JP2007052489A - User authentication method and user authentication program - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To provide a user authentication method and a user authentication program capable of suppressing leakage of a code number or password, improving security, and performing personal authentication. <P>SOLUTION: In performing trading with a banking establishment server 20, a client terminal 10 executes input processing of authentication data with a script program, generates a random number for each character, and performs group assignment. When an assignment reference is satisfied, a group assignment table is output on a display. The client terminal records a group identifier of a selection object selected using the group assignment table. The banking establishment server 20 receives an authentication request including user ID data, group constitution data and selection data. A management computer 21 converts the code number using the group constitution data, and collates it with selection data included in the authentication request. When both match with each other, the management computer 21 permits the trading. <P>COPYRIGHT: (C)2007,JPO&INPIT

Description

  The present invention relates to a technique for performing personal authentication.

  Today, various banking services can be used via the Internet. For example, when the balance of a credit settlement account is insufficient, information on the balance of the credit settlement account is distributed on the Internet, and a technique for transferring or transferring the shortage is disclosed (for example, patents) Reference 1). In addition, users are required to register in advance login IDs and passwords for Internet services provided by multiple institutions (banks, securities companies, credit card companies, etc.), and information on multiple institutions can be obtained using these IDs and passwords. There is also disclosed a technique for obtaining (such as asset information of a financial institution) and displaying a list on the Internet (for example, see Patent Document 2).

  Normally, when using an online banking service, it is necessary to enter a password or password. This personal identification number and password are important personal information for asset management and must be handled with particular care. For this reason, when entering a personal identification number, financial institution stores take measures such as installing a terminal in consideration of security and providing an enclosure for the personal identification pad. Furthermore, the user himself / herself often draws the password pad close to the user and pays close attention to the surroundings so that the password cannot be viewed by others. Furthermore, a technique for preventing a third party from knowing the password from the movement of the hand for inputting the password is disclosed (for example, see Patent Document 3). In this technique, a character string for inputting a password is displayed on the display device. The input means inputs a password from a character string displayed on the display device. The character string generation unit generates a character string to be displayed on the display device, and the arrangement data generation unit randomly arranges the character string generated by the character string generation unit for each input of a password character. Generate data for The display device displays the character string generated by the character string generation unit based on the arrangement data generated by the arrangement data generation unit. That is, the arrangement of the character string of the display device is changed every time a part of the password is entered.

Furthermore, a technique is disclosed that aims to prevent a user ID or password from being easily guessed even if information exchanged for personal authentication via a network is intercepted by a third party (for example, , See Patent Document 4). In this technique, when a user ID or password is input, a button image that is randomly arranged is input by selecting with a pointing device. Each time you select a button image, the layout changes randomly. The specific image is stored on the server, and the user ID and password character string are not sent to the server as they are, but only the mouse operation information, that is, the coordinates are sent, and even if it is leaked to a third party via the network, it is affected. Make sure there is no.
JP 2002-73999 A (FIG. 2) JP 2001-306804 A (FIG. 1) Japanese Patent Laid-Open No. 2003-67341 (FIG. 1) JP 2004-102460 A (FIG. 1)

  Recently, Internet cafes where computer terminals connected to the Internet are located in the store are also popular, and by using these terminals, it is possible to browse websites and send and receive e-mails.

  However, when using a banking service using various computer terminals, the password may be leaked. Especially today, keyloggers are a big problem. This key logger is originally software that monitors and records input from the keyboard, and was used as a tool for debugging and the like. Specifically, this keylogger is designed to operate transparently while using other software as resident software. The keylogger records all information typed from the keyboard or screen keyboard. For this reason, there is a possibility that it may be misused to collect passwords and credit card numbers that are entered to use the banking service. In particular, when a key logger is set in a computer terminal that is used publicly such as an Internet cafe, a password for Internet transaction may be stolen and the transaction may be performed without knowing it.

  The present invention has been made to solve the above-mentioned problems, and its purpose is to suppress the leakage of a personal identification number and password, improve the security, and perform user authentication and use. Providing a user authentication program.

  In order to solve the above-mentioned problem, the invention described in claim 1 includes a user data storage means that records data related to a user password composed of a user identifier and a plurality of specific element symbols, A method for authenticating an individual using display means that can be viewed by a user and control means connected to an input means operated by the user, wherein the control means may constitute a user password Creating and recording a group allocation table in which an element symbol is assigned to a plurality of group identifiers, outputting the group allocation table to the display unit, and a group identifier input using the input unit A step of recording an input string comprising: a user password associated with a user identifier input using the input means from the user data storage means; The user password is converted into a password string by the group allocation table, the step of comparing the password string with the input string, and authentication of the person is permitted only when the two match, and subsequent processing is permitted. The gist is to execute the step.

  The invention according to claim 2 is the user authentication method according to claim 1, wherein the control means determines whether or not two or more groups to which element symbols are allocated are generated in the group allocation table. If all the element symbols are allocated to one group, the gist is to further execute the step of repeating the creation of the group allocation table again.

  According to a third aspect of the present invention, in the user authentication method according to the first or second aspect, the control means includes two or more groups assigned to the group to which at least one element symbol is allocated in the group allocation table. The gist is to confirm whether or not an element symbol is allocated, and when there is a group including only one element symbol, the step of repeating the creation of the group allocation table is further executed.

The invention according to claim 4 is a user data storage means that records data relating to a user password composed of a user identifier and a plurality of specific element symbols, and a display means that can be browsed by the user. A program for authenticating an individual using a control means connected to an input means operated by a user, wherein the control means uses element symbols that may constitute a user password as a plurality of group identifiers. Means for creating and recording an allocated group allocation table; means for outputting the group allocation table to the display means; means for recording an input string composed of a group identifier input using the input means; A user password associated with the user identifier input using the input unit is extracted from the user data storage unit, and this user password is extracted. The password is converted into a password string by the group allocation table, and the password string and the input string are compared with each other, and only when both match, it functions as a means to authenticate the person and permit execution of the subsequent process. This is the gist.

  According to a fifth aspect of the present invention, in the user authentication program according to the fourth aspect, the control means is configured to determine whether or not two or more groups to which element symbols are allocated are generated in the group allocation table. If all the element symbols are allocated to one group, the gist is to further function as a means for repeating the creation of the group allocation table again.

  The invention according to claim 6 is the user authentication program according to claim 4 or 5, wherein two or more element symbols are allocated to a group to which at least one element symbol is allocated in the group allocation table. If there is a group that includes only one element symbol, the gist is to further function as a means for repeating again.

(Function)
According to the first or fourth aspect of the invention, the control means creates a group allocation table in which element symbols that may constitute a user password are allocated to a plurality of group identifiers. Then, the group allocation table is output to the display means. The user inputs an input string composed of group identifiers using this group allocation table. Further, the control means converts the user password into a password string using the group allocation table. Then, the control means compares this password string with the input string. Since the password is converted into a password string by the group allocation table, even if the input key is stolen, the password cannot be uniquely specified. In particular, since the conversion from the personal identification number to the selection data is performed in the human head using the group allocation table, this processing content cannot be recorded in the control means. Therefore, it is possible to improve security and perform personal authentication.

  According to the invention of claim 2 or 5, in the group allocation table, it is confirmed whether or not two or more groups to which element symbols are allocated are generated, and all the element symbols are allocated to one group Repeat the creation of the group allocation table again. For this reason, it is possible to prevent the personal identification numbers from being collected into one selection data, and to ensure the significance of the personal authentication.

  According to the invention of claim 3 or 6, in the group allocation table, it is confirmed whether or not two or more element symbols are allocated to a group to which at least one element symbol is allocated. If there is a group that is not included, creation of the group allocation table is repeated again. For this reason, by assigning two or more numbers to one group, it is possible to prevent a number from being uniquely specified even when the group is specified.

  According to the present invention, it is possible to suppress the leakage of a personal identification number and a password, improve security, and perform personal authentication.

  Hereinafter, an embodiment embodying the present invention will be described with reference to FIGS. In the present embodiment, a description will be given of a user authentication method and a user authentication program used for personal authentication when a user of a net banking service that holds a deposit account in a financial institution conducts a transaction with the financial institution. For example, it is assumed that transactions are performed in financial institutions such as various banks, securities companies and credit card companies.

