CN111726365A - Online identity authentication method and device - Google Patents

Info

Publication number: CN111726365A
Authority: CN (China)
Application number: CN202010611671.7A
Other languages: Chinese (zh)
Other versions: CN111726365B (granted publication)
Inventors: 毕坚, 罗子辉, 洪创煌
Current assignee: WeBank Co Ltd
Original assignee: WeBank Co Ltd
Legal status: granted; active
Prior art keywords: authentication, user, application, result, server
Events: application filed by WeBank Co Ltd with priority claimed from CN202010611671.7A; published as CN111726365A; application granted and published as CN111726365B

Classifications

    • H04L63/0861: Network architectures or network communication protocols for network security; authentication of entities using biometrical features, e.g. fingerprint, retina-scan
    • G06Q20/3829: Payment protocols insuring higher security of transaction, involving key management
    • G06Q20/40145: Transaction verification; identity check for transactions; biometric identity checks
    • H04L63/0823: Network architectures or network communication protocols for network security; authentication of entities using certificates
    • H04L9/3231: Cryptographic mechanisms including means for verifying the identity or authority of a user; using biological data, e.g. fingerprint, voice or retina
    • H04L9/3247: Cryptographic mechanisms including means for verifying the identity or authority of a user; involving digital signatures
    • H04L9/3263: Cryptographic mechanisms including means for verifying the identity or authority of a user; involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements

Abstract

The invention relates to the field of financial technology (Fintech) and discloses a method and a device for online identity authentication. The method comprises the following steps: an application client acquires first biometric information of a user; after determining that the authentication policy is application authentication, the application client sends the first biometric information to an application server; the application client receives a first user authentication result that the application server sends after verifying the first biometric information; and after the first user authentication result indicates that authentication passed, the application client sends a first signature result, signed with the user private key, to an authentication server. The invention addresses devices on which CFCA FIDO authentication carries a security risk or which temporarily cannot support FIDO authentication, realizes online identity authentication for them and improves authentication security.

Description

Online identity authentication method and device
Technical Field
The invention relates to the technical field of financial technology (Fintech), and in particular to a method and a device for online identity authentication.
Background
With the development of computer technology, more and more technologies (such as distributed architecture, cloud computing and big data) are being applied in the financial field, and the traditional financial industry is gradually transforming into financial technology. Big data technology is no exception, but the security and real-time requirements of the finance and payment industries also place higher demands on it.
At present, CFCA FIDO (Fast Identity Online) technology has been introduced into transactions such as transfers; it overcomes the shortcomings of traditional authentication modes by technical means and avoids the risks of authenticating with remote biometric identification.
CFCA FIDO technology realizes authentication of the user by the device through local biometric identification, and authentication of the device by the server side. It gives the user an identity authentication mode that combines security and convenience: the user no longer needs to carry a hardware device such as a U shield (USB key) and can conveniently use digital-certificate authentication by fingerprint, face or iris recognition.
Under this scheme, on the one hand, on the very few device models that have online identity authentication vulnerabilities, FIDO authentication carries a security risk. On the other hand, on a device model that has neither a FIDO hardware authenticator nor a FIDO software authenticator, online identity authentication cannot be realized at all.
Disclosure of Invention
The present application provides an online identity authentication method and device, which are used to solve the problem of how to perform online identity authentication safely and efficiently when the device is unable to perform online identity authentication.
In a first aspect, an embodiment of the present application provides a method for online identity authentication, where the method includes:
an application client collects first biometric information of a user on the basis of a transaction request initiated by the user;
after the application client determines that the authentication policy is application authentication, the application client sends the first biometric information to an application server;
the application client receives a first user authentication result that the application server sends after verifying the first biometric information;
after the first user authentication result indicates that authentication passed, the application client sends a first signature result, signed with the user private key, to an authentication server; the authentication server is used to generate a first signature verification result for the first signature result according to a pre-stored certificate and the user public key, and the first signature verification result indicates whether the application server processes the transaction request.
According to this scheme, the application server verifies the first biometric information to obtain the first user authentication result, which realizes authentication of the user for the device; at the same time, after the first user authentication result indicates that authentication passed, the application client sends the first signature result, signed with the user private key, to the authentication server via the application server, which realizes the authentication server's authentication of the device. In this way, online identity authentication is realized on devices for which CFCA FIDO authentication carries a security risk or which temporarily cannot support FIDO authentication, and authentication security is improved.
Optionally, before the application client collects the first biometric information of the user on the basis of the transaction request initiated by the user, the method further includes:
the application client collects second biometric information of the user on the basis of an authentication start request initiated by the user;
after determining that the authentication policy is application authentication, the application client sends the second biometric information to the application server;
the application client receives a second user authentication result that the application server sends after verifying the second biometric information;
after the second user authentication result indicates that authentication passed, the application client generates a user private key and a user public key of the application client;
the application client sends to the authentication server a second signature result obtained by signing the user public key with the application secret key; the authentication server is used to generate a second signature verification result for the second signature result according to the pre-stored application secret key, and the second signature verification result indicates whether the authentication server downloads a certificate for the user public key.
According to this scheme, before a transaction, an authentication start process for the user's online identity authentication must be completed. Specifically, the application server verifies the second biometric information to obtain the second user authentication result, which starts authentication of the user for the device; at the same time, after the second user authentication result indicates that authentication passed, the application client sends the user public key, signed with the application secret key, to the authentication server, and a certificate for the user public key is generated after signature verification passes, which starts the authentication server's authentication of the device and guarantees the security of subsequent transactions.
Optionally, before the application client collects the second biometric information of the user on the basis of the authentication start request initiated by the user, the method further includes:
the application client acquires a first authentication working state of the application server and a second authentication working state of the authentication server;
the application client determines whether the first authentication working state is consistent with the second authentication working state; if the two are not consistent, it sends an authentication close request to the application server and the authentication server, and deletes the user private key and the user public key stored in the application client.
According to this scheme, checking whether the first authentication working state is consistent with the second authentication working state ensures that authentication can be carried out only when both states are open, that is, when the authentication states of the application server and the authentication server for the same application of the same user agree, which improves the security of online identity authentication.
Optionally, the authentication policy is determined as follows:
if the application client determines that it does not have a local authentication function, the authentication policy is application authentication;
if the application client determines that it has a local authentication function, it sends a vulnerability query request to the application server; if the device on which the application client is located is determined to be a vulnerable device, the authentication policy is determined to be application authentication; otherwise, the authentication policy is determined to be local authentication.
According to this scheme, after the application client determines that its device has no local authentication function or is a vulnerable device, authentication is performed by the application side, which provides a substitute scheme for online identity authentication on devices that carry a security risk or temporarily cannot be supported by online identity authentication.
Optionally, after sending the transaction information signed with the user private key to the authentication server, the method further includes:
the application client sends an authentication close request to the application server and the authentication server;
after receiving the authentication close result from the application server and the authentication close result from the authentication server, the application client deletes its user private key and user public key.
According to this scheme, the application client sends the authentication close request to the application server and the authentication server and then deletes its user private key and user public key, which reduces the risk of errors in the next online identity authentication.
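As an added example (not code from the patent or from WeBank), the Go program below models the three parties of the first aspect and its optional steps: the authentication start flow (second biometric, user key generation, second signature over the user public key), the transaction flow (first biometric, first signature, the application server's decision), the working-state consistency check, and the close step that deletes the user key pair. It assumes Ed25519 for both the application key (the authentication server's pre-stored copy is taken to be the public half) and the user key pair, a constructed hash comparison in place of a real biometric matcher, and the authentication server's stored user public key in place of a downloaded certificate.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
)

// AppServer verifies biometrics; constructed stand-in: SHA-256(sample) vs. enrolled template hash.
type AppServer struct {
	templates map[string][32]byte // userID -> template hash (constructed)
	authOn    map[string]bool     // userID -> first authentication working state
}

func (s *AppServer) VerifyBiometric(userID string, sample []byte) bool {
	tpl, ok := s.templates[userID]
	h := sha256.Sum256(sample)
	return ok && subtle.ConstantTimeCompare(h[:], tpl[:]) == 1
}

// AuthServer: pre-stored application key (assumed Ed25519 public half) and certified user public keys.
type AuthServer struct {
	appPub ed25519.PublicKey
	certs  map[string]ed25519.PublicKey // userID -> certified user public key (stands in for the certificate)
	authOn map[string]bool              // userID -> second authentication working state
}

// Register: second signature verification; certify the user public key only if signed under the application key.
func (a *AuthServer) Register(userID string, userPub ed25519.PublicKey, sig []byte) error {
	if !ed25519.Verify(a.appPub, userPub, sig) {
		return errors.New("second signature verification failed")
	}
	a.certs[userID], a.authOn[userID] = userPub, true
	return nil
}

// VerifyTransaction yields the first signature verification result for a transaction.
func (a *AuthServer) VerifyTransaction(userID string, tx, sig []byte) bool {
	userPub, ok := a.certs[userID]
	return ok && a.authOn[userID] && ed25519.Verify(userPub, tx, sig)
}

type Client struct {
	userID   string
	appPriv  ed25519.PrivateKey // signing half of the application key
	userPriv ed25519.PrivateKey // generated at authentication start, deleted on close
}

// Close sends the authentication close request to both servers and deletes the user key pair.
func (c *Client) Close(s *AppServer, a *AuthServer) {
	s.authOn[c.userID], a.authOn[c.userID] = false, false
	c.userPriv = nil
}

// StartAuthentication: working-state check, second biometric, key generation, second signature over the user public key.
func (c *Client) StartAuthentication(s *AppServer, a *AuthServer, sample []byte) error {
	if s.authOn[c.userID] != a.authOn[c.userID] {
		c.Close(s, a)
		return errors.New("authentication working states inconsistent; authentication closed")
	}
	if !s.VerifyBiometric(c.userID, sample) {
		return errors.New("second user authentication failed")
	}
	pub, priv, err := ed25519.GenerateKey(nil) // nil reader selects crypto/rand
	if err != nil {
		return err
	}
	if err := a.Register(c.userID, pub, ed25519.Sign(c.appPriv, pub)); err != nil {
		return err
	}
	c.userPriv, s.authOn[c.userID] = priv, true
	return nil
}

// Transact: first biometric, then the first signature; the bool is the app server's decision to process the request.
func (c *Client) Transact(s *AppServer, a *AuthServer, sample, tx []byte) (bool, error) {
	if c.userPriv == nil {
		return false, errors.New("authentication not started")
	}
	if !s.VerifyBiometric(c.userID, sample) {
		return false, errors.New("first user authentication failed")
	}
	return a.VerifyTransaction(c.userID, tx, ed25519.Sign(c.userPriv, tx)), nil
}

// NewScenario builds constructed parties with user "alice" enrolled at the application server.
func NewScenario() (*Client, *AppServer, *AuthServer) {
	appPub, appPriv, _ := ed25519.GenerateKey(nil)
	s := &AppServer{map[string][32]byte{"alice": sha256.Sum256([]byte("finger-alice"))}, map[string]bool{}}
	a := &AuthServer{appPub, map[string]ed25519.PublicKey{}, map[string]bool{}}
	return &Client{userID: "alice", appPriv: appPriv}, s, a
}

func main() {
	c, s, a := NewScenario()
	fmt.Println("start:", c.StartAuthentication(s, a, []byte("finger-alice")))
	fmt.Println(c.Transact(s, a, []byte("finger-alice"), []byte("transfer 100 to bob")))
}
```

The user key pair exists only between a successful StartAuthentication and Close, so a transaction attempted before start, or after the working states have diverged, is refused before any signature is produced.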
In a second aspect, an embodiment of the present application provides an online identity authentication method, where the method includes:
the application server receives first biometric information sent by the application client; the first biometric information is collected by the application client on the basis of a transaction request initiated by a user;
the application server determines a first user authentication result for the first biometric information and sends the first user authentication result to the application client;
the application server sends to an authentication server a first signature result signed by the application client with the user private key; the first signature result is sent to the application server by the application client after the first user authentication result is determined to be that authentication passed;
the application server receives a first signature verification result sent by the authentication server and determines, according to the first signature verification result, whether to process the transaction request; the first signature verification result is obtained by the authentication server verifying the first signature result according to a pre-stored certificate and the user public key.
According to this scheme, the application server determines the first user authentication result for the first biometric information and sends it to the application client, which realizes authentication of the user for the device; the transaction information signed by the application client with the user private key is sent to the authentication server, which realizes the authentication server's authentication of the device. In this way, online identity authentication is realized on devices for which CFCA FIDO authentication carries a security risk or which temporarily cannot support FIDO authentication, and authentication security is improved.
Optionally, before the application server receives the first biometric information sent by the application client, the method further includes:
the application server receives second biometric information sent by the application client; the second biometric information is collected by the application client on the basis of an authentication start request initiated by a user;
the application server determines a second user authentication result for the second biometric information and sends the second user authentication result to the application client;
the application server sends to the authentication server a second signature result obtained by the application client signing the user public key with the application secret key; the second signature result is sent by the application client after the second user authentication result is determined to be that authentication passed; the authentication server is used to generate a second signature verification result for the second signature result according to the pre-stored application secret key, and the second signature verification result indicates whether the authentication server downloads a certificate for the user public key.
According to this scheme, before the transaction, the application server determines the second user authentication result for the second biometric information and sends it to the application client, and the user public key signed by the application client with the application secret key is sent to the authentication server, which guarantees the security of the transaction.
Optionally, the application server determining a first user authentication result for the first biometric information includes:
after the authentication results based on the first biometric information collected N times are all authentication failures, the application server sends indication information corresponding to an enhanced authentication mode to the application client according to the enhanced authentication mode in the audit policy;
the application server determines the authentication result of the enhanced authentication mode and takes it as the first user authentication result.
According to this scheme, after the authentication results for the first biometric information collected N times are all authentication failures, the application server determines the authentication result of the enhanced authentication mode according to the enhanced authentication mode in the audit policy, which reduces the risk that authentication cannot pass because of improper user operation and improves the accuracy of online identity authentication.
Optionally, before the application server receives the second biometric information sent by the application client, the method further includes:
the application server receives a vulnerability query request sent by the application client; the vulnerability query request is sent by the application client after it determines that it has a local authentication function;
the application server sends a vulnerability query result to the application client, and the vulnerability query result indicates whether the device on which the application client is located is a vulnerable device.
According to this scheme, after the application client determines that its device has no local authentication function or is a vulnerable device, application-side authentication is adopted, which provides an alternative scheme for online identity authentication on devices for which CFCA FIDO authentication carries a security risk or temporarily cannot be supported.
In a third aspect, an embodiment of the present application provides a method for online identity authentication, where the method includes:
an application client collects first biometric information of a user on the basis of a transaction request initiated by the user;
an application server receives the first biometric information sent by the application client;
the application server determines a first user authentication result for the first biometric information and sends the first user authentication result to the application client;
after the first user authentication result indicates that authentication passed, the application client sends a first signature result, signed with the user private key, to an authentication server;
the authentication server generates a first signature verification result for the first signature result according to a pre-stored certificate and the user public key;
the authentication server sends the first signature verification result to the application server;
the application server determines, according to the first signature verification result, whether to process the transaction request.
According to this scheme, the application server verifies the first biometric information to obtain the first user authentication result, which realizes authentication of the user for the device; at the same time, after the first user authentication result indicates that authentication passed, the application client sends the first signature result, signed with the user private key, to the authentication server via the application server, which realizes the authentication server's authentication of the device. In this way, online identity authentication is realized on devices for which CFCA FIDO authentication carries a security risk or which temporarily cannot support FIDO authentication, and authentication security is improved.
In a fourth aspect, an embodiment of the present application provides an apparatus for online identity authentication, where the apparatus includes:
an acquisition module, used to collect first biometric information of a user on the basis of a transaction request initiated by the user;
a processing module, used to send the first biometric information to an application server after the authentication policy is determined to be application authentication; receive a first user authentication result that the application server sends after verifying the first biometric information; and, after the first user authentication result indicates that authentication passed, send a first signature result, signed with the user private key, to an authentication server; the authentication server is used to generate a first signature verification result for the first signature result according to a pre-stored certificate and the user public key, and the first signature verification result indicates whether the application server processes the transaction request.
Optionally, the acquisition module is further configured to: before the application client collects the first biometric information of the user on the basis of the transaction request initiated by the user, collect second biometric information of the user on the basis of an authentication start request initiated by the user; after the authentication policy is determined to be application authentication, send the second biometric information to the application server;
receive a second user authentication result that the application server sends after verifying the second biometric information;
after the second user authentication result indicates that authentication passed, generate a user private key and a user public key of the application client;
send to the authentication server a second signature result obtained by signing the user public key with the application secret key; the authentication server is used to generate a second signature verification result for the second signature result according to the pre-stored application secret key, and the second signature verification result indicates whether the authentication server downloads a certificate for the user public key.
Optionally, the processing module is further configured to, before the application client collects the second biometric information of the user on the basis of the authentication start request initiated by the user:
acquire a first authentication working state of the application server and a second authentication working state of the authentication server;
determine whether the first authentication working state is consistent with the second authentication working state; and if the two are not consistent, send an authentication close request to the application server and the authentication server, and delete the user private key and the user public key stored in the application client.
Optionally, the processing module is specifically configured to determine the authentication policy as follows:
if the application client determines that it does not have a local authentication function, the authentication policy is application authentication;
if the application client determines that it has a local authentication function, a vulnerability query request is sent to the application server; if the device on which the application client is located is determined to be a vulnerable device, the authentication policy is determined to be application authentication; otherwise, the authentication policy is determined to be local authentication.
Optionally, the processing module is further configured to:
after the transaction information signed with the user private key is sent to the authentication server, send an authentication close request to the application server and the authentication server;
after receiving the authentication close result from the application server and the authentication close result from the authentication server, delete the user private key and the user public key of the application client.
In a fifth aspect, an embodiment of the present application provides an apparatus for online identity authentication, where the apparatus includes:
an acquisition module, used to collect first biometric information of a user on the basis of a transaction request initiated by the user;
a processing module, used to send the first biometric information to an application server after the authentication policy is determined to be application authentication; receive a first user authentication result that the application server sends after verifying the first biometric information; and, after the first user authentication result indicates that authentication passed, send a first signature result, signed with the user private key, to an authentication server; the authentication server is used to generate a first signature verification result for the first signature result according to a pre-stored certificate and the user public key, and the first signature verification result indicates whether the application server processes the transaction request.
Optionally, the obtaining module is further configured to: before the application server receives first biological characteristic information sent by an application client, receiving second biological characteristic information sent by the application client; the second biological characteristic information is acquired by the application client based on an authentication starting request initiated by a user;
determining a second user authentication result of the second biological characteristic information and sending the second user authentication result to the application client;
the application server forwards to the authentication server a second signature result, obtained by the application client signing the user public key with the application key; the second signature result is sent by the application client after it determines that the second user authentication result is pass; the authentication server is configured to generate a second signature verification result for the second signature result according to the pre-stored application key, and the second signature verification result indicates whether the authentication server downloads the certificate of the user public key.
Optionally, the processing module is specifically configured to:
after the authentication results based on the first biometric information collected N times are all failures, sending to the application client indication information corresponding to the enhanced authentication mode given in the audit policy;
and determining the authentication result of the enhanced authentication mode to obtain the first user authentication result.
Optionally, the processing module is further configured to: before the application server receives the second biological characteristic information sent by the application client, receiving a vulnerability query request sent by the application client; the vulnerability query request is sent by the application client after the application client determines that the application client has a local authentication function;
and sending a vulnerability query result to the application client, wherein the vulnerability query result is used for indicating whether the equipment where the application client is located is vulnerability equipment.
Correspondingly, an embodiment of the present invention further provides a computing device, including:
a memory for storing program instructions;
and the processor is used for calling the program instruction stored in the memory and executing the online identity authentication method according to the obtained program.
Accordingly, an embodiment of the present invention further provides a computer-readable non-volatile storage medium, which includes computer-readable instructions, and when the computer reads and executes the computer-readable instructions, the computer is caused to execute the above online identity authentication method.
Drawings
In order to more clearly illustrate the technical solutions in the embodiments of the present invention, the drawings needed to be used in the description of the embodiments will be briefly introduced below, and it is obvious that the drawings in the following description are only some embodiments of the present invention, and it is obvious for those skilled in the art to obtain other drawings based on these drawings without creative efforts.
Fig. 1 is a system framework of a method for online identity authentication according to an embodiment of the present invention;
Fig. 2 is a flowchart illustrating a method for online identity authentication according to an embodiment of the present invention;
Fig. 3 is a schematic diagram of a method for online identity authentication according to an embodiment of the present invention;
Fig. 4 is a flowchart illustrating a method for online identity authentication according to an embodiment of the present invention;
Fig. 5 is a schematic diagram of a method for online identity authentication according to an embodiment of the present invention;
Fig. 6 is a schematic diagram of a method for online identity authentication according to an embodiment of the present invention;
Fig. 7 is a schematic diagram of a method for online identity authentication according to an embodiment of the present invention;
Fig. 8 is a flowchart illustrating a method for online identity authentication according to an embodiment of the present invention;
Fig. 9 is a flowchart illustrating a method for online identity authentication according to an embodiment of the present invention;
Fig. 10 is a flowchart illustrating a method for online identity authentication according to an embodiment of the present invention;
Fig. 11 is a schematic structural diagram of an online identity authentication apparatus according to an embodiment of the present invention;
Fig. 12 is a schematic structural diagram of an online identity authentication apparatus according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention clearer, the present invention will be described in further detail with reference to the accompanying drawings, and it is apparent that the described embodiments are only a part of the embodiments of the present invention, not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
First, some terms in the present application are explained so as to be understood by those skilled in the art.
FIDO: Fast Identity Online. FIDO combines local biometric identification with PKI technology, so that various biometric technologies (such as fingerprint, voiceprint and face) can be plugged in, and ultimately achieves strong identity authentication: the device authenticates the user, and the server side authenticates the device.
CFCA FIDO: the FIDO technical service provided by the China Financial Certification Authority (CFCA), which combines Fast Identity Online (FIDO) with a digital certificate.
Based on this, the embodiment of the present invention provides an online identity authentication method, which may be applied to the system architecture shown in fig. 1, where the system architecture includes an application client 100, an application server 200, and an authentication server 300.
The application client 100 receives a transaction request initiated by a user, collects first biological characteristic information of the user, and sends the first biological characteristic information to the application server 200 after determining that an authentication strategy is application authentication;
the application server 200 verifies the first biometric information to obtain a first user authentication result and sends the first user authentication result to the application client 100;
after the first user authentication result is that the authentication is passed, the application client 100 sends the first signature result signed by using the user private key to the authentication server 300 through the application server;
the authentication server 300 is configured to generate a first signature verification result of the first signature result according to a pre-stored certificate and a user public key, and send the first signature verification result to the application server 200;
the application server 200 determines whether to process the transaction request based on the first signature verification result.
It should be noted that fig. 1 is only an example of a system architecture according to an embodiment of the present application, and the present application is not limited to this specifically.
Based on the above-mentioned schematic system architecture, fig. 2 is a schematic flow chart corresponding to a method for online identity authentication provided in an embodiment of the present invention, as shown in fig. 2, the method includes:
Step 201, the application client collects first biometric information of a user based on a transaction request initiated by the user.
Step 202, after determining that the authentication policy is application authentication, the application client sends the first biometric information to the application server.
Step 203, the application client receives a first user authentication result, which the application server obtained by verifying the first biometric information.
Step 204, after the first user authentication result is pass, the application client sends a first signature result signed with the user private key to the authentication server.
It should be noted that the authentication server is configured to generate a first signature verification result of the first signature result according to the pre-stored certificate and the user public key, where the first signature verification result is used to indicate whether the application server processes the transaction request.
Further, a schematic diagram corresponding to the above method is shown in fig. 3.
According to this scheme, the application server verifies the first biometric information to obtain a first user authentication result, which realises user authentication by the device; then, after the first user authentication result is pass, the application client sends the transaction information signed with the user private key to the authentication server through the application server, which realises authentication of the device by the authentication server. In this way, devices that carry a security risk under CFCA FIDO authentication, or that cannot yet support FIDO authentication, are still given online identity authentication, and authentication security is improved.
In step 201, in one possible implementation, the first biometric information of the user may be collected by face brushing.
It should be noted that face brushing is the colloquial name for collecting facial biometric features; it is a biometric collection technique that performs identity authentication based on facial feature information.
Specifically, the application client launches the face brushing flow and instructs the user to scan their face.
It should be noted that, in the embodiment of the present application, a parameter giving the maximum number of times a user may launch face brushing is configured in advance at the application server, and the parameter can be modified through that configuration. For example, the user may be allowed to launch face brushing at most three times; that is, whatever user authentication result the third launch produces, the application client will not launch face brushing again.
In step 203, after the application client sends the first biometric information to the application server, the application server may verify the first biometric information to obtain a first user authentication result. The user authentication result is conveyed indirectly by a light colour.
It should be noted that the application server in the embodiment of the present application may compare the first biometric information of the user with the biometric information of the user pre-stored in the public security system, and the similarity of the compared biometric information is mapped to a light colour.
For example, the similarity may be shown, from high to low, by a green light, a yellow light and a red light; that is, the green light represents the highest similarity of the biometric information and the red light the lowest.
In one possible implementation, face brushing ends as soon as a user authentication result is a green light. For example, with face brushing launched at most three times: if the first authentication result is a green light, face brushing ends. If the first result is a yellow or red light, face brushing continues, and if the second result is a green light, face brushing ends. And if none of the first, second and third results is a green light, face brushing ends because the maximum of 3 launches has been reached.
In step 204, the first user authentication result in the embodiment of the present application is determined as follows:
Taking face brushing with a maximum of 3 launches as an example, the application server obtains, from the information in the face brushing list, the one face brushing record with the best result and takes it as the final face brushing result.
It should be noted that after each face brushing a Face ID corresponding to that face brushing information is generated, and in the embodiment of the present application the relationship between the Face ID and the face brushing information is recorded in the face brushing list.
For example, obtaining the best face brushing record of the user in the transaction is further described as follows:
1. If any of the face brushing results is a green light, the face brushing information whose result is the green light is taken, and the final face brushing result is a green light.
2. If none of the 3 face brushing results is a green light, determine whether any of the 3 results is a yellow light; if so, take the face brushing information whose result is a yellow light, and the final face brushing result is a yellow light.
Note that the yellow-light face brushing information taken may be any one of the yellow-light results, or the yellow-light record with the earliest face brushing time; the present application does not limit this.
3. If none of the 3 face brushing results is a green light or a yellow light, all 3 results are red lights; any one red-light face brushing record is taken, and the final face brushing result is a red light.
Further, after the final face brushing result is obtained, the configured result for subsequent processing in the current transaction scenario is looked up in the local configuration rule table.
In the embodiment of the present application, the application server determines a processing policy according to the identification result of the first biometric information, where the processing policy includes at least one of: pass, reject, asynchronous audit and online video.
Further, the application server returns the configured result for subsequent processing to the application client, which proceeds accordingly.
In one possible implementation, the local configuration rule table holds the processing rules corresponding to the red, yellow and green lights, and the service can configure and modify them in the configuration centre.
It should be noted that each transaction scenario has its own set of processing rules, and the processing rules of different transaction scenarios are independent of one another.
For example, in the transfer transaction scenario the processing rules may be: when the final face brushing result is a green light, the application server sends the face brushing information to asynchronous audit, and the transaction takes effect after the audit passes; when the final face brushing result is a yellow light, the rule is reject; and when the final face brushing result is a red light, the rule is reject.
For another example, in the new-employee transaction scenario the processing rules may be: when the final face brushing result is a green light, the application server sends the face brushing information to asynchronous audit, and the transaction takes effect after the audit passes; when the final face brushing result is a yellow light, the application server invokes an online video, that is, the online video is launched to the user through the application client, and the transaction takes effect after the online video is approved; and when the final face brushing result is a red light, the rule is reject.
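As an added example (not code from the patent or from WeBank), the following Go program implements the best-of-three selection described above together with a per-scenario rule table. It assumes the earliest-yellow variant of rule 2, the scenario names "transfer" and "new-employee", and constructed Face IDs and capture times.

```go
package main

import (
	"errors"
	"fmt"
)

// Light is the similarity grade the application server attaches to a face brushing record.
type Light int
const (
	Red    Light = iota // lowest similarity
	Yellow
	Green // highest similarity
)

// FaceScan is one entry of the face brushing list (Face ID, light colour, capture time).
type FaceScan struct {
	FaceID string
	Result Light
	Time   int64 // seconds since the epoch
}

const MaxScans = 3 // configured maximum number of face brushing launches per transaction

// ShouldScanAgain stops face brushing on the first green light or once MaxScans attempts exist.
func ShouldScanAgain(list []FaceScan) bool {
	for _, s := range list {
		if s.Result == Green {
			return false
		}
	}
	return len(list) < MaxScans
}

// BestScan picks the final result: any green record, else the earliest yellow record
// (the variant the text leaves open), else any red record.
func BestScan(list []FaceScan) (FaceScan, error) {
	if len(list) == 0 || len(list) > MaxScans {
		return FaceScan{}, errors.New("face brushing list must hold 1 to MaxScans records")
	}
	for _, s := range list {
		if s.Result == Green {
			return s, nil
		}
	}
	best := -1
	for i, s := range list {
		if s.Result == Yellow && (best < 0 || s.Time < list[best].Time) {
			best = i
		}
	}
	if best >= 0 {
		return list[best], nil
	}
	return list[0], nil // only red lights remain: any one of them
}

// Action is the subsequent processing taken from the configuration rule table.
type Action string

const (
	Pass        Action = "pass"
	Reject      Action = "reject"
	AsyncAudit  Action = "asynchronous audit"
	OnlineVideo Action = "online video"
)

// rules is a constructed local configuration rule table modelled on the two scenarios in
// the text: one independent rule set per transaction scenario, keyed by light colour.
var rules = map[string]map[Light]Action{
	"transfer":     {Green: AsyncAudit, Yellow: Reject, Red: Reject},
	"new-employee": {Green: AsyncAudit, Yellow: OnlineVideo, Red: Reject},
}

// Decide returns the processing policy for a scenario from its face brushing list.
func Decide(scenario string, list []FaceScan) (Action, error) {
	table, ok := rules[scenario]
	if !ok {
		return "", fmt.Errorf("no rule table configured for scenario %q", scenario)
	}
	best, err := BestScan(list)
	if err != nil {
		return "", err
	}
	return table[best.Result], nil
}

func main() {
	list := []FaceScan{ // constructed: three launches, none green, two yellow
		{FaceID: "face-1", Result: Red, Time: 1000},
		{FaceID: "face-2", Result: Yellow, Time: 1005},
		{FaceID: "face-3", Result: Yellow, Time: 1010},
	}
	best, _ := BestScan(list)
	fmt.Println("final record:", best.FaceID, "scan again:", ShouldScanAgain(list))
	a, _ := Decide("new-employee", list)
	fmt.Printf("new-employee -> %s\n", a)
}
```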
Further, in the embodiment of the present application, after the application server determines the first user authentication result according to the processing policy, processing continues as follows:
1. The authentication result is pass: the first signature result signed with the user private key is sent to the authentication server; after the authentication server's signature verification passes, the application server directly invokes the business service (such as transfer or adding an employee) and returns the final business processing result to the application client.
2. The authentication result is reject: the application server sets the business flow to failed and returns the result to the application client.
3. The authentication result is asynchronous audit: the application server submits the face brushing information to the asynchronous audit system and tells the application client that the information has entered asynchronous audit; the specific business continues only after the asynchronous audit result is obtained. If the result is pass, the first signature result signed with the user private key is sent to the authentication server, and the corresponding business continues after the authentication server's signature verification passes; if the result is reject, the current transaction fails and the flow terminates.
4. The authentication result is online video: the application server returns online video authentication to the application client, the application client guides the user into the online video, and the business continues after the online video result is obtained synchronously or asynchronously. If the online video result is pass, the first signature result signed with the user private key is sent to the authentication server, and the business flow continues after the authentication server's signature verification passes; if the online video result is reject, the current transaction fails and the flow terminates.
After the application client obtains the first user authentication result and that result is pass, the application client sends the transaction request to the application server, the application server forwards it to the authentication server, and after the authentication server verifies that it is a legitimate request, the authentication server verifies the transaction information and returns the result to the application server. Specifically, the application server handles the following cases:
1. If the first signature verification result is abnormal, the application server sets the transaction to failed and returns the failure to the application client.
2. If the first signature verification result is normal, and the transaction message passes its check, the application server returns the final processing result of the transaction request to the application client.
The above describes the online identity authentication process of the application client based on a transaction request initiated by a user; the following describes the online identity authentication process of the application client based on an authentication start request initiated by a user.
Before step 201, the flow of steps in the embodiment of the present application is shown in fig. 4, which specifically includes the following steps:
Step 401, the application client collects second biometric information of the user based on an authentication start request initiated by the user.
Step 402, after determining that the authentication policy is application authentication, the application client sends the second biometric information to the application server.
Step 403, the application client receives a second user authentication result, which the application server obtained by verifying the second biometric information.
Step 404, after the second user authentication result is pass, the application client generates a user private key and a user public key of the application client.
Step 405, the application client sends to the authentication server a second signature result obtained by signing the user public key with the application key.
It should be noted that the authentication server is configured to generate a second signature verification result of the second signature result according to the pre-stored application key, where the second signature verification result is used to indicate whether the authentication server generates a certificate of the user public key.
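The two signature checks the authentication server performs, the second signature result over the user public key at enablement (steps 404 and 405) and the first signature result over the transaction information (step 204), as an added example in Go that is not code from the patent or from WeBank. It assumes ECDSA P-256 for both the application key and the user key pair, stores the accepted user public key in place of a CFCA-issued certificate, and uses constructed user IDs and transaction JSON.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"errors"
	"fmt"
)

// AuthServer is a constructed stand-in for the authentication server: the pre-stored
// application key (assumed to be the public half of an ECDSA pair whose private half the
// application holds) plus, per user, the accepted user public key standing in for a CFCA certificate.
type AuthServer struct {
	appPub *ecdsa.PublicKey
	certs  map[string]*ecdsa.PublicKey
}

func mustKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err) // only the random source can fail here
	}
	return k
}

// mustSign signs the SHA-256 digest of msg (hypothetical helper, not the patent's).
func mustSign(priv *ecdsa.PrivateKey, msg []byte) []byte {
	d := sha256.Sum256(msg)
	sig, err := ecdsa.SignASN1(rand.Reader, priv, d[:])
	if err != nil {
		panic(err)
	}
	return sig
}

// Enable handles the second signature result (step 405): the DER-encoded user public key
// signed with the application key; it is recorded only if the signature verifies.
func (s *AuthServer) Enable(userID string, userPubDER, sig []byte) error {
	d := sha256.Sum256(userPubDER)
	if !ecdsa.VerifyASN1(s.appPub, d[:], sig) {
		return errors.New("second signature verification failed: not enabled")
	}
	pub, err := x509.ParsePKIXPublicKey(userPubDER)
	ecPub, ok := pub.(*ecdsa.PublicKey)
	if err != nil || !ok {
		return errors.New("user public key is not a valid ECDSA key")
	}
	s.certs[userID] = ecPub
	return nil
}

// VerifyTransaction handles the first signature result (step 204): transaction
// information signed with the user private key, checked against the stored certificate.
func (s *AuthServer) VerifyTransaction(userID string, txInfo, sig []byte) error {
	pub, ok := s.certs[userID]
	if !ok {
		return errors.New("no certificate for user: authentication not enabled")
	}
	d := sha256.Sum256(txInfo)
	if !ecdsa.VerifyASN1(pub, d[:], sig) {
		return errors.New("first signature verification failed: do not process")
	}
	return nil
}

// DemoResult records which of the constructed requests in DemoFlow the server accepted.
type DemoResult struct {
	Enabled, RogueEnabled, TxAccepted, TamperedAccepted bool
}

func DemoFlow() DemoResult {
	appKey := mustKey() // application key: private half in the app, public half pre-stored
	server := &AuthServer{appPub: &appKey.PublicKey, certs: map[string]*ecdsa.PublicKey{}}
	userKey := mustKey() // step 404: generated after the second biometric check passes
	userPubDER, err := x509.MarshalPKIXPublicKey(&userKey.PublicKey)
	if err != nil {
		panic(err)
	}
	var r DemoResult
	// Step 405: the user public key signed with the application key.
	r.Enabled = server.Enable("user-42", userPubDER, mustSign(appKey, userPubDER)) == nil
	// A client that does not hold the application key cannot get a public key accepted.
	r.RogueEnabled = server.Enable("user-99", userPubDER, mustSign(mustKey(), userPubDER)) == nil
	// Step 204: constructed transaction information signed with the user private key.
	tx := []byte(`{"op":"transfer","amount":100,"nonce":"c0ffee"}`)
	sig1 := mustSign(userKey, tx)
	r.TxAccepted = server.VerifyTransaction("user-42", tx, sig1) == nil
	// The same signature over altered transaction information must be refused.
	tampered := []byte(`{"op":"transfer","amount":9999,"nonce":"c0ffee"}`)
	r.TamperedAccepted = server.VerifyTransaction("user-42", tampered, sig1) == nil
	return r
}

func main() {
	fmt.Printf("%+v\n", DemoFlow())
}
```

A failed VerifyTransaction is the "abnormal" first signature verification result that tells the application server not to process the transaction.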
According to this scheme, before a transaction, the authentication start (enablement) flow of the user's online identity authentication must be carried out. Specifically, the application server verifies the second biometric information to obtain a second user authentication result, which enables authentication of the user by the device; then, after the second user authentication result is pass, the application client sends the user public key signed with the application key to the authentication server, and after signature verification passes a certificate of the user public key is generated, which enables authentication of the device by the authentication server and secures subsequent transactions.
Before step 401, as shown in fig. 5, the application client obtains a first authentication working state of the application server and a second authentication working state of the authentication server;
the application client determines whether the first authentication working state is consistent with the second authentication working state; if the two are inconsistent, it sends an authentication closing request to the application server and the authentication server, and deletes the user private key and the user public key stored in the application client.
According to this scheme, checking whether the first authentication working state is consistent with the second authentication working state ensures that authentication can proceed only when the first authentication working state and the second authentication working state are both open, which improves the security of online identity authentication.
Specifically, the application client initiates an authentication start request; the application server obtains a ciphertext string of the second authentication working state sent by the authentication server and, at the same time, returns its own first authentication working state to the application client; the application client calls the verification-and-decryption method to decrypt the ciphertext returned by the authentication server, obtains the second authentication working state of the authentication server, and checks whether it is consistent with the first authentication working state returned by the application server. In one possible implementation, the first authentication working state has three values: open, auditing and closed. The cases are discussed as follows:
1. The two states are inconsistent, i.e. the authentication server is open and the application server is closed, or the authentication server is closed and the application server is open: the application client sends an authentication closing request to the application server and the authentication server, and after receiving the authentication closing result from the application server and the authentication closing result from the authentication server, deletes the user private key and the user public key of the application client.
2. The authentication server is open and the application server is open: authentication has been enabled.
3. Both are closed, i.e. the authentication server is closed and the application server is closed: authentication has not been enabled.
Based on the above, if the state is not open, the application client prompts the user to enable authentication, and the user initiates the corresponding authentication start request.
According to this scheme, the application server is additionally given a first authentication working state; that is, whether authentication is enabled is jointly determined by the second authentication working state of the authentication server, the first authentication working state of the application server, and whether the device model identified by the application client supports fingerprint or face authentication.
Further, in step 402, in the embodiment of the present application, as shown in fig. 6, the authentication policy is as follows:
if the application client determines that the application client does not have the local authentication function, the authentication strategy is application authentication;
if the application client determines that it has a local authentication function, it sends a vulnerability query request to the application server; if the device on which the application client runs is determined to be a vulnerable device, the authentication policy is determined to be application-side authentication, otherwise it is determined to be local authentication.
It should be noted that the application server may maintain a list of vulnerable device models, which the application client queries in real time when checking whether its device is a vulnerable device.
According to this scheme, once the application client determines that it has no local authentication function, or that the device on which it runs is a vulnerable device, application-side authentication is used; this provides an alternative path of online identity authentication for devices that carry a security risk under CFCA FIDO authentication or that cannot yet be supported.
Specifically, the application client first determines whether the device supports fingerprint or face authentication, which covers the following cases:
1. On Android, the application client can detect whether the phone has fingerprint recognition hardware through the isHardwareDetected() method of the system-provided FingerprintManager class, and detect whether the user has enrolled a fingerprint on the device through the hasEnrolledFingerprints() method.
2. On iOS, the application client can detect whether the device supports Touch ID or Face ID verification through the canEvaluatePolicy method of the system-provided LocalAuthentication framework, and can determine from the error code returned by that method whether the user has enrolled a fingerprint or face on the device.
Further, in the embodiment of the present application, if the device supports neither fingerprint nor face authentication, the application client determines that it has no local authentication function, and the identification process ends. If the device supports fingerprint or face authentication, the application client queries the model configuration of the application server to determine whether the model is a vulnerable model, with two cases:
1. If the current model is a vulnerable model, the application client determines that it has no local authentication function, and the identification process ends.
2. If the current model is not a vulnerable model, the application client determines that it has a local authentication function, and the identification process ends.
Further, continuing with face brushing as the example, in step 403 the application server determines a processing policy according to the identification result of the second biometric information, where the processing policy includes at least one of: pass, reject, asynchronous audit and online video.
Further, the application server returns the configured result for subsequent processing to the application client, which proceeds accordingly.
In one possible implementation, the local configuration rule table holds the processing rules corresponding to the red, yellow and green lights, and the service can configure and modify them in the configuration centre.
For example, the processing rules may be: when the final face brushing result is a green light, the application server sends the face brushing information to asynchronous audit; when the final face brushing result is a yellow light, the application server instructs the application client to enter the online video; and when the final face brushing result is a red light, the result is refusal to enable authentication.
Further, in the embodiment of the present application, after the application server determines the second user authentication result according to the processing policy, the details are as follows:
1. The authentication result is pass: the application client sends to the authentication server the second signature result obtained by signing the user public key with the application key; after the certificate of the authentication server has been downloaded, the application server changes the first authentication working state to open and returns successful enablement to the application client.
2. The authentication result is reject: the application server changes the first authentication working state to closed and returns it to the application client; enablement on the application client fails.
3. The authentication result is asynchronous audit: if the audit passes, after the certificate of the authentication server has been downloaded, the application server changes the first authentication working state to open and returns successful enablement to the application client. If the audit is rejected, the application server changes the first authentication working state to closed and returns it to the application client; enablement on the application client fails.
4. The authentication result is online video: the application server returns online video authentication to the application client, the application client guides the user into the online video, and the online video result is then obtained synchronously or asynchronously. If the online video result is pass, the application client sends to the authentication server the second signature result obtained by signing the user public key with the application key, and after the certificate of the authentication server has been downloaded the application server changes the first authentication working state to open and returns successful enablement to the application client. If the online video result is reject, the application server changes the first authentication working state to closed and returns it to the application client; enablement fails.
Further, a schematic diagram corresponding to the above method is shown in fig. 7.
After the application client obtains the second user authentication result and the authentication has passed, the application client sends the second signature result, obtained by signing the user public key with the application secret key, to the application server, and the application server forwards it to the authentication server. After the authentication server verifies that the request is legitimate, it downloads the certificate from the CFCA, stores the certificate on the authentication server, and returns the opening result to the application server. Specifically, the application server handles the following cases:
1. If the second signature result is abnormal, the application server directly returns the result to the application client, and the opening fails.
2. If the second signature result is normal, the application server modifies the first authentication working state to open and returns it to the application client, and the opening succeeds.
Further, after the transaction information signed with the user private key has been sent to the authentication server, the application client sends an authentication closing request to the application server and the authentication server;
after receiving the authentication closing result of the application server and the authentication closing result of the authentication server, the application client deletes its user private key and user public key.
With this scheme, the application client deletes its user private key and user public key after sending the authentication closing request to the application server and the authentication server, which reduces the risk of errors in the next online identity authentication.
In the embodiment of the present application, the online identity authentication closing process specifically includes:
First, the user initiates an authentication closing request, and the application server changes the first authentication working state to closed.
Then, the application server sends a closing request to the authentication server; the authentication server closes the authentication state of the current user, sends a certificate revocation request to the CFCA, and after the request succeeds the result is returned to the application client in turn.
Finally, after the application client receives the closing response from the application server, it clears the keys generated when the application client was opened.
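The opening and closing flow described above (rule table, handling of the second user authentication result, checking of the second signature result, and key deletion on close) is modelled below as an added example; it is not code from the patent or from the applicant. It assumes the application secret key shared by the application client and the authentication server is an HMAC key, stands in for the CA certificate download with a stored copy of the user public key, and uses constructed identifiers and key material throughout.

```python
import hashlib
import hmac
import secrets
from enum import Enum


class Light(Enum):
    """Final face-brushing result as graded by the application server."""
    GREEN = "green"
    YELLOW = "yellow"
    RED = "red"


class Rule(Enum):
    """Processing rules held in the local configuration rule table."""
    ASYNC_AUDIT = "send face-brushing information to asynchronous audit"
    ONLINE_VIDEO = "instruct the client to enter the online video"
    REFUSE = "refuse to open"


# Constructed rule table; the page says it is maintained in a configuration centre.
RULE_TABLE = {Light.GREEN: Rule.ASYNC_AUDIT, Light.YELLOW: Rule.ONLINE_VIDEO, Light.RED: Rule.REFUSE}

# Assumption: the "application secret key" shared by client and authentication server is an HMAC key.
APP_SECRET_KEY = b"constructed-application-secret-key"


class AuthenticationServer:
    def __init__(self, app_key):
        self._app_key = app_key
        self.certificates = {}   # user id -> user public key, stands in for the downloaded certificate
        self.second_state = {}   # user id -> second authentication working state

    def verify_second_signature(self, user_id, user_public_key, second_signature):
        expected = hmac.new(self._app_key, user_public_key, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, second_signature):
            return "abnormal"
        self.certificates[user_id] = user_public_key   # "download the certificate" and store it
        self.second_state[user_id] = "open"
        return "normal"

    def close(self, user_id):
        self.certificates.pop(user_id, None)            # stands in for the revocation request to the CA
        self.second_state[user_id] = "closed"
        return "closed"


class ApplicationServer:
    def __init__(self, auth_server):
        self.auth_server = auth_server
        self.first_state = {}    # user id -> first authentication working state

    def decide_opening(self, user_id, face_result, online_video_passed=None):
        """Apply the rule table to the second user authentication result."""
        rule = RULE_TABLE[face_result]
        if rule is Rule.REFUSE:
            self.first_state[user_id] = "closed"
            return "reject"
        if rule is Rule.ONLINE_VIDEO:
            if online_video_passed is None:
                return "online_video"          # client must guide the user into the online video first
            if not online_video_passed:
                self.first_state[user_id] = "closed"
                return "reject"
        return "pass"                          # green light (audited asynchronously) or video passed

    def forward_second_signature(self, user_id, user_public_key, second_signature):
        result = self.auth_server.verify_second_signature(user_id, user_public_key, second_signature)
        self.first_state[user_id] = "open" if result == "normal" else "closed"
        return self.first_state[user_id]

    def close(self, user_id):
        self.first_state[user_id] = "closed"
        return self.auth_server.close(user_id)


class ApplicationClient:
    def __init__(self, user_id, app_key):
        self.user_id = user_id
        self._app_key = app_key
        self.user_private_key = None
        self.user_public_key = None

    def generate_user_keys(self):
        # Constructed stand-in for a real key pair; only the public half is signed below.
        self.user_private_key = secrets.token_bytes(32)
        self.user_public_key = hashlib.sha256(b"pub" + self.user_private_key).digest()

    def second_signature(self):
        return hmac.new(self._app_key, self.user_public_key, hashlib.sha256).digest()

    def close(self, app_server):
        app_server.close(self.user_id)   # the close request reaches the authentication server via the app server
        self.user_private_key = None     # delete the local keys once both closing results are back
        self.user_public_key = None
        return "closed"


def open_authentication(client, app_server, face_result, online_video_passed=None):
    """Run the opening flow; returns the first authentication working state or an interim decision."""
    decision = app_server.decide_opening(client.user_id, face_result, online_video_passed)
    if decision != "pass":
        return decision
    client.generate_user_keys()
    return app_server.forward_second_signature(client.user_id, client.user_public_key, client.second_signature())
```

A yellow light returns "online_video" without touching the working state, so the client must come back with the video outcome; only a green light or a passed video leads to key generation and the second signature, and an abnormal second signature leaves the first authentication working state closed.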
The online identity authentication method provided by the present application has been described above in detail from the perspective of the application client; it is described below from the perspective of the application server. Fig. 8 is a schematic flowchart corresponding to an online identity authentication method provided in an embodiment of the present invention, and as shown in fig. 8, the method includes:
Step 801, the application server receives first biometric information sent by the application client.
It should be noted that the first biometric information is collected by the application client based on a transaction request initiated by the user.
Step 802, the application server determines a first user authentication result of the first biometric information and sends the first user authentication result to the application client.
Step 803, the application server sends the first signature result, signed by the application client using the user private key, to the authentication server.
It should be noted that the first signature result is sent to the application server by the application client after determining that the first user authentication result is pass.
Step 804, the application server receives the first signature verification result sent by the authentication server and determines whether to process the transaction request according to the first signature verification result.
It should be noted that the first signature verification result is obtained by the authentication server verifying the first signature result according to the pre-stored certificate and user public key.
With this scheme, the application server determines the first user authentication result of the first biometric information and sends it to the application client, so that user authentication on the device is realized; the transaction information signed by the application client with the user private key is sent to the authentication server, so that authentication of the device by the authentication server is realized. This addresses devices that carry a security risk for CFCA FIDO authentication or temporarily cannot support FIDO authentication, realizes online identity authentication, and improves authentication security. In this embodiment of the present application, before step 801, the application server further performs the steps shown in fig. 9, specifically:
Step 901, the application server receives the second biometric information sent by the application client.
It should be noted that the second biometric information is collected by the application client based on an authentication start request initiated by the user.
Step 902, the application server determines a second user authentication result of the second biometric information and sends the second user authentication result to the application client.
Step 903, the application server sends the second signature result, obtained by the application client signing the user public key with the application secret key, to the authentication server.
It should be noted that the second signature result is sent by the application client after determining that the second user authentication result is pass; the authentication server generates a second signature verification result of the second signature result according to the pre-stored application secret key, and the second signature verification result indicates whether the authentication server downloads the certificate of the user public key.
Before step 901, the application server receives a vulnerability query request sent by the application client; the vulnerability query request is sent by the application client after determining that it has a local authentication function;
and the application server sends a vulnerability query result to the application client, the vulnerability query result indicating whether the device on which the application client is located is a vulnerable device.
Further, in step 802, after the authentication results based on the first biometric information collected N times are all authentication failures, the application server sends, according to the enhanced authentication mode in the audit policy, indication information corresponding to the enhanced authentication mode to the application client;
the application server then determines the authentication result of the enhanced authentication mode to obtain the first user authentication result.
With this scheme, after the authentication results of the first biometric information collected N times are all failures, the application server determines the authentication result of the enhanced authentication mode according to the audit policy, which reduces the risk that authentication cannot pass because of improper user operation and improves the accuracy of online identity authentication.
Further, fig. 10 is a schematic flowchart corresponding to an online identity authentication method provided in an embodiment of the present invention, and as shown in fig. 10, the method includes:
Step 1001, the application client collects first biometric information of the user based on a transaction request initiated by the user.
Step 1002, the application server receives the first biometric information sent by the application client.
Step 1003, the application server determines a first user authentication result of the first biometric information and sends the first user authentication result to the application client.
Step 1004, after the first user authentication result is pass, the application client sends the first signature result signed with the user private key to the authentication server.
Step 1005, the authentication server generates a first signature verification result of the first signature result according to the pre-stored certificate and user public key.
Step 1006, the authentication server sends the first signature verification result to the application server.
Step 1007, the application server determines whether to process the transaction request according to the first signature verification result.
It should be noted that the implementation details of the client and the server are consistent with the embodiments described above.
With this scheme, the application server verifies the first biometric information to obtain the first user authentication result, so that user authentication on the device is realized; after the first user authentication result is pass, the application client sends the first signature result signed with the user private key to the authentication server through the application server, so that authentication of the device by the authentication server is realized. This addresses devices that carry a security risk for CFCA FIDO authentication or temporarily cannot support FIDO authentication, realizes online identity authentication, and improves authentication security.
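The transaction flow of steps 801 to 804 and 1001 to 1007, together with the N-failure rule of the audit policy described for step 802, is modelled below as an added example; it is not code from the patent or from the applicant. The user key pair is a toy RSA pair built from fixed, constructed primes without padding (it shows which party holds which key and is not a secure signature scheme), the audit policy values are constructed, and the authentication server's "pre-stored certificate and user public key" is represented by a stored copy of the user public key.

```python
import hashlib

# Toy RSA with fixed constructed primes and no padding: enough to show which party holds
# which key, not a secure signature scheme.
_P, _Q = 1_000_000_007, 998_244_353
_E = 65537
AUDIT_POLICY = {"max_failures": 3, "enhanced_mode": "online_video"}   # constructed audit policy


def generate_user_keys():
    """Return (user private key, user public key) as generated in the opening flow."""
    n = _P * _Q
    d = pow(_E, -1, (_P - 1) * (_Q - 1))
    return (n, d), (n, _E)


def _digest(message, n):
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(private_key, message):
    n, d = private_key
    return pow(_digest(message, n), d, n)


def verify(public_key, message, signature):
    n, e = public_key
    return pow(signature, e, n) == _digest(message, n)


class ApplicationClient:
    def __init__(self, user_id):
        self.user_id = user_id
        self.user_private_key, self.user_public_key = generate_user_keys()

    def collect_first_biometric(self, matches):
        # Constructed: each entry is whether one face-brushing attempt matched the enrolled user.
        return list(matches)

    def first_signature(self, transaction):
        return sign(self.user_private_key, transaction)


class AuthenticationServer:
    def __init__(self):
        self.certificates = {}   # user id -> user public key stored when the certificate was downloaded

    def verify_first_signature(self, user_id, transaction, first_signature):
        public_key = self.certificates.get(user_id)
        if public_key is None:
            return "no_certificate"
        return "valid" if verify(public_key, transaction, first_signature) else "invalid"


class ApplicationServer:
    def __init__(self, auth_server, audit_policy=AUDIT_POLICY):
        self.auth_server = auth_server
        self.audit_policy = audit_policy
        self.processed = []

    def first_user_authentication_result(self, attempts, enhanced_passed=None):
        """Steps 802 and 1003 with the N-failure rule of the audit policy."""
        n = self.audit_policy["max_failures"]
        if any(attempts[:n]):
            return "pass"
        if len(attempts) < n:
            return "retry"                  # fewer than N failures so far: collect again
        if enhanced_passed is None:         # N failures: indicate the enhanced mode to the client
            return "enhanced:" + self.audit_policy["enhanced_mode"]
        return "pass" if enhanced_passed else "reject"

    def handle_transaction(self, client, transaction, attempts, enhanced_passed=None):
        """Steps 1002 to 1007: user authentication, then device authentication via the authentication server."""
        result = self.first_user_authentication_result(client.collect_first_biometric(attempts), enhanced_passed)
        if result != "pass":
            return result
        first_signature = client.first_signature(transaction)   # only produced after the user passes
        verification = self.auth_server.verify_first_signature(client.user_id, transaction, first_signature)
        if verification != "valid":
            return "rejected:" + verification
        self.processed.append(transaction)
        return "processed"
```

The application server never sees the user private key: it only forwards the signature, and the decision to process the transaction rests on the authentication server's verification against the stored public key, so a transaction altered after signing or a device that never completed opening is rejected even when the biometric check passed.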
Based on the same inventive concept, fig. 11 exemplarily illustrates an online identity authentication apparatus according to an embodiment of the present invention, which may perform the flow of the online identity authentication method.
The apparatus comprises:
an acquisition module 1101, configured to collect first biometric information of a user based on a transaction request initiated by the user;
a processing module 1102, configured to send the first biometric information to the application server after determining that the authentication policy is application authentication; receive a first user authentication result, verified based on the first biometric information, sent by the application server; after the first user authentication result is pass, send the transaction information signed with the user private key to the authentication server through the application server; the authentication server generates a signature verification result of the transaction information according to the pre-stored certificate public key, and the signature verification result of the transaction information indicates whether the application server processes the transaction request.
Optionally, the acquisition module 1101 is further configured to: before the application client collects the first biometric information of the user based on the transaction request initiated by the user, collect second biometric information of the user based on an authentication start request initiated by the user; after determining that the authentication policy is application authentication, send the second biometric information to the application server;
receive a second user authentication result, verified based on the second biometric information, sent by the application server;
after the second user authentication result is pass, generate the user private key and user public key of the application client;
send the user public key signed with the application secret key to the authentication server through the application server; the authentication server generates a signature verification result of the user public key according to the pre-stored application secret key, and the signature verification result of the user public key indicates whether the authentication server downloads the certificate of the user public key.
Optionally, the processing module 1102 is further configured to, before the application client collects the second biometric information of the user based on the authentication start request initiated by the user:
acquire the first authentication working state of the application server and the second authentication working state of the authentication server;
determine whether the first authentication working state is consistent with the second authentication working state; and if the two are not consistent, send an authentication closing request to the application server and the authentication server, and delete the user private key and user public key stored in the application client.
Optionally, the processing module 1102 is specifically configured to determine the authentication policy as follows:
if the application client does not have a local authentication function, the authentication policy is application authentication;
after determining that the application client has a local authentication function, send a vulnerability query request to the application server; after determining that the device on which the application client is located is a vulnerable device, determine that the authentication policy is application authentication, and otherwise determine that the authentication policy is local authentication.
Optionally, the processing module 1102 is further configured to:
send an authentication closing request to the application server and the authentication server;
and after receiving the authentication closing result of the application server and the authentication closing result of the authentication server, delete the user private key and user public key of the application client.
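The two client-side checks that precede opening, the consistency check between the first and second authentication working states and the authentication policy determination (local authentication, application authentication, vulnerability query), are modelled below as an added example; it is not code from the patent or from the applicant. The device description, the list of models the application server treats as vulnerable, and the stored key tuple are constructed for the example.

```python
from dataclasses import dataclass


@dataclass
class Device:
    """Constructed description of the device the application client runs on."""
    has_local_authentication: bool   # e.g. a FIDO-capable local authenticator is present
    model: str


class ApplicationServer:
    # Constructed: device models the application server answers the vulnerability query with "vulnerable".
    VULNERABLE_MODELS = {"model-x-2018", "model-y-2019"}

    def __init__(self):
        self.first_state = {}   # user id -> first authentication working state

    def vulnerability_query(self, model):
        return model in self.VULNERABLE_MODELS

    def working_state(self, user_id):
        return self.first_state.get(user_id, "closed")

    def close_authentication(self, user_id):
        self.first_state[user_id] = "closed"
        return "closed"


class AuthenticationServer:
    def __init__(self):
        self.second_state = {}  # user id -> second authentication working state

    def working_state(self, user_id):
        return self.second_state.get(user_id, "closed")

    def close_authentication(self, user_id):
        self.second_state[user_id] = "closed"
        return "closed"


class ApplicationClient:
    def __init__(self, user_id, device, app_server, auth_server, keys=None):
        self.user_id = user_id
        self.device = device
        self.app_server = app_server
        self.auth_server = auth_server
        self.user_keys = keys   # (private, public) kept from a previous opening, or None

    def determine_authentication_policy(self):
        """Local authentication only on a device that has it and is not reported as vulnerable."""
        if not self.device.has_local_authentication:
            return "application"
        if self.app_server.vulnerability_query(self.device.model):
            return "application"
        return "local"

    def check_working_states(self):
        """Runs before opening: both sides must agree, otherwise close on both and start from scratch."""
        first = self.app_server.working_state(self.user_id)
        second = self.auth_server.working_state(self.user_id)
        if first == second:
            return "consistent"
        self.app_server.close_authentication(self.user_id)
        self.auth_server.close_authentication(self.user_id)
        self.user_keys = None            # delete the stored user private and public key
        return "reset"
```

The reset path matters when the two servers have diverged, for instance when the certificate was revoked on the authentication side while the application server still shows the state as open: rather than trusting either side, the client closes both and discards its keys, so the next opening regenerates them and downloads a fresh certificate.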
Based on the same inventive concept, fig. 12 exemplarily illustrates an online identity authentication apparatus according to an embodiment of the present invention, which may perform the flow of the online identity authentication method. The apparatus comprises:
an obtaining module 1201, configured to receive first biometric information sent by an application client; the first biometric information is collected by the application client based on a transaction request initiated by a user;
a processing module 1202, configured to determine a first user authentication result of the first biometric information and send the first user authentication result to the application client; send the transaction information signed by the application client with the user private key to the authentication server, the transaction information being sent by the application client after determining that the first user authentication result is pass; receive the signature verification result of the transaction information sent by the authentication server, and determine whether to process the transaction request according to the signature verification result of the transaction information; the signature verification result of the transaction information is obtained by the authentication server verifying the transaction information according to the pre-stored certificate public key.
Optionally, the obtaining module 1201 is further configured to: before the application server receives the first biometric information sent by the application client, receive second biometric information sent by the application client; the second biometric information is collected by the application client based on an authentication start request initiated by the user;
determine a second user authentication result of the second biometric information and send the second user authentication result to the application client;
send the user public key signed by the application client with the application secret key to the authentication server; the user public key is sent by the application client after determining that the second user authentication result is pass; the authentication server generates a signature verification result of the user public key according to the pre-stored application secret key, and the signature verification result of the user public key indicates whether the authentication server downloads the certificate of the user public key.
Optionally, the processing module 1202 is specifically configured to:
after the authentication results based on the first biometric information collected N times are all authentication failures, send indication information corresponding to the enhanced authentication mode to the application client according to the enhanced authentication mode in the audit policy;
and determine the authentication result of the enhanced authentication mode to obtain the first user authentication result.
Optionally, the processing module 1202 is further configured to: before the application server receives the second biometric information sent by the application client, receive a vulnerability query request sent by the application client; the vulnerability query request is sent by the application client after determining that it has a local authentication function;
and send a vulnerability query result to the application client, the vulnerability query result indicating whether the device on which the application client is located is a vulnerable device.
The present invention is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the invention. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
While preferred embodiments of the present invention have been described, additional variations and modifications in those embodiments may occur to those skilled in the art once they learn of the basic inventive concepts. Therefore, it is intended that the appended claims be interpreted as including preferred embodiments and all such alterations and modifications as fall within the scope of the invention.
It will be apparent to those skilled in the art that various changes and modifications may be made in the present invention without departing from the spirit and scope of the invention. Thus, if such modifications and variations of the present invention fall within the scope of the claims of the present invention and their equivalents, the present invention is also intended to include such modifications and variations.

Claims (14)

1. A method of online identity authentication, comprising:
the method comprises the steps that an application client side collects first biological characteristic information of a user based on a transaction request initiated by the user;
after the application client determines that the authentication strategy is application authentication, the application client sends the first biological characteristic information to an application server;
the application client receives a first user authentication result which is sent by the application server and verified based on the first biological characteristic information;
the application client sends a first signature result signed with a user private key to an authentication server after the first user authentication result is pass; the authentication server is used for generating a first signature verification result of the first signature result according to a pre-stored certificate and a user public key, and the first signature verification result is used for indicating whether the application server processes the transaction request.
2. The method of claim 1, prior to the application client collecting the first biometric information of the user based on the user-initiated transaction request, further comprising:
the application client side collects second biological characteristic information of the user based on an authentication starting request initiated by the user;
after determining that the authentication policy is application authentication, the application client sends the second biological characteristic information to the application server;
the application client receives a second user authentication result which is sent by the application server and verified based on the second biological characteristic information;
the application client generates a user private key and a user public key of the application client after the second user authentication result is pass;
the application client sends a second signature result obtained by using the application secret key to sign the user public key to the authentication server; the authentication server is used for generating a second signature verification result of the second signature result according to the pre-stored application secret key, and the second signature verification result is used for indicating whether the authentication server downloads the certificate of the user public key.
3. The method of claim 2, wherein before the application client collects the second biometric information of the user based on the authentication start request initiated by the user, the method further comprises:
the application client acquires a first authentication working state of the application server and a second authentication working state of the authentication server;
the application client determines whether the first authentication working state is consistent with the second authentication working state; and if the two are not consistent, sending an authentication closing request to the application server and the authentication server, and deleting the user private key and the user public key stored in the application client.
4. A method according to any one of claims 1 to 3, wherein the authentication policy is determined by:
if the application client determines that it does not have a local authentication function, the authentication policy is application authentication;
if the application client determines that it has a local authentication function, it sends a vulnerability query request to the application server; and if the device on which the application client is located is determined to be a vulnerable device, the authentication policy is determined to be application authentication, otherwise the authentication policy is determined to be local authentication.
5. The method of any of claims 1 to 3, wherein after sending the transaction information signed using the user private key to the authentication server, further comprising:
the application client sends an authentication closing request to the application server and the authentication server;
and after receiving the authentication closing result of the application server and the authentication closing result of the authentication server, the application client deletes the user private key and the user public key of the application client.
6. A method of online identity authentication, comprising:
the application server receives first biological characteristic information sent by the application client; the first biological characteristic information is acquired by the application client based on a transaction request initiated by a user;
the application server side determines a first user authentication result of the first biological characteristic information and sends the first user authentication result to the application client side;
the application server sends a first signature result, signed by the application client using a user private key, to an authentication server; the first signature result is sent to the application server by the application client after determining that the first user authentication result is pass;
the application server receives a first signature checking result sent by the authentication server and determines whether to process the transaction request according to the first signature checking result; and the first signature verification result is obtained by verifying the first signature result by the authentication server according to a pre-stored certificate and a user public key.
7. The method of claim 6, wherein before the application server receives the first biometric information sent by the application client, further comprising:
the application server receives second biological characteristic information sent by the application client; the second biological characteristic information is acquired by the application client based on an authentication starting request initiated by a user;
the application server side determines a second user authentication result of the second biological characteristic information and sends the second user authentication result to the application client side;
the application server sends a second signature result, obtained by the application client signing the user public key with the application secret key, to the authentication server; the second signature result is sent by the application client after determining that the second user authentication result is pass; the authentication server is used for generating a second signature verification result of the second signature result according to the pre-stored application secret key, and the second signature verification result is used for indicating whether the authentication server downloads the certificate of the user public key.
8. The method according to any one of claims 6 or 7, wherein the determining, by the application server, the first user authentication result of the first biometric information comprises:
the application server sends indication information corresponding to an enhanced authentication mode to the application client according to the enhanced authentication mode in the auditing strategy after authentication results based on the first biological characteristic information acquired for N times are all authentication failures;
and the application server determines the authentication result of the enhanced authentication mode to obtain the first user authentication result.
9. The method of claim 8, wherein before the application server receives the second biometric information sent by the application client, further comprising:
the application server receives a vulnerability query request sent by the application client; the vulnerability query request is sent by the application client after the application client determines that the application client has a local authentication function;
and the application server sends a vulnerability query result to the application client, the vulnerability query result being used to indicate whether the device on which the application client is located is a vulnerable device.
10. A method of online identity authentication, comprising:
the method comprises the steps that an application client side collects first biological characteristic information of a user based on a transaction request initiated by the user;
the application server receives first biological characteristic information sent by the application client;
the application server side determines a first user authentication result of the first biological characteristic information and sends the first user authentication result to the application client side;
the application client sends a first signature result signed by using a user private key to an authentication server after the first user authentication result is authenticated;
the authentication server generates a first signature verification result of the first signature result according to a pre-stored certificate and a user public key;
the authentication server sends the first signature verification result to the application server;
and the application server side determines whether to process the transaction request according to the first signature verification result.
11. An apparatus for online identity authentication, the apparatus comprising:
the acquisition module is used for acquiring first biological characteristic information of a user based on a transaction request initiated by the user;
the processing module is used for sending the first biological characteristic information to the application server after the authentication strategy is determined to be application authentication; receiving a first user authentication result which is sent by the application server and verified based on the first biological characteristic information; after the first user authentication result is that the authentication is passed, sending a first signature result signed by using a user private key to an authentication server; the authentication server is used for generating a first signature verification result of the first signature result according to a pre-stored certificate and a user public key, and the first signature verification result is used for indicating whether the application server processes the transaction request or not.
12. An apparatus for online identity authentication, the apparatus comprising:
an acquisition module, used for acquiring first biometric information of a user based on a transaction request initiated by the user;
a processing module, used for sending the first biometric information to the application server after the authentication strategy is determined to be application authentication; receiving a first user authentication result, sent by the application server, that was verified based on the first biometric information; and, after the first user authentication result indicates that authentication passed, sending a first signature result signed using the user private key to an authentication server; the authentication server is used for generating a first signature verification result for the first signature result according to a pre-stored certificate and the user public key, and the first signature verification result is used for indicating whether the application server processes the transaction request.
13. A computing device, comprising:
a memory for storing program instructions;
a processor for calling program instructions stored in said memory to perform the method of any one of claims 1 to 5, 6 to 9 or 10 in accordance with the obtained program.
14. A computer readable non-transitory storage medium including computer readable instructions which, when read and executed by a computer, cause the computer to perform the method of any one of claims 1 to 5, 6 to 9 or 10.
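The claimed flow has two independent gates: the application server's biometric check (first user authentication result) and the authentication server's check of a signature made with the user's private key against the public key it pre-stored with the certificate (first signature verification result); only the latter drives the application server's decision to process the transaction. The Go program below is an added example, not code from the patent or from WeBank: it models the three parties in one process, and assumes Ed25519 as the signature scheme and a SHA-256 hash of the enrolled template as the biometric match, since the claims specify neither.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"crypto/subtle"
)

type AppServer struct{ enrolled [32]byte }           // SHA-256 of the enrolled template (constructed model, not the patent's code)
type AuthServer struct{ userPub ed25519.PublicKey } // user public key pre-stored with the certificate

// NewUserKey generates the user's signing key pair; Ed25519 is an assumption, the claims name no scheme.
func NewUserKey() ed25519.PrivateKey {
	_, priv, err := ed25519.GenerateKey(nil) // nil selects crypto/rand
	if err != nil {
		panic(err)
	}
	return priv
}

// Enroll registers the biometric template with the app server and the public key with the auth server.
func Enroll(biometric []byte, priv ed25519.PrivateKey) (*AppServer, *AuthServer) {
	return &AppServer{enrolled: sha256.Sum256(biometric)},
		&AuthServer{userPub: priv.Public().(ed25519.PublicKey)}
}

// UserAuth yields the first user authentication result: does the collected biometric match enrolment?
func (s *AppServer) UserAuth(biometric []byte) bool {
	h := sha256.Sum256(biometric)
	return subtle.ConstantTimeCompare(h[:], s.enrolled[:]) == 1
}

// ClientSign yields the first signature result; the client signs nothing unless app authentication passed.
func ClientSign(priv ed25519.PrivateKey, tx []byte, userAuthPassed bool) []byte {
	if !userAuthPassed {
		return nil
	}
	return ed25519.Sign(priv, tx)
}

// Verify yields the auth server's first signature verification result over the transaction bytes.
func (a *AuthServer) Verify(tx, sig []byte) bool {
	return ed25519.Verify(a.userPub, tx, sig)
}

// RunFlow chains the claim's steps; the return value is whether the app server processes the request.
func RunFlow(app *AppServer, auth *AuthServer, priv ed25519.PrivateKey, biometric, tx []byte) bool {
	sig := ClientSign(priv, tx, app.UserAuth(biometric))
	return sig != nil && auth.Verify(tx, sig) // the app server acts only on the verification result
}
```

Note that a biometric mismatch stops the flow before any signature exists, while a signature from a key the authentication server never pre-stored fails even when the biometric matches.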
CN202010611671.7A 2020-06-29 Method and device for online identity authentication Active CN111726365B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010611671.7A CN111726365B (en) 2020-06-29 Method and device for online identity authentication

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202010611671.7A CN111726365B (en) 2020-06-29 Method and device for online identity authentication

Publications (2)

Publication Number Publication Date
CN111726365A true CN111726365A (en) 2020-09-29
CN111726365B CN111726365B (en) 2024-07-16

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113781223A (en) * 2021-09-10 2021-12-10 中国农业银行股份有限公司 Online transaction method and device, electronic equipment and storage medium
CN114938281A (en) * 2022-07-21 2022-08-23 飞天诚信科技股份有限公司 Implementation method of safety equipment and safety equipment

Citations (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2003256376A (en) * 2002-02-27 2003-09-12 Hitachi Ltd Biological authentication method with guarantee of security and device for offering authentication service
CN1820481A (en) * 2003-07-11 2006-08-16 国际商业机器公司 System and method for authenticating clients in a client-server environment
CN106487511A (en) * 2015-08-27 2017-03-08 阿里巴巴集团控股有限公司 Identity identifying method and device
CN107172049A (en) * 2017-05-19 2017-09-15 北京信安世纪科技有限公司 A kind of intelligent identity identification system
CN107231331A (en) * 2016-03-23 2017-10-03 阿里巴巴集团控股有限公司 Obtain, issue the implementation method and device of electronic certificate
KR101814078B1 (en) * 2016-07-11 2018-01-03 라온시큐어(주) Method, device and mobile terminal for providing authentication service of non-repudiation
KR20180087739A (en) * 2017-01-25 2018-08-02 주식회사 하이마루 A FIDO authentication device capable of identity confirmation or non-repudiation and the method thereof
US20190124081A1 (en) * 2017-10-19 2019-04-25 Mastercard International Incorporated Methods and systems for providing fido authentication services
US20200026834A1 (en) * 2018-07-23 2020-01-23 One Kosmos Inc. Blockchain identity safe and authentication system

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113781223A (en) * 2021-09-10 2021-12-10 中国农业银行股份有限公司 Online transaction method and device, electronic equipment and storage medium
CN114938281A (en) * 2022-07-21 2022-08-23 飞天诚信科技股份有限公司 Implementation method of safety equipment and safety equipment
CN114938281B (en) * 2022-07-21 2022-11-04 飞天诚信科技股份有限公司 Implementation method of safety equipment and safety equipment

Similar Documents

Publication Publication Date Title
AU2021201911B2 (en) Methods and devices for acquiring and recording tracking information on blockchain
CN109583184B (en) Identity verification method and device and electronic equipment
US10135818B2 (en) User biological feature authentication method and system
CN111414599A (en) Identity authentication method, device, terminal, server and readable storage medium
US9413757B1 (en) Secure identity authentication in an electronic transaction
CN107196901B (en) Identity registration and authentication method and device
US11811754B2 (en) Authenticating devices via tokens and verification computing devices
CN107026836B (en) Service implementation method and device
US11663306B2 (en) System and method for confirming a person's identity
US9792421B1 (en) Secure storage of fingerprint related elements
CN106936775A (en) A kind of authentication method and system based on fingerprint recognition
CN112862487A (en) Digital certificate authentication method, equipment and storage medium
CN113112266A (en) Multi-card processing method and system based on 5G message and block chain
WO2022206433A1 (en) Method and apparatus for pre-executing chaincode in fabric blockchain
CN110535809B (en) Identification code pulling method, storage medium, terminal device and server
CN104486306A (en) Method for identity authentication based on finger vein recognition and cloud service
CN113194420A (en) Card password modification method and system based on 5G message and face recognition and each terminal
US10679028B2 (en) Method and apparatus for performing authentication based on biometric information
WO2016127449A1 (en) Instruction processing method, device and terminal
CN110995661B (en) Network card platform
CN111726365B (en) Method and device for online identity authentication
CN111726365A (en) Online identity authentication method and device
EP3217593A1 (en) Two-factor authentication method for increasing the security of transactions between a user and a transaction point or system
CN104134025B (en) Mobile terminal locking method, device and mobile terminal based on SIM card
CN105404803B (en) Operation responding device and operation response method for terminal device

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant