JP2020135377A - Authentication system - Google Patents

Abstract

To provide an authentication system which can be used without going through hassle of pre-registering a portable terminal in use, and which solves the security problem of spoofing that makes use of leaked values used for authentication, so as to offer improved user convenience and higher security.SOLUTION: An authentication server 11 and a user terminal 12 have respective synchronized authentication history databases 25, 61, and hash values of the authentication history databases are compared so that an authentication is deemed successful only when the hash values are identical.SELECTED DRAWING: Figure 1

Description

The present invention relates to authentication that does not require a card reader.

WYK (What You Know) authentication, which uses "information known only to the person" such as an ID and a password, is widely used as an authentication method for the system. On the other hand, apart from that, there is WYH (What You Have) authentication that uses "things that only the person has" such as IC cards and USB tokens. Compared to WYK certification, WYH certification has higher security strength because the actual product is required. On the other hand, since each terminal requires a reading device such as a card reader, there is a problem that initial investment cost and maintenance cost increase.

On the other hand, WYH authentication using smartphones, which have become widespread, is being considered. Most smartphones have a camera and QR code (registered trademark) recognition software, and are equipped with the hardware and software required as a reader. In addition, since it is owned by each individual, it has sufficient discriminating power as "thing that only the individual has".

Several such certification systems have been filed. In Patent Document 1, the QR code displayed on the operation terminal is read by a mobile phone owned by the user to perform pairing between the operation terminal and the mobile phone, and the mobile phone is used as an authentication server. On the other hand, a method of transmitting a one-time pass and identifying a user by combining the unique identification number of the mobile phone and the one-time pass has been proposed.

Further, Patent Document 2 discloses an authentication method using a smartphone owned by a user and a one-time random key (one-time pass).

Japanese Unexamined Patent Publication No. 2011-238036 Special Table 2017-515320

However, in the method of Patent Document 1, since a unique value called a unique identification number of the terminal is used for authentication, there is a security problem that if this value is leaked, spoofing becomes possible easily. Further, in the method of Patent Document 2, since the random key is transmitted from the authentication device side to the user's smartphone, it is necessary to know in advance the user to be authenticated and the smartphone owned by the user to be the transmission destination. I couldn't use it without registering my smartphone in advance.

Therefore, the present invention can be used without the trouble of pre-registering the mobile terminal to be used, and more conveniently by solving the security problem of spoofing due to leakage of the value used for authentication. The purpose is to provide an authentication system with high reliability and security.

This invention
It is an authentication method that uses an authentication server and a user terminal.
The authentication server and the user terminal having a user ID have an authentication history database that shares a synchronized authentication history for each user ID.
The authentication server generates and sends a one-time pass in response to an authentication request.
The user terminal generates authentication information including the one-time pass, the hash value of the authentication history database, and the user ID, and transmits the authentication information to the authentication server.
When the hash value of the authentication history database corresponding to the user ID included in the authentication information and the hash value included in the authentication information match, the authentication server includes the one-time included in the authentication information. Authenticate the authentication request corresponding to the path, send the authentication result, and
The authentication history change information including the authentication result is transmitted to the user terminal, and the authentication result is recorded in the authentication history database on the authentication server side.
The user terminal receives the result of the authentication and records it in the authentication history database on the user terminal side to realize synchronization between the authentication history databases.
The above problem was solved by the authentication method using the user terminal.

The authentication method further uses an operation terminal that receives authentication and operates.
The authentication request is transmitted from the operation terminal to the authentication server.
The authentication server generates a session ID together with the one-time pass, registers the one-time pass and the session ID in the issuance history database together with the authentication request source information of the operation terminal.
When transmitting the one-time pass, it is transmitted to the operation terminal as a code image together with connection information that enables connection to the authentication server.
The operation terminal displays the transmitted code image and displays the code image.
The user terminal captures the code image displayed on the operation terminal with a camera and analyzes it to acquire the one-time pass and the connection information.
When transmitting the authentication information to the authentication server, the user terminal acquires the address of the connection destination from the connection information.
When transmitting the authentication result, the authentication server acquires the session ID corresponding to the one-time pass from the issuance history database, and the authentication request source associated with the session ID corresponding to the session ID. Send the authentication result to the information,
Embodiments can be adopted.

