US20170180363A1 - User profile selection using contextual authentication - Google Patents
User profile selection using contextual authenticationDownload PDFInfo
- Publication number
- US20170180363A1 US20170180363A1US15/449,568US201715449568AUS2017180363A1US 20170180363 A1US20170180363 A1US 20170180363A1US 201715449568 AUS201715449568 AUS 201715449568AUS 2017180363 A1US2017180363 A1US 2017180363A1
- Authority
- US
- United States
- Prior art keywords
- computing device
- user
- user profile
- biometric
- profile
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Abandoned
Links
Images
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/0861—Network architectures or network communication protocols for network security for authentication of entities using biometrical features, e.g. fingerprint, retina-scan
- G—PHYSICS
- G06—COMPUTING OR CALCULATING; COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/30—Authentication, i.e. establishing the identity or authorisation of security principals
- G06F21/31—User authentication
- G06F21/316—User authentication by observing the pattern of computer usage, e.g. typical user behaviour
- G—PHYSICS
- G06—COMPUTING OR CALCULATING; COUNTING
- G06N—COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
- G06N20/00—Machine learning
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/0884—Network architectures or network communication protocols for network security for authentication of entities by delegation of authentication, e.g. a proxy authenticates an entity to be authenticated on behalf of this entity vis-à-vis an authentication entity
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L67/00—Network arrangements or protocols for supporting network services or applications
- H04L67/2866—Architectures; Arrangements
- H04L67/30—Profiles
- H04L67/306—User profiles
- G—PHYSICS
- G06—COMPUTING OR CALCULATING; COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/30—Authentication, i.e. establishing the identity or authorisation of security principals
- G06F21/31—User authentication
- G—PHYSICS
- G06—COMPUTING OR CALCULATING; COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F2221/00—Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/21—Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/2105—Dual mode as a secondary aspect
Definitions
- the present disclosurerelates to the field of data processing, in particular, to presentation of resource (e.g., content) based at least in part on a user profile selected by contextual authentication.
- resourcee.g., content
- Some computing devicesare dynamically shared between multiple users.
- User profilesallow each user to have a more personalized user experience by allowing each user to have their own set of applications, social logins, bookmarks, and data. They can also be used to create guest profiles, allowing others to borrow a device without worrying about application or social login conflicts and data privacy. Profiles can also be used to restrict content for use by children to allow parental control of browsing, application usage, and in-app purchasing.
- User profilestypically require additional active user input to switch from one profile to another which interrupts the flow of the user experience by requiring extra interaction from the user as they pick a profile to load and/or provide active authentication information such as a password.
- FIG. 1is a block diagram of a computing device in an operating environment, in accordance with various embodiments.
- FIG. 2is a block diagram showing additional components of the computing device shown in FIG. 1 , in accordance with various embodiments.
- FIG. 3is a block diagram of a computing device, in accordance with various embodiments.
- FIG. 4is a flow diagram of an example process that may be implemented on various computing devices described herein, in accordance with various embodiments
- FIG. 5is a flow diagram of an example process that may be implemented on various computing devices described herein, in accordance with various embodiments.
- FIG. 6illustrates an example computing environment suitable for practicing various aspects of the disclosure, in accordance with various embodiments.
- FIG. 7illustrates an example storage medium with instructions configured to enable an apparatus to practice various aspects of the present disclosure, in accordance with various embodiments.
- phrase “A and/or B”means (A), (B), or (A and B).
- phrase “A, B, and/or C”means (A), (B), (C), (A and B), (A and C), (B and C), or (A, B and C).
- logicand “module” may refer to, be part of, or include an Application Specific Integrated Circuit (ASIC), an electronic circuit, a processor (shared, dedicated, or group) and/or memory (shared, dedicated, or group) that execute one or more software or firmware programs, a combinational logic circuit, and/or other suitable components that provide the described functionality.
- ASICApplication Specific Integrated Circuit
- modulemay refer to software, firmware and/or circuitry that is/are configured to perform or cause the performance of one or more operations consistent with the present disclosure.
- Softwaremay be embodied as a software package, code, instructions, instruction sets and/or data recorded on non-transitory computer readable storage mediums.
- Firmwaremay be embodied as code, instructions or instruction sets and/or data that are hard-coded (e.g., nonvolatile) in memory devices.
- Circuitrymay comprise, for example, singly or in any combination, hardwired circuitry, programmable circuitry such as computer processors comprising one or more individual instruction processing cores, state machine circuitry, software and/or firmware that stores instructions executed by programmable circuitry.
- the modulesmay collectively or individually be embodied as circuitry that forms a part of a computing device.
- the term “processor”may be a processor core.
- computing device 100may include a number of components 102 - 158 , including shared application 144 and trusted execution environment (TEE) 114 , configured to cooperate with each other, to select a user profile using contextual authentication and enable resources (such as contents) to be selectively consumed (viewed, modified, or deleted) by a logged-in user and/or a delegate user based at least in part on the selected user profile, alternatingly with ease.
- TEEtrusted execution environment
- computing device 100may include one or more processors or processor cores 102 , system memory 104 , a display 106 , and a sensor layer including a sensor hub 108 that may be coupled together and configured to cooperate with each other.
- the display 106may be a touch sensitive display that also serves as an input device in various embodiments.
- the terms “processor” and “processor cores”may be considered synonymous, unless the context clearly requires otherwise.
- the sensor layermay include one or more sensor devices, an input/output (TO) subsystem having IO controllers, internet protocol (IP) blocks, and control logic.
- TOinput/output
- IPinternet protocol
- the computing device 100may also include one or more chipsets 110 , one or more execution environments 112 , and one or more trusted execution environments (TEE) 114 .
- the sensor layermay include trusted IO technology that hardens the IO path between the sensor hub 108 and/or sensor devices and the TEE 114 .
- a TEEis a secure environment that may run alongside an operating system and which can provide secure services to that operating system. More information regarding TEEs and the implementation thereof may be found in the TEE client application programming interface (API) specification v1.0, the TEE internal API (application programming interface) specification v1.0, and the TEE system architecture v1.0 issued by GlobalPlatform.
- the devices described hereinmay include a TEE provided using one or more of virtualization technology, enhanced memory page protection, CPU cache as memory page protection, security co-processor technology, and combinations thereof.
- Non-limiting examples of such technologyinclude INTEL® VT-x virtualization technology, INTEL® VT-d virtualization technology, INTEL® trusted execution technology (TXT), Xeon® internet security and acceleration (ISA) “cache as RAM”, converged security engine (CSE) technology, converged security and manageability engine (CSME) technology, a security co-processor, manageability engine, trusted platform module, platform trust technology, ARM TRUSTZONE® technology, combinations thereof, and the like.
- CSEconverged security engine
- CSMEconverged security and manageability engine
- the sensor hub 108may be in signal communication with a motion sensor 116 , a fingerprint sensor 118 , a Bluetooth transceiver 120 , a microphone 122 , a wireless fidelity (WiFi) transceiver 124 , a speaker 126 , a camera 128 , an ultrasonic sensor 130 , and one or more other sensors 140 or input devices 142 .
- the camera 128may be a video camera.
- the motion sensor 116may include an accelerometer or gyroscope in various embodiments.
- the WiFi transceiver 124may operate according to at least one of the Institute of Electrical and Electronics Engineers (IEEE) 802.11 standards and the Bluetooth transceiver 120 may operate according to at least one of the standards defined by the Bluetooth Special Interest Group in various embodiments.
- IEEEInstitute of Electrical and Electronics Engineers
- the execution environment 112may include an operating system (OS) 142 , earlier described shared application 144 , and one or more modules 146 .
- the execution environment 112may also include storage 147 for various variables and resources.
- the earlier described TEE 114may include secure modules 150 and data 152 in various embodiments.
- the shared application 144 and operating system 142may, in cooperation with secure modules 150 , enforce respective access rights simultaneously for a plurality of users. In embodiments, a continuous passively authenticated context may be maintained for each of the plurality of users.
- the computing device 100may be in data communication with a local server 160 , a remote content server such as a media server 162 , or a social network server 164 over a network 166 by communicating with a wireless router 168 using the WiFi transceiver 124 .
- the shared application 144may have access to resources that may be consumed (viewed, modified, or deleted) by a logged-in user and/or a delegate user.
- the resourcesmay include local resources 158 stored on the computing device 100 or resources served or streamed by the local server 160 , the media server 162 , or the social network 164 in various embodiments.
- the resourcesmay include other types of resources not shown in embodiments.
- the logged-in usermay access the resources with a first set of resource access rights while a second delegate user may access the resources with a different set of access rights.
- the computing device 100may be a shared device such as a tablet computing device that may be used e.g., by a first user 170 , a second user 174 , or a third user 176 .
- one or more of the usersmay have a Bluetooth enabled device 180 , which may e.g., be a wearable device on the first user 170 .
- the modules 146 of the execution environment 112may include a login module 202 , an access control module 204 , and a presentation module 206 .
- the secure modules 150 of the TEE 114may include a contextual authentication module 210 that includes a sensor processing module 212 , a profile selection module 214 , and a classifier module 216 .
- the classifier module 216may classify data based on sensor output, application usage patterns, or user interface interaction patterns in a manner such that the data may be associated with particular users and the classifications of particular sensor data patterns, application usage patterns, or user interface interaction patterns may be considered to be user characteristics such that when a user characteristic changes it may be inferred that a user of the computing device 100 has changed.
- the classifier module 216may be a machine learning classifier in various embodiments.
- Embodimentsmay also include a user proximity module 218 as a part of the secure modules 150 in the TEE 114 .
- these modules 202 , 204 , 206 , 150 , 210 , 212 , 214 and 216may cooperate with each other to enable the shared application 144 and operating system 142 to enforce respective access rights simultaneously for the plurality of users, including continuous maintenance of a passively authenticated context for each of the plurality of users.
- the data 152 stored in the TEE 114may include a first user profile 230 , a second user profile 232 , a third user profile 234 , a first delegate profile 236 , a second delegate profile 238 , or one or more additional profiles 240 in various embodiments.
- User profilesare a way for users to have a more personalized and streamlined user experience. Profiles allow users to have their own set of applications, social logins, bookmarks, and data in one easily accessible and private place. They may be used to create guest profiles, allowing others to borrow a device without worrying about application or social login conflicts and data privacy. Profiles may also be used to restrict content for use by children to allow parental control of browsing, application usage, and in-app purchasing.
- automatic device state based profile settingsmay be applied on a per-application and a per-service basis.
- the contextual authentication module 210may distinguish user one 170 using social networking application A hosted by social network server 164 , users two and three using video streaming service B hosted by media server 162 , etc., and manage specific profiles for each.
- this automatic management of specific profilesmay be combined with machine learning of user characteristics, interactions, or behaviors during shared and/or single user sessions to tune the profile-controlled behavior for the applications and services to the user or combination of users. Preferences may be inferred for combinations of users, applications, and services from other profiles that involve those users, applications or services in various embodiments.
- the data 152may also include user characteristics templates 242 such as a first template 244 , a second template 246 , or a third template 248 .
- the user characteristics templates 242are based on biometric or behaviometric data generated by a machine learning classifier.
- the user characteristics templates 242may be included as a part of the user profiles.
- the first user profile 230may contain the first template 244
- the second user profile 232may contain the second template 246
- the third user profile 234may contain the third template 248 in embodiments.
- the data 152may also include a user focus identifier 260 in various embodiments.
- a biometrics and/or behaviometrics machine learning (ML) classifier or set of classifiersmay generate reference sample data suitable for establishing a user identity.
- the reference sample datamay be generated during a training process and stored as a biometric and/or behaviometric template such as templates 244 , 246 , or 248 .
- the user characteristics templates 242may be generated and stored by the classifier module 216 during a training process, for example.
- the classifier module 216may use machine learning to associate biometric user characteristics such as hand movement, gait, or image patterns based at least in part on sensor data with particular users.
- Biometric characteristics based on hand movementmay be based at least in part on accelerometers or gyroscopes detecting relatively imperceptible movements and characteristics based on gait may be based at least in part on accelerometers or gyroscopes detecting walking characteristics in various embodiments.
- the classifier module 216may also use machine learning to associate behaviometric user characteristics such as application usage patterns or user interface interaction patterns with particular users.
- the user characteristics templates 242may be generated and stored by other modules or generated by a different computing device and stored on the computing device 100 in other embodiments.
- the login module 202may be operated by the one or more processors 102 to authenticate a user of the computing device 100 .
- an active authentication factorsuch as a thumbprint reading using the fingerprint sensor 118 may be used.
- the access control module 204may be operated to establish an access control state corresponding to a user profile associated with the authenticated user. For example, if the login module 202 authenticates the first user 170 , a first access control state corresponding to the first user profile 230 associated with the first user 170 may be established by the access control module 204 .
- the presentation module 206operated by the one or more processors 102 , may present a resource to the authenticated user based at least in part on the established access control state.
- the contextual authentication module 210may be operated by the one or more processors 102 to detect a user interaction change associated with the computing device 100 that indicates a different user, such as the second user 174 , has device focus.
- the user interaction changemay include a change in biometric or behaviometric characteristics determined by processing sensor data or application or user interface usage data in various embodiments, for example.
- the contextual authentication module 210may continuously monitor passive authentication factors to detect user characteristics as the computing device 100 is being used such that when a change in user characteristics is detected indicating the computing device 100 is being used by a different user, a user profile may be assigned that corresponds to the current rather than the previous user, or alternatively corresponds to a delegate profile of the previous user that may also be based at least in part upon the current user.
- the sensor processing module 212may process a sensor output from the motion sensor 116 and generate the user focus identifier 260 indicating the second user 174 has device focus, for example.
- the profile selection module 214may be operated by the one or more processors 102 to select the second user profile 232 based on the user focus identifier 260 and the second template 246 .
- the contextual authentication module 210may include a biometrics and/or behaviometrics ML classifier or set of classifiers as a part of the classifier module 216 that generate sample data suitable for establishing a user identity based at least in part on user characteristics.
- Reference sample datasuch as may be stored in templates 244 , 246 , or 248 may be used to compare with the sampled data to determine a user match. This may include a match of a first user, a second user, or both users, for example.
- the contextual authentication module 210may also include a first user focus context classifier and a second user focus context classifier that determines when a user has device focus. Device focus may be established when a user is observing content on a display or other content rendering device, or when the user is inputting data through an input device such as a computer keyboard, mouse, microphone or camera.
- the user focus classifiersmay establish to the OS which user is logged-in and which user is a delegate of the first.
- the user proximity module 218may be operated by the one or more processors 102 to determine a proximity status associated with the currently logged in user, such as the first user 170 , after the user interaction change associated with the computing device 100 that indicates a different user has device focus is detected by the contextual authentication module 210 .
- the access control module 204may be operated by the one or more processors 102 to terminate the second access control state if the proximity status reaches a predetermined value.
- the predetermined valuemay correspond to an approximate distance, such as greater than thirty feet, for example. Other distances may also be used.
- An approximate distance of a user from the computing device 100may be determined using power levels associated with a received signal strength indicator (RSSI) or by using a geographic positioning system (GPS) location, for example.
- RSSIreceived signal strength indicator
- GPSgeographic positioning system
- the user proximity module 218may detect a proximity status regardless of whether a user interaction change has been detected.
- a computing device 300may include a host system on a chip (SOC) 302 in data communication with a contextual authentication technology (CAT) system 304 operating in a TEE.
- the host SOC 302may include a processor or processing cores, memory, graphics, virtualization, and other capabilities suitable for hosting an operating system (OS) and applications.
- OSoperating system
- the CAT system 304may be in signal communication with a sensor layer 306 .
- the sensor layer 306may include a sensor hub, one or more sensor devices, an input/output ( 10 ) subsystem that may include IO controllers, internet protocol (IP) blocks, and control logic.
- the sensor layer 306may also include trusted IO technology that hardens the IO path between the sensor hub and/or sensor devices and a TEE subsystem.
- Sensor devicesmay employ a variety of sensing technology and may include a video camera 308 , a microphone 309 , an ultrasonic sensor 310 , a multi-axis motion sensor 312 , a wireless radio 313 , and an RFID sensing device 314 in various embodiments. Additional or alternative sensors may also be included in embodiments.
- the CAT system 304may be implemented in a TEE and be in data communication with one or more user profiles 316 .
- Hosting the CAT system in a TEEmay provide additional protection against malware attacks that may exist on the host system OS or applications.
- the CAT system 304may include biometric and/or behaviometric machine learning (ML) classifiers 318 that may be used to generate sample data suitable for establishing a user identity based at least in part on user characteristics such as biometric or behaviometric information.
- Reference sample data based at least in part on user characteristics and stored in the user profiles 316may be used to compare with the generated sample data to determine a match of a first user, a second user, or both users.
- the CAT system 304may also include a first user focus context classifier 320 and a second user focus context classifier 322 that may determine when a user has device focus.
- Device focusmay be established when a user is observing content on a display or other content rendering device, or when a user is inputting data through an input device such as a computer keyboard, mouse, microphone or camera.
- the user focus context classifiers 320 , 322may establish to the OS which user is logged-in and which user is a delegate of the other.
- biometric and/or behaviometric ML classifiers 318 , the first user focus context classifier 320 , and the second user focus context classifier 322may be included as a part of the contextual authentication module 210 as discussed with respect to FIG. 2 .
- the computing device 300may be a tablet computing device and as a user picks up the computing device 300 , the CAT system 304 employs one or more sensors in combination with the ML classifiers 318 to determine who is attempting to use the computing device 300 .
- the CAT system 304may access the relevant user profile. If an unknown user is detected or the CAT system 304 cannot detect a particular user with a predetermined confidence level, the CAT system 304 may offer access to a guest profile.
- the host SOC 302may host an OS 324 that may allow operation based on user profiles, indicated in FIG. 3 as a logged-in user 326 and a delegate user 328 .
- the host SOC 302may host a shared application 330 that allows for varying access to one or more resources 332 based on access rules such as first user access rules 334 and second user access rules 336 .
- the shared application 330may have access to resources 332 that may be consumed (viewed, modified, deleted) by a logged-in user or by a delegate user.
- a first user 340 and a second user 342may share the computing device 300 and each have a user profile stored with the user profiles 316 as well as a biometric or behaviometric classifier stored with the classifiers 318 .
- the shared application 330 and the operating system 324may enforce the first user access rules 334 and the second user access rules 336 for the first user 340 and the second user 342 .
- the CAT system 304may maintain a continuous authenticated context for both the first and second users using passive authentication based at least in part on user characteristics such as biometric or behaviometric information rather than requiring an active authentication factor for every user switch.
- the logged-in user 326may access the resources 332 with a set of resource access rights while the delegate user 328 may access the resources 332 with a different set of access rights.
- some or all of the components of the computing device 300may be included as a part of the computing device 100 described with respect to FIGS. 1 and 2 .
- FIG. 4depicts an example process 400 for simultaneously managing access rights of multiple users that may be implemented by the computing device 100 or the computing device 300 described with respect to FIGS. 1-3 in accordance with various embodiments.
- the process 400may be performed by the login module 202 , access control module 204 , presentation module 206 , sensor processing module 212 , profile selection module 214 , classifier module 216 and/or user proximity module 218 .
- the process 400may be performed with more or less modules and/or with some operations in different order. As shown, for the embodiments, the process 400 may start at a block 402 .
- a first user log-inmay be facilitated, and user rights corresponding to a user profile associated with the first user may be assigned to a user context. This may be performed by accepting a presentation of the first user's thumbprint at the fingerprint sensor 118 such that the login module 202 may access the first user profile 230 and the access control module 204 may assign user access rights corresponding to the first user profile 230 , for example.
- the first usermay then be able to access resources such as local resources 158 or resources served or streamed from local server 160 , media server 162 , or social network server 164 based at least in part on the user access rights assigned by the access control module 204 .
- the computing device 100may monitor passive authentication factors in a continuous manner. This may be performed by the sensor processing module 212 of the contextual authentication module 210 monitoring the motion sensor 116 and the classifier module 216 generating biometric or behaviometric sample data based at least in part on output from the motion sensor 116 , for example. Multiple sensors may be monitored in embodiments or behavioral factors may be used instead of or in addition to biometric factors. Passive authentication factors may include any combination of biometric or behaviometric authentication factors in various embodiments.
- biometric authentication factorsmay include without limitation hand movement or gait characteristics based at least in part on motion sensor data, image patterns based at least in part on camera data, or user characteristics based at least in part on ultrasonic or infrared sensor data.
- Behaviometric authentication factorsmay include, without limitation, patterns of application usage or patterns of user interface interaction in various embodiments.
- a decision block 408it may be determined whether the first user is observed. This may be performed by the profile selection module 214 comparing biometric data generated by the classifier module 216 or the biometric ML classifier 318 at least partially based on information from the motion sensor 116 or 312 to reference data stored in the template 244 , for example.
- the sample and reference biometric or behaviometric data compared by the profile selection module 214may be based at least in part on any combination of sensor data or behavioral patterns in various embodiments and is not limited to information from the motion sensor 116 or 312 .
- the profile selection module 214may be comparing biometric data generated by the classifier module 216 or the biometric ML classifier 318 to reference data stored in the second template 246 and the third template 248 , for example. If a second user is observed, delegate user rights may be assigned to a second user context at a block 412 in various embodiments. This may be performed by the profile selection module 214 selecting the first delegate profile 236 based at least in part on the reference data in the second template 246 and biometric data generated by the biometric ML classifier 318 , for example.
- the second usermay then be able to consume one or more resources based at least in part on the assigned delegate user rights in various embodiments.
- Resource access rightsmay overlap between a logged-in user and a delegate of the logged-in user to support resource sharing (e.g., both may view a common display while consuming content).
- differential rightsmay also be enforced in some cases such as a delegate user may not be able to modify a file while having an input focus whereas a logged-in user may be able to modify a file while having input focus, for example. If, at the decision block 410 , a second observer was not observed, the process 400 may loop back to the operation 406 such that the monitoring of passive authentication factors continues.
- the first userif at the decision block 408 , the first user is not observed, it may be determined at a decision block 414 whether a second user is observed. If a second user is observed at the decision block 414 , the first user access rights may be rescinded at a block 416 . This may be performed by the access control module 204 based at least in part on data from the profile selection module 210 , for example.
- the block 416may also include logging in the second user and assigning user rights corresponding to a user profile associated with the second user. This may involve an active authentication factor such as a thumbprint presented at the fingerprint sensor 118 , in embodiments.
- the second usermay then, at a block 418 , logically become the first user for purposes of the logic of the process 400 .
- first and second user rightsmay be rescinded at a block 420 . This may be performed by the access control module 204 , in embodiments.
- the process 400may end at a block 422 after the first and second user access rights are rescinded. Although not shown, in embodiments, the process 400 may proceed to a state following the end block 422 where the system monitors for active authentication factors such as a thumbprint or a password as may occur if the process returned to the start block 402 , for example.
- FIG. 5depicts an example process 500 for presenting resources that may be implemented by the computing device 100 or 300 in accordance with various embodiments.
- the process 500may be performed by e.g., earlier described login module 202 , access control module 204 , presentation module 206 , sensor processing module 212 , profile selection module 214 , classifier module 216 and/or user proximity module 218 . In alternate embodiments, the process 500 may be performed by more or less modules, and/or in different order.
- a first user of the computing device 100such as the first user 170 , may be authenticated and a first user profile corresponding to the first user may be selected. This may occur by presentation of a thumbprint to the fingerprint reader 118 or user input of an authentication password in embodiments.
- a first access control state corresponding to a first user profile associated with the first usermay be established.
- a first access control state corresponding to the first user profile 230 associated with the first user 170may be established by the access control module 204 .
- a second user profilemay be selected that indicates a different user, such as the second user 174 , has device focus.
- selecting the second user profilemay include detecting a user characteristic change at a block 508 and selecting a second user profile at a block 510 based at least in part on the detected user characteristic change. Selecting the second user profile at the block 510 may also be based at least in part on the first user profile such that the second user profile may be a delegate profile relating to the first user profile.
- detecting a user characteristic change at the block 508may include monitoring one or more sensors such as the motion sensor 116 , the microphone 122 , the camera 128 , or the ultrasonic sensor 310 , for example. Detecting a user characteristic change may further include receiving a sensor output, such as from the motion sensor 116 at a block 508 and classifying the output such as with the classifier module 216 to determine whether characteristics such as biometric or behaviometric characteristics of the current user have changed. In embodiments, a movement of the computing device 100 or 300 may be detected that indicates the computing device has been picked up or has been passed from one person to another as a part of detecting a user characteristic change at the block 508 .
- Selecting a second user profile at the block 510may also be based at least in part on the sensor output and a previously stored template based at least in part on biometric information associated with the second user, the template generated by a machine learning classifier.
- the templatemay include biometric reference sample data such as that described with respect to template 246 that may be generated by the classifier module 216 during a training process, for example.
- receiving the sensor outputmay be performed by the sensor processing module 212 and selecting the user profile may be performed by the profile selection module 214 , for example.
- a second access control state based at least in part on the second user profilemay be established. This may be performed by the access control module 204 , for example.
- the second access control statemay be based at least in part on a delegate user profile.
- a proximity status associated with the first usermay be determined at a block 514 after establishing the second access control state. This may be performed by the user proximity module 218 based at least in part on information received from the Bluetooth enabled device 180 received by the sensor processing module 212 , for example.
- a decision block 516it may be determined whether the proximity status has reached a predetermined value. For example, it may be determined whether the proximity status has reached a level corresponding to greater than approximately 30 feet away from the computing device 100 . If, at the decision block 516 , it is determined that the proximity status has not reached the predetermined value, a resource may be presented at a block 518 based at least in part on the second access control state. If, at the decision block 516 , it is determined that the proximity status has reached the predetermined value, the second access state may be terminated at a block 520 .
- computer 600may include one or more processors or processor cores 602 , and system memory 604 .
- processorsor processor cores 602
- system memory 604for the purpose of this application, including the claims, the terms “processor” and “processor cores” may be considered synonymous, unless the context clearly requires otherwise.
- computer 600may include one or more graphics processors 605 , mass storage devices 606 (such as diskette, hard drive, compact disc read only memory (CD-ROM) and so forth), input/output devices 608 (such as display, keyboard, cursor control, remote control, gaming controller, image capture device, and so forth), sensor hub 609 that may function in a similar manner as that described with respect to sensor hub 108 of FIG. 1 , and communication interfaces 610 (such as network interface cards, modems, infrared receivers, radio receivers (e.g., Bluetooth), and so forth).
- the elementsmay be coupled to each other via system bus 612 , which may represent one or more buses. In the case of multiple buses, they may be bridged by one or more bus bridges (not shown).
- system memory 604 and mass storage devices 606may be employed to store a working copy and a permanent copy of the programming instructions implementing the operations associated with the computing device 100 or the computing device 300 , e.g., operations described for modules 146 , 150 , 202 , 204 , 206 , 210 , 212 , 214 , 216 , 218 , 318 , 320 , and 322 shown in FIGS. 1-3 , or operations shown in process 400 of FIG. 4 or process 500 of FIG. 5 , collectively denoted as computational logic 622 .
- the system memory 604 and mass storage devices 606may also be employed to store a working copy and a permanent copy of the programming instructions implementing the operations associated with the OS 142 , the application 144 , the OS 324 , and the application 330 .
- the system memory 604 and mass storage devices 606may also be employed to store the data 152 , the local resources 158 , the user profiles 316 , and the resources 332 .
- the various elementsmay be implemented by assembler instructions supported by processor(s) 602 or high-level languages, such as, for example, C, that can be compiled into such instructions.
- the permanent copy of the programming instructionsmay be placed into mass storage devices 606 in the factory, or in the field, through, for example, a distribution medium (not shown), such as a compact disc (CD), or through communication interface 610 (from a distribution server (not shown)). That is, one or more distribution media having an implementation of the agent program may be employed to distribute the agent and program various computing devices.
- a distribution mediumsuch as a compact disc (CD)
- CDcompact disc
- communication interface 610from a distribution server (not shown)
- the number, capability and/or capacity of these elements 608 - 612may vary, depending on whether computer 600 is a stationary computing device, such as a set-top box or desktop computer, or a mobile computing device such as a tablet computing device, laptop computer or smartphone. Their constitutions are otherwise known, and accordingly will not be further described.
- FIG. 7illustrates an example at least one non-transitory computer-readable storage medium 702 having instructions configured to practice all or selected ones of the operations associated with the computing device 100 or the computing device 300 , earlier described, in accordance with various embodiments.
- at least one computer-readable storage medium 702may include a number of programming instructions 704 .
- the storage medium 702may represent a broad range of persistent storage medium known in the art, including but not limited to flash memory, dynamic random access memory, static random access memory, an optical disk, a magnetic disk, etc.
- Programming instructions 704may be configured to enable a device, e.g., computer 600 , computing device 100 , or computing device 300 , in response to execution of the programming instructions, to perform, e.g., but not limited to, various operations described for modules 146 , 150 , 202 , 204 , 206 , 210 , 212 , 214 , 216 , 218 , 318 , 320 , and 322 shown in FIGS. 1-3 , or operations of process 400 of FIG. 4 or process 500 of FIG. 5 .
- programming instructions 704may be disposed on multiple computer-readable storage media 702 .
- processors 602may be packaged together with memory having computational logic 622 configured to practice aspects described for modules 146 , 150 , 202 , 204 , 206 , 210 , 212 , 214 , 216 , 218 , 318 , 320 , and 322 shown in FIGS. 1-3 , or operations of process 400 or FIG. 4 or process 500 of FIG. 5 .
- processors 602may be packaged together with memory having computational logic 622 configured to practice aspects described for modules 146 , 150 , 202 , 204 , 206 , 210 , 212 , 214 , 216 , 218 , 318 , 320 , and 322 shown in FIGS. 1-3 , or operations of process 400 of FIG. 4 or process 500 of FIG. 5 to form a System in Package (SiP).
- SiPSystem in Package
- processors 602may be integrated on the same die with memory having computational logic 622 configured to practice aspects described for modules 146 , 150 , 202 , 204 , 206 , 210 , 212 , 214 , 216 , 218 , 318 , 320 , and 322 shown in FIGS. 1-3 , or operations of process 400 of FIG. 4 or process 500 of FIG. 5 .
- processors 602may be packaged together with memory having computational logic 622 configured to practice aspects of process 400 of FIG. 4 or process 500 of FIG. 5 to form a System on Chip (SoC).
- SoCSystem on Chip
- the SoCmay be utilized in, e.g., but not limited to, a mobile computing device such as a computing tablet and/or a smartphone.
- Machine-readable mediaincluding non-transitory machine-readable media, such as machine-readable storage media
- methods, systems and devices for performing the above-described techniquesare illustrative examples of embodiments disclosed herein. Additionally, other devices in the above-described interactions may be configured to perform various disclosed techniques.
- Example 1may include a computing device comprising: one or more processors; a memory coupled with the one or more processors; a login module operated by the one or more processors to authenticate a first user of the device and establish a first access control state corresponding to a first user profile associated with the first user; a contextual authentication module operated by the one or more processors to select a second user profile based at least in part on a changed user characteristic; and a presentation module operated by the one or more processors to present a resource based at least in part on the second user profile.
- Example 2may include the subject matter of Example 1, wherein the computing device further comprises a sensor, and wherein the contextual authentication module comprises: a profile selection module operated by the one or more processors to select the second user profile based at least in part on an output of the sensor and a previously stored template generated by a machine learning classifier.
- the contextual authentication modulecomprises: a profile selection module operated by the one or more processors to select the second user profile based at least in part on an output of the sensor and a previously stored template generated by a machine learning classifier.
- Example 3may include the subject matter of Example 2, wherein the sensor is a motion sensor and wherein the profile selection module comprises a biometric machine learning classifier, wherein the profile selection module is to perform a biometric information classification of the output of the sensor and select the second user profile based at least in part on the biometric information classification and the previously stored template.
- Example 4may include the subject matter of any one of Examples 1-3, wherein the login module is to authenticate the first user of the device based at least in part on an active authentication factor.
- Example 5may include the subject matter of any one of Examples 1-4, wherein the computing device further comprises: an access control module operated by the one or more processors to establish a second access control state based at least in part on the second user profile; and a user proximity module operated by the one or more processors to determine a proximity status associated with the first user , wherein the access control module is operated by the one or more processors to terminate the second access control state if the proximity status reaches a predetermined value.
- Example 6may include the subject matter of any one of Examples 1-5, wherein the computing device further comprises a trusted execution environment operated by one of the processors to host operation of the contextual authentication module.
- Example 7may include the subject matter of any one of Examples 1-6, wherein the contextual authentication module is operated by the one or more processor to select a delegate profile as the second user profile.
- Example 8may include the subject matter of any one of Examples 1-5, wherein the computing device is a tablet computing device, wherein the contextual authentication module comprises a profile selection module operated by the one or more processors in a trusted execution environment to select a second user profile based at least in part on a previously stored template generated by a machine learning classifier.
- the computing deviceis a tablet computing device
- the contextual authentication modulecomprises a profile selection module operated by the one or more processors in a trusted execution environment to select a second user profile based at least in part on a previously stored template generated by a machine learning classifier.
- Example 9may include a computer implemented method comprising: authenticating, by a computing device, a first user of the device; establishing, by the computing device, a first access control state corresponding to a first user profile associated with the first user; selecting, by the computing device, a second user profile based at least in part on a changed user characteristic; and presenting, by the computing device, a resource based at least in part on the second user profile.
- Example 10may include the subject matter of Example 9, wherein selecting, by the computing device, the second user profile comprises: receiving, by the computing device, a sensor output; performing a classification of the sensor output to generate sample data; and selecting, by the computing device, the second user profile based at least in part on the sample data and a previously stored template generated by a machine learning classifier.
- Example 11may include the subject matter of Example 10, wherein receiving comprises receiving a sensor output from a motion sensor, wherein performing comprises performing a biometric classification of the motion sensor output to generate biometric sample data, and wherein selecting comprises selecting the second user profile based at least in part on the biometric sample data and a previously stored biometric template generated by a biometric machine learning classifier.
- Example 12may include the subject matter of any one of Examples 9-11, wherein authenticating, by the computing device, the first user of the device is based at least in part on an active authentication factor.
- Example 13may include the subject matter of any one of Examples 9-12, further comprising: establishing, by the computing device, a second access control state based at least in part on the second user profile; determining, by the computing device, a proximity status associated with the first user; and terminating, by the computing device, the second access control state if the proximity status reaches a predetermined value.
- Example 14may include the subject matter of any one of Examples 9-13, wherein selecting, by the computing device, the second user profile based at least in part on the changed user characteristic is performed in a trusted execution environment.
- Example 15may include the subject matter of any one of Examples 9-14, wherein the second user profile is a delegate profile.
- Example 16may include the subject matter of any one of Examples 9-13, wherein the computing device is a tablet computing device, wherein selecting, by the computing device, the second user profile based at least in part on the changed user characteristic comprises selecting in a trusted execution environment, by the computing device, a second user profile based at least in part on a previously stored template generated by a machine learning classifier.
- Example 17may include at least one non-transitory computer-readable medium comprising instructions stored thereon that, in response to execution of the instructions by a computing device, cause the computing device to: authenticate a first user of the device; establish a first access control state corresponding to a first user profile associated with the first user; select a second user profile based at least in part on a changed user characteristic; and present a resource based at least in part on the second user profile.
- Example 18may include the subject matter of Example 17, wherein to select the second user profile, the computing device is caused to: perform a classification of a sensor output to generate sample data; and select a second user profile based at least in part on the sample data and a previously stored template generated by a machine learning classifier.
- Example 19may include the subject matter of Example 18, wherein the computing device is caused to perform a biometric classification of a motion sensor output to generate biometric sample data and wherein the computing device is caused to select the second user profile based at least in part on the biometric sample data and a previously stored biometric template generated by a biometric machine learning classifier.
- Example 20may include the subject matter of any one of Examples 17-19, wherein the computing device is caused to authenticate the first user of the device based at least in part on an active authentication factor.
- Examplemay include the subject matter of any one of Examples 17-20, wherein the computing device is further caused to: establish a second access control state based at least in part on the second user profile; determine a proximity status associated with the first user; and terminate the second access control state if the proximity status reaches a predetermined value.
- Examplemay include the subject matter of any one of Examples 17-21, wherein the computing device is further caused to select the second user profile in a trusted execution environment.
- Example 23may include the subject matter of any one of Examples 17-22, wherein the computing device is further caused to select a delegate profile as the second user profile.
- Example 24may include the subject matter of any one of Examples 17-21, wherein the computing device is a tablet computing device, wherein the tablet computing device is caused to select the second user profile in a trusted execution environment of the tablet computing device based at least in part on a previously stored template generated by a machine learning classifier.
- Example 25may include a computing device comprising: means for authenticating a first user of the device; means for establishing a first access control state corresponding to a first user profile associated with the first user; means for selecting a second user profile based at least in part on a changed user characteristic; and means for presenting a resource based at least in part on the second user profile.
- Example 26may include the subject matter of Example 25, wherein the means for selecting the second user profile comprises: means for receiving a sensor output; means for performing a classification of the sensor output to generate sample data; and means for selecting the second user profile based at least in part on the sample data and a previously stored template generated by a machine learning classifier.
- Example 27may include the subject matter of Example 26, wherein the means for receiving comprises means for receiving a sensor output from a motion sensor, wherein the means for performing comprises means for performing a biometric classification of the motion sensor output to generate biometric sample data, and wherein the means for selecting comprises means for selecting the second user profile based at least in part on the biometric sample data and a previously stored biometric template generated by a biometric machine learning classifier.
- Example 28may include the subject matter of any one of Examples 25-27, wherein the means for authenticating the first user of the device is based at least in part on an active authentication factor.
- Example 29may include the subject matter of any one of Examples 25-28, further comprising: means for establishing a second access control state based at least in part on the second user profile; means for determining a proximity status associated with the first user; and means for terminating the second access control state if the proximity status reaches a predetermined value.
- Example 30may include the subject matter of any one of Examples 25-29, wherein the means for selecting the second user profile based at least in part on the changed user characteristic is in a trusted execution environment.
- Example 31may include the subject matter of any one of Examples 25-30, wherein the second user profile is a delegate profile.
- Example 32may include the subject matter of any one of Examples 25-29, wherein the computing device is a tablet computing device, wherein the means for selecting the second user profile based at least in part on the changed user characteristic comprises means for selecting in a trusted execution environment a second user profile based at least in part on a previously stored template generated by a machine learning classifier.
Landscapes
- Engineering & Computer Science (AREA)
- General Engineering & Computer Science (AREA)
- Computer Hardware Design (AREA)
- Computer Security & Cryptography (AREA)
- Theoretical Computer Science (AREA)
- Signal Processing (AREA)
- Computer Networks & Wireless Communication (AREA)
- General Health & Medical Sciences (AREA)
- Computing Systems (AREA)
- Health & Medical Sciences (AREA)
- Software Systems (AREA)
- Physics & Mathematics (AREA)
- General Physics & Mathematics (AREA)
- Biomedical Technology (AREA)
- Social Psychology (AREA)
- Artificial Intelligence (AREA)
- Computer Vision & Pattern Recognition (AREA)
- Data Mining & Analysis (AREA)
- Evolutionary Computation (AREA)
- Medical Informatics (AREA)
- Mathematical Physics (AREA)
- User Interface Of Digital Computer (AREA)
Abstract
Description
- The present application is a continuation of U.S. application No. 14/581,659, filed Dec. 23, 2014, entitled, “USER PROFILE SELECTION USING CONTEXTUAL AUTHENTICATION”. The application is hereby incorporated by reference herein in its entirety for all purposes.
- The present disclosure relates to the field of data processing, in particular, to presentation of resource (e.g., content) based at least in part on a user profile selected by contextual authentication.
- The background description provided herein is for the purpose of generally presenting the context of the disclosure. Unless otherwise indicated herein, the materials described in this section are not prior art to the claims in this application and are not admitted to be prior art by inclusion in this section.
- Some computing devices, such as tablet computers, are dynamically shared between multiple users. User profiles allow each user to have a more personalized user experience by allowing each user to have their own set of applications, social logins, bookmarks, and data. They can also be used to create guest profiles, allowing others to borrow a device without worrying about application or social login conflicts and data privacy. Profiles can also be used to restrict content for use by children to allow parental control of browsing, application usage, and in-app purchasing. User profiles typically require additional active user input to switch from one profile to another which interrupts the flow of the user experience by requiring extra interaction from the user as they pick a profile to load and/or provide active authentication information such as a password.
- Embodiments will be readily understood by the following detailed description in conjunction with the accompanying drawings. To facilitate this description, like reference numerals designate like structural elements. Embodiments are illustrated by way of example, and not by way of limitation, in the Figures of the accompanying drawings.
FIG. 1 is a block diagram of a computing device in an operating environment, in accordance with various embodiments.FIG. 2 is a block diagram showing additional components of the computing device shown inFIG. 1 , in accordance with various embodiments.FIG. 3 is a block diagram of a computing device, in accordance with various embodiments.FIG. 4 is a flow diagram of an example process that may be implemented on various computing devices described herein, in accordance with various embodimentsFIG. 5 is a flow diagram of an example process that may be implemented on various computing devices described herein, in accordance with various embodiments.FIG. 6 illustrates an example computing environment suitable for practicing various aspects of the disclosure, in accordance with various embodiments.FIG. 7 illustrates an example storage medium with instructions configured to enable an apparatus to practice various aspects of the present disclosure, in accordance with various embodiments.- In the following detailed description, reference is made to the accompanying drawings which form a part hereof wherein like numerals designate like parts throughout, and in which is shown by way of illustration embodiments that may be practiced. It is to be understood that other embodiments may be utilized and structural or logical changes may be made without departing from the scope of the present disclosure. Therefore, the following detailed description is not to be taken in a limiting sense, and the scope of embodiments is defined by the appended claims and their equivalents.
- Various operations may be described as multiple discrete actions or operations in turn, in a manner that is most helpful in understanding the claimed subject matter. However, the order of description should not be construed as to imply that these operations are necessarily order dependent. In particular, these operations may not be performed in the order of presentation. Operations described may be performed in a different order than the described embodiment. Various additional operations may be performed and/or described operations may be omitted in additional embodiments.
- For the purposes of the present disclosure, the phrase “A and/or B” means (A), (B), or (A and B). For the purposes of the present disclosure, the phrase “A, B, and/or C” means (A), (B), (C), (A and B), (A and C), (B and C), or (A, B and C).
- The description may use the phrases “in an embodiment,” or “in embodiments,” which may each refer to one or more of the same or different embodiments. Furthermore, the terms “comprising,” “including,” “having,” and the like, as used with respect to embodiments of the present disclosure, are synonymous.
- As used herein, the term “logic” and “module” may refer to, be part of, or include an Application Specific Integrated Circuit (ASIC), an electronic circuit, a processor (shared, dedicated, or group) and/or memory (shared, dedicated, or group) that execute one or more software or firmware programs, a combinational logic circuit, and/or other suitable components that provide the described functionality. The term “module” may refer to software, firmware and/or circuitry that is/are configured to perform or cause the performance of one or more operations consistent with the present disclosure. Software may be embodied as a software package, code, instructions, instruction sets and/or data recorded on non-transitory computer readable storage mediums. Firmware may be embodied as code, instructions or instruction sets and/or data that are hard-coded (e.g., nonvolatile) in memory devices. “Circuitry”, as used in any embodiment herein, may comprise, for example, singly or in any combination, hardwired circuitry, programmable circuitry such as computer processors comprising one or more individual instruction processing cores, state machine circuitry, software and/or firmware that stores instructions executed by programmable circuitry. The modules may collectively or individually be embodied as circuitry that forms a part of a computing device. As used herein, the term “processor” may be a processor core.
- Referring now to
FIG. 1 , acomputing device 100, incorporated with the resource presentation teaching of the present disclosure, in accordance with various embodiments, is illustrated. As shown,computing device 100 may include a number of components102-158, including sharedapplication 144 and trusted execution environment (TEE)114, configured to cooperate with each other, to select a user profile using contextual authentication and enable resources (such as contents) to be selectively consumed (viewed, modified, or deleted) by a logged-in user and/or a delegate user based at least in part on the selected user profile, alternatingly with ease. In embodiments,computing device 100 may include one or more processors orprocessor cores 102,system memory 104, adisplay 106, and a sensor layer including asensor hub 108 that may be coupled together and configured to cooperate with each other. Thedisplay 106 may be a touch sensitive display that also serves as an input device in various embodiments. For purposes of this application, including the claims, the terms “processor” and “processor cores” may be considered synonymous, unless the context clearly requires otherwise. In embodiments, the sensor layer may include one or more sensor devices, an input/output (TO) subsystem having IO controllers, internet protocol (IP) blocks, and control logic. In embodiments, as shown, thecomputing device 100 may also include one ormore chipsets 110, one ormore execution environments 112, and one or more trusted execution environments (TEE)114. The sensor layer may include trusted IO technology that hardens the IO path between thesensor hub 108 and/or sensor devices and theTEE 114. - Generally, a TEE is a secure environment that may run alongside an operating system and which can provide secure services to that operating system. More information regarding TEEs and the implementation thereof may be found in the TEE client application programming interface (API) specification v1.0, the TEE internal API (application programming interface) specification v1.0, and the TEE system architecture v1.0 issued by GlobalPlatform. In some embodiments, the devices described herein may include a TEE provided using one or more of virtualization technology, enhanced memory page protection, CPU cache as memory page protection, security co-processor technology, and combinations thereof. Non-limiting examples of such technology include INTEL® VT-x virtualization technology, INTEL® VT-d virtualization technology, INTEL® trusted execution technology (TXT), Xeon® internet security and acceleration (ISA) “cache as RAM”, converged security engine (CSE) technology, converged security and manageability engine (CSME) technology, a security co-processor, manageability engine, trusted platform module, platform trust technology, ARM TRUSTZONE® technology, combinations thereof, and the like. The nature, advantages and limitations of each of these technologies are well understood and are therefore not described herein.
- In various embodiments, the
sensor hub 108 may be in signal communication with amotion sensor 116, afingerprint sensor 118, a Bluetoothtransceiver 120, amicrophone 122, a wireless fidelity (WiFi)transceiver 124, aspeaker 126, acamera 128, anultrasonic sensor 130, and one or moreother sensors 140 orinput devices 142. In embodiments, thecamera 128 may be a video camera. Themotion sensor 116 may include an accelerometer or gyroscope in various embodiments. TheWiFi transceiver 124 may operate according to at least one of the Institute of Electrical and Electronics Engineers (IEEE) 802.11 standards and the Bluetoothtransceiver 120 may operate according to at least one of the standards defined by the Bluetooth Special Interest Group in various embodiments. - In embodiments, the
execution environment 112 may include an operating system (OS)142, earlier described sharedapplication 144, and one ormore modules 146. Theexecution environment 112 may also includestorage 147 for various variables and resources. The earlier described TEE114 may includesecure modules 150 anddata 152 in various embodiments. The sharedapplication 144 andoperating system 142 may, in cooperation withsecure modules 150, enforce respective access rights simultaneously for a plurality of users. In embodiments, a continuous passively authenticated context may be maintained for each of the plurality of users. - In embodiments, the
computing device 100 may be in data communication with alocal server 160, a remote content server such as a media server162, or asocial network server 164 over anetwork 166 by communicating with awireless router 168 using theWiFi transceiver 124. The sharedapplication 144 may have access to resources that may be consumed (viewed, modified, or deleted) by a logged-in user and/or a delegate user. The resources may includelocal resources 158 stored on thecomputing device 100 or resources served or streamed by thelocal server 160, the media server162, or thesocial network 164 in various embodiments. The resources may include other types of resources not shown in embodiments. The logged-in user may access the resources with a first set of resource access rights while a second delegate user may access the resources with a different set of access rights. - In various embodiments, the
computing device 100 may be a shared device such as a tablet computing device that may be used e.g., by afirst user 170, asecond user 174, or athird user 176. In embodiments, one or more of the users may have a Bluetooth enableddevice 180, which may e.g., be a wearable device on thefirst user 170. - Referring now to
FIG. 2 , components of theexecution environment 112 andTEE 114 are illustrated in further details, in accordance with various embodiments. Themodules 146 of theexecution environment 112 may include alogin module 202, anaccess control module 204, and apresentation module 206. Thesecure modules 150 of theTEE 114 may include acontextual authentication module 210 that includes asensor processing module 212, aprofile selection module 214, and aclassifier module 216. In various embodiments, theclassifier module 216 may classify data based on sensor output, application usage patterns, or user interface interaction patterns in a manner such that the data may be associated with particular users and the classifications of particular sensor data patterns, application usage patterns, or user interface interaction patterns may be considered to be user characteristics such that when a user characteristic changes it may be inferred that a user of thecomputing device 100 has changed. Theclassifier module 216 may be a machine learning classifier in various embodiments. Embodiments may also include auser proximity module 218 as a part of thesecure modules 150 in theTEE 114. Together, thesemodules application 144 andoperating system 142 to enforce respective access rights simultaneously for the plurality of users, including continuous maintenance of a passively authenticated context for each of the plurality of users. - In embodiments, the
data 152 stored in theTEE 114 may include afirst user profile 230, asecond user profile 232, athird user profile 234, afirst delegate profile 236, asecond delegate profile 238, or one or moreadditional profiles 240 in various embodiments. User profiles are a way for users to have a more personalized and streamlined user experience. Profiles allow users to have their own set of applications, social logins, bookmarks, and data in one easily accessible and private place. They may be used to create guest profiles, allowing others to borrow a device without worrying about application or social login conflicts and data privacy. Profiles may also be used to restrict content for use by children to allow parental control of browsing, application usage, and in-app purchasing. In embodiments, automatic device state based profile settings may be applied on a per-application and a per-service basis. For example, thecontextual authentication module 210 may distinguish user one170 using social networking application A hosted bysocial network server 164, users two and three using video streaming service B hosted by media server162, etc., and manage specific profiles for each. In embodiments, this automatic management of specific profiles may be combined with machine learning of user characteristics, interactions, or behaviors during shared and/or single user sessions to tune the profile-controlled behavior for the applications and services to the user or combination of users. Preferences may be inferred for combinations of users, applications, and services from other profiles that involve those users, applications or services in various embodiments. - The
data 152 may also includeuser characteristics templates 242 such as afirst template 244, asecond template 246, or athird template 248. In embodiments, theuser characteristics templates 242 are based on biometric or behaviometric data generated by a machine learning classifier. In various embodiments, theuser characteristics templates 242 may be included as a part of the user profiles. For example, thefirst user profile 230 may contain thefirst template 244, thesecond user profile 232 may contain thesecond template 246, and/or thethird user profile 234 may contain thethird template 248 in embodiments. Thedata 152 may also include auser focus identifier 260 in various embodiments. - In embodiments, a biometrics and/or behaviometrics machine learning (ML) classifier or set of classifiers may generate reference sample data suitable for establishing a user identity. In various embodiments, the reference sample data may be generated during a training process and stored as a biometric and/or behaviometric template such as
templates user characteristics templates 242 may be generated and stored by theclassifier module 216 during a training process, for example. During the training process, theclassifier module 216 may use machine learning to associate biometric user characteristics such as hand movement, gait, or image patterns based at least in part on sensor data with particular users. Biometric characteristics based on hand movement may be based at least in part on accelerometers or gyroscopes detecting relatively imperceptible movements and characteristics based on gait may be based at least in part on accelerometers or gyroscopes detecting walking characteristics in various embodiments. Theclassifier module 216 may also use machine learning to associate behaviometric user characteristics such as application usage patterns or user interface interaction patterns with particular users. Alternatively, theuser characteristics templates 242 may be generated and stored by other modules or generated by a different computing device and stored on thecomputing device 100 in other embodiments. - In various embodiments, the
login module 202 may be operated by the one ormore processors 102 to authenticate a user of thecomputing device 100. In embodiments, an active authentication factor such as a thumbprint reading using thefingerprint sensor 118 may be used. Theaccess control module 204 may be operated to establish an access control state corresponding to a user profile associated with the authenticated user. For example, if thelogin module 202 authenticates thefirst user 170, a first access control state corresponding to thefirst user profile 230 associated with thefirst user 170 may be established by theaccess control module 204. Thepresentation module 206, operated by the one ormore processors 102, may present a resource to the authenticated user based at least in part on the established access control state. - The
contextual authentication module 210 may be operated by the one ormore processors 102 to detect a user interaction change associated with thecomputing device 100 that indicates a different user, such as thesecond user 174, has device focus. The user interaction change may include a change in biometric or behaviometric characteristics determined by processing sensor data or application or user interface usage data in various embodiments, for example. Thecontextual authentication module 210 may continuously monitor passive authentication factors to detect user characteristics as thecomputing device 100 is being used such that when a change in user characteristics is detected indicating thecomputing device 100 is being used by a different user, a user profile may be assigned that corresponds to the current rather than the previous user, or alternatively corresponds to a delegate profile of the previous user that may also be based at least in part upon the current user. Thesensor processing module 212 may process a sensor output from themotion sensor 116 and generate theuser focus identifier 260 indicating thesecond user 174 has device focus, for example. Theprofile selection module 214 may be operated by the one ormore processors 102 to select thesecond user profile 232 based on theuser focus identifier 260 and thesecond template 246. In embodiments, thecontextual authentication module 210 may include a biometrics and/or behaviometrics ML classifier or set of classifiers as a part of theclassifier module 216 that generate sample data suitable for establishing a user identity based at least in part on user characteristics. - Reference sample data such as may be stored in
templates contextual authentication module 210 may also include a first user focus context classifier and a second user focus context classifier that determines when a user has device focus. Device focus may be established when a user is observing content on a display or other content rendering device, or when the user is inputting data through an input device such as a computer keyboard, mouse, microphone or camera. The user focus classifiers may establish to the OS which user is logged-in and which user is a delegate of the first. - In various embodiments, the
user proximity module 218 may be operated by the one ormore processors 102 to determine a proximity status associated with the currently logged in user, such as thefirst user 170, after the user interaction change associated with thecomputing device 100 that indicates a different user has device focus is detected by thecontextual authentication module 210. Theaccess control module 204 may be operated by the one ormore processors 102 to terminate the second access control state if the proximity status reaches a predetermined value. The predetermined value may correspond to an approximate distance, such as greater than thirty feet, for example. Other distances may also be used. An approximate distance of a user from thecomputing device 100 may be determined using power levels associated with a received signal strength indicator (RSSI) or by using a geographic positioning system (GPS) location, for example. In embodiments, theuser proximity module 218 may detect a proximity status regardless of whether a user interaction change has been detected. - Referring now to
FIG. 3 , various embodiments of acomputing device 300 may include a host system on a chip (SOC)302 in data communication with a contextual authentication technology (CAT)system 304 operating in a TEE. Thehost SOC 302 may include a processor or processing cores, memory, graphics, virtualization, and other capabilities suitable for hosting an operating system (OS) and applications. In embodiments, some or all elements ofSOC 302 may be implemented as separate components rather than being integrated on a SOC. TheCAT system 304 may be in signal communication with asensor layer 306. - In embodiments, the
sensor layer 306 may include a sensor hub, one or more sensor devices, an input/output (10) subsystem that may include IO controllers, internet protocol (IP) blocks, and control logic. Thesensor layer 306 may also include trusted IO technology that hardens the IO path between the sensor hub and/or sensor devices and a TEE subsystem. Sensor devices may employ a variety of sensing technology and may include avideo camera 308, amicrophone 309, anultrasonic sensor 310, amulti-axis motion sensor 312, a wireless radio313, and anRFID sensing device 314 in various embodiments. Additional or alternative sensors may also be included in embodiments. - In various embodiments, the
CAT system 304 may be implemented in a TEE and be in data communication with one or more user profiles316. Hosting the CAT system in a TEE may provide additional protection against malware attacks that may exist on the host system OS or applications. TheCAT system 304 may include biometric and/or behaviometric machine learning (ML)classifiers 318 that may be used to generate sample data suitable for establishing a user identity based at least in part on user characteristics such as biometric or behaviometric information. Reference sample data based at least in part on user characteristics and stored in the user profiles316 may be used to compare with the generated sample data to determine a match of a first user, a second user, or both users. TheCAT system 304 may also include a first user focus context classifier320 and a second user focus context classifier322 that may determine when a user has device focus. Device focus may be established when a user is observing content on a display or other content rendering device, or when a user is inputting data through an input device such as a computer keyboard, mouse, microphone or camera. The user focus context classifiers320,322 may establish to the OS which user is logged-in and which user is a delegate of the other. In embodiments, the biometric and/orbehaviometric ML classifiers 318, the first user focus context classifier320, and the second user focus context classifier322 may be included as a part of thecontextual authentication module 210 as discussed with respect toFIG. 2 . - In various embodiments, the
computing device 300 may be a tablet computing device and as a user picks up thecomputing device 300, theCAT system 304 employs one or more sensors in combination with theML classifiers 318 to determine who is attempting to use thecomputing device 300. When the user is authenticated, theCAT system 304 may access the relevant user profile. If an unknown user is detected or theCAT system 304 cannot detect a particular user with a predetermined confidence level, theCAT system 304 may offer access to a guest profile. - The
host SOC 302 may host anOS 324 that may allow operation based on user profiles, indicated inFIG. 3 as a logged-in user326 and a delegate user328. Thehost SOC 302 may host a sharedapplication 330 that allows for varying access to one ormore resources 332 based on access rules such as firstuser access rules 334 and second user access rules336. The sharedapplication 330 may have access toresources 332 that may be consumed (viewed, modified, deleted) by a logged-in user or by a delegate user. Afirst user 340 and asecond user 342 may share thecomputing device 300 and each have a user profile stored with the user profiles316 as well as a biometric or behaviometric classifier stored with theclassifiers 318. The sharedapplication 330 and theoperating system 324 may enforce the firstuser access rules 334 and the second user access rules336 for thefirst user 340 and thesecond user 342. TheCAT system 304 may maintain a continuous authenticated context for both the first and second users using passive authentication based at least in part on user characteristics such as biometric or behaviometric information rather than requiring an active authentication factor for every user switch. The logged-in user326 may access theresources 332 with a set of resource access rights while the delegate user328 may access theresources 332 with a different set of access rights. In various embodiments, some or all of the components of thecomputing device 300 may be included as a part of thecomputing device 100 described with respect toFIGS. 1 and 2 . FIG. 4 depicts anexample process 400 for simultaneously managing access rights of multiple users that may be implemented by thecomputing device 100 or thecomputing device 300 described with respect toFIGS. 1-3 in accordance with various embodiments. In various embodiments, theprocess 400 may be performed by thelogin module 202,access control module 204,presentation module 206,sensor processing module 212,profile selection module 214,classifier module 216 and/oruser proximity module 218. In other embodiments, theprocess 400 may be performed with more or less modules and/or with some operations in different order. As shown, for the embodiments, theprocess 400 may start at ablock 402. At operation,404, a first user log-in may be facilitated, and user rights corresponding to a user profile associated with the first user may be assigned to a user context. This may be performed by accepting a presentation of the first user's thumbprint at thefingerprint sensor 118 such that thelogin module 202 may access thefirst user profile 230 and theaccess control module 204 may assign user access rights corresponding to thefirst user profile 230, for example. The first user may then be able to access resources such aslocal resources 158 or resources served or streamed fromlocal server 160, media server162, orsocial network server 164 based at least in part on the user access rights assigned by theaccess control module 204.- At
operation 406, thecomputing device 100 may monitor passive authentication factors in a continuous manner. This may be performed by thesensor processing module 212 of thecontextual authentication module 210 monitoring themotion sensor 116 and theclassifier module 216 generating biometric or behaviometric sample data based at least in part on output from themotion sensor 116, for example. Multiple sensors may be monitored in embodiments or behavioral factors may be used instead of or in addition to biometric factors. Passive authentication factors may include any combination of biometric or behaviometric authentication factors in various embodiments. For example, in embodiments, biometric authentication factors may include without limitation hand movement or gait characteristics based at least in part on motion sensor data, image patterns based at least in part on camera data, or user characteristics based at least in part on ultrasonic or infrared sensor data. Behaviometric authentication factors may include, without limitation, patterns of application usage or patterns of user interface interaction in various embodiments. - At a
decision block 408, it may be determined whether the first user is observed. This may be performed by theprofile selection module 214 comparing biometric data generated by theclassifier module 216 or thebiometric ML classifier 318 at least partially based on information from themotion sensor template 244, for example. The sample and reference biometric or behaviometric data compared by theprofile selection module 214 may be based at least in part on any combination of sensor data or behavioral patterns in various embodiments and is not limited to information from themotion sensor - If the first user is observed, it may be determined at a
decision block 410 whether a second user is observed. This may be performed by theprofile selection module 214 comparing biometric data generated by theclassifier module 216 or thebiometric ML classifier 318 to reference data stored in thesecond template 246 and thethird template 248, for example. If a second user is observed, delegate user rights may be assigned to a second user context at ablock 412 in various embodiments. This may be performed by theprofile selection module 214 selecting thefirst delegate profile 236 based at least in part on the reference data in thesecond template 246 and biometric data generated by thebiometric ML classifier 318, for example. The second user may then be able to consume one or more resources based at least in part on the assigned delegate user rights in various embodiments. Resource access rights may overlap between a logged-in user and a delegate of the logged-in user to support resource sharing (e.g., both may view a common display while consuming content). However, differential rights may also be enforced in some cases such as a delegate user may not be able to modify a file while having an input focus whereas a logged-in user may be able to modify a file while having input focus, for example. If, at thedecision block 410, a second observer was not observed, theprocess 400 may loop back to theoperation 406 such that the monitoring of passive authentication factors continues. - In embodiments, if at the
decision block 408, the first user is not observed, it may be determined at adecision block 414 whether a second user is observed. If a second user is observed at thedecision block 414, the first user access rights may be rescinded at ablock 416. This may be performed by theaccess control module 204 based at least in part on data from theprofile selection module 210, for example. Theblock 416 may also include logging in the second user and assigning user rights corresponding to a user profile associated with the second user. This may involve an active authentication factor such as a thumbprint presented at thefingerprint sensor 118, in embodiments. The second user may then, at ablock 418, logically become the first user for purposes of the logic of theprocess 400. In embodiments, if, at thedecision block 414, a second user is not observed, first and second user rights may be rescinded at ablock 420. This may be performed by theaccess control module 204, in embodiments. Theprocess 400 may end at ablock 422 after the first and second user access rights are rescinded. Although not shown, in embodiments, theprocess 400 may proceed to a state following theend block 422 where the system monitors for active authentication factors such as a thumbprint or a password as may occur if the process returned to thestart block 402, for example. FIG. 5 depicts anexample process 500 for presenting resources that may be implemented by thecomputing device process 500 may be performed by e.g., earlier describedlogin module 202,access control module 204,presentation module 206,sensor processing module 212,profile selection module 214,classifier module 216 and/oruser proximity module 218. In alternate embodiments, theprocess 500 may be performed by more or less modules, and/or in different order. Atoperation 502, a first user of thecomputing device 100, such as thefirst user 170, may be authenticated and a first user profile corresponding to the first user may be selected. This may occur by presentation of a thumbprint to thefingerprint reader 118 or user input of an authentication password in embodiments. Atblock 504, a first access control state corresponding to a first user profile associated with the first user may be established. For example, a first access control state corresponding to thefirst user profile 230 associated with thefirst user 170 may be established by theaccess control module 204.- At
operation 506, a second user profile may be selected that indicates a different user, such as thesecond user 174, has device focus. In various embodiments, selecting the second user profile may include detecting a user characteristic change at ablock 508 and selecting a second user profile at ablock 510 based at least in part on the detected user characteristic change. Selecting the second user profile at theblock 510 may also be based at least in part on the first user profile such that the second user profile may be a delegate profile relating to the first user profile. - In embodiments, detecting a user characteristic change at the
block 508 may include monitoring one or more sensors such as themotion sensor 116, themicrophone 122, thecamera 128, or theultrasonic sensor 310, for example. Detecting a user characteristic change may further include receiving a sensor output, such as from themotion sensor 116 at ablock 508 and classifying the output such as with theclassifier module 216 to determine whether characteristics such as biometric or behaviometric characteristics of the current user have changed. In embodiments, a movement of thecomputing device block 508. - Selecting a second user profile at the
block 510 may also be based at least in part on the sensor output and a previously stored template based at least in part on biometric information associated with the second user, the template generated by a machine learning classifier. The template may include biometric reference sample data such as that described with respect totemplate 246 that may be generated by theclassifier module 216 during a training process, for example. In embodiments, receiving the sensor output may be performed by thesensor processing module 212 and selecting the user profile may be performed by theprofile selection module 214, for example. At ablock 512, a second access control state based at least in part on the second user profile may be established. This may be performed by theaccess control module 204, for example. In embodiments, the second access control state may be based at least in part on a delegate user profile. - In various embodiments, a proximity status associated with the first user may be determined at a
block 514 after establishing the second access control state. This may be performed by theuser proximity module 218 based at least in part on information received from the Bluetooth enableddevice 180 received by thesensor processing module 212, for example. At adecision block 516, it may be determined whether the proximity status has reached a predetermined value. For example, it may be determined whether the proximity status has reached a level corresponding to greater than approximately 30 feet away from thecomputing device 100. If, at thedecision block 516, it is determined that the proximity status has not reached the predetermined value, a resource may be presented at ablock 518 based at least in part on the second access control state. If, at thedecision block 516, it is determined that the proximity status has reached the predetermined value, the second access state may be terminated at ablock 520. - Referring now to
FIG. 6 , anexample computer 600 suitable to practice the present disclosure as earlier described with reference toFIGS. 1-3 is illustrated in accordance with various embodiments. As shown,computer 600 may include one or more processors orprocessor cores 602, andsystem memory 604. For the purpose of this application, including the claims, the terms “processor” and “processor cores” may be considered synonymous, unless the context clearly requires otherwise. Additionally,computer 600 may include one ormore graphics processors 605, mass storage devices606 (such as diskette, hard drive, compact disc read only memory (CD-ROM) and so forth), input/output devices608 (such as display, keyboard, cursor control, remote control, gaming controller, image capture device, and so forth),sensor hub 609 that may function in a similar manner as that described with respect tosensor hub 108 ofFIG. 1 , and communication interfaces610 (such as network interface cards, modems, infrared receivers, radio receivers (e.g., Bluetooth), and so forth). The elements may be coupled to each other viasystem bus 612, which may represent one or more buses. In the case of multiple buses, they may be bridged by one or more bus bridges (not shown). - Each of these elements may perform its conventional functions known in the art. In particular,
system memory 604 and mass storage devices606 may be employed to store a working copy and a permanent copy of the programming instructions implementing the operations associated with thecomputing device 100 or thecomputing device 300, e.g., operations described formodules FIGS. 1-3 , or operations shown inprocess 400 ofFIG. 4 orprocess 500 ofFIG. 5 , collectively denoted ascomputational logic 622. Thesystem memory 604 and mass storage devices606 may also be employed to store a working copy and a permanent copy of the programming instructions implementing the operations associated with theOS 142, theapplication 144, theOS 324, and theapplication 330. Thesystem memory 604 and mass storage devices606 may also be employed to store thedata 152, thelocal resources 158, the user profiles316, and theresources 332. The various elements may be implemented by assembler instructions supported by processor(s)602 or high-level languages, such as, for example, C, that can be compiled into such instructions. - The permanent copy of the programming instructions may be placed into mass storage devices606 in the factory, or in the field, through, for example, a distribution medium (not shown), such as a compact disc (CD), or through communication interface610 (from a distribution server (not shown)). That is, one or more distribution media having an implementation of the agent program may be employed to distribute the agent and program various computing devices.
- The number, capability and/or capacity of these elements608-612 may vary, depending on whether
computer 600 is a stationary computing device, such as a set-top box or desktop computer, or a mobile computing device such as a tablet computing device, laptop computer or smartphone. Their constitutions are otherwise known, and accordingly will not be further described. FIG. 7 illustrates an example at least one non-transitory computer-readable storage medium 702 having instructions configured to practice all or selected ones of the operations associated with thecomputing device 100 or thecomputing device 300, earlier described, in accordance with various embodiments. As illustrated, at least one computer-readable storage medium 702 may include a number ofprogramming instructions 704. Thestorage medium 702 may represent a broad range of persistent storage medium known in the art, including but not limited to flash memory, dynamic random access memory, static random access memory, an optical disk, a magnetic disk, etc. Programminginstructions 704 may be configured to enable a device, e.g.,computer 600,computing device 100, orcomputing device 300, in response to execution of the programming instructions, to perform, e.g., but not limited to, various operations described formodules FIGS. 1-3 , or operations ofprocess 400 ofFIG. 4 orprocess 500 ofFIG. 5 . In alternate embodiments, programminginstructions 704 may be disposed on multiple computer-readable storage media 702.- Referring back to
FIG. 6 , for an embodiment, at least one ofprocessors 602 may be packaged together with memory havingcomputational logic 622 configured to practice aspects described formodules FIGS. 1-3 , or operations ofprocess 400 orFIG. 4 orprocess 500 ofFIG. 5 . For an embodiment, at least one ofprocessors 602 may be packaged together with memory havingcomputational logic 622 configured to practice aspects described formodules FIGS. 1-3 , or operations ofprocess 400 ofFIG. 4 orprocess 500 ofFIG. 5 to form a System in Package (SiP). For an embodiment, at least one ofprocessors 602 may be integrated on the same die with memory havingcomputational logic 622 configured to practice aspects described formodules FIGS. 1-3 , or operations ofprocess 400 ofFIG. 4 orprocess 500 ofFIG. 5 . For an embodiment, at least one ofprocessors 602 may be packaged together with memory havingcomputational logic 622 configured to practice aspects ofprocess 400 ofFIG. 4 orprocess 500 ofFIG. 5 to form a System on Chip (SoC). For at least one embodiment, the SoC may be utilized in, e.g., but not limited to, a mobile computing device such as a computing tablet and/or a smartphone. - Machine-readable media (including non-transitory machine-readable media, such as machine-readable storage media), methods, systems and devices for performing the above-described techniques are illustrative examples of embodiments disclosed herein. Additionally, other devices in the above-described interactions may be configured to perform various disclosed techniques.
- Some non-limiting examples are:
- Example 1 may include a computing device comprising: one or more processors; a memory coupled with the one or more processors; a login module operated by the one or more processors to authenticate a first user of the device and establish a first access control state corresponding to a first user profile associated with the first user; a contextual authentication module operated by the one or more processors to select a second user profile based at least in part on a changed user characteristic; and a presentation module operated by the one or more processors to present a resource based at least in part on the second user profile.
- Example 2 may include the subject matter of Example 1, wherein the computing device further comprises a sensor, and wherein the contextual authentication module comprises: a profile selection module operated by the one or more processors to select the second user profile based at least in part on an output of the sensor and a previously stored template generated by a machine learning classifier.
- Example 3 may include the subject matter of Example 2, wherein the sensor is a motion sensor and wherein the profile selection module comprises a biometric machine learning classifier, wherein the profile selection module is to perform a biometric information classification of the output of the sensor and select the second user profile based at least in part on the biometric information classification and the previously stored template.
- Example 4 may include the subject matter of any one of Examples 1-3, wherein the login module is to authenticate the first user of the device based at least in part on an active authentication factor.
- Example 5 may include the subject matter of any one of Examples 1-4, wherein the computing device further comprises: an access control module operated by the one or more processors to establish a second access control state based at least in part on the second user profile; and a user proximity module operated by the one or more processors to determine a proximity status associated with the first user , wherein the access control module is operated by the one or more processors to terminate the second access control state if the proximity status reaches a predetermined value.
- Example 6 may include the subject matter of any one of Examples 1-5, wherein the computing device further comprises a trusted execution environment operated by one of the processors to host operation of the contextual authentication module.
- Example 7 may include the subject matter of any one of Examples 1-6, wherein the contextual authentication module is operated by the one or more processor to select a delegate profile as the second user profile.
- Example 8 may include the subject matter of any one of Examples 1-5, wherein the computing device is a tablet computing device, wherein the contextual authentication module comprises a profile selection module operated by the one or more processors in a trusted execution environment to select a second user profile based at least in part on a previously stored template generated by a machine learning classifier.
- Example 9 may include a computer implemented method comprising: authenticating, by a computing device, a first user of the device; establishing, by the computing device, a first access control state corresponding to a first user profile associated with the first user; selecting, by the computing device, a second user profile based at least in part on a changed user characteristic; and presenting, by the computing device, a resource based at least in part on the second user profile.
- Example 10 may include the subject matter of Example 9, wherein selecting, by the computing device, the second user profile comprises: receiving, by the computing device, a sensor output; performing a classification of the sensor output to generate sample data; and selecting, by the computing device, the second user profile based at least in part on the sample data and a previously stored template generated by a machine learning classifier.
- Example 11 may include the subject matter of Example 10, wherein receiving comprises receiving a sensor output from a motion sensor, wherein performing comprises performing a biometric classification of the motion sensor output to generate biometric sample data, and wherein selecting comprises selecting the second user profile based at least in part on the biometric sample data and a previously stored biometric template generated by a biometric machine learning classifier.
- Example 12 may include the subject matter of any one of Examples 9-11, wherein authenticating, by the computing device, the first user of the device is based at least in part on an active authentication factor.
- Example 13 may include the subject matter of any one of Examples 9-12, further comprising: establishing, by the computing device, a second access control state based at least in part on the second user profile; determining, by the computing device, a proximity status associated with the first user; and terminating, by the computing device, the second access control state if the proximity status reaches a predetermined value.
- Example 14 may include the subject matter of any one of Examples 9-13, wherein selecting, by the computing device, the second user profile based at least in part on the changed user characteristic is performed in a trusted execution environment.
- Example 15 may include the subject matter of any one of Examples 9-14, wherein the second user profile is a delegate profile.
- Example 16 may include the subject matter of any one of Examples 9-13, wherein the computing device is a tablet computing device, wherein selecting, by the computing device, the second user profile based at least in part on the changed user characteristic comprises selecting in a trusted execution environment, by the computing device, a second user profile based at least in part on a previously stored template generated by a machine learning classifier.
- Example 17 may include at least one non-transitory computer-readable medium comprising instructions stored thereon that, in response to execution of the instructions by a computing device, cause the computing device to: authenticate a first user of the device; establish a first access control state corresponding to a first user profile associated with the first user; select a second user profile based at least in part on a changed user characteristic; and present a resource based at least in part on the second user profile.
- Example 18 may include the subject matter of Example 17, wherein to select the second user profile, the computing device is caused to: perform a classification of a sensor output to generate sample data; and select a second user profile based at least in part on the sample data and a previously stored template generated by a machine learning classifier.
- Example 19 may include the subject matter of Example 18, wherein the computing device is caused to perform a biometric classification of a motion sensor output to generate biometric sample data and wherein the computing device is caused to select the second user profile based at least in part on the biometric sample data and a previously stored biometric template generated by a biometric machine learning classifier.
- Example 20 may include the subject matter of any one of Examples 17-19, wherein the computing device is caused to authenticate the first user of the device based at least in part on an active authentication factor.
- Example may include the subject matter of any one of Examples 17-20, wherein the computing device is further caused to: establish a second access control state based at least in part on the second user profile; determine a proximity status associated with the first user; and terminate the second access control state if the proximity status reaches a predetermined value.
- Example may include the subject matter of any one of Examples 17-21, wherein the computing device is further caused to select the second user profile in a trusted execution environment.
- Example 23 may include the subject matter of any one of Examples 17-22, wherein the computing device is further caused to select a delegate profile as the second user profile.
- Example 24 may include the subject matter of any one of Examples 17-21, wherein the computing device is a tablet computing device, wherein the tablet computing device is caused to select the second user profile in a trusted execution environment of the tablet computing device based at least in part on a previously stored template generated by a machine learning classifier.
- Example 25 may include a computing device comprising: means for authenticating a first user of the device; means for establishing a first access control state corresponding to a first user profile associated with the first user; means for selecting a second user profile based at least in part on a changed user characteristic; and means for presenting a resource based at least in part on the second user profile.
- Example 26 may include the subject matter of Example 25, wherein the means for selecting the second user profile comprises: means for receiving a sensor output; means for performing a classification of the sensor output to generate sample data; and means for selecting the second user profile based at least in part on the sample data and a previously stored template generated by a machine learning classifier.
- Example 27 may include the subject matter of Example 26, wherein the means for receiving comprises means for receiving a sensor output from a motion sensor, wherein the means for performing comprises means for performing a biometric classification of the motion sensor output to generate biometric sample data, and wherein the means for selecting comprises means for selecting the second user profile based at least in part on the biometric sample data and a previously stored biometric template generated by a biometric machine learning classifier.
- Example 28 may include the subject matter of any one of Examples 25-27, wherein the means for authenticating the first user of the device is based at least in part on an active authentication factor.
- Example 29 may include the subject matter of any one of Examples 25-28, further comprising: means for establishing a second access control state based at least in part on the second user profile; means for determining a proximity status associated with the first user; and means for terminating the second access control state if the proximity status reaches a predetermined value.
- Example 30 may include the subject matter of any one of Examples 25-29, wherein the means for selecting the second user profile based at least in part on the changed user characteristic is in a trusted execution environment.
- Example 31 may include the subject matter of any one of Examples 25-30, wherein the second user profile is a delegate profile.
- Example 32 may include the subject matter of any one of Examples 25-29, wherein the computing device is a tablet computing device, wherein the means for selecting the second user profile based at least in part on the changed user characteristic comprises means for selecting in a trusted execution environment a second user profile based at least in part on a previously stored template generated by a machine learning classifier.
- Although certain embodiments have been illustrated and described herein for purposes of description, a wide variety of alternate and/or equivalent embodiments or implementations calculated to achieve the same purposes may be substituted for the embodiments shown and described without departing from the scope of the present disclosure. This application is intended to cover any adaptations or variations of the embodiments discussed herein. Therefore, it is manifestly intended that embodiments described herein be limited only by the claims.
- Where the disclosure recites “a” or “a first” element or the equivalent thereof, such disclosure includes one or more such elements, neither requiring nor excluding two or more such elements. Further, ordinal indicators (e.g., first, second or third) for identified elements are used to distinguish between the elements, and do not indicate or imply a required or limited number of such elements, nor do they indicate a particular position or order of such elements unless otherwise specifically stated.
Claims (24)
1. A computing device comprising:
one or more processors;
a memory coupled with the one or more processors;
a login module operated by the one or more processors to authenticate a first user of the device and establish a first access control state corresponding to a first user profile associated with the first user;
a contextual authentication module operated by the one or more processors to select a second user profile based at least in part on a changed user characteristic; and
a presentation module operated by the one or more processors to present a resource based at least in part on the second user profile.
2. The computing device ofclaim 1 , wherein the computing device further comprises a sensor, and wherein the contextual authentication module comprises:
a profile selection module operated by the one or more processors to select the second user profile based at least in part on an output of the sensor and a previously stored template generated by a machine learning classifier.
3. The computing device ofclaim 2 , wherein the sensor is a motion sensor and wherein the profile selection module comprises a biometric machine learning classifier, wherein the profile selection module is to perform a biometric information classification of the output of the sensor and select the second user profile based at least in part on the biometric information classification and the previously stored template.
4. The computing device ofclaim 1 , wherein the login module is to authenticate the first user of the device based at least in part on an active authentication factor.
5. The computing device ofclaim 1 , wherein the computing device further comprises:
an access control module operated by the one or more processors to establish a second access control state based at least in part on the second user profile; and
a user proximity module operated by the one or more processors to determine a proximity status associated with the first user , wherein the access control module is operated by the one or more processors to terminate the second access control state if the proximity status reaches a predetermined value.
6. The computing device ofclaim 1 , further comprising a trusted execution environment operated by one of the processors to host operation of the contextual authentication module.
7. The computing device ofclaim 1 , wherein the contextual authentication module is operated by the one or more processor to select a delegate profile as the second user profile.
8. The computing device ofclaim 1 , wherein the computing device is a tablet computing device, wherein the contextual authentication module comprises a profile selection module operated by the one or more processors in a trusted execution environment to select a second user profile based at least in part on a previously stored template generated by a machine learning classifier.
9. A computer implemented method comprising:
authenticating, by a computing device, a first user of the device;
establishing, by the computing device, a first access control state corresponding to a first user profile associated with the first user;
selecting, by the computing device, a second user profile based at least in part on a changed user characteristic; and
presenting, by the computing device, a resource based at least in part on the second user profile.
10. The method according toclaim 9 , wherein selecting, by the computing device, the second user profile comprises:
receiving, by the computing device, a sensor output;
performing a classification of the sensor output to generate sample data; and
selecting, by the computing device, the second user profile based at least in part on the sample data and a previously stored template generated by a machine learning classifier.
11. The method according toclaim 10 , wherein receiving comprises receiving a sensor output from a motion sensor, wherein performing comprises performing a biometric classification of the motion sensor output to generate biometric sample data, and wherein selecting comprises selecting the second user profile based at least in part on the biometric sample data and a previously stored biometric template generated by a biometric machine learning classifier.
12. The method according toclaim 9 , wherein authenticating, by the computing device, the first user of the device is based at least in part on an active authentication factor.
13. The method according toclaim 9 , further comprising:
establishing, by the computing device, a second access control state based at least in part on the second user profile;
determining, by the computing device, a proximity status associated with the first user; and
terminating, by the computing device, the second access control state if the proximity status reaches a predetermined value.
14. The method according toclaim 9 , wherein selecting, by the computing device, the second user profile based at least in part on the changed user characteristic is performed in a trusted execution environment.
15. The method according toclaim 9 , wherein the second user profile is a delegate profile.
16. The method according toclaim 9 , wherein the computing device is a tablet computing device, wherein selecting, by the computing device, the second user profile based at least in part on the changed user characteristic comprises selecting in a trusted execution environment, by the computing device, a second user profile based at least in part on a previously stored template generated by a machine learning classifier.
17. At least one non-transitory computer-readable medium comprising instructions stored thereon that, in response to execution of the instructions by a computing device, cause the computing device to:
authenticate a first user of the device;
establish a first access control state corresponding to a first user profile associated with the first user;
select a second user profile based at least in part on a changed user characteristic; and
present a resource based at least in part on the second user profile.
18. The at least one non-transitory computer-readable medium ofclaim 17 , wherein to select the second user profile, the computing device is caused to:
perform a classification of a sensor output to generate sample data; and
select a second user profile based at least in part on the sample data and a previously stored template generated by a machine learning classifier.
19. The at least one non-transitory computer-readable medium ofclaim 18 , wherein the computing device is caused to perform a biometric classification of a motion sensor output to generate biometric sample data and wherein the computing device is caused to select the second user profile based at least in part on the biometric sample data and a previously stored biometric template generated by a biometric machine learning classifier.
20. The at least one non-transitory computer-readable medium ofclaim 17 , wherein the computing device is caused to authenticate the first user of the device based at least in part on an active authentication factor.
21. The at least one non-transitory computer-readable medium ofclaim 17 , wherein the computing device is further caused to:
establish a second access control state based at least in part on the second user profile;
determine a proximity status associated with the first user; and
terminate the second access control state if the proximity status reaches a predetermined value.
22. The at least one non-transitory computer-readable medium ofclaim 17 , wherein the computing device is further caused to select the second user profile in a trusted execution environment.
23. The at least one non-transitory computer-readable medium ofclaim 17 , wherein the computing device is further caused to select a delegate profile as the second user profile.
24. The at least one non-transitory computer-readable medium ofclaim 17 , wherein the computing device is a tablet computing device, wherein the tablet computing device is caused to select the second user profile in a trusted execution environment of the tablet computing device based at least in part on a previously stored template generated by a machine learning classifier.
Priority Applications (4)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| US15/449,568US20170180363A1 (en) | 2014-12-23 | 2017-03-03 | User profile selection using contextual authentication |
| US15/812,956US20180069855A1 (en) | 2014-12-23 | 2017-11-14 | User profile selection using contextual authentication |
| US15/813,823US20180103034A1 (en) | 2014-12-23 | 2017-11-15 | User profile selection using contextual authentication |
| US15/813,789US20180077154A1 (en) | 2014-12-23 | 2017-11-15 | User profile selection using contextual authentication |
Applications Claiming Priority (2)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| US14/581,659US9628477B2 (en) | 2014-12-23 | 2014-12-23 | User profile selection using contextual authentication |
| US15/449,568US20170180363A1 (en) | 2014-12-23 | 2017-03-03 | User profile selection using contextual authentication |
Related Parent Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| US14/581,659ContinuationUS9628477B2 (en) | 2014-12-23 | 2014-12-23 | User profile selection using contextual authentication |
Related Child Applications (3)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| US15/812,956ContinuationUS20180069855A1 (en) | 2014-12-23 | 2017-11-14 | User profile selection using contextual authentication |
| US15/813,789ContinuationUS20180077154A1 (en) | 2014-12-23 | 2017-11-15 | User profile selection using contextual authentication |
| US15/813,823ContinuationUS20180103034A1 (en) | 2014-12-23 | 2017-11-15 | User profile selection using contextual authentication |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| US20170180363A1true US20170180363A1 (en) | 2017-06-22 |
Family
ID=56130849
Family Applications (5)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| US14/581,659ActiveUS9628477B2 (en) | 2014-12-23 | 2014-12-23 | User profile selection using contextual authentication |
| US15/449,568AbandonedUS20170180363A1 (en) | 2014-12-23 | 2017-03-03 | User profile selection using contextual authentication |
| US15/812,956AbandonedUS20180069855A1 (en) | 2014-12-23 | 2017-11-14 | User profile selection using contextual authentication |
| US15/813,823AbandonedUS20180103034A1 (en) | 2014-12-23 | 2017-11-15 | User profile selection using contextual authentication |
| US15/813,789AbandonedUS20180077154A1 (en) | 2014-12-23 | 2017-11-15 | User profile selection using contextual authentication |
Family Applications Before (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| US14/581,659ActiveUS9628477B2 (en) | 2014-12-23 | 2014-12-23 | User profile selection using contextual authentication |
Family Applications After (3)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| US15/812,956AbandonedUS20180069855A1 (en) | 2014-12-23 | 2017-11-14 | User profile selection using contextual authentication |
| US15/813,823AbandonedUS20180103034A1 (en) | 2014-12-23 | 2017-11-15 | User profile selection using contextual authentication |
| US15/813,789AbandonedUS20180077154A1 (en) | 2014-12-23 | 2017-11-15 | User profile selection using contextual authentication |
Country Status (1)
| Country | Link |
|---|---|
| US (5) | US9628477B2 (en) |
Cited By (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20210056226A1 (en)* | 2019-08-23 | 2021-02-25 | Microsoft Technology Licensing, Llc | Secure and private hyper-personalization system and method |
| US11526745B2 (en) | 2018-02-08 | 2022-12-13 | Intel Corporation | Methods and apparatus for federated training of a neural network using trusted edge devices |
| US11556730B2 (en) | 2018-03-30 | 2023-01-17 | Intel Corporation | Methods and apparatus for distributed use of a machine learning model |
| US11985132B2 (en) | 2018-05-02 | 2024-05-14 | Samsung Electronics Co., Ltd. | System and method for resource access authentication |
| US12111895B2 (en) | 2020-07-09 | 2024-10-08 | Veracity, Inc. | Group-based authentication technique |
Families Citing this family (39)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US9888119B2 (en) | 2014-03-05 | 2018-02-06 | Cisco Technology, Inc. | Contacts service for call center |
| US9754093B2 (en)* | 2014-08-28 | 2017-09-05 | Ncr Corporation | Methods and a system for automated authentication confidence |