As shown in FIG. 1, the financial institution server 20 is connected to the client terminal 10 via the Internet I as a network.
The financial institution server 20 is a computer system for authenticating a user and providing various transaction processes (for example, banking service) in response to a request from the user. The financial institution server 20 manages various information related to the deposit account held by the user in order to provide a banking service. Then, when there is an access from the client terminal 10, the financial institution server 20 executes a process for authenticating the user.

  As shown in FIG. 1, the financial institution server 20 includes a management computer 21 as a control means. The management computer 21 includes control means (CPU), storage means (RAM, ROM, hard disk, etc.), data transmission / reception means, and the like.

This management computer 21 converts the user password into a password string by the group allocation table for the authentication process, and compares the password string with the input string, and authenticates the user and permits the subsequent process to be executed. Functions as a means to
Only when the two match, the process described later for authenticating the person and permitting the execution of the subsequent process is executed.

Furthermore, a user data storage unit 22 as user data storage means is connected to the management computer 21.
As shown in FIG. 2, user data 220 is recorded in the user data storage unit 22 regarding users who use the banking service. This user data 220 is set when there is a banking service use request from a user. In the present embodiment, in the user data 220, data related to the user ID and the password is recorded in association with each other for each user.

  In the user ID data area, data relating to a user identifier for specifying a banking service user is recorded. By using this user ID, it is possible to extract various attribute information such as the name and address of the account holder registered in another data storage unit.

  In the personal identification number data area, data related to a user password for authenticating the user when using the banking service is recorded. This personal identification number is composed of numbers (element symbols) of “1-9, 0” as element symbols.

  Furthermore, the client terminal 10 connected to the financial institution server 20 via the Internet I is a computer terminal used when a user makes a transaction with the financial institution server 20. As shown in FIG. 3, the client terminal 10 includes a CPU (Central Processing Unit) 11 as control means, a RAM (Random Access Memory) 12 as storage means, and a ROM (Read Only Memory) 13.

  Further, the CPU 11 is connected via a bus line to a display 15 as a display unit, a keyboard 16, a pointing device 17 as an input unit, a hard disk device 18 as a storage unit, and a communication IF unit 19 as a communication unit.

The hard disk device 18 stores a browser program.
The RAM 12 is a memory that stores programs and data necessary for the CPU 11 to perform various processes. The ROM 13 is a read-only memory in which basic programs and parameters for causing the client terminal 10 to function are stored. A script program is stored in the RAM 12, and when this program is executed by the CPU 11, the CPU 11 creates and records a group allocation table, a means for outputting to a display means, a means for recording an input string, etc. It functions as each means.

The display 15 displays various screens downloaded from the financial institution server 20 or displays the results input from a keyboard or the like.
The keyboard 16 is an input means for performing various key operations for inputting character data and the like. The pointing device 17 is used when the pointer is moved or clicked to designate and click a specific area such as an icon or button displayed on the display. The communication IF unit 19 is used when communication is performed via the Internet I.

  The CPU 11 functions as a pointing device control unit that controls a pointer as an instruction unit on the display 15. The pointing device control unit includes a pointer position control unit and a click control unit. The pointer position control unit controls the position of the pointer displayed on the display. When a click is performed on the object display area, data associated with the object is sequentially stored in a memory area provided in the RAM 12.

Next, processing when using the banking service using the financial institution server 20 and the client terminal 10 configured as described above will be described with reference to FIG.
First, the user accesses the financial institution server 20 using the client terminal 10 (step S1-1). Specifically, the browser program stored in the client terminal 10 is activated and the URL of the financial institution server 20 is input. In this case, the client terminal 10 transmits an access request via the Internet I.

  The management computer 21 of the financial institution server 20 that has received this access request transmits authentication request screen data to the client terminal 10 (step S1-2). The authentication request screen data includes a script program executed on the client terminal 10.

  The CPU 11 of the client terminal 10 that has received this request stores the received script program in the RAM 12 and executes it. With this script program, the CPU 11 executes authentication data input processing (step S1-3). The authentication data input process will be described with reference to FIG.

