CN111931144B - Unified safe login authentication method and device for operating system and service application - Google Patents


Info

Publication number: CN111931144B
Authority: CN (China)
Prior art keywords: authentication, user, operating system, login, information
Legal status: Active (as listed by Google Patents; an assumption, not a legal conclusion)
Application number: CN202010493772.9A
Other languages: Chinese (zh)
Other versions: CN111931144A
Inventors: 颜涛, 郭子昕, 朱江, 韩勇, 朱世顺, 刘苇, 张跃, 孙圣武
Current assignee: Nari Information and Communication Technology Co (as listed by Google Patents)
Original assignee: Nari Information and Communication Technology Co

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31 User authentication
    • G06F21/32 User authentication using biometric data, e.g. fingerprints, iris scans or voiceprints
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31 User authentication
    • G06F21/34 User authentication involving the use of external additional devices, e.g. dongles or smart cards
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/45 Structures or tools for the administration of authentication
    • G06F21/46 Structures or tools for the administration of authentication by designing passwords or checking the strength of passwords
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2141 Access rights, e.g. capability lists, access control lists, access tables, access matrices

Abstract

The invention discloses a unified safe login authentication method and a unified safe login authentication device for operating system users and service users. A unified centralized control mechanism is used to register, authorize and manage the login authentication information of all personnel identities across the whole network, so that user identity authentication information is shared and consistent. The method establishes an association strategy between a virtual account of an operating system and an entity personnel user, realizes single sign-on for a user logging in to the operating system and business applications, and realizes password-free high-strength identity authentication by using UsbKey authentication technology together with fingerprint, face, iris and other biometric identification technologies.

Description

Unified safe login authentication method and device for operating system and service application
Technical Field
The invention belongs to the technical field of information security identity authentication, and particularly relates to a unified security login authentication method for an operating system and service application, and a device corresponding to the method.
Background
User login authentication is the entry point to a host operating system and its service application systems and the first line of defense for network information security; reliable identification of identity is essential for ensuring the security and confidentiality of systems and data.
At present, almost all access control models and identity authentication mechanisms at the operating system level are independent of service applications, so user identity information cannot be shared: the same user must configure multiple accounts to access multiple pieces of service software on one operating system host and must repeat login authentication several times. As a result, resource access rights are not uniform, single sign-on cannot be achieved, and the efficiency of shared resource access suffers. Moreover, the authentication methods of the various service applications differ widely, which hinders unified management, security auditing and tracing of violations.
On the other hand, traditional identity authentication based on static or dynamic passwords, smart cards, UsbKeys and the like carries many potential security hazards, such as the low security level of account passwords, easy identity impersonation and poor convenience.
Disclosure of Invention
The invention aims to overcome the defects of the prior art by providing a unified safe login authentication method and device for an operating system and a service application, solving the technical problem that, in the prior art, authentication of host operating system virtual accounts and of service application access users is dispersed and inconsistent across the whole network.
In order to solve the above technical problem, the present invention provides a unified security login authentication method for an operating system and a service application, characterized by comprising the following steps:
registering user information, host equipment information and service application program information; the user information comprises basic information and identity authentication data of a user, and the host equipment information comprises a virtual account of an operating system;
associating the user information with a virtual account of the operating system;
in response to a user's operation of logging in to a host operating system, acquiring the user's corresponding identity certificate from an identity authentication terminal according to an authentication mode, and acquiring the host equipment information;
performing identity authentication on the user according to the user's identity certificate and host equipment information and the registered identity authentication data and host equipment information; if the authentication is successful, obtaining the operating system virtual account associated with the user;
authenticating the virtual account of the operating system, and if the authentication is successful, allowing the user to log in to the operating system based on the virtual account;
and acquiring the operating system login account, and allowing the user to automatically log in to the service application program if the account has the authority to access the service application program.
Further, the identity authentication data comprises a user name and a password, signature data, fingerprints, a face and irises.
Further, the authentication mode comprises one or more combinations of user name and password authentication, signature data, fingerprint authentication, face recognition authentication and iris recognition authentication.
Further, if authentication of the virtual account of the operating system is unsuccessful, the user is not allowed to log in to the operating system.
Further, if the operating system login account does not have the authority to access the service application program, secondary authentication is performed for the service application program.
Further, the secondary authentication of the business application includes:
issuing an identity authentication terminal, where the terminal carries the user access rights designated by authorization;
acquiring the identity certificate corresponding to the user from the identity authentication terminal according to the authentication mode for logging in to the service application program;
authenticating the user's identity certificate and the user's access authority; and if the authentication is successful, allowing the user to log in to the service application program.
Correspondingly, the invention provides a unified safe login authentication device for an operating system and business application, which is characterized by comprising an information registration module, an information association module, an authentication information acquisition module, an authentication module, an operating system login module and an application program login module, wherein:
the information registration module is used for registering user information, host equipment information and service application program information; the user information comprises basic information and identity authentication data of a user, and the host equipment information comprises a virtual account of an operating system;
the information association module is used for associating the user information with the virtual account of the operating system;
the authentication information acquisition module is used for responding to the operation of a user logging in to the host operating system, acquiring the user's corresponding identity certificate from the identity authentication terminal according to an authentication mode, and acquiring the host equipment information;
the authentication module is used for authenticating the identity of the user according to the identity certificate and the host equipment information of the user and the registered identity authentication data and the host equipment information; if the authentication is successful, obtaining an operating system virtual account associated with the user;
the operating system login module is used for authenticating the virtual account of the operating system, and if the authentication is successful, the user is allowed to log in to the operating system based on the virtual account;
and the application program login module is used for acquiring the operating system login account, and if the account has the authority to access the business application program, allowing the user to automatically log in to the business application program.
Further, the identity authentication data includes a user name and a password, signature data, a fingerprint, a face and an iris.
Further, the authentication mode comprises one or more combinations of user name and password authentication, signature data, fingerprint authentication, face recognition authentication and iris recognition authentication.
Further, the application program login module further includes a secondary login authentication module, where the secondary login authentication module is configured to perform secondary authentication on the service application program if the operating system login account does not have the authority to access the service application program, and the secondary login authentication module includes:
acquiring an identity certificate corresponding to a user from an identity authentication terminal according to an authentication mode of a login service application program;
authenticating the user identity certificate and the user access authority; and if the authentication is successful, allowing the user to log in the service application program.
Compared with the prior art, the invention has the following beneficial effects: a unified centralized control mechanism is used to register, authorize and manage the login authentication information of all personnel identities across the whole network, so that user identity authentication information is shared and consistent; the method establishes an association strategy between a virtual account of an operating system and an entity personnel user, realizes single sign-on for a user logging in to the operating system and business applications, and realizes password-free high-strength identity authentication by using UsbKey authentication technology together with fingerprint, face, iris and other biometric identification technologies.
Drawings
FIG. 1 is a block diagram of the modules of the present invention;
FIG. 2 is a flow chart of the method of the present invention;
FIG. 3 is a schematic diagram of the overall application of an embodiment of the method of the present invention;
FIG. 4 is the functional interaction flow encapsulated inside the identity authentication SDK interface according to the present invention.
Detailed Description
The invention is further described below with reference to the accompanying drawings. The following examples are only for illustrating the technical solutions of the present invention more clearly, and the protection scope of the present invention is not limited thereby.
Biometric authentication technology is a hotspot of current research and application in the field of identity authentication and is considered the most secure identity authentication method. Using biometric identification technologies based on fingerprints, irises, faces and the like for user login authentication can completely replace the user name and password login mode used by operating systems and services, eliminate potential security hazards such as weak passwords, password leakage and misuse, ensure that a user's identity is trustworthy, and achieve high-strength identity authentication.
The inventive concept is as follows: a unified identity authentication service system is built on human biometric identification technology, intelligent UsbKey authentication technology and a PKI digital certificate system, so that the identity authentication requirements of users across the whole network for logging in to an operating system and logging in to service application programs are met and password-free high-strength authentication is realized; single sign-on for a user logging in to the operating system and the service applications is realized through the association strategy between the operating system virtual account and the entity personnel user. By authorizing and verifying multidimensional authentication elements such as user information, operating system host equipment information and service application program information, multilevel cascaded authentication covering user security, equipment security and application program security is realized, and authentication security is greatly enhanced.
Referring to fig. 1, the technical solution of the present invention includes an identity authentication terminal, an operation host device, an identity authentication SDK, and a unified identity authentication server.
The identity authentication terminal in the embodiment of the invention comprises a fingerprint UsbKey, a Usb camera and/or an iris identifier, wherein the fingerprint UsbKey is used for collecting and storing fingerprint information, identifying user fingerprints, generating user key pairs, safely storing personal digital certificates and calculating user signatures; the Usb camera is used for acquiring a face image of a login user and acquiring a 128-bit characteristic value of the face image; the iris recognition instrument is used for acquiring the iris characteristics of the eyes of the login user and comparing and verifying the iris characteristics.
The operating host equipment in the embodiment of the invention runs a Linux desktop operating system and is the carrier on which the service application programs run; a user logs in to an operating system account and accesses service application programs through this host. An identity authentication SDK dynamic library is deployed in the operating system and is called by the operating system's PAM authentication module and by the service application programs to realize the secure login authentication function for the user. The unified identity authentication service interface is an independently deployed background management system.
The identity authentication SDK in the embodiment of the invention is a dynamic library of interfaces used for collecting, processing, encrypting for transmission, and authenticating user identity authentication data (comprising user names, user signature data, fingerprints, faces and irises), operating host equipment information (comprising MAC, IP and hard disk serial numbers) and service application program information (comprising application program names, version numbers and MD5 values). Its API is called by service application programs and by the operating system PAM module; it encapsulates the fingerprint information extraction of the operating host equipment, the fingerprint information extraction of the service application program, the read/write operations of the identity authentication terminal, the data preprocessing algorithm, encrypted and decrypted transmission, and the communication and interaction process with the background unified identity authentication server, so that a unified one-call interface is provided that shields all application scenarios from the underlying authentication technology. The interaction flow between the identity authentication SDK and the unified identity authentication server is shown in FIG. 3. The specific process is as follows:
When the identity authentication SDK interface is called, the hardware information of the operating host equipment, including MAC, IP, hard disk serial number and the like, is first acquired automatically, and a unique hash value is generated from it with the SM3 national cryptographic algorithm to serve as the equipment identifier. Next, whether to acquire a service application program identifier is determined from the call parameters; if so, a service application identifier is generated with the SM3 algorithm from information such as the application program name, version number and application program executable file. Then, according to the authentication mode selected by the caller (one of static password, UsbKey, face or iris), either the static user name and password are read, or the user authentication credential information is acquired through the identity authentication terminal: a fingerprint, a user name, a user UsbKey signature value, a face characteristic value or an iris characteristic value. If the equipment identifier, the application program identifier and the user authentication information are all extracted successfully, an authentication request message is assembled and sent to the background unified identity authentication server over TCP/SSL secure encrypted communication, the authentication response is received, and if the authentication passes, a fixed-length (128) identity Token is returned for subsequent single sign-on or Token authentication.
The unified identity authentication server in the embodiment of the invention is deployed independently of business applications; it provides information registration, information association and binding authorization, authentication management and Token management functions through a graphical operation client, and starts a TCP/SSL communication service to provide authentication services externally, which support static password authentication, face identification authentication, iris identification authentication and identity Token authentication.
Based on the above technical solution, as shown in FIG. 4, the unified secure login authentication method for an operating system and business application of the present invention is described by taking as an example a user A who logs in and accesses business application A and business application B through host PC1. It includes the following steps:
First step, information registration:
the basic information and identity authentication information of user A, the equipment information of host PC1, and the information of service application programs A and B are registered in the background unified identity authentication server.
The specific process is as follows:
First, user A submits an access authorization application. The administrator of the unified identity authentication service system enters the user's basic information, including user name, gender, organization, department, position, default static password and the like, into the background database, collects the user's identity authentication data (including fingerprint information, face characteristic information and iris characteristic information), and issues a UsbKey identity authentication terminal. Then the host PC1 device information (including MAC, IP, hard disk serial number and the like) and the virtual account information for operating system login are registered, and finally the application program information (including application name, version number, MD5 value and the like) is registered.
After successful registration, the unified identity authentication service system generates, with the SM3 hash algorithm and from the registered host device information and business application program information respectively, a unique identifier for the host hardware (the device fingerprint information) and a unique identifier for the business application program (the program fingerprint information); these are used for the subsequent host credibility verification and business application program credibility verification respectively.
Second step, user authorization:
the operator of the unified identity authentication service system checks the user registration information, host equipment information and business application program information, sets the user state, the host equipment and business application programs A and B as trusted according to the user's actual access requirements, and associates and binds the user name of user A with the operating system login virtual account on the host equipment; authorization is then complete. Here, one real user corresponds to one virtual account of the operating system.
Third step, login authentication:
the identity authentication SDK and the PAM authentication module are deployed on host PC1 and the device is restarted for them to take effect. Referring to FIG. 2, when a user logs in to the host operating system, an authentication mode is selected according to the login interface prompt (UsbKey authentication, face identification authentication or iris identification authentication) and the corresponding identity authentication terminal is inserted according to the authentication mode (a fingerprint-type UsbKey, a camera or an iris recognition instrument).
At this point the PAM authentication module calls the corresponding interface of the identity authentication SDK to obtain the identity certificate of the user being authenticated (fingerprint, certificate information, user signature, face characteristics or iris characteristics), which is sent to the unified identity authentication server under SSL secure encryption to realize identity authentication based on user name plus password, biometric characteristics (fingerprint, face) or UsbKey. After successful authentication the user name, the associated virtual account of the host operating system and a token are returned; the virtual account is then passed to the PAM authentication module to complete the operating system login, and the user name and token are stored in memory for subsequent service application login.
Fourth step, single sign-on:
after successfully logging in to the operating system, the user starts service application program A. Service application program A first calls the identity authentication SDK interface to obtain the operating system login user name and token; if the user has the authority to access service application program A (as controlled by the application program), the user is logged in to the service system automatically; otherwise a login window is opened for secondary login authentication.
The secondary authentication of the service application program is described by taking fingerprint type UsbKey authentication login as an example, and comprises the following steps:
the first step is as follows: a system administrator initializes fingerprint type UsbKey authentication equipment and authorizes an appointed user access right, wherein the designated user access right comprises input personnel fingerprints, personnel digital certificates and background unified authentication service registration authorization;
the second step is that: a user uses fingerprint type UsbKey equipment as an authentication carrier to authenticate, inserts an UsbKey terminal, selects UsbKey authentication on a service application program login interface, clicks login, and calls an UsbKey authentication function in an identity authentication SDK interface in a background;
the third step: according to the prompt of a user to input a fingerprint, the authentication interface is responsible for calling UsbKey equipment drive to read and identify the fingerprint, if the fingerprint authentication is successful, the authentication interface further acquires a digital certificate of a person in the UsbKey, generates a random number and signs the random number; secondly, acquiring a hardware fingerprint identifier of the host and an application program fingerprint identifier assembly authentication request message, and sending the authentication request message to a unified identity authentication server for authentication; otherwise, if the fingerprint authentication fails, jumping to the fifth step, the authentication interface leaves the authentication interface and returns to fail, prompting the user that the authentication fails, and forbidding logging in the service application program;
the fourth step: the unified identity authentication server receives and processes authentication request information, and firstly analyzes a user name, user signature data, a host hardware fingerprint characteristic identifier and an application program fingerprint characteristic identifier; then inquiring a background database, if the fingerprint feature identifier of the host is in a trusted host list (the host is trusted after the authorization is successful), judging that the host is legal and trusted, then inquiring whether the fingerprint feature identifier of the application program is in the trusted application program list again, so as to judge whether the program is trusted, further verifying the user information and the signature data if the program is successful, checking the signature of the signature data by using a corresponding personnel certificate, if the signature is successful, generating an identity token by the server, and returning an authentication response;
the fifth step: the authentication interface returns an authentication result to the service application program authentication module, if the authentication is successful, the service application program is logged in for subsequent operation, otherwise, the user is prohibited from logging in.
The advantages of the invention are as follows: identity authentication of the user entity that logs in to the host operating system is realized, improving the security of the host and the operating system; authentication information is managed uniformly across the whole network, information is shared and consistent, and the general requirement of registering once for use network-wide is met; a binding between the virtual account and the personnel entity information is established, realizing single sign-on to the operating system and business application programs; and authentication security is higher, because entity authentication uses UsbKey and biometric identification technology, the authentication elements include not only personnel but also hardware host information, and the service application program is authenticated in a trusted manner.
Examples
Correspondingly, the invention provides a unified secure login authentication device for an operating system and business applications, characterized in that it comprises an information registration module, an information association module, an authentication information acquisition module, an authentication module, an operating system login module and an application program login module, wherein:
the information registration module is used for registering user information, host equipment information and business application program information; the user information comprises the basic information and identity authentication data of a user, and the host equipment information comprises a virtual account of the operating system;
the information association module is used for associating the user information with the virtual account of the operating system;
the authentication information acquisition module is used for responding to a user's operation of logging in to the host operating system by acquiring the user's corresponding identity credential from the identity authentication terminal according to the authentication mode, and acquiring the host equipment information;
the authentication module is used for authenticating the identity of the user by checking the user's identity credential and the host equipment information against the registered identity authentication data and the registered host equipment information; if the authentication is successful, the operating system virtual account associated with the user is obtained;
the operating system login module is used for authenticating the virtual account of the operating system and, if the authentication is successful, allowing the user to log in to the operating system with the virtual account;
and the application program login module is used for acquiring the operating system login account and, if that account has the authority to access the business application program, allowing the user to log in to the business application program automatically.
Further, the identity authentication data includes a user name and password, signature data, and fingerprint, face and iris data.
Further, the authentication mode comprises one of, or a combination of, user name and password authentication, signature data authentication, fingerprint authentication, face recognition authentication and iris recognition authentication.
Further, the application program login module also includes a secondary login authentication module, which is configured to perform secondary authentication for the business application program if the operating system login account does not have the authority to access it. The secondary login authentication module:
acquires the identity credential corresponding to the user from the identity authentication terminal according to the authentication mode of the business application program being logged in to;
authenticates the user's identity credential and the user's access authority; and, if the authentication is successful, allows the user to log in to the business application program.
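As an added illustration that is not part of the patent or of the assignee's software, the following Python model walks the device's flow end to end: registration and association, host login checked against identity credentials plus host equipment information, authentication of the associated virtual account, and application login with the secondary-authentication fallback. Storing credentials as SHA-256 digests, the per-host account secret, the `Registry` class and all sample values are constructed assumptions, not details given in the patent.

```python
from dataclasses import dataclass, field
from hashlib import sha256
from hmac import compare_digest

def digest(value: str) -> str:
    """Keep only a digest of each registered credential (constructed storage scheme)."""
    return sha256(value.encode()).hexdigest()

def matches(stored: str, presented: str) -> bool:
    return compare_digest(stored, digest(presented))  # constant-time comparison

@dataclass
class Registry:
    """Registration and association data held by the authentication server (assumed layout)."""
    users: dict = field(default_factory=dict)  # user -> {auth mode: credential digest}
    hosts: dict = field(default_factory=dict)  # host id -> {"account": name, "secret": digest}
    apps: dict = field(default_factory=dict)   # app -> {"auto": accounts, "mode": str, "users": set}
    links: dict = field(default_factory=dict)  # user -> operating-system virtual account
    def register_user(self, user, credentials):
        self.users[user] = {mode: digest(c) for mode, c in credentials.items()}
    def register_host(self, host_id, account, secret):
        self.hosts[host_id] = {"account": account, "secret": digest(secret)}
    def register_app(self, app, auto_accounts, mode, permitted_users):
        self.apps[app] = {"auto": set(auto_accounts), "mode": mode, "users": set(permitted_users)}
    def associate(self, user, account):
        self.links[user] = account

def authenticate_host_login(reg, user, host_id, modes, presented):
    """Authentication module: every requested mode must verify against registered identity
    data and the host must be registered; returns the associated virtual account or None."""
    stored, host = reg.users.get(user), reg.hosts.get(host_id)
    if stored is None or host is None:
        return None
    for mode in modes:
        if mode not in stored or mode not in presented or not matches(stored[mode], presented[mode]):
            return None
    account = reg.links.get(user)
    return account if account == host["account"] else None  # account must belong to this host

def login_os(reg, host_id, account, secret) -> bool:
    """Operating system login module: authenticate the virtual account itself."""
    host = reg.hosts.get(host_id)
    return host is not None and host["account"] == account and matches(host["secret"], secret)

def login_app(reg, user, account, app, presented=None) -> str:
    """'auto' if the OS login account is authorised; otherwise secondary authentication."""
    entry = reg.apps.get(app)
    if entry is None:
        return "denied"
    if account in entry["auto"]:
        return "auto"
    stored = reg.users.get(user, {})
    if presented is None or entry["mode"] not in stored or user not in entry["users"]:
        return "denied"
    return "secondary" if matches(stored[entry["mode"]], presented) else "denied"
```

Note that a wrong host identifier fails the login even with correct user credentials, which is the point of including host equipment information as an authentication factor.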
As will be appreciated by one skilled in the art, embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the application. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
The above description is only a preferred embodiment of the present invention, and it should be noted that, for those skilled in the art, several modifications and variations can be made without departing from the technical principle of the present invention, and these modifications and variations should also be regarded as the protection scope of the present invention.

Claims (8)

1. A unified secure login authentication method for an operating system and business applications, characterized in that it comprises the following steps:
registering user information, host equipment information and business application program information; the user information comprises the basic information and identity authentication data of a user, and the host equipment information comprises a virtual account of the operating system;
associating the user information with the virtual account of the operating system;
in response to a user's request to log in to the host operating system, acquiring the user's corresponding identity credential from the identity authentication terminal according to the authentication mode, and acquiring the host equipment information;
performing identity authentication of the user by checking the user's identity credential and the host equipment information against the registered identity authentication data and the registered host equipment information; if the authentication is successful, obtaining the operating system virtual account associated with the user;
authenticating the virtual account of the operating system and, if the authentication is successful, allowing the user to log in to the operating system with the virtual account;
acquiring the operating system login account and, if that account has the authority to access the business application program, allowing the user to log in to the business application program automatically; if the operating system login account does not have the authority to access the business application program, performing secondary authentication for the business application program, wherein the secondary authentication comprises:
acquiring the identity credential corresponding to the user from the identity authentication terminal according to the authentication mode of the business application program being logged in to;
authenticating the user's identity credential and the user's access authority; and, if the authentication is successful, allowing the user to log in to the business application program.
2. The unified secure login authentication method for an operating system and business applications as claimed in claim 1, wherein the identity authentication data comprises a user name and password, signature data, and fingerprint, face and iris data.
3. The unified secure login authentication method for an operating system and business applications as claimed in claim 1, wherein the authentication mode comprises one or more of user name and password authentication, signature data authentication, fingerprint authentication, face recognition authentication and iris recognition authentication.
4. The method as claimed in claim 1, wherein, if authentication of the virtual account of the operating system fails, the user is not allowed to log in to the operating system.
5. A unified secure login authentication device for an operating system and business applications, characterized in that it comprises an information registration module, an information association module, an authentication information acquisition module, an authentication module, an operating system login module and an application program login module, wherein:
the information registration module is used for registering user information, host equipment information and business application program information; the user information comprises the basic information and identity authentication data of a user, and the host equipment information comprises a virtual account of the operating system;
the information association module is used for associating the user information with the virtual account of the operating system;
the authentication information acquisition module is used for responding to a user's operation of logging in to the host operating system by acquiring the user's corresponding identity credential from the identity authentication terminal according to the authentication mode, and acquiring the host equipment information;
the authentication module is used for authenticating the identity of the user by checking the user's identity credential and the host equipment information against the registered identity authentication data and the registered host equipment information; if the authentication is successful, the operating system virtual account associated with the user is obtained;
the operating system login module is used for authenticating the virtual account of the operating system and, if the authentication is successful, allowing the user to log in to the operating system with the virtual account;
and the application program login module is used for acquiring the operating system login account and, if that account has the authority to access the business application program, allowing the user to log in to the business application program automatically.
6. The unified secure login authentication device for an operating system and business applications as claimed in claim 5, wherein said identity authentication data comprises a user name and password, signature data, and fingerprint, face and iris data.
7. The unified secure login authentication device for an operating system and business applications as claimed in claim 5, wherein said authentication mode comprises one of, or a combination of, user name and password authentication, signature data authentication, fingerprint authentication, face recognition authentication and iris recognition authentication.
8. The device as claimed in claim 5, wherein the application program login module further comprises a secondary login authentication module configured to perform secondary authentication for the business application program if the operating system login account does not have the authority to access it, the secondary login authentication module:
acquiring the identity credential corresponding to the user from the identity authentication terminal according to the authentication mode of the business application program being logged in to;
authenticating the user's identity credential and the user's access authority; and, if the authentication is successful, allowing the user to log in to the business application program.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010493772.9A CN111931144B (en) 2020-06-03 2020-06-03 Unified safe login authentication method and device for operating system and service application

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202010493772.9A CN111931144B (en) 2020-06-03 2020-06-03 Unified safe login authentication method and device for operating system and service application

Publications (2)

Publication Number Publication Date
CN111931144A CN111931144A (en) 2020-11-13
CN111931144B true CN111931144B (en) 2023-04-07

Family

ID=73317130

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010493772.9A Active CN111931144B (en) 2020-06-03 2020-06-03 Unified safe login authentication method and device for operating system and service application

Country Status (1)

Country Link
CN (1) CN111931144B (en)

Families Citing this family (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112543454B (en) * 2020-11-30 2022-11-15 亚信科技(成都)有限公司 Authentication method and equipment
CN113051545A (en) * 2020-12-11 2021-06-29 北京芯盾时代科技有限公司 User authentication method and device
CN113014576B (en) * 2021-02-23 2023-05-12 中国联合网络通信集团有限公司 Service authority control method, device, server and storage medium
CN113468514A (en) * 2021-06-28 2021-10-01 深圳供电局有限公司 Multi-factor identity authentication method and system in intranet environment
CN113343273B (en) * 2021-06-30 2022-12-30 重庆渝高科技产业(集团)股份有限公司 User login method, first server and computer readable storage medium
CN113742705A (en) * 2021-08-30 2021-12-03 北京一砂信息技术有限公司 Method and system for realizing IFAA (Interface authentication and Access Association) number based authentication service
CN113992353B (en) * 2021-09-27 2024-01-09 北京达佳互联信息技术有限公司 Login certificate processing method and device, electronic equipment and storage medium
CN114363015B (en) * 2021-12-17 2024-03-15 上海大智慧申久信息技术有限公司 Customer identity authentication method and system under multi-account system
CN117455315A (en) * 2023-12-20 2024-01-26 合肥创诚科技信息技术有限公司 Project data management system for research and development of small and medium enterprises

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108833361A (en) * 2018-05-23 2018-11-16 国政通科技股份有限公司 A kind of identity identifying method and device based on virtual account
CN110213246A (en) * 2019-05-16 2019-09-06 南瑞集团有限公司 A kind of wide area multiple-factor identity authorization system
CN110351269A (en) * 2019-07-05 2019-10-18 苏州思必驰信息科技有限公司 The method for logging in open platform by third-party server

Also Published As

Publication number Publication date
CN111931144A (en) 2020-11-13

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant