CN105119722A

CN105119722A - Identity verification method, equipment and system

Info

Publication number: CN105119722A
Application number: CN201510484179.7A
Authority: CN
Inventors: 沈明星
Original assignee: Hangzhou Langhe Technology Co Ltd
Current assignee: Hangzhou Netease Zhiqi Technology Co Ltd
Priority date: 2015-08-07
Filing date: 2015-08-07
Publication date: 2015-12-02
Anticipated expiration: 2035-08-07
Also published as: CN105119722B

Abstract

Embodiments of the invention provide an identity verification method. The method comprises the following steps that when a preset operation is not triggered by a user on a client for the first time, the client sends a request of the preset operation to an APP server which the client belongs to, wherein the preset operation is an operation of carrying out identity verification on the user; the APP server responds to the request of the preset operation so as to generate an identity verification request and sends the identity verification request to a verification server, wherein the request of the preset operation is sent by the client; the verification server responds to the identity verification request sent by the APP server, automatically carries out identity verification on the user and returns a verification result to the APP server. Through information interaction among the client, the APP server which the client belongs to and the verification server, by using the method in the invention, the identity verification can be automatically performed on the user so that an identity verification operation is greatly simplified and a good experience is brought for the user. In addition, the embodiments of the invention provide equipment and a system of the identity verification.

Description

A kind of auth method, equipment and system

Technical field

Embodiments of the present invention relate to communication technical field, and more specifically, embodiments of the present invention relate to a kind of auth method, equipment and system.

Background technology

This part embodiments of the present invention be intended to for stating in claims provide background or context.Description is not herein because be included in just admit it is prior art in this part.

Along with the development of Internet technology, the Internet businessman provides various client (such as: online game, instant messaging, browser etc.), to provide better service to user to user.Client is the computer program that can complete one or more specific operation.

User is when using client, can perform in described client much need authentication critical operations (such as: log in, pay, exchange), in order to the fail safe of the personal information and fund information that ensure user, user is when performing above-mentioned critical operations, and user needs to input authentication information on the authentication interface of described client.By described authentication information, the server be sent to belonging to described client carries out authentication to described client.Return after the information that authentication passes through until the server belonging to described client, user could perform corresponding critical operations in described client.

At present, existing authentication mode comprises: short message verification code is verified, dynamic hardware token authentication and dynamically handset token checking etc.Described short message verification code checking, when user needs to perform critical operations, the sending short message by mobile phone identifying code that server is bound to user account, user inputs received short message verification code and carries out authentication on the authentication interface of described client.Described dynamic hardware token authentication, dynamic hardware token refreshes the disposable effective dynamic verification code of generation one in every 60 seconds, when user needs to perform critical operations, the dynamic verification code that user inputs the generation of dynamic hardware token on the authentication interface of described client carries out authentication.Described dynamic handset token checking, dynamic handset token program on mobile phone refreshes the disposable effective dynamic verification code of generation one in every 60 seconds, when user needs to perform critical operations, the dynamic verification code that user inputs the generation of dynamic handset token on the authentication interface of described client carries out authentication.

Summary of the invention

But the authentication mode provided in prior art, before user performs critical operations, needs the interim effective identifying code of acquisition one at every turn.User needs on the authentication interface of described client, manually input described identifying code and carries out authentication, causes user to perform authentication process itself complex operation.In addition, when user adopts short message verification code verification mode, user end to server is needed to send authentication request, server gives the sending short message by mobile phone identifying code of binding again, and user manually inputs received short message verification code again, and the time that above-mentioned authentication process itself expends is long, and, when unstable networks, mobile phone often cannot receive short message verification code, cannot complete authentication.When adopting dynamic hardware token authentication mode, user also needs to carry extra hardware device, and when adopting dynamic handset token verification mode, also need to switch between the client belonging to dynamic handset token program and critical operations, the required operation performed of user is more complicated, causes poor user experience.

Therefore, in the prior art, before user performs critical operations at every turn, need the interim effective identifying code of acquisition one, and manually input described identifying code on the authentication interface of described client, this is very bothersome process.

For this reason, being starved of a kind of auth method of improvement, equipment and system, is not before first time performing key operation on the client to make user, automatically authentication is carried out, obtain and manual input validation code without the need to user, simplify user operation, promote Consumer's Experience.

In the present context, embodiments of the present invention are expected to provide a kind of auth method, equipment and system.

In the first aspect of embodiment of the present invention, provide a kind of method of authentication, comprise: client receives the predetermined registration operation that user triggers, and described predetermined registration operation carries the mark of described user, described predetermined registration operation is the operation needing to carry out described user authentication; Described client judges whether first time is triggered predetermined registration operation by described user to described client; When described client is not that when first time being triggered predetermined registration operation by described user, described client obtains authentication information; Described client generates the request of described predetermined registration operation, and the request of described predetermined registration operation comprises described predetermined registration operation, the mark of described user and described authentication information; The request of described predetermined registration operation is sent to the application software APP server belonging to described client by described client, so that described APP server generates authentication request according to the request of described predetermined registration operation, described authentication request carries the mark of described user and described authentication information, Receipt Validation server carries out the result of authentication to described user, when the result of described authentication is for being verified, perform described predetermined registration operation, return the execution result of described predetermined registration operation to described client.

In the second aspect of embodiment of the present invention, provide a kind of auth method, comprise: application software APP server receives the request of the predetermined registration operation of the client transmission belonging to described APP server, the request of described predetermined registration operation is the predetermined registration operation that client receives user's triggering, when described client is not when first time being triggered predetermined registration operation by described user, described client obtains authentication information, according to described predetermined registration operation, the mark of described user and described authentication information generate, the request of described predetermined registration operation comprises described predetermined registration operation, the mark of user and authentication information, described predetermined registration operation is the operation needing to carry out described user authentication, described APP server generates authentication request, and described authentication request carries the mark of described user and described authentication information, described authentication request is sent to authentication server by described APP server, so that described authentication server obtains the obligate information corresponding to the mark of described user, verify whether described obligate information mates with described authentication information, when described obligate information and described authentication information coupling, send the result of authentication for being verified to described APP server, when described APP server receives the result of authentication that described authentication server sends for being verified, described APP server performs described predetermined registration operation, and returns the execution result of described predetermined registration operation to described client.

In the second aspect of embodiment of the present invention, optionally,

Described authentication information comprises dynamic password OTP;

Described OTP is the mark of described client to the equipment at described client place, seed and described timestamp adopt the first hash function to calculate the cryptographic Hash obtained, described seed is when described client first time being triggered predetermined registration operation by described user, described authentication server is to after the identifier register of the equipment at the mark of described user and described client place, to the random string that described user generates, the hardware information of described client to the equipment at described client place that be designated of described equipment adopts the second hash function to calculate the cryptographic Hash of gained.

In the second aspect of embodiment of the present invention, optionally,

Described authentication information comprises the geographical location information at OTP and described user place;

Or,

Described authentication information comprises OTP, the time interval of predetermined registration operation described in the geographical location information at described user place and described client executing;

In the third aspect of embodiment of the present invention, provide a kind of auth method, described authentication server is connected with multiple application software APP server, comprise: when client is not when first time being triggered predetermined registration operation by user, authentication server receives the authentication request that the APP server belonging to described client sends, described authentication request carries mark and the authentication information of user, and described authentication request is that the request of the described predetermined registration operation that described APP server sends according to client generates; Described authentication server obtains the obligate information corresponding to the mark of described user, verifies whether described obligate information mates with described authentication information; When described obligate information mates with described authentication information, described authentication server sends the result of authentication for being verified to described APP server, so that described APP server receives the result of described authentication, when the result of described authentication is for being verified, perform described predetermined registration operation, and return the execution result of described predetermined registration operation to the client belonging to described APP server.

In the third aspect of embodiment of the present invention, optionally, described method also comprises:

When described client is when first time being triggered predetermined registration operation by described user, described authentication server receives the mark of described user of described client transmission and the mark of the equipment at described client place;

Described authentication server verifies that whether the mark of the mark of described user and described equipment is registered;

When the mark of described user and described equipment be identified at described authentication server registered time, described authentication server sends seed to described client;

When the mark of described user and the mark of described equipment be not in described authentication server registration, described authentication server receives the mark of the described user that described client sends, the short message verification code of the mark of the equipment at described client place and described user input;

Described authentication server verifies described short message verification code;

When described authentication server is verified described short message verification code, described authentication server to the identifier register of the equipment at the mark of described user and described client place, and sends described seed to described client.

In the third aspect of embodiment of the present invention, optionally,

Described authentication information is dynamic password OTP;

Described OTP is the mark of described client to described equipment, described seed and described timestamp adopt the first hash function to calculate the cryptographic Hash obtained, and the hardware information of described client to the equipment at described client place that be designated of described equipment adopts the second hash function to calculate the cryptographic Hash of gained.

In the third aspect of embodiment of the present invention, optionally,

Or,

In the fourth aspect of embodiment of the present invention, provide a kind of client of authentication, comprise: the first receiving element, for receiving the predetermined registration operation that user triggers, described predetermined registration operation carries the mark of described user, and described predetermined registration operation is the operation needing to carry out described user authentication; Judging unit, for judging whether first time is triggered predetermined registration operation by described user to described client; Acquiring unit, for when described client be not first time triggered predetermined registration operation by described user time, obtain authentication information; Generation unit, for generating the request of described predetermined registration operation, the request of described predetermined registration operation comprises described predetermined registration operation, the mark of described user and described authentication information; First transmitting element, for the request of described predetermined registration operation being sent to the application software APP server belonging to described client, so that described APP server generates authentication request according to the request of described predetermined registration operation, described authentication request carries the mark of described user and described authentication information, Receipt Validation server carries out the result of authentication to described user, when the result of described authentication is for being verified, perform described predetermined registration operation, return the execution result of described predetermined registration operation to described client.

In the fourth aspect of embodiment of the present invention, optionally,

Described judging unit, specifically for, judge whether the seed seed storing described user, when described client stores described seed, described client is not first time triggered predetermined registration operation by described user, described seed is described client first time when being triggered predetermined registration operation by described user, described authentication server to after the identifier register of the equipment at the mark of described user and described client place, to the random string that described user generates.

In the fourth aspect of embodiment of the present invention, optionally, described client also comprises:

Second transmitting element, for when described client does not store described seed, described client is triggered predetermined registration operation by described user at first time, the mark of the equipment at the mark of described user and described client place is sent to described authentication server, so that described authentication server verifies that whether the mark of the mark of described user and the equipment at described client place is registered;

Second receiving element, for when the mark of described user and described equipment be identified at described authentication server registered time, receive the described seed that described authentication server sends;

3rd transmitting element, for when the mark of the mark of described user and the equipment at described client place is not in described authentication server registration, by the mark of described user, the short message verification code of the mark of the equipment at described client place and described user input is sent to described authentication server, so that after described authentication server is verified described short message verification code, to the identifier register of the mark of described user and the equipment at described client place, and send described seed to described client;

3rd receiving element, for receiving the described seed that described authentication server sends.

In the fourth aspect of embodiment of the present invention, optionally, described acquiring unit comprises:

First obtains subelement, for obtaining the mark of the equipment at described client place, the seed that described client stores, and described client is triggered the timestamp of described predetermined registration operation, the hardware information of described client to the equipment at described client place that be designated of the equipment at described client place adopts the second hash function to calculate the cryptographic Hash of gained;

First Hash subelement, for the mark to described equipment, described seed and described timestamp adopt the first hash function to calculate and obtain dynamic password OTP, using described OTP as described authentication information.

Second obtains subelement, for obtaining the mark of the equipment at described client place, the seed that described client stores, and described client is triggered the timestamp of described predetermined registration operation, the hardware information of described client to the equipment at described client place that be designated of the equipment at described client place adopts the second hash function to calculate the cryptographic Hash of gained;

Second hash units, for the mark to described equipment, described seed and described timestamp adopt the first hash function to calculate and obtain dynamic password OTP;

3rd obtains subelement, for obtaining the geographical location information at described OTP and described user place as described authentication information;

Or,

4th obtains subelement, for obtaining the time interval of predetermined registration operation described in described OTP, the geographical location information at described user place and described client executing as described authentication information.

In in the 5th of embodiment of the present invention the, provide a kind of APP server of authentication, described APP server side is connected with at least one client belonging to described APP server respectively, the other end is connected with authentication server, comprise: receiving element, for receiving the request of the predetermined registration operation of the client transmission belonging to described APP server, the request of described predetermined registration operation is the predetermined registration operation that client receives user's triggering, when described client is not when first time being triggered predetermined registration operation by user, described client obtains authentication information, according to described predetermined registration operation, the mark of described user and described authentication information generate, the request of described predetermined registration operation comprises described predetermined registration operation, the mark of user and authentication information, described predetermined registration operation is the operation needing to carry out described user authentication, generation unit, for generating authentication request, described authentication request carries the mark of described user and described authentication information, transmitting element, for described authentication request is sent to described authentication server, so that described authentication server obtains the obligate information corresponding to the mark of described user, verify whether described obligate information mates with described authentication information, when described obligate information and described authentication information coupling, send the result of authentication for being verified to described APP server, performance element, during for receiving the result of authentication that described authentication server sends when described APP server for being verified, performing described predetermined registration operation, and returning the execution result of described predetermined registration operation to described client.

In in the 5th of embodiment of the present invention the, optionally,

Described authentication information comprises dynamic password OTP;

In in the 5th of embodiment of the present invention the, optionally,

Or,

Described OTP is the mark of described client to the equipment at described client place, seed and described timestamp adopt the first hash function to calculate the cryptographic Hash obtained, described seed is when described client first time being triggered predetermined registration operation by described user, described authentication server is to after the identifier register of the equipment at the mark of described user and described client place, to the random string that described client generates, the hardware information of described client to the equipment at described client place that be designated of described equipment adopts the second hash function to calculate the cryptographic Hash of gained.

In in the 6th of embodiment of the present invention the, provide a kind of authentication server of authentication, described authentication server is connected with at least one application software APP server, comprise: the first receiving element, for when client be not first time triggered predetermined registration operation by user time, receive the authentication request that the APP server belonging to described client sends, described authentication request carries mark and the authentication information of user, and described authentication request is that the request of the described predetermined registration operation that described APP server sends according to client generates; First authentication unit, for obtain described user mark corresponding to obligate information, verify whether described obligate information mates with described authentication information; First transmitting element, for when described obligate information mates with described authentication information, the result of authentication is sent for being verified to described APP server, so that described APP server receives the result of described authentication, when the result of described authentication is for being verified, perform described predetermined registration operation, and return the execution result of described predetermined registration operation to the client belonging to described APP server.

In in the 6th of embodiment of the present invention the, optionally, described authentication server also comprises:

Second receiving element, for being when first time being triggered predetermined registration operation by described user when described client, receives the mark of described user of described client transmission and the mark of the equipment at described client place;

Second authentication unit, whether the mark for the mark and described equipment of verifying described user is registered;

Second transmitting element, for when the mark of described user and described equipment be identified at described authentication server registered time, send seed to described client;

3rd receiving element, for when the mark of described user and the mark of described equipment be not in described authentication server registration, receive the mark of the described user that described client sends, the short message verification code of the mark of the equipment at described client place and described user input;

3rd authentication unit, for verifying described short message verification code;

Registering unit, for when described authentication server is verified described short message verification code, to the identifier register of the mark of described user and the equipment at described client place, and sends described seed to described client.

In in the 6th of embodiment of the present invention the, optionally, it is characterized in that,

Described authentication information is dynamic password OTP;

Or,

In in the 7th of embodiment of the present invention the, provide a kind of system of authentication, comprising: the client described at least one fourth aspect, at least one APP server described in the 5th aspect and the authentication server described in the 6th aspect; Each client is connected with the APP server belonging to this client, and each described APP server is connected with at least one client, and all APP servers are connected with described authentication server.

According to embodiment of the present invention, for the method, apparatus and system of authentication, the predetermined registration operation that client end response triggers in user, can not being, when first time being triggered predetermined registration operation by described user, send the request of predetermined registration operation to the APP server belonging to described client; The request of the described predetermined registration operation that described APP server sends in response to described client generates authentication request, and described authentication request is sent to authentication server; The authentication request that described authentication server sends in response to described APP server, carries out authentication to user automatically, and the result is returned to described APP server; When described APP server receives the result of authentication that described authentication server sends for being verified, described APP server performs described predetermined registration operation, and returns the execution result of described predetermined registration operation to described client.As can be seen here, because authentication server can in response to the authentication request of APP server, automatically authentication is carried out to user, and obtain and manual input validation code without the need to user, thus simplify user operation significantly, reduce the triviality of authentication, for user brings better experience.

summary of the invention

The present inventor finds, user is when using client, and described user performs critical operations at every turn all to be needed to carry out authentication.What provide in prior art mainly comprises three kinds to the method that described user carries out authentication: short message verification code is verified, dynamic hardware token authentication and dynamically handset token checking.When described user performs critical operations at every turn, all need manual input validation code on the client, cause user to perform authentication process itself complex operation.Further, adopt short message verification code verification mode, during unstable networks, mobile phone often cannot receive short message verification code, cannot complete authentication.Adopt dynamic hardware token authentication mode, user also needs to carry extra hardware device.When adopting dynamic handset token verification mode, also need to switch between the client belonging to dynamic handset token program and critical operations, the required operation performed of user is more complicated, causes poor user experience.

Based on above-mentioned discovery, basic thought of the present invention is: when client is not needed to carry out the predetermined registration operation of authentication to described user by user's first time triggering, pass through client, APP server belonging to client and the information interaction between authentication server, automatically authentication is carried out to described user, simplify the operation of authentication.When described client is not when first time being triggered predetermined registration operation by described user, described client obtains authentication information, generate the request of described predetermined registration operation, the request of described predetermined registration operation comprises described predetermined registration operation, the mark of described user and described authentication information, be sent to the APP server belonging to described client by the request of described predetermined registration operation.Described APP server receives the request of described predetermined registration operation, and generate authentication request, described authentication request carries the mark of described user and described authentication information, and described authentication request is sent to authentication server.Described authentication server receives described authentication information, obtain the obligate information corresponding to mark of described user, verify whether described obligate information mates with described authentication information, when described obligate information mates with described authentication information, send the result of authentication for being verified to described APP server.Thus realize carrying out authentication automatically to described user, without the need to the manual input validation code of described user, thus simplify user operation significantly, reduce the triviality of authentication, for user brings better experience.

After describing general principle of the present invention, lower mask body introduces various non-limiting embodiment of the present invention.

application scenarios overview

First be the block schematic illustration of an exemplary application scene of embodiments of the present invention with reference to figure 1, Fig. 1.Wherein, user by client respectively with the APP server belonging to client, authentication server carries out alternately.As shown in Figure 1, each customer end A 1 is connected with the APP server B 1 belonging to this client.The client (A1 ~ An, n are positive integer) that APP server B 1 can belong to this APP server B 1 with at least one is connected.Described authentication server 101 can be connected with at least one APP server (B1 ~ Bm, m are positive integer).It will be understood by those skilled in the art that the block schematic illustration shown in Fig. 1 is only the example that embodiments of the present invention can be achieved wherein.The scope of application of embodiment of the present invention is not subject to the restriction of any aspect of this framework.

It should be noted that, client herein can be existing, research and develop or in the future research and development, can by any type of wired or wireless connection (such as, Wi-Fi, LAN, WAN, internet etc.) with any interactive device of APP server interaction, include but not limited to: existing, research and develop or research and development in the future, desktop computer, laptop computer, mobile terminal (comprising smart mobile phone, non intelligent mobile phone, various panel computer) etc.

It is also to be noted that APP server herein and authentication server be only existing, research and develop or research and development in the future, an example that the equipment of any one network english teaching can be provided to user.Embodiments of the present invention are unrestricted in this regard.

In the exemplary application scene shown in Fig. 1, with between customer end A 1, APP server B 1 and authentication server 101 alternately for example is described.When described client is not that when first time being triggered predetermined registration operation by described user, the predetermined registration operation that customer end A 1 triggers in response to user, generates the request of predetermined registration operation, and be sent to APP server B 1.APP server B 1 generates authentication request in response to the request of described predetermined registration operation, and is sent to authentication server.Described authentication server, in response to described authentication request, carries out authentication to described user automatically.Mutual and foregoing description between client on other branch roads shown in Fig. 1, APP server and authentication server is similar, no longer repeats here.

illustrative methods

Below in conjunction with the application scenarios of Fig. 1, with reference to figure 2 ~ Fig. 7, the method for authentication according to exemplary embodiment of the invention is described.It should be noted that above-mentioned application scenarios is only that embodiments of the present invention are unrestricted in this regard for the ease of understanding spirit of the present invention and principle and illustrating.On the contrary, embodiments of the present invention can be applied to applicable any scene.

See Fig. 2, show the flow chart of auth method one embodiment in the present invention.The present embodiment is applied to client, such as, specifically can comprise the steps:

201: client receives the predetermined registration operation that user triggers, and described predetermined registration operation carries the mark of described user, described predetermined registration operation is the operation needing to carry out described user authentication.

Client is normal operations to a part of application operating that user provides, and such as, the list of application that browsing client provides or application brief introduction, check historical viewings record, uses search to search interested information etc.When client receives the normal operations of user's triggering, the normal operations that described user triggers can be corresponded directly to, perform described normal operations, return the result performing described normal operations to described user.

Client is predetermined registration operation to another part application operating that user provides, described predetermined registration operation is the operation needing to carry out user authentication, and namely described predetermined registration operation refers to the operation that can affect user account or fund security, such as: delivery operation, change Password Operations, register etc.When client receives the predetermined registration operation of user's triggering, the predetermined registration operation that described user triggers can not be corresponded directly to, the user to triggering described predetermined registration operation is needed to carry out authentication, after the authentication of described user is passed through, described predetermined registration operation could be performed, return the execution result of described predetermined registration operation to described user.

202: described client judges that whether first time is triggered predetermined registration operation by described user to described client, if not, performs step 203.

203: described client obtains authentication information.

Described client judges whether that first time is triggered predetermined registration operation by described user, generally, described predetermined registration operation comprises multiple needs carry out authentication operation to described user, and described client judges described user any one operation whether in described client in triggered described predetermined registration operation.

Described client is not first time triggered predetermined registration operation by described user, i.e. any one or the multiple operation of described user once in described client in triggered described predetermined registration operation.Described client is triggered predetermined registration operation by described user at first time, and namely described user is less than any one in described client in triggered described predetermined registration operation or multiple operation.

Concrete, described client judges whether described client is triggered predetermined registration operation by described user for the first time and comprise: described client judges whether to store the seed of described user, when described client stores described seed, described client is not first time triggered predetermined registration operation by described user, described seed is when described client first time being triggered predetermined registration operation by described user, described authentication server to after the identifier register of the equipment at the mark of described user and described client place, to the random string that described user generates.

Seed is that described user first time is when described client triggers predetermined registration operation, the mark of described user and the equipment at described client place be identified on described authentication server after registration, the random string that described authentication server generates to the described user of described client is seed.A seed is corresponding with a user, namely when a user once triggered described predetermined registration operation time, store the seed corresponding with described user in this client; If a user does not have triggered described predetermined registration operation, then this client does not store the seed corresponding with described user.

That is, client receives the predetermined registration operation that user triggers, and described client searches whether store seed corresponding to described user, and when described client stores seed corresponding to described user, described user is not that first time is in the described predetermined registration operation of triggering; When described client does not store seed corresponding to described user, described user triggers described predetermined registration operation first time.

Optionally, described method also comprises:

When described client does not store described seed, described client is triggered predetermined registration operation by described user at first time, the mark of the equipment at the mark of described user and described client place is sent to described authentication server, so that described authentication server verifies that whether the mark of the mark of described user and the equipment at described client place is registered by described client;

When the mark of described user and described equipment be identified at described authentication server registered time, described client receives the described seed that described authentication server sends;

When the mark of the mark of described user and the equipment at described client place is not in described authentication server registration, described client is by the mark of described user, the short message verification code of the mark of the equipment at described client place and described user input is sent to described authentication server, so that after described authentication server is verified described short message verification code, to the identifier register of the mark of described user and the equipment at described client place, and send described seed to described client

Described client receives the described seed that described authentication server sends.

When described client is triggered predetermined registration operation by described user first time, the mark of the equipment at the mark of described user and described client place is sent to authentication server by described client.Described authentication server verifies that whether the mark of the mark of described user and the equipment at described client place is registered, if, described authentication server directly generates seed corresponding to a described user, seed corresponding for described user is sent to described client and stores, if not, described authentication server also needs the short message verification code receiving described user's input that described client sends, described short message verification code is verified, after described short message verification code is verified, to the identifier register of the mark of described user and the equipment at described client place, and generate seed corresponding to a described user, seed corresponding for described user is sent to described client store, if checking is not passed through, then not to the identifier register of the mark of described user and the equipment at described client place, and, do not generate the seed that described user is corresponding.

Optionally, when described client is not that when first time being triggered predetermined registration operation by described user, described client obtains authentication information, wherein, described client acquisition authentication information comprises at least three kinds of possible execution modes:

The first possible execution mode, described authentication information comprises dynamic password (One-timePassword, OTP):

Described client obtains the mark of the equipment at described client place, the seed that described client stores, and described client is triggered the timestamp of described predetermined registration operation, the hardware information of described client to the equipment at described client place that be designated of the equipment at described client place adopts the second hash function to calculate the cryptographic Hash of gained; Described client is to the mark of described equipment, and described seed and described timestamp adopt the first hash function to calculate and obtain OTP, using described OTP as described authentication information.

The execution mode that the second is possible, described authentication information comprises the geographical location information at OTP and described user place:

Described client obtains the mark of the equipment at described client place, the seed that described client stores, and described client is triggered the timestamp of described predetermined registration operation, the hardware information of described client to the equipment at described client place that be designated of the equipment at described client place adopts the second hash function to calculate the cryptographic Hash of gained;

Described client is to the mark of described equipment, and described seed and described timestamp adopt the first hash function to calculate and obtain OTP;

Described client obtains the geographical location information at described OTP and described user place as described authentication information.

The third possible execution mode, described authentication information comprises the time interval of predetermined registration operation described in OTP, the geographical location information at described user place and described client executing:

Described client obtains the time interval of predetermined registration operation described in described OTP, the geographical location information at described user place and described client executing as described authentication information.

Be understandable that, when described authentication information only comprises OTP, described authentication server is only verified OTP, when OTP is verified, passes through the authentication of described user.When described authentication information comprises the geographical location information at OTP and described user place, described authentication server not only needs to verify OTP, also need the geographical location information verifying described user place, when the geographical location information at OTP and described user place is all verified, the authentication of described user is passed through, there is a checking obstructed out-of-date in the geographical location information at OTP and described user place, the authentication of user is not passed through.When described authentication information comprises OTP, during the time interval of predetermined registration operation described in the geographical location information at described user place and described client executing, described authentication server not only needs to verify OTP, also need to verify the time interval of predetermined registration operation described in the geographical location information at described user place and described client executing, OTP, when described in the geographical location information at described user place and described client executing, the time interval of predetermined registration operation is all verified, the authentication of described user is passed through, OTP, there is a checking obstructed out-of-date in the time interval of predetermined registration operation described in the geographical location information at described user place and described client executing, the authentication of user is not passed through.

Wherein, OTP is the mark of described client to described equipment, and described seed and described timestamp adopt the first hash function to calculate and obtain OTP.The mark of described equipment, the sequencing of described seed and the arrangement of described timestamp does not specifically limit.Described first hash function can be chosen according to actual conditions, concrete, and described first hash function can be SHA384.The mark of described equipment refers to the mark of the equipment at described client place, is to adopt the second hash function to calculate the cryptographic Hash of gained by the hardware information of described client to the equipment at described client place.The hardware information of equipment can comprise CPU information, mainboard information, and interface message etc., specifically set according to actual conditions.Described second hash function can be chosen according to actual conditions, concrete, and described second hash function can be SHA256.

Wherein, the geographical location information at described user place comprises the believable geographical location information of user described at least one, such as, described user logs in the conventional geographical location information of described client, or the believable geographical location information that described user pre-sets according to actual conditions.The time interval of predetermined registration operation described in described client executing is generally the time interval that can carry out auto authentication that described user is arranged according to actual needs, such as: the morning 9:00 ~ evening 12:00, at this moment outside interval range, described user seldom carries out described predetermined registration operation, can not carry out auto authentication.

204: described client generates the request of described predetermined registration operation, the request of described predetermined registration operation comprises described predetermined registration operation, the mark of described user and described authentication information.

205: the request of described predetermined registration operation is sent to the APP server belonging to described client by described client.

Described client generates the request of described predetermined registration operation, and the request of described predetermined registration operation is sent to the APP server belonging to described client after obtaining authentication information.

Described APP server receives the request of the described predetermined registration operation that described client sends, generate authentication request according to the request of described predetermined registration operation, described authentication request carries the mark of described user and described authentication information and described authentication request is sent to described authentication server.Described authentication server carries out authentication according to described authentication request to described user, sends authentication result to described APP server.Described APP server Receipt Validation server carries out the result of authentication to described user, when the result of described authentication is for being verified, performing described predetermined registration operation, returning the execution result of described predetermined registration operation to described client.Thus realize automatically carrying out authentication to described user, simplify the operation of user.

See Fig. 3, show the flow chart of auth method one embodiment in the present invention.The present embodiment is applied to application software (Application, APP) server, such as, specifically can comprise the steps:

301:APP server receives the request of the predetermined registration operation of the client transmission belonging to described APP server.

The request of described predetermined registration operation is the predetermined registration operation that client receives user's triggering, when described client is not when first time being triggered predetermined registration operation by described user, described client obtains authentication information, according to described predetermined registration operation, the mark of described user and described authentication information generate, the request of described predetermined registration operation comprises described predetermined registration operation, the mark of user and authentication information, and described predetermined registration operation is the operation needing to carry out described user authentication.

Each APP server can only receive the request of the predetermined registration operation of the client transmission belonging to this APP server.Client receives the predetermined registration operation that user triggers, when described client is not when first time being triggered predetermined registration operation by described user, described client obtains authentication information, generate the request of described predetermined registration operation, the request of described predetermined registration operation comprises described predetermined registration operation, the mark of described user and described authentication information.The request of described predetermined registration operation is sent to the APP server belonging to described client by described client.Described client generates the request process of described predetermined registration operation, with reference to the description of the auth method embodiment shown in figure 2, repeats no more here.

302: described APP server generates authentication request, and described authentication request carries the mark of described user and described authentication information.

303: described authentication request is sent to authentication server by described APP server, so that described authentication server obtains the obligate information corresponding to the mark of described user, verify whether described obligate information mates with described authentication information, when described obligate information and described authentication information coupling, send the result of authentication for being verified to described APP server.

Described APP server generates authentication request according to the mark of the described user in the request of described predetermined registration operation and described authentication information, and described authentication request is sent to authentication server.

Optionally, described authentication information comprises OTP;

Optionally, described authentication information comprises the geographical location information at OTP and described user place;

Optionally, described authentication information comprises OTP, the time interval of predetermined registration operation described in the geographical location information at described user place and described client executing.

Wherein, described OTP is the mark of described client to the equipment at described client place, and seed and described timestamp adopt the first hash function to calculate the cryptographic Hash obtained.The hardware information of described client to the equipment at described client place that be designated of described equipment adopts the second hash function to calculate the cryptographic Hash of gained.Described seed is described client first time when being triggered predetermined registration operation by described user, described authentication server to after the identifier register of the equipment at the mark of described user and described client place, to the random string that described user generates.For OTP, the mark of described equipment and the specific descriptions of seed, with reference to the auth method embodiment shown in figure 2, repeat no more here.

304: when described APP server receives the result of authentication that described authentication server sends for being verified, described APP server performs described predetermined registration operation, and returns the execution result of described predetermined registration operation to described client.

When described authentication server is verified described authentication information, described APP server receives the authentication result of described authentication server transmission for being verified, described APP performs described predetermined registration operation, and returns the result of predetermined registration operation to described user.

When described authentication server is obstructed out-of-date to described authentication information checking, the authentication result that described APP server receives the transmission of described authentication server is not passed through for verifying, described APP server does not perform described predetermined registration operation, and informs described subscriber authentication failure.

See Fig. 4, show the flow chart of auth method one embodiment in the present invention.The present embodiment is applied to authentication server, and as shown in Figure 1, described authentication server is connected with multiple APP server, can process, such as, specifically can comprise the steps: the authentication request that multiple APP server sends

401: when client is not when first time being triggered predetermined registration operation by user, authentication server receives the authentication request that the APP server belonging to described client sends, described authentication request carries mark and the authentication information of user, and described authentication request is that the request of the described predetermined registration operation that described APP server sends according to client generates.

When client is not that when first time being triggered predetermined registration operation by user, described authentication server receives the authentication request that the APP server that is connected with described authentication server sends.The generating mode of described authentication request, with reference to the description of the auth method embodiment shown in figure 3, repeats no more here.

Optionally, described method also comprises:

When client is when first time being triggered predetermined registration operation by user, described authentication server receives the mark of described user of described client transmission and the mark of the equipment at described client place;

When described client is that when first time being triggered predetermined registration operation by user, described client sends the mark of the mark of described user and the equipment at described client place to authentication server.Described authentication server verifies that whether the mark of the mark of described user and the equipment at described client place is registered.

When the mark of the mark of described user and the equipment at described client place is registered, described authentication server directly generates the seed of a described user, the seed of described user is sent to described client and stores.

When the mark of the mark of described user and the equipment at described client place is unregistered, described client needs the short message verification code that described user inputs to be sent to described authentication server, described authentication server is verified described short message verification code, after being verified, the mark of the mark of described user and the equipment at described client place is registered, and generate the seed of a described user, the seed of described user is sent to described client and stores.If described short message verification code checking is not passed through, then the mark of the mark of described user and the equipment at described client place is not registered, also do not generate the seed of described user, return described short message verification code authentication failed to described client.

Wherein, the hardware information of described client to the equipment at described client place that be designated of described equipment adopts the second hash function to calculate the cryptographic Hash of gained.Described seed is described authentication server after registered to the mark of the mark of described user and the equipment at described client place, to a string random number that the described user of described client generates.The mark of described equipment and the specific descriptions of described seed, with reference to the auth method embodiment shown in figure 2, repeat no more here.

402: described authentication server obtains the obligate information corresponding to the mark of described user, verify whether described obligate information mates with described authentication information.

The obligate information corresponding to mark of registered described user on described authentication server is stored in described authentication server.

Optionally, described authentication information is OTP.Then the obligate information corresponding to mark of described user comprises the mark of the equipment needed for described OTP of generation, seed and timestamp.Wherein, the mark of described equipment is the mark of the equipment at the client place that described user logs in, described seed be described authentication server to the character string of described user's Random assignment, described timestamp is the timestamp that described user triggers described predetermined registration operation.

Optionally, described authentication information comprises the geographical location information at OTP and described user place.Then the obligate information corresponding to mark of described user comprises mark, seed, the timestamp of the equipment generated needed for described OTP, and the geographical location information at described user place.

Optionally, described authentication information comprises OTP, the time interval of predetermined registration operation described in the geographical location information at described user place and described client executing.Then the obligate information corresponding to mark of described user comprises mark, seed, the timestamp of the equipment needed for described OTP of generation, the geographical location information at described user place, and the time interval of predetermined registration operation described in described client executing.

Wherein, to described OTP, described in the geographical location information at described user place and described client executing, the specific descriptions of the time interval of predetermined registration operation, with reference to the auth method embodiment shown in figure 2, repeat no more here.

When described authentication information only comprises OTP, described authentication server is only verified OTP, when OTP is verified, passes through the authentication of described user.When OTP checking is obstructed out-of-date, the authentication of described user is not passed through.

When described authentication information comprises the geographical location information at OTP and described user place, described authentication server not only needs to verify OTP, also need the geographical location information verifying described user place, when the geographical location information at OTP and described user place is all verified, the authentication of described user is passed through, there is a checking obstructed out-of-date in the geographical location information at OTP and described user place, the authentication of user is not passed through.

When described authentication information comprises OTP, during the time interval of predetermined registration operation described in the geographical location information at described user place and described client executing, described authentication server not only needs to verify OTP, also need to verify the time interval of predetermined registration operation described in the geographical location information at described user place and described client executing, OTP, when described in the geographical location information at described user place and described client executing, the time interval of predetermined registration operation is all verified, the authentication of described user is passed through, OTP, there is a checking obstructed out-of-date in the time interval of predetermined registration operation described in the geographical location information at described user place and described client executing, the authentication of user is not passed through.

403: when described obligate information mates with described authentication information, described authentication server sends the result of authentication for being verified to described APP server, so that described APP server receives the result of described authentication, when the result of described authentication is for being verified, perform described predetermined registration operation, and return the execution result of described predetermined registration operation to the client belonging to described APP server.

When described authentication server verifies that described obligate information mates with described authentication information, the authentication of described user is passed through, then described authentication server returns the result of authentication for being verified to described APP server.When the result that described APP server receives described authentication is for being verified, performs described predetermined registration operation, and returning the execution result of described predetermined registration operation to the client belonging to described APP server.

When described authentication server verifies that described obligate information does not mate with described authentication information, the authentication of described user is not passed through, then the result that described authentication server returns refreshing authentication to described APP server is not passed through for verifying.Described APP server does not perform described default operation, returns described authentication failure to the client belonging to described APP server.

As shown in the above, the present invention has following beneficial effect:

Authentication server can in response to the authentication request of APP server, automatically authentication is carried out to user, and obtain and manual input validation code without the need to user, thus simplify user operation significantly, reduce the triviality of authentication, for user brings better experience.

See Fig. 5, show the scene sequential chart of auth method one embodiment of the present invention, in the scene shown in Fig. 5, client is not first time triggered predetermined registration operation by user, comprises step:

501: client receives the predetermined registration operation that user triggers, and described predetermined registration operation carries the mark of described user, described predetermined registration operation is the operation needing to carry out described user authentication.

502: described client stores the seed of described user, described client is not first time triggered predetermined registration operation by described user, described client obtains OTP according to described seed, generate the request of described predetermined registration operation, the request of described predetermined registration operation comprises described predetermined registration operation, the mark of described user and described OTP.

503: the request of described predetermined registration operation is sent to the APP server belonging to described client by described client.

504: described APP server generates authentication request according to the request of described predetermined registration operation, and described authentication request carries the mark of described user and described OTP.

505: described authentication request is sent to authentication server by described APP server.

506: described authentication server obtains the obligate information corresponding to the mark of described user, verify whether described obligate information mates with described OTP.

507: when described obligate information mates with described OTP, described authentication server sends the result of authentication for being verified to described APP server.

508: described APP server performs described predetermined registration operation, and returns the execution result of described predetermined registration operation to described client.

In scene shown in Fig. 5, step 501 is to the specific implementation of step 508, similar with the description in the auth method shown in Fig. 2 to Fig. 4, referring to figs. 2 to the description in the auth method shown in Fig. 4, repeats no more here.

See Fig. 6, show the scene sequential chart of auth method one embodiment in the present invention, in the scene shown in Fig. 6, client is triggered predetermined registration operation by user at first time, being identified on authentication server of the mark of the equipment at described client place and user is registered, comprises step:

601: client receives the predetermined registration operation that user triggers, and described predetermined registration operation carries the mark of described user, described predetermined registration operation is the operation needing to carry out described user authentication.

602: described client does not store the seed of described user, described client is triggered predetermined registration operation by described user at first time, and the mark of the equipment at the mark of described user and described client place is sent to described authentication server by described client.

603: described authentication server verify the mark of described user and described equipment to be identified at described authentication server registered, send seed to described client.

604: described client obtains OTP according to described seed, and generate the request of described predetermined registration operation, the request of described predetermined registration operation comprises described predetermined registration operation, the mark of described user and described OTP.

605: the request of described predetermined registration operation is sent to the APP server belonging to described client by described client.

606: described APP server generates authentication request according to the request of described predetermined registration operation, and described authentication request carries the mark of described user and described OTP.

607: described authentication request is sent to authentication server by described APP server.

608: described authentication server obtains the obligate information corresponding to the mark of described user, verify whether described obligate information mates with described OTP.

609: when described obligate information mates with described OTP, described authentication server sends the result of authentication for being verified to described APP server.

610: described APP server performs described predetermined registration operation, and returns the execution result of described predetermined registration operation to described client.

In scene shown in Fig. 6, step 601 is to the specific implementation of step 610, similar with the description in the auth method shown in Fig. 2 to Fig. 4, referring to figs. 2 to the description in the auth method shown in Fig. 4, repeats no more here.

See Fig. 7, show the scene sequential chart of auth method one embodiment in the present invention, in the scene shown in Fig. 7, client is triggered predetermined registration operation by user at first time, being identified on authentication server of the mark of the equipment at described client place and user is unregistered, comprises step:

701: client receives the predetermined registration operation that user triggers, and described predetermined registration operation carries the mark of described user, described predetermined registration operation is the operation needing to carry out described user authentication.

702: described client does not store the seed of described user, described client is triggered predetermined registration operation by described user at first time, and the mark of the equipment at the mark of described user and described client place is sent to described authentication server by described client.

703: described authentication server verify the mark of described user and described equipment to be identified at described authentication server unregistered, the mark returning the mark of described user and described equipment to described client is unregistered.

704: described client sends short message verification code, the mark of described user and the mark of described equipment of described user input to described authentication server.

705: after described authentication server is verified described short message verification code, described authentication server to the identifier register of the equipment at the mark of described user and described client place, and sends described seed to described client.

706: described client obtains OTP according to described seed, and generate the request of described predetermined registration operation, the request of described predetermined registration operation comprises described predetermined registration operation, the mark of described user and described OTP.

707: the request of described predetermined registration operation is sent to the APP server belonging to described client by described client.

708: described APP server generates authentication request according to the request of described predetermined registration operation, and described authentication request carries the mark of described user and described OTP.

709: described authentication request is sent to authentication server by described APP server.

710: described authentication server obtains the obligate information corresponding to the mark of described user, verify whether described obligate information mates with described OTP.

711: when described obligate information mates with described OTP, described authentication server sends the result of authentication for being verified to described APP server.

712: described APP server performs described predetermined registration operation, and returns the execution result of described predetermined registration operation to described client.

In scene shown in Fig. 7, step 701 is to the specific implementation of step 711, similar with the description in the auth method shown in Fig. 2 to Fig. 4, referring to figs. 2 to the description in the auth method shown in Fig. 4, repeats no more here.

example devices

After the method describing exemplary embodiment of the invention, next, with reference to figure 8 ~ Figure 11 to exemplary embodiment of the invention, be specifically described for the equipment of authentication and system.

See Fig. 8, show the structural representation of client one embodiment of authentication in the present invention, described client comprises:

First receiving element 801, for receiving the predetermined registration operation that user triggers, described predetermined registration operation carries the mark of described user, and described predetermined registration operation is the operation needing to carry out described user authentication;

Judging unit 802, for judging whether first time is triggered predetermined registration operation by described user to described client;

Acquiring unit 803, for when described client be not first time triggered predetermined registration operation by described user time, obtain authentication information;

Generation unit 804, for generating the request of described predetermined registration operation, the request of described predetermined registration operation comprises described predetermined registration operation, the mark of described user and described authentication information;

First transmitting element 805, for the request of described predetermined registration operation being sent to the application software APP server belonging to described client, so that described APP server generates authentication request according to the request of described predetermined registration operation, described authentication request carries the mark of described user and described authentication information, Receipt Validation server carries out the result of authentication to described user, when the result of described authentication is for being verified, perform described predetermined registration operation, return the execution result of described predetermined registration operation to described client.

Optionally, described judging unit 802, specifically for, judge whether the seed seed storing described user, when described client stores described seed, described client is not first time triggered predetermined registration operation by described user, and described seed is when described client first time being triggered predetermined registration operation by described user, described authentication server to after the identifier register of the equipment at the mark of described user and described client place, to the random string that described user generates.

Optionally, described client also comprises:

Optionally, described acquiring unit 803 comprises:

Or,

The client of the authentication shown in Fig. 8 is and the client corresponding to the auth method shown in Fig. 2 that specific implementation, with reference to the description of the auth method shown in figure 2, repeats no more here.

See Fig. 9, show the structural representation of APP server one embodiment of authentication in the present invention, described APP server side is connected with at least one client belonging to described APP server respectively, and the other end is connected with authentication server, and described APP server comprises:

Receiving element 901, for receiving the request of the predetermined registration operation of the client transmission belonging to described APP server, the request of described predetermined registration operation is the predetermined registration operation that client receives user's triggering, when described client is not when first time being triggered predetermined registration operation by user, described client obtains authentication information, according to described predetermined registration operation, the mark of described user and described authentication information generate, the request of described predetermined registration operation comprises described predetermined registration operation, the mark of user and authentication information, described predetermined registration operation is the operation needing to carry out described user authentication,

Generation unit 902, for generating authentication request, described authentication request carries the mark of described user and described authentication information;

Transmitting element 903, for described authentication request is sent to described authentication server, so that described authentication server obtains the obligate information corresponding to the mark of described user, verify whether described obligate information mates with described authentication information, when described obligate information and described authentication information coupling, send the result of authentication for being verified to described APP server;

Performance element 904, during for receiving the result of authentication that described authentication server sends when described APP server for being verified, performing described predetermined registration operation, and returning the execution result of described predetermined registration operation to described client.

Optionally, described authentication information comprises dynamic password OTP;

Or,

The APP server of the authentication shown in Fig. 9 is and the APP server corresponding to the auth method shown in Fig. 3 that specific implementation, with reference to the description of the auth method shown in figure 3, repeats no more here.

See Figure 10, show the structural representation of authentication server one embodiment of authentication in the present invention, described authentication server is connected with at least one application software APP server, and described authentication server comprises:

First receiving element 1001, for when client be not first time triggered predetermined registration operation by user time, receive the authentication request that the APP server belonging to described client sends, described authentication request carries mark and the authentication information of user, and described authentication request is that the request of the described predetermined registration operation that described APP server sends according to client generates;

First authentication unit 1002, for obtain described user mark corresponding to obligate information, verify whether described obligate information mates with described authentication information;

First transmitting element 1003, for when described obligate information mates with described authentication information, the result of authentication is sent for being verified to described APP server, so that described APP server receives the result of described authentication, when the result of described authentication is for being verified, perform described predetermined registration operation, and return the execution result of described predetermined registration operation to the client belonging to described APP server.

Optionally, described authentication server also comprises:

Optionally, described authentication information is dynamic password OTP;

Or,

The APP server of the authentication shown in Figure 10 is and the APP server corresponding to the auth method shown in Fig. 3 that specific implementation, with reference to the description of the auth method shown in figure 3, repeats no more here.

See Figure 11, show the structural representation of system one embodiment of authentication in the present invention, described system comprises:

Client X1 described at least one Fig. 8 ~ Xp, p is positive integer, and the APP server Y1 ~ Yq described at least one Fig. 9, q are the authentication server 1101 described in positive integer and a Figure 10;

Each client is connected with the APP server belonging to this client, and each described APP server is connected with at least one client, and all APP servers are connected with described authentication server.

Although it should be noted that the some devices or sub-device that are referred to equipment in above-detailed, this division is only not enforceable.In fact, according to the embodiment of the present invention, the Characteristic and function of two or more devices above-described can be specialized in one apparatus.Otherwise, the Characteristic and function of an above-described device can Further Division for be specialized by multiple device.

In addition, although describe the operation of the inventive method in the accompanying drawings with particular order, this is not that requirement or hint must perform these operations according to this particular order, or must perform the result that all shown operation could realize expectation.Additionally or alternatively, some step can be omitted, multiple step be merged into a step and perform, and/or a step is decomposed into multiple step and perform.

Although describe spirit of the present invention and principle with reference to some embodiments, but should be appreciated that, the present invention is not limited to disclosed embodiment, can not combine to be benefited to the feature that the division of each side does not mean that in these aspects yet, this division is only the convenience in order to state.The present invention is intended to contain the interior included various amendment of spirit and scope and the equivalent arrangements of claims.

Accompanying drawing explanation

By reference to accompanying drawing reading detailed description hereafter, above-mentioned and other objects of exemplary embodiment of the invention, feature and advantage will become easy to understand.In the accompanying drawings, show some execution modes of the present invention by way of example, and not by way of limitation, wherein:

Fig. 1 is the block schematic illustration of an exemplary application scene of embodiments of the present invention;

Fig. 2 schematically shows the flow chart of auth method one embodiment of the present invention;

Fig. 3 schematically shows the flow chart of the another embodiment of auth method of the present invention;

Fig. 4 schematically shows the flow chart of an auth method of the present invention embodiment again;

Fig. 5 schematically shows the scene sequential chart of auth method one embodiment of the present invention;

Fig. 6 schematically shows the scene sequential chart of the another embodiment of auth method of the present invention;

Fig. 7 schematically shows the scene sequential chart of an auth method of the present invention embodiment again;

Fig. 8 schematically shows the structural representation of client one embodiment of authentication of the present invention;

Fig. 9 schematically shows the structural representation of APP server one embodiment of authentication of the present invention;

Figure 10 schematically shows the structural representation of authentication server one embodiment of authentication of the present invention;

Figure 11 schematically shows the structural representation of system one embodiment of authentication of the present invention.

In the accompanying drawings, identical or corresponding label represents identical or corresponding part.

Embodiment

Below with reference to some illustrative embodiments, principle of the present invention and spirit are described.Should be appreciated that providing these execution modes is only used to enable those skilled in the art understand better and then realize the present invention, and not limit the scope of the invention by any way.On the contrary, provide these execution modes to be to make the disclosure more thorough and complete, and the scope of the present disclosure intactly can be conveyed to those skilled in the art.

One skilled in the art will appreciate that embodiments of the present invention can be implemented as a kind of system, device, equipment, method or computer program.Therefore, the disclosure can be implemented as following form, that is: hardware, completely software (comprising firmware, resident software, microcode etc.) completely, or the form that hardware and software combines.

According to the embodiment of the present invention, a kind of method, equipment and system of authentication is proposed.

In this article, it will be appreciated that, what involved term " seed " represented the mark of user that triggers predetermined registration operation and the equipment at client place to be identified on authentication server after registration, described authentication server gives the described user logging in described client the random string generated, namely a seed corresponds to a user, the seed of the same user of different clients is identical, and the seed of the different user of same client is different.In addition, any number of elements in accompanying drawing is all unrestricted for example, and any name is all only for distinguishing, and does not have any limitation.

Below with reference to some representative embodiments of the present invention, explaination principle of the present invention and spirit in detail.

Claims

1. an auth method, is characterized in that, described method comprises:

Client receives the predetermined registration operation that user triggers, and described predetermined registration operation carries the mark of described user, and described predetermined registration operation is the operation needing to carry out described user authentication;

Described client judges whether first time is triggered predetermined registration operation by described user to described client;

When described client is not that when first time being triggered predetermined registration operation by described user, described client obtains authentication information;

Described client generates the request of described predetermined registration operation, and the request of described predetermined registration operation comprises described predetermined registration operation, the mark of described user and described authentication information;

The request of described predetermined registration operation is sent to the application software APP server belonging to described client by described client, so that described APP server generates authentication request according to the request of described predetermined registration operation, described authentication request carries the mark of described user and described authentication information, Receipt Validation server carries out the result of authentication to described user, when the result of described authentication is for being verified, perform described predetermined registration operation, return the execution result of described predetermined registration operation to described client.

2. method according to claim 1, is characterized in that, described client judges whether described client is triggered predetermined registration operation by described user for the first time and comprise:

Described client judges whether the seed seed storing described user, when described client stores described seed, described client is not first time triggered predetermined registration operation by described user, described seed is when described client first time being triggered predetermined registration operation by described user, described authentication server to after the identifier register of the equipment at the mark of described user and described client place, to the random string that described user generates.

3. method according to claim 2, is characterized in that, described method also comprises:

When the mark of the mark of described user and the equipment at described client place is not in described authentication server registration, described client is by the mark of described user, the short message verification code of the mark of the equipment at described client place and described user input is sent to described authentication server, so that after described authentication server is verified described short message verification code, to the identifier register of the mark of described user and the equipment at described client place, and send described seed to described client;

4. the method according to claim 1-3 any one, is characterized in that, described client obtains authentication information and comprises:

Described client is to the mark of described equipment, and described seed and described timestamp adopt the first hash function to calculate and obtain dynamic password OTP, using described OTP as described authentication information.

5. the method according to claim 1-3 any one, is characterized in that, described client obtains authentication information and comprises:

Described client obtains the geographical location information at described OTP and described user place as described authentication information;

Or,

6. an auth method, is characterized in that, described method comprises:

Application software APP server receives the request of the predetermined registration operation of the client transmission belonging to described APP server, the request of described predetermined registration operation is the predetermined registration operation that client receives user's triggering, when described client is not when first time being triggered predetermined registration operation by described user, described client obtains authentication information, according to described predetermined registration operation, the mark of described user and described authentication information generate, the request of described predetermined registration operation comprises described predetermined registration operation, the mark of user and authentication information, described predetermined registration operation is the operation needing to carry out described user authentication,

Described APP server generates authentication request, and described authentication request carries the mark of described user and described authentication information;

Described authentication request is sent to authentication server by described APP server, so that described authentication server obtains the obligate information corresponding to the mark of described user, verify whether described obligate information mates with described authentication information, when described obligate information and described authentication information coupling, send the result of authentication for being verified to described APP server;

When described APP server receives the result of authentication that described authentication server sends for being verified, described APP server performs described predetermined registration operation, and returns the execution result of described predetermined registration operation to described client.

7. an auth method, is characterized in that, described authentication server is connected with multiple application software APP server, and described method comprises:

When client is not when first time being triggered predetermined registration operation by user, authentication server receives the authentication request that the APP server belonging to described client sends, described authentication request carries mark and the authentication information of user, and described authentication request is that the request of the described predetermined registration operation that described APP server sends according to client generates;

Described authentication server obtains the obligate information corresponding to the mark of described user, verifies whether described obligate information mates with described authentication information;

When described obligate information mates with described authentication information, described authentication server sends the result of authentication for being verified to described APP server, so that described APP server receives the result of described authentication, when the result of described authentication is for being verified, perform described predetermined registration operation, and return the execution result of described predetermined registration operation to the client belonging to described APP server.

8. a client for authentication, is characterized in that, described client comprises:

First receiving element, for receiving the predetermined registration operation that user triggers, described predetermined registration operation carries the mark of described user, and described predetermined registration operation is the operation needing to carry out described user authentication;

Judging unit, for judging whether first time is triggered predetermined registration operation by described user to described client;

Acquiring unit, for when described client be not first time triggered predetermined registration operation by described user time, obtain authentication information;

Generation unit, for generating the request of described predetermined registration operation, the request of described predetermined registration operation comprises described predetermined registration operation, the mark of described user and described authentication information;

First transmitting element, for the request of described predetermined registration operation being sent to the application software APP server belonging to described client, so that described APP server generates authentication request according to the request of described predetermined registration operation, described authentication request carries the mark of described user and described authentication information, Receipt Validation server carries out the result of authentication to described user, when the result of described authentication is for being verified, perform described predetermined registration operation, return the execution result of described predetermined registration operation to described client.

9. an application software APP server for authentication, is characterized in that, described APP server side is connected with at least one client belonging to described APP server respectively, and the other end is connected with authentication server, and described APP server comprises:

Receiving element, for receiving the request of the predetermined registration operation of the client transmission belonging to described APP server, the request of described predetermined registration operation is the predetermined registration operation that client receives user's triggering, when described client is not when first time being triggered predetermined registration operation by user, described client obtains authentication information, according to described predetermined registration operation, the mark of described user and described authentication information generate, the request of described predetermined registration operation comprises described predetermined registration operation, the mark of user and authentication information, described predetermined registration operation is the operation needing to carry out described user authentication,

Generation unit, for generating authentication request, described authentication request carries the mark of described user and described authentication information;

Transmitting element, for described authentication request is sent to described authentication server, so that described authentication server obtains the obligate information corresponding to the mark of described user, verify whether described obligate information mates with described authentication information, when described obligate information and described authentication information coupling, send the result of authentication for being verified to described APP server;

Performance element, during for receiving the result of authentication that described authentication server sends when described APP server for being verified, performing described predetermined registration operation, and returning the execution result of described predetermined registration operation to described client.

10. an authentication server for authentication, is characterized in that, described authentication server is connected with at least one application software APP server, and described authentication server comprises:

First receiving element, for when client be not first time triggered predetermined registration operation by user time, receive the authentication request that the APP server belonging to described client sends, described authentication request carries mark and the authentication information of user, and described authentication request is that the request of the described predetermined registration operation that described APP server sends according to client generates;

First authentication unit, for obtain described user mark corresponding to obligate information, verify whether described obligate information mates with described authentication information;

First transmitting element, for when described obligate information mates with described authentication information, the result of authentication is sent for being verified to described APP server, so that described APP server receives the result of described authentication, when the result of described authentication is for being verified, perform described predetermined registration operation, and return the execution result of described predetermined registration operation to the client belonging to described APP server.