

Title:
SYSTEM AND METHOD FOR ACCESS CONTROL AT A STORAGE SYSTEM
Document Type and Number:
WIPO Patent Application WO/2024/074351
Kind Code:
A1
Abstract:
A method of implementing access control at a storage system comprising one or more lockers. The method comprises, at a user access device, using a biometric sensor to capture biometric data for a current user of the user access device, generating user identity verification information using the captured biometric data, and transmitting the user identity verification information to the storage system. The method further comprises, at the storage system, receiving the user identity verification information, using the received user identity verification information together with stored access authorization data to determine if the current user of the user access device is authorized to access a locker of the one or more lockers and, when it is determined that the current user of the user access device is authorised to access a locker, unlocking a locking mechanism of the locker.

Inventors:
ZAMMIT JOSEPH (GB)
Application Number:
PCT/EP2023/076551
Publication Date:
April 11, 2024
Filing Date:
September 26, 2023
Assignee:
OCADO INNOVATION LTD (GB)
International Classes:
G07C9/00
Domestic Patent References:
WO2022081619A12022-04-21
Foreign References:
CN105469508A2016-04-06
US11386389B22022-07-12
Attorney, Agent or Firm:
OCADO GROUP IP DEPARTMENT (GB)
Claims:
CLAIMS

1. A method of implementing access control at a storage system comprising one or more lockers, the method comprises: at a user access device, using a biometric sensor to capture biometric data for a current user of the user access device, generating user identity verification information using the captured biometric data, and transmitting the user identity verification information to the storage system; at the storage system, receiving the user identity verification information, using the received user identity verification information together with stored access authorization data to determine if the current user of the user access device is authorized to access a locker of the one or more lockers and, when it is determined that the current user of the user access device is authorised to access a locker, unlocking a locking mechanism of the locker.

2. The method according to claim 1, wherein the user identity verification information comprises the captured biometric data and the step of using the received user identity verification information together with stored access authorization data to confirm that the current user of the user access device is authorized to access the locker comprises: comparing the captured biometric data received from the user access device with reference biometric data of a user that is currently authorised to access the locker, the stored access authorization data comprising the biometric reference data; and when it is determined that the captured biometric data matches the reference biometric data, authorising access to the locker and unlocking a locking mechanism of the locker.

3. The method according to claim 1, wherein the user identity verification information comprises identity verification credentials and the step of using the received user identity verification information together with stored access authorization data to confirm that a current user of the user access device is currently authorized to access the locker comprises: authenticating the identity verification credentials received from the user access device using authentication data, the stored access authorization data comprising the authentication data; and when it is determined that the identity verification credentials have been authenticated, authorising access to the locker and unlocking a locking mechanism of the locker.

4. The method according to any preceding claim, and further comprising: at the storage system, prior to communicating with the user access device, receiving the access authorization data generated by an operator central server associated with an operator of the storage system, and storing the access authorization data.

5. The method according to claim 4, and further comprising: at the operator central server, generating access authorization data for a delivery to the storage system, transmitting the access authorization data to an operator access device associated with the operator of the storage system, and at the operator access device, storing the access authorization data received from the operator central server and, when in communication range of the storage system, transmitting the access authorization data to the storage system.

6. The method according to claim 5, wherein the communication between the storage system and the operator access device is direct.

7. The method according to any of claims 5 and 6, and further comprising: at the operator central server, prior to generating access authorization data for a delivery, confirming that identity verification has been completed for a user who is the intended recipient of the delivery.

8. The method according to claim 7, wherein the step of confirming that identity verification has been completed for the user comprises: at the operator central server, receiving an indication that identity verification has been completed for the user, and verifying that the indication has been received from an authorized agent of the operator of the storage system.

9. The method according to any of claims 5 to 8, and further comprising: at the operator central server, determining if access to the delivery is restricted to the user and, if so, only generating access authorization data if identity verification has been completed for the user.

10. An access control system, the access control system comprising: (i) a storage system comprising: one or more lockers each comprising an automated locking mechanism, a storage system transceiver; a storage system memory storing access authorization data and computer-executable instructions; and one or more storage system processors in communication with the storage system memory and configured to control each automated locking mechanism, and

(ii) a user access device comprising: a biometric sensor; a user access device transceiver; a user access device memory storing computer-executable instructions; and one or more user access device processors in communication with the user access device memory, wherein the one or more user access device processors are configured to execute the computer-executable instructions to at least: use the biometric sensor to capture biometric data for a [current] user of the user access device, generate user identity verification information using the captured biometric data, and transmit the user identity verification information to the storage system; and wherein the one or more storage system processors are configured to execute the computer-executable instructions to at least: receive the user identity verification information, use the received user identity verification information together with stored access authorization data to determine if the current user of the user access device is authorized to access a locker of the one or more lockers and, when it is determined that the current user of the user access device is authorised to access a locker, unlock a locking mechanism of the locker.

11. The access control system of claim 10, wherein: the one or more user access device processors are configured to execute computer-executable instructions to at least: generate user identity verification information that comprises the captured biometric data; and the one or more storage system processors are configured to execute computer-executable instructions to at least: compare the captured biometric data received from the user access device with reference biometric data of a user that is currently authorised to access the locker, the stored access authorization data comprising the biometric reference data; and when it is determined that the captured biometric data matches the reference biometric data, authorise access to the locker and unlock a locking mechanism of the locker.

12. The access control system of claim 10, wherein: the one or more user access device processors are configured to execute computer-executable instructions to at least: generate user identity verification information that comprises identity verification credentials for the current user; and the one or more storage system processors are configured to execute computer-executable instructions to at least: authenticate the identity verification credentials received from the user access device using authentication data, the stored access authorization data comprising the authentication data; and when it is determined that the identity verification credentials have been authenticated, authorise access to the locker and unlock a locking mechanism of the locker.

13. The access control system according to any one of claims 10 to 12, wherein: the one or more storage system processors are configured to execute computer-executable instructions to at least: prior to communicating with the user access device, receive the access authorization data generated by an operator central server associated with an operator of the storage system, and store the access authorization data.

14. The access control system according to claim 13, and further comprising the operator central server, the operator central server comprising: an operator central server transceiver; an operator central server memory storing computer-executable instructions; and one or more operator central server processors in communication with the operator central server memory; wherein the one or more operator central server processors are configured to execute the computer-executable instructions to at least: generate access authorization data for a delivery to the storage system and communicate the access authorization data to the storage system, and transmit the access authorization data to an operator access device associated with the operator of the storage system.

15. The access control system according to claim 14, wherein: the one or more operator central server processors are configured to execute computer-executable instructions to at least: prior to generating access authorization data, confirm that identity verification has been completed for a user who is the intended recipient of the delivery.

16. The access control system according to claim 15, wherein: the one or more operator central server processors are configured to execute computer-executable instructions to at least: upon receiving an indication that identity verification has been completed for the user, verify that the indication has been received from an authorized agent of the operator of the storage system.

17. The access control system according to any of claims 15 and 16, wherein: the one or more operator central server processors are configured to execute computer-executable instructions to at least: determine if access to the delivery is restricted to the user and, if so, only generate access authorization data if identity verification has been completed for the user.

18. The access control system according to any of claims 14 to 17, wherein: the one or more operator central server processors are configured to execute computer-executable instructions to at least: transmit the access authorization data to an operator access device associated with the operator of the storage system.

19. The access control system according to claim 18, and further comprising the operator access device, the operator access device comprising: an operator access device transceiver; an operator access device memory storing computer-executable instructions; and one or more operator access device processors in communication with the operator access device memory; wherein the one or more operator access device processors are configured to execute the computer-executable instructions to at least: store the access authorization data received from the operator central server and, when in communication range of the storage system, transmit the access authorization data to the storage system.

Description:
SYSTEM AND METHOD FOR ACCESS CONTROL AT A STORAGE SYSTEM

Field of the invention

The invention relates to systems, methods and devices for implementing access control. In particular, the present invention relates to systems, methods and devices for implementing access control for an automated storage system.

Background

It is now common for the delivery of online purchases to be made to automated storage facilities from which the delivered goods can be collected by the purchaser at a time of their choosing. These automated storage facilities, typically referred to as parcel lockers, smart lockers, or pickup stations, often take the form of a locker unit comprising a number of individual lockers of various sizes. Each locker has an automated locking mechanism that is controlled by a computer system that is an integral part of the locker unit. To access the contents of a locker, a user is required to interact with an interface of the computer system in order to provide some input that can be used to confirm the user's authorization to access the locker (i.e. authentication credentials). For example, the user may be required to use a keypad or touch-screen of the computer system to input a password, pin-code or transaction authentication number (TAN) that has been provided by or registered with the operator of the automated storage facility (e.g. a knowledge factor). Alternatively, the operator can send some form of software token, such as a barcode or QR code, to a registered device (e.g. a smart phone or tablet) of the user that can then be presented to a scanner of the computer system by the user (e.g. as a possession factor).

Whilst such automated storage facilities provide convenience for users, by enabling deliveries to be made to any one of a number of locations and without the need for the user to be present for the delivery, there are restrictions on the types of goods that can be delivered to such facilities. In particular, age-restricted items such as alcohol, tobacco, pharmaceuticals etc. cannot usually be delivered to these facilities as they require the recipient to provide proof of age. Delivery of age-restricted items therefore typically requires that a valid photographic ID with a date of birth is presented upon delivery.

One possible approach that could enable age-restricted items to be delivered to and collected from automated storage facilities is to perform age verification remotely using videotelephony. This approach requires a user to contact the operator of the automated storage facility at the time of collection so that an agent of the operator can check the user against a photographic ID during a live video call. The agent of the operator must then remotely trigger the unlocking of the relevant locker if they are satisfied that the user is of an appropriate age. Implementing this approach requires either that the storage facility is provided with built-in video calling equipment or that the user has a mobile device that is capable of video calling. In either case, this approach also requires a network connection that is sufficient to support a video call. This approach is then also only semi-automated, as it requires the operator to employ agents to perform this remote age verification, and consequently introduces a relatively time-consuming step into the collection process.

It is against this background that the present invention has been devised.

Summary of the invention

According to a first aspect, there is provided a method of implementing access control at a storage system comprising one or more lockers. The method comprises, at a user access device, using a biometric sensor to capture biometric data for a current user of the user access device, generating user identity verification information using the captured biometric data, and transmitting the user identity verification information to the storage system. The method further comprises, at the storage system, receiving the user identity verification information, using the received user identity verification information together with stored access authorization data to determine if the current user of the user access device is authorized to access a locker of the one or more lockers and, when it is determined that the current user of the user access device is authorised to access a locker, unlocking a locking mechanism of the locker.

The user identity verification information may comprise the captured biometric data. The step of using the received user identity verification information together with stored access authorization data to confirm that the current user of the user access device is authorized to access the locker may then comprise comparing the captured biometric data received from the user access device with reference biometric data of a user that is currently authorised to access the locker, the stored access authorization data comprising the biometric reference data, and, when it is determined that the captured biometric data matches the reference biometric data, authorising access to the locker and unlocking a locking mechanism of the locker.

The user identity verification information may comprise identity verification credentials. The step of using the received user identity verification information together with stored access authorization data to confirm that a current user of the user access device is currently authorized to access the locker may then comprise authenticating the identity verification credentials received from the user access device using authentication data, the stored access authorization data comprising the authentication data, and, when it is determined that the identity verification credentials have been authenticated, authorising access to the locker and unlocking a locking mechanism of the locker.

The step of generating user identity verification information using the captured biometric data may comprise comparing the captured biometric data with reference biometric data of a registered user that is stored on the user access device, and generating the identity verification credentials for the registered user when it is determined that the captured biometric data matches the reference biometric data.

The method may further comprise: at the user access device, transmitting a user identifier for a registered user of the user access device to the storage system; at the storage system, receiving the user identifier, using the received user identifier to identify a locker of the one or more lockers that the identified user is currently authorised to access and for which the user's access to the identified locker requires user identity verification, and transmitting a request for user identity verification to the user access device; and at the user access device, receiving the request for user identity verification, generating user identity verification information for the current user of the user access device, and transmitting the user identity verification information to the storage system in response to the request.

The step of using the received user identifier to identify a locker of the one or more lockers that the identified user is currently authorised to access and for which the user's access to the identified locker requires user identity verification may comprise using the received user identifier to identify a locker of the one or more lockers that the identified user is currently authorised to access, determining if access to the identified locker requires user identity verification, and, when it is determined that access to the identified locker does require user identity verification, transmitting the request for user identity verification to the smart device.

The method may further comprise, at the storage system, when it is determined that access to the identified locker does not require user identity verification, authenticating the device verification data received from the user access device using authentication data, the stored access authorization data comprising the authentication data, and authorising access to the locker when it is determined that the device verification data received has been authenticated. The method may further comprise, at the user access device, transmitting the device verification data when transmitting the user identifier for a registered user of the user access device to the storage system. Alternatively, the method may further comprise: at the storage system, when it is determined that access to the identified locker does not require user identity verification, sending a request for device verification to the smart device; and at the user access device, receiving the request for device verification and responding by transmitting device verification data to the storage system.

Preferably, the communication between the storage system and the user access device is direct (i.e. does not involve any intermediaries). Preferably, the communication between the storage system and the user access device uses a limited range wireless communication protocol. The communication between the storage system and the user access device may be in accordance with any of Near Field Communication (NFC), Radio-frequency identification (RFID), Ultra-wideband (UWB), Bluetooth®, ISO/IEC 18000, ISO/IEC 15693, and ISO/IEC 14443.

The method may further comprise: at the storage system, transmitting an interrogator signal; and at the user access device, receiving the interrogator signal and using energy provided by the interrogator signal to power the user access device.

The method may further comprise, at the storage system, prior to communicating with the user access device, receiving the access authorization data generated by an operator central server associated with an operator of the storage system, and storing the access authorization data. The method may then further comprise, at the operator central server, generating access authorization data for a delivery to the storage system and communicating the access authorization data to the storage system. The step of communicating the access authorization data to the storage system may comprise, at the operator central server, transmitting the access authorization data to an operator access device associated with the operator of the storage system. The method may then further comprise, at the operator access device, storing the access authorization data received from the operator central server and, when in communication range of the storage system, transmitting the access authorization data to the storage system. Preferably, the communication between the storage system and the operator access device is direct (i.e. does not involve any intermediaries). The method may then further comprise only transmitting the access authorization data to the storage system when in direct communication range of the storage system. Preferably, the communication between the storage system and the operator access device uses a limited range wireless communication protocol. The communication between the storage system and the operator access device may be in accordance with any of Near Field Communication (NFC), Radio-frequency identification (RFID), Ultra-wideband (UWB), Bluetooth®, ISO/IEC 18000, ISO/IEC 15693, and ISO/IEC 14443.

The method may further comprise, at the operator central server, prior to generating access authorization data for a delivery, confirming that identity verification has been completed for a user who is the intended recipient of the delivery. In this regard, implementing age verification (i.e. to enable access to items that are age restricted) implicitly requires verifying the identity of the user. In particular, in order to confirm the age of a user, it will be necessary to match the user against some official form of identification that provides the user's age and/or date of birth. References to identity verification herein therefore implicitly encompass both identity verification and age verification. The method may further comprise, at the operator central server, determining if access to the delivery is restricted to the user and, if so, only generating access authorization data if identity verification has been completed for the user.

The step of confirming that identity verification has been completed for the user may then comprise, at the operator central server, receiving an indication that identity verification has been completed for the user, and verifying that the indication has been received from an authorized agent of the operator of the storage system. The method may further comprise, if it is verified that the indication has been received from an authorized agent, storing the indication at the operator central server. Then, when the operator central server is required to generate access authorization data for a delivery for which the user is the intended recipient, and access to the delivery is restricted to the user, the method may further comprise, at the operator central server, confirming that the indication is stored for the user. The method may further comprise, after verifying that the indication has been received from an authorized agent, implementing the storage of reference biometric data for the user. In particular, the method may comprise only allowing storage of reference biometric data for the user if it has been confirmed that identity verification has been completed for the user. The presence of stored reference biometric data may therefore be taken as the indication that identity verification has been completed for the user. The method may further comprise, at the operator central server, prior to generating access authorization data, communicating with the user access device to enable reference biometric data of the registered user of the user access device to be stored by the access control system.

The method may further comprise, at the operator central server, receiving captured biometric data of the registered user from the user access device, generating reference biometric data using the captured biometric data, and storing the reference biometric data. Alternatively, the method may further comprise, at the operator central server, authorizing storage of reference biometric data by the user access device for the current user. The method may then further comprise, at the user access device, after receiving authorization from the operator central server to store reference biometric data, using the biometric sensor to capture biometric data of the current user, generating reference biometric data using the captured biometric data, and storing the reference biometric data.
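The operator-side gating described in the three preceding paragraphs, as an added example that is not the application's own code: an operator central server that accepts an indication of completed identity verification only when it carries a valid tag from an authorised agent, permits storage of reference biometric data only after that indication is held, and refuses to generate access authorization data for a delivery restricted to the user until then. The HMAC-SHA256 agent tag, the shared per-agent keys, the `Delivery` and `AccessAuthorizationData` record shapes and the per-delivery user key are assumptions made for the example.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass


@dataclass
class Delivery:
    delivery_id: str
    locker_id: str
    recipient_id: str
    age_restricted: bool   # access to the delivery is restricted to the verified recipient


@dataclass
class AccessAuthorizationData:
    """Assumed shape of the access authorization data handed to the storage system."""
    delivery_id: str
    locker_id: str
    user_id: str
    requires_identity_verification: bool
    user_key: bytes        # authentication data for the recipient's identity verification credentials


def agent_sign(agent_key: bytes, user_id: str) -> bytes:
    # Assumed form of the agent's indication: an HMAC over the verified user's identifier.
    return hmac.new(agent_key, b"identity-verified:" + user_id.encode(), hashlib.sha256).digest()


class OperatorCentralServer:
    def __init__(self, agent_keys):
        self.agent_keys = dict(agent_keys)   # agent_id -> key of an authorised agent of the operator
        self.verified_users = set()          # stored indications of completed identity verification
        self.reference_biometrics = {}       # user_id -> reference template, stored only after verification

    def receive_verification_indication(self, agent_id, user_id, tag) -> bool:
        """Store the indication only if it verifiably comes from an authorised agent."""
        key = self.agent_keys.get(agent_id)
        if key is None:
            return False
        if not hmac.compare_digest(agent_sign(key, user_id), tag):
            return False
        self.verified_users.add(user_id)
        return True

    def store_reference_biometric(self, user_id, template) -> bool:
        # Enrolment of reference biometric data is gated on the stored indication.
        if user_id not in self.verified_users:
            return False
        self.reference_biometrics[user_id] = list(template)
        return True

    def generate_access_authorization(self, delivery: Delivery):
        """Return authorization data, or None when a restricted delivery has no verified recipient."""
        if delivery.age_restricted and delivery.recipient_id not in self.verified_users:
            return None
        return AccessAuthorizationData(delivery.delivery_id, delivery.locker_id, delivery.recipient_id,
                                       delivery.age_restricted, os.urandom(32))


def demo() -> dict:
    """Constructed scenario: one restricted and one unrestricted delivery for the same recipient."""
    agent_key = os.urandom(32)
    server = OperatorCentralServer({"agent-1": agent_key})
    restricted = Delivery("d-1", "locker-7", "user-42", True)
    unrestricted = Delivery("d-2", "locker-3", "user-42", False)
    results = {}
    results["before_verification"] = server.generate_access_authorization(restricted) is None
    results["unrestricted_ok"] = server.generate_access_authorization(unrestricted) is not None
    results["forged_indication"] = server.receive_verification_indication("agent-1", "user-42", os.urandom(32))
    results["unknown_agent"] = server.receive_verification_indication(
        "agent-9", "user-42", agent_sign(agent_key, "user-42"))
    results["enrol_before"] = server.store_reference_biometric("user-42", [0.10, 0.40, 0.80])
    results["genuine_indication"] = server.receive_verification_indication(
        "agent-1", "user-42", agent_sign(agent_key, "user-42"))
    results["enrol_after"] = server.store_reference_biometric("user-42", [0.10, 0.40, 0.80])
    auth = server.generate_access_authorization(restricted)
    results["after_verification"] = auth is not None and auth.requires_identity_verification
    return results
```

The two refusals in `demo()` are the ones worth checking in a real deployment: a tag from an agent identifier the server does not hold a key for, and a tag that does not verify under a known agent's key, both leave `verified_users` unchanged, so neither enrolment nor a restricted authorization can proceed.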

The method may further comprise, at the storage system, after authorising access to the locker, storing a last verification time for the authorized user, the last verification time being indicative of a time at which user identity verification was performed for the user, and subsequently re-authorising access to the locker if the user access device attempts to access the locker within a predefined time period after the last verification time.
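The storage-system exchange described above (user identifier, locker lookup, request for identity or device verification, authentication of the response against pre-provisioned authorization data, and re-authorisation within a predefined period after the last verification time), as an added example that is not the application's own code. It assumes that the verification request carries a fresh random challenge, that credentials are HMAC-SHA256 tags over that challenge under keys provisioned as the authentication data, that the biometric match is a toy feature-vector distance check performed on the user access device, and a 300 s re-verification window; none of these specifics is on the page.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

REVERIFY_WINDOW_S = 300     # assumed "predefined time period" after the last verification time
BIOMETRIC_THRESHOLD = 0.15  # assumed match threshold for the toy feature-vector comparison


@dataclass
class AuthorizationRecord:
    """Access authorization data for one delivery, as provisioned by the operator central server."""
    locker_id: str
    user_id: str
    requires_identity_verification: bool   # True for an age-restricted delivery
    user_key: bytes                        # authentication data for identity verification credentials
    device_key: bytes                      # authentication data for device verification data


def _mac(key: bytes, purpose: bytes, nonce: bytes, user_id: str) -> bytes:
    # Domain-separated so device verification data can never pass as an identity credential.
    return hmac.new(key, purpose + nonce + user_id.encode(), hashlib.sha256).digest()


class UserAccessDevice:
    def __init__(self, user_id, reference_template, user_key, device_key):
        self.user_id = user_id
        self.reference_template = reference_template   # stored on the device at enrolment
        self.user_key = user_key
        self.device_key = device_key

    def device_verification_data(self, nonce):
        return _mac(self.device_key, b"device", nonce, self.user_id)

    def identity_verification_credential(self, nonce, captured_template):
        # Issue a credential only if the live capture matches the stored reference (local match).
        distance = max(abs(a - b) for a, b in zip(captured_template, self.reference_template))
        if distance > BIOMETRIC_THRESHOLD:
            return None
        return _mac(self.user_key, b"identity", nonce, self.user_id)


class StorageSystem:
    def __init__(self, records):
        self.records = {r.user_id: r for r in records}
        self.pending = {}             # user_id -> (purpose, nonce) awaiting a response
        self.last_verification = {}   # user_id -> time of the last successful identity verification
        self.unlocked = []            # lockers whose locking mechanism was released

    def receive_user_identifier(self, user_id, now):
        rec = self.records.get(user_id)
        if rec is None:
            return ("deny", None)
        purpose = b"device"
        if rec.requires_identity_verification:
            last = self.last_verification.get(user_id)
            if last is not None and now - last <= REVERIFY_WINDOW_S:
                self.unlocked.append(rec.locker_id)   # re-authorise within the window
                return ("unlock", rec.locker_id)
            purpose = b"identity"
        nonce = os.urandom(16)                        # assumed: the request carries a fresh challenge
        self.pending[user_id] = (purpose, nonce)
        return ("request_%s_verification" % purpose.decode(), nonce)

    def receive_verification(self, user_id, response, now):
        rec = self.records.get(user_id)
        pending = self.pending.pop(user_id, None)     # one response per challenge
        if rec is None or pending is None or response is None:
            return ("deny", None)
        purpose, nonce = pending
        key = rec.user_key if purpose == b"identity" else rec.device_key
        if not hmac.compare_digest(_mac(key, purpose, nonce, user_id), response):
            return ("deny", None)
        if purpose == b"identity":
            self.last_verification[user_id] = now
        self.unlocked.append(rec.locker_id)
        return ("unlock", rec.locker_id)


def run_collection(device, storage, captured_template, now):
    """Drive one collection attempt end to end and return the storage system's decision."""
    action, payload = storage.receive_user_identifier(device.user_id, now)
    if action == "request_identity_verification":
        credential = device.identity_verification_credential(payload, captured_template)
        return storage.receive_verification(device.user_id, credential, now)
    if action == "request_device_verification":
        return storage.receive_verification(device.user_id, device.device_verification_data(payload), now)
    return (action, payload)


def demo() -> dict:
    """Constructed scenario: one age-restricted and one unrestricted delivery for two users."""
    k42, d42, k43, d43 = (os.urandom(32) for _ in range(4))
    alice = UserAccessDevice("user-42", [0.10, 0.40, 0.80], k42, d42)   # constructed template
    bob = UserAccessDevice("user-43", [0.50, 0.50, 0.50], k43, d43)
    storage = StorageSystem([AuthorizationRecord("locker-7", "user-42", True, k42, d42),
                             AuthorizationRecord("locker-3", "user-43", False, k43, d43)])
    t0 = 1_700_000_000.0
    return {
        "genuine": run_collection(alice, storage, [0.12, 0.38, 0.81], t0),
        "within_window": run_collection(alice, storage, [0.90, 0.10, 0.20], t0 + 60),
        "after_window": run_collection(alice, storage, [0.90, 0.10, 0.20], t0 + REVERIFY_WINDOW_S + 1),
        "unrestricted": run_collection(bob, storage, [0.0, 0.0, 0.0], t0),
        "unknown_user": storage.receive_user_identifier("user-99", t0),
    }
```

The `within_window` case is the one to weigh when choosing the predefined time period: inside the window the storage system re-authorises on the user identifier alone, so the capture passed in is never compared, and whoever holds the device is admitted until the window lapses, after which a non-matching capture is refused again. Because the challenge is consumed on the first response, a credential observed on the limited-range link cannot be presented a second time.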

According to a second aspect there is provided a computer program comprising computer program code means adapted to perform any of the steps of the method according to the first aspect. According to a third aspect there is provided a computer program product comprising a computer-readable medium bearing computer program code embodied therein for use with a computer, the computer program code comprising instructions which, when the program is executed by a computer, cause the computer to carry out any of the steps of the method according to the first aspect.

According to a second aspect there is provided an access control system. The access control system comprises

(i) a storage system comprising: one or more lockers each comprising an automated locking mechanism, a storage system transceiver, a storage system memory storing access authorization data and computer-executable instructions, and one or more storage system processors in communication with the storage system memory and configured to control each automated locking mechanism, and

(ii) a user access device comprising: a biometric sensor, a user access device transceiver, a user access device memory storing computer-executable instructions, and one or more user access device processors in communication with the user access device memory.

The one or more user access device processors are configured to execute the computer-executable instructions to at least use the biometric sensor to capture biometric data for a current user of the user access device, generate user identity verification information using the captured biometric data, and transmit the user identity verification information to the storage system. The one or more storage system processors are configured to execute the computer-executable instructions to at least receive the user identity verification information, use the received user identity verification information together with stored access authorization data to determine if the current user of the user access device is authorized to access a locker of the one or more lockers and, when it is determined that the current user of the user access device is authorised to access a locker, unlock a locking mechanism of the locker.

The one or more user access device processors may be configured to execute computer-executable instructions to at least generate user identity verification information that comprises the captured biometric data. The one or more storage system processors may then be configured to execute computer-executable instructions to at least compare the captured biometric data received from the user access device with reference biometric data of a user that is currently authorised to access the locker, the stored access authorization data comprising the biometric reference data, and, when it is determined that the captured biometric data matches the reference biometric data, authorise access to the locker and unlock a locking mechanism of the locker.

The one or more user access device processors may be configured to execute computer-executable instructions to at least generate user identity verification information that comprises identity verification credentials for the current user. The one or more storage system processors may then be configured to execute computer-executable instructions to at least authenticate the identity verification credentials received from the user access device using authentication data, the stored access authorization data comprising the authentication data, and, when it is determined that the identity verification credentials have been authenticated, authorise access to the locker and unlock a locking mechanism of the locker. The one or more user access device processors may be configured to execute further computer-executable instructions to at least compare the captured biometric data with reference biometric data of a registered user that is stored on the user access device, and generate the identity verification credentials for the registered user when it is determined that the captured biometric data matches the reference biometric data.

The one or more user access device processors may be configured to execute further computer-executable instructions to at least transmit a user identifier for a registered user of the user access device to the storage system, receive a request for user identity verification from the storage system, and transmit the user identity verification information to the storage system in response to the request. The one or more storage system processors may then be configured to execute computer-executable instructions to at least receive the user identifier, use the received user identifier to identify a locker of the one or more lockers that the identified user is currently authorised to access and for which the user's access to the identified locker requires user identity verification, and transmit a request for user identity verification to the user access device.

The one or more storage system processors may be configured to execute computer-executable instructions to at least use the received user identifier to identify a locker of the one or more lockers that the identified user is currently authorised to access, determine if access to the identified locker requires user identity verification, and, when it is determined that access to the identified locker does require user identity verification, transmit the request for user identity verification to the user access device.

The one or more storage system processors may be configured to execute computer-executable instructions to at least, when it is determined that access to the identified locker does not require user verification, authenticate the device verification data received from the user access device using authentication data, the stored access authorization data comprising the authentication data, and authorise access to the locker when it is determined that the device verification data received has been authenticated.

The one or more storage system processors may be configured to execute computer-executable instructions to at least, when it is determined that access to the identified locker does not require user verification, send a request for device verification to the user access device. The one or more user access device processors may then be configured to execute further computer-executable instructions to at least receive the request for device verification and respond by transmitting device verification data to the storage system.

The one or more user access device processors may be configured to execute further computer-executable instructions to at least transmit the device verification data when transmitting the user identifier for a registered user of the user access device to the storage system.

Preferably, the storage system and the user access device are configured to communicate directly (i.e. without involving any intermediaries). Preferably, the storage system and the user access device are configured to communicate using a limited range wireless communication protocol. The storage system and the user access device may be configured to communicate in accordance with any of Near Field Communication (NFC), Radio-frequency identification (RFID), Ultra-wideband (UWB), Bluetooth®, ISO/IEC 18000, ISO/IEC 15693, and ISO/IEC 14443.

The user access device may further comprise a transducer that is arranged to convert radio frequency energy received by the user access device into electrical energy that can be used to power the user access device. The one or more storage system processors may then be configured to execute computer-executable instructions to at least transmit an interrogator signal. The one or more user access device processors may then be configured to execute further computer-executable instructions to at least receive the interrogator signal and use the transducer to convert energy provided by the interrogator signal to power the user access device.

The one or more storage system processors may be configured to execute computer-executable instructions to at least, prior to communicating with the user access device, receive the access authorization data generated by an operator central server associated with an operator of the storage system, and store the access authorization data.

The access control system may further comprise an operator central server. The operator central server comprises an operator central server transceiver, an operator central server memory storing computer-executable instructions, and one or more operator central server processors in communication with the operator central server memory. The one or more operator central server processors may be configured to execute the computer-executable instructions to at least generate access authorization data for a delivery to the storage system, communicate the access authorization data to the storage system, and transmit the access authorization data to an operator access device associated with the operator of the storage system.

The one or more operator central server processors may be configured to execute the computer-executable instructions to at least confirm that identity verification has been completed for a user who is the intended recipient of the delivery. The one or more operator central server processors may be configured to execute the computer-executable instructions to at least, upon receiving an indication that identity verification has been completed for the user, verify that the indication has been received from an authorized agent of the operator of the storage system. The one or more operator central server processors may be configured to execute the computer-executable instructions to at least determine if access to the delivery is restricted to the user and, if so, only generate access authorization data if identity verification has been completed for the user.

The one or more operator central server processors may be configured to execute the computer-executable instructions to at least, prior to generating access authorization data, communicate with the user access device to enable reference biometric data of the registered user of the user access device to be stored by the access control system.

The one or more operator central server processors may be configured to execute the computer-executable instructions to at least transmit the access authorization data to an operator access device associated with the operator of the storage system.

The access control system may further comprise an operator access device. The operator access device comprises an operator access device transceiver, an operator access device memory storing computer-executable instructions, and one or more operator access device processors in communication with the operator access device memory. The one or more operator access device processors may be configured to execute the computer-executable instructions to at least store the access authorization data received from the operator central server and, when in communication range of the storage system, transmit the access authorization data to the storage system.

The storage system and the operator access device may be configured to communicate directly (i.e. without involving any intermediaries). The storage system and the operator access device may be configured to communicate using a limited range wireless communication protocol. The storage system and the operator access device may be configured to communicate in accordance with any of Near Field Communication (NFC), Radio-frequency identification (RFID), Ultra-wideband (UWB), Bluetooth®, ISO/IEC 18000, ISO/IEC 15693, and ISO/IEC 14443.

The one or more operator access device processors may be configured to execute computer-executable instructions to at least receive access authorization data for the storage system from an operator central server, store the received access authorization data, and transmit the access authorization data to the storage system.

The access control system may further comprise an operator central server. The operator central server comprises an operator central server transceiver, an operator central server memory storing computer-executable instructions, and one or more operator central server processors in communication with the operator central server memory. The one or more operator central server processors may be configured to execute the computer-executable instructions to at least generate access authorization data for the storage system and transmit the access authorization data to the operator access device.

The one or more storage system processors may be configured to execute computer-executable instructions to at least, after authorising access to the locker, store a last verification time for the authorized user, the last verification time being indicative of a time at which user identity verification was performed for the user, and subsequently re-authorise access to the locker if the user access device attempts to access the locker within a predefined time period after the last verification time.

BRIEF DESCRIPTION OF THE DRAWINGS

These and other aspects of the invention will now be described, by way of example only, and with reference to the accompanying drawings, in which:

Figure 1 is a schematic illustration of an example of an access control system as described herein;

Figure 2 is a flow diagram illustrating an example of a method of implementing access control as described herein;

Figure 3 is a flow diagram illustrating an example of the method in which captured biometric data is sent to a storage system;

Figure 4 is a flow diagram illustrating an example of the method in which captured biometric data is authenticated at a user access device;

Figure 5 is a flow diagram illustrating an example of the method in which access can be authorized without the need to perform identity verification;

Figure 6 is a flow diagram illustrating an example of the method in which access can be authorized using device authentication data;

Figure 7 is a flow diagram illustrating an example of the method in which access can be re-authorized within a predefined time period;

Figure 8 is a flow diagram illustrating an example of the method in which access authorization data is provisioned to the storage system by an operator access device; and

Figure 9 is a flow diagram illustrating an example of the method in which the user access device 120 comprises a passive IC card.

Detailed description

The following embodiments represent preferred examples of how the invention may be practiced, but they are not necessarily the only examples of how this could be achieved. These examples are described in sufficient detail to enable those skilled in the art to practice the invention. Other examples may be utilised and structural changes may be made without departing from the scope of the invention as defined in the appended claims.

Figure 1 is a schematic illustration of an example of an access control system that is suitable for implementing the methods that are described below. As a schematic illustration, Figure 1 only shows the elements and functional entities that are required for understanding the arrangement with other components having been omitted for the sake of simplicity. Consequently, the implementation of the elements and functional entities may vary from that shown in Figure 1. The connections shown in Figure 1 are logical connections, and the actual physical connections may be different. It is apparent to a person skilled in the field that the arrangement may also comprise other functions and structures.

In Figure 1, the access control system 100 is implemented as a combination of computer hardware and software. The access control system 100 comprises a storage system 110 and a user access device 120.

The storage system 110 comprises one or more lockers 111 each comprising an automated locking mechanism 112, a storage system transceiver 113, a storage system memory 114 and one or more storage system processors 115 that are in communication with the automated locking mechanisms 112, the storage system transceiver 113, and the storage system memory 114. The storage system memory 114 stores the various programs/computer-executable instructions that are implemented by the storage system processors 115. The storage system memory 114 also provides a storage unit for any required data such as access authorization data 116 for the storage system etc. The programs/computer-executable instructions stored in the storage system memory 114, and implemented by the storage system processors, include but are not limited to a verification/authentication unit 117 and a locking mechanism controller unit 118. The storage system processors 115 are then configured to execute the programs/computer-executable instructions stored in the storage system memory 114 and in doing so control the automated locking mechanisms 112 and the storage system transceiver 113. The storage system transceiver 113 is then configured to communicate with the user access device 120 wirelessly, using radio frequency (RF) communication protocols. In a preferred implementation, the storage system transceiver 113 is configured to communicate directly with the user access device 120 (i.e. without involving any intermediaries).

The user access device 120 comprises a biometric sensor 121, a power unit 122, a user access device transceiver 123, a user access device memory 124 and one or more user access device processors 125 that are in communication with the biometric sensor 121, the user access device transceiver 123 and the user access device memory 124. The biometric sensor 121 is configured to capture biometric data for a current user of the user access device 120 (i.e. a user that is currently holding/in possession of the user access device 120). The user access device memory 124 stores the various programs/computer-executable instructions that are implemented by the user access device processors 125. The user access device memory 124 also provides a storage unit for any required data such as device data 126 that comprises a device identifier and any device authentication data, user data 127 that comprises a user identifier for a registered user associated with the user access device 120, and user verification data 128 including either reference biometric data or credential generation data for the registered user etc. The programs/computer-executable instructions stored in the user access device memory 124, and implemented by the user access device processors 125, include a verification generation unit 129. The user access device processors 125 are then configured to execute the programs/computer-executable instructions stored in the user access device memory 124 and in doing so control the biometric sensor 121 and the user access device transceiver 123. The user access device transceiver 123 is then configured to communicate with the storage system 110 wirelessly, using radio frequency (RF) communication protocols. In a preferred implementation, the user access device transceiver 123 is configured to communicate directly with the storage system 110 (i.e. without involving any intermediaries).

As will be described in more detail below, the user access device 120 may be configured as an active device such that the power unit 122 comprises an integral power source, such as battery. Alternatively, the user access device 120 may be configured as a passive device such that the power unit 122 comprises a transducer or coupler that is arranged to convert RF energy received by user access device 120 into electrical energy that can be used to power the user access device 120.

In order to deposit items into the storage system 110, an operator of the storage system 110 will want to allow agents of the operator to access each locker 111. To do so, the access control system 100 may further comprise an operator access device 130 that is configured to communicate with the storage system 110 in order to obtain authorised access to each locker 111 and thereby allow an agent of the operator to deposit content therein. The operator access device 130 may also be configured to provision the storage system 110 with the access authorization data for each locker 111. Such an operator access device 130 may comprise an operator access device transceiver 131, an operator access device memory 132 and one or more operator access device processors 133 that are in communication with the operator access device transceiver 131 and the operator access device memory 132. The operator access device memory 132 stores the various programs/computer-executable instructions that are implemented by the operator access device processors 133. The operator access device memory 132 also provides a storage unit for any required data such as access authorization data 134 that is to be provisioned to the storage system 110, operator verification data 135 that is configured to verify that the operator access device 130 is authorised to access and provision data to the storage system 110 etc. The programs/computer-executable instructions stored in the operator access device memory 132, and implemented by the operator access device processors 133, include a verification-authentication unit 117 and a locking mechanism controller unit 118. The operator access device processors 133 are then configured to execute the programs/computer-executable instructions stored in the operator access device memory 132 and in doing so control the operator access device transceiver 131. The operator access device transceiver 131 is then configured to communicate with the storage system 110.
As will be described in more detail below, the operator access device 130 may be either a portable device, such as smart phone, or a stationary device that is fixed in a particular location.

The access control system 100 may then further comprise an operator central server 140 that is configured to store data associated with each registered user of the storage system 110 and the deliveries that are to be made to the storage system 110. From this information, the operator central server 140 can generate the access authorization data for the storage system 110 and communicate the access authorization data to the storage system 110. Such an operator central server 140 may comprise an operator central server transceiver 141, an operator central server memory 142 and one or more operator central server processors 143 that are in communication with the operator central server transceiver 141 and the operator central server memory 142. The operator central server memory 142 stores the various programs/computer-executable instructions that are implemented by the operator central server processors 143. The operator central server memory 142 also provides a storage unit for any required data such as registered user data 144 that comprises information associated with each registered user of the access control system 100, planned delivery data 145 that comprises information relating to any deliveries that are to be made to the storage system 110 etc. The programs/computer-executable instructions stored in the operator central server memory 142, and implemented by the operator central server processors 143, include an access controller unit 146 that is configured to use the registered user data 144 and the planned delivery data 145 to generate access authorization data for the storage system 110. The operator central server processors are then configured to execute the programs/computer-executable instructions stored in the operator central server memory and in doing so control the operator central server transceiver.
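The following Python is an added example, not code from the application or from the assignee, of one way the provisioning path just described can be made tamper-evident when access authorization data travels from the operator central server 140 through an operator access device 130 to the storage system 110. The access controller unit applies the rule from the summary that a restricted delivery only receives access authorization data once identity verification has been completed for the recipient, seals the data with a key shared only between the central server and the storage system, and the storage system rejects any bundle whose authentication tag or sequence number does not check out, so a compromised, stale or replayed operator device cannot inject or re-present authorizations. The record layout, the shared-key design, the sequence-number rule, and all identifiers and key values are assumptions for illustration.

```python
import hashlib
import hmac
import json

# Constructed sample data (assumptions, not from the application): a key shared by
# the operator central server 140 and the storage system 110 but never given to the
# operator access device 130, plus registered user data 144 and planned delivery
# data 145 for one drop at the storage system.
STORAGE_SYSTEM_KEY = bytes.fromhex(
    "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f"
)
REGISTERED_USERS = {
    "user-1": {"device": "UAD-0001", "identity_verified": True},
    "user-2": {"device": "UAD-0002", "identity_verified": False},
}
PLANNED_DELIVERIES = [
    {"recipient": "user-1", "locker": 1, "restricted": True},   # e.g. age-restricted items
    {"recipient": "user-1", "locker": 2, "restricted": False},  # rest of the same order
    {"recipient": "user-2", "locker": 3, "restricted": True},   # recipient not yet verified
    {"recipient": "user-2", "locker": 4, "restricted": False},
]


def generate_access_authorization(deliveries, registered_users):
    """Access controller unit 146: one record per locker. A restricted delivery only
    gets a record once identity verification has been completed for its recipient,
    and each record says whether opening that locker needs identity verification."""
    records = {}
    for d in deliveries:
        user = registered_users.get(d["recipient"])
        if user is None:
            continue
        if d["restricted"] and not user["identity_verified"]:
            continue  # no access authorization data is generated for this locker
        records[str(d["locker"])] = {
            "user": d["recipient"],
            "device": user["device"],
            "requires_identity_verification": d["restricted"],
        }
    return records


def seal_bundle(records, seq, key):
    """Central server: canonical JSON plus an HMAC over it. The sequence number lets
    the storage system refuse an older bundle that an operator device presents again."""
    body = json.dumps({"seq": seq, "lockers": records}, sort_keys=True,
                      separators=(",", ":")).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


class OperatorAccessDevice:
    """Holds bundles as access authorization data 134 and forwards them when in range
    of the storage system. It has no key, so it can relay but not alter or mint them."""

    def __init__(self):
        self.stored = []

    def receive(self, bundle):
        self.stored.append(bundle)

    def provision(self, storage_system):
        return [storage_system.accept(b) for b in self.stored]


class StorageSystemProvisioning:
    """Storage system side: verify origin and freshness before storing data 116."""

    def __init__(self, key):
        self.key = key
        self.highest_seq = -1
        self.access_authorization = {}  # locker number -> record

    def accept(self, bundle):
        expected = hmac.new(self.key, bundle["body"], hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, bundle["tag"]):
            return False  # altered in transit, or not produced by the central server
        payload = json.loads(bundle["body"])
        if payload["seq"] <= self.highest_seq:
            return False  # stale or replayed bundle
        self.highest_seq = payload["seq"]
        self.access_authorization = {int(k): v for k, v in payload["lockers"].items()}
        return True


if __name__ == "__main__":
    records = generate_access_authorization(PLANNED_DELIVERIES, REGISTERED_USERS)
    device = OperatorAccessDevice()
    device.receive(seal_bundle(records, 1, STORAGE_SYSTEM_KEY))
    storage = StorageSystemProvisioning(STORAGE_SYSTEM_KEY)
    print(device.provision(storage), sorted(storage.access_authorization))
```

Locker 3 never appears in the provisioned data because its recipient has not completed identity verification, which is exactly the condition the summary places on restricted deliveries; the operator device carries the bundle unchanged and cannot add that locker back, and re-presenting the first bundle after a newer one has been accepted is refused.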

Figure 2 is a flow diagram illustrating one example of a method 200 of implementing access control at a storage system 110 comprising one or more lockers 111. At step 210, a user access device 120 uses a biometric sensor 121 to capture biometric data for a current user of the user access device 120, generates user identity verification information using the captured biometric data, and sends the user identity verification information to the storage system 110. At step 220, the storage system 110 receives the user identity verification information from the user access device 120 and uses the received user identity verification information together with stored access authorization data 116 to determine if the current user of the user access device 120 is currently authorized to access a locker of the one or more lockers 111. When the storage system 110 determines that the current user of the user access device 120 is authorised to access the locker 111, then the method proceeds to step 230 and the storage system 110 unlocks a locking mechanism 112 of the locker 111. When the storage system 110 determines that the current user of the user access device 120 is not authorised to access the locker 111, then the method proceeds to step 240 and the storage system 110 keeps the locking mechanism 112 of the locker 111 locked. The method may then proceed on to further steps, some examples of which will be described below.

The process of determining if the current user of the user access device 120 is currently authorized to access a locker of the one or more lockers 111 can be implemented in a number of different ways. Figure 3 and 4 are therefore flow diagrams illustrating two example methods 300, 400 of implementing this process.

In the method illustrated in Figure 3, the biometric data captured by the biometric sensor 121 for the current user of the user access device 120 is sent to the storage system 110. The storage system 110 is configured to store access authorization data 116 that comprises reference biometric data for any users that are currently authorised to access the lockers 111 of the storage system 110. Then, upon receiving captured biometric data from the user access device 120, the storage system 110 compares the captured biometric data received from the user access device 120 with reference biometric data of any user that is currently authorised to access the locker 111.

Consequently, at step 310, the user access device 120 generates user identity verification information that comprises the biometric data captured by the biometric sensor 121 for the current user of the user access device 120 and sends the captured biometric data to the storage system 110. At step 320, the storage system 110 uses the captured biometric data received from the user access device 120 together with reference biometric data stored as part of the access authorization data 116 to determine if the current user of the user access device 120 is currently authorized to access a locker of the one or more lockers 111. When the storage system 110 determines that the current user of the user access device 120 is authorised to access the locker 111, then the method proceeds to step 330 and the storage system 110 unlocks a locking mechanism 112 of the locker 111. When the storage system 110 determines that the current user of the user access device 120 is not authorised to access the locker 111, then the method proceeds to step 340 and the storage system 110 keeps the locking mechanism 112 of the locker 111 locked. The method may then proceed on to further steps, some examples of which will be described below.

In the method illustrated in Figure 4, rather than sending the captured biometric data to the storage system 110, the user access device 120 is configured to perform on-device biometric identity verification. To do so, the user access device 120 is configured to store reference biometric data (e.g. as part of the user verification data 128) for a verified user of the user access device 120 (i.e. any registered user whose identity has been verified by the operator of the access control system 100) and to compare the biometric data captured by the biometric sensor 121 for the current user of the user access device 120 with this reference biometric data in order to verify the identity of the current user. Then, when the user access device 120 confirms that the current user is a verified user, the user access device 120 generates and sends identity verification credentials to the storage system 110. This approach provides that an encoded form of the user's biometric data (i.e. the reference biometric data) is only stored on the user access device 120, and does not need to be stored on a separate server of the operator nor transferred across additional infrastructure to the storage system 110, which may be preferable for a privacy conscious user.

Consequently, at step 410 the user access device 120 captures biometric data for the current user of the user access device 120. At step 420, the user access device 120 uses the captured biometric data together with reference biometric data stored on the user access device 120 to determine if the current user of the user access device 120 is a verified user. When the user access device 120 determines that the current user of the user access device 120 is a verified user, then the method proceeds to step 430 and the user access device 120 generates identity verification credentials and sends these to the storage system 110. When the user access device 120 determines that the current user of the user access device 120 is not a verified user, then the method proceeds to step 440 and the user access device 120 does not generate and send the identity verification credentials. The method may then proceed on to further steps, some examples of which will be described below.

At step 440, the storage system 110 authenticates the identity verification credentials received from the user access device 120 using authentication data stored as part of the access authorization data 116 and determines if the current user of the user access device 120 is currently authorized to access a locker of the one or more lockers 111. When the storage system 110 determines that the current user of the user access device 120 is authorised to access the locker 111, then the method proceeds to step 450 and the storage system 110 unlocks a locking mechanism 112 of the locker 111. When the storage system 110 determines that the current user of the user access device 120 is not authorised to access the locker 111, then the method proceeds to step 460 and the storage system 110 keeps the locking mechanism 112 of the locker 111 locked. The method may then proceed on to further steps, some examples of which will be described below.

In the method of Figure 4, the identity verification credentials are configured to enable the storage system 110 to authenticate these credentials (i.e. to confirm the origin and integrity of the data). As a result, and given that the user access device 120 is configured to only send the identity verification credentials if the current user has had their identity biometrically verified, the storage system 110 can rely on the authentication of the identity verification credentials to verify the user's identity. By way of example, the authentication of the identity verification credentials can be implemented using encryption and/or certification techniques. Specifically, the identity verification credentials could comprise one or more of operator, device and user specific data that is encrypted and/or certified using a shared secret key or a private key. The access authorization data 116 stored by the storage system 110 would then comprise authentication data such as the shared secret or a corresponding public key that can be used to authenticate the identity verification credentials.

In the methods described above, the step in which the storage system 110 uses the user identity verification information received from the user access device 120 to determine if the current user of the user access device 120 is currently authorized to access a locker 111 can be implemented in a number of different ways. In one possible implementation, the user access device 120 can send to the storage system 110 a user identifier for a registered user that is associated with the user access device 120. The storage system 110 can then use the received user identifier to identify a locker 111 that the identified user is currently authorized to access. To do so, the access authorization data 116 stored by the storage system 110 would include, for each locker 111, the user identifier for each user that is currently authorized to access the locker 111, and the storage system 110 would then perform a lookup in the access authorization data 116 using the received user identifier.

By way of example, the user access device 120 could be configured to send an access request to the storage system 110, the access request comprising a user identifier for a registered user that is associated with the user access device 120 together with the user identity verification information for the current user. Upon receiving the access request, the storage system 110 could then perform a lookup in the access authorization data 116 to identify a locker 111 that the identified user is authorized to access and then use the accompanying user identity verification data to determine if the current user of the user access device 120 is the authorized user (i.e. to determine if the current user is the registered user of the user access device 120). This implementation could minimise the number of messages that are sent between the user access device 120 and the storage system 110, but would require that the user identity verification data is generated before the storage system 110 has confirmed that this data is required.

Alternatively, the user access device 120 could be configured to send an access request to the storage system 110, the access request comprising a user identifier for a registered user that is associated with the user access device 120 and without the user identity verification information. Upon receiving the access request, the storage system 110 could then perform a lookup in the access authorization data 116 to identify a locker 111 that the identified user (i.e. the registered user of the user access device 120) is authorized to access, and then explicitly request that the user access device 120 provide identity verification. Only upon receiving a user identity verification request from the storage system 110 would the user access device 120 then respond with the user identity verification information. This implementation could result in an increased number of messages being sent between the user access device 120 and the storage system 110, but would provide that the user identity verification data is only generated when required. This approach would also provide for the inclusion of dynamic elements in the response from the user access device 120. For example, the storage system 110 could be configured to include some dynamic data in the user identity verification request that can be then used by the user access device 120 to generate a unique response to each request, thereby improving the security of the process.
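As an added worked example, and not code from the application or from the assignee, the following Python models the credential authentication described for Figure 4 together with the challenge-response variant just described: the user access device only generates identity verification credentials once its on-device biometric comparison has passed, binds operator, device and user specific data to the dynamic data supplied by the storage system with an HMAC under a shared secret key, and the storage system authenticates the credentials against the authentication data held in its access authorization data. The on-device biometric result is represented by a boolean, and all identifiers, the key value, the message layout and the single-use challenge handling are assumptions for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample values (assumptions, not from the application): one operator,
# one registered user and one user access device that shares a 256-bit secret with
# the storage system. The shared secret is the "authentication data" held within
# access authorization data 116; only the device and the storage system know it.
OPERATOR_ID = b"operator-example"
DEVICE_ID = b"UAD-0001"
USER_ID = b"user-1"
DEVICE_KEY = bytes.fromhex(
    "2b7e151628aed2a6abf7158809cf4f3c2b7e151628aed2a6abf7158809cf4f3c"
)


def credential_message(operator_id, device_id, user_id, challenge):
    """Canonical byte string that the MAC covers. Length prefixes prevent two
    different field splits from producing the same bytes (e.g. 'ab'|'c' vs 'a'|'bc')."""
    parts = [operator_id, device_id, user_id, challenge]
    return b"".join(len(p).to_bytes(2, "big") + p for p in parts)


def make_identity_credentials(key, operator_id, device_id, user_id, challenge,
                              biometric_match):
    """User access device (Figure 4): the verification generation unit only emits
    credentials when the captured biometric data matched the reference biometric
    data held on the device. The storage system's challenge is bound in, so a
    credential captured over the air cannot be replayed against a later request."""
    if not biometric_match:
        return None  # no credentials are generated for an unverified current user
    tag = hmac.new(key, credential_message(operator_id, device_id, user_id, challenge),
                   hashlib.sha256).digest()
    return {"operator": operator_id, "device": device_id, "user": user_id,
            "challenge": challenge, "tag": tag}


class StorageSystem:
    """Storage system 110. access_authorization maps a user identifier to the locker
    that user may currently open, the device registered to that user, and the shared
    secret used to authenticate that device's identity verification credentials."""

    def __init__(self, operator_id, access_authorization):
        self.operator_id = operator_id
        self.access_authorization = access_authorization
        self.pending = {}  # device_id -> outstanding single-use challenge

    def handle_access_request(self, user_id, device_id):
        """Access request carrying only the user identifier: look the user up in the
        access authorization data and, if a locker is found, reply with a request for
        identity verification that carries fresh dynamic data (the challenge)."""
        entry = self.access_authorization.get(user_id)
        if entry is None or entry["device"] != device_id:
            return None  # no locker for this user, or device not registered to them
        challenge = secrets.token_bytes(16)
        self.pending[device_id] = challenge
        return challenge

    def authenticate_credentials(self, cred):
        """Return the locker to unlock, or None to keep everything locked."""
        if cred is None:
            return None
        # Pop the challenge so each one can be answered at most once.
        challenge = self.pending.pop(cred["device"], None)
        entry = self.access_authorization.get(cred["user"])
        if challenge is None or entry is None or entry["device"] != cred["device"]:
            return None
        if cred["operator"] != self.operator_id or cred["challenge"] != challenge:
            return None
        expected = hmac.new(entry["key"],
                            credential_message(cred["operator"], cred["device"],
                                               cred["user"], cred["challenge"]),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, cred["tag"]):
            return None
        return entry["locker"]


def example_exchange():
    """One full exchange: request, challenge, credentials, unlock decision, replay."""
    storage = StorageSystem(OPERATOR_ID, {
        USER_ID: {"locker": 7, "device": DEVICE_ID, "key": DEVICE_KEY},
    })
    challenge = storage.handle_access_request(USER_ID, DEVICE_ID)
    cred = make_identity_credentials(DEVICE_KEY, OPERATOR_ID, DEVICE_ID, USER_ID,
                                     challenge, biometric_match=True)
    first = storage.authenticate_credentials(cred)   # locker 7 unlocks
    replay = storage.authenticate_credentials(cred)  # same credentials again: locked
    return first, replay


if __name__ == "__main__":
    print(example_exchange())
```

Because the challenge is consumed on first use and the MAC covers it, a credential recorded from one exchange is useless in the next, which is the security gain the text attributes to including dynamic data in the request. A public-key variant would replace the HMAC with a signature under the device's private key and hold the corresponding public key in the access authorization data, as the text also allows.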

In an alternative implementation of the above described method, the access control system 100 could be configured to allow an authorised user to access a locker 111 of the storage system 110 without the need to perform identity verification. For example, this would be useful if the storage system 110 were used to provide unattended collection for both restricted and unrestricted items. In this regard, restricted items could be items whose distribution is restricted by law, such as age-restricted items or items for which the end purchaser must be identifiable, and/or items for which the operator of the storage system and/or the supplier of the items has chosen to restrict their distribution, as may be the case with high value items. To access a locker 111 that currently contains restricted items, the access control system 100 would require biometric user identity verification of the current user of the user access device 120. In contrast, to access a locker 111 that currently only contains unrestricted items, the access control system 100 would only require authentication of the user access device 120 as being that associated with a registered user who is currently authorized to access the locker 111, without being required to perform biometric user identity verification of the current user of the user access device 120.

Such an implementation would improve user convenience by only requiring direct physical interaction with the user access device 120 when accessing restricted items (i.e. in order to perform biometric identity verification), whilst allowing users to access unrestricted items based merely on the presence of an appropriate user access device 120 (i.e. a user access device 120 associated with a registered user who is authorised to access the items) within range of the storage system 110. Such an implementation would then also allow the operator of the storage system 110 to split a single delivery (e.g. intended for a single recipient) comprising both restricted items and unrestricted items between separate lockers 111, with restricted items stored separately from unrestricted items. Doing so would then allow users to access the unrestricted items even in the absence of biometric identity verification.

To illustrate such an alternative implementation, Figure 5 is a flow diagram showing a further example of an access control method 500. At step 510, the user access device 120 sends an access request comprising a user identifier for a registered user of the user access device 120 to the storage system 110. At step 520, the storage system 110 uses the received user identifier to identify a locker 111 that the identified user is currently authorized to access. At step 530, the storage system 110 determines if access to the identified locker 111 requires user identity verification. For example, this step may involve processing the access authorization data 116 to determine if it includes any of (i) a distinct indicator that explicitly indicates whether access to the locker requires user identity verification, (ii) reference biometric data of a user that is currently authorised to access the locker, and (iii) authentication data for a user that is currently authorised to access the locker.

When the storage system 110 determines that access to the identified locker 111 does require user identity verification, then the method proceeds to step 540 and the storage system 110 sends a request for user identity verification to the user access device 120. The method may then proceed according to the process outlined above for any of Figures 2, 3 or 4, wherein the user access device 120 responds with user identity verification data for the current user of the user access device 120.

When the storage system 110 determines that access to the identified locker does not require user identity verification, then the method proceeds to step 550 and the storage system 110 sends a request for device authentication to the user access device 120. At step 560, the user access device 120 receives the request for device authentication from the storage system 110 and in response generates and sends device authentication data to the storage system 110. At step 570, the storage system 110 authenticates the device authentication data using authentication data stored as part of the access authorization data 116 and thereby determines if the registered user of the user access device 120 is currently authorized to access the identified locker 111.

When the storage system 110 determines that the registered user of the user access device 120 is currently authorized to access the identified locker 111, then the method proceeds to step 580 and the storage system 110 unlocks a locking mechanism 112 of the locker 111. When the storage system 110 determines that the registered user of the user access device 120 is not authorised to access the locker 111, then the method proceeds to step 590 and the storage system 110 keeps the locking mechanism 112 of the locker 111 locked.

Figure 6 is a flow diagram showing a yet further example of an access control method 600. At step 610, the user access device 120 generates device authentication data and sends an access request to the storage system 110 that comprises both the device authentication data and a user identifier for the registered user of the user access device 120. At step 620, the storage system 110 uses the received user identifier to identify a locker 111 that the identified user is currently authorized to access. At step 630, the storage system 110 determines if access to the identified locker 111 requires user identity verification.

When the storage system 110 determines that access to the identified locker 111 does require user identity verification, then the method proceeds to step 640 and the storage system 110 sends a request for user identity verification to the user access device 120. The method may then proceed according to the process outlined above for any of Figures 2, 3 or 4, wherein the user access device 120 responds with user identity verification data for the current user of the user access device 120.

When the storage system 110 determines that access to the identified locker 111 does not require user identity verification, then the method proceeds to step 650 and the storage system 110 authenticates the device authentication data, received in the access request from the user access device 120, using authentication data stored as part of the access authorization data 116 and thereby determines if the registered user of the user access device 120 is currently authorized to access the identified locker 111. When the storage system 110 determines that the registered user of the user access device 120 is currently authorized to access the identified locker 111, then the method proceeds to step 670 and the storage system 110 unlocks a locking mechanism 112 of the locker 111. When the storage system 110 determines that the registered user of the user access device 120 is not authorised to access the locker 111, then the method proceeds to step 680 and the storage system 110 keeps the locking mechanism 112 of the locker 111 locked.

In the method of Figures 5 and 6, the device authentication data is configured to enable the storage system 110 to authenticate the data received from user access device 120 (i.e. to confirm the origin and integrity of the data). As a result, the storage system 110 can rely on the authentication of the device authentication data to verify that the user access device 120 is legitimately associated with a registered user of the storage system 110 (i.e. is not being spoofed). By way of example, the authentication of the device authentication data can be implemented using encryption and/or certification techniques. Specifically, the device authentication data could comprise one or more of operator, device and user specific data that is encrypted and/or certified using a shared secret key or a private key. The access authorization data stored by the storage system would then comprise authentication data such as the shared secret key or a corresponding public key that can be used to authenticate the device authentication data.

In an optional implementation of the above described methods, the access control system 100 may be configured to allow a user access device 120 to access a locker 111 without performing user identity verification if user identity verification has previously been performed within a predefined time period. By way of example, the storage system 110 could be configured to store a last verification time for a user, the last verification time being indicative of the last time at which user identity verification was performed for the user. Then, if the storage system 110 subsequently receives an access request for the same user, the storage system 110 determines if the time that has elapsed since the last verification time exceeds this predefined time period (i.e. a verification duration limit). If the elapsed time has exceeded the verification duration limit, then the storage system 110 determines that user identity verification is required and sends a request for user identity verification to the user access device 120. However, if the elapsed time has not exceeded the verification duration limit, then the storage system 110 authorises access without performing user identity verification. To illustrate such an optional implementation, Figure 7 is a flow diagram showing another example of an access control method 700. At step 710, a user access device 120 sends an access request to the storage system 110, the access request comprising a user identifier for a registered user of the user access device 120. At step 720, the storage system 110 receives the access request and determines if a last verification time is stored for the identified user. When no last verification time is stored for the identified user, then the method proceeds to step 730 and the storage system 110 sends a request for user identity verification to the user access device 120. The method may then proceed according to the process outlined above for any of Figures 2, 3 or 4, wherein the user access device 120 responds with user identity verification data for the current user of the user access device 120.

When a last verification time is stored for the identified user, then the method proceeds to step 740 and the storage system 110 determines if the time that has elapsed since the last verification time exceeds a verification duration limit. When the elapsed time has exceeded the verification duration limit, then the method proceeds to step 730 and the storage system 110 determines that user identity verification is required and sends a request for user identity verification to the user access device 120. When the elapsed time has not exceeded the verification duration limit, then the method proceeds to step 750 and the storage system 110 authorises access without performing user identity verification. For example, if the storage system 110 has already performed authentication of the user access device 120, and thereby confirmed that the identified user is a registered user, then the storage system 110 can immediately unlock the locker 111. Alternatively, if the storage system 110 has not yet performed authentication of the user access device 120, then the storage system 110 may proceed to authenticate the user access device 120 in order to authorise access.
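The storage-system side of the decisions in Figures 5 to 7, as an added worked example that is not code from this application. It combines the per-locker "is identity verification required" check (steps 530/630), device authentication (steps 570/650) and the verification duration limit of Figure 7; the assumed scheme for the device authentication data is an HMAC-SHA256 tag over operator, device and user specific data keyed with the shared secret held in the access authorization data, and the record layout, key and limit values are constructed for the example.

```python
"""Storage system access decision (Figures 5, 6 and 7). Added illustration; the
MAC-based device authentication scheme and the data layout are assumptions."""
import hashlib
import hmac
import time
from dataclasses import dataclass, field
from typing import Optional

REQUEST_IDENTITY_VERIFICATION = "REQUEST_IDENTITY_VERIFICATION"  # steps 540/640/730
UNLOCK = "UNLOCK"                                                # steps 580/670
KEEP_LOCKED = "KEEP_LOCKED"                                      # steps 590/680
NO_LOCKER = "NO_LOCKER"                                          # no locker for this user


@dataclass
class LockerAuthorization:
    """One entry of the access authorization data 116 held locally by the storage system."""
    locker_id: str
    user_id: str
    device_key: bytes                                # shared secret for device authentication (assumed)
    requires_identity_verification: bool = False     # (i) distinct indicator
    reference_biometric: Optional[bytes] = None      # (ii) reference biometric data
    identity_auth_key: Optional[bytes] = None        # (iii) authentication data for identity credentials

    def needs_identity_verification(self) -> bool:
        # Step 530/630: any of (i), (ii) or (iii) means the locker holds restricted items.
        return (self.requires_identity_verification
                or self.reference_biometric is not None
                or self.identity_auth_key is not None)


def make_device_auth_data(device_key: bytes, operator_id: str, device_id: str, user_id: str) -> bytes:
    """User access device side: certify operator/device/user specific data with the shared key."""
    message = f"{operator_id}|{device_id}|{user_id}".encode()
    return hmac.new(device_key, message, hashlib.sha256).digest()


@dataclass
class StorageSystem:
    access_authorization: list = field(default_factory=list)
    verification_duration_limit: float = 15 * 60                  # seconds; constructed value
    last_verification_time: dict = field(default_factory=dict)    # user_id -> epoch seconds
    operator_id: str = "operator-example"                         # constructed value

    def find_locker(self, user_id: str) -> Optional[LockerAuthorization]:
        """Step 520/620: locker the identified user is currently authorized to access."""
        for entry in self.access_authorization:
            if entry.user_id == user_id:
                return entry
        return None

    def authenticate_device(self, entry, device_id, user_id, device_auth_data) -> bool:
        """Step 570/650: recompute the tag with the stored key; constant-time compare."""
        expected = make_device_auth_data(entry.device_key, self.operator_id, device_id, user_id)
        return hmac.compare_digest(expected, device_auth_data)

    def record_identity_verified(self, user_id: str, now: float) -> None:
        """Called once a Figure 2/3/4 identity verification has succeeded for the user."""
        self.last_verification_time[user_id] = now

    def handle_access_request(self, user_id, device_id, device_auth_data, now=None) -> str:
        """Figure 6 request (device auth data sent up front) with the Figure 7 time exception."""
        now = time.time() if now is None else now
        entry = self.find_locker(user_id)
        if entry is None:
            return NO_LOCKER
        last = self.last_verification_time.get(user_id)
        recently_verified = last is not None and (now - last) <= self.verification_duration_limit
        if entry.needs_identity_verification() and not recently_verified:
            return REQUEST_IDENTITY_VERIFICATION
        if self.authenticate_device(entry, device_id, user_id, device_auth_data):
            return UNLOCK
        return KEEP_LOCKED


if __name__ == "__main__":
    key = b"shared-secret-example"   # constructed
    system = StorageSystem(access_authorization=[
        LockerAuthorization("L1", "alice", key, requires_identity_verification=True),
        LockerAuthorization("L2", "bob", key),
    ])
    tag = make_device_auth_data(key, "operator-example", "dev-1", "alice")
    print(system.handle_access_request("alice", "dev-1", tag, now=1000.0))
```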

In an alternative example, the user access device 120 could be configured to store a last verification time for a user of the user access device 120. Then, when the user access device 120 subsequently sends an access request for the same user, the user access device 120 includes the last verification time in the access request. The storage system 110 can then use the last verification time received from the user access device 120 to determine if the time that has elapsed since the last verification time exceeds a predefined time period (i.e. a verification duration limit). If the elapsed time has exceeded the verification duration limit, then the storage system 110 determines that user identity verification is required and sends a request for user identity verification to the user access device 120. However, if the elapsed time has not exceeded the verification duration limit, then the storage system 110 authorises access without performing user identity verification. Storing the last verification time on the user access device 120 provides that this can then be used with any individual storage system 110, and not just a previously accessed storage system, without the need for communication between the separate storage systems. In addition, where the access control system 100 is configured such that identity verification is performed on the user access device 120 (i.e. using reference biometric data stored on the user access device), then storing the last verification time on the user access device 120 could enable the user to perform identity verification prior to being within range of a storage system 110. This would allow a user to be completely hands-free when accessing a storage system 110. In this case the user access device may keep separate records of the last verification times for those verifications that have been performed within range of a storage system 110 and those performed outside of the range of a storage system 110, to allow operators to configure their storage systems 110 with alternative access control logic depending on the use case.

In order to ensure that access control is implemented using reference biometric data whose origin and integrity has been confirmed by the operator of the storage system 110, the identity of a user should be verified by the operator of the storage system 110 prior to enabling the user access device 120 to be used for accessing restricted content. This could be achieved by requiring that a user visit an agent of the operator, participate in a remote video call with an agent of the operator, or that the user receive an in-person delivery from an agent of the operator, such that the agent of the operator can perform live identity and/or age verification using photo identification of the user, before allowing reference biometric data of the verified user to be stored by the access control system 100 (e.g. on the user access device 120 or in a central server 140 of the operator). The operator can therefore ensure that the reference biometric data used to perform biometric identity verification belongs to an individual for whom the operator has performed identity and/or age verification.

In a preferred configuration, when an authorized agent of the operator has verified the identity of a user (and, if required, verified the age of the identified user) this is recorded in the operator central server 140 such that the operator central server 140 can authorize the user to access restricted items via the storage system 110. To do so, the operator central server 140 may be configured to receive an indication that identity verification has been completed for a user and to verify that the indication has been received from an authorized agent of the operator of the storage system 110. For example, the operator central server 140 may be configured to only allow an authorized agent of the operator to submit an indication that identity verification has been completed (e.g. by requiring authentication of the agent in order to access/communicate with the operator central server 140) or to require that the indication is accompanied by agent authentication information that can be used to confirm the agent's authorization. Prior to generating access authorization data for a delivery, the operator central server 140 may then confirm that identity verification has been completed for a user who is the intended recipient of the delivery. In particular, when the operator central server 140 is required to generate access authorization data for a delivery for which the user is the intended recipient, and access to the delivery is restricted to the user, the operator central server 140 may then only generate access authorization data if identity verification has been completed for the user.

To ensure that this user identity verification is implemented, the access control system 100 is preferably configured to ensure that only the operator can implement or initiate storage of the reference biometric data by the access control system 100. By way of example, the user access device 120 could be configured to require operator authorisation in order to allow biometric reference data to be stored on the user access device 120. Alternatively, the operator could use data authentication techniques to ensure the integrity and origin of any stored reference biometric data. As an alternative example, if the reference biometric data is to be stored centrally by the operator and only distributed to the storage system 110 when required, then the operator could implement procedures that require an agent of the operator to perform identity and/or age verification before the reference biometric data of a user can be stored. This approach provides that identity and/or age verification of users need only be performed once. The subsequent identity verification of the user using the reference biometric data can then be used to confirm the identity of the current user of a user access device 120 and in doing so confirm that the current user has been age verified.

As detailed above, the operator of the storage system 110 preferably maintains an operator central server 140 that is configured to store registered user data 144. At a minimum, this registered user data 144 should identify those users whose identities have been verified by the operator and for whom reference biometric data has been stored by the access control system 100. For example, the registered user data may at least comprise a user identifier for each registered user of the storage system. However, the registered user data 144 may also include information identifying each user access device 120 that is associated with the user. In this way, authentication of a user access device 120 could be used to implicitly identify the registered user of the user access device 120. Conversely, the verification or authentication of user data provided by the user access device 120 could be used to implicitly authenticate a user access device 120 as being associated with a registered user. In an optional implementation, the registered users of the access control system 100 comprise all users who have been provided with a user access device 120 by the operator of the storage system 110, irrespective of whether or not those users' identities have been verified by the operator. Those users whose identities have not been verified by the operator may then still be able to access a locker 111 of the storage system 110 provided that the contents of the locker 111 do not include any restricted items. The registered user data 144 stored by the operator central server 140 then comprises information identifying all registered users of the storage system 110 and, for those users for whom the operator has performed identity verification, the registered user data 144 will further comprise a verified user indicator. For example, this verified user indicator could comprise any of (i) a distinct indicator that explicitly indicates that operator identity verification has been completed, (ii) reference biometric data for the registered user, and (iii) authentication data for authenticating user identity credentials for the user.

In this case, the access authorization data generated by the operator central server 140 may comprise an indication that identity verification of the authorized user is required. If the user access requires identity verification of the authorized user, then the generated access authorization data may comprise either reference biometric data for the registered user or authentication data for authenticating user identity credentials for the user. Alternatively, if the user access does not require identity verification of the authorized user, then the access authorization data may comprise authentication data for authenticating the user access device of the registered user.

In addition, the registered user data 144 stored by the operator central server 140 may further comprise, for those users for whom the operator has performed identity verification, information specifying a category for the verified user. For example, the verified user category information could specify whether the age of the user has been verified and/or a verified age group for the user (e.g. over 16, over 18, over 21, over 25 etc.). This could be implemented by configuring the registered user data 144 such that the verified user indicator comprises the verified user category information (e.g. the presence or absence of verified user category information functions as the verified user indicator) or by configuring the registered user data 144 to further comprise a distinct verified user category indicator. Alternatively, the verified user category information could be included as part of the user data 127 that is stored on the user access device 120. The user access device 120 could then be configured to include the verified user category information as part of the user identity verification data sent by the user access device 120 to a storage system 110. This would remove the need for even this reduced form of personal data to be stored and managed centrally. The operator central server 140 may then be configured to use this verified user category information, as part of the registered user data 144, when generating the access authorization data for a delivery associated with the user.

The operator central server 140 is also configured to store planned delivery data 145, wherein this planned delivery data comprises delivery location information identifying the storage system 110, delivery content information identifying items that are to be included in the delivery to the storage system 110 and whether or not any of these items are restricted, and delivery recipient information identifying each registered user that is authorized to access the delivery. The operator central server 140 is configured to use the planned delivery data 145 and the registered user data 144 to generate access authorization data for the storage system 110, wherein the access authorization data comprises information identifying the registered user who is the intended recipient of a delivery, and who is therefore authorized to access a locker 111 into which the delivery is to be made, and any information required to authorize the user's access to the locker 111. The operator central server 140 can then communicate this access authorization data to the storage system 110. For example, if the storage system 110 were provided as part of an autonomous delivery vehicle, then the operator central server 140 could communicate the access authorization data to the storage system 110 when the autonomous delivery vehicle is located in an area with sufficient mobile network connectivity. In an alternative example, the access control system 100 can comprise an operator access device 130, and the operator central server 140 provides the access authorization data to the operator access device 130 so that this data can be transported to the storage system 110 by a delivery agent of the operator.
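How the operator central server could derive per-locker access authorization data from the registered user data 144 and planned delivery data 145 described in the preceding paragraphs, as an added worked example that is not code from this application. It splits restricted and unrestricted items into separate lockers, withholds the restricted locker's authorization when the recipient's identity (or age group) has not been verified, and hands out reference biometric data only for the restricted locker and device authentication data only for the unrestricted one; the record layouts, the use of reference biometric data as the verified user indicator, and the per-item minimum age are assumptions constructed for the example.

```python
"""Operator central server: generating access authorization data from registered
user data and planned delivery data. Added illustration; layouts are assumed."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class RegisteredUser:
    """Entry of the registered user data 144 (constructed layout)."""
    user_id: str
    device_ids: list
    device_key: bytes                               # shared secret for device authentication (assumed)
    reference_biometric: Optional[bytes] = None     # stored only after operator identity verification
    verified_age_group: Optional[int] = None        # e.g. 18 for "over 18"

    @property
    def identity_verified(self) -> bool:
        # Presence of reference biometric data acts as the verified user indicator (option ii).
        return self.reference_biometric is not None


@dataclass
class Item:
    sku: str
    restricted: bool = False
    min_age: Optional[int] = None   # age group the recipient must be verified for (assumed field)


@dataclass
class PlannedDelivery:
    """Entry of the planned delivery data 145 (constructed layout)."""
    delivery_id: str
    storage_system_id: str
    items: list
    recipient_user_ids: list


class AuthorizationError(Exception):
    """Raised when the delivery names a recipient who is not a registered user at all."""


def generate_access_authorization(delivery: PlannedDelivery, registered_users: dict):
    """Return (records, refusals): one record per locker to provision, and the reasons
    for any restricted locker whose authorization could not be generated."""
    restricted = [i for i in delivery.items if i.restricted]
    unrestricted = [i for i in delivery.items if not i.restricted]
    records, refusals = [], []
    for user_id in delivery.recipient_user_ids:
        user = registered_users.get(user_id)
        if user is None:
            raise AuthorizationError(f"{user_id} is not a registered user")
        base = {"delivery_id": delivery.delivery_id,
                "storage_system_id": delivery.storage_system_id,
                "user_id": user_id}
        if restricted:
            # Only generate restricted-locker authorization for an operator-verified user
            # whose verified age group covers every restricted item.
            needed = max((i.min_age for i in restricted if i.min_age is not None), default=None)
            if not user.identity_verified:
                refusals.append(f"identity verification not completed for {user_id}")
            elif needed is not None and (user.verified_age_group is None
                                         or user.verified_age_group < needed):
                refusals.append(f"{user_id} is not verified for age group over {needed}")
            else:
                records.append({**base, "locker_role": "restricted",
                                "items": [i.sku for i in restricted],
                                "requires_identity_verification": True,
                                "reference_biometric": user.reference_biometric})
        if unrestricted:
            # Unrestricted locker: device authentication alone suffices, so no biometric data.
            records.append({**base, "locker_role": "unrestricted",
                            "items": [i.sku for i in unrestricted],
                            "requires_identity_verification": False,
                            "device_ids": list(user.device_ids),
                            "device_key": user.device_key})
    return records, refusals


if __name__ == "__main__":
    users = {"alice": RegisteredUser("alice", ["dev-1"], b"k1", b"tmpl-alice", 18)}  # constructed
    delivery = PlannedDelivery("D1", "SS-7", [Item("milk"), Item("wine", True, 18)], ["alice"])
    for record in generate_access_authorization(delivery, users)[0]:
        print(record["locker_role"], record["items"])
```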

In another optional implementation, each registered user could be provided with multiple user access devices 120 thereby allowing the registered user to distribute these user access devices 120 to other individuals whom they wish to be able to access the contents of a locker 111 on their behalf. These other individuals will then be able to access a locker 111 for which access does not require user identity verification based on their possession of a user access device 120 that is associated with a registered user who is authorised to access the locker 111.

In a further optional implementation, if a user access device 120 is configured to store a last verification time, then the registered user associated with the user access device 120 could perform remote biometric identity verification using biometric reference data stored on the user access device 120, and then pass the user access device 120 to another individual. This individual would then be able to access restricted items on behalf of the registered user provided that they reach the storage system within the verification duration limit. In a yet further optional implementation, the registered user data 144 stored by the operator central server 140 could further comprise, for each registered user, information identifying alternative registered users who are authorised to access items on their behalf. The access authorization data generated for a particular delivery would then comprise information that enables any one of multiple users to access the locker(s) storing that delivery, including any reference biometric data or authentication data for authenticating identity verification credentials. The alternative registered user could then access the lockers using either their own user access device 120 or, if the access control system 100 is configured to implement biometric identity verification at the storage system 110, by using a user access device 120 that has been shared with them by the registered user who is the intended recipient.

As detailed above, it may be possible to perform identity and/or age verification remotely using videotelephony. However, these approaches require a network connection between either a user's device or the storage system and some centralised systems of the operator, and the provision of such a network connection may not always be possible or could be a limiting factor on the locations at which such storage systems can be used. By way of example, it might not be practical to provide a network connection to a storage system that is located in a rural location, where sufficient wireless and wired connectivity may not be available. As a further example, the storage system could be provided as part of an autonomous delivery vehicle that would preferably be able to make deliveries to any accessible locations, including rural locations, underground car parks etc. where wireless connectivity may be limited or unavailable.

Consequently, the access control system 100 described herein is configured to use access authorization data that is stored locally on the storage system 110 such that a connection to the centralised systems of the operator is not required. To do so, the access control system 100 may be configured such that access authorization data is provisioned to the storage system 110 by an operator access device 130 when the operator access device is at least in the vicinity of the storage system 110. To do so, the access control system 100 may be configured such that communication between the storage system 110 and the operator access device 130 is direct (i.e. does not involve any intermediaries) and uses a limited range wireless communication protocol. For example, the communication between the storage system 110 and the operator access device 130 may be in accordance with any of Near Field Communication (NFC), Radio-frequency identification (RFID), Ultra-wideband (UWB), Bluetooth®, ISO/IEC 18000, ISO/IEC 15693, and ISO/IEC 14443. The operator access device 130 may then also be configured to receive this access authorization data 134 for the storage system 110 from an operator central server 140.

By way of example, the storage system 110 may be stationary (e.g. in a fixed location) and the operator access device 130 may then be provided as a portable device, such as a smart phone or other portable computer device, that is transported to the storage system 110 by an agent of the operator. In this case, when an agent of the operator visits a pick-up location of the operator in order to collect a delivery that is intended for the storage system 110, the agent can connect the operator access device 130 to an operator central server 140 in order to download the access authorization data for the delivery. Then, when making the delivery to the storage system 110, the agent can connect the operator access device 130 to the storage system 110 in order to provision the storage system with current access authorization data 116 for the current content of the storage system 110. The operator access device 130 therefore acts as an intermediary, passing the access authorization data from the operator central server 140 to the storage system 110 without the need for a direct communication channel between them.

In another example, the storage system 110 may be provided as part of an autonomous delivery vehicle and the operator access device 130 may then be located at a pick-up location or distribution site that is attended by the autonomous delivery vehicle. In this case, the operator access device 130 may be configured to frequently connect to an operator central server 140 (e.g. over an internet connection) in order to download the access authorization data for a delivery. Then, when the autonomous delivery vehicle visits the pick-up location or distribution site in order to collect the delivery, the operator access device 130 can connect to the storage system 110 in order to provision the storage system with current access authorization data 116 for the content of the storage system 110. The operator access device 130 therefore again acts as an intermediary, passing the access authorization data from the operator central server 140 to the storage system 110 without the need for a direct communication channel between them.

Figure 8 is a flow diagram showing another example of an access control method 800 in which the access authorization data is provisioned to the storage system by an operator access device 130. At step 810, the operator of the storage system 110 provides the user with a user access device 120. At step 820, the operator of the storage system 110 performs identity verification for a user of the storage system 110. Whilst step 820 is shown as taking place sequentially after step 810, step 820 can take place prior to, at the time of, or subsequent to step 810. At step 830, after performing identity verification for the user, the operator stores registered user data 144 for the user at an operator central server 140 of the operator. At step 840, when a delivery intended for the user is due to be made to the storage system 110, the operator central server 140 uses the registered user data 144 of the user and planned delivery data 145 for the delivery to generate corresponding access authorization data. At step 850, the operator central server 140 transmits the access authorization data to an operator access device 130 that is due to be within range of the storage system 110 (e.g. that is carried by a delivery agent of the operator or that is located at a pick-up location for an autonomous vehicle). At step 860, when the operator access device 130 is within communication range of the storage system 110 (i.e. when content is being deposited into the storage system 110), the operator access device 130 transmits the access authorization data to the storage system 110. At step 870, the storage system 110 then stores the access authorization data for use in implementing access control for the current contents of the storage system 110.

The user access device 120 may comprise any portable device that is capable of capturing biometric data for a user and communicating wirelessly. For example, the user access device 120 could be any of a smart card, smart fob, smart wearable, smart phone and any portable computing device.

Whilst many smart phones are now capable of performing on-device biometric user authentication (e.g. using a fingerprint sensor or facial recognition), this authentication is typically implemented using reference biometric data that is registered on and for the device, and is entirely under the control of any individual who can access the device settings without any need for the user's identity or age to be verified. Consequently, whilst this biometric authentication implemented by a smart phone can be used to confirm that the user is registered on the device, it cannot be used to verify the identity or age of the user.

It may therefore be preferable that the user access device 120 is provided to users of the storage system 110 by the operator, rather than by a third party (such as a smart phone manufacturer or a mobile network operator), thereby allowing the operator to ensure that they can configure the user access device 120 to implement the required functionality and to control the data stored thereon. However, it may be possible to configure a third party device, such as a smart phone, tablet or smart wearable, to implement the required biometric identity verification. For example, a third party device with a built-in biometric sensor could be configured with a mobile app that makes use of the biometric sensor to capture biometric data for the current user and then implements the methods described herein using this captured biometric data, rather than merely implementing biometric authentication for any user registered solely on the device.

In any case, it may still be preferable that the user access device 120 is provided by the operator rather than by a third party, as the access control system 100 is not then reliant on users having access to a suitable third party device and does not require the operator to integrate various different third party devices for operation with the access control system 100.

In addition, it is preferable that the user access device 120 is configured to only communicate with a storage system when the user access device 120 is at least within the vicinity of the storage system 110. Restricting communication between the user access device 120 and the storage system 110 to within a limited range of the storage system 110 improves security by ensuring that the lockers 111 of the storage system 110 can only be opened when the user access device 120 is nearby. Doing so reduces the risk of the contents of a locker 111 being stolen/intercepted after the locker 111 has been unlocked and the risk that another user will accidentally/unintentionally take the contents of the wrong locker 111. The user access device 120 may therefore be configured to communicate with a storage system over a maximum distance of no more than 4 metres, and preferably between 0.04 metres and 1.5 metres. For example, the communication between the storage system 110 and the user access device 120 may be in accordance with any of Near Field Communication (NFC), Radio-frequency identification (RFID), Ultra-wideband (UWB), Bluetooth®, ISO/IEC 18000, ISO/IEC 15693, ISO/IEC 14443 and other short-range radio frequency communication technology.

In this regard, the range of a conventional Bluetooth® connection is typically around 10 metres but, depending upon the specification version and the transmit power, can be up to 240 metres. In comparison, Near Field Communication (NFC) technologies typically have a range of 4 cm or less. Use of very short range communication, such as that provided by Near Field Communication (NFC) technologies, provides improved security by ensuring that the user access device 120 must be in the proximity of the storage system. However, doing so reduces the convenience for the user as it requires the user to ensure that they hold the user access device 120 close to the transmitter 113 of the storage system 110 in order to enable communication. Consequently, it may be preferable to use a communication technology that requires the user access device 120 to merely be within the vicinity of the storage system 110, without the need to be in proximity, such that the user does not need to present the user access device 120 to the transmitter 113 of the storage system 110. For example, this would enable the user to leave the user access device 120 in a pocket whilst accessing the storage system 110, thereby reducing the risk that the user will drop and/or lose the user access device 120, and leaving the user's hands free. In this regard, ISO/IEC 15693 is a standard for 'vicinity' card systems that operate at the 13.56 MHz frequency and offer a maximum read distance of 1 to 1.5 metres.

As described above, the user access device 120 may be an active device, such that the power unit 122 comprises an integral power source, such as a battery. The power unit 122 may then further comprise a charging connector (not shown) that is configured to enable the user access device 120 to be connected to an external power source for recharging of the integral power source. Alternatively, the user access device 120 could be configured to allow removal and replacement of the integral power source. In such an implementation, the user access device 120 would then need to be large enough to house the integral power source, such that it may be preferable for the user access device 120 to take the form of a fob, wearable or other portable computing device. The biometric sensor 121 could then comprise any of a fingerprint sensor that is configured to capture features of the current user's fingerprint, an image sensor that is configured to capture images of physical features of the current user (e.g. face, iris etc.) and a microphone that is configured to capture the current user's voice. However, it is preferable that the biometric sensor 121 comprises a fingerprint sensor, as this can easily be packaged into a portable device, is straightforward to use and can be used without removing the device from the user's pocket.

Alternatively, the user access device 120 may be a passive device such that the power unit 122 comprises a transducer or coupler that is arranged to convert RF energy received by the user access device 120 into electrical energy that can be used to power the user access device 120. Configuring the user access device 120 to be passive removes the need for the user to maintain the power of the user access device 120, either by charging or changing an integral power source, improving convenience for the user. In addition, configuring the user access device 120 to be passive also ensures that the user access device 120 will only be powered, and therefore only able to communicate, when within the vicinity of the storage system 110. Furthermore, as a passive device is not required to house an integral power source, the user access device 120 can be smaller in size than an active device. For example, the user access device 120 may then comprise an integrated circuit (IC) card, often referred to as a smart card. In such an implementation, it is preferable that the biometric sensor 121 comprises a fingerprint sensor, as these can be sufficiently low power for straightforward implementation in a passive device, and can easily be incorporated into a small package such as a smart card. In this regard, ISO/IEC 14443 is an international standard (defined by the International Organization for Standardization) for contactless 'proximity' IC cards (i.e. that operate over a maximum of around 10 cm) that provides for these IC cards being passive devices. ISO/IEC 15693 is then an international standard for contactless 'vicinity' IC cards (i.e. that operate at ranges of up to 100 cm) that also provides for these IC cards being passive devices. ISO/IEC 18000 is then an international standard for radio frequency identification (RFID) devices for which typical applications operate at ranges greater than 100 cm and that also provides for these being passive devices. In particular, passive biometric smart cards with built-in fingerprint sensors are widely available.

If the user access device 120 is a passive device, then the storage system 110 may be configured to transmit or broadcast a carrier or interrogator signal. Then, when the user access device 120 moves to within the limited range of the carrier/interrogator signal, the user access device 120 is energized by the carrier/interrogator signal. In particular, a transducer or coupler provided by the power unit 122 of the user access device 120 makes use of energy provided by the carrier/interrogator signal to power the various components of the user access device 120, including the biometric sensor 121 and the processors 125.

To illustrate an implementation, Figure 9 is a flow diagram showing another example of an access control method 900 in which the user access device 120 comprises a passive IC card. At step 910, the storage system 110 transmits a carrier signal. At step 920, the user access device 120 receives the carrier signal and converts energy provided by the carrier signal to power the user access device 120. At step 930, the user access device 120 sends an access request to the storage system 110, the access request comprising a user identifier for a registered user that is associated with the user access device 120. At step 940, the storage system 110 uses the received user identifier to identify a locker 111 that the identified user is currently authorized to access and for which access to the identified locker 111 requires user identity verification. At step 950, the storage system 110 sends a request for user identity verification to the user access device 120.

At step 960, the user access device 120 receives the user identity verification request and in response performs identity verification for the current user by comparing fingerprint data captured by the biometric sensor 121 with reference biometric data stored on the user access device 120. At step 970, the user access device 120 generates identity verification credentials and sends these to the storage system 110. At step 980, the storage system 110 authenticates the identity verification credentials received from the user access device 120 using authentication data stored as part of the access authorization data 116 and determines that the current user of the user access device 120 is authorized to access the identified locker. At step 990, the storage system 110 then unlocks a locking mechanism 112 of the locker 111.
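The following is an added simulation of the Figure 9 exchange (steps 930 to 990) with both sides modelled in one process; it is not code from the patent or from Ocado. The patent does not specify the form of the identity verification credentials or of the authentication data held in the access authorization data 116, so the example assumes a challenge-response design: the storage system issues a fresh single-use nonce with the verification request, the card answers with an HMAC over that nonce under a per-card secret, and the storage system holds the same secret per registered user. The on-card fingerprint match is modelled as a Hamming distance between fixed-length feature vectors. All identifiers, keys, templates and the locker table are constructed test data, and the request and credential dictionaries stand in for whatever wire format the radio link would carry.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Constructed test data (not from the patent).
REFERENCE_TEMPLATE = bytes(range(16))                          # enrolled on the card
GENUINE_CAPTURE = bytes([REFERENCE_TEMPLATE[0] ^ 0x01]) + REFERENCE_TEMPLATE[1:]
IMPOSTOR_CAPTURE = bytes(255 - b for b in REFERENCE_TEMPLATE)  # every bit differs
CARD_KEY = b"constructed-per-card-secret-key"                  # assumed shared secret


def hamming_distance(a: bytes, b: bytes) -> int:
    """Bit-level distance between two equal-length feature vectors."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


@dataclass
class Locker:
    locker_id: int
    requires_verification: bool
    unlocked: bool = False


class UserAccessDevice:
    """Passive IC card (device 120): the match happens on the card and only
    a keyed credential leaves it; the template itself is never transmitted."""

    def __init__(self, user_id, reference, card_key, threshold=8):
        self.user_id = user_id
        self._reference = reference
        self._card_key = card_key
        self._threshold = threshold

    def access_request(self):
        # Step 930: announce only the registered user identifier.
        return {"user_id": self.user_id}

    def respond_to_verification(self, request, captured):
        # Step 960: compare the live capture with the stored reference.
        if hamming_distance(captured, self._reference) > self._threshold:
            return None  # a non-matching finger yields no credential at all
        # Step 970: credential = HMAC(card_key, nonce || user_id) (assumption).
        msg = request["nonce"] + self.user_id.encode()
        tag = hmac.new(self._card_key, msg, hashlib.sha256).digest()
        return {"user_id": self.user_id, "nonce": request["nonce"], "tag": tag}


class StorageSystem:
    """Storage system 110 holding the access authorization data 116."""

    def __init__(self, lockers, authorization):
        # authorization: user_id -> {"locker_id": int, "card_key": bytes}
        self.lockers = {lk.locker_id: lk for lk in lockers}
        self._authorization = authorization
        self._pending = {}  # outstanding nonce -> user_id, consumed on use

    def handle_access_request(self, req):
        # Step 940: find a locker the user may open that needs verification.
        entry = self._authorization.get(req["user_id"])
        if entry is None or not self.lockers[entry["locker_id"]].requires_verification:
            return None
        # Step 950: send the verification request carrying a fresh nonce.
        nonce = secrets.token_bytes(16)
        self._pending[nonce] = req["user_id"]
        return {"nonce": nonce}

    def authenticate(self, cred):
        # Step 980: the nonce must be outstanding for this user and is single-use,
        # so a captured credential cannot be replayed later.
        if self._pending.pop(cred["nonce"], None) != cred["user_id"]:
            return None
        entry = self._authorization[cred["user_id"]]
        msg = cred["nonce"] + cred["user_id"].encode()
        expected = hmac.new(entry["card_key"], msg, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, cred["tag"]):
            return None
        # Step 990: unlock the identified locker.
        locker = self.lockers[entry["locker_id"]]
        locker.unlocked = True
        return locker.locker_id


def run_exchange(storage, card, captured):
    """Drive steps 930-990 once; returns the unlocked locker id or None."""
    request = storage.handle_access_request(card.access_request())
    if request is None:
        return None
    cred = card.respond_to_verification(request, captured)
    if cred is None:
        return None
    return storage.authenticate(cred)


def build_demo():
    """Constructed deployment: one user, one locker that requires verification."""
    lockers = [Locker(1, requires_verification=True), Locker(2, requires_verification=False)]
    storage = StorageSystem(lockers, {"alice": {"locker_id": 1, "card_key": CARD_KEY}})
    card = UserAccessDevice("alice", REFERENCE_TEMPLATE, CARD_KEY)
    return storage, card


if __name__ == "__main__":
    storage, card = build_demo()
    print("genuine finger  ->", run_exchange(storage, card, GENUINE_CAPTURE))
    print("impostor finger ->", run_exchange(storage, card, IMPOSTOR_CAPTURE))
```

The two design choices worth noting are that the card emits nothing at step 970 when the match fails, so the storage system cannot distinguish an absent user from a rejected one over the air, and that the nonce is consumed at step 980 regardless of whether the tag verifies, so a credential captured from a successful unlock is useless when presented a second time.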

As used herein, the singular forms "a", "an" and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise. It will be further understood that the terms "comprises" and/or "comprising," when used in this specification, specify the presence of stated features, integers, steps, operations, elements, and/or components, but do not preclude the presence or addition of one or more other features, integers, steps, operations, elements, components, and/or groups thereof.

The above disclosure provides systems, devices, methods, and computer programming products, including non-transient machine-readable instruction sets, for use in implementing such methods and enabling the functionality described previously. Furthermore, the machine-readable instruction sets can take the form of a computer program embodied as a computer-readable medium having computer executable code for use by or in connection with a computer. For the purposes of this description, a computer readable medium can be any tangible apparatus that can contain, store, communicate, propagate, or transport the program for use by or in connection with the computer. Moreover, a computer-readable medium can be an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system (or apparatus or device) or a propagation medium. Examples of a computer-readable medium include a semiconductor or solid state memory, magnetic tape, a removable computer diskette, a random access memory (RAM), a read-only memory (ROM), a rigid magnetic disk and an optical disk. Current examples of optical disks include compact disk-read only memory (CD-ROM), compact disk-read/write (CD-R/W) and DVD.

The flow diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of methods according to various embodiments of the present invention. In this regard, each block in the flow diagram may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be performed substantially concurrently, or the blocks may sometimes be performed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the flow diagrams, and combinations of blocks in the flow diagrams, can be implemented by special purpose hardware-based systems that perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.

It will be understood that the above description is given by way of example only and that various modifications may be made by those skilled in the art. Although various embodiments have been described above with a certain degree of particularity, or with reference to one or more individual embodiments, those skilled in the art could make numerous alterations to the disclosed embodiments without departing from the scope of this invention, which is to be limited only by the claims. For example, those skilled in the art will appreciate that the specific exchanges of information described above may be modified and/or supplemented in order to improve their security and/or for consistency with any appropriate authentication and/or communication protocols.