KR20170053893A - Mobile authentication method using near field communication technology - Google Patents

Mobile authentication method using near field communication technology Download PDF

Info

Publication number
KR20170053893A
KR20170053893A KR1020150156368A KR20150156368A KR20170053893A KR 20170053893 A KR20170053893 A KR 20170053893A KR 1020150156368 A KR1020150156368 A KR 1020150156368A KR 20150156368 A KR20150156368 A KR 20150156368A KR 20170053893 A KR20170053893 A KR 20170053893A
Authority
KR
South Korea
Prior art keywords
authentication
server
user
smartphone
service
Prior art date
Application number
KR1020150156368A
Other languages
Korean (ko)
Other versions
KR101835718B1 (en
Inventor
고하준
고성석
Original Assignee
고하준
고성석
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 고하준, 고성석 filed Critical 고하준
Priority to KR1020150156368A priority Critical patent/KR101835718B1/en
Priority to US15/006,280 priority patent/US20170055146A1/en
Publication of KR20170053893A publication Critical patent/KR20170053893A/en
Application granted granted Critical
Publication of KR101835718B1 publication Critical patent/KR101835718B1/en

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/06Authentication
    • G06K9/00006
    • G06K9/00597
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06QINFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00Payment architectures, schemes or protocols
    • G06Q20/38Payment protocols; Details thereof
    • G06Q20/40Authorisation, e.g. identification of payer or payee, verification of customer or shop credentials; Review and approval of payers, e.g. check credit lines or negative lists
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3226Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using a predetermined code, e.g. password, passphrase or PIN
    • H04L9/3231Biological data, e.g. fingerprint, voice or retina
    • H04W4/008
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W88/00Devices specially adapted for wireless communication networks, e.g. terminals, base stations or access point devices
    • H04W88/02Terminal devices
    • G06K2009/00932

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Signal Processing (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Business, Economics & Management (AREA)
  • Accounting & Taxation (AREA)
  • General Physics & Mathematics (AREA)
  • General Business, Economics & Management (AREA)
  • Physics & Mathematics (AREA)
  • Theoretical Computer Science (AREA)
  • Health & Medical Sciences (AREA)
  • Life Sciences & Earth Sciences (AREA)
  • Biodiversity & Conservation Biology (AREA)
  • Biomedical Technology (AREA)
  • General Health & Medical Sciences (AREA)
  • Strategic Management (AREA)
  • Finance (AREA)
  • Telephonic Communication Services (AREA)
  • Telephone Function (AREA)

Abstract

The present invention relates to a method for mobile authentication and / or mobile payment through short-range wireless communication between a computer device and a smartphone.
The method of the present invention is structurally separated between a service process performed between the computer device 100 and the service server 300 and an authentication process performed between the smartphone 200 and the authentication server 400. [ The service process and the authentication process are connected through a short-range wireless communication between the computer device 100 and the smartphone 200. If the authentication result obtained between the smartphone 200 and the authentication server 400 is successful, the authentication server 400 notifies the service server 300, and the service server 300 returns the result to the screen of the computer device Lt; / RTI >

Description

[0001] MOBILE AUTHENTICATION METHOD USING NEAR FIELD COMMUNICATION TECHNOLOGY [0002]

The present invention relates to user authentication techniques. And more particularly to an authentication method using a mobile device.

Today, people use the Internet to conduct various e-commerce and authentication activities. It primarily runs a web browser through a personal computer to access the target website. Then, the target web site performs a series of authentication procedures. The biggest problem here is security issues caused by malicious hacking. Unique personal information such as credit card number as well as unique information about the individual can be hacked. Several attempts have been made to prevent this. One of the most widely used methods is to install software on a personal computer that blocks hacking and enhances security.

However, this causes severe inconvenience to the user. Users are required to update their software because they need to constantly improve their security vulnerabilities because they are accessing various websites and doing authentication activities, and there are a lot of software to install. In addition, malicious codes are used to mimic or exploit security software And that it can be done. This was because personal computers had authentication information.

If so, you can consider not storing your authentication information on your personal computer. And store it on the server of the certification authority. The personal computer can acquire an identifier capable of identifying it at a minimum and use the authentication information stored in the database of the server based on the identifier. Identifiers include ID, password, and cookie. The authentication information will be representative of the card information. For example, Amazon's one-click technology is typical. A server system related to Amazon One-Click Technology is disclosed in U.S. Patents US 5,960,411 and US 8341036.

According to this technique the user is very convenient. This is because it is not necessary to install the security program on the personal computer, and the authentication and settlement can be performed simultaneously by inputting the simple identifier without going through the complicated process. However, the more convenient the user, the greater the burden on the service provider. Security issues have become more sensitive. User authentication must be assertive. The server system should be protected against malicious attacks. Because there is always the risk of a catastrophic security incident, the service provider must make a wonderful effort and constantly improve security technology. Also, since the user must input information such as card information at least once into the server and must remember the identifier information, user convenience is not completely guaranteed.

The inventors of the present invention have long studied and pondered to solve the authentication problem in the above personal computer. Storing authentication information on a personal computer has the problem of installing complicated security software as described above. Storing and authenticating authentication information in a server system should place a tremendous security burden on service providers. In addition, the user must provide his / her personal information to the server system, and it is also inconvenient to have to remember the identifier information. We have come to the conclusion that we have to make a completely new attempt to solve these problems.

The inventors have explored mobile devices and biometric information technologies. While authentication activities in the Internet environment have become commonplace through personal computers (including notebooks), authentication methods in new environments have become widespread. Mobile authentication technology. You can store your credit card information on your mobile device and use it to make payments. You can also store biometric information, such as fingerprints, on your mobile device. The key point of the biometric information technology is that biometric information unique to each person can be acquired and easily recognized by recognizing the biometric information. Biometric information is unique to humans and can not be separated, so it can not be lost. Such biometric information can include face, voice, and signature, but fingerprints, finger veins, and irregularities are mainly studied. In view of the development of technology, the installation and configuration of equipment, and the ease of recognition, it is preferable to use a finger of a user. Biometric technology utilizing fingerprint or finger vein is typical. But how do you use it?

It is an object of the present invention to propose an authentication technique using biometric information, and to propose a new method that can be achieved through short-distance communication between heterogeneous devices.

Another object of the present invention is to provide a new biometric information authentication method which can completely prevent the risk of security incidents such as malicious access to a server or a device or hacking.

It is still another object of the present invention to provide a methodology for effectively authenticating biometric information even if the server does not have biometric information.

On the other hand, other unspecified purposes of the present invention will be further considered within the scope of the following detailed description and easily deduced from the effects thereof.

According to an aspect of the present invention, there is provided a mobile authentication method using near field wireless communication between disparate devices,

(a) generating an authentication event requesting execution of an authentication process in a service process provided by a service server to a host computer device;

(b) transmitting the authentication event information of the service process to the smartphone through short-range wireless communication through the short-range wireless communication device in which the host computer device is installed to execute the authentication process;

(c) performing a security authentication of a predetermined procedure by the smartphone receiving the authentication event information and transmitting the result to the host computer device through short-range wireless communication; And

(d) verifying the security authentication result of the smartphone received by the authentication server via the host computer device, and ending the authentication process.

In a mobile authentication method according to a preferred embodiment of the present invention, the step (d) comprises:

(1) the host computer device transmitting the security authentication result of the smartphone to the service server;

(2) transmitting the security authentication result of the smartphone to the authentication server by the service server;

(3) the authentication server verifies the security authentication result of the smartphone and transmits the verification result data to the service server; And

(4) If the verification result data corresponds to authentication success, the service server may include a step of continuing the service process according to a predetermined procedure.

Also, in the mobile authentication method according to another preferred embodiment of the present invention, the step (d) includes:

(1) the host computer device directly transmitting the security authentication result of the smartphone to the authentication server;

(2) the authentication server verifies the security authentication result of the smartphone and transmits verification result data to the host computer device;

(3) the host computer device transmitting the verification result data to the service server; And

(4) If the verification result data corresponds to authentication success, the service server may include a step of continuing the service process according to a predetermined procedure.

Further, in the mobile authentication method according to any one of the preferred embodiments of the present invention, the authentication event may include authentication for performing a predetermined subsequent process, authentication for authenticating an already performed process, Or may be an event requesting mobile authentication regarding one or more personal authentication.

Further, in the mobile authentication method according to the preferred embodiment of the present invention, the step (c) may further include biometric authentication using the biometric image data of the bio object.

Further, in the mobile authentication method according to any of the preferred embodiments of the present invention, the biometric object used in the biometric authentication may be any one of a fingerprint, finger vein, and iris.

In addition, in the mobile authentication method according to a preferred embodiment of the present invention, the short-range wireless communication device may be an NFC device.

According to a preferred embodiment of the present invention, there is an advantage that the service process and the authentication process are completely separated systematically. This has the great advantage that the service provider can configure the system and manage resources from the viewpoint of service provisioning. Since the service providing system does not have the information necessary for authentication or settlement, there is no object of security accident caused by malicious attack. This brings great benefits to users. It is not necessary to install various security programs on the user's device when accessing the system of the service provider, and there is no need for the user to provide personal information such as credit card information to the service provider.

According to the present invention, all the processes can be automatically terminated by pressing a button for requesting mobile authentication or mobile payment. In short, it has the advantage of providing users with the most convenient payment methods.

Further, according to the present invention, there is an advantage that authentication can be performed more securely from the attack of a malicious third party. Although the authentication process uses the smartphone biometric authentication method in the authentication process, since the biometric information is not stored in the device or the server, even if the user loses the device, the authentication server loses or hacks the DB information even if the third party maliciously hacks it. The biometrics information inherent to the user can be intrinsically blocked.

The present invention provides a complete and secure authentication method for all commercial or administrative procedures requiring authentication.

On the other hand, even if the effects are not explicitly mentioned here, the effect described in the following specification, which is expected by the technical features of the present invention, and its potential effects are treated as described in the specification of the present invention.

1 is a diagram showing a system configuration according to a preferred embodiment of the present invention.
FIG. 2 is a diagram schematically showing a concept according to a preferred embodiment of the present invention.
FIG. 3 is a view schematically showing a concept according to another preferred embodiment of the present invention.
4 is a schematic view illustrating a concept according to another preferred embodiment of the present invention.
5 is a diagram conceptually showing the relationship and configuration between heterogeneous devices performing near field wireless communication according to the present invention.
6 is a diagram showing various forms of examples of the host computer device 100 of the present invention.
7 is a view showing an example of various bio-objects performed in the smart phone 200 of the present invention.
8 to 11 are diagrams illustrating various scenarios to which the technical idea of the present invention is applied.
* The accompanying drawings illustrate examples of the present invention in order to facilitate understanding of the technical idea of the present invention, and thus the scope of the present invention is not limited thereto.

In the following description of the present invention, a detailed description of known functions and configurations incorporated herein will be omitted when it may obscure the subject matter of the present invention.

1 shows a system configuration according to a preferred embodiment of the present invention. A preferred system of the present invention comprises four elements. A host computer device 100, a service server 300, a smart phone 200, and an authentication server 400. A user of the host computer device 100 utilizes a service provided by the service server 300. [ The service at this time may be a web service provided through the Internet site 310. It may also be a platform service that connects and executes specific application software in another embodiment. However, in order for the user to completely use the service provided by the service server 300, the user authentication process may be required.

In this case, in the prior art, it was common to authenticate through the security program and the authentication software installed in the host computer device 100. There has been a case where hardware existing separately from the host computer device 100 is used, and the first method uses an OTP (One Time Password) terminal. The second method is to transmit a specific code to a user's mobile phone through a mobile communication network. Both of these methods require the user to enter the OTP or enter the code number received from the user screen of the host computer device. Whether in any way, whether using separate hardware or not, the service server 300 had to keep a database of the customer's unique data for security issues and accurate authentication. He was vulnerable to malicious attacks. To compensate for this vulnerability, the service server 300 has forced the user to install various security software on his / her device. This deteriorates the user environment in the host computer device 100.

In the context of the present invention, the security and / or authentication software installed in the host computer device 100 is minimally installed or not required. The service server 300 may be structurally minimal or non-existent with hardware / software means for security and / or authentication. This is because the service process and the authentication process are structurally separated.

[Separation of service process and authentication process 1]

The present invention systematically separates the service process and the authentication process. Figure 2 schematically depicts the process of a system according to some preferred embodiments of the present invention.

The service process is performed through communication between the host computer device 100 and the service server 300. On the other hand, the authentication process is performed through wireless communication between the smartphone 200 and the authentication server 400. It may be a mobile communication network and may be a wireless Internet network such as Wifi. The communication route between the service process and the authentication process is completely different. Also, communication subjects are completely different from each other. Therefore, in the system of the present invention, a malicious attack using the communication network and equipment of the service process is fundamentally blocked. Information about the user authentication can not be obtained even if the host computer device 100 is hacked or the service server 300 is attacked.

The connection between the service process and the authentication process is as follows. First, on the user side, a near field communication (NFC) device 110 installed in the host computer device 100 and a NFC device 210 embedded in the smart phone 200 are connected via short-range wireless communication. In addition, on the server side, it is performed through wired or wireless communication between the service server 300 and the authentication server 400. The authentication process is started on the user side and the authentication process is terminated on the server side.

The smartphone 200 receives authentication event information generated in the service process through short-range wireless communication with the host computer device 100. For example, the authentication event information between the host computer device 100 and the service server 200 can be received from the computer device 100 through the short-range wireless communication of the smartphone 200. At this time, the smartphone 200 acquires, from the host computer device 100 via the NFC communication, the identifier data capable of specifying the service process to be authenticated between the service server and the host computer device.

Then, real-time authentication is performed between the smartphone 200 and the authentication server 400 in a completely security-controlled manner. Most preferably, authentication is performed using biometric information of the user. This is because the system of the present invention is configured on the assumption that the user of the host computer device 100 and the user of the smartphone 200 are the same. Therefore, it should be ensured that the user of the smartphone 200 is obviously a person and that authentication of the authentication server 400 is not affected by theft or malicious attack. The best solution is to use biometric information. It is not excluded from various authentication methods provided by the smart phone 200. [ This will be described again below.

On the other hand, since the service process and the authentication process are separated, as described above, the service server 300 providing the service does not make a security request to the host computer device 100 in connection with communication with the host computer device 100 Also, you do not need to build a database for authentication. This guarantees that you can provide optimal service without using system tools that make users uncomfortable.

The service server 300 has hardware / software equipment for providing services and can have databases 301 and 303 necessary for service provision. These databases 301 and 303 are not necessarily databases required for user authentication at least. On the other hand, at least one of the databases 401 and 403 built in the authentication server 400 must be a database necessary for user authentication. Authentication server 400 has hardware / software equipment for authentication.

Although the service server 300 and the authentication server 400 are shown as one server device in the figure, the server server 300 and the authentication server 400 may be constituted by a plurality of server devices, a server set for providing services, . Therefore, it should be noted that even if various server devices are added to the service server 300 and / or the authentication server 400, it is not deviated from the protection scope of the present invention. Hereinafter,

[Separation of service process and authentication process 2]

Figure 3 schematically illustrates the process of a system according to another preferred embodiment of the present invention. In the above-described embodiment, all procedures related to authentication between the smartphone 200 and the authentication server 400 have been performed, and the authentication server 400 has notified the authentication server 400 of the authentication success event. On the contrary, the present embodiment emphasizes a configuration in which the service server 300 requests the authentication server 400 to verify the authentication results of the smartphone 200.

First, the service process is performed through communication between the host computer device 100 and the service server 300. In this service process, the smart phone 200 is excluded as in FIG. On the other hand, the authentication process is performed by the host computer device 100 requesting authentication of the smartphone 200 through short-range wireless communication. The smart phone 200 returns the result of authentication of the user to the host computer device 100 by short-range wireless communication. The authentication result is transmitted to the service server 300, and the service server 300 transmits a verification request for the authentication result to the authentication server 400. The authentication server (400) returns the verification result to the service server (300). Even in this embodiment, the host computer device 100 and the service server 300 do not store the authentication data because they merely transmit data. Therefore, in the system of the present invention, a malicious attack using the communication network and equipment of the service process is fundamentally blocked. Information about the user authentication can not be obtained even if the host computer device 100 is hacked or the service server 300 is attacked.

The configuration related to the connection of the service process and the authentication process is slightly different from the embodiment of Fig. First, on the user side, a near field communication (NFC) device 110 installed in the host computer device 100 and a NFC device 210 embedded in the smart phone 200 are connected via short-range wireless communication. In addition, in the server side, it is the same as that through the wired or wireless communication between the service server 300 and the authentication server 400. However, since the smart phone 200 and the authentication server 400 are not directly connected, different. Of course, the authentication process is initiated on the user side and the authentication process is terminated on the server side.

The smartphone 200 receives authentication event information generated in the service process through short-range wireless communication with the host computer device 100. For example, when an authentication event request between the host computer device 100 and the service server 200 occurs, the computer device 100 communicates with the smartphone 200 by the NFC module and requests authentication of the user. Unlike the embodiment of FIG. 2, the smartphone 200 does not necessarily acquire identifier data that can specify a service process to be authenticated between the service server and the host computer device from the host computer device 100. This is because the role of the smartphone 200 is to perform authentication and transmit the authentication result data to the host computer device 100 only.

Then, the smart phone 200 performs authentication in a completely security-controlled manner. Most preferably, authentication is performed using biometric information of the user. This is because the system of the present invention is configured on the assumption that the user of the host computer device 100 and the user of the smartphone 200 are the same. Therefore, it should be ensured that the user of the smartphone 200 is obviously the person himself. The best solution is to use biometric information. It is not excluded from various authentication methods provided by the smart phone 200. [ For example, in this embodiment, a predetermined method for additional authentication may also be added through the communication of the authentication server 400. [ However, it is preferable to consider that this embodiment may cause a situation where communication between the smartphone 200 and the authentication server 400 is impossible.

The encrypted authentication result data in the smartphone 200 is transmitted to the host computer device 100 and then to the service server 300 again. The service server 300 transmits the identifier data and the encrypted authentication result data that can identify the service process to be authenticated between the host computer device 100 and the service server 200 to the authentication server 400. The authentication server 400 decrypts and verifies the encrypted authentication result data in the host computer smartphone 200. Then, the log data is stored and the verification result data is transmitted to the service server 300. For verification, authentication data information such as user information, encryption key information, and hash values related to the user's biometric characteristic must be built in advance in the database of the authentication server 400. [

If the verification result data corresponds to authentication success, the service server 300 continues the service process through the screen of the host computer device 100 according to a predetermined procedure.

On the other hand, since the service process and the authentication process are separated, as described above, the service server 300 providing the service does not make a security request to the host computer device 100 in connection with communication with the host computer device 100 And a database for authentication may not be constructed in the service server 300. This guarantees that you can provide optimal service without using system tools that make users uncomfortable.

The service server 300 has hardware / software equipment for providing services and can have databases 301 and 303 necessary for service provision. These databases 301 and 303 are not necessarily databases required for user authentication at least. On the other hand, at least one of the databases 401 and 403 built in the authentication server 400 must be a database necessary for user authentication.

[Separation of service process and authentication process 3]

Figure 4 schematically depicts the process of a system according to another preferred embodiment of the present invention. In the above-described embodiment, the service server 300 requests the authentication server 400 to verify the identity authentication result performed by the smartphone 200. However, in this embodiment, the host computer device, not the service server 300, emphasizes the configuration in which a verification request is directly sent to the authentication server 400 via the communication network.

First, the service process is performed through communication between the host computer device 100 and the service server 300. In this service process, the smart phone 200 is excluded as in FIG. On the other hand, the authentication process is performed by the host computer device 100 requesting authentication of the smartphone 200 through short-range wireless communication. The smart phone 200 returns the result of authentication of the user to the host computer device 100 by short-range wireless communication. The host computer device 100 transmits the authentication result to the authentication server 400 via the Internet to request verification. The authentication server 400 returns the verification result to the host computer device 100. [ Then, the host computer device 100 notifies the service server 300 of the success / failure of the verification.

In this embodiment as well, the service server 300 does not intervene in the authentication process. Therefore, the authentication data is not stored. In addition, the host computer device 100 and the service server 300 do not store authentication data because they merely transmit data. Therefore, in the system of the present invention, a malicious attack using the communication network and equipment of the service process is fundamentally blocked. Information about the user authentication can not be obtained even if the host computer device 100 is hacked or the service server 300 is attacked.

This is the configuration related to the connection between the service process and the authentication process. First, on the user side, a near field communication (NFC) device 110 installed in the host computer device 100 and a NFC device 210 embedded in the smart phone 200 are connected via short-range wireless communication. The server side is different from the embodiment of FIG. 3 in that the connection between the service server 300 and the authentication server 400 is connected via the host computer device 100. It is usually connected via the Internet. 2 in that the smartphone 200 and the authentication server 400 are not directly connected to each other. Of course, the authentication process is initiated on the user side and the authentication process is terminated on the server side.

The smartphone 200 receives authentication event information generated in the service process through short-range wireless communication with the host computer device 100. For example, when an authentication event request between the host computer device 100 and the service server 200 occurs, the computer device 100 communicates with the smartphone 200 by the NFC module and requests authentication of the user. Unlike the embodiment of FIG. 2, the smartphone 200 does not necessarily acquire identifier data that can specify a service process to be authenticated between the service server and the host computer device from the host computer device 100. This is because the role of the smartphone 200 is to perform authentication and transmit the authentication result data to the host computer device 100 only.

Then, the smart phone 200 performs authentication in a completely security-controlled manner. Most preferably, authentication is performed using biometric information of the user. This is because the system of the present invention is configured on the assumption that the user of the host computer device 100 and the user of the smartphone 200 are the same. Therefore, it should be ensured that the user of the smartphone 200 is obviously the person himself. The best solution is to use biometric information. It is not excluded from various authentication methods provided by the smart phone 200. [ For example, in this embodiment, a predetermined method for additional authentication may also be added through the communication of the authentication server 400. [ However, it is preferable to consider that the present embodiment can also cause a situation where communication between the smartphone 200 and the authentication server 400 is impossible.

The encrypted authentication result data in the smartphone 200 is transferred to the host computer device 100. [ The host computer device 100 transmits to the authentication server 400 the identifier data and the encrypted authentication result data that can identify the service process to be authenticated among the service servers 200. [ The authentication server 400 decrypts and verifies the encrypted authentication result data in the host computer smartphone 200. And stores the log data and transfers the verification result data to the host computer device 100. [ For verification, authentication data information such as user information, encryption key information, and hash values related to the user's biometric characteristic must be built in advance in the database of the authentication server 400. [ The host computer device 100 also terminates the authentication procedure by transmitting the authentication verification result to the service server 300. [

If the verification result data corresponds to authentication success, the service server 300 continues the service process through the screen of the host computer device 100 according to a predetermined procedure.

On the other hand, since the service process and the authentication process are separated, as described above, the service server 300 providing the service does not make a security request to the host computer device 100 in connection with communication with the host computer device 100 And a database for authentication may not be constructed in the service server 300. This guarantees that you can provide optimal service without using system tools that make users uncomfortable.

The service server 300 has hardware / software equipment for providing services and can have databases 301 and 303 necessary for service provision. These databases 301 and 303 are not necessarily databases required for user authentication at least. On the other hand, at least one of the databases 401 and 403 built in the authentication server 400 must be a database necessary for user authentication.

Now, the configuration and relationship of the user side device, which is the starting point at which the service process and the authentication process are connected, will be described. Figure 5 shows the heterogeneous devices used by the user.

The host computer device 100 connects to the service server and performs a series of network behaviors such as requesting, using, or purchasing a service. In short, they participate in the service process. The host computer device 100 includes a processor 101 and an NFC device 110. Of course, although not shown, other electronic configurations capable of network communication and functioning as a computer electronic device are of course included.

The host application 150 installed in the host computer device 100 is executed to access the service server. The application 150 may be a web browser in general, but other types of software may be used depending on the computer environment. The processor 101 processes a series of services on the user side through a user screen. In particular, in the present invention, the authentication user interface 155 is displayed on the user screen of the host computer device 100. When the authentication start event is executed in the authentication user interface 155, the processor 101 calls and controls the NFC device 110 to perform short-range wireless communication with the smartphone 200. Preferably, software is provided on the host computer device 110 to assist in driving the NFC device 110 and controlling the processor 101.

Although the authentication user interface 155 is shown in the drawing as being stored in the host computer device 100, this is for illustrative purposes only. The normal authentication user interface 155 is stored in the service server and can be provided only through the device screen of the user in real time communication.

In some preferred embodiments of the present invention, the host application 150 may be a web browser. The user can access the Internet site provided by the service server by executing a web browser. For example, a user may purchase a product through an Internet site of a service server. In that case, the service server must determine whether the purchase request is a true user action and execute the payment procedure accordingly. The user will first execute the authentication event via the authentication user interface 155. [

In another preferred embodiment of the present invention, the host application 150 may be application software installed by the user or embedded in the device. It can be displayed as a widget or icon on the user's device and can be executed when the user selects it as an input means and can access the service server through the communication network.

The host computer device 100 of the present invention is not limited by its kind and specification. The host computer device 100 has a function of accessing the service server through a communication network, that the NFC device 110 is installed, and when the service server requests authentication from the NFC device 110 in communication with the service server, 110 to provide an identifier of the service process by performing short-range wireless communication with the smartphone 200, and a computer apparatus satisfying these three technical requirements suffices.

FIG. 6 illustrates various types of host computer device 100. 6 (a) is a desktop computer 103. Fig. NFC device 110 is installed. 6 (b) is a notebook computer 104. Fig. 6 (c) shows an embodiment in which the NFC device 110 is installed in the TV device 105. Fig. 6 (d) shows a case where the tablet PC 106 functions as a host computer device. For example, the smartphone 200 owned by the user can be used for the authentication operation required for payment while the Internet is shopping on the tablet PC 106. 6 (e) shows a case where the Internet of Things (IOT) device is the host computer device of the present invention. For example, if an electronic device installed in a vehicle, various electronic devices in a home, a public space (e.g., a subway platform, etc.) can communicate with the Internet, and an NFC device 110 is installed, The host computer device 100 may be capable of functioning as a host computer device 100 to which the present invention may be applied.

In some preferred embodiments of the present invention, the NFC device 110 may be embedded in the host computer device 100. In another preferred embodiment of the present invention, the NFC device 110 may be installed externally to the host computer device 100. In such a case, for example, the host computer device 100 can be connected to the USB port of the host computer device 100 and released.

Referring back to FIG. 5, the smartphone 200 of the present invention also has an NFC device 210 in a chip form. Particularly, in the present invention, since the smartphone 200 is the main body of the authentication process, it is necessary to install application software which can clearly certify that the smartphone 200 is the principal. Preferably, the mobile application software 250 is provided with a biometric authentication module 255. In the present invention, the communication between the host computer device 100 and the service server 300 may have no security and authentication configuration. In this case, the security and authentication configuration through the smart phone 200 should be enhanced. The biometric authentication module 255 assures this.

In some preferred embodiments of the present invention, after the smartphone executes the mobile application software 250, the NFC device 110 of the host computer device 100 is connected to the smartphone 200 for short- can do.

In another preferred embodiment of the present invention, when the smartphone initiates an authentication event at the host computer device 100 and thus initiates NFC communication between the disparate devices in proximity to the NFC device 110, Can be automatically executed.

The mobile application software 250 of the present invention may include a configuration tool of a mobile application, a user interface, a database module, and the like. In particular, the mobile application software 250 includes a function for supporting NFC communication and a function for executing a procedure for authentication . In addition, in a preferred embodiment of the present invention, it may include a function of receiving an identifier of a service process from a host computer device through NFC communication, and may also include a function of performing wireless communication with an authentication server.

In addition, since the configuration of an application processor, an input / output device, a memory, a wireless communication modem, a battery, and a power supply device of a smart phone supports the technical features of the present invention and ensures the implementation of the present invention, detailed description thereof is omitted here . Such components may employ conventional techniques, and future improved techniques may be freely applied to the technical idea of the present invention.

As described above, in the preferred embodiment of the present invention, enhanced mobile authentication can be ensured by using biometric information of a bio-object (i.e., human body). In this embodiment, the mobile application software 250 supports biometric authentication using biometric image data. As shown in Fig. 7, the bio-object may be a fingerprint, an iris, or a finger. The biometric image data in the preferred embodiment of the present invention may be the fingerprint image 203 of the biometric object, as shown in Fig. 7 (a). The biometric image data in another preferred embodiment of the present invention may be the iris image 205 of the biometric object, as shown in Fig. 7 (b). Further, the biometric image data in another embodiment of the present invention may be the finger vein image 27 of the finger, as shown in Fig. 7 (c).

Hereinafter, how biometric image data of the bio-object is processed in the mobile authentication in the smartphone 200 will be described as a preferred embodiment.

This is the first biometric authentication method. The authentication server may have a database of the user's biometric information. Preferably, the authentication server does not have the user's biometric image data, but has a hash value corresponding to the biometric image data. It can also hold a reference value that modifies the biometric source data to a specific rule. If the authentication server has the biometric image data or the biometric original data, there are legal problems related to personal information protection and malicious attacks such as hacking.

The authentication server can construct a database of vector sets as hash values related to the user ID and the user biometric characteristic. The smart phone can scan the biometric image data to transmit the feature vector set, and compare it with the vector set of the authentication server to authenticate. Communication between the authentication server and the smartphone can be performed through a dynamic communication encryption key. Hereinafter, the first biometric authentication method will be described.

The biometric information database of the authentication server previously stores a user ID and a biometric feature vector set decrypted by the user. The user ID can be used to specify the user. The feature vector set of the biometric image decrypted using the cryptographic hash function is referred to as a first feature vector set for convenience. This first feature vector set can be used to determine whether biometric authentication is successful or unsuccessful. Thus, in order to attempt authentication using the authentication server, the user must register his ID and his or her hashed biometric feature vector set in the authentication server in advance.

This feature vector can be set in the form of a direct password, for example, by the user himself who hides it. Also, it is a secret that only the user knows is unknown to the authentication server to be secreted. The user scans his or her biometric information with a smartphone, and extracts feature vectors from the biometric image data. These feature vectors are hashed using secret secrets. The hashized feature vector set at this time is expressed as a second feature vector set. And transmit the second set of feature vectors to the authentication server.

The authentication server compares the first feature vector set and the second feature vector set, and determines that authentication is successful when a predetermined number or more of hash values are matched with the feature vector values. This is because biometric information causes a slight error in each measurement.

The smartphone application software can control to delete the second set of feature vectors used once, the biometric image data, and the secret key. By deleting both the biometric image, the hashed second feature vector, and the secret key in the smartphone, it is possible to prevent the biometric information from being stolen by using the smart phone.

The basic framework of the authentication process is to compare the biometric information scanned by the smartphone and the biometric information held by the authentication server with the encrypted feature vectors. In addition to this, it is possible to add mobile payment by using information related to the credit card built in the smart phone, adding a protocol for authentication between the authentication server and the smart phone, or employing various biometric authentication algorithms.

This is the second biometric authentication method. Unlike the first biometric authentication method, a hash value related to biometric information or a user's unique secret information required for mobile authentication or mobile settlement is encrypted using a biometric value as an encryption key without storing the modified reference value of the biometric information in the server, It can be stored on the phone (re-encryption of the password value). When the heterogeneous device moves from the service process to the authentication process through short-range wireless communication between the heterogeneous devices, the user can communicate with the authentication server by decrypting the unique information necessary for the authentication using the biometric information of the user as a key.

Let us explain the second biometric authentication method in more detail. Stores various secret data of the user such as a password and credit card information (expressed as " user-specific information for authentication ") in the data store of the smartphone. However, this means that biometric data such as biometric data such as fingerprint, finger vein, iris, and the like is used as a cryptographic key to be stored in an encrypted state. In short, in this embodiment, the encryption key of the user-specific information for authentication can be generated by the user's biometric data. For example, a fuzzy extraction algorithm may be used. The fuzzy extraction algorithm is based on a symmetric key having the same encryption key and decryption key for each data. For example, the user's secret data d is encrypted using the user's biometric data value k as an encryption key, . When decoding the corresponding data e, e is decoded using the biometric data value k 'obtained by scanning the biometric data of the user who has requested decryption. When k' is similar to k within a predefined approximation range, decoding k ' Key to decode e to d exactly. To measure the success or failure of the decryption, e and h (d) are stored in the smartphone's storage, where h (d) is a value obtained by encrypting the user data source. Therefore, when d is obtained by attempting to decode e by k ', decryption succeeds when the value of h (d') is equal to h (d), and decryption failure is determined when it is not. Therefore, only the value of each user secret data d (e, h (d)) is stored in the user database. Therefore, even if the database is attacked or the smartphone is stolen, the user's biometric information and original secret data are safely protected .

If you use this method, you can encrypt the authentication secret value for authenticating the server to the server as above. Thus, when a smartphone user logs in to the service server or purchases an article by authenticating himself or herself, he or she inputs his or her biometric value to his / her smartphone, decrypts the encrypted identity authentication secret value, Or may perform short-range wireless communication with the host computer device and transmit the authentication information to the authentication server via the host computer device to authenticate. In this case, authentication can be performed without storing the hash value (or template) of the user's biometric information on the authentication server.

As described above, the basic framework of the authentication process of the present embodiment is such that the user extracts the encrypted user-specific information stored in the smart phone using his / her biometric information as a key key, and then authenticates between the authentication server and the smartphone . The biometric image data scanned on the smart phone is deleted after being used as a key key for authentication user information. If a virus is already hidden in your smartphone to steal biometric information, your smartphone may scan your biometrics and delete it from memory before it is used to intercept or steal biometric data There is a possibility. To prevent this, a security program can be installed that restricts programs that scan the user's biometric information from being controlled by other programs, including viruses, in the smartphone.

This is the third biometric authentication method. Information such as the user's biometric data and credit card information and the server authentication value (the value at which the server authenticates the user) are transmitted to the server via a module secure from software and / or hardware attacks, such as a crypto-processor or a hardware security module It is stored in a special hardware security module. In this case, the user's smartphone assumes that the module is mounted. In the smart phone, only one or a plurality of specific programs whose security has been verified can communicate with the module.

When the third biometric authentication method is used, the user scans his or her biometric information with a program that scans the biometric information provided in the smartphone. This program transmits the biometric information of the user to the program communicable with the security module or directly transmits the biometric information of the user to the security module when the program itself is the program. The security module determines the similarity between the scanned biometric information of the user and the stored biometric information, and then determines authentication success and failure. Alternatively, if the program communicating with the security module is a secure trusted program, the program requests the biometric information stored in the security module to be transmitted, and the program can compare the biometric information with the scanned biometric information. When the two pieces of biometric information match, the program receives the secret information of the user stored in the security module from the program, the program transmits the information directly to the authentication server, or the smart phone Lt; / RTI > The secret information of the user of the programs is then deleted in the smartphone. However, the user biometric data and secret information stored in the security module are not deleted.

Both the first biometric authentication method and the second biometric authentication method do not store the biometric information by the device. Therefore, even if you lose your smartphone or have a malicious hacking attack, you can rest assured. Even in the case of the third biometric authentication method, a special hardware security module is used, so that it can be relieved from an external attack.

8 to 11 illustrate various types and scenarios of the contents using the authentication method of the present invention. First, FIG. 8 shows an example of a procedural configuration of a scenario relating to authentication of authentication between an authentication event between the host computer device 100 and the service server 300 to execute a predetermined subsequent process or to log in to a service server.

First, the host computer device 100 accesses the service server 300 (S10). For example, the user can access the Internet site of the service server 300 through a web browser.

In this embodiment, the host computer device 100 may request the service server 300 to log in by authenticating itself (S20). Through the user screen of the host computer device, the user inputs the normal ID and password and logs in. It may log in using the certificate stored in the memory of the computer device 100. [ From time to time, national governments or financial settlements may request enhanced logins. In such a case, ID and password alone may be unstable, and certificates stored in memory are very vulnerable to hacking. In that case, the advantages of the present invention shine.

Preferably, there will be a < mobile authentication > button on the user screen, and an authentication event is generated by selecting it. Then, the NFC device installed in the host computer device 100 enters the standby state for the short-range wireless communication, and the short-range wireless communication is performed by approaching the smart phone with the built-in NFC chip (S30). Through this step, the service process executes as an authentication process.

The authentication process is executed between the smartphone 200 and the authentication server 400 that received the event information requesting the mobile authentication (S40). The authentication process can be executed using the biometric authentication as described above. According to the first biometric authentication method, the smart phone receives the authentication event information of the service process in the NFC, and then scans the user's biometric object to obtain the biometric image data. Then, the biometric image data is decrypted and tries to connect to the authentication server. All the data packets encrypted and transmitted between the authentication server 400 and the smartphone 200 can use the PKI (Public Key Infrastructure) of the SSL / TLS / DTLS protocol. The authentication server 400 performs biometric authentication using a hash value (or a modulated reference value of biometric information, hereinafter) of the biometric information received from the smart phone, and transmits the biometric authentication result to the service server 300 ). Meanwhile, the user's biometric information and hash value are deleted from the memory of the smart phone.

3 and 4, the above-described authentication process is not a direct communication between the smartphone 200 and the authentication server 400 but is performed by the communication via the host device computer 100 A process may be performed. This statement applies equally to the following embodiments. For convenience of description, the embodiments of Figs. 8 to 11 basically apply the three biometric authentication methods using the authentication process concept of Fig. 2, respectively.

This is true if the second biometric authentication method is used. The smart phone receives the authentication event information of the service process by the NFC, and then scans the user's bio-object to obtain the biometric image data. And decrypts the encrypted server authentication value stored in the device using the biometric image data. And connects to the server using the decrypted data. The authentication server 400 receives the server authentication value and authentication event information decrypted from the smartphone. The authentication server 400 authenticates with the server authentication value and informs the service server 300 of the biometric authentication result using the authentication event information. On the other hand, the biometric information / decryption key / decrypted server authentication value of the user is deleted from the memory of the smart phone.

This is the case if the third biometric authentication method is used. The smart phone receives the authentication event information of the service process by the NFC, and then scans the user's bio-object to obtain the biometric image data. Then, the server authentication value stored in the security module in the device is read using the biometric image data. Connect to the server using this data. The authentication server 400 receives the server authentication value and authentication event information decrypted from the smartphone. The authentication server 400 authenticates with the server authentication value and informs the service server 300 of the biometric authentication result using the authentication event information. Meanwhile, the biometric information / server authentication value of the user is deleted from the memory of the smart phone.

Mobile authentication including verification of server is performed by various procedures like this. The authentication server 400 transmits the verification result data to the service server 300. That is, if the verification is successful, the authentication server 400 notifies the service server 300 that the authentication event requested by the service process is successful (S50). The service server 300 continues the service process on the screen of the host computer device 100 according to a predetermined procedure. For example, the service server 300 directly informs the user of the success of the authentication through the user screen of the host computer device 100 or performs the following procedure (S60). This results in a successful login. Then, the host computer device 100 uses the service provided by the service server 200. [

The scenario of FIG. 9 relates to a scenario in which the host computer device 100 connects to the service server 200 to perform a series of actions, and then approves and validates the actions. Can be carried out together with the scenario of Fig. In the case of handling important business, for example, when using the service of a financial institution or an administrative institution, the user is required to authenticate himself or herself when logging in, and even when accepting a certain application legitimately. For example, the scenario shown in FIG. 8 is performed when the user logs in to the bank, and the scenario shown in FIG. 9 can be performed when the user requests the account transfer from the bank site.

First, a series of services is performed through communication between the host computer device 100 and the service server 300 (S100). For example, assume that a user accesses an Internet site of the service server 300 through a web browser of his / her computer device and performs an <application> task while using the service provided by the service server 300.

An approval procedure to approve the work is required (S110). Preferably, there will be a < Mobile Authentication > button on the user screen, and an authentication event can be generated by selecting it. Then, the NFC device installed in the host computer device 100 enters a standby state for short-range wireless communication, and a short-range wireless communication is performed by accessing a smart phone having an embedded NFC chip (S120). Through this step, the service process executes as an authentication process.

The authentication process is executed between the smartphone 200 and the authentication server 400 that received the event information requesting the mobile authentication (S130). The authentication process can be executed using the biometric authentication as described above. According to the first biometric authentication method, the smart phone receives the authentication event information of the service process in the NFC, and then scans the user's biometric object to obtain the biometric image data. Then, the biometric image data is decrypted and tries to connect to the authentication server. The smartphone 200 can authenticate the PKI-based server certificate in order to authenticate the authentication server 400. [ The authentication server 400 performs biometric authentication using the hash value of the biometric information received from the smart phone, and informs the service server 300 of the biometric authentication result using the authentication event information. Meanwhile, the user's biometric information and hash value are deleted from the memory of the smart phone.

This is true if the second biometric authentication method is used. The smart phone receives the authentication event information of the service process by the NFC, and then scans the user's bio-object to obtain the biometric image data. And decrypts the encrypted server authentication value stored in the device using the biometric image data. And connects to the server using the decrypted data. The authentication server 400 receives the server authentication value and authentication event information decrypted from the smartphone. The authentication server 400 authenticates with the server authentication value and informs the service server 300 of the biometric authentication result using the authentication event information. On the other hand, the biometric information / decryption key / decrypted server authentication value of the user is deleted from the memory of the smart phone.

This is the case if the third biometric authentication method is used. The smart phone receives the authentication event information of the service process by the NFC, and then scans the user's bio-object to obtain the biometric image data. Then, the server authentication value stored in the security module in the device is read using the biometric image data. Connect to the server using this data. The authentication server 400 receives the server authentication value and authentication event information decrypted from the smartphone. The authentication server 400 authenticates with the server authentication value and informs the service server 300 of the biometric authentication result using the authentication event information. Meanwhile, the biometric information / server authentication value of the user is deleted from the memory of the smart phone.

Mobile authentication including verification of server is performed by various procedures like this. The authentication server 400 transmits the verification result data to the service server 300. That is, if the verification is successful, the authentication server 400 notifies the service server 300 that the authentication event requested by the service process is successful (S140). Then, the service server 300 continues the service process on the screen of the host computer device 100 according to a predetermined procedure. For example, the service server 300 directly informs the user of the success or failure of the authentication through the user screen of the host computer device 100 (S150). Thus, the <request> task requested by the user to the service server 300 has been approved. For example, the bank accepts applications for wire transfer. The administrative agency issues the proof of family relationship.

FIG. 10 is an application example of FIG. When a user purchases a commodity (meaning 'commodity' in the Internet shopping mall includes the object of a sales act that is performed in various online including services, it should be interpreted as the best), the mobile payment is made using the method of the present invention . That is, it is an example of a scenario of the present invention for online settlement. Unlike the scenario of Fig. 9, there are few cases where it is implemented together with Fig.

First, a series of shopping services are performed through communication between the host computer device 100 and the service server 300 (S200). The shopping service provided by the service server 300 may be an Internet shopping mall connected by executing a web browser of the host computer device 100. [ Also, the shopping service may be an online shopping mall connected through a dedicated application installed in the device 100. The user will select the merchandise he / she intends to purchase and then make a payment.

The payment user screen provided by the service server 300 preferably has a < mobile payment > button, and a payment event may occur by the user selecting it. Then, the NFC device installed in the host computer device 100 is activated, and a smart phone having an NFC chip is accessed to perform near field wireless communication (S220). Through this step, the shopping service process executes as a mobile payment process.

The mobile payment process is executed between the smartphone 200 and the authentication server 400 that received the event information requesting the mobile authentication (S230). The authentication process can be executed using the biometric authentication as described above. According to the first biometric authentication method, the smart phone receives the authentication event information of the service process in the NFC, and then scans the user's biometric object to obtain the biometric image data. Then, the biometric image data is decrypted and tries to connect to the authentication server. The smartphone 200 can authenticate the PKI-based server certificate to authenticate the authentication server 400. [ The authentication server 400 performs biometric authentication using the hash value of the biometric information received from the smart phone. Credit card information for payment is stored in the smartphone 100 and / or the authentication server 400. The biometrics authentication is successful and the payment can be made using the credit card information registered in advance. In another embodiment, the biometrics authentication is successful and real-time account transfer is possible. Of course, the mobile application software installed in the user device must have a corresponding payment module. In addition, the authentication server 400 informs the service server 300 of the payment result using the authentication event information. Meanwhile, the user's biometric information and hash value are deleted from the memory of the smart phone.

This is true if the second biometric authentication method is used. The smart phone receives the authentication event information of the service process by the NFC, and then scans the user's bio-object to obtain the biometric image data. And decrypts the encrypted server authentication value stored in the device using the biometric image data. And connects to the server using the decrypted data. The authentication server 400 receives the server authentication value and authentication event information from the smartphone. The authentication server 400 authenticates with the server authentication value. Like the first biometric authentication method, the smartphone 100 and / or the authentication server 400 stores the payment credit card information. The biometrics authentication is successful and the payment can be made using the credit card information registered in advance. In another embodiment, the biometrics authentication is successful and real-time account transfer is possible. Of course, the mobile application software installed in the user device must have a corresponding payment module. The authentication server 400 informs the service server 300 of the payment result using the authentication event information received from the smartphone. On the other hand, the biometric information / decryption key / decrypted server authentication value of the user is deleted from the memory of the smart phone.

This is the case if the third biometric authentication method is used. The smart phone receives the authentication event information of the service process by the NFC, and then scans the user's bio-object to obtain the biometric image data. Then, the server authentication value stored in the security module in the device is read using the biometric image data. Connect to the server using this data. The authentication server 400 receives the server authentication value and authentication event information from the smartphone. The authentication server 400 authenticates with the server authentication value. Like the first biometric authentication method, the smartphone 100 and / or the authentication server 400 stores the payment credit card information. The biometrics authentication is successful and the payment can be made using the credit card information registered in advance. In another embodiment, the biometrics authentication is successful and real-time account transfer is possible. Of course, the mobile application software installed in the user device must have a corresponding payment module. The authentication server 400 informs the service server 300 of the payment result using the authentication event information received from the smartphone. Meanwhile, the biometric information / server authentication value of the user is deleted from the memory of the smart phone.

If the mobile payment is successful in this procedure, the authentication server 400 notifies the service server 300 that the payment procedure is successful (S240). Then, the service server 300 notifies the user of the success of settlement through the user screen of the host computer device 100 (S250). The user's purchase of the product is completed.

If the mobile payment method of the present invention is used, payment by the computer can be ended simply by clicking the < mobile payment > button. It is also possible to perform a simple settlement in a state in which perfect security is ensured. There is no need to input a card number in a conventional method, that is, to enter a card number on a computer screen, to make a payment by calling a certificate having weak security, or to use an OTP device. Users only need to biometrics on their favorite smartphone. The rest of the communication is done only by a predetermined procedure.

All FinTech technologies require infrastructure changes. This is the biggest barrier to implementing the new PinTech technology. FIG. 11 shows a scenario in which the existing infrastructure is used as it is but the characteristics of the present invention can be exhibited.

Online shopping (S300, S310) performed through communication between the host computer device 100 and the service server 300 can use the conventional payment method. The certificate program stored in the device 100 may be used or the credit card information held by the server 300 may be used or the user may input the credit card number. Once you have performed the payment procedure in step S310, it is finally necessary to add the identity of the user who is indeed the true user's payment. This conventional authentication method is a method in which a user inputs a mobile phone number, transmits an authentication code to the mobile phone number, and allows the user to input the authentication code again. The embodiment of Figure 11 improves this identity.

The payment user screen provided by the service server 300 preferably has a &quot; mobile authentication &quot; button, and the user can select it. Then, the NFC device installed in the host computer device 100 is activated and a short-range wireless communication is performed by accessing a smart phone having an embedded NFC chip (S320).

The smartphone 200 receiving the authentication event information transmits the smartphone information through NFC communication (S330). This smart phone information refers to device information that can identify a user. For example, the telephone number of the subscriber. In other embodiments, it may be a telephone number and a name. In another embodiment, it may be a telephone number, a name, and a biometric result.

The host computer device 100 can receive the smartphone information by NFC communication and transmit it to the service server 200 (S340). At this time, the host computer device 100 can not read the user information because the user information to be transmitted is encrypted by the encryption key shared between the smart phone and the service server 200. The service server 200 can compare the user information registered in advance with the smartphone information, and if the user authentication is successful, the service server 200 can approve the payment in step S310 (S350).

The service server 200 may request the notification server 500 to transmit a message to the smartphone through the communication network at step S360 and the notification server 500 may transmit a notification message indicating that the payment has been approved to the smart phone at step S370, . In another preferred embodiment, the step S350 may be performed after the step S370.

For reference, the mobile authentication method according to various preferred embodiments of the present invention may be implemented in the form of a program command that can be executed through various computer means and recorded in a computer-readable medium. The computer-readable medium may include program instructions, data files, data structures, and the like, alone or in combination. The program instructions recorded on the medium may be those specially designed and constructed for the present invention or may be available to those skilled in the art of computer software. Examples of computer-readable media include magnetic media such as hard disks, floppy disks and magnetic tape, optical recording media such as CD-ROMs, DVDs, magneto-optical media such as floptical disks, A hard disk drive, a flash memory, and the like. Examples of program instructions include high-level language code that can be executed by a computer using an interpreter, as well as machine accords such as those produced by a compiler. A hardware device may be configured to operate as one or more software modules to perform the operations of the present invention, and vice versa.

The authentication event using the technical idea of the present invention may have various modifications. There is a personal authentication for executing a predetermined subsequent process. This also includes identity verification for logging in to the service server. In addition, there is a personal authentication for approving a process that has already been done. Such is the service provided by financial institutions and administrative agencies. There is also a self-certification to approve payment. The outstanding advantages of the present invention are, for example, such. I shopped on the desktop, but the payment method does not use the desktop, it can just be done by pressing a button on the screen. This is because the service (e.g., shopping) process and the authentication (including billing) process are completely separate. There is a much less systematic effort to 'prevent' malicious attacks.

In addition, the above embodiments of the present invention have proposed a method using an NFC module embedded in a heterogeneous device. However, it goes without saying that other types of devices and communication technologies can be employed as long as the module supports short-range wireless communication.

In implementing the method of the present invention, it is most likely if a user is a member of both a service server and an authentication server. Because the user's unique identifier is available, the authentication process is easy to identify the service process (and vice versa). However, if the authentication session generated on the user screen of the service server can be specified through the NFC communication between the same user's computer and the smartphone, the user does not always have to be subscribed to the service server.

In the specification of the present invention, the service server 300 and the authentication server 400 are written as if they are different businesses. However, business entities can be transformed in various ways. The business entity of the service server 300 and the business entity of the authentication server 400 may be the same and the technical idea of the present invention is not limited thereby. This is because the service server 300 and the authentication server 400 are distinguished from each other either physically or conceptually, even if the providers are the same.

The scope of protection of the present invention is not limited to the description and the expression of the embodiments explicitly described in the foregoing. It is again to be understood that the present invention is not limited by the modifications or substitutions that are obvious to those skilled in the art.

Claims (7)

(a) generating an authentication event requesting execution of an authentication process in a service process provided by a service server to a host computer device;
(b) transmitting the authentication event information of the service process to the smartphone through short-range wireless communication through the short-range wireless communication device in which the host computer device is installed to execute the authentication process;
(c) performing a security authentication of a predetermined procedure by the smartphone receiving the authentication event information and transmitting the result to the host computer device through short-range wireless communication; And
(d) verifying the security authentication result of the smartphone received by the authentication server via the host computer device, and ending the authentication process. The method according to claim 1,
Wherein step (d) comprises:
(1) the host computer device transmitting the security authentication result of the smartphone to the service server;
(2) transmitting the security authentication result of the smartphone to the authentication server by the service server;
(3) the authentication server verifies the security authentication result of the smartphone and transmits the verification result data to the service server; And
(4) If the verification result data corresponds to authentication success, the service server continues the service process according to a predetermined procedure, and the mobile authentication method using the near field wireless communication between the dissimilar devices. The method according to claim 1,
Wherein step (d) comprises:
(1) the host computer device directly transmitting the security authentication result of the smartphone to the authentication server;
(2) the authentication server verifies the security authentication result of the smartphone and transmits verification result data to the host computer device;
(3) the host computer device transmitting the verification result data to the service server;
(4) If the verification result data corresponds to authentication success, the service server continues the service process according to a predetermined procedure, and the mobile authentication method using the near field wireless communication between the dissimilar devices. The method according to claim 1,
Wherein the authentication event is an event for requesting a mobile authentication regarding at least one of authentication of a user to perform a predetermined subsequent process, a user authentication for approving a process already performed, and a user authentication for approving a payment, A method for mobile authentication using short range wireless communication between mobile devices. The method according to claim 1,
Wherein the step (c) further comprises biometric authentication using the biometric image data of the body object by the smartphone. 6. The method of claim 5,
Wherein the bio-object used in the biometric authentication is any one of a fingerprint, a finger vein, and an iris entity. The method according to claim 1,
Wherein the short-range wireless communication device is an NFC device, using a short-range wireless communication between different types of devices.
KR1020150156368A 2015-08-19 2015-11-09 Mobile authentication method using near field communication technology KR101835718B1 (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
KR1020150156368A KR101835718B1 (en) 2015-11-09 2015-11-09 Mobile authentication method using near field communication technology
US15/006,280 US20170055146A1 (en) 2015-08-19 2016-01-26 User authentication and/or online payment using near wireless communication with a host computer

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
KR1020150156368A KR101835718B1 (en) 2015-11-09 2015-11-09 Mobile authentication method using near field communication technology

Publications (2)

Publication Number Publication Date
KR20170053893A true KR20170053893A (en) 2017-05-17
KR101835718B1 KR101835718B1 (en) 2018-03-07

Family

ID=59048854

Family Applications (1)

Application Number Title Priority Date Filing Date
KR1020150156368A KR101835718B1 (en) 2015-08-19 2015-11-09 Mobile authentication method using near field communication technology

Country Status (1)

Country Link
KR (1) KR101835718B1 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10727285B2 (en) 2017-07-04 2020-07-28 Samsung Electronics Co., Ltd. Near-infrared light organic sensors, embedded organic light emitting diode panels, and display devices including the same

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR102585875B1 (en) 2018-11-16 2023-10-11 삼성전자주식회사 Image display device and operating method for the same

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10727285B2 (en) 2017-07-04 2020-07-28 Samsung Electronics Co., Ltd. Near-infrared light organic sensors, embedded organic light emitting diode panels, and display devices including the same
US11469277B2 (en) 2017-07-04 2022-10-11 Samsung Electronics Co., Ltd. Near-infrared light organic sensors, embedded organic light emitting diode panels, and display devices including the same

Also Published As

Publication number Publication date
KR101835718B1 (en) 2018-03-07

Similar Documents

Publication Publication Date Title
US11663578B2 (en) Login using QR code
CN106575326B (en) System and method for implementing one-time passwords using asymmetric encryption
JP6701364B2 (en) System and method for service-assisted mobile pairing for passwordless computer login
US10057763B2 (en) Soft token system
EP3138265B1 (en) Enhanced security for registration of authentication devices
US20220122088A1 (en) Unified login biometric authentication support
CN113474774A (en) System and method for approving a new validator
US20170055146A1 (en) User authentication and/or online payment using near wireless communication with a host computer
CN106575281B (en) System and method for implementing hosted authentication services
US20160189136A1 (en) Authentication of mobile device for secure transaction
US20130185210A1 (en) Method and System for Making Digital Payments
EP3662430B1 (en) System and method for authenticating a transaction
WO2019226115A1 (en) Method and apparatus for user authentication
KR20220167366A (en) Cross authentication method and system between online service server and client
KR101659847B1 (en) Method for two channel authentication using smart phone
KR101835718B1 (en) Mobile authentication method using near field communication technology
KR101875257B1 (en) Mobile authentication and/or moile payment method using near wireless communication with host computer
Kreshan THREE-FACTOR AUTHENTICATION USING SMART PHONE
GB2607282A (en) Custody service for authorising transactions

Legal Events

Date Code Title Description
A201 Request for examination
E701 Decision to grant or registration of patent right