JP7311721B1 - Information processing device, information processing method, and program - Google Patents

Abstract

An information processing apparatus, an information processing method, and a program capable of preventing unauthorized login by others are provided.
Kind Code: A1 An information processing device capable of communicating with a first terminal device that has already been authenticated as a terminal device used by a user and a second terminal device that has not yet been authenticated, the second terminal device comprising: generating first code information and second code information and transmitting them to either one of the first terminal device and the second terminal device when a login request is received from the device; The first authentication information obtained by photographing and decoding and the second authentication information obtained by photographing and decoding the second code information are selected from among the first terminal device and the second terminal device. and an information processing device that authenticates the second terminal device based on the first authentication information and the second authentication information.
[Selection drawing] Fig. 3

Description

The present invention relates to an information processing device, an information processing method, and a program.

Conventionally, an authentication service using SMS (Short Message Service) is known. For example, in Patent Document 1, an SMS authentication value is sent to a pre-registered mobile device, an authentication window is displayed for the user to enter the SMS authentication value, and the SMS authentication value entered by the user is displayed. An authentication system has been proposed that performs personal authentication based on

Japanese Patent Application Publication No. 2019-517087

However, with the technology described in Patent Literature 1, if the SMS authentication value is stolen at a phishing site or the like, a phishing criminal may perform unauthorized login.

SUMMARY OF THE INVENTION It is an object of the present invention to provide an information processing apparatus, an information processing method, and a program capable of preventing unauthorized login by others.

One aspect of the present invention is an information processing device capable of communicating with a first terminal device that has already been authenticated as a terminal device used by a user and a second terminal device that has not yet been authenticated, When there is a login request from the second terminal device, after generating first code information in which the first authentication information is encoded, a second authentication information in which second authentication information different from the first authentication information is encoded is generated. a code information generation unit for generating code information; and transmitting the first code information and the second code information generated by the code information generation unit to either one of the first terminal device and the second terminal device. the first authentication information obtained by capturing and decoding the first code information and the second authentication information obtained by capturing and decoding the second code information from the other of the first terminal device and the second terminal device; and based on the first authentication information and the second authentication information received by the reception unit, the second 2. An information processing device comprising: an authentication unit that authenticates a terminal device.
is.

According to one aspect of the present invention, it is possible to provide an information processing device, an information processing method, and a program capable of preventing unauthorized login by others.

1 is a diagram showing an example of a configuration for realizing an electronic payment service; FIG. 1 is a diagram illustrating a general flow of electronic payment; FIG. 2 is a configuration diagram of a settlement server 100; FIG. 4 is a diagram showing an example of contents of user information 172. FIG. 8 is a flowchart illustrating an example of login authentication processing; FIG. 11 is a sequence diagram showing an example of first authentication processing; It is a figure which shows an example of the display screen of the 1st user terminal device 10A in which the QR code was displayed. FIG. 9 is a sequence diagram showing an example of second authentication processing according to the first embodiment; FIG. 10 is a diagram showing an example of a display screen of the second user terminal device 10B displaying a QR code; FIG. 11 is a sequence diagram showing an example of second authentication processing according to the second embodiment;

Hereinafter, an information processing apparatus, an information processing method, and a program according to the present invention will be described with reference to the drawings. An information processing device is realized by one or more processors. In the following explanation, the information processing device provides an electronic payment service, and is referred to as a "payment server". Any service may be provided. An electronic payment service is a service that supports payment related to purchase of goods and services at a store. A store is, for example, a physical store (actual store) that exists in real space.

<First Embodiment>
[Electronic payment service]
FIG. 1 is a diagram showing an example of a configuration for realizing an electronic payment service. An electronic payment service is implemented centering on the payment server 100 . The settlement server 100 communicates with each of one or more user terminal devices 10 and one or more shop terminal devices 50 via the network NW, for example. The network NW includes, for example, the Internet, a LAN (Local Area Network), wireless base stations, provider devices, and the like.

The user terminal device 10 is, for example, a portable terminal device such as a smart phone or a tablet terminal. The user terminal device 10 is a computer device having at least an optical reading function, a communication function, a display function, an input reception function, and a program execution function. In the following description, configurations for realizing these functions are respectively referred to as a camera, a communication device, a touch panel, a CPU (Central Processing Unit), and the like. In the user terminal device 10, the payment application 20 is executed by a processor such as a CPU, and operates in cooperation with the payment server 100 to provide electronic payment services to the user. The payment application 20 controls a camera, a communication device, a touch panel, and the like.

The store terminal device 50 is installed, for example, in a store. The store terminal device 50 is a computer device having at least a product price acquisition function, an optical reading function, a program execution function, and a communication function. The store terminal device 50 includes a so-called POS (Point of Sale) device, and the POS device may realize the product price acquisition function and the optical reading function. The store code image 60 is placed in a store, and a code image such as a QR code (registered trademark) is printed on a medium such as paper or plastic. Note that the store code image 60 may be displayed on a display placed in the store.

The payment server 100 implements electronic payment based on payment information received from the user terminal device 10 or the store terminal device 50 . The settlement server 100 performs electronic settlement, for example, by increasing or decreasing the charge balance managed in association with the user ID (in other words, depositing and withdrawing electronic money). Electronic payment may include those that enable purchase of a larger amount than the charge balance at the time of purchase by methods such as revolving payment and credit payment.

FIG. 2 is a diagram illustrating a general flow of electronic payment. There may be two types of electronic payment: pattern 1 and pattern 2. In the case of pattern 1, first, the payment application 20 is activated on the user terminal device 10, and a code image such as a QR code or barcode is displayed. The user holds up (presents) the display surface of the user terminal device 10 to the shop terminal device 50 . The shop terminal device 50 decodes the code image with an optical reading function and acquires information such as an account ID. The shop terminal device 50 then generates payment information including the account ID, payment amount, shop ID, etc., and transmits the payment information to the payment server 100 . The information on the payment amount is acquired in advance by reading a bar code, manually inputting it, or the like. Based on the received information, the payment server 100 transfers the payment amount from the user's electronic payment account to the store's electronic payment account, and completes the payment processing.

In the case of pattern 2, the user terminal device 10 with the payment application 20 activated decodes the store code image 60 by the optical reading function. The store code image 60 includes information such as the store name. The user inputs the settlement amount into the user terminal device 10 on the screen on which the store name and the like are displayed. Then, the user terminal device 10 generates payment information including the account ID, payment amount, store ID, etc., and transmits the payment information to the payment server 100 . The payment server 100 performs payment processing based on the received information. It should be noted that electronic payment may be performed only in one of the above patterns. Also, the "account ID" described in FIG. 2 may be other information (such as a telephone number) that can be used as user identification information.

[Settlement server]
FIG. 3 is a configuration diagram of the settlement server 100. As shown in FIG. The payment server 100 includes, for example, a communication unit 110, a payment content providing unit 120, a payment processing unit 122, a code information generation unit 124, a determination unit 126, an authentication unit 128, an information management unit 130, and a storage unit. 170. Components other than communication unit 110 and storage unit 170 are implemented by, for example, a hardware processor such as a CPU executing a program (software). Some or all of these components are hardware (circuit part; circuitry) or by cooperation of software and hardware. The program may be stored in advance in a storage device (a storage device with a non-transitory storage medium) such as a HDD (Hard Disk Drive) or flash memory, or may be stored in a removable storage such as a DVD or CD-ROM. It may be stored in a medium (non-transitory storage medium) and installed in the storage device by loading the storage medium into the drive device.

The storage unit 170 is an HDD, flash memory, RAM (Random Access Memory), or the like. The storage unit 170 may be a NAS (Network Attached Storage) device that can be accessed by the settlement server 100 via a network. Information such as user information 172 and payment content information 174 is stored in the storage unit 170 .

The communication unit 110 is a communication interface for connecting to the network NW. The communication unit 110 is, for example, a network interface card. The communication unit 110 has a function as a transmission unit that transmits information via the network NW and a function as a reception unit that receives information via the network NW.

The payment content providing unit 120 has, for example, a function of a web server, and provides the user terminal device 10 with information (contents) for displaying various screens of the electronic payment service. The payment content providing unit 120 appropriately reads necessary content from the payment content information 174 and provides it to the user terminal device 10 . The user terminal device 10 accepts various inputs from the user while the content is being reproduced by the payment application 20 , and transmits the above-described payment information and the like to the payment server 100 .

The payment processing unit 122 performs payment processing based on the payment information transmitted from the user terminal device 10 or the shop terminal device 50 . The payment processing unit 122 performs payment processing while referring to the user information 172 .

[User information]
FIG. 4 is a diagram showing an example of the contents of the user information 172. As shown in FIG. The user information 172 is an example of user registration information. The user information 172 includes, for example, an account ID (which may be omitted), a minimum necessary telephone number and password for new registration, an e-mail address, a user ID, a device ID, a charge balance, a bank account , credit card number, charge history information, and settlement history information. Information other than the phone number, password, device ID, charge balance, charge history information, and settlement history information is optional setting information. Hereinafter, a user instance (electronic settlement account) associated with these pieces of information will be referred to as an account. A phone number may be used as a login ID for an electronic payment service.

The user ID is an example of user identification information for the settlement server 100 to identify the user, and is information such as the user's nickname that can be arbitrarily set by the user. The device ID is an example of information for identifying the user terminal device 10 by the payment server 100 . For example, the device ID may be information generated by combining information such as IMEI (International Mobile Equipment Identifier), information on the manufacturer of the user terminal device 10, OS (Operating System) ID, and the like.

The charge balance is information indicating the balance of electronic money set by the user transferring money to the account in advance. Methods of remittance include remittance from an ATM (Automatic Teller Machine) of a designated trader (bank), remittance from a registered bank account, and the like. Each of the bank account and credit card number is information (account number, card number) of a bank account or credit card number that can deposit money into the electronic payment service. The charge history information is a history of the user's advance remittance to the electronic payment service to increase the charge balance. The payment history information is information indicating details of payments made by the user (date and time, shop ID of the shop where the purchase was made, payment amount, etc.) for each payment.

[Phishing method]
The user may attempt to log in to the electronic payment service using a terminal device other than the terminal device that has already been authenticated as the terminal device used by the user, such as when changing the model of the smartphone. . In this case, the authentication processing of the new terminal device is performed by the user inputting the authentication information from the existing terminal device. However, if the authentication information is illegally acquired by another person, there is a possibility that the user may illegally log in to the electronic payment service from the other person's terminal device. Therefore, the present embodiment aims to prevent unauthorized login by others (for example, phishing criminals). Therefore, before describing the details of the processing of the present embodiment, the method of phishing will be described.

Phishing is a fraudulent act to obtain information such as a user's login ID, password, and authentication code via the Internet. In recent years, the number of phishing sites has increased rapidly, and there is no end to the number of victims who are deprived of information such as login IDs, passwords, and authentication codes. This embodiment aims to reduce the number of login attempts by phishing criminals and to discourage phishing criminals from setting up a phishing site by increasing the login strength.

Phishers acquire the user's login ID (telephone number, etc.) and password in the following flow.
(1) A phishing criminal makes a user access a fake login site and enter a login ID and password.
(2) The phisher uses the input login ID and password to attempt to log in to the authorized login site from the terminal device of the phisher. At this time, since the access is from a device other than the user's terminal device, a message containing the authentication code is sent to the user's terminal device by SMS (Short Message Service) or the like in order to prevent unauthorized access.
(3) The phishing criminal displays a screen prompting the user to enter the authentication code notified by SMS on the fake login site.
(4) The phisher inputs the authentication code entered by the user into the fake login site into the legitimate login site using the terminal device of the phisher, and completes the login.

The problem with the above-mentioned phishing method is that the user enters the authentication code on the fake login site. Therefore, in the present embodiment, a terminal device that has already been authenticated as a terminal device used by a user (existing environment) and a terminal device that has not yet been authenticated (new environment) are physically close to each other. To enable login with a terminal device in a new environment only in a certain situation. The details of this embodiment will be described below.

[Login authentication process]
FIG. 5 is a flowchart illustrating an example of login authentication processing. The processing according to this flowchart is executed by the settlement server 100 . First, the communication unit 110 of the settlement server 100 receives a login request from the user terminal device 10 (S11). The login request includes information such as login ID (telephone number, etc.), password, and device ID.

Next, the authentication unit 128 compares the login ID (telephone number, etc.) and password included in the login request with the user information 172 to determine whether or not login authentication has succeeded (S12). Specifically, the authentication unit 128 determines that the login ID (telephone number, etc.) included in the login request is registered in the user information 172 and the password included in the login request matches the password included in the user information 172. If so, it is determined that the login authentication has succeeded. On the other hand, the authentication unit 128 determines that the login ID (telephone number, etc.) included in the login request is not registered in the user information 172, or the password included in the login request does not match the password included in the user information 172. In this case, it is determined that login authentication has failed.

If the authentication unit 128 determines that the login authentication has failed, it transmits a login failure notification to the user terminal device 10 (S13), and ends the processing according to this flowchart.

On the other hand, when the authentication unit 128 determines that the login authentication has succeeded, the authentication unit 128 compares the device ID included in the login request with the user information 172 to determine whether the login is from the new environment ( S14). Here, the new environment means a terminal device that has not been authenticated as a terminal device used by the user. Also, the existing environment means a terminal device that has already been authenticated as a terminal device used by the user.

Specifically, when the device ID included in the login request and the device ID included in the user information 172 do not match, the authentication unit 128 determines that the login is from the new environment. On the other hand, when the device ID included in the login request matches the device ID included in the user information 172, the authentication unit 128 determines that the login is from the existing environment.

If the authentication unit 128 determines that the login is not from the new environment (that is, if it is determined that the login is from the existing environment), the authentication unit 128 transmits a login success notification to the user terminal device 10 (S15). end the processing by

On the other hand, when the authentication unit 128 determines that the login is from the new environment, the determination unit 126 determines whether or not the login is from the payment application 20 (S16). When determining that the login is from the payment application 20, the authentication unit 128 executes a first authentication process, which will be described later (S17). On the other hand, when the authenticating unit 128 determines that the login is not from the payment application 20, the authenticating unit 128 executes a second authentication process, which will be described later (S18). If the login is not from the payment application 20, it is, for example, the login from the WEB browser.

The payment application 20 is installed in a terminal device equipped with a camera, such as a smartphone or a tablet terminal. Therefore, when the login is from the payment application 20, the first authentication process, which is an authentication process using the camera of the user terminal device 10 that has transmitted the login request, is performed. On the other hand, if the login is not from the payment application 20 (for example, if the login is from a WEB browser), the user terminal device 10 may not be equipped with a camera. Therefore, if the login is not from the payment application 20, the second authentication process, which is an authentication process that does not use the camera of the user terminal device 10 that has transmitted the login request, is performed. Details of the first authentication process and the second authentication process will be described below.

[First authentication process]
FIG. 6 is a sequence diagram illustrating an example of first authentication processing. In explaining this sequence diagram, a terminal device that has already been authenticated as a terminal device used by a user (existing environment) is assumed to be the first user terminal device 10A, and a terminal device that has not yet been authenticated (new environment). ) is the second user terminal device 10B. The first authentication process when a login request is made to the settlement server 100 from the second user terminal device 10B will be described below.

First, the communication unit 110 of the settlement server 100 transmits an SMS notification to the first user terminal device 10A in the existing environment (S101). SMS notification is notification by a short message using the user's phone number. The SMS notification contains a URL (Uniform Resource Locator) for activating the payment application 20 .

Upon receiving the SMS notification from the payment server 100, the first user terminal device 10A activates the payment application 20 (S102). For example, the first user terminal device 10A activates the payment application 20 in response to the user selecting the URL included in the SMS notification.

Next, the code information generator 124 of the settlement server 100 generates a QR code in which the authentication information is coded (S103). For example, the authentication information may be time-limited information such as a one-time password. Also, the code information generation unit 124 transmits the generated QR code from the communication unit 110 to the first user terminal device 10A (S104). When receiving the QR code from the payment server 100, the first user terminal device 10A displays the QR code on the screen of the payment application 20 (S105).

FIG. 7 is a diagram showing an example of the display screen of the first user terminal device 10A on which the QR code is displayed. As shown in FIG. 7, on the display screen of the first user terminal device 10A, a QR code C and a message such as "Please read the QR code with the new terminal" are displayed.

Next, the second user terminal device 10B in the new environment captures the QR code displayed on the first user terminal device 10A (S106). Specifically, the user uses the camera of the second user terminal device 10B to photograph the QR code displayed on the first user terminal device 10A.

Also, the second user terminal device 10B acquires the authentication information by decoding the captured QR code (S107). Then, the second user terminal device 10B transmits the acquired authentication information to the settlement server 100 (S108).

When the communication unit 110 of the settlement server 100 receives the authentication information from the second user terminal device 10B, the authentication unit 128 of the settlement server 100 performs verification processing of the authentication information (S109). Specifically, the authentication unit 128 determines whether or not the authentication information included in the QR code sent to the first user terminal device 10A matches the authentication information received from the second user terminal device 10B. . If the authentication information included in the QR code transmitted to the first user terminal device 10A and the authentication information received from the second user terminal device 10B do not match, the authentication unit 128 sends a login disapproval notice to the communication unit 110. to the second user terminal device 10B.

On the other hand, if the authentication information included in the QR code transmitted to the first user terminal device 10A matches the authentication information received from the second user terminal device 10B, the authentication unit 128 sends a login permission notice to the communication unit. 110 to the second user terminal device 10B (S110). As a result, login from the second user terminal device 10B in the new environment is permitted.

After that, the information management unit 130 updates the user information 172 (S111). Specifically, the information management unit 130 converts the device ID included in the login request transmitted from the second user terminal device 10B (that is, the device ID of the second user terminal device 10B) into the login request included in the login request. It is written in the user information 172 in association with an ID (telephone number, etc.).

According to the first authentication process described above, it is necessary to photograph the QR code displayed on the first user terminal device 10A with the second user terminal device 10B. In other words, since it is necessary to perform authentication in a situation where the first user terminal device 10A and the second user terminal device 10B are physically close to each other, unauthorized login by a phishing criminal can be prevented.

[Second authentication process]
FIG. 8 is a sequence diagram illustrating an example of second authentication processing according to the first embodiment. In the first authentication process described above, the settlement server 100 transmits the QR code to the first user terminal device 10A. shall be sent. This is because the camera may not be installed in the second user terminal device 10B. The second authentication process when a login request is made to the settlement server 100 from the second user terminal device 10B will be described below.

First, the communication unit 110 of the settlement server 100 transmits an SMS notification to the first user terminal device 10A in the existing environment (S201). As described above, the SMS notification is a short message notification using the user's phone number, and includes the URL for activating the payment application 20 .

Upon receiving the SMS notification from the payment server 100, the first user terminal device 10A activates the payment application 20 (S202). For example, the first user terminal device 10A activates the payment application 20 in response to the user selecting the URL included in the SMS notification.

Next, the code information generator 124 of the settlement server 100 generates a QR code in which the authentication information is coded (S203). For example, the authentication information may be time-limited information such as a one-time password. Also, the code information generation unit 124 transmits the generated QR code from the communication unit 110 to the second user terminal device 10B (S204). When the second user terminal device 10B in the new environment receives the QR code from the settlement server 100, it displays the QR code on the display section of the second user terminal device 10B (S205).

FIG. 9 is a diagram showing an example of the display screen of the second user terminal device 10B on which the QR code is displayed. As shown in FIG. 9, on the display screen of the second user terminal device 10B, a QR code C and a message such as "Please read the QR code with an existing terminal" are displayed.

Next, the first user terminal device 10A in the existing environment captures the QR code displayed on the second user terminal device 10B (S206). Specifically, the user uses the camera of the first user terminal device 10A to photograph the QR code displayed on the second user terminal device 10B.

Also, the first user terminal device 10A acquires authentication information by decoding the captured QR code (S207). The first user terminal device 10A then transmits the acquired authentication information to the settlement server 100 (S208).

When the communication unit 110 of the settlement server 100 receives the authentication information from the first user terminal device 10A, the authentication unit 128 of the settlement server 100 performs verification processing of the authentication information (S209). Specifically, the authentication unit 128 determines whether or not the authentication information included in the QR code sent to the second user terminal device 10B matches the authentication information received from the first user terminal device 10A. . If the authentication information included in the QR code sent to the second user terminal device 10B does not match the authentication information received from the first user terminal device 10A, the authentication unit 128 sends a login disapproval notification to the communication unit 110. to the second user terminal device 10B.

On the other hand, if the authentication information included in the QR code transmitted to the second user terminal device 10B matches the authentication information received from the first user terminal device 10A, the authentication unit 128 sends the login permission notification to the communication unit. 110 to the second user terminal device 10B (S210). As a result, login from the second user terminal device 10B in the new environment is permitted.

After that, the information management unit 130 updates the user information 172 (S211). Specifically, the information management unit 130 converts the device ID included in the login request transmitted from the second user terminal device 10B (that is, the device ID of the second user terminal device 10B) into the login request included in the login request. It is written in the user information 172 in association with an ID (telephone number, etc.).

According to the second authentication process described above, it is necessary to photograph the QR code displayed on the second user terminal device 10B with the first user terminal device 10A. In other words, since it is necessary to perform authentication in a situation where the first user terminal device 10A and the second user terminal device 10B are physically close to each other, unauthorized login by a phishing criminal can be prevented. In addition, unauthorized login can be prevented even if the camera is not installed in the second user terminal device 10B in the new environment.

As described above, the payment server 100 (information processing device) of the first embodiment includes the code information generation unit 124, the communication unit 110, the authentication unit 128, and the determination unit 126. The code information generation unit 124 generates a QR code (code information) in which authentication information is coded when a login request is received from the second user terminal device 10B. The communication unit 110 transmits the generated QR code to either one of the first user terminal device 10A and the second user terminal device 10B, and obtains by capturing and decoding the QR code. The authentication information received is received from the other of the first user terminal device 10A and the second user terminal device 10B. The authentication unit 128 authenticates the second user terminal device 10B based on the received authentication information. The determination unit 126 determines to which of the first user terminal device 10A and the second user terminal device 10B the QR code is to be sent according to the login method of the second user terminal device 10B. This makes it possible to prevent unauthorized login by others.

Further, in the first embodiment, the determination unit 126 determines whether the login request from the second user terminal device 10B is a login request from the payment application 20 or not. It was determined to which of the two user terminal devices 10B the QR code should be transmitted. Specifically, when the login request from the second user terminal device 10B is the login request from the payment application 20, the determining unit 126 determines to transmit the QR code to the first user terminal device 10A. If the login request from the user terminal device 10B is not the login request from the payment application 20, the determination unit 126 determines to transmit the QR code to the first user terminal device 10A. If the login request is from the payment application 20, it is assumed that the second user terminal device 10B is a mobile terminal device having a camera function. This is because the second user terminal device 10B is presumed to be a PC (Personal Computer) or the like that does not have a camera function. As a result, the QR code is reliably captured by the user terminal device 10 equipped with a camera, and the authentication process can be reliably performed.

Further, in the first embodiment, the communication unit 110 sends an SMS notification including an address for starting the payment application 20 to the first user terminal device 10A before the code information generation unit 124 generates the QR code. decided to send to As a result, the payment application 20 can be activated without delay in the first user terminal device 10A.

<Second embodiment>
In the first embodiment described above, authentication by QR code is performed only once. On the other hand, in the second embodiment, security is further strengthened by performing authentication using the QR code multiple times.

As shown in S205 of FIG. 8, in the second authentication process of the first embodiment, a QR code is displayed on the second user terminal device 10B. However, if a phisher displays this QR code on a fake login site and the user takes a picture of the displayed QR code with a user terminal device in the existing environment, there is a possibility that the phisher's terminal device will be illegally logged in. be. Therefore, when displaying the QR code on the second user terminal device 10B, it is preferable to display the QR code multiple times in as short a time as possible. In addition, since the first authentication process of the second embodiment is the same as the first authentication process of the first embodiment, the description thereof is omitted. Details of the second embodiment will be described below.

FIG. 10 is a sequence diagram illustrating an example of second authentication processing according to the second embodiment. The second authentication process when a login request is made to the settlement server 100 from the second user terminal device 10B will be described below.

First, the communication unit 110 of the settlement server 100 transmits an SMS notification to the first user terminal device 10A in the existing environment (S301). As described above, the SMS notification is a short message notification using the user's phone number, and includes the URL for activating the payment application 20 .

Upon receiving the SMS notification from the payment server 100, the first user terminal device 10A activates the payment application 20 (S302). For example, the first user terminal device 10A activates the payment application 20 in response to the user's selection of the URL included in the SMS notification.

Next, the code information generator 124 of the settlement server 100 generates a first QR code in which the first authentication information is coded (S303). For example, the first authentication information may be time-limited information such as a one-time password. Also, the code information generation unit 124 transmits the generated first QR code from the communication unit 110 to the second user terminal device 10B (S304).

When the second user terminal device 10B in the new environment receives the first QR code from the settlement server 100, it displays the first QR code on the display section of the second user terminal device 10B (S305). At this time, the second user terminal device 10B displays the first QR code for a first time (for example, 30 seconds). For example, in S304, the second user terminal device 10B receives information about the first time together with the first QR code from the settlement server 100, and displays the first QR code for the time corresponding to the received information about the first time. you can

Next, the first user terminal device 10A in the existing environment captures the first QR code displayed on the second user terminal device 10B (S306). Specifically, the user uses the camera of the first user terminal device 10A to photograph the first QR code displayed on the second user terminal device 10B.

Also, the first user terminal device 10A acquires the first authentication information by decoding the photographed first QR code (S307). Then, the first user terminal device 10A transmits the acquired first authentication information to the settlement server 100 (S308).

When the communication unit 110 of the settlement server 100 receives the first authentication information from the first user terminal device 10A, the authentication unit 128 of the settlement server 100 performs verification processing of the first authentication information (S309). Specifically, the authentication unit 128 determines whether the first authentication information included in the first QR code transmitted to the second user terminal device 10B matches the first authentication information received from the first user terminal device 10A. determine whether or not If the first authentication information included in the first QR code transmitted to the second user terminal device 10B does not match the first authentication information received from the first user terminal device 10A, the authentication unit 128 does not permit login. The notification is transmitted from the communication unit 110 to the second user terminal device 10B.

On the other hand, when the first authentication information included in the first QR code transmitted to the second user terminal device 10B matches the first authentication information received from the first user terminal device 10A, the code information generation unit 124 , a second QR code encoded with second authentication information different from the first authentication information is generated (S310). For example, the second authentication information may be time-limited information such as a one-time password. Also, the code information generation unit 124 transmits the generated second QR code from the communication unit 110 to the second user terminal device 10B (S311).

When the second user terminal device 10B in the new environment receives the second QR code from the settlement server 100, it displays the second QR code on the display section of the second user terminal device 10B (S312). At this time, the second user terminal device 10B displays the second QR code for a second time (for example, 5 seconds) that is shorter than the first time. For example, in S311, the second user terminal device 10B receives information about the second time together with the second QR code from the settlement server 100, and displays the second QR code for the time corresponding to the received information about the second time. you can

Note that when the first QR code is captured in S306, the first QR code is displayed for a relatively long time (for example, 30 seconds) in consideration of the activation time of the camera function because it is the first time the image is captured. . On the other hand, when the second QR code is photographed in S313, the camera function has already started, so the second QR code is displayed for a short time (for example, 5 seconds). This makes it possible to more reliably prevent the second authentication information from being illegally acquired by a phishing criminal.

Next, the first user terminal device 10A in the existing environment captures the second QR code displayed on the second user terminal device 10B (S313). Specifically, the user uses the camera of the first user terminal device 10A to photograph the second QR code displayed on the second user terminal device 10B.

Also, the first user terminal device 10A acquires the second authentication information by decoding the captured second QR code (S314). Then, the first user terminal device 10A transmits the acquired second authentication information to the settlement server 100 (S315).

When the communication unit 110 of the settlement server 100 receives the second authentication information from the first user terminal device 10A, the authentication unit 128 of the settlement server 100 performs collation processing of the second authentication information (S316). Specifically, the authentication unit 128 determines whether the second authentication information included in the second QR code transmitted to the second user terminal device 10B matches the second authentication information received from the first user terminal device 10A. determine whether or not If the second authentication information included in the second QR code transmitted to the second user terminal device 10B does not match the second authentication information received from the first user terminal device 10A, the authentication unit 128 does not permit login. The notification is transmitted from the communication unit 110 to the second user terminal device 10B.

On the other hand, if the second authentication information included in the second QR code transmitted to the second user terminal device 10B and the second authentication information received from the first user terminal device 10A match, the authentication unit 128 performs login. A notification of permission is transmitted from the communication unit 110 to the second user terminal device 10B (S317). As a result, login from the second user terminal device 10B in the new environment is permitted.

After that, the information management unit 130 updates the user information 172 (S318). Specifically, the information management unit 130 converts the device ID included in the login request transmitted from the second user terminal device 10B (that is, the device ID of the second user terminal device 10B) into the login request included in the login request. It is written in the user information 172 in association with an ID (telephone number, etc.).

According to the second embodiment described above, as in the first embodiment, unauthorized login by others can be prevented. Further, according to the second embodiment, after the code information generation unit 124 generates the first QR code (first code information) in which the first authentication information is encoded, the second authentication information different from the first authentication information is generated. A second QR code (second code information) in which information is encoded is generated, and the authentication unit 128 is used by the user when both the authentication based on the first QR code and the authentication based on the second QR code are successful. The second user terminal device 10B is authenticated as a terminal device that This makes it possible to more reliably prevent unauthorized logins by phishing criminals.

Further, according to the second embodiment, the time during which the second QR code (second code information) can be captured is shorter than the time during which the first QR code (first code information) can be captured. This makes it possible to more reliably prevent the second authentication information from being illegally acquired by a phishing criminal.

In addition, according to the second embodiment, as an example, authentication based on the first QR code and the second QR code is performed in the second authentication process, but the present invention is not limited to this. For example, authentication based on the first QR code and the second QR code may be performed in the first authentication process. Even if a phishing criminal can take a picture of the QR code displayed on the first user terminal device 10A in the existing environment, it is difficult to display the QR code multiple times in as short a time as possible. This is because it is effective in preventing unauthorized login. In this case, the communication unit 110 of the settlement server 100 transmits the first QR code and the second QR code to the first user terminal device 10A, and the second user terminal device 10B is displayed on the first user terminal device 10A. The first QR code and the second QR code are photographed, and the authentication unit 128 of the settlement server 100 selects the terminal device used by the user when both the authentication based on the first QR code and the authentication based on the second QR code are successful. The second user terminal device 10B may be authenticated as follows.

Note that in the first and second embodiments, the communication unit 110 first sends an SMS notification including an address for starting the payment application 20 prior to the code information generation unit 124 generating the QR code. Although it was decided to transmit to the user terminal device 10A, it is not limited to this. For example, the communication unit 110 may transmit a push notification for activating the payment application 20 to the first user terminal device 10A before the code information generation unit 124 generates the QR code. A push notification is a message that can be sent directly to the first user terminal device 10A, and is displayed on the first user terminal device 10A along with a notification sound. In this case, the user activates the payment application 20 on the first user terminal device 10A based on the push notification.

Further, in the first embodiment and the second embodiment, the description has been given on the premise that the payment application 20 is installed in the first user terminal device 10A. However, if the payment application 20 is not installed on the first user terminal device 10A, the communication unit 110 may send an SMS notification for installing the payment application 20 to the first user terminal device 10A. As a result, the payment application 20 can be used in the first user terminal device 10A, and the camera function can be activated from the payment application 20, for example.

In addition, in the first and second embodiments, the communication unit 110 provides location information based on the IP (Internet Protocol) address of the second user terminal device 10B or a log-in purpose (for example, a service to be logged in). The information may be transmitted to the first user terminal device 10A and displayed. This allows the user who owns the first user terminal device 10A to determine whether or not an unauthorized login is attempted by a phishing criminal.

In addition to the authentication processing of the first and second embodiments, the authentication unit 128 acquires the location information of the first user terminal device 10A and the location information of the second user terminal device 10B, If the distance between the user terminal device 10A and the second user terminal device 10B is within the predetermined distance, the same person is operating the first user terminal device 10A and the second user terminal device 10B. can be determined. The location information may be, for example, information obtained by GPS (Global Positioning System). In addition to the position information, the authentication unit 128 also uses sensor information obtained from the first user terminal device 10A and the second user terminal device 10B (degree of tilt of the user terminal device during operation, temperature information, humidity information, etc.). etc.), it may be determined whether or not the same person is operating the first user terminal device 10A and the second user terminal device 10B.

Note that in the first and second embodiments, the settlement server 100 performs the authentication process, but the present invention is not limited to this. For example, separately from the settlement server 100, an authentication server may be constructed as an information processing device that performs authentication processing.

As described above, the mode for carrying out the present invention has been described using the embodiments, but the present invention is not limited to such embodiments at all, and various modifications and replacements can be made without departing from the scope of the present invention. can be added.

10 user terminal device 20 payment application 50 shop terminal device 60 shop code image 100 payment server 110 communication unit (transmitting unit, receiving unit)
120 payment content providing unit 122 payment processing unit 124 code information generation unit 126 determination unit 128 authentication unit 130 information management unit 170 storage unit

Claims (11)

An information processing device capable of communicating with a first terminal device that has already been authenticated as a terminal device used by a user and a second terminal device that has not yet been authenticated,
When there is a login request from the second terminal device, after generating the first code information in which the first authentication information is encoded, the second authentication information in which the second authentication information different from the first authentication information is encoded is generated. a code information generator that generates 2-code information;
a transmission unit configured to transmit the first code information and the second code information generated by the code information generation unit to one of the first terminal device and the second terminal device;
The first authentication information obtained by photographing and decoding the first code information and the second authentication information obtained by photographing and decoding the second code information are transferred to the first terminal device. and a receiving unit that receives from the other one of the second terminal devices;
an authentication unit that authenticates the second terminal device based on the first authentication information and the second authentication information received by the reception unit;
with
The first code information is captured before the second code information,
The first authentication information and the second authentication information are time-limited information,
In order to further prevent unauthorized acquisition compared to the first authentication information, the time-limited period of the second authentication information is shorter than the time-limited period of the first authentication information.
Information processing equipment. An information processing device capable of communicating with a first terminal device that has already been authenticated as a terminal device used by a user and a second terminal device that has not yet been authenticated,
When there is a login request from the second terminal device, after generating the first code information in which the first authentication information is encoded, the second authentication information in which the second authentication information different from the first authentication information is encoded is generated. a code information generator that generates 2-code information;
a transmission unit configured to transmit the first code information and the second code information generated by the code information generation unit to the first terminal device;
the second authentication information obtained by capturing and decoding the first authentication information obtained by capturing and decoding the first code information and the second authentication information obtained by capturing and decoding the second code information; a receiver that receives from
an authentication unit that authenticates the second terminal device based on the first authentication information and the second authentication information received by the reception unit;
with
The first code information is captured before the second code information,
The first authentication information and the second authentication information are time-limited information,
In order to further prevent unauthorized acquisition compared to the first authentication information, the time-limited period of the second authentication information is shorter than the time-limited period of the first authentication information.
Information processing equipment. An information processing device capable of communicating with a first terminal device that has already been authenticated as a terminal device used by a user and a second terminal device that has not yet been authenticated,
When there is a login request from the second terminal device, after generating the first code information in which the first authentication information is encoded, the second authentication information in which the second authentication information different from the first authentication information is encoded is generated. a code information generator that generates 2-code information;
a transmission unit configured to transmit the first code information and the second code information generated by the code information generation unit to the second terminal device;
The first authentication information obtained by photographing and decoding the first code information and the second authentication information obtained by photographing and decoding the second code information are transferred to the first terminal device. a receiver that receives from
an authentication unit that authenticates the second terminal device based on the first authentication information and the second authentication information received by the reception unit;
with
The first code information is captured before the second code information,
The first authentication information and the second authentication information are time-limited information,
In order to further prevent unauthorized acquisition compared to the first authentication information, the time-limited period of the second authentication information is shorter than the time-limited period of the first authentication information.
Information processing equipment. The timed period of the first authentication information is a period longer than the activation time of the camera function for capturing the first code information.
The information processing apparatus according to any one of claims 1 to 3. The transmission unit transmits the second code information after the authentication unit completes authentication based on the first authentication information.
The information processing apparatus according to any one of claims 1 to 3. An information processing device capable of communicating with a first terminal device that has already been authenticated as a terminal device used by a user and a second terminal device that has not yet been authenticated,
When there is a login request from the second terminal device, after generating the first code information in which the first authentication information is encoded, the second authentication information in which the second authentication information different from the first authentication information is encoded is generated. 2 Generate code information,
transmitting the first code information and the second code information to one of the first terminal device and the second terminal device;
The first authentication information obtained by photographing and decoding the first code information and the second authentication information obtained by photographing and decoding the second code information are transferred to the first terminal device. and received from any other of the second terminal device,
authenticating the second terminal device based on the received first authentication information and the second authentication information ;
The first code information is captured before the second code information,
The first authentication information and the second authentication information are time-limited information,
In order to further prevent unauthorized acquisition compared to the first authentication information, the time-limited period of the second authentication information is shorter than the time-limited period of the first authentication information.
Information processing methods. An information processing device capable of communicating with a first terminal device that has already been authenticated as a terminal device used by a user and a second terminal device that has not yet been authenticated,
When there is a login request from the second terminal device, after generating the first code information in which the first authentication information is encoded, the second authentication information in which the second authentication information different from the first authentication information is encoded is generated. 2 Generate code information,
transmitting the first code information and the second code information to the first terminal device;
the second authentication information obtained by capturing and decoding the first authentication information obtained by capturing and decoding the first code information and the second authentication information obtained by capturing and decoding the second code information; receive from
authenticating the second terminal device based on the received first authentication information and the second authentication information ;
The first code information is captured before the second code information,
The first authentication information and the second authentication information are time-limited information,
In order to further prevent unauthorized acquisition compared to the first authentication information, the time-limited period of the second authentication information is shorter than the time-limited period of the first authentication information.
Information processing methods. An information processing device capable of communicating with a first terminal device that has already been authenticated as a terminal device used by a user and a second terminal device that has not yet been authenticated,
When there is a login request from the second terminal device, after generating the first code information in which the first authentication information is encoded, the second authentication information in which the second authentication information different from the first authentication information is encoded is generated. 2 Generate code information,
transmitting the first code information and the second code information to the second terminal device;
The first authentication information obtained by photographing and decoding the first code information and the second authentication information obtained by photographing and decoding the second code information are transferred to the first terminal device. receive from
authenticating the second terminal device based on the received first authentication information and the second authentication information ;
The first code information is captured before the second code information,
The first authentication information and the second authentication information are time-limited information,
In order to further prevent unauthorized acquisition compared to the first authentication information, the time-limited period of the second authentication information is shorter than the time-limited period of the first authentication information.
Information processing methods. To an information processing device capable of communicating with a first terminal device that has already been authenticated as a terminal device used by a user and a second terminal device that has not yet been authenticated,
When there is a login request from the second terminal device, the first code information in which the first authentication information is encoded is generated, and then the second authentication information different from the first authentication information is encoded. generate second code information;
causing either one of the first terminal device and the second terminal device to transmit the first code information and the second code information;
The first authentication information obtained by photographing and decoding the first code information and the second authentication information obtained by photographing and decoding the second code information are transferred to the first terminal device. and receive from either one of the second terminal devices,
authenticating the second terminal device based on the received first authentication information and the second authentication information ;
The first code information is captured before the second code information,
The first authentication information and the second authentication information are time-limited information,
In order to further prevent unauthorized acquisition compared to the first authentication information, the time-limited period of the second authentication information is shorter than the time-limited period of the first authentication information.
program. To an information processing device capable of communicating with a first terminal device that has already been authenticated as a terminal device used by a user and a second terminal device that has not yet been authenticated,
When there is a login request from the second terminal device, the first code information in which the first authentication information is encoded is generated, and then the second authentication information different from the first authentication information is encoded. generate second code information;
cause the first terminal device to transmit the first code information and the second code information;
the second authentication information obtained by capturing and decoding the first authentication information obtained by capturing and decoding the first code information and the second authentication information obtained by capturing and decoding the second code information; receive from
authenticating the second terminal device based on the received first authentication information and the second authentication information ;
The first code information is captured before the second code information,
The first authentication information and the second authentication information are time-limited information,
In order to further prevent unauthorized acquisition compared to the first authentication information, the time-limited period of the second authentication information is shorter than the time-limited period of the first authentication information.
program. To an information processing device capable of communicating with a first terminal device that has already been authenticated as a terminal device used by a user and a second terminal device that has not yet been authenticated,
When there is a login request from the second terminal device, the first code information in which the first authentication information is encoded is generated, and then the second authentication information different from the first authentication information is encoded. generate second code information;
cause the second terminal device to transmit the first code information and the second code information;
The first authentication information obtained by photographing and decoding the first code information and the second authentication information obtained by photographing and decoding the second code information are transferred to the first terminal device. receive from
authenticating the second terminal device based on the received first authentication information and the second authentication information ;
The first code information is captured before the second code information,
The first authentication information and the second authentication information are time-limited information,
In order to further prevent unauthorized acquisition compared to the first authentication information, the time-limited period of the second authentication information is shorter than the time-limited period of the first authentication information.
program.

Images