The invention relates to a method for access control to a computer by means of a mobile end device, according to the preamble of claim 1, in particular as described in DE 10 2004 036 366 A1. A mobile end device is understood to be a mobile phone, smart phone or similar device.
To safeguard access to a computer, e.g. a workstation computer, PC, server, notebook, tablet PC or the like, the user is normally required to authenticate to the computer, for example by entering a PIN (personal identification number). Upon successful authentication the user is granted access to the computer.
A PIN must be remembered by the user and is thus often forgotten or handled carelessly, e.g. noted down in a way that can be spied out.
For greater user-friendliness compared with the use of a PIN, the prior art proposes employing mobile phones for access control to computers.
DE 10 2004 036 366 A1 and DE 10 2004 036 374 A1 disclose methods for accessing resources or firmware of a computer, wherein, as soon as a Bluetooth-capable mobile phone is brought into the capture region of a Bluetooth radio interface (e.g. a USB Bluetooth stick) of the computer, an authentication is carried out and access is granted. Theft of the switched-on mobile phone makes abusive access to the computer possible. DE 10 2004 036 366 A1 is assumed to be the closest prior art.
EP 2 063 380 A2 discloses a user-friendly method for access control to a PC or similar device having an RFID reader by means of a mobile phone having an NFC module (referred to as “third application possibility”). A user brings the mobile phone into a primary response region of the PC, authenticates himself and removes the mobile phone from the primary response region. As long as the mobile phone is outside the primary, but within a larger, secondary response region of the PC, the user is assumed to be present at the PC. Only when the secondary response region is also left is, e.g., the keyboard of the PC blocked or the screen saver activated, and a new authentication is required for access to the PC. If the user inadvertently leaves the secondary response region, e.g. when he walks back and forth with the mobile phone in the room during a phone call, a new authentication is required.
Under the designation ARM TrustZone architecture, a two-part runtime architecture of the company ARM for a microprocessor system is known, which comprises two runtime environments. A first, insecure runtime environment, referred to as “normal zone” or “normal world”, is controlled by a normal operating system. A second, secured or trustworthy runtime environment, referred to as “trustzone” or “trusted world” or “secure world”, is controlled by a security operating system.
The normal operating system can be for example a common operating system, such as Android, Windows Phone, Symbian or the like.
The applicant of the present patent application manufactures and sells, under the brand name MOBICORE, a security operating system for chips to be implemented in mobile end devices.