JP2007193762A - User authentication system, providing server device used in it, portable communication device, portable communication device for user, portable communication device for approver, authentication server device, program for these devices - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To prevent leakage of authentication information for securing enhanced security while reducing a burden of a user. <P>SOLUTION: An authentication screen generation part 111 and an authentication screen output part 112 transmit bar codes representing terminal identification information and service identification information to a terminal device 2. A camera part 33 and a bar-code decode part 311 read the terminal identification information and the service identification information from the bar codes, and an authentication information management part 312 transmits authentication information, which is stored in an authentication information storage part 321 in association with the service identification information, to a server device 4. An authentication processing part 412 authenticates a service use right based on the authentication information sent from the portable communication device 3. An authentication result management part 413 sends notification information showing permission/prohibition of provision of a service to the terminal device 2 to the providing server device 1 based on the authentication result. <P>COPYRIGHT: (C)2007,JPO&INPIT

Description

  The present invention relates to a user authentication system that authenticates a user of a service, a providing server device used in the user authentication system, a portable communication device, a portable communication device for a user, a portable communication device for an approver, and an authentication server. The invention relates to devices and programs for these devices.

  When user authentication is performed from a terminal device such as a personal computer, a mechanism that uses a user name and password that the user inputs to the terminal device is widely used. In addition, for user authentication used in terminal devices in general, there are known mechanisms for combining cards and passwords, and for using cards or mobile phones using proximity wireless, as found in automated teller machines (ATMs). It has been.

  A mechanism using a two-dimensional code as a means for transmitting authentication information is known from Patent Document 1 and Patent Document 2.

Also, Patent Document 3 discloses a mechanism for acquiring registration data using an existing registered mobile terminal and inputting it to the newly registered mobile terminal when registering a new mobile terminal on the system. It has been.
JP 2003-242116 A JP 2004-72312 A JP 2005-269571 A

  In the case of a mechanism in which a user inputs a user name and password to a terminal device, the user needs to manage various combinations of user names and passwords, and services can be provided due to forgetting or authentication failure due to wrong memory. There was no fear.

  In order to avoid this, there are cases where the same user name and password are used for a plurality of different user authentications, and means such as writing on paper are used. It leads to unauthorized use and becomes a security problem.

  In a mechanism using a card or proximity wireless communication, a dedicated reading device is required on the terminal device side, which increases the scale and costs on the terminal device side, which is a major obstacle to widespread use other than for specific purposes.

  Also, a two-dimensional code representing authentication information is not suitable for application to user authentication because the authentication information is easily read by decoding the two-dimensional code.

  The present invention has been made in view of such circumstances, and its purpose is to prevent leakage of authentication information while ensuring a high level of security while reducing the burden on the user. is there.

  To achieve the above object, the present invention provides a providing server device that provides a service to a terminal device, a portable communication device possessed by a user of the terminal device, the providing server device, and the portable device. Each device in the user authentication system including the authentication server device capable of communicating with the communication device has the following configuration.

  The providing server device sends terminal identification information for identifying the terminal device and service identification information for identifying the service to the terminal device so that reading information can be read from the terminal device to the mobile communication device. Read information sending means was provided.

  The portable communication device includes an authentication information storage unit that stores authentication information in association with the service identification information, and a reading device that reads the terminal identification information and the service identification information from the reading information sent to the terminal device. And authentication information sending means for sending the authentication information stored in the authentication information storage means in association with the read service identification information to the authentication server device together with the terminal identification information and the service identification information. Equipped with.

  The authentication server device, based on the authentication information sent from the mobile communication device, authentication means for authenticating the use authority of the service identified by the service identification information sent from the mobile communication device; Based on the result of the authentication, the server for providing notification information for notifying permission / prohibition of the provision of the service to the terminal device identified by the terminal identification information sent together with the authentication information used for the authentication Notification information sending means for sending to the device.

  In order to achieve the above object, the present invention provides a providing server device that provides a service to a terminal device, a portable communication device possessed by a user of the terminal device, the providing server device, and the A program for each device in a user authentication system including an authentication server device capable of communicating with a portable communication device is as follows.

  The terminal device comprises a mobile communication device possessed by a user of the terminal device and an authentication server device that authenticates the user based on authentication information sent from the mobile communication device. A program for causing a computer to operate as a providing server device that provides a service to the computer includes the terminal identification information for identifying the terminal device and the service identification information for identifying the service from the terminal device. It is assumed to function as reading information sending means for sending reading information that can be read by the communication device to the terminal device.

  Mobile communication possessed by a user of the terminal device, which constitutes a user authentication system together with a providing server device that provides a service to the terminal device and an authentication server device that authenticates the user of the terminal device A computer that controls the operation of the apparatus, the authentication information storage means for storing authentication information in association with service identification information for identifying the service, and the reading information sent from the providing server apparatus to the terminal apparatus Reading means for reading terminal identification information for identifying a terminal device and the service identification information, and authentication information stored in the authentication information storage means in association with the read service identification information as the terminal identification information and the service Functioning as authentication information sending means for sending to the authentication server device together with identification information; It was.

  A program that causes a computer to operate as an authentication server device that constitutes a user authentication system together with a providing server device that provides a service to a terminal device and a portable communication device possessed by a user of the terminal device, Authentication means for authenticating the use authority of the service identified by the service identification information sent from the portable communication device based on the authentication information sent from the portable communication device, and the authentication based on the result of the authentication As notification information sending means for sending notification information for notifying permission / prohibition of the provision of the service to the terminal device identified by the terminal identification information sent together with the authentication information used for the provision server device It was supposed to function.

  In order to achieve the above object, the present invention provides a providing server device that provides a service to a terminal device, a mobile communication device for a user possessed by a user of the terminal device, and the user An approver portable communication device possessed by an approver who approves the use of the service, an authentication server device capable of communicating with the providing server device, the user mobile communication device, and the approver mobile communication device; The providing server device, the user mobile communication device, the authentication server device, and the approver mobile communication device in the user authentication system comprising the following are configured as follows.

  In the providing server device, the terminal identification information for identifying the terminal device and the service identification information for identifying the service are read from the terminal device to the mobile communication device for user so that the reading information can be read. Read information sending means for sending to the terminal device is provided.

  The mobile communication device for user includes authentication information storage means for storing the authentication information in association with service identification information for identifying the service, and the reading information sent from the providing server device to the terminal device Reading means for reading the terminal identification information and the service identification information from the authentication information stored in the authentication information storage means in association with the read service identification information together with the terminal identification information and the service identification information Authentication information sending means for sending to the authentication server device.

  The authentication server device authenticates the use authority of the service identified by the service identification information sent from the user mobile communication device, based on the authentication information sent from the user mobile communication device. And a user related to the authentication information sent from the user mobile communication device request an approver to approve the use of the service identified by the service identification information sent from the user mobile communication device Approval request information sending means for sending approval request information to be sent to the approver mobile communication device, and notification information indicating whether or not to provide the service determined based on the authentication result and the approval result represented by the approval result information Is sent to the providing server device.

  The approval mobile communication device is provided with approval result information sending means for sending the approval result information representing the result of approval by the approver based on the approval request information to the authentication server device.

  In order to achieve the above object, the present invention provides a providing server device that provides a service to a terminal device, a mobile communication device for a user possessed by a user of the terminal device, and the user An approver portable communication device possessed by an approver who approves the use of the service, an authentication server device capable of communicating with the providing server device, the user mobile communication device, and the approver mobile communication device; The programs for the providing server device, the user mobile communication device, the authentication server device, and the approver mobile communication device in the user authentication system are as follows.

  A program for causing a computer to operate as the providing server device causes the computer to transmit the terminal identification information for identifying the terminal device and the service identification information for identifying the service from the terminal device to the mobile communication device for users. The reading information that can be read is made to function as reading information sending means for sending to the terminal device.

  A computer for controlling the operation of the mobile communication device for user is sent from the providing server device to the terminal device, authentication information storage means for storing the authentication information in association with service identification information for identifying the service. Reading means for reading the terminal identification information and the service identification information from the read information, and authentication information stored in the authentication information storage means in association with the read service identification information. And it shall function as an authentication information sending means which sends to the said server apparatus for authentication with the said service identification information.

  A program for operating a computer as the authentication server device identifies the computer based on service identification information sent from the user portable communication device based on authentication information sent from the user portable communication device. An authentication means for authenticating the use authority of the service, and a service in which a user related to the authentication information sent from the user mobile communication device is identified by the service identification information sent from the user mobile communication device Approval request information sending means for sending approval request information to the approver to approve the use of the approver to the approver mobile communication device, the authentication result and the approval result represented by the approval result information It functions as notification information sending means for sending notification information indicating permission / prohibition of service provision to the providing server device. It was a shall.

  A computer that controls the operation of the approval portable communication device functions as an approval result information sending unit that sends the approval result information representing a result of approval by the approver based on the approval request information to the authentication server device. It was supposed to be.

  According to the present invention, it is possible to prevent leakage of authentication information and ensure high security while reducing the burden on the user.

  Hereinafter, embodiments of the present invention will be described with reference to the drawings.

(First embodiment)
FIG. 1 is a block diagram showing a schematic configuration of a service providing system to which a user authentication system according to the first embodiment is applied.

  The service providing system according to the first embodiment includes a providing server device 1, a terminal device 2, a mobile communication device 3, and an authentication server device 4. The providing server device 1, the terminal device 2, the mobile communication device 3, and the authentication server device 4 can appropriately communicate via the computer network 5 and the mobile communication network 6. The computer network 5 may be any network that allows computers to communicate with each other, but is typically the Internet. The mobile communication network 6 may be any communication network that enables communication of the mobile communication device 3, but is typically a personal digital cellular (PDC) network or a code-division multiple access (CDMA) network. . The providing server device 1, the terminal device 2, the mobile communication device 3, and the authentication server device 4 may each include a plurality.

  The providing server device 1 provides a service to the user via the terminal device 2. The providing server device 1 can use, for example, a general-purpose server device as basic hardware, and includes a CPU 11, a storage unit 12, and a communication processing unit 13. And CPU11 performs control for implement | achieving the various well-known functions with which a known web server is provided, etc. by running the program memorize | stored in the memory | storage part 12. FIG. Further, the CPU 11 performs user authentication support described later by executing a user authentication support program. Here, the user authentication support program may be installed in the storage unit 12 in advance, or may be recorded on a removable recording medium such as a magnetic disk, a magneto-optical disk, an optical disk, or a semiconductor memory, or via a network. What is distributed may be installed in the storage unit 12 as appropriate. The storage unit 12 stores various types of information in addition to the above programs. As the storage unit 12, a storage device such as a memory or a hard disk device built in the general-purpose server device, a storage device such as a memory or a hard disk device externally attached to the general-purpose server device, a magnetic disk, A removable recording medium such as a magneto-optical disk or an optical disk can be used as appropriate. The communication processing unit 13 performs processing for data communication via the computer network 5.

  The terminal device 2 includes a browser 21 and a display unit 22. The browser 21 performs processing for browsing information provided via the computer network 5. The display unit 22 displays a screen created by the browser 21. The terminal device 2 is typically a personal computer. However, various devices having a browsing function such as a portable communication device and a personal digital assistant (PDA) can be applied.

  The mobile communication device 3 includes a CPU 31, a storage unit 32, a camera unit 33, a communication processing unit 34, a display unit 35, and an operation unit 36. The CPU 31 executes a program stored in the storage unit 32 to perform control for realizing various well-known functions included in the well-known portable communication device. Further, the CPU 31 performs user authentication support described later by executing a user authentication support program stored in the storage unit 32. The user authentication support program may be installed in the storage unit 32 in advance, or a program recorded in a removable recording medium such as a semiconductor memory or distributed via a network is stored in the storage unit 32. It may be installed as appropriate. The storage unit 32 stores various information in addition to the above programs. The camera unit 33 captures a subject and outputs image data. The communication processing unit 34 performs processing for wireless communication with the mobile communication network 6 and data communication via the mobile communication network 6. The display unit 35 displays various information to be presented to the user under the control of the CPU 31. The operation unit 36 inputs various instructions from the user. The mobile communication device 3 is typically a mobile phone device having an Internet communication function. However, various devices having an Internet communication function such as a personal digital assistant (PDA) can be applied.

  The authentication server device 4 authenticates whether or not the user of the terminal device 2 has the authority to use the service provided by the providing server device 1. The authentication server device 4 can use, for example, a general-purpose server device as basic hardware, and includes a CPU 41, a storage unit 42, a clock unit 43, and a communication processing unit 44. And CPU41 performs the process mentioned later for user authentication by running the program for user authentication memorize | stored in the memory | storage part 42. FIG. Here, the user authentication program may be installed in the storage unit 42 in advance, or may be recorded on a removable recording medium such as a magnetic disk, a magneto-optical disk, an optical disk, or a semiconductor memory, or via a network. The distributed one may be installed in the storage unit 42 as appropriate. The storage unit 42 stores various types of information in addition to the above programs. As the storage unit 42, a storage device such as a memory or a hard disk device built in the general-purpose server device, a storage device such as a memory or a hard disk device externally attached to the general-purpose server device, a magnetic disk, A removable recording medium such as a magneto-optical disk or an optical disk can be used as appropriate. The clock unit 43 performs a constant clock time and outputs time information indicating the current date and time. The communication processing unit 44 performs processing for data communication via the computer network 5.

  FIG. 2 is a block diagram showing functional units provided for user authentication in each device shown in FIG. 1 and how these functional units cooperate. 2 that are the same as those in FIG. 1 are denoted by the same reference numerals, and detailed description thereof is omitted.

  In the providing server device 1, the CPU 11 operates as the authentication screen creation unit 111, the authentication screen output unit 112, and the service providing unit 113 illustrated in FIG. 2.

  The authentication screen creation unit 111 creates authentication screen information for causing the terminal device 2 to display an authentication screen when it is necessary to authenticate the user of the terminal device 2 that has accessed to use the service. The authentication screen output unit 112 outputs authentication screen information to the terminal device 2. The service providing unit 113 outputs the service content to the terminal device 2 that has been successfully authenticated.

  In the mobile communication device 3, the CPU 31 operates as the barcode decoding unit 311 and the authentication information management unit 312 shown in FIG. A part of the storage area of the storage unit 32 is used as the authentication information storage unit 321 shown in FIG.

  The authentication information storage unit 321 stores authentication information in association with the service identifier. The service identifier is identification information for identifying a service provided by the providing server device 1. The authentication information is information managed by the user in order to authenticate the service use authority. The authentication information storage unit 321 can store a plurality of sets of service identifiers and authentication information. The service identifier and the authentication information stored in the authentication information storage unit 321 are registered by the user of the mobile communication device 3 and can be arbitrarily edited.

  The barcode decoding unit 311 controls the camera unit 33 to capture a barcode, and decodes information represented by the barcode from the image data obtained by the camera unit 33. The authentication information management unit 312 transmits the information decoded by the barcode decoding unit 311 and the authentication information read from the authentication information storage unit 321 based on this information to the authentication server device 4.

  In the authentication server device 4, the CPU 41 operates as the barcode creation unit 411, the authentication processing unit 412, and the authentication result management unit 413 illustrated in FIG. 2. A part of the storage area of the storage unit 42 is used as an authentication information management database (authentication information management DB) 421 and an authentication result management database (authentication result management DB) 422 shown in FIG.

  The authentication information management database 421 stores, for each service provided by the providing server device 1, authentication information of a user who has authority to use the service. The authentication result management database 422 stores information related to successful authentication.

  In response to a request from the authentication screen creation unit 111, the barcode creation unit 411 receives information sent from the authentication screen creation unit 111, information stored in the authentication information management database 421, and time information output by the clock unit 43. Are used to generate connection information, which will be described later, and a barcode representing the connection information is created. The barcode creation unit 411 transmits the created barcode to the authentication screen creation unit 111. The authentication processing unit 412 performs user authentication using information transmitted from the authentication information management unit 312, information stored in the authentication information management database 421, and time information output from the clock unit 43. The authentication result management unit 413 transmits the authentication result from the authentication processing unit 412 to the service providing unit 113. Further, the authentication result management unit 413 updates the authentication result management database 422 based on the authentication result in the authentication processing unit 412.

  Next, the operation of the service providing system configured as described above will be described.

  When the user operates the terminal device 2 to use a certain service and requests an authentication operation, the CPU 11 in the providing server device 1 starts the process shown in FIG. Note that steps Sa1 to Sa5 in FIG. 3 realize the operation as the authentication screen creation unit 111, and step Sa6 realizes the operation as the authentication screen output unit 112.

  In step Sa1, the CPU 11 determines the service identifier of the service that the user is going to use. In step Sa <b> 2, the CPU 11 issues a session key for identifying the connection with the terminal device 2. In subsequent processing related to authentication, this session key is used as terminal identification information for identifying the terminal device 2. However, the terminal identification information may be information that can identify the terminal device 2, and a line number or the like of a direct dedicated line may be used.

  In step Sa <b> 3, the CPU 11 transmits a barcode request to the authentication server device 4. This barcode request includes a service identifier and terminal identification information. After that, the CPU 11 waits for a reply from the authentication server device 4.

  In the authentication server device 4, when a barcode request arrives, the CPU 41 starts the processing shown in FIG. Note that the processing in FIG. 4 realizes the operation as the barcode creating unit 411.

  In step Sb1, the CPU 41 receives the incoming barcode request. In step Sb2, the CPU 41 reads out service information including the service identifier included in the barcode request from the authentication information management database 421. In the authentication information management database 421, service attribute information and user information are stored for each service as shown in FIG. The service attribute information includes service information including, for example, a service identifier, a service notation name, or an authentication server address (URL), and valid period information. The user information includes a plurality of pieces of authentication information related to users who have authority to use the service. The content of the authentication information may be arbitrary, but typically includes a user name and a password as shown in FIG. The service attribute information may include authentication determination conditions such as whether or not multiple authentication is possible.

  In step Sb3, the CPU 41 acquires time information output from the clock unit 43 as issue time information. In step Sb4, the CPU 41 generates a unique issue ID number for each barcode request. In step Sb5, the CPU 41 generates connection information as shown in FIG. 6 including the terminal identification information, service information, issue time information, and issue ID number, and generates a barcode representing the connection information. The barcode may be of any type, but is typically a two-dimensional barcode such as a QR code (registered trademark). The connection information represented by the barcode may be encrypted or plain text.

  Finally, in step Sb6, the CPU 41 transmits the created barcode to the providing server device 1 and completes the processing of FIG.

  If the barcode transmitted from the authentication server device 4 arrives at the providing server device 1 in this way, the CPU 11 receives this barcode in step Sa4. Subsequently, in step Sa5, the CPU 11 creates authentication screen information representing the authentication screen including the barcode. FIG. 7 shows an example of the authentication screen. In the authentication screen shown in FIG. 7, a barcode 71 is arranged at the lower right.

  Finally, in step Sa6, the CPU 11 outputs the authentication screen information to the terminal device 2 and ends the processing of FIG.

  In the terminal device 2, the authentication screen information is displayed on the display unit 22 by the browser 21 processing the authentication screen information. Therefore, the user activates the operation based on the authentication support program of the mobile communication device 3, and then positions the barcode included in the authentication screen displayed on the display unit 22 within the shooting range of the camera unit 33. In this state, a shutter button prepared on the operation unit 36 is pressed.

  When the mobile communication device 3 starts an operation based on the authentication support program, the CPU 31 starts processing as shown in FIG. Note that steps Sc1 to Sc4 in FIG. 8 realize the operation as the barcode decoding unit 311 and steps Sc5 to Sc13 realize the operation as the authentication information management unit 312.

  In step Sc1, the CPU 31 waits for a shooting instruction. If a shooting instruction is issued by pressing the shutter button or the like, the CPU 31 proceeds from step Sc1 to step Sc2. In step Sc2, the CPU 31 drives the camera unit 33 to photograph the barcode. In step Sc3, the CPU 31 extracts a barcode from the image data output from the camera unit 33, and further decodes the barcode to obtain connection information. In step Sc4, the CPU 31 confirms whether connection information has been acquired. If the connection information cannot be acquired, the CPU 31 restarts the process from step Sc2. If the connection information can be acquired, the CPU 31 proceeds from step Sc4 to step Sc5.

  In step Sc5, the CPU 31 reads out authentication information associated with the service identifier included in the connection information from the authentication information storage unit 321. In step Sc <b> 6, the CPU 31 causes the display unit 35 to display an authentication screen reflecting the contents of the read authentication information. FIG. 9 shows an example of the authentication screen. On this authentication screen, a box 91 for inputting the authentication number of the mobile communication device 3 and a send button 92 are prepared.

  In step Sc7 and step Sc8, the CPU 31 waits for an authentication number to be entered in the box 91 or for a transmission instruction to be made. If the operation of inputting the authentication number in the box 91 is performed on the operation unit 36, the CPU 31 proceeds from step Sc7 to step Sc9. In step Sc9, the CPU 31 obtains an input authentication number. Thereafter, the CPU 31 returns to the standby state of steps Sc7 and Sc8. When the authentication number is repeatedly input, the CPU 31 acquires the authentication number in step Sc9 each time. Then, the CPU 31 validates the last acquired authentication number.

  If a transmission instruction is made by clicking the transmission button 92 or the like, the CPU 31 proceeds from step Sc8 to step Sc10. In step Sc10, the CPU 31 authenticates the user based on the authentication number acquired in step Sc9. Note that only one authentication number is registered in the mobile communication device 3 and is irrelevant to authentication information for service authentication. In addition, you may make it perform biometric authentication by the face etc. which used the camera part 33 for user authentication here. Alternatively, if the mobile communication device 3 includes another biometric information sensor such as a fingerprint sensor or a microphone, biometric authentication based on other biometric information such as a fingerprint or voice can be performed.

  In step Sc11, the CPU 31 confirms whether or not the authentication is successful. If the authentication fails, the CPU 31 proceeds from step Sc11 to step Sc12. In step Sc12, the CPU 31 causes the display unit 35 to display an error screen indicating that the authentication number has not been correctly input. Thereafter, the CPU 31 repeats the processes after step Sc6.

  If the authentication in step Sc10 is successful, the CPU 31 proceeds from step Sc11 to step Sc13. In step Sc13, the CPU 31 transmits the connection information decoded from the barcode in step Sc3 and the authentication information read in step Sc5 to the authentication server device 4, and receives the end response from the authentication server device 4 to perform the processing of FIG. Exit. If an error message is sent from the authentication server device 4 at this time, an error message is displayed. The CPU 31 can access the authentication server device 4 using the authentication server address included in the connection information. Access to the authentication server device 4 may be performed using an address registered in advance in the mobile communication device 3. When performing the above-described biometric authentication, the CPU 31 may transmit the biological information acquired for the purpose to the authentication server device 4 and use it as history information in the authentication server device 4. Communication between the mobile communication device 3 and the authentication server device 4 may be encrypted and protected by SSL (secure sockets layer) or the like as necessary.

  In response to the transmission of the connection information and the authentication information from the mobile communication device 3, in the authentication server device 4, the CPU 41 starts processing as shown in FIG. Note that steps Sd1 to Sd5 in FIG. 10 realize the operation as the authentication processing unit 412, and steps Sd6 to Sd10 realize the operation as the authentication result management unit 413.

  In step Sd1, the CPU 41 receives connection information and authentication information.

  In step Sd2, the CPU 41 determines the expiration date of the connection information. Specifically, the CPU 41 searches the authentication information management database 421 for service attribute information including the service identifier included in the connection information, and reads the validity period information included in the service attribute information. Then, the validity period of the connection information is determined based on the validity period indicated by the validity period information and the issue time indicated by the issue time information in the connection information.

  In step Sd3, the CPU 41 confirms whether or not the current time represented by the time information output by the clock unit 43 is within the above expiration date. If it is within the expiration date, the CPU 41 proceeds from step Sd3 to step Sd4. In step Sd4, the CPU 41 makes an authentication judgment by searching whether or not the authentication information is included in the user attribute that forms a pair with the service attribute information including the service identifier included in the connection information. In step Sd5, the CPU 41 confirms whether or not the authentication is successful. If the authentication is successful, the CPU 41 proceeds from step Sd5 to step Sd6.

  In step Sd6, the CPU 41 confirms whether or not it is multiple authentication. Specifically, the CPU 41 searches the authentication result management database 422 for an issue ID number included in the connection information, and determines that multiple authentication is performed when the same issue ID number is found in the authentication result management database 422. If it is not multiple authentication, the CPU 41 proceeds from step Sd6 to step Sd7. In step Sd7, the CPU 41 transmits result information indicating successful authentication and connection information to the providing server apparatus 1. When there are a plurality of providing server devices 1, the CPU 41 selects the providing server device 1 as a transmission destination based on the service identifier and the terminal identification information included in the connection information. Thereafter, in step Sd8, the CPU 41 registers a new data record relating to the current authentication in the authentication result management database 422, and the process of FIG. FIG. 11 is a diagram showing the configuration of a data record related to one authentication stored in the authentication result management database 422. As can be seen from FIG. 11, the authentication result management database 422 stores a data record describing a recording time, an issue ID number, a service identifier, and a user name for each successful authentication. The data record may include information for identifying the mobile phone as information for investigating the cause when an abnormality such as multiple authentication occurs.

  By the way, when the connection information is out of the validity period, when authentication fails, or when multiple authentication is performed, the CPU 41 proceeds from step Sd3, step Sd5, or step Sd6 to step Sd9. In step Sd9, the CPU 41 transmits an error message to the mobile communication device 3. Further, in step Sd10, the CPU 41 transmits the result information indicating the authentication failure and the connection information to the providing server device 1, and the processing of FIG.

  In response to the connection information and the result information being transmitted from the authentication server device 4, the CPU 11 in the providing server device 1 starts processing as shown in FIG. 12. The operation as the service providing unit 113 is realized by the processing shown in FIG.

  In step Se1, the CPU 11 receives connection information and result information. In step Se2, the CPU 11 confirms whether the result information indicates successful authentication. If the result information indicates successful authentication, the CPU 11 proceeds from step Se2 to step Se3. In step Se <b> 3, the CPU 11 performs a service providing process such as providing service content to the terminal device 2. As a result, the display on the display unit 22 of the terminal device 2 is switched from the authentication screen as shown in FIG. 7 to a screen representing the contents of the service content. If the service provision is completed, the CPU 11 ends the process shown in FIG.

  However, if the result information indicates an authentication failure, the CPU 11 proceeds from step Se2 to step Se4. In step Se4, the CPU 11 transmits to the terminal device 2 error screen information for causing the display unit 22 to display an error screen indicating that user authentication has failed, and the processing in FIG.

  As described above, according to the first embodiment, the user can finish inputting the authentication information by photographing the barcode displayed on the terminal device 2 with the mobile communication device 3. Input work is greatly simplified, reducing the burden on the user. Further, the authentication information only needs to be registered in the mobile communication device 3 and does not need to be remembered by the user. Therefore, it is possible to avoid a situation in which service provision cannot be received due to reasons such as forgetting or wrong memory. And since it becomes unnecessary to write out authentication information on paper, the leakage of authentication information by it can be prevented. Further, since authentication information is not input to the terminal device 2, even if spyware or key logger software enters the terminal device 2, the authentication information is not stolen, and it is possible to cope with password leakage due to peeping of key operations. .

  Further, according to the first embodiment, when transmitting authentication information from the mobile communication device 3 to the authentication server device 4, the user is authenticated by the authentication number of the mobile communication device 3. It is possible to prevent spoofing by theft. In addition, it is necessary for the user to input an authentication number into the mobile communication device 3, but this authentication number is always constant regardless of the service to be used. This is simpler than the operation of inputting authentication information for each service. Therefore, the burden on the user is not greatly increased. If biometric authentication is used, the burden on the user is hardly increased.

  In addition, according to the first embodiment, since the connection information to the mobile communication device 3 is input by the barcode, the terminal device 2 only needs to have the display unit 22 that can display the barcode. The terminal device 2 can be used as it is. Also for the mobile communication device 3, a mobile phone device having a camera function can be used. Thus, a dedicated device such as a card reader or a proximity wireless device is not required, and the system can be realized with a simple configuration.

(Second Embodiment)
FIG. 13 is a block diagram showing a schematic configuration of a service providing system to which the user authentication system according to the second embodiment is applied. In FIG. 13, the same parts as those in FIG. 1 are denoted by the same reference numerals, and detailed description thereof is omitted.

  The service providing system according to the second embodiment includes a providing server device 1, a terminal device 2, a mobile communication device 3, an authentication server device 7, and a mobile communication device 8. The providing server device 1, the terminal device 2, the mobile communication device 3, the authentication server device 7, and the mobile communication device 8 can appropriately communicate via the computer network 5 and the mobile communication network 6. The providing server device 1, the terminal device 2, the mobile communication device 3, the authentication server device 7, and the mobile communication device 8 may each include a plurality.

  The authentication server device 7 authenticates whether the user of the terminal device 2 has the authority to use the service provided by the providing server device 1. The authentication server device 7 can use, for example, a general-purpose server device as basic hardware, and includes a CPU 71, a storage unit 72, a clock unit 73, and a communication processing unit 74. Then, the CPU 71 executes a user authentication program stored in the storage unit 72 to perform processing to be described later for user authentication. Here, the user authentication program may be installed in the storage unit 72 in advance, or may be recorded on a removable recording medium such as a magnetic disk, a magneto-optical disk, an optical disk, or a semiconductor memory, or via a network. The distributed one may be installed in the storage unit 72 as appropriate. The storage unit 72 stores various types of information in addition to the above programs. As the storage unit 72, a storage device such as a memory or a hard disk device built in the general-purpose server device, a storage device such as a memory or a hard disk device externally attached to the general-purpose server device, a magnetic disk, A removable recording medium such as a magneto-optical disk or an optical disk can be used as appropriate. The clock unit 73 performs a constant clock time, and outputs time information indicating the current date and time. The communication processing unit 74 performs processing for data communication via the computer network 5.

  The mobile communication device 8 is used by an approver who approves service use by the user. In the second embodiment, the service provided by the providing server device 1 is a service that requires approval by an approver for use, such as a confidential document browsing service. In the case of such a service, the approver is assumed to be a manager of the company to which the user belongs or an information manager. A CPU 81, a storage unit 82, a communication processing unit 83, a display unit 84, and an operation unit 85 are included. The CPU 81 executes a program stored in the storage unit 82 to perform control for realizing various well-known functions included in the well-known portable communication device. Further, the CPU 81 executes an approval process program stored in the storage unit 82 to perform an approval process described later. The approval processing program may be installed in the storage unit 82 in advance, or a program recorded in a removable recording medium such as a semiconductor memory or distributed via a network is appropriately stored in the storage unit 82. May be installed. The storage unit 82 stores various information in addition to the above programs. The communication processing unit 83 performs processing for wireless communication with the mobile communication network 6 and data communication via the mobile communication network 6. The display unit 84 displays various information to be presented to the user under the control of the CPU 81. The operation unit 85 inputs various instructions from the user. The mobile communication device 8 is typically a mobile phone device having an Internet communication function. However, various devices having an Internet communication function such as a personal digital assistant (PDA) can be applied.

  FIG. 14 is a block diagram illustrating a functional unit provided for user authentication in each device illustrated in FIG. 13 and a state of cooperation between the functional units. In FIG. 14, the same parts as those in FIG. 1, FIG. 2, or FIG. 13 are denoted by the same reference numerals, and detailed description thereof is omitted.

In the authentication server device 7, the CPU 71 operates as a barcode creation unit 411, an authentication result management unit 413, an authentication processing unit 711, and a mail transmission unit 712 illustrated in FIG. 14. A part of the storage area of the storage unit 72 is used as an authentication information management database 421, an authentication result management database 422, and an approver management database (approver management DB) 721 shown in FIG. That is, the authentication server device 7 includes an authentication processing unit 711 in place of the authentication processing unit 412 in the authentication server device 4, and newly includes a mail transmission unit 712 and an approver management database 721. Stores the mail address of the mobile communication device owned by the approver in association with each user who has the authority to use the service provided by the providing server device 1.

  The authentication processing unit 711 includes information transmitted from the authentication information management unit 312, an approval result in the mobile communication device 8, information stored in the authentication information management database 421, and time information output from the clock unit 73. User authentication is used. The mail transmission unit 712 transmits an electronic mail (hereinafter referred to as an approval mail) for prompting the approver to approve the mobile communication device 8 via the mobile communication network 6.

  In the mobile communication device 8, the CPU 81 operates as the mail processing unit 811 and the approval information processing unit 812 shown in FIG.

  The mail processing unit 811 receives incoming electronic mail via the mobile communication network 6. The approval information processing unit 812 approves / approves the approver based on the approval request information included in the approval mail received by the mail processing unit 811 and the detailed information of the service provided or the user requesting the approval. Rejection is designated, and approval result information representing this result is transmitted to the authentication server device 7. Detailed information is acquired from the authentication server device 7 as necessary.

  Next, the operation of the service providing system configured as described above will be described.

  When the user operates the terminal device 2 to use a certain service and requests an authentication operation, the providing server device performs processing similar to the processing shown in FIGS. 3, 4 and 8 in the first embodiment. 1. Performed by the terminal device 2 and the portable communication device 3.

  In response to the transmission of the connection information and the authentication information from the mobile communication device 3, in the authentication server device 7, the CPU 71 starts processing as shown in FIG. In FIG. 15, the same processes as those in FIG. 10 are denoted by the same reference numerals, and detailed description thereof is omitted. In FIG. 15, steps Sd1 to Sd4 are not shown. In FIG. 15, steps Sd1 to Sd5 and steps Sf1 to Sf7 realize the operation as the authentication processing unit 711, and steps Sd6 to Sd10 realize the operation as the authentication result management unit 413.

  The CPU 71 authenticates the user by performing steps Sd1 to Sd5 in the same manner as in the first embodiment. If the authentication is successful, the CPU 71 proceeds from step Sd5 to step Sf1.

  In step Sf1, the CPU 71 acquires from the approver management database 721 the approver mail address associated with the user who has succeeded in the authentication. In the approver management database 721, for each registered user, as shown in FIG. 16, the mail address of the mobile communication device 8 owned by the approver is stored in advance as the mail address for the approver. . As shown in FIG. 16, the approver management database 721 can store a plurality of approver mail addresses for one user.

  In step Sf 2, the CPU 71 transmits the obtained approval mail addressed to the approval mail address to the mobile communication network 6. The approval mail is an electronic mail representing the approval request information including the user name in the authentication information received in step Sd1 and the service information in the connection information. The authentication request information may be expressed as text data in the body of the electronic mail, or an arbitrary data file may be attached as an attached file. The approval mail is delivered to the mobile communication device 8 by the mobile communication network 6.

  If any electronic mail is delivered from the mobile communication network 6, the CPU 81 of the mobile communication device 8 starts the process shown in FIG. Step Sg1 in FIG. 17 realizes the operation as the mail processing unit 811 and steps Sg2 to Sg7 realize the operation as the approval information processing unit 812.

  In step Sg1, the CPU 81 receives the electronic mail delivered as described above. Then, the CPU 81 notifies the owner of the portable communication device 8 that the electronic mail has arrived by using a vibrator function or a bell sound. Furthermore, the CPU 81 displays the contents of the electronic mail on the display unit 84 in response to an operation on the operation unit 85. At this time, if the received electronic mail is an approval mail, the approval request information is displayed.

  When the authenticator confirms that the received electronic mail is an approval mail, the authenticator requests activation of an approval process by an operation on the operation unit 85. Therefore, in step Sg2, the CPU 81 confirms whether activation of the approval process is requested. If activation of the approval process is not requested, the CPU 81 ends the process shown in FIG.

  When the activation of the approval process is requested, the CPU 81 proceeds from step Sg2 to step Sg3. In step Sg3, the CPU 81 confirms whether detailed information is necessary. If the approver inputs on the operation unit 85 that detailed information is required, the CPU 81 proceeds from step Sg3 to step Sg4. In step Sg4, the CPU 81 accesses the authentication server device 7 and requests detailed information.

  The CPU 71 of the authentication server device 7 waits for the request for detailed information or the arrival of approval result information in steps Sf3 and Sf4 after transmitting the approval mail in step Sf2. . If the detailed information is requested as described above, the process proceeds from step Sf3 to step Sf5, and the detailed information is transmitted to the mobile communication device 8.

  In step Sg5, the CPU 81 of the mobile communication device 8 receives the detailed information transmitted from the authentication server device 7 as described above. Then, the CPU 81 causes the display unit 84 to display the details of the detailed information. FIG. 18 is a diagram showing an example of a display screen based on detailed information. Thereafter, the CPU 81 proceeds to step Sg6. If the detailed information is not required, the CPU 81 proceeds from step Sg3 to step Sg6.

  Based on the approval request information displayed in step Sg1 or the detailed information displayed in step Sg5, the approver confirmed visually that the user is performing the corresponding operation on the terminal device 2 if necessary. Above, the operation of approval or rejection is performed on the operation unit 85.

  In step Sg6, the CPU 81 inputs the above operation as an approval result. In step Sg7, the CPU 81 transmits the approval result information obtained by combining the input authentication result and the approval request information to the authentication server device 7, and the process of FIG.

  The CPU 71 of the authentication server device 7 proceeds from step Sf4 to step Sf6 when the approval result information transmitted from the mobile communication device 8 arrives as described above. In step Sf6, the CPU 71 confirms whether or not the approver has approved based on the approval result information. If the approver approves, the CPU 71 performs the processing after step Sd6 in the same manner as in the first embodiment. On the other hand, if the approver rejects, the CPU 71 proceeds from step Sf7 to step Sd9, and performs steps Sd9 and Sd10 in the same manner as in the first embodiment.

  When a plurality of approver mail addresses are registered for the user to be authenticated, an approval mail is transmitted to each of the plurality of approver mail addresses. In this case, as the condition for determining the approval in step Sf7, any one of the following may be fixedly applied, or may be selectively applied according to the setting for each user. Also good.

  (1) Approve if all the approvers approve, otherwise reject.

  (2) Approve if a majority of approvers approve, otherwise reject.

  (3) Approve if the prescribed number of approvers approve, otherwise reject.

  As described above, according to the second embodiment, similarly to the first embodiment, it is possible to reduce the burden on the user and further prevent leakage of authentication information.

  Furthermore, according to the second embodiment, the service is provided only when both the first-stage authentication based on the user authentication information and the second-stage authentication based on the approval intention of the approver are successful. For example, it is possible to properly authenticate use authority related to a service that requires approval by an approver for use, such as a confidential document browsing service. According to the second embodiment, since the user does not need to perform any operation in the second stage authentication, the burden on the user is not increased.

  In addition, a personal computer is required for activation of an approval act by a mail for a personal computer to an approver as has been conventionally performed, and a browser or special software is activated on the personal computer, and the approver The login operation of was necessary. However, according to the second embodiment, it is possible to reduce the burden on the approver by sending a mail requesting approval to the mobile communication device, to reduce the burden on the approver, and to enable an approval act in a short time. . As a result, every time a user uses the service, it is possible to provide an environment in which the burden of both the user and the approver can be reduced and the electronic approval action can be performed while reducing the waiting time of the user. .

  This embodiment can be variously modified as follows.

  In each of the embodiments, the connection information may be read by the mobile communication device 3 from the terminal device 2 via a general-purpose wireless communication interface such as infrared communication or Bluetooth (registered trademark).

  In each of the above embodiments, the providing server device 1 may create the barcode.

  In each of the above embodiments, the connection information includes the expiration date information instead of the issue time information, and the authentication server devices 4 and 7 confirm whether or not the expiration date is indicated by the expiration date information. It is also good to do.

  In each of the above-described embodiments, the function of the providing server device 1 and the functions of the authentication server devices 4 and 7 can be realized by the same server device.

  In the second embodiment, a different approval mail address may be set for each service including the service identifier included in the connection information in the approver management database 721.

  Note that the present invention is not limited to the above-described embodiments as they are, and can be embodied by modifying the components without departing from the scope of the invention in the implementation stage. Various inventions can be formed by appropriately combining a plurality of constituent elements disclosed in the respective embodiments. For example, some components may be deleted from all the components shown in each embodiment.

1 is a block diagram showing a schematic configuration of a service providing system to which a user authentication system according to an embodiment of the present invention is applied. The block diagram which showed the mode of a cooperation of those function parts with which each apparatus shown by FIG. 1 is provided for user authentication, and those function parts. The flowchart which shows the process sequence by CPU11 in FIG. The flowchart which shows the process sequence by CPU41 in FIG. The figure which shows the structure of the service attribute information and user information which are memorize | stored in the authentication information management database 421 in FIG. The figure which shows the structure of connection information. The figure which shows an example of the authentication screen displayed on the display part 22 in FIG. 1 and FIG. The flowchart which shows the process sequence by CPU31 in FIG. The figure which shows an example of the authentication screen displayed on the display part 35 in FIG. The flowchart which shows the process sequence by CPU41 in FIG. The figure which shows the structure of the data record regarding one authentication memorize | stored in the authentication result management database 422 in FIG. The flowchart which shows the process sequence by CPU11 in FIG. The block diagram which shows schematic structure of the service provision system with which the user authentication system which concerns on 2nd Embodiment was applied. FIG. 14 is a block diagram illustrating a functional unit included in each device illustrated in FIG. 13 for user authentication and a state of cooperation between the functional units. The flowchart which shows the process sequence by CPU71 in FIG. The figure which shows the structure of the information memorize | stored in the approver management database 721 in FIG. The flowchart which shows the process sequence by CPU81 in FIG. The figure which shows an example of the display screen based on detailed information.

Explanation of symbols

  DESCRIPTION OF SYMBOLS 1 ... Server apparatus for provision, 2 ... Terminal device, 3, 8 ... Mobile communication apparatus, 4, 7 ... Server apparatus for authentication, 5 ... Computer network, 6 ... Mobile communication network, 11, 31, 41, 71, 81 ... CPU, 12, 32, 42, 72, 82 ... storage unit, 13, 34, 44, 74, 83 ... communication processing unit, 21 ... browser, 22, 35, 84 ... display unit, 33 ... camera unit, 36, 85 ... operation unit, 43 ... clock unit, 111 ... authentication screen creation unit, 112 ... authentication screen output unit, 113 ... service providing unit, 311 ... bar code decoding unit, 312 ... authentication information management unit, 321 ... authentication information storage unit, 411 ... Barcode creation unit, 412, 711 ... Authentication processing unit, 413 ... Authentication result management unit, 421 ... Authentication information management database, 422 ... Authentication result management database, Mail transmission unit 712, Approver management Database 721, mail processing unit 811, approved the information processing section 812.

Claims (26)

From a providing server device that provides a service to a terminal device, a portable communication device possessed by a user of the terminal device, the providing server device, and an authentication server device that can communicate with the portable communication device A user authentication system,
The providing server device includes:
Read information sending means for sending to the terminal device reading information that allows the terminal device to read terminal identification information for identifying the terminal device and service identification information for identifying the service from the terminal device to the mobile communication device,
The portable communication device is
Authentication information storage means for storing authentication information in association with the service identification information;
Reading means for reading the terminal identification information and the service identification information from the reading information sent to the terminal device;
Authentication information sending means for sending authentication information stored in the authentication information storage means in association with the read service identification information to the authentication server device together with the terminal identification information and the service identification information. ,
The authentication server device includes:
Authentication means for authenticating the use authority of the service identified by the service identification information sent from the portable communication device based on the authentication information sent from the portable communication device;
Based on the result of the authentication, the server for providing notification information for notifying permission / prohibition of the provision of the service to the terminal device identified by the terminal identification information sent together with the authentication information used for the authentication A user authentication system comprising notification information sending means for sending to a device.   2. The user authentication system according to claim 1, wherein the reading information is information that causes the terminal device to display a barcode representing the terminal identification information and the service identification information. The providing server device includes:
Means for sending the terminal identification information and the service identification information to the authentication server device;
The authentication server device includes:
Means for creating the reading information representing the terminal identification information and the service identification information sent from the providing server device;
The user authentication system according to claim 1, further comprising means for sending the reading information to the providing server device.   The user authentication system according to claim 1, wherein session identification information for identifying a session between the providing server device and the terminal device is used as the terminal identification information. The reading information includes address information indicating an address of the authentication server device,
The reading means reads the address information from the reading information sent to the terminal device,
The user authentication system according to claim 1, wherein the authentication information sending unit sends the authentication information to the authentication server device using an address represented by the read address information. The portable communication device is
A means for authenticating the user;
2. The user authentication system according to claim 1, wherein the authentication information sending means sends the authentication information to the authentication server device only when the user is successfully authenticated. Time information for determining the validity of the reading information over time is included in the reading information,
The reading means reads the time information from the reading information sent to the terminal device,
The authentication information sending means sends the read time information together with the authentication information to the authentication server device,
2. The user authentication system according to claim 1, wherein the authentication unit makes an authentication failure when it cannot be determined that the reading information is valid based on the time information. The reading information includes reading information identification information for identifying the reading information,
The reading means reads the reading information identification information from the reading information sent to the terminal device,
The authentication information sending means sends the read information identification information for reading together with the authentication information to the authentication server device,
The authentication server device further includes identification information storage means for storing the read information identification information sent together with authentication information that has already been authenticated,
2. The user authentication system according to claim 1, wherein the authentication unit makes an authentication failure when the sent read information identification information is stored in the identification information storage unit. The user authentication system includes a plurality of the providing server devices,
The result information sending means selects the providing server device that provides the service identified by the service identification information sent from the portable communication device from among the plurality of providing server devices, and the selected server device The user authentication system according to claim 1, wherein the result information is sent to a providing server device. The providing server device includes:
The user authentication system according to claim 1, further comprising means for starting provision of a service to the terminal device when the notification information represents permission of the service provision to the terminal device. Authentication information storage means for storing authentication information in association with service identification information;
Reading means for reading terminal identification information and service identification information from reading information sent from the providing server device to the terminal device, and authentication stored in the authentication information storage means in association with the read service identification information A portable communication device comprising authentication information sending means for sending information to the authentication server device together with the terminal identification information and the service identification information;
Based on the authentication information sent from the mobile communication device, authentication means for authenticating the use authority of the service identified by the service identification information sent from the mobile communication device, and based on the result of the authentication, Notification information sending means for sending notification information for notifying permission / prohibition of provision of the service to the terminal device identified by the terminal identification information sent together with the authentication information used for authentication to the providing server device Comprising the authentication server device comprising a user authentication system and providing the service to the terminal device, the providing server device comprising:
Reading information sending means for sending the terminal identification information for identifying the terminal device and the service identification information for identifying the service from the terminal device to the portable communication device so that the reading information can be read to the terminal device. A providing server device comprising: The reading information, which provides a service to the terminal device, enables the mobile communication device to read the terminal identification information for identifying the terminal device and the service identification information for identifying the service from the terminal device. A providing server device comprising reading information sending means for sending to the terminal device;
Based on authentication information sent from the mobile communication device, authentication means for authenticating the use authority of the service identified by the service identification information sent from the mobile communication device, and authentication based on the result of the authentication Notification information sending means for sending notification information for notifying permission / prohibition of the provision of the service to the terminal device identified by the terminal identification information sent together with the authentication information used for the provision server device; The mobile communication device comprises a user authentication system together with an authentication server device, and is possessed by a user of the terminal device,
Authentication information storage means for storing the authentication information in association with service identification information for identifying the service;
Reading means for reading the terminal identification information and the service identification information from the reading information sent from the providing server device to the terminal device;
Authentication information sending means for sending the authentication information stored in the authentication information storage means in association with the read service identification information to the authentication server device together with the terminal identification information and the service identification information. A portable communication device. The reading information, which provides a service to the terminal device, enables the mobile communication device to read the terminal identification information for identifying the terminal device and the service identification information for identifying the service from the terminal device. A providing server device comprising reading information sending means for sending to the terminal device;
Authentication information storage means for storing authentication information in association with service identification information;
Reading means for reading terminal identification information and service identification information from reading information sent from the providing server device to the terminal device, and authentication stored in the authentication information storage means in association with the read service identification information An authentication server comprising authentication information sending means for sending information to the authentication server device together with the terminal identification information and the service identification information, and constituting a user authentication system together with a portable communication device possessed by a user of the terminal device A device,
Authentication means for authenticating the use authority of the service identified by the service identification information sent from the mobile communication device based on the authentication information;
Based on the result of the authentication, the server for providing notification information for notifying permission / prohibition of the provision of the service to the terminal device identified by the terminal identification information sent together with the authentication information used for the authentication An authentication server device comprising: notification information sending means for sending to the device. Authentication information storage means for storing authentication information in association with service identification information;
Reading means for reading terminal identification information and service identification information from reading information sent from the providing server device to the terminal device, and authentication stored in the authentication information storage means in association with the read service identification information A portable communication device comprising authentication information sending means for sending information to the authentication server device together with the terminal identification information and the service identification information;
Based on the authentication information sent from the mobile communication device, authentication means for authenticating the use authority of the service identified by the service identification information sent from the mobile communication device, and based on the result of the authentication, Notification information sending means for sending notification information for notifying permission / prohibition of provision of the service to the terminal device identified by the terminal identification information sent together with the authentication information used for authentication to the providing server device Comprising a user authentication system together with the authentication server device comprising: a program for operating a computer as the providing server device for providing the service to the terminal device,
The computer is caused to function as reading information sending means for sending the reading information that enables the terminal identification information and the service identification information to be read from the terminal device to the portable communication device. Program to do. The reading information, which provides a service to the terminal device, enables the mobile communication device to read the terminal identification information for identifying the terminal device and the service identification information for identifying the service from the terminal device. A providing server device comprising reading information sending means for sending to the terminal device;
Based on authentication information sent from the mobile communication device, authentication means for authenticating the use authority of the service identified by the service identification information sent from the mobile communication device, and authentication based on the result of the authentication Notification information sending means for sending notification information for notifying permission / prohibition of the provision of the service to the terminal device identified by the terminal identification information sent together with the authentication information used for the provision server device; A computer that configures a user authentication system together with the authentication server device provided and controls the operation of the portable communication device possessed by a user of the terminal device,
Authentication information storage means for storing the authentication information in association with the service identification information;
Reading means for reading the terminal identification information and the service identification information from the reading information sent from the providing server device to the terminal device;
The authentication information stored in the authentication information storage unit in association with the read service identification information is made to function as an authentication information sending unit that sends the authentication information together with the terminal identification information and the service identification information to the authentication server device. A program characterized by that. The reading information, which provides a service to the terminal device, enables the mobile communication device to read the terminal identification information for identifying the terminal device and the service identification information for identifying the service from the terminal device. A providing server device comprising reading information sending means for sending to the terminal device;
Authentication information storage means for storing authentication information in association with service identification information;
Reading means for reading terminal identification information and service identification information from reading information sent from the providing server device to the terminal device, and authentication stored in the authentication information storage means in association with the read service identification information An authentication server comprising authentication information sending means for sending information to the authentication server device together with the terminal identification information and the service identification information, and constituting a user authentication system together with a portable communication device possessed by a user of the terminal device A program for operating a computer as a device,
The computer,
Authentication means for authenticating the use authority of the service identified by the service identification information sent from the portable communication device based on the authentication information sent from the portable communication device;
Based on the result of the authentication, the server for providing notification information for notifying permission / prohibition of the provision of the service to the terminal device identified by the terminal identification information sent together with the authentication information used for the authentication A program characterized by functioning as notification information sending means for sending to a device. It is possessed by a providing server device that provides a service to a terminal device, a mobile communication device for a user possessed by a user of the terminal device, and an approver who approves the use of the service by the user. A user authentication system comprising an approver mobile communication device, the providing server device, the user mobile communication device, and an authentication server device communicable with the approver mobile communication device,
The providing server device includes:
Reading information sending means for sending reading information enabling the terminal identification information for identifying the terminal device and service identification information for identifying the service to be read from the terminal device to the user portable communication device. With
The mobile communication device for users is
Authentication information storage means for storing authentication information in association with the service identification information;
Reading means for reading the terminal identification information and the service identification information from the reading information sent to the terminal device;
Authentication information sending means for sending authentication information stored in the authentication information storage means in association with the read service identification information to the authentication server device together with the terminal identification information and the service identification information. ,
The authentication server device includes:
Authentication means for authenticating the use authority of the service identified by the service identification information sent from the user mobile communication device based on the authentication information sent from the user mobile communication device;
The user related to the authentication information sent from the user mobile communication device requests the approver to approve the use of a service identified by the service identification information sent from the user mobile communication device. Approval request information sending means for sending approval request information to the mobile communication device for approver,
The approver mobile communication device is:
Approval result information sending means for sending approval result information representing the result of approval by the approver based on the approval request information to the authentication server device;
The authentication server device further includes:
User authentication comprising: notification information sending means for sending notification information indicating permission / prohibition of provision of the service determined based on the authentication result and the approval result represented by the approval result information to the providing server device system.   18. The user authentication system according to claim 17, wherein the approval request information sending means sends the approval request information to the approver's portable communication device by electronic mail. Authentication information storage means for storing authentication information in association with service identification information;
Reading means for reading terminal identification information and service identification information from reading information sent from the providing server device to the terminal device, and authentication stored in the authentication information storage means in association with the read service identification information A mobile communication device for a user comprising authentication information sending means for sending information to the authentication server device together with the terminal identification information and the service identification information;
Authentication means for authenticating the use authority of the service identified by the service identification information sent from the user portable communication device based on the authentication information sent from the user portable communication device; and the authentication The authentication server device comprising notification information sending means for sending notification information indicating permission / prohibition of the provision of the service determined based on the result of the notification to the providing server device;
A user authentication system is configured together with a mobile communication device for approval provided with an approval result information sending means for sending approval result information representing an approval result by an approver based on approval request information to the authentication server device, and the terminal device includes The providing server device that provides the service to the service,
The terminal identification information for identifying the terminal device and the service identification information for identifying the service are read for sending the reading information from the terminal device to the user mobile communication device to the terminal device. A providing server device comprising information sending means. The reading device, which provides a service to a terminal device, enables terminal identification information for identifying the terminal device and service identification information for identifying the service to be read from the terminal device to a mobile communication device for a user. A providing server device comprising reading information sending means for sending information to the terminal device;
Authentication means for authenticating the use authority of the service identified by the service identification information sent from the user portable communication device based on the authentication information sent from the user portable communication device, and the authentication An authentication server device comprising notification information sending means for sending notification information indicating permission / prohibition of the provision of the service determined based on a result to the providing server device;
A user authentication system is configured together with an approval portable communication device including an approval result information sending means for sending approval result information representing an approval result by an approver based on approval request information to the authentication server device, and A portable communication device for a user possessed by a user,
Authentication information storage means for storing the authentication information in association with service identification information for identifying the service;
Reading means for reading the terminal identification information and the service identification information from the reading information sent from the providing server device to the terminal device;
Authentication information sending means for sending the authentication information stored in the authentication information storage means in association with the read service identification information to the authentication server device together with the terminal identification information and the service identification information. A portable communication device for a user characterized by the above. The reading device, which provides a service to a terminal device, enables terminal identification information for identifying the terminal device and service identification information for identifying the service to be read from the terminal device to a mobile communication device for a user. A providing server device comprising reading information sending means for sending information to the terminal device;
Authentication information storage means for storing authentication information in association with service identification information;
Reading means for reading terminal identification information and service identification information from reading information sent from the providing server device to the terminal device, and authentication stored in the authentication information storage means in association with the read service identification information Comprising an authentication information sending means for sending information to the authentication server device together with the terminal identification information and the service identification information, and a portable communication device for a user possessed by a user of the terminal device;
An authentication server device that constitutes a user authentication system together with an approval portable communication device having an approval result information sending means for sending approval result information representing an approval result by an approver based on approval request information to the authentication server device. There,
Authentication means for authenticating the use authority of the service identified by the service identification information sent from the user mobile communication device based on the authentication information sent from the user mobile communication device;
The user related to the authentication information sent from the user mobile communication device requests the approver to approve the use of a service identified by the service identification information sent from the user mobile communication device. Approval request information sending means for sending the approval request information to the mobile communication device for approver;
And a notification information sending means for sending notification information indicating permission / prohibition of the provision of the service determined based on the authentication result and the approval result represented by the approval result information to the providing server device. Server device for authentication. The reading device, which provides a service to a terminal device, enables terminal identification information for identifying the terminal device and service identification information for identifying the service to be read from the terminal device to a mobile communication device for a user. A providing server device comprising reading information sending means for sending information to the terminal device;
Authentication information storage means for storing authentication information in association with service identification information;
Reading means for reading terminal identification information and service identification information from reading information sent from the providing server device to the terminal device, and authentication stored in the authentication information storage means in association with the read service identification information Comprising an authentication information sending means for sending information to the authentication server device together with the terminal identification information and the service identification information, and a portable communication device for a user possessed by a user of the terminal device;
Authentication means for authenticating the use authority of the service identified by the service identification information sent from the user mobile communication device based on the authentication information sent from the user mobile communication device;
The user related to the authentication information sent from the user mobile communication device requests the approver to approve the use of a service identified by the service identification information sent from the user mobile communication device. Approval request information sending means for sending approval request information to the approver's mobile communication device, and notification information indicating whether or not to provide the service determined based on the authentication result and the approval result represented by the approval result information, A mobile communication device for approval constituting a user authentication system together with the authentication server device comprising notification information sending means for sending to a providing server device,
An approval portable communication device comprising: approval result information sending means for sending the approval result information representing the result of approval by the approver based on the approval request information to the authentication server device. Authentication information storage means for storing authentication information in association with service identification information;
Reading means for reading terminal identification information and service identification information from reading information sent from the providing server device to the terminal device, and authentication stored in the authentication information storage means in association with the read service identification information A mobile communication device for a user comprising authentication information sending means for sending information to the authentication server device together with the terminal identification information and the service identification information;
Authentication means for authenticating the use authority of the service identified by the service identification information sent from the user portable communication device based on the authentication information sent from the user portable communication device; and the authentication The authentication server device comprising notification information sending means for sending notification information indicating permission / prohibition of the provision of the service determined based on the result of the notification to the providing server device;
A user authentication system is configured together with a mobile communication device for approval provided with an approval result information sending means for sending approval result information representing an approval result by an approver based on approval request information to the authentication server device, and the terminal device includes A program for operating a computer as the providing server device for providing the service to the service,
The reading information for enabling the computer to read the terminal identification information for identifying the terminal device and the service identification information for identifying the service from the terminal device to the mobile communication device for users. A program that functions as a reading information sending means for sending. The reading device, which provides a service to a terminal device, enables terminal identification information for identifying the terminal device and service identification information for identifying the service to be read from the terminal device to a mobile communication device for a user. A providing server device comprising reading information sending means for sending information to the terminal device;
Authentication means for authenticating the use authority of the service identified by the service identification information sent from the user portable communication device based on the authentication information sent from the user portable communication device, and the authentication An authentication server device comprising notification information sending means for sending notification information indicating permission / prohibition of the provision of the service determined based on a result to the providing server device;
A user authentication system is configured together with an approval portable communication device including an approval result information sending means for sending approval result information representing an approval result by an approver based on approval request information to the authentication server device, and A computer for controlling the operation of the mobile communication device for a user possessed by a user;
Authentication information storage means for storing the authentication information in association with service identification information for identifying the service;
Reading means for reading the terminal identification information and the service identification information from the reading information sent from the providing server device to the terminal device;
Causing authentication information stored in the authentication information storage means to be associated with the read service identification information and functioning as authentication information sending means for sending to the authentication server device together with the terminal identification information and the service identification information. A program characterized by The reading device, which provides a service to a terminal device, enables terminal identification information for identifying the terminal device and service identification information for identifying the service to be read from the terminal device to a mobile communication device for a user. A providing server device comprising reading information sending means for sending information to the terminal device;
Authentication information storage means for storing authentication information in association with service identification information;
Reading means for reading terminal identification information and service identification information from reading information sent from the providing server device to the terminal device, and authentication stored in the authentication information storage means in association with the read service identification information Comprising an authentication information sending means for sending information to the authentication server device together with the terminal identification information and the service identification information, and a portable communication device for a user possessed by a user of the terminal device;
As an authentication server device constituting a user authentication system together with an approval portable communication device provided with an approval result information sending means for sending approval result information representing an approval result by an approver based on approval request information to the authentication server device A program for operating a computer,
The computer,
Authentication means for authenticating the use authority of the service identified by the service identification information sent from the user mobile communication device based on the authentication information sent from the user mobile communication device;
The user related to the authentication information sent from the user mobile communication device requests the approver to approve the use of a service identified by the service identification information sent from the user mobile communication device. Approval request information sending means for sending the approval request information to the mobile communication device for approver;
A program for causing notification information indicating permission / prohibition of provision of the service determined based on the authentication result and the approval result represented by the approval result information to function as notification information sending means for sending to the providing server device . The reading device, which provides a service to a terminal device, enables terminal identification information for identifying the terminal device and service identification information for identifying the service to be read from the terminal device to a mobile communication device for a user. A providing server device comprising reading information sending means for sending information to the terminal device;
Authentication information storage means for storing authentication information in association with service identification information;
Reading means for reading terminal identification information and service identification information from reading information sent from the providing server device to the terminal device, and authentication stored in the authentication information storage means in association with the read service identification information Comprising an authentication information sending means for sending information to the authentication server device together with the terminal identification information and the service identification information, and a portable communication device for a user possessed by a user of the terminal device;
Authentication means for authenticating the use authority of the service identified by the service identification information sent from the user mobile communication device based on the authentication information sent from the user mobile communication device;
The user related to the authentication information sent from the user mobile communication device requests the approver to approve the use of a service identified by the service identification information sent from the user mobile communication device. Approval request information sending means for sending approval request information to the approver's mobile communication device, and notification information indicating whether or not to provide the service determined based on the authentication result and the approval result represented by the approval result information, A computer for controlling the operation of the mobile communication device for authorization that constitutes the user authentication system together with the authentication server device comprising notification information sending means for sending to the providing server device;
A program which functions as an approval result information sending means for sending the approval result information representing a result of approval by the approver based on the approval request information to the authentication server device.

Images