JP2008287461A - Authentication apparatus, authentication system, authentication method, and authentication program - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To provide an authentication technique for authenticating one-time passwords of a plurality of tokens to increase user convenience. <P>SOLUTION: An authentication apparatus 4 for authenticating the one-time passwords of a plurality of tokens associated with one account has an authentication storage means 48 in which a password creation key is stored for each of the plurality of tokens; a change means 45 for accepting an instruction from a terminal 2 to change the token, and setting a flag for the password creation key of the designated token in the authentication storage means 48; a request acceptance means 41 for accepting an authentication request from the terminal 2 including a first one-time password, and specifying the password creation key with the flag set thereto from the authentication storage means 48; a creation means 42 for creating a second one-time password based on the password creation key specified; and an authentication means 43 for authenticating whether or not the first one-time password matches the second one-time password, and determining that authentication is successful if they match. <P>COPYRIGHT: (C)2009,JPO&INPIT

Description

  The present invention relates to an authentication technique for authenticating a user's validity using a one-time password.

In recent years, there has been a problem of identity theft such as user IDs and passwords on the Internet, represented by phishing scams. For this reason, there is a need for a technique that ensures higher security and authenticates the legitimacy of the user. For example, Patent Document 1 describes a one-time password authentication system that performs user authentication using a one-time password.
JP2002-259344

  As a device for generating / issuing a one-time password, for example, there are a hard token and a mobile phone (soft token) having a one-time password generation function. One user uses either one token of a hard token or a mobile phone.

  However, there are cases where the user wants to use both a hard token and a mobile phone and switch between them depending on the situation. For example, when a user who normally uses a mobile phone goes on an overseas business trip, he may want to use a hard token only during the overseas business trip. In addition, there are cases where a user who uses a hard token wants to use a mobile phone because it is troublesome to carry the hard token. In addition, a user who owns two mobile phones for business use and private use usually uses a private use mobile phone, but may want to use a business use mobile phone for a certain period.

  The present invention has been made in view of the above circumstances, and an object of the present invention is to provide an authentication technique capable of authenticating one-time passwords of a plurality of tokens, and to improve user convenience.

  In order to solve the above-described problem, the present invention is an authentication device for authenticating one-time passwords of a plurality of tokens corresponding to one account, and an authentication storage unit in which a password generation key is stored for each of the plurality of tokens Receiving a token change instruction from the terminal, accepting an authentication request including a first one-time password from the terminal, a changing means for setting a flag in the password generation key of the instructed token in the authentication storage means, Request receiving means for specifying the password generation key set with the flag from the authentication storage means, generation means for generating a second one-time password based on the specified password generation key, and the request receiving means The first one-time password and the second one-time password generated by the generating means are one Whether to verify, with an authentication means for determining that the authentication has succeeded if they match.

  The present invention is also an authentication system having an issuing device for issuing a one-time password and an authentication device for authenticating the one-time password, the issuing device generating a first one-time password. An issuance management storage means for storing one password generation key; a first request reception means for receiving a password generation request from the first terminal; and a first password generation key based on the first password generation key of the issuance management storage means. Generating a one-time password and transmitting it to the first terminal, and the authentication device includes a plurality of first terminals that acquire the one-time password from the issuing device An authentication storage unit storing a second password generation key for each token, and a token change instruction from the second terminal, and an instruction from the authentication storage unit Change means for setting a flag in the password generation key of the generated token, and an authentication request including a first one-time password generated from the second terminal or a second one-time password generated by an offline token, and the authentication storage Second request receiving means for specifying the second password generation key set with the flag from the means, and second generation for generating a third one-time password based on the specified second password generation key Verifying whether the means and the first or second one-time password received by the second request receiving means match the third one-time password generated by the second generation means; Authentication means for determining that the authentication is successful when the two match.

  Further, the present invention is an authentication method for authenticating one-time passwords of a plurality of tokens corresponding to one account performed by an authentication device, wherein the authentication device stores a password generation key for each of the plurality of tokens. An authentication storage unit, and a processing unit, wherein the processing unit receives a token change instruction from a terminal and sets a flag in a password generation key of the instructed token of the authentication storage unit; A request receiving step of receiving an authentication request including a first one-time password from a terminal, specifying a password generation key with the flag set from the authentication storage unit, and a second one based on the specified password generation key A generating step for generating a time password; a first one-time password received in the request receiving step; Whether or not the second one-time password generated by the generating step is identical to verify, it performs an authentication step of determining that the authentication succeeds if they match.

  Further, the present invention is an authentication program for authenticating a one-time password of a plurality of tokens executed by an authentication apparatus corresponding to one account, and the authentication apparatus stores a password generation key for each of the plurality of tokens. An authentication storage unit, and a processing unit, wherein the processing unit accepts a token change instruction from a terminal and sets a flag in the password generation key of the instructed token in the authentication storage unit; and A request receiving step of receiving an authentication request including a first one-time password from a terminal, specifying a password generation key with the flag set from the authentication storage unit, and a second one based on the specified password generation key A generation step for generating a time password, and a first one-time password received in the request reception step When the second one-time password generated by said generating step to verify whether the match, the authentication step to determine that the authentication has succeeded if they match, thereby executing.

  In the present invention, it is possible to provide an authentication technique capable of authenticating one-time passwords of a plurality of tokens, thereby further improving user convenience.

  Embodiments of the present invention will be described below.

  FIG. 1 is an overall configuration diagram of an authentication system to which an embodiment of the present invention is applied. The user of this authentication system possesses at least one mobile phone 1 and a hard token 5 (offline token) as a device (token) for acquiring or generating a one-time password. And a user shall acquire a one-time password using the token of either the mobile telephone 1 or the hard token 5 according to a condition. Further, it is assumed that the user uses the one-time password acquired using the mobile phone 1 or the hard token 5 when logging in to the Web site of the authentication server 4 from a terminal 2 such as a PC (Personal Computer).

  It is assumed that the user is a user who can use the website service provided by the authentication server 4 and has registered in advance on the website of the authentication server 4 and has acquired a user ID (account).

  In the illustrated authentication system, it is assumed that one user owns two mobile phones 1 (for example, for business use and private use). The mobile phone 1 is a browser-type token that acquires a one-time password from the issuing server 3 via a network 8 such as a mobile phone network. The mobile phone 1 includes an instruction receiving unit that receives user instructions and a display unit that displays various information and screens, and has the same function as a browser. The mobile phone 1 is assumed to store a mobile phone ID (terminal identification information) such as a machine identification number in advance in a storage device such as a memory (not shown). The memory or the like in which the mobile phone ID is stored may be an IC card that can be detached from the mobile phone 1.

  In addition to the mobile phone 1, the user owns an offline token 5 that generates a one-time password. The offline token is a token other than the case of acquiring a one-time password issued by the issuing server 3 from the mobile phone 1, such as a hard token 5 or a soft token. In the present embodiment, the hard token 5 is used as the offline token. The hard token 5 includes a generation unit that generates a one-time password, a display unit that displays the generated one-time password, and a storage unit such as a memory that stores information for generating the one-time password.

  The terminal 2 is connected to the authentication server 4 via a network 9 such as the Internet. The terminal 2 includes an instruction receiving unit that receives user instructions and a display unit that displays various types of information and screens, and has the same function as a browser.

  The issuing server 3 generates a one-time password in response to a request from the mobile phone 1 and transmits it to the mobile phone 1. The issuance server 3 shown in the figure changes a setting of the issuance management table 35 by receiving a request reception unit 31 that receives a request from the mobile phone 1, a generation unit 32 that generates a one-time password, and a change notification from the authentication server 4. And a change management table 35. In the issue management table 35, various types of information necessary for issuing a one-time password are registered.

  The authentication server 4 authenticates the one-time password input from the terminal 2 and provides a predetermined service when the authentication is successful. The illustrated authentication server 4 includes a request reception unit 41 that receives an authentication request such as a login request, a generation unit 42 that generates a one-time password, an authentication unit 43 that authenticates a one-time password, and a task that performs various business processes. A processing unit 44, a changing unit 45 that receives a request to change the token used from the terminal 2 and changes the setting of the authentication table 48, a requesting unit 46 that requests the one-time password generated by the hard token 5, and an authentication table 48 A correction unit 47 that corrects the counter and an authentication table 48. Various types of information necessary for one-time password authentication are registered in the authentication table 48.

  Next, the issue management table 35 of the issue server 3 and the authentication table 48 of the authentication server 4 will be described.

  FIG. 2 is a diagram illustrating an example of the issue management table 35 of the issue server 3. The issue management table shown in the figure includes a user ID 201, a PIN (Personal Identification Number) 202, a counter 203, a token type 204, a mobile phone ID 205, a password generation key 206, and a flag 207. Since the user of this embodiment has two mobile phones 1, the issue management table 35 shown in the figure has a mobile phone ID 205, a password generation key 206, and a flag 207 for each mobile phone 1.

  The PIN 202 is a personal identification number arbitrarily set by the user. The counter 203 is set with variable information for generating a different one-time password each time. In this embodiment, since the one-time password is generated using the counter synchronization method, the counter 203 is set with the number of one-time password generation times. However, the number of generations is not limited. For example, when a one-time password is generated using a time synchronization method, the value of variable information may be changed using time information (time stamp) or the like.

  As the mobile phone ID 205, for example, it is conceivable to use the machine identification number of the mobile phone 1, the phone number of the mobile phone, user information stored in the IC memory of the mobile phone, and the like. The password generation key 206 is a predetermined character string (so-called seed) for generating a one-time password, and a unique character string is assigned to each mobile phone 1 in this embodiment. Information for determining the token currently used by the user is set in the flag 207. In the present embodiment, it is assumed that a token whose flag 207 is set to “ON” is currently used, and a token whose “OFF” is set is not currently used. That is, the issuing server 3 issues a one-time password only for a token for which “ON” is set in the flag 207 and does not issue a one-time password for a token for which “OFF” is set. .

  FIG. 3 is a diagram illustrating an example of the authentication table 48 of the authentication server 4. The illustrated authentication table 48 includes a user ID 301, a counter 302, a token type 303, a password generation key 304, a flag 305, and a one-time password 306 at the time of change. In this embodiment, since one user owns three tokens, that is, two mobile phones 1 and a hard token 5, the illustrated authentication table 48 has a password generation key 304 and a flag 305 for each token.

  The counter 302 is set with variable information for generating a different one-time password each time (in this embodiment, the number of times a one-time password is generated). Note that the value set in the counter 302 is corrected by a process described later every time the token to be used is changed. The password generation key 304 is a predetermined character string (so-called seed) for generating a one-time password, and a unique character string is assigned to each token. When the token is the mobile phone 1, the information set in the password generation key 304 is the same as the information set in the corresponding password generation key 206 in the issue management table 35. When the token is the hard token 5, the information set in the password generation key 304 is the same as the information stored in the storage unit of the hard token 5 owned by the user with the corresponding user ID.

  Information for determining the token currently used by the user is set in the flag 305. In the present embodiment, it is assumed that a token whose flag 305 is set to “ON” is currently used, and a token whose “OFF” is set is not currently used. In the present embodiment, it is assumed that one user selects any one token according to the situation, and logs in to the authentication server 4 from the terminal 2 using the one-time password acquired with the token.

  The changed one-time password 306 is set with the one-time password generated by the hard token 5 when the token is changed to a hard token in the token changing process described later.

  The mobile phone 1, terminal 2, issue server 3, and authentication server 4 described above all include a CPU 901, a memory 902, an external storage device 903 such as an HDD, a keyboard, a mouse, and the like as shown in FIG. 4, for example. A general-purpose computer system including an input device 904, an output device 905 such as a display or a printer, and a communication control device 906 for connecting to a network can be used. In this computer system, the CPU 901 executes a predetermined program loaded on the memory 902, thereby realizing each function of each device.

  For example, the functions of the issuing server 3 and the authentication server 4 are executed by the CPU 901 of the issuing server 3 in the case of the program for the issuing server 3, and the CPU 901 of the authentication server 4 in the case of the program for the authentication server 4, respectively. It is realized by doing.

  Note that the issue management table 35 of the issue server 3 uses the memory 902 or the external storage device 903 of the issue server 3. It is assumed that the memory 902 or the external storage device 903 of the authentication server 4 is used for the authentication table 48 of the authentication server 4. In addition, regarding the input device 904 and the output device 905, each device is provided as necessary.

  Next, the one-time password acquisition process will be described. The user acquires a one-time password using the mobile phone 1 or the hard token 5 before logging in to the authentication server 4 website using the terminal 2, and inputs the acquired one-time password together with the user ID from the terminal 2. To do. First, a first process of acquiring a one-time password from the issuing server 3 using the mobile phone 1 that is a browser type token will be described.

  FIG. 5 is a sequence diagram of the first one-time password issuing process. FIG. 6 shows an example of various screens (screen transitions) displayed on the output device of the mobile phone 1.

  First, the mobile phone 1 receives a user instruction, specifies a predetermined URL (Uniform Resource Locator), accesses the issuing server 3, and displays, for example, a menu screen 61 shown in FIG. 6 on the output device. Then, the mobile phone 1 accepts the user instruction and transmits a one-time password issue request to the issue server 3 (S11). In the illustrated example, it is assumed that the user clicks an OTP issue button on the menu screen 61.

  When receiving the one-time password issuing request, the request receiving unit 31 of the issuing server 3 transmits a PIN input screen to the mobile phone 1 (S12). For example, the mobile phone 1 displays a PIN input screen 62 shown in FIG. 6 on the output device. The user inputs a PIN registered in advance in the issuing server 3 on the PIN input screen 62. Then, the cellular phone 1 transmits the input PIN to the issuing server 3 (S13). It is assumed that the mobile phone 1 also transmits the mobile phone ID stored in the memory or the like of the mobile phone 1 when transmitting information to the issuing server 3.

  The request receiving unit 31 of the issuing server 3 specifies the PIN corresponding to the mobile phone ID received from the issue management table 35 (see FIG. 2), and whether the PIN and the PIN transmitted from the mobile phone match. Validate. Then, the request reception unit 31 refers to the issue management table 35 and, when the flag corresponding to the received mobile phone ID is “ON”, the generation unit generates a password generation key for the mobile phone ID and a corresponding counter. 32 (S16).

  If the PINs do not match, the request reception unit 31 determines that the request is from an unauthorized user and transmits an error message to the mobile phone 1. When the received mobile phone ID flag is “OFF”, the request receiving unit 31 determines that the request is a one-time password issue request from a token that is not currently used, and transmits an error message to the mobile phone 1. .

  The generation unit 32 generates a one-time password by a predetermined algorithm (for example, a one-way function such as a hash function) based on the transmitted password generation key and counter (S15). Then, the generation unit 32 increments the value of the counter 203 in the issue management table 35 by one, and changes the value of the counter (S16).

  Then, the generation unit 32 of the issuing server 3 transmits a one-time password display screen including the generated one-time password to the mobile phone 1 (S17). For example, the mobile phone 1 displays the one-time password display screen 63 of FIG. 6 on the output device. When the user logs in to the website from the terminal 2, the user inputs the one-time password displayed on the mobile phone 1.

  Next, the second one-time password issuing process using the hard token 5 will be described.

  In the storage unit of the hard token 5, a password generation key of a user ID assigned to a user who uses the hard token 5 is set. The same password generation key stored in the hard token 5 and the password generation key of the corresponding user ID in the authentication table 48 are set. In this embodiment, in order to generate a one-time password using the counter synchronization method, the storage unit of the hard token 5 is provided with a counter that stores the number of times the one-time password is generated.

  When the user logs in to the Web site of the authentication server 4, the user inputs a one-time password generation instruction by operating the input device of the hard token 5. Thereby, the generation unit of the hard token 5 is based on the password generation key stored in the storage unit and the counter, and a predetermined algorithm similar to the generation unit 32 of the issuing server 3 (for example, one-way such as a hash function) The one-time password is generated by the sex function, and the counter value is incremented by one. Then, the display unit of the hard token 5 displays the generated one-time password on a display device such as a display.

  Next, a one-time password authentication process and a process for changing a token to be used will be described.

  FIG. 7 is a sequence diagram of the one-time password authentication process and the token change process. FIG. 8 shows an example of various screens (screen transitions) of the terminal 2 when changing from the mobile phone 1 which is a browser type token to a hard token. FIG. 9 shows an example of various screens of the terminal 2 when changing from a hard token to the mobile phone 1 which is a browser type token.

  First, with reference to FIG. 8, a process of logging in to the authentication server 4 using the one-time password acquired by the mobile phone 1 and then changing the token to be used to the hard token 5 will be described. In order to ensure security, in the present embodiment, it is assumed that the token can be changed after successful authentication of the one-time password.

  First, the terminal 2 receives a user instruction, designates a predetermined URL, accesses the Web site of the authentication server 4, and displays a login screen provided by the authentication server 4 on the output device. A login screen 81 shown in FIG. 8A displays a user ID input field and a password input field. The user inputs the user ID registered in advance on the website and the one-time password acquired using the mobile phone 1 in the respective input fields. The terminal 2 transmits a login request including the user ID and the one-time password to the authentication server 4 (S31).

  The request reception unit 41 of the authentication server 4 acquires a password generation key whose flag and the flag corresponding to the received user ID are turned on from the authentication table 48 (see FIG. 3), and sends the password generation key to the generation unit 42. . Further, when the password generation key whose issue flag is ON is that of the hard token 5 and the first login request after changing to the hard token 5 (S32: YES), the request reception unit 41 will be described later. Counter correction is performed (S33). The request receiving unit 41 determines that it is the first login request after changing to the hard token 5 when a one-time password is set in the OTP at the time of changing the authentication table 48.

  Here, since it is a browser type token of the mobile phone 1 (S32: NO), the process proceeds to S34. If the received user ID does not exist in the authentication table 48, the request receiving unit 41 determines that the request is from an unregistered or unauthorized user and transmits an error message to the terminal 2.

  The generation unit 42 generates a one-time password based on the transmitted password generation key and counter using the same algorithm as the generation unit 32 of the issuing server 3 and the generation unit of the hard token 5 (S34). Then, the generation unit 42 increments the counter value of the record in the authentication table 48 by one (S35).

  Then, the authentication unit 43 verifies whether or not the one-time password specified in the login request in S31 matches the one-time password generated by the generation unit 42 (S36). If the one-time passwords match, the authentication unit 43 authenticates that the request is a login request from a legitimate user, and if the authentication is successful, transmits a screen after authentication to the terminal 2 (S37). If the one-time passwords do not match, the authentication unit 43 transmits an error message indicating that the authentication has failed to the terminal 2.

  For example, the terminal 2 displays a post-authentication screen 82 illustrated in FIG. 8A on the output device. The illustrated post-authentication screen 82 displays various services provided by the authentication server 4 and includes a “token change” service. The user selects “token change”, whereby the terminal 2 transmits a token change request to the authentication server 4 (S38). When a service other than “change token” is selected, the business processing unit 44 of the authentication server 4 provides the selected service to the user.

  When receiving the token change request, the changing unit 45 of the authentication server 4 transmits, for example, a token change screen 83 illustrated in FIG. 8A to the terminal 2 (S39). The changing unit 45 refers to the authentication table 48 and sets the radio button of the token whose flag is “ON” (in the screen 83, the mobile phone (1)) to the selected state.

  The terminal 2 displays the token change screen 83 on the output device. The user inputs an instruction to change to the hard token 5 from the token change screen 83. As a result, the token change screen 83 becomes the state of the token change screen 84 in which the hard token is selected. The terminal 2 transmits an instruction to change to the hard token 5 selected on the token change screen 84 to the authentication server 4 (S40).

  The changing unit 45 of the authentication server 4 that has received the change instruction updates the flag of the authentication table 48 (S41). In the case illustrated in FIG. 8A, the changing unit 45 changes the flag of the mobile phone (1) in the authentication table 48 from “ON” to “OFF” and changes the hard token flag from “OFF” to “ON”. Change to As a result, for the one-time password other than the hard token, authentication by the authentication server 4 fails.

  Then, the changing unit 45 transmits a token change notification including the changed token and the user ID to the issuing server 3 (S42). The changing unit 33 of the issuing server 3 updates the flag of the issuing management table 35 based on the token change notification. In the case illustrated in FIG. 8A, the changing unit 33 changes the flag of the mobile phone (1) of the corresponding user ID in the issue management table 35 from “ON” to “OFF”. As a result, the issuing server 3 stops issuing the one-time password for the mobile phone (1). Then, the changing unit 33 notifies the authentication server 4 that the changing process of the issue management table 35 has been completed (S43).

  Here, for the change process to the hard token 5 (S44: YES), the request unit 46 of the authentication server 4 requests the terminal 2 for the one-time password generated by the hard token 5 (S45). That is, the request unit 46 transmits, for example, the one-time password input screen 85 shown in FIG.

  The terminal 2 displays a one-time password input screen 85 on the output device. The user inputs a one-time password generation instruction to the hard token 5. As a result, the hard token generates a one-time password and displays the generated one-time password on the display unit. The user inputs the one-time password generated by the hard token on the one-time password input screen 85. Then, the terminal 2 transmits the input one-time password to the authentication server 4 (S46).

  The request unit 46 of the authentication server 4 sets the transmitted one-time password in the OTP when changing the hard token in the authentication table 48 (S47). The one-time password of the hard token 5 set in the OTP at the time of change is used to correct the counter of the authentication table 48 at the next login. Then, the changing unit 45 transmits, for example, the change completion screen 86 of FIG. 8A to the terminal 2 (S48), and the terminal 2 displays the change completion screen 86.

  After the token change in FIG. 8A, the user inputs the one-time password generated by the hard token 5 to the login screen 87 when logging in to the Web site of the authentication server 4 as shown in FIG. 8B. To do. Then, the terminal 2 transmits the user ID and the one-time password input on the login screen 87 to the authentication server 4 (S31). Here, the request accepting unit 41 of the authentication server 4 has a password generation key whose user ID flag is turned on in the authentication table 48 that is a hard token, and a one-time password in the OTP at the time of change. Is set, it is determined that this is the first login request after changing to a hard token (S32: YES).

  In this case, the correction unit 47 is based on two one-time passwords generated successively from the one-time password set in the OTP at the time of change of the authentication table 48 and the one-time password input in the login request in S31. Then, the counter of the user ID in the authentication table 48 is corrected (S33).

  In the generation of one-time passwords using the counter synchronization method, the counter value (number of one-time password generations) is calculated by inputting two consecutively generated one-time passwords into a predetermined simultaneous equation. be able to. The correction unit 47 counters the hard token 5 from the one-time password input on the one-time password input screen 85 in FIG. 8A and the continuous one-time password input on the login screen 87 in FIG. And the calculated value is set in the counter of the authentication table 48. Thereby, the counter of the authentication table 48 can be synchronized with the counter of the hard token 5. It is assumed that the correction unit 47 deletes the one-time password set in the OTP when the authentication table 48 is changed after correcting the counter.

  Then, the authentication server 4 generates a one-time password using the hard token password generation key and the corrected counter (S34), counts up the counter of the authentication table 48 (S35), and determines the one-time password. Authentication is performed (S36), and the post-authentication screen 88 is transmitted to the terminal 2 (S37).

Next, referring to FIG. 7 and FIG. 9, a process of logging in to the authentication server 4 using the one-time password generated by the hard token 5 and then changing the token to be used to the browser type token of the mobile phone 1. explain.
First, the terminal 2 accesses the Web site of the authentication server 4 and displays, for example, the login screen 91 of FIG. 9A on the output device. The user inputs the user ID and the one-time password generated by the hard token 5. The terminal 2 transmits a login request including the user ID and the one-time password to the authentication server 4 (S31).

  The request reception unit 41 of the authentication server 4 acquires a password generation key whose flag and the flag corresponding to the received user ID are turned on from the authentication table 48 (see FIG. 3), and sends the password generation key to the generation unit 42. . Here, it is assumed that the password generation key that is turned on is a hard token and is not the first login request after changing to a hard token (S32: NO).

  The generation unit 42 generates a one-time password by the same algorithm as the hard token 5 based on the transmitted password generation key and counter (S34), and increments the counter value of the authentication table 48 by one (S35). ).

  Then, the authentication unit 43 verifies whether the one-time password specified in the login request in S31 matches the one-time password generated by the generation unit 42 (S36). The post-authentication screen 92 shown in FIG. 9A is transmitted to the terminal 2 (S37). The terminal 2 accepts the user instruction and transmits a token change request to the authentication server 4 (S38).

  The change unit 45 of the authentication server 4 transmits, for example, the token change screen 93 of FIG. 9A to the terminal 2 (S39). The user inputs a change instruction to the mobile phone (1) from the token change screen 93. Thereby, the token change screen 93 becomes the state of the token change screen 94 in which the mobile phone (1) is selected. The terminal 2 transmits a change instruction to the mobile phone (1) selected on the token change screen 94 to the authentication server 4 (S40).

  The changing unit 45 of the authentication server 4 updates the flag of the authentication table 48 (S41). That is, the changing unit 45 changes the flag of the hard token in the authentication table 48 from “ON” to “OFF”, and changes the flag of the mobile phone (1) from “OFF” to “ON”. As a result, for the one-time password other than the cellular phone (1), the authentication by the authentication server 4 fails.

  Then, the changing unit 45 transmits a token change notification including the changed token and the user ID to the issuing server 3 (S42). The changing unit 33 of the issuing server 3 updates the flag of the issuing management table 35 based on the token change notification. That is, the changing unit 33 changes the flag of the mobile phone (1) of the corresponding user ID in the issue management table 35 from “OFF” to “ON”. As a result, the issuing server 3 starts issuing a one-time password for the mobile phone (1). Then, the changing unit 33 notifies the authentication server 4 that the changing process of the issuance management table 35 has been completed, and the number of one-time password generations set in the counter of the corresponding user ID in the issuance management table 35 is It transmits to the authentication server 4 (S43).

  Here, for the change process to the mobile phone (S44: NO), the correction unit 47 of the authentication server 4 sets the number of generations acquired from the issuing server 3 in the counter of the user ID of the authentication table 48. Thereby, the counter of the authentication table 48 and the counter of the issue management table 35 can be synchronized. Then, the changing unit 45 transmits, for example, the change completion screen 95 in FIG. 9A to the terminal 2 (S48).

  After the token change in FIG. 9A, the user logs in the login screen 97 with the one-time password acquired by the mobile phone (1) when logging in to the Web site of the authentication server 4 as shown in FIG. 9B. To enter. Then, the terminal 2 transmits the user ID and one-time password input on the login screen 97 to the authentication server 4 (S31). Then, the authentication server 4 generates a one-time password using the password generation key of the mobile phone (1) and the corrected counter (the counter acquired from the issuing server 3) (S34), and the counter of the authentication table 48 Is counted up (S35), the one-time password is authenticated (S36), and the post-authentication screen 98 is transmitted to the terminal 2 (S37).

  Note that the process for changing the token to be used from the mobile phone (1) to the mobile phone (2) is the same as the processing described so far.

  The authentication server 4 according to the present embodiment described above receives a token change request from the terminal 2 and changes the setting of the authentication table 48, and notifies the issue server 3 of the change information and sets the issue management table 35. Change it. Thereby, in this embodiment, the one-time password of the some token which one user uses can be authenticated, and a user's convenience can be improved more. That is, the user can use both a hard token and a mobile phone by switching between them according to the situation. For example, a user who uses a mobile phone that is a browser-type token can acquire a one-time password overseas by changing to a hard token when going overseas.

  In the present embodiment, when changing to a hard token (see FIG. 8), the one-time password generated by the hard token is stored in the authentication table 48. Then, the counter of the authentication table 48 is corrected using the one-time password stored in the authentication table 48 and the one-time password input at the next login. Thereby, the counter of the authentication server and the counter of the hard token can be synchronized.

  In this embodiment, when changing to a mobile phone (see FIG. 9), the counter value of the issue management table is acquired from the issue server, and the authentication table counter of the authentication server is corrected. As a result, the counter of the authentication server and the counter of the issuing server can be synchronized.

  In addition, this invention is not limited to said embodiment, Many deformation | transformation are possible within the range of the summary.

1 is a diagram illustrating an overall configuration of an authentication system to which an embodiment of the present invention is applied. It is a figure which shows an example of an issue management table. It is a figure which shows an example of an authentication table. It is a figure which shows the hardware structural example of each apparatus. It is a sequence diagram of a one-time password issuing process. It is an example of the screen transition of the mobile phone in the one-time password issuing process. It is a sequence diagram of an authentication process and a token change process. It is an example of the screen transition of the terminal in the change process to a hard token. It is an example of the screen transition of the terminal in the change process to a mobile phone.

