Summary of the invention
To this end, the present invention provides a login authentication method, apparatus and system based on face recognition, in an effort to solve or at least alleviate at least one of the problems above.
According to one aspect of the invention, a login authentication method based on face recognition is provided. The method is performed in a first server, which can be connected through a network to a mobile terminal, a second server, a third server and an application server, and includes the steps of: receiving a login request, sent by the application server, in which a user requests to log in to a third-party application, and generating an event identifier, where the login request includes authentication information having an application identifier, a user identifier and an authentication type, and the authentication type is face recognition; sending the authentication information to the second server, which returns the user's mobile phone number corresponding to the user identifier; sending a push task to the third server, so that the third server pushes a message instructing display of an authorization interface to the mobile terminal corresponding to the user's mobile phone number; sending the event identifier to the application server, and sending an authentication request containing the authentication information to the mobile terminal; receiving a face image of the user, sent by the mobile terminal and captured on the authorization interface; and sending the authentication information including the face image to the second server, which returns the user identifier and authentication type, and associating the user identifier, the event identifier and the authentication type, so that the application server can query, by event identifier, the authentication result corresponding to the user identifier.
Optionally, in the login authentication method based on face recognition according to the invention, the authentication information also includes signature information, which is obtained by applying an encryption algorithm to the transmitted data including the application identifier, the user identifier and the authentication type.
Optionally, in the login authentication method based on face recognition according to the invention, the step of sending the authentication information to the second server, which returns the user's mobile phone number corresponding to the user identifier and the authentication type, includes: sending the authentication information to the second server, so that the second server verifies whether the signature information is correct; and, if verification passes, receiving a first verification message sent by the second server, where the first verification message includes the user's mobile phone number.
Optionally, the login authentication method based on face recognition according to the invention further includes the step of: associating the user's mobile phone number with the event identifier, so as to determine the request type of the current user from the event identifier associated with the user's mobile phone number.
Optionally, in the login authentication method based on face recognition according to the invention, the push task includes the request type.
Optionally, in the login authentication method based on face recognition according to the invention, the step of sending the authentication information including the face image to the second server, which returns the user identifier, includes: sending the authentication information including the face image to the second server, so that the second server verifies whether the face image is correct; and, if verification passes, receiving a second verification message sent by the second server, where the second verification message includes the user identifier and the authentication type.
Optionally, in the login authentication method based on face recognition according to the invention, before the step of sending the push task to the third server, the method further includes the step of: performing push verification against the third server and, if verification fails, sending a verification failure message to the application server.
According to another aspect of the invention, a login authentication device based on face recognition is provided. The device resides in a first server, which can be connected through a network to a mobile terminal, a second server, a third server and an application server, and includes: a connection management unit, adapted to receive a login request, sent by the application server, in which a user requests to log in to a third-party application, and to receive a face image of the user, sent by the mobile terminal and captured on an authorization interface; further adapted to send the authentication information to the second server and receive the user's mobile phone number returned by the second server, to send the authentication information including the face image to the second server and receive the user identifier and authentication type returned by the second server, to send the event identifier to the application server, to send an authentication request to the mobile terminal, and to send a push task to the third server, so that the third server pushes a message instructing display of the authorization interface to the mobile terminal corresponding to the user's mobile phone number, where the login request and the authentication request both include authentication information having an application identifier, a user identifier and an authentication type, the authentication type is face recognition, and the user's mobile phone number corresponds to the user identifier; an information generating unit, adapted to generate an event identifier after the login request is received; and an information association unit, adapted to associate the user identifier, the event identifier and the authentication type, so that the application server can query, by event identifier, the authentication result corresponding to the user identifier.
Optionally, in the login authentication device based on face recognition according to the invention, the authentication information also includes signature information, which is obtained by applying an encryption algorithm to the transmitted data including the application identifier, the user identifier and the authentication type.
Optionally, in the login authentication device based on face recognition according to the invention, the connection management unit is further adapted to send the authentication information to the second server, which verifies whether the signature information is correct, and, if verification passes, to receive a first verification message, which includes the user's mobile phone number corresponding to the user identifier.
Optionally, in the login authentication device based on face recognition according to the invention, the information association unit is further adapted to associate the user's mobile phone number with the event identifier, so as to determine the request type of the current user from the event identifier associated with the user's mobile phone number.
Optionally, in the login authentication device based on face recognition according to the invention, the push task includes the request type.
Optionally, in the login authentication device based on face recognition according to the invention, the connection management unit is further adapted to send the authentication information including the face image to the second server, which verifies whether the face image is correct, and, if verification passes, to receive a second verification message, which includes the user identifier and the authentication type.
Optionally, the login authentication device based on face recognition according to the invention further includes: a push verification unit, adapted to perform push verification against the third server before the push task is sent to the third server and, if verification fails, to send a verification failure message to the application server.
According to another aspect of the invention, another login authentication method based on face recognition is provided. The method is performed in a second server, which can be connected through a network to a mobile terminal, a first server, a third server and an application server, and includes the steps of: receiving a first verification request sent by the first server, where the first verification request contains authentication information having an application identifier, a user identifier and an authentication type, the authentication information is obtained by the first server from a login request, sent by the application server, in which a user requests to log in to a third-party application, and the first server also generates an event identifier associated with the login request; verifying whether the authentication information is correct and, if verification passes, returning the user's mobile phone number corresponding to the user identifier to the first server, so that the first server sends the event identifier to the application server and sends a push task to the third server, and the third server pushes a message instructing display of an authorization interface to the mobile terminal corresponding to the user's mobile phone number; receiving a second verification request sent by the first server, where the second verification request also contains a face image, and the first server sends the second verification request after it has sent an authentication request containing the authentication information to the mobile terminal and has received the face image of the user, sent by the mobile terminal and captured on the authorization interface; and verifying whether the face image is correct and, if verification passes, returning the user identifier and the authentication type to the first server, which associates the user identifier, the event identifier and the authentication type, so that the application server can query, by event identifier, the authentication result corresponding to the user identifier.
Optionally, in the login authentication method based on face recognition according to the invention, the authentication information also includes signature information, which is obtained by applying an encryption algorithm to the transmitted data including the application identifier, the user identifier and the authentication type.
Optionally, in the login authentication method based on face recognition according to the invention, the step of verifying whether the authentication information is correct after the first verification request is received includes: verifying by the encryption algorithm whether the signature information is correct.
Optionally, in the login authentication method based on face recognition according to the invention, the step of verifying whether the face image is correct after the second verification request is received includes: extracting the feature information from the face image and matching it against the preset face image feature template of that user, the verification being considered correct if the similarity is greater than a threshold.
According to another aspect of the invention, another login authentication device based on face recognition is provided. The device resides in a second server, which can be connected through a network to a mobile terminal, a first server, a third server and an application server, and includes: a connection management unit, adapted to receive a first verification request sent by the first server, where the first verification request contains authentication information having an application identifier, a user identifier and an authentication type, the authentication information is obtained by the first server from a login request, sent by the application server, in which a user requests to log in to a third-party application, and the first server is further adapted to generate an event identifier associated with the login request; adapted to return the user's mobile phone number to the first server when verification passes, so that the first server sends the event identifier to the application server and sends a push task to the third server, and the third server pushes a message instructing display of an authorization interface to the mobile terminal corresponding to the user's mobile phone number; further adapted to receive a second verification request sent by the first server, where the second verification request contains a face image, and the first server sends the second verification request after it has sent an authentication request containing the authentication information to the mobile terminal and has received the face image of the user, sent by the mobile terminal and captured on the authorization interface; and adapted to return the user identifier and the authentication type to the first server when verification passes, the first server associating the user identifier, the event identifier and the authentication type, so that the application server can query, by event identifier, the authentication result corresponding to the user identifier; and an information verification unit, adapted to verify whether the authentication information and the face image are correct.
Optionally, in the login authentication device based on face recognition according to the invention, the authentication information also includes signature information, which is obtained by applying an encryption algorithm to the transmitted data including the application identifier, the user identifier and the authentication type.
Optionally, in the login authentication device based on face recognition according to the invention, the information verification unit is further adapted to verify by the encryption algorithm whether the signature information is correct.
Optionally, in the login authentication device based on face recognition according to the invention, the information verification unit is further adapted to extract the feature information from the face image and match it against the preset face image feature template of that user, the verification being considered correct if the similarity is judged to be greater than a threshold.
According to another aspect of the invention, a login authorization system based on face recognition is provided. The system includes: a first server with the login authentication device based on face recognition as described above; a second server with the login authentication device based on face recognition as described above; a third server, adapted to push the push messages of the first server to the mobile terminal; an application server connected to a third-party application; and a mobile terminal, adapted to analyze the push message pushed by the third server, to obtain the authentication request from the first server, and to send the face image of the user captured on the authorization interface to the first server.
With the login authentication scheme based on face recognition according to the invention, the security of the user account is ensured through secondary authentication; in particular, when the user needs to complete a sensitive operation such as a payment transaction, the login is authenticated by face recognition. Furthermore, the first server and the application server communicate by means of the user identifier, so the first server does not obtain the user's account information in the third-party application, which further protects the security of the user's account.
Detailed description of embodiments
Exemplary embodiments of the present disclosure are described in more detail below with reference to the accompanying drawings. Although the drawings show exemplary embodiments of the disclosure, it should be understood that the disclosure may be implemented in various forms and should not be limited by the embodiments set forth here. Rather, these embodiments are provided so that the disclosure can be understood more thoroughly and its scope can be fully conveyed to those skilled in the art.
Fig. 1 is a schematic structural diagram of a mobile terminal 100 according to one embodiment of the invention. Referring to Fig. 1, the mobile terminal 100 includes a memory interface 102, one or more data processors, image processors and/or central processing units 104, and a peripheral interface 106. The memory interface 102, the one or more processors 104 and/or the peripheral interface 106 can be discrete components or can be integrated in one or more integrated circuits. In the mobile terminal 100, the various components can be coupled by one or more communication buses or signal lines. Sensors, devices and subsystems can be coupled to the peripheral interface 106 to help implement multiple functions. For example, a motion sensor 110, a light sensor 112 and a distance sensor 114 can be coupled to the peripheral interface 106 to facilitate functions such as orientation, illumination and ranging. Other sensors 116 can likewise be connected to the peripheral interface 106, such as a positioning system (for example a GPS receiver), a temperature sensor, a biometric sensor or other sensing devices, to help implement related functions.
A camera subsystem 120 and an optical sensor 122 can be used to facilitate camera functions such as recording photographs and video clips, where the camera subsystem and optical sensor can be, for example, a charge-coupled device (CCD) or a complementary metal-oxide-semiconductor (CMOS) optical sensor. Communication functions can be implemented with the help of one or more wireless communication subsystems 124, where a wireless communication subsystem can include radio-frequency receivers and transmitters and/or optical (for example infrared) receivers and transmitters. The particular design and implementation of the wireless communication subsystem 124 can depend on the one or more communication networks that the mobile terminal 100 supports. For example, the mobile terminal 100 can include a communication subsystem 124 designed to support GSM networks, GPRS networks, EDGE networks, Wi-Fi or WiMax networks, and Bluetooth™ networks. An audio subsystem 126 can be coupled to a speaker 128 and a microphone 130 to help implement voice-enabled functions such as speech recognition, speech reproduction, digital recording and telephony.
An I/O subsystem 140 can include a touch screen controller 142 and/or one or more other input controllers 144. The touch screen controller 142 can be coupled to a touch screen 146. For example, the touch screen 146 and the touch screen controller 142 can detect contact and movement or pauses in contact using any of a variety of touch-sensing technologies, including but not limited to capacitive, resistive, infrared and surface acoustic wave technologies. The one or more other input controllers 144 can be coupled to other input/control devices 148, such as one or more buttons, rocker switches, thumb wheels, infrared ports, USB ports, and/or pointer devices such as a stylus. The one or more buttons (not shown) can include up/down buttons for controlling the volume of the speaker 128 and/or the microphone 130.
The memory interface 102 can be coupled to a memory 150. The memory 150 can include high-speed random access memory and/or non-volatile memory, such as one or more magnetic disk storage devices, one or more optical storage devices, and/or flash memory (for example NAND, NOR). The memory 150 can store an operating system 152, such as Android, iOS or Windows Phone. The operating system 152 can include instructions for handling basic system services and performing hardware-dependent tasks. The memory 150 can also store applications 154. In operation, these applications are loaded from the memory 150 onto the processor 104 and run on top of the operating system already run by the processor 104, using the interfaces provided by the operating system and the underlying hardware to implement the various functions users want, such as instant messaging, web browsing and picture management. An application can be provided independently of the operating system or can come with the operating system.
According to one embodiment of the invention, a mobile terminal 100 with login authentication based on face recognition is provided. The function can be implemented by deploying a client application with login authentication based on face recognition, and the client application is stored among the applications 154.
Fig. 2 shows a login authorization system 200 based on face recognition according to one embodiment of the invention. The system 200 includes the mobile terminal 100, a first server 210, a second server 220, a third server 230 and an application server 240. The servers can be, for example, remote cloud servers physically located at one or more sites, and the above devices are connected to one another through a network. According to one embodiment of the invention, the above devices can be bound by scanning a two-dimensional code. The third server 230 has an APN push module; for example, the APN push module covers push for iOS, Android and Windows Phone. The application server 240 acts as the third-party server and is connected to the third-party application.
The workflow of the login authorization system 200 based on face recognition is described in detail below. The user enters an account name and password in the third-party application and selects confirm, as shown in Fig. 7A. In response to the user's login request, the third-party application generates a login request message, which is sent to the first server 210 through the application server 240. According to an embodiment of the invention, the login request message contains: an application identifier, a user identifier, an authentication type and signature information. According to one embodiment of the invention, the application identifier, user identifier and authentication type are together called the authentication information. The application identifier uniquely identifies the application. The authentication type determines the type of this login authentication; according to certain embodiments, the authentication type can include modes such as face recognition, gesture recognition, voiceprint recognition and key login, or, at a finer level, biometric recognition modes such as iris recognition and fingerprint recognition. In the embodiments of the invention, the authentication type is face recognition. The signature information is obtained by applying an encryption algorithm to the transmitted data contained in the authentication information, including the application identifier, user identifier and authentication type; to guarantee the security of interactions in the system, every transmission must have signature information computed by a specific algorithm and attached to the request. According to one embodiment of the invention, the signature information is generated as follows: the interface parameters other than the signature information are sorted in dictionary order by parameter name and then concatenated into a string of the following form:
$parameter_name_1=$parameter_value_1$parameter_name_2=$parameter_value_2...$parameter_name_n=$parameter_value_n$app_key
Here app_key is used to sign each request, to ensure the security of the data. The concatenated string is then hashed with MD5.
For example, suppose that in one interaction the transmitted data are:
$app_id = 'Fqlw4Z2KCqHzvw3YN0eUpM9KgTQ47iWf'; // application identifier
$app_key = 'qms7LwYXgw3FbnVdwYyA'; // application signing key
$uid = '2384249'; // user identifier
$auth_type = '3'; // authentication type; here 3 represents face recognition
Apart from the signature information there are three other parameters: the application identifier app_id, the user identifier uid and the authentication type auth_type. Sorted in dictionary order by parameter name, app_id comes first, auth_type second and uid last, and the string is concatenated as:
'app_id='.$app_id.'auth_type='.$auth_type.'uid='.$uid.$app_key
The concatenated string is then hashed with MD5 to obtain the signature information:
md5('app_id='.$app_id.'auth_type='.$auth_type.'uid='.$uid.$app_key)
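The signing rule above, together with the comparison the second server performs on receipt, as an added Python example (not code from the patent). The field name `sign`, the function names, the constant-time comparison and the rule that only the three expected parameter names are accepted are assumptions of this example; the sample values are the ones given in the text.

```python
import hashlib
import hmac

# Sample values taken from the text above.
APP_ID = "Fqlw4Z2KCqHzvw3YN0eUpM9KgTQ47iWf"
APP_KEY = "qms7LwYXgw3FbnVdwYyA"
UID = "2384249"
AUTH_TYPE = "3"  # 3 represents face recognition

# Assumption: the signature travels in a field called "sign".
SIGNATURE_FIELD = "sign"
# The canonical string has no separators between pairs, so the verifier
# accepts exactly these parameter names and nothing else.
SIGNED_FIELDS = ("app_id", "auth_type", "uid")


def canonical_string(params, app_key):
    """name=value pairs in dictionary order of the names, then app_key."""
    return "".join(f"{name}={params[name]}" for name in sorted(params)) + app_key


def sign(params, app_key):
    """MD5 hex digest of the canonical string, as described in the text."""
    return hashlib.md5(canonical_string(params, app_key).encode("utf-8")).hexdigest()


def build_request(app_id, uid, auth_type, app_key):
    """What the application server sends: the three parameters plus the signature."""
    params = {"app_id": app_id, "uid": uid, "auth_type": auth_type}
    return {**params, SIGNATURE_FIELD: sign(params, app_key)}


def verify_request(request, app_key):
    """Second-server check: recompute the signature and compare."""
    received = request.get(SIGNATURE_FIELD)
    params = {k: v for k, v in request.items() if k != SIGNATURE_FIELD}
    if not isinstance(received, str):
        return False  # signature missing or malformed
    if set(params) != set(SIGNED_FIELDS):
        return False  # missing or unexpected parameter
    if not all(isinstance(v, str) for v in params.values()):
        return False
    expected = sign(params, app_key)
    # Constant-time comparison of the two hex digests.
    return hmac.compare_digest(expected.encode("ascii"),
                               received.lower().encode("utf-8"))


if __name__ == "__main__":
    request = build_request(APP_ID, UID, AUTH_TYPE, APP_KEY)
    print(canonical_string({k: request[k] for k in SIGNED_FIELDS}, APP_KEY))
    print("valid request accepted:", verify_request(request, APP_KEY))
    tampered = {**request, "uid": "2384250"}
    print("tampered uid accepted:", verify_request(tampered, APP_KEY))
```
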
It is worth noting that the application server 240 prestores the mapping between the account name in the third-party application (for example username) and the user identifier (for example uid). Thus, after the user enters a username and password in the third-party application, the application server 240 automatically looks up the corresponding user identifier and sends it to the first server 210 together with the login request message, and the subsequent steps are carried out. That is, the first server 210 does not obtain the user's account information in the third-party application; the first server 210 and the application server 240 communicate by means of the user identifier, which further protects the security of the user's account.
When the first server 210 receives the login request, it generates an event identifier. The event identifier identifies each request event. According to one embodiment, once the event identifier has been obtained, the event result corresponding to the event identifier can be obtained by calling /v1/event_result.
The first server 210 sends the received authentication information to the second server 220, which verifies whether the authentication information is correct and, if verification passes, sends a first verification message to the first server 210. As before, signature information can also be attached to the authentication information: the second server 220 applies the same MD5 algorithm to the received authentication information to obtain signature information and compares it with the signature information it received. If the two are identical, verification passes, and the second server sends a first verification message containing the user's mobile phone number and the authentication type to the first server 210, where the user's mobile phone number corresponds to the user identifier. For example, the user's mobile phone number is combined with the application identifier according to some rule to obtain a string, and that string is the user identifier. The invention places no restriction on how the correspondence between the user's mobile phone number and the user identifier is computed.
After the first server 210 obtains the user's mobile phone number, it does two things. On the one hand, it queries its database for the mobile terminals on which that mobile phone number is currently logged in online, such as a mobile phone or a Pad, writes the information of the mobile terminals it finds into a push task, and then sends the push task to the third server 230. For example, if the device IDs of mobile terminals are prestored in the first server 210, the device ID of the online mobile terminal can be written into the push task. On the other hand, it associates the user's mobile phone number with the event identifier. As described above, the event identifier can identify the request type of this request event, so the request type of the current user can be determined from the association.
According to one embodiment, before sending the push task to the third server 230, the first server 210 performs push verification against the third server, to ensure that the subsequent push succeeds. If verification fails, it sends a verification failure message to the application server 240.
After the third server 230 receives the push task, it pushes the push message to the corresponding mobile terminal 100 through the APN push module. According to one embodiment, there are three kinds of push message: verification messages, user gesture change messages and other messages. For the security of pushed data, a push message carries only the push type and no specific data. For example, the type of a push message can be: whether to approve the user's login request, kick the user out to the login page, or display a push message. The invention does not limit the types of push message, which can be defined according to the needs of the third-party application. As described above, the APN push module covers push for iOS, Android and Windows Phone, and the code for pushing messages is as follows:
iOS:
Android:
# use the Xinge (信鸽) push SDK
PushSingleDevice(data.did, msg, xinge.XingeApp.ENV_DEV)
Windows Phone:
import requests
# set the headers for the Windows Phone toast push message format
headers = {'Content-Type': 'text/xml', 'X-WindowsPhone-Target': 'toast', 'X-NotificationClass': '2'}
headers['Content-Length'] = str(len(msg))  # set the push message length
r = requests.post(data.did, headers=headers, data=msg)  # push the message
The first server 210 can also send the event identifier to the application server 240. After the mobile terminal 100 receives the push message, it analyzes the type of the push message; for example, the current push type may be: whether to approve the login. The mobile terminal 100 obtains the authentication request sent by the first server 210 and then displays the authorization interface; the authentication request likewise contains the authentication information. At this point the mobile terminal 100 can call the camera subsystem 120 and show, on the authorization interface, a marker for capturing the user's face image, as shown in Fig. 7B. When the user is within the capture range of the mobile terminal, the camera subsystem 120 can automatically find and photograph the user's face image, and the mobile terminal 100 then sends the face image to the first server 210. After receiving the face image, the first server 210 can send the authentication information together with the face image to the second server 220, which verifies whether the face image is correct and, if verification passes, sends a second verification message to the first server 210.
According to an embodiment of the invention, the second server 220 verifies whether the face image is correct in four steps: face region detection, face image preprocessing, face image feature extraction and image matching. First, the face region is detected in the captured image to obtain the face image, that is, the position and size of the face in the picture are accurately located. In some embodiments, face region detection is treated as part of the preprocessing for face recognition; the invention places no restriction on this. The face image is then preprocessed: based on the result of face detection, the face image is processed so that it can serve feature extraction. Because the captured image may be subject to various constraints and random interference, it often cannot be used directly and must first undergo image preprocessing such as gray-level correction and noise filtering. For a face image, preprocessing mainly includes light compensation, gray-level transformation, histogram equalization, normalization, geometric correction, filtering and sharpening. Face feature extraction, which follows, is the process of building a feature model of the face. A face is made up of local parts such as the eyes, nose, mouth and chin; a geometric description of these parts and of the structural relationships between them can serve as an important feature for recognizing the face, and these features are called geometric features. After the feature data have been extracted from the face image, they are matched against the preset feature template of that user and a similarity is calculated; when the similarity is greater than a threshold, the match is considered successful and verification passes. If verification passes, the user identifier is returned to the first server 210.
According to one embodiment of the invention, the user is required to enroll a face image in advance; the same processing produces the preset face image feature template, which is stored in the second server and used in this step to verify the user's face image. It should be noted that verification of the face image need not be completed in the second server 220. A background server dedicated to face image recognition and matching, which stores the face image feature templates, can be arranged instead: when the second server 220 receives the face image, it sends it to the background server, which completes the verification and returns the result to the second server 220. In addition, many relatively mature algorithms already exist for face image recognition and matching, and the invention does not limit which algorithm is used to verify whether the face image is correct.
After the first server 210 receives the returned user identifier, it associates the user identifier with the authentication type to establish a mapping. As described above, the user's mobile phone number can be derived from the user identifier, so the first server stores an association table covering the user's mobile phone number, the event identifier and the authentication type. The application server 240 can query the first server 210 for the event result by event identifier at predetermined time intervals, and obtains the user identifier corresponding to that event result from the mapping between user identifier and event identifier. Because the application server 240 already stores the mapping between user identifiers and third-party application account names, the application server 240 finally obtains the result of the current user's login authentication request. At this point, the user's login authentication request is complete.
The face-recognition-based login authentication scheme according to the present invention ensures the security of the user account through re-authentication; in particular, when the user needs to complete a sensitive operation such as a payment transaction, the login is authenticated by face recognition. Further, the first server and the application server communicate by means of the user identifier, so the first server never obtains the user's account information in the third-party application, which further protects the security of the user's account.
Fig. 3 shows a flow chart of the face-recognition-based login authentication method 300 according to an embodiment of the invention. The method is performed in the first server 210, which can be connected over a network to the mobile terminal 100, the second server 220, the third server 230 and the application server 240. The method starts at step S310: a login request, sent by the application server 240, in which the user asks to log in to a third-party application is received, and an event identifier is generated. The login request contains authentication information comprising an application identifier, a user identifier and an authentication type. According to one embodiment of the present invention, the authentication information also contains signature information; as described for Fig. 2, the signature information is obtained by applying an encryption algorithm to the transmission data that includes the application identifier, the user identifier and the authentication type. According to an embodiment of the invention, the authentication type is face recognition.
Then, in step S320, the authentication information is sent to the second server 220, the second server 220 returns the user's mobile phone number corresponding to the user identifier, and the user's mobile phone number is associated with the event identifier, so that the request type of the current user can be determined from the event identifier associated with the user's mobile phone number. Specifically, the authentication information is sent to the second server 220 so that the second server 220 verifies whether the signature information is correct; if the verification passes, a first verification message sent by the second server 220 is received, where the first verification message contains the user's mobile phone number.
Then, in step S330, a push task is sent to the third server 230, so that the third server 230 pushes a message instructing display of the authorization interface to the mobile terminal 100 corresponding to the user's mobile phone number. According to one embodiment of the present invention, the push task contains the request type. It should be noted that, to ensure the push task can be pushed successfully, the first server 210 may first perform push verification against the third server before sending the push task to the third server 230; if that verification fails, it sends a verification failure message to the application server 240.
Then, in step S340, the event identifier is sent to the application server 240, and an authentication request containing the authentication information is sent to the mobile terminal 100.
Then, in step S350, the user's face image, sent by the mobile terminal and captured on the authorization interface, is received.
Then, in step S360, authentication information containing the face image is sent to the second server 220, the second server 220 returns the user identifier and the authentication type, and the user identifier, the event identifier and the authentication type are associated, so that the application server 240 can query the authentication result corresponding to the user identifier by event identifier.
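
The following added example (not part of the patent text) walks through steps S310 to S360 from the first server's side, together with the application server's polling by event identifier. All class, method and field names, the `request_type` value, matching the mobile terminal's reply to the event through the phone number, and the "failed" status are assumptions; the second server is a stub and the sample data is constructed.

```python
import secrets

class SecondServerStub:
    """Stand-in for second server 220; the signature check is left out here."""
    def __init__(self, phones, enrolled_faces):
        self.phones = phones                    # user_id -> phone number
        self.enrolled_faces = enrolled_faces    # user_id -> enrolled image bytes

    def first_verification(self, auth):
        return self.phones.get(auth["user_id"])

    def second_verification(self, auth, face_image):
        # Placeholder byte comparison standing in for template matching.
        if self.enrolled_faces.get(auth["user_id"]) != face_image:
            return None
        return auth["user_id"], auth["auth_type"]

class FirstServer:
    def __init__(self, second_server):
        self.second = second_server
        self.events = {}          # event_id -> auth info, phone, result
        self.event_by_phone = {}  # phone -> event_id (association from S320)
        self.push_tasks = []      # tasks that would go to third server 230

    def on_login_request(self, auth):
        event_id = secrets.token_urlsafe(16)                    # S310
        phone = self.second.first_verification(auth)            # S320
        if phone is None:
            return None
        self.events[event_id] = {"auth": auth, "phone": phone, "result": None}
        self.event_by_phone[phone] = event_id
        self.push_tasks.append({"phone": phone, "request_type": "login"})  # S330
        return event_id                                         # S340

    def on_face_image(self, phone, face_image):                 # S350
        event_id = self.event_by_phone.pop(phone, None)
        if event_id is None:
            return False
        event = self.events[event_id]
        verdict = self.second.second_verification(event["auth"], face_image)  # S360
        if verdict is None:
            event["result"] = {"status": "failed"}  # assumption: one attempt per event
            return False
        event["result"] = {"status": "ok", "user_id": verdict[0], "auth_type": verdict[1]}
        return True

    def query(self, event_id):
        event = self.events.get(event_id)
        if event is None:
            return {"status": "unknown"}
        return event["result"] or {"status": "pending"}

def app_server_poll(first_server, event_id, account_by_user_id):
    """Application server 240 maps the returned user ID to its own account name."""
    result = first_server.query(event_id)
    if result["status"] != "ok":
        return result["status"], None
    return "ok", account_by_user_id.get(result["user_id"])

if __name__ == "__main__":
    # Constructed sample data.
    first = FirstServer(SecondServerStub({"u-1001": "555-0100"}, {"u-1001": b"face-bytes"}))
    eid = first.on_login_request({"app_id": "app-42", "user_id": "u-1001", "auth_type": "face"})
    first.on_face_image("555-0100", b"face-bytes")
    print(app_server_poll(first, eid, {"u-1001": "alice"}))
```

The account name lives only in the application server's table; the first server's records hold the user identifier, phone number, event identifier and authentication type.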
Fig. 4 shows a schematic diagram of the face-recognition-based login authentication device 400 according to an embodiment of the invention. The device 400 resides in the first server 210, which can be connected over a network to the mobile terminal 100, the second server 220, the third server 230 and the application server 240. The device includes a connection management unit 410, an information generation unit 420 and an information association unit 430.
The connection management unit 410 is adapted to receive the login request, sent by the application server 240, in which the user asks to log in to a third-party application. The information generation unit 420 is adapted to generate an event identifier after the login request is received. According to one embodiment of the present invention, the login request contains authentication information comprising an application identifier, a user identifier and an authentication type, and the authentication information also contains signature information, which is obtained by applying an encryption algorithm to the transmission data that includes the application identifier, the user identifier and the authentication type. According to an embodiment of the present invention, the authentication type is face recognition.
The connection management unit 410 is further adapted to send the authentication information to the second server 220, which verifies whether the signature information is correct; if the verification passes, the unit receives the first verification message returned by the second server 220, which contains the user's mobile phone number, the user's mobile phone number corresponding to the user identifier. The information association unit 430 is adapted to associate the user's mobile phone number with the event identifier; as noted above, the request type of the current user can be determined from the mapping between the user's mobile phone number and the event identifier.
The connection management unit 410 then sends a push task to the third server 230, so that the third server 230 pushes a message instructing display of the authorization interface to the mobile terminal 100 corresponding to the user's mobile phone number. As described for Fig. 2, the push task contains the request type. According to one embodiment of the present invention, the device may also include a push verification unit 440, adapted to perform push verification against the third server 230 before the push task is sent to the third server 230 and, if the verification fails, to send a verification failure message to the application server 240. After sending the push task, the connection management unit 410 sends the event identifier to the application server 240 and sends an authentication request to the mobile terminal 100. Likewise, the authentication request also contains the authentication information.
When the connection management unit 410 receives the user's face image, sent by the mobile terminal 100 and captured on the authorization interface, it sends authentication information containing that face image to the second server 220 and receives the user identifier and authentication type returned by the second server 220. The information association unit is adapted to associate the user identifier, the event identifier and the authentication type, so that the application server 240 can query the authentication result corresponding to the user identifier by event identifier.
Fig. 5 shows a flow chart of the face-recognition-based login authentication method 500 according to another embodiment of the present invention. The method is performed in the second server 220, which can be connected over a network to the mobile terminal 100, the first server 210, the third server 230 and the application server 240. The method starts at step S510: a first verification request sent by the first server 210 is received. The first verification request contains authentication information comprising an application identifier, a user identifier and an authentication type, and the first server 210 obtains this authentication information from the login request, sent by the application server 240, in which the user asks to log in to a third-party application. According to one embodiment, the authentication information also contains signature information, which is obtained by applying an encryption algorithm to the transmission data that includes the application identifier, the user identifier and the authentication type. According to an embodiment of the present invention, the authentication type is face recognition. In addition, the first server 210 also generates an event identifier associated with the login request.
Then, in step S520, the authentication information is verified; if the verification passes, the user's mobile phone number corresponding to the user identifier is returned to the first server 210, so that the first server 210 sends the event identifier to the application server 240 and sends a push task to the third server 230, and the third server 230 pushes a message instructing display of the authorization interface to the mobile terminal 100 corresponding to the user's mobile phone number. The verification of the authentication information is the same as described for Fig. 2 and is not repeated here.
Then, in step S530, a second verification request sent by the first server 210 is received; the second verification request contains the authentication information and also a face image. According to one embodiment, the first server 210 sends this second verification request after it has sent the authentication request containing the authentication information to the mobile terminal 100 and has received the user's face image, sent by the mobile terminal 100 and captured on the authorization interface.
Then, in step S540, the face image is verified; if the verification passes, the user identifier is returned to the first server 210, and the first server 210 associates the user identifier, the event identifier and the authentication type, so that the application server 240 can query the authentication result corresponding to the user identifier by event identifier. As before, the steps for verifying the face image are not described in detail again here.
Fig. 6 shows a schematic diagram of the face-recognition-based login authentication device 600 according to another embodiment of the present invention. The device resides in the second server 220, which can be connected over a network to the mobile terminal 100, the first server 210, the third server 230 and the application server 240. The device 600 includes a connection management unit 610 and an information verification unit 620.
The connection management unit 610 is adapted to receive the first verification request sent by the first server 210. The first verification request contains authentication information comprising an application identifier, a user identifier and an authentication type; the first server obtains this authentication information from the login request, sent by the application server, in which the user asks to log in to a third-party application, and the first server 210 is further adapted to generate an event identifier associated with the login request.
The information verification unit 620 is adapted to verify whether the authentication information is correct when the first verification request is received. When the verification passes, the connection management unit 610 returns the user's mobile phone number to the first server 210, so that the first server 210 sends the event identifier to the application server 240 and sends a push task to the third server 230, and the third server 230 pushes a message instructing display of the authorization interface to the mobile terminal 100 corresponding to the user's mobile phone number.
The connection management unit 610 is further adapted to receive the second verification request sent by the first server 210; the second verification request contains the authentication information and a face image. According to one embodiment of the present invention, the first server 210 sends this second verification request after it has sent the authentication request containing the authentication information to the mobile terminal 100 and has received the user's face image, sent by the mobile terminal 100 and captured on the authorization interface.
The information verification unit 620 is adapted to verify whether the face image is correct when the second verification request is received. When the verification passes, the user identifier and the authentication type (namely face recognition) are returned to the first server 210, and the first server 210 associates the user identifier, the event identifier and the authentication type, so that the application server 240 can query the authentication result corresponding to the user identifier by event identifier.
According to one embodiment of the present invention, the information verification unit 620 verifies whether the signature information is correct by encrypting the transmission data that includes the application identifier, the user identifier and the authentication type; if the signature information is correct, the authentication information is correct and the verification passes.
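
As an added illustration (not code from the patent), the sketch below shows one way the second server could recompute and compare the signature over the application identifier, user identifier and authentication type. The patent only says "an encryption algorithm"; HMAC-SHA256 with a per-application shared key, the field names and the length-prefixed encoding are assumptions made here.

```python
import hashlib
import hmac
import struct

def canonical_bytes(app_id: str, user_id: str, auth_type: str) -> bytes:
    """Length-prefix each field so that field boundaries cannot be shifted."""
    out = b""
    for field in (app_id, user_id, auth_type):
        raw = field.encode("utf-8")
        out += struct.pack(">I", len(raw)) + raw
    return out

def sign(key: bytes, app_id: str, user_id: str, auth_type: str) -> str:
    """Sender side: HMAC-SHA256 (assumed algorithm) over the three fields."""
    message = canonical_bytes(app_id, user_id, auth_type)
    return hmac.new(key, message, hashlib.sha256).hexdigest()

def verify_auth_info(keys_by_app: dict, auth_info: dict) -> bool:
    """Second-server side: recompute the signature from the received fields."""
    required = ("app_id", "user_id", "auth_type", "signature")
    if not all(isinstance(auth_info.get(name), str) for name in required):
        return False
    key = keys_by_app.get(auth_info["app_id"])
    if key is None:
        return False  # unknown application identifier
    expected = sign(key, auth_info["app_id"], auth_info["user_id"],
                    auth_info["auth_type"])
    # Constant-time comparison on bytes avoids leaking how many characters match.
    return hmac.compare_digest(expected.encode(), auth_info["signature"].encode())

if __name__ == "__main__":
    # Constructed key and identifiers.
    keys = {"app-42": b"constructed-demo-key"}
    info = {"app_id": "app-42", "user_id": "u-1001", "auth_type": "face"}
    info["signature"] = sign(keys["app-42"], "app-42", "u-1001", "face")
    print(verify_auth_info(keys, info))
    print(verify_auth_info(keys, dict(info, auth_type="password")))
```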
On the other hand, the information verification unit 620 uses a face recognition algorithm to match the received face image against the preset face image feature template and calculates their similarity; if the similarity is greater than the threshold, the verification is considered to have passed. For an introduction to the specific algorithm, refer to the part of this specification that describes Fig. 2.
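
The matching step described here and in the Fig. 2 discussion (geometric features, a stored template, a similarity compared against a threshold) can be illustrated as follows. This is an added example, not the patent's algorithm: the landmark set, the normalization by inter-eye distance, the similarity formula, the threshold value 0.9 and the coordinates are all assumptions or constructed data.

```python
import math

LANDMARKS = ("left_eye", "right_eye", "nose", "mouth", "chin")

def geometric_features(points: dict) -> list:
    """Pairwise landmark distances divided by the inter-eye distance."""
    missing = [name for name in LANDMARKS if name not in points]
    if missing:
        raise ValueError(f"missing landmarks: {missing}")
    eye_dist = math.dist(points["left_eye"], points["right_eye"])
    if eye_dist == 0:
        raise ValueError("degenerate face: eyes coincide")
    feats = []
    for i, a in enumerate(LANDMARKS):
        for b in LANDMARKS[i + 1:]:
            feats.append(math.dist(points[a], points[b]) / eye_dist)
    return feats

def similarity(a: list, b: list) -> float:
    """Map the Euclidean distance between feature vectors into (0, 1]."""
    if len(a) != len(b):
        raise ValueError("feature vectors differ in length")
    return 1.0 / (1.0 + math.dist(a, b))

def verify_face(points: dict, template: list, threshold: float = 0.9) -> bool:
    """Pass only when the similarity is strictly greater than the threshold."""
    return similarity(geometric_features(points), template) > threshold

# Constructed landmark coordinates (pixels).
ENROLLED = {"left_eye": (30, 40), "right_eye": (70, 40), "nose": (50, 60),
            "mouth": (50, 80), "chin": (50, 100)}
# Same proportions, larger and shifted in the frame, with slight jitter at the chin.
SAME_USER = {"left_eye": (55, 65), "right_eye": (115, 65), "nose": (85, 95),
             "mouth": (85, 125), "chin": (85, 156)}
# Different facial proportions.
OTHER_USER = {"left_eye": (30, 40), "right_eye": (70, 40), "nose": (50, 70),
              "mouth": (50, 95), "chin": (50, 125)}

if __name__ == "__main__":
    template = geometric_features(ENROLLED)  # stored at enrollment
    print(verify_face(SAME_USER, template), verify_face(OTHER_USER, template))
```

Dividing by the inter-eye distance is what lets the larger, shifted capture still match the enrolled template.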
It should be appreciated that, in order to streamline the disclosure and aid the understanding of one or more of the various inventive aspects, in the above description of exemplary embodiments of the invention, various features of the invention are sometimes grouped together in a single embodiment, figure, or description thereof. However, the disclosed method should not be construed as reflecting an intention that the claimed invention requires more features than are expressly recited in each claim. Rather, as the following claims reflect, inventive aspects lie in fewer than all features of a single embodiment disclosed above. Therefore, the claims following the detailed description are hereby expressly incorporated into the detailed description, with each claim standing on its own as a separate embodiment of the invention.
Those skilled in the art should understand that the modules, units or components of the device in the examples disclosed herein may be arranged in a device as described in the embodiment, or alternatively may be located in one or more devices different from the device in the example. The modules in the foregoing examples may be combined into one module or may additionally be divided into multiple sub-modules.
Those skilled in the art will appreciate that the modules in the device of an embodiment may be adaptively changed and arranged in one or more devices different from that embodiment. The modules, units or components in an embodiment may be combined into one module, unit or component, and may additionally be divided into multiple sub-modules, sub-units or sub-components. Except where at least some of such features and/or processes or units are mutually exclusive, all features disclosed in this specification (including the accompanying claims, abstract and drawings) and all processes or units of any method or device so disclosed may be combined in any combination. Unless expressly stated otherwise, each feature disclosed in this specification (including the accompanying claims, abstract and drawings) may be replaced by an alternative feature serving the same, an equivalent or a similar purpose.
In addition, those skilled in the art will appreciate that although some embodiments described herein include some features that are included in other embodiments and not others, combinations of features of different embodiments are meant to be within the scope of the invention and to form different embodiments. For example, in the following claims, any of the claimed embodiments may be used in any combination.
In addition, some of the embodiments are described herein as a method, or a combination of method elements, that can be implemented by a processor of a computer system or by other means of carrying out the function. Thus, a processor with the necessary instructions for carrying out such a method or method element forms a means for carrying out the method or method element. Furthermore, an element of a device embodiment described herein is an example of a means for carrying out the function performed by the element for the purpose of carrying out the invention.
As used herein, unless otherwise specified, the use of the ordinal numbers "first", "second", "third" and so on to describe a common object merely indicates that different instances of similar objects are being referred to, and is not intended to imply that the objects so described must be in a given order, whether temporally, spatially, in ranking, or in any other manner.
Although the invention has been described in terms of a limited number of embodiments, those skilled in the art, having the benefit of the above description, will appreciate that other embodiments can be envisaged within the scope of the invention thus described. It should also be noted that the language used in this specification has been selected primarily for readability and teaching purposes, and not to explain or limit the subject matter of the invention. Therefore, many modifications and changes will be apparent to those of ordinary skill in the art without departing from the scope and spirit of the appended claims. As to the scope of the invention, the disclosure made of the invention is illustrative and not restrictive, and the scope of the invention is defined by the appended claims.