CN112653679A - Dynamic identity authentication method, device, server and storage medium - Google Patents
- Publication number: CN112653679A
- Application number: CN202011471797.5A
- Authority
- CN
- China
- Prior art keywords
- score
- authentication
- trust
- user agent
- agent information
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Classifications
- H04L63/08 — Network architectures or network communication protocols for network security for authentication of entities
- H04L63/083 — ... for authentication of entities using passwords
- H04L63/0838 — ... for authentication of entities using passwords using one-time-passwords
- H04L63/0861 — ... for authentication of entities using biometrical features, e.g. fingerprint, retina-scan
- H04L63/18 — Network architectures or network communication protocols for network security using different networks or channels, e.g. using out of band channels
- H04W4/14 — Short messaging services, e.g. short message services [SMS] or unstructured supplementary service data [USSD]
Landscapes
- Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- Computer Security & Cryptography (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Health & Medical Sciences (AREA)
- Biomedical Technology (AREA)
- General Health & Medical Sciences (AREA)
- Financial Or Insurance-Related Operations Such As Payment And Settlement (AREA)
Abstract
The embodiments of the invention disclose a dynamic identity authentication method, a dynamic identity authentication device, a server and a storage medium. The method comprises the following steps: acquiring the user agent information in the identity authentication request corresponding to a login behavior, acquiring the corresponding trust scores and weight values, and calculating a total score for the identity authentication request; if the total score is lower than the trust threshold, triggering the authentication mode corresponding to the score segment to which the total score belongs; updating the trust score of each dimension of the user agent information according to the authentication result and a preset score adjustment model, and recalculating the total score from the adjusted trust scores and the corresponding weight values, where the score adjustment model is the configuration that specifies how the trust score of each dimension is adjusted for a given authentication result; and determining the identity authentication result of the login behavior from the comparison of the recalculated total score with the trust threshold and from the authentication result. By authenticating the login behavior dynamically in this way, the embodiments improve the security of identity authentication.
Description
Technical Field
The embodiments of the present invention relate to identity authentication technologies, and in particular, to a dynamic identity authentication method, apparatus, server, and storage medium.
Background
No software system can do without identity authentication, and identity authentication must balance security against convenience. This places higher demands on identity authentication.
Traditional authentication systems adopt strong-factor authentication (such as face recognition) or multi-factor authentication, and the information security classified protection scheme explicitly requires that a user's identity be authenticated by a combination of two or more techniques such as passwords, cryptographic techniques and biometrics, at least one of which must be implemented with cryptographic techniques. For example, the simple username/password mechanisms currently on the market trigger an account or IP lockout policy according to the number of failed access attempts.
However, these are usually fixed policies. Since zero trust has gained wide attention and adoption, the visitor at the access entrance may no longer be the user but an illegitimate actor such as account-theft software, and the accessing terminals are increasingly diverse. Traditional authentication clearly cannot meet the needs of today's complex usage environment, so improving the security of identity authentication has become an urgent problem.
Disclosure of Invention
Embodiments of the present invention provide a dynamic identity authentication method, apparatus, server, and storage medium, which can implement dynamic identity authentication on a login behavior, and improve security of identity authentication.
In a first aspect, an embodiment of the present invention provides a dynamic identity authentication method, including:
acquiring user agent information in an identity authentication request corresponding to a login behavior, acquiring trust scores and weight values corresponding to the user agent information, and calculating a total score of the identity authentication request according to each trust score and corresponding weight value, wherein the user agent information is determined based on login information and application attribute information;
if the total score is lower than the trust threshold, triggering the authentication mode corresponding to the score segment to which the total score belongs;
obtaining an authentication result corresponding to the authentication mode, respectively updating trust scores of all dimensions in the user agent information according to the authentication result and a preset score adjustment model, and recalculating the total score of the identity authentication request according to each adjusted trust score and a corresponding weight value, wherein the score adjustment model is used for indicating configuration information for adjusting the trust scores of all dimensions in the user agent information according to the authentication result;
and determining the identity authentication result of the login behavior according to the comparison result of the recalculated total score and the trust threshold and the authentication result.
In a second aspect, an embodiment of the present invention further provides a dynamic identity authentication apparatus, including:
the score calculation module is used for acquiring user agent information in the identity authentication request corresponding to the login behavior, acquiring trust scores and weight values corresponding to the user agent information, and calculating the total score of the identity authentication request according to the trust scores and the corresponding weight values, wherein the user agent information is determined based on the login information and the application attribute information;
the authentication triggering module is used for triggering the authentication mode corresponding to the score segment to which the total score belongs if the total score is lower than the trust threshold;
the score adjusting module is used for acquiring an authentication result corresponding to the authentication mode, respectively updating trust scores of all dimensions in the user agent information according to the authentication result and a preset score adjusting model, and recalculating the total score of the identity authentication request according to each adjusted trust score and a corresponding weight value, wherein the score adjusting model is used for indicating configuration information for adjusting the trust scores of all dimensions in the user agent information according to the authentication result;
and the result determining module is used for determining the identity authentication result of the login behavior according to the comparison result of the recalculated total score and the trust threshold and the authentication result.
In a third aspect, an embodiment of the present invention further provides a server, where the server includes:
one or more processors;
a memory for storing one or more programs which, when executed by the one or more processors, cause the one or more processors to implement the dynamic identity authentication method provided by any embodiment of the invention.
In a fourth aspect, embodiments of the present invention further provide a storage medium containing computer-executable instructions, which when executed by a computer processor, are configured to perform the dynamic identity authentication method provided in any of the embodiments of the present invention.
The method comprises the steps of obtaining user agent information in an identity authentication request corresponding to a login behavior, obtaining trust scores and weight values corresponding to the user agent information, calculating a total score of the identity authentication request according to the trust scores and the corresponding weight values, triggering an authentication mode corresponding to a score section to which the total score belongs if the total score is lower than a trust threshold, respectively updating the trust scores of all dimensions in the user agent information according to an authentication result and a preset score adjustment model, recalculating the total score of the identity authentication request according to each adjusted trust score and the corresponding weight value, and determining the identity authentication result of the login behavior according to a comparison result of the recalculated total score and the trust threshold and the authentication result. According to the embodiment of the invention, the trust scores corresponding to all dimensions in the user agent information are dynamically adjusted in the identity authentication process of the login behavior, so that the login behavior is dynamically authenticated under the condition of not reducing the use convenience of the user, the risk of the user account being stolen is reduced, and the security of the identity authentication is improved.
Drawings
Fig. 1 is a flowchart of a dynamic identity authentication method according to an embodiment of the present invention;
fig. 2 is a flowchart of another dynamic identity authentication method according to the second embodiment of the present invention;
fig. 3 is a schematic structural diagram of a dynamic identity authentication apparatus according to a third embodiment of the present invention;
fig. 4 is a schematic structural diagram of a server according to a fourth embodiment of the present invention.
Detailed Description
The present invention will be described in further detail with reference to the accompanying drawings and examples. It is to be understood that the specific embodiments described herein are merely illustrative of the invention and are not limiting of the invention. It should be further noted that, for the convenience of description, only some of the structures related to the present invention are shown in the drawings, not all of the structures.
Example one
Fig. 1 is a flowchart of a dynamic identity authentication method according to an embodiment of the present invention, where the embodiment is applicable to identity authentication of an acquired login behavior to determine whether to allow login according to an identity authentication result, and the method may be executed by a dynamic identity authentication device, and the device may be implemented in a software and/or hardware manner. The apparatus may be configured in a server. As shown in fig. 1, the method includes:
step S110, user agent information in the identity authentication request corresponding to the login behavior is obtained, trust scores and weight values corresponding to the user agent information are obtained, and the total score of the identity authentication request is calculated according to the trust scores and the corresponding weight values.
The login behavior may be a behavior generated by a user account logging in to an application on the access terminal. For example, the login behavior may be generated by user A logging in to account A of an application on an Android device. Through the access terminal the user sends an identity authentication request corresponding to the login behavior to the server in order to obtain login authority from the server; the identity authentication request is thus an application for login authority. For example, the authentication request may be an authentication-related hypertext transfer protocol (HTTP) request.
The user agent information is determined from the login information and the application attribute information. The login information is information related to the login behavior and may include, for example, the user account information and the access terminal information of the login behavior. The access terminal information may include the terminal Internet Protocol (IP) address, the terminal type, and the like. The terminal IP address is the IP address of the access terminal. The terminal type is the device type of the access terminal, for example a computer, an Android phone or an Apple phone. The application attribute information is attribute information of the application requesting login and may include, for example, the security level of the application. The security level of an application may be set according to whether the application handles fund transactions, with a higher security level for applications that do; it may also be set according to whether the application handles personal privacy information, again with a higher security level for applications that do, and so on.
The user agent information may be used to determine pertinent factor information for login behavior. For example, the user agent information may include login information and application attribute information, or the user agent information may further include user account information, access terminal information, and application attribute information.
The trust scores and weight values corresponding to the user agent information are the trust score and weight value of each dimension of the user agent information. The trust scores can be initialised from experience; each time a login behavior is obtained, the trust score of every dimension is adjusted dynamically according to the authentication result, and the adjusted scores are stored separately so that the next login behavior starts from the adjusted trust score of each dimension. For example, if the user agent information includes at least the access terminal type, the initial trust score of each terminal type may be set according to the security factor of that terminal. Devices with an extremely high security factor may start at 99, while devices determined by analysis or known in advance to be cracked, such as in-vehicle systems or entertainment systems, may start at a lower score such as 30 or 40. The weight value of each dimension can likewise be initialised from experience and adapted according to the login pattern observed for that dimension. For example, the weight values of the login information and the application attribute information may be initialised to 0.25; if after some time a given application is found to be accessed only through its own application program (APP) and never through a browser, the weight of the application attribute information can be gradually reduced to 0.
Specifically, an identity authentication request corresponding to a login behavior is obtained, user agent information in the identity authentication request is obtained, corresponding trust scores and weight values are obtained according to information of all dimensions in the user agent information, and a weighted sum is calculated for each trust score and corresponding weight value to obtain a total score of the identity authentication request.
Illustratively, the user account information, terminal IP address, terminal type and application attribute information are taken from the identity authentication request corresponding to the login behavior. If any one of these is being seen for the first time, the trust score of that target dimension is set to a preset initial trust score and its weight to a preset initial weight value. If none of the user account information, terminal IP address, terminal type and application attribute information is new, the corresponding trust scores and weight values are read directly from the server. The total score of the identity authentication request is then calculated from the trust scores and their corresponding weight values.
Step S120, determining whether the total score is lower than the trust threshold, if so, performing step S130, otherwise, performing step S160.
The trust threshold may be preset to a fixed value or determined according to the security level of each dimension in the user agent information and a preset threshold corresponding to each security level, and is used to determine whether the identity authentication result of the login behavior is successful.
Step S130, triggering the authentication mode corresponding to the score segment to which the total score belongs.
Specifically, if the calculated total score is lower than the trust threshold, the score segment to which the total score belongs is determined, the authentication mode for that segment is looked up in the preset mapping between score segments and authentication modes, and that authentication mode is triggered. Each authentication mode can expose its own interfaces and services and be triggered independently of the others.
The authentication mode is the check used to authenticate the login behavior, for example password authentication, SMS verification code authentication, identification number authentication, fingerprint authentication or face recognition authentication. Each score segment maps to an authentication mode; for example, a total score greater than or equal to 50 and less than 60 may map to password authentication, a score greater than or equal to 40 and less than 50 to SMS verification code authentication, and a score greater than or equal to 30 and less than 40 to face recognition authentication.
Step S140, obtaining an authentication result corresponding to the authentication mode, respectively updating trust scores of all dimensions in the user agent information according to the authentication result and a preset score adjusting model, and recalculating the total score of the identity authentication request according to each adjusted trust score and a corresponding weight value.
The score adjustment model is used for indicating configuration information for adjusting the trust scores of all dimensions in the user agent information according to the authentication result.
For example, if the user agent information includes the user account information, terminal IP address, terminal type and application attribute information, the authentication matrix of the score adjustment model may be: when an identity authentication request for a login behavior is received, the current identity authentication result is calculated on the basis of the authentication matrix, the trust score of each dimension is adjusted according to that result and the trust-score configuration in the score adjustment model, and the trust scores in the authentication matrix, together with the counts of login attempts and successes, are updated iteratively from each authentication result until a final identity authentication result is obtained.
Taking the terminal IP address as an example, the initial trust score of the terminal IP address may be set to 58. For the authentication mode of password authentication, the configuration information in the score adjustment model may be the trust score plus 5 if the authentication is successful and the trust score minus 1 if the authentication is failed. For the authentication mode of short message verification code authentication, the configuration information in the score adjustment model can be the trust score plus 10 if the authentication is successful and the trust score minus 2 if the authentication is failed. For the authentication mode of face recognition authentication, the configuration information in the score adjustment model may be the trust score plus 20 if authentication is successful and the trust score minus 4 if authentication is failed. Other dimensions in the user agent information may similarly configure corresponding score adjustment models. And if the authentication result corresponding to the password authentication is successful, adding 5 to the trust score corresponding to the terminal IP address in the user agent information, and respectively updating the trust scores corresponding to other dimensions according to a preset score adjustment model. And then, recalculating the total score of the identity authentication request according to each adjusted trust score and the corresponding weight value.
And S150, determining the identity authentication result of the login behavior according to the comparison result of the recalculated total score and the trust threshold and the authentication result.
Specifically, it is judged whether the recalculated total score is lower than the trust threshold, and the identity authentication result of the login behavior is determined from that comparison together with the authentication result. If the recalculated total score is not lower than the trust threshold, the identity authentication result is directly determined to be success. If the result still cannot be determined from the comparison and the authentication result, further authentication modes are triggered and the trust scores of the dimensions of the user agent information are adjusted again. For example, if the authentication succeeded but the recalculated total score is still below the trust threshold, a higher-level authentication mode may be triggered according to the ranking of the authentication modes. If the authentication failed, the authentication mode corresponding to the recalculated total score is triggered again, and once the number of authentication failures exceeds a set threshold the identity authentication result of the login behavior is directly determined to be failure.
Step S160, it is determined that the identity authentication result of the login behavior is that the identity authentication is successful.
Specifically, if the total score is higher than or equal to the trust threshold, it is determined that the identity authentication result of the login behavior is identity authentication success.
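A worked implementation of steps S110 to S160, added here as an illustration; it is not code from the patent. The dimension names, the 0.25 weights, the initial terminal-IP score of 58, the trust threshold of 60, the score segments and the per-mode score adjustments are taken from the description above. The data structures, the `verify` callback, the clamping of trust scores to the range 0 to 100, the failure limit of 3, the use of one adjustment matrix for every dimension, and the choice to fail closed when the strongest mode has been passed but the total is still below the threshold are assumptions made for this example.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

TRUST_THRESHOLD = 60.0
MAX_FAILURES = 3  # assumed; the description only says "a set number threshold"

# Score segment [lo, hi) -> authentication mode (step S130 example values).
SEGMENTS: List[Tuple[float, float, str]] = [
    (50, 60, "password"),
    (40, 50, "sms"),
    (30, 40, "face"),
]
# Weakest to strongest; used to escalate after a passed check that still
# leaves the total below the threshold (step S150).
MODE_RANK = ["password", "sms", "face"]

# Score adjustment model: mode -> (delta on success, delta on failure).
# The description gives these numbers for the terminal IP dimension and says
# other dimensions are configured similarly; applying one matrix to every
# dimension is an assumption made here.
ADJUST: Dict[str, Tuple[int, int]] = {
    "password": (5, -1),
    "sms": (10, -2),
    "face": (20, -4),
}


@dataclass
class Dimension:
    """One dimension of the user agent information (account, IP, terminal, app)."""
    name: str
    trust: float   # current trust score, persisted between logins
    weight: float  # weights are expected to sum to 1


def total_score(dims: List[Dimension]) -> float:
    """Weighted sum of the per-dimension trust scores (step S110)."""
    return sum(d.trust * d.weight for d in dims)


def mode_for(total: float) -> Optional[str]:
    """Map a total below the threshold to the authentication mode of its segment."""
    for lo, hi, mode in SEGMENTS:
        if lo <= total < hi:
            return mode
    return None  # below every segment: no step-up is offered


def apply_adjustment(dims: List[Dimension], mode: str, passed: bool) -> None:
    """Update every dimension's trust score from the authentication result (step S140)."""
    delta = ADJUST[mode][0 if passed else 1]
    for d in dims:
        d.trust = max(0.0, min(100.0, d.trust + delta))  # clamp is an assumption


def authenticate(dims: List[Dimension], verify: Callable[[str], bool]):
    """Run the dynamic authentication loop; returns (result, trace).

    verify(mode) performs the real check (password, SMS code, face) and returns
    True on success. trace lists (mode, passed, total after adjustment).
    """
    trace: List[Tuple[str, bool, float]] = []
    failures = 0
    total = total_score(dims)
    if total >= TRUST_THRESHOLD:
        return "success", trace           # step S160: no step-up needed
    mode = mode_for(total)
    while mode is not None:
        passed = verify(mode)
        apply_adjustment(dims, mode, passed)
        total = total_score(dims)
        trace.append((mode, passed, total))
        if total >= TRUST_THRESHOLD:
            return "success", trace       # recalculated total clears the bar
        if passed:
            # Passed but still below threshold: escalate to the next stronger mode;
            # fail closed once the strongest mode is exhausted (assumption).
            idx = MODE_RANK.index(mode)
            mode = MODE_RANK[idx + 1] if idx + 1 < len(MODE_RANK) else None
        else:
            failures += 1
            if failures >= MAX_FAILURES:
                return "failure", trace
            mode = mode_for(total)        # re-map from the lowered total
    return "failure", trace


def demo_dims() -> List[Dimension]:
    """Constructed sample: four dimensions, 0.25 weight each, IP starts at 58."""
    return [
        Dimension("account", 60, 0.25),
        Dimension("terminal_ip", 58, 0.25),
        Dimension("terminal_type", 55, 0.25),
        Dimension("app_attr", 55, 0.25),
    ]


if __name__ == "__main__":
    dims = demo_dims()
    print("initial total:", total_score(dims))       # 57.0 -> password segment
    print(authenticate(dims, lambda mode: True))      # ('success', [('password', True, 62.0)])
```

With the sample scores the initial total is 57.0, which falls in the password segment; one successful password check adds 5 to every dimension and lifts the total to 62.0, so the login succeeds. Three consecutive password failures lower the total to 56.0, 55.0 and 54.0 and hit the failure limit. A request starting at 45.0 in every dimension is mapped to the SMS check first and, on success, is still at 55.0, so it escalates to face recognition before clearing the threshold at 75.0.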
The method comprises the steps of obtaining user agent information in an identity authentication request corresponding to a login behavior, obtaining trust scores and weight values corresponding to the user agent information, calculating total scores of the identity authentication request according to the trust scores and the corresponding weight values, triggering an authentication mode corresponding to a score section to which the total scores belong if the total scores are lower than a trust threshold, respectively updating the trust scores of all dimensions in the user agent information according to an authentication result and a preset score adjustment model, recalculating the total scores of the identity authentication request according to the adjusted trust scores and the corresponding weight values, and determining the identity authentication result of the login behavior according to a comparison result of the recalculated total scores and the trust threshold and the authentication result. According to the embodiment of the invention, the trust scores corresponding to all dimensions in the user agent information are dynamically adjusted in the identity authentication process of the login behavior, so that the login behavior is dynamically authenticated under the condition of not reducing the use convenience of the user, the risk of the user account being stolen is reduced, and the security of the identity authentication is improved.
Example two
Fig. 2 is a flowchart of another dynamic identity authentication method provided in the second embodiment of the present invention, and this embodiment is optimized on the basis of the foregoing embodiment, as shown in fig. 2, the method includes:
step S201, obtaining user agent information in the identity authentication request corresponding to the login behavior, obtaining trust scores and weight values corresponding to the user agent information, and calculating a total score of the identity authentication request according to each trust score and corresponding weight value.
Wherein the user agent information is determined based on the login information and the application attribute information.
Step S202, determining whether the total score is lower than the trust threshold; if it is not, performing step S203, otherwise performing step S204.
Step S203, determining that the identity authentication result of the login behavior is that the identity authentication is successful.
Step S204, determining the security level of the application according to the application attribute information in the user agent information, determining the scoring standard corresponding to the application according to the security level, and determining the corresponding trust threshold value and the corresponding relation between the scoring segment and the authentication mode based on the scoring standard.
Illustratively, the trust threshold for common applications is preset to 60. The trust threshold for applications predefined as highly sensitive is higher than for common applications; for example, an application at financial security level may have a trust threshold of 80. The trust threshold for applications predefined as ultra-high level is higher still; for example, a security application that handles sensitive information or sensitive documents may have a trust threshold of 90. The corresponding score segments and the mapping between score segments and authentication modes are preset at the same time.
Alternatively, determining the security level of the application according to the application attribute information in the user agent information, and determining the scoring criteria corresponding to the application according to the security level may include:
and determining the security level of the terminal IP address according to the terminal IP address in the user agent information and a preset IP address blacklist, and determining a corresponding scoring standard according to the security level of the terminal IP address.
Specifically, the terminal IP address in the user agent information is looked up in the preset IP address blacklist to determine its security level, and the corresponding scoring standard is determined from that level. For example, if the terminal IP address is on the blacklist and has been assigned a risk level because accounts logging in from it have been stolen many times in the past, the scoring standard can be determined from that risk level.
Alternatively, determining the security level of the application according to the application attribute information in the user agent information, and determining the scoring criteria corresponding to the application according to the security level may include:
judging from the terminal information in the user agent information whether the access terminal has been cracked (for example rooted or jailbroken), determining the security level of the access terminal from that judgment, and determining the corresponding scoring standard from the security level.
Specifically, the terminal information in the user agent information is checked for a cracking attribute. If one is present, the access terminal is determined to be cracked and the security level for cracked terminals is applied; if not, the access terminal is determined to be intact and the security level for non-cracked terminals is applied. The corresponding scoring standard is then determined from the security level.
Step S205, triggering the authentication mode corresponding to the scoring segment to which the total score belongs.
Optionally, triggering the authentication mode corresponding to the scoring segment to which the total score belongs includes:
if the scoring segment to which the total score belongs is the first scoring segment, determining that the authentication mode corresponding to the first scoring segment is password authentication, and triggering password authentication;
if the scoring segment to which the total score belongs is the second scoring segment, determining that the authentication mode corresponding to the second scoring segment is short message verification code authentication, and triggering short message verification code authentication;
and if the scoring segment to which the total score belongs is the third scoring segment, determining that the authentication mode corresponding to the third scoring segment is face recognition authentication, and triggering face recognition authentication.
The first, second and third scoring segments may be non-overlapping or may overlap one another. For example, if the three scoring segments overlap and the total score falls where two or three of them overlap, two or three authentication modes are triggered accordingly.
Step S206, obtaining the authentication result corresponding to the authentication mode; if the authentication result is that authentication passed, step S207 is executed, and if the authentication result is that authentication failed, step S208 is executed.
Step S207, increasing the trust score of each dimension in the user agent information according to the first score adding rule in the preset score adjustment model. Execution continues with step S209.
The first score adding rule indicates the configuration information for increasing the trust score of each dimension in the user agent information when the authentication result is success.
Step S208, reducing the trust score of each dimension in the user agent information according to the first score subtracting rule in the preset score adjustment model. Execution continues with step S210.
The first score subtracting rule indicates the configuration information for reducing the trust score of each dimension in the user agent information when the authentication result is failure.
In this embodiment, after the identity authentication request is acquired and the calculated total score is found to be lower than the trust threshold, the trust score of each dimension in the user agent information is dynamically adjusted according to the first score adding rule and the first score subtracting rule, which simplifies the subsequent authentication process.
Optionally, before the trust score of each dimension in the user agent information is increased according to the first score adding rule in the preset score adjustment model, or reduced according to the first score subtracting rule in the preset score adjustment model, the method further includes:
if the trust scores of all dimensions in the user agent information are detected to have remained unchanged throughout a first preset period, adjusting the first score adding rule and the first score subtracting rule in the preset score adjustment model.
For example, taking the application attribute information in the user agent information, the first score adding rule corresponding to the application attribute information may add 6 points to the trust score when password authentication succeeds and 12 points when short message verification code authentication succeeds, and the first score subtracting rule corresponding to the application attribute information may subtract 2 points from the trust score when password authentication fails and 4 points when short message verification code authentication fails. If the trust scores of the application attribute information are detected to have remained unchanged for 3 months, each added score in the first score adding rule may be raised by 0.1 and each subtracted score in the first score subtracting rule may be lowered by 0.5. In that case, a user who always logs in with the APP but once logs in with a browser by mistake is not immediately pushed to a higher-level authentication mode by a few login failures. By dynamically adjusting the first score adding rule and the first score subtracting rule in this way, the embodiment can better predict the user's login behavior.
Step S209, recalculating the total score of the identity authentication request according to the increased trust scores and the corresponding weight values. Execution continues with step S211.
Step S210, recalculating the total score of the identity authentication request according to the reduced trust scores and the corresponding weight values. Execution continues with step S213.
Step S211, determining whether the recalculated total score is lower than the trust threshold; if it is, step S212 is executed, otherwise step S203 is executed.
Step S212, triggering a higher-level authentication mode based on the level sorting result of the authentication modes, and returning to step S206.
That is, if the authentication result is success but the recalculated total score is still lower than the trust threshold, a higher-level authentication mode is triggered based on the level sorting result of the authentication modes, and the process returns to the step of updating the trust score of each dimension in the user agent information according to the authentication result and the preset score adjustment model.
For example, if the user logs in from a different place or has just changed the access terminal, the authentication result obtained in step S206 may be that authentication passed while the recalculated total score is still lower than the trust threshold; a higher-level authentication mode is then triggered and the process returns to the step of updating the trust score of each dimension in the user agent information according to the authentication result and the preset score adjustment model.
Step S213, determining whether the number of authentication failures exceeds the set number threshold; if so, step S214 is executed, otherwise the process returns to step S205.
That is, when the authentication result is failure, the process returns to the step of triggering the authentication mode corresponding to the scoring segment to which the total score belongs.
Step S214, determining that the identity authentication result of the login behavior is identity authentication failure.
That is, if the number of authentication failures exceeds the set number threshold, the identity authentication result of the login behavior is determined to be identity authentication failure.
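The loop described in steps S205 to S214 (trigger the mode for the current scoring segment, adjust each dimension by the first score adding or subtracting rule, recalculate the weighted total, step up or retry, give up after too many failures) is shown below as an added example. It is not the patent's own code. The dimension names, weight values, scoring segment boundaries, trust threshold and the face-recognition rule values are assumptions; the +6/+12 and -2/-4 values for password and short message code come from the page's example for the application attribute dimension, and applying one rule to every dimension is a simplification of the per-dimension rules the page allows. The scores are purely a server-side model: the user agent fields they are derived from (application attributes, terminal information, the cracking attribute) are supplied by the client, so an implementer should treat them as attacker-controlled inputs and never let them alone grant access.

```python
"""Model of the step-up authentication loop in steps S205 to S214.

Added example, not the patent's own code.  Weights, segment boundaries,
threshold and face-recognition rule values are assumptions.
"""
from typing import Callable, Dict, List, Tuple

# Dimensions of the user agent information and their weight values (assumed).
WEIGHTS: Dict[str, float] = {"app_attr": 0.4, "terminal_ip": 0.3, "terminal": 0.3}

# Authentication modes in ascending level order (the level sorting result).
AUTH_MODES: List[str] = ["password", "sms_code", "face"]

# Scoring segments [lower, upper) -> authentication mode.  Assumed boundaries;
# a lower total score means less trust and therefore a stronger factor.
SCORE_SEGMENTS: List[Tuple[float, float, str]] = [
    (60.0, 80.0, "password"),
    (40.0, 60.0, "sms_code"),
    (0.0, 40.0, "face"),
]

# Preset score adjustment model: first score adding rule and first score
# subtracting rule, keyed by the mode that passed or failed.  Password/SMS
# values are the page's example; the face values are assumed.
ADD_RULE: Dict[str, int] = {"password": 6, "sms_code": 12, "face": 18}
SUBTRACT_RULE: Dict[str, int] = {"password": 2, "sms_code": 4, "face": 6}


def weighted_total(scores: Dict[str, int], weights: Dict[str, float] = WEIGHTS) -> float:
    """Total score of the request: trust score times weight, summed over dimensions."""
    return sum(scores[dim] * weights[dim] for dim in weights)


def modes_for_score(total: float, segments=SCORE_SEGMENTS) -> List[str]:
    """Every mode whose scoring segment contains the total; more than one
    when segments overlap, which the page permits."""
    modes = [mode for lower, upper, mode in segments if lower <= total < upper]
    if not modes:
        raise ValueError(f"no scoring segment covers total score {total}")
    return modes


def adjust(scores: Dict[str, int], delta: int) -> Dict[str, int]:
    """Apply one adding/subtracting rule to every dimension (floored at 0, assumed)."""
    return {dim: max(0, value + delta) for dim, value in scores.items()}


def relax_rules(add_rule: Dict[str, int], subtract_rule: Dict[str, int]):
    """Rule change when all trust scores stayed unchanged for the first preset
    period: every added score up by 0.1, every subtracted score down by 0.5."""
    return ({m: v + 0.1 for m, v in add_rule.items()},
            {m: v - 0.5 for m, v in subtract_rule.items()})


def authenticate(scores: Dict[str, int], threshold: float,
                 verify: Callable[[str], bool], max_failures: int = 3,
                 weights: Dict[str, float] = WEIGHTS):
    """Run the loop for one login request.

    verify(mode) performs the real factor check and returns True on pass.
    Returns (result, final_scores, log) where log lists (mode, passed) pairs.
    """
    scores = dict(scores)
    log: List[Tuple[str, bool]] = []
    total = weighted_total(scores, weights)
    if total >= threshold:
        # Not lower than the trust threshold: no extra factor (assumed outcome).
        return "success", scores, log
    failures = 0
    mode = modes_for_score(total)[0]          # segments above do not overlap
    while True:
        passed = verify(mode)                               # S206
        log.append((mode, passed))
        if passed:
            scores = adjust(scores, ADD_RULE[mode])         # S207
            total = weighted_total(scores, weights)         # S209
            if total >= threshold:                          # S211
                return "success", scores, log
            level = AUTH_MODES.index(mode) + 1              # S212: step up
            if level == len(AUTH_MODES):
                # Highest mode passed yet still below threshold: not covered
                # by the page; treated as success here (assumption).
                return "success", scores, log
            mode = AUTH_MODES[level]
        else:
            scores = adjust(scores, -SUBTRACT_RULE[mode])   # S208
            failures += 1
            if failures > max_failures:                     # S213 -> S214
                return "failure", scores, log
            total = weighted_total(scores, weights)         # S210
            mode = modes_for_score(total)[0]                # back to S205
```

With the assumed values, a request scoring 50 starts at the short message code; one pass lifts the total to 62, still under a threshold of 70, so face recognition is triggered, and a second pass lifts it to 80. Repeated failures keep the request in the same segment while the scores drain until the failure threshold is exceeded.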
Optionally, at a preset time, the number of successful logins and the number of login attempts corresponding to each dimension in the user agent information within a second preset period are obtained respectively;
and the adjusted trust score of the target dimension is calculated by the following formula:
where the ratio of the second value to the first value is equal to the preset accuracy.
For example, with 75% as the boundary, the trust score of the target dimension for the day is increased by 1 point for every 5% by which the accuracy exceeds the boundary, and the current trust score of the target dimension is reduced by 1 point for every 5% by which the accuracy falls below it.
Optionally, at a preset time, the number of successful logins and the number of login attempts corresponding to each dimension in the user agent information within a second preset period are obtained respectively;
the ratio of the number of successful logins to the number of login attempts is calculated for each dimension to obtain its login accuracy;
for a target dimension whose login accuracy is higher than the preset accuracy, the difference between the accuracy of the target dimension and the preset accuracy is calculated, and the trust score of the target dimension at the preset time is increased according to the second score adding rule corresponding to the accuracy difference segment to which the difference belongs;
for a target dimension whose login accuracy is lower than the preset accuracy, the difference between the accuracy of the target dimension and the preset accuracy is calculated, and the trust score of the target dimension at the preset time is reduced according to the second score subtracting rule corresponding to the accuracy difference segment to which the difference belongs;
and for a target dimension whose login accuracy equals the preset accuracy, the trust score of the target dimension at the preset time is kept unchanged.
For example, taking one day as the unit, the number of successful logins and the number of login attempts corresponding to each dimension in the user agent information for the day are obtained in the early morning of each day, the login accuracy of each dimension is calculated, and 75% is taken as the preset accuracy. For a target dimension whose accuracy is higher than 75%, the difference between its accuracy and 75% is calculated: if the difference is less than 5%, 1 point is added to the current trust score of the target dimension; if the difference is at least 5% and less than 10%, 2 points are added to the target dimension's trust score for the day; if it is at least 10% and less than 15%, 3 points; if it is at least 15% and less than 20%, 4 points; and if it is at least 20% and less than 25%, 5 points.
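The periodic adjustment above (per-dimension login accuracy against a 75% preset, one extra point per 5% band of difference) is shown below as an added example; it is not the patent's own code. The adding side follows the page's day example exactly. The page gives no values for the second score subtracting rule beyond the "1 point per 5%" statement, so the subtracting side is assumed to mirror the adding side, and a difference of exactly 25% (100% accuracy), which the page's list does not reach, is assumed to continue the same pattern. Exact fractions are used because a floating-point accuracy of 0.85 minus 0.75 does not equal 0.10 and would land in the wrong band.

```python
"""Daily trust score adjustment from per-dimension login accuracy.

Added example, not the patent's own code.  The subtracting rule mirrors the
adding rule (assumption); the page gives only the adding values.
"""
from fractions import Fraction
from typing import Dict, Tuple

PRESET_ACCURACY = Fraction(3, 4)   # 75%, the page's preset accuracy
BAND = Fraction(1, 20)             # 5% accuracy difference segment width


def login_accuracy(successes: int, attempts: int) -> Fraction:
    """Ratio of successful logins to login attempts for one dimension."""
    if attempts <= 0 or successes < 0 or successes > attempts:
        raise ValueError("need 0 <= successes <= attempts and attempts > 0")
    return Fraction(successes, attempts)


def accuracy_delta(accuracy: Fraction, preset: Fraction = PRESET_ACCURACY,
                   band: Fraction = BAND) -> int:
    """Score change from the accuracy difference segment.

    Equal to the preset: 0.  Otherwise one point per started 5% band of the
    absolute difference (under 5%: 1, 5% to under 10%: 2, and so on), added
    above the preset and subtracted below it (the latter assumed).
    """
    diff = accuracy - preset
    if diff == 0:
        return 0
    steps = int(abs(diff) // band) + 1   # exact: Fraction // Fraction is an int
    return steps if diff > 0 else -steps


def adjust_daily_scores(scores: Dict[str, int],
                        counts: Dict[str, Tuple[int, int]]) -> Dict[str, int]:
    """Apply the adjustment to every dimension.

    counts maps dimension -> (successful logins, login attempts) for the
    second preset period.  A dimension with no attempts has no defined
    accuracy on the page and is left unchanged here.
    """
    adjusted = dict(scores)
    for dim, (successes, attempts) in counts.items():
        if attempts == 0:
            continue
        adjusted[dim] = scores[dim] + accuracy_delta(login_accuracy(successes, attempts))
    return adjusted


if __name__ == "__main__":
    # Constructed sample counts for one day (not from the page).
    day_counts = {"app_attr": (17, 20), "terminal_ip": (14, 20), "terminal": (15, 20)}
    print(adjust_daily_scores({"app_attr": 50, "terminal_ip": 60, "terminal": 40}, day_counts))
```

In the constructed sample, 17/20 is 85% (a 10% difference, so +3), 14/20 is 70% (a 5% shortfall, so -2 under the mirrored rule), and 15/20 sits exactly on the preset and is left alone.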
In this embodiment, the successful login events and login attempt events of each dimension in the user agent information are audited and the trust score of each dimension is continuously adjusted, so that user behavior and the future load on the system can be better predicted and security risk is reduced.
In this embodiment of the invention, when an access terminal sends an identity authentication request, the corresponding authentication mode is triggered according to the trust score of the current access terminal; after that authentication passes, the total score of the identity authentication request is recalculated according to the adjusted trust scores and the corresponding weight values and compared with the trust threshold again, and the comparison result decides whether a higher-level authentication process is triggered. The trust score of each dimension in the user agent information is thus adjusted dynamically during identity authentication, which addresses the problem in the prior art that a user's identity cannot be authenticated safely in a complex environment: the login behavior is authenticated dynamically using multi-dimensional information, and the security of identity authentication is improved.
Example three
Fig. 3 is a schematic structural diagram of a dynamic identity authentication apparatus according to a third embodiment of the present invention. The apparatus can be implemented in software and/or hardware, is generally integrated in a server, and performs dynamic identity authentication of login behavior by executing the dynamic identity authentication method, thereby improving the security of identity authentication. As shown in fig. 3, the apparatus includes:
a score calculating module 310, configured to obtain the user agent information in the identity authentication request corresponding to a login behavior, obtain the trust scores and weight values corresponding to the user agent information, and calculate the total score of the identity authentication request according to each trust score and its corresponding weight value, where the user agent information is determined based on login information and application attribute information;
an authentication triggering module 320, configured to trigger the authentication mode corresponding to the scoring segment to which the total score belongs if the total score is lower than the trust threshold;
a score adjusting module 330, configured to obtain the authentication result corresponding to the authentication mode, update the trust score of each dimension in the user agent information according to the authentication result and a preset score adjustment model, and recalculate the total score of the identity authentication request according to each adjusted trust score and its corresponding weight value, where the score adjustment model indicates the configuration information for adjusting the trust score of each dimension in the user agent information according to the authentication result;
and a result determining module 340, configured to determine the identity authentication result of the login behavior according to the authentication result and the comparison between the recalculated total score and the trust threshold.
Optionally, the result determining module 340 is specifically configured to:
if the authentication result is successful, if the recalculated total score is not lower than the trust threshold, determining that the identity authentication result of the login behavior is successful;
if the authentication result is successful, if the recalculated total score is lower than the trust threshold, triggering a higher-level authentication mode based on the level sorting result of the authentication modes, and returning to execute the step of updating the trust scores of all dimensions in the user agent information respectively according to the authentication result and a preset score adjustment model;
returning to the step of executing the authentication mode corresponding to the score segment to which the total score belongs when the authentication result is authentication failure;
and if the authentication failure times exceed a set time threshold, determining that the identity authentication result of the login behavior is identity authentication failure.
Optionally, the authentication triggering module 320 is specifically configured to:
if the scoring segment to which the total score belongs is a first scoring segment, determining that the authentication mode corresponding to the first scoring segment is password authentication, and triggering the password authentication;
if the scoring segment to which the total score belongs is a second scoring segment, determining that the authentication mode corresponding to the second scoring segment is short message verification code authentication, and triggering the short message verification code authentication;
and if the scoring segment to which the total score belongs is a third scoring segment, determining that the authentication mode corresponding to the third scoring segment is face recognition authentication, and triggering the face recognition authentication.
Optionally, the score adjusting module 330 is specifically configured to:
if the authentication result is that the authentication is passed, respectively increasing the trust scores of all dimensions in the user agent information according to a first score adding rule in a preset score adjusting model;
and if the authentication result is authentication failure, respectively reducing the trust scores of all dimensions in the user agent information according to a first reduction rule in a preset score adjustment model.
Optionally, the score adjusting module 330 is further specifically configured to:
before respectively increasing the trust scores of all dimensions in the user agent information according to a first score adding rule in a preset score adjusting model and respectively reducing the trust scores of all dimensions in the user agent information according to a first score reducing rule in the preset score adjusting model, if the trust scores of all dimensions in the user agent information are detected to be kept unchanged in a first preset period, adjusting the first score adding rule and a first score reducing rule in the preset score adjusting model.
Optionally, the apparatus further comprises:
a security level determining module, configured to determine, before the authentication mode corresponding to the scoring segment to which the total score belongs is triggered when the total score is lower than the trust threshold, the security level of the application according to the application attribute information in the user agent information, determine the scoring standard corresponding to the application according to the security level, and determine the corresponding trust threshold and the correspondence between scoring segments and authentication modes based on the scoring standard.
Optionally, the apparatus further comprises:
a login count acquisition module, configured to obtain, at a preset time, the number of successful logins and the number of login attempts corresponding to each dimension in the user agent information within a second preset period;
and an adjusted score calculating module, configured to calculate the adjusted trust score of the target dimension by the following formula:
where f(target dimension) denotes the adjusted trust score of the target dimension, and the ratio of the second value to the first value is equal to the preset accuracy.
The dynamic identity authentication apparatus provided by this embodiment of the invention can execute the dynamic identity authentication method provided by any embodiment of the invention, and has the functional modules and beneficial effects corresponding to that method.
Example four
Fig. 4 is a schematic structural diagram of a server according to a fourth embodiment of the present invention, as shown in fig. 4, the server includes a processor 400, a memory 410, an input device 420, and an output device 430; the number of the processors 400 in the server may be one or more, and one processor 400 is taken as an example in fig. 4; the processor 400, the memory 410, the input device 420 and the output device 430 in the server may be connected by a bus or other means, and fig. 4 illustrates the connection by a bus as an example.
The memory 410 is a computer-readable storage medium, and can be used for storing software programs, computer-executable programs, and modules, such as program instructions and/or modules corresponding to the dynamic authentication method in the embodiment of the present invention (for example, the score calculating module 310, the authentication triggering module 320, the score adjusting module 330, and the result determining module 340 in the dynamic authentication device). The processor 400 executes various functional applications of the server and data processing by executing software programs, instructions and modules stored in the memory 410, so as to implement the above-mentioned dynamic authentication method.
The memory 410 may mainly include a storage program area and a storage data area, wherein the storage program area may store an operating system, an application program required for at least one function; the storage data area may store data created according to the use of the terminal, and the like. Further, the memory 410 may include high speed random access memory, and may also include non-volatile memory, such as at least one magnetic disk storage device, flash memory device, or other non-volatile solid state storage device. In some examples, memory 410 may further include memory located remotely from processor 400, which may be connected to a server over a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof.
The input device 420 may be used to receive input numeric or character information and generate key signal inputs related to user settings and function control of the server. The output device 430 may include a display device such as a display screen.
Example five
An embodiment of the present invention further provides a storage medium containing computer-executable instructions which, when executed by a computer processor, perform a dynamic identity authentication method including:
acquiring user agent information in an identity authentication request corresponding to a login behavior, acquiring trust scores and weight values corresponding to the user agent information, and calculating a total score of the identity authentication request according to each trust score and corresponding weight value, wherein the user agent information is determined based on login information and application attribute information;
if the total score is lower than the trust threshold, triggering an authentication mode corresponding to the score section to which the total score belongs;
obtaining an authentication result corresponding to the authentication mode, respectively updating trust scores of all dimensions in the user agent information according to the authentication result and a preset score adjustment model, and recalculating the total score of the identity authentication request according to each adjusted trust score and a corresponding weight value, wherein the score adjustment model is used for indicating configuration information for adjusting the trust scores of all dimensions in the user agent information according to the authentication result;
and determining the identity authentication result of the login behavior according to the comparison result of the recalculated total score and the trust threshold and the authentication result.
Of course, the storage medium containing the computer-executable instructions provided by the embodiments of the present invention is not limited to the method operations described above, and may also perform related operations in the dynamic identity authentication method provided by any embodiment of the present invention.
From the above description of the embodiments, it is obvious for those skilled in the art that the present invention can be implemented by software and necessary general hardware, and certainly, can also be implemented by hardware, but the former is a better embodiment in many cases. Based on such understanding, the technical solutions of the present invention may be embodied in the form of a software product, which can be stored in a computer-readable storage medium, such as a floppy disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a FLASH Memory (FLASH), a hard disk or an optical disk of a computer, and includes several instructions for enabling a computer device (which may be a personal computer, a server, or a network device) to execute the methods according to the embodiments of the present invention.
It should be noted that, in the embodiment of the dynamic identity authentication apparatus, the included units and modules are only divided according to functional logic, but are not limited to the above division, as long as the corresponding functions can be implemented; in addition, specific names of the functional units are only for convenience of distinguishing from each other, and are not used for limiting the protection scope of the present invention.
It is to be noted that the foregoing is only illustrative of the preferred embodiments of the present invention and the technical principles employed. It will be understood by those skilled in the art that the present invention is not limited to the particular embodiments described herein, but is capable of various obvious changes, rearrangements and substitutions as will now become apparent to those skilled in the art without departing from the scope of the invention. Therefore, although the present invention has been described in greater detail by the above embodiments, the present invention is not limited to the above embodiments, and may include other equivalent embodiments without departing from the spirit of the present invention, and the scope of the present invention is determined by the scope of the appended claims.
Claims (10)
1. A dynamic identity authentication method, comprising:
acquiring user agent information in an identity authentication request corresponding to a login behavior, acquiring trust scores and weight values corresponding to the user agent information, and calculating a total score of the identity authentication request according to each trust score and corresponding weight value, wherein the user agent information is determined based on login information and application attribute information;
if the total score is lower than the trust threshold, triggering an authentication mode corresponding to the score section to which the total score belongs;
obtaining an authentication result corresponding to the authentication mode, respectively updating trust scores of all dimensions in the user agent information according to the authentication result and a preset score adjustment model, and recalculating the total score of the identity authentication request according to each adjusted trust score and a corresponding weight value, wherein the score adjustment model is used for indicating configuration information for adjusting the trust scores of all dimensions in the user agent information according to the authentication result;
and determining the identity authentication result of the login behavior according to the comparison result of the recalculated total score and the trust threshold and the authentication result.
2. The method of claim 1, wherein determining the identity authentication result of the login behavior based on the comparison of the recalculated total score to the trust threshold and the authentication result comprises:
if the authentication result is successful, if the recalculated total score is not lower than the trust threshold, determining that the identity authentication result of the login behavior is successful;
if the authentication result is successful, if the recalculated total score is lower than the trust threshold, triggering a higher-level authentication mode based on the level sorting result of the authentication modes, and returning to execute the step of updating the trust scores of all dimensions in the user agent information respectively according to the authentication result and a preset score adjustment model;
returning to the step of executing the authentication mode corresponding to the score segment to which the total score belongs when the authentication result is authentication failure;
and if the authentication failure times exceed a set time threshold, determining that the identity authentication result of the login behavior is identity authentication failure.
3. The method according to claim 1, wherein the triggering of the authentication mode corresponding to the score segment to which the total score belongs comprises:
if the scoring segment to which the total score belongs is a first scoring segment, determining that the authentication mode corresponding to the first scoring segment is password authentication, and triggering the password authentication;
if the scoring segment to which the total score belongs is a second scoring segment, determining that the authentication mode corresponding to the second scoring segment is short message verification code authentication, and triggering the short message verification code authentication;
and if the scoring segment to which the total score belongs is a third scoring segment, determining that the authentication mode corresponding to the third scoring segment is face recognition authentication, and triggering the face recognition authentication.
4. The method according to claim 1, wherein the updating the trust scores of the user agent information in each dimension according to the authentication result and a preset score adjustment model comprises:
if the authentication result is that the authentication is passed, respectively increasing the trust scores of all dimensions in the user agent information according to a first score adding rule in a preset score adjusting model;
and if the authentication result is authentication failure, respectively reducing the trust scores of all dimensions in the user agent information according to a first reduction rule in a preset score adjustment model.
5. The method of claim 4, further comprising, before the first score adding rule in the preset score adjustment model respectively increases the trust scores of the dimensions in the user agent information, and the first score subtracting rule in the preset score adjustment model respectively decreases the trust scores of the dimensions in the user agent information:
and if the trust scores of all dimensions in the user agent information are detected to be kept unchanged in a first preset period, adjusting the first score adding rule and the first score subtracting rule in the preset score adjusting model.
6. The method according to claim 1, wherein before triggering the authentication method corresponding to the score segment to which the total score belongs if the total score is lower than the trust threshold, the method further comprises:
determining the security level of the application according to the application attribute information in the user agent information, determining a scoring standard corresponding to the application according to the security level, and determining a corresponding trust threshold value and a corresponding relation between a scoring segment and an authentication mode based on the scoring standard.
7. The method of claim 1, further comprising:
obtaining, at a preset time, the number of successful logins and the number of login attempts corresponding to each dimension in the user agent information within a second preset period respectively;
calculating the adjusted trust score of the target dimension by the following formula:
where f(target dimension) denotes the adjusted trust score of the target dimension, and the ratio of the second value to the first value is equal to the preset accuracy.
8. A dynamic authentication apparatus, comprising:
the score calculation module is used for acquiring user agent information in the identity authentication request corresponding to the login behavior, acquiring trust scores and weight values corresponding to the user agent information, and calculating the total score of the identity authentication request according to the trust scores and the corresponding weight values, wherein the user agent information is determined based on the login information and the application attribute information;
the authentication triggering module is used for triggering an authentication mode corresponding to the score section to which the total score belongs if the total score is lower than a trust threshold;
the score adjusting module is used for acquiring an authentication result corresponding to the authentication mode, respectively updating trust scores of all dimensions in the user agent information according to the authentication result and a preset score adjusting model, and recalculating the total score of the identity authentication request according to each adjusted trust score and a corresponding weight value, wherein the score adjusting model is used for indicating configuration information for adjusting the trust scores of all dimensions in the user agent information according to the authentication result;
and the result determining module is used for determining the identity authentication result of the login behavior according to the comparison result of the recalculated total score and the trust threshold and the authentication result.
9. A server, characterized in that the server comprises:
one or more processors;
a memory for storing one or more programs which, when executed by the one or more processors, cause the one or more processors to implement the dynamic identity authentication method of any one of claims 1-7.
10. A storage medium containing computer-executable instructions for performing the dynamic authentication method of any one of claims 1-7 when executed by a computer processor.
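As an added worked example (not code from the patent), the scoring flow of claims 1 and 8 in Python: a weighted total over the user agent dimensions, a step-up authentication mode selected by the score segment when the total is below the trust threshold, and a re-scoring with the score adjustment model after the step-up result. The dimension names, weights, threshold, segments and adjustment deltas are assumed values; the patent specifies none, and the periodic formula of claim 7 is not reproduced because the page does not carry it.

```python
# Added example, not the patent's own code. Dimension names, weights,
# threshold, score segments and the adjustment model are constructed
# assumptions; the claims define the structure, not the values.

WEIGHTS = {"ip": 30, "device": 40, "app": 30}  # percent, sums to 100
TRUST_THRESHOLD = 70
# (low, high, mode): score segment -> authentication mode to trigger
SEGMENTS = [(0, 40, "otp_and_face"), (40, 70, "otp")]
# Score adjustment model: per-dimension delta for a passed / failed check
ADJUST_MODEL = {
    True: {"ip": 20, "device": 15, "app": 10},
    False: {"ip": -30, "device": -30, "app": -20},
}


def total_score(scores, weights=WEIGHTS):
    """Weighted sum of the per-dimension trust scores (each 0..100)."""
    return sum(scores[d] * weights[d] for d in weights) / 100


def auth_mode_for(total, segments=SEGMENTS):
    """Authentication mode for the score segment the total falls in."""
    for low, high, mode in segments:
        if low <= total < high:
            return mode
    return None


def adjust_scores(scores, passed, model=ADJUST_MODEL):
    """Apply the adjustment model to every dimension, clamped to 0..100."""
    return {d: max(0, min(100, v + model[passed][d])) for d, v in scores.items()}


def authenticate(scores, step_up):
    """Decide a login request. step_up(mode) -> bool is the outcome of the
    triggered authentication mode (e.g. an OTP check); assumed callback."""
    total = total_score(scores)
    if total >= TRUST_THRESHOLD:
        return {"decision": "accept", "mode": None, "scores": scores}
    mode = auth_mode_for(total)
    passed = bool(step_up(mode))
    new_scores = adjust_scores(scores, passed)
    # Both the recalculated total and the step-up result decide the outcome:
    # a passed check that still leaves the total below threshold is rejected.
    ok = passed and total_score(new_scores) >= TRUST_THRESHOLD
    return {"decision": "accept" if ok else "reject",
            "mode": mode, "scores": new_scores}
```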
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202011471797.5A CN112653679B (en) | 2020-12-14 | 2020-12-14 | Dynamic identity authentication method, device, server and storage medium |
Publications (2)
Publication Number | Publication Date |
---|---|
CN112653679A true CN112653679A (en) | 2021-04-13 |
CN112653679B CN112653679B (en) | 2022-11-15 |
Family
ID=75353887
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202011471797.5A Active CN112653679B (en) | 2020-12-14 | 2020-12-14 | Dynamic identity authentication method, device, server and storage medium |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN112653679B (en) |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20150089568A1 (en) * | 2013-09-26 | 2015-03-26 | Wave Systems Corp. | Device identification scoring |
US20160063229A1 (en) * | 2014-09-02 | 2016-03-03 | Securemetric Technology Sdn Bhd | Hybrid adaptive authentication scoring system |
CN108076018A (en) * | 2016-11-16 | 2018-05-25 | 阿里巴巴集团控股有限公司 | Identity authorization system, method, apparatus and account authentication method |
CN110120928A (en) * | 2018-02-05 | 2019-08-13 | 北京智明星通科技股份有限公司 | A kind of identity authentication method, device, server and computer-readable medium |
CN111901347A (en) * | 2020-07-29 | 2020-11-06 | 南方电网科学研究院有限责任公司 | Dynamic identity authentication method and device under zero trust |
Cited By (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN113779521A (en) * | 2021-09-09 | 2021-12-10 | 北京安天网络安全技术有限公司 | Identity authentication method and device, storage medium and electronic equipment |
CN113779521B (en) * | 2021-09-09 | 2024-05-24 | 北京安天网络安全技术有限公司 | Identity authentication method and device, storage medium and electronic equipment |
CN113824732A (en) * | 2021-10-13 | 2021-12-21 | 成都安恒信息技术有限公司 | Zero trust-based multi-factor authentication method |
CN115865606A (en) * | 2022-12-06 | 2023-03-28 | 国网天津市电力公司 | Distributed network construction method under zero trust |
Also Published As
Publication number | Publication date |
---|---|
CN112653679B (en) | 2022-11-15 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| GR01 | Patent grant | |