EP3062294A1 - Method and devices for upgrading an existing access control system - Google Patents

Publication number
EP3062294A1
Authority
EP
European Patent Office
Prior art keywords
access
handheld device
mobile handheld
unit
interception unit
Prior art date
Legal status
Granted
Application number
EP15156996.9A
Other languages
German (de)
French (fr)
Other versions
EP3062294B1 (en)
Inventor
Johannes Rietschel
Current Assignee
Qibixx AG
Original Assignee
Kibix AG

Classifications

    • G PHYSICS
    • G07 CHECKING-DEVICES
    • G07C TIME OR ATTENDANCE REGISTERS; REGISTERING OR INDICATING THE WORKING OF MACHINES; GENERATING RANDOM NUMBERS; VOTING OR LOTTERY APPARATUS; ARRANGEMENTS, SYSTEMS OR APPARATUS FOR CHECKING NOT PROVIDED FOR ELSEWHERE
    • G07C9/00 Individual registration on entry or exit
    • G07C9/20 Individual registration on entry or exit involving the use of a pass
    • G07C9/27 Individual registration on entry or exit involving the use of a pass with central registration

Landscapes

  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Lock And Its Accessories (AREA)

Abstract

Method for upgrading an existing access control system. The existing access control system comprises at least one access point which is controlled by a reader unit (1) for reading authorization information from a portable token (6) and a corresponding unlocking device (3), the reader unit (1) is in wired connection via at least one 1st control line (4) communicatively connected to an access controller (2), and said access controller (2) is in wired connection via at least one 2nd control line (5) communicatively connected to said unlocking device (3). The said access controller (2) controls the locking state of said unlocking device (3) via said 2nd control line (5) by verifying identification information transmitted via 1st control line (4) from said reader unit (1). The upgrading method comprises the steps of interposing into the at least one 1st control line (4) an interception unit (9), said interception unit (9) adapted to and allowing for receiving and, if needed after temporarily withholding said identification information from said reader unit (1), only transmitting it to the access control unit (2) once said interception unit (9) has verified permission to access independently via a 2nd communication with a holder of said token (6).

Description

    TECHNICAL FIELD
  • The present invention relates to a method for upgrading an existing access control system for increasing access control security and functionality. Furthermore it relates to a method of operating such an upgraded access control system, to a correspondingly upgraded access control system and to an interception unit for use in such an access control system or an upgrade of such an access control system.
  • PRIOR ART
  • Many buildings requiring controlled access are equipped with access control systems which do not provide all the functionality or all the security levels that would be desired; however, installing a completely new access control system is too costly or even technically impossible.
  • SUMMARY OF THE INVENTION
  • Therefore the need exists for easy upgrade possibilities for existing access control systems as well as for methods of operating such upgraded access control systems and elements for upgrading such access control systems.
  • The present invention proposes such a method for upgrading an existing access control system, a method for operating such an upgraded access control system, as well as elements for such an upgraded access control system or elements to be used for the upgrade of such access control systems.
  • More specifically, the present invention in a 1st aspect thereof relates to a method for upgrading an existing access control system. Such an existing access control system comprises at least one access point (e.g. a door) which is controlled by a reader unit for reading authorization information from a portable token (a badge, a key or the like) and a corresponding unlocking device (typically a physical device physically locking and unlocking the door). The reader unit is in wired connection via at least one 1st control line (a physical wired line, can be a single line, two or more wired lines) communicatively connected to an access controller, and said access controller is in wired connection via at least one 2nd control line (again a physical wired line, can be a single line, two or more wired lines) communicatively connected to said unlocking device, and said access controller controls the locking state of said unlocking device via said 2nd control line by verifying identification information transmitted via the 1st control line from said reader unit. Typically such an access control system comprises one central access control unit and, depending on the access points, a corresponding number of reader units and unlocking units, but it is also possible that for each access point an individual reader unit, access unit and unlocking unit are pre-existing; in both cases the proposed upgrade is possible.
  • The proposal is to upgrade such a pre-existing access control system, which typically exchanges data over the 1st control line on the basis of serial, Wiegand or clock and data, as follows:
    • the method comprises the steps of interposing into the at least one 1st control line an interception unit. Said interception unit is adapted to receive said identification information from said reader unit, to temporarily withhold it if needed, and to transmit it to the access control unit only once said interception unit has verified permission to access independently via a 2nd communication with a holder of said token (i.e. a person carrying the token).
  • In other words, the upgrade is realized in that a 2nd identification retrieval mechanism is embedded into the pre-existing access control system. This identification information retrieval mechanism is brought in by an additional interception unit. This interception unit, which can simply be inserted into the communication channel between the reader and the access controller, has the functionality of independently establishing a connection to either the same or another token of the holder desiring to access through the access point. Preferably the idea is to have as a 1st token the badge of the holder, and the 2nd token of the holder is the personal mobile handheld device. The interception unit is adapted for establishing a communication link to the personal mobile handheld device in order to retrieve information therefrom to allow for increased security access granting. Due to the fact that nowadays basically everyone carries a mobile handheld device with a huge range of functionality, which actually can be used for holder identification information purposes, this is probably the simplest upgrade possibility for an access control system. The idea is to use the functionality of the mobile handheld device for identification purposes; in other words, only an app needs to be installed on the mobile handheld device (tablet, smart phone, mobile phone, etc.) and then the interception device uses an available communication channel (Bluetooth, WLAN, smart Bluetooth) for establishing a connection to the mobile handheld device. So basically the function of the interception device is to intercept the data transfer between the reader and the access controller, to establish a connection between the interception device and the mobile handheld device, to obtain further identification information by using the mobile handheld device, and to forward the data transfer to the access controller only once identification has been verified.
  • For further increased security it is possible to use the telecommunication functionalities of the mobile handheld devices of the holders in order to further verify the input information (pin, fingerprint, etc.) input by the holder into the mobile handheld device by contacting a corresponding central authority (e.g. cloud-based). Preferably all this data communication is encrypted, and it is possible to store the token information on the mobile handheld device, using the interception unit and the handheld device the 1st time, so as to avoid having to use the token (key, badge) each time an access point needs to be released and passed.
  • According to a 1st preferred embodiment of this method, the interception unit comprises at least one radiofrequency interface for establishing a wireless communication channel between said interception unit and a mobile handheld device of said holder, and said verification by the interception unit involves retrieving information about access permission of said holder via said mobile handheld device.
  • Preferably the radiofrequency interface is a wireless local area network (WLAN) interface, a Bluetooth interface, Bluetooth smart, preferably a low-energy Bluetooth or Bluetooth smart interface.
  • According to yet another preferred embodiment, retrieving information about access permission of said holder via said mobile handheld device includes the steps of identifying said holder and/or said mobile handheld device by means of input given by said holder into said mobile handheld device, and/or by means of readout of an unambiguous identification information from said mobile handheld device. Such identification information can for example be input into the mobile handheld device in a 1st contact with the upgraded access control system, and can be the identification information associated with the personal token of the holder of the personal mobile handheld device, see further description below. Preferably, said input is at least one of: a pin code, a biometric information collected by said mobile device, such as fingerprint, picture, in particular face and/or skin picture, eye picture, positional information, or a combination thereof.
  • According to a further preferred embodiment further increasing the security level of the upgrade, retrieving information about access permission of said holder via said mobile handheld device includes the step of establishing an external wireless communication using a WLAN or telecommunication channel by said mobile handheld device to an overall control authority (i.e. the central data control unit, e.g. established cloud-based) which verifies access permission independently and transmits, provided access is granted, a corresponding permission back to said mobile handheld device and directly and/or indirectly via said radiofrequency interface to the interception unit.
  • The interception unit, after having verified permission to access, preferentially transmits said identification information from said reader unit identical to the one as initially received from said reader unit. However it's also possible to transmit specifically modified data to the access controller.
  • Verifying permission to access is possible either by the interception unit autonomously and/or by an overall control authority via communication therewith by means of the mobile handheld device and may involve authorizing at least one of: access time, access frequency, access number, access permission status of holder, trust status of holder, compliance of data about or from holder retrieved by said mobile handheld device with an internal database, or a combination thereof.
  • According to yet another preferred embodiment, the radiofrequency interface automatically establishes a radiofrequency connection to said mobile handheld device once it is in sufficient proximity to the interception unit and, if needed, once the connection is established, increases the power level from low-level standby to high level.
  • The interception unit can be provided with means for determining the distance between the interception unit and the mobile handheld device, and this distance can also be taken into account as a parameter for granting access.
  • Further preferably, the interception unit comprises an independent CPU, RAM, ROM, volatile and/or non-volatile data storage elements, an encryption unit, standalone and/or grid based power supply. If need be also a real-time clock element, and optionally a secondary CPU, RAM/ROM, data storage element can be present.
  • Although the interception unit can be put into the same housing as the reader, and the access controller, it's however also possible to put the interception unit only into a housing of the reader or into a separate housing.
  • According to yet another preferred embodiment, the data transmitted via said 1st communication line is serial, Wiegand (3 wires, one common ground and D0 and D1) or clock and data. The 2nd communication line is often just a power line.
  • Further preferably communication via at least one of said 1st control line, said 2nd control line, between the interception unit and the mobile handheld device, between the mobile handheld device and the overall control, is encrypted.
  • Once authorized by at least one of token or handheld mobile device, independent verification by overall control or a combination thereof, access can be granted without need of the token in each case and only by said handheld mobile device. In this way it is for example possible to only require the holder to show the token the 1st time he/she is accessing the corresponding building or area, and after that the mobile phone will automatically authorize and unlock the corresponding access point. If however, for example, the usual working hours have passed, this non-token-based authorization can be revoked so as to increase security.
  • According to a 2nd aspect of the present invention, it relates further to an access control system upgraded using a method as detailed above and comprising the structural elements as outlined above.
  • According to yet another aspect of the present invention, it relates to a method of operating an upgraded access control system as detailed in the preceding paragraph including the steps of:
    • keeping the interception unit at low energy and/or range level for broadcast only;
    • establishing an encrypted communication between the interception unit and the mobile handheld device by said radiofrequency interface, if need be after verifying distance information between the 2 units;
    • requesting input information from the holder on said mobile handheld device by corresponding optical and/or acoustic signal emitted by said mobile handheld device;
    • collecting input by said mobile handheld device, wherein preferably said input is a pin code, and/or a biometric information;
    • transmitting said input information, either directly in an encrypted way or after a verification in said mobile handheld device and/or after a verification of the input information by establishment of a communication between said mobile handheld device and the overall control and permission of the overall control, to the interception unit;
    • forwarding of permission information received by the interception unit from the reader unit via the 2nd control line to the access controller for unlocking the unlocking device.
  • According to yet another aspect of the present invention, it relates to a method of setting up a holder in an upgraded access control system as outlined above including the steps of:
    • a new holder installs a respective app on the personal mobile handheld device;
    • for a 1st time approaches the access point;
    • the app connects to the interception unit in learning mode;
    • the holder uses the personal token on the reader unit;
    • token information transmitted from the reader to the interception unit is transmitted to the mobile handheld device and is stored therein in encrypted form, unreadable for the holder.
  • Last but not least the present invention relates to a particularly tailored interception unit for a method as outlined above or to be part of or used in an access control system as outlined above and preferably comprising at least one radiofrequency interface for establishing a wireless communication channel between said interception unit and a mobile handheld device of said holder, and wherein said verification by the interception unit involves retrieving information about access permission of said holder via said mobile handheld device, wherein preferably the radiofrequency interface is a wireless local area network (WLAN) interface, a Bluetooth interface, Bluetooth smart, preferably a low-energy Bluetooth interface.
  • Further embodiments of the invention are laid down in the dependent claims.
  • BRIEF DESCRIPTION OF THE DRAWINGS
  • Preferred embodiments of the invention are described in the following with reference to the drawings, which are for the purpose of illustrating the present preferred embodiments of the invention and not for the purpose of limiting the same. In the drawings,
  • Fig. 1
    shows a schematic representation of a pre-existing access control system including one central access controller and two exemplary access points with reader and unlocking unit;
    Fig. 2
    shows a schematic representation of such an access control system upgraded in accordance with the present invention; and
    Fig. 3
    shows a schematic representation of an interception unit according to the present invention.
    DESCRIPTION OF PREFERRED EMBODIMENTS
  • As illustrated in figure 1, a pre-existing access control system typically involves, at each access point, a reader unit 1 and an unlocking device 3, the latter normally being an electric motor controlled to withdraw or bring forward a locking pin or the like. As illustrated in this figure, there is one central access controller 2 in case of several, in this case two different access points each with reader unit 1 and unlocking device 3.
  • Such a pre-existing access control system furthermore typically includes a management unit 7, e.g. a central computer or server, which is also linked to the access controller 2, and which can be used to manage and control the access permissions in the access controller 2. Access is controlled in this case by a personal token 6, which can be a badge, or a key, which would then be a combination of a mechanical and an electrical/electronic access device, which can be used for accessing a certain access point. As illustrated on the left side of figure 1, the token 6 is brought close to the reader unit 1 for access, and the reader unit typically communicates via radiofrequency with the token, which basically then acts as an RFID. Typically this communication is encrypted. The corresponding token information, typically in encrypted form, is subsequently transferred via a 1st physical control line 4 from the reader unit 1 to the access controller 2. In the access controller 2 the token information is compared with corresponding authorization codes or databases, and if the required access permission can be established by this comparison, an unlocking signal is transmitted from the access controller 2 to the unlocking device 3 for unlocking the door of the access point.
  • Typically these access control systems date back to the 80s and 90s and have a certain security standard, which is certainly good, but very often not sufficient for today's standards. However, upgrading such an access control system involves uninstalling the existing structure and building in a new structure, which is costly, time-consuming and sometimes even essentially impossible.
  • This is where the present invention provides for an unexpectedly simple but very efficient and at the same time very safe upgrade as shall be outlined herein below.
  • All that needs to be done for upgrading such an access control system is to insert an interception unit 9 into the 1st control line 4 between the reader and the access controller 2. So basically this 1st line 4 is split into a 1st part line 4' between the reader unit 1 and the interception unit 9, and a 2nd part line 4" between the interception unit 9 and the access controller.
  • In a nutshell, the interception unit acts to intercept the data transfer and only forward the data received from the reader if corresponding access granting or identification is established in the interception unit 9.
  • To this end the interception unit 9 is provided with communication means to communicate with a portable handheld device 10 carried by the person also carrying the token 6 and desiring to pass the access point. Once the handheld device 10 is in sufficient proximity to the interception unit 9, a preferably encrypted data connection is established between the interception unit 9 and the mobile handheld device 10. After establishment of this data connection, an app installed on the mobile handheld device 10 for example requests the user to input a pin, to present a finger to a fingerprint sensor on the handheld device, or to take a picture of the face or of the eye or the like, in the sense of biometric data. Only if this data is then verified to be correct does the interception unit 9 forward the data, initially received from the reader unit via line 4', via line 4" to the access controller 2, which will then, basically without having to be modified at all, trigger the corresponding unlocking signal for the unlocking device 3. In order to strengthen identification verification, the information retrieved by the mobile handheld device can be, and preferably is, further verified by establishing a mobile data connection from the mobile handheld device 10 to the Internet. There, by corresponding communication between the app on the handheld device and the corresponding Internet site, preferably using an encrypted protocol, the information is verified; if it is positively verified, the corresponding access granting approval is transmitted to the app on the handheld device, the handheld device transmits the approval to the interception unit 9, and in turn the interception unit 9 releases the signal to the access controller 2.
  • The essential elements of the interception unit 9 required for actually carrying out this function are schematically illustrated in figure 3. The interception unit 9, which can be in a separate housing, which however can also be put into the housing of the reader for example, comprises a reader interface 14 for communicating with the reader by line 4', and a controller interface 15 for communicating with the access controller 2 by line 4". There is a central processing unit with RAM and ROM as well as volatile and/or non-volatile additional memory, and an additional power supply 12, typically grid based and, in case of grid failure, including a battery or the like for backup. Furthermore the interception device 9 comprises a radiofrequency interface for communication with the mobile handheld device 10. This is preferably a low-energy Bluetooth interface, so as to save energy and to avoid unnecessary radiofrequency emission.
  • More specifically, the main electronics of the interception unit shall be outlined as follows: there is provided a usual intelligent controller, often an SoC or single-chip device, comprising: a CPU; ROM to hold program storage; RAM for temporary data storage (volatile) and stack; non-volatile data storage; an encryption unit, typically in hardware, supporting accelerated Advanced Encryption Standard (AES) calculation; an RTC (real-time clock) to maintain time in case of power outage (battery powered); and the RF interface 13, here a Bluetooth low energy (BLE, Bluetooth Smart) protocol engine, radio, HF amplifiers etc.
  • In the hardware, one can for example use the CC2540 TI specialized microcontroller which contains all above (no RTC, but a counter).
  • Connected to such a main controller are
    • the reader interface 14, which behaves like the usual "controller side" interfaces a reader is connected to. In the case of "Wiegand", there are min. 2 inputs for the "D0" and "D1" data lines, typically a reader block or LED indication output, and a buzzer control output (optional). Alternative versions can use different interfaces like Omron Magstripe (clock & data) interface, serial RS-485 or other interfaces;
    • a controller-side interface 15, which behaves like the usual "Wiegand" or other access reader. In the case of "Wiegand", there are min. 2 outputs for the D0 and D1 data lines, typically reader block or LED indication INPUTS, and a buzzer control input.
  • Alternative versions might have other outputs or interfaces.
  • A key is that 14 and 15 are "inverse function" interfaces, so while a reader can be connected to 14, 15 actually SIMULATES a reader to the controller.
  • Other components might include a higher level application CPU with more memory, encryption, decision making capabilities.
  • Power supply circuitry will generally be needed also, as illustrated by reference numeral 12.
  • Another important part of the solution is a smart phone 10, which can communicate with the main electronics via Bluetooth or Bluetooth Smart or Wifi.
  • A cloud based service can be used also to enhance functionality in the communication 19. The invention can be used as a standard BLE based ID reader.
  • In this mode of operation, the device 9 can receive credentials from a smart phone and deliver these to the controller, effectively emulating a Wiegand Reader.
  • However, the invention offers currently unknown possibilities due to the additional interfaces and software.
  • Some of the following functions can be used independently and work well together.
  • The two main functions the invention can provide are
    • increasing the level of security of an existing, installed access control system with minimal changes to the system;
    • increasing the usability and convenience of an existing, installed access control system.
  • In addition, use of the invention can also provide online reporting and even decision making for currently offline, installed access control systems, which generally also results in higher security and monitorability.
  • One key idea of the invention is that it can "intercept" the credentials coming from a reader 1, and only forward these to the controller 2 after certain additional security checks, logging or validation of personal security credentials (pin, password, fingerprint, face contour etc.) have been conducted.
  • Only once these checks are finished are the original (or modified) credentials released to the controller.
  • Possibilities include time or other criteria based additional checks (for example, if an employee comes in the morning, he also needs to do a face recognition check on his mobile, but later he does not need to do this).
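The hold-and-release behaviour described here and in the discussion of figure 2 above, sketched as an added example that is not part of the patent text or any vendor's firmware. It assumes the reader emits the common 26-bit Wiegand layout (even parity, 8-bit facility code, 16-bit card number, odd parity), a 10 s hold timeout, and a phone verdict bound to the card number; all names are hypothetical.

```python
from dataclasses import dataclass
from typing import List, Optional

HOLD_TIMEOUT_S = 10.0  # assumed: how long a withheld frame stays releasable


def build_wiegand26(facility: int, card: int) -> str:
    """Construct a sample 26-bit frame (used only to create test input)."""
    data = f"{facility:08b}{card:016b}"
    lead = str(data[:12].count("1") % 2)          # makes the first 13 bits even
    trail = str((data[12:].count("1") + 1) % 2)   # makes the last 13 bits odd
    return lead + data + trail


def parse_wiegand26(bits: str) -> Optional[dict]:
    """Validate length and both parity bits; return fields or None."""
    if len(bits) != 26 or set(bits) - {"0", "1"}:
        return None
    even_ok = bits[:13].count("1") % 2 == 0
    odd_ok = bits[13:].count("1") % 2 == 1
    if not (even_ok and odd_ok):
        return None
    return {"facility": int(bits[1:9], 2), "card": int(bits[9:25], 2)}


@dataclass
class Pending:
    bits: str
    card: int
    received_at: float


class InterceptionGate:
    """Model of unit 9: reader interface 14 in, controller interface 15 out."""

    def __init__(self, timeout_s: float = HOLD_TIMEOUT_S):
        self.timeout_s = timeout_s
        self.pending: Optional[Pending] = None
        self.forwarded: List[str] = []  # frames emitted towards the controller
        self.log: List[str] = []

    def on_reader_frame(self, bits: str, now: float) -> bool:
        """Withhold a frame from the reader; malformed frames are dropped."""
        fields = parse_wiegand26(bits)
        if fields is None:
            self.log.append("drop: malformed frame")
            return False
        # Only the newest frame is held; an older one is discarded.
        self.pending = Pending(bits, fields["card"], now)
        self.log.append(f"hold: card {fields['card']}")
        return True

    def on_phone_verdict(self, card: int, approved: bool, now: float) -> bool:
        """Release the withheld frame only for a fresh, matching approval."""
        p = self.pending
        if p is None:
            self.log.append("ignore: verdict without withheld frame")
            return False
        if now - p.received_at > self.timeout_s:
            self.pending = None
            self.log.append("drop: hold expired")
            return False
        if card != p.card:
            self.log.append("ignore: verdict for a different card")
            return False
        self.pending = None  # a verdict is consumed exactly once
        if not approved:
            self.log.append("drop: second factor refused")
            return False
        self.forwarded.append(p.bits)  # forwarded identical to what was received
        self.log.append(f"forward: card {card}")
        return True


if __name__ == "__main__":
    frame = build_wiegand26(42, 12345)  # constructed sample credential
    gate = InterceptionGate()
    gate.on_reader_frame(frame, now=0.0)
    gate.on_phone_verdict(12345, True, now=3.0)   # released
    gate.on_phone_verdict(12345, True, now=4.0)   # nothing left to release
    gate.on_reader_frame(frame, now=20.0)
    gate.on_phone_verdict(12345, True, now=31.0)  # too late, dropped
    print("\n".join(gate.log))
```

Every path other than a timely, matching approval leaves the controller side silent, so the unmodified access controller 2 simply sees no badge read.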
  • One other key idea is that the intercepted credentials can be stored into the memory of the RF connected mobile phone, so that the user has no access, the data is safely encrypted, and can be released at the next reader (door).
  • As an example, an employee arriving in the morning at the premises of a military or industrial location will "badge" to open the door, with all other security steps involved. The credentials of his card can be captured into the memory of the mobile phone, and for any further access within the premises, no ID card or badge is needed any more ("hands free" operations) because the ID of the employee has now entered the memory of the smart phone, potentially has been online validated, and can be transmitted through the invention's port 15 to door controllers 9 as if the employee would use his hands and his ID/badge manually (which he still may do).
  • Such intercepted credentials need to be kept secure. So one aspect of the invention can be that by use of location data, the ID information can be erased from the mobile phone once it leaves the perimeter of the location (geo fencing), so a lost phone outside of the area can not be used for entry.
  • It is also possible to go completely "badge free" in that the mobile phone 10 connects to a server to get the ID credentials (userid/password can be used to secure that data, and the phone can then get a local copy of the ID data), and instead of presenting a badge, carrying the mobile phone will be enough to be identified.
  • Range reading: The BLE standard preferably used in the present device includes the possibility to transmit at different RF levels, and also include the actual transmit energy level in announcements.
  • On the other side, standard mobile phone, bluetooth BLE stack implementations, API and libraries support "ranging" by reading the RSSI level from the RF receivers, and calculating, based on that information PLUS the transmitted RSSI level, the approximate distance.
  • Using this functionality, it can be assured that a user with a mobile phone is only recognized when within a certain defined distance (20cm, 50cm etc).
  • For example - this functionality can be used to make sure the above mentioned "copy ID into local memory" function can only be used if the mobile is within very close proximity of the device 9, however, later, for the "hands free" solution (sending back the ID for entry), a larger distance is allowed.
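The per-operation distance check described above, as an added example that is not part of the patent text. It assumes the log-distance path loss model, a calibrated RSSI of -59 dBm at 1 m, a path loss exponent of 2.0 and a 2.0 m hands-free limit; these values and all names are constructed for illustration, and only the 20 cm close-proximity figure comes from the text.

```python
import statistics
from typing import Sequence

# Assumed calibration values, not taken from the patent text.
MEASURED_POWER_1M_DBM = -59.0  # RSSI expected at 1 m for the announced TX level
PATH_LOSS_EXPONENT = 2.0       # free-space value; indoor environments differ
MIN_SAMPLES = 3                # never decide on a single noisy reading

# Tight limit for copying the ID into the phone, looser limit for
# hands-free release at later doors (2.0 m is a constructed value).
MAX_DISTANCE_M = {"learn": 0.2, "hands_free": 2.0}

# Constructed RSSI readings in dBm.
SAMPLES_AT_READER = [-44, -45, -46, -70, -45]  # phone held at the unit, one outlier
SAMPLES_NEAR_DOOR = [-64, -65, -66]            # phone in a pocket, about 2 m away
SAMPLES_FAR = [-80, -79, -81]                  # phone across the room


def estimate_distance_m(rssi_dbm: float,
                        measured_power_1m: float = MEASURED_POWER_1M_DBM,
                        n: float = PATH_LOSS_EXPONENT) -> float:
    """Approximate distance from the log-distance path loss model."""
    return 10 ** ((measured_power_1m - rssi_dbm) / (10.0 * n))


def within_range(rssi_samples: Sequence[float], operation: str) -> bool:
    """Return True only if the smoothed estimate is inside the limit
    configured for this operation; too few samples means refuse."""
    if operation not in MAX_DISTANCE_M:
        raise ValueError(f"unknown operation: {operation}")
    if len(rssi_samples) < MIN_SAMPLES:
        return False
    # The median suppresses single outliers caused by reflections or body
    # shadowing better than a mean would.
    rssi = statistics.median(rssi_samples)
    return estimate_distance_m(rssi) <= MAX_DISTANCE_M[operation]


if __name__ == "__main__":
    for name, samples in [("at reader", SAMPLES_AT_READER),
                          ("near door", SAMPLES_NEAR_DOOR),
                          ("far", SAMPLES_FAR)]:
        d = estimate_distance_m(statistics.median(samples))
        print(f"{name}: ~{d:.2f} m, learn={within_range(samples, 'learn')}, "
              f"hands_free={within_range(samples, 'hands_free')}")
```

RSSI-derived distance is an estimate that varies with antenna orientation and surroundings, so the limits need calibration per installation.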
  • The following functions can be added, individually or in any combination, to already installed, legacy access control systems without the need to update these with anything else but the interception unit according to the invention:
    • increase security by adding pin functionality (using the mobile phone as the pin pad)
    • pin requirement may be time schedule controlled
    • alternatively, fingerprint can be required (on mobile phones which have a fingerprint id mechanism)
    • alternatively, face recognition, voice recognition, or any other way to identify the user can be used
    • increase security by just checking for the availability of the mobile with the user
    • increase security by automatically going online and checking that the mobile (identified by MAC, user name or whatever) matches the ID card in the pocket of the user
    • increase security by checking that the user has the right at this time, date, to enter the site (important for remote infrastructure maintenance, train, truck use etc)
    • logging of the access attempts to the central website can be enabled by using the mobile phone as an internet access device for the invention
    • online validation of the credentials/access attempts can be added before the ID is forwarded
    • a new ID management system can be built up online, where the system has a different set of credentials/IDs, and only if the user's presented ID is authorized by the online system, a "simple" ID to unlock the system is provided to the controller
  • The system can even be used as a modern "immobilizer" or locking system for trucks, machines etc. A "driver" can safely go to a coffee break, because without his mobile phone, the truck will not start.
  • When he returns to his car, the mobile phone will "see" the truck, and go online to request an authorization key that the user may operate the truck, which then, upon approval, is encrypted with the car's security credentials and sent via the invention into the truck to unlock it.
  • The same can be used for loading decks etc.: an electronic lock in addition to any mechanical locks, on which any access attempt can be monitored, logged and prohibited in case there are no rights.
  • However, main use of the invention is the upgrade of current access control installations using readers, to increase security or usability, by adding the mobile phone component with its readers and interfaces, and the possibility to go online for recording and decision making at a central location.
  • The invention enables legacy access control systems to be part of the "internet of things" without the central controllers to be touched.
  • It can also be used to monitor the "door enable" relay/door strike power, so that the effective "entry ok" signal can be locked in addition.

LIST OF REFERENCE SIGNS

    1 reader unit
    2 access controller
    3 unlocking device
    4 1st control line between reader unit and access controller
    5 2nd control line between access controller and unlocking device
    6 token (batch, key)
    7 management unit
    8 communication between access controller and management unit
    9 interception unit
    10 mobile handheld device
    11 wireless communication between interception unit and mobile handheld device
    12 power supply unit
    13 radiofrequency interface, Bluetooth low energy
    14 reader interface
    15 controller interface
    16 housing
    17 central control unit
    18 wireless communication between interception unit and mobile handheld device
    19 wireless communication between mobile handheld device and overall control

Claims (15)

  1. Method for upgrading an existing access control system, said existing access control system comprising at least one access point which is controlled by a reader unit (1) for reading authorization information from a portable token (6) and a corresponding unlocking device (3), wherein the reader unit (1) is in wired connection via at least one 1st control line (4) communicatively connected to an access controller (2), wherein said access controller (2) is in wired connection via at least one 2nd control line (5) communicatively connected to said unlocking device (3), and wherein said access controller (2) controls the locking state of said unlocking device (3) via said 2nd control line (5) by verifying identification information transmitted via 1st control line (4) from said reader unit (1),
    wherein the method comprises the steps of interposing into the at least one 1st control line (4) an interception unit (9), said interception unit (9) adapted to and allowing for receiving and, if needed after temporarily withholding said identification information from said reader unit (1), only transmitting it to the access control unit (2) once said interception unit (9) has verified permission to access independently via a 2nd communication with a holder of said token (6).
  2. Method according to claim 1, wherein the interception unit (9) comprises at least one radiofrequency interface (13) for establishing a wireless communication channel (18) between said interception unit (9) and a mobile handheld device (10) of said holder, and wherein said verification by the interception unit (9) involves retrieving information about access permission of said holder via said mobile handheld device (10), wherein preferably the radiofrequency interface (13) is a wireless local area network (WLAN) interface, a Bluetooth interface, Bluetooth smart, preferably a low-energy Bluetooth interface.
  3. Method according to claim 2, wherein retrieving information about access permission of said holder via said mobile handheld device (10) includes the steps of identifying said holder and/or said mobile handheld device (10) by means of input given by said holder into said mobile handheld device (10), and/or by means of readout of an unambiguous identification number from said mobile handheld device (10), wherein said input is preferably at least one of: a pin code, a biometric information collected by said mobile device, such as fingerprint, picture, in particular face picture, positional information, or a combination thereof.
  4. Method according to claim 2 or 3, wherein retrieving information about access permission of said holder via said mobile handheld device (10) includes the step of establishing an external wireless communication (19) using a WLAN or telecommunication channel by said mobile handheld device (10) to an overall control authority which verifies access permission independently and transmits, if access granted, a corresponding permission back to said mobile handheld device (10) and directly and/or indirectly via said radiofrequency interface (13) to the interception unit.
  5. Method according to any of the preceding claims, wherein the interception unit (9), after having verified permission to access, transmits said identification information from said reader unit (1) identical to the one as initially received from said reader unit (1) or in a modified way.
  6. Method according to any of the preceding claims, wherein verifying permission to access either by the interception unit (9) autonomously and/or by an overall control authority via communication therewith by means of the mobile handheld device (10) involves authorizing and/or determining at least one of: access time, access frequency, access number, access permission status of holder, trust status of holder, compliance of data about or from holder retrieved by said mobile handheld device (10) with an internal database, location of the mobile handheld device determined via GPS (geo-fencing) or a combination thereof.
  7. Method according to any of the preceding claims, wherein the radio frequency interface (13) automatically establishes a radiofrequency connection to said mobile handheld device (10) once it is in sufficient proximity to the interception unit (9), and, if needed, once connection established, increases the power level from low-level standby to high-level.
  8. Method according to any of the preceding claims, wherein the interception unit (9) is provided with means for determining the distance between the interception unit (9) and the mobile handheld device (10), and wherein this distance is taken into account as a parameter for granting access.
  9. Method according to any of the preceding claims, wherein the interception unit (9) comprises an independent CPU, RAM, ROM, volatile and/or non-volatile data storage elements, an encryption unit, standalone and/or grid based power supply, if need be a real-time clock element, and optionally a secondary CPU, RAM/ROM, data storage element.
  10. Method according to any of the preceding claims, wherein the transmission via said 1st communication line (4) is serial, Wiegand or clock and data, and/or wherein communication via said 1st control line (4), and/or via said 2nd control line (5), and/or between (18) the interception unit (9) and the mobile handheld device (10) and/or between (19) the mobile handheld device (10) and the overall control is encrypted.
  11. Method according to any of the preceding claims, wherein once authorized by at least one of token (9), handheld mobile device (10), independent verification by overall control or a combination thereof access can be granted without need of the token (9) and only by said handheld mobile device (10).
  12. Access control system upgraded using a method according to any of the preceding claims.
  13. Method of operating an access control system according to claim 12 including the steps of:
    keeping the interception unit (9) at low energy and/or range level for broadcast only;
    establishing an encrypted communication between the interception unit (9) and the mobile handheld device (10) by said radiofrequency interface (13), if need be after verifying distance information between the 2 units;
    requesting input information from the holder on said mobile handheld device (10) by corresponding optical and/or acoustic signal emitted by said mobile handheld device (10);
    collecting input by said mobile handheld device (10), wherein preferably said input is a pin code, and/or a biometric information;
    transmitting said input information, either directly in an encrypted way or after a verification in said mobile handheld device (10) and/or after a verification of the input information by establishment of a communication between said mobile handheld device (10) and the overall control and permission of the overall control, to the interception unit (9);
    forwarding of permission information received by the interception unit (9) from the reader unit (1) via the 2nd control line (5) to the access controller for unlocking the unlocking device (3).
  14. Method of setting up a holder in an access control system according to claim 12 including the steps of:
    a new holder installs a respective app on the personal mobile handheld device (10);
    for a 1st time approaches the access point;
    the app connects to the interception unit (9) in learning mode;
    the holder uses the personal token (6) on the reader unit (1);
    token information transmitted from the reader to the interception unit (9) is transmitted to the mobile handheld device (10) and is stored therein in an encrypted and unreadable for the holder way.
  15. Interception unit (9) for a method according to any of the preceding claims or for an access control system according to claim 12 comprising at least one radiofrequency interface (13) for establishing a wireless communication channel (18) between said interception unit (9) and a mobile handheld device (10) of said holder, and wherein said verification by the interception unit (9) involves retrieving information about access permission of said holder via said mobile handheld device (10), wherein preferably the radiofrequency interface (13) is a wireless local area network (WLAN) interface, a Bluetooth interface, Bluetooth smart, preferably a low-energy Bluetooth interface.
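As an added illustration (not part of the patent text and not code from the applicant), the hold-and-release behaviour of claims 1, 5, 6, 8 and 10 can be sketched for a Wiegand frame on the 1st control line (4). The 26-bit frame layout, the `Approval` fields, the RSSI threshold, the hold time and the schedule window are assumptions chosen for this example.

```python
from dataclasses import dataclass
from datetime import datetime, time
from typing import Optional, Tuple


def encode_wiegand26(facility: int, card: int) -> str:
    """Build a constructed 26-bit test frame (8-bit facility code, 16-bit card number)."""
    data = f"{facility:08b}{card:016b}"
    lead = str(data[:12].count("1") % 2)         # even parity over the first 12 data bits
    trail = str((data[12:].count("1") + 1) % 2)  # odd parity over the last 12 data bits
    return lead + data + trail


def parse_wiegand26(bits: str) -> Optional[Tuple[int, int]]:
    """Return (facility, card), or None when length or parity is wrong."""
    if len(bits) != 26 or set(bits) - {"0", "1"}:
        return None
    if bits[:13].count("1") % 2 != 0 or bits[13:].count("1") % 2 != 1:
        return None
    return int(bits[1:9], 2), int(bits[9:25], 2)


@dataclass
class Approval:
    """What the phone reports over the wireless channel (18); hypothetical fields."""
    card_number: int    # ID the phone is enrolled for
    pin_ok: bool        # PIN or biometric check passed on the phone
    rssi_dbm: int       # coarse proximity hint only, not a proof of distance
    received_at: float  # monotonic seconds


@dataclass
class Decision:
    forward: Optional[str]  # frame to send on to the access controller (2), or None
    reason: str


class InterceptionGate:
    def __init__(self, hold_seconds=10.0, min_rssi_dbm=-60,
                 window=(time(6, 0), time(20, 0))):
        self.hold_seconds = hold_seconds
        self.min_rssi_dbm = min_rssi_dbm
        self.window = window
        self._held = None  # (bits, card_number, arrival time)
        self.audit = []    # every outcome, for later upload to a central log

    def on_reader_frame(self, bits: str, now: float) -> str:
        parsed = parse_wiegand26(bits)
        if parsed is None:
            self.audit.append("drop:bad-frame")
            return "drop:bad-frame"
        self._held = (bits, parsed[1], now)  # withhold; a newer read replaces an older one
        return "held"

    def on_phone_approval(self, a: Approval, wall_clock: datetime) -> Decision:
        reason = self._check(a, wall_clock)
        forward = self._held[0] if reason == "approved" else None  # forwarded unchanged
        if reason in ("approved", "expired"):
            self._held = None  # release is one-shot; stale frames are discarded
        self.audit.append(reason)
        return Decision(forward, reason)

    def _check(self, a: Approval, wall_clock: datetime) -> str:
        if self._held is None:
            return "no-frame"
        _, card, arrived = self._held
        if not 0 <= a.received_at - arrived <= self.hold_seconds:
            return "expired"
        if a.card_number != card:
            return "id-mismatch"       # phone is not the one enrolled for this token
        if not a.pin_ok:
            return "pin-failed"
        if a.rssi_dbm < self.min_rssi_dbm:
            return "too-far"
        if not self.window[0] <= wall_clock.time() <= self.window[1]:
            return "outside-schedule"
        return "approved"


def demo():
    frame = encode_wiegand26(42, 12345)  # constructed sample credential
    gate = InterceptionGate()
    gate.on_reader_frame(frame, now=100.0)
    when = datetime(2015, 2, 27, 9, 0)
    far = gate.on_phone_approval(Approval(12345, True, -85, 102.0), when)
    near = gate.on_phone_approval(Approval(12345, True, -50, 103.0), when)
    return far.reason, near.reason, near.forward == frame


if __name__ == "__main__":
    print(demo())
```

The gate fails closed: a frame with bad parity is never held, and a held frame reaches the controller only after every check passes within the hold time.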
EP15156996.9A 2015-02-27 2015-02-27 Method and devices for upgrading an existing access control system Active EP3062294B1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
EP15156996.9A EP3062294B1 (en) 2015-02-27 2015-02-27 Method and devices for upgrading an existing access control system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
EP15156996.9A EP3062294B1 (en) 2015-02-27 2015-02-27 Method and devices for upgrading an existing access control system

Publications (2)

Publication Number Publication Date
EP3062294A1 true EP3062294A1 (en) 2016-08-31
EP3062294B1 EP3062294B1 (en) 2021-04-14

Family

ID=52648826

Family Applications (1)

Application Number Title Priority Date Filing Date
EP15156996.9A Active EP3062294B1 (en) 2015-02-27 2015-02-27 Method and devices for upgrading an existing access control system

Country Status (1)

Country Link
EP (1) EP3062294B1 (en)

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP3371789A4 (en) * 2015-11-04 2019-07-31 Latchable, Inc. Systems and methods for controlling access to physical space
EP3624072A1 (en) * 2018-09-17 2020-03-18 Astra Gesellschaft Für Asset Management MbH&Co. Kg Identification adapter and identification device
US11151816B2 (en) 2014-01-04 2021-10-19 Latch, Inc. Methods and systems for access control and awareness management
US11222495B2 (en) 2017-05-17 2022-01-11 Latch Systems, Inc. Scalable systems and methods for monitoring and concierge service

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5679945A (en) * 1995-03-31 1997-10-21 Cybermark, L.L.C. Intelligent card reader having emulation features
US20030197593A1 (en) * 2002-04-19 2003-10-23 Cross Match Technologies, Inc. Systems and methods utilizing biometric data
US20030200446A1 (en) * 2002-04-19 2003-10-23 Cross Match Technologies, Inc. System and methods for access control utilizing two factors to control access
US20040041019A1 (en) * 2002-08-27 2004-03-04 Ultra-Scan Corporation Biometric factor augmentation method for identification systems
WO2005001777A1 (en) * 2003-06-16 2005-01-06 Scm Microsystems Gmbh Access system
US20120280783A1 (en) * 2011-05-02 2012-11-08 Apigy Inc. Systems and methods for controlling a locking mechanism using a portable electronic device
EP2738707A1 (en) * 2012-11-29 2014-06-04 HID Global GmbH Interactive reader commander

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2008111012A1 (en) * 2007-03-14 2008-09-18 Dexrad (Proprietary) Limited Personal identification device for secure transactions

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US11151816B2 (en) 2014-01-04 2021-10-19 Latch, Inc. Methods and systems for access control and awareness management
EP3371789A4 (en) * 2015-11-04 2019-07-31 Latchable, Inc. Systems and methods for controlling access to physical space
US10872483B2 (en) 2015-11-04 2020-12-22 Latchable, Inc. Systems and methods for controlling access to physical space
US11222495B2 (en) 2017-05-17 2022-01-11 Latch Systems, Inc. Scalable systems and methods for monitoring and concierge service
EP3624072A1 (en) * 2018-09-17 2020-03-18 Astra Gesellschaft Für Asset Management MbH&Co. Kg Identification adapter and identification device
US11381966B2 (en) 2018-09-17 2022-07-05 Astra Gesellschaft Fuer Asset Management Mbh & Co. Kg Identification adapter and identification device

Also Published As

Publication number Publication date
EP3062294B1 (en) 2021-04-14

Similar Documents

Publication Publication Date Title
US10755507B2 (en) Systems and methods for multifactor physical authentication
CN104966336B (en) Intelligent lock and authorization management method and device of intelligent lock
CN107004314B (en) Remote programming for access control systems using virtual card data
EP2657917B1 (en) Electronic key registration system and corresponding method
CN107005798B (en) Capturing user intent when interacting with multiple access controls
US20180262891A1 (en) Electronic access control systems and methods using near-field communications, mobile devices and cloud computing
US20190340852A1 (en) Access control system with secure pass-through
CA2632298C (en) Integrated access control system and a method of controlling the same
US10171444B1 (en) Securitization of temporal digital communications via authentication and validation for wireless user and access devices
KR102427635B1 (en) Dynamic key access control systems, methods and apparatus
CN110033534B (en) Secure seamless access control
CN110178160B (en) Access control system with trusted third party
US7496948B1 (en) Method for controlling access to a target application
EP3228107A1 (en) Access control system with virtual card data
KR102085975B1 (en) System for Managing Door Lock information of Accommodation And Driving Method Thereof
JP2004528655A (en) Frequency method
EP2659661A1 (en) Electronic physical access control with remote authentication
EP2487652B1 (en) Security device with offline credential analysis
EP3062294B1 (en) Method and devices for upgrading an existing access control system
KR101637516B1 (en) Method and apparatus for controlling entrance and exit
KR20150056711A (en) Access management system using smart access card and method
US11151240B2 (en) Access key card that cancels automatically for safety and security
JP2007308873A (en) System for managing entry into room
CN113763603B (en) Information processing apparatus, information processing method, computer-readable storage medium, and portable terminal
US20190180215A1 (en) Lock audits access to guest for safety and security

Legal Events

Date Code Title Description
PUAI Public reference made under article 153(3) epc to a published international application that has entered the european phase

Free format text: ORIGINAL CODE: 0009012

AK Designated contracting states

Kind code of ref document: A1

Designated state(s): AL AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HR HU IE IS IT LI LT LU LV MC MK MT NL NO PL PT RO RS SE SI SK SM TR

AX Request for extension of the european patent

Extension state: BA ME

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: REQUEST FOR EXAMINATION WAS MADE

17P Request for examination filed

Effective date: 20170214

RBV Designated contracting states (corrected)

Designated state(s): AL AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HR HU IE IS IT LI LT LU LV MC MK MT NL NO PL PT RO RS SE SI SK SM TR

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: EXAMINATION IS IN PROGRESS

17Q First examination report despatched

Effective date: 20180202

REG Reference to a national code

Ref country code: DE

Ref legal event code: R079

Ref document number: 602015068011

Country of ref document: DE

Free format text: PREVIOUS MAIN CLASS: G07C0009000000

Ipc: G07C0009270000

GRAP Despatch of communication of intention to grant a patent

Free format text: ORIGINAL CODE: EPIDOSNIGR1

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: GRANT OF PATENT IS INTENDED

RIC1 Information provided on ipc code assigned before grant

Ipc: G07C 9/27 20200101AFI20201028BHEP

INTG Intention to grant announced

Effective date: 20201116

GRAS Grant fee paid

Free format text: ORIGINAL CODE: EPIDOSNIGR3

GRAA (expected) grant

Free format text: ORIGINAL CODE: 0009210

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: THE PATENT HAS BEEN GRANTED

AK Designated contracting states

Kind code of ref document: B1

Designated state(s): AL AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HR HU IE IS IT LI LT LU LV MC MK MT NL NO PL PT RO RS SE SI SK SM TR

RAP3 Party data changed (applicant data changed or rights of an application transferred)

Owner name: QIBIXX AG

REG Reference to a national code

Ref country code: GB

Ref legal event code: FG4D

REG Reference to a national code

Ref country code: CH

Ref legal event code: EP

REG Reference to a national code

Ref country code: DE

Ref legal event code: R096

Ref document number: 602015068011

Country of ref document: DE

REG Reference to a national code

Ref country code: IE

Ref legal event code: FG4D

REG Reference to a national code

Ref country code: AT

Ref legal event code: REF

Ref document number: 1383119

Country of ref document: AT

Kind code of ref document: T

Effective date: 20210515

REG Reference to a national code

Ref country code: LT

Ref legal event code: MG9D

REG Reference to a national code

Ref country code: AT

Ref legal event code: MK05

Ref document number: 1383119

Country of ref document: AT

Kind code of ref document: T

Effective date: 20210414

REG Reference to a national code

Ref country code: NL

Ref legal event code: MP

Effective date: 20210414

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: HR

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20210414

Ref country code: BG

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20210714

Ref country code: AT

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20210414

Ref country code: FI

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20210414

Ref country code: NL

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20210414

Ref country code: LT

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20210414

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: ES

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20210414

Ref country code: PT

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20210816

Ref country code: NO

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20210714

Ref country code: PL

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20210414

Ref country code: RS

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20210414

Ref country code: SE

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20210414

Ref country code: LV

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20210414

Ref country code: IS

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20210814

Ref country code: GR

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20210715

REG Reference to a national code

Ref country code: DE

Ref legal event code: R097

Ref document number: 602015068011

Country of ref document: DE

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: RO

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20210414

Ref country code: EE

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20210414

Ref country code: CZ

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20210414

Ref country code: DK

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20210414

Ref country code: SM

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20210414

Ref country code: SK

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20210414

PLBE No opposition filed within time limit

Free format text: ORIGINAL CODE: 0009261

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: NO OPPOSITION FILED WITHIN TIME LIMIT

26N No opposition filed

Effective date: 20220117

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: IS

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20210814

Ref country code: AL

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20210414

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: IT

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20210414

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: MC

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20210414

REG Reference to a national code

Ref country code: BE

Ref legal event code: MM

Effective date: 20220228

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: LU

Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES

Effective date: 20220227

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: IE

Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES

Effective date: 20220227

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: BE

Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES

Effective date: 20220228

PGFP Annual fee paid to national office [announced via postgrant information from national office to epo]

Ref country code: FR

Payment date: 20230221

Year of fee payment: 9

Ref country code: CH

Payment date: 20230307

Year of fee payment: 9

PGFP Annual fee paid to national office [announced via postgrant information from national office to epo]

Ref country code: GB

Payment date: 20230221

Year of fee payment: 9

Ref country code: DE

Payment date: 20230216

Year of fee payment: 9

P01 Opt-out of the competence of the unified patent court (upc) registered

Effective date: 20230505

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: HU

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT; INVALID AB INITIO

Effective date: 20150227