CN111654468A - Secret-free login method, device, equipment and storage medium - Google Patents


Info

Publication number: CN111654468A
Authority: CN (China)
Application number: CN202010359194.XA
Legal status: Pending
Other languages: Chinese (zh)
Inventor: 梁庭宾
Assignee (current and original): Ping An International Smart City Technology Co Ltd
Prior art keywords: client, user, authentication, information, login

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L 63/0807 Network architectures or network communication protocols for network security for authentication of entities using tickets, e.g. Kerberos
    • H04L 63/0861 Network architectures or network communication protocols for network security for authentication of entities using biometrical features, e.g. fingerprint, retina-scan
    • H04L 63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L 63/102 Entity profiles
    • H04L 63/105 Multiple levels of security


Abstract

The invention relates to artificial intelligence and discloses a password-free login method, device, equipment and storage medium. The password-free login method comprises the following steps: when a first client is redirected to a preset authentication authorization page, receiving a user login request carrying identification information, initiated by the first client; generating a corresponding two-dimensional code from the identification information and displaying it on the authentication authorization page; receiving a user authentication request initiated by a second client after it scans the two-dimensional code; determining from the user authentication request whether the second client has authorized password-free login to the first client; if it has, determining that the password-free login authorization is successful, and otherwise performing biometric authentication on the user corresponding to the second client to determine that the password-free login authorization is successful; and generating a user information acquisition code corresponding to the second client and returning it to the first client, so as to simplify the user's password-free login to each website/APP. In addition, the invention also relates to blockchain technology: the information can be stored in blockchain nodes.

Description

Secret-free login method, device, equipment and storage medium
Technical Field
The invention relates to the field of artificial intelligence and network security, and in particular to a password-free login method, device, equipment and storage medium.
Background
In the twenty-first century, the century of the internet, everyone needs to log in to various websites and APPs every day. A good login and authentication experience can greatly improve user experience and user satisfaction.
There are two traditional authentication approaches: either the website/APP implements its own user authentication system, or the user logs in with a social account such as QQ or WeChat. Both have problems. With the former, different accounts and passwords must be registered for different websites/APPs and login is performed with those accounts and passwords, so password-free login is essentially impossible. With the latter, social account login is built on the OAuth protocol, which is an authorization protocol rather than an authentication protocol, so the user still has to log in with a password or be authenticated with a mobile phone number at the same time. Both login methods are cumbersome to operate.
Disclosure of Invention
The main object of the invention is to solve the problem that existing login methods are cumbersome to operate.
In a first aspect, the invention provides a password-free login method comprising the following steps:
when a first client is redirected to a preset authentication authorization page, receiving and parsing a user login request initiated by the first client to obtain identification information of the first client;
generating a corresponding two-dimensional code from the identification information of the first client and displaying it on the authentication authorization page, to be scanned by a second client;
receiving a user authentication request initiated by the second client after it scans and parses the two-dimensional code; determining from the user authentication request whether the second client has authorized password-free login to the first client;
if the second client has authorized password-free login to the first client, determining that the password-free login authorization is successful; if the second client has not authorized password-free login to the first client, performing biometric authentication on the user corresponding to the second client and, if the authentication passes, determining that the password-free login authorization is successful;
and if the password-free login authorization is successful, generating a user information acquisition code corresponding to the second client and returning it to the first client, in response to the user login request initiated by the first client, so that the first client can obtain the user information corresponding to the second client using the user information acquisition code.
Optionally, in a first implementation of the first aspect of the invention, before the step of receiving and parsing a user login request initiated by a first client when the first client is redirected to a preset authentication authorization page, to obtain identification information of the first client, the method further comprises:
receiving a registration request initiated by the first client, the registration request comprising registration information and access security level information of the first client;
and generating an identity ID and a secret key for the first client from the registration request and returning them to the first client, the identity ID and the secret key uniquely identifying the first client.
Optionally, in a second implementation of the first aspect of the invention, before the step of receiving and parsing a user login request initiated by a first client when the first client is redirected to a preset authentication authorization page, to obtain identification information of the first client, the method further comprises:
receiving an initialization request carrying user registration information of the second client, and storing the user registration information;
returning biometric acquisition prompt information to the second client in response to the initialization request, to prompt the user to enter biometric information;
and receiving and storing the biometric information sent by the second client, and returning an initialization result to the second client.
Optionally, in a third implementation of the first aspect of the invention, determining from the user authentication request whether the second client has authorized password-free login to the first client comprises:
parsing the user authentication request to obtain first client identification information and second client identification information;
determining whether the local server stores a binding record of the first client identification information and the second client identification information; if the local server does not store the binding record, determining that the second client has not authorized password-free login to the first client;
and if the local server stores the binding record, determining that the second client has authorized password-free login to the first client.
Optionally, in a fourth implementation of the first aspect of the invention, if the second client has not authorized password-free login to the first client, performing biometric authentication on the user corresponding to the second client and, if the authentication passes, determining that the password-free login authorization is successful comprises:
if the second client has not authorized password-free login to the first client, reading the access security level information of the first client stored in the local server;
determining the security level of the first client from the access security level information;
if the security level of the first client is greater than a preset security level, prompting the second client to perform biometric authentication of the corresponding user;
and receiving and authenticating the user biometric information returned by the second client and, if the authentication passes, determining that the password-free login authorization is successful and generating and storing a binding record of the first client identification information and the second client identification information.
Optionally, in a fifth implementation of the first aspect of the invention, receiving and authenticating the user biometric information returned by the second client and, if the authentication passes, determining that the password-free login authorization is successful and generating and storing a binding record of the first client identification information and the second client identification information comprises:
receiving the user biometric information returned by the second client as first iris feature information, and counting the feature values of the first iris feature information to obtain their number $n$;
calculating the mean of each feature value of the first iris feature information to obtain the mean feature vector $f = (f_1, f_2, f_3, \ldots, f_n)^T$, where $f_i$ ($i = 1, \ldots, n$) is the $i$-th mean feature and $n$ is a positive integer;
reading the iris feature information stored in the local server when the second client registered as second iris feature information, and calculating the feature mean and feature variance of the second iris feature information;
calculating a difference parameter between the first iris feature information and the second iris feature information with the following formula
Figure BDA0002474468960000031
where $f'_i$ ($i = 1, 2, 3, \ldots, N$) is the feature mean of the $i$-th feature value of the second iris feature information, $N$ is a positive integer, and $g'_i$ is the feature variance of the $i$-th feature value of the second iris feature information;
determining whether the value of the difference parameter is smaller than a preset difference parameter value;
if the value of the difference parameter is smaller than the preset difference parameter value, judging that the iris feature matching authentication has passed;
and if the iris feature matching authentication has passed, determining that the password-free login authorization is successful and generating and storing a binding record of the first client identification information and the second client identification information.
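The fifth implementation above describes iris matching as a comparison of a fresh mean feature vector against per-feature means and variances stored at registration, with a threshold on a difference parameter. The following is an added example, not the patent's code: because the page's own formula is not reproduced here, the distance it computes is an assumed variance-normalised squared distance, and the threshold, the variance floor and the sample captures are constructed for the example.

```python
"""Added example, not the patent's code: iris template matching in the shape the text
describes (mean feature vector f from fresh captures, stored per-feature means f'_i and
variances g'_i, a difference parameter compared with a preset value). The page's own
formula is not reproduced here, so the distance used below is an assumed stand-in."""
from statistics import mean, pvariance
from typing import List, Sequence, Tuple

PRESET_DIFFERENCE = 1.0   # assumed preset difference parameter value
VARIANCE_FLOOR = 1e-3     # assumed: keeps a near-constant feature from dominating the sum


def _columns(captures: Sequence[Sequence[float]]) -> List[Tuple[float, ...]]:
    """Transposes captures to per-feature columns; every capture must carry n feature values."""
    n = len(captures[0])
    if n == 0 or any(len(c) != n for c in captures):
        raise ValueError("every capture must carry the same non-zero number of feature values")
    return list(zip(*captures))


def enroll_template(captures):
    """Stored at registration (second iris feature information): mean f'_i and variance g'_i per feature."""
    cols = _columns(captures)
    return [mean(c) for c in cols], [pvariance(c) for c in cols]


def mean_feature_vector(captures) -> List[float]:
    """f = (f_1, ..., f_n)^T: mean of each feature value over the fresh captures."""
    return [mean(c) for c in _columns(captures)]


def difference_parameter(f, means, variances) -> float:
    """Assumed distance: sum over i of (f_i - f'_i)^2 / max(g'_i, VARIANCE_FLOOR)."""
    if not len(f) == len(means) == len(variances):
        raise ValueError("feature count of capture and template differ")
    return sum((fi - mi) ** 2 / max(vi, VARIANCE_FLOOR) for fi, mi, vi in zip(f, means, variances))


def iris_match(captures, template, preset=PRESET_DIFFERENCE) -> bool:
    """Authentication passes only when the difference parameter is below the preset value."""
    means, variances = template
    return difference_parameter(mean_feature_vector(captures), means, variances) < preset


# Constructed data: three enrolment captures of four feature values each.
ENROLMENT = [[0.50, 0.20, 0.80, 0.10], [0.52, 0.22, 0.78, 0.10], [0.48, 0.18, 0.82, 0.10]]
TEMPLATE = enroll_template(ENROLMENT)
GENUINE = [[0.52, 0.22, 0.78, 0.10], [0.50, 0.20, 0.80, 0.10]]   # same eye, two fresh captures
IMPOSTOR = [[0.60, 0.30, 0.70, 0.20]]
```

The fourth feature is constant across enrolment, so its stored variance is zero; without the floor any deviation in that feature would divide by zero and make the parameter infinite, which is why a minimum variance is applied before normalising. The preset value trades false rejections against false acceptances, so in practice it is tuned on measured genuine and impostor distributions rather than fixed as here.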
Optionally, in a sixth implementation of the first aspect of the invention, after generating a user information acquisition code corresponding to the second client if the password-free login authorization is successful and returning it to the first client, in response to the user login request initiated by the first client, so that the first client can obtain the user information corresponding to the second client using the user information acquisition code, the method further comprises:
receiving a user identity token request carrying the user information acquisition code, initiated by the first client;
generating a user identity token carrying user identity identification information from the user information acquisition code, and returning it to the first client;
receiving a user information acquisition request carrying the user identity token, initiated by the first client;
and determining the password-free login user information corresponding to the user identity token and returning it to the first client.
In a second aspect, the invention provides a password-free login apparatus comprising:
a receiving module for receiving and parsing a user login request initiated by a first client when the first client is redirected to a preset authentication authorization page, to obtain identification information of the first client;
a coding module for generating a corresponding two-dimensional code from the identification information of the first client and displaying it on the authentication authorization page, to be scanned by a second client;
a parsing module for receiving a user authentication request initiated by the second client after it scans and parses the two-dimensional code;
an authorization module for determining from the user authentication request whether the second client has authorized password-free login to the first client; if the second client has authorized password-free login to the first client, determining that the password-free login authorization is successful; if the second client has not authorized password-free login to the first client, performing biometric authentication on the user corresponding to the second client and, if the authentication passes, determining that the password-free login authorization is successful;
and a distribution module for generating, if the password-free login authorization is successful, a user information acquisition code corresponding to the second client and returning it to the first client, in response to the user login request initiated by the first client, so that the first client can obtain the user information corresponding to the second client using the user information acquisition code.
Optionally, in a first implementation of the second aspect of the invention, the apparatus further comprises a registration module configured to:
receive a registration request initiated by the first client, the registration request comprising registration information and access security level information of the first client;
and generate an identity ID and a secret key for the first client from the registration request and return them to the first client, the identity ID and the secret key uniquely identifying the first client.
Optionally, in a second implementation of the second aspect of the invention, the apparatus further comprises an initialization module configured to:
receive an initialization request carrying user registration information of the second client, and store the user registration information;
return biometric acquisition prompt information to the second client in response to the initialization request, to prompt the user to enter biometric information;
and receive and store the biometric information sent by the second client, and return an initialization result to the second client.
Optionally, in a third implementation of the second aspect of the invention, the authorization module is configured to:
parse the user authentication request to obtain first client identification information and second client identification information;
determine whether the local server stores a binding record of the first client identification information and the second client identification information;
if the local server does not store the binding record, determine that the second client has not authorized password-free login to the first client;
and if the local server stores the binding record, determine that the second client has authorized password-free login to the first client.
Optionally, in a fourth implementation of the second aspect of the invention, the authorization module is further configured to:
if the second client has not authorized password-free login to the first client, read the access security level information of the first client stored in the local server;
determine the security level of the first client from the access security level information;
if the security level of the first client is greater than a preset security level, prompt the second client to perform biometric authentication of the corresponding user;
and receive and authenticate the user biometric information returned by the second client and, if the authentication passes, determine that the password-free login authorization is successful and generate and store a binding record of the first client identification information and the second client identification information.
Optionally, in a fifth implementation of the second aspect of the invention, the authorization module further comprises a biometric unit configured to:
receive the user biometric information returned by the second client as first iris feature information, and count the feature values of the first iris feature information to obtain their number $n$;
calculate the mean of each feature value of the first iris feature information to obtain the mean feature vector $f = (f_1, f_2, f_3, \ldots, f_n)^T$, where $f_i$ ($i = 1, \ldots, n$) is the $i$-th mean feature and $n$ is a positive integer;
read the iris feature information stored in the local server when the second client registered as second iris feature information, and calculate the feature mean and feature variance of the second iris feature information;
calculate a difference parameter between the first iris feature information and the second iris feature information with the following formula
Figure BDA0002474468960000061
where $f'_i$ ($i = 1, 2, 3, \ldots, N$) is the feature mean of the $i$-th feature value of the second iris feature information, $N$ is a positive integer, and $g'_i$ is the feature variance of the $i$-th feature value of the second iris feature information;
determine whether the value of the difference parameter is smaller than a preset difference parameter value;
if the value of the difference parameter is smaller than the preset difference parameter value, judge that the iris feature matching authentication has passed;
and if the iris feature matching authentication has passed, determine that the password-free login authorization is successful and generate and store a binding record of the first client identification information and the second client identification information.
Optionally, in a sixth implementation of the second aspect of the invention, the apparatus further comprises a pushing module configured to:
receive a user identity token request carrying the user information acquisition code, initiated by the first client;
generate a user identity token carrying user identity identification information from the user information acquisition code, and return it to the first client;
receive a user information acquisition request carrying the user identity token, initiated by the first client;
and determine the password-free login user information corresponding to the user identity token and return it to the first client.
In a third aspect, the invention provides a password-free login device comprising a memory storing instructions and at least one processor, the memory and the at least one processor being interconnected by a line; the at least one processor invokes the instructions in the memory to cause the password-free login device to perform the password-free login method described above.
In a fourth aspect, the invention provides a computer-readable storage medium comprising a stored data area, which stores data created according to the use of blockchain nodes, and a stored program area, which stores a computer program; when executed by a processor, the computer program implements the password-free login method described above.
In the technical solution provided by the invention, when a first client is redirected to a preset authentication authorization page, a user login request initiated by the first client is received and parsed to obtain identification information of the first client; a corresponding two-dimensional code is generated from the identification information of the first client and displayed on the authentication authorization page, to be scanned by a second client; a user authentication request initiated by the second client after it scans and parses the two-dimensional code is received; it is determined from the user authentication request whether the second client has authorized password-free login to the first client; if the second client has authorized password-free login to the first client, the password-free login authorization is determined to be successful; if the second client has not authorized password-free login to the first client, biometric authentication is performed on the user corresponding to the second client and, if the authentication passes, the password-free login authorization is determined to be successful; and if the password-free login authorization is successful, a user information acquisition code corresponding to the second client is generated and returned to the first client, in response to the user login request initiated by the first client, so that the first client can obtain the user information corresponding to the second client using the user information acquisition code. In the embodiment of the invention, cumbersome login operations are avoided, and fully password-free login from the password-free login system to other platforms is realized directly.
Drawings
FIG. 1 is a diagram of an embodiment of the password-free login method in an embodiment of the invention;
FIG. 2 is a diagram of another embodiment of the password-free login method in an embodiment of the invention;
FIG. 3 is a diagram of an embodiment of the password-free login apparatus in an embodiment of the invention;
FIG. 4 is a schematic diagram of another embodiment of the password-free login apparatus in an embodiment of the invention;
FIG. 5 is a schematic diagram of an embodiment of the password-free login device in an embodiment of the invention.
Detailed Description
The embodiment of the invention provides a password-free login method, device, equipment and storage medium. After the user clicks login on a login client, a two-dimensional code of the login client is displayed on an authentication authorization page, to be scanned by a second client, which then performs biometric authentication and user-click authorization for the login client. If the second client has already authorized the login client, login proceeds directly without authentication and authorization; if the second client has not authorized the login client, initial authentication and authorization are required, after which subsequent logins proceed directly, so that the second client can log in to the first client without a password.
The terms "first," "second," "third," "fourth," and the like in the description and in the claims, as well as in the drawings, if any, are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order. It will be appreciated that the data so used may be interchanged under appropriate circumstances such that the embodiments described herein may be practiced otherwise than as specifically illustrated or described herein. Furthermore, the terms "comprises," "comprising," or "having," and any variations thereof, are intended to cover non-exclusive inclusions, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed, but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
For convenience of understanding, a detailed flow of an embodiment of the present invention is described below, and referring to fig. 1, an embodiment of a secret-less login method in an embodiment of the present invention includes:
101. when a first client is redirected to a preset authentication authorization page, receiving and analyzing a user login request initiated by the first client to obtain identification information of the first client;
in this embodiment, it is understood that the execution subject of the present invention may be a secret login-free device, and may also be a terminal or a server, which is not limited herein. In order to realize the password-free login client, a special authentication server is constructed to authenticate, authorize and log in the account of the client and manage the account information. The authentication system takes OpenID Connect as an identity authentication protocol, comprises an authentication server and a second client, and the secret-free login method is explained through a specific implementation process of the authentication system for secret-free login of the first client.
In this embodiment, the first client may be a PC or a mobile terminal where a third-party website requesting for login without secret is located, and the second client is a mobile terminal where authentication software of the authentication system is located.
When a user logs in a first client, a login button displayed by the first client is clicked, and then the first client is redirected to an authentication authorization page, wherein the first client initiates a first user authentication request to an authentication server through the redirection process;
the authentication server accesses the login process of the first client by receiving the user login request. The first user authentication request contains identification information of the first client, such as a client _ id obtained when the first client registers in the authentication server.
102. Generating and displaying a corresponding two-dimensional code on the authentication authorization page based on the identification information of the first client so as to be scanned by a second client;
in the embodiment, the authentication client generates the unique two-dimensional code of the website by encoding the identification information of the website and displays the unique two-dimensional code on the authentication authorization page of the website; the user can use the authentication software to scan the two-dimensional code to access the authentication and authorization process of the website.
103. Receiving a user authentication request initiated after the second client scans and analyzes the two-dimensional code;
in this embodiment, the user authentication request is used to access an authentication process for a website, so as to subsequently guide a user to complete authentication and authorization. The two-dimension code is obtained by coding the identification information of the website, so that a user authentication request initiated by the authentication software after scanning the two-dimension code can be determined by the authentication server to access the authentication process of the website.
In this embodiment, the website displays the two-dimensional code, and the user scans the two-dimensional code by using the authentication software through the mobile terminal to send a user authentication request to the authentication server, during which the website remains unchanged, the mobile terminal is in a loading state, displays a blank page, and waits for feedback information of the user authentication request from the authentication server.
104. Judging, based on the user authentication request, whether the second client is authorized for password-free login to the first client;
In this embodiment, after the user has once authorized login to the website through the authentication software, the user can log in directly, without re-authorizing the website, within the validity period. Therefore, after the authentication software scans the two-dimensional code and initiates a user authentication request to the authentication server, it is determined whether the authentication account is authorized to log in to the website within the validity period.
In this embodiment, the identification information of the authentication account and the identification information of the website contained in the user authentication request are extracted, and it is checked whether a binding relationship between the two exists, so as to determine whether the authentication account has authorized the website. A binding validity date is written into the binding entry table of the authentication account and the website, and the binding is judged to be valid before that date.
105. If the second client has authorized password-free login to the first client, determining that the password-free login authorization is successful;
106. If the second client has not authorized password-free login to the first client, performing biometric authentication on the user corresponding to the second client, and if the authentication passes, determining that the password-free login authorization is successful;
In this embodiment, the manner in which the authentication server authorizes the website depends on the actual situation. If the current login account of the authentication software has already authorized password-free login to the website, the authorization of the website is completed directly; if it has not, initial authentication and authorization must be performed for the user, after which subsequent logins to the website do not need to be authenticated again. The authentication system performs password-free login to the third-party website by means of biometric authentication and authorization, which may include iris recognition, fingerprint recognition, face recognition and the like; depending on whether the user's mobile terminal is equipped with the relevant hardware and software, the user can enter biometric information through the camera of the mobile terminal or through a configured biometric reader. In addition, when the user logs in to the account of the authentication software, only biometric recognition is needed; neither an account password nor a mobile phone number with a verification code has to be entered.
In this embodiment, if the authentication account is authorized for password-free login to the website, the authentication software loads the authentication success interface as feedback on the user authentication request, automatically jumps to that interface, and finally displays a login success prompt.
If the authentication account is not authorized for password-free login to the website, or the authorization fails, the authentication software jumps to a biometric authentication page to guide the user through biometric authentication as feedback on the user authentication request, then jumps to the authorization page, and finally displays a login success prompt.
107. If the password-free login authorization is successful, generating a user information acquisition code corresponding to the second client, and returning the user information acquisition code to the first client, so as to respond to the user login request initiated by the first client and enable the first client to acquire the user information corresponding to the second client based on the user information acquisition code.
In this embodiment, after the authentication server has successfully authorized the password-free login of the website, a pass for directly acquiring the information of the corresponding user account from the authentication server must be issued to the website. The authentication server randomly generates a user information acquisition code for the website and returns it by redirecting back to the website, thereby feeding back the successful authorization result. The website can subsequently acquire the user information of the user through the user information acquisition code to complete the password-free login.
In this embodiment, if the authentication system successfully authorizes the website for password-free login, the website jumps directly from the authentication authorization page displaying the two-dimensional code back to the website home page, where the user interface of the authentication account in the website is displayed, and the authentication software interface displays a login success prompt.
In this embodiment, in step S10, the HTTP request initiated by the first client includes the preset redirection address and the final authentication method to be used after the password-free login authorization succeeds. The preset redirection address must be consistent with the redirection address reserved by the first client when it registered with the authentication server, so that the redirect can be performed.
In the embodiment of the invention, when a user logs in to a first client, an HTTP authentication request is initiated to an authentication server, and the authentication server parses the request and generates a two-dimensional code carrying the identification information of the first client; the second client initiates an authentication request to the authentication server by scanning the two-dimensional code, and requests the authentication server to judge whether it has authorized password-free login to the first client; if the second client has authorized the first client once, the authentication server does not need to authenticate the corresponding user again, and the second client directly authorizes password-free login to the first client; if the second client has not authorized the first client, the authentication server must authenticate the user, after which the second client authorizes password-free login to the first client and an authorization record is stored; the response that the HTTP authentication request initiated by the first client has passed is then returned to the first client carrying a user information acquisition code. The first client can also obtain the user information corresponding to the second client through the user information acquisition code. Through the embodiment, the second client can achieve password-free login to the first client. Therefore, the method can be applied to the field of system authentication in smart government affairs and promotes the construction of the smart city.
Referring to fig. 2, another embodiment of the method for accessing a service by multiple tenants in the embodiment of the present invention includes:
201. receiving a registration request initiated by the first client, wherein the registration request comprises registration information and access security level information of the first client;
202. and generating an identity ID and a secret key of the first client based on the registration request, and returning the identity ID and the secret key to the first client, wherein the identity ID and the secret key are used for uniquely identifying the first client.
In this embodiment, before the authentication server authenticates the third-party website, the third-party website must register with the authentication server and become a relying party of the authentication server's OpenID Connect protocol.
In this embodiment, the website developer enters the website host address, the authorized redirection address, the security level setting and other registration information, which are sent to the authentication server along with the registration request; the authentication server stores the registration information of the first client and uses it for verification when password-free login to the first client is subsequently performed.
In this embodiment, if the authentication server approves the registration request of the website, it generates the client_id and client_secret of the website and returns them to the website in response to the registration request. The client_id may be published to the whole network, while the client_secret is kept by the backend server of the website.
203. Receiving an initialization request with user registration information of the second client, and storing the user registration information;
204. returning biological characteristic acquisition prompt information to the second client based on the initialization request so as to prompt the user to enter the biological characteristic information;
205. and receiving and storing the biological characteristic information sent by the second client, and returning an initialization result to the second client.
In this embodiment, before the authentication server authenticates the third-party website, the user also needs to register an authentication account with the authentication server for password-free login to the third-party website. The registered user information is used to verify the user's real-name identity. The authentication server also generates an open id for the user, which uniquely identifies the user.
After the user opens the authentication software, a user information input interface is displayed; the user enters personal information including the account name, account password, associated e-mail address, associated mobile phone number and the like as instructed, and clicks the register button to initiate an authentication account initialization request to the authentication server.
In this embodiment, when the user registers the authentication account in the authentication system, the user needs to enter the biometric information for subsequent password-free login to the authentication account and the password-free login to the third-party website in addition to entering the personal information.
After the user clicks the 'register' button, the authentication server returns prompt information such as the text 'please enter biometric information' and a 'biometric' icon to the second client for display; the user enters the biometric information as indicated on the interface and clicks the submit button to complete the entry, where the biometric information includes iris feature information, fingerprint feature information, voiceprint feature information and the like. If the user enters the biometric information with a separately configured biometric reader, the reader must first be bound through a local area network or a wireless network; if the user enters it with the built-in device of the mobile phone, it can be entered directly.
In this embodiment, the authentication server receives and stores the user biometric information entered by the user through the second client, so as to perform biometric authentication on the user when the user logs in the authentication account and the third-party website without password. Then, an initialization result of successful registration is returned to the second client, and a registration success prompt message is displayed on the display screen to inform the user that the registration is completed, such as "successful registration".
206. When a first client is redirected to a preset authentication authorization page, receiving and analyzing a user login request initiated by the first client to obtain identification information of the first client;
207. generating and displaying a corresponding two-dimensional code on the authentication authorization page based on the identification information of the first client so as to be scanned by a second client;
208. Receiving a user authentication request initiated after the second client scans and parses the two-dimensional code;
209. Judging, based on the user authentication request, whether the second client is authorized for password-free login to the first client;
In this embodiment, whether the second client is authorized for password-free login to the first client is determined from the user authentication request as follows:
parsing the user authentication request to obtain first client identification information and second client identification information;
judging whether the local server stores a binding record of the first client identification information and the second client identification information;
if the local server does not store the binding record, determining that the second client is not authorized for password-free login to the first client;
and if the local server stores the binding record, determining that the second client is authorized for password-free login to the first client.
In this embodiment, the user authentication request is used to access the authentication server to authenticate the user. It is first determined whether the authentication account has authorized the website, so the user authentication request needs to carry the authentication account identification information and the website identification information, allowing the authentication server to look up the binding record by these identifiers.
In this embodiment, the binding record of the authentication account's authorization of the website is kept in the storage space of the server. If the identification information of the authentication account is the open id and the identification information of the website is the client_id, the server looks up whether a login record for that client_id is stored in the open id's storage area; if such a record exists, the authentication account has authorized password-free login to the website.
In this embodiment, the local server is searched for a binding record of the authentication account identification information and the website identification information; if such a binding record exists, the authentication account has authorized the website, and if not, the authentication account has not authorized the website and first-time password-free login authorization is required.
210. If the second client has authorized password-free login to the first client, determining that the password-free login authorization is successful;
211. If the second client has not authorized password-free login to the first client, performing biometric authentication on the user corresponding to the second client, and if the authentication passes, determining that the password-free login authorization is successful;
In this embodiment, the security level of the first client needs to be considered when the second client authorizes password-free login to the first client for the first time; the specific implementation is as follows:
if the second client has not authorized password-free login to the first client, reading the access security level information of the first client stored in the local server;
judging the security level of the first client based on the access security level information;
if the security level of the first client is higher than the preset security level, prompting the second client to perform biometric authentication on the corresponding user;
and receiving and authenticating the user biometric information returned by the second client, and if the authentication passes, determining that the password-free login authorization is successful, and generating and storing a binding record of the first client identification information and the second client identification information.
In this embodiment, if the website has not been authorized by the authentication account, the authentication server determines the security level information of the website before authorizing it for the first time, and executes the corresponding authorization service according to the security level. If the website has a high security requirement, for example a bank client or a payment client, its security level can be set to high, and the authentication service executed by the authentication server is the more secure iris authentication service; if the website is only an ordinary client, the click authorization service is sufficient.
In this embodiment, the website developer sets the security level of the website when registering with the authentication server; the security level information includes a security level field, from which the security level of the website can be identified.
In this embodiment, for a website with a low security level, the authentication server generates authorization prompt information and sends it to the authentication software; after receiving the prompt information, the authentication software displays an authorization button on the interface, and the user clicks it to complete the authorization of the website, which simplifies the authorization process. In addition, the authentication server stores the binding record of the website identification information and the authentication account identification information, so that next time the user can log in to the authentication account with the authentication software and directly scan the login two-dimensional code of the website to achieve authorization and password-free login.
In this embodiment, if the security level of the website is determined from the security registration information to be high, the second client must be prompted to perform biometric authentication on the corresponding user to ensure the login security of the website.
At this point the second client interface displays prompt information of the form 'please enter biometric information': for iris recognition authentication, 'please enter iris feature information' is displayed; for fingerprint recognition authentication, 'please enter fingerprint feature information'; and for face recognition authentication, 'please enter eye feature information'.
In this embodiment, for the user biometric information returned by the authentication software, the biometric information records in the storage space of the authentication server are traversed and feature matching is performed; if matching biometric information is found, the authentication is determined to have succeeded, otherwise it is determined to have failed. After the authentication server has successfully authenticated the user corresponding to the second client, the authorization of the website is completed, the authentication account identification information and the website identification information are bound and stored, and next time the user can achieve authorization and password-free login of the website by directly scanning the login two-dimensional code of the website with the second client.
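The decision logic of steps 209 to 211 above, as an added example that is not the patent's own code: it looks up the binding record with its validity date and, on a first-time authorization, selects click authorization or biometric authentication from the website's security level. The in-memory record layout, the preset security level of 2, the 30-day binding validity and all identifiers are assumptions made for the example.

```python
"""Added example, not the patent's own code: the authorization decision of
steps 209 to 211, including the security-level branch and the binding
validity date described above.

Assumptions (not on the page): binding records are kept in an in-memory dict
keyed by (openid, client_id) and store the date on which the binding expires;
security levels are small integers and the preset level is 2; a binding stays
valid for 30 days. All identifiers below are constructed sample values.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date, timedelta
from enum import Enum


class Decision(Enum):
    AUTHORIZED = "authorized"          # valid binding record exists: step 210
    NEED_CLICK = "need_click"          # low security level: click authorization
    NEED_BIOMETRIC = "need_biometric"  # high security level: biometric authentication
    REJECTED = "rejected"              # website is not a registered relying party


PRESET_SECURITY_LEVEL = 2   # assumed threshold; levels above it require biometrics
BINDING_VALID_DAYS = 30     # assumed validity period written with the binding


@dataclass
class AuthorizationService:
    # client_id -> access security level, taken from the registration request (step 201)
    clients: dict[str, int] = field(default_factory=dict)
    # (openid, client_id) -> binding validity date (the "binding effective date")
    bindings: dict[tuple[str, str], date] = field(default_factory=dict)

    @staticmethod
    def parse_auth_request(request: dict) -> tuple[str, str]:
        """First sub-step of step 209: both identifiers must be in the request."""
        try:
            return request["openid"], request["client_id"]
        except KeyError as exc:
            raise ValueError(f"user authentication request lacks {exc}") from None

    def is_bound(self, openid: str, client_id: str, today: date) -> bool:
        """A binding counts only while today is not past its validity date."""
        expiry = self.bindings.get((openid, client_id))
        return expiry is not None and today <= expiry

    def decide(self, request: dict, today_iso: str) -> Decision:
        """Steps 209 to 211: what the server asks the authentication app to do next."""
        today = date.fromisoformat(today_iso)
        openid, client_id = self.parse_auth_request(request)
        level = self.clients.get(client_id)
        if level is None:
            return Decision.REJECTED
        if self.is_bound(openid, client_id, today):
            return Decision.AUTHORIZED
        # first-time authorization: the website's security level picks the service
        return Decision.NEED_BIOMETRIC if level > PRESET_SECURITY_LEVEL else Decision.NEED_CLICK

    def complete_first_authorization(self, openid: str, client_id: str,
                                     today_iso: str, biometric_passed: bool) -> bool:
        """Store the binding after click authorization (low level) or a passed
        biometric authentication (high level). Returns True if a binding was written."""
        today = date.fromisoformat(today_iso)
        level = self.clients.get(client_id)
        if level is None or self.is_bound(openid, client_id, today):
            return False
        if level > PRESET_SECURITY_LEVEL and not biometric_passed:
            return False  # high-level website: no binding without a passed biometric check
        self.bindings[(openid, client_id)] = today + timedelta(days=BINDING_VALID_DAYS)
        return True
```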
In addition, for a first client with a high security requirement, biometric authentication must be performed on the user; the specific implementation is as follows:
receiving the user biometric information returned by the second client as first iris feature information, and counting the number of feature values of the first iris feature information to obtain the number n of feature values;
calculating the mean of each feature value of the first iris feature information to obtain the mean feature vector $f = (f_1, f_2, f_3, \dots, f_n)^T$, where $f_i$ ($i = 1, 2, \dots, n$) denotes the i-th mean feature and n is a positive integer;
reading iris characteristic information stored in a local server when the second client is registered as second iris characteristic information, and calculating a characteristic mean value and a characteristic variance of the second iris characteristic information;
calculating a difference parameter between the first iris feature information and the second iris feature information using the following formula:
[weighted Euclidean distance formula; present on this page only as an image, Figure BDA0002474468960000151]
where $f_i'$ ($i = 1, 2, 3, \dots, N$) is the feature mean of the i-th feature value of the second iris feature information, N is a positive integer, and $g_i'$ is the feature variance of the i-th feature value of the second iris feature information;
judging whether the value of the difference parameter is smaller than a preset difference parameter value;
if the value of the difference parameter is smaller than the preset difference parameter value, judging that the iris feature matching authentication has passed;
and if the iris feature matching authentication has passed, determining that the password-free login authorization is successful, and generating and storing a binding record of the first client identification information and the second client identification information.
In this embodiment, when the authentication server guides the user to perform biometric authentication through the second client, the second client may collect an iris image of the user corresponding thereto through the configured iris recognition apparatus; then preprocessing the image through iris positioning, iris normalization and image enhancement algorithms; and then, extracting characteristic values from the preprocessed image by adopting a specific algorithm, and coding to obtain iris characteristic information. In this embodiment, a feature matching process between the first iris feature information and the second iris feature information is described.
In this embodiment, before calculating the weighted euclidean distance between the first iris feature information and the second iris feature information, the mean value of the first iris feature information is calculated.
In this embodiment, the weighted euclidean distance between the first iris feature information and the second iris feature information is calculated by first calculating the mean and variance of the second iris feature information.
In this embodiment, a weighted euclidean distance between the first iris feature information and the second iris feature information is calculated by a weighted euclidean distance formula to quantify a difference degree between the two sets of iris feature information, where the larger the weighted euclidean distance is, the larger the difference between the two sets of iris feature information is, and otherwise, the smaller the difference between the two sets of iris feature information is.
In this embodiment, the preset weighted euclidean distance is obtained through neural network training, and represents a weighted euclidean distance mean of the same iris feature information. The method has statistical significance for distinguishing two sections of iris characteristic information from the same iris image or different iris images.
If the weighted Euclidean distance is smaller than the preset weighted Euclidean distance, the two sections of iris feature information come from the same user, so that the authentication server successfully authenticates the user by applying the second client; otherwise, the authentication fails.
In the embodiment, the difference degree between the two groups of iris feature information is quantized by the weighted Euclidean distance, the authentication result can be visually obtained, the uniqueness of the iris features determines the safety of iris feature authentication, and the iris feature authentication can ensure the safety and simply authenticate a user.
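The iris feature matching just described, carried through on constructed sample vectors as an added example that is not the patent's own code. Because the page shows the distance formula only as an image, the form implemented here, squared per-feature differences weighted by the inverse of the enrolled variance, is an assumption, as is the threshold value.

```python
"""Added example, not the patent's own code: the iris feature matching of the
embodiment above, carried through on constructed sample feature vectors.

Assumptions: the distance formula is shown on the page only as an image, so
the form used here, d = sqrt(sum_i (f_i - f_i')^2 / g_i'), squared differences
weighted by the inverse of the enrolled per-feature variance, is an assumption;
the preset threshold is a constructed value, not one obtained by training.
"""
from __future__ import annotations

import math
from typing import Sequence

VARIANCE_FLOOR = 1e-9  # guards a feature whose enrolled variance is exactly zero


def mean_feature_vector(samples: Sequence[Sequence[float]]) -> list[float]:
    """Mean of each feature value over the captured samples: f = (f1, ..., fn)^T."""
    if not samples:
        raise ValueError("no iris feature samples")
    n = len(samples[0])
    if any(len(s) != n for s in samples):
        raise ValueError("samples differ in their number of feature values")
    return [sum(s[i] for s in samples) / len(samples) for i in range(n)]


def mean_and_variance(samples: Sequence[Sequence[float]]) -> tuple[list[float], list[float]]:
    """Per-feature mean f_i' and (population) variance g_i' of the enrolled templates."""
    means = mean_feature_vector(samples)
    var = [sum((s[i] - means[i]) ** 2 for s in samples) / len(samples)
           for i in range(len(means))]
    return means, var


def weighted_euclidean_distance(f: Sequence[float], f_prime: Sequence[float],
                                g_prime: Sequence[float]) -> float:
    """Assumed formula: sqrt(sum((f_i - f_i')^2 / g_i')); larger means more different."""
    if not (len(f) == len(f_prime) == len(g_prime)):
        raise ValueError("feature count mismatch between captured and enrolled iris data")
    return math.sqrt(sum((a - b) ** 2 / max(v, VARIANCE_FLOOR)
                         for a, b, v in zip(f, f_prime, g_prime)))


def iris_match(captured: Sequence[Sequence[float]], enrolled: Sequence[Sequence[float]],
               threshold: float) -> tuple[bool, float]:
    """Full matching step: returns (passed, distance); passes only when distance < threshold."""
    f = mean_feature_vector(captured)               # first iris feature information
    f_prime, g_prime = mean_and_variance(enrolled)  # second iris feature information
    d = weighted_euclidean_distance(f, f_prime, g_prime)
    return d < threshold, d


# Constructed sample data: three enrolled templates, two genuine captures, one impostor.
ENROLLED = [[0.5, 0.2, 0.9], [0.6, 0.1, 1.0], [0.4, 0.3, 0.8]]
GENUINE = [[0.55, 0.2, 0.95], [0.45, 0.2, 0.85]]
IMPOSTOR = [[0.9, 0.6, 0.3]]
THRESHOLD = 3.0  # constructed preset difference parameter value
```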
212. If the password-free login authorization is successful, generating a user information acquisition code corresponding to the second client, and returning the user information acquisition code to the first client, so as to respond to the user login request initiated by the first client and enable the first client to acquire the user information corresponding to the second client based on the user information acquisition code.
In this embodiment, after the second client has authorized password-free login to the first client, the first client still needs to obtain the user information through the user information acquisition code; the specific implementation is as follows:
213. receiving a user identity token request with the user information acquisition code, which is initiated by the first client;
214. generating a user identity token with user identity identification information based on the user information acquisition code and returning the user identity token to the first client;
215. receiving a user information acquisition request with the user identity token initiated by the first client;
216. and determining the password-free login user information corresponding to the user identity token and returning the password-free login user information to the first client.
In the embodiment of the invention, after the user opens the login client, the two-dimensional code of the login client is displayed on the authentication authorization page for the authentication client to scan and to perform biometric authentication and user click authorization for the login client; if the authentication client has already authorized the login client, login proceeds directly without authentication and authorization; if the authentication client has not authorized the login client, initial authentication and authorization are required, after which subsequent logins are direct, so that the second client can log in to the first client without a password.
In this embodiment, the user identity token request initiated by the first client includes the user information acquisition code and the first client key, where the user information acquisition code tells the authentication server whose information the first client is to obtain, and the first client key confirms the identity of the first client to the authentication server.
The first client can then retrieve the user information corresponding to the user identity information from the authentication server through that user identity information.
In this embodiment, the first client exchanges the user information acquisition code obtained from the authentication server after authorization for a user identity token; the user identity token includes a sub field carrying the unique id of the user corresponding to the second client, and serves as the first client's pass for acquiring the user information, so that the first client can directly acquire the user information through the token on each password-free login. The user identity token is in JWT format and is protected by a JWS signature, which must be verified (and the token decoded) whenever user information is acquired with the token, thereby ensuring the safety of the user information.
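The exchange of steps 212 to 216 as an added example that is not the patent's own code: the website presents the one-time acquisition code with its client_secret, receives a JWT user identity token whose sub claim carries the user's unique id, and then fetches the user information with that token. The HS256 JWS construction, the code and token lifetimes and all identifiers, secrets and user data are assumptions made for the example.

```python
"""Added example, not the patent's own code: the exchange of steps 212 to 216,
in which the website (first client) presents the one-time user information
acquisition code together with its client_secret, receives a JWT user identity
token whose sub claim carries the user's unique id, and then uses that token
to fetch the user information.

Assumptions: the token is a compact JWS signed with HS256 under a server-side
key; acquisition codes expire after 300 seconds and are single use; tokens
carry an exp claim; all identifiers, secrets and user data are constructed.
"""
from __future__ import annotations

import base64
import hashlib
import hmac
import json
import secrets


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def jws_sign(payload: dict, key: bytes) -> str:
    """Compact JWS: base64url(header).base64url(payload).base64url(HMAC-SHA256)."""
    header = {"alg": "HS256", "typ": "JWT"}
    parts = [_b64url(json.dumps(header, separators=(",", ":")).encode()),
             _b64url(json.dumps(payload, separators=(",", ":")).encode())]
    signing_input = ".".join(parts).encode("ascii")
    return ".".join(parts + [_b64url(hmac.new(key, signing_input, hashlib.sha256).digest())])


def jws_verify(token: str, key: bytes) -> dict:
    """Return the claims only if the signature checks out under the expected algorithm."""
    try:
        h, p, s = token.split(".")
    except ValueError:
        raise ValueError("malformed token") from None
    if json.loads(_b64url_decode(h)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # never let the header choose the algorithm
    expected = hmac.new(key, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(p))


class TokenService:
    CODE_TTL = 300     # assumed lifetime of an acquisition code, seconds
    TOKEN_TTL = 3600   # assumed lifetime of a user identity token, seconds

    def __init__(self, signing_key: bytes) -> None:
        self.key = signing_key
        self.clients: dict[str, str] = {}   # client_id -> client_secret (step 202)
        self.users: dict[str, dict] = {}    # openid -> user information (step 203)
        self.codes: dict[str, dict] = {}    # acquisition code -> issuance record

    def register_client(self, client_id: str, client_secret: str) -> None:
        self.clients[client_id] = client_secret

    def register_user(self, openid: str, info: dict) -> None:
        self.users[openid] = info

    def issue_acquisition_code(self, openid: str, client_id: str, now: int) -> str:
        """Step 212: random code handed to the website once authorization succeeded."""
        code = secrets.token_urlsafe(32)
        self.codes[code] = {"openid": openid, "client_id": client_id, "iat": now, "used": False}
        return code

    def exchange_code(self, code: str, client_id: str, client_secret: str, now: int) -> str:
        """Steps 213 and 214: code plus client_secret -> signed user identity token."""
        stored = self.clients.get(client_id)
        if stored is None or not hmac.compare_digest(stored.encode(), client_secret.encode()):
            raise PermissionError("client authentication failed")
        rec = self.codes.get(code)
        if (rec is None or rec["used"] or rec["client_id"] != client_id
                or now - rec["iat"] > self.CODE_TTL):
            raise PermissionError("acquisition code invalid, expired or already used")
        rec["used"] = True  # a code is a one-time pass
        claims = {"iss": "auth-server", "sub": rec["openid"], "aud": client_id,
                  "iat": now, "exp": now + self.TOKEN_TTL}
        return jws_sign(claims, self.key)

    def user_info(self, token: str, client_id: str, now: int) -> dict:
        """Steps 215 and 216: verify the token, then return the user information for sub."""
        claims = jws_verify(token, self.key)
        if claims.get("aud") != client_id:
            raise PermissionError("token was issued to a different client")
        if now >= claims.get("exp", 0):
            raise PermissionError("token expired")
        return self.users[claims["sub"]]
```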
With reference to fig. 3, the secret-less login method in the embodiment of the present invention is described above, and a secret-less login device in the embodiment of the present invention is described below, where an embodiment of the secret-less login device in the embodiment of the present invention includes:
a receiving module 301, configured to receive and analyze a user login request initiated by a first client when the first client redirects to a preset authentication authorization page, so as to obtain identification information of the first client;
the encoding module 302 is configured to generate and display a corresponding two-dimensional code on the authentication authorization page based on the identification information of the first client, so that the two-dimensional code can be scanned by a second client;
the analysis module 303 is configured to receive a user authentication request initiated after the second client scans and analyzes the two-dimensional code;
an authorization module 304, configured to determine, based on the user authentication request, whether the second client is authorized for password-free login to the first client; if the second client has authorized password-free login to the first client, determining that the password-free login authorization is successful; if the second client has not authorized password-free login to the first client, performing biometric authentication on the user corresponding to the second client, and if the authentication passes, determining that the password-free login authorization is successful;
the allocating module 305 is configured to generate a user information obtaining code corresponding to the second client if the password-free login authorization is successful, and return the user information obtaining code to the first client to respond to the user login request initiated by the first client, and provide the first client with the user information corresponding to the second client based on the user information obtaining code.
In the embodiment of the invention, when a user logs in to a first client, an HTTP authentication request is initiated to an authentication server, and the authentication server parses the request and generates a two-dimensional code carrying the identification information of the first client; the second client initiates an authentication request to the authentication server by scanning the two-dimensional code, and requests the authentication server to judge whether it has authorized password-free login to the first client; if the second client has authorized the first client once, the authentication server does not need to authenticate the corresponding user again, and the second client directly authorizes password-free login to the first client; if the second client has not authorized the first client, the authentication server must authenticate the user, after which the second client authorizes password-free login to the first client and an authorization record is stored; the response that the HTTP authentication request initiated by the first client has passed is then returned to the first client carrying a user information acquisition code. The first client can also obtain the user information corresponding to the second client through the user information acquisition code. Through the embodiment, the second client can achieve password-free login to the first client.
Referring to fig. 4, another embodiment of the secret-less login apparatus in the embodiment of the present invention includes:
a receiving module 401, configured to receive and parse a user login request initiated by a first client when the first client is redirected to a preset authentication authorization page, so as to obtain identification information of the first client;
an encoding module 402, configured to generate, based on the first client's identification information, a corresponding two-dimensional code and display it on the authentication authorization page for a second client to scan;
an analysis module 403, configured to receive the user authentication request that the second client initiates after scanning and parsing the two-dimensional code;
an authorization module 404, configured to determine, based on the user authentication request, whether the second client has authorized password-free login to the first client; if it has, to determine that password-free login authorization succeeds; if it has not, to perform biometric authentication of the user corresponding to the second client and, if that passes, to determine that password-free login authorization succeeds;
an allocation module 405, configured, if password-free login authorization succeeds, to generate a user-information acquisition code corresponding to the second client, return it to the first client in response to the login request the first client initiated, and allow the first client to obtain the user information corresponding to the second client by presenting that code.
The password-free login apparatus further includes a registration module 406, configured to receive a registration request initiated by the first client, the request carrying the first client's registration information and access security level information; and to generate an identity ID and a secret key for the first client based on that request and return them to the first client, the identity ID and secret key together uniquely identifying the first client.
The password-free login apparatus further includes an initialization module 407, configured to receive an initialization request from the second client carrying user registration information and store that information; to return biometric-capture prompt information to the second client based on the request, prompting the user to enrol biometric information; and to receive and store the biometric information sent by the second client and return an initialization result to it.
The authorization module 404 includes an analysis unit and a first determination unit:
the analysis unit parses the user authentication request to obtain the first client identification information and the second client identification information;
the first determination unit checks whether the local server holds a binding record of the first client identification information and the second client identification information; if no such record is stored, it determines that the second client has not authorized password-free login to the first client; if one is stored, it determines that the second client has.
The authorization module 404 further includes a second determination unit, a pushing unit and an authorization unit:
the second determination unit, if the second client has not authorized password-free login to the first client, reads the first client's access security level information stored on the local server and determines the first client's security level from it;
the pushing unit prompts the second client to perform biometric authentication of its user if the first client's security level is greater than the preset security level;
the authorization unit receives the user biometric information returned by the second client and authenticates it; if authentication passes, it determines that password-free login authorization succeeds and generates and stores a binding record of the first client identification information and the second client identification information.
The authorization module 404 further includes a biometric identification unit, specifically configured to: receive the user biometric information returned by the second client as first iris feature information and count its feature values, obtaining a count $n$; compute the mean of each feature value of the first iris feature information to obtain a mean feature vector $f = (f_1, f_2, f_3, \ldots, f_n)^T$, where $f_i$ ($i = 1, \ldots, n$) is the $i$th mean feature and $n$ is a positive integer; read the iris feature information stored on the local server when the second client registered as second iris feature information, and compute its feature means and feature variances; and compute a difference parameter between the first and second iris feature information with the following formula
Figure BDA0002474468960000201 (the formula appears in the original only as this image)
where $f'_i$ ($i = 1, 2, 3, \ldots, N$) is the feature mean of the $i$th feature value of the second iris feature information, $N$ is a positive integer, and $g'_i$ is the feature variance of the $i$th feature value of the second iris feature information. The unit then determines whether the difference parameter is smaller than a preset difference parameter value; if it is, iris feature matching authentication passes; and if that passes, the unit determines that password-free login authorization succeeds and generates and stores a binding record of the first client identification information and the second client identification information.
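A worked version of the matching step above, as an added example and not the patent's code. The patent's difference formula is present only as an image, so the distance used here, a variance-normalised squared difference $D = \sum_i (f_i - f'_i)^2 / g'_i$ over the three quantities the text names (probe mean $f_i$, enrolled mean $f'_i$, enrolled variance $g'_i$), is an assumed stand-in, not the patent's formula. Also assumed: population variance at enrolment, a small floor on $g'_i$ so a constant feature cannot divide by zero, the threshold value, rejection when the probe's feature count differs from the template's (the text's $n$ and $N$ must be equal for an element-wise comparison), and the constructed feature rows, which are not real iris data.

```python
"""Iris feature matching over the quantities the patent names: probe mean
vector f, enrolled mean f', enrolled variance g', and a preset threshold.
Added example; the distance formula is an assumption (the patent's formula
is only available as an image), as are the constants and sample rows."""
from statistics import fmean, pvariance

VARIANCE_FLOOR = 1e-6   # assumed: a constant enrolled feature must not divide by zero
THRESHOLD = 4.0         # assumed preset difference parameter value


def mean_vector(samples):
    """Column-wise mean of several feature rows: f = (f_1, ..., f_n)^T."""
    if not samples or len({len(s) for s in samples}) != 1:
        raise ValueError("need one or more rows of equal length")
    return [fmean(col) for col in zip(*samples)]


def enrol(samples):
    """Template stored at registration: per-feature mean f'_i and variance g'_i."""
    means = mean_vector(samples)
    variances = [max(pvariance(col), VARIANCE_FLOOR) for col in zip(*samples)]
    return means, variances


def difference(probe_mean, template):
    """Assumed distance: D = sum_i (f_i - f'_i)^2 / g'_i (not the patent's formula)."""
    means, variances = template
    if len(probe_mean) != len(means):   # n must equal N for an element-wise comparison
        raise ValueError("feature count mismatch")
    return sum((f - fp) ** 2 / g for f, fp, g in zip(probe_mean, means, variances))


def iris_match(probe_samples, template, threshold=THRESHOLD):
    """Return (D, passed): matching passes when D is below the preset threshold."""
    d = difference(mean_vector(probe_samples), template)
    return d, d < threshold


# Constructed enrolment rows (three captures of four features); not real iris data.
ENROLLED = enrol([[1, 2, 3, 4], [3, 4, 1, 2], [2, 3, 2, 3]])
```

Averaging several probe captures before comparing, as the text describes, damps per-capture noise; the variance term makes a feature that was unstable at enrolment count for less than one that was stable.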
The password-free login apparatus further includes a pushing module 408, configured to receive a user identity token request carrying the user-information acquisition code, initiated by the first client; to generate, based on the acquisition code, a user identity token carrying user identity identification information and return it to the first client; to receive a user information request carrying that token from the first client; and to determine the password-free login user information corresponding to the token and return it to the first client.
In this embodiment, after the user clicks login on the first client, a two-dimensional code for that client is displayed on the authentication authorization page for the second client to scan, perform biometric authentication and confirm authorization for the first client. If the second client has already authorized the first client, login proceeds directly without fresh authentication and authorization; if it has not, an initial authentication and authorization is required and later logins proceed directly. The second client can thus log the user in to the first client without a password.
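The flow just described, as an added example that is not the patent's code: a single-process model of the authentication server covering registration of the first client (identity ID and secret key), initialization of the second client's user with a biometric template, issuing the two-dimensional code payload, handling the second client's authentication request with the binding-record check and the security-level gate, and the acquisition code to identity token to user information exchange of the pushing module. Everything beyond the page is an assumption and is marked as such in the code: the QR payload carries a random, single-use, expiring nonce; the acquisition code and the token are random, expiring and single-use, and the code is bound to the first client that displayed the QR and can only be exchanged together with that client's registered secret key; a rejected scan burns the QR session; the branch the page leaves unspecified (a first client at or below the preset security level) is treated as a confirming tap on the second client; and the biometric comparison is a pluggable callback, with `exact_match` as a placeholder, so the example runs offline.

```python
"""Model of the QR-code, second-client password-free login flow (added example,
not the patent's code). Nonce/code/token lifetimes, single use, binding of the
code to the first client and its key, and the confirm-tap branch are assumptions."""
import hmac
import secrets
import time
from dataclasses import dataclass, field

PRESET_LEVEL = 3   # assumed preset security level; clients above it require biometrics
QR_TTL = 120       # assumed lifetime (seconds) of a displayed two-dimensional code session
CODE_TTL = 60      # assumed lifetime (seconds) of a user-information acquisition code


def exact_match(sample, template):
    """Placeholder biometric comparison: constant-time equality of opaque strings."""
    return hmac.compare_digest(sample, template)


@dataclass
class AuthServer:
    clients: dict = field(default_factory=dict)   # first-client ID -> (secret key, security level)
    users: dict = field(default_factory=dict)     # user ID -> (user info, biometric template)
    bindings: set = field(default_factory=set)    # binding records: (first-client ID, user ID)
    sessions: dict = field(default_factory=dict)  # QR nonce -> {"first", "exp", "code"}
    codes: dict = field(default_factory=dict)     # acquisition code -> (first-client ID, user ID, expiry)
    tokens: dict = field(default_factory=dict)    # identity token -> user ID

    # registration module 406: issue the first client its identity ID and secret key
    def register_client(self, level):
        cid, key = secrets.token_hex(8), secrets.token_hex(32)
        self.clients[cid] = (key, level)
        return cid, key

    # initialization module 407: store user registration info and the enrolled biometric
    def init_user(self, user_id, info, template):
        self.users[user_id] = (info, template)

    # receiving/encoding modules 401-402: login request -> payload to encode in the QR
    def new_qr(self, first_id):
        if first_id not in self.clients:
            raise PermissionError("unregistered first client")
        nonce = secrets.token_urlsafe(24)   # assumed: random, single-use, short-lived
        self.sessions[nonce] = {"first": first_id, "exp": time.time() + QR_TTL, "code": None}
        return {"client_id": first_id, "nonce": nonce}

    # analysis/authorization modules 403-404: the second client's user authentication request.
    # user_id is assumed to come from the second client's own authenticated session.
    def authenticate(self, qr, user_id, biometric=None, verify=exact_match, confirmed=True):
        nonce = qr["nonce"]
        s = self.sessions.pop(nonce, None)   # a rejected scan burns the QR session
        if s is None or s["exp"] < time.time() or s["first"] != qr["client_id"] or s["code"]:
            return "reject"
        if not self._authorized(s["first"], user_id, biometric, verify, confirmed):
            return "reject"
        code = secrets.token_urlsafe(24)
        self.codes[code] = (s["first"], user_id, time.time() + CODE_TTL)
        self.sessions[nonce] = {**s, "code": code}   # kept so the first client can poll for it
        return "ok"

    def _authorized(self, first_id, user_id, biometric, verify, confirmed):
        if (first_id, user_id) in self.bindings:   # binding record exists: no re-authentication
            return True
        if user_id not in self.users:
            return False
        if self.clients[first_id][1] > PRESET_LEVEL:   # above preset level: biometric required
            if biometric is None or not verify(biometric, self.users[user_id][1]):
                return False
        elif not confirmed:   # assumed: lower levels still need a confirming tap
            return False
        self.bindings.add((first_id, user_id))   # store the binding record for later logins
        return True

    # allocation module 405: the first client polls its pending login for the acquisition code
    def poll(self, nonce):
        s = self.sessions.get(nonce)
        if not s or not s["code"]:
            return None
        del self.sessions[nonce]
        return s["code"]

    # pushing module 408: acquisition code (plus the client's registered key) -> identity token
    def exchange_code(self, first_id, key, code):
        client = self.clients.get(first_id)
        if client is None or not hmac.compare_digest(key, client[0]):
            return None
        entry = self.codes.pop(code, None)   # single use: a second exchange fails
        if entry is None or entry[0] != first_id or entry[2] < time.time():
            return None
        token = secrets.token_urlsafe(32)
        self.tokens[token] = entry[1]
        return token

    # pushing module 408: identity token -> password-free login user information
    def user_info(self, token):
        user_id = self.tokens.get(token)
        return None if user_id is None else self.users[user_id][0]
```

The page does not say how the acquisition code is protected once it has been handed to the first client; without the single-use, expiry and client-key checks above it is a plain bearer credential, so a deployment should treat those checks as the minimum.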
Figs. 3 and 4 describe the password-free login apparatus of the embodiment from the perspective of modular functional entities; the password-free login device of the embodiment is described below from the perspective of hardware processing.
Fig. 5 is a schematic structural diagram of a password-free login device according to an embodiment of the present invention. The device 500 may vary considerably in configuration and performance and may include one or more processors (CPUs) 510 and a memory 520, and one or more storage media 530 (such as mass storage devices) storing applications 533 or data 532. Memory 520 and storage media 530 may be transient or persistent storage. The program stored on a storage medium 530 may include one or more modules (not shown), each of which may include a sequence of instructions for operating the device 500. The processor 510 may be configured to communicate with the storage medium 530 and execute the series of instruction operations stored there on the device 500.
The password-free login device 500 may also include one or more power supplies 540, one or more wired or wireless network interfaces 550, one or more input/output interfaces 560, and/or one or more operating systems 531 such as Windows Server, Mac OS X, Unix, Linux or FreeBSD. Those skilled in the art will appreciate that the structure shown in fig. 5 does not limit the device: it may include more or fewer components than shown, some components may be combined, or the components may be arranged differently.
The present invention also provides a computer-readable storage medium, which may be non-volatile or volatile, storing instructions that, when run on a computer, cause the computer to perform the steps of the password-free login method.
The computer-readable storage medium may comprise a program storage area and a data storage area: the program storage area may store an operating system and the application program required for at least one function, and the data storage area may store data created in the course of using the blockchain node, and the like.
It is clear to those skilled in the art that, for convenience and brevity of description, the specific working processes of the above-described systems, apparatuses and units may refer to the corresponding processes in the foregoing method embodiments, and are not described herein again.
If the integrated unit is implemented as a software functional unit and sold or used as a stand-alone product, it may be stored in a computer-readable storage medium. On that understanding, the technical solution of the present invention may be embodied as a software product stored in a storage medium and including instructions for causing a computer device (a personal computer, a server, or a network device) to execute all or part of the steps of the method of the embodiments of the present invention. The storage medium may be any medium capable of storing program code, such as a USB flash drive, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, or an optical disk.
A blockchain is a novel application of computer technologies such as distributed data storage, peer-to-peer transmission, consensus mechanisms and cryptographic algorithms. A blockchain is essentially a decentralized database: a series of data blocks linked by cryptographic means, each block containing a batch of network transactions and serving to verify the validity (tamper-resistance) of that information and to generate the next block. A blockchain may include a blockchain underlying platform, a platform product service layer, an application service layer, and so on.
The above-mentioned embodiments are only used for illustrating the technical solutions of the present invention, and not for limiting the same; although the present invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some technical features may be equivalently replaced; and such modifications or substitutions do not depart from the spirit and scope of the corresponding technical solutions of the embodiments of the present invention.

Claims (10)

1. A password-free login method, comprising the following steps:
when a first client is redirected to a preset authentication authorization page, receiving and parsing a user login request initiated by the first client to obtain identification information of the first client;
generating, based on the identification information of the first client, a corresponding two-dimensional code and displaying it on the authentication authorization page for a second client to scan;
receiving a user authentication request initiated by the second client after it scans and parses the two-dimensional code;
determining, based on the user authentication request, whether the second client has authorized password-free login to the first client;
if the second client has authorized password-free login to the first client, determining that password-free login authorization succeeds;
if the second client has not authorized password-free login to the first client, performing biometric authentication of a user corresponding to the second client and, if the authentication passes, determining that password-free login authorization succeeds; and
if password-free login authorization succeeds, generating a user-information acquisition code corresponding to the second client and returning it to the first client in response to the user login request initiated by the first client, so that the first client can obtain user information corresponding to the second client based on the acquisition code.
2. The password-free login method of claim 1, wherein before receiving and parsing the user login request initiated by the first client when the first client is redirected to the preset authentication authorization page, the method further comprises:
receiving a registration request initiated by the first client, the registration request comprising registration information and access security level information of the first client; and
generating an identity ID and a secret key for the first client based on the registration request and returning them to the first client, the identity ID and the secret key uniquely identifying the first client.
3. The password-free login method of claim 1, wherein before receiving and parsing the user login request initiated by the first client when the first client is redirected to the preset authentication authorization page, the method further comprises:
receiving an initialization request from the second client carrying user registration information, and storing the user registration information;
returning biometric-capture prompt information to the second client based on the initialization request, prompting the user to enrol biometric information; and
receiving and storing the biometric information sent by the second client, and returning an initialization result to the second client.
4. The method of claim 1, wherein determining, based on the user authentication request, whether the second client has authorized password-free login to the first client comprises:
parsing the user authentication request to obtain first client identification information and second client identification information;
determining whether a local server stores a binding record of the first client identification information and the second client identification information;
if the local server stores the binding record, determining that the second client has authorized password-free login to the first client; and
if the local server does not store the binding record, determining that the second client has not authorized password-free login to the first client.
5. The method of claim 1, wherein, if the second client has not authorized password-free login to the first client, performing biometric authentication of the user corresponding to the second client and, if the authentication passes, determining that password-free login authorization succeeds comprises:
if the second client has not authorized password-free login to the first client, reading access security level information of the first client stored on a local server;
determining the security level of the first client from the access security level information;
if the security level of the first client is greater than a preset security level, prompting the second client to perform biometric authentication of its user; and
receiving and authenticating the user biometric information returned by the second client and, if the authentication passes, determining that password-free login authorization succeeds and generating and storing a binding record of the first client identification information and the second client identification information.
6. The method of claim 5, wherein receiving and authenticating the user biometric information returned by the second client, determining that password-free login authorization succeeds if the authentication passes, and generating and storing the binding record of the first client identification information and the second client identification information comprises:
receiving the user biometric information returned by the second client as first iris feature information, and counting its feature values to obtain a count $n$;
computing the mean of each feature value of the first iris feature information to obtain a mean feature vector $f = (f_1, f_2, f_3, \ldots, f_n)^T$, where $f_i$ ($i = 1, \ldots, n$) is the $i$th mean feature and $n$ is a positive integer;
reading the iris feature information stored on a local server when the second client registered as second iris feature information, and computing the feature mean and feature variance of the second iris feature information;
computing a difference parameter between the first iris feature information and the second iris feature information with the following formula
Figure FDA0002474468950000031 (the formula appears in the original only as this image)
where $f'_i$ ($i = 1, 2, 3, \ldots, N$) is the feature mean of the $i$th feature value of the second iris feature information, $N$ is a positive integer, and $g'_i$ is the feature variance of the $i$th feature value of the second iris feature information;
determining whether the value of the difference parameter is smaller than a preset difference parameter value;
if it is, determining that iris feature matching authentication passes; and
if iris feature matching authentication passes, determining that password-free login authorization succeeds and generating and storing a binding record of the first client identification information and the second client identification information.
7. The method of claim 1, wherein, after generating the user-information acquisition code corresponding to the second client if password-free login authorization succeeds and returning it to the first client in response to the user login request initiated by the first client, so that the first client can obtain user information corresponding to the second client based on the acquisition code, the method further comprises:
receiving a user identity token request carrying the user-information acquisition code, initiated by the first client;
generating, based on the acquisition code, a user identity token carrying user identity identification information and returning it to the first client;
receiving a user information request carrying the user identity token, initiated by the first client; and
determining the password-free login user information corresponding to the user identity token and returning it to the first client.
8. A password-free login apparatus, comprising:
a receiving module, configured to receive and parse a user login request initiated by a first client when the first client is redirected to a preset authentication authorization page, to obtain identification information of the first client;
an encoding module, configured to generate, based on the identification information of the first client, a corresponding two-dimensional code and display it on the authentication authorization page for a second client to scan;
an analysis module, configured to receive a user authentication request initiated by the second client after it scans and parses the two-dimensional code;
an authorization module, configured to determine, based on the user authentication request, whether the second client has authorized password-free login to the first client; if it has, to determine that password-free login authorization succeeds; and if it has not, to perform biometric authentication of a user corresponding to the second client and, if the authentication passes, to determine that password-free login authorization succeeds; and
an allocation module, configured, if password-free login authorization succeeds, to generate a user-information acquisition code corresponding to the second client and return it to the first client in response to the user login request initiated by the first client, so that the first client can obtain user information corresponding to the second client based on the acquisition code.
9. A password-free login device, comprising: a memory storing instructions and at least one processor, the memory and the at least one processor being interconnected by a line;
wherein the at least one processor invokes the instructions in the memory to cause the password-free login device to perform the password-free login method of any one of claims 1 to 7.
10. A computer-readable storage medium comprising a data storage area storing data created from use of blockchain nodes and a program storage area storing a computer program, wherein the computer program, when executed by a processor, implements the password-free login method of any one of claims 1 to 7.
Application CN202010359194.XA (Secret-free login method, device, equipment and storage medium), filed 2020-04-29 with priority date 2020-04-29, published as CN111654468A on 2020-09-11; legal status: Pending. Family ID 72352643; one family application, one country (CN).

Cited By (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113347179A (en) * 2021-05-28 2021-09-03 世纪龙信息网络有限责任公司 Authentication server, card authentication system, secret-free authentication method and system
CN113344567A (en) * 2021-06-23 2021-09-03 支付宝(杭州)信息技术有限公司 Method, device, equipment and medium for accessing payment page of aggregation code
CN113553557A (en) * 2021-07-23 2021-10-26 咪咕文化科技有限公司 Application secret-free login method and device, electronic equipment and storage medium
CN113572789A (en) * 2021-08-17 2021-10-29 四川启睿克科技有限公司 Secret-free login system and method for Internet of things intelligent equipment application
CN113726797A (en) * 2021-09-01 2021-11-30 世纪龙信息网络有限责任公司 Safe login method, system and account management device
CN114422132A (en) * 2022-03-29 2022-04-29 天聚地合(苏州)科技股份有限公司 Account login method and system based on block chain
CN114500090A (en) * 2022-02-24 2022-05-13 特赞(上海)信息科技有限公司 Information processing method and device for secret-free login
CN114567510A (en) * 2022-03-21 2022-05-31 上海商汤智能科技有限公司 Login authentication method, device, equipment and storage medium
CN114598490A (en) * 2021-04-09 2022-06-07 亚信科技(南京)有限公司 Method, device and equipment for redirecting page based on API gateway and storage medium

Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1599913A (en) * 2001-12-03 2005-03-23 株式会社斯耐克斯技术 Iris identification system and method, and storage media having program thereof
CN103986720A (en) * 2014-05-26 2014-08-13 网之易信息技术(北京)有限公司 Log-in method and device
CN104065621A (en) * 2013-03-21 2014-09-24 腾讯科技(深圳)有限公司 Identify verification method for third-party service, client and system
CN104346161A (en) * 2013-08-09 2015-02-11 联想(北京)有限公司 Information processing method and electronic equipment
CN105099704A (en) * 2015-08-13 2015-11-25 上海博路信息技术有限公司 Biometric identification-based OAuth service
CN105357196A (en) * 2015-11-03 2016-02-24 北京铭嘉实咨询有限公司 Network login method and system
CN108632291A (en) * 2018-05-16 2018-10-09 阿里巴巴集团控股有限公司 A kind of third party authorizes login method and system
CN110008812A (en) * 2019-01-22 2019-07-12 苏州迈荣祥信息科技有限公司 Website log system based on iris recognition

Legal Events

Code Title
PB01 Publication
SE01 Entry into force of request for substantive examination