JP6928697B1 - Authentication device and authentication method - Google Patents

Abstract

PROBLEM TO BE SOLVED: To enable a telecommunications carrier to authenticate an information terminal using another telecommunications carrier. In an authentication system, an authentication device 1 is based on a storage unit 11 that stores line identification information, a reception unit 121 that receives an authentication request from an information terminal 3, and terminal identification information that can identify the information terminal 3. By referring to the storage unit 11, the determination unit 122 that determines whether or not the communication carrier used by the information terminal 3 is a specific communication carrier, and the communication carrier used by the information terminal make a specific communication. When the determination unit 122 determines that the information is a business operator, the storage unit 11 has the first authentication unit 123 that authenticates the information terminal 3 using the line identification information associated with the terminal identification information of the information terminal 3, and the information. When the determination unit 122 determines that the communication carrier used by the terminal 3 is not a specific communication carrier, the second authentication unit 124 that authenticates the information terminal 3 by a process different from that of the first authentication unit 123. Have. [Selection diagram] Fig. 2

Description

The present invention relates to an authentication device and an authentication method for authenticating an information terminal.

Conventionally, a service for transmitting and receiving messages using RCS (Rich Communication Services) in an information terminal has been provided (for example, Patent Document 1). The telecommunications carrier used by the information terminal authenticates the information terminal using RCS by collating the line identification information such as the telephone number and IP address (Internet Protocol address) of the information terminal with the information stored in advance. ..

Special Table No. 2016-532352

There are multiple telecommunications carriers that can use information terminals. Since the telecommunications carrier normally manages only the line identification information of the information terminal that uses the company, there is a problem that the information terminal that uses another telecommunications carrier cannot be authenticated.

The present invention has been made in view of these points, and an object of the present invention is to enable a telecommunications carrier to authenticate an information terminal using another telecommunications carrier.

The authentication device of the first aspect of the present invention is derived from a storage unit that stores line identification information that can identify whether or not the communication carrier used by the information terminal is a specific communication carrier, and an information terminal to be authenticated. By referring to the storage unit based on the receiving unit that receives the authentication request and the terminal identification information that can identify the authentication target information terminal, the communication company used by the authentication target information terminal can perform the specific communication business. When the determination unit determines whether or not the person is a person and the determination unit determines that the communication operator used by the authentication target information terminal is the specific communication operator, the authentication target in the storage unit. The first authentication unit that authenticates the authentication target information terminal using the line identification information associated with the terminal identification information of the information terminal, and the communication operator used by the authentication target information terminal are the specific communication business. It has a second authentication unit that authenticates the authentication target information terminal by a process different from that of the first authentication unit when the determination unit determines that the person is not a person.

After the first authentication unit transmits a message including the authentication information to the destination of the authentication target information terminal included in the line identification information associated with the terminal identification information of the authentication target information terminal in the storage unit. , The authentication target information terminal may be authenticated by receiving the authentication information from the authentication target information terminal.

The second authentication unit may authenticate the authentication target information terminal by inquiring to an authentication device managed by an external communication carrier different from the specific communication carrier.

The second authentication unit transmits a message including the authentication information to the destination of the authentication target information terminal associated with the terminal identification information of the authentication target information terminal in the authentication device, and then the authentication device causes the authentication device to perform the above. The authentication target information terminal may be authenticated by receiving the authentication information from the authentication target information terminal.

When the authentication device cannot authenticate the authentication target information terminal by the first authentication unit and the second authentication unit, or the authentication of the authentication target information terminal by the first authentication unit and the second authentication unit fails. In this case, it may further have a third authentication unit that authenticates the authentication target information terminal based on whether or not the position of the authentication target information terminal is within a predetermined range.

The third authentication unit may authenticate the authentication target information terminal based on whether or not the position of the authentication target information terminal is within the range in which communication with a predetermined base station device is possible.

The storage unit stores the line identification information in which the terminal identification information is associated with the IMSI (International Mobile Subscriber Identity), and the determination unit stores the terminal identification information of the authentication target information terminal in the storage unit. Based on the associated IMSI, it is determined whether the communication operator used by the authentication target information terminal is the first operator or the second operator, and the second authentication unit determines the authentication target information. The authentication target information terminal is subjected to different processing depending on whether the communication company used by the terminal is the first business operator or the communication business operator used by the authentication target information terminal is the second business operator. You may authenticate.

When the communication business operator used by the authentication target information terminal is the first business operator, the second authentication unit performs authentication information for the destination of the authentication target information terminal designated by the authentication target information terminal. After transmitting a message including, the authentication target information terminal is authenticated by receiving the authentication information from the authentication target information terminal, and the communication operator used by the authentication target information terminal is the second operator. In some cases, the second authentication unit may authenticate the authentication target information terminal by inquiring to the authentication device managed by the second business operator.

In the first authentication unit and the second authentication unit, the SIM (Subscriber Identity Module) is attached to the authentication target information terminal, inserted, and enabled, or the authentication target information terminal does not communicate. The authentication target information terminal may be authenticated when the communication is possible from the enable state.

The authentication method of the second aspect of the present invention is a step of storing in a storage unit line identification information executed by a computer, which can identify whether or not the communication carrier used by the information terminal is a specific communication carrier. The communication carrier used by the authentication target information terminal by referring to the storage unit based on the step of receiving the authentication request from the authentication target information terminal and the terminal identification information that can identify the authentication target information terminal. Is determined in the step of determining whether or not is the specific communication operator and the step of determining that the communication operator used by the authentication target information terminal is the specific communication operator. The step of authenticating the authentication target information terminal in the first authentication process using the line identification information associated with the terminal identification information of the authentication target information terminal in the storage unit, and the step of being used by the authentication target information terminal. When it is determined in the step of determining that the telecommunications carrier is not the specific telecommunications carrier, it has a step of authenticating the authentication target information terminal by a second authentication process different from the first authentication process. ..

According to the present invention, there is an effect that a telecommunications carrier can authenticate an information terminal using another telecommunications carrier.

It is a schematic diagram of the authentication system which concerns on embodiment. It is a block diagram of the authentication system which concerns on embodiment. It is a schematic diagram of the line identification information stored in the storage unit. It is a schematic diagram for demonstrating the method which an authentication apparatus authenticates by sending a message. It is a schematic diagram for demonstrating the method which the authentication apparatus authenticates based on the line identification information. It is a schematic diagram for demonstrating the method which the authentication apparatus authenticates based on the position of an information terminal. It is a sequence diagram of the authentication method executed by the authentication system which concerns on embodiment. It is a sequence diagram of the authentication method executed by the authentication system which concerns on embodiment. It is a sequence diagram of the authentication method executed by the authentication system which concerns on embodiment. It is a sequence diagram of the authentication method executed by the authentication system which concerns on a modification.

[Overview of Authentication System S]
FIG. 1 is a schematic diagram of the authentication system S according to the present embodiment. The authentication system S includes an authentication device 1, an external authentication device 2, an information terminal 3, and a message management device 4. The number of the external authentication device 2, the information terminal 3, and the message management device 4 included in the authentication system S is not limited, and a plurality of the external authentication device 2, the information terminal 3, and the message management device 4 may be provided. The authentication system S may include other devices such as servers and terminals.

The authentication device 1 is a computer managed by a telecommunications carrier. The telecommunications carrier is, for example, an MNO (Mobile Network Operator) that provides a communication service using a communication line owned or operated by the telecommunications carrier to the information terminal 3. The authentication device 1 authenticates the information terminal 3 so as to enable the use of, for example, RCS. The authentication device 1 performs wireless communication or wired communication with the external authentication device 2, the information terminal 3, and the message management device 4.

The external authentication device 2 is a computer managed by an external communication carrier different from the communication carrier. The external communication operator is, for example, an MVNO (Mobile Virtual Network Operator) that provides a communication service using a communication line provided by the MNO to the information terminal 3. The external authentication device 2 authenticates the information terminal 3 when receiving an inquiry from the authentication device 1.

The information terminal 3 is an information terminal associated with a user, such as a personal computer, a smartphone, or a tablet terminal. The user is, for example, a customer who has a contract with a telecommunications carrier or an external telecommunications carrier to use a communication line in the information terminal 3. The information terminal 3 has a display unit such as a liquid crystal display that displays information and an operation unit such as a touch panel that accepts operations by the user. Further, the information terminal 3 has a function of transmitting and receiving a message using RCS.

The message management device 4 is a computer managed by the business operator, and manages information related to messages sent and received by the information terminal 3. The business operator that manages the message management device 4 may be the same as or different from the communication business operator that manages the authentication device 1 or the external communication business operator that manages the external authentication device 2.

The message management device 4 is, for example, a relay device that relays messages such as SMS (Short Message Service) transmitted and received by the information terminal 3. The authentication device 1 or the external authentication device 2 may have the function of the message management device 4.

The outline of the process executed by the authentication system S according to the present embodiment will be described below. The authentication device 1 stores in advance the line identification information of the communication line used by the plurality of information terminals 3 in the storage unit. The line identification information is, for example, information in which the terminal identification information (for example, an IP address) assigned to the information terminal 3 and the IMSI (International Mobile Subscriber Identity) (including a telephone number) are associated with each other. The authentication device 1 stores line identification information managed by a specific telecommunications carrier (for example, MNO) in a storage unit. Therefore, in the authentication device 1, when the line identification information associated with the terminal identification information of the information terminal 3 is stored in the storage unit, the communication carrier used by the information terminal 3 is a specific communication carrier. If not, it can be determined that the telecommunications carrier used by the information terminal 3 is not a specific telecommunications carrier.

When using the RCS, the information terminal 3 transmits an authentication request to the authentication device 1 to enable the use of the RCS (a). The authentication device 1 receives an authentication request from the information terminal 3 (also referred to as an authentication target information terminal).

The authentication device 1 identifies the communication carrier used by the information terminal 3 by referring to the storage unit based on the terminal identification information (for example, IP address) of the information terminal 3 that is the source of the received authentication request. It is determined whether or not the user is a telecommunications carrier (for example, MNO) (b). When the authentication device 1 determines that the communication carrier used by the information terminal 3 is a specific communication carrier, the first authentication device 1 uses the line identification information associated with the terminal identification information of the information terminal 3 in the storage unit. The information terminal 3 is authenticated by the authentication process (c). For example, as the first authentication process, the authentication device 1 authenticates by transmitting a message to the destination (for example, a telephone number) of the information terminal 3 including the line identification information.

When the authentication device 1 determines that the telecommunications carrier used by the information terminal 3 is not a specific telecommunications carrier (for example, when it is an MVNO), the information terminal 3 is subjected to a second authentication process different from the first authentication process. Authenticate. The authentication device 1 authenticates the information terminal 3 by inquiring to the external authentication device 2 as the second authentication process (d). The authentication device 1 determines whether or not the authentication is successful based on the inquiry result received from the external authentication device 2.

The authentication device 1 transmits an authentication result indicating whether or not the authentication by the first authentication process or the second authentication process is successful to the information terminal 3.

In this way, in the authentication system S, the authentication device 1 determines whether or not the telecommunications carrier used by the information terminal 3 is a specific telecommunications carrier based on the line identification information transmitted by the information terminal 3. Depending on the determination result, either the first authentication process for authenticating the information terminal 3 using the information stored in the storage unit of the authentication device 1 itself or the second authentication process different from the first authentication process is performed. Run. As a result, the authentication device 1 can not only authenticate the information terminal 3 that uses the specific telecommunications carrier that manages the authentication device 1, but also the information terminal that uses another telecommunications carrier. 3 certifications can be made.

[Configuration of authentication system S]
FIG. 2 is a block diagram of the authentication system S according to the present embodiment. In FIG. 2, the arrows indicate the main data flows, and there may be data flows other than those shown in FIG. In FIG. 2, each block shows not a hardware (device) unit configuration but a functional unit configuration. Therefore, the block shown in FIG. 2 may be mounted in a single device, or may be mounted separately in a plurality of devices. Data can be exchanged between blocks via any means such as a data bus, a network, or a portable storage medium.

The authentication device 1 has a storage unit 11 and a control unit 12. The external authentication device 2 has a storage unit 21 and a control unit 22. The authentication system S is not limited to the specific configuration shown in FIG. The authentication device 1 and the external authentication device 2 may be configured by connecting two or more physically separated devices, respectively, by wire or wirelessly. Further, the authentication device 1 and the external authentication device 2 may each be configured by a cloud, which is a set of computer resources.

The storage unit 11 of the authentication device 1 is a storage medium including a ROM (Read Only Memory), a RAM (Random Access Memory), a hard disk drive, and the like. The storage unit 11 stores in advance the program executed by the control unit 12. The storage unit 11 may be provided outside the authentication device 1, and in that case, data may be exchanged with the control unit 12 via a network.

The control unit 12 of the authentication device 1 includes a reception unit 121, a determination unit 122, a first authentication unit 123, a second authentication unit 124, a third authentication unit 125, and a transmission unit 126. The control unit 12 is, for example, a processor such as a CPU (Central Processing Unit), and by executing a program stored in the storage unit 11, the reception unit 121, the determination unit 122, the first authentication unit 123, and the second authentication unit It functions as 124, a third authentication unit 125, and a transmission unit 126. At least some of the functions of the control unit 12 may be performed by an electric circuit. Further, at least a part of the functions of the control unit 12 may be realized by the control unit 12 executing a program executed via the network.

The storage unit 21 of the external authentication device 2 is a storage medium including a ROM (Read Only Memory), a RAM (Random Access Memory), a hard disk drive, and the like. The storage unit 21 stores in advance the program executed by the control unit 22. The storage unit 21 may be provided outside the external authentication device 2, and in that case, data may be exchanged with the control unit 22 via a network.

The control unit 22 of the external authentication device 2 has an authentication unit 221. The control unit 22 is, for example, a processor such as a CPU (Central Processing Unit), and functions as an authentication unit 221 by executing a program stored in the storage unit 21. At least a part of the function of the control unit 22 may be performed by an electric circuit. Further, at least a part of the functions of the control unit 22 may be realized by the control unit 22 executing a program executed via the network.

Hereinafter, the authentication process executed by the authentication device 1 and the external authentication device 2 will be described in detail. The storage unit 11 of the authentication device 1 and the storage unit 21 of the external authentication device 2 store the line identification information of the plurality of information terminals 3 in advance.

FIG. 3 is a schematic diagram of line identification information stored in the storage units 11 and 21. The line identification information is information that can identify whether or not the telecommunications carrier used by the information terminal 3 is a specific telecommunications carrier. The line identification information is, for example, information in which the IP address and the IMSI are associated with each other. The IMSI includes an MCC (Mobile Country Code) representing a country, an MNC (Mobile Network Code) representing a business operator, and an MSIN (Mobile Station Identification Number) representing a telephone number assigned to the information terminal 3.

The authentication device 1 stores the line identification information of the information terminal 3 that uses a specific communication carrier (for example, MNO) in the storage unit 11. On the other hand, the external authentication device 2 managed by an external communication carrier different from the specific communication carrier stores the line identification information of the information terminal 3 that uses the external communication carrier in the storage unit 21. Therefore, the authentication device 1 can identify whether or not the telecommunications carrier used by the information terminal 3 is a specific telecommunications carrier, depending on whether or not the line identification information is stored in the storage unit 11. The line identification information is not limited to the specific information shown in FIG. 3, and may be other information that can identify whether or not the telecommunications carrier is a specific telecommunications carrier.

When the same carrier provides two different communication services, the first communication service provided by the carrier (for example, the communication service as an MNO) is set as a specific carrier, and the carrier The second communication service to be provided (for example, a communication service as an MVNO) may be an external communication carrier.

The information terminal 3 transmits an authentication request for enabling the use of the RCS to the authentication device 1 when the predetermined start condition is satisfied. As a condition for starting authentication, the information terminal 3 has, for example, that the SIM (Subscriber Identity Module) is attached to the information terminal 3, the SIM is inserted, the SIM is enabled, or the information terminal 3 communicates. An authentication request is sent when the communication becomes possible from the impossible state. Further, in the information terminal 3, the software for using RCS is first started, the setting information of the software is updated, and the setting information of the software is transferred at the time of MNP (Mobile Number Portability). The authentication request may be transmitted when a predetermined period has elapsed from the time when the software was last used, or when the information terminal 3 roams the communication.

Further, the information terminal 3 may send an authentication request when a service used by RCS (for example, an inquiry to a financial institution, a transfer request, etc.) requires a certain degree of security or more. .. The degree of security required by a service is predefined for each service. The degree of security that triggers the authentication request may be set for each destination (corporation, etc.) of the message by RCS. As a result, the authentication system S can flexibly set the balance between convenience and security according to the service used by the user.

In the authentication device 1, the receiving unit 121 receives an authentication request from the information terminal 3 (also referred to as an authentication target information terminal). The determination unit 122 refers to the storage unit 11 based on the terminal identification information (for example, IP address) of the information terminal 3 that is the source of the authentication request received by the reception unit 121, so that the communication used by the information terminal 3 is used. Determine if the carrier is a specific carrier.

In the determination unit 122, for example, when the line identification information associated with the terminal identification information of the information terminal 3 that is the source of the authentication request is stored in the storage unit 11, the communication operator is a specific communication operator. If the line identification information associated with the terminal identification information of the information terminal 3 that is the source of the authentication request is not stored in the storage unit 11, it is determined that the communication operator is not a specific communication operator. That is, the determination unit 122 communicates when the storage unit 11 stores the line identification information (IP address and IMSI) including the terminal identification information (IP address) of the information terminal 3 which is the transmission source of the authentication request. It is determined that the operator is a specific carrier (MNO).

When the telecommunications carrier used by the information terminal 3 is an MVNO, the information terminal 3 transmits an authentication request to the authentication device 1 managed by the MNO, which is a series of the MVNO. Therefore, when the determination unit 122 determines that the telecommunications carrier is not a specific telecommunications carrier (MNO), it can be said that the telecommunications carrier used by the information terminal 3 is the MVNO.

When the determination unit 122 determines that the telecommunications carrier used by the information terminal 3 is a specific telecommunications carrier, the first authentication unit 123 uses the storage unit 11 to connect the line associated with the terminal identification information of the information terminal 3. The information terminal 3 is authenticated by the first authentication process using the identification information. For example, as the first authentication process, the first authentication unit 123 refers to the destination of the information terminal 3 including the line identification information associated with the terminal identification information of the information terminal 3 in the storage unit 11 via the message management device 4. The information terminal 3 is authenticated by sending a message. In the present embodiment, the destination of the information terminal 3 is a telephone number, but it may be an e-mail address or the like. In this case, the line identification information stored in the storage unit 11 includes a destination such as an e-mail address.

FIG. 4 is a schematic diagram for explaining a method in which the authentication device 1 authenticates by transmitting a message. The first authentication unit 123 transmits a message including the authentication information to the information terminal 3 via the message management device 4. The message is transmitted by, for example, SMS, but may be transmitted by other methods such as MMS (Multimedia Messaging Service) and e-mail. The authentication information is, for example, a character string generated at random or according to a predetermined rule.

The information terminal 3 displays the message received from the authentication device 1 on the display unit. The information terminal 3 receives the input of the authentication information included in the message from the user in the operation unit, and transmits the input authentication information to the authentication device.

In the authentication device 1, when the authentication information received from the information terminal 3 matches the authentication information included in the transmitted message, or the received authentication information and the authentication information included in the transmitted message are preliminarily stored in the first authentication unit 123. If it has a defined relationship, it is determined that the authentication was successful, and if it does not match or it does not have a predetermined relationship, it is determined that the authentication has failed.

As a result, the first authentication unit 123 transmits a message to the destination including the line identification information stored in the storage unit 11 for the information terminal 3 using the communication carrier which is the MNO that manages the authentication device 1. By doing so, it is possible to promptly authenticate without requiring the user to input the destination.

When the determination unit 122 determines that the communication carrier used by the information terminal 3 is not a specific communication carrier (that is, in the case of MVNO), the second authentication unit 124 is executed by the first authentication unit 123. The information terminal 3 is authenticated by a second authentication process different from the authentication process. The second authentication unit 124 executes either an inquiry to the external authentication device 2 or a message transmission to the information terminal 3 as the second authentication process.

FIG. 5 is a schematic diagram for explaining a method in which the authentication device 1 authenticates by inquiring to the external authentication device 2. The second authentication unit 124 attempts to authenticate the information terminal 3 by transmitting an inquiry to the external authentication device 2. The inquiry is, for example, information including terminal identification information of the information terminal 3 that is the source of the authentication request.

In the external authentication device 2, when the authentication unit 221 receives an inquiry from the authentication device 1, for example, the line identification information (IP address and IMSI) associated with the terminal identification information (IP address) included in the inquiry is stored in the storage unit. It is determined whether or not it is stored in 21. When the line identification information associated with the terminal identification information is stored in the storage unit 21, the authentication unit 221 stores the line identification information associated with the terminal identification information in the storage unit 21 in the same manner as in FIG. The information terminal 3 is authenticated by transmitting a message to the destination of the including information terminal 3 via the message management device 4.

When the authentication by transmitting the message is successful, the authentication unit 221 determines that the authentication of the information terminal 3 is successful. On the other hand, when the line identification information associated with the terminal identification information is not stored in the storage unit 21, or when the authentication by transmitting a message fails, the authentication unit 221 determines that the authentication of the information terminal 3 has failed. do.

The authentication unit 221 transmits an inquiry result indicating whether or not the authentication is successful to the authentication device 1. In the authentication device 1, the second authentication unit 124 determines whether or not the authentication is successful based on the inquiry result received from the external authentication device 2. Here, the external authentication device 2 sends a message for authentication to the information terminal 3, but the external authentication device 2 sends the destination of the information terminal 3 to the authentication device 1, and the authentication device 1 is sent from the external authentication device 2. A message for authentication may be sent to the received destination.

As a result, the second authentication unit 124 sends a message to the destination including the line identification information stored in the storage unit 21 of the external communication carrier for the information terminal 3 using the external communication carrier such as the MVNO. By transmitting, authentication can be performed promptly without requiring the user to input the destination.

When the second authentication unit 124 cannot make an inquiry to the external authentication device 2 (for example, when the external authentication device 2 does not exist or the external authentication device 2 cannot be used), the information terminal 3 to the information terminal 3 Accepts input of recipients (phone number, email address, etc.). Then, the second authentication unit 124 authenticates the information terminal 3 by transmitting a message to the destination of the information terminal 3 input in the information terminal 3 via the message management device 4 in the same manner as in FIG. do.

As a result, the second authentication unit 124 transmits a message to the destination input by the user for the information terminal 3 using the external communication carrier such as the MVNO even when the external authentication device 2 cannot be used. By doing so, the information terminal 3 can be authenticated.

By the way, there are cases where the MVNO telecommunications carrier can be determined based on the IMSI indicated by the line identification information stored in the storage unit 11. Therefore, the second authentication unit 124 may change the second authentication process to be executed according to the telecommunications carrier determined based on the IMSI. In this case, a telecommunications carrier is previously associated with each of at least a portion of the IMSI (ie, MCC, MNC, and MSIN) number bands. The determination unit 122 determines whether the communication carrier used by the information terminal 3 is the first carrier or the second carrier based on the IMSI associated with the line identification information included in the authentication request in the storage unit 11. judge.

The second authentication unit 124 is subjected to different processing depending on whether the telecommunications carrier used by the information terminal 3 is the first telecommunications carrier or the telecommunications carrier used by the information terminal 3 is the second telecommunications carrier. Authenticate the information terminal 3.

For example, the second authentication unit 124 accepts input of the destination (telephone number, e-mail address, etc.) of the information terminal 3 from the information terminal 3 when the communication carrier used by the information terminal 3 is the first business operator. Then, the second authentication unit 124 authenticates the information terminal 3 by transmitting a message to the destination of the information terminal 3 input in the information terminal 3 via the message management device 4 in the same manner as in FIG. do.

On the other hand, when the communication carrier used by the information terminal 3 is the second carrier, the second authentication unit 124 tells the external authentication device 2 the terminal identification information of the information terminal 3 which is the source of the authentication request. The information terminal 3 is authenticated by making an inquiry using.

As a result, the second authentication unit 124 can authenticate the information terminal 3 by an appropriate method according to the communication carrier used by the information terminal 3.

When the information terminal 3 cannot be authenticated by the first authentication unit 123 and the second authentication unit 124, or when the authentication of the information terminal 3 by the first authentication unit 123 and the second authentication unit 124 fails, the third authentication unit 125 Authenticates the information terminal 3 by the third authentication process based on the position of the information terminal 3.

FIG. 6 is a schematic diagram for explaining a method in which the authentication device 1 authenticates based on the position of the information terminal 3. The information terminal 3 communicates with the base station device 5 when it is located within the communicable range R of the base station device 5 provided with an antenna for wireless communication. The information terminal 3 transmits communication information that can identify the base station device 5 being communicated to the authentication device 1 periodically or when requested by the authentication device 1. The communication information includes, for example, a cell ID (Identification).

In the authentication device 1, the third authentication unit 125 identifies the base station device 5 corresponding to the cell ID included in the communication information received from the information terminal 3 as the base station device 5 with which the information terminal 3 is communicating. Then, the third authentication unit 125 determines whether or not the information terminal 3 is communicating with the predetermined base station device 5, that is, whether or not the position of the information terminal 3 is within the communicable range R of the predetermined base station device 5. The information terminal 3 is authenticated based on the above. The third authentication unit 125 authenticates, for example, when the information terminal 3 is communicating with the predetermined base station device 5, that is, when the position of the information terminal 3 is within the communicable range R of the predetermined base station device 5. Is determined to be successful, and if the position of the information terminal 3 is not within the communicable range R of the predetermined base station device 5, it is determined that the authentication has failed.

As a result, even if the information terminal 3 cannot be authenticated by the line identification information and the message transmission, the third authentication unit 125 can authenticate as long as it can communicate with the specific base station device 5. , User convenience can be improved.

The transmission unit 126 transmits an authentication result indicating whether or not the authentication by the first authentication unit 123, the second authentication unit 124, or the third authentication unit 125 is successful to the information terminal 3. The information terminal 3 executes or does not execute a predetermined function (for example, RCS) according to the authentication result received from the authentication device 1.

[Sequence of authentication method]
7, 8 and 9 are sequence diagrams of the authentication method executed by the authentication system S according to the present embodiment. The information terminal 3 transmits an authentication request for enabling the use of the RCS to the authentication device 1 when the predetermined start condition is satisfied (S11).

In the authentication device 1, the receiving unit 121 receives an authentication request from the information terminal 3 (also referred to as an authentication target information terminal). The determination unit 122 refers to the storage unit 11 based on the terminal identification information (for example, IP address) of the information terminal 3 that is the source of the authentication request received by the reception unit 121, so that the communication used by the information terminal 3 is used. It is determined whether or not the carrier is a specific telecommunications carrier (S12).

When the determination unit 122 determines that the telecommunications carrier used by the information terminal 3 is a specific telecommunications carrier (for example, when it is an MNO) (YES in S13), the first authentication unit 123 is stored in the storage unit 11. In, the information terminal 3 is authenticated by the first authentication process using the line identification information associated with the terminal identification information of the information terminal 3. For example, the first authentication unit 123 transmits a message including the authentication information to the destination of the information terminal 3 including the line identification information associated with the terminal identification information of the information terminal 3 in the storage unit 11 (S14).

The information terminal 3 displays the message received from the authentication device 1 on the display unit. The information terminal 3 receives the input of the authentication information included in the message from the user in the operation unit, and transmits the input authentication information to the authentication device (S15). In the authentication device 1, the first authentication unit 123 includes a case where the authentication information received from the information terminal 3 to which the message is transmitted matches the authentication information included in the transmitted message, or includes the received authentication information and the transmitted message. If the authentication information has a predetermined relationship defined in advance, it is determined that the authentication is successful, and if they do not match or the authentication information does not have a predetermined relationship, it is determined that the authentication has failed.

If the information terminal 3 cannot be authenticated by the first authentication unit 123 or fails (NO in S16), the authentication device 1 proceeds to step S31 in FIG. When the authentication of the information terminal 3 by the first authentication unit 123 is successful (YES in S16), the transmission unit 126 transmits an authentication result indicating that the authentication is successful to the information terminal 3 (S17).

When the determination unit 122 determines that the communication carrier used by the information terminal 3 is not a specific communication carrier (for example, MVNO) (NO in S13), the second authentication unit 124 performs the second authentication process. Inquiries are transmitted to the external authentication device 2 (S21). The inquiry is, for example, information including terminal identification information of the information terminal 3 that is the source of the authentication request.

In the external authentication device 2, when the authentication unit 221 receives an inquiry from the authentication device 1, for example, the line identification information (IP address and IMSI) associated with the terminal identification information (IP address) included in the inquiry is stored in the storage unit. It is determined whether or not it is stored in 21. When the line identification information associated with the terminal identification information is stored in the storage unit 21, the authentication unit 221 sends the destination of the information terminal 3 including the line identification information associated with the terminal identification information in the storage unit 21. A message including the authentication information is transmitted via the message management device 4 (S22).

The information terminal 3 displays the message received from the authentication device 1 on the display unit. The information terminal 3 receives the input of the authentication information included in the message from the user in the operation unit, and transmits the input authentication information to the authentication device (S23). In the authentication device 1, the authentication unit 221 indicates that the authentication information received from the information terminal 3 to which the message is sent matches the authentication information included in the transmitted message, or the received authentication information and the authentication information included in the transmitted message. If and have a predetermined relationship defined in advance, it is determined that the authentication is successful, and if they do not match or do not have a predetermined relationship, it is determined that the authentication has failed.

The authentication unit 221 transmits an inquiry result indicating whether or not the authentication was successful to the authentication device 1 (S24). In the authentication device 1, the second authentication unit 124 determines whether or not the authentication is successful based on the inquiry result received from the external authentication device 2.

Although omitted in FIG. 8, the second authentication unit 124 transmits a message to the destination of the information terminal 3 input in the information terminal 3 via the message management device 4 as the second authentication process. The information terminal 3 may be authenticated.

When the authentication of the information terminal 3 by the inquiry to the external authentication device 2 is successful (YES in S25), the transmission unit 126 transmits the authentication result indicating that the authentication is successful to the information terminal 3 (S26). If the information terminal 3 cannot be authenticated by inquiring to the external authentication device 2 or fails (NO in S25), the authentication device 1 proceeds to step S31 in FIG.

The information terminal 3 transmits communication information that can identify the base station device 5 being communicated to the authentication device 1 on a regular basis or when requested by the authentication device 1 (S31). The communication information includes, for example, a cell ID. In the authentication device 1, the third authentication unit 125 identifies the base station device 5 corresponding to the cell ID included in the communication information received from the information terminal 3 as the base station device 5 in which the information terminal 3 is communicating (S32). ..

The third authentication unit 125 determines whether or not the information terminal 3 is communicating with the predetermined base station device 5, that is, whether or not the position of the information terminal 3 is within the communicable range R of the predetermined base station device 5. Based on this, the information terminal 3 is authenticated (S33). The third authentication unit 125 authenticates, for example, when the information terminal 3 is communicating with the predetermined base station device 5, that is, when the position of the information terminal 3 is within the communicable range R of the predetermined base station device 5. Is determined to be successful, and if the position of the information terminal 3 is not within the communicable range R of the predetermined base station device 5, it is determined that the authentication has failed. The transmission unit 126 transmits an authentication result indicating whether or not the authentication is successful to the information terminal 3 (S34).

[Effect of this embodiment]
In the authentication system S according to the present embodiment, the authentication device 1 determines whether or not the communication carrier used by the information terminal 3 is a specific communication company based on the line identification information transmitted by the information terminal 3, and the determination result. Depending on the situation, either the first authentication process for authenticating the information terminal 3 using the information stored in the storage unit 11 of the authentication device 1 or the second authentication process different from the first authentication process is executed. .. As a result, the authentication device 1 can not only authenticate the information terminal 3 that uses the specific telecommunications carrier that manages the authentication device 1, but also the information terminal that uses another telecommunications carrier. 3 certifications can be made.

[Modification example]
In FIG. 8, the authentication device 1 starts the authentication of the information terminal 3 by the external authentication device 2 by inquiring to the external authentication device 2. However, the information terminal 3 sends an authentication request to the external authentication device 2 to start the authentication of the information terminal 3. The certification of 3 may be started.

FIG. 10 is a sequence diagram of an authentication method executed by the authentication system S according to this modification. The sequence of FIG. 10 is executed in place of the sequence of FIG. In FIG. 7, when the determination unit 122 determines that the communication carrier used by the information terminal 3 is not a specific communication carrier (NO in S13), the second authentication unit 124 attaches the information terminal 3 to the external authentication device 2 The redirect information for redirecting to is transmitted (S41). The redirect information includes, for example, a URL (Uniform Resource Locator) for accessing the external authentication device 2.

The information terminal 3 transmits an authentication request to the external authentication device 2 corresponding to the redirect information received from the authentication device 1. In the external authentication device 2, when the authentication unit 221 receives the authentication request from the information terminal 3, for example, the line associated with the terminal identification information (for example, IP address) of the information terminal 3 that is the source of the authentication request. It is determined whether or not the identification information (IP address and IMSI) is stored in the storage unit 21. When the line identification information associated with the terminal identification information is stored in the storage unit 21, the authentication unit 221 sends the destination of the information terminal 3 including the line identification information associated with the terminal identification information in the storage unit 21. A message including the authentication information is transmitted via the message management device 4 (S43).

The information terminal 3 displays the message received from the authentication device 1 on the display unit. The information terminal 3 receives the input of the authentication information included in the message from the user in the operation unit, and transmits the input authentication information to the authentication device (S44). In the authentication device 1, the authentication unit 221 indicates that the authentication information received from the information terminal 3 to which the message is sent matches the authentication information included in the transmitted message, or the received authentication information and the authentication information included in the transmitted message. If and have a predetermined relationship defined in advance, it is determined that the authentication is successful, and if they do not match or do not have a predetermined relationship, it is determined that the authentication has failed.

The authentication unit 221 transmits an authentication result indicating whether or not the authentication is successful to the authentication device 1 (S45). In the authentication device 1, the second authentication unit 124 determines whether or not the authentication is successful based on the authentication result received from the external authentication device 2.

When the authentication of the information terminal 3 is successful (YES in S46), the transmission unit 126 transmits an authentication result indicating that the authentication is successful to the information terminal 3 (S47). If the information terminal 3 cannot be authenticated or fails (NO in S46), the authentication device 1 proceeds to step S31 in FIG.

In this modification, the second authentication unit 124 redirects the information terminal 3 using an external telecommunications carrier such as MVNO to the external authentication device 2 of the external telecommunications carrier, and stores the external telecommunications carrier. By transmitting a message to the destination including the line identification information stored in 21, authentication can be performed promptly without requiring the user to input the destination.

Although the present invention has been described above using the embodiments, the technical scope of the present invention is not limited to the scope described in the above embodiments, and various modifications and changes can be made within the scope of the gist thereof. be. For example, the specific embodiment of the distribution / integration of the device is not limited to the above embodiment, and all or a part thereof may be functionally or physically distributed / integrated in any unit. Can be done. Also included in the embodiments of the present invention are new embodiments resulting from any combination of the plurality of embodiments. The effect of the new embodiment produced by the combination has the effect of the original embodiment together.

The processors of the authentication device 1, the external authentication device 2, and the information terminal 3 are the main constituents of each step included in the authentication methods shown in FIGS. 7, 8, 9, and 10. That is, the processors of the authentication device 1, the external authentication device 2, and the information terminal 3 read the program for executing the authentication method shown in FIGS. 7, 8, 9, and 10 from the storage unit, and execute the program. By doing so, the authentication methods shown in FIGS. 7, 8, 9 and 10 are executed. Some of the steps included in the authentication methods shown in FIGS. 7, 8, 9 and 10 may be omitted, the order between the steps may be changed, or a plurality of steps may be performed in parallel. good.

S Authentication system 1 Authentication device 11 Storage unit 12 Control unit 121 Reception unit 122 Judgment unit 123 1st authentication unit 124 2nd authentication unit 125 3rd authentication unit 126 Transmission unit 2 External authentication device 3 Information terminal 5 Base station device

Claims (10)

A storage unit that stores line identification information that can identify whether or not the telecommunications carrier used by the information terminal is a specific telecommunications carrier.
A receiver that receives an authentication request from the authentication target information terminal, and
By referring to the storage unit based on the terminal identification information that can identify the authentication target information terminal, it is determined whether or not the communication carrier used by the authentication target information terminal is the specific communication carrier. Judgment unit and
When the determination unit determines that the communication carrier used by the authentication target information terminal is the specific communication carrier, the line associated with the terminal identification information of the authentication target information terminal in the storage unit. The first authentication unit that authenticates the authentication target information terminal using the identification information,
When the determination unit determines that the communication carrier used by the authentication target information terminal is not the specific communication carrier, the second authentication unit authenticates the authentication target information terminal by a process different from that of the first authentication unit. Certification department and
Has an authentication device. After the first authentication unit transmits a message including the authentication information to the destination of the authentication target information terminal included in the line identification information associated with the terminal identification information of the authentication target information terminal in the storage unit. , The authentication target information terminal is authenticated by receiving the authentication information from the authentication target information terminal.
The authentication device according to claim 1. The second authentication unit authenticates the authentication target information terminal by inquiring to an authentication device managed by an external communication carrier different from the specific communication carrier.
The authentication device according to claim 1 or 2. The second authentication unit transmits a message including the authentication information to the destination of the authentication target information terminal associated with the terminal identification information of the authentication target information terminal in the authentication device, and then the authentication device causes the authentication device to perform the above. Authenticate the authentication target information terminal by receiving the authentication information from the authentication target information terminal.
The authentication device according to claim 3. When the authentication target information terminal cannot be authenticated by the first authentication unit and the second authentication unit, or when the authentication of the authentication target information terminal by the first authentication unit and the second authentication unit fails, the above. It further has a third authentication unit that authenticates the authentication target information terminal based on whether or not the position of the authentication target information terminal is within a predetermined range.
The authentication device according to any one of claims 1 to 4. The third authentication unit authenticates the authentication target information terminal based on whether or not the position of the authentication target information terminal is within the range in which communication with a predetermined base station device is possible.
The authentication device according to claim 5. The storage unit stores the line identification information in which the terminal identification information and the IMSI (International Mobile Subscriber Identity) are associated with each other.
In the determination unit, the communication carriers used by the authentication target information terminal are the first business operator and the second business operator based on the IMSI associated with the terminal identification information of the authentication target information terminal in the storage unit. Determine which is
The second authentication unit includes a case where the communication carrier used by the authentication target information terminal is the first business operator and a case where the communication carrier used by the authentication target information terminal is the second business operator. Authenticate the authentication target information terminal by different processes between
The authentication device according to any one of claims 1 to 6. When the communication business operator used by the authentication target information terminal is the first business operator, the second authentication unit performs authentication information for the destination of the authentication target information terminal designated by the authentication target information terminal. After transmitting the message including, the authentication target information terminal is authenticated by receiving the authentication information from the authentication target information terminal.
When the telecommunications carrier used by the authentication target information terminal is the second business operator, the second authentication unit makes an inquiry to the authentication device managed by the second business operator to inquire about the authentication target information terminal. Authenticate
The authentication device according to claim 7. The first authentication unit and the second authentication unit, the reception unit, wherein the at authentication target information terminal SIM (Subscriber Identity Module) is mounted, it has been inserted, it is now activated, or the authentication When the authentication request sent when the target information terminal changes from the incommunicable state to the communicable state is received, the authentication target information terminal is authenticated.
The authentication device according to any one of claims 1 to 8. Computer runs,
A step of storing line identification information in a storage unit that can identify whether or not the telecommunications carrier used by the information terminal is a specific telecommunications carrier.
Steps to receive an authentication request from the authentication target information terminal,
By referring to the storage unit based on the terminal identification information that can identify the authentication target information terminal, it is determined whether or not the communication carrier used by the authentication target information terminal is the specific communication carrier. Steps and
When it is determined in the step of determining that the telecommunications carrier used by the authentication target information terminal is the specific telecommunications carrier, the storage unit is associated with the terminal identification information of the authentication target information terminal. The step of authenticating the authentication target information terminal in the first authentication process using the line identification information, and
When it is determined in the step of determining that the telecommunications carrier used by the authentication target information terminal is not the specific telecommunications carrier, the authentication target information terminal is subjected to a second authentication process different from the first authentication process. Steps to authenticate and
An authentication method that has.

Images