CN111414604A - Authentication method, device, system and storage medium - Google Patents


Info

Publication number
CN111414604A
Authority
CN
China
Prior art keywords
authentication
signature data
server
equipment
visual information
Legal status
Granted
Application number
CN201910017052.2A
Other languages
Chinese (zh)
Other versions
CN111414604B (en)
Inventor
王康
Current Assignee
Alibaba Group Holding Ltd
Original Assignee
Alibaba Group Holding Ltd
Application filed by Alibaba Group Holding Ltd
Priority to CN201910017052.2A
Publication of CN111414604A
Application granted
Publication of CN111414604B
Legal status: Active

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F 21/44 Program or device authentication

Abstract

The embodiments of this application provide an authentication method, device, system and storage medium. When the first device is authenticated, a two-factor authentication mechanism is introduced, and visual information or acoustic-wave technology is used for the information exchange between the first device and the second device during two-factor authentication. This not only improves authentication security; because the information exchange uses visual information or acoustic waves, interoperability is also improved. Moreover, the second device does not need to interact with the network at any point in the authentication process, which prevents the second device from being monitored and further improves authentication security.

Description

Authentication method, device, system and storage medium
Technical Field
The present application relates to the field of internet technologies, and in particular, to an authentication method, device, system, and storage medium.
Background
With the development of internet technology, people rely on networks more and more. For example, people use networks to pay online, access websites, etc., and the popularity of these applications puts higher demands on network security. In order to ensure the network security, the identity of the user needs to be authenticated.
In the prior art, the identity of a user is generally authenticated based on a pre-registered account and a password of the user. In practical application, an account number and a password may be leaked, so that the security of identity authentication is not high.
Disclosure of Invention
Aspects of the present disclosure provide an authentication method, device, system, and storage medium for improving security of identity authentication.
An embodiment of the present application provides an authentication method applicable to a first device, comprising the following steps:
sending an authentication request to a server, where the authentication request carries a first authentication parameter so that the server can perform first-factor authentication on the first device;
receiving a second authentication parameter returned by the server, where the second authentication parameter is generated after the first device passes first-factor authentication;
converting the second authentication parameter into first visual information and outputting the first visual information, so that the second device signs the second authentication parameter, converts the signature data into second visual information and outputs the second visual information; and
acquiring the second visual information, parsing the signature data from the second visual information and sending the signature data to the server, so that the server can perform second-factor authentication on the first device based on the signature data.
An embodiment of the present application further provides an authentication method applicable to a second device, comprising:
acquiring first visual information output by a first device, where the first visual information is obtained by converting a second authentication parameter issued by a server after the first device passes first-factor authentication;
parsing the second authentication parameter from the first visual information, and signing the second authentication parameter to obtain signature data; and
converting the signature data into second visual information and outputting the second visual information, so that the first device can send the signature data to the server for second-factor authentication of the first device.
An embodiment of the present application further provides an authentication method applicable to a first device, comprising:
sending an authentication request to a server, where the authentication request carries a first authentication parameter so that the server can perform first-factor authentication on the first device;
receiving a second authentication parameter returned by the server, where the second authentication parameter is generated after the first device passes first-factor authentication;
converting the second authentication parameter into a first acoustic signal and outputting the first acoustic signal, so that the second device signs the second authentication parameter, converts the signature data into a second acoustic signal and outputs the second acoustic signal; and
acquiring the second acoustic signal, parsing the signature data from the second acoustic signal and sending the signature data to the server, so that the server can perform second-factor authentication based on the signature data.
An embodiment of the present application further provides an authentication method applicable to a second device, comprising:
acquiring a first acoustic signal emitted by a first device, where the first acoustic signal is obtained by converting a second authentication parameter issued by the server after the first device passes first-factor authentication;
parsing the second authentication parameter from the first acoustic signal, and signing the second authentication parameter to obtain signature data; and
converting the signature data into a second acoustic signal and outputting the second acoustic signal, so that the first device sends the signature data to the server for second-factor authentication of the first device.
An embodiment of the present application further provides a login method applicable to a terminal device, comprising:
in response to a login operation by a user, sending a login request to a server, where the login request carries an account and a password;
receiving data to be signed returned by the server, where the data to be signed is generated by the server after the account and the password are verified;
converting the data to be signed into a first two-dimensional code and displaying the first two-dimensional code, so that the token device can scan the first two-dimensional code to obtain the data to be signed;
scanning a second two-dimensional code displayed by the token device to acquire signature data, where the second two-dimensional code is obtained by converting the signature data produced when the token device signs the data to be signed; and
sending the signature data to the server, so that the server can determine the login result of the terminal device based on the signature data.
An embodiment of the present application further provides a payment method applicable to a terminal device, comprising:
in response to a payment operation by a user, sending a payment request to a server, where the payment request carries a payment account and a payment password;
receiving data to be signed returned by the server, where the data to be signed is generated by the server after the payment account and the payment password are verified;
converting the data to be signed into a first two-dimensional code and displaying the first two-dimensional code, so that the token device can scan the first two-dimensional code to obtain the data to be signed;
scanning a second two-dimensional code displayed by the token device to acquire signature data, where the second two-dimensional code is obtained by converting the signature data produced when the token device signs the data to be signed; and
sending the signature data to the server, so that the server can determine, based on the signature data, whether to deduct the fee from the payment account according to the payment password.
The present invention also provides a computer readable storage medium storing a computer program, which when executed by a processor causes the processor to implement the steps in the authentication method performed when the first device converts the second authentication parameter into the first visual information.
The present invention also provides a computer-readable storage medium storing a computer program, wherein the computer program, when executed by a processor, causes the processor to implement the steps in the authentication method performed when the second device parses the second authentication parameter from the first visual information.
An embodiment of the present application further provides a computer-readable storage medium storing a computer program, wherein when the computer program is executed by a processor, the processor is caused to implement the steps in the authentication method executed when the first device converts the second authentication parameter into the first acoustic wave signal.
The present invention also provides a computer-readable storage medium storing a computer program, wherein the computer program, when executed by a processor, causes the processor to implement the steps in the authentication method performed when the second device parses the second authentication parameter from the first acoustic signal.
An embodiment of the present application further provides a computer device, comprising a memory, a processor, a communication component and a camera, wherein:
the memory is for storing a computer program;
the processor, coupled with the memory, executes the computer program to:
send an authentication request to a server through the communication component, where the authentication request carries a first authentication parameter so that the server can perform first-factor authentication on the first device;
receive, through the communication component, a second authentication parameter returned by the server, where the second authentication parameter is generated by the server after the first device passes first-factor authentication;
convert the second authentication parameter into first visual information and output the first visual information, so that the second device signs the second authentication parameter, converts the signature data into second visual information and outputs the second visual information; and
acquire the second visual information with the camera, parse the signature data from the second visual information and send the signature data to the server, so that the server can perform second-factor authentication on the first device based on the signature data.
An embodiment of the present application further provides a computer device, comprising a memory, a processor and a camera, wherein:
the memory is for storing a computer program;
the processor, coupled with the memory, executes the computer program to:
acquire, with the camera, first visual information output by a first device, where the first visual information is obtained by converting a second authentication parameter issued by a server after the first device passes first-factor authentication;
parse the second authentication parameter from the first visual information, and sign the second authentication parameter to obtain signature data; and
convert the signature data into second visual information and output the second visual information, so that the first device can send the signature data to the server for second-factor authentication of the first device.
An embodiment of the present application further provides an authentication system, comprising a first device, a second device and a server, wherein:
the first device is configured to: send an authentication request to the server, where the authentication request carries a first authentication parameter; receive a second authentication parameter returned by the server; convert the second authentication parameter into first visual information and output the first visual information; and acquire second visual information output by the second device, parse signature data from the second visual information and send the signature data to the server;
the second device is configured to: collect the first visual information output by the first device; parse the second authentication parameter from the first visual information and sign the second authentication parameter to obtain signature data; and convert the signature data into second visual information and output the second visual information;
the server is configured to: perform first-factor authentication on the first device based on the first authentication parameter in the authentication request sent by the first device, and issue a second authentication parameter to the first device after the first device passes first-factor authentication; and perform second-factor authentication on the first device based on the signature data sent by the first device.
An embodiment of the present application further provides a computer device, comprising a memory, a processor, a communication component and an audio component, wherein:
the memory is for storing a computer program;
the processor, coupled with the memory, executes the computer program to:
send an authentication request to a server through the communication component, where the authentication request carries a first authentication parameter so that the server can perform first-factor authentication on the first device;
receive, through the communication component, a second authentication parameter returned by the server, where the second authentication parameter is generated by the server after the first device passes first-factor authentication;
convert the second authentication parameter into a first acoustic signal and output the first acoustic signal through the audio component, so that the second device signs the second authentication parameter, converts the signature data into a second acoustic signal and outputs the second acoustic signal; and
acquire the second acoustic signal, parse the signature data from the second acoustic signal and send the signature data to the server, so that the server can perform second-factor authentication based on the signature data.
An embodiment of the present application further provides a computer device, comprising a memory, a processor and an audio component, wherein:
the memory is for storing a computer program;
the processor, coupled with the memory, executes the computer program to:
acquire, with the audio component, a first acoustic signal emitted by a first device, where the first acoustic signal is obtained by converting a second authentication parameter issued by the server after the first device passes first-factor authentication;
parse the second authentication parameter from the first acoustic signal, and sign the second authentication parameter to obtain signature data; and
convert the signature data into a second acoustic signal and output the second acoustic signal through the audio component, so that the first device sends the signature data to the server for second-factor authentication of the first device.
In the embodiments of this application, a two-factor verification mechanism is introduced when the first device is authenticated, and visual information or acoustic-wave technology is used for the information exchange between the first device and the second device during two-factor verification, which improves authentication security. Because the information exchange uses visual information or acoustic waves, interoperability is also improved. Moreover, the second device does not need to interact with the network at any point in the authentication process, so the security risk of the second device being monitored is avoided and authentication security is further improved.
Drawings
The accompanying drawings, which are included to provide a further understanding of the application and are incorporated in and constitute a part of this application, illustrate embodiment(s) of the application and together with the description serve to explain the application and not to limit the application. In the drawings:
fig. 1a is a schematic structural diagram of an authentication system according to an embodiment of the present application;
fig. 1b is a schematic signaling flow diagram of an authentication process according to an embodiment of the present application;
fig. 1c is a schematic view of a state where bar codes are scanned by the first device and the second device according to an embodiment of the present application;
fig. 2 is a schematic structural diagram of another authentication system according to an embodiment of the present application;
fig. 3a is a schematic flowchart of an authentication method according to an embodiment of the present application;
FIG. 3b is a schematic flow chart of a computer apparatus according to an embodiment of the present application;
fig. 4a is a schematic flowchart of an authentication method according to another embodiment of the present application;
FIG. 4b is a schematic flow chart of a computer apparatus according to another embodiment of the present application;
fig. 5a is a schematic flowchart of an authentication method according to another embodiment of the present application;
FIG. 5b is a schematic flow chart of a computer apparatus according to another embodiment of the present application;
fig. 6a is a schematic flowchart of another authentication method according to an embodiment of the present application;
FIG. 6b is a schematic flow chart of another computer apparatus according to an embodiment of the present application;
fig. 7 is a flowchart illustrating a login method according to an embodiment of the present application;
fig. 8 is a schematic flowchart of a payment method according to an embodiment of the present application.
Detailed Description
In order to make the objects, technical solutions and advantages of the present application more apparent, the technical solutions of the present application will be described in detail and completely with reference to the following specific embodiments of the present application and the accompanying drawings. It should be apparent that the described embodiments are only some of the embodiments of the present application, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
To address the low security of existing authentication methods, the embodiments of this application introduce a two-factor verification mechanism when the first device is authenticated, and use visual information or acoustic-wave technology for the information exchange between the first device and the second device during two-factor verification, which improves authentication security. Because the information exchange uses visual information or acoustic waves, interoperability is also improved. Moreover, the second device does not need to interact with the network at any point in the authentication process, so the security risk of the second device being monitored is avoided and authentication security is further improved.
The technical solutions provided by the embodiments of the present application are described in detail below with reference to the accompanying drawings.
Fig. 1a is a schematic structural diagram of an authentication system according to an embodiment of the present application. As shown in fig. 1a, the system comprises a first device 10a, a second device 10b and a server 10c. The implementation forms of the first device 10a, the second device 10b and the server 10c shown in fig. 1a are only exemplary and are not limiting.
In this embodiment, the first device 10a and the server 10c may be connected wirelessly. Optionally, the first device 10a may be communicatively connected to the server 10c through a mobile network, in which case the mobile network may be of any format such as 2G (GSM), 2.5G (GPRS), 3G (WCDMA, TD-SCDMA, CDMA2000, UMTS), 4G (LTE), 4G+ (LTE+) or WiMax. Optionally, the first device 10a may also be communicatively connected to the server 10c through Bluetooth, WiFi, infrared or the like.
In this embodiment, the first device 10a may be a terminal device; the second device 10b may be a terminal device, a token device, etc. Further, in the present embodiment, the first device 10a and the second device 10b each have a visual information recognition function, wherein the second device 10b also has a signature function. Further, cameras may be disposed on the first device 10a and the second device 10b for collecting visual information output from each other.
The terminal device in this embodiment is a device used by a user that has the internet access, communication, payment and other functions the user requires; it may be, for example, a smart phone, a tablet computer, a personal computer or a wearable device. The terminal device typically comprises at least one processing unit and at least one memory. The number of processing units and memories depends on the configuration and type of the terminal device. The memory may include volatile memory such as RAM, non-volatile memory such as read-only memory (ROM) or flash memory, or both. The memory typically stores an operating system (OS) and one or more application programs, and may also store program data and the like. Besides the processing unit and the memory, the terminal device also includes basic components such as a network card chip, an IO bus and audio/video components. Optionally, depending on its implementation, the terminal device may also include peripheral devices such as a keyboard, a mouse, a stylus or a printer. These peripheral devices are well known in the art and are not described in detail here.
Further, if the second device 10b is a token device, it can be implemented as a U-shield (USB key), a Universal 2nd Factor (U2F) token device or the like, but is not limited to these. The U-shield and U2F token devices of this embodiment differ from conventional ones: besides a signature function they also have a visual information recognition and output function. To provide that function, the U-shield or U2F token device of this embodiment may have a camera for recognising the visual information output by other devices (for example, the first device), and may further have a display screen, a signal light or the like for outputting visual information.
Further, if the second device 10b is an intelligent terminal, it can be implemented as a portable device carried or used by the user, such as a smart phone or a smart bracelet. In that case no separate U2F token device needs to be configured, and the portable device can directly exchange information with the first device 10a. Since the portable device is convenient for the user to carry, the convenience of authentication is improved.
In this embodiment, the server 10c is the hardware infrastructure that authenticates the first device 10a. One or more servers 10c may be provided, and this embodiment does not limit the implementation form of the server 10c. For example, the server may be a conventional server, a cloud host, a virtual center or a similar server device. The server device mainly includes a processor, a hard disk, a memory, a system bus and the like, and is similar to a general computer architecture.
In this embodiment, the first device 10a is a device that needs to be authenticated, and the server 10c and the second device 10b cooperate with the first device 10a to complete authentication. The authentication process of the first device 10a is as follows:
The first device 10a sends an authentication request to the server 10c, where the authentication request carries the first authentication parameter. Accordingly, the server 10c receives the authentication request and performs first-factor authentication on the first device 10a based on the first authentication parameter it carries. Optionally, the first authentication parameter may be an account number and a password, but is not limited to these. After the first device 10a passes first-factor authentication, the server 10c generates a second authentication parameter and returns it to the first device 10a. Accordingly, the first device 10a receives the second authentication parameter returned by the server 10c, converts it into the first visual information and outputs the first visual information.
Further, the second device 10b collects the first visual information and parses out the second authentication parameter therefrom. Then, the second device 10b signs the second authentication parameter and converts the signature data into second visual information to output. Accordingly, the first device 10a collects the second visual information and parses signature data therefrom. Thereafter, the first device 10a transmits the signature data to the server 10c for the server 10c to perform the second factor authentication on the first device 10a based on the signature data. The first device 10a and the second device 10b perform information interaction by using the visual information, so that the interoperability can be improved; moreover, the second device 10b does not need to interact with the network, and can be prevented from being monitored, thereby further improving the security of authentication.
Accordingly, when the first device 10a is authenticated by the second factor, the server 10c may perform subsequent operations, such as login, page access, payment, etc.
It should be noted that the implementation forms of the first visual information and the second visual information in fig. 1a are only exemplary and are not limiting.
In this embodiment, a two-factor verification mechanism is introduced when the first device is authenticated, and visual information is used for the information exchange between the first device and the second device during two-factor verification, which improves authentication security. Because the information exchange uses visual information, interoperability is also improved. Moreover, the second device does not need to interact with the network at any point in the authentication process, so the security risk of the second device being monitored is avoided and authentication security is further improved.
To make clear how the first device 10a, the second device 10b and the server 10c work together when the authentication system authenticates the first device, an exemplary authentication process is described below with reference to the signaling diagram shown in fig. 1b.
Step 1: the first device 10a sends an authentication request to the server, where the authentication request carries the first authentication parameter.
In step 1, in different actual application scenarios, if the service applications performed by the user using the first device 10a are different, the authentication requests sent by the first device 10a to the server are different, and the first authentication parameters carried in the authentication requests are also different. The following describes an exemplary authentication request and a first authentication parameter carried by the authentication request in conjunction with several specific application scenarios.
Application scenario 1: when the user logs in to the website using the first device 10a, the first device 10a transmits a login request to the server. Correspondingly, the first authentication parameter carried in the login request is a login account and a login password.
Application scenario 2: the user makes an online payment with the first device 10a, and the first device 10a sends a payment request to the server 10c. Correspondingly, the first authentication parameter carried in the payment request is a payment account and a payment password.
Step 2: the server 10c receives the authentication request and performs the first factor authentication on the first device 10a based on the first authentication parameter.
And step 3: after authenticating the first device 10a by the first factor, the server 10c generates a second authentication parameter and returns the second authentication parameter to the first device 10 a.
Alternatively, the server 10c may perform a hash operation on information in the authentication request sent by the first device 10a, and use the obtained hash value as the second authentication parameter. Wherein, the information in the authentication request includes but is not limited to: first authentication parameters, MAC address, IP address, device model, etc. of the first device 10 a.
And 4, step 4: the first device 10a receives the second authentication parameter, converts the second authentication parameter into visual information, and outputs the visual information. For convenience of description and distinction, in the embodiment of the present application, the visual information into which the second authentication parameter is converted by the first device 10a is defined as the first visual information.
And 5: the second device 10b collects the first visual information and parses the second authentication parameter from the first visual information.
Step 6: the second device 10b signs the second authentication parameter, and then obtains corresponding signature data.
Alternatively, the second device 10b may sign the second authentication parameter in different ways depending on the security requirements of the actual application.
Optionally, in some application scenarios with low security requirements, the second device 10b may employ a software encryption manner to sign the second authentication parameter, so as to obtain signature data. For some application scenarios with higher security requirements, such as online payment and login authentication, a security module may be added to the second device 10b, or the second authentication parameter may be signed by using an existing security module on the second device 10b to obtain signature data. The security module may be, but is not limited to, a Trusted Execution Environment (TEE), a Secure Element (SE), and the like. Wherein the SE may be implemented in a chip form. Based on the security module on the second device 10b, the second device 10b may send the second authentication parameter to the security module therein, so that the security module signs the second authentication parameter with the local private key to obtain the signature data. The security module then returns the signature data to the second device 10 b. Accordingly, the second device 10b receives the signature data returned by the security module.
It should be noted that the security module may be set on the second device 10b as an inherent module on the second device 10b when the device is shipped from the factory; the external plug-in module may also be used as an external plug-in module of the second device 10b, and may be plugged into the second device 10b through a USB interface, etc., which is not limited herein.
Step 7: the second device 10b converts the signature data into corresponding visual information and outputs it. For convenience of description and distinction, in the embodiments of the present application the visual information into which the second device 10b converts the signature data is referred to as the second visual information.
Step 8: the first device 10a collects the second visual information and parses the corresponding signature data from it.
Step 9: the first device 10a transmits the signature data to the server 10c.
Step 10: the server 10c receives the signature data and performs second-factor authentication on the first device 10a based on the signature data.
Accordingly, when the first device 10a passes second-factor authentication, the server 10c may perform subsequent operations such as login, page access or payment.
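The ten steps above, as an added example that is not part of the patent's text: one Go program stands in for the server 10c and the second device 10b, with the network and the visual channel replaced by function calls. The names Server, SecondDevice, Register, Login and VerifySignature are assumed for illustration, and Ed25519 is assumed as the signature scheme, which the patent does not specify. The challenge follows step 3 in hashing request fields, but the example also mixes in a random nonce, binds the challenge to the account that requested it, gives it a lifetime and consumes it on first use: a hash of fixed request fields alone would be identical for every login, so a signature captured once could be replayed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
	"time"
)

// account is a constructed stand-in for a row in the server 10c's user store.
type account struct {
	salt         []byte
	passwordHash []byte            // first factor; a real server would use a password KDF
	devicePub    ed25519.PublicKey // key enrolled for the user's second device 10b
}
type pendingChallenge struct { // second authentication parameter awaiting its signature
	challenge []byte
	expires   time.Time
}
type Server struct {
	accounts map[string]*account
	pending  map[string]pendingChallenge // account -> outstanding challenge
	Now      func() time.Time            // injectable clock so expiry can be exercised
}

func NewServer() *Server {
	return &Server{accounts: map[string]*account{}, pending: map[string]pendingChallenge{}, Now: time.Now}
}
func hashPassword(salt []byte, password string) []byte {
	sum := sha256.Sum256(append(append([]byte{}, salt...), password...))
	return sum[:]
}

// Register enrolls an account with its password and the second device's public key.
func (s *Server) Register(acct, password string, pub ed25519.PublicKey) {
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		panic(err)
	}
	s.accounts[acct] = &account{salt: salt, passwordHash: hashPassword(salt, password), devicePub: pub}
}

// Login is steps 2 and 3: check the first factor, then issue the second authentication
// parameter. As in step 3 it hashes request fields; a random nonce makes each challenge fresh.
func (s *Server) Login(acct, password, mac, ip, model string) ([]byte, error) {
	a, ok := s.accounts[acct]
	if !ok || subtle.ConstantTimeCompare(hashPassword(a.salt, password), a.passwordHash) != 1 {
		return nil, errors.New("first-factor authentication failed")
	}
	nonce := make([]byte, 16)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	h := sha256.New()
	for _, field := range []string{acct, mac, ip, model} {
		h.Write([]byte(field))
		h.Write([]byte{0}) // separator keeps field boundaries unambiguous
	}
	h.Write(nonce)
	challenge := h.Sum(nil)
	s.pending[acct] = pendingChallenge{challenge: challenge, expires: s.Now().Add(60 * time.Second)}
	return challenge, nil
}

// VerifySignature is step 10. The outstanding challenge is consumed whether or not
// verification succeeds, so a captured signature cannot be replayed at a later login.
func (s *Server) VerifySignature(acct string, sig []byte) error {
	p, ok := s.pending[acct]
	delete(s.pending, acct)
	if !ok {
		return errors.New("no challenge outstanding for this account")
	}
	if s.Now().After(p.expires) {
		return errors.New("challenge expired")
	}
	if !ed25519.Verify(s.accounts[acct].devicePub, p.challenge, sig) {
		return errors.New("second-factor signature invalid")
	}
	return nil
}

// SecondDevice models device 10b; step 6 keeps the key in a TEE/SE, here it is plain memory.
type SecondDevice struct{ priv ed25519.PrivateKey }

func NewSecondDevice() (SecondDevice, ed25519.PublicKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return SecondDevice{priv: priv}, pub
}

// Sign is step 6; the challenge arrives and the signature leaves as visual information.
func (d SecondDevice) Sign(challenge []byte) []byte { return ed25519.Sign(d.priv, challenge) }

func main() {
	srv := NewServer()
	dev, pub := NewSecondDevice()
	srv.Register("alice", "correct horse battery", pub)
	// Step 1 with constructed request fields; the error path is exercised in the test.
	challenge, _ := srv.Login("alice", "correct horse battery", "aa:bb:cc:dd:ee:ff", "203.0.113.5", "phone-x")
	sig := dev.Sign(challenge) // steps 4 to 8 carry these bytes over the visual channel
	fmt.Println("second factor:", srv.VerifySignature("alice", sig), "replay:", srv.VerifySignature("alice", sig))
}
```

The second VerifySignature call in main shows the same signature being rejected once its challenge has been consumed. Keying the pending table by account means the first device only has to forward the signature data in step 9, as the patent describes, and the server still knows which challenge it must match.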
In step 4, the implementation form of the first visual information can be set flexibly according to the hardware structure of the first device 10a. Accordingly, the way in which the second device 10b collects the first visual information and parses the second authentication parameter from it in step 5 differs, and so does the implementation of steps 6 to 8. Several alternative embodiments of steps 4 to 8 are exemplified below in connection with the hardware structures of the first device 10a and the second device 10b.
Embodiment 1: the first device 10a is provided with a screen. In step 4, the first device 10a may convert the second authentication parameter into a barcode and display the barcode on its screen. Correspondingly, the second device 10b has a camera; in step 5, the second device 10b scans the barcode on the screen of the first device 10a with its camera and parses the second authentication parameter from the scanned barcode.
Further, the second device 10b is also provided with a screen. In step 6, the second device 10b signs the second authentication parameter and obtains corresponding signature data, and in step 7 it converts the signature data into a barcode and displays the barcode on its screen. Accordingly, the first device 10a is also provided with a camera. In step 8, the first device 10a uses its camera to scan the barcode on the screen of the second device 10b and parses the corresponding signature data from the scanned barcode.
It should be noted that the barcode in the embodiments of the application is a group of bars and spaces arranged according to a certain coding rule, used to express information consisting of characters, numbers and symbols; it is generally a graphical information carrier. In terms of the number of dimensions that carry information, the barcode in the embodiments of the present application may be a one-dimensional code (a linear barcode), a two-dimensional code or a three-dimensional code. One-dimensional codes may include, but are not limited to, EAN, UPC, Code 39 and Code 93. Two-dimensional codes may include, but are not limited to, PDF417 and QR Code.
It should also be noted that the relative positions of the first device 10a and the second device 10b in steps 4 to 8 may differ depending on where the cameras are located on the two devices and where the barcodes are displayed. For example, considering that a barcode is generally displayed in the center of the screen, as shown in fig. 1c, when the cameras of the first device 10a and the second device 10b are both front cameras located at the top of each device, the screens of the two devices may face each other in steps 4 to 8 with the second device 10b turned upside down, which makes it easier for each device to scan the other's barcode. In particular, when the barcodes on the two screens need to be scanned back and forth several times, the positions of the first device 10a and the second device 10b do not have to be adjusted each time, which improves convenience of use.
Embodiment 2: the first device 10a is provided with a screen. In step 4, the first device 10a converts the second authentication parameter into screen flash control information and controls its screen to flash according to that information. Correspondingly, in step 5, the second device 10b captures the screen flashing of the first device 10a with its camera and, using a preset mapping between screen flashing patterns and authentication parameters, parses the second authentication parameter from the captured flashing pattern.
Further, the second device 10b is also provided with a screen. In step 6, the second device 10b signs the second authentication parameter and obtains corresponding signature data. In step 7, the second device 10b converts the signature data into screen flash control information and controls its screen to flash accordingly. Accordingly, the first device 10a is also provided with a camera. In step 8, the first device 10a captures the screen flashing of the second device 10b with its camera and, using a preset mapping between screen flashing patterns and signature data, parses the signature data from the captured flashing pattern.
Embodiment 3: the first device 10a and the second device 10b are each provided with a signal lamp and a camera. In step 4, the first device 10a converts the second authentication parameter into signal lamp control information and controls its signal lamp to blink according to that information. Correspondingly, in step 5, the second device 10b captures the blinking of the signal lamp of the first device 10a with its camera and, using a preset mapping between signal lamp blinking patterns and authentication parameters, parses the second authentication parameter from the captured blinking pattern.
Further, in step 6, the second device 10b signs the second authentication parameter and obtains corresponding signature data. In step 7, the second device 10b converts the signature data into signal lamp control information and controls its signal lamp to blink accordingly. Correspondingly, in step 8, the first device 10a captures the blinking of the signal lamp of the second device 10b with its camera and, using a preset mapping between signal lamp blinking patterns and signature data, parses the signature data from the captured blinking pattern.
In an alternative embodiment, it is considered that different computer programs are typically installed on the first device 10a, each implementing different functions. These computer programs may include system software and application software; application software may take various forms such as a client, an application (APP), a plug-in or an SDK. Some of these computer programs need the first device 10a to be authenticated during operation, to ensure the security of the first device 10a and/or of a peer device interacting with it. Accordingly, the authentication flow described above is mainly executed by these computer programs on the first device 10a. Some of these programs themselves have the functions of converting the second authentication parameter into the first visual information and of collecting and parsing the second visual information; in step 4 above, the first device 10a may then convert the second authentication parameter into the first visual information directly with the program's own conversion function, and in step 8 the program calls the camera of the first device 10a to collect the second visual information output by the second device 10b and parses the signature data from it.
For example, assume that the first device 10a is a mobile phone on which a chat APP with functions for generating, scanning and parsing two-dimensional codes is installed. When the user logs in to the chat APP, the first device 10a needs to be authenticated to ensure the security of the server and of the user; the first device 10a may carry its login account and password in a login request and send the login request to the server 10c. Accordingly, the server 10c receives the login request, verifies the login account and password, generates a second authentication parameter and returns it to the first device 10a. The first device 10a receives the second authentication parameter, converts it into a two-dimensional code with the chat APP's own two-dimensional code generation function and displays the code on its screen. Correspondingly, the second device 10b collects the two-dimensional code, parses the second authentication parameter from it, signs the second authentication parameter to obtain signature data, converts the signature data into another two-dimensional code and displays it. The first device 10a may then use the chat APP's own "scan" function to scan the two-dimensional code displayed by the second device 10b and parse the signature data from it.
However, some computer programs do not themselves have the functions of converting the second authentication parameter into the first visual information and of collecting and parsing the second visual information. For these, a computer program that does have those functions may be installed on the first device 10a. In this case, the computer program that initiates authentication of the first device 10a is called the main program, and the computer program that converts the second authentication parameter into the first visual information and collects and parses the second visual information is called the auxiliary program. The authentication flow is then mainly executed by the main program on the first device 10a: in step 4, after receiving the second authentication parameter, the main program sends an HID request on a Human Interface Device (HID) interface of the first device 10a; correspondingly, the auxiliary program monitors the HID interface and, when it detects the HID request, converts the second authentication parameter into the first visual information and outputs it.
Accordingly, in step 8, the auxiliary program calls the camera of the first device 10a to collect the second visual information output by the second device 10b and parses the signature data from it. The auxiliary program then writes the signature data to the HID interface of the first device 10a, and the main program of the first device 10a sends the signature data read from the HID interface to the server 10c.
Further, the auxiliary program may be implemented in various forms according to the implementation form of the first device 10a and the application scenario. For example, if the first device 10a is a smart phone, a wearable device or the like, various APPs are installed on it and the user uses those APPs for mailbox login, online shopping login, instant messaging login or payment, so the auxiliary program can be implemented as a plug-in of the relevant APP. As another example, if the first device 10a is a desktop computer, a tablet computer, a notebook computer or the like, various clients are installed on it and the user uses those clients for mailbox login, online shopping login, instant messaging login or payment, so the auxiliary program can be implemented as a plug-in of the relevant client. Whether the first device 10a is a smart phone, a wearable device, a desktop computer or a tablet computer, the user may also perform website login, mailbox login, online shopping login, instant messaging login or payment through the browser installed on it, and the auxiliary program can then be implemented as a plug-in of the relevant browser. In addition, the auxiliary program can be implemented as a separate application or client.
In addition to the above configuration, in which the first device and the second device use their cameras to collect and parse each other's visual information and so form a two-way communication channel, the embodiments of the present application also provide another way for the first device and the second device to communicate, based on sound waves, so as to implement a sound-wave-based authentication system.
Fig. 2 is a schematic structural diagram of another authentication system according to an embodiment of the present application. As shown in fig. 2, the system includes a first device 20a, a second device 20b and a server 20c. For the implementation forms of the first device 20a, the second device 20b and the server 20c, and for the manner of communication between the first device 20a and the server 20c, reference may be made to the related description of fig. 1a, which is not repeated here.
In the present embodiment, the first device 20a and the second device 20b are each provided with an audio component for outputting a sound wave signal and also for acquiring sound wave signals output from each other. For convenience of description and distinction, in the embodiment of the present application, the acoustic wave signal output by the first device 20a is defined as a first acoustic wave signal, and the acoustic wave signal output by the second device 20b is defined as a second acoustic wave signal.
In this embodiment, the first device 20a is a device that needs to be authenticated, and the server 20c and the second device 20b cooperate with the first device 20a to complete authentication. The authentication process of the first device 20a is as follows:
The first device 20a sends an authentication request carrying the first authentication parameter to the server 20c. Accordingly, the server 20c receives the authentication request and performs first-factor authentication on the first device 20a based on the first authentication parameter. Optionally, the first authentication parameter may be an account number and a password, but is not limited thereto. After the first device 20a passes first-factor authentication, the server 20c generates a second authentication parameter and returns it to the first device 20a. Accordingly, the first device 20a receives the second authentication parameter returned by the server 20c, converts it into the first acoustic wave signal and outputs the first acoustic wave signal.
Further, the second device 20b collects the first acoustic wave signal and parses the second authentication parameter from it. The second device 20b then signs the second authentication parameter, converts the signature data into the second acoustic wave signal and outputs it. Accordingly, the first device 20a collects the second acoustic wave signal, parses the signature data from it and transmits the signature data to the server 20c, so that the server 20c can perform second-factor authentication on the first device 20a based on the signature data. Because the first device 20a and the second device 20b exchange information over sound waves, interoperability is improved; moreover, the second device 20b does not need to interact with the network, so it cannot be monitored over the network, which further improves the security of authentication.
Accordingly, when the first device 20a is authenticated by the second factor, the server 20c may perform subsequent operations, such as login, page access, payment, etc.
For a specific implementation of the second device 20b signing the second authentication parameter, reference may be made to the related description of step 6, which is not described herein again.
In the embodiment, when the first device is authenticated, a two-factor verification mechanism is introduced, and an acoustic wave technology is introduced between the first device and the second device for information interaction in the two-factor verification process, so that the authentication safety can be improved; moreover, information interaction is carried out by utilizing the sound wave technology, and the interoperability can be improved; moreover, in the whole authentication process, the second equipment does not need to interact with the network, so that the security risk caused by monitoring the second equipment can be prevented, and the authentication security is further improved.
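As an added example that is not from the patent, the acoustic channel between the first device 20a and the second device 20b can be realised with binary frequency-shift keying: each bit is a short tone at one of two frequencies, and the receiver decides each bit by comparing the energy at those two frequencies, computed with the Goertzel algorithm, over one symbol window. The Go program below performs the modulation and demodulation in software. Modulate, Demodulate and AddNoise are assumed names; the sample rate, symbol length and tone frequencies are constructed values chosen so that both tones fall on exact DFT bins of the symbol window. It assumes the capture is aligned to the first symbol (no preamble or framing is shown) and reports the weakest bit decision so that a noisy capture can be rejected before anything is forwarded to the server.

```go
package main

import (
	"errors"
	"fmt"
	"math"
	"math/rand"
)

// Constructed modem parameters: 8 kHz sampling, 10 ms symbols, and tones at
// 10 and 20 cycles per symbol so the two Goertzel detectors are orthogonal.
// A deployed scheme would more likely use near-ultrasonic tones and framing.
const (
	sampleRate = 8000
	symbolLen  = 80   // samples per bit
	freq0      = 1000 // Hz, bit 0
	freq1      = 2000 // Hz, bit 1
)

// Modulate turns bytes into BFSK audio samples, most significant bit first.
func Modulate(data []byte) []float64 {
	out := make([]float64, 0, len(data)*8*symbolLen)
	for _, b := range data {
		for i := 7; i >= 0; i-- {
			f := float64(freq0)
			if b>>uint(i)&1 == 1 {
				f = freq1
			}
			for n := 0; n < symbolLen; n++ {
				out = append(out, math.Sin(2*math.Pi*f*float64(n)/sampleRate))
			}
		}
	}
	return out
}

// goertzelPower returns the energy of x at DFT bin k without computing a full FFT.
func goertzelPower(x []float64, k int) float64 {
	w := 2 * math.Pi * float64(k) / float64(len(x))
	coeff := 2 * math.Cos(w)
	var s1, s2 float64
	for _, v := range x {
		s0 := v + coeff*s1 - s2
		s2, s1 = s1, s0
	}
	return s1*s1 + s2*s2 - coeff*s1*s2
}

// Demodulate recovers nbytes bytes from symbol-aligned samples. It also returns
// the smallest normalised decision margin seen, so a caller can reject a capture
// in which some bit was barely distinguishable from noise.
func Demodulate(samples []float64, nbytes int) ([]byte, float64, error) {
	if len(samples) < nbytes*8*symbolLen {
		return nil, 0, errors.New("capture too short for the expected message")
	}
	k0 := freq0 * symbolLen / sampleRate // bin 10
	k1 := freq1 * symbolLen / sampleRate // bin 20
	out := make([]byte, nbytes)
	minMargin := math.Inf(1)
	for i := 0; i < nbytes*8; i++ {
		w := samples[i*symbolLen : (i+1)*symbolLen]
		p0, p1 := goertzelPower(w, k0), goertzelPower(w, k1)
		if p1 > p0 {
			out[i/8] |= 1 << uint(7-i%8)
		}
		if m := math.Abs(p1-p0) / (p0 + p1 + 1e-12); m < minMargin {
			minMargin = m
		}
	}
	return out, minMargin, nil
}

// AddNoise mixes deterministic uniform noise of the given amplitude into a
// captured signal, standing in for a real microphone pickup.
func AddNoise(samples []float64, amplitude float64, seed int64) []float64 {
	r := rand.New(rand.NewSource(seed))
	out := make([]float64, len(samples))
	for i, v := range samples {
		out[i] = v + amplitude*(2*r.Float64()-1)
	}
	return out
}

func main() {
	challenge := []byte("0123456789abcdef0123456789abcdef") // constructed 32-byte parameter
	got, margin, err := Demodulate(AddNoise(Modulate(challenge), 1.0, 7), len(challenge))
	fmt.Printf("%q margin=%.2f err=%v\n", got, margin, err)
}
```

At these parameters each bit occupies 80 samples, so a 32-byte second authentication parameter takes 2.56 s of audio; a 64-byte signature going back takes twice that. Shorter symbols raise the rate but shrink the margin between the two Goertzel bins, which is the trade-off the margin value makes visible.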
In addition to the above-described authentication system embodiments, the embodiments of the present application also provide various authentication methods. The authentication method provided by the embodiment of the present application is exemplarily described below from the perspective of the first device and the second device, respectively, based on the above two communication methods between the first device and the second device.
In an embodiment of communication between a first device and a second device based on mutual visual information shown in fig. 1a, an embodiment of the present application provides an authentication method. Fig. 3a is a schematic flowchart of an authentication method according to an embodiment of the present application. The authentication method is applicable to the first device shown in fig. 1a, wherein for the description of the implementation form of the first device, reference may be made to the related description in the above system embodiment, and details are not repeated here. As shown in fig. 3a, the authentication method includes:
301. Send an authentication request to the server, the authentication request carrying a first authentication parameter, so that the server can perform first-factor authentication on the first device.
302. Receive a second authentication parameter returned by the server, the second authentication parameter being generated after the first device passes first-factor authentication.
303. Convert the second authentication parameter into first visual information and output it, so that the second device signs the second authentication parameter, converts the signature data into second visual information and outputs it.
304. Collect the second visual information, parse the signature data from it and send the signature data to the server, so that the server can perform second-factor authentication on the first device based on the signature data.
In this embodiment, a camera is provided on the first device and is used to collect the second visual information output by the second device in step 304. The second device may be a smart terminal or a U2F token device. In this embodiment the second device is also provided with a camera; for details, reference may be made to the relevant contents of fig. 1a and fig. 1b, which are not repeated here.
In the embodiment, when the first device is authenticated, a two-factor verification mechanism is introduced, and visual information is introduced between the first device and the second device for information interaction in the two-factor verification process, so that the authentication safety can be improved; moreover, information interaction is carried out by utilizing the visual information, and the interoperability can be improved; moreover, in the whole authentication process, the second equipment does not need to interact with the network, so that the security risk caused by monitoring the second equipment can be prevented, and the authentication security is further improved.
In an optional embodiment, the implementation form of the first visual information may be flexibly set according to different hardware structures of the first device. Accordingly, the implementation of step 303 and step 304 are different. Several alternative embodiments of step 303 and step 304 are exemplarily described below in connection with the hardware structures of the first device and the second device.
Based on the foregoing embodiment 1, an optional implementation manner of step 303 is: the first device may convert the second authentication parameter to a barcode and display the barcode on a screen of the first device.
Correspondingly, the second device is provided with a camera; the second device scans the barcode on the screen of the first device with its camera and parses the second authentication parameter from the scanned barcode.
Further, the second device is also provided with a screen. The second device signs the second authentication parameter to obtain corresponding signature data, converts the signature data into a barcode and displays the barcode on its screen.
Accordingly, an alternative implementation of step 304 is: scan the barcode on the screen of the second device with the camera of the first device and parse the corresponding signature data from the scanned barcode.
For the description of the barcode and of the relative positions of the first device and the second device, reference may be made to embodiment 1, which is not repeated here.
Based on embodiment 2, another optional implementation of step 303 is: convert the second authentication parameter into screen flash control information and control the screen of the first device to flash according to that information.
Correspondingly, the second device converts the signature data into screen flash control information and controls its screen to flash according to that information, i.e. the second visual information is the screen flashing of the second device. Based on this, another alternative implementation of step 304 is: capture the screen flashing of the second device with the camera of the first device and, using a preset mapping between screen flashing patterns and signature data, parse the signature data from the captured flashing pattern.
Based on embodiment 3, another optional implementation of step 303 is: convert the second authentication parameter into signal lamp control information and control the signal lamp of the first device to blink according to that information.
Correspondingly, the second device converts the signature data into signal lamp control information and controls its signal lamp to blink according to that information. Based on this, another alternative implementation of step 304 is: capture the blinking of the signal lamp of the second device with the camera of the first device and, using a preset mapping between signal lamp blinking patterns and signature data, parse the signature data from the captured blinking pattern.
In another alternative embodiment, a corresponding auxiliary program may be installed on the first device, taking into account that the first device itself may not have the functionality to convert the second authentication parameter into the first visual information and to collect and parse the second visual information. In this case, the first device has a main program and an auxiliary program installed thereon. Based on this, an alternative implementation of step 303 is: after receiving the second authentication parameter, the main program sends an HID request on an HID interface of the first equipment; correspondingly, the auxiliary program monitors the HID interface, and when the HID request is monitored, the second authentication parameter is converted into the first visual information and output.
Accordingly, an alternative implementation of step 304 is: and the auxiliary program calls a camera on the first equipment to acquire second visual information output by the second equipment, and the signature data is analyzed from the second visual information. And then, the auxiliary program writes the signature data into the HID interface of the first device, and the main program sends the signature data on the HID interface to the server.
Accordingly, an embodiment of the present application further provides a computer readable storage medium storing a computer program, which, when executed by a processor, causes the processor to implement the steps in the authentication method executed in fig. 3a and the related embodiments.
Correspondingly, the embodiments of the application also provide a computer device. The computer device may be implemented as the first device in fig. 1a. Fig. 3b is a schematic structural diagram of a computer device according to an embodiment of the present application. As shown in fig. 3b, the computer device comprises: memory 30a, processor 30b, communication component 30c and camera 30d.
In the present embodiment, the memory 30a is used to store a computer program.
The processor 30b is coupled to the memory 30a and executes the computer program in order to: send an authentication request carrying a first authentication parameter to the server through the communication component 30c, so that the server can perform first-factor authentication on the first device; receive, through the communication component 30c, a second authentication parameter returned by the server, the second authentication parameter being generated after the first device passes first-factor authentication; convert the second authentication parameter into first visual information and output it, so that the second device signs the second authentication parameter, converts the signature data into second visual information and outputs it; and collect the second visual information with the camera 30d, parse the signature data from it and send the signature data to the server, so that the server can perform second-factor authentication on the first device based on the signature data.
In this embodiment, the second device may be an intelligent terminal (a smart phone, a personal computer, a wearable device, etc.), or a U2F token device, where for the description of the U2F token device, reference may be made to the related contents in fig. 1a and fig. 1b, and details are not repeated here.
In an optional embodiment, the computer device further comprises a screen 30e. Accordingly, when converting the second authentication parameter into the first visual information and outputting it, the processor 30b is specifically configured to: convert the second authentication parameter into a barcode and display the barcode on the screen of the first device; or convert the second authentication parameter into screen flash control information and control the screen of the first device to flash according to that information.
Optionally, the computer device further comprises a signal lamp 30f. Accordingly, when converting the second authentication parameter into the first visual information and outputting it, the processor 30b is specifically configured to: convert the second authentication parameter into signal lamp control information and control the signal lamp of the first device to blink according to that information.
In an alternative embodiment, the memory 30a stores a main program and an auxiliary program. When converting the second authentication parameter into the first visual information and outputting it, the processor 30b is specifically configured to: after the main program receives the second authentication parameter, have the main program send an HID request on an HID interface of the first device; and have the auxiliary program monitor the HID interface and, when it detects the HID request, convert the second authentication parameter into the first visual information and output it.
In yet another optional embodiment, the second visual information is a barcode, and when the processor 30b acquires the second visual information by using the camera 30d and analyzes signature data from the second visual information, the processor is specifically configured to: and scanning the bar code by using a camera, and analyzing the signature data from the scanned bar code.
Further, as shown in fig. 3b, the computer apparatus further includes: power supply component 30g, audio component 30f, and the like. Only some of the components are schematically shown in fig. 3b, and it is not meant that the computer device comprises only the components shown in fig. 3 b.
The computer device provided by the embodiment is used as a first device, a two-factor verification mechanism is introduced when the computer device is authenticated, and visual information is introduced between the first device and a second device for information interaction in the two-factor verification process, so that the authentication safety can be improved; moreover, information interaction is carried out by utilizing the visual information, and the interoperability can be improved; moreover, in the whole authentication process, the second equipment does not need to interact with the network, so that the security risk caused by monitoring the second equipment can be prevented, and the authentication security is further improved.
Fig. 4a is a schematic flowchart of another authentication method according to an embodiment of the present application. The method is applicable to the second device shown in fig. 1a, where the second device may be a smart terminal (smart phone, personal computer, wearable device, etc.) or a U2F token device. For the implementation forms of the second device, refer to the related description in the system embodiment above; details are not repeated here. As shown in fig. 4a, the authentication method includes:
401. Collecting first visual information output by the first device, where the first visual information is obtained by converting a second authentication parameter issued by the server after the first device passes first-factor authentication.
402. Parsing the second authentication parameter from the first visual information, and signing the second authentication parameter to obtain signature data.
403. Converting the signature data into second visual information and outputting it, so that the first device can send the signature data to the server for second-factor authentication of the first device.
In this embodiment, a camera is disposed on the second device and is used to collect the first visual information output by the first device in step 401. The second device may be a smart terminal or a U2F token device; for a detailed description, refer to the related contents of fig. 1a and fig. 1b, which are not repeated here.
In this embodiment, a two-factor verification mechanism is introduced when the first device is authenticated, and visual information is used for the information interaction between the first device and the second device during the two-factor verification, so the security of authentication can be improved; moreover, exchanging information through visual information improves interoperability; and because the second device does not need to interact with the network during the whole authentication process, the security risk of the second device being eavesdropped on is avoided, which further improves authentication security.
In this embodiment, the form of the first visual information may be set flexibly according to the hardware structure of the first device. Accordingly, the way the second device collects the first visual information and parses the second authentication parameter from it in steps 401 and 402, and the way the signature data is converted into second visual information and output in step 403, differ from case to case. This is illustrated below with several alternative embodiments.
In embodiment 1 above, the first visual information is a bar code. An alternative implementation of step 401 is: scanning the bar code with the camera. Accordingly, an alternative implementation of step 402 is: parsing the second authentication parameter from the scanned bar code, and signing the second authentication parameter to obtain signature data.
Further, an optional implementation of step 403 is: converting the signature data into a bar code and displaying the bar code on the screen of the second device.
For the relative positions of the bar code, the first device and the second device, refer to the related contents of embodiment 1 above, which are not repeated here.
In embodiment 2 above, the first visual information is screen flashing information of the first device. Based on this, another alternative implementation of step 401 is: collecting the screen flashing information of the first device with the camera.
Accordingly, another alternative implementation of step 402 is: according to the rule of the collected screen flashing information of the first device, looking up the second authentication parameter in a preset mapping between screen flashing rules and authentication parameters, and signing the second authentication parameter to obtain signature data.
Further, an optional implementation of step 403 is: converting the signature data into screen flash control information and controlling the screen of the second device to flash according to the screen flash control information.
In embodiment 3, the first visual information is signal lamp flickering information of the first device. Accordingly, yet another alternative implementation of step 401 is: collecting the signal lamp flickering information of the first device with the camera of the second device.
Accordingly, yet another alternative implementation of step 402 is: according to the collected signal lamp flickering rule of the first device, looking up the second authentication parameter in a preset mapping between signal lamp flickering rules and authentication parameters, and signing the second authentication parameter to obtain signature data.
Correspondingly, a signal lamp is disposed on the second device. Yet another alternative implementation of step 403 is: converting the signature data into signal lamp control information and controlling the signal lamp of the second device to flicker according to the signal lamp control information.
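The screen-flash and signal-lamp embodiments above (embodiments 2 and 3, steps 401 to 403) depend on a preset mapping between a flashing rule and the authentication parameter, which the patent leaves unspecified. The following Go program is an added example, not code from the patent or from its assignee, of one such mapping and its camera-side decoder. It assumes a camera that samples the screen or lamp once per frame and reports each frame as lit or dark; the preamble, the 8-bit length header and the Manchester coding are this example's own design choices, and the sample parameter is constructed.

```go
package main

import (
	"errors"
	"fmt"
)

// Preamble that marks the start of a transmission. Manchester-coded payload
// frames never contain three consecutive lit frames, so this pattern cannot
// be confused with data.
var preamble = []bool{true, true, true, false}

// EncodeFlash maps an authentication parameter to a sequence of camera frames
// (true = screen or lamp lit, false = dark): the preamble, an 8-bit length,
// then each payload bit Manchester-coded as lit,dark for 1 and dark,lit for 0.
func EncodeFlash(param []byte) ([]bool, error) {
	if len(param) > 255 {
		return nil, errors.New("parameter too long for 8-bit length header")
	}
	frames := append([]bool{}, preamble...)
	emitByte := func(b byte) {
		for i := 7; i >= 0; i-- {
			bit := (b>>uint(i))&1 == 1
			frames = append(frames, bit, !bit)
		}
	}
	emitByte(byte(len(param)))
	for _, b := range param {
		emitByte(b)
	}
	return frames, nil
}

// DecodeFlash is the inverse run on the camera side: find the preamble, read
// the length, then decode Manchester pairs. A pair that is lit,lit or
// dark,dark cannot come from a valid transmission, so it is reported as an
// error instead of being silently misread as a bit.
func DecodeFlash(frames []bool) ([]byte, error) {
	start := -1
	for i := 0; i+len(preamble) <= len(frames) && start < 0; i++ {
		match := true
		for j, p := range preamble {
			if frames[i+j] != p {
				match = false
				break
			}
		}
		if match {
			start = i + len(preamble)
		}
	}
	if start < 0 {
		return nil, errors.New("preamble not found")
	}
	pos := start
	readByte := func() (byte, error) {
		var b byte
		for i := 0; i < 8; i++ {
			if pos+1 >= len(frames) {
				return 0, errors.New("truncated frame sequence")
			}
			first, second := frames[pos], frames[pos+1]
			if first == second {
				return 0, fmt.Errorf("invalid Manchester pair at frame %d", pos)
			}
			pos += 2
			b <<= 1
			if first {
				b |= 1
			}
		}
		return b, nil
	}
	n, err := readByte()
	if err != nil {
		return nil, err
	}
	out := make([]byte, 0, int(n))
	for i := 0; i < int(n); i++ {
		b, err := readByte()
		if err != nil {
			return nil, err
		}
		out = append(out, b)
	}
	return out, nil
}

func main() {
	// Constructed sample value standing in for the server-issued parameter.
	param := []byte("nonce-1234")
	frames, _ := EncodeFlash(param)
	got, err := DecodeFlash(frames)
	fmt.Printf("%d frames, decoded %q, err=%v\n", len(frames), got, err)
}
```

Manchester coding is used because every bit contains exactly one transition, so the camera can recover the frame clock from the pattern itself and any pair without a transition is detectable as a capture error. The same encoder serves the reverse direction of step 403 with the signature data as payload; the length header would need to be widened for signatures longer than 255 bytes.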
Alternatively, the second device 10b may sign the second authentication parameter in different ways depending on the security requirements of the actual application.
Optionally, in application scenarios with low security requirements, the second device may sign the second authentication parameter in software to obtain the signature data. For scenarios with higher security requirements, such as online payment and login authentication, a security module may be added to the second device, or an existing security module on the second device 10b may be used to sign the second authentication parameter. The security module may be, but is not limited to, a TEE or an SE, where the SE may be implemented as a chip. Based on the security module on the second device, an optional implementation of signing the second authentication parameter in step 402 is as follows: the second authentication parameter is sent to the security module, the security module signs it with its local private key to obtain the signature data and returns the signature data to the second device, and the second device receives the signature data returned by the security module.
It should be noted that the security module may be an inherent module of the second device, installed when the second device leaves the factory, or an external plug-in module connected to the second device through a USB interface; this is not limited here.
Accordingly, an embodiment of the present application further provides a computer readable storage medium storing a computer program, which, when executed by a processor, causes the processor to implement the steps in the authentication method executed in fig. 4a and the related embodiments.
Correspondingly, the embodiment of the application also provides a computer device, which may be implemented as the second device in fig. 1a. Fig. 4b is a schematic structural diagram of a computer device according to an embodiment of the present application. As shown in fig. 4b, the computer device includes a memory 40a, a processor 40b and a camera 40c.
In the present embodiment, the memory 40a is used for storing a computer program.
The processor 40b, coupled to the memory 40a, executes the computer program in order to: collect, using the camera 40c, first visual information output by the first device, where the first visual information is obtained by converting a second authentication parameter issued by the server after the first device passes first-factor authentication; parse the second authentication parameter from the first visual information and sign it to obtain signature data; and convert the signature data into second visual information and output it, so that the first device can send the signature data to the server for second-factor authentication of the first device.
In an optional embodiment, the first visual information is a bar code, and when the processor 40b collects the visual information output by the first device using the camera, it is specifically configured to: scan the bar code with the camera. Accordingly, when the processor 40b parses the second authentication parameter from the first visual information, it is specifically configured to: parse the second authentication parameter from the scanned bar code.
In another alternative embodiment, as shown in fig. 4b, the computer device further comprises a security module 40d and a communication component 40e. When the processor 40b signs the second authentication parameter to obtain the signature data, it is specifically configured to: send the second authentication parameter to the security module 40d in the second device through the communication component 40e, so that the security module signs it with its local private key to obtain the signature data; and receive the signature data returned by the security module 40d through the communication component 40e.
In yet another optional embodiment, the computer device further comprises a screen 40f. Accordingly, when the processor 40b converts the signature data into the second visual information and outputs it, it is specifically configured to: convert the signature data into a bar code and display the bar code on the screen 40f of the second device; or convert the signature data into screen flash control information and control the screen 40f of the second device to flash according to the screen flash control information.
Optionally, the computer device further comprises a signal lamp 40g. Accordingly, when the processor 40b converts the signature data into the second visual information and outputs it, it is specifically configured to: convert the signature data into signal lamp control information and control the signal lamp 40g of the second device to flicker according to the signal lamp control information.
Further, as shown in fig. 4b, the computer device further includes a power supply component 40h, an audio component 40i, and the like. Only some of the components are schematically shown in fig. 4b; this does not mean that the computer device comprises only the components shown in fig. 4b.
The computer device provided by this embodiment can serve as the second device. A two-factor verification mechanism is introduced when the first device is authenticated, and visual information is used for the information interaction between the first device and the second device during the two-factor verification, so the security of authentication can be improved; moreover, exchanging information through visual information improves interoperability; and because the second device does not need to interact with the network during the whole authentication process, the security risk of the second device being eavesdropped on is avoided, which further improves authentication security.
For the embodiment shown in fig. 2, in which the first device and the second device communicate based on acoustic wave signals, the embodiment of the present application also provides an authentication method. Fig. 5a is a schematic flowchart of an authentication method according to an embodiment of the present application. The method is applicable to the first device shown in fig. 2; for the implementation forms of the first device, refer to the related description in the system embodiment above, which is not repeated here. As shown in fig. 5a, the authentication method includes:
501. Sending an authentication request carrying a first authentication parameter to the server, so that the server can perform first-factor authentication on the first device.
502. Receiving a second authentication parameter returned by the server, where the second authentication parameter is generated by the server after the first device passes first-factor authentication.
503. Converting the second authentication parameter into a first sound wave signal and outputting it, so that the second device signs the second authentication parameter, converts the signature data into a second sound wave signal and outputs it.
504. Collecting the second sound wave signal, parsing the signature data from it and sending the signature data to the server, so that the server can perform second-factor authentication based on the signature data.
In this embodiment, an audio component is disposed on the first device for outputting the first sound wave signal in step 503 and collecting the second sound wave signal output by the second device in step 504. The second device may be a smart terminal or a U2F token device and is likewise provided with an audio component for outputting the second sound wave signal. For a detailed description of the first device and the second device, refer to the related contents of fig. 1a and fig. 1b, which are not repeated here.
In this embodiment, a two-factor verification mechanism is introduced when the first device is authenticated, and acoustic wave technology is used for the information interaction between the first device and the second device during the two-factor verification, so the security of authentication can be improved; moreover, exchanging information through sound waves improves interoperability; and because the second device does not need to interact with the network during the whole authentication process, the security risk of the second device being eavesdropped on is avoided, which further improves authentication security.
Accordingly, an embodiment of the present application further provides a computer readable storage medium storing a computer program, which, when executed by a processor, causes the processor to implement the steps in the authentication method executed in fig. 5a and the related embodiments.
Correspondingly, the embodiment of the application also provides a computer device, which may be implemented as the first device in fig. 2. Fig. 5b is a schematic structural diagram of a computer device according to an embodiment of the present application. As shown in fig. 5b, the computer device includes a memory 50a, a processor 50b, a communication component 50c and an audio component 50d.
In the present embodiment, the memory 50a is used to store a computer program.
The processor 50b, coupled to the memory 50a, executes the computer program in order to: send an authentication request carrying a first authentication parameter to the server through the communication component 50c, so that the server performs first-factor authentication on the first device; receive, through the communication component 50c, a second authentication parameter returned by the server, where the second authentication parameter is generated by the server after the first device passes first-factor authentication; convert the second authentication parameter into a first sound wave signal and output it through the audio component 50d, so that the second device signs the second authentication parameter, converts the signature data into a second sound wave signal and outputs it; and collect the second sound wave signal using the audio component 50d, parse the signature data from it, and send the signature data to the server, so that the server performs second-factor authentication based on the signature data.
Further, as shown in fig. 5b, the computer device further includes a screen 50e, a power supply component 50f, and the like. Only some of the components are schematically shown in fig. 5b; this does not mean that the computer device comprises only the components shown in fig. 5b.
The computer device provided by this embodiment serves as the first device. A two-factor verification mechanism is introduced when the first device is authenticated, and acoustic wave technology is used for the information interaction between the first device and the second device during the two-factor verification, so the security of authentication can be improved; moreover, exchanging information through sound waves improves interoperability; and because the second device does not need to interact with the network during the whole authentication process, the security risk of the second device being eavesdropped on is avoided, which further improves authentication security.
Fig. 6a is a schematic flowchart of another authentication method according to an embodiment of the present application. The method is applicable to the second device shown in fig. 2, where the second device may be a smart terminal (smart phone, personal computer, wearable device, etc.) or a U2F token device. For the implementation forms of the second device, refer to the related description in the system embodiment above; details are not repeated here. As shown in fig. 6a, the authentication method includes:
601. Collecting a first sound wave signal emitted by the first device, where the first sound wave signal is obtained by converting a second authentication parameter issued by the server after the first device passes first-factor authentication.
602. Parsing the second authentication parameter from the first sound wave signal, and signing the second authentication parameter to obtain signature data.
603. Converting the signature data into a second sound wave signal and outputting it, so that the first device sends the signature data to the server for second-factor authentication of the first device.
In this embodiment, an audio component is disposed on the second device for collecting the first sound wave signal output by the first device in step 601 and outputting the second sound wave signal in step 603. The second device may be a smart terminal or a U2F token device. For a detailed description of the implementation forms of the first device and the second device, refer to the related contents of fig. 1a and fig. 1b, which are not repeated here.
For the optional implementations of step 602, refer to the description of signing the second authentication parameter to obtain signature data in step 402, which is not repeated here.
In this embodiment, a two-factor verification mechanism is introduced when the first device is authenticated, and acoustic wave technology is used for the information interaction between the first device and the second device during the two-factor verification, so the security of authentication can be improved; moreover, exchanging information through sound waves improves interoperability; and because the second device does not need to interact with the network during the whole authentication process, the security risk of the second device being eavesdropped on is avoided, which further improves authentication security.
Accordingly, an embodiment of the present application further provides a computer readable storage medium storing a computer program, which, when executed by a processor, causes the processor to implement the steps in the authentication method executed in fig. 6a and the related embodiments.
Correspondingly, the embodiment of the application also provides a computer device, which may be implemented as the second device in fig. 2. Fig. 6b is a schematic structural diagram of a computer device according to an embodiment of the present application. As shown in fig. 6b, the computer device includes a memory 60a, a processor 60b and an audio component 60c.
In the present embodiment, the memory 60a is used to store a computer program.
The processor 60b, coupled to the memory 60a, executes the computer program in order to: collect, using the audio component 60c, a first sound wave signal emitted by the first device, where the first sound wave signal is obtained by converting a second authentication parameter issued by the server after the first device passes first-factor authentication; parse the second authentication parameter from the first sound wave signal and sign it to obtain signature data; and convert the signature data into a second sound wave signal and output it through the audio component 60c, so that the first device can send the signature data to the server for second-factor authentication of the first device.
In an alternative embodiment, as shown in fig. 6b, the computer device further comprises a security module 60d and a communication component 60e. When the processor 60b signs the second authentication parameter to obtain the signature data, it is specifically configured to: send the second authentication parameter to the security module 60d in the second device through the communication component 60e, so that the security module signs it with its local private key to obtain the signature data; and receive the signature data returned by the security module 60d through the communication component 60e.
Further, as shown in fig. 6b, the computer device further includes a screen 60f, a power supply component 60g, and the like. Only some of the components are schematically shown in fig. 6b; this does not mean that the computer device comprises only the components shown in fig. 6b.
The computer device provided by this embodiment serves as the second device. A two-factor verification mechanism is introduced when the first device is authenticated, and acoustic wave technology is used for the information interaction between the first device and the second device during the two-factor verification, so the security of authentication can be improved; moreover, exchanging information through sound waves improves interoperability; and because the second device does not need to interact with the network during the whole authentication process, the security risk of the second device being eavesdropped on is avoided, which further improves authentication security.
In fig. 3b, 4b, 5b and 6b above, the memory is used to store computer programs and may be configured to store other various data to support the operations on the computer device. Examples of such data include instructions for any application or method operating on the computing platform, contact data, phonebook data, messages, pictures, videos, and so forth.
The memory may be implemented by any type or combination of volatile or non-volatile memory devices, such as Static Random Access Memory (SRAM), electrically erasable programmable read-only memory (EEPROM), erasable programmable read-only memory (EPROM), programmable read-only memory (PROM), read-only memory (ROM), magnetic memory, flash memory, magnetic or optical disks.
The communication components of fig. 3b, 4b, 5b and 6b described above are configured to facilitate communication between the device in which the communication component is located and other devices in a wired or wireless manner. The device in which the communication component is located may access a wireless network based on a communication standard, such as WiFi, 2G or 3G, or a combination thereof. In an exemplary embodiment, the communication component receives a broadcast signal or broadcast related information from an external broadcast management system via a broadcast channel. In one exemplary embodiment, the communication component further includes a Near Field Communication (NFC) module to facilitate short-range communications. For example, the NFC module may be implemented based on Radio Frequency Identification (RFID) technology, infrared data association (IrDA) technology, Ultra Wideband (UWB) technology, Bluetooth (BT) technology, and other technologies.
The screens in figs. 3b, 4b, 5b and 6b above may include a liquid crystal display (LCD) and a touch panel (TP). If the screen includes a touch panel, it may be implemented as a touch screen to receive input signals from the user.
The power supply components of figs. 3b, 4b, 5b and 6b described above provide power to the various components of the device in which the power supply component is located. The power supply components may include a power management system, one or more power supplies, and other components associated with generating, managing, and distributing power for the device in which the power supply component is located.
The audio components of figs. 3b, 4b, 5b and 6b described above may be configured to output and/or input audio signals. For example, the audio component includes a microphone (MIC) configured to receive an external audio signal when the device in which the audio component is located is in an operational mode, such as a call mode, a recording mode or a voice recognition mode. The received audio signal may further be stored in the memory or transmitted via the communication component. In some embodiments, the audio component further comprises a speaker for outputting audio signals.
The authentication method provided by the embodiments of the present application is suitable for various application scenarios with high requirements on authentication security. For example, when a user performs login authentication such as website login, mailbox login or shopping platform login using a terminal device, the login authentication may be performed based on the authentication method provided in the embodiments of the present application. For another example, when the user performs online payment using the terminal device, the payment authentication may be performed based on the authentication method provided in the embodiments of the present application, and so on. The authentication process provided by the embodiments of the present application is described below by way of example with reference to two common application scenarios: code-scanning login and code-scanning payment.
Fig. 7 is a flowchart illustrating a login method according to an embodiment of the present application. The method is applicable to a terminal device, which may be implemented as the first device in fig. 1a. As shown in fig. 7, the method includes:
701. In response to a login operation issued by the user, sending a login request carrying an account and a password to the server.
702. Receiving data to be signed returned by the server, where the data to be signed is generated by the server after the account and the password pass verification.
703. Converting the data to be signed into a first two-dimensional code and displaying it, so that the token device can scan the first two-dimensional code to obtain the data to be signed.
704. Scanning a second two-dimensional code displayed by the token device to obtain signature data, where the second two-dimensional code is obtained by converting the signature data produced when the token device signs the data to be signed.
705. Sending the signature data to the server, so that the server can determine the login result of the terminal device based on the signature data.
In this embodiment, if the terminal device is a smart phone, a wearable device, or the like, the user may trigger an APP icon on the terminal device to open a corresponding login page. Then, the user inputs a pre-registered account and a pre-registered password in an account and password text box of the login page and triggers a corresponding login control; or account and password information which is logged in by the user before is reserved in the account and password text boxes of the login page, and the user can directly trigger the corresponding login control. Or, when the terminal device is a computer, the user may perform a login operation through a browser or a corresponding client. And after the user triggers the login control, in step 701, the terminal device may respond to the login operation sent by the user and send a login request to the server, where the login request carries an account and a password.
And then, the server performs first-factor login authentication on the terminal equipment based on the account and the password in the login request. And when the account number and the password in the login request pass verification, namely the terminal equipment passes the first factor login authentication, the server generates data to be signed, namely a second authentication parameter, based on the login request, and returns the data to be signed to the terminal equipment. Accordingly, in step 702, the terminal device receives the data to be signed returned by the server.
Next, in step 703, the terminal device converts the data to be signed into a corresponding two-dimensional code, and displays the two-dimensional code on its screen. For convenience of description and distinction, in the embodiment of the present application, a two-dimensional code displayed on a terminal device is defined as a first two-dimensional code. Accordingly, the token device can scan the first two-dimensional code by using a camera of the token device to obtain data to be signed. Wherein the token device comprises: smart terminals (smartphones, tablets, wearable devices, etc.), U2F token devices, etc., but are not limited thereto. Furthermore, when the token device is an intelligent terminal (portable devices such as a smart phone, a tablet computer and a wearable device), the corresponding U2F token device does not need to be configured, the second factor authentication can be realized by directly using the intelligent terminal, and the portable device is convenient to carry, so that the convenience of the user during login can be improved.
Further, the token device signs the data to be signed to obtain signature data, converts the signature data into a corresponding two-dimensional code, and displays the two-dimensional code on a screen of the token device. For convenience of description and distinction, in the embodiment of the present application, the two-dimensional code herein is defined as a second two-dimensional code. Accordingly, in step 704, the terminal device may scan the second two-dimensional code displayed by the token device by using its camera, and further obtain the signature data therefrom.
Then, in step 705, the terminal device sends the signature data to the server, so that the server can determine the login result of the terminal device based on the signature data.
Accordingly, the server performs second-factor authentication on the login request of the terminal device based on the signature data, and when the signature data passes the server's authentication, the server allows the terminal device to log in. Conversely, if the signature data fails the server's authentication, the server rejects the login request of the terminal device and does not allow it to log in.
In this embodiment, on top of login authentication based on the login account and password, second-factor login authentication based on the signature data returned by the token device is added. This prevents the danger of an attacker displaying a phishing two-dimensional code on the terminal device and the user being phished by scanning it, so the security of login authentication is improved.
In this embodiment, a two-factor verification mechanism is introduced when the login request of the terminal device is authenticated, which improves the security of authentication and raises the security of existing code-scanning login by one level. Moreover, the screens and cameras of the terminal device and the token device form a bidirectional communication channel, which improves interoperability; the token device does not need to interact with the network at any point in the login authentication process, so the security risk of the token device being eavesdropped on is avoided and authentication security is further improved.
Fig. 8 is a schematic flowchart of a payment method according to an embodiment of the present application. The method is applicable to a terminal device, which may be implemented as the first device in fig. 1 a. As shown in fig. 8, the method includes:
801. Responding to a payment operation sent by a user, and sending a payment request to the server, wherein the payment request carries a payment account and a payment password.
802. And receiving data to be signed returned by the server, wherein the data to be signed is generated after the payment account number and the payment password are verified by the server.
803. And converting the data to be signed into a first two-dimensional code and displaying the first two-dimensional code so that the token equipment can scan the first two-dimensional code to obtain the data to be signed.
804. Scanning the second two-dimensional code displayed by the token equipment to acquire signature data; the second two-dimensional code is obtained by converting signature data obtained by signing the data to be signed by the token device.
805. And sending the signature data to the server for the server to determine whether to deduct fees from the payment account number according to the payment password based on the signature data.
In this embodiment, if the terminal device is a smart phone, a wearable device, or the like, the user may tap an APP icon on the terminal device to open the corresponding payment page. The user then enters a pre-registered payment account and payment password in the account and password text boxes of the payment page and triggers the corresponding payment control; or, if the account and password text boxes of the payment page retain the payment account and payment password the user used before, the user may directly trigger the payment control. Alternatively, when the terminal device is a computer, the user may perform the payment operation through a browser or a corresponding client. After the user triggers the payment control, in step 801 the terminal device responds to the user's payment operation by sending a payment request to the server, where the payment request carries the payment account and payment password.
The server then performs first-factor payment authentication on the terminal device based on the payment account and payment password in the payment request. When the payment account and payment password in the payment request pass verification, that is, when the terminal device passes first-factor payment authentication, the server generates the data to be signed (the second authentication parameter) based on the payment request and returns it to the terminal device. Accordingly, in step 802, the terminal device receives the data to be signed returned by the server.
Next, in step 803, the terminal device converts the data to be signed into a corresponding two-dimensional code and displays the two-dimensional code on its screen. For convenience of description and distinction, in the embodiment of the present application the two-dimensional code displayed on the terminal device is defined as the first two-dimensional code. Accordingly, the token device can scan the first two-dimensional code with its camera to obtain the data to be signed. The token device includes, but is not limited to, smart terminals (smartphones, tablets, wearable devices, etc.) and U2F token devices. Furthermore, when the token device is a smart terminal, no separate U2F token device needs to be configured: the smart terminal itself performs second-factor authentication, and the convenience for the user is improved.
Further, the token device signs the data to be signed to obtain signature data, converts the signature data into a corresponding two-dimensional code, and displays the two-dimensional code on its screen. For convenience of description and distinction, in the embodiment of the present application this two-dimensional code is defined as the second two-dimensional code. Accordingly, in step 804, the terminal device may scan the second two-dimensional code displayed by the token device with its camera and obtain the signature data from it.
Then, in step 805, the terminal device sends the signature data to the server, so that the server determines whether to deduct a fee from the payment account according to the payment password based on the signature data.
Correspondingly, the server performs second-factor verification on the payment request of the terminal device based on the signature data, and when the signature data passes the server's verification, the server deducts the fee from the corresponding payment account according to the payment password. Conversely, if the signature data fails the server's authentication, the server rejects the payment request of the terminal device and does not deduct the fee.
In this embodiment, on top of payment authentication based on the payment account and payment password, second-factor payment authentication based on the signature data returned by the token device is added. This prevents the danger of an attacker displaying a phishing two-dimensional code on the terminal device and the user being phished by scanning it, so the security of payment authentication is improved.
In the embodiment of the application, a two-factor verification mechanism is introduced when the payment request of the terminal device is authenticated, which improves the security of authentication and raises the security of existing code-scanning payment by one level. Moreover, the screens and cameras of the terminal device and the token device form a bidirectional communication channel, which improves interoperability; the token device does not need to interact with the network at any point in the authentication process, so the security risk of the token device being eavesdropped on is avoided and authentication security is further improved.
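The login flow of Fig. 7 and the payment flow of Fig. 8 are the same two-factor exchange, so one worked example serves both. The Go program below is an added illustration, not code from the patent or its assignee: it simulates the server (first-factor password check, issuing the data to be signed, second-factor signature check), the terminal device, and an offline token device that signs with a local private key (claim 8). Ed25519 is assumed as the signature scheme, base64 text stands in for the payload of the two two-dimensional codes, and the enrolment of the token device's public key is an assumed step the patent does not describe. Beyond the patent text, the server binds each challenge to the account, time-limits it and consumes it on first use, which is what stops a captured second code from being replayed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"fmt"
	"time"
)

// Server is the relying party (constructed state; a real deployment uses a slow salted password hash).
type Server struct {
	passwordHashes map[string][32]byte          // account -> SHA-256(password)
	tokenKeys      map[string]ed25519.PublicKey // account -> enrolled token device key
	pending        map[string]pendingChallenge  // account -> outstanding data to be signed
}

type pendingChallenge struct {
	data    []byte
	expires time.Time
}

// Register enrols an account's password and its token device's public key (an assumed enrolment step).
func (s *Server) Register(account, password string, pub ed25519.PublicKey) {
	if s.pending == nil {
		s.passwordHashes, s.tokenKeys = map[string][32]byte{}, map[string]ed25519.PublicKey{}
		s.pending = map[string]pendingChallenge{}
	}
	s.passwordHashes[account] = sha256.Sum256([]byte(password))
	s.tokenKeys[account] = pub
}

// Login is the first factor (step 701/801): a valid password yields fresh, single-use, time-limited data to be signed.
func (s *Server) Login(account, password string) ([]byte, error) {
	want, ok := s.passwordHashes[account]
	got := sha256.Sum256([]byte(password))
	if !ok || subtle.ConstantTimeCompare(want[:], got[:]) != 1 {
		return nil, errors.New("first factor failed")
	}
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	data := append([]byte("login:"+account+":"), nonce...) // bound to the account, not reusable elsewhere
	s.pending[account] = pendingChallenge{data: data, expires: time.Now().Add(60 * time.Second)}
	return data, nil
}

// Verify is the second factor (step 705/805). The challenge is consumed on first use, so a captured second code cannot be replayed.
func (s *Server) Verify(account string, sig []byte) error {
	ch, ok := s.pending[account]
	if !ok {
		return errors.New("no outstanding challenge")
	}
	delete(s.pending, account)
	if time.Now().After(ch.expires) {
		return errors.New("challenge expired")
	}
	if pub, ok := s.tokenKeys[account]; !ok || !ed25519.Verify(pub, ch.data, sig) {
		return errors.New("second factor failed")
	}
	return nil
}

// TokenDevice stands in for the smart terminal or U2F token: no network access, it only signs what it scanned (claim 8).
type TokenDevice struct{ priv ed25519.PrivateKey }

func NewTokenDevice() (TokenDevice, ed25519.PublicKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err) // constructed example: a failing system RNG is unrecoverable here
	}
	return TokenDevice{priv: priv}, pub
}

func (t TokenDevice) Sign(data []byte) []byte { return ed25519.Sign(t.priv, data) }

// RunLogin drives steps 701..705 end to end. Base64 text stands in for the two-dimensional codes' payloads.
func RunLogin(s *Server, tok TokenDevice, account, password string) error {
	data, err := s.Login(account, password)
	if err != nil {
		return err
	}
	// The terminal shows data as the first code (703); the token device scans it and signs it.
	secondCode := base64.StdEncoding.EncodeToString(tok.Sign(data)) // token device displays the second code
	sig, err := base64.StdEncoding.DecodeString(secondCode)         // terminal scans it (704)
	if err != nil {
		return err
	}
	return s.Verify(account, sig) // terminal submits the signature, server decides (705)
}

func main() {
	var srv Server
	tok, pub := NewTokenDevice()
	srv.Register("alice", "correct horse", pub)
	fmt.Println(RunLogin(&srv, tok, "alice", "correct horse"), RunLogin(&srv, tok, "alice", "nope"))
}
```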
It should be noted that the execution subjects of the steps of the methods provided in the above embodiments may be the same device, or different devices may be used as the execution subjects of the methods. For example, the execution subjects of steps 301 to 304 may be device a; for another example, the execution subject of steps 301 and 302 may be device a, and the execution subject of step 303 may be device B; and so on.
In addition, in some of the flows described in the above embodiments and the drawings, a plurality of operations are included in a specific order, but it should be clearly understood that the operations may be executed out of the order presented herein or in parallel, and the sequence numbers of the operations, such as 401, 402, etc., are merely used to distinguish various operations, and the sequence numbers themselves do not represent any execution order. Additionally, the flows may include more or fewer operations, and the operations may be performed sequentially or in parallel. It should be noted that, the descriptions of "first", "second", etc. in this document are used for distinguishing different messages, devices, modules, etc., and do not represent a sequential order, nor limit the types of "first" and "second" to be different.
As will be appreciated by one skilled in the art, embodiments of the present invention may be provided as a method, system, or computer program product. Accordingly, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present invention may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present invention is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the invention. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
In a typical configuration, a computing device includes one or more processors (CPUs), input/output interfaces, network interfaces, and memory.
The memory may include forms of volatile memory in a computer readable medium, Random Access Memory (RAM) and/or non-volatile memory, such as Read Only Memory (ROM) or flash memory (flash RAM). Memory is an example of a computer-readable medium.
Computer-readable media, including both permanent and non-permanent, removable and non-removable media, may implement information storage by any method or technology. The information may be computer readable instructions, data structures, modules of a program, or other data. Examples of computer storage media include, but are not limited to, phase change memory (PRAM), Static Random Access Memory (SRAM), Dynamic Random Access Memory (DRAM), other types of Random Access Memory (RAM), Read Only Memory (ROM), Electrically Erasable Programmable Read Only Memory (EEPROM), flash memory or other memory technology, compact disc read only memory (CD-ROM), Digital Versatile Discs (DVD) or other optical storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other non-transmission medium that can be used to store information that can be accessed by a computing device. As defined herein, a computer readable medium does not include a transitory computer readable medium such as a modulated data signal and a carrier wave.
It should also be noted that the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other like elements in a process, method, article, or apparatus that comprises the element.
The above description is only an example of the present application and is not intended to limit the present application. Various modifications and changes may occur to those skilled in the art. Any modification, equivalent replacement, improvement, etc. made within the spirit and principle of the present application should be included in the scope of the claims of the present application.

Claims (25)

1. An authentication method applied to a first device, the method comprising:
sending an authentication request to a server, wherein the authentication request carries a first authentication parameter so that the server can perform first factor authentication on the first equipment;
receiving a second authentication parameter returned by the server, wherein the second authentication parameter is generated after the first equipment is authenticated by a first factor;
converting the second authentication parameter into first visual information and outputting the first visual information so that the second equipment signs the second authentication parameter and converts the signature data into second visual information and then outputs the second visual information;
and acquiring the second visual information, analyzing the signature data from the second visual information and sending the signature data to the server so that the server can perform second factor authentication on the first equipment based on the signature data.
2. The method according to claim 1, wherein the converting and outputting the second authentication parameter into the first visual information comprises:
converting the second authentication parameter into a bar code, and displaying the bar code on a screen of the first equipment; or
Converting the second authentication parameter into screen flash control information, and controlling a screen of the first device to flash according to the screen flash control information; or
And converting the second authentication parameter into signal lamp control information, and controlling a signal lamp of the first device to flicker according to the signal lamp control information.
3. The method of claim 1 or 2, wherein the first device is installed with a main program and an auxiliary program; the converting and outputting the second authentication parameter into first visual information comprises:
after receiving the second authentication parameter, the main program sends an HID request on an HID interface of the first equipment;
and the auxiliary program monitors the HID interface, and converts the second authentication parameter into the first visual information and outputs the first visual information when monitoring the HID request.
4. The method according to claim 1 or 2, wherein the collecting the second visual information by the camera and the analyzing the signature data from the second visual information comprise:
if the second visual information is the bar code, the bar code is scanned by using a camera, and the signature data is analyzed from the scanned bar code.
5. The method according to claim 1 or 2, characterized in that the second device is a smart terminal or a U2F token device.
6. An authentication method applied to a second device, comprising:
acquiring first visual information output by first equipment, wherein the first visual information is obtained by converting according to a second authentication parameter issued by a server after the first equipment is authenticated by a first factor;
analyzing the second authentication parameter from the first visual information, and signing the second authentication parameter to obtain signature data;
and converting the signature data into second visual information and outputting the second visual information so that the first equipment can send the signature data to the server to carry out second factor authentication on the first equipment.
7. The method of claim 6, wherein acquiring the first visual information output by the first device comprises:
if the first visual information is a bar code, scanning the bar code by using a camera;
the analyzing the second authentication parameter from the first visual information includes:
and analyzing the second authentication parameter from the scanned bar code.
8. The method of claim 6, wherein said signing the second authentication parameter to obtain signature data comprises:
sending the second authentication parameter to a security module in the second device, so that the security module signs the second authentication parameter by using a local private key to obtain signature data; and
and receiving the signature data returned by the security module.
9. The method of claim 8, wherein the security module is a TEE or a SE.
10. The method of claim 6, wherein converting the signature data into second visual information and outputting the second visual information comprises:
converting the signature data into a bar code, and displaying the bar code on a screen of the second equipment; or
Converting the signature data into screen flash control information, and controlling a screen of the second device to flash according to the screen flash control information; or
And converting the signature data into signal lamp control information, and controlling a signal lamp of the second equipment to flicker according to the signal lamp control information.
11. An authentication method applied to a first device, the method comprising:
sending an authentication request to a server, wherein the authentication request carries a first authentication parameter so that the server can perform first factor authentication on the first equipment;
receiving a second authentication parameter returned by the server, wherein the second authentication parameter is generated after the first equipment is authenticated by a first factor;
converting the second authentication parameter into a first sound wave signal and outputting the first sound wave signal, so that the second equipment signs the second authentication parameter and converts the signature data into a second sound wave signal and outputs the second sound wave signal;
and acquiring the second acoustic signal, analyzing the signature data from the second acoustic signal and sending the signature data to the server so as to enable the server to perform second factor authentication based on the signature data.
12. An authentication method applied to a second device, comprising:
acquiring a first sound wave signal sent by first equipment; the first sound wave signal is obtained by converting a second authentication parameter issued by the server after the first equipment is authenticated by a first factor;
analyzing the second authentication parameter from the first sound wave signal, and signing the second authentication parameter to obtain signature data;
and converting the signature data into a second sound wave signal and outputting the second sound wave signal, so that the first equipment sends the signature data to the server to perform second factor authentication on the first equipment.
13. A login method is suitable for terminal equipment, and is characterized by comprising the following steps:
responding to a login operation sent by a user, and sending a login request to a server, wherein the login request carries an account and a password;
receiving data to be signed returned by the server, wherein the data to be signed is generated by the server after the account and the password are verified;
converting the data to be signed into a first two-dimensional code and displaying the first two-dimensional code so that the token equipment can scan the first two-dimensional code to obtain the data to be signed;
scanning a second two-dimensional code displayed by the token equipment to acquire signature data; the second two-dimensional code is obtained by converting signature data obtained by signing the data to be signed by the token equipment;
and sending the signature data to a server for the server to determine a login result of the terminal device based on the signature data.
14. A payment method is applicable to terminal equipment and is characterized by comprising the following steps:
responding to a payment operation sent by a user, and sending a payment request to a server, wherein the payment request carries a payment account and a payment password;
receiving data to be signed returned by the server, wherein the data to be signed is generated by the server after the payment account and the payment password are verified;
converting the data to be signed into a first two-dimensional code and displaying the first two-dimensional code so that the token equipment can scan the first two-dimensional code to obtain the data to be signed;
scanning a second two-dimensional code displayed by the token equipment to acquire signature data; the second two-dimensional code is obtained by converting signature data obtained by signing the data to be signed by the token equipment;
and sending the signature data to a server for the server to determine whether to deduct fees from the payment account according to the payment password based on the signature data.
15. A computer device, comprising: a memory, a processor, a communication component and a camera; wherein:
the memory for storing a computer program;
the processor, coupled with the memory, to execute the computer program to:
sending an authentication request to a server through the communication component, wherein the authentication request carries a first authentication parameter so that the server can perform first factor authentication on the first equipment;
receiving a second authentication parameter returned by the server through the communication component, wherein the second authentication parameter is generated after the first equipment is authenticated through a first factor by the server;
converting the second authentication parameter into first visual information and outputting the first visual information so that the second equipment signs the second authentication parameter and converts the signature data into second visual information and then outputs the second visual information;
and acquiring the second visual information by using the camera, analyzing the signature data from the second visual information and sending the signature data to the server so that the server can perform second factor authentication on the first equipment based on the signature data.
16. A computer-readable storage medium, in which a computer program is stored which, when being executed by a processor, causes the processor to carry out the steps of the method according to any one of claims 1 to 5.
17. A computer device, comprising: a memory, a processor and a camera;
the memory for storing a computer program;
the processor, coupled with the memory, to execute the computer program to:
acquiring first visual information output by first equipment by using the camera, wherein the first visual information is obtained by converting according to a second authentication parameter issued by a server after the first equipment passes first factor authentication;
analyzing the second authentication parameter from the first visual information, and signing the second authentication parameter to obtain signature data;
and converting the signature data into second visual information and outputting the second visual information so that the first equipment can send the signature data to the server to carry out second factor authentication on the first equipment.
18. The computer device of claim 17, further comprising: a security module and a communication component; when the processor signs the second authentication parameter to obtain signature data, the processor is specifically configured to:
sending the second authentication parameter to a security module in the second device through the communication component, so that the security module signs the second authentication parameter by using a local private key to obtain signature data; and
receiving, by the communication component, the signature data returned by the security module.
19. The computer device of claim 18, wherein the security module is a TEE or a SE.
20. A computer-readable storage medium having a computer program stored thereon, which, when executed by a processor, causes the processor to carry out the steps of the method according to any one of claims 6 to 10.
21. An authentication system, comprising: a first device, a second device and a server; wherein:
the first device to: sending an authentication request to the server, wherein the authentication request carries a first authentication parameter; receiving a second authentication parameter returned by the server; converting the second authentication parameter into first visual information and outputting the first visual information; acquiring second visual information output by the second equipment, analyzing signature data from the second visual information and sending the signature data to the server;
the second device to: collecting first visual information output by the first equipment; analyzing the second authentication parameter from the first visual information, and signing the second authentication parameter to obtain signature data; converting the signature data into second visual information and outputting the second visual information;
the server is configured to: performing first factor authentication on the first equipment based on a first authentication parameter in an authentication request sent by the first equipment, and issuing a second authentication parameter to the first equipment after the first equipment passes the first factor authentication; and performing second factor authentication on the first device based on the signature data sent by the first device.
22. A computer device, comprising: a memory, a processor, a communication component, and an audio component;
the memory for storing a computer program;
the processor, coupled with the memory, to execute the computer program to:
sending an authentication request to a server through the communication component, wherein the authentication request carries a first authentication parameter so that the server can perform first factor authentication on the first equipment;
receiving a second authentication parameter returned by the server through the communication component, wherein the second authentication parameter is generated after the first equipment is authenticated through a first factor by the server;
converting the second authentication parameter into a first sound wave signal and outputting the first sound wave signal through the audio component, so that the second equipment signs the second authentication parameter and converts the signature data into a second sound wave signal and outputs the second sound wave signal;
and acquiring the second acoustic signal by using the audio component, analyzing the signature data from the second acoustic signal and sending the signature data to the server so as to enable the server to perform second factor authentication based on the signature data.
23. A computer-readable storage medium, in which a computer program is stored which, when being executed by a processor, causes the processor to carry out the steps of the method as claimed in claim 11.
24. A computer device, comprising: a memory, a processor, and an audio component;
the memory for storing a computer program;
the processor, coupled with the memory, to execute the computer program to:
acquiring a first sound wave signal sent by first equipment by using the audio component; the first sound wave signal is obtained by converting a second authentication parameter issued by the server after the first equipment passes the first factor authentication;
analyzing the second authentication parameter from the first sound wave signal, and signing the second authentication parameter to obtain signature data;
and converting the signature data into a second sound wave signal and outputting the second sound wave signal through the audio component, so that the first device sends the signature data to the server to perform second factor authentication on the first device.
25. A computer-readable storage medium, in which a computer program is stored which, when being executed by a processor, causes the processor to carry out the steps of the method as claimed in claim 12.
CN201910017052.2A 2019-01-08 2019-01-08 Authentication method, device, system and storage medium Active CN111414604B (en)
Publications (2)

Publication Number Publication Date
CN111414604A true CN111414604A (en) 2020-07-14
CN111414604B CN111414604B (en) 2023-10-03

Family

ID=71494723

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201910017052.2A Active CN111414604B (en) 2019-01-08 2019-01-08 Authentication method, device, system and storage medium

Country Status (1)

Country Link
CN (1) CN111414604B (en)

Patent Citations (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20120016731A1 (en) * 2010-07-19 2012-01-19 Randy Smith Mobile system and method for payments and non-financial transactions
CN103078862A (en) * 2013-01-06 2013-05-01 广州市建乔自动化科技有限公司 Two-dimensional code dual-factor authentication system and method, terminal equipment and server
WO2016013924A1 (en) * 2014-07-25 2016-01-28 Mimos Berhad System and method of mutual authentication using barcode
CN204360380U (en) * 2014-12-25 2015-05-27 北京握奇智能科技有限公司 A kind of ID authentication device
CN105809419A (en) * 2014-12-29 2016-07-27 北京握奇智能科技有限公司 Online banking transaction system
CN105809433A (en) * 2014-12-29 2016-07-27 北京握奇智能科技有限公司 Online banking transaction method
CN105515783A (en) * 2016-02-05 2016-04-20 中金金融认证中心有限公司 Identity authentication method, server and authentication terminal
EP3206151A1 (en) * 2016-02-15 2017-08-16 Bundesdruckerei GmbH Method and system for authenticating a mobile telecommunication terminal on a service computer system and mobile telecommunication terminal
CN107689944A (en) * 2016-08-05 2018-02-13 阿里巴巴集团控股有限公司 Identity identifying method, device and system
CN108282472A (en) * 2018-01-16 2018-07-13 上海众人网络安全技术有限公司 A kind of WIFI authentication methods, device, server and storage medium

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
吴邱涵;胡卫;: "Design of a mobile-terminal identity authentication protocol based on the SM2 algorithm and blockchain", Chinese Journal of Network and Information Security (网络与信息安全学报), no. 09, pages 64 - 69 *

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114826792A (en) * 2022-07-01 2022-07-29 北京蔚领时代科技有限公司 Audio-based authentication transfer method, device, equipment and readable storage medium
CN114826792B (en) * 2022-07-01 2022-09-09 北京蔚领时代科技有限公司 Audio-based authentication transfer method, device, equipment and readable storage medium

Also Published As

Publication number Publication date
CN111414604B (en) 2023-10-03

Similar Documents

Publication Publication Date Title
US9038910B2 (en) Method and apparatus for executing user action commands
CN106487762B (en) user identity recognition method, identity recognition application client and server
CN112001402A (en) Identity authentication method, device and system
KR20080047730A (en) Log-in method using a image-code, and terminal thereof
WO2020140737A1 (en) Display adjustment method and apparatus for strip-shaped electronic shelf label
JP2020521218A (en) Information scan identification system, method and scan terminal
KR102196365B1 (en) Security device for mobile device
WO2023045536A1 (en) Information display
KR20170017229A (en) User equipment, service providing device, POS terminal, payment system comprising the same, control method thereof and computer readable medium having computer program recorded therefor
JP7071776B2 (en) Information transmission / reception method, device and system using QR code
CN112491861A (en) Login state synchronization method, device and storage medium
CN111414604B (en) Authentication method, device, system and storage medium
US9654905B2 (en) Enabling near field communications using indicators
CN104125205A (en) Communication account login method, system and terminal
CN107534860A (en) Wi-Fi hotspot portal authentication method and device
CN109587113A (en) A kind of equipment correlating method, equipment and storage medium
CN110933014B (en) Cloud service access method, device and computer-readable storage medium
CN108601064B (en) Method for providing and acquiring related information of wireless access point
CN110009445A (en) Competition for orders method, equipment and storage medium
US20160371677A1 (en) Electronic device and output device short range communication pairing system and method
CN112884102A (en) Management method and management system for two-dimension code of composite enterprise
KR20130005525A (en) Terminal capable of creating and circulating two-dimensional barcode, and method for creating and circulating two-dimensional barcode in a terminal
CN109978441A (en) Vehicle selection method, equipment and storage medium
KR102594097B1 (en) User equipment, service providing device, payment system comprising the same, control method thereof and computer readable medium having computer program recorded thereon
WO2023103258A1 (en) Qr code scanning method, apparatus, and device, storage medium, and program product

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant