Summary of the invention
For this reason, the invention provides a login authentication method, apparatus and system based on face recognition, which seek to solve, or at least alleviate, at least one of the problems described above.
According to one aspect of the invention, a login authentication method based on face recognition is provided. The method is performed in a first server, which can be connected over a network to a mobile terminal, a second server, a third server and an application server, and comprises the steps of: receiving a login request, sent by the application server, in which a user requests to log in to a third-party application, and generating an event identifier, wherein the login request comprises authentication information having an application identifier, a user identifier and an authentication type, and the authentication type is face recognition; sending the authentication information to the second server, which returns the user mobile phone number corresponding to the user identifier; sending a push task to the third server, so that the third server pushes a message instructing display of an authorization interface to the mobile terminal corresponding to the user mobile phone number; sending the event identifier to the application server, and sending an authentication request comprising the authentication information to the mobile terminal; receiving a facial image of the user, sent by the mobile terminal and captured on the authorization interface; and sending authentication information comprising the facial image to the second server, which returns the user identifier and the authentication type, and associating the user identifier, the event identifier and the authentication type, so that the application server can query, according to the event identifier, the authentication result corresponding to the user identifier.
Optionally, in the login authentication method based on face recognition according to the invention, the authentication information further comprises signature information, which is obtained by applying an encryption algorithm to the transmission data comprising the application identifier, the user identifier and the authentication type.
Optionally, in the login authentication method based on face recognition according to the invention, the step of sending the authentication information to the second server, which returns the user mobile phone number corresponding to the user identifier and the authentication type, comprises: sending the authentication information to the second server so that the second server verifies whether the signature information is correct; and, if verification passes, receiving a first verification message sent by the second server, wherein the first verification message comprises the user mobile phone number.
Optionally, the login authentication method based on face recognition according to the invention further comprises the step of: associating the user mobile phone number with the event identifier, so as to determine the request type of the current user according to the event identifier associated with the user mobile phone number.
Optionally, in the login authentication method based on face recognition according to the invention, the push task includes the request type.
Optionally, in the login authentication method based on face recognition according to the invention, the step of sending authentication information comprising the facial image to the second server, which returns the user identifier, comprises: sending the authentication information comprising the facial image to the second server so that the second server verifies whether the facial image is correct; and, if verification passes, receiving a second verification message sent by the second server, wherein the second verification message comprises the user identifier and the authentication type.
Optionally, in the login authentication method based on face recognition according to the invention, before the step of sending the push task to the third server, the method further comprises the step of: performing push verification with the third server and, if verification fails, sending a verification failure message to the application server.
According to a further aspect of the invention, a login authentication device based on face recognition is provided. The device resides in a first server, which can be connected over a network to a mobile terminal, a second server, a third server and an application server. The device comprises: a connection management unit, adapted to receive a login request, sent by the application server, in which a user requests to log in to a third-party application, and a facial image of the user, sent by the mobile terminal and captured on the authorization interface; further adapted to send authentication information to the second server and receive the user mobile phone number returned by the second server; to send authentication information comprising the facial image to the second server and receive the user identifier and authentication type returned by the second server; to send an event identifier to the application server; to send an authentication request to the mobile terminal; and to send a push task to the third server, so that the third server pushes a message instructing display of the authorization interface to the mobile terminal corresponding to the user mobile phone number, wherein the login request and the authentication request both comprise authentication information having an application identifier, a user identifier and an authentication type, the authentication type is face recognition, and the user mobile phone number corresponds to the user identifier; an information generation unit, adapted to generate the event identifier after the login request is received; and an information association unit, adapted to associate the user identifier, the event identifier and the authentication type, so that the application server can query, according to the event identifier, the authentication result corresponding to the user identifier.
Optionally, in the login authentication device based on face recognition according to the invention, the authentication information further comprises signature information, which is obtained by applying an encryption algorithm to the transmission data comprising the application identifier, the user identifier and the authentication type.
Optionally, in the login authentication device based on face recognition according to the invention, the connection management unit is further adapted to send the authentication information to the second server, which verifies whether the signature information is correct, and, if verification passes, to receive the first verification message, which comprises the user mobile phone number corresponding to the user identifier.
Optionally, in the login authentication device based on face recognition according to the invention, the information association unit is further adapted to associate the user mobile phone number with the event identifier, so as to determine the request type of the current user according to the event identifier associated with the user mobile phone number.
Optionally, in the login authentication device based on face recognition according to the invention, the push task includes the request type.
Optionally, in the login authentication device based on face recognition according to the invention, the connection management unit is further adapted to send authentication information comprising the facial image to the second server, which verifies whether the facial image is correct, and, if verification passes, to receive the second verification message, which comprises the user identifier and the authentication type.
Optionally, the login authentication device based on face recognition according to the invention further comprises: a push verification unit, adapted to perform push verification with the third server before the push task is sent to the third server and, if verification fails, to send a verification failure message to the application server.
According to a further aspect of the invention, another login authentication method based on face recognition is provided. The method is performed in a second server, which can be connected over a network to a mobile terminal, a first server, a third server and an application server, and comprises the steps of: receiving a first verification request sent by the first server, wherein the first verification request comprises authentication information having an application identifier, a user identifier and an authentication type, the authentication information is obtained by the first server from a login request, sent by the application server, in which a user requests to log in to a third-party application, and the first server also generates an event identifier associated with the login request; verifying whether the authentication information is correct and, if verification passes, returning the user mobile phone number corresponding to the user identifier to the first server, so that the first server sends the event identifier to the application server and sends a push task to the third server, and the third server pushes a message instructing display of an authorization interface to the mobile terminal corresponding to the user mobile phone number; receiving a second verification request sent by the first server, wherein the second verification request further comprises a facial image, and the first server sends the second verification request after it has sent an authentication request comprising the authentication information to the mobile terminal and received the facial image of the user, sent by the mobile terminal and captured on the authorization interface; and verifying whether the facial image is correct and, if verification passes, returning the user identifier and the authentication type to the first server, which associates the user identifier, the event identifier and the authentication type, so that the application server can query, according to the event identifier, the authentication result corresponding to the user identifier.
Optionally, in the login authentication method based on face recognition according to the invention, the authentication information further comprises signature information, which is obtained by applying an encryption algorithm to the transmission data comprising the application identifier, the user identifier and the authentication type.
Optionally, in the login authentication method based on face recognition according to the invention, the step of verifying whether the authentication information is correct after the first verification request is received comprises: verifying, by means of the encryption algorithm, whether the signature information is correct.
Optionally, in the login authentication method based on face recognition according to the invention, the step of verifying whether the facial image is correct after the second verification request is received comprises: extracting feature information from the facial image and matching it against the preset facial image feature template of the user; if the similarity is greater than a threshold, the verification is deemed correct.
According to a further aspect of the invention, another login authentication device based on face recognition is provided. The device resides in a second server, which can be connected over a network to a mobile terminal, a first server, a third server and an application server. The device comprises: a connection management unit, adapted to receive a first verification request sent by the first server, wherein the first verification request comprises authentication information having an application identifier, a user identifier and an authentication type, the authentication information is obtained by the first server from a login request, sent by the application server, in which a user requests to log in to a third-party application, and the first server is also adapted to generate an event identifier associated with the login request; to return the user mobile phone number to the first server when verification passes, so that the first server sends the event identifier to the application server and sends a push task to the third server, and the third server pushes a message instructing display of an authorization interface to the mobile terminal corresponding to the user mobile phone number; further adapted to receive a second verification request sent by the first server, wherein the second verification request comprises a facial image, and the first server sends the second verification request after it has sent an authentication request comprising the authentication information to the mobile terminal and received the facial image of the user, sent by the mobile terminal and captured on the authorization interface; and to return the user identifier and the authentication type to the first server when verification passes, the first server associating the user identifier, the event identifier and the authentication type, so that the application server can query, according to the event identifier, the authentication result corresponding to the user identifier; and an information verification unit, adapted to verify whether the authentication information and the facial image are correct.
Optionally, in the login authentication device based on face recognition according to the invention, the authentication information further comprises signature information, which is obtained by applying an encryption algorithm to the transmission data comprising the application identifier, the user identifier and the authentication type.
Optionally, in the login authentication device based on face recognition according to the invention, the information verification unit is further adapted to verify, by means of the encryption algorithm, whether the signature information is correct.
Optionally, in the login authentication device based on face recognition according to the invention, the information verification unit is further adapted to extract feature information from the facial image and match it against the preset facial image feature template of the user; if the similarity is judged to be greater than a threshold, the verification is deemed correct.
According to another aspect of the invention, a login authentication system based on face recognition is provided. The system comprises: a first server having the login authentication device based on face recognition described above; a second server having the login authentication device based on face recognition described above; a third server, adapted to push the push messages of the first server to the mobile terminal; an application server connected to the third-party application; and a mobile terminal, adapted to parse the push message pushed by the third server, obtain the authentication request from the first server, and send the facial image of the user captured on the authorization interface to the first server.
The login authentication scheme based on face recognition according to the invention safeguards the security of the user account through secondary authentication; in particular, when the user needs to perform a sensitive operation such as a payment transaction, face recognition is used to authenticate the login. Furthermore, the first server and the application server communicate by means of the user identifier, so the first server cannot obtain the user's account information in the third-party application, which further protects the security of the user's account.
Embodiment
Exemplary embodiments of the present disclosure are described in more detail below with reference to the accompanying drawings. Although the drawings show exemplary embodiments of the disclosure, it should be understood that the disclosure can be implemented in various forms and should not be limited by the embodiments set forth here. Rather, these embodiments are provided so that the disclosure can be understood more thoroughly and its scope can be conveyed completely to those skilled in the art.
Fig. 1 is a structural diagram of a mobile terminal 100 according to an embodiment of the invention. Referring to Fig. 1, the mobile terminal 100 comprises: a memory interface 102, one or more data processors, image processors and/or central processing units 104, and a peripheral interface 106. The memory interface 102, the one or more processors 104 and/or the peripheral interface 106 can be discrete components or can be integrated in one or more integrated circuits. In the mobile terminal 100, the various components can be coupled by one or more communication buses or signal lines. Sensors, devices and subsystems can be coupled to the peripheral interface 106 to help implement a variety of functions. For example, a motion sensor 110, a light sensor 112 and a distance sensor 114 can be coupled to the peripheral interface 106 to facilitate functions such as orientation, illumination and ranging. Other sensors 116 can likewise be connected to the peripheral interface 106, such as a positioning system (for example GPS), a temperature sensor, a biometric sensor or other sensing devices, to help implement related functions.
A camera subsystem 120 and an optical sensor 122 can be used to facilitate camera functions such as recording photographs and video clips, where the optical sensor can be, for example, a charge-coupled device (CCD) or a complementary metal-oxide-semiconductor (CMOS) optical sensor. Communication functions can be implemented with the help of one or more wireless communication subsystems 124, which can include radio-frequency receivers and transmitters and/or optical (for example infrared) receivers and transmitters. The particular design and implementation of the wireless communication subsystem 124 can depend on the one or more communication networks that the mobile terminal 100 supports. For example, the mobile terminal 100 can include a communication subsystem 124 designed to support GSM networks, GPRS networks, EDGE networks, Wi-Fi or WiMax networks and Bluetooth™ networks. An audio subsystem 126 can be coupled to a loudspeaker 128 and a microphone 130 to help implement voice-enabled functions such as speech recognition, speech reproduction, digital recording and telephony.
An I/O subsystem 140 can comprise a touch screen controller 142 and/or one or more other input controllers 144. The touch screen controller 142 can be coupled to a touch screen 146. For example, the touch screen 146 and the touch screen controller 142 can detect contact with the screen, and movement or pauses of that contact, using any of a variety of touch-sensing technologies, including but not limited to capacitive, resistive, infrared and surface acoustic wave technologies. The one or more other input controllers 144 can be coupled to other input/control devices 148, such as one or more buttons, rocker switches, thumb wheels, infrared ports, USB ports and/or pointing devices such as a stylus. The one or more buttons (not shown) can include up/down buttons for controlling the volume of the loudspeaker 128 and/or the microphone 130.
The memory interface 102 can be coupled to a memory 150. The memory 150 can include high-speed random access memory and/or non-volatile memory, such as one or more magnetic disk storage devices, one or more optical storage devices, and/or flash memory (for example NAND, NOR). The memory 150 can store an operating system 152, such as Android, iOS or Windows Phone. The operating system 152 can include instructions for handling basic system services and for performing hardware-dependent tasks. The memory 150 can also store applications 154. When run, these applications are loaded from the memory 150 onto the processor 104 and run on top of the operating system executed by the processor 104, using the interfaces provided by the operating system and the underlying hardware to implement the functions users expect, such as instant messaging, web browsing and picture management. An application can be provided independently of the operating system or can be bundled with it.
According to one embodiment of the invention, a mobile terminal 100 with a login authentication function based on face recognition is provided. The function can be implemented by installing a client application that has the login authentication function based on face recognition; this client application is stored among the applications 154.
Fig. 2 shows a login authentication system 200 based on face recognition according to an embodiment of the invention. The system 200 comprises the mobile terminal 100, a first server 210, a second server 220, a third server 230 and an application server 240. The servers can be, for example, remote cloud servers physically located at one or more sites, and the above devices are interconnected by a network. According to one embodiment of the invention, the above devices can be bound by scanning a QR code. The third server 230 has an APN push module, which, for example, covers push for iOS, Android and Windows Phone. The application server 240, as a third-party server, is connected to the third-party application.
The workflow of the login authentication system 200 based on face recognition is described in detail below. The user enters an account name and password in the third-party application and confirms, as shown in Figure 7A. In response to the user's login request, the third-party application generates a login request message and sends it to the first server 210 through the application server 240. According to an embodiment of the invention, the login request message comprises: an application identifier, a user identifier, an authentication type and signature information. According to one embodiment of the invention, the application identifier, user identifier and authentication type are collectively referred to as the authentication information. The application identifier uniquely identifies the application. The authentication type determines the type of this login authentication; according to some embodiments, the authentication type can include face recognition, gesture recognition, voiceprint recognition, one-key login and similar modes, or, at a finer granularity, biometric modes such as iris recognition and fingerprint recognition. In the embodiments of the invention, the authentication type is face recognition. The signature information is obtained by applying an encryption algorithm to the transmission data, including the application identifier, user identifier and authentication type of the authentication information. To secure the interactions within the system, all transmitted data must carry, in the request, signature information computed by a specific algorithm. According to one embodiment of the invention, the signature information is generated as follows: the interface parameters other than the signature information are sorted lexicographically by parameter name and then concatenated into a string of the following form:
$parameter_name_1=$parameter_value_1$parameter_name_2=$parameter_value_2...$parameter_name_n=$parameter_value_n$app_key
Here, app_key is used to sign each request, to ensure the security of the data. The concatenated string is then hashed with MD5.
For example, suppose that in one interaction the transmitted data are:
$app_id='Fqlw4Z2KCqHzvw3YN0eUpM9KgTQ47iWf'; // application identifier
$app_key='qms7LwYXgw3FbnVdwYyA'; // application signature
$uid='2384249'; // user identifier
$auth_type='3'; // authentication type; here, for example, 3 denotes face recognition
Besides the signature information there are three other parameters: the application identifier app_id, the user identifier uid and the authentication type auth_type. Sorted lexicographically by parameter name, app_id comes first, auth_type second and uid last, and the string is then concatenated:
'app_id='.$app_id.'auth_type='.$auth_type.'uid='.$uid.$app_key
The concatenated string is then hashed with MD5 to obtain the signature information:
md5('app_id='.$app_id.'auth_type='.$auth_type.'uid='.$uid.$app_key)
It should be noted that the mapping between the account name in the third-party application (for example username) and the user identifier (for example uid) is stored in advance in the application server 240. After the user enters the username and password in the third-party application, the application server 240 automatically looks up the corresponding user identifier and sends it to the first server 210 together with the login request message, and the subsequent steps follow. In other words, the first server 210 cannot obtain the user's account information in the third-party application; the first server 210 and the application server 240 communicate by means of the user identifier, which further protects the security of the user's account.
When the first server 210 receives the login request, it generates an event identifier. The event identifier identifies each request event; according to an embodiment, once the event identifier has been obtained, the event result corresponding to it can be obtained by calling /v1/event_result.
The first server 210 sends the received authentication information to the second server 220, which verifies whether the authentication information is correct and, if verification passes, sends a first verification message to the first server 210. Likewise, the authentication information can carry signature information: the second server 220 applies the same MD5 algorithm to the received authentication information to obtain a signature and compares it with the signature information it received. If the two signatures match, verification passes, and the second server 220 sends a first verification message comprising the user mobile phone number and the authentication type to the first server 210; the user mobile phone number corresponds to the user identifier. For example, the user mobile phone number and the application identifier are combined according to some rule into a character string, which is the user identifier. The invention does not restrict the method used to compute the correspondence between the user mobile phone number and the user identifier.
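The signing rule described above and the second server's check of it, as an added Python example (not code from the patent), shown beside a hardened variant. The field name `sign`, the function names, and the HMAC-SHA256 variant with length-prefixed parameters are assumptions introduced for illustration; the sample values are the ones in the text.

```python
import hashlib
import hmac

# Sample values taken from the worked example in the text.
APP_KEY = "qms7LwYXgw3FbnVdwYyA"
SAMPLE = {
    "app_id": "Fqlw4Z2KCqHzvw3YN0eUpM9KgTQ47iWf",
    "uid": "2384249",
    "auth_type": "3",  # 3 denotes face recognition in the text's example
}
SIG_FIELD = "sign"  # assumed field name; the text does not name it


def _sorted_items(params):
    """Non-signature parameters, sorted lexicographically by name."""
    return sorted((k, str(v)) for k, v in params.items() if k != SIG_FIELD)


def signing_string(params, app_key):
    """Rule from the text: name=value pairs joined with no separator,
    followed by app_key."""
    return "".join(f"{k}={v}" for k, v in _sorted_items(params)) + app_key


def sign_md5(params, app_key):
    """Signature as described in the text: MD5 hex digest of the string."""
    data = signing_string(params, app_key).encode("utf-8")
    return hashlib.md5(data).hexdigest()


def verify_md5(request, app_key):
    """Second-server check: recompute, then compare in constant time."""
    received = str(request.get(SIG_FIELD, "")).lower().encode("utf-8")
    expected = sign_md5(request, app_key).encode("utf-8")
    return hmac.compare_digest(expected, received)


def canonical_bytes(params):
    """Length-prefixed encoding (assumption, not in the text) so that
    parameter boundaries are part of what gets signed."""
    out = bytearray()
    for k, v in _sorted_items(params):
        kb, vb = k.encode("utf-8"), v.encode("utf-8")
        out += b"%d:%s%d:%s" % (len(kb), kb, len(vb), vb)
    return bytes(out)


def sign_hmac(params, app_key):
    """Hardened variant (not in the text): HMAC-SHA256 keyed with app_key."""
    key = app_key.encode("utf-8")
    return hmac.new(key, canonical_bytes(params), hashlib.sha256).hexdigest()


def verify_hmac(request, app_key):
    received = str(request.get(SIG_FIELD, "")).lower().encode("utf-8")
    expected = sign_hmac(request, app_key).encode("utf-8")
    return hmac.compare_digest(expected, received)


if __name__ == "__main__":
    request = dict(SAMPLE, **{SIG_FIELD: sign_md5(SAMPLE, APP_KEY)})
    print("signing string:", signing_string(SAMPLE, APP_KEY))
    print("verifies:", verify_md5(request, APP_KEY))
    print("verifies after uid change:",
          verify_md5(dict(request, uid="2384250"), APP_KEY))

    # Constructed pair: the separator-free format gives both the same
    # signing string; the length-prefixed encoding keeps them distinct.
    a = {"app_id": "A", "auth_type": "3", "uid": "2384249"}
    b = {"app_id": "Aauth_type=3", "uid": "2384249"}
    print("same MD5 input:",
          signing_string(a, APP_KEY) == signing_string(b, APP_KEY))
    print("same HMAC input:", canonical_bytes(a) == canonical_bytes(b))
```

A verifier built on the text's format should therefore also validate each parameter's syntax before recomputing the signature.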
After obtaining the user mobile phone number, the first server 210 does two things. On the one hand, it queries the database for the mobile terminals, such as a mobile phone or a Pad, that are logged in online for that user mobile phone number, writes the information of the mobile terminals found into a push task, and then sends the push task to the third server 230. For example, if the device IDs of mobile terminals are stored in advance in the first server 210, the device ID of the online mobile terminal can be written into the push task. On the other hand, it associates the user mobile phone number with the event identifier; as described above, the event identifier identifies the request type of the request event, so the request type of the current user can be determined from this association.
According to one embodiment, before sending the push task to the third server 230, the first server 210 performs push verification with the third server to ensure that the subsequent push will succeed. If verification fails, it sends a verification failure message to the application server 240.
After the third server 230 receives the push task, it pushes the push message to the corresponding mobile terminal 100 through the APN push module. According to an embodiment, push messages are of three kinds: verification messages, user gesture change messages and other messages. For the security of pushed data, a push message carries only the push type and no concrete data. For example, the type of a push message can be: whether to approve the user's login request, kicking the user out to the login page, and displaying a push message. The invention does not limit the types of push message, which can be defined according to the needs of the third-party application. As described above, the APN push module covers push for iOS, Android and Windows Phone, and the code of its push message is as follows:
Further, the first server 210 also sends the event identifier to the application server 240. After the mobile terminal 100 receives the above push message, it parses the type of the push message; for example, the current push type may be: whether to approve the login. The mobile terminal 100 obtains the authentication request sent by the first server 210 and then displays the authorization interface; this authentication request likewise contains the authentication information. The mobile terminal 100 can now invoke the camera subsystem 120 and display a marker on the authorization interface to capture the user's facial image, as shown in Figure 7B. When the user is within the shooting range of the mobile terminal, the camera subsystem 120 automatically searches for and captures the user's facial image, and the mobile terminal 100 then sends the facial image to the first server 210. After receiving the facial image, the first server 210 sends the authentication information together with the facial image to the second server 220, which verifies whether the facial image is correct and, if verification passes, sends a second verification message to the first server 210.
According to an embodiment of the invention, the second server 220's verification of the facial image can be divided into four steps: face region detection, face image preprocessing, face image feature extraction and image matching. First, the face region is detected in the captured facial image to obtain the face image, that is, the position and size of the face in the picture are accurately located. In some embodiments, face region detection is also regarded as part of the preprocessing of face recognition; the invention does not limit this. The face image is then preprocessed: based on the face detection result, the face image is processed so that it can serve feature extraction. Because the captured image may be subject to various constraints and random interference, it often cannot be used directly and must first undergo image preprocessing such as grayscale correction and noise filtering. For a face image, preprocessing mainly includes light compensation, grayscale transformation, histogram equalization, normalization, geometric correction, filtering and sharpening. Next, facial feature extraction is the process of building a feature model of the face. A face consists of parts such as the eyes, nose, mouth and chin, and the geometric description of these parts and of the structural relationships between them can serve as important features for recognizing the face; these features are called geometric features. After the feature data in the face image has been extracted, it is matched against the preset feature template of the user and a similarity is computed; when the similarity is greater than a threshold, the match is considered successful and verification passes. If verification passes, the user identifier is returned to the first server 210.
According to one embodiment of the invention, the user is required to enroll a face image in advance; the preset facial image feature template is obtained by the same processing method and stored in the second server, for use in verifying the user's facial image in this step. It should be noted that verification of the facial image need not be completed in the second server 220: a background server dedicated to facial image recognition and matching can be provided to store the facial image feature templates, in which case the second server 220 forwards the facial image to this background server after receiving it, the background server performs the verification, and the verification result is returned to the second server 220. In addition, many relatively mature algorithms are available for facial image recognition and matching, and the invention does not limit which specific algorithm is used to verify whether the facial image is correct.
After the first server 210 receives the returned user identifier, it associates the user identifier with the authentication type and establishes a mapping. As described earlier, the user mobile phone number can be derived from the user identifier, so the first server stores an association table of user mobile phone number, event identifier and authentication type. The application server 240 can query the first server 210 for the event result at predetermined intervals according to the event identifier, and obtain the user identifier corresponding to the event result from the mapping between user identifier and event identifier. Because the mapping between user identifier and third-party application account name is stored in advance in the application server 240, the application server 240 finally obtains the result of the current user's login authentication request. At this point, the user's login authentication request is complete.
According to the login authentication scheme based on face recognition of the present invention, the security of the user account is ensured by re-authentication; in particular, when the user needs to perform a sensitive operation such as a payment transaction, face recognition is used for authentication and login. Further, the first server and the application server communicate by means of the user ID, so the first server cannot obtain the user's account information in the third-party application, which further protects the security of the user's account.
Fig. 3 shows a flow chart of a login authentication method 300 based on face recognition according to an embodiment of the present invention. The method is performed in the first server 210, which can be connected to the mobile terminal 100, the second server 220, the third server 230 and the application server 240 through a network. The method starts at step S310: a login request, sent by the application server 240, in which a user requests to log in to a third-party application is received, and an event identifier is generated, wherein the login request comprises authentication information having an application identity, a user ID and an auth type. According to one embodiment of the present invention, the authentication information also comprises signature information; as described with reference to Fig. 2, the signature information is obtained by applying an encryption algorithm to the transmission data comprising the application identity, user ID and auth type. According to embodiments of the present invention, the auth type is face recognition.
Subsequently in step S320, the authentication information is sent to the second server 220, the second server 220 returns the user mobile phone number corresponding to the user ID, and the user mobile phone number is associated with the event identifier, so that the request type of the current user can be determined from the event identifier associated with the user mobile phone number. Specifically, the authentication information is sent to the second server 220 so that the second server 220 verifies whether the signature information is correct; if the verification passes, a first verification message sent by the second server 220 is received, wherein the first verification message comprises the user mobile phone number.
Subsequently in step S330, a push task is sent to the third server 230, so that the third server 230 pushes a message instructing display of the authorization interface to the mobile terminal 100 corresponding to the user mobile phone number. According to one embodiment of the present invention, the push task comprises the request type. It should be noted that, to ensure that the push task can be pushed smoothly, the first server 210 can first perform push verification on the third server before sending the push task to the third server 230; if the verification fails, a verification failure message is sent to the application server 240.
Subsequently in step S340, the event identifier is sent to the application server 240, and an authentication request comprising the authentication information is sent to the mobile terminal 100.
Subsequently in step S350, the facial image of the user, sent by the mobile terminal and collected on the authorization interface, is received.
Subsequently in step S360, the authentication information comprising the facial image is sent to the second server 220, the second server 220 returns the user ID and the auth type, and the user ID, event identifier and auth type are associated, so that the application server 240 can query, by the event identifier, the authentication result corresponding to the user ID.
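The following Python example is added here as an illustration and is not code from the patent; it shows the event bookkeeping of steps S310 to S360 on the first server, including the periodic query by the application server. The class and function names, the random event identifier, the expiry time, the single-use result and the check that only the requesting application may query an event are assumptions of this example, and the second and third servers are replaced by constructed in-memory stand-ins.

```python
import secrets
import time

class FirstServer:
    """Event bookkeeping for steps S310-S360 (all names are hypothetical)."""

    def __init__(self, lookup_phone, verify_face, push, ttl=120, clock=time.monotonic):
        self.lookup_phone, self.verify_face, self.push = lookup_phone, verify_face, push
        self.ttl, self.clock = ttl, clock
        self.events = {}    # event identifier -> association record
        self.by_phone = {}  # user mobile phone number -> pending event identifier

    def login_request(self, app_id, user_id, auth_type):
        """S310-S340: returns the event identifier handed to the application server."""
        auth_info = {"app_id": app_id, "user_id": user_id, "auth_type": auth_type}
        phone = self.lookup_phone(auth_info)              # S320: first verification
        if phone is None:
            return None
        event_id = secrets.token_urlsafe(32)              # S310: unguessable polling key
        self.events[event_id] = {"auth_info": auth_info, "user_id": None,
                                 "state": "pending",
                                 "expires": self.clock() + self.ttl}
        self.by_phone[phone] = event_id                   # associate phone and event
        self.push(phone, {"request_type": "login"})       # S330: push task
        return event_id                                   # S340

    def submit_face(self, phone, face_image):
        """S350-S360: facial image collected on the authorization interface."""
        rec = self.events.get(self.by_phone.pop(phone, None))
        if rec is None or rec["state"] != "pending" or self.clock() > rec["expires"]:
            return False
        result = self.verify_face(rec["auth_info"], face_image)  # second verification
        if result is None:
            rec["state"] = "failed"
            return False
        rec["user_id"], rec["auth_type"] = result         # associate ID, event, type
        rec["state"] = "verified"
        return True

    def query(self, app_id, event_id):
        """Periodic query by the application server, keyed by event identifier."""
        rec = self.events.get(event_id)
        if rec is None or rec["auth_info"]["app_id"] != app_id:
            return ("unknown", None)
        if rec["state"] == "pending":
            if self.clock() <= rec["expires"]:
                return ("pending", None)
            rec["state"] = "expired"
        del self.events[event_id]                         # final results are single-use
        return (rec["state"], rec["user_id"])

# Constructed stand-ins for the second server (directory, templates) and third server.
DIRECTORY = {"u-1001": "+10000000001"}
TEMPLATES = {"u-1001": b"constructed-face-sample"}
PUSHED = []

def lookup_phone(auth_info):
    return DIRECTORY.get(auth_info["user_id"])

def verify_face(auth_info, face_image):
    # Byte equality stands in for the template matching done by the second server.
    ok = TEMPLATES.get(auth_info["user_id"]) == face_image
    return (auth_info["user_id"], auth_info["auth_type"]) if ok else None

def push(phone, message):
    PUSHED.append((phone, message))
```

The first server holds only the user ID, phone number and event state; the third-party account name never appears in its records, which matches the separation described above.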
Fig. 4 shows a schematic diagram of a login authentication device 400 based on face recognition according to an embodiment of the present invention. The device 400 resides in the first server 210, which can be connected to the mobile terminal 100, the second server 220, the third server 230 and the application server 240 through a network. The device 400 comprises: a connection management unit 410, an information generating unit 420 and an information association unit 430.
The connection management unit 410 is adapted to receive the login request, sent by the application server 240, in which a user requests to log in to a third-party application. The information generating unit 420 is adapted to generate an event identifier after the login request is received. According to one embodiment of the present invention, the login request comprises authentication information having an application identity, a user ID and an auth type, and the authentication information also comprises signature information, the signature information being obtained by applying an encryption algorithm to the transmission data comprising the application identity, user ID and auth type. According to the embodiment of the present invention, the auth type is face recognition.
The connection management unit 410 is also adapted to send the authentication information to the second server 220, which verifies whether the signature information is correct; if the verification passes, the connection management unit 410 receives the first verification message returned by the second server 220, which comprises the user mobile phone number, the user mobile phone number corresponding to the user ID. The information association unit 430 is adapted to associate this user mobile phone number with the event identifier; as described above, the request type of the current user can be determined from the mapping between user mobile phone number and event identifier.
The connection management unit 410 then sends a push task to the third server 230, so that the third server 230 pushes a message instructing display of the authorization interface to the mobile terminal 100 corresponding to the user mobile phone number. As described with reference to Fig. 2, the push task comprises the request type. According to one embodiment of the present invention, the device 400 can also comprise a push authentication unit 440, adapted to perform push verification on the third server 230 before the push task is sent to the third server 230 and, if the verification fails, to send a verification failure message to the application server 240. After sending the push task, the connection management unit 410 sends the event identifier to the application server 240 and sends an authentication request to the mobile terminal 100. Similarly, this authentication request also comprises the authentication information.
When the connection management unit 410 receives the facial image of the user, sent by the mobile terminal 100 and collected on the authorization interface, it sends the authentication information comprising the above facial image to the second server 220 and receives the user ID and auth type returned by the second server 220. The information association unit is adapted to associate the user ID, event identifier and auth type, so that the application server 240 can query, by the event identifier, the authentication result corresponding to the user ID.
Fig. 5 shows a flow chart of a login authentication method 500 based on face recognition according to another embodiment of the present invention. The method is performed in the second server 220, which can be connected to the mobile terminal 100, the first server 210, the third server 230 and the application server 240 through a network. The method starts at step S510: a first verification request sent by the first server 210 is received, the first verification request comprising authentication information having an application identity, a user ID and an auth type, the authentication information being obtained by the first server 210 from the login request, sent by the application server 240, in which a user requests to log in to a third-party application. According to one embodiment, the authentication information also comprises signature information, the signature information being obtained by applying an encryption algorithm to the transmission data comprising the application identity, user ID and auth type. According to the embodiment of the present invention, the auth type is face recognition. In addition, the first server 210 also generates the event identifier associated with the login request.
Subsequently in step S520, whether the above authentication information is correct is verified; if the verification passes, the user mobile phone number corresponding to the user ID is returned to the first server 210, so that the first server 210 sends the event identifier to the application server 240 and sends a push task to the third server 230, and the third server 230 pushes a message instructing display of the authorization interface to the mobile terminal 100 corresponding to the user mobile phone number. The step of verifying the authentication information is consistent with the description of Fig. 2 and is not repeated here.
Subsequently in step S530, a second verification request sent by the first server 210 is received; the second verification request comprises the authentication information and also a facial image. According to one implementation, after the first server 210 has sent the authentication request comprising the authentication information to the mobile terminal 100 and has received the facial image of the user, sent by the mobile terminal 100 and collected on the authorization interface, it sends the above second verification request.
Subsequently in step S540, whether the facial image is correct is verified; if the verification passes, the user ID is returned to the first server 210, and the first server 210 associates the user ID, event identifier and auth type, so that the application server 240 can query, by the event identifier, the authentication result corresponding to the user ID. Likewise, the step of verifying the facial image is not described in detail again here.
Fig. 6 shows a schematic diagram of a login authentication device 600 based on face recognition according to another embodiment of the present invention. The device resides in the second server 220, which can be connected to the mobile terminal 100, the first server 210, the third server 230 and the application server 240 through a network. The device 600 comprises: a connection management unit 610 and an information authentication unit 620.
The connection management unit 610 is adapted to receive the first verification request sent by the first server 210, the first verification request comprising authentication information having an application identity, a user ID and an auth type; this authentication information is obtained by the first server from the login request, sent by the application server, in which a user requests to log in to a third-party application, and the first server 210 is also adapted to generate the event identifier associated with the login request.
The information authentication unit 620 is adapted to verify, when the first verification request is received, whether the above authentication information is correct. When the verification passes, the connection management unit 610 returns the user mobile phone number to the first server 210, so that the first server 210 sends the event identifier to the application server 240 and sends a push task to the third server 230, and the third server 230 pushes a message instructing display of the authorization interface to the mobile terminal 100 corresponding to the user mobile phone number.
The connection management unit 610 is also adapted to receive the second verification request sent by the first server 210, the second verification request comprising the authentication information and a facial image. According to one embodiment of the present invention, after the first server 210 has sent the authentication request comprising the authentication information to the mobile terminal 100 and has received the facial image of the user, sent by the mobile terminal 100 and collected on the authorization interface, it sends the above second verification request.
The information authentication unit 620 is adapted to verify, when the second verification request is received, whether the above facial image is correct. When the verification passes, the user ID and auth type (namely face recognition) are returned to the first server 210, and the first server 210 associates the user ID, event identifier and auth type, so that the application server 240 can query, by the event identifier, the authentication result corresponding to the user ID.
According to one embodiment of the present invention, the information authentication unit 620 verifies whether the signature information is correct by encrypting the transmission data comprising the application identity, user ID and auth type; if it is correct, the authentication information is correct and the verification passes.
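The following Python example is added here as an illustration and is not code from the patent; it shows one way the second server can recompute the signature information over the application identity, user ID and auth type and compare it with the received value. The patent speaks only of an encryption algorithm; the use of HMAC-SHA256, the per-application key table, the length-prefixed field encoding and all names are assumptions of this example.

```python
import hashlib
import hmac
import struct

# Constructed per-application secret, assumed to be shared at registration time.
APP_KEYS = {"app-A": b"constructed-demo-key-for-app-A"}
FIELDS = ("app_id", "user_id", "auth_type")

def canonical(app_id, user_id, auth_type):
    """Length-prefix every field so a byte cannot move between adjacent fields."""
    out = b""
    for value in (app_id, user_id, auth_type):
        raw = value.encode("utf-8")
        out += struct.pack(">I", len(raw)) + raw
    return out

def sign(key, app_id, user_id, auth_type):
    """Signature information as produced by the sender (HMAC-SHA256 assumed)."""
    message = canonical(app_id, user_id, auth_type)
    return hmac.new(key, message, hashlib.sha256).hexdigest()

def verify_auth_info(auth_info):
    """Recompute the signature over the transmitted fields and compare."""
    values = [auth_info.get(name) for name in FIELDS + ("signature",)]
    if not all(isinstance(v, str) for v in values):
        return False                       # missing or malformed field
    app_id, user_id, auth_type, signature = values
    key = APP_KEYS.get(app_id)
    if key is None:
        return False                       # unknown application identity
    try:
        expected = sign(key, app_id, user_id, auth_type)
        received = signature.encode("utf-8")
    except UnicodeEncodeError:
        return False                       # text that cannot be encoded
    # Constant-time comparison avoids leaking how many characters matched.
    return hmac.compare_digest(expected.encode("ascii"), received)
```

Plain concatenation of the three fields would give the same signed bytes for ("ab", "c") and ("a", "bc"); the length prefixes keep such inputs distinct.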
On the other hand, the information authentication unit 620 uses a face recognition algorithm to match the received facial image against the preset facial image feature template and calculates their similarity; if the similarity is greater than the threshold, the verification is considered passed. For an introduction to the specific algorithm, refer to the part of this specification described with reference to Fig. 2.
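The following Python example is added here as an illustration and is not code from the patent, which does not fix a particular algorithm; it shows geometric features built from the structural relationships between the eyes, nose, mouth and chin, matched against an enrolled template with a similarity threshold. The landmark names, the normalisation by the distance between the eyes, the similarity formula, the threshold value and the sample coordinates are assumptions of this example, and landmark extraction from the preprocessed image is taken as already done.

```python
import math
from itertools import combinations

LANDMARKS = ("left_eye", "right_eye", "nose", "mouth", "chin")

def geometric_features(points):
    """Pairwise landmark distances divided by the distance between the eyes,
    so the features do not depend on image scale or position."""
    missing = [name for name in LANDMARKS if name not in points]
    if missing:
        raise ValueError("missing landmarks: " + ", ".join(missing))
    scale = math.dist(points["left_eye"], points["right_eye"])
    if scale == 0:
        raise ValueError("eyes coincide; cannot normalise")
    return [math.dist(points[a], points[b]) / scale
            for a, b in combinations(LANDMARKS, 2)]

def similarity(features, template):
    """Map the Euclidean distance between two feature vectors to (0, 1]."""
    return 1.0 / (1.0 + math.dist(features, template))

def verify(points, template, threshold=0.9):
    """Verification passes only when the similarity is greater than the threshold."""
    return similarity(geometric_features(points), template) > threshold

# Constructed sample landmarks (pixel coordinates), not real biometric data.
ENROLLED = {"left_eye": (30, 40), "right_eye": (70, 40), "nose": (50, 60),
            "mouth": (50, 80), "chin": (50, 100)}
# Same proportions, image twice as large and shifted by (10, 5).
SAME_USER = {"left_eye": (70, 85), "right_eye": (150, 85), "nose": (110, 125),
             "mouth": (110, 165), "chin": (110, 205)}
# Different proportions: longer lower face.
OTHER_USER = {"left_eye": (30, 40), "right_eye": (70, 40), "nose": (50, 70),
              "mouth": (50, 95), "chin": (50, 125)}

TEMPLATE = geometric_features(ENROLLED)   # stored at enrolment
```

Because the template is produced by the same processing as the probe, any change to the feature definition requires re-enrolling every stored template.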
It should be understood that, in order to streamline the disclosure and aid understanding of one or more of the various inventive aspects, in the above description of exemplary embodiments of the present invention the features of the invention are sometimes grouped together in a single embodiment, figure, or description thereof. However, this method of disclosure should not be interpreted as reflecting an intention that the claimed invention requires more features than are expressly recited in each claim. Rather, as the following claims reflect, inventive aspects lie in less than all features of a single foregoing disclosed embodiment. Therefore, the claims following the detailed description are hereby expressly incorporated into this detailed description, with each claim standing on its own as a separate embodiment of the present invention.
Those skilled in the art should understand that the modules, units or components of the devices in the examples disclosed herein can be arranged in a device as described in the embodiment, or alternatively can be located in one or more devices different from the device in the example. The modules in the foregoing examples can be combined into one module or can further be divided into multiple sub-modules.
Those skilled in the art will appreciate that the modules in the devices of an embodiment can be adaptively changed and arranged in one or more devices different from that embodiment. The modules, units or components of an embodiment can be combined into one module, unit or component, and can further be divided into multiple sub-modules, sub-units or sub-components. Except where at least some of such features and/or processes or units are mutually exclusive, all features disclosed in this specification (including the accompanying claims, abstract and drawings) and all processes or units of any method or device so disclosed can be combined in any combination. Unless expressly stated otherwise, each feature disclosed in this specification (including the accompanying claims, abstract and drawings) can be replaced by an alternative feature serving the same, an equivalent or a similar purpose.
A4. The method as described in A3, further comprising the step of: associating the user mobile phone number with the event identifier, so as to determine the request type of the current user from the event identifier associated with the user mobile phone number.
A5. The method as described in A4, wherein the push task comprises the request type.
A6. The method according to any one of A2-5, wherein the step of sending the authentication information comprising the facial image to the second server and having the second server return the user ID comprises: sending the authentication information comprising the facial image to the second server, so that the second server verifies whether the facial image is correct; and, if the verification passes, receiving a second verification message sent by the second server, wherein the second verification message comprises the user ID and the auth type.
A7. The method according to any one of A1-6, further comprising, before the step of sending the push task to the third server, the step of: performing push verification on the third server and, if the verification fails, sending a verification failure message to the application server.
B11. The device as described in B10, wherein the information association unit is also adapted to associate the user mobile phone number with the event identifier, so as to determine the request type of the current user from the event identifier associated with the user mobile phone number.
B12. The device as described in B11, wherein the push task comprises the request type.
B13. The device according to any one of B9-12, wherein the connection management unit is also adapted to send the authentication information comprising the facial image to the second server, which verifies whether the facial image is correct, and, if the verification passes, to receive the second verification message, which comprises the user ID and the auth type.
B14. The device according to any one of B8-13, further comprising: a push authentication unit, adapted to perform push verification on the third server before the push task is sent to the third server and, if the verification fails, to send a verification failure message to the application server.
C17. The method as described in C16, wherein the step of verifying whether the authentication information is correct after the first verification request is received comprises: verifying whether the signature information is correct by means of the encryption algorithm.
C18. The method according to any one of C15-17, wherein the step of verifying whether the facial image is correct after the second verification request is received comprises: extracting the feature information in the facial image and matching it against the facial image feature template of the preset user; if the similarity is greater than the threshold, the verification is considered correct.
D20. The device as described in D19, wherein the authentication information also comprises signature information, the signature information being obtained by applying an encryption algorithm to the transmission data comprising the application identity, user ID and auth type.
D21. The device as described in D20, wherein the information authentication unit is also adapted to verify whether the signature information is correct by means of the encryption algorithm.
D22. The device according to any one of D19-21, wherein the information authentication unit is also adapted to extract the feature information in the facial image and match it against the facial image feature template of the preset user; if the similarity is judged to be greater than the threshold, the verification is considered correct.
In addition, those skilled in the art will understand that although some embodiments described herein include some features included in other embodiments but not others, combinations of features of different embodiments are meant to be within the scope of the present invention and to form different embodiments. For example, in the following claims, any of the claimed embodiments can be used in any combination.
In addition, some of the embodiments are described herein as methods, or combinations of method elements, that can be implemented by a processor of a computer system or by other means of carrying out the described function. Thus, a processor with the necessary instructions for implementing such a method or method element forms a means for implementing the method or method element. Furthermore, an element of a device embodiment described herein is an example of a means for carrying out the function performed by the element for the purpose of implementing the invention.
As used herein, unless otherwise specified, the use of the ordinal numbers "first", "second", "third" and so on to describe an ordinary object merely indicates that different instances of similar objects are being referred to, and is not intended to imply that the objects so described must be in a given order, whether temporally, spatially, in ranking or in any other manner.
Although the present invention has been described in terms of a limited number of embodiments, those skilled in the art, having the benefit of the above description, will understand that other embodiments can be envisaged within the scope of the invention thus described. In addition, it should be noted that the language used in this specification has been selected mainly for readability and instructional purposes, rather than to explain or limit the subject matter of the present invention. Therefore, many modifications and changes will be apparent to those of ordinary skill in the art without departing from the scope and spirit of the appended claims. With respect to the scope of the present invention, the disclosure made of the invention is illustrative and not restrictive, and the scope of the invention is defined by the appended claims.