The authentication server that executes the authentication method according to the present invention is
Each user ID has a server-side authentication history database in which the authentication history is synchronized with the user terminal used for authentication by the user ID.
A one-time pass generator that generates a one-time pass for the sent authentication request,
A one-time pass transmitter that transmits information including the one-time pass to the user terminal,
An authentication information receiving unit that acquires a one-time pass and a user ID included in the authentication information transmitted from the user terminal and a hash value of the authentication history included in the authentication history database on the user terminal side.
A server-side hash generator that generates a hash value of the authentication history included in the authentication history database corresponding to the acquired user ID included in the authentication information.
An authentication information analysis unit that compares the hash value of the authentication history included in the authentication information with the hash value of the authentication history generated by the authentication server and authenticates if they are the same.
A server-side authentication history update unit that records the authentication result, which is the result of the authentication, in the authentication history database on the authentication server side, and
An authentication result transmission unit that transmits the authentication result to the source of the authentication request and transmits authentication history change information including the authentication result to the user terminal to synchronize the authentication history databases with each other.
To execute.

The authentication server further receives from the operation terminal that has transmitted the authentication request, and receives the authentication request.
An issuance history registration unit that generates a session ID together with the one-time pass and registers the one-time pass and the session ID in the issuance history database together with the authentication request source information of the operation terminal.
A code image generator that uses the one-time path as a code image together with connection information that enables connection to the authentication server.
And
The code image is transmitted to the operation terminal as information including the one-time pass to be transmitted by the one-time pass transmission unit.
When the authentication result transmission unit transmits the authentication result, the session ID corresponding to the one-time pass is acquired from the issuance history database, and then linked to the session ID corresponding to the session ID. The authentication result is transmitted to the operation terminal indicated by the authentication request source information.
Embodiments can be adopted.

The user terminal that executes the authentication method according to the present invention is
It has a user ID, which is an identification code in the authentication server, and an authentication history synchronized between the authentication history database that the authentication server has for each user ID.
An image acquisition unit that reads a code image including the one-time path and connection information generated by the authentication server,
An image analysis unit that analyzes the code information and acquires the one-time path and the connection information.
A terminal-side hash generator that obtains the hash value of the authentication history,
An authentication information generation unit that generates authentication information from the one-time pass, the hash value, and the user ID.
An authentication information transmission unit that transmits the authentication information to the connection destination specified from the connection information,
A terminal-side authentication history update unit that receives the authentication result sent from the authentication server and records it in the authentication history database.
To execute.

The authentication method and authentication system according to the present invention synchronize an authentication history database between the authentication server and the user terminal, compare hash values of the authentication history of the authentication history database, and use the authentication history database for authentication. Therefore, even if the authentication history at a certain point is leaked from either side, even if a third party tries to authenticate using the authentication history, if the authentication history synchronized after that is changed, the authentication is performed. Since it will not be used, it provides higher security than using a unique value. Since recent smartphone software is easy to reverse engineer, spoofing can be easily performed by using a value unique to user authentication, but the authentication method according to the present invention can prevent this.

If you simply use a different authentication code for each authentication, you will have to deliver a new authentication code from the server each time you authenticate, but there is a risk of eavesdropping each time. On the other hand, in the authentication method according to the present invention, since the authentication using the information already shared at the stage where the authentication server and the user terminal try to authenticate is used, the authentication code distributed from the authentication server is eavesdropped. It is possible to perform highly secure authentication using a different value each time authentication is performed.

In addition, since the authentication request is sent from the operation terminal or the user terminal to the authentication server and the authentication server sends information to the operation terminal or the user terminal as a reply to the request, the authentication server grasps the address of the operation terminal or the user terminal in advance. You don't have to keep it. By reading the code image with the camera of the user terminal even through the operation terminal, the user terminal can acquire information such as a one-time pass and connection information and send the necessary information to the authentication server.

Further, the operation terminal does not need to be equipped with a dedicated device such as a card reader, and authentication by relaying information to the user terminal by displaying on the display becomes possible. Further, since it is not necessary to input an ID or the like into the operation terminal, it is possible to prevent the risk that personal information remains in the web browser or the like when the operation terminal is a shared PC or the like.

As a user terminal, the authentication method of the present invention can be used by using a dedicated application other than the method via a web browser. As a result, the service distribution company can be a platform that allows the user to provide further services by providing the application with the functions required for other businesses.

Functional block diagram of a first embodiment of a system that implements the authentication method according to the present invention. A table showing an example of a user information database in the first embodiment. A table showing an example of the server-side authentication history database in the first embodiment. A table showing an example of the issuance history database in the first embodiment A table showing an example of the terminal-side authentication history database in the first embodiment. The first half of the processing flow example in the first embodiment The latter half of the processing flow example in the first embodiment Functional block diagram of a second embodiment of a system that implements the authentication method according to the present invention. The first half of the processing flow example in the second embodiment The latter half of the processing flow example in the second embodiment

Hereinafter, the present invention will be described in detail. The present invention is an authentication method of WYH authentication that authenticates using a user terminal owned by a user, an authentication system that realizes the authentication system, an authentication server that constitutes the authentication server, a user terminal, and a program for executing a computer as them. is there.

The authentication server may be a single server or may be composed of a plurality of servers. It may have only the function as an authentication server according to the present invention, or may process the functions as other servers in parallel. It is necessary to be connected to an external network as a server, and it is desirable to be connected to the Internet. It also has a storage device and an arithmetic unit as a server. The parts and databases described below are the information recorded in these storage devices, the programs executed by the arithmetic units, or both.

The user terminal is a network-compatible terminal owned by an individual. A mobile phone capable of data communication with a mobile communication network is preferable. It is also preferable to have a camera and software for reading a one-dimensional or two-dimensional code. From the above, a smartphone on which software can be installed is preferably used.

The authentication method according to the present invention may be used for authentication performed by the user terminal, or may be used for authentication performed by an operation terminal provided separately from the user terminal. Such an operation terminal can be used as a shared client for offices that can be used in cooperation with the authentication server, or if it is installed in a public space and has a pay-as-you-go system or a time limit. Examples include shared personal computers. It may also be a bank or other ATM, or an issuing machine for membership services such as point services. These terminals can be used by being authenticated. In any case, it is desirable that the operation terminal has a display. The code image can be recognized by the user terminal through the display. In addition, it may have a device capable of transmitting information to the user terminal in the form of short-range wireless communication or the like. The method is not particularly limited as long as the information received from the authentication server can be passed to the user terminal. However, among them, if information is passed via the display, it is not directly connected to the user terminal, which is preferable in terms of security.

The authentication server connected from one of the operation terminals is not limited to one. For example, when the operation terminal installed in a department store is shared by tenant users, it is conceivable that different authentication servers are prepared for each company that manages the tenant. On the contrary, in the case of an operation terminal for a specific bank, the authentication server to be connected is fixed to one.

Further, the present invention relates to the authentication when a web browser, a dedicated application, game client software, or the like is started as the user terminal on a computer managed by an individual rather than shared, and a specific service is received via the software. An authentication method may be applied.

An example of the first embodiment of the authentication system that executes the authentication method according to the present invention will be described together with the functional block diagram of FIG.

The authentication server 11 has a user information database 21 (hereinafter, the database is abbreviated as "DB" in the figure. The same applies to other databases). The user information database 21 registers users who use the authentication method according to the present invention. It is necessary to have a user ID in order to identify individual users. This user ID is a unique key for the authentication server 11 or the entire authentication system. Further, the contact e-mail address and the possibility of authentication by the user terminal 12 may be registered in cooperation with the user ID. An example of this user information database 21 is shown in FIG.

The authentication server 11 has a server-side authentication history database 25. The server-side authentication history database 25 records the past authentication history for each user ID. It is not necessary to save all the past authentication results as the authentication history, but it is preferable in terms of security that the authentication results are saved for a plurality of times and can be used. The information to be stored needs to be discriminating information as an authentication history. FIG. 3 shows an example of an authentication history table stored in the server-side authentication history database 25. For each user ID, the one-time pass used for login and the authentication time are recorded. This information is synchronized for each user ID with the terminal-side authentication history database 61 recorded in the user terminal 12 held by the user of the user ID, which will be described later.

The authentication server 11 has connection information 22. This connection information includes an address for the operation terminal 13 and the user terminal 12 to connect via the network, such as the FQDN (Fully Qualified Domain Name) of the authentication server 11. In addition, other information such as information for permitting access to the authentication server 11 may be included. However, when the authentication server 11 used in the entire authentication method is fixed and the destination of the user terminal 12 is fixed, it is not necessary to include the connection information 22 in the code image described later.

The authentication server 11 has an issue history database 23. The issuance history database 23 temporarily records the one-time pass and session ID to be generated when an authentication request is received from the operation terminal 13 or the user terminal 12, and the authentication server 11 indicates that the terminal is being authenticated. Holds information to identify. An example of this issuance history database 23 is shown in FIG. The session ID and the one-time pass are unique keys for the authentication server 11 or the entire authentication system. The expiration date is the expiration date for accepting a series of authentication processes according to the authentication request. Since data reciprocates between the authentication server 11 and the user terminal 12, a longer time than the normal authentication expiration date may be secured.

As described above, the operation terminal 13 has a display 51 that displays an image as hardware. The display 51 may be the screen of a monitor or the like used when using the operation terminal 13, or may be some kind of sub-display. Further, it is connected to the authentication server 11 via a network, and information can be transmitted and received to the authentication server 11. Further, in addition to receiving the information for authentication from the authentication server 11, it is necessary to be able to execute the received service using the operation terminal 13. This is because authentication is performed in order to perform some work using the operation terminal 13. Therefore, although not shown, it may be connected to a server other than the authentication server 11. Further, the authentication server 11 may have other functions of providing the above service.

The user terminal 12 has a user ID 62. This is a code for the user who owns the user terminal 12 to identify an individual with respect to the authentication server 11 to be used, and corresponds to the code recorded in the user information database 21 described above. It is preferable that the data is recorded in the storage device of the user terminal 12 and can be read out as needed.

The user terminal 12 has a terminal-side authentication history database 61. In the terminal-side authentication history database 61, information synchronized with the authentication history recorded in the server-side authentication history database 25 is recorded for each user ID. Since the hash value to be described later is calculated, the information recorded in the server-side authentication history database 25, excluding the corresponding user ID of the user of the user terminal 12, should match the information related to the user ID. In addition, synchronization is achieved at the timing described later. FIG. 5 shows an example of the table held by the terminal-side authentication history database 61.

The user terminal 12 has an image acquisition unit 63. Specifically, it may be a camera. This is a device for reading the code image displayed on the display 51 of the operation terminal 13. The read code image is analyzed and extracted from the coded information as a one-dimensional bar code or a two-dimensional code, and is used by the user terminal 12.

6 and 7 show an example of a flow when the authentication method is executed by the authentication system consisting of the above hardware. Each processing unit will be described with reference to this flow example.

First, the user operates the operation terminal 13 and starts the authentication process in order to receive the service on the operation terminal 13 (S101). The login screen may be opened from the beginning or may be opened according to an operation (S102). When the operation terminal 13 can use a plurality of services, it is preferable to select the service to be used here. When the setting is to connect to a plurality of authentication servers 11, the authentication server 11 as the connection destination is selected according to the service. Of course, it may be fixedly connected to one authentication server 11. In any case, the authentication request transmission unit 52 of the operation terminal 13 transmits the authentication request to the authentication server 11 (S103).

