CN117353951A - Authentication method, system, equipment and storage medium based on local number login - Google Patents


Publication number
CN117353951A
Authority
CN
China
Prior art keywords
authentication
operator
login
request
platform
Legal status
Pending
Application number
CN202210744432.8A
Other languages
Chinese (zh)
Inventor
朱华虹
李文云
毛东峰
Current Assignee
China Telecom Corp Ltd
Original Assignee
China Telecom Corp Ltd
Application filed by China Telecom Corp Ltd
Priority to CN202210744432.8A
Priority to PCT/CN2022/141579 (WO2024001109A1)
Publication of CN117353951A

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0807 Network architectures or network communication protocols for network security for authentication of entities using tickets, e.g. Kerberos
    • H04L63/0861 Network architectures or network communication protocols for network security for authentication of entities using biometrical features, e.g. fingerprint, retina-scan
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/40 Network security protocols
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31 User authentication
    • G06F21/32 User authentication using biometric data, e.g. fingerprints, iris scans or voiceprints

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Computing Systems (AREA)
  • Theoretical Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Physics & Mathematics (AREA)
  • Software Systems (AREA)
  • Health & Medical Sciences (AREA)
  • Biomedical Technology (AREA)
  • General Health & Medical Sciences (AREA)
  • Telephonic Communication Services (AREA)
  • Collating Specific Patterns (AREA)

Abstract

The invention provides an authentication method, system, equipment and storage medium based on local number login. The method comprises the following steps: the operator server adds operator information to an authentication request sent by the application client, and the operator authentication platform generates login credentials based on the authentication request and feeds them back to the application client; the application client generates a one-key login request, and the server authentication platform decodes the one-key login request and requests the corresponding operator information from the operator authentication platform; the operator authentication platform performs a first authentication and feeds back the operator information to the server authentication platform; if the first authentication is successful, login authorization processing is carried out; if the first authentication is abnormal, a biometric identification request is sent and a second authentication is performed against the biometric pre-stored in the operator authentication platform. The invention can establish a baseline model based on the operator's highly trusted user network information, intelligently detect abnormal authentications and layer a biometric secondary authentication on them, and is secure, convenient and fast.

Description

Authentication method, system, equipment and storage medium based on local number login
Technical Field
The invention relates to the field of login authentication, in particular to an authentication method, system, equipment and storage medium based on local number login.
Background
At present, mobile phone apps provide a 'local number one-key login' authentication function, which logs in a mobile phone account automatically through a closed-loop flow between the terminal, the mobile operator network and the application provider, thereby simplifying the login process, protecting the user account and avoiding the security hazards of traditional identity authentication techniques. However, this method can only authenticate the real mobile phone number, not the user, so the security risk of someone logging in to the application this way remains after the phone is lost or stolen. The security of mobile app login with this identity authentication mode therefore needs to be further strengthened while keeping it as convenient and fast as possible. The prior art has difficulty providing both security and speed, and the user experience is poor.
In view of the above, the present invention provides an authentication method, system, device and storage medium based on local number login.
It should be noted that the information disclosed in the foregoing background section is only for enhancement of understanding of the background of the invention and thus may include information that does not form the prior art that is already known to those of ordinary skill in the art.
Disclosure of Invention
In view of the problems in the prior art, the invention aims to provide an authentication method, system, equipment and storage medium based on local number login that overcome the difficulties of the prior art: a baseline model can be established based on the operator's highly trusted user network information, abnormal authentications are intelligently detected, and a biometric secondary authentication is layered on abnormal authentications, which is secure, convenient and fast and improves the user experience.
The embodiment of the invention provides an authentication method based on local number login, which comprises the following steps:
the operator server adds the operator information into the authentication request sent by the application client and sends the authentication request to the operator authentication platform;
the operator authentication platform generates login credentials based on the authentication request and feeds the login credentials back to the application client;
the application client generates a one-key login request based on the login credentials and the local number, and sends the one-key login request to the server authentication platform;
the server authentication platform decodes the one-key login request and requests corresponding operator information from the operator authentication platform;
the operator authentication platform performs first authentication based on the one-key login request, and feeds back the operator information to the server authentication platform according to the first authentication; and
If the first authentication is successful, the server authentication platform performs login authorization processing according to the received operator information; if the first authentication is abnormal, the server authentication platform sends a biometric identification request to the application client, and performs a second authentication through a pre-stored biometric corresponding to the mobile phone number in the operator authentication platform.
Preferably, the operator server adds operator information to an authentication request sent by an application client and sends the authentication request to an operator authentication platform, and the method comprises the following steps:
the method comprises the steps that an operator server receives an authentication request sent by an application client, wherein the authentication request comprises a local number of the application client; and
adding the operator information into the authentication request and then sending the authentication request to an operator authentication platform, wherein the operator information comprises at least one of a general public user identifier, a permanent equipment identifier, a tracking area code, a wireless network positioning identifier and a 5G global unique temporary identifier;
the operator authentication platform establishes a baseline model of user history data based on operator information in each of the authentication requests.
Preferably, the operator authentication platform establishes a baseline model of user history data based on operator information in each authentication request, including:
the operator authentication platform establishes a baseline model of user history data based on the general public user identifier in each of the authentication requests.
Preferably, the operator server adds operator information to an authentication request sent by an application client and sends the authentication request to an operator authentication platform, and the method further includes:
the operator server pre-stores the mobile phone number and the biological characteristics of the user corresponding to the mobile phone number, wherein the biological characteristics comprise at least one of fingerprint information, voiceprint information, iris information and face information.
Preferably, the operator authentication platform generates login credentials based on the authentication request and feeds the login credentials back to the application client, including:
the operator authentication platform generates login credentials corresponding to the application client based on the authentication request;
establishing a temporary mapping relation between the mobile phone number of the application client and the login credential; and
and feeding back the login credentials to the application client.
Preferably, the server authentication platform decodes the one-key login request, and requests corresponding operator information from the operator authentication platform, including:
the server authentication platform decodes the one-key login request to obtain login credentials and a local number; and
And requesting corresponding operator information from the operator authentication platform based on the login credentials.
Preferably, the operator authentication platform performs first authentication based on the one-key login request, and feeds back the operator information to the server authentication platform according to the first authentication, including:
the operator authentication platform authenticates the local number;
after the authentication of the local number is successful, the operator authentication platform matches the baseline model of the corresponding user history data based on the operator information in the one-key login request;
the operator authentication platform judges whether the operator information in the one-key login request matches the baseline model of the user history data;
if yes, feeding back the corresponding operator information to the server authentication platform;
and if not, requesting the server authentication platform to feed back the biological characteristics.
Preferably, the operator authentication platform judging whether the operator information in the one-key login request matches the baseline model of the user history data further includes at least one or a combination of the following authentication modes:
performing similarity matching between the GPS location corresponding to the login IP in the historical login data and the GPS location corresponding to the login IP of the current login request; if the similarity meets a preset threshold, the authentication is successful, and if the similarity does not meet the preset threshold, the authentication is abnormal;
performing similarity matching between the time corresponding to the login IP in the historical login data and the time corresponding to the login IP of the current login request; if the similarity meets a preset threshold, the authentication is successful, and if the similarity does not meet the preset threshold, the authentication is abnormal;
determining whether the application client is in a loss-reported state; if it is not in the loss-reported state, the authentication is successful, and if it is in the loss-reported state, the authentication is abnormal.
Preferably, if the first authentication is successful, the server authentication platform performs login authorization processing according to the received operator information; if the first authentication is abnormal, the server authentication platform sends a biometric identification request to the application client, and performs a second authentication through a pre-stored biometric corresponding to the mobile phone number in the operator authentication platform, including:
if the first authentication is successful, the server authentication platform authenticates based on the fed back operator information and the login credentials;
if the first authentication is abnormal, the server authentication platform sends a biometric identification request to the application client for second authentication;
the application client feeds back the biological characteristics to the server authentication platform according to the biological characteristic identification request;
The server authentication platform uploads the biometric feature to the operator authentication platform;
the operator authentication platform performs a second authentication based on the biological characteristics and pre-stored biological characteristics corresponding to the mobile phone number;
and if the second authentication is successful, the server authentication platform performs login authentication based on the fed back operator information and the login credentials.
Preferably, if the first authentication is abnormal, the server authentication platform sends a biometric identification request to the application client for second authentication, including:
when the authentication of the server authentication platform is abnormal, matching with an equipment authentication mapping table pre-stored in the server authentication platform according to a permanent equipment identifier of the application client to obtain an authenticatable item corresponding to the application client, and sending a biometric identification request to the application client according to the authenticatable item, wherein the one-key login request comprises the permanent equipment identifier of the application client.
The embodiment of the invention also provides an authentication system based on the local number login, which is used for realizing the authentication method based on the local number login, and comprises the following steps:
The operator information supplementing module is used for adding the operator information into the authentication request sent by the application client and sending the authentication request to the operator authentication platform by the operator server;
the login credential feedback module is used for generating login credentials based on the authentication request by the operator authentication platform and feeding the login credentials back to the application client;
the one-key login request module is used for generating a one-key login request by the application client based on login credentials and a local number and sending the one-key login request to the server authentication platform;
the operator information request module is used for decoding the one-key login request by the server authentication platform and requesting corresponding operator information from the operator authentication platform;
the first authentication module is used for performing first authentication on the basis of the one-key login request by the operator authentication platform and feeding back the operator information to the server authentication platform according to the first authentication; and
the second authentication module is used for performing login authorization processing according to the received operator information by the server authentication platform if the first authentication is successful; if the first authentication is abnormal, the server authentication platform sends a biometric identification request to the application client, and performs a second authentication through a pre-stored biometric corresponding to the mobile phone number in the operator authentication platform.
The embodiment of the invention provides an authentication method based on local number login, which comprises the following steps:
receiving a one-key login request generated by the application client based on login credentials and a local number;
decoding the one-key login request and requesting corresponding operator information from the operator authentication platform;
receiving the operator information fed back by the operator authentication platform for the first authentication based on the one-key login request; and
if the first authentication is successful, performing login authorization processing according to the received operator information; if the first authentication is abnormal, a biometric identification request is sent to the application client, and the second authentication is performed through the prestored biometric corresponding to the mobile phone number in the operator authentication platform.
The embodiment of the invention also provides an authentication system based on the local number login, which is used for realizing the authentication method based on the local number login, and comprises the following steps:
the one-key login request module receives a one-key login request generated by the application client based on login credentials and a local number;
the operator information request module decodes the one-key login request and requests corresponding operator information from the operator authentication platform;
The first authentication module is used for receiving the operator information fed back by the operator authentication platform for first authentication based on the one-key login request; and
the second authentication module performs login authorization processing according to the received operator information if the first authentication is successful; if the first authentication is abnormal, a biometric identification request is sent to the application client, and the second authentication is performed through the prestored biometric corresponding to the mobile phone number in the operator authentication platform.
The embodiment of the invention also provides authentication equipment based on the local number login, which comprises the following steps:
a processor;
a memory having stored therein executable instructions of the processor;
wherein the processor is configured to perform the steps of the authentication method described above based on the local number login via execution of the executable instructions.
The embodiment of the invention also provides a computer readable storage medium for storing a program, which when executed, implements the steps of the authentication method based on the local number login.
The invention aims to provide an authentication method, an authentication system, authentication equipment and a storage medium based on local number login, which can establish a baseline model based on highly-trusted user network information of operators, intelligently detect abnormal authentication and perform secondary authentication of a mode of overlapping biological characteristics on the abnormal authentication, and are safe, convenient and quick, and user experience is improved.
Drawings
Other features, objects and advantages of the present invention will become more apparent upon reading of the detailed description of non-limiting embodiments, made with reference to the following drawings.
Fig. 1 is a flow chart of one embodiment of the present invention of a local number login based authentication method.
Fig. 2 is a schematic diagram of steps of an authentication method based on local number login according to the present invention.
Fig. 3 is a flowchart of step S110 in the authentication method based on local number login according to the present invention.
Fig. 4 is a flowchart of step S120 in the authentication method based on local number login according to the present invention.
Fig. 5 is a flowchart of step S140 in the authentication method based on local number login according to the present invention.
Fig. 6 is a flowchart of step S150 in the authentication method based on local number login according to the present invention.
Fig. 7 is a flowchart of step S160 in the authentication method based on local number login according to the present invention.
Fig. 8 is a schematic diagram of another implementation step of the authentication method based on local number login according to the present invention.
Fig. 9 is a schematic block diagram of an authentication system based on local number login according to the present invention.
Fig. 10 is a schematic block diagram of an operator information supplementing module in an authentication system based on local number login according to the present invention.
Fig. 11 is a schematic block diagram of a login credential feedback module in an authentication system based on local number login according to the present invention.
Fig. 12 is a schematic block diagram of an operator information request module in an authentication system based on local number login according to the present invention.
Fig. 13 is a schematic block diagram of a first authentication module in an authentication system based on local number login according to the present invention.
Fig. 14 is a schematic block diagram of a second authentication module in an authentication system based on local number login according to the present invention.
Fig. 15 is a flow chart of another embodiment of the authentication method based on local number login of the present invention.
Fig. 16 is a schematic block diagram of another authentication system based on local number login according to the present invention.
Fig. 17 is a schematic diagram of an authentication device based on local number login according to the present invention.
Detailed Description
Other advantages and effects of the present application will be readily apparent to those skilled in the art from the present disclosure, by describing embodiments of the present application with specific examples. The present application may be embodied or applied in other specific forms and details, and various modifications and alterations may be made to the details of the present application from different points of view and application without departing from the spirit of the present application. It should be noted that, in the case of no conflict, the embodiments and features in the embodiments may be combined with each other.
The embodiments of the present application will be described in detail below with reference to the drawings so that those skilled in the art to which the present application pertains can easily implement the same. This application may be embodied in many different forms and is not limited to the embodiments described herein.
In the description of the present application, reference to the terms "one embodiment," "some embodiments," "examples," "particular examples," or "some examples," etc., means that a particular feature, structure, material, or characteristic described in connection with the embodiment or example is included in at least one embodiment or example of the present application. Furthermore, the particular features, structures, materials, or characteristics may be combined in any suitable manner in any one or more embodiments or examples. Furthermore, the various embodiments or examples, and features of the various embodiments or examples, presented herein may be combined and combined by those skilled in the art without conflict.
Furthermore, the terms "first," "second," and the like, are used for descriptive purposes only and are not to be construed as indicating or implying a relative importance or the number of technical features indicated. Thus, a feature defining "a first" or "a second" may explicitly or implicitly include at least one such feature. In the context of the present application, the meaning of "a plurality" is two or more, unless explicitly defined otherwise.
For the purpose of clarity of the description of the present application, components that are not related to the description are omitted, and the same or similar components are given the same reference numerals throughout the description.
Throughout the specification, when a device is said to be "connected" to another device, this includes not only the case of "direct connection" but also the case of "indirect connection" with other elements interposed therebetween. In addition, when a certain component is said to be "included" in a certain device, unless otherwise stated, other components are not excluded, but it means that other components may be included.
When a device is said to be "on" another device, this may be directly on the other device, but may also be accompanied by other devices therebetween. When a device is said to be "directly on" another device in contrast, there is no other device in between.
Although the terms first, second, etc. may be used herein to describe various elements in some instances, the elements should not be limited by these terms. These terms are only used to distinguish one element from another, for example a first interface and a second interface. Furthermore, as used herein, the singular forms "a", "an" and "the" are intended to include the plural forms as well, unless the context indicates otherwise. It will be further understood that the terms "comprises," "comprising," "includes," and/or "including" specify the presence of stated features, steps, operations, elements, components, items, categories, and/or groups, but do not preclude the presence, occurrence or addition of one or more other features, steps, operations, elements, components, items, categories, and/or groups. The terms "or" and "and/or" as used herein are to be construed as inclusive, or meaning any one or any combination. Thus, "A, B or C" or "A, B and/or C" means "any of the following: A; B; C; A and B; A and C; B and C; A, B and C". An exception to this definition will occur only when a combination of elements, functions, steps or operations is in some way inherently mutually exclusive.
The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the application. As used herein, the singular forms "a", "an" and "the" are intended to include the plural forms as well, unless the language clearly indicates the contrary. The meaning of "comprising" in the specification is to specify the presence of stated features, regions, integers, steps, operations, elements, and/or components, but does not preclude the presence or addition of other features, regions, integers, steps, operations, elements, and/or components.
Unless otherwise defined, all terms used herein, including technical and scientific terms, have the same meaning as commonly understood by one of ordinary skill in the art to which this application belongs. Terms defined in commonly used dictionaries are further interpreted as having meanings consistent with the related technical literature and the present disclosure, and, unless so defined, are not to be interpreted in an idealized or overly formal sense.
Fig. 1 is a flow chart of one embodiment of the present invention of a local number login based authentication method. As shown in fig. 1, the present invention relates to the field of network configuration, and is a method for authenticating a mobile terminal based on local number login, wherein the process of the present invention includes:
S110, the operator server adds operator information into an authentication request sent by the application client and sends the authentication request to an operator authentication platform;
S120, the operator authentication platform generates login credentials based on the authentication request and feeds the login credentials back to the application client;
S130, the application client generates a one-key login request based on the login credentials and the local number, and sends the one-key login request to the server authentication platform;
S140, the server authentication platform decodes the one-key login request and requests corresponding operator information from the operator authentication platform;
S150, the operator authentication platform performs first authentication based on the one-key login request, and feeds back operator information to the server authentication platform according to the first authentication; and
S160, if the first authentication is successful, the server authentication platform performs login authorization processing according to the received operator information; if the first authentication is abnormal, the server authentication platform sends a biometric identification request to the application client, and performs a second authentication through a pre-stored biometric corresponding to the mobile phone number in the operator authentication platform.
To address a problem in the prior art, the invention provides a method and a system for enhancing the security of "local number one-key login" identity authentication. That authentication mode can only authenticate the real mobile phone number that logs in to the application, not the user, so a lost or stolen mobile phone can still be used to log in to the application. The invention establishes a baseline model based on the operator's highly trusted user network information, intelligently detects abnormal authentication, and superimposes a secondary, biometric authentication on abnormal authentications. This further improves the security of "local number one-key login" identity authentication while retaining the convenience and speed of "local number one-key login" as the main authentication mode.
The method and system for enhancing the identity authentication security of "local number one-key login" mainly comprise the following: the mobile core network element (UPF/XGW) inserts, in addition to the GPSI, information such as the PEI, TAC, CELL ID and 5G-GUTI extracted from the network into any "local number one-key login" authentication request whose destination address is the operator identity authentication capability platform; the operator identity authentication capability platform establishes a baseline model of the historical data of this information based on the GPSI, matches the extracted information against the baseline model when processing a new authentication request, and, for a request detected as abnormal, instructs the third-party content provider identity authentication system to perform a secondary, biometric authentication after the local number has been authenticated successfully. Here, GPSI is the Generic Public Subscription Identifier, equivalent to the MSISDN in 4G. SUPI and GPSI do not necessarily correspond one to one: if a user accesses different data networks there are multiple GPSIs, and the network needs to establish the relationship between the external-network GPSI and the SUPI. The NEF can maintain the mapping between the External GPSI and the Inter GPSI, and the UDR stores the mapping between the Inter GPSI and the SUPI.
PEI: Permanent Equipment Identifier, equivalent to the IMEI in 4G.
5G-GUTI: the 5G Globally Unique Temporary Identifier is an identifier assigned to the UE by the Access and Mobility Management Function (AMF). Its purpose is to provide an unambiguous identification of the UE in the 5G system without revealing the permanent identity of the UE or user. It also allows identification of the AMF and the network, and can be used to establish the identity of the UE during signalling between the network and the UE in the 5GS. The AMF may send a new 5G-GUTI to the UE only after NAS security has been successfully activated, so when the UE is in CM-IDLE the AMF may delay providing the new 5G-GUTI to the UE until the next NAS transaction.
TAC (Tracking Area Code): allocated by the operator; its main role is to serve as a unique identifier for locating the mobile user.
Cell ID: the basic principle of positioning is that the wireless network reports the number of the cell in which the terminal is located (estimated from the serving base station), and the location service platform translates the cell number into longitude and latitude coordinates. The method is simple to implement, requires no additional equipment on the radio access network side and makes little change to the network structure; its drawback is low positioning precision, which can reach 300-500 m in urban areas and several kilometers in suburban areas.
The "local number one-key login" identity authentication mode can only authenticate the real mobile phone number that logs in to the application, not the user, so a lost or stolen mobile phone can still be used to log in to the application. To address this, the invention establishes a baseline model based on the operator's highly trusted user network information, intelligently detects abnormal authentication, and superimposes a secondary, biometric authentication on abnormal authentications, further improving the security of "local number one-key login" identity authentication while retaining its convenience and speed as the main authentication mode. A unified, security-enhanced open identity authentication capability can be provided to mobile APPs, so each mobile APP does not need to develop the function independently; this reduces the development burden on third-party content providers and facilitates large-scale deployment on the existing network.
As shown in fig. 1, the system of the present invention mainly includes: the mobile APP, the operator identity authentication capability platform, the third-party content provider identity authentication system interface, the operator mobile network, and so on.
Mobile APP: a built-in SDK provides rapid integration of the "local number one-key login" function.
Operator identity authentication capability platform: implements the "local number one-key login" and security-enhancement functions, stores the GPSI, PEI, TAC, CELL ID, 5G-GUTI and other information, allocates different tokens for different requests of different GPSIs, and establishes a baseline model from the historical information.
Third-party content provider identity authentication system interface: completes identity authentication based on the mobile phone number, biometric information and the like.
Operator mobile network: associates the relevant core network interfaces and obtains the GPSI, PEI, TAC, CELL ID, 5G-GUTI and other information of the terminal that initiated the authentication request; the UPF/XGW adds this information to the authentication request message and forwards it to the operator identity authentication capability platform.
Fig. 2 is a schematic diagram of the steps of the authentication method based on local number login according to the present invention. As shown in fig. 2, the implementation steps are as follows:
S1, the application client 1 initiates a "local number one-key login" authentication request and sends the authentication request to the core network.
S2, the operator server 2 of the core network detects that the destination address is the operator authentication platform 3, inserts the GPSI, PEI, TAC, CELL ID, 5G-GUTI and other information into the authentication request, and then forwards it to the capability platform.
S3, the operator authentication platform 3 allocates login credentials for the requesting GPSI, establishes a temporary mapping relation between the login credentials and the mobile phone number, and returns the login credentials to the application client 1.
S4, the application client 1 sends an authentication request carrying the login credentials to the server authentication platform 4 (the third-party content provider identity authentication system).
S5, the server authentication platform 4 requests the GPSI from the operator authentication platform 3, carrying the login credentials.
S6, the operator authentication platform 3 returns the GPSI; when the GPSI is abnormal, it also issues an early warning that secondary authentication is required, and the biometric is requested from the application client 1 as needed.
S7, the server authentication platform 4 authenticates the application client 1 as needed and then returns the authentication result.
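The S1 to S7 exchange above, as an added Python example that is not part of the patent text: the core network inserts the subscriber fields, the operator platform issues a login credential mapped to the GPSI, and the server platform redeems it. The field names, the `auth.operator.example` address, the 120-second lifetime and the single-use redemption of the temporary mapping are assumptions; the patent only states that the mapping is temporary.

```python
import secrets
import time
from typing import Callable, Dict, Optional, Tuple

# Assumptions for this sketch: names, address and lifetime are not from the patent.
OPERATOR_PLATFORM = "auth.operator.example"
NETWORK_FIELDS = ("gpsi", "pei", "tac", "cell_id", "guti_5g")
CREDENTIAL_TTL = 120.0  # seconds the temporary credential-to-GPSI mapping lives


def core_network_forward(request: dict, session: dict) -> dict:
    """S2: UPF/XGW inserts subscriber data into requests bound for the platform.

    Any copy of these fields supplied by the client is dropped first, so the
    platform only ever sees values taken from the network session.
    """
    out = {k: v for k, v in request.items() if k not in NETWORK_FIELDS}
    if request.get("dest") == OPERATOR_PLATFORM:
        out.update({k: session[k] for k in NETWORK_FIELDS})
    return out


class OperatorAuthPlatform:
    def __init__(self, clock: Callable[[], float] = time.monotonic) -> None:
        self._clock = clock
        self._mapping: Dict[str, Tuple[str, float]] = {}

    def issue_credential(self, enriched: dict) -> str:
        """S3: allocate a login credential and map it temporarily to the GPSI."""
        gpsi = enriched.get("gpsi")
        if not gpsi:
            raise ValueError("request did not arrive through the core network")
        token = secrets.token_urlsafe(32)
        self._mapping[token] = (gpsi, self._clock() + CREDENTIAL_TTL)
        return token

    def redeem(self, token: str) -> Optional[str]:
        """S5/S6: return the GPSI for a credential, once and before expiry."""
        entry = self._mapping.pop(token, None)
        if entry is None:
            return None
        gpsi, expires_at = entry
        return gpsi if self._clock() <= expires_at else None


class ServerAuthPlatform:
    """Third-party side: the subscriber identity comes only from the operator."""

    def __init__(self, operator: OperatorAuthPlatform) -> None:
        self._operator = operator

    def one_key_login(self, token: str) -> Optional[str]:
        """S4-S7: exchange the credential for the GPSI of the subscriber."""
        return self._operator.redeem(token)


def run_flow() -> dict:
    # Constructed sample session held by the core network for this terminal.
    session = {"gpsi": "msisdn-8613800000001", "pei": "pei-sample-0001",
               "tac": "TAC-0101", "cell_id": "cell-17", "guti_5g": "guti-0001"}
    operator = OperatorAuthPlatform()
    server = ServerAuthPlatform(operator)
    # S1: the client request carries a forged GPSI, which S2 must not let through.
    request = {"dest": OPERATOR_PLATFORM, "app_id": "demo-app",
               "gpsi": "msisdn-8613999999999"}
    enriched = core_network_forward(request, session)
    token = operator.issue_credential(enriched)
    return {"first": server.one_key_login(token),
            "replay": server.one_key_login(token),
            "inserted_gpsi": enriched["gpsi"]}


if __name__ == "__main__":
    print(run_flow())
```

A replayed or expired credential resolves to no subscriber, so the server platform has nothing to authorize.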
The present invention can be applied in the following cases:
(1) Enhancing the "local number one-key login" identity authentication function of mobile APPs: security is improved, and the security risks of a stolen mobile phone and of intercepted air-interface information are reduced.
(2) A unified open identity authentication capability based on the operator's highly trusted data can be provided to mobile APPs; each mobile APP does not need to develop the function independently, which reduces the development burden on third-party content providers and facilitates large-scale deployment on the existing network.
The invention provides a method and a system for enhancing the identity authentication security of "local number one-key login": based on the GPSI, PEI, TAC, CELL ID, 5G-GUTI and other highly reliable operator information, a baseline model of historical data is established, abnormal scenarios such as theft of the mobile phone are detected intelligently, and an early warning is provided to the third-party content provider identity authentication system. Secondary authentication can be triggered in an abnormal scenario, which improves security. In addition, a unified open identity authentication capability can be provided to mobile APPs, so each mobile APP does not need to develop the function independently; this reduces the development burden on third-party content providers and facilitates large-scale deployment on the existing network.
Fig. 3 is a flowchart of step S110 in the authentication method based on local number login according to the present invention. Fig. 4 is a flowchart of step S120 in the authentication method based on local number login according to the present invention. Fig. 5 is a flowchart of step S140 in the authentication method based on local number login according to the present invention. Fig. 6 is a flowchart of step S150 in the authentication method based on local number login according to the present invention. Fig. 7 is a flowchart of step S160 in the authentication method based on local number login according to the present invention. Fig. 8 is a schematic diagram of another implementation step of the authentication method based on local number login according to the present invention. As shown in figs. 3, 4, 5, 6, 7 and 8, on the basis of the embodiment of fig. 1, step S110 is replaced by S111, S112 and S113; step S120 is replaced by S121, S122 and S123; step S140 is replaced by S141 and S142; step S150 is replaced by S151, S152, S153, S154 and S155; and step S160 is replaced by S161, S162, S163, S164, S165 and S166. Each step is described below:
S111, the operator server receives an authentication request sent by the application client, wherein the authentication request comprises the local number of the application client. In a preferred embodiment, the operator server pre-stores the mobile phone number and the biometric features of the user corresponding to the mobile phone number, wherein the biometric features comprise at least one of fingerprint information, voiceprint information, iris information and face information.
S112, the operator information is added into the authentication request, which is then sent to the operator authentication platform, wherein the operator information comprises at least one of a generic public subscription identifier, a permanent equipment identifier, a tracking area code, a wireless network positioning identifier and a 5G globally unique temporary identifier.
S113, the operator authentication platform establishes a baseline model of the user history data based on the operator information in each authentication request. The operator authentication platform establishes the baseline model of user history data based on the generic public subscription identifier in each authentication request.
S121, the operator authentication platform generates login credentials corresponding to the application client based on the authentication request.
S122, establishing a temporary mapping relation between the mobile phone number of the application client and the login credentials.
S123, feeding back the login credentials to the application client.
S130, the application client generates a one-key login request based on the login credentials and the local number, and sends the one-key login request to the server authentication platform.
S141, the server authentication platform decodes the one-key login request to obtain login credentials and a local number.
S142, requesting corresponding operator information from an operator authentication platform based on the login credentials.
S151, the operator authentication platform performs authentication of the local number.
S152, after the authentication of the local number is successful, the operator authentication platform matches the baseline model of the corresponding user history data based on the operator information in the one-key login request.
S153, the operator authentication platform judges whether the operator information in the one-key login request satisfies the matched baseline model of user history data. This includes at least one, or a combination, of the following authentication means. Similarity matching between the GPS location corresponding to the login IP in the historical login data and the GPS location corresponding to the login IP of the current login request: if the similarity meets a preset threshold, authentication is successful; if it does not, the authentication is abnormal. Similarity matching between the time corresponding to the login IP in the historical login data and the time corresponding to the login IP of the current login request: if the similarity meets a preset threshold, authentication is successful; if it does not, the authentication is abnormal. Checking whether the application client is in the loss-reported state: if not, authentication is successful; if so, the authentication is abnormal.
S154, if the baseline model is satisfied, the corresponding operator information is fed back to the server authentication platform.
S155, if the baseline model is not satisfied, the server authentication platform is requested to feed back the biometric.
S161, if the first authentication is successful, the server authentication platform authenticates based on the fed back operator information and the login credentials.
S162, if the first authentication is abnormal, the server authentication platform sends a biometric identification request to the application client for second authentication. In a preferred embodiment, when the authentication is abnormal, the server authentication platform looks up the permanent equipment identifier of the application client in a device authentication mapping table pre-stored in the server authentication platform to obtain the authenticatable items corresponding to the application client, and sends the biometric identification request to the application client according to those authenticatable items, wherein the one-key login request comprises the permanent equipment identifier of the application client.
S163, the application client feeds back the biometric to the server authentication platform according to the biometric identification request.
S164, the server authentication platform uploads the biometric to the operator authentication platform.
S165, the operator authentication platform performs second authentication based on the pre-stored biometric corresponding to the mobile phone number.
S166, if the second authentication is successful, the server authentication platform performs login authentication based on the fed back operator information and the login credentials.
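One way to implement the first authentication of S151 to S155 and the fallback of S160, as an added Python example rather than the patent's own code. It assumes the tracking area code stands in for location, the hour of day for login time, and illustrative thresholds and minimum history; the second authentication is a hypothetical callback standing in for the operator platform's biometric comparison.

```python
from collections import Counter
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set, Tuple

# Assumed values: the patent only speaks of "a preset threshold".
LOCATION_THRESHOLD = 0.2  # share of past logins from the same tracking area
TIME_THRESHOLD = 0.2      # share of past logins within +/- 2 hours of this one
MIN_HISTORY = 5           # fewer past logins than this means no usable baseline


@dataclass(frozen=True)
class OperatorInfo:
    """Fields the core network inserted into the request."""
    gpsi: str
    pei: str
    tac: str
    cell_id: str
    hour: int  # hour of day of the request, 0-23


@dataclass
class Baseline:
    """Per-GPSI history of where and when the subscriber authenticated."""
    tacs: Counter = field(default_factory=Counter)
    hours: Counter = field(default_factory=Counter)
    total: int = 0

    def learn(self, info: OperatorInfo) -> None:
        self.tacs[info.tac] += 1
        self.hours[info.hour] += 1
        self.total += 1

    def location_similarity(self, info: OperatorInfo) -> float:
        return self.tacs[info.tac] / self.total

    def time_similarity(self, info: OperatorInfo) -> float:
        # Circular distance, so 23:00 and 01:00 count as two hours apart.
        near = sum(n for h, n in self.hours.items()
                   if min((h - info.hour) % 24, (info.hour - h) % 24) <= 2)
        return near / self.total


def first_authentication(info: OperatorInfo, baselines: Dict[str, Baseline],
                         reported_lost: Set[str]) -> Tuple[bool, List[str]]:
    """S152-S153: return (success, reasons the request is abnormal)."""
    reasons: List[str] = []
    if info.gpsi in reported_lost:
        reasons.append("reported_lost")
    base = baselines.get(info.gpsi)
    if base is None or base.total < MIN_HISTORY:
        reasons.append("no_baseline")  # cold start: fall back to the second factor
    else:
        if base.location_similarity(info) < LOCATION_THRESHOLD:
            reasons.append("location")
        if base.time_similarity(info) < TIME_THRESHOLD:
            reasons.append("time")
    return (not reasons, reasons)


def login(info: OperatorInfo, baselines: Dict[str, Baseline],
          reported_lost: Set[str],
          second_authentication: Callable[[str], bool]) -> str:
    """S160: authorize directly, or only after the biometric second authentication."""
    ok, reasons = first_authentication(info, baselines, reported_lost)
    if not ok and not second_authentication(info.gpsi):
        return "denied:" + ",".join(reasons)
    # Learn only from authorized logins so rejected attempts cannot shift the baseline.
    baselines.setdefault(info.gpsi, Baseline()).learn(info)
    return "authorized" if ok else "authorized_after_second_authentication"


SAMPLE_GPSI = "msisdn-8613800000001"  # constructed sample subscriber


def build_sample() -> Dict[str, Baseline]:
    """Constructed history: 20 logins in one tracking area between 08:00 and 10:00."""
    baselines: Dict[str, Baseline] = {SAMPLE_GPSI: Baseline()}
    for i in range(20):
        baselines[SAMPLE_GPSI].learn(
            OperatorInfo(SAMPLE_GPSI, "pei-A", "TAC-0101", f"cell-{i % 3}", 8 + i % 3))
    return baselines


if __name__ == "__main__":
    b = build_sample()
    odd = OperatorInfo(SAMPLE_GPSI, "pei-A", "TAC-0999", "cell-77", 3)
    print(login(odd, b, set(), lambda gpsi: False))
```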
This patent has the following advantages:
(1) At present, mobile phone APPs provide a "local number one-key login" authentication function, and this authentication mode is convenient and fast. However, it can only authenticate the real mobile phone number, not the user, so the security risk remains that a lost or stolen mobile phone can still be used to log in to the application in this way. The method establishes a baseline model based on the operator's highly trusted user network information, intelligently detects abnormal authentication, and superimposes a secondary, biometric authentication on abnormal authentications, further improving the security of "local number one-key login" identity authentication while retaining its convenience and speed as the main authentication mode.
(2) A unified open identity authentication capability can be provided to mobile APPs, so each mobile APP does not need to develop the function independently; this reduces the development burden on third-party content providers and facilitates large-scale deployment on the existing network.
Fig. 9 is a schematic diagram of another implementation step of the authentication method based on local number login according to the present invention. As shown in fig. 9, the authentication system based on local number login of the present invention includes, but is not limited to:
The operator information supplementing module 510: the operator server adds operator information into the authentication request sent by the application client and sends the authentication request to the operator authentication platform.
The login credential feedback module 520: the operator authentication platform generates login credentials based on the authentication request and feeds the login credentials back to the application client.
The one-key login request module 530: the application client generates a one-key login request based on the login credentials and the local number, and sends the one-key login request to the server authentication platform.
The operator information request module 540: the server authentication platform decodes the one-key login request and requests the corresponding operator information from the operator authentication platform.
The first authentication module 550: the operator authentication platform performs first authentication based on the one-key login request, and feeds back operator information to the server authentication platform according to the first authentication.
The second authentication module 560: if the first authentication is successful, the server authentication platform performs login authorization processing according to the received operator information; if the first authentication is abnormal, the server authentication platform sends a biometric identification request to the application client, and performs a second authentication through a pre-stored biometric corresponding to the mobile phone number in the operator authentication platform.
For the implementation principle of the above modules, refer to the related description in the authentication method based on local number login, which is not repeated here.
The authentication system based on local number login can establish a baseline model based on the operator's highly trusted user network information, intelligently detect abnormal authentication and superimpose a secondary, biometric authentication on abnormal authentications; it is secure, convenient and fast, and improves the user experience.
Fig. 10 is a schematic block diagram of an operator information supplementing module in an authentication system based on local number login according to the present invention. Fig. 11 is a schematic block diagram of a login credential feedback module in an authentication system based on local number login according to the present invention. Fig. 12 is a schematic block diagram of an operator information request module in an authentication system based on local number login according to the present invention. Fig. 13 is a schematic block diagram of a first authentication module in an authentication system based on local number login according to the present invention. Fig. 14 is a schematic block diagram of a second authentication module in an authentication system based on local number login according to the present invention. As shown in figs. 10, 11, 12, 13 and 14, on the basis of the apparatus embodiment of fig. 9, the authentication system based on local number login of the present invention replaces the operator information supplementing module 510 with the authentication request receiving module 511, the operator information adding module 512 and the data baseline model module 513. The login credential generation module 521, the temporary mapping relation module 522 and the login credential feedback module 523 replace the login credential feedback module 520. The one-key login request module 541 and the operator information request module 542 replace the operator information request module 540. The local number authentication module 551, the baseline model matching module 552, the baseline model authentication module 553, the operator information feedback module 554 and the biometric request module 555 replace the first authentication module 550.
The first authentication module 561, the authentication anomaly feedback module 562, the biometric feedback module 563, the biometric upload module 564, the second authentication module 565 and the login credential authentication module 566 replace the second authentication module 560. Each module is described below:
The authentication request receiving module 511: the operator server receives an authentication request sent by the application client, where the authentication request includes the local number of the application client. In a preferred embodiment, the operator server pre-stores the mobile phone number and the biometric features of the user corresponding to the mobile phone number, wherein the biometric features comprise at least one of fingerprint information, voiceprint information, iris information and face information.
The operator information adding module 512: adds operator information to the authentication request and sends the request to the operator authentication platform, where the operator information includes at least one of a generic public subscription identifier, a permanent equipment identifier, a tracking area code, a wireless network positioning identifier and a 5G globally unique temporary identifier.
The data baseline model module 513: the operator authentication platform builds a baseline model of the user history data based on the operator information in each authentication request. The operator authentication platform establishes the baseline model of user history data based on the generic public subscription identifier in each authentication request. In this embodiment, a prior-art approach to establishing a baseline model of user history data may be used, which is not described here.
The login credential generation module 521: the operator authentication platform generates login credentials for the application client based on the authentication request.
The temporary mapping relation module 522: establishes a temporary mapping relation between the mobile phone number of the application client and the login credentials.
The login credential feedback module 523: feeds back the login credentials to the application client.
The one-key login request module 541: the server authentication platform decodes the one-key login request to obtain the login credentials and the local number.
The operator information request module 542: requests the corresponding operator information from the operator authentication platform based on the login credentials.
The local number authentication module 551: the operator authentication platform performs authentication of the local number.
The baseline model matching module 552: after the authentication of the local number is successful, the operator authentication platform matches the baseline model of the corresponding user history data based on the operator information in the one-key login request.
The baseline model authentication module 553: the operator authentication platform determines whether the operator information in the one-key login request satisfies the matched baseline model of user history data. This includes at least one, or a combination, of the following authentication means. Similarity matching between the GPS location corresponding to the login IP in the historical login data and the GPS location corresponding to the login IP of the current login request: if the similarity meets a preset threshold, authentication is successful; if it does not, the authentication is abnormal. Similarity matching between the time corresponding to the login IP in the historical login data and the time corresponding to the login IP of the current login request: if the similarity meets a preset threshold, authentication is successful; if it does not, the authentication is abnormal. Checking whether the application client is in the loss-reported state: if not, authentication is successful; if so, the authentication is abnormal.
The operator information feedback module 554: if the baseline model is satisfied, feeds back the corresponding operator information to the server authentication platform.
The biometric request module 555: if the baseline model is not satisfied, requests the server authentication platform to feed back the biometric.
The first authentication module 561: if the first authentication is successful, the server authentication platform authenticates based on the fed back operator information and the login credentials.
The authentication anomaly feedback module 562: if the first authentication is abnormal, sends a biometric identification request to the application client for second authentication. In a preferred embodiment, when the authentication is abnormal, the server authentication platform looks up the permanent equipment identifier of the application client in a device authentication mapping table pre-stored in the server authentication platform to obtain the authenticatable items corresponding to the application client, and sends the biometric identification request to the application client according to those authenticatable items, wherein the one-key login request comprises the permanent equipment identifier of the application client.
The biometric feedback module 563: the application client feeds back the biometric to the server authentication platform according to the biometric identification request.
The biometric upload module 564: the server authentication platform uploads the biometric to the operator authentication platform.
The second authentication module 565: the operator authentication platform performs a second authentication based on the pre-stored biometric corresponding to the mobile phone number.
The login credential authentication module 566: if the second authentication is successful, the server authentication platform authenticates based on the fed back operator information and the login credentials.
For the implementation principle of the above modules, refer to the related description in the authentication method based on local number login, which is not repeated here.
The authentication system based on local number login can establish a baseline model based on the operator's highly trusted user network information, intelligently detect abnormal authentication and superimpose a secondary, biometric authentication on abnormal authentications; it is secure, convenient and fast, and improves the user experience.
Fig. 15 is a flow chart of another embodiment of the authentication method based on local number login of the present invention. As shown in fig. 1, the present invention relates to the field of network configuration, and is a method for authenticating a mobile terminal based on local number login, which is mainly applied to a server authentication platform of a third-party service provider. The flow of the present invention includes:
Receiving a one-key login request generated by the application client based on the login credentials and the local number.
Decoding the one-key login request and requesting the corresponding operator information from the operator authentication platform.
Receiving the operator information fed back by the operator authentication platform after it performs the first authentication based on the one-key login request.
If the first authentication is successful, performing login authorization processing according to the received operator information; if the first authentication is abnormal, sending a biometric identification request to the application client, and performing the second authentication through the pre-stored biometric corresponding to the mobile phone number in the operator authentication platform.
The invention can establish a baseline model based on the operator's highly trusted user network information, intelligently detect abnormal authentication and superimpose a secondary, biometric authentication on abnormal authentications; it is secure, convenient and fast, and improves the user experience.
Fig. 16 is a schematic block diagram of another authentication system based on local number registration according to the present invention. As shown in fig. 16, another authentication system based on local number login of the present invention is mainly applied to a service side authentication platform of a third party service provider, including but not limited to:
and the one-key login request module is used for receiving a one-key login request generated by the application client side based on the login credentials and the local number.
And the operator information request module decodes the one-key login request and requests corresponding operator information from the operator authentication platform.
And the first authentication module is used for receiving the operator information fed back by the operator authentication platform for the first authentication based on the one-key login request.
The second authentication module performs login authorization processing according to the received operator information if the first authentication is successful; if the first authentication is abnormal, a biometric identification request is sent to the application client, and the second authentication is performed through the prestored biometric corresponding to the mobile phone number in the operator authentication platform.
The implementation principle of the above module is referred to the related description in the authentication method based on the local number login, and will not be repeated here.
The authentication system based on local number login can establish a baseline model based on the operator's highly trusted user network information, intelligently detect abnormal authentication, and superimpose biometric secondary authentication on the abnormal authentication, which is secure, convenient and fast and improves the user experience.
The embodiment of the invention also provides an authentication device based on local number login, which comprises a processor and a memory storing executable instructions of the processor, wherein the processor is configured to perform the steps of the authentication method based on local number login via execution of the executable instructions.
As shown above, the authentication system based on local number login can establish a baseline model based on the operator's highly trusted user network information, intelligently detect abnormal authentication, and superimpose biometric secondary authentication on the abnormal authentication, which is secure, convenient and fast and improves the user experience.
Those skilled in the art will appreciate that the various aspects of the invention may be implemented as a system, method, or program product. Accordingly, aspects of the invention may be embodied in the following forms: an entirely hardware embodiment, an entirely software embodiment (including firmware, micro-code, etc.), or an embodiment combining hardware and software aspects, which may be referred to herein as a "circuit," "module," or "platform."
Fig. 17 is a schematic diagram of an authentication device based on local number login according to the present invention. An electronic device 600 according to this embodiment of the invention is described below with reference to fig. 17. The electronic device 600 shown in fig. 17 is merely an example, and should not be construed as limiting the functionality and scope of use of embodiments of the present invention.
As shown in fig. 17, the electronic device 600 is in the form of a general purpose computing device. Components of electronic device 600 may include, but are not limited to: at least one processing unit 610, at least one memory unit 620, a bus 630 connecting the different platform components (including memory unit 620 and processing unit 610), a display unit 640, etc.
Wherein the storage unit stores program code executable by the processing unit 610 such that the processing unit 610 performs the steps according to various exemplary embodiments of the present invention described in the above-described electronic prescription flow processing method section of the present specification. For example, the processing unit 610 may perform the steps as shown in fig. 1.
The storage unit 620 may include readable media in the form of volatile storage units, such as Random Access Memory (RAM) 6201 and/or cache memory unit 6202, and may further include Read Only Memory (ROM) 6203.
The storage unit 620 may also include a program/utility 6204 having a set (at least one) of program modules 6205, such program modules 6205 including, but not limited to: processing systems, one or more application programs, other program modules, and program data, each or some combination of which may include an implementation of a network environment.
Bus 630 may be a local bus representing one or more of several types of bus structures including a memory unit bus or memory unit controller, a peripheral bus, an accelerated graphics port, a processing unit, or using any of a variety of bus architectures.
The electronic device 600 may also communicate with one or more external devices 700 (e.g., keyboard, pointing device, Bluetooth device, etc.), one or more devices that enable a user to interact with the electronic device 600, and/or any device (e.g., router, modem, etc.) that enables the electronic device 600 to communicate with one or more other computing devices. Such communication may occur through an input/output (I/O) interface 650. Also, electronic device 600 may communicate with one or more networks such as a Local Area Network (LAN), a Wide Area Network (WAN), and/or a public network, such as the Internet, through network adapter 660. The network adapter 660 may communicate with other modules of the electronic device 600 over the bus 630. It should be appreciated that although not shown, other hardware and/or software modules may be used in connection with electronic device 600, including, but not limited to: microcode, device drivers, redundant processing units, external disk drive arrays, RAID systems, tape drives, data backup storage platforms, and the like.
The embodiment of the invention also provides a computer readable storage medium for storing a program, and the steps of the authentication method based on the local number login are realized when the program is executed. In some possible embodiments, the aspects of the present invention may also be implemented in the form of a program product comprising program code for causing a terminal device to carry out the steps according to the various exemplary embodiments of the invention as described in the electronic prescription stream processing method section of this specification, when the program product is run on the terminal device.
As shown above, the authentication system based on local number login can establish a baseline model based on the operator's highly trusted user network information, intelligently detect abnormal authentication, and superimpose biometric secondary authentication on the abnormal authentication, which is secure, convenient and fast and improves the user experience.
The program product 800 for implementing the above-described method according to an embodiment of the present invention may employ a portable compact disc read-only memory (CD-ROM) and include program code and may be run on a terminal device, such as a personal computer. However, the program product of the present invention is not limited thereto, and in this document, a readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device.
The program product may employ any combination of one or more readable media. The readable medium may be a readable signal medium or a readable storage medium. The readable storage medium can be, for example, but is not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or a combination of any of the foregoing. More specific examples (a non-exhaustive list) of the readable storage medium would include the following: an electrical connection having one or more wires, a portable disk, a hard disk, random access memory (RAM), read-only memory (ROM), erasable programmable read-only memory (EPROM or flash memory), optical fiber, portable compact disk read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
The computer readable storage medium may include a data signal propagated in baseband or as part of a carrier wave, with readable program code embodied therein. Such a propagated data signal may take any of a variety of forms, including, but not limited to, electro-magnetic, optical, or any suitable combination of the foregoing. A readable storage medium may also be any readable medium that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device. Program code embodied on a readable storage medium may be transmitted using any appropriate medium, including but not limited to wireless, wireline, optical fiber cable, RF, etc., or any suitable combination of the foregoing.
Program code for carrying out processes of the present invention may be written in any combination of one or more programming languages, including an object oriented programming language such as Java, C++ or the like and conventional procedural programming languages, such as the "C" programming language or similar programming languages. The program code may execute entirely on the user's computing device, partly on the user's device, as a stand-alone software package, partly on the user's computing device, partly on a remote computing device, or entirely on the remote computing device or server. In the case of remote computing devices, the remote computing device may be connected to the user computing device through any kind of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or may be connected to an external computing device (e.g., connected via the Internet using an Internet service provider).
In summary, the invention aims to provide an authentication method, system, device and storage medium based on local number login, which can establish a baseline model based on the operator's highly trusted user network information, intelligently detect abnormal authentication, and superimpose biometric secondary authentication on the abnormal authentication, which is secure, convenient and fast and improves the user experience.
The foregoing is a further detailed description of the invention in connection with the preferred embodiments, and it is not intended that the invention be limited to the specific embodiments described. It will be apparent to those skilled in the art that several simple deductions or substitutions may be made without departing from the spirit of the invention, and these should be considered to be within the scope of the invention.

Claims (15)

1. An authentication method based on local number login is characterized by comprising the following steps:
the operator server adds the operator information into the authentication request sent by the application client and sends the authentication request to the operator authentication platform;
the operator authentication platform generates login credentials based on the authentication request and feeds the login credentials back to the application client;
the application client generates a one-key login request based on the login credentials and the local number, and sends the one-key login request to the server authentication platform;
The server authentication platform decodes the one-key login request and requests corresponding operator information from the operator authentication platform;
the operator authentication platform performs first authentication based on the one-key login request, and feeds back the operator information to the server authentication platform according to the first authentication; and
if the first authentication is successful, the server authentication platform performs login authorization processing according to the received operator information; if the first authentication is abnormal, the server authentication platform sends a biometric identification request to the application client, and performs a second authentication through a pre-stored biometric corresponding to the mobile phone number in the operator authentication platform.
2. The authentication method based on local number login according to claim 1, wherein the operator server adds operator information to an authentication request sent from an application client and sends the authentication request to an operator authentication platform, and the method comprises the steps of:
the method comprises the steps that an operator server receives an authentication request sent by an application client, wherein the authentication request comprises a local number of the application client; and
adding the operator information into the authentication request and then sending the authentication request to an operator authentication platform, wherein the operator information comprises at least one of a general public user identifier, a permanent equipment identifier, a tracking area code, a wireless network positioning identifier and a 5G global unique temporary identifier;
The operator authentication platform establishes a baseline model of user history data based on operator information in each of the authentication requests.
3. The authentication method based on local number login of claim 2, wherein the operator authentication platform builds a baseline model of user history data based on operator information in each of the authentication requests, comprising:
the operator authentication platform establishes a baseline model of user history data based on the universal public user identity in each of the authentication requests.
4. The authentication method based on local number login according to claim 1, wherein the operator server adds operator information to an authentication request sent from an application client and sends the authentication request to an operator authentication platform, and the authentication method further comprises:
the operator server pre-stores the mobile phone number and the biological characteristics of the user corresponding to the mobile phone number, wherein the biological characteristics comprise at least one of fingerprint information, voiceprint information, iris information and face information.
5. The authentication method based on local number login of claim 1, wherein the operator authentication platform generates login credentials based on the authentication request and feeds back to the application client, comprising:
The operator authentication platform generates login credentials corresponding to the application client based on the authentication request;
establishing a temporary mapping relation between the mobile phone number of the application client and the login credential; and
feeding back the login credentials to the application client.
6. The authentication method based on local number login according to claim 1, wherein the server authentication platform decodes the one-key login request and requests corresponding operator information from the operator authentication platform, comprising:
the server authentication platform decodes the one-key login request to obtain login credentials and a local number; and
requesting corresponding operator information from the operator authentication platform based on the login credentials.
7. The authentication method based on local number login as claimed in claim 1, wherein the operator authentication platform performs a first authentication based on the one-key login request, and feeds back the operator information to the server authentication platform according to the first authentication, comprising:
the operator authentication platform authenticates the local number;
after the authentication of the local number is successful, the operator authentication platform matches a baseline model of corresponding user history data based on the operator information in the one-key login request;
The operator authentication platform judges whether the operator information in the one-key login request meets a baseline model of the user history data in matching;
if yes, feeding back the corresponding operator information to the server authentication platform;
and if not, requesting the service side authentication platform to feed back the biological characteristics.
8. The authentication method based on local number login according to claim 7, wherein the operator authentication platform determines whether operator information in the one-key login request satisfies a baseline model of the user history data in matching, and further comprises at least one or a combination of the following authentication methods:
performing similarity matching on the GPS location corresponding to the login IP of the historical login data and the GPS location corresponding to the login IP of the current login request, wherein the authentication is successful if the similarity meets a preset threshold and abnormal if the similarity does not meet the preset threshold;
performing similarity matching based on the time corresponding to the login IP of the historical login data and the time corresponding to the login IP of the current login request, wherein the authentication is successful if the similarity meets a preset threshold and abnormal if the similarity does not meet the preset threshold;
if the application client is not in the loss reporting state, the authentication is successful, and if the application client is in the loss reporting state, the authentication is abnormal.
9. The authentication method based on local number login according to claim 1, wherein if the first authentication is successful, the server authentication platform performs login authorization processing according to the received operator information; if the first authentication is abnormal, the server authentication platform sends a biometric identification request to the application client, and performs a second authentication through a pre-stored biometric corresponding to the mobile phone number in the operator authentication platform, including:
if the first authentication is successful, the server authentication platform authenticates based on the fed back operator information and the login credentials;
if the first authentication is abnormal, the server authentication platform sends a biometric identification request to the application client for second authentication;
the application client feeds back the biological characteristics to the server authentication platform according to the biological characteristic identification request;
the server authentication platform uploads the biometric feature to the operator authentication platform;
The operator authentication platform performs a second authentication based on the biological characteristics and pre-stored biological characteristics corresponding to the mobile phone number;
and if the second authentication is successful, the server authentication platform performs login authentication based on the fed back operator information and the login credentials.
10. The authentication method based on local number login according to claim 9, wherein if the first authentication is abnormal, the server authentication platform sends a biometric identification request to the application client for second authentication, including:
when the authentication of the server authentication platform is abnormal, matching with an equipment authentication mapping table pre-stored in the server authentication platform according to a permanent equipment identifier of the application client to obtain an authenticatable item corresponding to the application client, and sending a biometric identification request to the application client according to the authenticatable item, wherein the one-key login request comprises the permanent equipment identifier of the application client.
11. An authentication system based on local number login, for implementing the authentication method based on local number login as claimed in claim 1, comprising:
The operator information supplementing module is used for adding the operator information into the authentication request sent by the application client and sending the authentication request to the operator authentication platform by the operator server;
the login credential feedback module is used for generating login credentials based on the authentication request by the operator authentication platform and feeding the login credentials back to the application client;
the one-key login request module is used for generating a one-key login request by the application client based on login credentials and a local number and sending the one-key login request to the server authentication platform;
The service side authentication platform decodes the one-key login request and requests corresponding operator information from the operator authentication platform;
the first authentication module is used for performing first authentication on the basis of the one-key login request by the operator authentication platform and feeding back the operator information to the server authentication platform according to the first authentication; and
the second authentication module is used for performing login authorization processing according to the received operator information by the server authentication platform if the first authentication is successful; if the first authentication is abnormal, the server authentication platform sends a biometric identification request to the application client, and performs a second authentication through a pre-stored biometric corresponding to the mobile phone number in the operator authentication platform.
12. An authentication method based on local number login is characterized by comprising the following steps:
receiving a one-key login request generated by the application client based on login credentials and a local number;
decoding the one-key login request and requesting corresponding operator information from the operator authentication platform;
receiving the operator information fed back by the operator authentication platform for the first authentication based on the one-key login request; and
if the first authentication is successful, performing login authorization processing according to the received operator information; if the first authentication is abnormal, a biometric identification request is sent to the application client, and the second authentication is performed through the prestored biometric corresponding to the mobile phone number in the operator authentication platform.
13. An authentication system based on local number login, for implementing the authentication method based on local number login as claimed in claim 1, comprising:
the one-key login request module receives a one-key login request generated by the application client based on login credentials and a local number;
the operator information request module decodes the one-key login request and requests corresponding operator information from the operator authentication platform;
The first authentication module is used for receiving the operator information fed back by the operator authentication platform for first authentication based on the one-key login request; and
the second authentication module performs login authorization processing according to the received operator information if the first authentication is successful; if the first authentication is abnormal, a biometric identification request is sent to the application client, and the second authentication is performed through the prestored biometric corresponding to the mobile phone number in the operator authentication platform.
14. An authentication device based on local number login, comprising:
a processor;
a memory having stored therein executable instructions of the processor;
wherein the processor is configured to perform the steps of the local number login based authentication method of any of claims 1 to 10, 12 via execution of the executable instructions.
15. A computer-readable storage medium storing a program, wherein the program when executed by a processor implements the steps of the authentication method based on local number login of any one of claims 1 to 10, 12.
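The credential mapping of claim 5, the first authentication of claims 7 and 8 and the biometric second authentication of claim 9, as an added Python example that is not code from the patent. The thresholds, the haversine distance used as the location similarity, the cosine similarity used as the biometric matcher, all class and function names and the sample phone number are assumptions.

```python
import hmac
import math
import secrets
import time
from dataclasses import dataclass

# All four thresholds are assumptions; the patent only says "preset threshold".
MAX_KM = 50.0          # location: distance to the nearest historical login
MAX_HOUR_GAP = 3       # time: circular hour-of-day gap to a historical login
MIN_BIO_SIM = 0.95     # biometric: minimum cosine similarity to the template
CREDENTIAL_TTL = 120   # lifetime of the temporary credential mapping, seconds

@dataclass
class Subscriber:
    history: list                 # past logins as (lat, lon, hour) tuples
    template: tuple               # pre-stored biometric feature vector
    reported_lost: bool = False

def _km(a, b):
    """Great-circle distance in km between two (lat, lon) points (haversine)."""
    la1, lo1, la2, lo2 = map(math.radians, (a[0], a[1], b[0], b[1]))
    h = math.sin((la2 - la1) / 2) ** 2 + math.cos(la1) * math.cos(la2) * math.sin((lo2 - lo1) / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(h))

def _cosine(u, v):
    dot = sum(x * y for x, y in zip(u, v))
    norm = math.sqrt(sum(x * x for x in u)) * math.sqrt(sum(y * y for y in v))
    return dot / norm if norm else 0.0

def fits_baseline(sub, lat, lon, hour):
    """The three checks of claim 8, combined: loss report, location, time."""
    if sub.reported_lost or not sub.history:
        return False              # an empty baseline is treated as abnormal
    near = any(_km((lat, lon), (h[0], h[1])) <= MAX_KM for h in sub.history)
    usual = any(min(abs(hour - h[2]), 24 - abs(hour - h[2])) <= MAX_HOUR_GAP for h in sub.history)
    return near and usual

class OperatorAuthPlatform:
    def __init__(self, subscribers, clock=time.time):
        self.subscribers = subscribers      # phone number -> Subscriber
        self.clock = clock
        self._pending = {}                  # credential -> [number, expiry, needs_step_up]

    def issue_credential(self, msisdn):
        """Claim 5: temporary mapping between phone number and credential."""
        cred = secrets.token_urlsafe(32)
        self._pending[cred] = [msisdn, self.clock() + CREDENTIAL_TTL, False]
        return cred

    def _lookup(self, cred, msisdn):
        entry = self._pending.get(cred)
        if entry is None:
            return None
        if self.clock() > entry[1] or not hmac.compare_digest(entry[0], msisdn):
            self._pending.pop(cred, None)   # burn on expiry or number mismatch
            return None
        return entry

    def first_authentication(self, cred, msisdn, lat, lon, hour):
        entry = self._lookup(cred, msisdn)
        if entry is None or entry[2]:
            return "rejected"
        if fits_baseline(self.subscribers[msisdn], lat, lon, hour):
            del self._pending[cred]         # credential is single use
            return "success"
        entry[2] = True                     # only the biometric path remains
        return "abnormal"

    def second_authentication(self, cred, msisdn, sample):
        entry = self._lookup(cred, msisdn)
        if entry is None or not entry[2]:
            return "rejected"
        del self._pending[cred]             # one biometric attempt per credential
        ok = _cosine(sample, self.subscribers[msisdn].template) >= MIN_BIO_SIM
        return "success" if ok else "rejected"

def demo():
    """Constructed data: one subscriber whose usual logins are near (31.23, 121.47)."""
    sub = Subscriber(history=[(31.23, 121.47, 8), (31.20, 121.50, 20)], template=(0.1, 0.9, 0.4))
    op = OperatorAuthPlatform({"13800000000": sub})
    c1, c2 = op.issue_credential("13800000000"), op.issue_credential("13800000000")
    usual = op.first_authentication(c1, "13800000000", 31.24, 121.48, 9)
    far = op.first_authentication(c2, "13800000000", 39.90, 116.40, 9)
    step_up = op.second_authentication(c2, "13800000000", (0.11, 0.88, 0.41))
    return usual, far, step_up
```

A credential that has been routed to the biometric path cannot be replayed against the baseline check, and a failed biometric attempt consumes it, so each step-up needs a fresh credential.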
CN202210744432.8A 2022-06-27 2022-06-27 Authentication method, system, equipment and storage medium based on local number login Pending CN117353951A (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN202210744432.8A CN117353951A (en) 2022-06-27 2022-06-27 Authentication method, system, equipment and storage medium based on local number login
PCT/CN2022/141579 WO2024001109A1 (en) 2022-06-27 2022-12-23 Authentication method and system based on owner number login, device, and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202210744432.8A CN117353951A (en) 2022-06-27 2022-06-27 Authentication method, system, equipment and storage medium based on local number login

Publications (1)

Publication Number Publication Date
CN117353951A (en) 2024-01-05

Family

ID=89365498

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210744432.8A Pending CN117353951A (en) 2022-06-27 2022-06-27 Authentication method, system, equipment and storage medium based on local number login

Country Status (2)

Country Link
CN (1) CN117353951A (en)
WO (1) WO2024001109A1 (en)

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
AU2003902422A0 (en) * 2003-05-19 2003-06-05 Intellirad Solutions Pty. Ltd Access security system
CN107563169A (en) * 2017-09-06 2018-01-09 深圳天珑无线科技有限公司 Verification method, checking system and electronic equipment
CN108462704B (en) * 2018-02-27 2019-08-06 平安科技(深圳)有限公司 Login validation method, device, computer equipment and storage medium

Also Published As

Publication number Publication date
WO2024001109A1 (en) 2024-01-04
WO2024001109A9 (en) 2024-02-15


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination