JP2008071233A - Authentication device, authentication system and authentication method - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To provide an authentication system preventing illegal acquisition of information. <P>SOLUTION: When an authentication device communication part 51 receives authentication information and shared information from a user terminal 3, an authentication processing part 53 determines whether the authentication information is legitimate or not. If the authentication information is legitimate, the authentication processing part 53 stores the shared information in an authentication data storage part 52. When the authentication device communication part 51 receives shared information from a pen type authentication device 1, the authentication processing part 53 confirms whether the shared information same as the shared information is stored in the authentication data storage part 52, and authenticates the user terminal 3 as a legitimate user terminal if the shared information same as the shared information is stored in the authentication data storage part 52. <P>COPYRIGHT: (C)2008,JPO&INPIT

Description

  The present invention relates to an authentication apparatus, an authentication system, and an authentication method for performing authentication.

  2. Description of the Related Art Conventionally, an authentication device that performs authentication by a user touching a screen such as a touch panel is known. The user performs authentication by touching a software keyboard or software numeric keypad displayed on the screen of the authentication device and entering a password.

  In such an authentication apparatus, when a user inputs a password, another person can see the password and the password may be stolen.

Japanese Patent Application Laid-Open No. 11-149454 describes an authentication device that performs authentication using a pen. The user presses the screen of the authentication device with a pen. The authentication device reads the coordinates on the pressed screen and compares the coordinates with previously registered coordinates to authenticate whether or not the user is a valid user. This can reduce the possibility that other people can see the password.
Japanese Patent Laid-Open No. 11-149454

  Conventionally, a user cannot authenticate whether or not the user terminal is a valid user terminal. For this reason, there is a possibility that the user may acquire information such as a password and an operation history in an unauthorized user terminal.

  In the authentication device described in Patent Literature 1, it was not possible to authenticate whether the user terminal is a valid user terminal.

  An object of the present invention is to provide an authentication device, an authentication system, and an authentication method capable of preventing unauthorized acquisition of information.

  In order to achieve the above object, an authentication apparatus of the present invention is an authentication apparatus connected to a user terminal and a mobile terminal, and receives authentication information and shared information from a storage unit and the user terminal. An authentication communication unit that receives the shared information from the mobile terminal, and when the authentication communication unit receives the authentication information and the shared information from the user terminal, whether the authentication information is valid authentication information or not. When the authentication information is determined to be valid authentication information, the received shared information is stored in the storage unit, and the authentication communication unit receives the shared information from the portable terminal. When receiving, confirm whether or not the same common information as the received common information is stored in the storage unit, and when the same common information as the received common information is stored in the storage unit, User terminal is legitimate Comprising an authentication unit that authenticates that the user terminal.

  The authentication method of the present invention is an authentication method performed by an authentication device connected to a user terminal and a portable terminal, the receiving step for receiving authentication information and shared information from the user terminal, and the authentication method A determination step for determining whether the information is valid authentication information; a storage step for storing the received shared information when the authentication information is determined to be valid authentication information; A reception step of receiving the shared information from the terminal, a confirmation step of confirming whether the same common information as the common information received from the mobile terminal is stored, and the same as the common information received from the mobile terminal An authentication step for authenticating that the user terminal is a valid user terminal when common information is stored.

  The authentication system of the present invention is an authentication system including a user terminal, a mobile terminal, and the user terminal and an authentication device connected to the mobile terminal, wherein the user terminal is used for authentication. A generating unit that generates information and shared information; and a terminal communication unit that transmits the authentication information and the shared information to the authentication device, wherein the mobile terminal generates the shared information; A portable communication unit that transmits the shared information generated by the generating unit to the authentication device, wherein the authentication device receives the authentication information and the shared information from the storage unit and the user terminal, and An authentication communication unit that receives the shared information from a terminal, and when the authentication communication unit receives the authentication information and the shared information from the user terminal, determines whether the authentication information is valid authentication information And When it is determined that the authentication information is valid authentication information, the received shared information is stored in the storage unit, and when the authentication communication unit receives the shared information from the mobile terminal, the received information is received. Whether the same common information as the received common information is stored in the storage unit. If the same common information as the received common information is stored in the storage unit, the user terminal is authorized. An authentication unit that authenticates the user terminal.

  An authentication method performed by the authentication system of the present invention is an authentication method performed by an authentication system including a user terminal, a mobile terminal, and the user terminal and an authentication device connected to the mobile terminal, A creation step in which the user terminal generates shared information; an authentication creation step in which the user terminal generates authentication information; and the user terminal sends the authentication information and the shared information to the authentication device. A communication step of transmitting to the authentication device, a generation step of generating the shared information, a portable communication step of transmitting the generated shared information to the authentication device, and an authentication device Receiving the authentication information and the shared information from the user terminal; and the authentication device determines whether the authentication information is valid authentication information. A determination step; and a storage step for storing the received shared information when the authentication device determines that the authentication information is valid authentication information; and A receiving step for receiving shared information, a confirmation step for confirming whether or not the authentication device stores the same common information as the common information received from the mobile terminal, and the authentication device from the mobile terminal. An authentication step of authenticating that the user terminal is a legitimate user terminal if the same common information as the received common information is stored.

  According to the above invention, if the authentication information received from the user terminal is valid authentication information, the shared information received from the user terminal is stored. Therefore, only shared information transmitted from a legitimate user terminal is stored. In addition, if the same shared information as the shared information received from the mobile terminal is stored, the user terminal having the same shared information as the mobile terminal is authenticated as a valid user terminal, and the user is authorized It can be seen that the user terminal is being operated.

  For this reason, it is possible to prevent unauthorized acquisition of information.

  The authentication information is a one-time password generated based on the unique information and the shared information, the storage unit stores the unique information, and the authentication unit is used by the authentication communication unit. When the one-time password and the shared information are received from the user terminal, an authentication one-time password is generated based on the received shared information and the unique information stored in the storage unit. If the one-time password matches the received one-time password, it is desirable to determine that the authentication information is valid authentication information.

  According to the above invention, the authentication information is a one-time password generated based on the unique information and the shared information. If the authentication one-time password matches the received one-time password, the authentication information is determined to be valid authentication information.

  For this reason, even if the authentication information is stolen, the authentication information can be prevented from being illegally used.

  The authentication device of the present invention is an authentication device that is connected to a mobile terminal and connected to a user terminal through an authentication communication path that has been authenticated in advance, and includes a storage unit and the user terminal. An authentication communication unit that receives shared information via an authentication communication channel and receives the shared information from the portable terminal, and the authentication communication unit receives the shared information from the user terminal, When shared information is stored in the storage unit, and the authentication communication unit receives the shared information from the mobile terminal, whether or not the same common information as the received common information is stored in the storage unit. And an authenticating unit that authenticates that the user terminal is a valid user terminal when the same common information as the received common information is stored in the storage unit.

  The authentication method of the present invention is an authentication method performed by an authentication apparatus connected to a mobile terminal and connected to a user terminal through a previously authenticated authentication channel, from the user terminal to the user terminal An authentication receiving step for receiving shared information via an authentication communication path, a storing step for storing the received shared information, an authentication receiving step for receiving the shared information from the portable terminal, and a received from the portable terminal A confirmation step for confirming whether or not the same common information as the common information is stored, and when the same common information as the common information received from the portable terminal is stored, the user terminal is an authorized user. And an authentication step for authenticating the terminal.

  The authentication system of the present invention includes a mobile terminal, a user terminal, an authentication device connected to the mobile terminal, and connected to the user terminal through a previously authenticated authentication channel. The user terminal includes a generation unit that generates shared information and a terminal communication unit that transmits the shared information to the authentication device, and the mobile terminal generates the shared information And a mobile communication unit that transmits the shared information generated by the generation unit to the authentication device, the authentication device from the storage unit and the user terminal via the authentication communication path An authentication communication unit that receives shared information and receives the shared information from the portable terminal, and when the authentication communication unit receives the shared information from the user terminal, the received shared information is stored in the storage unit. Remember and also before When the authentication communication unit receives the shared information from the mobile terminal, it confirms whether the same common information as the received common information is stored in the storage unit, and the same common information as the received common information Is stored in the storage unit, the authentication unit authenticates that the user terminal is a valid user terminal.

  Further, the authentication method performed by the authentication system of the present invention includes an authentication connected to a mobile terminal, a user terminal, and the mobile terminal, and connected to the user terminal via a previously authenticated authentication channel. An authentication method performed by an authentication system including: a creation step in which the user terminal generates shared information; and a terminal transmission step in which the user terminal transmits the shared information to the authentication device; The mobile terminal generates the shared information; the mobile terminal transmits the generated shared information to the authentication device; and the authentication device receives the user terminal from the user terminal. An authentication receiving step for receiving the shared information via an authentication communication path; a storing step for storing the received shared information in the authentication device; and Authentication acceptance step for receiving the shared information from, a confirmation step for confirming whether the authentication device stores the same common information as the common information received from the mobile terminal, and the authentication device, An authentication step of authenticating that the user terminal is a valid user terminal when the same common information as the common information received from the portable terminal is stored.

  According to the above invention, since the shared information is received from the user terminal through the authentication communication path authenticated in advance, it is understood that the shared information has been transmitted from a valid user terminal, and the shared information is stored. In addition, if the same shared information as the shared information received from the mobile terminal is stored, the user terminal having the same shared information as the mobile terminal is authenticated as a valid user terminal, and the user is authorized It can be seen that the user terminal is being operated.

  For this reason, it is possible to prevent unauthorized acquisition of information.

  In addition, the display device further includes a display unit that displays an authentication image, and when the mobile terminal contacts a part of the authentication image on the display unit, the display unit displays one of the contacted authentication images. A detection unit that detects a position of the unit, and a display communication unit that transmits the position detected by the detection unit to the user terminal, wherein the user terminal receives the position from the display device. And a table in which the display data indicated at each position of the authentication image is associated with each other, and the position received by the connection unit is displayed as the display data associated with the position in the table. A conversion unit that converts, and the creation unit generates the shared information from the display data converted by the conversion unit, and the portable terminal touches a part of the authentication image of the display unit , A part of the contacted authentication image Includes a reading section reads the display data shown in position, the generating unit preferably generates the shared information from the display data in which the reading unit has read.

  According to the above invention, in the user terminal, the shared information is generated from the display data shown at the position of a part of the authentication image touched by the mobile terminal. In the portable terminal, the shared information is generated from the display data.

  For this reason, the user can have the shared information in both the portable terminal and the user terminal simply by contacting the portable terminal with the authentication image. Therefore, it becomes possible to easily provide shared information to both the mobile terminal and the user terminal.

  The portable terminal further includes an output unit that outputs the shared information generated by the generation unit as output information, and the user terminal includes an acquisition unit that acquires the output information output by the output unit, Preferably, the creation unit generates the shared information from the output information created by the acquisition unit.

  According to said invention, a user terminal acquires the shared information which the portable terminal produced | generated. For this reason, shared information can be provided to both the portable terminal and the user terminal without providing a display device. Therefore, the cost can be reduced.

  The authentication communication unit transmits an authentication result by the authentication unit to the mobile terminal, the mobile communication unit receives the authentication result from the authentication device, and the mobile terminal receives the mobile communication unit. It is desirable to include a notification unit for notifying the user of the authentication result.

  Conventionally, in order to know whether or not the authentication has been correctly performed, the user has confirmed the authentication result notified by the user terminal. However, since the user cannot know whether or not the user terminal is an unauthorized user terminal, the user cannot know whether or not the authentication has been performed correctly.

  According to the above invention, the authentication result is notified from the portable terminal. For this reason, the user can know whether or not the authentication has been performed correctly.

  According to the present invention, it is possible to prevent unauthorized acquisition of information.

  Embodiments of the present invention will be described below with reference to the drawings.

  FIG. 1 is a block diagram showing an authentication system according to an embodiment of the present invention.

  In FIG. 1, the authentication system includes a pen-type authentication device 1, a display 2, a user terminal 3, a wireless reception device 4, and an authentication device 5.

  The pen type authentication device 1 is an example of a mobile terminal. Note that the mobile terminal is not limited to the pen-type authentication device, and can be changed as appropriate.

  The pen type authentication device 1 is connected to the authentication device 5 via the wireless reception device 4. The pen-type authentication device 1 is connected to the wireless receiving device 4 wirelessly.

  The pen type authentication device 1 includes a scanner unit 11, a user data storage unit 12, a generation unit 13, a wireless communication unit 14, and an authentication success notification unit 15.

  The user of the pen type authentication device 1 brings the scanner unit 11 into contact with a part of the screen of the display 2. On the display 2, an authentication image and a confirmation image are displayed.

  The authentication image is, for example, a color or color pattern image, and is an image in which different display data is shown for each position or predetermined range.

  The confirmation image is an image indicating specific data different from the display data. The specific data is, for example, a color or color not included in the authentication image.

  When the scanner unit 11 comes into contact with a part of the authentication image or the confirmation image displayed on the display 2, the scanner unit 11 reads data shown at a part of the contacted image. The scanner unit 11 is an example of a reading unit.

  Since the scanner unit 11 does not know which of the authentication image and the confirmation image has been touched, it is necessary to determine whether the read data is display data or specific data. For example, the scanner unit 11 holds specific data, and determines whether the read data matches the held specific data. If the read data matches the specific data, the scanner unit 11 determines the read data as specific data. If the read data does not match the specific data, the scanner unit 11 displays the read data as display data. Is determined.

  The user data storage unit 12 stores display data read by the scanner unit 11. When the scanner unit 11 reads a plurality of display data before reading the specific data, the user data storage unit 12 changes the order in which the read display data is read each time the display data is read. Add and remember.

  The user data storage unit 12 stores a user ID and registration information in advance. The user ID identifies the user. The registration information is, for example, a password. The registration information is not limited to a password and can be changed as appropriate.

  When the scanner unit 11 reads the specific data, the generation unit 13 generates shared information from the display data stored in the user data storage unit 12. For example, the generation unit 13 generates information combined with the display data as shared information in the order in which the display data is read.

  The generation unit 13 generates user authentication information for authenticating the user.

  For example, the generation unit 13 generates a one-time password as user authentication information based on the shared information and registration information stored in the user data storage unit 12. In this case, for example, the generation unit 13 generates a hash value of information obtained by combining the shared information and registration information as a one-time password.

  The generation unit 13 may generate information including the user ID and registration information stored in the user data storage unit 12 as user authentication information.

  The wireless communication unit 14 is an example of a mobile communication unit. The wireless communication unit 14 has a wireless communication function such as a wireless LAN or Bluetooth.

  The wireless communication unit 14 transmits the user ID stored in the user data storage unit 12, the shared information generated by the generation unit 13, and user authentication information to the authentication device 5 via the wireless reception device 4. .

  Further, the wireless communication unit 14 receives an authentication result from the authentication device 5 from the authentication device 5 via the wireless reception device 4. The authentication result includes an authentication result for user authentication and an authentication result for user terminal 3 authentication. Hereinafter, when the authentication result for the user authentication and the authentication result for the authentication of the user terminal 3 both indicate success, the authentication result by the authentication device 5 indicates success, and the authentication result for the user authentication and the user terminal If at least one of the authentication results for authentication 3 indicates failure, it indicates failure.

  The authentication success notification unit 15 is an example of a notification unit.

  The authentication success notification unit 15 notifies the user of the received authentication result. For example, the authentication success notification unit 15 notifies the authentication result by emitting light, outputting the authentication result by voice, vibrating, or displaying the authentication result. The authentication success notification unit 15 confirms whether or not the received authentication result indicates a successful authentication, and if the authentication result indicates a successful authentication, the authentication success notification unit 15 notifies the user that the authentication has been successful. If the authentication result indicates that the authentication has failed, the notification may be omitted.

  The display 2 is an example of a display device. The display 2 is connected to the user terminal 3 in a wired or wireless manner.

  The display 2 includes a display communication unit 23, a display unit 24, and a detection unit 25.

  The display communication unit 23 receives image information indicating an authentication image and a confirmation image from the user terminal 3. Further, the display communication unit 23 transmits the position detected by the detection unit 25 to the user terminal 3.

  The display unit 24 is, for example, a CRT, LCD, touch panel, or tablet. The display unit 24 is not limited to a CRT, LCD, touch panel, or tablet, and can be changed as appropriate.

  The display unit 24 displays an authentication image and a confirmation image indicated by the image information received by the display communication unit 23. It is assumed that the place where the authentication image and the confirmation image are displayed is determined in advance.

  In FIG. 1, an authentication screen area 21 and an authentication confirmation icon 22 are shown on the display unit 24. The authentication screen area 21 is an area for displaying an authentication image. The authentication confirmation icon 22 is an example of a confirmation image.

  When the pen-type authentication device 1 touches a part of the authentication image or the confirmation image displayed on the display unit 24, the detection unit 25 detects the position of the part of the touched image. This detection method is, for example, a resistance film method or an electromagnetic induction method. This detection method is not limited to the thin film resistance method or the electromagnetic induction method, and can be changed as appropriate. The position detected by the detection unit 25 indicates, for example, coordinates on the screen of the display unit 24.

  The user terminal 3 is connected to the authentication device 5 via the wireless reception device 4. In addition, the user terminal 3 is connected to the wireless reception device 4 wirelessly or by wire.

  The user terminal 3 includes a connection unit 31, a coordinate data conversion unit 32, a terminal data storage unit 33, a terminal generation unit 34, and a terminal communication unit 35.

  The connection unit 31 receives the detected position from the display 2.

  The coordinate data conversion unit 32 is an example of a conversion unit.

  The coordinate data conversion unit 32 holds image information and transmits the image information to the display 2 via the connection unit 31.

  The coordinate data conversion unit 32 holds a table in which the display data shown at each position of the authentication image is associated with each other, and the position of a part of the authentication image received by the connection unit 31 is set as the position. It is converted into display data associated with the table.

  Note that the coordinate data conversion unit 32 does not know which position of the part of the authentication image or part of the confirmation image the connection unit 31 has received, so that the received position is for authentication. It is necessary to determine whether it is a part of the image or a part of the confirmation image.

  For example, the coordinate data conversion unit 32 holds the confirmation position where the confirmation image is displayed, and determines whether or not the received position is included in the confirmation position. When the received position is included in the confirmation position, the coordinate data conversion unit 32 determines the received position as a partial position of the confirmation image, and the received position is the confirmation position. Otherwise, the received position is determined as a partial position of the authentication image.

  The terminal data storage unit 33 stores the display data converted by the coordinate data conversion unit 32. In addition, when the coordinate data conversion unit 32 converts some positions of the plurality of authentication images to display data before receiving the positions of some of the confirmation images, the positions of some of the authentication images are displayed. Each time is converted into display data, the converted display data is stored in the converted order.

  The terminal data storage unit 33 stores a terminal ID and unique information in advance. The terminal ID identifies the user terminal. The unique information is, for example, a password. The terminal data storage unit 33 is an example of a storage unit.

  The terminal generation unit 34 is an example of a creation unit.

  When the connection unit 31 receives a position of a part of the confirmation image, the terminal generation unit 34 generates shared information from the display data stored in the terminal data storage unit 33. For example, the terminal generation unit 34 generates, as shared information, information obtained by combining the display data in the order in which the display data is converted. Note that the terminal generation unit 34 generates shared information by the same method as the method by which the generation unit 13 of the pen-type authentication system generates shared information.

  In addition, the terminal generation unit 34 generates authentication information for authenticating the user terminal 3.

  For example, the terminal generation unit 34 generates a one-time password as authentication information based on the generated shared information, the shared information, and unique information stored in the terminal data storage unit 33. In this case, for example, the terminal generation unit 34 generates a hash value of information obtained by combining the shared information and unique information as a one-time password.

  The terminal generation unit 34 may generate information including the terminal ID and registration information stored in the terminal data storage unit 12 as user authentication information.

  The terminal communication unit 35 transmits the terminal ID stored in the terminal data storage unit 33 and the shared information and authentication information generated by the terminal generation unit 34 to the authentication device 5 via the wireless reception device 4.

  The wireless receiving device 4 is wirelessly connected to the pen type authentication device 1 and is connected to the user terminal 3 and the authentication device 5 by wire or wirelessly.

  The wireless reception device 4 controls communication between the pen type authentication device 1 and the user terminal 3. For example, when receiving an authentication result indicating a successful authentication from the authentication device 5, the wireless reception device 4 permits the connection between the pen-type authentication device 1 and the user terminal 3. Further, after the wireless receiving device 4 is wirelessly connected to the pen type authentication device 1, the wireless receiving device 4 disconnects the connection when the pen type authentication device 1 comes out of the wireless communication range without disconnecting the connection.

  The authentication device 5 includes an authentication device communication unit 51, an authentication data storage unit 52, and an authentication processing unit 53.

  The authentication device communication unit 51 is an example of an authentication communication unit.

  The authentication device communication unit 51 receives a user ID, user authentication information, and shared information from the pen-type authentication device 1, and receives a terminal ID, authentication information, and shared information from the user terminal 3.

  Further, the authentication device communication unit 5 transmits the authentication result by the authentication processing unit 53 to the pen type authentication device 1 via the wireless reception device 4.

  The authentication data storage unit 52 is an example of a storage unit.

  The authentication data storage unit 52 stores the registration information in association with each user ID in advance. Further, the authentication data storage unit 52 stores the unique information in association with each terminal ID in advance.

  The authentication processing unit 53 is an example of an authentication unit.

  The authentication processing unit 53 determines whether or not the authentication information received by the terminal device communication unit 51 is valid authentication information.

  For example, when the authentication information is a one-time password, first, the authentication processing unit 53 includes unique information associated with the received terminal ID and the authentication data storage unit 52, and the authentication device communication unit 51 is a user terminal. Based on the shared information received from 3, a one-time password for authentication of the user terminal 3 is generated. Note that the authentication processing unit 53 generates a one-time password for authentication of the user terminal 3 by the same method as the method by which the terminal generation unit 34 generates a one-time password.

  Subsequently, the authentication processing unit 53 determines whether or not the generated one-time password for authentication matches the received one-time password. If the generated one-time password for authentication matches the received one-time password, the authentication processing unit 53 determines that the received authentication information is valid authentication information.

  When the authentication information is the terminal ID and the unique information, the authentication processing unit 53 checks whether the same unique information as the unique information is associated with the terminal ID and the authentication data storage unit 52. If the same unique information as the unique information is associated with the terminal ID and the authentication data storage unit 52, the authentication processing unit 53 determines that the received authentication information is valid authentication information.

  If the authentication processing unit 53 determines that the received authentication information is valid authentication information, the authentication data storage unit 52 associates the terminal ID and the shared information received by the authentication device communication unit 51 from the user terminal 3 with each other. To remember.

  The authentication processing unit 53 determines whether the user is a valid user.

  For example, when the user authentication information is a one-time password, first, the authentication processing unit 53 includes the registration information associated with the received user ID and the authentication data storage unit 52, and the authentication device communication unit 51. Based on the shared information received from the pen-type authentication device 1, a one-time password for user authentication is generated. Note that the authentication processing unit 53 generates a one-time password for authentication of the user terminal 3 by the same method as the method by which the generation unit 13 generates a one-time password.

  Subsequently, the authentication processing unit 53 determines whether or not the generated one-time password for authentication matches the received one-time password. If the generated one-time password matches the received one-time password, the authentication processing unit 53 determines that the user is a valid user.

  When the user authentication information is a user ID and registration information, the authentication processing unit 53 determines whether or not the same registration information as the registration information is associated with the user ID and the authentication data storage unit 52. Confirm. If the same registration information as the registration information is associated with the terminal ID and the authentication data storage unit 52, the authentication processing unit 53 determines that the user is a valid user.

  Further, the authentication processing unit 53 authenticates whether or not the user terminal 3 is a valid user terminal.

  Specifically, the authentication processing unit 53 checks whether or not the same shared information as the shared information received from the pen type authentication device 1 by the authentication device communication unit 51 is stored in the authentication data storage unit 52. If the same shared information as the received shared information is stored in the authentication data storage unit 52, the authentication processing unit 53 authenticates that the user terminal 3 is a valid user terminal.

  Next, the operation will be described.

  FIG. 2 is a flowchart for explaining an example of the operation of the authentication system.

  In the following, it is assumed that the user authentication information and the authentication information are one-time passwords.

  The coordinate data conversion unit 32 of the user terminal 3 transmits the held image information to the display communication unit 23 of the display 2 via the connection unit 31. When receiving the image information, the display communication unit 23 transmits the image information to the display unit 24. Upon receiving the image information, the display unit 24 displays an authentication image and a confirmation image indicated by the image information.

  Assume that the user makes the scanner unit 11 of the pen-type authentication device 1 contact a part of the authentication image on the display unit 24 a plurality of times, and then contacts the confirmation image on the display unit 24.

  When the user brings the scanner unit 11 into contact with a part of the authentication image, the scanner unit 11 executes Step A-1, and the detection unit 25 of the display 2 executes Step A-3.

  In step A-1, the scanner unit 11 reads data indicated at a part of the touched authentication image and determines whether the read data is specific data. At this time, since the scanner unit 11 is in contact with the authentication image, the scanner unit 11 determines that the read data is display data.

  The scanner unit 11 transmits the display data to the user data storage unit 12. When the user data storage unit 12 receives the display data, the user data storage unit 12 executes Step A-2.

  In step A-2, the user data storage unit 12 stores the display data.

  Steps A-1 and A-2 are repeated until the scanner unit 11 reads specific data from the confirmation image. Further, each time the display data is received, the user data storage unit 12 stores the display data in the order of reception.

  On the other hand, in step A-3, the detection unit 25 detects the touched position and transmits the position to the display communication unit 23. When the display communication unit 23 receives the position, the display communication unit 23 transmits the position to the connection unit 31 of the user terminal 3. When the connection unit 31 receives the position, the connection unit 31 transmits the position to the coordinate data conversion unit 32. When the coordinate data conversion unit 32 receives the position, the coordinate data conversion unit 32 executes Step A-4.

  In step A-4, the coordinate data conversion unit 32 determines whether or not the received position is a partial position of the confirmation image. At this time, since the scanner unit 11 is in contact with the authentication image, the coordinate data conversion unit 32 determines that the received position is the position where the authentication image is displayed, and determines that position as the position and the self image. Is converted into display data associated with the table held in the table.

  The coordinate data conversion unit 32 transmits the converted display data to the terminal data storage unit 33. When the terminal data storage unit 33 receives the display data, the terminal data storage unit 33 executes Step A-5.

  In step A-5, the terminal data storage unit 33 stores the display data.

  Steps A-3 to A-5 are repeated until the detection unit 25 detects the position where the confirmation image is displayed. Further, every time the display data is received, the terminal data storage unit 33 stores the display data in the order of reception.

  Thereafter, when the user brings the scanner unit 11 into contact with the confirmation image, the detection unit 25 executes Step A-6, and the scanner unit 11 executes Step A-13.

  In Step A-6, the detection unit 25 detects the touched position and transmits the position to the display communication unit 23. When the display communication unit 23 receives the position, the display communication unit 23 transmits the position to the connection unit 31 of the user terminal 3. When the connection unit 31 receives the position, the connection unit 31 transmits the position to the coordinate data conversion unit 32. When the coordinate data conversion unit 32 receives the position, the coordinate data conversion unit 32 executes Step A-7.

  In step A-7, the coordinate data conversion unit 32 determines whether or not the received position is a partial position of the confirmation image. At this time, since the scanner unit 11 is in contact with a part of the confirmation image, the coordinate data conversion unit 32 determines that the received position is the position where the confirmation image is displayed, and authenticates the user terminal 3. A terminal authentication request to the effect is transmitted to the terminal generation unit 34. When receiving the terminal authentication request, the terminal generation unit 34 executes Step A-8.

  In Step A-8, the terminal generation unit 34 transmits a terminal acquisition request for acquiring the terminal ID, the unique information, and the display data to the terminal data storage unit 33. Upon receiving the terminal acquisition request, the terminal data storage unit 33 transmits the stored terminal ID, unique information, and display data to the terminal generation unit 34. When receiving the terminal ID, unique information, and display data, the terminal generation unit 34 executes Step A-9.

  In step A-9, the terminal generation unit 34 generates shared information from the display data. Further, the terminal generation unit 34 generates a one-time password for authentication of the user terminal 3 as authentication information based on the shared information and unique information. The terminal generation unit 34 transmits the authentication information, shared information, and terminal ID to the terminal communication unit 35. Upon receiving the authentication information, shared information, and terminal ID, the terminal communication unit 35 executes Step A-10.

  In Step A-10, the terminal communication unit 35 transmits the authentication information, the shared information, and the terminal ID to the authentication device communication unit 51 of the authentication device 5 via the wireless reception device 4. When the authentication device communication unit 51 receives the authentication information, the shared information, and the terminal ID, it executes Step A-11.

  In step A-11, the authentication device communication unit 51 transmits the authentication information, shared information, and terminal ID to the authentication processing unit 53.

  Upon receiving the authentication information, the shared information, and the terminal ID, the authentication processing unit 53 transmits the terminal ID and a specific acquisition request for acquiring the specific information to the authentication data storage unit 52. When receiving the terminal ID and the unique acquisition request, the authentication data storage unit 52 transmits the unique information stored in association with the terminal ID to the authentication processing unit 53.

  Upon receiving the unique information, the authentication processing unit 53 generates a one-time password for authentication of the user terminal 3 by the same method as the terminal generation unit 34 based on the unique information and the shared information.

  Further, the authentication processing unit 53 determines whether or not the one-time password for authentication of the user terminal 3 matches the one-time password that is the received authentication information.

  When the one-time password for authentication of the user terminal 3 matches the received one-time password, the authentication processing unit 53 determines that the authentication information is valid authentication information.

  If the authentication processing unit 53 determines that the authentication information is valid authentication information, it executes Step A-12. If the authentication processing unit 53 determines that the authentication information is not valid authentication information, the authentication processing unit 53 enters a standby state.

  In Step A-12, the authentication processing unit 53 transmits the terminal ID and shared information to the authentication data storage unit 52. The authentication data storage unit 52 stores the shared information and the terminal ID in association with each other.

  On the other hand, in step A-13, the scanner unit 11 reads the data indicated at a part of the contacted confirmation image, and determines whether or not the read data is specific data. At this time, since the scanner unit 11 is in contact with the confirmation image, the scanner unit 11 determines the read data as specific data.

  When the scanner unit 11 determines that the read data is specific data, the scanner unit 11 transmits an authentication request to the generation unit 13. Upon receiving the authentication request, the generation unit 13 executes Step A-14.

  In Step A-14, the generation unit 13 transmits a device acquisition request for acquiring display data, a user ID, and registration information to the user data storage unit 12. When receiving the device acquisition request, the user data storage unit 12 executes Step A-15.

  In step A-15, the user data storage unit 12 transmits the stored display data, user ID, and registration information to the generation unit 13. When the generation unit 13 receives the display data, the user ID, and the registration information, the generation unit 13 executes Step A-16.

  In Step A-16, the generation unit 13 generates shared information from the display data. Moreover, the production | generation part 13 produces | generates a one-time password as information for user authentication based on the shared information and registration information. The generation unit 13 transmits the user ID, user authentication information, and shared information to the wireless communication unit 14.

  When the wireless communication unit 14 receives the user ID, the user authentication information, and the shared information, the wireless communication unit 14 authenticates the authentication device 5 through the wireless reception device 4 with the user ID, the user authentication information, and the shared information. It transmits to the apparatus communication part 51. Upon receiving the user ID, user authentication information, and shared information, the authentication device communication unit 51 executes Step A-17.

  In step A-17, the authentication device communication unit 51 transmits the user ID, user authentication information, and shared information to the authentication processing unit 53. Upon receiving the user ID, user authentication information and shared information, the authentication processing unit 53 executes Step A-18.

  In step A-18, the authentication processing unit 53 transmits the user ID and a registration acquisition request for acquiring registration information to the authentication data storage unit 52. Upon receiving the user ID and the registration acquisition request, the authentication data storage unit 52 executes Step A-19.

  In step A-19, the authentication data storage unit 52 transmits the registration information stored in association with the user ID to the authentication processing unit 53. Upon receiving the registration information, the authentication processing unit 53 executes Step A-20.

  In step A-20, the authentication processing unit 53 receives the registration information received from the authentication data storage unit 52 and the shared information received from the authentication device communication unit 51 (the authentication device communication unit 51 received from the pen type authentication device 1). Based on the shared information), a one-time password for user authentication is generated by the same method as the generation unit 13. The authentication processing unit 53 determines whether or not the generated one-time password for user authentication matches the one-time password that is the received user authentication information. If the one-time password for authentication of the user matches the received one-time password, the authentication processing unit 53 authenticates that the user is a valid user.

  When the authentication processing unit 53 authenticates that the user is a valid user, the authentication processing unit 53 creates an authentication result for the user indicating that the user has been successfully authenticated, while the user is not authenticated if the user is a valid user. Then, an authentication result for the user indicating the user authentication failure is generated.

  The authentication process part 53 will perform step A-21, if the authentication result with respect to a user is produced | generated.

  In step A-21, the authentication processing unit 53 checks whether or not the same shared information as the shared information is stored in the authentication data processing unit 53.

  Specifically, the authentication processing unit 53 outputs the shared information and an ID acquisition request for acquiring the terminal ID to the authentication data storage unit 52. Upon receiving the ID acquisition request and the shared information, the authentication data storage unit 52 transmits the terminal ID to the authentication processing unit 53 if there is a terminal ID associated with the shared information, and if there is no terminal ID. , It transmits to the authentication processing unit 53 that there is no terminal ID.

  When receiving the terminal ID, the authentication processing unit 53 determines that the same shared information as the received shared information is stored. On the other hand, when receiving that there is no terminal ID, the authentication processing unit 53 is the same as the received shared information. It is determined that there is no shared information.

  If the same shared information as the shared information is stored, the authentication processing unit 53 authenticates the user terminal 3 as a valid user terminal.

  When the user terminal 3 authenticates with a valid user terminal, the authentication processing unit 53 creates an authentication result for the user terminal 3 indicating a successful authentication of the user terminal 3, while the user terminal 3 is valid. If the user terminal is not authenticated, an authentication result for the user terminal 3 indicating the authentication failure of the user terminal 3 is generated.

  In the present embodiment, the authentication processing unit 53 uses the received terminal ID as an authentication result for the user terminal 3 indicating a successful authentication.

  When the authentication processing unit 53 generates an authentication result for the user terminal 3, the authentication processing unit 53 executes Step A-22.

  In Step A-22, the authentication processing unit 53 generates an authentication result including an authentication result for the user and an authentication result for the user terminal.

  The authentication processing unit 53 transmits the authentication result to the authentication device communication unit 51. When the authentication device communication unit 51 receives the authentication result, the authentication device communication unit 51 transmits the authentication result to the wireless reception device 4. When receiving the authentication result, the wireless reception device 4 executes Step A-23.

  In step A-23, when the authentication result indicates success, the wireless reception device 4 is connected to the user terminal (the user terminal 3 in this embodiment) specified by the terminal ID that is the authentication result for the user terminal 3. The communication with the pen type authentication device 1 is permitted. When the wireless reception device 4 permits communication, the wireless reception device 4 executes Step A-24.

  When the authentication result indicates a failure of authentication, the wireless reception device 4 skips step A-23 and executes step A-24 when receiving the authentication result.

  In Step A-24, the wireless reception device 4 transmits the authentication result to the wireless communication unit 14 of the pen type authentication device 1. When receiving the authentication result, the wireless communication unit 14 executes Step A-25.

  In Step A-25, the wireless communication unit 14 transmits the authentication result to the authentication success notification unit 15. When the authentication success communication unit 14 receives the authentication result, the authentication success communication unit 14 notifies the user of the authentication result.

  According to the present embodiment, the generation unit 13 of the pen type authentication device 1 generates shared information, and the wireless communication unit 14 transmits the shared information to the authentication device. Further, the terminal generation unit 34 of the user terminal 3 generates authentication information and shared information, and the terminal communication unit 35 transmits the authentication information and shared information to the authentication device 5.

  When the authentication device communication unit 51 of the authentication device 5 receives the authentication information and the shared information from the user terminal 3, the authentication processing unit 53 determines whether or not the authentication information is valid authentication information. If the authentication information is legitimate authentication information, the authentication processing unit 53 stores the shared information in the authentication data storage unit 52.

  When the authentication device communication unit 51 receives the shared information from the pen-type authentication device 1, the authentication processing unit 53 checks whether the same shared information as the shared information is stored in the authentication data storage unit 52. When the same shared information as the shared information is stored in the authentication data storage unit 52, the user terminal 3 authenticates with a valid user terminal.

  In this case, if the authentication information received from the user terminal 3 is valid authentication information, the shared information received from the user terminal 3 is stored. Therefore, only shared information transmitted from a legitimate user terminal is stored. If the same shared information as the shared information received from the pen type authentication device 1 is stored, the user terminal 3 having the same shared information as the pen type authentication device 1 is authenticated as a valid user terminal. It can be seen that the user is operating a legitimate user terminal.

  For this reason, it is possible to prevent unauthorized acquisition of information.

  In the present embodiment, the terminal generation unit 34 generates a one-time password as authentication information based on the unique information stored in the terminal data storage unit 33 and the generated shared information. The authentication processing unit 53 generates a one-time password for authenticating the user terminal based on the shared information received by the authentication device communication unit 51 and the unique information stored in the authentication data storage unit 52. The authentication processing unit 53 determines whether or not the one-time password for authentication of the user terminal matches the received one-time password. If the one-time password for authentication of the user terminal matches the received one-time password, the authentication processing unit 53 determines that the authentication information is valid authentication information.

  In this case, the authentication information is a one-time password generated based on the unique information and the shared information. Whether or not the one-time password is a valid one-time password is authenticated based on whether or not the one-time password for authentication matches the one-time password.

  For this reason, even if the authentication information is stolen, the authentication information can be prevented from being illegally used.

  In the present embodiment, when the pen-type authentication device 1 contacts a part of the authentication image, the detection unit 25 detects the position of the part of the authentication image. The coordinate conversion unit 32 converts the position into display data displayed at the position. The terminal generation unit 34 generates shared information from the converted display data. Further, the scanner unit 11 reads the display data shown at the contacted position. The generation unit 13 generates shared information from the read display data.

  In this case, the user can have the shared information in both the mobile terminal and the user terminal simply by touching the mobile terminal on the screen. Therefore, it becomes possible to easily provide shared information to both the mobile terminal and the user terminal.

  In this embodiment, the authentication device communication unit 51 of the authentication device 5 transmits the authentication result by the authentication processing unit 53 to the pen type authentication device 1. The wireless communication unit 14 of the pen type authentication device 1 receives the authentication result. The authentication success notification unit 15 notifies the user of the received authentication result.

  Conventionally, in order to know whether or not the authentication has been correctly performed, the user has confirmed the authentication result notified by the user terminal. However, since the user cannot know whether or not the user terminal is an unauthorized user terminal, the user cannot know whether or not the authentication has been performed correctly.

  In this embodiment, since the authentication result is notified from the pen-type authentication device 1, the user can know whether or not the authentication has been performed correctly.

  Next, a second embodiment will be described.

  FIG. 3 is a block diagram showing the authentication system of the second embodiment. In FIG. 3, the authentication system includes a mobile phone 100, a user terminal 200, and an authentication device 300.

  The mobile phone 100 is an example of a mobile terminal. The mobile terminal is not limited to the mobile phone and can be changed as appropriate. In addition, the mobile phone 100 is connected to the user terminal 200 and the authentication device 300. For example, the mobile phone 100 is connected by wireless communication such as a user terminal 200 and an authentication device 300, a mobile phone public network wireless line, a LAN, or Bluetooth. Note that the mobile phone 100 may be connected to the user terminal 200 and the authentication device 300 via a wireless reception device.

  The mobile phone 100 includes an input unit 101, a QR code generation unit 102, a storage unit 103, a password generation unit 104, a communication unit 105, and a display unit 106.

  The input unit 101 receives a generation instruction and an authentication instruction from a user.

  The generation instruction is information for generating a QR code. The authentication instruction is information indicating authentication.

  When the input unit 101 receives a generation instruction, the QR code generation unit 102 generates QR code data indicating a QR code. The QR code generation unit 102 generates different QR code data each time the input unit 101 receives a generation instruction. QR code data is an example of shared information. The shared information is not limited to QR code data and can be changed as appropriate. For example, a random number may be used.

  The storage unit 103 stores the QR code data generated by the QR code generation unit 102. The storage unit 103 stores a user ID and registration information in advance.

  When the input unit 101 receives an authentication instruction, the password generation unit 104 generates a one-time password as user authentication information based on the QR code data and registration information stored in the storage unit 103. In this case, for example, the password generation unit 104 generates a hash value of information combining the QR code data and registration information as a one-time password.

  The communication unit 105 is an example of a mobile communication unit.

  The communication unit 105 transmits the user ID, user authentication information, and QR code data to the authentication device 300.

  In addition, the communication unit 105 receives an authentication result from the authentication device 300.

  The display unit 106 displays the QR code data generated by the QR code generation unit 102 as a QR code. The RQ code is an example of output information.

  Further, the display unit 106 displays the authentication result received by the communication unit 105 and notifies the user.

  In this embodiment, the display unit 106 also serves as a notification unit and an output unit. However, the notification unit and the output unit are not limited to the display unit, and may not be the same. For example, the notification unit may notify the user of the authentication result by light emission, voice output, or vibration, and the output unit uses the QR code data as output information by short-range communication such as infrared communication, and the user terminal 200. May be output. When the output unit outputs output information by short-range communication, the user terminal 200 includes a receiver for the short-range communication instead of the camera unit 201 as an acquisition unit.

  The user terminal 200 and the authentication device 300 are connected to each other via the authentication communication path 400. The authentication communication path 400 is a communication path that has been authenticated in advance, such as a dedicated line or a VPN (Virtual Private Network). Note that the authentication communication path is not limited to a dedicated line and VPN as long as the authentication apparatus 300 is a communication line that connects only to a valid user terminal.

  User terminal 200 includes a camera unit 201, a QR code conversion unit 202, a terminal data storage unit 203, a communication unit 204, and a display unit 205.

  The camera unit 201 acquires the QR code displayed on the display unit 106 of the mobile phone 100. The camera unit 201 is an example of an acquisition unit.

  The QR code conversion unit 202 generates QR code data from the QR code acquired by the camera unit 201. The QR code conversion unit 202 is an example of a creation unit.

  The terminal data storage unit 203 stores a terminal ID.

  The communication unit 204 is an example of a terminal communication path.

  The communication unit 204 transmits the QR code data generated by the QR code conversion unit 202 and the terminal ID stored by the terminal data storage unit 203 to the authentication device 300 via the authentication communication path 400.

  Further, the communication unit 204 receives an authentication result by the authentication device 300 from the authentication device 300 via the authentication communication path 400.

  The display unit 205 displays the authentication result received by the communication unit 204.

  The authentication device 300 includes a communication unit 301, an authentication data storage unit 302, and an authentication processing unit 303.

  The communication unit 301 is an example of an authentication communication unit.

  The communication unit 301 receives a user ID, user authentication information, and QR code data from the mobile phone 100, and receives QR code data and a terminal ID from the user terminal 200.

  In addition, the communication unit 301 transmits the authentication result by the authentication processing unit 303 to the mobile phone 100. Further, the communication unit 301 transmits the authentication result to the user terminal 200 via the authentication communication path 400.

  The authentication data storage unit 302 is an example of a storage unit.

  The authentication data storage unit 302 stores registration information in association with each user ID.

  The authentication data storage unit 302 stores the QR code and the terminal ID received by the communication unit 301 from the user terminal 200 in association with each other.

  The authentication processing unit 303 is based on the user ID received by the communication unit 301 from the mobile phone 100, the registration information associated with the authentication data storage unit 302, and the QR code data received by the communication unit 301 from the mobile phone 100. To generate a one-time password for user authentication. Note that the authentication processing unit 303 generates a one-time password by the same method as the method by which the QR code generation unit 102 generates a one-time password.

  The authentication processing unit 303 determines whether or not the generated one-time password for authentication matches the one-time password received by the communication unit 301. When the generated one-time password for authentication matches the received one-time password, the authentication processing unit 303 authenticates that the user is a valid user.

  Further, the authentication processing unit 303 confirms whether or not the same QR code data as the QR code data received by the communication unit 301 from the mobile phone 100 is stored in the authentication storage unit 302. If the same QR code data as the received QR code data is stored in the authentication storage unit 302, the authentication processing unit 303 authenticates that the user terminal 200 is a valid user terminal.

  Next, the operation will be described.

  FIG. 4 is a flowchart for explaining the operation of the authentication system of the second embodiment.

  First, the user inputs a generation instruction to the mobile phone 100. When the QR code is displayed on the mobile terminal 100, the user brings the QR code closer to the user terminal 200 and causes the user terminal to acquire the QR code. Thereafter, it is assumed that the user inputs an authentication instruction to the mobile phone 100.

  In step B-1, the input unit 101 receives a generation instruction from the user and transmits the generation instruction to the QR code generation unit 102. When receiving the generation instruction, the QR code generation unit 102 executes Step B-2.

  In step B-2, the QR code generation unit 102 generates QR code data, and transmits the QR code data to the storage unit 103 and the display unit 106.

  When the storage unit 103 receives the QR code data, the storage unit 103 stores the QR code data.

  On the other hand, when receiving the QR code data, the display unit 106 executes Step B-3.

  In step B-3, the display unit 106 displays the QR code data as a QR code.

  Thereafter, the user brings the displayed QR code closer to the camera unit 201 of the user terminal 200. When the QR code is brought closer, the camera unit 201 executes Step B-4.

  In step B-4, the camera unit 201 reads the approached QR code. When the camera unit 201 reads the QR code, the camera unit 201 executes Step B-5.

  In step B-5, the camera unit 201 transmits the QR code to the QR code conversion unit 202. When receiving the QR code, the QR code converting unit 202 executes Step B-6.

  In step B-6, the QR code conversion unit 202 generates QR code data from the QR code, and transmits the QR code data to the communication unit 204. When receiving the QR code data, the communication unit 204 executes Step B-7.

  In Step B-7, the communication unit 204 transmits an ID acquisition request for acquiring a terminal ID to the terminal data storage unit 203. Upon receiving the ID acquisition request, the terminal data storage unit 203 transmits the stored terminal ID to the communication unit 204.

  Upon receiving the terminal ID, the communication unit 204 transmits the QR code data and the terminal ID to the communication unit 301 of the authentication device 300. When the communication unit 301 receives the QR code data and the terminal ID, it executes Step B-8.

  In Step B-8, the communication unit 301 transmits the QR code data and the terminal ID to the authentication data storage unit 302. When receiving the QR code data and the terminal ID, the authentication data storage unit 302 stores the QR code data and the terminal ID in association with each other.

  In addition, when the user causes the user terminal 200 to acquire QR code data, the user inputs an authentication instruction to the input unit 101 of the mobile phone 100. Thereafter, the input unit 101 executes Step B-9.

  In step B-9, the input unit 101 receives an authentication instruction and transmits the authentication instruction to the password generation unit 104. When the password generation unit 104 receives the authentication instruction, the password generation unit 104 executes Step B-10.

  In step B-10, the password generation unit 104 notifies the storage unit 103 that QR code data, a user ID, and registration information are to be acquired. Upon receipt of this, the storage unit 103 transmits the stored QR code data, user ID, and registration information to the password generation unit 104.

  Upon receiving the QR code data, the user ID, and the registration information, the password generation unit 104 generates a one-time password as user authentication information based on the QR code data and the registration information. When the password generation unit 104 generates the user authentication information, the password generation unit 104 executes Step B-11.

  In step B-11, the password generation unit 104 transmits the user ID, user authentication information, and QR code data to the communication unit 105. When the communication unit 105 receives the user ID, the user authentication information, and the QR code data, the communication unit 105 executes Step B-12.

  In Step B-12, the communication unit 105 transmits the user ID, user authentication information, and QR code data to the communication unit 301 of the authentication device 300. When the communication unit 301 receives the user ID, the user authentication information, and the QR code data, the communication unit 301 executes Step B-13.

  In Step B-13, the communication unit 301 transmits the user ID, user authentication information, and QR code data to the authentication processing unit 303. Upon receiving the user ID, one-time password, and QR code data, the authentication processing unit 303 executes Step B-14.

  In step B-14, the authentication processing unit 303 transmits the user ID and an information acquisition request for acquiring registration information to the authentication data storage unit 302. When receiving the user ID and the information acquisition request, the authentication data storage unit 302 transmits the registration information stored in association with the user ID to the authentication processing unit 303.

  Upon receiving the registration information, the authentication processing unit 303 generates a one-time password for user authentication based on the registration information and the RQ code data received from the communication unit 301. The authentication processing unit 303 determines whether or not the generated one-time password for authentication matches the received one-time password that is user authentication information. If the one-time password for authentication of the user matches the received one-time password, the authentication processing unit 53 authenticates that the user is a valid user.

  If the authentication processing unit 303 authenticates that the user is a valid user, the authentication processing unit 303 creates an authentication result for the user indicating that the user is successfully authenticated, while the user is not authenticated if the user is a valid user. Then, an authentication result for the user indicating the user authentication failure is generated.

