CN106161475A - The implementation method of subscription authentication and device - Google Patents
- Publication number: CN106161475A
- Authority: CN (China)
- Prior art keywords: authentication, mark, user, application server, server
- Legal status: Granted (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Classifications
- H04L63/0815—Network architectures or network communication protocols for network security for authentication of entities providing single-sign-on or federations
- H04L63/0853—Network architectures or network communication protocols for network security for authentication of entities using an additional device, e.g. smartcard, SIM or a different communication terminal
- H04L9/3226—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using a predetermined code, e.g. password, passphrase or PIN
Abstract
The invention discloses a method and a device for implementing subscription authentication. The method includes: when an application server needs to authenticate a user, verifying the identity of the user by means of a mobile terminal; after the user passes the verification of the mobile terminal, the mobile terminal sends authentication assistance information to a certificate server, the authentication assistance information being used to notify the certificate server to assist the user in carrying out the authentication operation on the application server, wherein the authentication assistance information includes a first mark of the user, and the first mark is the user's unique mark on the certificate server. The invention spares the user from remembering the account numbers and passwords of numerous application servers, and solves the security problems caused by overly simple user passwords, by the user using the same password on multiple application servers, and by the user saving and managing passwords on a terminal side with poor security (such as a PC).
Description
Technical field
The present invention relates to the field of communications, and in particular to a method and a device for implementing subscription authentication.
Background
At present, logging in to an application server (an application server here includes a website, a CS server or the like that accepts user logins and provides services to users) mostly uses an account number and a password. After the user enters the correct user name and password, the application server determines that the user has passed authentication, allows the user to log in, and subsequently provides the user with various services or resources.
However, authentication by user name and password has the following disadvantages:
(1) From a security standpoint, on the one hand, the password set by the user should be as complex as possible and should be replaced regularly; on the other hand, different passwords should be set on different application servers (for different accounts). As the user uses more and more application services, remembering these account numbers and passwords undoubtedly becomes a heavy burden. For most users, setting complex passwords and replacing them regularly is almost impossible to accomplish;
(2) In reality, according to investigation and statistics, in order to avoid memorizing complex passwords, many users set only very simple passwords for the accounts registered on different application servers, and usually set the same password on different application servers. Once the user's account number and password on one application server are broken by a hacker, the user will lose other accounts as well, so the user's interests and privacy are exposed to a great potential safety hazard.
To make it convenient for the user to carry out authentication operations on application servers, two schemes are currently mainly proposed: (1) OAUTH (which may be described as open authorization) and (2) the use of password management tools (such as RoboForm, LastPass, etc.).
Although these schemes can, to a certain extent, spare the user from remembering a large number of complex passwords, they also have very obvious defects. In the OAUTH scheme, although the user does not need to enter the user name and password registered on the application server, the verification process first logs in to the authentication server with an account number and password and only then signs in to the application server, so this process still requires the user to enter a password. Once this password is cracked, the account the user registered on the application server is also lost. In the scheme that uses a password management tool to manage passwords, the passwords and the encryption/decryption program are all on a terminal side with poor security (such as a PC). Once the password management tool is cracked, all user names and passwords managed by the tool are lost, which is a considerable potential safety hazard. In addition, the authentication process based on a password management tool is completed entirely on a single terminal, which is easily attacked, and once the tool is used on a public computer, account information is even more likely to leak.
For the problem in the related art that password settings for users can hardly reconcile memorability and security, no effective solution has yet been proposed.
Summary of the invention
In view of the problem in the related art, the present invention proposes a method and a device for implementing subscription authentication, which spare the user from remembering the account numbers and passwords of numerous application servers, and solve the security problems caused by overly simple user passwords, by the use of the same password on multiple application servers, and by the user saving and managing passwords on a terminal side with poor security (such as a PC).
To achieve the above object, according to one aspect of the present invention, a method for implementing subscription authentication is provided.
The method for implementing subscription authentication according to the present invention includes: when an application server needs to authenticate a user, verifying the identity of the user by means of a mobile terminal; after the user passes the verification of the mobile terminal, the mobile terminal sends authentication assistance information to a certificate server, the authentication assistance information being used to notify the certificate server to assist the user in carrying out the authentication operation on the application server, wherein the authentication assistance information includes a first mark of the user, and the first mark is the user's unique mark on the certificate server.
The above authentication assistance information further includes the proof of identity code of the certificate server, and the method further includes:
when the certificate server receives the authentication assistance information, verifying the proof of identity code in the authentication assistance information and, after the verification passes, assisting the user in carrying out the authentication operation on the application server.
In addition, the above authentication assistance information may further include the mark of the application server and the mark of this authentication operation, and the method according to the present invention may further include:
when the application server needs to authenticate the user, the mobile terminal obtains the authentication request information of this authentication, wherein the authentication request information includes the mark of the application server and the mark of this authentication operation; the mark of the application server is the application server's unique identifier on the certificate server, and the mark of this authentication operation is the unique identifier of this authentication operation.
On the one hand, before the mobile terminal verifies the identity of the user, the method according to the present invention further includes: the user initiates an authentication request through the PC end; in response to the authentication request, the application server or the PC end generates an identification code and displays it at the PC end, wherein the identification code includes the mark of the application server and the mark of this authentication operation; after recognizing the identification code, the mobile terminal initiates the identity verification of the user.
When the user initiates the authentication request through the PC end, the certificate server can assist the user in carrying out the authentication operation on the application server in the following ways:
Mode one: the certificate server sends authentication license information to the application server, wherein the authentication license information contains the first mark and the mark of this authentication operation; after receiving the authentication license information, the application server looks up the second mark corresponding to the first mark according to the pre-saved correspondence between first marks and second marks, and, according to the mark of this authentication operation, allows the user corresponding to the second mark to pass this authentication; wherein the second mark is the user's unique mark on the application server; or
Mode two: the certificate server looks up locally, according to the first mark contained in the authentication assistance information, the second mark and the application server login password stored in association with the user ID, and sends the second mark and the application server login password to the PC end, so that the PC end submits the second mark and the application server login password to the application server to complete the authentication; wherein the second mark is the user's unique mark on the application server, and the application server login password is the password corresponding to this unique mark; or
Mode three: the certificate server looks up locally, according to the first mark contained in the authentication assistance information, the second mark stored in association with the user ID; after finding the second mark, the certificate server sends the second mark and a dynamic security identification code to the PC end, so that the PC end submits the second mark and the dynamic security identification code to the application server to complete the authentication; wherein the second mark is the user's unique mark on the application server.
On the other hand, before the mobile terminal verifies the identity of the user, the method according to the present invention may further include: the user initiates an authentication request through a third-party APP on the mobile terminal; in response to the authentication request, the third-party APP calls the authentication module of the mobile terminal to verify the identity of the user.
When the user initiates the authentication request through the third-party APP on the mobile terminal, the certificate server can assist the user in carrying out the authentication operation on the application server in the following ways:
Mode four: the certificate server sends authentication license information to the application server, wherein the authentication license information contains the first mark and the mark of this authentication operation; after receiving the authentication license information, the application server looks up the second mark corresponding to the first mark according to the pre-saved correspondence between first marks and second marks, and, according to the mark of this authentication operation, allows the user corresponding to the second mark to pass this authentication; wherein the second mark is the user's unique mark on the application server; or
Mode five: the certificate server looks up locally, according to the first mark contained in the authentication assistance information, the second mark stored in association with the user ID; after finding the second mark, the certificate server sends the second mark and a dynamic security identification code to the third-party APP, so that the third-party APP submits the second mark and the dynamic security identification code to the application server to complete the authentication; wherein the second mark is the user's unique mark on the application server.
For mode one, before the application server allows the user corresponding to the second mark to pass this authentication, the method further includes the following steps: the PC end requests the application server to pass authentication and, with the request, sends the mark of this authentication operation to the application server; then, when the application server receives the authentication license information, if the application server determines that the mark of this authentication operation sent by the PC end with its request is identical to the mark of this authentication operation carried in the authentication license information, it allows the user corresponding to the second mark to pass authentication on this PC end;
For mode two, before the certificate server sends the second mark and the application server login password, the method further includes the following steps: the PC end requests the second mark and the application server login password from the certificate server and, with the request, sends the mark of this authentication operation to the certificate server; if the certificate server determines that this mark of the authentication operation is identical to the mark of this authentication operation carried in the authentication assistance information, the second mark and the application server login password are allowed to be sent to the PC end;
For mode three, before the certificate server sends the second mark and the dynamic security identification code, the method further includes the following steps: the PC end requests the second mark and the dynamic security identification code from the certificate server and, with the request, sends the mark of this authentication operation to the certificate server; if the certificate server determines that this mark of the authentication operation is identical to the mark of this authentication operation carried in the authentication assistance information, the second mark and the dynamic security identification code are allowed to be sent to the PC end;
For mode four, before the application server allows the user corresponding to the second mark to pass this authentication, the method further includes the following steps: the third-party APP requests the application server to pass authentication and, with the request, sends the mark of this authentication operation to the application server; then, when the application server receives the authentication license information, if the application server determines that the mark of this authentication operation sent by the third-party APP with its request is identical to the mark of this authentication operation carried in the authentication license information, it allows the user corresponding to the second mark to pass authentication on this third-party APP;
For mode five, before the certificate server sends the second mark and the dynamic security identification code, the method further includes the following steps: the third-party APP requests the second mark and the dynamic security identification code from the certificate server and, with the request, sends the mark of this authentication operation to the certificate server; if the certificate server determines that this mark of the authentication operation is identical to the mark of this authentication operation carried in the authentication assistance information, the second mark and the dynamic security identification code are allowed to be sent to the third-party APP.
In addition, the situations in which the application server needs to authenticate the user include: the user initiates a login request; the user initiates a request to obtain a resource; an operation initiated by the user while already logged in requires secondary authentication.
Optionally, the ways in which the mobile terminal verifies the identity of the user include: iris verification, fingerprint verification, password verification and/or pattern verification.
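Mode one, together with the comparison of the mark of this authentication operation described above, as an added Python example (not code from the patent). Assumptions: the proof of identity code is modelled as an HMAC-SHA256 keyed with a secret enrolled per user, a PIN stands in for the mobile terminal's local verification, the certificate server reaches the application server over a trusted channel, and all class names, marks and values are constructed.

```python
import hashlib
import hmac
import secrets


def check_code(key, first_mark, app_mark, op_mark):
    # Assumption: the page does not define the proof of identity code. Here it is
    # HMAC-SHA256 over the message fields, keyed with a secret enrolled per user.
    msg = "\x1f".join((first_mark, app_mark, op_mark)).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class ApplicationServer:
    def __init__(self, app_mark, first_to_second):
        self.app_mark = app_mark
        self.first_to_second = first_to_second  # pre-saved first mark -> second mark
        self.waiting = {}    # operation mark sent by a PC -> that PC's session
        self.logged_in = {}  # PC session -> second mark

    def pc_request(self, pc_session):
        # The PC asks to pass authentication; the mark of this authentication
        # operation is bound to its session and shown in the identification code.
        op_mark = secrets.token_urlsafe(16)
        self.waiting[op_mark] = pc_session
        return {"app_mark": self.app_mark, "op_mark": op_mark}

    def receive_license(self, license_info):
        # Compare the operation mark in the license with the one a PC sent.
        # pop() makes each operation mark single-use, so a replay finds nothing.
        pc_session = self.waiting.pop(license_info["op_mark"], None)
        second_mark = self.first_to_second.get(license_info["first_mark"])
        if pc_session is None or second_mark is None:
            return False
        self.logged_in[pc_session] = second_mark
        return True


class CertificateServer:
    def __init__(self, user_keys, app_servers):
        self.user_keys = user_keys      # first mark -> enrolled key
        self.app_servers = app_servers  # application server mark -> server

    def receive_assistance(self, info):
        key = self.user_keys.get(info["first_mark"])
        app = self.app_servers.get(info["app_mark"])
        if key is None or app is None:
            return False
        expected = check_code(key, info["first_mark"], info["app_mark"], info["op_mark"])
        if not hmac.compare_digest(expected, info["check_code"]):
            return False
        # Authentication license information: first mark + operation mark only.
        return app.receive_license(
            {"first_mark": info["first_mark"], "op_mark": info["op_mark"]})


class MobileTerminal:
    def __init__(self, first_mark, key, owner_pin):
        self.first_mark, self.key, self.owner_pin = first_mark, key, owner_pin

    def assist(self, identification_code, pin):
        # Local check that the holder is the owner (a PIN stands in for
        # fingerprint/iris/pattern); nothing is sent unless it passes.
        if not hmac.compare_digest(pin, self.owner_pin):
            return None
        app_mark, op_mark = identification_code["app_mark"], identification_code["op_mark"]
        return {"first_mark": self.first_mark, "app_mark": app_mark, "op_mark": op_mark,
                "check_code": check_code(self.key, self.first_mark, app_mark, op_mark)}


def run_demo():
    key = secrets.token_bytes(32)  # constructed enrollment secret
    app = ApplicationServer("app-7", {"cs-user-001": "alice@app-7"})
    cert = CertificateServer({"cs-user-001": key}, {"app-7": app})
    phone = MobileTerminal("cs-user-001", key, "4921")
    results = {}

    code = app.pc_request("pc-session-A")
    results["wrong_pin"] = phone.assist(code, "0000")
    info = phone.assist(code, "4921")
    # Assistance info redirected to another PC's operation mark: check code fails.
    other = app.pc_request("pc-session-B")
    results["swapped_op"] = cert.receive_assistance({**info, "op_mark": other["op_mark"]})
    results["ok"] = cert.receive_assistance(info)
    results["replay"] = cert.receive_assistance(info)
    # License for an operation mark no PC ever sent to the application server.
    results["unknown_op"] = app.receive_license(
        {"first_mark": "cs-user-001", "op_mark": "never-issued"})
    results["logged_in"] = dict(app.logged_in)
    return results


if __name__ == "__main__":
    print(run_demo())
```

Only the PC session that sent the matching operation mark ends up logged in, and no password for the application server is typed or stored on the PC.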
According to a further aspect of the present invention, a device for implementing subscription authentication is provided.
The device for implementing subscription authentication according to an embodiment of the present invention includes:
an authentication module, configured to verify the identity of the user when an application server needs to authenticate the user;
a communication module, configured to send authentication assistance information to a certificate server after the user passes the verification of the mobile terminal, the authentication assistance information being used to notify the certificate server to assist the user in carrying out the authentication operation on the application server, wherein the authentication assistance information includes a first mark of the user, and the first mark is the user's unique mark on the certificate server.
The above authentication assistance information further includes the proof of identity code of the certificate server, and, when the certificate server receives the authentication assistance information, the proof of identity code in the authentication assistance information is verified and, after the verification passes, the user is assisted in carrying out the authentication operation on the application server.
In addition, the above authentication assistance information may further include the mark of the application server and the mark of this authentication operation, and, when the application server needs to authenticate the user, the mobile terminal obtains the authentication request information of this authentication, wherein the authentication request information includes the mark of the application server and the mark of this authentication operation; the mark of the application server is the application server's unique identifier on the certificate server, and the mark of this authentication operation is the unique identifier of this authentication operation.
On the one hand, the user can initiate an authentication request through the PC end; in response to the authentication request, the application server or the PC end generates an identification code and displays it at the PC end, wherein the identification code includes the mark of the application server and the mark of this authentication operation; after recognizing the identification code, the mobile terminal initiates the identity verification of the user.
When the user initiates the authentication request through the PC end, the certificate server assists the user in carrying out the authentication operation on the application server in the following ways:
Mode one: the certificate server sends authentication license information to the application server, wherein the authentication license information contains the first mark and the mark of this authentication operation; after receiving the authentication license information, the application server looks up the second mark corresponding to the first mark according to the pre-saved correspondence between first marks and second marks, and, according to the mark of this authentication operation, allows the user corresponding to the second mark to pass this authentication; wherein the second mark is the user's unique mark on the application server; or
Mode two: the certificate server looks up locally, according to the first mark contained in the authentication assistance information, the second mark and the application server login password stored in association with the user ID, and sends the second mark and the application server login password to the PC end, so that the PC end submits the second mark and the application server login password to the application server to complete the authentication; wherein the second mark is the user's unique mark on the application server, and the application server login password is the password corresponding to this unique mark; or
Mode three: the certificate server looks up locally, according to the first mark contained in the authentication assistance information, the second mark stored in association with the user ID; after finding the second mark, the certificate server sends the second mark and a dynamic security identification code to the PC end, so that the PC end submits the second mark and the dynamic security identification code to the application server to complete the authentication; wherein the second mark is the user's unique mark on the application server.
On the other hand, the user can initiate an authentication request through a third-party APP on the mobile terminal; in response to the authentication request, the third-party APP calls the authentication module of the mobile terminal to verify the identity of the user.
When the user initiates the authentication request through the third-party APP on the mobile terminal, the certificate server can assist the user in carrying out the authentication operation on the application server in the following ways:
Mode four: the certificate server sends authentication license information to the application server, wherein the authentication license information contains the first mark and the mark of this authentication operation; after receiving the authentication license information, the application server looks up the second mark corresponding to the first mark according to the pre-saved correspondence between first marks and second marks, and, according to the mark of this authentication operation, allows the user corresponding to the second mark to pass this authentication; wherein the second mark is the user's unique mark on the application server;
Mode five: the certificate server looks up locally, according to the first mark contained in the authentication assistance information, the second mark stored in association with the user ID; after finding the second mark, the certificate server sends the second mark and a dynamic security identification code to the third-party APP, so that the third-party APP submits the second mark and the dynamic security identification code to the application server to complete the authentication; wherein the second mark is the user's unique mark on the application server.
For mode one, before the application server allows the user corresponding to the second mark to pass this authentication, the following steps are further included: the PC end requests the application server to pass authentication and, with the request, sends the mark of this authentication operation to the application server; then, when the application server receives the authentication license information, if the application server determines that the mark of this authentication operation sent by the PC end with its request is identical to the mark of this authentication operation carried in the authentication license information, it allows the user corresponding to the second mark to pass authentication on this PC end;
For mode two, before the certificate server sends the second mark and the application server login password, the following steps are further included: the PC end requests the second mark and the application server login password from the certificate server and, with the request, sends the mark of this authentication operation to the certificate server; if the certificate server determines that this mark of the authentication operation is identical to the mark of this authentication operation carried in the authentication assistance information, the second mark and the application server login password are allowed to be sent to the PC end;
For mode three, before the certificate server sends the second mark and the dynamic security identification code, the following steps are further included: the PC end requests the second mark and the dynamic security identification code from the certificate server and, with the request, sends the mark of this authentication operation to the certificate server; if the certificate server determines that this mark of the authentication operation is identical to the mark of this authentication operation carried in the authentication assistance information, the second mark and the dynamic security identification code are allowed to be sent to the PC end;
For mode four, before the application server allows the user corresponding to the second mark to pass this authentication, the following steps are further included: the third-party APP requests the application server to pass authentication and, with the request, sends the mark of this authentication operation to the application server; then, when the application server receives the authentication license information, if the application server determines that the mark of this authentication operation sent by the third-party APP with its request is identical to the mark of this authentication operation carried in the authentication license information, it allows the user corresponding to the second mark to pass authentication on this third-party APP;
For mode five, before the certificate server sends the second mark and the dynamic security identification code, the following steps are further included: the third-party APP requests the second mark and the dynamic security identification code from the certificate server and, with the request, sends the mark of this authentication operation to the certificate server; if the certificate server determines that this mark of the authentication operation is identical to the mark of this authentication operation carried in the authentication assistance information, the second mark and the dynamic security identification code are allowed to be sent to the third-party APP.
In addition, the situations in which the application server needs to authenticate the user include: the user initiates a login request; the user initiates a request to obtain a resource; an operation initiated by the user while already logged in requires secondary authentication.
Optionally, the ways in which the authentication module verifies the identity of the user include: iris verification, fingerprint verification, password verification and/or pattern verification.
By means of the present invention, the identity of the user can be verified at the mobile terminal, and, once the user passes the verification, the mobile terminal informs the certificate server to assist the user in completing the authentication operation on the application server. This spares the user from remembering and entering passwords while also ensuring the security of the account. Moreover, because the certificate server assists the user in completing the authentication operation at the application server, the user does not have to save and manage user names and passwords on a terminal side with poor security (such as a PC), which further reduces the potential safety hazard.
Brief description of the drawings
In order to explain the embodiments of the present invention or the technical solutions in the prior art more clearly, the drawings needed in the embodiments are briefly introduced below. Obviously, the drawings in the following description are only some embodiments of the present invention; those of ordinary skill in the art can obtain other drawings from these drawings without creative effort.
Fig. 1 is a flow chart of the method for implementing subscription authentication according to an embodiment of the present invention;
Fig. 2 is a signalling diagram of specific embodiment 1 of the method for implementing subscription authentication according to an embodiment of the present invention;
Fig. 3 is a signalling diagram of specific embodiment 2 of the method for implementing subscription authentication according to an embodiment of the present invention;
Fig. 4 is a signalling diagram of specific embodiment 3 of the method for implementing subscription authentication according to an embodiment of the present invention;
Fig. 5 is a signalling diagram of specific embodiment 4 of the method for implementing subscription authentication according to an embodiment of the present invention;
Fig. 6 is a signalling diagram of specific embodiment 5 of the method for implementing subscription authentication according to an embodiment of the present invention;
Fig. 7 is a signalling diagram of specific embodiment 6 of the method for implementing subscription authentication according to an embodiment of the present invention;
Fig. 8 is a block diagram of the device for implementing subscription authentication according to an embodiment of the present invention.
Detailed description of the invention
Hereinafter in connection with accompanying drawing, the one exemplary embodiment of the present invention is described.For clarity and conciseness,
All features of actual embodiment are not the most described.It should be understood, however, that in any this actual enforcement of exploitation
Must make during example much specific to the decision of embodiment, in order to realize the objectives of developer, such as, symbol
Close those restrictive conditions relevant to system and business, and these restrictive conditions may have along with the difference of embodiment
Changed.Additionally, it also should be appreciated that, although development is likely to be extremely complex and time-consuming, but to having benefited from the disclosure
For those skilled in the art of content, this development is only routine task.
It should also be noted that, to avoid obscuring the present invention with unnecessary detail, the drawings show only the device structures and/or processing steps closely related to the solution of the present invention, and omit other details that have little to do with the present invention.
According to an embodiment of the present invention, a method for implementing subscription authentication is provided.
As shown in Fig. 1, the method for implementing subscription authentication according to an embodiment of the present invention includes:
Step S101: when the application server needs to authenticate the user, the mobile terminal verifies the user's identity;
Step S103: after the user passes the mobile terminal's verification, the mobile terminal sends authentication assistance information to the certificate server. The authentication assistance information notifies the certificate server to assist the user in completing the authentication operation on the application server, and it includes the user's first mark, which is the user's unique mark on the certificate server.
The purpose of the identity verification that the mobile terminal performs locally is to check whether the current user is the owner of the device in person; it does not decide whether the user can directly pass the application server's authentication.
The authentication method proposed by the present invention can be applied to several scenarios, for example: when the user initiates a login request to the application server; when the user initiates a request to obtain a resource (including obtaining a media resource, or requesting the application server to provide a service or information); or when an operation initiated by a user who has already logged in requires secondary authentication (for example, when the user, after logging in to the application server, needs to perform an important operation such as a payment).
In one embodiment, the authentication assistance information may further include the proof of identity code of the certificate server. When the certificate server receives the authentication assistance information, it checks the proof of identity code contained in it and, after the check passes, assists the user in completing the authentication operation on the application server. The proof of identity code lets the certificate server verify the mobile terminal and prevents other, illegitimate terminals from impersonating the user to log in.
In one embodiment, when the application server needs to authenticate the user, the mobile terminal may first obtain the authentication request information for this authentication. The authentication request information includes the mark of the application server and the mark of this authentication operation; the mark of the application server is the application server's unique identifier on the certificate server, and the mark of this authentication operation is the unique identifier of this authentication operation;
After the authentication request information is obtained, the authentication assistance information that the mobile terminal sends to the certificate server further includes the mark of the application server and the mark of this authentication operation.
In one embodiment, the user may initiate a request such as a login or a resource-use request to the application server through a PC end. In this case the user initiates the authentication request through the PC end. In response to the authentication request, the application server or the PC end generates an identification code, and the PC end displays it (the identification code may be a QR code or another similar technology). The identification code includes the mark of the application server (the application server's unique identifier on the certificate server, for example, the website address) and the unique identification information of this authentication request. After the mobile terminal recognizes the identification code, it obtains the mark of the application server and the unique identification information of this authentication request, and it initiates identity verification of the user locally. For example, it may prompt the user for iris or fingerprint verification, pop up a dialog box for the user to enter a password, or display a pattern for the user to enter a pattern password. Whether the user's identity is verified by iris, fingerprint, password, pattern or another method, the verification protects the security of the user account. Iris and fingerprint verification offer the best security and ensure, to the greatest extent, that only the owner can pass verification.
It should be noted that the password or pattern verification described here is independent of the password or pattern that the user set when registering on the application server. The verification here only ensures that the user passes the mobile terminal's local identity verification; once it passes, the mobile terminal notifies the certificate server to assist the user in completing the subsequent authentication operation on the application server.
When the user initiates the authentication request through the PC end, the certificate server can assist the user in completing the authentication operation on the application server in several ways; see mode one to mode three described below.
Mode one: in one embodiment, the certificate server sends authentication license information to the application server, where the authentication license information contains the first mark and the mark of this authentication operation. After receiving the authentication license information, the application server looks up the second mark corresponding to the first mark according to the pre-saved correspondence between the first mark and the second mark, and, according to the mark of this authentication operation, allows the user corresponding to the second mark to pass this authentication. The second mark is the user's unique mark on the application server. In this embodiment, once the user passes the mobile terminal's local identity verification, the certificate server directly informs the application server that this user may pass authentication. This scheme requires some adjustment to existing application servers. Throughout the authentication process the user does not need to remember or enter a complex password, and the password the user set on the application server is neither stored and managed on the terminal side nor transmitted, which avoids the problem of the password being intercepted in transit and provides very high security.
Mode two: in another embodiment, the certificate server uses the first mark contained in the authentication assistance information to look up locally the second mark and the application server login password saved in association with the user ID, and sends the second mark and the application server login password to the PC end, so that the PC end submits them to the application server to complete authentication. The second mark is the user's unique mark on the application server, and the application server login password is the password corresponding to that unique mark. In this embodiment, the PC end likewise does not need to store the user name the user registered on the application server or the password the user set; the certificate server manages and provides them. Even if the account password the user set on the application server is extremely complex, the user does not need to remember or enter it, which is convenient for the user, keeps the account secure, and is compatible with application servers to the greatest extent.
Mode three: in another embodiment, the certificate server uses the first mark contained in the authentication assistance information to look up locally the second mark saved in association with the user ID. After finding the second mark, the certificate server sends the second mark and a dynamic security identification code to the PC end, so that the PC end submits the second mark and the dynamic security identification code to the application server to complete authentication. The second mark is the user's unique mark on the application server. In this embodiment, the PC end likewise does not need to store or manage the user name the user registered on the application server or the password the user set, and the user does not need to remember or enter them. Moreover, building on the previous embodiment, this embodiment additionally uses a dynamic security identification code, which further avoids the risk of the password being intercepted in transit.
For mode one, before the application server allows the user corresponding to the second mark to pass this authentication, the following steps are further included: the PC end requests the application server to pass authentication and, with the request, sends the mark of this authentication operation (assumed to be mark A) to the application server. When the application server receives the authentication license information (which also contains the mark of this authentication operation, assumed to be mark A'), if the application server determines that the mark A sent by the PC end when requesting to pass authentication is identical to the mark A' carried in the authentication license information, it allows the user corresponding to the second mark to pass authentication on this PC end;
For mode two, before the certificate server sends the second mark and the application server login password, the following steps are further included: the PC end requests the second mark and the application server login password from the certificate server and, with the request, sends the mark of this authentication operation (assumed to be mark A) to the certificate server. When the certificate server receives the authentication assistance information (which likewise contains the mark of this authentication operation, assumed to be mark A'), if it determines that the previously received mark A is identical to the mark A' carried in the authentication assistance information, it allows the second mark and the application server login password to be sent to the PC end;
For mode three, before the certificate server sends the second mark and the dynamic security identification code, the following steps are further included: the PC end requests the second mark and the dynamic security identification code from the certificate server and, with the request, sends the mark of this authentication operation (assumed to be mark A) to the certificate server. When the certificate server receives the authentication assistance information (which likewise contains the mark of this authentication operation, assumed to be mark A'), if it determines that the previously received mark A is identical to the mark A' carried in the authentication assistance information, it allows the second mark and the dynamic security identification code to be sent to the PC end.
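The mode one exchange, including the proof of identity code check and the comparison of mark A with mark A', can be sketched as follows. This is an added example, not code from the patent: the class and field names and the sample marks are constructed, and computing the proof of identity code as HMAC-SHA256 with a key enrolled for the user's terminal is an assumption, since the page does not say how that code is produced.

```python
import hashlib
import hmac
import json
import secrets


def check_code(key, first_mark, app_server, op_mark):
    """Proof of identity code. HMAC-SHA256 over the three marks is an assumption."""
    body = json.dumps([first_mark, app_server, op_mark]).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


class AppServer:
    def __init__(self, server_id, mark_map):
        self.server_id = server_id
        self.mark_map = mark_map    # pre-saved correspondence: first mark -> second mark
        self.pending = {}           # operation mark A -> PC session waiting to pass
        self.sessions = {}          # PC session -> second mark (authenticated)

    def start_authentication(self, pc_session):
        """Return the content of the identification code (QR code) shown on the PC end."""
        op_mark = secrets.token_urlsafe(16)
        self.pending[op_mark] = pc_session
        return {"app_server": self.server_id, "op_mark": op_mark}

    def receive_license(self, license_info):
        """Handle authentication license information carrying mark A'."""
        # A' must equal a mark A that is still pending; pop() makes each mark single-use.
        pc_session = self.pending.pop(license_info["op_mark"], None)
        second_mark = self.mark_map.get(license_info["first_mark"])
        if pc_session is None or second_mark is None:
            return False
        self.sessions[pc_session] = second_mark
        return True


class AuthServer:
    """Plays the role the page calls the certificate server."""
    def __init__(self):
        self.device_keys = {}   # first mark -> key enrolled for that user's terminal
        self.app_servers = {}   # application server mark -> AppServer

    def receive_assistance(self, msg):
        key = self.device_keys.get(msg["first_mark"])
        app = self.app_servers.get(msg["app_server"])
        if key is None or app is None:
            return False
        expected = check_code(key, msg["first_mark"], msg["app_server"], msg["op_mark"])
        if not hmac.compare_digest(expected, msg["check_code"]):
            return False    # not sent by the enrolled terminal, or altered in transit
        return app.receive_license(
            {"first_mark": msg["first_mark"], "op_mark": msg["op_mark"]})


class MobileTerminal:
    def __init__(self, first_mark, key):
        self.first_mark, self.key = first_mark, key

    def build_assistance(self, code, locally_verified):
        """Build authentication assistance information after local verification."""
        if not locally_verified:    # fingerprint / iris / password failed on the phone
            return None
        return {"first_mark": self.first_mark, "app_server": code["app_server"],
                "op_mark": code["op_mark"],
                "check_code": check_code(self.key, self.first_mark,
                                         code["app_server"], code["op_mark"])}


def run_demo():
    key = secrets.token_bytes(32)
    app = AppServer("appserver-a.example", {"auth-uid-1001": "alice"})  # constructed marks
    auth = AuthServer()
    auth.device_keys["auth-uid-1001"] = key
    auth.app_servers[app.server_id] = app
    phone = MobileTerminal("auth-uid-1001", key)
    out = {}

    code = app.start_authentication("pc-session-1")
    out["no_local_verification"] = phone.build_assistance(code, False)
    msg = phone.build_assistance(code, True)
    out["login"] = auth.receive_assistance(msg)
    out["logged_in_as"] = app.sessions.get("pc-session-1")
    out["replay"] = auth.receive_assistance(msg)          # mark A already consumed

    code2 = app.start_authentication("pc-session-2")
    forged = dict(msg, op_mark=code2["op_mark"])          # old check code, new mark
    out["forged"] = auth.receive_assistance(forged)

    stale = phone.build_assistance(
        {"app_server": app.server_id, "op_mark": "not-issued"}, True)
    out["unknown_mark"] = auth.receive_assistance(stale)  # A' matches no pending A
    out["session2"] = app.sessions.get("pc-session-2")
    return out


if __name__ == "__main__":
    print(run_demo())
```

Consuming mark A on first use and covering it with the proof of identity code are design choices of this sketch; the page itself only requires that A and A' be identical.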
In the embodiments listed above, the user initiates the authentication request through the PC end. In other embodiments, the user may initiate the authentication request to the application server through a third-party APP on the mobile terminal. Specifically, the application server may provide authentication request information to the third-party APP. This authentication request information includes the mark of the application server and the mark of this authentication operation, where the mark of the application server is the application server's unique identifier on the certificate server and the mark of this authentication operation is the unique identifier of this authentication operation. In response to the authentication request (for example, upon receiving the authentication request information), the third-party APP calls the authentication module of the mobile terminal to verify the user's identity. Here the user's identity may likewise be verified by iris verification, fingerprint verification, password verification, pattern verification or similar methods.
If the user passes the mobile terminal's identity verification, the certificate server can assist the user in completing authentication on the application server in several ways; see mode four and mode five described below.
Mode four: in one embodiment, the certificate server sends authentication license information to the application server, where the authentication license information contains the first mark and the mark of this authentication operation. After receiving the authentication license information, the application server looks up the second mark corresponding to the first mark according to the pre-saved correspondence between the first mark and the second mark, and, according to the mark of this authentication operation, allows the user corresponding to the second mark to pass this authentication. The second mark is the user's unique mark on the application server. In this embodiment, once the user passes the mobile terminal's local identity verification, the certificate server directly informs the application server that this user may pass authentication. This scheme requires some adjustment to existing application servers. Throughout the authentication process the user does not need to remember or enter a complex password, and the password the user set on the application server is neither stored and managed on the terminal side nor transmitted, which avoids the problem of the password being intercepted in transit and provides very high security.
Mode five: in another embodiment, the certificate server uses the first mark contained in the authentication assistance information to look up locally the second mark saved in association with the user ID. After finding the second mark, the certificate server sends the second mark and a dynamic security identification code to the third-party APP, so that the third-party APP submits the second mark and the dynamic security identification code to the application server to complete authentication. The second mark is the user's unique mark on the application server. In this embodiment, the dynamic security code effectively protects the security of the user's account information and prevents situations such as illegal logins; likewise, the password the user set on the application server does not need to be transmitted over the network, which avoids the possibility of the password being intercepted in transit.
For mode four, before the application server allows the user corresponding to the second mark to pass this authentication, the following steps are further included: the third-party APP requests the application server to pass authentication and, with the request, sends the mark of this authentication operation to the application server. When the application server receives the authentication license information, if the application server determines that the mark of this authentication operation sent by the third-party APP when requesting to pass authentication is identical to the mark of this authentication operation carried in the authentication license information, it allows the user corresponding to the second mark to pass authentication on this third-party APP;
For mode five, before the certificate server sends the second mark and the dynamic security identification code, the following steps are further included: the third-party APP requests the second mark and the dynamic security identification code from the certificate server and, with the request, sends the mark of this authentication operation to the certificate server. If the certificate server determines that this mark of the authentication operation is identical to the mark of this authentication operation carried in the authentication assistance information, it allows the second mark and the dynamic security identification code to be sent to the third-party APP.
Several specific embodiments of the present invention are described below in connection with application scenarios.
Embodiment 1: password-free login
As shown in Fig. 2, when the user wishes to log in to an application server (which may be a website or a CS server; abbreviated AppServerA, the same below) through the PC end, the specific flow is as follows:
Step 1: the user initiates a login request (that is, an authentication request) through the PC end;
Step 2: AppServerA displays the QR code for this login (the QR code is sent to the PC end and displayed there); the QR code contains information such as the mark of the application server the user wants to log in to and the unique mark of this authentication request, and the user scans the QR code with the mobile phone app;
Step 3: the mobile phone verifies the user's identity (that is, that the user is the owner) by fingerprint recognition or another security measure; specifically, the verification may be performed by the authentication module on the mobile phone side (not shown in Fig. 2);
Step 4: after the user's identity verification passes, the mobile phone app requests the certificate server to assist the user's login operation (that is, it sends the authentication assistance information); specifically, the authentication assistance information may be sent by the communication module on the mobile phone side (not shown in Fig. 2);
Step 5: the certificate server notifies AppServerA of the authentication result (that is, it sends the authentication license information to AppServerA); after receiving the authentication license information, AppServerA allows the current PC end to log in without requiring the user to enter a user name and password;
Step 6: AppServerA notifies the user that the login succeeded.
In this embodiment, only a certain degree of change to AppServerA is required, and the user can be authenticated without any password being transmitted, which provides very high security (the password cannot be intercepted). Because the user does not need to remember or enter the user name and password registered on the application server, the user's workload is greatly reduced and the user experience is good.
Embodiment 2: logging in to a general website
As shown in Fig. 3, when the user wishes to log in, through a browser plug-in on the PC end, to an AppServerA that has not been changed in any way, the processing flow is as follows:
Step 1: the user initiates a login request (that is, an authentication request) through the PC end;
Step 2: the browser plug-in on the PC end obtains the request information, then generates and displays a QR code containing it; the request information includes the mark of the application server the user wants to log in to (for example, the website address), the unique mark of this request, and so on; the user scans the QR code with the mobile phone app;
Step 3: the mobile phone verifies the user's identity (that is, that the user is the owner) by fingerprint recognition or another security measure; specifically, the verification may be performed by the authentication module on the mobile phone side (not shown in Fig. 3);
Step 4: after the user's identity verification passes, the mobile phone app requests the certificate server to assist the user's login operation (that is, it sends the authentication assistance information); specifically, the authentication assistance information may be sent by the communication module on the mobile phone side (not shown in Fig. 3);
Step 5: the certificate server delivers the user's account and password on AppServerA to the browser plug-in through a secure channel;
Step 6: the browser plug-in automatically fills in the AppServerA login page with the account and password; after confirming, the user clicks the login button to complete the login to AppServerA;
Step 7: AppServerA notifies the browser that the login succeeded.
In this embodiment the website does not need to be modified. The user's account and password are stored on the certificate server, which delivers them to the browser plug-in through a secure channel, and the browser plug-in fills them in on the user's behalf; the user does not need to remember or enter the user name and password. On the basis of ensuring security, this also makes the certificate server well compatible with existing servers such as websites.
Embodiment 3: CS login
As shown in Fig. 4, when the user wishes to log in to AppServerA through a desktop application on the PC end (a program running on the PC, for example, the client program of a shopping website or an online game client), the processing flow is as follows:
Step 1: the user initiates a login request (that is, an authentication request) through the PC end;
Step 2: the desktop application on the PC end obtains the request information, then generates and displays a QR code containing it; the request information includes the mark of the application server the user wants to log in to, the unique mark of this request, and so on; the user scans the QR code with the mobile phone;
Step 3: the mobile phone verifies the user's identity (that is, that the user is the owner) by fingerprint recognition or another security measure; specifically, the verification may be performed by the authentication module on the mobile phone side (not shown in Fig. 4);
Step 4: after the user's identity verification passes, the mobile phone app requests the certificate server to assist the user's login operation (that is, it sends the authentication assistance information); specifically, the authentication assistance information may be sent by the communication module on the mobile phone side (not shown in Fig. 4);
Step 5: the certificate server delivers information such as the user's account on AppServerA and the dynamic security identification code to the desktop application through a secure channel;
Step 6: the desktop application logs in to AppServerA with the account and the dynamic security identification code;
Step 7: AppServerA notifies the desktop application that the login succeeded.
This embodiment is similar to Embodiment 2: the website does not need to be modified (or needs only minor modification), so the scheme has good system compatibility with application servers. In addition, the desktop application is verified by means of a dynamic security identification code (not a password), which avoids the possibility of the password being intercepted in transit without the user having to remember or enter a password, and so provides better security.
Embodiment 4: secondary authentication of an important operation
As shown in Fig. 5, when the user has already logged in and wishes to perform an important operation such as a payment, the user can be authenticated a second time when performing that operation; the processing flow is as follows:
Step 1: when the user wants to use an important function of AppServerA (abbreviated Func1; it may be a function such as payment), the user initiates an authentication request to AppServerA;
Step 2: AppServerA displays a QR code containing the request information through a web page or desktop application; the request information includes the application server mark, the unique mark of this request (the Func1 mark), and so on; the user scans the QR code with the mobile phone app;
Step 3: the mobile phone verifies the user's identity (that is, that the user is the owner) by fingerprint recognition or another security measure; specifically, the verification may be performed by the authentication module on the mobile phone side (not shown in Fig. 5);
Step 4: after the user's identity verification passes, the mobile phone app requests the certificate server to assist the user's login operation (that is, it sends the authentication assistance information); specifically, the authentication assistance information may be sent by the communication module on the mobile phone side (not shown in Fig. 5);
Step 5: the certificate server notifies AppServerA of the authentication result (that is, the certificate server sends the authentication license information to AppServerA); AppServerA confirms the legitimacy of this operation and allows the user to perform the current important operation without requiring the user to enter a password;
Step 6: AppServerA notifies the user that the operation succeeded.
This embodiment is similar to Embodiment 1: the user can be authenticated for an important operation without any password being transmitted, and because the whole flow does not transmit the user's password, security is further improved. The user does not need to remember or enter a password at any point, so the user experience is good.
Embodiment 5: password-free login with a third-party mobile phone App
As shown in Fig. 6, when the user logs in to AppServerA directly through a third-party App on the mobile phone, the processing flow is as follows:
Step 1: when the user uses the third-party App to log in to AppServerA, a login authentication request is sent to the third-party App;
Step 2: the third-party App calls the authentication module, which verifies the user's identity (that is, that the user is the owner) by fingerprint recognition or another security measure;
Step 3: after the user's identity verification passes, the communication module on the mobile phone side (not shown in Fig. 6; the communication module can communicate with the authentication module on the mobile phone side and with the certificate server to transfer information) sends the authentication assistance information to the certificate server, containing information such as the application server mark and the unique mark of this request;
Step 4: the certificate server notifies AppServerA of the authentication result (that is, the certificate server sends the authentication license information to AppServerA);
Step 5: after verification, AppServerA completes the login (that is, completes the authentication of the user) and notifies the third-party App that the login succeeded.
In this embodiment, both the existing application server and the mobile phone APP need to be modified, so that transmitting a password during the authentication process is avoided and security is improved.
Embodiment 6: safety code login with a third-party mobile phone App
As shown in Fig. 7, the user can log in with a safety code directly through a third-party APP on the mobile phone; the processing flow is as follows:
Step 1: when the user uses the third-party App to log in to AppServerA, a login authentication request is sent to the third-party App;
Step 2: the third-party App calls the authentication module, which verifies the user's identity (that is, that the user is the owner) by fingerprint recognition or another security measure;
Step 3: after the user's identity verification passes, the communication module on the mobile phone side (not shown in Fig. 7; the communication module can communicate with the authentication module on the mobile phone side and with the certificate server to transfer information) sends the authentication assistance information to the certificate server, containing information such as the application server mark and the unique mark of this request;
Step 4: the certificate server delivers the account and the dynamic security identification code to the communication module on the mobile phone side (not shown in Fig. 7);
Step 5: the third-party App logs in to AppServerA with the account and the dynamic security identification code;
Step 6: AppServerA notifies the third-party APP that the login succeeded.
In this embodiment only the mobile phone APP needs to be modified; the application server side needs little or no change. This not only avoids transmitting a password during the authentication process but also ensures security through the safety code, and it helps the certificate server remain compatible with existing systems.
In addition, according to an embodiment of the present invention, a device for implementing subscription authentication is also provided.
As shown in Fig. 8, the device for implementing subscription authentication according to an embodiment of the present invention includes:
Authentication module 81, configured to verify the user's identity when the application server needs to authenticate the user;
Communication module 82, configured to send authentication assistance information to the certificate server after the user passes the mobile terminal's verification. The authentication assistance information notifies the certificate server to assist the user in completing the authentication operation on the application server, and it includes the user's first mark, which is the user's unique mark on the certificate server.
The authentication assistance information further includes the proof of identity code of the certificate server; when the certificate server receives the authentication assistance information, it checks the proof of identity code contained in it and, after the check passes, assists the user in completing the authentication operation on the application server.
In addition, the authentication assistance information may further include the mark of the application server and the mark of this authentication operation. When the application server needs to authenticate the user, the mobile terminal obtains the authentication request information for this authentication, where the authentication request information includes the mark of the application server and the mark of this authentication operation; the mark of the application server is the application server's unique identifier on the certificate server, and the mark of this authentication operation is the unique identifier of this authentication operation.
On the one hand, the user can initiate the authentication request through the PC end. In response to the authentication request, the application server or the PC end generates an identification code and the PC end displays it, where the identification code includes the mark of the application server and the mark of this authentication operation. After the mobile terminal recognizes the identification code, it initiates identity verification of the user.
When the user initiates the authentication request through the PC end, the certificate server assists the user in completing the authentication operation on the application server in one of the following ways:
Mode one: the certificate server sends authentication license information to the application server, where the authentication license information contains the first mark and the mark of this authentication operation. After receiving the authentication license information, the application server looks up the second mark corresponding to the first mark according to the pre-saved correspondence between the first mark and the second mark, and, according to the mark of this authentication operation, allows the user corresponding to the second mark to pass this authentication. The second mark is the user's unique mark on the application server; or
Mode two: the certificate server uses the first mark contained in the authentication assistance information to look up locally the second mark and the application server login password saved in association with the user ID, and sends the second mark and the application server login password to the PC end, so that the PC end submits them to the application server to complete authentication. The second mark is the user's unique mark on the application server, and the application server login password is the password corresponding to that unique mark; or
Mode three: the certificate server uses the first mark contained in the authentication assistance information to look up locally the second mark saved in association with the user ID. After finding the second mark, the certificate server sends the second mark and a dynamic security identification code to the PC end, so that the PC end submits the second mark and the dynamic security identification code to the application server to complete authentication. The second mark is the user's unique mark on the application server.
For mode one, before the application server allows the user corresponding to the second mark to pass this authentication, the method further comprises the following steps: the PC end requests the application server to pass authentication and, with the request, sends the mark of this authentication operation (assumed to be mark A) to the application server; then, when the application server receives the authentication license information (which also contains the mark of this authentication operation, assumed to be mark A'), if the application server determines that mark A, sent by the PC end when requesting to pass authentication, is identical to mark A' carried in the authentication license information, it allows the user corresponding to the second mark to pass authentication on this PC end;
For mode two, before the certificate server sends the second mark and the application server login password, the method further comprises the following steps: the PC end requests the second mark and the application server login password from the certificate server and, with the request, sends the mark of this authentication operation (assumed to be mark A) to the certificate server; when the certificate server receives the authentication assistance information (which likewise contains the mark of this authentication operation, assumed to be mark A'), if it determines that the previously received mark A is identical to mark A' carried in the authentication assistance information, it allows the second mark and the application server login password to be sent to the PC end;
For mode three, before the certificate server sends the second mark and the dynamic security identification code, the method further comprises the following steps: the PC end requests the second mark and the dynamic security identification code from the certificate server and, with the request, sends the mark of this authentication operation (assumed to be mark A) to the certificate server; when the certificate server receives the authentication assistance information (which likewise contains the mark of this authentication operation, assumed to be mark A'), if it determines that the previously received mark A is identical to mark A' carried in the authentication assistance information, it allows the second mark and the dynamic security identification code to be sent to the PC end.
On the other hand, the user may initiate the authentication request through a third-party APP on the mobile terminal; in response to the authentication request, the third-party APP calls the authentication module of the mobile terminal to verify the identity of the user.
In the case where the user initiates the authentication request through the third-party APP of the mobile terminal, the certificate server can assist the user in realizing the authentication operation on the application server in one of the following modes:
Mode four: the certificate server sends authentication license information to the application server, where the authentication license information comprises the first mark and the mark of this authentication operation. After receiving the authentication license information, the application server looks up the second mark corresponding to the first mark according to the pre-saved correspondence between the first mark and the second mark, and, according to the mark of this authentication operation, allows the user corresponding to the second mark to pass this authentication. Here, the second mark is the user's unique mark on the application server; or
Mode five: according to the first mark contained in the authentication assistance information, the certificate server looks up locally the second mark saved in association with that user ID. After finding the second mark, the certificate server sends the second mark and a dynamic security identification code to the third-party APP, so that the third-party APP submits the second mark and the dynamic security identification code to the application server to complete authentication. Here, the second mark is the user's unique mark on the application server.
For mode four, before the application server allows the user corresponding to the second mark to pass this authentication, the method further comprises the following steps: the third-party APP requests the application server to pass authentication and, with the request, sends the mark of this authentication operation to the application server; then, when the application server receives the authentication license information, if the application server determines that the mark of this authentication operation sent by the third-party APP when requesting to pass authentication is identical to the mark of this authentication operation carried in the authentication license information, it allows the user corresponding to the second mark to pass authentication on this third-party APP;
For mode five, before the certificate server sends the second mark and the dynamic security identification code, the method further comprises the following steps: the third-party APP requests the second mark and the dynamic security identification code from the certificate server and, with the request, sends the mark of this authentication operation to the certificate server; when the certificate server determines that this mark of this authentication operation is identical to the mark of this authentication operation carried in the authentication assistance information, the second mark and the dynamic security identification code are allowed to be sent to the third-party APP.
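The matching step of mode one and mode four, modelled on the application server side as an added example (not code from the patent). The server-generated operation mark, the 120-second lifetime, one-time use and all names and sample values are assumptions; the channel that delivers the license information from the certificate server is assumed to be authenticated already.

```python
import hmac
import secrets
import time

OP_TTL_SECONDS = 120  # assumption: the page gives no lifetime for an operation mark


class ApplicationServer:
    """Application-server side of mode one / mode four (illustrative model)."""

    def __init__(self, mark_map, clock=time.monotonic):
        self._mark_map = dict(mark_map)  # pre-saved: first mark -> second mark
        self._pending = {}               # session id -> (mark A, time issued)
        self.sessions = {}               # session id -> authenticated second mark
        self._clock = clock

    def request_authentication(self, session_id):
        """The PC end or third-party APP asks to pass authentication.

        Assumption: the application server generates the mark of this
        authentication operation (mark A) and binds it to the requesting session.
        """
        mark_a = secrets.token_urlsafe(16)
        self._pending[session_id] = (mark_a, self._clock())
        return mark_a

    def receive_license(self, first_mark, mark_a_prime):
        """Handle authentication license information from the certificate server.

        Assumption: the message arrives over a channel that already
        authenticates the certificate server. Returns the session id that is
        now authenticated, or None if the license is rejected.
        """
        now = self._clock()
        # Drop operations that were not completed in time.
        self._pending = {
            sid: (mark, issued)
            for sid, (mark, issued) in self._pending.items()
            if now - issued <= OP_TTL_SECONDS
        }
        # Find the session whose mark A equals mark A' from the license.
        matched = None
        for sid, (mark_a, _) in self._pending.items():
            if hmac.compare_digest(mark_a.encode(), mark_a_prime.encode()):
                matched = sid
        if matched is None:
            return None  # unknown, expired or already used operation mark
        second_mark = self._mark_map.get(first_mark)
        if second_mark is None:
            return None  # no account linked to this first mark
        del self._pending[matched]  # one-time use: a replayed license fails
        self.sessions[matched] = second_mark
        return matched


if __name__ == "__main__":
    # Constructed sample values, not taken from the page.
    app = ApplicationServer({"auth-user-17": "alice"})
    mark_a = app.request_authentication("pc-session-1")
    print(app.receive_license("auth-user-17", "forged-mark"))
    print(app.receive_license("auth-user-17", mark_a))
    print(app.receive_license("auth-user-17", mark_a))
```

Only the session that presented mark A is authenticated, so a license carrying a different operation mark cannot log the user in on another PC end or APP session.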
In addition, the situations in which the application server needs to authenticate the user include: the user initiates a login request; the user initiates a request to obtain a resource; an operation initiated by the user while already logged in requires secondary authentication.
Optionally, the ways in which the authentication module 81 verifies the identity of the user include: iris verification, fingerprint verification, password verification and/or pattern verification.
In summary, with the technical solution of the present invention, the user's identity is verified at the mobile terminal and, once the user passes verification, the mobile terminal notifies the certificate server to assist the user in completing the authentication operation on the application server. This spares the user from remembering and entering a password while also ensuring the security of the account. Moreover, because the user's application server account and password are stored on the more secure certificate server, the security risk of keeping or entering the password on a public computer or PC that is vulnerable to hacker attack is effectively avoided, which further improves the security of the user account.
The foregoing is only a preferred embodiment of the present invention and is not intended to limit the present invention; any modification, equivalent substitution, improvement and the like made within the spirit and principle of the present invention shall be included within the scope of the present invention.
Claims (10)
1. An implementation method of user authentication, characterized by comprising:
in the case where an application server needs to authenticate a user, verifying the identity of the user by a mobile terminal;
after the user passes the verification of the mobile terminal, sending, by the mobile terminal, authentication assistance information to a certificate server, the authentication assistance information being used to notify the certificate server to assist the user in realizing the authentication operation on the application server, wherein the authentication assistance information includes a first mark of the user, and the first mark is the user's unique mark on the certificate server.
2. The implementation method according to claim 1, characterized in that the authentication assistance information further includes an identity check code of the certificate server, and the implementation method further comprises:
in the case where the certificate server receives the authentication assistance information, checking the identity check code in the authentication assistance information, and, after the check passes, assisting the user in realizing the authentication operation on the application server.
3. The implementation method according to claim 1, characterized in that the authentication assistance information further includes the mark of the application server and the mark of this authentication operation, and the implementation method further comprises:
in the case where the application server needs to authenticate the user, obtaining, by the mobile terminal, the authentication request information of this authentication, wherein the authentication request information includes the mark of the application server and the mark of this authentication operation, the mark of the application server is the application server's unique identifier on the certificate server, and the mark of this authentication operation is the unique identifier of this authentication operation.
4. The implementation method according to claim 3, characterized in that, before the mobile terminal verifies the identity of the user, the implementation method further comprises:
the user initiates an authentication request through a PC end;
in response to the authentication request, the application server or the PC end generates an identification code and displays the identification code at the PC end, wherein the identification code includes the mark of the application server and the mark of this authentication operation;
after the mobile terminal recognizes the identification code, identity verification of the user is initiated.
5. The implementation method according to claim 4, characterized in that the certificate server assists the user in realizing the authentication operation on the application server in one of the following modes:
Mode one: the certificate server sends authentication license information to the application server, wherein the authentication license information comprises the first mark and the mark of this authentication operation; after receiving the authentication license information, the application server looks up the second mark corresponding to the first mark according to the pre-saved correspondence between the first mark and the second mark, and allows the user corresponding to the second mark to pass this authentication according to the mark of this authentication operation; wherein the second mark is the user's unique mark on the application server; or
Mode two: according to the first mark contained in the authentication assistance information, the certificate server looks up locally the second mark and the application server login password saved in association with the user ID, and sends the second mark and the application server login password to the PC end, so that the PC end submits the second mark and the application server login password to the application server to complete authentication; wherein the second mark is the user's unique mark on the application server, and the application server login password is the password corresponding to this unique mark; or
Mode three: according to the first mark contained in the authentication assistance information, the certificate server looks up locally the second mark saved in association with the user ID; after finding the second mark, the certificate server sends the second mark and a dynamic security identification code to the PC end, so that the PC end submits the second mark and the dynamic security identification code to the application server to complete authentication; wherein the second mark is the user's unique mark on the application server.
6. The implementation method according to claim 3, characterized in that, before the mobile terminal verifies the identity of the user, the implementation method further comprises:
the user initiates an authentication request through a third-party APP of the mobile terminal;
in response to the authentication request, the third-party APP calls the authentication module of the mobile terminal to verify the identity of the user.
7. The implementation method according to claim 6, characterized in that the certificate server assists the user in realizing the authentication operation on the application server in one of the following modes:
Mode four: the certificate server sends authentication license information to the application server, wherein the authentication license information comprises the first mark and the mark of this authentication operation; after receiving the authentication license information, the application server looks up the second mark corresponding to the first mark according to the pre-saved correspondence between the first mark and the second mark, and allows the user corresponding to the second mark to pass this authentication according to the mark of this authentication operation; wherein the second mark is the user's unique mark on the application server; or
Mode five: according to the first mark contained in the authentication assistance information, the certificate server looks up locally the second mark saved in association with the user ID; after finding the second mark, the certificate server sends the second mark and a dynamic security identification code to the third-party APP, so that the third-party APP submits the second mark and the dynamic security identification code to the application server to complete authentication; wherein the second mark is the user's unique mark on the application server.
8. The implementation method according to claim 5 or 7, characterized in that:
for mode one, before the application server allows the user corresponding to the second mark to pass this authentication, the method further comprises the following steps: the PC end requests the application server to pass authentication and, with the request, sends the mark of this authentication operation to the application server; then, when the application server receives the authentication license information, if the application server determines that the mark of this authentication operation sent by the PC end when requesting to pass authentication is identical to the mark of this authentication operation carried in the authentication license information, it allows the user corresponding to the second mark to pass authentication on this PC end;
for mode two, before the certificate server sends the second mark and the application server login password, the method further comprises the following steps: the PC end requests the second mark and the application server login password from the certificate server and, with the request, sends the mark of this authentication operation to the certificate server; in the case where the certificate server determines that this mark of this authentication operation is identical to the mark of this authentication operation carried in the authentication assistance information, the second mark and the application server login password are allowed to be sent to the PC end;
for mode three, before the certificate server sends the second mark and the dynamic security identification code, the method further comprises the following steps: the PC end requests the second mark and the dynamic security identification code from the certificate server and, with the request, sends the mark of this authentication operation to the certificate server; in the case where the certificate server determines that this mark of this authentication operation is identical to the mark of this authentication operation carried in the authentication assistance information, the second mark and the dynamic security identification code are allowed to be sent to the PC end;
for mode four, before the application server allows the user corresponding to the second mark to pass this authentication, the method further comprises the following steps: the third-party APP requests the application server to pass authentication and, with the request, sends the mark of this authentication operation to the application server; then, when the application server receives the authentication license information, if the application server determines that the mark of this authentication operation sent by the third-party APP when requesting to pass authentication is identical to the mark of this authentication operation carried in the authentication license information, it allows the user corresponding to the second mark to pass authentication on this third-party APP;
for mode five, before the certificate server sends the second mark and the dynamic security identification code, the method further comprises the following steps: the third-party APP requests the second mark and the dynamic security identification code from the certificate server and, with the request, sends the mark of this authentication operation to the certificate server; in the case where the certificate server determines that this mark of this authentication operation is identical to the mark of this authentication operation carried in the authentication assistance information, the second mark and the dynamic security identification code are allowed to be sent to the third-party APP.
9. The implementation method according to any one of claims 1 to 8, characterized in that:
the situations in which the application server needs to authenticate the user include: the user initiates a login request; the user initiates a request to obtain a resource; an operation initiated by the user while already logged in requires secondary authentication;
the ways in which the mobile terminal verifies the identity of the user include: iris verification, fingerprint verification, password verification and/or pattern verification.
10. A device for implementing user authentication, arranged at the mobile terminal side, characterized in that the device includes:
an authentication module, configured to verify the identity of the user in the case where an application server needs to authenticate the user;
a communication module, configured to send authentication assistance information to a certificate server after the user passes the verification of the mobile terminal, the authentication assistance information being used to notify the certificate server to assist the user in realizing the authentication operation on the application server, wherein the authentication assistance information includes a first mark of the user, and the first mark is the user's unique mark on the certificate server.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201610817540.8A CN106161475B (en) | 2016-09-12 | 2016-09-12 | Method and device for realizing user authentication |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201610817540.8A CN106161475B (en) | 2016-09-12 | 2016-09-12 | Method and device for realizing user authentication |
Publications (2)
Publication Number | Publication Date |
---|---|
CN106161475A (en) | 2016-11-23 |
CN106161475B (en) | 2020-06-05 |
Family
ID=57341255
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201610817540.8A Active CN106161475B (en) | 2016-09-12 | 2016-09-12 | Method and device for realizing user authentication |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN106161475B (en) |
Patent Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101662458A (en) * | 2008-08-28 | 2010-03-03 | 西门子(中国)有限公司 | Authentication method |
CN101420694A (en) * | 2008-12-16 | 2009-04-29 | 天津工业大学 | WAPI-XG1 access and fast switch authentication method |
CN102123033A (en) * | 2011-03-23 | 2011-07-13 | 北京恒光数码科技有限公司 | Identity authentication method and system of dynamic password token as well as mobile terminal of dynamic password token |
EP2817987A1 (en) * | 2012-02-24 | 2014-12-31 | Sony Corporation | Mobile communication using reconfigurable user identification module |
CN104796255A (en) * | 2014-01-21 | 2015-07-22 | 中国移动通信集团安徽有限公司 | A safety certification method, device and system for a client end |
Cited By (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN107241310A (en) * | 2017-05-04 | 2017-10-10 | 北京潘达互娱科技有限公司 | A kind of client identity verification method and device |
CN107241310B (en) * | 2017-05-04 | 2020-11-06 | 北京潘达互娱科技有限公司 | Client identity verification method and device |
CN108122112A (en) * | 2017-12-14 | 2018-06-05 | 杨宪国 | Electronic ID card based on authentication device signs and issues certification and safety payment system |
CN107948210A (en) * | 2018-01-08 | 2018-04-20 | 武汉斗鱼网络科技有限公司 | A kind of login method, device, client, server and medium |
WO2019210759A1 (en) * | 2018-05-04 | 2019-11-07 | 中国银联股份有限公司 | Virtual card generating method, user terminal, and token server |
WO2021083086A1 (en) * | 2019-10-29 | 2021-05-06 | 维沃移动通信有限公司 | Information processing method and device |
CN114299636A (en) * | 2020-09-22 | 2022-04-08 | 云丁网络技术(北京)有限公司 | Method and apparatus for processing device offline password |
Also Published As
Publication number | Publication date |
---|---|
CN106161475B (en) | 2020-06-05 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||
GR01 | Patent grant | ||
TR01 | Transfer of patent right | ||
TR01 | Transfer of patent right |
Effective date of registration: 20230919 Address after: 519000 Office 1501, No. 2202 Xiangjiang Road, Hengqin New District, Zhuhai City, Guangdong Province Patentee after: Xinweilu Technology (Zhuhai) Co.,Ltd. Address before: No. 12B06, Gate 1, 7th Floor, Yuquan Xili Second District, Shijingshan District, Beijing, 100040 Patentee before: Shen Shurong |