JP2009104264A - Log-in authentication method, log-in authentication server, and log-in authentication program - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To provide a log-in authentication system for quickly performing log-in by reducing the labor of an input operation. <P>SOLUTION: In a log-in authentication system, a server 4 creates a password based on device information unique to a log-in input operation device 2 received with a log-in request from a log-in input operation device 2 by associating it with the device information (S4), and transmits the password to the log-in input operation device 2 (S5), and receives the password from the portable terminal 3 with the terminal information of the portable terminal 3 (S10), and determines whether or not the received terminal information is matched with preliminarily registered terminal information (S11), and determines whether or not the received password is matched with the password (S12), and when the received password is matched with the generated password, notifies the log-in input operation device 2 specified by the device information associated with the created password of an authentication result showing that authentication has succeeded(S13). <P>COPYRIGHT: (C)2009,JPO&INPIT

Description

  The present invention relates to a login authentication method, a login authentication server, and a login authentication program, and more particularly to a login authentication method, a login authentication server, and a login authentication program that use a mobile terminal as a password input device.

Conventionally, a login authentication method using a mobile terminal as a password input device is known (see, for example, Patent Document 1). In the technique described in Patent Document 1, the authentication server generates a one-time password (hereinafter simply referred to as a password), and transmits the generated password to each mobile terminal whose address or the like has been registered in advance in the authentication server. . And a user transmits a password to an authentication server by inputting the password transmitted from each portable terminal to the information utilization apparatus from the login screen displayed on the information utilization apparatus. The authentication server compares the received password with the generated password and determines that the authentication is successful if they match. The password once used for authentication is deleted from the authentication server.
JP 2004-348236 A (paragraphs 0023 to 0039, FIG. 1)

  However, the conventional techniques have the following disadvantages. That is, the authentication server holds information regarding a plurality of destinations that are different for each mobile terminal as a transmission destination of the generated password, and transmits the generated password to each mobile terminal. In order to realize this, when a user of each mobile terminal makes a login request to the authentication server, for example, mobile terminal identification information for identifying his / her mobile terminal, An e-mail address or the like needs to be transmitted to the authentication server in advance. As described above, it takes time to input information (e-mail address or the like) for specifying the recipient of the password to the portable terminal. If the first input operation is assumed, it is also conceivable that information specifying a password receiving destination is once input to the mobile terminal and then stored in the memory of the mobile terminal. In this case, it is possible to use the stored information in the re-login from the same mobile terminal, but when the user changes the mobile terminal, the information specifying the password transmission destination Must be entered anew.

  Therefore, an object of the present invention is to provide a login authentication method, a login authentication server, and a login authentication program that can solve the above-described problems and can quickly log in by reducing the input operation.

  The present invention was devised to achieve the above object, and the login authentication method according to claim 1 of the present invention is a login having terminal information storage means for storing terminal information unique to a portable terminal. An authentication server, a login input operation device that transmits a login request to the login authentication server, and terminal information unique to the terminal information storage means has been registered, and a password is transmitted to the login authentication server following the login request A login authentication method in an authentication system comprising a portable terminal, wherein the device information is based on device information unique to the login input operation device received by the login authentication server from the login input operation device together with the login request. A password generation step of generating a password in association with the password, and A password transmitting step for transmitting to the in-input operating device; a password receiving step for receiving a password from the portable terminal together with terminal information of the portable terminal; and terminal information in which the received terminal information is registered in advance in a terminal information storage means; A terminal discriminating step for discriminating whether or not they match; a password discriminating step for discriminating whether or not the received password matches the generated password; and the received password matches the generated password In this case, an authentication result notification step of notifying an authentication result indicating authentication success to the login input operation device specified by the device information associated with the generated password is executed.

  According to this procedure, the login authentication server generates a password in association with the device information based on the device information unique to the login input operation device that transmitted the login request, and transmits the password to the login input operation device. Here, the password is, for example, a one-time password. Then, when the received password matches the password generated in advance, the login authentication server authenticates that the login input operation device specified by the device information associated with the password generated in advance is successful. Notify the result. Therefore, the user does not need to send information specifying the recipient of the password to the login authentication server, so that the user can log in quickly with less input operation.

  The login authentication method according to claim 2 is the login authentication method according to claim 1, wherein the login input operation device executes a password display step of displaying a password received from the login authentication server, The portable terminal executes a password input step for inputting a password, and a password transmission step for transmitting the input password to the login authentication server together with the terminal information of the portable terminal.

  According to such a procedure, the login input operation device displays the received password. And a portable terminal acquires the password displayed on the login input operation apparatus with a certain method, and inputs a password. Subsequently, the mobile terminal transmits the input password to the login authentication server together with the terminal information of the mobile terminal. Here, the password acquisition method is arbitrary. For example, when the password displayed on the login input operation device is composed of characters and symbols, a method in which the user who sees the password acquires the password by directly inputting the password to the portable terminal by operating a button. Further, for example, when the displayed password consists of an image or a barcode, there is a method in which the user obtains it by performing an operation of taking it in with a mobile terminal with a camera.

  Further, the login authentication method according to claim 3 is the login authentication method according to claim 1, wherein the login input operation device transmits a password received from the login authentication server to the portable terminal. And executing a password receiving step in which the portable terminal receives a password from the login input operation device, and a password transmitting step in which the received password is transmitted to the login authentication server together with terminal information of the portable terminal. It is characterized by.

  According to this procedure, the login input operation device transmits the received password to the mobile terminal. Subsequently, the mobile terminal transmits the received password to the login authentication server together with the terminal information of the mobile terminal. Here, the method of transmitting the password is arbitrary. For example, a mobile terminal can be connected to a login input operation device by wire connection and transmitted. Also, for example, wireless communication such as infrared communication or IC chip communication can be used.

  The login authentication method according to claim 4 is the login authentication method according to claim 1, wherein the login authentication server receives at least a predetermined notification method of password or user authority from the login input operation device. A login request receiving step for receiving setting information related to one together with the login request and device information unique to the login input operation device; and whether the received setting information is pre-registered setting information. And further executing a setting information determining step for determining, wherein the password generating step generates a password specified by the received setting information, and the password transmitting step includes the generated password together with the received setting information. Sent to the login input operation device, and the login input operation device Depending on the setting information received from the login authentication server, execute either a password display step for displaying the password received from the login authentication server or a password transmission step for transmitting the received password to the mobile terminal. The portable terminal executes either a password input step for inputting a password corresponding to the password display step or a password receiving step for receiving a password from the login input operation device corresponding to the password transmission step. And a password transmission step of transmitting the input password or the received password together with the terminal information of the portable terminal to the login authentication server.

  According to such a procedure, the login authentication server receives not only the login request but also the setting information related to the password notification method and the user authority from the login input operation device, and the received setting information is the registered setting information. It is determined which one of them, and setting information is sent back together with the generated password. Here, the setting information related to the notification method can be determined in correspondence with, for example, a security level or a device that displays a password. Subsequently, the login input operation device displays the received password or transmits it to the mobile terminal according to the received setting information. When displaying the received password, the mobile terminal inputs the password by some method. Further, when the login input operation device transmits the received password to the mobile terminal, the mobile terminal receives the password. Subsequently, the mobile terminal transmits the input password or the received password to the login authentication server together with the terminal information of the mobile terminal. Therefore, the user can set not only the login request but also the setting information regarding the password notification method and the user authority by the login input operation device.

  In order to solve the above problem, a login authentication server according to claim 5, a login authentication server having terminal information storage means for storing terminal information unique to a mobile terminal, and a login request to the login authentication server. The login authentication in an authentication system comprising: a login input operation device to transmit; and a portable terminal in which terminal information unique to the terminal information storage means has been registered and transmits a password to the authentication server following the login request A server that stores terminal information for identifying terminal information for identifying the portable terminal, and generates a password based on device information unique to the login input operation device received together with the login request from the login input operation device Password generating means and a password for storing the password together with the device information Storing means, password transmitting means for transmitting the password to the login input operation device, password receiving means for receiving a password from the portable terminal together with terminal information of the portable terminal, and the received terminal information is stored in the terminal information storage Terminal determination means for determining whether or not the terminal information registered in the means matches, password determination means for determining whether or not the received password matches the password registered in the password storage means, and When the received password is already registered in the password storage means, an authentication result notification for notifying an authentication result indicating successful authentication to the login input operation device specified by the device information stored together with the registered password Means.

  According to such a configuration, the login authentication server registers terminal information for identifying the mobile terminal in advance, generates a password based on device information unique to the login input operation device that transmitted the login request, and generates the generated password. It is registered together with the device information and transmitted to the login input operation device. Then, when the received password matches the registered password, the login authentication server displays an authentication result indicating successful authentication for the login input operation device specified by the device information associated with the registered password. Notice. Therefore, the user does not need to send information specifying the recipient of the password to the login authentication server, so that the user can log in quickly with less input operation.

  Further, the login authentication server according to claim 6 is the login authentication server according to claim 5, wherein the login input operation device receives setting information related to at least one of a predetermined password notification method or user authority. A login request receiving unit that receives the login request and device information unique to the login input operation device, and a setting information determining unit that determines whether the received setting information is pre-registered setting information. The password generation means generates a password specified by the received setting information, and the password transmission means sends the generated password to the login input operation device together with information indicating the type of the password. It is characterized by transmitting.

  According to this configuration, the login authentication server receives not only the login request but also the setting information related to the password notification method and the user authority from the login input operation device, and the received setting information is stored in the registered setting information. It is determined which one of them, and setting information is sent back together with the generated password. Thereby, the login input operation device can display the received password or transmit it to the mobile terminal according to the received setting information. Therefore, for example, by setting the setting information corresponding to the level of the security level or the device that displays the password, the convenience of the user who operates the login input operation device or the mobile terminal can be improved.

The login authentication program according to claim 7 is a login authentication server having a terminal information storage unit for storing terminal information unique to a mobile terminal, a login input operation device for transmitting a login request to the login authentication server, In order to realize the login authentication server in the authentication system including a mobile terminal that has registered terminal information unique to the terminal information storage means and transmits a password to the login authentication server following the login request, Password generation means for generating a password based on device information unique to the login input operation device received together with the login request from the login input operation device; password transmission means for transmitting the password to the login input operation device; Password from the mobile terminal Password receiving means for receiving together with terminal information of the terminal, terminal determining means for determining whether or not the received terminal information matches the terminal information registered in advance in the terminal information storage means, and the received password is generated Password determining means for determining whether or not the password matches, a login input operation device identified by device information associated with the generated password when the received password matches the generated password It is made to function as an authentication result notification means for notifying the authentication result indicating the authentication success.
By being configured in this way, a computer in which this program is installed can realize each function based on this program.

  According to the present invention, since it is not necessary for the user to transmit information specifying the recipient of the password to the login authentication server, it is possible to log in quickly while reducing the input operation. Further, it is not necessary to pre-register the login input operation device with the login authentication server. Therefore, the user can request login and receive user authentication even from a login input operation device that is not pre-registered. Further, since the login input operation device does not transmit the unique information for identifying the individual user to the login authentication server, it is possible to prevent leakage of personal information at the time of login. Therefore, the user can receive secure login authentication anytime and anywhere by using the login request operation device and the portable terminal.

  The best mode for carrying out the login authentication method and login authentication server of the present invention (hereinafter referred to as “embodiment”) will be described in detail below with reference to the drawings.

[Configuration of authentication system]
FIG. 1 is a diagram schematically showing a configuration of an authentication system including a server according to the first embodiment of the present invention. The authentication system 1 includes a login input operation device 2, a mobile terminal 3, and a server (login authentication server) 4 having terminal information storage means 31 for storing terminal information unique to the mobile terminal 3. In FIG. 1, one login input operation device 2, one portable terminal 3, and one server 4 are shown, but the number of these devices is arbitrary.

[Login input operation device]
The login input operating device 2 transmits a login request to the server 4. For example, a CPU (Central Processing Unit), a ROM (Read Only Memory), a RAM (Random Access Memory), a NIC (Network Interface Card). The login input operation device 2 includes, for example, a personal computer (hereinafter simply referred to as a PC), a mini-panel for entering / exiting management, and the like. In the following description, it is assumed that the login input operation device 2 is a PC. This login input operation device 2 is connected to a network N such as the Internet or a LAN (Local Area Network), for example, and as shown in FIG. 1, an input means 10, a communication means 11, a storage means 12, Display means 13, output means 14, and control means 15 are provided.

The input unit 10 performs an input operation for requesting the server 4 to log in, and includes, for example, a general input device such as a keyboard, a mouse, and a touch panel.
The communication unit 11 exchanges various types of information with the server 4 via the network N under the control of the control unit 15 and is configured by, for example, a NIC.
The storage unit 12 includes, for example, a ROM that stores a predetermined program, a RAM that is used for arithmetic processing by the control unit 15, a hard disk, and the like. In the present embodiment, device information of the login input operation device 2 is stored in advance in the memory of the storage unit 30. The device information is unique information of the login input operation device 2, such as a product number and a MAC address.

  The display unit 13 displays information input by the input unit 10 and information (screen display information, password, authentication result) acquired from the server 4 via the communication unit 11 under the control of the control unit 15. It is. This display means 13 is comprised from a liquid crystal display (LCD: Liquid Crystal Display), CRT (Cathode Ray Tube), PDP (Plasma Display Panel) etc., for example.

  Here, an example of the login screen will be described. FIG. 2 is a diagram showing an example of a login screen displayed on the display means of the login input operation device shown in FIG. The login screen 200 includes a server name input field 210, a send button 220, and a return button 230, as shown in FIG. When the login screen 200 is displayed, the user inputs the server 4 that performs login authentication in the server name input field 210 and presses the send button 220. When the user presses the transmission button 220, the login input operation device 2 transmits a login request to the server 4 by the login request transmission unit 16 (see FIG. 1).

Returning to FIG. 1, the description of the configuration of the login input operation device 2 is continued.
The output unit 14 outputs the received password to the portable terminal 3 under the control of the control unit 15. In the present embodiment, it is assumed that the communication between the output unit 14 and the mobile terminal 3 is wireless communication. Here, examples of the communication method that can be adopted as the wireless communication include infrared communication, communication between IC chips such as FeliCa (registered trademark), Bluetooth (registered trademark), and the like. For the output means 14, a configuration corresponding to the employed communication method can be employed as appropriate. When communication with the mobile terminal 3 is wired communication, the output unit 14 can include a connector to which a cable or the like connected to the mobile terminal 3 can be attached.

The control means 15 is composed of, for example, a CPU, and includes a login request transmission means 16, a password reception means 17, an authentication result reception means 18, and a password transmission means 19.
The login request transmission unit 16 transmits a login request together with device information to the server 4 via the communication unit 11.

  The password receiving unit 17 receives a one-time password (hereinafter simply referred to as a password) from the server 4 via the communication unit 11. Hereinafter, as an example, the password receiving unit 17 will be described as displaying the received password on the display unit 13 as it is, and an example in which the received password is transmitted to the portable terminal 3 via the output unit 14 will be described as a modified example. Will be described later. In this modification, the password transmission unit 19 transmits the password received from the server 4 to the mobile terminal 3.

  The authentication result receiving unit 18 receives the authentication result from the server 4 via the communication unit 11. The authentication result receiving unit 18 displays the received authentication result on the display unit 13. The login request transmission unit 16, the password reception unit 17, the authentication result reception unit 18, and the password transmission unit 19 have their functions realized by the CPU developing and executing a predetermined program stored in the hard disk or the like on the RAM. It is what is done.

[Mobile devices]
The mobile terminal 3 has terminal information unique to the terminal information storage means 31 of the server 4 registered, and transmits a password to the server 4 following the login request from the login input operation device 2. It is comprised from a telephone, PHS, an information portable terminal (PDA: Personal Digital Assistants), etc. In the present embodiment, the mobile terminal 3 inputs a password based on the user's input operation, and the network N is sent to the server 4 together with the terminal information of the mobile terminal 3 based on the user's transmission operation. Send through. In the modification, the mobile terminal 3 receives the password from the login input operation device 2 and transmits the received password to the server 4 through the network N together with the terminal information of the mobile terminal 3.

  The user of the mobile terminal 3 registers the mobile terminal 3 in the server 4 prior to the use of login authentication (mobile terminal registration). Information to be registered at the time of mobile terminal registration is information such as a product number and a contractor number unique to the mobile terminal 3 (hereinafter, this information is referred to as terminal information). Therefore, destination information such as an e-mail address, which is conventionally required, is not registered. This is a significant difference from the conventional login method. In the present embodiment, the password generated by the server 4 is not transmitted to the mobile terminal 3.

[server]
The server (login authentication server) 4 performs login authentication, and includes, for example, a CPU, ROM, RAM, HDD (Hard Disk Drive), NIC, and the like, and includes a communication unit 20, a storage unit 30, and a control unit. 40. In the present embodiment, it is assumed that the server 4 provides (distributes) service information (for example, text such as news, content such as images, videos, and music) to the login input operation device 2 after login authentication. The server 4 can also provide a search service and services such as writing to and managing data stored in the server 4. The service by the server 4 is not limited to providing various information to the login input operation device 2. For example, when the login input operation device 2 is an entry / exit management mini-panel, locking or releasing of the corresponding room (permission of entry / exit) is a service, and an operation command is output to the device that locks or releases Is the provision of services.

  The communication means 20 is composed of a NIC or the like, and transmits / receives various information (login request, password, etc.) to / from the login input operation device 2 via the network N, or receives a password from the portable terminal 3 via the network N. Or receive it.

  The storage unit 30 includes, for example, a ROM that stores a predetermined program or the like, a RAM that is used for arithmetic processing or the like by the control unit 40, or stores information acquired through the communication unit 20, or the like. The storage unit 30 includes a terminal information storage unit 31, a password storage unit 32, and a service information storage unit 33.

The terminal information storage unit 31 stores terminal information for identifying the mobile terminal 3 and is configured by a general memory, a hard disk, or the like.
The password storage means 32 is for storing a password generated by the server 4 together with device information (product number, MAC address, etc.) of the login input operation device 2 and managing various login information. Etc.
The service information storage means 33 stores service information (for example, text such as news, content such as images, videos, music, etc.), and is constituted by a general hard disk or the like.

  The control means 40 is composed of, for example, a CPU or the like, and includes a login request reception means 41, a password generation means 42, a password transmission means 43, a password reception means 44, a terminal determination means 45, a password determination means 46, Authentication result notifying means 47 and service providing means 48 are provided.

The login request receiving unit 41 receives a login request from the login input operation device 2 through the communication unit 20 together with device information unique to the login input operation device 2.
The password generation unit 42 generates a password based on the device information received by the login request reception unit 41. The password generation unit 42 registers the generated password in the password storage unit 32 together with the device information. Here, the method for generating the password is not particularly limited, and a known technique can be used. For example, when generating a password composed of numbers and symbols, it can be obtained by calculation based on a product number as device information and a random number.

The password transmission unit 43 sends the password generated by the password generation unit 42 back to the login input operation device 2 that transmitted the login request via the communication unit 20.
The password receiving unit 44 receives the password from the portable terminal 3 through the communication unit 20 together with the terminal information (for example, product number and contractor number) of the portable terminal 3.

The terminal determination unit 45 determines whether the received terminal information matches the terminal information registered in the terminal information storage unit 31. In this embodiment, this determination result is output to the password determination means 46.
The password determination unit 46 determines whether or not a password that matches the received password is registered in the password storage unit 32. This determination result is output to the authentication result notifying means 47. In the present embodiment, the password determination unit 46 determines that the password that matches the received password is the password when it is determined that the received terminal information is already registered based on the determination result acquired from the terminal determination unit 45. It is determined whether or not it is registered in the storage means 32. If it is determined that the received terminal information is unregistered, information indicating that the authentication has failed without checking the password is displayed as an authentication result. The information is output to the notification means 47.

  When the received password is already registered in the password storage unit 32, the authentication result notifying unit 47 responds to the login input operation device 2 specified by the device information stored together with the registered password via the communication unit 20. Thus, an authentication result indicating successful authentication is notified. Specifically, the authentication result notification means 47 notifies predetermined screen display data indicating successful authentication as an authentication result when the password determination means 46 determines that a password has already been registered. Here, the screen display data indicating successful authentication is, for example, screen display data indicating permission to use the service. The authentication result notifying unit 47 notifies predetermined screen display data indicating an authentication failure as an authentication result when the password determining unit 46 determines that the password is not registered. Furthermore, when the authentication result notification unit 47 acquires information indicating that the authentication has failed from the password determination unit 46, the authentication result notification unit 47 notifies the screen display data indicating the authentication failure as the authentication result.

  The service providing means 48 reads the service information desired by the user from the service information storage means 33 and provides it via the communication means 20 in accordance with the user service request after login authentication. The login request receiving means 41, the password generating means 42, the password transmitting means 43, the password receiving means 44, the terminal determining means 45, the password determining means 46, the authentication result notifying means 47 and the service providing means 48 means are provided by the CPU. The function is realized by developing and executing a predetermined program stored in a hard disk or the like on a RAM.

Here, an operation example according to the type of password will be described.
[Operation example of displaying password in characters and symbols]
First, when displaying a password with characters and symbols, the user performs an operation of inputting the read characters and symbols into the mobile terminal 3. In this case, the operation by a plurality of users is convenient as described below.
As a first example of operation by a plurality of users, when only the user A possesses the portable terminal 3 among the two users (user A, user B) who use the login input operation device 2, User B can easily teach user A by reading the password displayed on display means 13. The relationship between the two pairs can be various relationships such as a parent and child, a caregiver, and a care recipient.

  As a second example of operation by a plurality of users, there are two users (user C, user D) in the office, and the user C manages the login input operation device 2 (for example, PC) and has been registered. Suppose that the user D is trying to use the login input operation device 2 when the user C is absent. At this time, when the user D makes a login request to the login input operation device 2 (for example, a PC), the password displayed on the display means 13 is read, and the user C is verbally taught using a mobile phone, and the user D is in a remote place. The user D can log in by inputting the password taught by the user C into the mobile terminal 3 (can perform proxy login).

[Operation example of displaying password as image or barcode]
Next, when the mobile terminal 3 is, for example, a camera-equipped mobile phone, the password can be displayed as an image or a barcode. In this case, for example, the password can be displayed as a QR code (registered trademark), and the user can capture the QR code (registered trademark) as a password with the camera of the mobile terminal 3. As a result, it is possible to save time and labor for inputting the password.

[Operation of authentication system]
The operation of the authentication system shown in FIG. 1 will be described with reference to FIG. 3 (see FIGS. 1 and 2 as appropriate). FIG. 3 is a sequence diagram showing an example of the operation of the authentication system shown in FIG. The user registers the mobile terminal 3 in the server 4 in advance. That is, the server 4 stores the terminal information of the portable terminal 3 in the terminal information storage unit 31 together with the user name. First, the user performs an input operation and a transmission operation for requesting login using the login input operation device 2. That is, the login input operation device 2 inputs a login request by the input means 10 (step S1), and the login request transmission means 16 transmits the login request to the server 4 together with the device information via the communication means 11 (step S1). S2).

  Next, the server 4 receives the login request together with the device information through the communication unit 20 by the login request receiving unit 41 (step S3). Then, the server 4 generates a password based on the received device information by the password generation unit 42, registers the password in the password storage unit 32 together with the device information (step S4: password generation step), and the password transmission unit 43. Thus, the password is transmitted to the login input operation device 2 via the communication means 20 (step S5: password transmission step).

  Next, the login input operation device 2 receives the password via the communication unit 11 by the password receiving unit 17 (step S6), and displays the received password on the display unit 13 (step S7: password display step). A user who operates the login input operation device 2 confirms the password displayed on the screen and performs an operation of inputting to the portable terminal 3 and an operation of transmitting. That is, the mobile terminal 3 inputs a password based on the user's input operation (step S8: password input step), and transmits the input password together with the terminal information of the mobile terminal 3 to the server 4 via the network N. (Step S9: Password transmission step).

  Next, the server 4 receives the password together with the terminal information of the portable terminal 3 through the communication unit 20 by the password receiving unit 44 (step S10: password receiving step), and matches the received terminal information by the terminal determination unit 45. It is determined whether or not terminal information to be registered is registered in the terminal information storage means 31 (step S11: terminal determination step). When the received terminal information is already registered (step S11: Yes), the server 4 determines whether or not a password that matches the received password is registered in the password storage unit 32 by the password determination unit 46 (step S11). S12: Password discrimination step). Then, the server 4 notifies the login result input device 2 of the authentication result via the communication unit 20 by the authentication result notification unit 47 (step S13: password determination step). Thereby, the login input operation device 2 receives the authentication result via the communication unit 11 by the authentication result receiving unit 18 (step S14), and displays the received authentication result on the display unit 13 (step S15).

  Here, if the password received by the server 4 is already registered in step S12 (step S12: Yes), the authentication is successful. In step S13, the server 4 uses the screen display data indicating the authentication success as the authentication result. Notice. Thereby, a screen indicating successful authentication is displayed on the login input operation device 2. Subsequently, the server 4 reads out and provides the service information desired by the user from the service information storage unit 33 according to the service request of the user by the service providing unit 48 (step S16).

  On the other hand, if the password received by the server 4 is unregistered in step S12 (step S12: No), it is an authentication failure. Therefore, in step S13, the server 4 notifies screen display data indicating the authentication failure as an authentication result. . Thereby, a screen indicating authentication failure is displayed on the login input operation device 2. If the terminal information received by the server 4 is unregistered in step S11 (step S11: No), the server 4 skips step S12 and displays a screen indicating authentication failure in step S13 because the authentication has failed. Notify the data as the authentication result.

  According to the present embodiment, in the authentication system 1, the user does not need to send information specifying the password receiving destination to the login authentication server as in the conventional case, so that the user can log in quickly with reduced input operations. be able to. In the authentication system 1, it is not necessary to pre-register the login input operation device 2 in the server 4, and the user can request login and receive user authentication even from the login input operation device 2 that is not pre-registered. Further, the login input operation device 2 does not transmit to the server 4 unique information (terminal information of the portable terminal 3) registered in advance in the server 4 by the user. That is, the user does not need to input unique information that can identify an individual to the login input operation device 2. Therefore, leakage of personal information at the time of login can be prevented. Therefore, if the user uses the login input operation device 2 and the portable terminal 3, the user can receive secure login authentication anytime and anywhere. In the authentication system 1, when the user inputs the password to the server 4 using the mobile terminal 3, both the login input operation device 2 and the mobile terminal 3 are used, and therefore only one device is used. Security can be increased compared to.

(Modification)
In the above description, as an example of the first embodiment, the password receiving unit 17 of the login input operation device 2 has been described as displaying the received password on the display unit 13 as it is, but the received password is output to the output unit 14. It is also possible to transmit to the portable terminal 3 via. This example will be described as a modification. In this case, the configuration of each device of the authentication system 1 is the same as that shown in FIG.

  Next, the operation of the authentication system according to the modification will be described with reference to FIG. 4 (refer to FIGS. 1 and 2 as appropriate). FIG. 4 is a sequence diagram showing another example of the operation of the authentication system shown in FIG. Steps S21 to S26 and Steps S30 to S36 shown in FIG. 4 are the same as Steps S1 to S6 and Steps S10 to S16 shown in FIG. Subsequent to step S26, the login input operation device 2 transmits the password received from the server 4 to the portable terminal 3 by the password transmission unit 19 (step S27: password transmission step). The portable terminal 3 receives the password from the login input operation device 2 (step S28: password reception step), and transmits the received password together with the terminal information of the portable terminal 3 to the server 4 (step S29: password transmission step).

  In this modification, since the password is transferred by direct communication between the login input operation device 2 and the portable terminal 3 and the password is transmitted from the portable terminal 3 to the server 4, the following superiority to the conventional login authentication method is obtained. There is an effect. (1) It is possible to make it difficult for another user to see the password. (2) It is possible to reduce the trouble of the user inputting a password. For example, this is particularly effective when the password is a long code made up of numbers and symbols, or when the numbers and symbols change from time to time. (3) Strong resistance to spyware such as keyloggers and viruses.

(Second Embodiment)
[Configuration of authentication system]
FIG. 5 is a diagram schematically showing a configuration of an authentication system including a server according to the second embodiment of the present invention. The authentication system 1A shown in FIG. 5 enables password notification selection type login authentication. This password notification selection type login authentication is login authentication based on the premise that there are a plurality of password notification methods (hereinafter simply referred to as notification methods) from the login input operation device 2 to the portable terminal 3.

  In the prior art, the password input method is fixedly determined for each device that inputs a password. Also, in the prior art, when a user wants to set service usage authority after login (hereinafter referred to as user authority), it is set only after a user with administrator authority (system administrator) has logged in Can not do it. In the second embodiment, even a user who does not have administrator authority can freely set user authority by the login input operation device 2 that performs login authentication. However, it is not possible to set more than the authority determined by the administrator.

  The authentication system 1A shown in FIG. 5 includes the setting information discrimination means 50 in the control means 40 of the server 4A, and the other configurations are the same as those in the authentication system 1 shown in FIG. Therefore, the description is omitted as appropriate. In addition, the present embodiment is characterized in that when a user makes a login request from the login input operation device 2, the user selects setting information related to a notification method and user authority and notifies the server 4A.

  Here, an example of a login screen of the login input operation device 2 will be described with reference to FIG. 6 is a diagram showing an example of a login screen displayed on the display means of the login input operation device shown in FIG. As shown in FIG. 6, the login screen 600 includes a server name input field 610, a notification method selection field 620, a user authority selection field 630, a send button 640, and a return button 650. When the login screen 600 is displayed, the user not only inputs the server 4A for performing login authentication in the server name input field 610 but also selects a notification method in the notification method selection field 620 as necessary. The user authority can be selected in the user authority selection field 630. When the user presses the transmission button 640 on the login screen 600, the login input operation device 2 causes the login request transmission unit 16 (see FIG. 5) to send the login request and the setting information regarding the notification method and the user authority to the server. Send to 4A. In the present embodiment, the security level is set for each user authority. However, the password notification method may be set for each user authority.

Returning to FIG. 5, the configuration of the server 4A will be described.
In the present embodiment, in the server 4 </ b> A, the login request receiving unit 41 receives setting information related to a predetermined password notification method and user authority from the login input operation device 2 together with the login request and device information. Note that the setting information does not necessarily have to relate to both the notification method and the user authority, and may relate to either one.

In the server 4A, setting information is registered in advance in the memory of the storage unit 30.
The setting information discriminating unit 50 discriminates which of the setting information registered in advance is the received setting information. The determination result is output to the password generation means 42.
The password generation unit 42 generates a password specified by the received setting information. The setting information and the password type are associated in advance.
The password transmission unit 43 transmits the generated password to the login input operation device 2 together with the received setting information. In the present embodiment, the login input operation device 2 is configured to be able to switch the method for notifying the mobile terminal 3 of the received password according to the received setting information.

[Association of setting information and password]
Password notification methods can be broadly classified into low security notification methods and high security notification methods. The password notified by the low-security notification method is an image such as a symbol or character that can be easily understood by a person who sees the expression of the password, or a simple figure. In other words, the low-security notification method refers to a method in which a password can be easily taught to other users. As an example of this low-security notification method, a password is simply displayed on the display unit 13 of the login input operation device 2 on the screen.

  On the other hand, a password notified by a high-security notification method is an image such as a complex figure or a barcode that cannot be easily understood by a person who sees the expression of the password. In other words, the high-security notification method refers to a method that makes it difficult to steal passwords. As an example of this high security notification method, a password is transmitted from the login input operation device 2 to the mobile terminal 3 by wireless communication such as wired connection or inter-IC chip communication.

  In general, the level of security and the level of user authority are often linked. That is, as the user authority is higher, information with a higher security level can be accessed, and damage caused when information leaks increases, so a notification method with a higher security level is required. Therefore, in this embodiment, the user authority is expressed by the level of security (see FIG. 6). In addition, since it does not necessarily respond | correspond depending on the method of setting target information and user authority, it is not limited to this example.

[Operation of authentication system]
Next, the operation of the authentication system according to the second embodiment will be described with reference to FIG. 7 (see FIGS. 5 and 6 as appropriate). FIG. 7 is a sequence diagram showing an example of the operation of the authentication system shown in FIG. Hereinafter, detailed description of operations similar to those described with reference to FIG. 3 will be omitted as appropriate.

In advance, setting information related to the notification method and user authority is registered in the server 4A. The user selects a user authority and a password notification method when inputting a login request.
That is, the login input operation device 2 inputs a login request and setting information by the input means 10 (step S41), and transmits the login request and setting information together with the device information to the server 4A by the login request transmission means 16 (step S41). S42).

  Next, the server 4A receives the login request and setting information together with the device information by the login request receiving unit 41 (step S43: login request receiving step), and the received setting information is registered in advance by the setting information determining unit 50. The setting information is determined (step S44: setting information determination step). Then, the server 4A uses the password generation unit 42 to generate a password based on the received device information and setting information, and registers the password in the password storage unit 32 together with the device information (step S45: password generation step). The transmission means 43 transmits the password and the setting information to the login input operation device 2 (step S46: password transmission step).

  Next, the login input operation device 2 receives the password and the setting information by the password receiving unit 17 (step S47), and switches the method of notifying the mobile terminal 3 of the received password according to the received setting information. For example, when the setting information corresponds to low security, the login input operation device 2 displays the password received from the server 4A (step S48a: password display step), and the portable information is input based on the user input operation. The terminal 3 inputs the password (step S49a: password input step), and transmits the input password to the server 4A together with the terminal information of the portable terminal 3 (step S50: password transmission step).

  For example, when the setting information corresponds to high security, the login input operation device 2 transmits the password received from the server 4A to the portable terminal 3 by the password transmission unit 19 (step S48b: password transmission). Step), the portable terminal 3 receives the password from the login input operation device 2 (Step S49b: password reception step), and transmits the received password to the server 4A together with the terminal information of the portable terminal 3 (Step S50: password transmission). Step). After that, steps S51 to S57 shown in FIG. 7 are the same as steps S10 to S16 shown in FIG.

  According to the present embodiment, the user can change the setting of the user authority and password notification method according to the scene as shown below. For example, when the login input operation device 2 is installed in a shared space where many people can go in and out (for example, a place where a plurality of PCs are arranged), the user authority is restricted (the user authority is made high security). Set). Alternatively, the password is notified from the login input operation device 2 to the mobile terminal by communication, and the password is displayed on the screen of the mobile terminal 3. In addition, for example, when the login input operation device 2 is installed in a restricted space where people can enter and exit (for example, an in-house or home private room where a single PC is placed), the user authority is not restricted. (Set user permissions to low security). Alternatively, the password is displayed on the login input operation device 2, and the user simply inputs the displayed password to the portable terminal.

  As mentioned above, although preferred embodiment of this invention was described, this invention is not limited to each above-described embodiment. For example, the server 4 (or server 4A) can be realized by operating a general computer by a program (authentication management program) that functions as each of the above-described means. This program can be distributed via a communication line, or can be written on a recording medium such as a CD-ROM for distribution. A computer in which this program is installed can achieve an effect equivalent to that of the server 4 (or server 4A) when the CPU expands the program stored in the ROM or the like in the RAM.

  In each embodiment, the login input operation device 2 is described as a PC. However, the present invention is not limited to this and may be a mini-panel for entering / exiting management. In this case, the user can use the mobile terminal 3 as an entrance ticket or a ticket when entering or leaving a room where a mini-panel of a predetermined facility is installed or entering or leaving a train vehicle. In each embodiment, the information pre-registered in the server 4 (or server 4A) is the terminal information (product number or contractor number) of the mobile terminal 3, but in addition to that, the user billing information Etc. may be registered. In this case, if the login input operation device 2 is a mini-panel for entrance / exit management, when the user uses the mobile terminal 3 as an admission ticket or a boarding ticket, the user pre-pays the mobile terminal 3 (the fee or boarding fee). It is also possible to use it instead of the status (identification) of (payment has been paid).

  Further, in the second embodiment, it has been described that the password notification method and the user authority can be selected when a login request is sent from the login input operation device 2 to the server 4A. It is also possible to set from the mobile terminal 3. In this case, the portable terminal 3 can be configured to transmit information regarding the change of the user authority together when transmitting the password to the server 4A. As described above, when the user authority can be appropriately changed from the portable terminal 3, the following operation is possible. For example, the login input operation device 2 is a mini-panel for managing entry / exit. And several mini-panels are installed everywhere in predetermined facilities (buildings, premises) such as factories and laboratories, and passers-by such as managers, workers, transporters, visitors, etc. User authority (security level) corresponding to is set in advance. As the security level, for example, the administrator is variable between levels 1 to 4. Similarly, the operator can be determined to be variable at levels 2 to 4, the carrier is variable at levels 3 to 4, and the visitor can be determined to be fixed at level 4. When each passer-by receives an admission permit, each passerby pre-registers his / her own portable terminal 3 in the server 4A. Each passer-by can set the initial value of the user authority to level 4 and move to a desired place in the facility, and can enter and exit the administrator room only when the administrator changes the user authority to level 1. It can also be done. In other words, the area that can be accessed with the admission permit can be set in more detail. Furthermore, in this case, unlike the prior art, it is not necessary to prepare a separate entrance permit for each restricted area.

It is a figure which shows typically the structure of the authentication system containing the server which concerns on 1st Embodiment of this invention. It is a figure which shows an example of the login screen displayed on the display means of the login input operation apparatus shown in FIG. It is a sequence diagram which shows an example of operation | movement of the authentication system shown in FIG. It is a sequence diagram which shows the other example of operation | movement of the authentication system shown in FIG. It is a figure which shows typically the structure of the authentication system containing the server which concerns on 2nd Embodiment of this invention. It is a figure which shows an example of the login screen displayed on the display means of the login input operation apparatus shown in FIG. It is a sequence diagram which shows an example of operation | movement of the authentication system shown in FIG.

Explanation of symbols

1, 1A authentication system 2 login input operation device 3 mobile terminal 4, 4A server (login authentication server)
DESCRIPTION OF SYMBOLS 10 Input means 11 Communication means 12 Storage means 13 Display means 14 Output means 15 Control means 16 Login request transmission means 17 Password reception means 18 Authentication result reception means 19 Password transmission means 20 Communication means 30 Storage means 31 Terminal information storage means 32 Password storage Means 33 Service information storage means 40 Control means 41 Login request receiving means 42 Password generating means 43 Password sending means 44 Password receiving means 45 Terminal judging means 46 Password judging means 47 Authentication result notifying means 48 Service providing means 50 Setting information judging means N network

Claims (7)

A login authentication server having terminal information storage means for storing terminal information unique to the mobile terminal, a login input operation device for transmitting a login request to the login authentication server, and terminal information unique to the terminal information storage means have been registered A login authentication method in an authentication system comprising a mobile terminal that transmits a password to the login authentication server following the login request,
The login authentication server is
A password generation step of generating a password in association with the device information based on the device information unique to the login input operation device received together with the login request from the login input operation device;
A password transmission step of transmitting the password to the login input operation device;
A password receiving step of receiving a password from the mobile terminal together with the terminal information of the mobile terminal;
A terminal determination step of determining whether or not the received terminal information matches the login authentication server terminal information;
A password determination step for determining whether or not the received password matches the generated password;
If the received password matches the generated password, an authentication result for notifying an authentication result indicating successful authentication to the login input operation device specified by the device information associated with the generated password A login authentication method comprising: performing a notification step. The login input operation device includes:
Executing a password display step for displaying the password received from the login authentication server;
The portable terminal is
A password entry step for entering a password;
The login authentication method according to claim 1, further comprising: executing a password transmission step of transmitting the input password to the login authentication server together with terminal information of the mobile terminal. The login input operation device includes:
Execute a password transmission step of transmitting the password received from the login authentication server to the mobile terminal;
The portable terminal is
A password receiving step of receiving a password from the login input operation device;
The login authentication method according to claim 1, further comprising: executing a password transmission step of transmitting the received password together with terminal information of the mobile terminal to the login authentication server. The login authentication server includes:
A login request receiving step for receiving, from the login input operation device, setting information related to at least one of a predetermined password notification method or user authority, together with the login request and device information unique to the login input operation device;
A setting information determination step for determining which of the setting information received in advance is the setting information determination step;
The password generation step includes
Generate a password specified by the received setting information,
The password transmission step transmits the generated password to the login input operation device together with the received setting information,
The login input operation device includes:
Depending on the setting information received from the login authentication server, execute either a password display step for displaying the password received from the login authentication server or a password transmission step for transmitting the received password to the mobile terminal. ,
The portable terminal is
Performing either one of a password input step for inputting a password corresponding to the password display step and a password reception step for receiving a password from the login input operation device corresponding to the password transmission step;
The login authentication method according to claim 1, further comprising a password transmission step of transmitting the input password or the received password together with the terminal information of the portable terminal to the login authentication server. A login authentication server having terminal information storage means for storing terminal information unique to the mobile terminal, a login input operation device for transmitting a login request to the login authentication server, and terminal information unique to the terminal information storage means have been registered The login authentication server in an authentication system having a portable terminal that transmits a password to the login authentication server following the login request,
Password generating means for generating a password based on device information unique to the login input operation device received together with the login request from the login input operation device;
Password storage means for storing the password together with the device information;
Password transmitting means for transmitting the password to the login input operation device;
Password receiving means for receiving a password from the portable terminal together with terminal information of the portable terminal;
Terminal determination means for determining whether or not the received terminal information matches the terminal information registered in the terminal information storage means;
Password determination means for determining whether or not the received password matches a password registered in the password storage means;
If the received password is already registered in the password storage means, an authentication result for notifying an authentication result indicating successful authentication to the login input operation device specified by the device information stored together with the registered password A login authentication server comprising a notification means. Login request receiving means for receiving, from the login input operation device, setting information related to at least one of a predetermined password notification method or user authority, together with the login request and device information unique to the login input operation device;
A setting information discriminating means for discriminating which of the setting information received in advance is the received setting information;
The password generation means includes
Generate a password specified by the received setting information,
The login authentication server according to claim 5, wherein the password transmission unit transmits the generated password to the login input operation device together with information indicating a type of the password. A login authentication server having terminal information storage means for storing terminal information unique to the mobile terminal, a login input operation device for transmitting a login request to the login authentication server, and terminal information unique to the terminal information storage means have been registered In order to realize the login authentication server in an authentication system comprising a mobile terminal that transmits a password to the login authentication server following the login request,
Password generating means for generating a password based on device information unique to the login input operation device received together with the login request from the login input operation device;
Password transmission means for transmitting the password to the login input operation device;
Password receiving means for receiving a password from the portable terminal together with the terminal information of the portable terminal;
Terminal determination means for determining whether or not the received terminal information matches the terminal information registered in advance in the terminal information storage means;
Password discrimination means for discriminating whether or not the received password matches the generated password;
If the received password matches the generated password, an authentication result for notifying an authentication result indicating successful authentication to the login input operation device specified by the device information associated with the generated password Notification means,
Login authentication program characterized by functioning as

Images