KR101033547B1 - Otp authentification device and pc security log-on method using the same - Google Patents

Abstract

PURPOSE: An OTP authentication device and PC security log on method using the same are provided to establish a strong security level by using a OTP pass code as a user authentication method in a domain controller log on state of a client unit. CONSTITUTION: A user inputs a user ID, a logon password, a pass code in a client PC of a user comprising a client unit(140). The client PC requests authentication to an OTP authentication server(110) by using obtained user ID, a log on password and pass code. The OTP authentication server determines coincidence of user authentication information. The OTP authentication server transmits a user authentication result to the client unit. A domain controller(120) checks an authentication of the client unit. The domain controller transmits domain logon authority information to the client unit. The client unit attempts domain log on about a domain controller according to authority information.

Description

OTP authentication device and PC security logon method using same {OTP AUTHENTIFICATION DEVICE AND PC SECURITY LOG-ON METHOD USING THE SAME}

The present invention relates to an authentication device capable of providing a strong level of security through user authentication when a client computer logs on to a directory service, and a PC security logon method using the same.

Directory services, such as Active Directory, are provided in a Windows environment to efficiently manage directories in a complex enterprise computing environment.

Conventionally, when authenticating to a directory service such as Active Directory, user authentication is performed depending on input of a user ID or a user password.

However, the user authentication by inputting the user ID or user password causes a problem that anybody can log on to the Active Directory when the user ID or user password is leaked, thereby causing the data security of the enterprise to be critical.

The present invention has been made to solve the above-mentioned problems, and as a conventional method, the security of the enterprise is added by adding a third security means such as an OTP device, instead of simply logging on to the Active Directory by simply inputting a user ID or user password. It is to provide an OTP authentication device that can establish a level, and a PC security logon method using the same.

In one embodiment, the OTP authentication apparatus of the present invention, OTP device for generating a user-specific OTP passcode; A client unit displaying an OTP authentication dialog box in which the OTP passcode is input, and logging on to a domain controller of an active directory when the user is normally authenticated through the OTP authentication dialog box; User authentication information identical to the OTP passcode generated in the OTP device is stored, and if the OTP passcode generated in the OTP device and entered in the OTP authentication dialog box matches the stored user authentication information, the user is normal. An OTP authentication server determined to be authenticated; It includes.

In one embodiment, the PC security logon method of the present invention comprises the steps of: inputting the OTP passcode and the user ID generated in the OTP device to the client unit; The client unit making a user authentication request to an OTP authentication server using the user ID and the OTP passcode; Determining, by the OTP authentication server, whether the user authentication information is matched by comparing the user ID obtained from the client unit with the OTP passcode owned by the OTP passcode; Transmitting, by the OTP authentication server, the user authentication result to the client unit; Checking, by the domain controller, whether the user authenticates the user of the client unit and transferring domain logon authority information to the client unit; The client unit attempting to log on to the domain controller according to the domain logon authority information; It includes.

In one embodiment, the PC security logon method of the present invention, the user generates an OTP passcode using the OTP device, and enters the OTP passcode in the OTP passcode input window of the OTP authentication dialog box of the client unit, Requesting user authentication and OTP list by clicking the OTP list button of the OTP authentication dialog box; The client unit requesting a user authentication and an OTP list from an OTP authentication server; Generating, by the OTP authentication server, an OTP list containing the OTP passcode for a period of time in preparation for offline logon, and storing the OTP list in the OTP authentication server; Sending, by the OTP authentication server, the OTP list to the client unit; Storing, by the client unit, the OTP list in a local storage of the client unit; It includes.

According to the present invention, a strong security level can be established by using the OTP passcode generated by the OTP device as a user authentication means when logging on to the domain controller of the client unit, and user authentication is performed by using an OTP list downloaded in advance even when offline. There is an advantage to this.

1 is a block diagram showing the principle of time-synchronous OTP authentication.
2 illustrates a computer unlock dialog.
3 shows an OTP authentication dialog.
4 is a block diagram illustrating a configuration of an authentication apparatus of the present invention and a logon process using the same.
5 is a block diagram illustrating a process of downloading an OTP list in preparation for an offline state.
6 is a block diagram illustrating a process of logging on to a domain controller when offline.
FIG. 7 illustrates an authentication embodiment for a case where OTP authentication fails when online or offline.

Hereinafter, the embodiment according to the present invention will be described in detail. Terms specifically defined in consideration of the configuration and operation of the present invention may vary depending on the intention or custom of the user or operator. Definitions of these terms should be made based on the contents throughout the specification.

First, a directory can be defined in two ways. One definition is that the space that corresponds to the current folder, which was used since the DOS era, is called a directory. In another definition, a directory is used in the form of an "information repository" in the form of an "address." There are a large number of directories in the general enterprise, and the administrative burden is continuously increasing. It is called a directory service by making a database of information stored in a directory and providing it to users, computers, and applications that need it.

Active Directory is a directory service supported by Windows 2000 Server and above. For example, as a directory service that supports upgraded extensions on Windows NT Server or Windows XP Server, it supports advanced hierarchical directory services. It also supports integrated management of users, user groups and network data.

The purpose of using Active Directory in a corporate group with many user accounts is to manage network resources efficiently. In small workgroups, where each computer acts as a server / client, this is not a problem, but the number of users adding to folders or printers that need to be shared increases the administrative tasks of assigning individual permissions between users. It is very burdensome for the administrator to set the authority for and renew it. Collecting such policy setting information in one or two servers, and receiving this information from the server when necessary to use network resources, the administrator only needs to maintain the contents of the server, thereby facilitating overall resource management.

Active Directory satisfies LDAP, and is implemented on the Internet's DNS, and LDAP-compliant clients can access Active Directory. In addition, it can function in a corporate network composed of different models, and includes other directory services including NDS and NIS +, thus enabling integrated management of directories owned by the corporate network operating system, e-mail system, and groupware. Do.

The protocols supported by Active Directory are listed as follows.

Domain Name System (DNS): A flat NetBIOS domain name is provided for backward compatibility only, and DNS is a service for naming domains. DNS server, not WINS, is used to find domain controller.

② TCP / IP (Transmission Control Protocol / Internet Protocol): By adopting TCP / IP as the basic protocol, it enables the system operation optimized for Internet communication.

③ DHCP (Dynamic Host Configuration Protocol): It solves the error such as failure of client's IP acquisition due to wrong DHCP server by stopping DHCP service that did not get approval from Active Directory.

Kerberos: A secure authentication protocol that replaces NTLM in the domain environment. This provides single sign on and mutual authentication.

X.509: This is the standard protocol for PKI (Public Key Infrastructure) based certificate services. Active Directory supports the X.509 standard and allows users to be authenticated by mapping certificates and user accounts.

⑥ SNTP (Simple Network Time Protocol): When logging on from Windows, the time information of the user logging on is used. If the logon server and client time do not match, the user will fail to log on. The domain controller acts as a time server and provides synchronization with the time of clients that are members of the domain.

⑦ LDAP (Lightweight Directory Access Protocol): This protocol is used to access Active Directory. Active Directory is based on the LDAP protocol. If you want to query Active Directory, you need the LDAP protocol. The domain controller is the LDAP server and your computer is the LDAP client.

LDIF (LDAP Data Interchange Format) is a protocol used for Active Directory Database Replication between domain controllers.

In addition, the structure of the Active Directory can be divided into logical and physical structures.

The logical structure of Active Directory is a concept that is independent of the physical environment, regardless of where or how many servers are installed. The logical structure includes units such as OUs, domains, trees, and forests.

Domain is a unit that logically defines the scope of influence of Active Directory. Servers and client computers in a domain are placed within the scope of the directory service provided by Active Directory in the domain. By default, Active Directory is provided within the domain. If multiple domains were created due to the needs of the enterprise, each domain would have its own Active Directory.

On the other hand, a single domain may not meet the enterprise's computing needs. In this case, two or more domains are used, and two domains create two different security zones. This creates a need to share resources between domains. When using a multi-domain model rather than a single domain like this, two structures, tree and forest, are used depending on how to add a new domain when the first domain exists. Can be.

An organizational unit (OU) is a component of Active Directory for logically grouping and managing resources such as user accounts, computer accounts, printers, and folders that exist in Active Directory. For example, managers can organize resources in the form of Seoul OU, Busan OU, Daejeon OU, reflecting the organizational structure of the company divided into Seoul, Busan and Daejeon. In addition, OUs such as sales OU, management OU, and development team OU can be used to reflect the department. It uses a large unit called a domain and at the same time provides a flexible way of managing it as a smaller unit internally. In fact, one of the main reasons for using OU is to implement differentiated group policies by department, region, and user / PC type. Because the minimum unit for applying Group Policy in Active Directory is an OU, organizing users and computers into OUs can provide differentiated Group Policy. Even if the OU is separated, the overall policy of the domain where the OU belongs is maintained.

On the other hand, the physical structure of the Active Directory includes a unit such as a domain controller (DC), a site, and the like, serving the Active Directory.

The domain controller has a database named Active Directory, which contains common information that can be used within the realm of the domain. If the domain controller is damaged after the domain is configured, the domain's Active Directory is a serious problem. To prepare for this, it is possible to set up additional domain controllers in a domain. This added domain controller also has a separate Active Directory, but not a new Active Directory, but rather a replica of the first created domain controller's Active Directory. As a result, there is only one Active Directory in a domain. In this case, two domain controllers should propagate the contents of the newly created contents to other domain controllers to ensure consistency in the domain. This task is called "Active Directory replication." This duplication is also the work done within the domain.

In addition, Active Directory can store various information such as users, groups, computers, shared folders, printers, contacts, and organizational units (OUs) as objects. As such, when various objects such as a computer, a shared folder, and a printer are included in a directory, it becomes a base for providing a considerable convenience to an administrator.

Thus, Active Directory can serve as an integrated corporate directory by placing it centrally in the corporate network to reflect various requirements and solutions.

Next, OTP (One Time Password) will be described. OTP is a one-time password that is used for the user's identity online. The user must use a new OTP every time he wants to authenticate himself, and can only use it once and cannot reuse it. Once used, OTP cannot be used again, and it is difficult to add numbers. Therefore, OTP cannot be used even if OTP is exposed by various spyware or various hacking attacks, thus providing strong security.

Among them, the time synchronous OTP generates a number using a time value. If the time identified by the OTP device 100 and the OTP authentication server 110 matches, the same number is generated. To determine whether it is approved.

1 illustrates the principle of time-synchronous OTP authentication. Referring to this, for example, if the OTP token code displayed on the OTP device 100 when the OTP device 100 is turned on at 9:30 is 999428, a time defined from 9:30 (for example, 1 minute) The user enters the authentication request number 999428 within the Windows login screen. The OTP authentication server 110 that reads the input value already knows that the OTP token code at the time corresponding to 9:30 is 999428, and compares it with the authentication request number input from the client side to perform the authentication operation. do. As described above, the time-synchronous OTP has a shorter authentication validity time even when the security of the authentication number is leaked because the OTP token code is simultaneously changed in the OTP device 100 and the OTP authentication server 110 for each authentication validity time set to 1 minute. There is a safe advantage.

Hereinafter, various concepts related to OTP authentication of the present invention will be described.

The OTP device 100 is a personal hardware device that generates an OTP token code and has a unique serial number for each device. The OTP device 100 is unregistered at the time of shipment, and after the OTP device 100 is purchased by a user or an enterprise, personal information including a serial number, a specific user's name, and OTP PIN information to be used for authentication of a specific user. Are matched and registered by the administrator. Accordingly, when the owner is designated so that the OTP device 100 is used for authentication of a specific user, the OTP device 100 is assigned.

An OTP PIN (Personal Identification Number) is an identification number registered by a user when using the OTP device 100 for the first time.

The OTP token code is a series of numbers generated by the OTP device 100 and is updated every time (for example, one minute) as an authentication valid time in the case of time synchronization. The OTP token code is also stored in the OTP authentication server 110.

The passcode is a practical code used for authenticating a user using the OTP device 100. In the case of the software PIN method, the passcode is a combination of a four-digit PIN number (for example, 2579) and a six-digit OTP token code (for example, 999428). It is a digit number (for example, 2579 999428), and in the case of a hardware PIN method, a 6 digit number (for example, 999428) corresponding to a 6 digit OTP token code (for example, 999428).

2 illustrates a computer unlock dialog. The Unlock Computer dialog box is a dialog box that is displayed after the user has given a lock option to the client computer or after a screen saver runs. In the present invention, the interactive logon policy is applied to display user information (HEERIM \ 0001 in FIG. 2) when the session is locked.

Pressing the Ctrl + Alt + Del keys unlocks the computer and displays the OTP Authentication dialog 150, which shows the OTP Authentication dialog 150. FIG. In the illustrated embodiment, the user logs on to the Active Directory through an authentication process by inputting a user ID, a logon password, and an OTP passcode.

If the user ID or logon password is input, and a combination of the PIN number and the value output to the OTP device 100 as the OTP passcode is inputted to 2579 999428 described above, the user is logged on to the Active Directory through the authentication process.

As such, when the user logs in to the domain controller 120 of the Active Directory, an authentication process must be performed. The present invention enhances the security of the logon by allowing the user to input the OTP passcode in the authentication process.

The correlation between the domain controller and the OTP authentication server will be described with reference to Table 1 below.

Initially, the domain controller is not configured to allow authentication through an OTP device.However, if the system administrator or the user wants to log on using a separate security device such as an OTP device or other fingerprint reader, the domain controller can be configured. You can change it. In the setting change operation, a first table corresponding to the user ID and the OTP device identification information may be stored in the domain controller.

Here, the OTP device identification information may be in various forms such as serial information of the OTP device, PIN number of the OTP device, and arbitrary information uniquely designated for each OTP device.

However, OTP authentication server is in principle related to user's personal information or domain logon, such as user's name, user ID, security level at logon of user, domain logon information applied to user at logon of user. There is no information. The OTP authentication server has an OTP pass code synchronized with the OTP device and processes normal authentication data according to whether the OTP pass code matches. As such, the normal authentication data of the OTP authentication server is transferred to the domain controller. The domain controller compares the user's personal information and the company's policy information related to the domain logon with the normal authentication data received from the OTP authentication server. It performs security authentication at logon and sets system logon authority.

In summary, a first table in which the OTP device identification information including the serial number of the OTP device and the user ID, respectively, are stored in the domain controller. The first table is indicated by the red circle of dashed-dotted line in Table 1 above.

A second table in which the OTP device identification information and the OTP passcode are respectively corresponded is stored in the OTP authentication server. The second table is indicated by the blue square of the dashed-dotted line in Table 2 above.

When logging on to the client unit, the domain controller receives the second table from the OTP authentication server, and combines the first table and the second table together to determine whether the user is normally authenticated.

4 is a block diagram illustrating a configuration of an authentication apparatus of the present invention and a logon process using the same. Referring to this, the authentication apparatus of the present invention includes an OTP device 100, a domain controller 120, an OTP authentication server 110, a log recording unit 130, and a client unit 140. The authentication process through the authentication device of the present invention is as follows.

① The user inputs a user ID, a logon password, and a passcode into the client PC of the user constituting the client unit 140.

② The client PC makes an authentication request to the OTP authentication server 110 using the obtained user ID, logon password, and passcode.

③ The OTP authentication server 110 determines whether the user authentication information is matched by comparing the user ID obtained from the client PC with the passcode owned by the client PC. At this time, the authentication history is stored in the log recorder 130.

④ The OTP authentication server 110 sends the user authentication result to the client unit 140.

⑤ The domain controller 120 checks whether the client unit 140 is authenticated and transmits domain logon authority information to the client unit 140. That is, the domain controller 120 is assigned a serial number of the OTP device 100 for each user. For example, the OTP device 100 having the serial number A0001 assigned to Hong Gil-dong is normally authenticated from the OTP authentication server 110. If it is determined, the domain logon authority information of Hong Gil-dong is transmitted to the client unit 140.

When the network connecting the client unit 140, the OTP authentication server 110, and the domain controller 120 is online, and the OTP device 100 is a time synchronous OTP authentication method, the time defined as the authentication valid time ( For example, an OTP token code (e.g. 999428) or passcode (e.g. 2579 999428) that is updated every minute is stored in the OTP authentication server 110 (e.g. 999428) or passcode ( For example, it is determined whether or not authentication is performed according to 2579 999428).

⑥ According to the authority information, the client unit 140 attempts to log on to the domain controller 120.

5 is a block diagram illustrating a process of downloading an OTP list in preparation for an offline state.

When the user connects the client unit 140 in the form of a notebook PC to a remote location due to a vacation or a business trip, and the network connecting the client unit 140 and the OTP authentication server 110 is offline, the user may leave the vacation or business trip. The client unit 140 is connected to the domain controller 120 and the OTP authentication server 110 before the OTP token code or the OTP passcode during the offline period (for example, two weeks) corresponding to the vacation period or the business trip period. Download the list of OTPs included.

The user connects the client unit 140 to the domain controller 120 from a remote location and receives user authentication when logging on to the domain controller 120 using the downloaded OTP list.

That is, the user downloads the OTP list corresponding to the offline period to the client unit 140 in preparation for the offline state, and the downloaded OTP list is stored in the local storage of the client unit 140. During the offline period, the downloaded list of OTPs is used for logon authentication.

That is, when the network connecting the client unit and the OTP authentication server is online, the client unit is connected to the domain controller and the OTP authentication server, and the OTP list storing the OTP passcode for a predetermined period is downloaded to the local storage of the client unit. When the client unit is connected to a domain controller, the downloaded OTP list is used for user authentication.

As an embodiment, a logon authentication process for an offline state will be described. The OTP list, which stores OTP passcodes for a certain period of time (e.g., 2-3 days) during offline authentication, is downloaded to the local storage of the client portion, and then the downloaded OTP list at the logon portion of the client portion in the offline state. This is used for user authentication at logon.

In addition, when the OTP list download command is input through the client unit after the logon is selected according to a separate menu selection, the OTP list may be downloaded.

This will be described in the order illustrated in FIG. 5.

① The user generates an OTP passcode using the OTP device 100 and inputs the OTP passcode into the OTP passcode input window of the OTP authentication dialog 150 of the client unit 140 shown in FIG. 3. Meanwhile, the authentication and the OTP list request are made through the OTP list download menu.

② The client unit 140 requests the authentication and OTP list from the OTP authentication server 110.

③ The OTP authentication server 110 generates an OTP list containing an OTP passcode of a predetermined period in preparation for offline logon upon the authentication request, and stores the OTP authentication server 110 inside the OTP authentication server 110.

④ The OTP authentication server 110 sends the generated OTP list and other authentication parameters required for authentication to the client unit 140.

⑤ The client unit 140 stores the authentication parameter and the OTP list in a local storage such as a hard disk of the client unit 140.

As described above, the download of the OTP list in preparation for the offline state may be performed by a separate menu selection after logon, or the OTP list may be automatically downloaded to the client unit 140 at any time.

In one embodiment, if the user's menu input to download the OTP list storing the OTP passcode for a certain period of time (for example, 2 to 3 days) to the local storage of the client unit is received by the domain controller through the client unit, the OTP The list is downloaded to the local repository of the client portion, and then the downloaded OTP list is used for user authentication at logon when the client controller's domain controller logs on offline. Here, the 'scheduled period' to receive the OTP passcode can be changed to any period (3-4 weeks) by the user.

In one embodiment, when the client portion is logged on to the domain controller and the OTP authentication server with normal authentication, the OTP list including the OTP passcode is automatically downloaded to the local storage of the client portion, and the network connecting the client portion and the OTP authentication server is offline. When the client unit logs on to the domain controller in the state, the OTP list downloaded to the client unit is used for user authentication.

6 is a block diagram illustrating a process of logging on to the domain controller 120 when offline. This will be described in the order illustrated in FIG. 6.

① The user generates an OTP passcode using the OTP device 100, and the OTP passcode input window of the OTP authentication dialog box 150 of the client unit 140 shown in FIG. Input the generated OTP passcode to request authentication.

② The OTP authentication server 110 checks the existence of the OTP list at the time of the authentication request, and checks whether it belongs to the offline period.

③ The OTP authentication server 110 compares the OTP passcode entered in the OTP authentication dialog box 150 with the OTP list and processes the authentication.

④ The offline logon of the client unit 140 is completed according to the authentication.

FIG. 7 illustrates an authentication embodiment for a case where OTP authentication fails when online or offline. If the authentication of the OTP passcode generated using the OTP device 100 fails, an embodiment in which the client unit 140 and the domain controller 120 are completely blocked may be possible, but in some cases, the operation may be performed within a certain authority range. It is desirable to be able to. 7 is an embodiment for this case. That is, by using the local administrator account (Local Administrator account) of the client unit 140 to be logged in only within a certain range of authority and to induce PC work possible.

Although embodiments according to the present invention have been described above, these are merely exemplary, and it will be understood by those skilled in the art that various modifications and equivalent embodiments of the present invention are possible therefrom. Therefore, the true technical protection scope of the present invention will be defined by the following claims.

100 ... OTP devices
110 ... OTP Authentication Server
120.Domain Controller
130 Log Log
140.Client part
150 ... OTP Authentication Dialog

Claims (12)

An OTP device for generating a user-specific OTP passcode;
A client unit displaying an OTP authentication dialog box in which the OTP passcode is input, and logging on to a domain controller of an active directory when the user is normally authenticated through the OTP authentication dialog box;
User authentication information identical to the OTP passcode generated in the OTP device is stored, and if the OTP passcode generated in the OTP device and entered in the OTP authentication dialog box matches the stored user authentication information, the user is normal. An OTP authentication server determined to be authenticated; Including;
OTP device identification information including a serial number of the OTP device and a first table corresponding to the user ID are stored in the domain controller,
When the OTP device and the OTP authentication server generate or store the OTP passcode synchronized with each other, a second table corresponding to the OTP device identification information and the OTP passcode is stored in the OTP authentication server.
When the client unit logs on, the domain controller receives the second table from the OTP authentication server, and combines the first table and the second table together to determine whether the user is normally authenticated.
The method of claim 1,
The OTP device and the OTP authentication server generates or stores the OTP passcode in a time synchronous manner,
And the OTP passcode of the OTP device and the OTP authentication server are updated together at the same authentication valid time.
The method of claim 2,
The user authentication information,
And at least one of a serial number of the OTP device, personal information of a specific user corresponding to the serial number, and an OTP PIN of the OTP device.
The method of claim 3,
The OTP authentication server transmits a user authentication result comparing the OTP passcode generated in the OTP device and inputted to the OTP authentication dialog box with the user authentication information stored in the OTP authentication server, to the client unit,
And the domain controller transmits domain logon authority information of the client unit to the client unit according to the user authentication result sent from the OTP authentication server to the client unit when the client unit logs on a request.
The method of claim 4, wherein
A log recorder for storing an authentication history including the user authentication result of the OTP authentication server; OTP authentication device comprising a.
The method of claim 4, wherein
When the network connecting the client unit and the OTP authentication server is online, the client unit is connected to the domain controller and the OTP authentication server so that the OTP list storing the OTP passcode for a predetermined period is downloaded to the local storage of the client unit. Become,
The OTP authentication apparatus wherein the downloaded OTP list is used for the user authentication when the client unit is connected to the domain controller.
The method of claim 4, wherein
When the client unit is logged on to the domain controller and the OTP authentication server in a normal authentication state, an OTP list including the OTP passcode is automatically downloaded to the local storage of the client unit.
And the OTP list downloaded to the client unit is used for the user authentication when the client unit is connected to the domain controller while the network connecting the client unit and the OTP authentication server is offline.
The method of claim 4, wherein
The OTP list is downloaded to the local storage of the client according to a menu input to download the OTP list storing the OTP passcode for a predetermined period to the local storage of the client portion.
The downloaded OTP list is used for the user authentication upon logon to the domain controller of the client unit,
The predetermined time period for receiving the OTP passcode is selectable when the menu input.
The method according to any one of claims 1 to 8,
If the authentication of the OTP passcode fails, OTP authentication device that the client unit is logged in to the domain controller only within a certain authority range by using a local administrator account (Local Administrator account).
delete Inputting an OTP passcode and a user ID generated in the OTP device to the client unit;
The client unit making a user authentication request to an OTP authentication server using the user ID and the OTP passcode;
Determining, by the OTP authentication server, whether the user authentication information is matched by comparing the user ID obtained from the client unit with the OTP passcode owned by the OTP passcode;
Transmitting, by the OTP authentication server, the user authentication result to the client unit;
Checking, by the domain controller, whether the user authenticates the user of the client unit and transferring domain logon authority information to the client unit;
The client unit attempting to log on to the domain controller according to the domain logon authority information; Including;
OTP device identification information including a serial number of the OTP device and a first table corresponding to the user ID are stored in the domain controller,
When the OTP device and the OTP authentication server generate or store the OTP passcode synchronized with each other, a second table corresponding to the OTP device identification information and the OTP passcode is stored in the OTP authentication server.
And the domain controller receives the second table from the OTP authentication server, and combines the first table and the second table together to determine whether the user is normally authenticated.
A user generates an OTP passcode using an OTP device, inputs the OTP passcode in an OTP passcode input window of an OTP authentication dialog of a client unit, and requests a user authentication and an OTP list request through an OTP list download menu. ;
The client unit requesting a user authentication and an OTP list from an OTP authentication server;
Generating, by the OTP authentication server, an OTP list containing the OTP passcode for a period of time in preparation for offline logon, and storing the OTP list in the OTP authentication server;
Sending, by the OTP authentication server, the OTP list to the client unit;
Storing, by the client unit, the OTP list in a local storage of the client unit; PC security logon method comprising a.

Images