The authentication server 11 receives the authentication request transmitted from the operation terminal 13 by the authentication request receiving unit 31 (S111). The authentication server 11 that has received the authentication request executes the session ID generation unit 32 and the one-time path generation unit 33. The session ID generation unit 32 generates a session ID associated with the authentication request (S112). This is a code for identifying a series of sessions until the completion or refusal of authentication. The one-time pass generation unit 33 generates a one-time pass (S113). The one-time pass is a code for identification that is transmitted to the operation terminal 13 and the user terminal 12 and is used for associating with the information received by the authentication information receiving unit 41 described later.

The authentication server 11 executes the issuance history registration unit 34 that registers the generated one-time path and the session ID in the issuance history database 23 (S114). This registered record is used when locating the operation terminal 13 for which authentication is requested in S156 later. Therefore, it is desirable to register the address of the operation terminal 13 as the authentication request source information that has sent the authentication request together with the session ID. This address may be an IP address or a port number indicating a session.

Further, the authentication server 11 executes a code image generation unit 35 that generates a code image including the connection information and the one-time path before, after, or in parallel with the issuance history registration unit 34 (S115). By reading the generated code image according to the standard, the connection information and the one-time path can be decoded. Further, the code image may be generated including the connection information and information other than the one-time pass. When the authentication server 11 to be connected to the user terminal 12 is fixed, the connection information previously grasped by the user terminal 12 is used without including the connection information in the code image. It may be in the form.

The authentication server 11 executes the code image transmission unit 36 that transmits the image data of the code image to the operation terminal 13 as the one-time pass transmission unit that transmits the one-time pass to the operation terminal 13 (S116). Specifically, the web server function of the authentication server 11 may be used to transmit the image data and other information such as a document for displaying the image data as a response to the authentication request. However, it can be appropriately selected depending on the setting and application of the operation terminal 13, and the protocol for transmitting the image data and the accompanying data are not particularly limited.

The operation terminal 13 receives the code image at the code image receiving unit 53 (S121). The received code image is displayed on the display 51 according to the image format (S122). As a result, it can be confirmed that the user who is going to be authenticated has received the necessary information.

The user terminal 12 owned by the user who intends to receive the authentication takes a picture of the display 51 on which the code image is displayed by the image acquisition unit 63 which is a camera (S131). The image analysis unit 64 that analyzes the acquired code image and acquires the one-time path and the connection information is executed (S132). In addition, when information other than these is included in the code image, that information is also acquired at the same time.

The user terminal 12 creates the authentication information from the one-time pass among the acquired information, but before that, the terminal-side hash generation unit that generates the hash value of the authentication history from the terminal-side authentication history database 61. 65 is executed (S134). Authentication is performed by matching this hash value with the hash value of the authentication history for the user ID of the user calculated by the server-side hash generation unit 44 described later. That is, although it is identification information for authentication along with the user ID, by using the hash value of the authentication history that is updated every time the user is used, the exchanged and collated values will continue to change. The authentication method for the invention has high security. It may be the entire hash value of the authentication history or a part of the hash value of the authentication history, but in some cases, how far is the authentication server 11 side and the user terminal 12 side? It is necessary to unify the setting of whether to use the history of.

The user terminal 12 generates authentication information from the hash value of the authentication history, the one-time pass acquired by the image analysis unit 64, and the user ID 62 held by the user terminal 12. Is executed (S135). Here, the authentication information is stored in a format in which the hash value, one-time path, and user ID can be retrieved. It is possible to send the data as it is, but it is desirable that the user ID is included and encoded in some form.

Further, the user terminal 12 executes the connection destination determination unit 67 that acquires the address of the authentication server 11 that is the connection destination from the connection information among the acquired information (S133). If the connection information includes necessary port numbers and other information other than the address, the connection destination, the command for connection, the setting value, etc. are determined by reflecting the information.

The user terminal 12 executes the authentication information transmission unit 68 that transmits the authentication information generated by the authentication information generation unit 66 to the connection destination acquired by the connection destination determination unit 67 (S136). When the user terminal 12 is a mobile phone (including a smartphone), it may be transmitted through a mobile phone line or a wireless LAN function, and basically it may be connected to the authentication server 11 via an Internet network. For example, the communication path is not particularly limited. On the other hand, there may be an embodiment in which the user connects to the authentication server 11 provided in the closed network only via the closed network without going through the Internet.

The authentication server 11 receives the authentication information (S141) and executes the authentication information receiving unit 41 that acquires the hash value of the authentication history included in the authentication information, the one-time pass, and the user ID (S141). S142). Basically, it is received via the Internet or the like through a network interface. As a server, it accepts the transmitted information and automatically decrypts it. At this stage, the authentication information is information sent individually and is not yet linked to the session ID.

The authentication server 11 executes the authentication information analysis unit 42 that analyzes the information included in the received authentication information and performs authentication. It consists of multiple stages of processing. First, it is determined whether or not the user ID included in the authentication information is registered in the user information database 21 as a valid user ID (S151). If it is not registered (S151 → No), it is determined that the authentication is performed by an unauthorized user and the authentication is rejected (S155). In addition, even if the information received as the authentication information does not include the information corresponding to the user ID in the first place, the authentication is similarly rejected.

If it is registered in the user information database 21 as a valid user ID (S151 → Yes), the authentication server 11 determines whether or not the one-time pass included in the authentication information exists in the issuance history database 23. Is determined (S152). If the one-time pass does not exist (S152 → No), the authentication is rejected. Since the authentication server 11 determines from which operating terminal 13 the authentication request is requested by the one-time pass, authentication is impossible in the first place if there is no matching one-time pass. If it is known that the user ID and the one-time pass exist (S152 → Yes), it can be determined that the process follows the authentication request made earlier by the existing user. Therefore, the authentication server 11 executes the server-side hash generation unit 44 that generates the hash value of the authentication history recorded in the server-side authentication history database 25 for the user ID confirmed to exist (S153). At this time, the authentication history other than the user ID is not included in the calculation of the hash value. Obtain a hash value for the authentication history of only the user ID that requests authentication. If the authentication history is synchronized between the authentication server 11 and the user terminal 12, the hash values of the same authentication history value are also the same, and the hash values are compared and matched. Whether or not it is determined (S154). If the hash values do not match (S154 → No), authentication fails (S155).

The authentication information analysis unit 42 of the authentication server 11 has the user ID (S151 → Yes), the one-time pass exists in the issuance history database 23 (S152 → Yes), and hashes the authentication history on the authentication server 11 side. If the value and the hash value of the authentication history on the user terminal 12 side match (S154 → Yes), it is processed that the authentication is successful. In that case, the session ID corresponding to the one-time pass is acquired from the issuance history database 23 (S156), and the authentication result is transmitted to the operation terminal 13 corresponding to the authentication request source information associated with the session ID. The authentication result transmission unit 45 is executed (S157). When the operation terminal 13 receives the authentication result of successful authentication, it determines that the service or the like to be provided by the operation terminal 13 has been authenticated, and executes the authentication result receiving unit 54 for starting the provision of the service (S161).

Further, the authentication server 11 also transmits the authentication result to the user terminal 12 as the authentication result transmission unit 45 for transmitting the authentication result (S158). In the embodiment of FIG. 1, it is executed by the same authentication result transmission unit 45 as in S161, but it may be transmitted separately. Here, as the authentication result, the information necessary as a history is transmitted together with the fact that the authentication was successful. In this example, the authentication time is transmitted together with the authentication result as information to be synchronized in both authentication history databases.

The user terminal 12 executes the authentication result receiving unit 71 that receives the authentication result and the authentication time (S171). Along with the received authentication time, the terminal-side authentication history update unit 72 that registers the one-time pass used for authentication in the terminal-side authentication history database 61 is executed (S172). In parallel with this work, the authentication server 11 executes the server-side authentication history update unit 43 that registers the one-time path and the authentication time used when authenticating the user ID in the server-side authentication history database 25. To do. By performing these in parallel, synchronization between the authentication history databases is realized, and when the next authentication is performed, the hash values generated by the respective hash generators (44, 65) become the same, and the authentication continues. It will be possible.

When the user first authenticates using the user terminal 12, neither the authentication server 11 side nor the user terminal 12 side has an authentication history database for the user ID of the user. Therefore, when the information not including the hash value is sent from the user terminal 12, the authentication server 11 may perform the initial setting. For the initial setting, an existing method that imposes other authentication information for the initial setting can be used. However, it is necessary that the authentication history databases (25, 61) synchronize the user IDs of the newly set users when the initial settings are completed.

The authentication method according to the present invention is not only used for authentication of an operation terminal 13 different from the user terminal 12 having the synchronized terminal-side authentication history database 61, but also the user terminal 12 itself may receive a service requiring authentication. It can also be used when The functional block diagram of the embodiment in that case is shown in FIG. 8, and the flowchart is shown in FIGS. 9 and 10. This second embodiment is modified as follows as compared to the first embodiment. There is no operation terminal 13, and the authentication request transmission unit 81 is executed by the user terminal 12 (S101a to S103a). Since the authentication request comes directly from the user terminal 12, the user terminal 12 holds the connection information of the authentication server 11 at this stage, and the authentication server 11 does not need the connection information 22. Further, since the one-time pass may be returned to the user terminal 12 as a direct response instead of transmitting the information via the code image, the code image generation unit 35 and the code image transmission unit 36 (S115, S116) Instead, the one-time pass transmission unit 39 that transmits the one-time pass to the user terminal 12 is executed (S116a). The user terminal 12 executes the one-time pass receiving unit 82 that receives the one-time pass (S132a), and does not execute the image acquisition unit 63 and the image analysis unit 64. Further, since the address of the authentication server 11 which is the connection destination is grasped without extracting the connection information from the code image, the connection destination determination unit 67 (S133) becomes unnecessary. There is no difference in comparing the hash values of the respective authentication history databases at the time of authentication (S134a to S136a). However, since the authentication result transmission unit 45 transmits the authentication result only to the user terminal 12 and the authentication request source to be the response destination is known without being acquired from the issuance history database 23, S156 becomes unnecessary and the user. The authentication result is transmitted to the terminal 12 as it is so that the service based on the authentication can be provided (S157a, S170). However, in terms of session management, it is preferable that the issuance history database 23 is managed. Further, in parallel with starting the service that has received the authentication result, the authentication history database is synchronized in the same manner as in the first embodiment.

If the authentication is successful in the present invention, and if the service is subsequently received from the same or linked server as the authentication server 11, the service can be received as it is, but the service is provided from a server separate from the authentication server 11. When receiving authentication for receiving, the authentication server 11 may also notify the authentication result to its separate server.

11 Authentication server 12 User terminal 13 Operation terminal 21 User information database 22 Connection information 23 Issuance history database 25 Server side authentication history database 31 Authentication request receiving unit 32 Session ID generation unit 33 One-time path generation unit 34 Issuance history registration unit 35 Code image Generation unit 36 Code image transmission unit 39 One-time pass transmission unit 41 Authentication information reception unit 42 Authentication information analysis unit 43 Server-side authentication history update unit 44 Server-side hash generation unit 45 Authentication result transmission unit 51 Display 52 Authentication request transmission unit 53 Code Image receiver 54 Authentication result receiver 61 Terminal-side authentication history database 62 User ID
63 Image acquisition unit 64 Image analysis unit 65 Terminal side hash generation unit 66 Authentication information generation unit 67 Connection destination judgment unit 68 Authentication information transmission unit 71 Authentication result reception unit 72 Terminal side authentication history update unit 81 Authentication request transmission unit 82 One-time pass Receiver

Claims (8)

An authentication method in which an authentication server and a user terminal have a synchronized authentication history database, compare hash values of the respective authentication history databases, and authenticate when they are the same. It is an authentication method that uses an authentication server and a user terminal.
The authentication server and the user terminal having a user ID have an authentication history database that shares an authentication history synchronized for each user ID.
The authentication server generates and sends a one-time pass in response to an authentication request.
The user terminal generates authentication information including the one-time pass, the hash value of the authentication history database, and the user ID, and transmits the authentication information to the authentication server.
When the hash value of the authentication history database corresponding to the user ID included in the authentication information and the hash value included in the authentication information match, the authentication server includes the one-time included in the authentication information. Authenticate the authentication request corresponding to the path, send the authentication result, and
The authentication history change information including the authentication result is transmitted to the user terminal, and the authentication result is recorded in the authentication history database on the authentication server side.
The user terminal receives the authentication result and records it in the authentication history database on the user terminal side to realize synchronization between the authentication history databases.
Authentication method using a user terminal. Furthermore, using an operation terminal that receives authentication and operates,
The authentication request is transmitted from the operation terminal to the authentication server.
The authentication server generates a session ID together with the one-time pass, registers the one-time pass and the session ID in the issuance history database together with the authentication request source information of the operation terminal.
When transmitting the one-time pass, it is transmitted to the operation terminal as a code image together with connection information that enables connection to the authentication server.
The operation terminal displays the transmitted code image and displays the code image.
The user terminal captures the code image displayed on the operation terminal with a camera and analyzes it to acquire the one-time pass and the connection information.
When transmitting the authentication information to the authentication server, the user terminal acquires the address of the connection destination from the connection information.
When transmitting the authentication result, the authentication server acquires the session ID corresponding to the one-time pass from the issuance history database, and the authentication request source associated with the session ID corresponding to the session ID. Send the authentication result to the information,
The authentication method according to claim 2. Each user ID has a server-side authentication history database in which the authentication history is synchronized with the user terminal used for authentication by the user ID.
A one-time pass generator that generates a one-time pass for the sent authentication request,
A one-time pass transmitter that transmits information including the one-time pass to the user terminal,
An authentication information receiving unit that acquires a one-time pass and a user ID included in the authentication information transmitted from the user terminal and a hash value of the authentication history included in the authentication history database on the user terminal side.
A server-side hash generator that generates a hash value of the authentication history included in the authentication history database corresponding to the acquired user ID included in the authentication information.
An authentication information analysis unit that compares the hash value of the authentication history included in the authentication information with the hash value of the authentication history generated by the authentication server and authenticates if they are the same.
A server-side authentication history update unit that records the authentication result, which is the result of the authentication, in the authentication history database on the authentication server side, and
An authentication result transmission unit that transmits the authentication result to the source of the authentication request and transmits authentication history change information including the authentication result to the user terminal to synchronize the authentication history databases with each other.
Authentication server to run. The authentication server further receives from the operation terminal that has transmitted the authentication request, and receives the authentication request.
An issuance history registration unit that generates a session ID together with the one-time pass and registers the one-time pass and the session ID in the issuance history database together with the authentication request source information of the operation terminal.
A code image generator that uses the one-time path as a code image together with connection information that enables connection to the authentication server.
And
The code image is transmitted to the operation terminal as information including the one-time pass to be transmitted by the one-time pass transmission unit.
When the authentication result transmission unit transmits the authentication result, the session ID corresponding to the one-time pass is acquired from the issuance history database, and then linked to the session ID corresponding to the session ID. The authentication result is transmitted to the operation terminal indicated by the authentication request source information.
The authentication server according to claim 4. A program for operating a computer as the authentication server according to claim 4 or 5. It has a user ID, which is an identification code in the authentication server, and an authentication history synchronized between the authentication history database that the authentication server has for each user ID.
An image acquisition unit that reads a code image including the one-time path and connection information generated by the authentication server, and
An image analysis unit that analyzes the code image and acquires the one-time path and the connection information.
A terminal-side hash generator that obtains the hash value of the authentication history,
An authentication information generation unit that generates authentication information from the one-time pass, the hash value, and the user ID.
An authentication information transmission unit that transmits the authentication information to the connection destination specified from the connection information,
A terminal-side authentication history update unit that receives the authentication result sent from the authentication server and records it in the authentication history database.
User terminal to execute. A program for operating a computer as the user terminal according to claim 7.

Images