CN111726365B

CN111726365B - Method and device for online identity authentication

Info

Publication number: CN111726365B
Application number: CN202010611671.7A
Authority: CN
Inventors: 毕坚; 罗子辉; 洪创煌
Original assignee: WeBank Co Ltd
Current assignee: WeBank Co Ltd
Filing date: 2020-06-29
Publication date: 2024-07-16
Anticipated expiration: 2040-06-29

Abstract

The invention relates to the field of financial science and technology (Fintech), and discloses a method and a device for online identity authentication, wherein the method comprises the following steps: the method comprises the steps that an application client collects first biological characteristic information of a user; after determining that the authentication policy is the authentication of the application terminal, the application client transmits the first biological characteristic information to the application server; the application client receives a first user authentication result which is sent by the application server and is verified based on the first biological characteristic information; and the application client sends a first signature result signed by the user private key to the authentication server after the first user authentication result is that the authentication is passed. The invention solves the problem that the CFCA FIDO authentication is at safety risk or the device which can not support the FIDO authentication temporarily, realizes the online identity authentication and improves the authentication safety.

Description

Method and device for online identity authentication

Technical Field

The invention relates to the technical field of financial science and technology (Fintech), in particular to a method and a device for online identity authentication.

Background

With the development of computer technology, more and more technologies (such as distributed architecture, cloud computing or big data) are applied in the financial field, and the traditional financial industry is gradually changed to the financial technology, so that the big data technology is not exceptional, but the big data technology is also required to be higher due to the requirements of security and real-time performance of the financial and payment industries.

At present, CFCA FIDO (FAST IDENTITY Online) technology is introduced in transactions such as transfer and the like, the technical mode solves the defects of the traditional authentication mode, and the risk of remote biological recognition technology authentication is avoided.

The CFCA FIDO technology realizes the authentication of equipment to the user through a local biological recognition technology and the authentication of the equipment through a server, so that an authentication mode compatible with safety and convenience is brought to the user, the user does not need to carry hardware equipment similar to a U shield, and the digital certificate authentication mode is conveniently used through modes of fingerprint brushing, face brushing, iris brushing and the like.

On the one hand, according to the scheme, the FIDO authentication has a security risk for the machine types with online identity authentication loopholes very individually. On the other hand, on-line identity authentication cannot be realized for a model that does not have a FIDO hardware authenticator or a FIDO software authentication period itself.

Disclosure of Invention

The application provides a method and a device for online identity authentication, which are used for solving the problem of how to safely and efficiently perform online identity authentication under the condition that equipment cannot perform online identity authentication.

In a first aspect, an embodiment of the present application provides a method for online identity authentication, where the method includes:

the application client side collects first biological characteristic information of a user based on a transaction request initiated by the user;

After determining that the authentication policy is the authentication of the application server, the application client sends the first biological characteristic information to the application server;

The application client receives a first user authentication result which is sent by the application server and is verified based on the first biological characteristic information;

After the first user authentication result is that the authentication is passed, the application client sends a first signature result signed by using a user private key to an authentication server; the authentication server is used for generating a first signature verification result of the first signature result according to a pre-stored certificate and a user public key, and the first signature verification result is used for indicating whether the application server side processes the transaction request or not.

According to the scheme, the application server side is used for verifying based on the first biological characteristic information to obtain the first user authentication result, so that the authentication of the equipment to the user is realized; meanwhile, after the first user authentication result is that the authentication is passed, the application client sends a first signature result signed by using a user private key to the authentication server through the application server, so that the authentication of the authentication server to the equipment is realized; therefore, the equipment which has safety risk for CFCA FIDO authentication or can not support the FIDO authentication temporarily is solved, online identity authentication is realized, and authentication safety is improved.

Optionally, before the application client collects the first biometric information of the user based on the transaction request initiated by the user, the method further includes:

The application client collects second biological characteristic information of the user based on an authentication starting request initiated by the user;

After the application client determines that the authentication policy is application authentication, the application client sends the second biometric information to the application server;

The application client receives a second user authentication result which is sent by the application server and is verified based on the second biological characteristic information;

After the second user authentication result is that the authentication is passed, the application client generates a user private key and a user public key of the application client;

The application client sends a second signature result of signing the user public key by using the application secret key to the authentication server; the authentication server is used for generating a second signature verification result of the second signature result according to the pre-stored application secret key, and the second signature verification result is used for indicating whether the authentication server downloads the certificate of the user public key or not.

According to the scheme, before transaction, an authentication opening process of online identity authentication of the user is needed. Specifically, the application server side verifies based on the second biological characteristic information to obtain a second user authentication result, so that the equipment can start authentication of the user; meanwhile, after the second user authentication result is that the authentication is passed, the application client sends the user public key signed by the application secret key to the authentication server, and a certificate of the user public key is generated after the verification is passed, so that the authentication of the authentication server to the equipment is started, and the security of subsequent transactions is ensured.

Optionally, before the application client collects the second biometric information of the user, the application client further includes:

the application client acquires a first authentication working state of the application server and a second authentication working state of the authentication server;

The application client determines whether the first authentication working state is consistent with the second authentication working state; and if the user private key and the user public key are inconsistent, sending an authentication closing request to the application server and the authentication server, and deleting the user private key and the user public key stored in the application client.

According to the scheme, through judging whether the first authentication working state is consistent with the second authentication working state, authentication can be performed only under the condition that the first authentication working state and the second authentication working state are both opened, namely, the authentication states of the application server side and the authentication server side for the same application of the same user are consistent, and therefore the safety of online identity authentication is improved.

Optionally, the authentication policy is as follows:

If the application client determines that the application client does not have the local authentication function, the authentication policy is application authentication;

The application client sends a vulnerability query request to the application server if the application client determines that the application client has a local authentication function; and if the equipment where the application client is located is determined to be the vulnerability equipment, determining the authentication policy as the application authentication, otherwise, determining the authentication policy as the local authentication.

According to the scheme, after the application client determines that the device without the local authentication function or the device where the application client is located is the vulnerability device, the application authentication is adopted, so that the alternative scheme of online identity authentication for the device with safety risk or temporary unsupported for online identity authentication is realized.

Optionally, after the transaction information signed using the user private key is sent to the authentication server, the method further includes:

the application client sends an authentication closing request to the application server and the authentication server;

and after receiving the authentication closing result of the application server and the authentication closing result of the authentication server, the application client deletes the user private key and the user public key of the application client.

According to the scheme, after the application client sends the authentication closing request to the application server and the authentication server, the user private key and the user public key of the application client are deleted, so that the risk of error caused by the next online identity authentication is reduced.

In a second aspect, an embodiment of the present application provides a method for online identity authentication, where the method includes:

The application server receives the first biological characteristic information sent by the application client; the first biological characteristic information is collected by the application client based on a transaction request initiated by a user;

The application server determines a first user authentication result of the first biological characteristic information and sends the first user authentication result to the application client;

The application server sends a first signature result signed by the application client by using a user private key to an authentication server; the first signature result is sent to the application server after the application client determines that the first user authentication result is authentication passing;

the application server receives a first signature verification result sent by the authentication server and determines whether to process the transaction request according to the first signature verification result; the first signature verification result is obtained by the authentication server through verification of the first signature result according to a pre-stored certificate and a user public key.

According to the scheme, the first user authentication result of the first biological characteristic information is determined through the application server and sent to the application client, so that the authentication of the equipment to the user is realized; the transaction information signed by the application client side by using the user private key is sent to the authentication server, so that the authentication of the authentication server to the equipment is realized; therefore, the equipment which has safety risk for CFCA FIDO authentication or can not support the FIDO authentication temporarily is solved, online identity authentication is realized, and authentication safety is improved.

Optionally, before the application server receives the first biometric information sent by the application client, the method further includes:

The application server receives second biological characteristic information sent by the application client; the second biological characteristic information is acquired by the application client based on an authentication opening request initiated by a user;

The application server determines a second user authentication result of the second biological characteristic information and sends the second user authentication result to the application client;

The application server sends a second signature result of the application client for signing the user public key by using the application secret key to the authentication server; the second signature result is sent by the application client after determining that the second user authentication result is authentication passing; the authentication server is used for generating a second signature verification result of the second signature result according to the pre-stored application secret key, and the second signature verification result is used for indicating whether the authentication server downloads the certificate of the user public key or not.

According to the scheme, before the transaction, the application server determines the second user authentication result of the second biological characteristic information and sends the second user authentication result to the application client, and the application client sends the user public key signed by the application key to the authentication server, so that the security of the transaction is guaranteed.

Optionally, the determining, by the application server, the first user authentication result of the first biometric information includes:

After authentication results based on the first biological characteristic information acquired for N times are authentication failures, the application server sends indication information corresponding to the enhanced authentication mode to the application client according to the enhanced authentication mode in the auditing strategy;

and the application server root determines an authentication result of the enhanced authentication mode to obtain the first user authentication result.

According to the scheme, after the authentication results based on the N-time acquired first biological characteristic information are authentication failures, the application server determines the authentication result of the enhanced authentication mode according to the enhanced authentication mode in the auditing strategy, so that the risk that authentication cannot be passed due to improper operation of a user is reduced, and the accuracy of online identity authentication is improved.

Optionally, before the application server receives the second biometric information sent by the application client, the method further includes:

The application server receives a vulnerability query request sent by the application client; the vulnerability query request is sent by the application client after determining that the application client has a local authentication function;

And the application server side sends a vulnerability query result to the application client side, and the vulnerability query result user indicates whether the equipment where the application client side is located is vulnerability equipment or not.

According to the scheme, after the application client determines that the device without the local authentication function or the device where the application client is located is the vulnerability device, the application authentication is adopted, so that the alternative scheme of online identity authentication of the device which has safety risk and cannot be supported temporarily for CFCA FIDO authentication is realized.

In a third aspect, an embodiment of the present application provides a method for online identity authentication, where the method includes:

an application server receives first biological characteristic information sent by an application client;

after the first user authentication result is that the authentication is passed, the application client sends a first signature result signed by using a user private key to an authentication server;

The authentication server generates a first signature verification result of the first signature result according to a pre-stored certificate and a user public key;

The authentication server sends the first signature verification result to the application server;

and the application server determines whether to process the transaction request according to the first signature verification result.

In a fourth aspect, an embodiment of the present application provides an apparatus for online identity authentication, where the apparatus includes:

The acquisition module is used for acquiring first biological characteristic information of the user based on a transaction request initiated by the user;

The processing module is used for sending the first biological characteristic information to an application server after determining that the authentication strategy is the authentication of the application server; receiving a first user authentication result which is sent by the application server and is verified based on the first biological characteristic information; after the first user authentication result is that authentication is passed, a first signature result signed by using a user private key is sent to an authentication server; the authentication server is used for generating a first signature verification result of the first signature result according to a pre-stored certificate and a user public key, and the first signature verification result is used for indicating whether the application server side processes the transaction request or not.

Optionally, the acquiring module is further configured to: before the application client side collects first biological characteristic information of a user based on a transaction request initiated by the user, collecting second biological characteristic information of the user based on an authentication opening request initiated by the user; after determining that the authentication policy is application-side authentication, sending the second biometric information to the application server;

receiving a second user authentication result which is sent by the application server and is verified based on the second biological characteristic information;

After the second user authentication result is that the authentication is passed, generating a user private key and a user public key of the application client;

Optionally, the processing module is further configured to: before the application client collects the second biometric information of the user based on the authentication opening request initiated by the user, the method further comprises:

Acquiring a first authentication working state of the application server and a second authentication working state of the authentication server;

Determining whether the first authentication working state is consistent with the second authentication working state; and if the user private key and the user public key are inconsistent, sending an authentication closing request to the application server and the authentication server, and deleting the user private key and the user public key stored in the application client.

Optionally, the processing module is specifically configured to: the authentication policy is as follows:

Optionally, the processing module is further configured to:

After the transaction information signed by using the user private key is sent to an authentication server, an authentication closing request is sent to the application server and the authentication server;

and deleting the user private key and the user public key of the application client after receiving the authentication closing result of the application server and the authentication closing result of the authentication server.

In a fifth aspect, an embodiment of the present application provides an apparatus for online identity authentication, where the apparatus includes:

Optionally, the acquiring module is further configured to: before the application server receives the first biological characteristic information sent by the application client, receiving the second biological characteristic information sent by the application client; the second biological characteristic information is acquired by the application client based on an authentication opening request initiated by a user;

Determining a second user authentication result of the second biological characteristic information and sending the second user authentication result to the application client;

Optionally, the processing module is specifically configured to:

After authentication results based on the first biological characteristic information acquired for N times are authentication failures, sending indication information corresponding to the enhanced authentication mode to the application client according to the enhanced authentication mode in the auditing strategy;

And determining an authentication result of the enhanced authentication mode to obtain the first user authentication result.

Optionally, the processing module is further configured to: before the application server receives the second biological characteristic information sent by the application client, receiving a vulnerability query request sent by the application client; the vulnerability query request is sent by the application client after determining that the application client has a local authentication function;

and sending a vulnerability query result to the application client, wherein the vulnerability query result is used for indicating whether the equipment where the application client is located is a vulnerability equipment.

Accordingly, an embodiment of the present invention further provides a computing device, including:

a memory for storing program instructions;

and the processor is used for calling the program instructions stored in the memory and executing the online identity authentication method according to the obtained program.

Correspondingly, the embodiment of the invention also provides a computer-readable nonvolatile storage medium, which comprises computer-readable instructions, and when the computer reads and executes the computer-readable instructions, the computer is caused to execute the method for online identity authentication.

Drawings

In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings that are needed in the description of the embodiments will be briefly described below, and it is obvious that the drawings in the following description are only some embodiments of the present invention, and other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.

FIG. 1 is a system frame of a method for online identity authentication according to an embodiment of the present invention;

FIG. 2 is a flow chart of a method for online identity authentication according to an embodiment of the present invention;

FIG. 3 is a schematic diagram of a method for online identity authentication according to an embodiment of the present invention;

FIG. 4 is a flowchart of a method for online identity authentication according to an embodiment of the present invention;

FIG. 5 is a schematic diagram of a method for online identity authentication according to an embodiment of the present invention;

FIG. 6 is a schematic diagram of a method for online identity authentication according to an embodiment of the present invention;

FIG. 7 is a schematic diagram of a method for online identity authentication according to an embodiment of the present invention;

FIG. 8 is a flowchart of a method for online identity authentication according to an embodiment of the present invention;

FIG. 9 is a flowchart of a method for online identity authentication according to an embodiment of the present invention;

FIG. 10 is a flowchart of a method for online identity authentication according to an embodiment of the present invention;

FIG. 11 is a schematic structural diagram of an online identity authentication device according to an embodiment of the present invention;

fig. 12 is a schematic structural diagram of an online identity authentication device according to an embodiment of the present invention.

Detailed Description

In order to make the objects, technical solutions and advantages of the present invention more apparent, the present invention will be described in further detail below with reference to the accompanying drawings, and it is apparent that the described embodiments are only some embodiments of the present invention, not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.

First, some terms in the present application will be explained in order to be understood by those skilled in the art.

FIDO: the combination of the local biological recognition technology and the PKI technology can realize the access of various biological recognition technologies (such as fingerprints, voiceprints, faces and the like) and finally realize the body-building authentication effect of equipment on user authentication and server authentication.

CFCA FIDO: the FIDO technology service provided by China financial authentication center is the combination of on-line fast identity authentication (FIDO) and digital certificate.

Based on this, the embodiment of the present invention provides a method for online identity authentication, which may be applied to a system architecture shown in fig. 1, where the system architecture includes an application client 100, an application server 200, and an authentication server 300.

The application client 100 receives a transaction request initiated by a user and collects first biological characteristic information of the user, and sends the first biological characteristic information to the application server 200 after determining that an authentication policy is an application authentication;

The application server 200 performs verification based on the first biological characteristic information to obtain a first user authentication result and sends the first authentication result to the application client 100;

after the first user authentication result is that the authentication is passed, the application client 100 sends a first signature result signed by using the user private key to the authentication server 300 through the application server;

The authentication server 300 is configured to generate a first signature verification result of the first signature result according to a pre-stored certificate and a public key of a user, and send the first signature verification result to the application server 200;

the application server 200 determines whether to process the transaction request based on the first signature verification result.

It should be noted that fig. 1 is only an example of a system architecture according to an embodiment of the present application, and the present application is not limited thereto in particular.

Based on the system architecture illustrated above, fig. 2 is a flow diagram corresponding to a method for online identity authentication according to an embodiment of the present invention, as shown in fig. 2, where the method includes:

In step 201, the application client collects first biometric information of the user based on a transaction request initiated by the user.

Step 202, after determining that the authentication policy is the authentication of the application terminal, the application client transmits the first biological characteristic information to the application server.

In step 203, the application client receives a first user authentication result that is sent by the application server and is verified based on the first biometric information.

In step 204, the application client sends the first signature result signed by the user private key to the authentication server after the first user authentication result is that the authentication is passed.

It should be noted that, the authentication server is configured to generate a first signature verification result of the first signature result according to the pre-stored certificate and the public key of the user, where the first signature verification result is used to indicate whether the application server side processes the transaction request.

Further, a schematic diagram corresponding to the above method is shown in fig. 3.

According to the scheme, the application server side is used for verifying based on the first biological characteristic information to obtain the first user authentication result, so that the authentication of the equipment to the user is realized; meanwhile, after the first user authentication result is that the authentication is passed, the application client sends the transaction information signed by the user private key to the authentication server through the application server, so that the authentication of the authentication server to the equipment is realized; therefore, the equipment which has safety risk for CFCA FIDO authentication or can not support the FIDO authentication temporarily is solved, online identity authentication is realized, and authentication safety is improved.

In step 201, in a possible implementation manner, first biometric information of a user may be acquired by way of face brushing.

It should be noted that face brushing is a popular name for collecting facial biological characteristics, and is a biological characteristic collecting technology for identity authentication based on facial characteristic information of a person.

Specifically, the application client pulls up the face to instruct the user to brush the face.

It should be noted that, in the embodiment of the present application, the application server side is configured with parameters that allow the user to call up the face for the maximum number of times, and the parameters may be modified based on the configuration. For example, the user is allowed to call up the swipe at most three times, that is, the application client will not call up again, regardless of the obtained user authentication result of the third time of call up the swipe.

In step 203 of the embodiment of the present application, after the application client sends the first biometric information to the application server, the application server verifies based on the first biometric information to obtain a first user authentication result, and in a possible implementation manner, in order to visualize the user authentication result and improve the user experience, the application client may light up. That is, the user authentication result is indirectly displayed by the color of the lighted lamp.

It should be noted that, the application server side of the embodiment of the present application may compare the first biometric information of the user with the biometric information of the user pre-stored in the public security system, and correlate the similarity of the biometric information after comparison with the color of the on lamp.

For example, the similarity may be displayed sequentially from high to low by a green light, a yellow light, and a red light, that is, the green light represents the highest similarity of the biometric information, and the red light represents the lowest similarity of the biometric information.

In one possible implementation, the user authentication is finished when the green light is present, for example, when the user authentication is turned up to three times, and the user authentication is finished when the first authentication is green light. For example, when the authentication result of the first time is yellow or red, the face is continuously brushed, and when the face brushing result of the second time is green, the face brushing is finished. For another example, when the authentication results of the first time, the second time and the third time are not green light, the face brushing is finished due to the limitation that the maximum number of times is 3.

In step 204, the specific determining process of the first user authentication result in the embodiment of the present application is as follows:

Taking the above face brushing with the maximum number of 3 as an example, the application server obtains the one-time face brushing information with the best face brushing result in the face brushing list as the final face brushing result according to the information of the face brushing list.

It should be noted that, after each Face brushing, a Face ID corresponding to the Face brushing information is generated.

For example, the following further describes obtaining the best one-time face information for the user to transact at this time:

1. the green light is arranged on the face brushing result, the face brushing information with the green light is obtained as the face brushing result, and the green light is obtained as the final face brushing result.

2. If the 3-time face brushing result is not green light, judging whether the face brushing result is yellow light in the 3-time face brushing, if so, taking out face brushing information that the face brushing result is yellow light, and if so, obtaining the final face brushing result to be yellow light.

The present application is not limited to this, and any one of the face brushing results may be taken out as the face brushing information of the yellow lamp, or the face brushing information of the yellow lamp with the earliest time may be taken out according to the face brushing time.

3. If the result of 3 face brushing is not green light or yellow light, the result of 3 face brushing is red light, any red light face brushing information is taken out, and the final face brushing result is red light.

Further, after the final face brushing result is obtained, the configuration result of the follow-up processing of the current transaction scene is obtained from the local configuration rule table.

In the embodiment of the application, an application server determines a processing strategy according to the identification result of the first biological characteristic information; wherein the processing policy comprises at least one of: pass, reject, asynchronous audit, online video.

Further, the client side returns the configuration result of the subsequent processing to the application client side for subsequent processing.

In one possible implementation, the local configuration rule table is a processing rule corresponding to red, yellow and green light, and the service can be configured and modified in the configuration center.

It should be noted that, each transaction scenario has a set of corresponding processing rules, and the processing rules of each transaction scenario are independent.

For example, in a transaction scenario of transfer, the processing rules may be specifically: when the final result of the face brushing is green light, the processing rule is that the application server side sends the face brushing information into asynchronous auditing, and the transaction information is effective after the auditing is passed. When the final result of the face brushing is a yellow light, the processing rule is refusal. When the face brushing result is red light, the processing result is refusal.

For another example, in the transaction scenario of the newly added employee, the processing rule may be specifically: when the final result of the face brushing is green light, the processing rule is that the application server side sends the face brushing information into asynchronous auditing, and the transaction information is effective after the auditing is passed. When the final result of the face brushing is yellow, the processing rule calls an online video for the application server, namely, the online video is initiated to the user through the application client, and transaction information is validated after the online video is checked. When the face brushing result is red light, the processing result is refusal.

Further, in the embodiment of the present application, after determining the first user authentication result according to the processing policy, the application server specifically includes:

1. The authentication result is that: and sending the first signature result signed by the private key of the user to an authentication server, and after the authentication server passes the signature verification, directly regulating service services such as transfer, newly added staff and the like by the application server, and returning a final service processing result to the application client.

2. The authentication result is refusal: the application server updates the service flow to failure and returns the result to the application client.

3. The authentication result is asynchronous audit, the application server submits the face brushing information to an asynchronous audit system, and simultaneously returns the face brushing information to the asynchronous audit of the application client, and after the asynchronous audit has the result, specific business is processed continuously, if the result passes, a first signature result signed by using a user private key is sent to the authentication server, after the authentication server passes the signature verification, the corresponding business is processed continuously, if the result passes the rejection, the current transaction is failed, and the flow is terminated.

4. The authentication result is online video, the application server returns online video authentication of the application client, the application client guides the user to enter the online video, and after the online video synchronously or asynchronously obtains the result, the corresponding service processing is continued. If the online video result is passed, a first signature result signed by using a user private key is sent to an authentication server, the authentication server continues the service flow after checking the signature, and if the online video result is refused, the current transaction device is failed, and the flow is terminated.

After the application client obtains that the first user authentication result is that the authentication passes, the application client sends a transaction request to the application server, the application server forwards the transaction request to the authentication server, and after the authentication server verifies that the request is legal, the application server verifies the transaction information and returns the transaction information to the application server. Specifically, the application server performs logic processing according to the following situations:

1. and if the first signature verification result is abnormal, the application server fails the transaction and returns the transaction failure to the application client.

2. And after the transaction message passes the check, the application server returns a processing result of the final transaction request to the application client.

The above specifically describes a specific process of online identity authentication of the application client based on the transaction request initiated by the user, and the following specifically describes a specific process of online identity authentication of the application client based on the authentication initiation request initiated by the user.

Before step 201, the flow of the steps of the embodiment of the present application is shown in fig. 4, which specifically includes the following steps:

In step 401, the application client collects second biometric information of the user based on the authentication start request initiated by the user.

Step 402, after determining that the authentication policy is the application authentication, the application client sends the second biometric information to the application server.

Step 403, the application client receives a second user authentication result based on the second biometric information for verification, which is sent by the application server.

In step 404, the application client generates a user private key and a user public key of the application client after the second user authentication result is passed.

In step 405, the application client sends a second signature result, which signs the user public key with the application key, to the authentication server.

It should be noted that, the authentication server is configured to generate, according to the pre-stored application key, a second signature verification result of the second signature result, where the second signature verification result is used to indicate whether the authentication server generates a certificate of the user public key.

Before step 401, as shown in fig. 5, the application client acquires a first authentication working state of the application server and a second authentication working state of the authentication server;

The application client determines whether the first authentication working state is consistent with the second authentication working state; if the user private key and the user public key are inconsistent, an authentication closing request is sent to the application server and the authentication server, and the user private key and the user public key stored in the application client are deleted.

According to the scheme, the judgment of whether the first authentication working state is consistent with the second authentication working state ensures that authentication can be performed only under the condition that the first authentication working state and the second authentication working state are both opened, and improves the safety of online identity authentication.

Specifically, the application client initiates an authentication start request, the application server acquires a ciphertext string of a second authentication working state sent by the authentication server, and simultaneously, the application server also returns the first authentication working state of the application server to the application client, and the application client decrypts the ciphertext returned by the authentication server by a method of checkPolicy, acquires the second authentication working state of the authentication server, and checks whether the second authentication working state is consistent with the first authentication working state returned by the application server. In one possible implementation, the first authentication working state includes an on state, an in-audit state and an off state. The following is discussed in some cases:

1. The state of the authentication server is open and the state of the application server is closed when the authentication server is inconsistent; or the state of the authentication server is off, and the state of the application server is on, the application client sends an authentication closing request to the application server and the authentication server, and the application client deletes the user private key and the user public key of the application client after receiving the authentication closing result of the application server and the authentication closing result of the authentication server.

2. The state of the authentication server is on, and the state of the application server is on, which indicates that the authentication server is on.

3. If the authentication server is closed, that is, the state of the authentication server is closed, the state of the application server is closed, and the authentication server is not opened.

Based on the above, for the state that is not opened, the application client prompts the user to open, and the user initiates a corresponding authentication opening request.

According to the scheme, the first authentication working state is added to the application server, that is, whether the authentication working state is started or not is determined by the second authentication working state of the authentication server, the first authentication working state of the application server and whether the model identified by the application client supports fingerprint or face authentication.

Further, in step 402, the authentication policy is as shown in fig. 6, and the following manner is adopted:

If the application client determines that the application client does not have the local authentication function, the authentication policy is the authentication of the application terminal;

If the application client determines that the application client has the local authentication function, the application client sends a vulnerability query request to the application server; and if the equipment where the application client is located is determined to be the vulnerability equipment, determining the authentication policy as the application authentication, otherwise, determining the authentication policy as the local authentication.

It should be noted that, the application server may maintain the vulnerability model list, and the application client may query the vulnerability model list in real time when querying the vulnerability device.

Specifically, firstly, the application client judges whether the device supports fingerprint or face authentication, and the method is divided into the following cases:

1. An Zhuoduan by the system provided ISHARDWAREDETECTED () method of FINGERPRINTMANAGER class it is possible to detect if the handset device is fingerprint recognition hardware capable and by hasEnrolledFingerprints () method it is possible to detect if the user has entered a fingerprint on the device.

2. The IOS terminal can detect whether the equipment has touchID and faceID identification verification functions or not through a canEvaluatePolicy method of LocalAuthentication library provided by the system, and can judge whether a user has entered a fingerprint or a face on the equipment or not through an error code recalled by the method.

Further, in the embodiment of the present application, if the device does not support fingerprint and facial authentication, the application client determines that the device does not have a local authentication function, and the recognition process ends. If the device supports fingerprint or face authentication, inquiring an application server side configuration model and judging whether the model belongs to a vulnerability model, wherein the two conditions are as follows:

1. If the current model belongs to the vulnerability model, the application client determines that the application client does not have a local authentication function, and the identification process is ended.

2. If the current model does not belong to the vulnerability model, the application client determines that the application client has a local authentication function, and the identification process is ended.

Further, taking the face brushing as an example, in step 403, the application server determines a processing policy according to the recognition result of the second biometric information; wherein the processing policy comprises at least one of: pass, reject, asynchronous audit, online video.

For example, the processing rules may be specifically: when the final result of the face brushing is green light, the processing rule is that the application server side sends the face brushing information into asynchronous auditing. And when the final result of the face brushing is yellow, the processing rule indicates the application client to enter the online video for the application server. When the face brushing result is red light, the processing result is refusal, namely refusal to turn on.

Further, in the embodiment of the present application, the application server determines the second user authentication result according to the processing policy, and then specifically includes the following steps:

1. the authentication result is that: and the application client sends a second signature result of signing the user public key by using the application secret key to the authentication server, and the application server modifies the first authentication working state to be opened after the authentication server certificate is downloaded, and returns the result to the application client to be successfully opened.

2. The authentication result is refusal: the application server modifies the first authentication working state to be closed, and returns the first authentication working state to the opening failure of the application client.

3. The authentication result is asynchronous audit, the application server submits the face brushing information to an asynchronous audit system, and simultaneously returns the face brushing information to the asynchronous audit of the application client, if the face brushing information passes the asynchronous audit, the application client sends a second signature result which uses an application secret key to sign a user public key to an authentication server, the application server modifies the first authentication working state to be started after the authentication server certificate is downloaded, and the face brushing information is returned to the application client to be successfully started. If the first authentication state is refused, the application server modifies the first authentication state to be closed, and returns to the opening failure of the application client.

4. The authentication result is online video, the application server returns online video authentication of the application client, the application client guides a user to enter the online video, after the online video synchronously or asynchronously obtains the result, if the online video result is passed, the application client sends a second signature result which uses an application key to sign a user public key to an authentication server, the authentication server modifies the first authentication working state to be started after certificate downloading, and the application server returns successful starting to the application client. If the result of the online video is refusal, the application server modifies the first authentication working state to be closed, and returns to the application client to fail to open.

Further, a schematic diagram corresponding to the above method is shown in fig. 7.

After the application client obtains that the second user authentication result is that the authentication passes, the application client sends a second signature result obtained by signing the user public key by using the application secret key to the application server, the application server forwards the second signature result to the authentication server, the authentication server downloads the certificate to the CFCA after verifying that the request is legal, the certificate is stored in the authentication server, and an opening result is returned to the application server. Specifically, the application server performs logic processing according to the following situations:

1. And if the second signature result is abnormal, the application server directly returns to the application client to fail to open.

2. And the second signature result is normal, and the application server modifies the first authentication working state to be opened and returns the first authentication working state to the application client to be successfully opened.

Further, after the transaction information signed by using the user private key is sent to the authentication server, the application client sends an authentication closing request to the application server and the authentication server;

after receiving the authentication closing result of the application server and the authentication closing result of the authentication server, the application client deletes the user private key and the user public key of the application client.

In the embodiment of the application, the on-line identity authentication closing flow is specifically as follows:

first, a user initiates an authentication closing request, and an application server changes a first authentication working state into closing.

Then, the application server sends a closing request to the authentication server, the authentication server closes the authentication state of the current user, and sends a request for certificate revocation to the CFCA, and the request is returned to the application client in sequence after success.

And finally, after receiving the closing response of the application server, the application client clears the key generated when the application client is started.

The method for online identity authentication provided by the application is described in detail from the perspective of the application client, and the method for online identity authentication provided by the application is described below from the perspective of the application server. Fig. 8 is a schematic flow diagram corresponding to a method for online identity authentication according to an embodiment of the present application, as shown in fig. 8, where the method includes:

In step 801, an application server receives first biometric information sent by an application client.

It should be noted that, the first biometric information is collected by the application client based on the transaction request initiated by the user.

Step 802, the application server determines a first user authentication result of the first biometric information and sends the first user authentication result to the application client.

In step 803, the application server sends a first signature result signed by the application client using the user private key to the authentication server.

It should be noted that, the first signature result is sent to the application server by the application client after determining that the first user authentication result is authentication passing.

In step 804, the application server receives the first signature verification result of the transaction information sent by the authentication server, and determines whether to process the transaction request according to the first signature verification result.

It should be noted that, the first signature verification result is obtained by the authentication server verifying the first signature result according to the pre-stored certificate and the public key of the user.

According to the scheme, the first user authentication result of the first biological characteristic information is determined through the application server and sent to the application client, so that the authentication of the equipment to the user is realized; the transaction information signed by the application client side by using the user private key is sent to the authentication server, so that the authentication of the authentication server to the equipment is realized; therefore, the equipment which has safety risk for CFCA FIDO authentication or can not support the FIDO authentication temporarily is solved, online identity authentication is realized, and authentication safety is improved. In the embodiment of the present application, before step 801, the application server further performs a step flow as shown in fig. 9, specifically:

In step 901, the application server receives the second biometric information sent by the application client.

It should be noted that, the second biometric information is collected by the application client based on the authentication start request initiated by the user.

In step 902, the application server determines a second user authentication result of the second biometric information and sends the second user authentication result to the application client.

In step 903, the application server sends a second signature result of the application client signing the public key of the user by using the application key to the authentication server.

It should be noted that, the second signature result is sent by the application client after determining that the second user authentication result is authentication passing; the authentication server is used for generating a second signature verification result of the second signature result according to the pre-stored application secret key, and the second signature verification result is used for indicating whether the authentication server downloads the certificate of the user public key.

Before step 901, an application server receives a vulnerability query request sent by an application client; the vulnerability query request is sent by the application client after determining that the application client has a local authentication function;

The application server side sends a vulnerability query result to the application client side, wherein the vulnerability query result is used for indicating whether the equipment where the application client side is located is vulnerability equipment or not.

Further, in step 802, after the authentication results based on the N-time collected first biometric information are authentication failures, the application server sends indication information corresponding to the enhanced authentication mode to the application client according to the enhanced authentication mode in the audit policy;

And the application server determines an authentication result of the enhanced authentication mode to obtain a first user authentication result.

Further, fig. 10 is a schematic flow diagram corresponding to a method for online identity authentication according to an embodiment of the present invention, as shown in fig. 10, where the method includes:

In step 1001, the application client collects first biometric information of the user based on a transaction request initiated by the user.

In step 1002, the application server receives the first biometric information sent by the application client.

In step 1003, the application server determines a first user authentication result of the first biometric information and sends the first user authentication result to the application client.

In step 1004, the application client sends the first signature result signed by using the user private key to the authentication server after the first user authentication result is that the authentication is passed.

In step 1005, the authentication server generates a first signature verification result of the first signature result according to the pre-stored certificate and the user public key.

In step 1006, the authentication server sends the first signature verification result to the application server.

In step 1007, the application server determines whether to process the transaction request according to the first signature verification result.

It should be noted that the details of execution of the client and the server are identical to those of the above embodiments.

Based on the same inventive concept, fig. 11 illustrates an apparatus for online identity authentication according to an embodiment of the present invention, where the apparatus may be a flow of a method for online identity authentication.

The device comprises:

An acquisition module 1101, configured to acquire first biometric information of a user based on a transaction request initiated by the user;

The processing module 1102 is configured to send the first biometric information to an application server after determining that the authentication policy is application authentication; receiving a first user authentication result which is sent by the application server and is verified based on the first biological characteristic information; after the first user authentication result is that authentication is passed, transaction information signed by using a user private key is sent to an authentication server through the application server; the authentication server is used for generating a signature verification result of the transaction information according to a pre-stored certificate public key, and the signature verification result of the transaction information is used for indicating whether the application server side processes the transaction request or not.

Optionally, the obtaining module 1101 is further configured to: before the application client side collects first biological characteristic information of a user based on a transaction request initiated by the user, collecting second biological characteristic information of the user based on an authentication opening request initiated by the user; after determining that the authentication policy is application-side authentication, sending the second biometric information to the application server;

Transmitting a user public key signed by using an application secret key to the authentication server through the application server; the authentication server is used for downloading the signature verification result of the user public key according to the prestored application secret key, and the signature verification result of the user public key is used for indicating whether the authentication server downloads the certificate of the user public key or not.

Optionally, the processing module 1102 is further configured to: before the application client collects the second biometric information of the user based on the authentication opening request initiated by the user, the method further comprises:

Optionally, the processing module 1102 is specifically configured to: the authentication policy is as follows:

if the authentication policy is determined to have no local authentication function, the authentication policy is application authentication;

After determining that the application server has a local authentication function, sending a vulnerability query request to the application server; after the equipment where the application client is located is determined to be the vulnerability equipment, the authentication policy is determined to be the application authentication, otherwise, the authentication policy is determined to be the local authentication.

Optionally, the processing module 1102 is further configured to:

Sending an authentication closing request to the application server and the authentication server;

Based on the same inventive concept, fig. 12 illustrates an apparatus for online identity authentication according to an embodiment of the present invention, where the apparatus may be a flow of a method for online identity authentication. The device comprises:

An obtaining module 1201, configured to receive first biometric information sent by an application client; the first biological characteristic information is collected by the application client based on a transaction request initiated by a user;

a processing module 1202, configured to determine a first user authentication result of the first biometric information and send the first user authentication result to the application client; transmitting transaction information signed by the application client by using a user private key to an authentication server; the transaction information is sent by the application client after determining that the first user authentication result is authentication passing; receiving a signature verification result of the transaction information sent by the authentication server, and determining whether to process the transaction request according to the signature verification result of the transaction information; the signing verification result of the transaction information is obtained by the authentication server through signing verification of the transaction information according to a pre-stored certificate public key.

Optionally, the obtaining module 1201 is further configured to: before the application server receives the first biological characteristic information sent by the application client, receiving the second biological characteristic information sent by the application client; the second biological characteristic information is acquired by the application client based on an authentication opening request initiated by a user;

transmitting a user public key signed by the application client by using an application key to the authentication server; the user public key is sent by the application client after determining that the second user authentication result is authentication passing; the authentication server is used for downloading the signature verification result of the user public key according to the prestored application secret key, and the signature verification result of the user public key is used for indicating whether the authentication server downloads the certificate of the user public key or not.

Optionally, the processing module 1202 is specifically configured to:

Optionally, the processing module 1202 is further configured to: before the application server receives the second biological characteristic information sent by the application client, receiving a vulnerability query request sent by the application client; the vulnerability query request is sent by the application client after determining that the application client has a local authentication function;

And sending a vulnerability query result to the application client, wherein the vulnerability query result is used for indicating that the device where the application client is located is a vulnerability device.

The present invention is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments of the invention. It will be understood that each flow and/or block of the flowchart illustrations and/or block diagrams, and combinations of flows and/or blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.

These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.

These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.

While preferred embodiments of the present invention have been described, additional variations and modifications in those embodiments may occur to those skilled in the art once they learn of the basic inventive concepts. It is therefore intended that the following claims be interpreted as including the preferred embodiments and all such alterations and modifications as fall within the scope of the invention.

It will be apparent to those skilled in the art that various modifications and variations can be made to the present invention without departing from the spirit or scope of the invention. Thus, it is intended that the present invention also include such modifications and alterations insofar as they come within the scope of the appended claims or the equivalents thereof.

Claims

1. A method of online identity authentication, comprising:

If the application client determines that the application client does not have the local authentication function, the authentication policy is application authentication; the application client sends a vulnerability query request to an application server if the application client determines that the application client has a local authentication function; if the equipment where the application client is located is determined to be the vulnerability equipment, determining the authentication policy as application authentication, otherwise determining the authentication policy as local authentication;

After the application client determines that the authentication policy is application authentication, the application client sends the first biological characteristic information to the application server;

The application client receives a first user authentication result which is sent by the application server and is used for verifying the first biological characteristic information based on pre-stored biological characteristic information;

2. The method of claim 1, further comprising, prior to the application client gathering the first biometric information of the user based on the user-initiated transaction request:

The application client sends a second signature result for signing the user public key by using an application secret key to the authentication server; the authentication server is used for generating a second signature verification result of the second signature result according to the pre-stored application secret key, and the second signature verification result is used for indicating whether the authentication server downloads the certificate of the user public key or not.

3. The method of claim 2, wherein the application client, based on the user initiated authentication initiation request, further comprises, prior to collecting the second biometric information of the user:

4. A method according to any one of claims 1 to 3, wherein after the transaction information signed using the user private key is sent to the authentication server, further comprising:

5. A method of online identity authentication, comprising:

under the condition that the application client determines that the application client does not have a local authentication function, the authentication policy is application authentication;

The application server side sends a vulnerability query result to the application client side, wherein the vulnerability query result is used for indicating whether equipment where the application client side is located is vulnerability equipment or not and determining whether the authentication policy is application side authentication or not;

after the application client determines that the authentication policy is application authentication, the application server receives first biological characteristic information sent by the application client; the first biological characteristic information is collected by the application client based on a transaction request initiated by a user;

the application server determines a first user authentication result of the first biological characteristic information based on the pre-stored biological characteristic information and sends the first user authentication result to the application client;

6. The method of claim 5, further comprising, before the application server receives the first biometric information sent by the application client:

The application server sends a second signature result of the application client for signing the user public key by using an application secret key to the authentication server; the second signature result is sent by the application client after determining that the second user authentication result is authentication passing; the authentication server is used for generating a second signature verification result of the second signature result according to the pre-stored application secret key, and the second signature verification result is used for indicating whether the authentication server downloads the certificate of the user public key or not.

7. The method of any one of claims 5 or 6, wherein the application service end determines a first user authentication result of the first biometric information based on pre-stored biometric information, comprising:

and the application server determines an authentication result of the enhanced authentication mode to obtain the first user authentication result.

8. A method of online identity authentication, comprising:

After the application client determines that the authentication policy is application authentication, the application client sends the first biological characteristic information to the application server; the application server receives first biological characteristic information sent by the application client;

9. An apparatus for online identity authentication, the apparatus comprising:

The processing module is used for the application client to determine that the application client does not have a local authentication function, and the authentication policy is application authentication; the application client sends a vulnerability query request to an application server if the application client determines that the application client has a local authentication function; if the equipment where the application client is located is determined to be the vulnerability equipment, determining the authentication policy as application authentication, otherwise determining the authentication policy as local authentication; after determining that the authentication policy is application-side authentication, sending the first biological characteristic information to the application server side; receiving a first user authentication result which is sent by the application server and is used for verifying the first biological characteristic information based on pre-stored biological characteristic information; after the first user authentication result is that authentication is passed, a first signature result signed by using a user private key is sent to an authentication server; the authentication server is used for generating a first signature verification result of the first signature result according to a pre-stored certificate and a user public key, and the first signature verification result is used for indicating whether the application server side processes the transaction request or not.

10. An apparatus for online identity authentication, the apparatus comprising:

The processing module is used for receiving a vulnerability query request sent by the application client by the application server; the vulnerability query request is sent by the application client after determining that the application client has a local authentication function;

The processing module is used for authenticating the application terminal according to an authentication policy if the application client terminal determines that the application client terminal does not have a local authentication function;

the processing module is configured to send a vulnerability query result to the application client by using the application server, where the vulnerability query result is used to indicate whether the device where the application client is located is a vulnerability device, and determine whether the authentication policy is application authentication;

The acquisition module is used for receiving the first biological characteristic information sent by the application client side by the application server side after the application client side determines that the authentication policy is the authentication of the application side; the first biological characteristic information is collected by the application client based on a transaction request initiated by a user;

The processing module is used for determining a first user authentication result of the first biological characteristic information based on the pre-stored biological characteristic information by the application server and sending the first user authentication result to the application client;

The processing module is used for the application server to send a first signature result signed by the application client by using a user private key to the authentication server; the first signature result is sent to the application server after the application client determines that the first user authentication result is authentication passing;

The processing module is used for receiving a first signature verification result sent by the authentication server by the application server and determining whether to process the transaction request according to the first signature verification result; the first signature verification result is obtained by the authentication server through verification of the first signature result according to a pre-stored certificate and a user public key.

11. A computing device, comprising:

a memory for storing program instructions;

A processor for invoking program instructions stored in said memory to perform the method of any of claims 1 to 4, 5 to 7 or 8 in accordance with the obtained program.

12. A computer readable non-transitory storage medium comprising computer readable instructions which, when read and executed by a computer, cause the computer to perform the method of any one of claims 1 to 4, 5 to 7 or 8.