  When the authentication processing unit 303 generates an authentication result for the user, the authentication processing unit 303 executes Step B-15.

  In step B-15, the authentication processing unit 303 confirms whether or not the same QR code data as the QR code data received from the mobile phone 100 is stored in the authentication storage unit 302.

  Specifically, the authentication processing unit 303 outputs an ID acquisition request for acquiring a terminal ID and its QR code data to the authentication data storage unit 302. Upon receiving the ID acquisition request and QR code data, if there is a terminal ID associated with the QR code data, the authentication data storage unit 302 transmits the terminal ID to the authentication processing unit 302, and the terminal ID is If not, it is transmitted to the authentication processing unit 302 that there is no terminal ID.

  When the authentication processing unit 303 receives the terminal ID, the authentication processing unit 303 determines that there is the same QR code data as the received QR code data. On the other hand, if the authentication processing unit 303 receives that there is no terminal ID, the received QR code data It is determined that there is no same QR code data as. If the authentication processing unit 303 determines that there is QR code data, the user terminal 200 authenticates with a valid user terminal.

  When the user terminal 200 authenticates with a valid user terminal, the authentication processing unit 303 creates an authentication result for the user terminal 200 indicating a successful authentication of the user terminal 200, while the user terminal 200 is valid. If the user terminal is not authenticated, an authentication result for the user terminal 200 indicating a failure in authentication of the user terminal 200 is generated. In addition, if the authentication with respect to the user terminal 200 is successful, the authentication processing unit 303 uses the terminal ID as an authentication result for the user terminal indicating success.

  In this embodiment, the authentication processing unit 303 uses the received terminal ID as an authentication result for the user terminal 200 indicating a successful authentication.

  In Step B-16, the authentication processing unit 303 generates an authentication result including an authentication result for the user and an authentication result for the user terminal 200, and transmits the authentication result to the communication unit 31.

  When the authentication processing unit 303 transmits the authentication result to the communication unit 301, the authentication processing unit 303 executes Step B-19.

  On the other hand, the communication part 301 will perform step B-17, if an authentication result is received.

  In Step B-17, the communication unit 301 transmits the authentication result to the communication unit 105 of the mobile phone 100. When the communication unit 105 receives the authentication result, the communication unit 105 executes Step B-18.

  In step B-18, the communication unit 301 transmits the authentication result to the display unit 106. When the display unit 106 receives the authentication result, the display unit 106 displays the authentication result.

  Note that when the authentication result indicates a successful authentication, the communication unit 301 permits communication with the user terminal (the user terminal 200 in this embodiment) specified by the terminal ID that is the authentication result. .

  On the other hand, in step B-19, when the authentication result indicates that the authentication is successful, the authentication processing unit 303 transmits the authentication result to the communication unit 301. Further, when the authentication result indicates that the authentication has failed, the authentication processing unit 303 enters a standby state without transmitting the authentication result.

  The communication part 301 will perform step B-20, if the authentication result is received.

  In Step B-20, the communication unit 301 transmits the authentication result to the communication unit 204 of the user terminal 200. When the communication unit 204 receives the authentication result, the communication unit 204 transmits the authentication result to the display unit 205. When the display unit 205 receives the authentication result, the display unit 205 displays the authentication result.

  According to the present embodiment, the authentication device 300 is connected to the user terminal 200 via the authentication communication path 400. The QR code conversion unit 202 of the user terminal 200 generates QR code data. The communication unit 204 transmits the generated QR code data to the authentication device 300 via the authentication communication path 400. The QR code generation unit 102 of the mobile phone 100 generates QR code data. The communication unit 105 transmits the generated QR code data to the authentication device 301.

  When the communication unit 301 of the authentication device 300 receives QR code data from the user terminal 200 via the authentication communication channel 400, the authentication processing unit 303 stores the QR code data in the authentication data storage unit 302. When the communication unit 301 receives QR code data from the mobile phone 100, the authentication processing unit 303 checks whether the same QR code data as the QR code data is stored in the authentication data storage unit 302 and uses it. It is authenticated whether the user terminal 200 is a legitimate user terminal.

  In this case, QR code data is received from the user terminal 200 via the authentication communication path 400 that has been previously authenticated. Therefore, the authentication apparatus 300 recognizes that the shared information is information transmitted from a valid user terminal, and stores the shared information. When the same shared information as the shared information received from the mobile phone 100 is stored, the user terminal 200 having the same shared information as the mobile terminal 100 is authenticated as a valid user terminal, and the user It can be seen that a legitimate user terminal is being operated.

  For this reason, it is possible to prevent unauthorized acquisition of information.

  In this embodiment, the display unit 106 outputs the QR code data generated by the QR code generation unit 102 as a QR code. The camera unit 201 acquires the QR code. The QR code conversion unit 202 generates QR code data from the QR code.

  In this case, the user terminal 200 acquires QR code data generated by the mobile phone 100. For this reason, it is possible to provide both the portable terminal and the user terminal with RQ code data without providing a display device. Therefore, the cost can be reduced.

  In the embodiment described above, the illustrated configuration is merely an example, and the present invention is not limited to the configuration.

It is the block diagram which showed the authentication system of one Example of this invention. It is a flowchart for demonstrating an example of operation | movement of an authentication system. It is the block diagram which showed the authentication system of the other Example of this invention. It is a flowchart for demonstrating the other operation example of an authentication system.

Explanation of symbols

DESCRIPTION OF SYMBOLS 1 Pen type | mold authentication device 11 Scanner part 12 User data memory | storage part 13 Generating part 14 Wireless communication part 15 Authentication successful communication part 2 Display 21 Authentication screen area 22 Authentication confirmation icon 23 Display communication part 24 Display part 25 Detection part 3 User terminal 31 connection unit 32 coordinate data conversion unit 33 terminal data storage unit 34 terminal generation unit 35 terminal communication unit 4 wireless reception device 5 authentication device 51 authentication device communication unit 52 authentication data storage unit 53 authentication processing unit 100 mobile phone 101 input unit 102 QR Code generation unit 103 Storage unit 104 Password generation unit 105 Communication unit 200 User terminal 201 Camera unit 202 QR code conversion unit 203 Terminal data storage unit 204 Communication unit 205 Display unit 300 Authentication device 301 Communication unit 302 Authentication data storage unit 303 Authentication processing Part 400 Authentication channel

Claims (18)

An authentication device connected to a user terminal and a portable terminal,
A storage unit;
An authentication communication unit that receives authentication information and shared information from the user terminal, and receives the shared information from the mobile terminal;
When the authentication communication unit receives the authentication information and the shared information from the user terminal, the authentication communication unit determines whether the authentication information is valid authentication information, and the authentication information is valid authentication information. If it is determined that there is, the received shared information is stored in the storage unit, and when the authentication communication unit receives the shared information from the portable terminal, the same common information as the received common information is stored in the storage unit. An authentication unit that verifies whether or not the user terminal is a valid user terminal when the same common information as the received common information is stored in the storage unit. And an authentication device. The authentication apparatus according to claim 1,
The authentication information is a one-time password generated based on the unique information and the shared information,
The storage unit stores the unique information,
When the authentication communication unit receives the one-time password and the shared information from the user terminal, the authentication unit authenticates based on the received shared information and unique information stored in the storage unit. An authentication apparatus that generates a one-time password for authentication and determines that the authentication information is valid authentication information when the one-time password for authentication matches the received one-time password. An authentication device connected to a mobile terminal and connected to a user terminal through a previously authenticated authentication channel,
A storage unit;
An authentication communication unit that receives shared information from the user terminal via the authentication communication path and receives the shared information from the mobile terminal;
When the authentication communication unit receives the shared information from the user terminal, the received shared information is stored in the storage unit, and when the authentication communication unit receives the shared information from the mobile terminal, It is confirmed whether the same common information as the received common information is stored in the storage unit. When the same common information as the received common information is stored in the storage unit, the user terminal And an authentication unit that authenticates the user terminal as a valid user terminal. An authentication system that includes a user terminal, a mobile terminal, and an authentication device connected to the user terminal and the mobile terminal,
The user terminal is
A creation unit for generating authentication information and shared information;
A terminal communication unit that transmits the authentication information and the shared information to the authentication device,
The portable terminal is
A generating unit for generating the shared information;
A mobile communication unit that transmits the shared information generated by the generation unit to the authentication device,
The authentication device
A storage unit;
An authentication communication unit that receives the authentication information and the shared information from the user terminal and receives the shared information from the mobile terminal;
When the authentication communication unit receives the authentication information and the shared information from the user terminal, the authentication communication unit determines whether the authentication information is valid authentication information, and the authentication information is valid authentication information. If it is determined that there is, the received shared information is stored in the storage unit, and when the authentication communication unit receives the shared information from the portable terminal, the same common information as the received common information is stored in the storage unit. An authentication unit that verifies whether or not the user terminal is a valid user terminal when the same common information as the received common information is stored in the storage unit. And an authentication system. The authentication system according to claim 4,
The user terminal includes a storage unit that stores unique information;
The creation unit generates a one-time password as the authentication information based on the unique information stored in the storage unit and the generated shared information.
The storage unit stores the unique information,
When the authentication communication unit receives the one-time password and the shared information from the user terminal, the authentication unit authenticates based on the received shared information and unique information stored in the storage unit. An authentication system that generates a one-time password for authentication and determines that the authentication information is valid authentication information when the one-time password for authentication matches the received one-time password. An authentication system including a mobile terminal, a user terminal, an authentication device connected to the mobile terminal and connected to the user terminal via a previously authenticated authentication channel,
The user terminal is
A generation unit for generating shared information;
A terminal communication unit that transmits the shared information to the authentication device,
The portable terminal is
A generating unit for generating the shared information;
A mobile communication unit that transmits the shared information generated by the generation unit to the authentication device,
The authentication device
A storage unit;
An authentication communication unit that receives the shared information from the user terminal via the authentication communication path and receives the shared information from the mobile terminal;
When the authentication communication unit receives the shared information from the user terminal, the received shared information is stored in the storage unit, and when the authentication communication unit receives the shared information from the mobile terminal, It is confirmed whether the same common information as the received common information is stored in the storage unit. When the same common information as the received common information is stored in the storage unit, the user terminal An authentication system including an authentication unit that authenticates a legitimate user terminal. The authentication system according to any one of claims 4 to 6,
A display device,
The display device
A display unit for displaying an authentication image;
When the portable terminal contacts a part of the authentication image on the display unit, a detection unit that detects a position of a part of the contacted authentication image;
A display communication unit that transmits the position detected by the detection unit to the user terminal,
The user terminal is
A connection for receiving the position from the display device;
A conversion that holds a table in which display data indicated by each position of the authentication image is associated with each other and converts the position received by the connection unit into display data associated with the position and the table And
The creation unit generates the shared information from the display data converted by the conversion unit,
The portable terminal includes a reading unit that reads display data indicated at a position of a part of the contacted authentication image when contacting a part of the authentication image of the display unit,
The said production | generation part is an authentication system which produces | generates the said shared information from the display data which the said reading part read. The authentication system according to any one of claims 4 to 6,
The portable terminal further includes an output unit that outputs the shared information generated by the generation unit as output information,
The user terminal includes an acquisition unit that acquires output information output by the output unit,
The said production | generation part is an authentication system which produces | generates the said shared information from the output information which the said acquisition part produced. The authentication system according to any one of claims 4 to 8,
The authentication communication unit transmits an authentication result by the authentication unit to the mobile terminal,
The mobile communication unit receives the authentication result from the authentication device,
The said portable terminal is an authentication system containing the notification part which notifies the said authentication result which the said mobile communication part received to the said user. An authentication method performed by an authentication device connected to a user terminal and a portable terminal,
A receiving step of receiving authentication information and shared information from the user terminal;
A determination step of determining whether or not the authentication information is valid authentication information;
A storage step of storing the received shared information when the authentication information is determined to be valid authentication information;
An accepting step of receiving the shared information from the mobile terminal;
A confirmation step for confirming whether the same common information as the common information received from the mobile terminal is stored;
An authentication method comprising: an authentication step of authenticating that the user terminal is a valid user terminal when the same common information as the common information received from the portable terminal is stored. The authentication method according to claim 10,
The authentication device includes a storage unit that stores unique information,
The authentication information is a one-time password generated based on the unique information and the shared information,
The judgment step is
A verification generation step for generating a one-time password for authentication based on the shared information received from the user terminal and the unique information stored in the storage unit;
And a determination step of determining that the authentication information is valid authentication information when the one-time password for authentication matches the received one-time password. An authentication method that is performed by an authentication device that is connected to a mobile terminal and connected to a user terminal via an authentication communication path that has been authenticated in advance,
An authentication receiving step of receiving shared information from the user terminal via the authentication communication path;
Storing the received shared information;
An authentication acceptance step for receiving the shared information from the mobile terminal;
A confirmation step for confirming whether the same common information as the common information received from the mobile terminal is stored;
An authentication method comprising: an authentication step of authenticating that the user terminal is a valid user terminal when the same common information as the common information received from the portable terminal is stored. An authentication method performed by an authentication system including a user terminal, a mobile terminal, and an authentication device connected to the user terminal and the mobile terminal,
A creation step in which the user terminal generates shared information;
An authentication creation step in which the user terminal generates authentication information;
A terminal communication step in which the user terminal transmits the authentication information and the shared information to the authentication device;
A generating step in which the mobile terminal generates the shared information;
A portable communication step in which the portable terminal transmits the generated shared information to the authentication device;
A receiving step in which the authentication device receives the authentication information and the shared information from the user terminal;
A determination step in which the authentication device determines whether the authentication information is valid authentication information; and
When the authentication device determines that the authentication information is valid authentication information, the storage step stores the received shared information;
An accepting step in which the authentication device receives the shared information from the mobile terminal;
A confirmation step in which the authentication device confirms whether the same common information as the common information received from the mobile terminal is stored;
An authentication method comprising: an authentication step for authenticating that the user terminal is a valid user terminal when the authentication apparatus stores the same common information as the common information received from the portable terminal. The authentication method according to claim 13,
The user terminal includes a storage unit that stores unique information;
The authentication device includes a storage unit that stores the unique information,
The user terminal generates a one-time password as the authentication information based on the unique information stored in the storage unit and the generated shared information,
The judgment step is
A verification generating step in which the authentication device generates a one-time password for authentication based on the shared information received from the user terminal and the unique information stored in the storage unit;
An authentication method comprising: a password determination step in which the authentication device determines that the authentication information is valid authentication information when the one-time password for authentication matches the received one-time password; . An authentication method performed by an authentication system including a mobile terminal, a user terminal, and an authentication apparatus connected to the mobile terminal and connected to the user terminal via a previously authenticated authentication channel. And
A creation step in which the user terminal generates shared information;
A terminal transmission step in which the user terminal transmits the shared information to the authentication device;
A generating step in which the mobile terminal generates the shared information;
A portable transmission step in which the portable terminal transmits the generated shared information to the authentication device;
An authentication receiving step in which the authentication device receives the shared information from the user terminal via the authentication communication path;
A storage step in which the authentication device stores the received shared information;
An authentication accepting step in which the authentication device receives the shared information from the mobile terminal;
A confirmation step in which the authentication device confirms whether the same common information as the common information received from the mobile terminal is stored;
An authentication method comprising: an authentication step for authenticating that the user terminal is a valid user terminal when the authentication apparatus stores the same common information as the common information received from the portable terminal. The authentication method according to any one of claims 13 to 15,
The user terminal includes a conversion unit that holds a table in which display data shown at each position is associated with each position of the authentication image;
A display step in which the display device displays an authentication image;
When the display device makes contact with a part of the authentication image, the detection step of detecting a position of a part of the contacted authentication image;
A position transmitting step in which the display device transmits the detected position to the user terminal; and
A position receiving step in which the user terminal receives the position from the display device;
A conversion step in which the user terminal converts the received position into display data associated with the position in the table;
A reading step of reading display data indicated at a position of a part of the touched authentication image when the portable terminal touches a part of the authentication image;
In the creating step, the user terminal generates the shared information from the converted display data,
In the generating unit step, the mobile terminal generates the shared information from the read display data. The authentication method according to any one of claims 13 to 15,
An output step in which the portable terminal outputs the generated shared information as output information;
The user terminal further includes an acquisition step of acquiring the output information output,
In the creating step, the shared information is generated from the acquired output information. The authentication method according to any one of claims 13 to 17,
A result transmitting step in which the authentication device transmits an authentication result by the authentication device to the mobile terminal;
A result receiving step in which the portable terminal receives the authentication result from the authentication device; and
A notification step in which the portable terminal notifies the user of the received authentication result.

Images