Proximity unlocking and locking operation of electronic device

Document number: 1687222 Publication date: 2020-01-03

Reading note: This technology, "Proximity unlocking and locking operation of electronic device", was designed by R·R·尤尔里奇, J-P·库达德, K·N·阿姆斯特朗, A·W·温德克尔 and C·M·费得里吉 on 2015-05-07. Its main content: The invention relates to proximity unlocking and locking operations for electronic devices. The described embodiments perform a proximity unlocking operation. For a proximity unlocking operation, a first electronic device in a locked operating state detects that an authorized second electronic device is in proximity to the first electronic device. Based on detecting that the authorized second electronic device is in proximity to the first electronic device, the first electronic device transitions from the locked operating state to the unlocked operating state. In the described embodiments, the transition to the unlocked operating state is made without the user performing the manual authentication step that is performed in existing electronic devices to cause the transition from the locked operating state to the unlocked operating state.

1. A method for unlocking, comprising:

in a first electronic device, performing the following operations:

receiving a connection request message including a connection request from a second electronic device;

determining that the second electronic device is an authorized device, wherein the determining comprises decrypting information in the connection request message using a key obtained during a preliminary pairing operation between the first electronic device and the second electronic device;

determining that a distance of the second electronic device from the first electronic device is within a threshold distance, wherein the threshold distance is within a signal range of the second electronic device; and

transitioning the first electronic device from a locked operational state to an unlocked operational state based at least in part on a determination that the second electronic device is an authorized device, a determined distance of the second electronic device from the first electronic device being within the threshold distance, and a verification of at least one of a voice scan, a fingerprint scan, or an image capture associated with an authorized user.

2. The method of claim 1, further comprising:

in a first electronic device, performing the following operations:

maintaining the first electronic device in the locked operating state when a timeout period elapses without receiving a second connection request message from another electronic device; and

presenting an interface for unlocking the first electronic device on a display of the first electronic device based at least in part on the maintaining.

3. The method of claim 1, further comprising:

in a first electronic device, performing the following operations:

broadcasting a periodic advertisement message after the first electronic device transitions to the unlocked operational state; and

transitioning the first electronic device from the unlocked operating state to the locked operating state when a timeout period elapses without receiving a second connection request message from the second electronic device after broadcasting the periodic advertisement message.

4. The method of claim 1, further comprising:

in a first electronic device, performing the following operations:

receiving an activation input while the first electronic device is in the locked operational state, wherein receiving the activation input comprises receiving input via one or more input devices of the first electronic device; and

broadcasting an advertisement message.

5. The method of claim 4, wherein broadcasting the advertisement message comprises:

generating the advertisement message, the advertisement message including an identification of the first electronic device; and

transmitting the advertisement message via a respective network interface of the first electronic device.

6. The method according to claim 5, wherein the operations of broadcasting the advertisement message and receiving the connection request message from the second electronic device are performed using a Bluetooth Low Energy (BLE) network interface in the first electronic device.

7. The method of claim 1, wherein in the locked operational state, one or more functions of the first electronic device are disabled, and in the unlocked operational state, the one or more functions are enabled.

8. The method of claim 1, wherein the preliminary pairing operation between the first electronic device and the second electronic device is triggered by the service provider electronic device.

9. A first electronic device, comprising:

a processing subsystem; and

a networking subsystem;

wherein the processing subsystem and the networking subsystem are configured to:

receive a connection request message including a connection request from a second electronic device;

determine that the second electronic device is an authorized device, wherein the determining comprises decrypting information in the connection request message using a key obtained during a preliminary pairing operation between the first electronic device and the second electronic device;

determine that a distance of the second electronic device from the first electronic device is within a threshold distance, wherein the threshold distance is within a signal range of the second electronic device; and

transition the first electronic device from a locked operational state to an unlocked operational state based at least in part on a determination that the second electronic device is an authorized device, a determined distance of the second electronic device from the first electronic device being within the threshold distance, and a verification of at least one of a voice scan, a fingerprint scan, or an image capture associated with an authorized user.

10. The first electronic device of claim 9, wherein the processing subsystem and the networking subsystem are further configured to:

maintain the first electronic device in the locked operating state when a timeout period elapses without receiving a second connection request message from another electronic device; and

present an interface for unlocking the first electronic device on a display of the first electronic device based at least in part on the maintaining.

11. The first electronic device of claim 9, wherein the processing subsystem and the networking subsystem are further configured to:

broadcast a periodic advertisement message after the first electronic device transitions to the unlocked operational state; and

transition the first electronic device from the unlocked operating state to the locked operating state when a timeout period elapses without receiving a second connection request message from the second electronic device after broadcasting the periodic advertisement message.

12. The first electronic device of claim 9, wherein the processing subsystem and the networking subsystem are further configured to:

receive an activation input while the first electronic device is in the locked operational state, wherein receiving the activation input comprises receiving input via one or more input devices of the first electronic device; and

broadcast an advertisement message.

13. The first electronic device of claim 12, wherein the processing subsystem and the networking subsystem are further configured to:

generate the advertisement message, the advertisement message including an identification of the first electronic device; and

transmit the advertisement message via a respective network interface of the first electronic device.

14. The first electronic device of claim 9, wherein in the locked operational state, one or more functions of the first electronic device are disabled, and in the unlocked operational state, the one or more functions are enabled.

15. The first electronic device of claim 9, wherein the preliminary pairing operation between the first electronic device and the second electronic device is triggered by the service provider electronic device.

Technical Field

The disclosed embodiments relate to electronic devices. More particularly, the disclosed embodiments relate to a proximity unlocking operation of an electronic device.

Background

Many modern electronic devices (e.g., desktop computers, laptop computers, smart phones, etc.) enable a user to transition the electronic device from an unlocked operating state, in which the user has normal access to the functions of the electronic device, to a locked operating state, in which the user has limited access to the various functions of the electronic device. For example, in a locked operating state, some electronic devices present a lock screen on a display of the electronic device and prevent a user from performing nearly all functions of the electronic device, such that the user cannot access applications running on the electronic device and/or use electronic device features such as the cellular phone, camera, and the like. By placing the electronic device in a locked operating state, a user can protect sensitive files stored on the electronic device, prevent unauthorized access to the electronic device (and possibly other devices on a network to which the electronic device is connected), and the like. However, the transition from the locked operating state to the unlocked operating state may be inconvenient because the user needs to perform a manual authentication operation to cause the transition. For example, a user may be required to enter a password in a password entry dialog presented on a display of the electronic device, scan a fingerprint using a fingerprint scanner, perform a voice unlock, and so forth. This inconvenience may make the user less willing to place the electronic device in a locked operating state, which means that the electronic device is less secure and more susceptible to unauthorized use.

Drawings

FIG. 1 presents a block diagram illustrating an electronic device in accordance with some embodiments.

FIG. 2 presents a block diagram illustrating a network environment in accordance with some embodiments.

FIG. 3 presents a flow diagram illustrating a process for obtaining pairing information, according to some embodiments.

FIG. 4 presents a flowchart illustrating a process for configuring an electronic device to participate in a proximity unlocking operation, in accordance with some embodiments.

FIG. 5 presents a flowchart illustrating a process of a proximity unlocking operation, in accordance with some embodiments.

FIG. 6 presents a flow diagram illustrating a multi-factor authentication process in accordance with some embodiments.

FIG. 7 presents a flow diagram illustrating a multi-factor authentication process in accordance with some embodiments.

FIG. 8 presents a flowchart illustrating a process of a proximity locking operation in accordance with some embodiments.

FIG. 9 presents a swim lane diagram that illustrates messages exchanged between electronic devices, in accordance with some embodiments.

FIG. 10 presents a block diagram illustrating electronic devices in proximity to each other, in accordance with some embodiments.

FIG. 11 presents a block diagram that illustrates a packet containing a message in accordance with some embodiments.

In the drawings, like reference numerals refer to the same drawing elements.

Detailed Description

The following description is presented to enable any person skilled in the art to make and use the embodiments, and is provided in the context of a particular application and its requirements. Various modifications to the described embodiments will be readily apparent to those skilled in the art, and the general principles defined herein may be applied to other embodiments and applications without departing from the spirit and scope of the described embodiments. Thus, the described embodiments are not limited to the embodiments shown, but are to be accorded the widest scope consistent with the principles and features disclosed herein.

In some embodiments, an electronic device (e.g., electronic device 100 in FIG. 1 and/or some portion thereof) uses code and/or data stored on a computer-readable storage medium to perform some or all of the operations described herein. More specifically, the electronic device reads code and/or data from the computer-readable storage medium and executes the code and/or uses the data when performing the operations. In these embodiments, the computer-readable storage medium may be any device or medium or combination thereof that stores code and/or data for use by an electronic device. For example, a computer-readable storage medium may include, but is not limited to, volatile memory or non-volatile memory, such as semiconductor memory (e.g., flash memory, random access memory (eDRAM, RAM, SRAM, DRAM, DDR2/DDR3/DDR4 SDRAM, etc.)) and/or magnetic or optical storage media (e.g., disk drives, tape, CDs, DVDs). In the described embodiments, the computer-readable storage medium does not include non-statutory computer-readable storage media such as transitory signals.

In some embodiments, one or more hardware modules are configured to perform the operations described herein. For example, a hardware module may include, but is not limited to, one or more processors/cores/Central Processing Units (CPUs), Application Specific Integrated Circuit (ASIC) chips, Field Programmable Gate Arrays (FPGAs), cache/cache controllers, memory management units, computing units, embedded processors, Graphics Processors (GPUs)/graphics cores, pipelines, and/or other programmable logic devices. When such a hardware module is activated, the hardware module performs some or all of the operations. In some embodiments, a hardware module includes one or more general-purpose circuits that can be configured by executable instructions (program code, firmware, etc.) to perform operations.

In this description, functional blocks may be referred to in describing some embodiments. Generally, a functional block includes one or more associated circuits that perform the recited operations. In some embodiments, the circuitry in the functional block includes circuitry to execute program code (e.g., microcode, firmware, application programs, etc.) to perform the operations.

Summary

In the described embodiments, the electronic device performs a proximity unlocking operation. For a proximity unlocking operation, a first electronic device in a locked operating state detects proximity of an authorized second electronic device to the first electronic device. The first electronic device transitions from the locked operating state to the unlocked operating state based on detecting that an authorized second electronic device is proximate to the first electronic device. In these embodiments, the transition to the unlocked operating state is made without the user performing a manual authentication step on the first electronic device to cause the transition (i.e., a manual authentication step performed in an existing electronic device).

In some embodiments, detecting that the second electronic device is proximate to the first electronic device includes the first electronic device broadcasting an advertisement message using a wireless network interface (e.g., Bluetooth Low Energy (BLE), ZigBee, etc.). The second electronic device monitors for such advertisement messages and, when a broadcast advertisement message is detected, responds by sending a connection request message to the first electronic device, the connection request message comprising a connection request (i.e., a request to form a wireless network connection with the first electronic device). The first electronic device then determines that the second electronic device is proximate to the first electronic device based on the information from the connection request.

In some embodiments, the first electronic device performs one or more operations for approving the connection request prior to transitioning from the locked operating state to the unlocked operating state based on the connection request. For example, in some embodiments, information from the connection request is encrypted, and the first electronic device decrypts the information using a key obtained during a preliminary pairing operation (e.g., a "cloud pairing" operation as described below) between the first electronic device and the second electronic device. As another example, in some embodiments, the first electronic device compares information (e.g., a device identifier) from the connection request to a record of authorized devices to determine that the information from the connection request matches a device in the record. As yet another example, in some embodiments, in addition to the operations described above, the first electronic device may verify that one or more secondary authentication procedures have been successfully completed. For example, the secondary authentication procedure may include an authorized user performing a voice and/or fingerprint scan on one of the first electronic device or the second electronic device, verification by the first electronic device of a captured image of the authorized user (via a camera coupled to the first electronic device), entry of a password or code on the first electronic device or the second electronic device, and so forth. As another example, in some embodiments, the secondary authentication procedure may include verifying that the second electronic device is within a threshold distance of the first electronic device (e.g., within N feet, where N is 10, 50, or another number).

In some embodiments, the first electronic device also supports proximity locking operations. Generally, in these embodiments, a first electronic device that has transitioned to the unlocked operating state using a proximity unlocking operation monitors the continued proximity/presence of the second electronic device (i.e., the device that enabled the proximity unlocking operation). The first electronic device transitions from the unlocked operating state to the locked operating state when the first electronic device is no longer able to detect the proximity of the second electronic device to the first electronic device. In these embodiments, the transition to the locked operating state is made without the user having to perform a manual locking step to cause the transition (i.e., a manual locking step performed in existing electronic devices).

By performing the proximity unlocking and locking operations as described above, the embodiments enable the user to avoid performing the manual authentication step and the manual locking step to initiate the transition from the locked operating state to the unlocked operating state and the transition from the unlocked operating state to the locked operating state, respectively. This increases user satisfaction with the user experience of the electronic device and encourages the user to place the electronic device in a locked operating state (thereby protecting the device/connected devices, files, etc.).

Electronic device

Fig. 1 presents a block diagram illustrating an electronic device 100, in accordance with some embodiments. Electronic device 100 includes a processing subsystem 102, a memory subsystem 104, a networking subsystem 106, and a display subsystem 108.

Processing subsystem 102 is a functional block that performs computing operations in electronic device 100. Processing subsystem 102 includes one or more Central Processing Units (CPUs)/CPU cores, Graphics Processing Units (GPUs)/GPU cores, embedded processors, Application Specific Integrated Circuits (ASICs), and/or other computing mechanisms.

Memory subsystem 104 is a functional block that stores data and/or instructions for use by other functional blocks in electronic device 100 (e.g., processing subsystem 102, etc.). The memory subsystem 104 includes volatile memory circuitry such as Dynamic Random Access Memory (DRAM), Static Random Access Memory (SRAM), and/or other types of memory for storing instructions and data, as well as mechanisms for controlling the memory circuitry. In some embodiments, memory subsystem 104 includes a memory hierarchy having one or more caches coupled to storage circuitry. In some of these embodiments, processing subsystem 102 also includes one or more caches that are part of the memory hierarchy.

In some embodiments, the memory subsystem 104 is coupled to one or more non-volatile high capacity mass storage devices (not shown). For example, the memory subsystem 104 may be connected to a magnetic or optical disk drive, a solid state drive, or another type of mass storage device. In these embodiments, the memory subsystem 104 may be used by the electronic device 100 as a fast access storage for frequently used data, while the mass storage device is used to store less frequently used data.

Networking subsystem 106 is a functional block that includes one or more devices configured to couple to and communicate (i.e., perform network operations) over a wired and/or wireless network. For example, networking subsystem 106 may include a Bluetooth™ networking system, a cellular networking system (e.g., a 3G/4G network such as UMTS, LTE, etc.), a Universal Serial Bus (USB) networking system, a networking system based on the standards described in IEEE 802.11 or 802.15 (e.g., a ZigBee or WiFi networking system, etc.), an Ethernet networking system, and/or another networking system. Networking subsystem 106 includes processors, controllers, radios/antennas, jacks/plugs, and/or other devices for coupling with, communicating over, and processing data and events for each supported networking system. In the following description, the mechanisms for coupling to, communicating on, and processing data and events on the network for each networking system are collectively referred to as "interfaces" or "network interfaces" for the networking systems.

Display subsystem 108 is a functional block that includes one or more devices configured to display information on a visual interface of electronic device 100. For example, in some embodiments, display subsystem 108 includes a Graphics Processor (GPU), a graphics card, and/or a display screen for displaying information.

In some embodiments, communication paths (including one or more buses, wires, and/or connections) are coupled between functional blocks (processing subsystem 102, memory subsystem 104, etc.) of electronic device 100, as indicated by the arrowed lines between the elements. The communication paths are used to transmit commands, data, and/or other information between the elements.

Although specific components are used to describe electronic device 100, in some embodiments, different components and/or subsystems may be present in electronic device 100. For example, electronic device 100 may include one or more additional processing subsystems 102, memory subsystems 104, and the like. In addition, one or more of the subsystems may not be present in the electronic device 100 or some or all of the subsystem functionality may be combined with other subsystems. Further, in some embodiments, electronic device 100 may include one or more additional subsystems not shown in fig. 1. For example, electronic device 100 may include, but is not limited to, a data collection subsystem, an audio and/or video subsystem, an alarm subsystem, a media processing subsystem, and/or an input/output (I/O) subsystem.

Electronic device 100 may be, or may be included in, any device that performs computing operations. For example, the electronic device 100 may be or be included in a desktop computer, a laptop computer, a wearable computing device, a tablet computer, a smartphone, a server, a network appliance, a toy, an audiovisual device, a set-top box (e.g., an Apple TV available from Apple, Inc. of Cupertino, CA), an automobile (e.g., an interface system in an automobile), a home appliance, a controller, and/or the like, and/or combinations thereof.

Network environment

Fig. 2 presents a block diagram illustrating a network environment 200 in accordance with some embodiments. As can be seen in fig. 2, network environment 200 includes electronic device 202, authorized electronic device 204, unauthorized electronic device 206, and service provider electronic device 210 (which may be collectively referred to as "electronic devices"), as well as access point 208 and network 212. In some embodiments, each of the electronic devices (and possibly access point 208) is an electronic device similar to electronic device 100, i.e., has subsystems similar to electronic device 100. However, this is not essential; the embodiments may use any electronic device capable of performing the operations described herein.

In some embodiments, the electronic device 202 is an electronic device that supports a locked operating state and an unlocked operating state. In the locked operating state, one or more functions of the electronic device 202 are disabled. For example, in the locked operating state, a lock screen may be presented when the user activates the electronic device 202 (e.g., presses a button on a keyboard of the electronic device 202, touches a touch-sensitive display of the electronic device 202, etc.), but the user may not be able to access a home screen/desktop presented on a display of the electronic device 202, access some or all applications provided by the electronic device 202, access some or all files stored in the electronic device 202, access functions performed by the electronic device 202 (e.g., cellular telephone functions, camera functions, etc.), and/or otherwise interact with the electronic device 202. In the unlocked operating state, one or more of the above-described functions of electronic device 202 are enabled. For example, the user can access a home screen/desktop, etc. As described herein, while in the locked operating state, the electronic device 202 may transition to the unlocked operating state by performing a proximity unlocking operation. Further, when in the unlocked operating state after the proximity unlocking operation, the electronic device 202 may transition to the locked operating state by performing the proximity locking operation.

Authorized electronic device 204 and unauthorized electronic device 206 are electronic devices that participate in a communication exchange with electronic device 202 that is associated with a proximity unlocking operation and/or a proximity locking operation. In some embodiments, an "authorized" electronic device 204 is one that is "recognized" by electronic device 202 and is therefore allowed to enable proximity unlocking operations. For example, electronic device 202 and authorized electronic device 204 may engage in an inter-device exchange of identification factors (encryption keys, device information, etc.) such that electronic device 202 and authorized electronic device 204 subsequently identify each other based on inter-device communication. In some embodiments, for inter-device exchange, electronic device 202 and authorized electronic device 204 perform a preliminary pairing operation to create/exchange keys and other information based on logging into an account with service provider electronic device 210 (the preliminary pairing operation may also be referred to as "cloud pairing," which is described in more detail below). Further, in some embodiments, a user may configure electronic device 202 to identify authorized electronic device 204, as described herein. In contrast, an "unauthorized" electronic device 206 is an electronic device that is not recognized by electronic device 202 and is therefore not authorized to enable a proximity unlocking operation. For example, electronic device 202 and unauthorized electronic device 206 may generally be unknown to each other (belonging to a different user, associated with a different user account, have not performed a preliminary pairing operation, etc.).

Access point 208 is an electronic device that provides a Wireless Local Area Network (WLAN) (e.g., a WiFi network) that electronic device 202 can join. In some embodiments, one or both of authorized electronic device 204 and unauthorized electronic device 206 are also capable of joining a WLAN and thus capable of communicating with electronic device 202 via a WLAN. In some embodiments, access point 208 is coupled to a Wide Area Network (WAN) 212 (e.g., the internet) and provides access to network 212 to electronic devices coupled to the WLAN.

The service provider electronic device 210 is an electronic device such as an authentication server, a login server, an account access server, etc., that is operated by a service provider (e.g., a company, etc.) to host/provide account services for user devices. In some embodiments, service provider electronic device 210 facilitates information exchange that enables electronic devices (e.g., electronic device 202 and authorized electronic device 204) to recognize each other so that these electronic devices can participate in proximity unlocking operations. For example, in some embodiments, the service provider electronic device 210 facilitates the preliminary pairing operations described herein. As shown in FIG. 2, in some embodiments, the service provider electronic device 210 is located in the internet, i.e., it is a "cloud" based device that provides the above-described services via a dedicated application, website interface, or the like.

Within network environment 200, electronic device 202 may communicate with authorized electronic device 204 and unauthorized electronic device 206 using wireless communication signals 214 (shown using the sawtooth lines in FIG. 2). Generally, the communication signals 214 are radio signals formatted (i.e., header and payload content, etc.) according to a corresponding wireless protocol and exchanged (broadcast, transmitted/received, etc.) at a corresponding frequency, power level, time, etc. For example, the wireless protocol may be Bluetooth, ZigBee, and/or another wireless protocol. In the following description, when various messages are described as being broadcast, transmitted, sent, received, etc. by an electronic device, the messages may be broadcast, transmitted, sent, received, etc. using the communication signals 214. Note that although the communication path between access point 208 and electronic device 202 is shown using a double-headed arrow in FIG. 2, access point 208 and electronic device 202 may also communicate with each other using corresponding wireless communication signals.

In some embodiments, the above-described proximity unlocking operations and proximity locking operations rely on electronic device 202 and authorized electronic device 204 being sufficiently close to one another to enable communication signals 214 (and thus the information they contain) transmitted by each electronic device to be received by the other electronic device. In other words, electronic device 202 and authorized electronic device 204 are "in proximity" to each other, thereby allowing for the exchange of messages between the electronic devices. Thus, "proximate" as used herein refers to one or more distances at which a message broadcast/transmitted from a given electronic device can be received by one or more other electronic devices. The distance depends on the radio (antenna, receiver/transmitter, etc.) in the electronic device and the specific radio protocol/signal used for broadcasting/sending the message, and is limited by factors such as environmental conditions (electromagnetic interference, etc.) and intervening objects (furniture, walls, clothing/bags, etc.). For example, in some embodiments, communication signals 214 are exchanged between electronic device 202 and authorized electronic device 204 using a protocol with a desired range of 30 meters, so the devices are "in proximity" when they are within 30 meters of each other (note, however, that the desired range may vary significantly due to the factors described above).

FIG. 10 presents a block diagram illustrating electronic devices in proximity to each other, in accordance with some embodiments. As can be seen in FIG. 10, authorized electronic device 204 is within range 1002 of the radio signal (e.g., communication signal 214) of electronic device 202, meaning that authorized electronic device 204 can receive the radio signal transmitted from electronic device 202. Further, electronic device 202 is within range 1004 of the radio signal (e.g., communication signal 214) of authorized electronic device 204, meaning that electronic device 202 can receive radio signals transmitted from authorized electronic device 204. As described above, therefore, electronic device 202 and authorized electronic device 204 are "in proximity" to one another, thereby allowing for the communication of messages (and corresponding operations) described herein. However, neither electronic device 202 nor authorized electronic device 204 is within range 1006 of the radio signals of electronic device 1000, meaning that neither electronic device 202 nor authorized electronic device 204 is proximate to electronic device 1000. Note that ranges 1002 and 1006 of FIG. 10 are drawn as irregular shapes to show that the radio signal from an electronic device has an irregular range that depends on the electronic device (antenna arrangement, etc.), the above-described factors, and the like.

As described below, in some embodiments, an electronic device includes a mechanism for determining whether another electronic device is within a threshold distance of the electronic device. For example, a given electronic device may use radio signal properties (e.g., signal strength, frequency, timing, etc.) of the radio signals used to transmit the messages (as compared to previously known signal properties). In these embodiments, one or more operations may depend not only on the devices being in proximity to each other (e.g., within ranges 1002 and 1004), but also on their being within a specified distance of each other.

Although various electronic devices are shown in fig. 2, in some embodiments, different arrangements of electronic devices are used to perform some or all of the operations described herein. For example, in some embodiments, one or more of access point 208, service provider electronic device 210, and unauthorized electronic device 206 are not present. Generally, the embodiments include sufficient devices to transition the electronic device 202 from a locked operational state to an unlocked operational state (and vice versa) as described herein.

Obtaining pairing information

In some embodiments, an electronic device participating in a proximity unlocking operation and/or a proximity locking operation performs one or more operations to obtain pairing information such as encryption keys, device information, network details, and the like. The pairing information is then used to enable communication between the electronic devices using a corresponding network protocol (e.g., Bluetooth protocol, ZigBee protocol, etc.) and/or to verify that the devices recognize each other (e.g., by encrypting messages, etc.). In some embodiments, the operations performed to obtain pairing information are performed via the network 212 and/or the communication signals 214 and are interchangeably referred to herein as preliminary pairing, predefined pairing, or "cloud pairing." For example, in some embodiments, the electronic device performs predefined pairing operations described in pending U.S. patent application XXX entitled "Predefined Wireless Pairing" and having attorney docket No. APL-P22642US1, filed on even date herewith by the inventors Jason c.

Fig. 3 presents a flow diagram illustrating a process for obtaining pairing information, according to some embodiments. More specifically, during the process shown in fig. 3, the electronic device 202 associated with the user account communicates with the service provider electronic device 210 and other electronic devices associated with the user account (e.g., authorized electronic device 204) to obtain pairing information. It is noted that the operations shown in FIG. 3 are presented as a general example of operations performed by some embodiments. The operations performed by other embodiments may include different operations and/or operations performed in a different order. Additionally, while certain mechanisms (e.g., electronic device 202, service provider electronic device 210, etc.) are used to describe operations, in some embodiments other mechanisms perform the operations. For example, authorized electronic device 204 may perform similar operations to obtain pairing information for communication with electronic device 202 (rather than electronic device 202 performing the operations).

Note that for the example in fig. 3, assume that the electronic device 202 is logging into an account with the service provider electronic device 210 for the first time. Thus, the service provider electronic device 210 identifies the electronic device 202 as a "new" device for the account. However, although the operations are described as being performed during a first login, in some embodiments the processes are performed during a different login. Further, assume that authorized electronic device 204 has logged into an account with service provider electronic device 210, and thus becomes a device associated with the account provided by service provider electronic device 210.

The process shown in fig. 3 begins when the electronic device 202 first logs into an account on a service provider via the service provider electronic device 210 (step 300). For example, a user of the electronic device 202 may access and log into an account using an application configured to communicate with the service provider electronic device 210 (e.g., an online store application, a configuration application, etc.). As another example, a user of the electronic device 202 may access and log into an account via a web page provided by the service provider electronic device 210.

When the electronic device 202 logs into the account, the service provider electronic device 210 identifies the electronic device 202 as a new device (step 302). For example, the service provider electronic device 210 may obtain device information, such as a unique identifier, MAC address, etc., from the electronic device 202, compare the obtained information to records of known electronic devices, and determine that the electronic device 202 is not yet known to the service provider electronic device 210 (and thus is a new device). The service provider electronic device 210 then adds the electronic device 202 to the record of known devices (step 304).

In addition to adding the electronic device 202 to the record of known devices, the service provider electronic device 210 also sends messages to the other devices in the record of known devices to cause each of the other devices to perform a preliminary pairing operation with the electronic device 202 (step 306). Recall that authorized electronic device 204 has been associated with an account provided by service provider electronic device 210 and is therefore in the record of known devices, and thus one of the messages is sent to authorized electronic device 204. During the preliminary pairing operation, the aforementioned pairing information, which is generally information used to perform communication between the electronic devices using a corresponding network protocol and to enable the electronic devices to recognize each other, is exchanged between the electronic device 202 and the authorized electronic device 204 (step 308). In some embodiments, the pairing information exchanged during the preliminary pairing operation includes one or more of information such as a public address of each of electronic device 202 and authorized electronic device 204, a protocol version of a network interface used for communication between the electronic device 202 and authorized electronic device 204, a desired pairing encryption and/or identification key (sometimes referred to as a "pairing key"), a desired long-term encryption key (LTK) length (sometimes referred to as a "key length"), a human-readable device name, a device identifier (UUID, MAC address, etc.), and/or other information.

Electronic device 202 and each other device (e.g., authorized electronic device 204) then store the pairing information for subsequent use, as described herein (step 310).

Configuring devices

In some embodiments, to enable the proximity unlocking operation, one or more electronic devices participating in the proximity unlocking operation are first configured. FIG. 4 presents a flowchart illustrating a process for configuring an electronic device to participate in a proximity unlocking operation, in accordance with some embodiments. More specifically, during the process shown in fig. 4, electronic device 202 communicates with authorized electronic device 204 to configure electronic device 202 such that authorized electronic device 204 can enable proximity unlocking operations. It is noted that the operations shown in FIG. 4 are presented as a general example of operations performed by some embodiments. The operations performed by other embodiments may include different operations and/or operations performed in a different order. Additionally, while certain mechanisms (e.g., electronic device 202, authorized electronic device 204, etc.) are used to describe operations, in some embodiments other electronic devices perform the operations.

In some embodiments, electronic device 202 is a laptop computer and authorized electronic device 204 is a device such as a smartphone or wearable computing device. Thus, for the operations described below, a user may access a configuration interface on a user's laptop and may configure the laptop to allow the smartphone/wearable computing device to enable a proximity unlocking operation.

The operations shown in fig. 4 begin when the electronic device 202 receives an indication that a device for enabling a proximity unlocking operation is found (step 400). For example, in some embodiments, the operation includes the user accessing a configuration interface provided by the electronic device 202 and selecting/enabling a corresponding configuration operation. For example, the user can select a designated icon presented on the display screen of the electronic device 202 (such as by positioning a mouse pointer over a "settings" icon and clicking on the selection, tapping on the "settings" icon on the touch-sensitive display with a finger, and so forth), which causes the laptop to display the settings interface with various menu items, icons, and so forth for accessing the laptop's corresponding control interface (e.g., wireless network controls, application-specific controls, and so forth). In accordance with the settings interface, the user can select an icon, select a menu item, or the like to cause the electronic device 202 to display a configuration interface, which is a display window/screen that includes various control options (clickable option buttons/sliders, or the like) for controlling the proximity unlock/lock operations described herein.

The electronic device 202 then broadcasts an advertisement message requesting a proximity unlocking operation service (step 402). For example, the electronic device 202 can transmit an advertisement message that includes data (a service identifier, a request flag, a header or payload field, etc.) indicating that the advertisement message is requesting a response from devices that provide a proximity unlocking operation service. In some embodiments, some or all of the information in the advertisement message is encrypted using a corresponding key from the pairing information. In this way, the devices are known to recognize each other (because the devices participated in the preliminary pairing operation described above).

In response to the request, electronic device 202 receives a connection request message from authorized electronic device 204 (step 404). The connection request includes data (a service identifier, a response flag, and the like) indicating that the connection response is from a device providing the proximity unlocking operation service. In some embodiments, some or all of the information in the connection request message is encrypted using a corresponding key from the pairing information. Thus, authorized electronic device 204 may decrypt the information in the advertisement message using the corresponding key prior to sending the connection request to determine that authorized electronic device 204 is authorized to participate in the proximity unlocking operation.

Electronic device 202 processes the data from the connection request message and determines that authorized electronic device 204 provides the proximity unlocking operation service. For example, electronic device 202 may decrypt information in the connection request message using the corresponding key and process the decrypted information from the connection request message to determine that authorized electronic device 204 provides the proximity unlocking operation service. In some embodiments, the electronic device 202 also performs one or more operations to verify/certify the authorized electronic device 204 with the service provider electronic device 210 and/or another third party electronic device.

Electronic device 202 then presents an identifier of authorized electronic device 204 in a list of devices that may enable the proximity unlocking operation (step 406). For example, electronic device 202 can present, in a configuration interface, a list of devices that includes a human-readable name for authorized electronic device 204 retrieved from the connection request, the pairing information, or elsewhere (e.g., "Susan's smartphone," "Bob's smart watch," etc.). The electronic device 202 then receives a selection of authorized electronic device 204 from the list of devices (step 408). For example, the user may mouse over and click on the device identifier of authorized electronic device 204 in the list of devices in the configuration interface, select authorized electronic device 204 in the list of devices and click on an input button in the configuration interface, and so on. In some embodiments, the electronic device 202 stops broadcasting the advertisement message upon receiving a selection of authorized electronic device 204.

Electronic device 202 then adds the selected authorized electronic device 204 to a list of devices that are allowed to enable proximity unlocking operations (step 410). For example, electronic device 202 can obtain information (e.g., a device identifier, a MAC address, a human-readable name, etc.) from the connection request message, pairing information, etc., and add the obtained information to a list configured to enable subsequent identification of authorized electronic device 204 as being allowed to enable proximity unlocking operations.

Although embodiments are described in which only one advertisement message is broadcast, in some embodiments, multiple advertisement messages may be sent. For example, in some embodiments, the electronic device 202 advertises for a predetermined duration, such as M (where M is a number such as 10, 30, etc.), by periodically sending advertisement messages and then monitoring for responses to each message for a period of time. If no electronic device responds within the predetermined length of time, the electronic device 202 stops searching and, in some embodiments, notifies the user that no electronic device providing the proximity unlocking operation service could be found.

Further, although embodiments are described in which only authorized electronic devices 204 respond to broadcasted advertisement messages, in some embodiments two or more devices respond to advertisement messages. In these embodiments, the list of devices presented in operation 406 includes an identifier for each responding device and the received selection is for one or more of the responding devices.

Proximity unlocking operation

As described above, in the described embodiments, electronic device 202 and authorized electronic device 204 perform a proximity unlocking operation to transition electronic device 202 from a locked operating state to an unlocked operating state. FIG. 5 presents a flowchart illustrating a process of a proximity unlocking operation, in accordance with some embodiments. More specifically, during the process shown in FIG. 5, electronic device 202 communicates with authorized electronic device 204 to enable a proximity unlocking operation. It is noted that the operations shown in FIG. 5 are presented as a general example of operations performed by some embodiments. The operations performed by other embodiments may include different operations and/or operations performed in a different order. Additionally, although operations are described using certain mechanisms (e.g., electronic device 202, authorized electronic device 204, etc.), in some embodiments other electronic devices perform the operations.

In some embodiments, electronic device 202 is a laptop computer, authorized electronic device 204 is a smartphone, and unauthorized electronic device 206 is a wearable electronic device (e.g., a smart watch, a head-mounted electronic device, etc.). Thus, for the following operations, the laptop, in a locked operational state, may be in an area (e.g., a room). A first user carrying authorized electronic device 204/the smartphone may enter the area in which the locked laptop is located and initiate a proximity unlocking operation (e.g., press a key on the locked laptop). Further, a second user wearing unauthorized electronic device 206/the wearable electronic device may be in the area. The locked laptop may communicate with the first user's smartphone to enable a proximity unlocking operation during which the laptop is automatically unlocked. However, the laptop may ignore communications from the second user's (unauthorized) wearable electronic device that relate to the advertisement message broadcast for the proximity unlocking operation, because the wearable electronic device is unauthorized.

The process illustrated in FIG. 5 begins with the electronic device 202 in a locked operating state. Recall that in the locked operational state, one or more functions of electronic device 202 are disabled (prevented from access, turned off, etc.). While in the locked operating state, the electronic device 202 receives an activation input from a user (step 500). The activation input is received via one or more input devices of the electronic device 202. For example, the user may press a key on a keyboard of the electronic device 202, swipe a touch-sensitive screen or input device located on/coupled to the electronic device 202, speak a given command to the electronic device 202, move an input device such as a mouse coupled to the electronic device 202, and/or perform another operation for inputting an activation input.

Based on receiving the activation input, the electronic device 202 initiates a proximity unlocking operation by generating and broadcasting an advertisement message (step 502). In some embodiments, the advertisement message generated by the electronic device 202 includes an indication that the electronic device 202 is searching for an electronic device that provides a proximity unlocking operation service. In these embodiments, the indication may be included in an encoded format, such as being represented by one or more bits set to a predetermined value in a particular portion of the header and/or payload of the advertisement message to indicate that the proximity unlocking operation service is the service being searched for. In some embodiments, the advertisement message is encrypted using the aforementioned encryption key from the pairing information.

In some embodiments, the electronic device 202 uses a low-power protocol, such as Bluetooth Low Energy (BLE), ZigBee, etc., to broadcast the advertisement message with the corresponding communication signal 214. The advertisement message is formatted and processed according to the underlying protocol (e.g., limited to a corresponding number of bits/bytes, broadcast on a particular schedule, etc.). Devices such as authorized electronic device 204 may thus monitor for advertisement messages broadcast from electronic device 202 using a corresponding low-power mechanism, such as a baseband processor within a corresponding network interface. In some embodiments, an initial communication between electronic device 202 and an electronic device such as authorized electronic device 204 is processed by authorized electronic device 204 using only the baseband processor, meaning that authorized electronic device 204 may otherwise be in an idle state (e.g., with subsystems such as processing subsystems in a low-power state). For example, in some embodiments, authorized electronic device 204 can be a smartphone in a user's pocket that is in an idle state, wherein the baseband processor monitors for advertisement messages while the processing subsystem (and, generally, authorized electronic device 204) is in a low-power state. In some embodiments, when an advertisement message is identified in this manner, the baseband processor wakes up the processing subsystem (and may generally cause authorized electronic device 204 to transition from an idle operating state to a higher-power/more active operating state) to perform subsequent operations. For example, in some embodiments, authorized electronic device 204 monitors for and reacts to received advertisements as described in co-pending U.S. patent application XXX entitled "Operating Mode Transitions based on Advertising Information" and having attorney docket number APL-P22643US1, filed on even date herewith by the inventors Craig P. Dooley, Akshay Mangalam Srivatsa, Anjali S. Sandesara, and Michael Giles, which is incorporated by reference as described above. In these embodiments, authorized electronic device 204/the smartphone may not need to be retrieved from the user's pocket and/or activated to perform authorized electronic device 204's portion of the proximity locking operation.

In some embodiments, the electronic device 202 is configured to search for electronic devices supporting the proximity unlocking operation service for a predetermined time, and to stop the search if no such electronic device is found. For example, in some embodiments, the electronic device 202 starts a timer when an activation input is received. If a timeout occurs (e.g., the timer expires) before a connection request message is received from another electronic device (step 504), the electronic device 202 presents an unlock interface on a display of the electronic device 202 (step 506). The unlock interface is an interface presented to enable a user to perform manual authentication steps for transitioning the electronic device 202 from the locked operational state to the unlocked operational state. For example, a user may be required to enter a password in a password entry dialog presented on the device display, scan a fingerprint using a fingerprint scanner, perform a voice unlock, and so forth.

In some embodiments, the electronic device 202 does not wait for a timeout period (step 504), but instead presents an unlock interface on a display screen of the electronic device 202 upon receiving an activation input. In this way, the electronic device 202 enables the user to immediately perform a manual authentication step (i.e., possibly before the proximity unlocking operation has been completed), if the user so chooses. In these embodiments, the electronic device 202 continues to present the unlock interface while the remainder of the proximity unlocking operation is performed as described for FIG. 5. In these embodiments, the electronic device 202 stops/terminates the proximity unlocking operation when the user performs a manual authentication step before the proximity unlocking operation has been completed.

Note that steps 504 and 506 are performed when the proximity unlocking operation is unsuccessful; in some embodiments, the manual authentication step is not performed when the proximity unlocking operation is successful. However, in some embodiments (described below), the manual authentication step may be performed as a secondary authentication operation during the proximity unlocking operation.

After broadcasting the advertisement message (step 502), the electronic device 202 may receive a connection request message from the unauthorized electronic device 206 in response. Generally, the unauthorized electronic device 206 is not recognized by the electronic device 202 (at least for the purpose of the proximity unlocking operation), and thus is not authorized to enable the proximity unlocking operation. That is, the unauthorized electronic device 206 has not been selected by the user during the configuration process (see FIG. 4), and therefore does not appear in electronic device 202's list of devices that are allowed to enable the proximity unlocking operation. The connection request received from the unauthorized electronic device 206 may or may not be encrypted using a key from a corresponding preliminary pairing operation. When the connection request cannot be decrypted into identifiable information (i.e., it decrypts into unrecognizable information), the electronic device 202 may ignore the connection request (i.e., not approve it or otherwise perform an operation based on it). Otherwise, when the connection request can be decrypted into identifiable information, the electronic device 202 can extract some or all of the information from the connection request, determine, using the list of devices allowed to enable proximity unlocking operations, that the unauthorized electronic device 206 is not recognized, and ignore the connection request. In this way, the electronic device 202 does not perform the proximity unlocking operation based on a connection request from an unauthorized electronic device. In some embodiments, in such a case, the electronic device 202 presents the aforementioned unlock interface on the display of the first electronic device.

After broadcasting the advertisement message (step 502), electronic device 202 receives a connection request message that includes a connection request from authorized electronic device 204 (step 508). As described above, the electronic device 202 monitors for connection request messages from authorized electronic device 204 using a low-power protocol such as BLE or ZigBee. The connection request message is formatted and processed according to the underlying protocol (e.g., limited to a corresponding number of bits/bytes, broadcast on a particular schedule, etc.). In some embodiments, authorized electronic device 204 encrypts the connection request message using the corresponding key from the pairing information.

Upon receiving the connection request message, the electronic device 202 may extract information (e.g., a device identifier, a user account identifier, credentials, etc.) from the connection request. For example, in some embodiments, the electronic device 202 decrypts the connection request message using the corresponding key from the pairing information and extracts the information from the decrypted connection request message. Electronic device 202 can then compare the extracted information to information in a list of devices allowed to enable proximity unlocking operations (recall that the list of devices allowed to enable proximity unlocking operations includes information added during the configuration operations shown in fig. 4) and determine that authorized electronic device 204 is allowed to enable proximity unlocking operations. Based on determining that authorized electronic device 204 is allowed to enable the proximity unlocking operation, electronic device 202 can approve the connection request. When the connection request is approved, the electronic device 202 transitions from the locked operating state to the unlocked operating state (step 510). Recall that in the unlocked operational state, one or more functions of electronic device 202 are enabled (accessible, open, etc.).

Note that in some embodiments, no connection is intended to be formed between electronic device 202 and authorized electronic device 204 (other than for communication of the above-described advertisement message and connection request). In these embodiments, therefore, the connection request is solicited from authorized electronic device 204 (via the advertisement message) and received in order to determine whether authorized electronic device 204 is proximate to electronic device 202. Thus, electronic device 202 can ignore the connection request received from authorized electronic device 204, can respond with a rejection message notifying authorized electronic device 204 that a connection has not been formed, and/or can otherwise process the connection request received from authorized electronic device 204.

In some embodiments, when transitioning to the unlocked operational state, the electronic device 202 presents an information message to the user indicating that the electronic device 202 has been automatically unlocked using a proximity unlocking operation. For example, electronic device 202 can present a pop-up message on a display screen in display subsystem 108 that indicates that electronic device 202 was unlocked by authorized electronic device 204 (e.g., using identity information obtained from the connection request message and/or from the list of devices that are allowed to enable proximity unlocking operations). As another example, the electronic device 202 may emit a particular sound or vibrate in a predetermined pattern to indicate that a proximity unlocking operation has occurred.

In some embodiments, after transitioning to the unlocked operational state, the electronic device 202 does not broadcast a subsequent advertisement message even though the time period (see step 504) has not expired.

Although embodiments are described in which the electronic device 202 receives an activation input (step 500), in some embodiments, the electronic device 202 does not receive an activation input. Rather, in these embodiments, the electronic device 202 periodically (and continuously) broadcasts the advertisement message while in the locked operating state. In these embodiments, the operations performed by the electronic device 202 are otherwise similar to those shown in FIG. 5, except that step 500 and steps 504 and 506 are not performed, because there is no activation input and no timeout period (i.e., the electronic device 202 advertises periodically and does not use a timeout period). In these embodiments, when a user brings authorized electronic device 204 into proximity with electronic device 202, electronic device 202 is unlocked (i.e., a proximity unlocking operation is performed) without user input to electronic device 202 (i.e., there is no key press, mouse movement, touch on a touch screen, etc.).
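The decision logic of steps 502-510, including the handling of unrecognized and unlisted devices, is sketched below as an added example that is not part of the patent text. It swaps the keyed encryption/decryption the description mentions for an HMAC-SHA256 tag under the pairing key so that it runs on the Python standard library alone; the message layout, the per-advertisement nonce, the RSSI floor used as a threshold-distance stand-in, and all names and values are assumptions made for illustration.

```python
import hashlib
import hmac
import json
import os
from dataclasses import dataclass, field

SERVICE_ID = "proximity-unlock"  # constructed service identifier
UNLOCKED, MANUAL_UI = "unlocked", "manual-unlock-interface"


@dataclass
class ConnectionRequest:
    sender_addr: str    # public address exchanged during preliminary pairing
    body: bytes         # JSON: device_id, service, nonce echoed from the advertisement
    tag: bytes          # HMAC-SHA256(pairing key, body)
    rssi_dbm: int       # measured by the receiver, never taken from the sender
    received_at: float  # seconds since the advertisement was broadcast


def build_request(key, sender_addr, device_id, nonce, rssi_dbm, received_at):
    """Responder side: answer an advertisement that carried `nonce`."""
    body = json.dumps({"device_id": device_id, "service": SERVICE_ID,
                       "nonce": nonce.hex()}).encode()
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return ConnectionRequest(sender_addr, body, tag, rssi_dbm, received_at)


@dataclass
class LockedDevice:
    pairing_keys: dict        # sender_addr -> key stored in step 310
    allowed_device_ids: set   # list built in step 410
    nonce: bytes = field(default_factory=lambda: os.urandom(16))
    timeout_s: float = 10.0   # assumed search window (step 504)
    min_rssi_dbm: int = -60   # assumed stand-in for the threshold distance
    ignored: list = field(default_factory=list)

    def reject_reason(self, req):
        """Return None if the request may unlock the device, else the reason."""
        key = self.pairing_keys.get(req.sender_addr)
        if key is None:
            return "no pairing key for sender"
        expected = hmac.new(key, req.body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, req.tag):
            return "does not verify under pairing key"
        try:
            msg = json.loads(req.body)
            device_id = str(msg["device_id"])
            nonce = bytes.fromhex(msg["nonce"])
            service = msg["service"]
        except (ValueError, KeyError, TypeError):
            return "malformed body"
        if service != SERVICE_ID:
            return "wrong service"
        if not hmac.compare_digest(nonce, self.nonce):
            return "stale nonce"  # answer to an earlier advertisement
        if device_id not in self.allowed_device_ids:
            return "not in allowed-device list"
        if req.rssi_dbm < self.min_rssi_dbm:
            return "beyond threshold distance"
        return None

    def process(self, requests):
        """Handle requests in arrival order; unlock on the first acceptable one."""
        for req in sorted(requests, key=lambda r: r.received_at):
            if req.received_at > self.timeout_s:
                break                    # timer expired (step 504)
            reason = self.reject_reason(req)
            if reason is None:
                return UNLOCKED          # step 510
            self.ignored.append((req.sender_addr, reason))
        return MANUAL_UI                 # step 506


def demo():
    """Constructed scenario: paired-but-unlisted watch, forged tag, replay, phone."""
    phone_key, watch_key = os.urandom(32), os.urandom(32)
    laptop = LockedDevice({"AA:01": phone_key, "AA:02": watch_key}, {"phone-204"})
    n = laptop.nonce
    requests = [
        build_request(watch_key, "AA:02", "watch-206", n, -48, 0.4),
        build_request(os.urandom(32), "AA:01", "phone-204", n, -45, 0.6),
        build_request(phone_key, "AA:01", "phone-204", os.urandom(16), -50, 0.8),
        build_request(phone_key, "AA:01", "phone-204", n, -52, 1.2),
    ]
    return laptop.process(requests), laptop.ignored


if __name__ == "__main__":
    outcome, ignored = demo()
    print(outcome)
    for addr, reason in ignored:
        print("ignored", addr, "-", reason)
```

The tag is verified before the body is parsed, so unauthenticated input never reaches the JSON parser or the allowed-device comparison.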

Secondary authentication

Although a single-factor authentication process (i.e., an authentication process based only on information from the connection request) is shown in FIG. 5, in some embodiments, the electronic device 202 uses two or more additional authentication factors to determine whether to approve the connection request. In some of these embodiments, along with authentication based on the connection request, one or more secondary authentication operations must be successfully performed before the connection request is approved and, thus, before the electronic device 202 transitions from the locked operating state to the unlocked operating state.

In some embodiments, the authentication process is associated with a corresponding security level. For example, in some embodiments, the lowest-security authentication process is a single-factor authentication process, such as the authentication process shown in FIG. 5 (i.e., authorized electronic device 204 is in proximity to electronic device 202). A single-factor authentication process may be used to replace typical single-factor authentication processes (i.e., manual authentication operations such as password entry, fingerprint scanning, etc.), which is convenient for the user but relatively less secure than the multi-factor authentication process described in this section. As another example, a higher security level is achieved using a two-factor authentication process that requires both of the following: (1) authorized electronic device 204 is in proximity to electronic device 202, and (2) a password is entered into electronic device 202 (or a fingerprint scan is performed using authorized electronic device 204). The two-factor authentication process may be used to augment a typical single-factor authentication process (e.g., a manual authentication operation such as password entry, fingerprint scanning, etc.) by requiring that an authorized device (e.g., a smartphone, a wearable device, etc.) of a user be located nearby when the single-factor authentication process is performed (e.g., when a password is entered into electronic device 202, when a fingerprint scan is performed on authorized electronic device 204, etc.). As another example, the highest security level is achieved using a three-factor authentication process that requires all of the following: (1) the proximity of authorized electronic device 204 to electronic device 202, (2) entering a password into electronic device 202, and (3) performing a fingerprint scan using authorized electronic device 204.
The three-factor authentication process may be used to augment a typical single-factor authentication process (e.g., a manual authentication operation such as password entry, fingerprint scanning, etc.), where it is required that when the single-factor authentication process is performed (e.g., when a password is entered into the electronic device 202), an authorized device (e.g., a smartphone, a wearable device, etc.) of the user be located nearby, and the user performs a corresponding operation (e.g., fingerprint scanning) using the authorized electronic device 204. In some embodiments, due to the corresponding higher security level, the multi-factor authentication operation may be used to enable operations other than performing the proximity unlocking operations described herein (e.g., operations that have a greater security impact than unlocking the electronic device 202), such as network login, account login, file/directory access rights acquisition, application launch, and the like.

As described above, the secondary authentication may occur at the electronic device 202 itself, such as when the user enters a password using a keyboard of the electronic device 202, or may occur on another device, such as when the user scans a fingerprint using a fingerprint scanner of the authorized electronic device 204. In embodiments where a secondary authentication operation is performed on another device, electronic device 202 may communicate with authorized electronic device 204 to cause the secondary operation to occur (using BLE, ZigBee, an infrastructure network such as a WiFi network provided by access point 208, etc.) and obtain the results of the secondary authentication operation.

Fig. 6 presents a flow diagram illustrating a multi-factor authentication process in accordance with some embodiments. More specifically, during the process shown in fig. 6, the electronic device 202 approves the connection request based on: (1) a connection request, and (2) a successful completion of the secondary authentication operation. It is noted that the operations illustrated in FIG. 6 are presented as a general example of operations performed by some embodiments. The operations performed by other embodiments may include different operations and/or operations performed in a different order. Additionally, although operations are described using certain mechanisms (e.g., electronic device 202, authorized electronic device 204, etc.), in some embodiments, other electronic devices perform the operations.

The process illustrated in fig. 6 begins when electronic device 202 (as part of step 510 of fig. 5) determines whether authorized electronic device 204 is an authorized device based on information associated with a connection request received from authorized electronic device 204 (step 600). As described above, authorized electronic device 204 is an authorized device. (If authorized electronic device 204 were not an authorized device, electronic device 202 would determine that authorized electronic device 204 is unidentified and ignore the connection request.)

The electronic device 202 also determines whether the secondary authentication operation has been successfully performed (step 602). For example, the electronic device 202 can determine whether the electronic device 202 received a spoken authentication phrase from the user. As another example, the electronic device 202 can determine whether the password was correctly entered in the electronic device 202. As another example, electronic device 202 can communicate with authorized electronic device 204 to determine whether authorized electronic device 204 successfully performed a fingerprint scan. Generally speaking, in these embodiments, the secondary authentication operation may include any secondary authentication operation that can be performed on one or both of electronic device 202 and authorized electronic device 204. It is assumed that the secondary authentication operation is successfully performed. (If not, electronic device 202 will ignore the connection request.)

After determining that authorized electronic device 204 is an authorized device and that the secondary authentication operation has been successfully performed, electronic device 202 approves the connection request (step 604). As described above, when the connection request is approved, the electronic device 202 transitions from the locked operating state to the unlocked operating state (see step 510).

Fig. 7 presents a flow diagram illustrating a multi-factor authentication process in accordance with some embodiments. More specifically, during the operation illustrated in fig. 7, the electronic device 202 approves the connection request based on: (1) a connection request, and (2) authorized electronic device 204 is in physical proximity to electronic device 202. It is noted that the operations shown in FIG. 7 are presented as a general example of operations performed by some embodiments. The operations performed by other embodiments may include different operations and/or operations performed in a different order. Additionally, although operations are described using certain mechanisms (e.g., electronic device 202, authorized electronic device 204, etc.), in some embodiments, other electronic devices perform the operations.

The process illustrated in fig. 7 begins when electronic device 202 (as part of step 510 of fig. 5) determines whether authorized electronic device 204 is an authorized device based on information associated with a connection request received from authorized electronic device 204 (step 700). As described above, authorized electronic device 204 is an authorized device. (If authorized electronic device 204 were not an authorized device, electronic device 202 would determine that authorized electronic device 204 is unidentified and ignore the connection request.)

Electronic device 202 also determines whether authorized electronic device 204 is within a threshold distance of electronic device 202 (e.g., within a room, in a building, etc.) (step 702). In these embodiments, electronic device 202 may use one or more techniques for determining whether authorized electronic device 204 is within a threshold distance. For example, electronic device 202 can determine a distance from electronic device 202 to authorized electronic device 204 using radio signal properties (e.g., signal strength, frequency, timing, etc.) of the radio signal used to transmit the connection request from authorized electronic device 204 to electronic device 202, as compared to previously known signal properties. As another example, electronic device 202 can communicate with other electronic devices, such as access point 208, to determine whether authorized electronic device 204 is communicating with the other devices, thereby determining whether authorized electronic device 204 is within a threshold distance. As another example, electronic device 202 can request that authorized electronic device 204 play an audible sound, flash a light, or otherwise perform a perceivable action that electronic device 202 can detect using one or more sensors (microphones, photovoltaic sensors, etc.) to determine the location of authorized electronic device 204. It is assumed that authorized electronic device 204 is within the threshold distance. (If not, electronic device 202 will ignore the connection request.)

When authorized electronic device 204 is determined to be an authorized device and authorized electronic device 204 is within a threshold distance from electronic device 202, electronic device 202 approves the connection request (step 704). As described above, when the connection request is approved, the electronic device 202 transitions from the locked operating state to the unlocked operating state.
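The approval decisions of figs. 6 and 7 can be combined into one policy check, shown here as an added example that is not code from the patent. It generalizes the two flows so that either or both extra factors can be required. Assumptions: an HMAC tag under the pairing key stands in for the encryption the text describes, the advertisement carries a nonce that the connection request must echo, and distance is estimated from signal strength with a log-distance path-loss model whose calibration values are constructed.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

PAIRING_KEY = bytes(range(32))   # constructed sample key (assumed result of pairing)
ALLOWED_IDS = {b"phone-204"}     # constructed list of devices allowed to unlock


def _tag(key: bytes, device_id: bytes, nonce: bytes) -> bytes:
    # Length-prefix the id so different (id, nonce) pairs never share a message.
    msg = len(device_id).to_bytes(2, "big") + device_id + nonce
    return hmac.new(key, msg, hashlib.sha256).digest()


def make_connection_request(key: bytes, device_id: bytes, nonce: bytes) -> dict:
    """Connection request as device 204 would build it for one advertisement."""
    return {"device_id": device_id, "nonce": nonce, "tag": _tag(key, device_id, nonce)}


def is_authorized(key: bytes, request: dict, advertised_nonce: bytes) -> bool:
    """Steps 600/700: verify under the pairing key, reject stale nonces."""
    fresh = hmac.compare_digest(request["nonce"], advertised_nonce)
    expected = _tag(key, request["device_id"], request["nonce"])
    genuine = hmac.compare_digest(request["tag"], expected)
    return fresh and genuine and request["device_id"] in ALLOWED_IDS


def estimate_distance_m(rssi_dbm: float, rssi_at_1m_dbm: float = -59.0,
                        path_loss_exponent: float = 2.0) -> float:
    """Compare measured signal strength with a previously known value at 1 m."""
    return 10 ** ((rssi_at_1m_dbm - rssi_dbm) / (10 * path_loss_exponent))


@dataclass
class Policy:
    require_secondary: bool = False          # fig. 6 factor (password, fingerprint)
    max_distance_m: Optional[float] = None   # fig. 7 factor; None disables it


def decide(policy: Policy, key: bytes, request: dict, advertised_nonce: bytes,
           rssi_dbm: Optional[float] = None, secondary_ok: bool = False):
    """Return ("approve" | "ignore", reason); any failed factor ignores the request."""
    if not is_authorized(key, request, advertised_nonce):
        return ("ignore", "unrecognized device")
    if policy.require_secondary and not secondary_ok:
        return ("ignore", "secondary authentication failed")          # step 602
    if policy.max_distance_m is not None:
        if rssi_dbm is None or estimate_distance_m(rssi_dbm) > policy.max_distance_m:
            return ("ignore", "outside threshold distance")           # step 702
    return ("approve", "all required factors satisfied")              # steps 604/704
```

A request captured for an earlier advertisement fails the nonce comparison, so replaying it does not satisfy the first factor.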

Proximity locking operation

In some embodiments, the electronic device performs a proximity locking operation. For a proximity locking operation, a first electronic device (e.g., electronic device 202) that transitioned to an unlocked operating state using a proximity unlocking operation monitors the continued proximity of the second electronic device (e.g., authorized electronic device 204) that enabled the proximity unlocking operation. The first electronic device transitions from the unlocked operating state to the locked operating state when the first electronic device is no longer able to detect that the authorized second electronic device is proximate to the first electronic device. In these embodiments, the transition to the locked operating state is made without requiring the user to perform a manual locking step on the first electronic device to cause the transition (i.e., a manual locking step performed in existing electronic devices).

FIG. 8 presents a flowchart illustrating a process of a proximity locking operation in accordance with some embodiments. More specifically, during the process illustrated in FIG. 8, electronic device 202 transitions to the locked operating state after having transitioned to the unlocked operating state during a proximity unlocking operation enabled by authorized electronic device 204. It is noted that the operations illustrated in FIG. 8 are presented as a general example of operations performed by some embodiments. The operations performed by other embodiments may include different operations and/or operations performed in a different order. Additionally, although operations are described using certain mechanisms (e.g., electronic device 202, authorized electronic device 204, etc.), in some embodiments, other electronic devices perform the operations.

The process illustrated in FIG. 8 begins with the electronic device 202 broadcasting an announcement message while in the unlocked operating state (step 800). Generally, the announcement message is broadcast to prompt authorized electronic device 204 to respond with a connection request message confirming that authorized electronic device 204 is proximate to electronic device 202. In some embodiments, the announcement message includes an indication that electronic device 202 is searching for an electronic device that provides a proximity unlocking operation service (similar to the announcement message of the proximity unlocking operation described above). In some embodiments, the announcement message is encrypted using a key from the pairing information described above.

In some embodiments, electronic device 202 is configured to wait for a connection request message from authorized electronic device 204 within a predetermined time in response to the advertisement message and transition to a locked operating state if the connection request message is not received. For example, in some embodiments, the electronic device 202 starts a timer when an announcement message is broadcast. If a timeout occurs before receiving a connection request message from authorized electronic device 204 (e.g., if a timer expires) (step 802), electronic device 202 transitions to a locked operational state (step 804). However, if a connection request message is received (step 806) before the timeout (step 802), the electronic device 202 remains in the unlocked operational state (step 808). In these embodiments, electronic device 202 verifies that the connection request is from authorized electronic device 204 using information associated with the connection request as described above (e.g., using a key from the pairing information to decrypt the connection request and extract information therefrom for verifying that the connection request is from authorized electronic device 204).

Note that in some embodiments, it is intended that no connection be formed between electronic device 202 and authorized electronic device 204 (other than for communication of the above-described announcement message and connection request). In these embodiments, therefore, the connection request is requested (via an announcement message) and received from authorized electronic device 204 only to ensure that authorized electronic device 204 remains in proximity to electronic device 202. Thus, electronic device 202 can ignore connection requests received from authorized electronic device 204, can respond with a rejection message notifying authorized electronic device 204 that a connection has not been formed, and/or can otherwise process connection requests received from authorized electronic device 204.

In some embodiments, the electronic device 202 periodically broadcasts advertisement messages (e.g., every K seconds, where K is a number such as 3, 10, etc.), and the advertisement message described above is one of these periodic advertisement messages. By periodically broadcasting the advertisement message and processing the corresponding connection request from authorized electronic device 204 as shown in fig. 8, electronic device 202 can ensure that authorized electronic device 204 remains proximate to electronic device 202 after the proximity unlocking operation is completed. This may improve the user experience by enabling the user to automatically lock the electronic device 202 simply by moving away from the electronic device 202 and/or may improve security by preventing the user from leaving the area where the electronic device 202 is located without locking the electronic device 202.

Although embodiments are described in which the electronic device 202 simply transitions to the locked operating state, in some embodiments, the electronic device 202 may present an alert to the user a predetermined time before transitioning to the locked operating state. In these embodiments, the user may need to perform a manual authentication step, such as entering a password, to prevent the electronic device 202 from transitioning to the locked operating state.

Further, although one advertisement message is described as being broadcast periodically, when no response is received, electronic device 202 may broadcast one or more additional advertisement messages (i.e., in addition to any advertisement messages that would have been broadcast anyway) in an attempt to elicit a connection request from authorized electronic device 204. In some of these embodiments, one or more of the advertisement messages may be broadcast with different (e.g., shorter) periods.
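The proximity locking loop of FIG. 8, together with the warning and the additional advertisements described above, can be traced on a virtual clock. The following is an added example, not code from the patent. Assumptions: all timing values are constructed, a response is treated as arriving instantly, and "answers" stands for a connection request that was received and verified with the pairing key.

```python
from dataclasses import dataclass


@dataclass
class LockConfig:
    period_s: float = 10.0       # K: interval between periodic advertisements
    timeout_s: float = 3.0       # wait for a connection request (step 802)
    retry_period_s: float = 1.0  # shorter period for additional advertisements
    max_retries: int = 2         # additional advertisements before giving up
    warning_s: float = 5.0       # alert shown this long before locking


def run_proximity_lock(cfg, absent, manual_auths=0, horizon_s=60.0):
    """Simulate the unlocked device 202 monitoring device 204.

    absent: list of (start, end) intervals in which device 204 cannot answer.
    manual_auths: number of warnings the user dismisses by authenticating.
    Returns (final_state, lock_time, events).
    """
    def answers(t):
        # Stands for: connection request received and verified (step 806).
        return not any(start <= t < end for start, end in absent)

    events, cycle_start = [], 0.0
    while cycle_start < horizon_s:
        t, answered = cycle_start, False
        for attempt in range(1 + cfg.max_retries):
            events.append((t, "advertise" if attempt == 0 else "extra advertise"))
            if answers(t):
                answered = True
                break
            # No response: wait out the timeout, then try again sooner.
            t += cfg.timeout_s if attempt == 0 else cfg.retry_period_s
        if answered:
            events.append((t, "remain unlocked"))              # step 808
        else:
            events.append((t, "warn user"))
            if manual_auths > 0:
                manual_auths -= 1
                events.append((t, "manual authentication, remain unlocked"))
            else:
                lock_time = t + cfg.warning_s
                events.append((lock_time, "lock"))             # step 804
                return "locked", lock_time, events
        cycle_start += cfg.period_s
    return "unlocked", None, events


if __name__ == "__main__":
    # Constructed scenario: the authorized device walks away at t = 12 s.
    for when, what in run_proximity_lock(LockConfig(), [(12.0, float("inf"))])[2]:
        print(f"{when:5.1f}s  {what}")
```

With these values the time an unattended device stays unlocked is bounded by one period plus the timeout, the retries and the warning, which is the figure to tune when choosing K.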

Messages exchanged between electronic devices

FIG. 9 presents a swim lane diagram that illustrates messages exchanged between electronic devices, in accordance with some embodiments. As can be seen in fig. 9, messages are exchanged between electronic device 202 and authorized electronic device 204 over a period of time, with the announcement message 900 occurring first and messages lower in fig. 9 occurring later. In this figure, separation in time is indicated by dashed lines, such as the dashed line between the connection request 902 and the announcement message 904, meaning that some delay may occur between the corresponding messages. Although fig. 9 illustrates messages being exchanged in a particular order, in some embodiments, other messages are exchanged and/or messages are exchanged in a different order. Generally, the electronic devices in the described embodiments exchange sufficient messages to enable the operations described herein.

The messages in fig. 9 are associated with three operations performed by electronic device 202 and/or authorized electronic device 204. The first operation, which is a device configuration operation such as that shown in fig. 4, includes an announcement message 900 and a connection request message 902. During the configuration operation, the electronic device 202 broadcasts at least one advertisement message 900. Upon receiving advertisement message 900, authorized electronic device 204 responds with a connection request 902. In some embodiments, the announcement message 900 and the connection request message 902 are encrypted and decrypted using corresponding keys from the pairing information. In some embodiments, upon receiving connection request message 902, determining that the included connection request is from an authorized device, and receiving a selection of authorized electronic device 204, electronic device 202 adds authorized electronic device 204 to a list of devices that are allowed to enable proximity unlocking operations.

The second operation, which is a proximity unlock operation such as that shown in fig. 5, includes an announcement message 904 and a connection request message 906, and optionally a secondary authentication request message 908 and a secondary authentication response message 910. During the proximity unlock operation, the electronic device 202 (upon receiving an activation input) broadcasts at least one announcement message 904. Upon receiving announcement message 904, authorized electronic device 204 responds with connection request 906. The announcement message 904 and the connection request message 906 are encrypted and decrypted using the corresponding keys from the pairing information. In some embodiments, the electronic device 202 transitions from the locked operating state to the unlocked operating state upon receiving the connection request message 906 and determining that the included connection request is from an authorized device.

In some embodiments, the proximity unlocking operation is modified to include at least one additional authentication factor in addition to the connection request. Some embodiments of the secondary authentication factor are described above with reference to figs. 6-7. In some of these embodiments, performing the additional factor includes communicating a command to perform the additional factor (fingerprint scan, voice recognition, etc.) from electronic device 202 to authorized electronic device 204, where the additional factor is performed. In these embodiments, secondary authentication request message 908 is sent from electronic device 202 to authorized electronic device 204. In response, authorized electronic device 204 sends secondary authentication response message 910. In these embodiments, the electronic device 202 may transition from the locked operating state to the unlocked operating state (or remain in the locked operating state) based on whether the secondary authentication response message 910 indicates that the second factor was successful (and whether the connection request 906 is from an authorized electronic device).

The third operation, which is a proximity lock operation such as that shown in fig. 8, includes periodic advertisement messages 912 and connection request messages 914. During a proximity locking operation, electronic device 202, after being unlocked during a proximity unlocking operation enabled by authorized electronic device 204, broadcasts at least one periodic advertisement message 912. Authorized electronic device 204 responds with a connection request 914 when periodic advertisement message 912 is received. In some embodiments, electronic device 202 remains in the unlocked operating state when connection request message 914 is received and it is determined that the included connection request is from authorized electronic device 204. However, if connection request 914 is not received from authorized electronic device 204 for a sufficient amount of time, electronic device 202 can transition to a locked operating state.

As described above, messages exchanged between electronic device 202 and authorized electronic device 204 include various information configured to enable electronic device 202 or authorized electronic device 204 to determine: the nature of the message (announcement message, connection request, etc.), the identity of the device sending the message (e.g., packet header information, information included in the payload of the packet, etc.), details of the communication session, and/or other information about the sender or message. Fig. 11 presents a block diagram that illustrates a packet containing a message in accordance with some embodiments. As can be seen in fig. 11, the packet 1100 includes a header 1102 and a payload 1104. The header 1102 includes information describing the packet, the sending and receiving electronic devices, the communication session, and the like. The payload 1104 includes information based on the message type. For example, payload 1104 may include a message type identifier, device information, information fields, data, and the like. In some embodiments, as described above, a public key is used in the sending electronic device to encrypt the payload 1104 and a private key is used in the receiving electronic device to decrypt the payload 1104. In these embodiments, the public/private keys are negotiated/established between the electronic devices during a preliminary pairing operation.