Explanation of symbols

  1: mobile phone, 2: terminal, 3: issuing server, 31: request receiving unit, 32: generating unit, 33: changing unit, 35: issuing management table, 4: authentication server, 41: request receiving unit, 42: generating Part: 43: authentication part, 44: business processing part, 45: change part, 46: request part, 47: correction part, 48: authentication table, 5: hard token, 8: network, 9: network

Claims (7)

An authentication device for authenticating one-time passwords of a plurality of tokens corresponding to one account,
An authentication storage means in which a password generation key is stored for each of a plurality of tokens;
A change unit that accepts a token change instruction from the terminal, and sets a flag in the password generation key of the instructed token in the authentication storage unit;
A request receiving means for receiving an authentication request including a first one-time password from the terminal, and specifying a password generation key in which the flag is set from the authentication storage means;
Generating means for generating a second one-time password based on the specified password generation key;
Authentication that verifies whether or not the first one-time password received by the request reception unit matches the second one-time password generated by the generation unit, and determines that the authentication is successful if they match And an authentication device. The authentication device according to claim 1,
The authentication storage means further includes variable information for generating a different one-time password each time,
The generating unit changes the variable information stored in the authentication storage unit after generating a one-time password using the password generation key and the variable information. The authentication device according to claim 2,
If the change instruction received by the change means is an instruction to change to an offline token, request means for requesting the terminal a one-time password generated by the offline token;
Correction means for correcting the variable information based on two consecutive one-time passwords, the one-time password requested by the requesting means and the one-time password accepted by the request accepting means for the first time after changing to an offline token. Having further,
An authentication device. The authentication device according to claim 2,
If the change instruction received by the changing means is a change instruction to a mobile phone that acquires a one-time password from a one-time password issuing device, variable information stored in the one-time password issuing device is acquired, and the authentication storage means An authentication device further comprising correction means for setting the variable information. An authentication system having an issuing device for issuing a one-time password and an authentication device for authenticating the one-time password,
The issuing device is:
Issuance management storage means for storing a first password generation key for generating a first one-time password;
First request accepting means for accepting a password generation request from the first terminal;
First generation means for generating a first one-time password based on a first password generation key of the issuance management storage means and transmitting the first one-time password to the first terminal;
The authentication device
Authentication storage means in which a second password generation key is stored for each of a plurality of tokens including a first terminal that obtains a one-time password from the issuing device;
A change unit that accepts a token change instruction from the second terminal and sets a flag in the password generation key of the instructed token in the authentication storage unit;
An authentication request including a first one-time password or a second one-time password generated by an offline token is received from the second terminal, and a second password generation key with the flag set is specified from the authentication storage means Second request accepting means,
Second generation means for generating a third one-time password based on the identified second password generation key;
When verifying whether the first or second one-time password received by the second request receiving means matches the third one-time password generated by the second generation means And an authentication means for determining that the authentication is successful. An authentication method for authenticating one-time passwords of a plurality of tokens corresponding to one account performed by an authentication device,
The authentication device includes an authentication storage unit storing a password generation key for each of a plurality of tokens, and a processing unit.
The processor is
A change step of accepting a token change instruction from the terminal and setting a flag in the password generation key of the instructed token in the authentication storage unit;
A request receiving step for receiving an authentication request including a first one-time password from the terminal, and specifying a password generation key in which the flag is set from the authentication storage unit;
Generating a second one-time password based on the identified password generation key;
Authentication that verifies whether the first one-time password received in the request reception step matches the second one-time password generated in the generation step, and determines that the authentication is successful if they match And an authentication method. An authentication program for authenticating one-time passwords of a plurality of tokens corresponding to one account, executed by an authentication device,
The authentication device includes an authentication storage unit storing a password generation key for each of a plurality of tokens, and a processing unit.
In the processing unit,
A change step of accepting a token change instruction from the terminal and setting a flag in the password generation key of the instructed token in the authentication storage unit;
A request receiving step for receiving an authentication request including a first one-time password from the terminal, and specifying a password generation key in which the flag is set from the authentication storage unit;
Generating a second one-time password based on the identified password generation key;
Authentication that verifies whether the first one-time password received in the request reception step matches the second one-time password generated in the generation step, and determines that the authentication is successful if they match And an authentication program.

Images