| US9628477B2 (en)* | 2014-12-23 | 2017-04-18 | Intel Corporation | User profile selection using contextual authentication |
| US10757216B1 (en) | 2015-02-20 | 2020-08-25 | Amazon Technologies, Inc. | Group profiles for group item recommendations |
| US11363460B1 (en) | 2015-03-03 | 2022-06-14 | Amazon Technologies, Inc. | Device-based identification for automated user detection |
| US10078803B2 (en)* | 2015-06-15 | 2018-09-18 | Google Llc | Screen-analysis based device security |
| US10095746B2 (en)* | 2015-12-03 | 2018-10-09 | At&T Intellectual Property I, L.P. | Contextual ownership |
| US20170227995A1 (en)* | 2016-02-09 | 2017-08-10 | The Trustees Of Princeton University | Method and system for implicit authentication |
| US10016896B2 (en)* | 2016-06-30 | 2018-07-10 | Brain Corporation | Systems and methods for robotic behavior around moving bodies |
| CA2972732A1 (en)* | 2016-07-07 | 2018-01-07 | David Franklin | Gesture-based user interface |
| US10274325B2 (en) | 2016-11-01 | 2019-04-30 | Brain Corporation | Systems and methods for robotic mapping |
| US10001780B2 (en) | 2016-11-02 | 2018-06-19 | Brain Corporation | Systems and methods for dynamic route planning in autonomous navigation |
| MY195303A (en)* | 2016-11-10 | 2023-01-12 | Eyeverify Inc | Verified and Private Portable Indentity |
| US10723018B2 (en) | 2016-11-28 | 2020-07-28 | Brain Corporation | Systems and methods for remote operating and/or monitoring of a robot |
| US10885188B1 (en)* | 2016-12-30 | 2021-01-05 | Comodo Security Solutions, Inc. | Reducing false positive rate of statistical malware detection systems |
| US10852730B2 (en) | 2017-02-08 | 2020-12-01 | Brain Corporation | Systems and methods for robotic mobile platforms |
| JP2018136625A (en)* | 2017-02-20 | 2018-08-30 | Kddi株式会社 | Identification device, identification method, and identification program |
| US10366347B2 (en) | 2017-06-02 | 2019-07-30 | At&T Intellectual Property I, L.P. | Methods, systems and devices for monitoring and controlling media content using machine learning |
| US11030603B1 (en) | 2017-06-26 | 2021-06-08 | Wells Fargo Bank, N.A. | Systems and methods for distinguishing between profiles in a passive authentication scheme |
| GB201802615D0 (en)* | 2018-02-18 | 2018-04-04 | Esc Digital Media Ltd | Interactive mirror |
| DE102018214632A1 (en)* | 2018-08-29 | 2020-03-05 | Ford Global Technologies, Llc | Computer-implemented identification procedure |
| US11151254B2 (en)* | 2018-09-11 | 2021-10-19 | Amari.Ai Incorporated | Secure communications gateway for trusted execution and secure communications |
| US12125054B2 (en) | 2018-09-25 | 2024-10-22 | Valideck International Corporation | System, devices, and methods for acquiring and verifying online information |
| KR102758937B1 (en)* | 2019-02-18 | 2025-01-23 | 삼성전자주식회사 | Electronic device for authenticating biometric information and operating method thereof |
| EP3935528A1 (en) | 2019-03-07 | 2022-01-12 | British Telecommunications public limited company | Access control classifier training |
| EP3935526A1 (en) | 2019-03-07 | 2022-01-12 | British Telecommunications public limited company | Multi-level classifier based access control |
| US10863219B2 (en)* | 2019-03-26 | 2020-12-08 | Rovi Guides, Inc. | Systems and methods for identifying unknown users of a device to provide personalized user profiles |
| US11556628B2 (en)* | 2019-04-30 | 2023-01-17 | International Business Machines Corporation | Multidimensional attribute authentication |
| US10652238B1 (en)* | 2019-06-10 | 2020-05-12 | Capital One Services, Llc | Systems and methods for automatically performing secondary authentication of primary authentication credentials |
| US11372474B2 (en)* | 2019-07-03 | 2022-06-28 | Saec/Kinetic Vision, Inc. | Systems and methods for virtual artificial intelligence development and testing |
| EP3999980A1 (en) | 2019-07-16 | 2022-05-25 | British Telecommunications public limited company | User authentication based on behavioural biometrics |
| WO2021018468A1 (en) | 2019-07-30 | 2021-02-04 | British Telecommunications Public Limited Company | Duct blockage risk location prediction |
| GB2586149A (en)* | 2019-08-07 | 2021-02-10 | British Telecomm | Behavioural blometric control policy application |
| US12425193B2 (en) | 2019-09-12 | 2025-09-23 | British Telecommunications Public Limited Company | Resource access control |
| US11392707B2 (en) | 2020-04-15 | 2022-07-19 | Capital One Services, Llc | Systems and methods for mediating permissions |
| US11195170B1 (en)* | 2021-05-31 | 2021-12-07 | BehavioSec Inc | Method and a system for creating a behavioral user profile |
| US20230052407A1 (en)* | 2021-08-12 | 2023-02-16 | Mastercard Technologies Canada ULC | Systems and methods for continuous user authentication |
| US20230095816A1 (en)* | 2021-09-24 | 2023-03-30 | Apple Inc. | Adaptive user enrollment for electronic devices |
| US12141316B2 (en) | 2021-10-11 | 2024-11-12 | International Business Machines Corporation | Obfuscation of sensitive information through non-visual feedback |
Citations (10)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20070005988A1 (en)* | 2005-06-29 | 2007-01-04 | Microsoft Corporation | Multimodal authentication |
| US20070280225A1 (en)* | 2006-05-31 | 2007-12-06 | Microsoft Corporation | Extended services and recommendations |
| US20080189360A1 (en)* | 2007-02-06 | 2008-08-07 | 5O9, Inc. A Delaware Corporation | Contextual data communication platform |
| US20120204257A1 (en)* | 2006-04-10 | 2012-08-09 | International Business Machines Corporation | Detecting fraud using touchscreen interaction behavior |
| US20120323717A1 (en)* | 2011-06-16 | 2012-12-20 | OneID, Inc. | Method and system for determining authentication levels in transactions |
| US20140096215A1 (en)* | 2012-09-28 | 2014-04-03 | Christian J. Hessler | Method for mobile security context authentication |
| US20140282877A1 (en)* | 2013-03-13 | 2014-09-18 | Lookout, Inc. | System and method for changing security behavior of a device based on proximity to another device |
| US20150033305A1 (en)* | 2013-03-15 | 2015-01-29 | Advanced Elemental Technologies, Inc. | Methods and systems for secure and reliable identity-based computing |
| US20150286813A1 (en)* | 2014-04-04 | 2015-10-08 | Qualcomm Incorporated | Method and apparatus that facilitates a wearable identity manager |
| US20160182502A1 (en)* | 2014-12-23 | 2016-06-23 | Ned M. Smith | User profile selection using contextual authentication |
Family Cites Families (9)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US9003488B2 (en)* | 2007-06-06 | 2015-04-07 | Datavalet Technologies | System and method for remote device recognition at public hotspots |
| US20100281427A1 (en)* | 2009-04-30 | 2010-11-04 | Riddhiman Ghosh | Selecting one of plural user profile personae based on context |
| US9160730B2 (en) | 2013-03-15 | 2015-10-13 | Intel Corporation | Continuous authentication confidence module |
| JP6186080B2 (en)* | 2013-05-29 | 2017-08-23 | ヒューレット パッカード エンタープライズ デベロップメント エル ピーHewlett Packard Enterprise Development LP | Passive application security |
| US9411780B1 (en)* | 2013-06-03 | 2016-08-09 | Amazon Technologies, Inc. | Employing device sensor data to determine user characteristics |
| US9100392B2 (en)* | 2013-09-20 | 2015-08-04 | Verizon Patent And Licensing Inc. | Method and apparatus for providing user authentication and identification based on a one-time password |
| US9747428B2 (en)* | 2014-01-30 | 2017-08-29 | Qualcomm Incorporated | Dynamic keyboard and touchscreen biometrics |
| US9992207B2 (en)* | 2014-09-23 | 2018-06-05 | Qualcomm Incorporated | Scalable authentication process selection based upon sensor inputs |
| US9684775B2 (en)* | 2014-10-15 | 2017-06-20 | Qualcomm Incorporated | Methods and systems for using behavioral analysis towards efficient continuous authentication |
- 2014
- 2014-12-23USUS14/581,659patent/US9628477B2/enactiveActive
- 2017
- 2017-03-03USUS15/449,568patent/US20170180363A1/ennot_activeAbandoned
- 2017-11-14USUS15/812,956patent/US20180069855A1/ennot_activeAbandoned
- 2017-11-15USUS15/813,823patent/US20180103034A1/ennot_activeAbandoned
- 2017-11-15USUS15/813,789patent/US20180077154A1/ennot_activeAbandoned
Patent Citations (11)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20070005988A1 (en)* | 2005-06-29 | 2007-01-04 | Microsoft Corporation | Multimodal authentication |
| US8079079B2 (en)* | 2005-06-29 | 2011-12-13 | Microsoft Corporation | Multimodal authentication |
| US20120204257A1 (en)* | 2006-04-10 | 2012-08-09 | International Business Machines Corporation | Detecting fraud using touchscreen interaction behavior |
| US20070280225A1 (en)* | 2006-05-31 | 2007-12-06 | Microsoft Corporation | Extended services and recommendations |
| US20080189360A1 (en)* | 2007-02-06 | 2008-08-07 | 5O9, Inc. A Delaware Corporation | Contextual data communication platform |
| US20120323717A1 (en)* | 2011-06-16 | 2012-12-20 | OneID, Inc. | Method and system for determining authentication levels in transactions |
| US20140096215A1 (en)* | 2012-09-28 | 2014-04-03 | Christian J. Hessler | Method for mobile security context authentication |
| US20140282877A1 (en)* | 2013-03-13 | 2014-09-18 | Lookout, Inc. | System and method for changing security behavior of a device based on proximity to another device |
| US20150033305A1 (en)* | 2013-03-15 | 2015-01-29 | Advanced Elemental Technologies, Inc. | Methods and systems for secure and reliable identity-based computing |
| US20150286813A1 (en)* | 2014-04-04 | 2015-10-08 | Qualcomm Incorporated | Method and apparatus that facilitates a wearable identity manager |
| US20160182502A1 (en)* | 2014-12-23 | 2016-06-23 | Ned M. Smith | User profile selection using contextual authentication |
Non-Patent Citations (1)
| Title |
|---|
| Susan Gauch; personalized based on user search history; IEEE:2005; page: 1-7* |
Cited By (12)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US11526745B2 (en) | 2018-02-08 | 2022-12-13 | Intel Corporation | Methods and apparatus for federated training of a neural network using trusted edge devices |
| US11556730B2 (en) | 2018-03-30 | 2023-01-17 | Intel Corporation | Methods and apparatus for distributed use of a machine learning model |
| US12169584B2 (en) | 2018-03-30 | 2024-12-17 | Intel Corporation | Methods and apparatus for distributed use of a machine learning model |
| US11985132B2 (en) | 2018-05-02 | 2024-05-14 | Samsung Electronics Co., Ltd. | System and method for resource access authentication |
| US20210056226A1 (en)* | 2019-08-23 | 2021-02-25 | Microsoft Technology Licensing, Llc | Secure and private hyper-personalization system and method |
| WO2021040840A1 (en)* | 2019-08-23 | 2021-03-04 | Microsoft Technology Licensing, Llc | Secure and private hyper-personalization system and method |
| CN114270316A (en)* | 2019-08-23 | 2022-04-01 | 微软技术许可有限责任公司 | Secure and private super-personalization system and method |
| US11568081B2 (en)* | 2019-08-23 | 2023-01-31 | Microsoft Technology Licensing, Llc | Secure and private hyper-personalization system and method |
| US20230169209A1 (en)* | 2019-08-23 | 2023-06-01 | Microsoft Technology Licensing, Llc | Secure and private hyper-personalization system and method |
| EP4478234A3 (en)* | 2019-08-23 | 2024-12-25 | Microsoft Technology Licensing, LLC | Secure and private hyper-personalization system and method |
| US12353595B2 (en)* | 2019-08-23 | 2025-07-08 | Microsoft Technology Licensing, Llc | Secure and private hyper-personalization system and method |
| US12111895B2 (en) | 2020-07-09 | 2024-10-08 | Veracity, Inc. | Group-based authentication technique |
Also Published As
| Publication number | Publication date |
|---|---|
| US20180077154A1 (en) | 2018-03-15 |
| US20180069855A1 (en) | 2018-03-08 |
| US20160182502A1 (en) | 2016-06-23 |
| US20180103034A1 (en) | 2018-04-12 |
| US9628477B2 (en) | 2017-04-18 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| US9628477B2 (en) | User profile selection using contextual authentication | |
| US20220103432A1 (en) | Systems and methods for workspace continuity and remediation | |
| US11487881B2 (en) | Systems and methods for endpoint context-driven, dynamic workspaces | |
| US11316902B2 (en) | Systems and methods for securing a dynamic workspace in an enterprise productivity ecosystem | |
| US10938743B1 (en) | Systems and methods for continuous evaluation of workspace definitions using endpoint context | |
| US12105609B2 (en) | Systems and methods for modernizing workspace and hardware lifecycle management in an enterprise productivity ecosystem | |
| TWI793667B (en) | Creating and handling workspace indicators of compromise (ioc) based upon configuration drift | |
| US11537694B2 (en) | Motion-based challenge-response authentication mechanism | |
| US20120167170A1 (en) | Method and apparatus for providing passive user identification | |
| TWI811734B (en) | Trusted local orchestration of workspaces | |
| US20210133298A1 (en) | Systems and methods for dynamic workspace targeting with crowdsourced user context | |
| US20220198043A1 (en) | Systems and methods for securely deploying a collective workspace across multiple local management agents | |
| US11941631B2 (en) | Trust platform | |
| US12405839B2 (en) | Migration of workloads across cloud services based upon endpoint performance | |
| US20230153150A1 (en) | Systems and methods for migrating users and modifying workspace definitions of persona groups | |
| US12141625B2 (en) | Intelligent selection of optimization methods in heterogeneous environments | |
| US11595322B2 (en) | Systems and methods for performing self-contained posture assessment from within a protected portable-code workspace | |
| US10341858B1 (en) | Systems and methods for obscuring user location | |
| US20230195904A1 (en) | Architecture swapping for workspaces | |
| US20220376902A1 (en) | Resource access control | |
| US20250291885A1 (en) | Systems and methods for providing multifactor authentication for immersive environments | |
| US20250245585A1 (en) | Predictive workspace orchestration | |
| US20250301019A1 (en) | Workspace orchestration based on contributor scores | |
| US20250254040A1 (en) | Workspace orchestration with ephemeral hardware attestation | |
| US20250245355A1 (en) | Third-pary evaluation of workspace orchestration services |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| STCB | Information on status: application discontinuation | Free format text:ABANDONED -- FAILURE TO RESPOND TO AN OFFICE ACTION |