characterized in that the method comprises steps of: a. observing a change in device identification data or in service subscription identification data, b. identifying the user using unchanged authentication data, and c. updating the authentication data of the identified user with the changed device and/or service subscription identification data.
2. A method according to claim 1 , characterized in that the method further comprises the step of verifying the new device or subscription identification data against a list of allowable device or subscription identifiers before updating the authentication data.
3. A method according to claim 1 , characterized in that said device identification data comprises an IMEI code.
4. A method according to claim 1 , characterized in that said service subscription identification data comprises data stored on a SIM card.
5. A method according to claim 4, characterized in that said service subscription data comprises an IMSI code.
6. A method according to claim 1 , characterized in that said method further comprises step of prompting user for a confirmation before updating said authentication data.
7. A method according to claim 1 , characterized in that the method further comprises the step of creating a log entry about said update of said authentication data.
8. A method according to claim 1 , characterized in that said step of identifying the user using said unchanged authentication data comprises requesting the user to enter a user ID and/or a password.
9. A method according to claim 1 , characterized in that said step of identifying the user using said unchanged authentication data comprises requesting a transaction identifier of an earlier transaction of the user.
10.An arrangement for managing authentication data of a user of a mobile application service, the authentication data comprising at least device identification data and service subscription identification data, characterized in that the arrangement comprises means for: a. observing a change in device identification data or in service subscription identification data, b. identifying the user using unchanged authentication data, and c. updating the authentication data of the user with the changed device or service subscription identification data.
11. A computer program product for managing authentication data of a user of a mobile application service, the authentication data comprising at least device identification data and service subscription identification data, characterized in that the program product comprises computer executable instructions for: a. observing a change in device identification data or in service subscription identification data, b. identifying the user using unchanged authentication data, and c. updating the authentication data of the user with the changed device or service subscription identification data.
PCT/FI2009/050530 2008-06-19 2009-06-17 Method, arrangement and computer program for authentication data management WO2009153402A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
FI20085624A FI20085624L (en) 2008-06-19 2008-06-19 Method, system and computer program for handling authentication data
FI20085624 2008-06-19

Publications (1)

Publication Number Publication Date
WO2009153402A1 true WO2009153402A1 (en) 2009-12-23

Family

ID=39589385

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/FI2009/050530 WO2009153402A1 (en) 2008-06-19 2009-06-17 Method, arrangement and computer program for authentication data management

Country Status (2)

Country Link
FI (1) FI20085624L (en)
WO (1) WO2009153402A1 (en)

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2012000161A1 (en) * 2010-06-28 2012-01-05 Qualcomm Incorporated System and method for subscription data optimization
EP2579630A3 (en) * 2011-06-01 2013-11-13 BlackBerry Limited Method for managing identity information after a SIM swap
US9154939B2 (en) 2011-06-01 2015-10-06 Blackberry Limited System and method for managing identity information after a SIM swap
EP3219128A4 (en) * 2014-11-13 2018-05-16 BlackBerry Limited System and method for providing service license aggregation across multiple physical and virtual sim cards
EP3219129A4 (en) * 2014-11-13 2018-05-16 BlackBerry Limited System and method for providing service license aggregation across multiple device sim cards

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2001060098A1 (en) * 2000-02-11 2001-08-16 Nokia Corporation Method and system for obtaining identification information on a monitored party in a communication network
US20030027581A1 (en) * 2001-07-31 2003-02-06 Nokia Corporation System and method for automatic provisioning detection and notification
EP1331833A1 (en) * 2002-01-24 2003-07-30 Vodafone Group PLC System and process for storing and updating mobile terminal features of the users of a mobile telephone network
WO2005032183A1 (en) * 2003-10-02 2005-04-07 Smarttrust Ab Method and mobile telecommunication network for detection of device information
WO2005036916A1 (en) * 2003-10-03 2005-04-21 Bitfone Corporation Network and method for registration of mobile devices and management of the mobile devices
WO2005053348A2 (en) * 2003-11-27 2005-06-09 Smarttrust Ab Method and network for detection of device information of mobile stations

Patent Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2001060098A1 (en) * 2000-02-11 2001-08-16 Nokia Corporation Method and system for obtaining identification information on a monitored party in a communication network
US20030027581A1 (en) * 2001-07-31 2003-02-06 Nokia Corporation System and method for automatic provisioning detection and notification
EP1331833A1 (en) * 2002-01-24 2003-07-30 Vodafone Group PLC System and process for storing and updating mobile terminal features of the users of a mobile telephone network
WO2005032183A1 (en) * 2003-10-02 2005-04-07 Smarttrust Ab Method and mobile telecommunication network for detection of device information
WO2005036916A1 (en) * 2003-10-03 2005-04-21 Bitfone Corporation Network and method for registration of mobile devices and management of the mobile devices
WO2005053348A2 (en) * 2003-11-27 2005-06-09 Smarttrust Ab Method and network for detection of device information of mobile stations

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2012000161A1 (en) * 2010-06-28 2012-01-05 Qualcomm Incorporated System and method for subscription data optimization
EP2579630A3 (en) * 2011-06-01 2013-11-13 BlackBerry Limited Method for managing identity information after a SIM swap
US9154939B2 (en) 2011-06-01 2015-10-06 Blackberry Limited System and method for managing identity information after a SIM swap
EP3219128A4 (en) * 2014-11-13 2018-05-16 BlackBerry Limited System and method for providing service license aggregation across multiple physical and virtual sim cards
EP3219129A4 (en) * 2014-11-13 2018-05-16 BlackBerry Limited System and method for providing service license aggregation across multiple device sim cards

Also Published As

Publication number Publication date
FI20085624L (en) 2009-12-20
FI20085624A0 (en) 2008-06-19

Similar Documents

Publication Publication Date Title
US10834583B2 (en) Automated credential porting for mobile devices
JP4722056B2 (en) Method and apparatus for personalization and identity management
US9661666B2 (en) Apparatus and methods of identity management in a multi-network system
US7703142B1 (en) Software license authorization system
US20190243631A1 (en) Enterprise firmware management
EP1953950B1 (en) A method for protecting network service application account, the system, and the apparatus thereof
US9531835B2 (en) System and method for enabling wireless social networking
EP3125593B1 (en) System and method for automatic detection and activation of a virtual sim on a mobile device
CA2500177C (en) Configuration of enterprise gateways
CN102088691B (en) Mobile phone mobile Internet user application certification recognition system and method
EP2316093B1 (en) System, method and apparatus for security management of an electronic device
CN102111275A (en) User authentication and authorization method and system for implementing user authentication and authorization method
US7853705B2 (en) On demand session provisioning of IP flows
EP2827621B1 (en) Application program distribution method, terminal and server
CN103023856A (en) Single sign-on method, single sign-on system, information processing method and information processing system
CN1795656B (en) Method of safety initialization users and data privacy
WO2009153402A1 (en) Method, arrangement and computer program for authentication data management
CN101640685A (en) Method and system for delivering private attribute information
US20080052771A1 (en) Method and System for Certifying a User Identity
US8751673B2 (en) Authentication apparatus, authentication method, and data using method
JP2016148919A (en) User attribute information management system and user attribute information management method
CN109460647B (en) Multi-device secure login method
JP4979723B2 (en) COMMUNICATION METHOD, COMMUNICATION SYSTEM, SERVICE PROVIDING BASE ACCESS METHOD
KR20150135171A (en) Login processing system based on inputting telephone number and control method thereof
CN109492434A (en) A kind of method for safely carrying out and system of electronics authority

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 09765968

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 09765968

Country of ref document: EP

Kind code of ref document: A1