  First, the CPU 11 of the client terminal 10 outputs a login screen based on the authentication request screen data (step S2-1). In this case, a display screen 510 shown in FIG. This display screen includes a user ID input field and an OK button. A pointer P is displayed on the display screen 510. This pointer P can be operated using the pointing device 17.

  Next, the CPU 11 of the client terminal 10 generates a random number RND (x) for each number (an integer of x = 1, 2,..., 0) that may constitute a personal identification number and performs group allocation. Perform (step S2-2). Specifically, the CPU 11 first generates random numbers RND (1), RND (2)... RND (9), RND (0). This random number is a three-digit number from 0 to 1.

  Each number is grouped by this random number. In the present embodiment, “0 to 0.249”, “0.25 to 0.499”, “0.5 to 0.724”, and “0.7525 to 1” are respectively set as groups as the first to fourth groups. And Each group is given a group identifier (G1 to G4), and is assigned a different display color.

  That is, using the generated random numbers RND (1), RND (2)... RND (9), RND (0), numbers “1, 2,... 9, 0” are allocated to the first to fourth groups. For example, when RND (1) is “0.126”, the number “1” is assigned to the first group (G1). For example, when RND (2) becomes “0.260”, the number “2” is allocated to the second group (G2). In this way, numbers n (n = 1, 2,..., 0) are assigned to each group using RND (n).

  Then, group configuration data is generated by arranging the assigned group identifiers of the numbers “1, 2,..., 0” in order. For example, “1, 4, 7” is the first group (G1), “2, 6, 9” is the second group (G2), “3, 5” is the third group (G3), and “8, 0”. Is assigned to the fourth group (G4), the group configuration data is “G1, G2, G3, G1... G4, G2, G4” in which the group identifiers are arranged in the order of “1, 2,. Become.

  Next, the CPU 11 executes a confirmation process as to whether or not the result assigned to each group satisfies a predetermined allocation standard. In the present embodiment, the following two criteria (“group number” criterion and “allocation number” criterion) are used.

  First, the CPU 11 confirms whether or not two or more groups to which numbers are assigned have been generated (step S2-3). For example, if the random numbers RND (1), RND (2)... RND (9), RND (0) are all “0.249” or less, all the numbers are assigned to the first group. Specifically, the number of types of group identifiers included in the group configuration data is counted, and it is confirmed whether or not two or more group identifiers are included. When the group configuration data includes only one type of group identifier and all the numbers are assigned to one group (in the case of “NO” in step S2-3), the allocation is inappropriate. Repeat the allocation again. For example, as described above, when the random numbers RND (1), RND (2)... RND (9), RND (0) are all “0.249” or less, the process returns to step S2-2 again.

  On the other hand, when each number is allocated to two or more groups (in the case of “YES” in step S2-3), the CPU 11 allocates two or more numbers to the group to which at least one number is allocated. (Step S2-4). Specifically, the number of group identifiers included in the group configuration data is counted for each group identifier, and it is confirmed whether the number of all group identifiers is two or more. If there is only one group identifier in the group configuration data and there is a group to which only one number is allocated (in the case of “NO” in step S2-4), it is determined that the allocation is inappropriate and step S2- Return to 2 and repeat the allocation again.

  When there is no group to which only one number is allocated (in the case of “YES” in step S2-4), the above two allocation criteria are satisfied. In this case, the CPU 11 outputs a group allocation table to the display 15 (step S2-5). In this embodiment, as described above, “1, 4, 7” is the first group, “2, 6, 9” is the second group, “3, 5” is the third group, and “8, 0” is the second group. Assume that 4 groups are allocated. In this case, the CPU 11 generates group configuration data (“G1, G2, G3, G1... G4, G2, G4”) in which group identifiers are arranged in the order of “1, 2,.

In this case, the CPU 11 outputs a display screen 520 shown in FIG. On this display screen 520, a group allocation table 521 is displayed. The group allocation table 521 includes selection objects that are color-coded for each group. Each selected object displays the numbers that make up this group. Further, each selected object is associated with data relating to group identifiers (G1 to G4) representing each group. When a selection (click) operation is performed when the pointer P is on the selected object, the CPU 11 reads a group identifier associated with the selected object. Further, a selection group display field 522 is output on the display screen 520.

  Using the pointer P, the user sequentially performs a click operation on the selected object corresponding to his / her personal identification number. In this case, the CPU 11 records the group identifiers of the selected selected objects in the RAM 12 in the clicked order (step S2-6). In the present embodiment, the user's personal identification number is “126485”. Therefore, the user first moves the pointer P onto the first selected object corresponding to “1” and performs a click operation. In this case, as shown in FIG. 10, an input display 531 indicating that the first selected object has been clicked is output to the selected group display field 522. This input display 531 is output in the same color scheme as the first selected object. In this case, the CPU 11 records a group identifier (G1) indicating that the first selected object has been clicked in the RAM 12.

  Next, the user moves the pointer P onto the selected object corresponding to the second number “2” of the personal identification number and performs a click operation. In this case, an input display 541 indicating that the second selected object has been clicked is output to the selected group display field 522 as shown in FIG. This input display 541 outputs the same color scheme as that of the second selected object. In this case, the CPU 11 records a group identifier (G2) indicating that the second selected object has been clicked in the RAM 12 next to the group identifier (G1).

  Similarly, as shown in FIG. 12, the user selects the selection object corresponding to the third number “6” of the personal identification number (screen display 550) and the selection object corresponding to the fourth number “4” (screen Click operations are sequentially performed as shown in the display 560). When the selected object corresponding to all the code numbers is clicked, a screen display 570 is output.

In this case, the personal identification number “126485” is converted into selection data (“G1, G2, G2, G1, G4, G3”) as an input string and recorded in the RAM 12.
Then, the CPU 11 transmits an authentication request to the financial institution server 20 via the Internet I (step S2-7). This authentication request includes user ID data, group configuration data, and selection data. In this embodiment, “G1, G2, G3, G1... G4, G2, G4” are used as group configuration data, and “G1, G2, G2, G1, G4, G3” are used as selection data.

  Upon receiving this authentication request, the management computer 21 of the financial institution server 20 executes user authentication processing as shown in FIG. 1 (step S1-4). This process will be described with reference to FIG. Here, first, the management computer 21 extracts user data (step S3-1). Specifically, the user data 220 is extracted from the user data storage unit 22 using the user ID included in the authentication request, and the personal identification number of this user is specified.

  Next, the management computer 21 converts the specified personal identification number (step S3-2). Specifically, as shown in FIG. 7, the numbers constituting the personal identification number identified in step S3-2 are converted in turn using the group configuration data included in the authentication request, and the personal identification number as a password string is obtained. Generate conversion data. For example, “1” is converted into the first group identifier “G1” according to the group configuration data “G1, G2, G3, G1... G4, G2, G4”, and “8” is the eighth group identifier “G4”. Is converted to.

Then, the management computer 21 collates the password conversion data with the selection data included in the authentication request (step S3-3). That is, it is confirmed whether or not the received selection data (here, “G1, G2, G2, G1, G4, G3”) and the password conversion data completely match. If the password conversion data matches the selected data (“YES” in step S3-3), the management computer 21 permits the transaction (step S3-4). In this case, the personal authentication is completed and access to the next stage is permitted.

  On the other hand, if the password conversion data and the selection data do not match (in the case of “NO” in step S3-3), the management computer 21 rejects the transaction (step S3-5). In this case, the client terminal 10 is notified to that effect and the communication is terminated.

  Thus, the user authentication process is completed. If the transaction is permitted, the subsequent processing is executed. In the present embodiment, as shown in FIG. 4, transaction processing is performed between the client terminal 10 and the financial institution server 20 (step S1-5). In this way, transaction processing can be performed after identity authentication.

As described above, according to the present embodiment, the following effects can be obtained.
In the above embodiment, the password (here, “126485”) is converted into selection data (here, “G1, G2, G2, G1, G4, G3”) using the group allocation table. Accordingly, the information amount of the selection data with respect to the password is reduced. In addition, since the selection data is changed by changing the group allocation table, the personal identification number cannot be uniquely specified from the input selection data every time. Therefore, even if the input data is stolen by the key logger, there are many combinations, and therefore it is difficult to specify the personal identification number. In particular, since the conversion from the personal identification number to the selection data is performed in the human head using the group allocation table, the processing contents cannot be recorded in the computer. Therefore, it is possible to suppress the theft of a personal identification number or the like via the computer terminal.

  In the above embodiment, the CPU 11 executes confirmation processing for satisfaction of the allocation standard. Specifically, the CPU 11 checks whether or not two or more groups to which numbers are assigned have been generated (step S2-3). When all the numbers are assigned to one group, all the password numbers are collected into one selection data. Since confirmation about satisfaction of this allocation standard is performed, it is possible to prevent the personal identification numbers from being aggregated into one selection data, and to ensure the significance of the personal authentication.

  In the above embodiment, the CPU 11 executes confirmation processing for satisfaction of the allocation standard. Specifically, the CPU 11 checks whether or not two or more numbers are allocated to the group to which at least one number is allocated (step S2-3). If there is one group identifier and there is a group to which only one number is allocated (in the case of “NO” in step S2-4), the allocation is inappropriate and the process returns to step S2-2 to allocate Repeat again. When only one number is assigned to one group, if this group is selected, this number can be specified, so that there is a possibility of partial leakage of the personal identification number. For this reason, by assigning two or more numbers to one group, it is possible to prevent a number from being uniquely specified even when the group is specified.

In the above embodiment, the user sequentially selects and clicks the selection objects corresponding to the personal identification number using the pointer P. In this case, the CPU 11 records the group identifier of the selected selected object (step S2-6). Each time the user clicks on a selected object with a code number, an input display 531 is output. This input display 531 outputs the same color scheme as the first selected object. Thereby, the user can grasp | ascertain which number was input and to what extent. Even if this input display is stolen, a group allocation table is required to convert it into numbers, and conversion into numbers is difficult. Therefore, it is also effective for information leakage due to snooping.

In addition, you may change the said embodiment into the following aspects.
○ In the above embodiment, it is applied to personal authentication when providing banking services provided by financial institutions, but it is not limited to this, and it can also be applied to various transactions that perform personal authentication using a PIN or password. can do. Further, the present invention can be applied not only to transactions on the network such as the Internet, but also to networks and computer terminals in which the possibility of information leakage cannot be denied. This is particularly effective when it is necessary to protect a personal identification number, such as a key logger, or personal information that is inconvenient if a part thereof is specified.

  In the above embodiment, when a click operation is performed on the selected object corresponding to the code number, an input display (531, 541, etc.) indicating that the selected object has been clicked is output in the selected group display field 522. Is done. This input display is output in the same color scheme as the selected object. Instead, as shown in FIG. 13, the number of input numbers may be sequentially displayed with “*”. In this case, display screens 610, 620,... 630) are sequentially output on the display. Thereby, security can be improved more.

  In the above embodiment, the CPU 11 outputs the display screen 520 to the display 15. On this display screen 520, a group allocation table 521 is displayed. The group allocation table 521 includes selection objects that are color-coded for each group. Each selected object displays the numbers that make up this group. Furthermore, each selection object is associated with a group identifier (G1 to G4) representing each group. Instead, as shown in the display screen 700 in FIG. 14, a group allocation table 701 may be displayed in which numbers are arranged in the order of numbers and assigned using random numbers. In this display, the group identifier itself may be displayed, or the color scheme of each group may be displayed as shown in FIG. Further, a selection object 702 for selecting each group is displayed on the display screen 700. In this case, the user converts the number of the personal identification number into a group (here, a color scheme) using the group allocation table 701, and clicks the selection objects 702 corresponding to this group (the same color scheme) in order. When a user's password is selected from many element symbols including alphabets, numbers and alphabet symbols can be arranged in numerical order or alphabetical order, so that it is easy to search for element symbols.

  In the above embodiment, the authentication data input process is executed by the client terminal 10. Alternatively, group allocation processing may be performed by a financial institution server. In this case, by executing each processing of steps S2-1 to S5 of the management computer 21 of the financial institution server 20, it also functions as means for creating and recording a group allocation table. For this reason, the client terminal 10 does not need to generate or transmit group configuration data, and the processing load can be reduced.

  In the above embodiment, group identifier data representing each group is associated with each selected object. When a selection (click) operation is performed when the pointer P is on the selected object, the CPU 11 reads a group identifier associated with the selected object. The selection of the group identifier is not limited to the click operation using the pointer P, but may be input using the keyboard 16. Here, when the nth group is selected, “n” is input to the keyboard 16. The input group identifiers are recorded in the RAM 12 in this order.

The system schematic of embodiment of this invention. Explanatory drawing of the data recorded on the user data storage part. The block block diagram of a client terminal. Explanatory drawing of the process sequence of embodiment of this invention. Explanatory drawing of the process sequence of embodiment of this invention. Explanatory drawing of the process sequence of embodiment of this invention. Explanatory drawing of collation of the PIN code of embodiment of this invention. Explanatory drawing of the display screen of the client terminal of embodiment of this invention. Explanatory drawing of the display screen of the client terminal of embodiment of this invention. Explanatory drawing of the display screen of the client terminal of embodiment of this invention. Explanatory drawing of the display screen of the client terminal of embodiment of this invention. Explanatory drawing of the display screen of the client terminal of embodiment of this invention. Explanatory drawing of the display screen of the client terminal of other embodiment of this invention. Explanatory drawing of the display screen of the client terminal of other embodiment of this invention.

Explanation of symbols

  DESCRIPTION OF SYMBOLS 10 ... Client terminal, 11 ... CPU as control means, 15 ... Display as display means, 17 ... Pointing device as input means, 20 ... Financial institution server, 21 ... Management computer as control means, 22 ... User data User data storage unit as storage means, 521, 701 ... group allocation table, I ... Internet as network.

Claims (6)

User data storage means in which data related to a user password composed of a user identifier and a plurality of specific element symbols is recorded in association with each other, display means that can be viewed by the user, and input means operated by the user A method of authenticating the person using a connected control means,
The control means is
Creating and recording a group allocation table in which element symbols that may constitute user passwords are assigned to multiple group identifiers; and
Outputting the group allocation table to the display means;
Recording an input string comprising a group identifier input using the input means;
A user password associated with the user identifier input using the input means is extracted from the user data storage means, and the user password is converted into a password string by the group allocation table. And comparing with the input sequence;
A user authentication method characterized by executing the step of authenticating the person and permitting the execution of the subsequent process only when the two match. The control means is
In the group allocation table, check whether two or more groups to which element symbols are assigned are generated,
2. The user authentication method according to claim 1, further comprising the step of repeating the creation of the group allocation table again when all element symbols are assigned to one group. The control means is
In the group allocation table, check whether two or more element symbols are allocated to a group to which at least one element symbol is allocated;
3. The user authentication method according to claim 1 or 2, further comprising the step of repeating the creation of the group allocation table again when there is a group including only one element symbol. User data storage means in which data related to a user password composed of a user identifier and a plurality of specific element symbols is recorded in association with each other, display means that can be viewed by the user, and input means operated by the user A program for authenticating an individual using a connected control means,
The control means;
Means for creating and recording a group allocation table in which element symbols that may constitute a user password are allocated to a plurality of group identifiers;
Means for outputting the group allocation table to the display means;
Means for recording an input string consisting of group identifiers input using the input means;
A user password associated with the user identifier input using the input means is extracted from the user data storage means, and the user password is converted into a password string by the group allocation table. And means for comparing with the input sequence;
A user authentication program that functions as a means for authenticating an individual and permitting execution of a subsequent process only when the two match. The control means;
In the group allocation table, check whether two or more groups to which element symbols are assigned are generated,
5. The user authentication program according to claim 4, wherein when all the element symbols are assigned to one group, the user authentication program further functions as means for repeating the creation of the group allocation table again. In the group allocation table, check whether two or more element symbols are allocated to a group to which at least one element symbol is allocated;
6. The user authentication program according to claim 4, wherein when there is a group including only one element symbol, the user authentication program further functions as a means for repeating again.

Images