CN112699354A - User authority management method and terminal equipment - Google Patents

Info

Publication number: CN112699354A
Application number: CN201911008589.9A
Authority: CN (China)
Legal status: Pending (as listed by Google Patents; the status is an assumption and not a legal conclusion)
Other languages: Chinese (zh)
Inventors: 林峰, 王季, 王冉
Current Assignee: Huawei Technologies Co Ltd (as listed by Google Patents; the list may be inaccurate)
Original Assignee: Huawei Technologies Co Ltd
Application filed by: Huawei Technologies Co Ltd
Priority: CN201911008589.9A
Prior art keywords: user; identity authentication; target application; information; application program

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31 User authentication
    • G06F21/32 User authentication using biometric data, e.g. fingerprints, iris scans or voiceprints
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/45 Structures or tools for the administration of authentication

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Telephone Function (AREA)

Abstract

Embodiments of the present application provide a user authority management method and a terminal device. The method includes: acquiring identity information of the user currently holding the terminal device and performing identity authentication on that user, where the terminal device or a target application has already undergone identity authentication at least once and is in a running state after that authentication passed; and feeding back information to the user according to the authentication results of one or more identity authentications, so that the user accesses the terminal device or the target application within the range the permissions allow. Embodiments of the present application can improve the security of the terminal device.

Description

User authority management method and terminal equipment
Technical Field
The present application relates to the field of computer technologies, and in particular, to a user right management method and a terminal device.
Background
With the rapid development of electronic technology, terminal devices (such as mobile phones and computers) serve as the carriers through which people use mobile services and store personal information, and their usage and adoption keep rising. As more and more personal information is stored on terminal devices, and as rich communication and data exchange functions open channels for information leakage and virus propagation, the security problems that terminal devices face are becoming increasingly prominent. At present, the common way to address terminal device security is security authentication, which generally follows an access-control-type management strategy: once a single security authentication passes, whoever operates the terminal device can continue to use it for a long time. If the owner passes security authentication and then hands the terminal device to another person, a security problem is likely to arise as soon as the device is out of the owner's sight. For example, children may use the terminal device to enjoy live-stream broadcasts, purchase gaming equipment, or view chat logs, personal photo albums, and the like. How to perform security authentication on a terminal device so as to effectively improve its security is a technical problem to be solved by those skilled in the art.
Disclosure of Invention
Embodiments of the present application disclose a user authority management method and a terminal device that can improve the security of the terminal device.
In a first aspect, an embodiment of the present application provides a user authority management method. The method includes: acquiring identity information of the user currently holding the terminal device and performing identity authentication on that user, where the terminal device or a target application has already undergone identity authentication at least once and is in a running state after that authentication passed; and feeding back information to the user according to the authentication results of one or more identity authentications, so that the user accesses the terminal device or the target application within the range the permissions allow.
In this method, after the terminal device or the target application has undergone identity authentication and the authentication has passed, identity authentication continues to be performed on the user operating the terminal device or the target application, and information is fed back to the user according to the one or more authentication results obtained in this way, so that the user accesses the terminal device or the target application within the range the permissions allow. This continuous identity authentication keeps the terminal device or the target application secure on an ongoing basis.
In some possible implementations of the first aspect, feeding back information to the user according to the authentication results of one or more identity authentications, so that the user accesses the terminal device or the target application within the range the permissions allow, includes: outputting prompt information to the user according to the authentication results of multiple identity authentications, where the prompt information indicates whether the user operating the terminal device or the running target application has changed.
In this way, the target user learns immediately whether the terminal device is being operated by another user, and can therefore immediately assess the possible security problems and risks and take remedial measures.
In some possible implementations of the first aspect, the prompt information includes a voice prompt, a text prompt, or an image prompt; alternatively, outputting the prompt information includes requesting the user to input identity information again for identity authentication.
In some possible implementations of the first aspect, feeding back information to the user according to the authentication results of one or more identity authentications, so that the user accesses the terminal device or the target application within the range the permissions allow, includes: determining the user's current operation permission for the terminal device or the target application according to the authentication results of one or more identity authentications; and controlling the user's access to the terminal device or the target application according to that operation permission. It can be understood that, after the terminal device or the target application has undergone identity authentication and the authentication has passed, identity authentication is performed one or more further times and the operation permission is determined from those results, so the operation permission is determined at a higher security level and the security of the terminal device is improved.
In some possible implementations of the first aspect, acquiring identity information of the user currently holding the terminal device and performing identity authentication on that user includes: collecting identity information of the user currently holding the terminal device at a preset frequency, and performing identity authentication on the user operating the terminal device with the identity information collected each time, so as to obtain the authentication results of one or more identity authentications, where the identity information collected each time yields the result of one identity authentication. That is, identity authentication is performed at a preset frequency, which achieves continuous identity authentication.
In some possible implementations of the first aspect, acquiring identity information of the user currently holding the terminal device and performing identity authentication on that user includes: collecting identity information of the user currently holding the terminal device whenever an operation that triggers a preset function is detected, and performing identity authentication on the user operating the terminal device with the identity information collected each time, so as to obtain the authentication results of one or more identity authentications, where the identity information collected each time yields the result of one identity authentication, and the number of preset functions in the terminal device is greater than or equal to 1. That is, identity authentication is performed each time the first application reaches a preset function, which achieves continuous identity authentication.
In some possible implementations of the first aspect, the identity information used in identity authentication includes one or more of the user's fingerprint information, face information, iris information, or voiceprint information.
In some possible implementations of the first aspect, controlling the user's current access to the terminal device or the target application according to the operation permission includes: if it is determined that the user does not have operation permission for the terminal device or the target application, outputting prompt information to prompt the target user to perform identity authentication; receiving the identity authentication information that is input again; and if it is determined from the re-entered identity authentication information that the user operating the terminal device or the target application is the target user, granting operation permission for the terminal device or the target application.
In this embodiment, when operation permission for the terminal device or the target application is initially not granted to the user, the target user can additionally be prompted to perform a secondary authorization; if the secondary authorization passes, operation permission for the terminal device or the target application is still granted. This makes authorization more flexible and meets user needs in more application scenarios.
In some possible implementations of the first aspect, outputting prompt information to prompt the target user to perform identity authentication if it is determined that the user does not currently have operation permission for the terminal device or the target application includes: if the user does not currently have operation permission for the terminal device or the target application and the type of the target application is a first preset type, outputting prompt information to prompt the target user to perform identity authentication. That is, specific types of application are configured in advance as eligible for secondary authorization, so that different applications can be managed differently at the security level.
In some possible implementations of the first aspect, determining the user's current operation permission for the terminal device or the target application according to the authentication results of one or more identity authentications includes: determining whether the user currently operating the terminal device has operation permission for the terminal device or the target application according to the authentication results of multiple identity authentications and information about the currently running target application, where the information about the target application includes the type of the target application and/or the function the target application is currently executing.
In this method, the user of the terminal device or the target application is authenticated continuously (that is, full-process tracking authentication); the user's operation permission for the terminal device or the target application is then determined by combining the results of multiple identity authentications (that is, chain authentication) with the information about the target application. Authenticating continuously and determining the operation permission from multiple results of that continuous authentication identifies the user currently operating the terminal device or the target application more promptly and accurately, and is more secure.
In some possible implementations of the first aspect, determining whether the user currently operating the terminal device has operation permission for the terminal device or the target application according to the authentication results of multiple identity authentications and the information about the currently running target application includes: if, among the multiple identity authentication results, the proportion of results indicating that the user operating the terminal device is the target user exceeds a target proportion threshold, determining that the user currently operating the terminal device has operation permission for the terminal device or the target application, where the target proportion threshold is determined according to the information about the target application. That is, the number of times the user must be authenticated as the target user is determined by the information (that is, the scenario) of the target application, so that permission control satisfies the security requirement of the target application to the greatest extent.
In some possible implementations of the first aspect, determining whether the user currently operating the terminal device has operation permission for the terminal device or the target application according to the authentication results of multiple identity authentications and the information about the currently running target application includes: if the last of the multiple identity authentication results indicates that the user operating the terminal device is the target user, and the proportion of results indicating that the user operating the terminal device is the target user exceeds the target proportion threshold, determining that the user currently operating the terminal device has operation permission for the terminal device or the target application, where the target proportion threshold is determined according to the information about the target application. That is, the number of times the user must be authenticated as the target user is determined by the information (that is, the scenario) of the target application, so that permission control satisfies the requirements of the target application to the greatest extent. In addition, requiring the most recent identity authentication result to indicate the target user further improves security.
In some possible implementations of the first aspect, the method further includes: if the last of the multiple identity authentication results indicates that the user operating the terminal device is not the target user, and/or the proportion of results indicating that the user operating the terminal device is the target user does not exceed the target proportion threshold, determining that the user currently operating the terminal device does not have operation permission for the terminal device or the target application, where the target proportion threshold is determined according to the information about the target application.
In some possible implementations of the first aspect, the result of any one of the multiple identity authentications is obtained by having multiple virtual computing nodes each perform identity authentication on the user operating the terminal device and then reaching consensus on the results those nodes obtain. It can be understood that, because multiple virtual computing nodes authenticate jointly, even if one computing node is maliciously compromised and produces an authentication result that harms security, a relatively safe final authentication result can still be obtained once the other, uncompromised virtual computing nodes reach consensus with the compromised one, which improves the security of identity authentication.
In some possible implementations of the first aspect, the multiple virtual computing nodes are different operating systems installed on the terminal device, or at least one operating system installed on the terminal device together with at least one third-party device connected to the terminal device, and the modalities on which the virtual computing nodes base their identity authentication differ from one another. It can be understood that, because the virtual computing nodes are different operating systems installed on the terminal device, or at least one operating system installed on the terminal device together with at least one connected third-party device, the nodes run in relatively isolated environments; even if one of them is maliciously compromised, the remaining nodes still operate normally, which improves the security of identity authentication. In addition, because the modalities on which the nodes base their authentication differ (for example, are not completely the same), the range of modalities is enriched, which makes the identity authentication process hard for outsiders to crack. For example, if fingerprint recognition is the only modality, the identity authentication process is easily cracked once the user's fingerprint information leaks; but if the user's behavioral habits when using each application and various biometric characteristics of the user are all included in the modalities used for authentication, then even if part of the user's characteristic information leaks, it does not create a substantial security risk for the identity authentication of the terminal device.
In a second aspect, an embodiment of the present application provides a user authority management method. The method includes: if it is determined, according to the authentication results of one or more identity authentications, that the user currently operating the terminal device has operation permission for the terminal device or the target application, displaying first prompt information indicating that the user is allowed to use the terminal device or the target application within a preset time period; and if it is determined, according to the authentication results of one or more identity authentications, that the user currently operating the terminal device does not have operation permission for the terminal device or the target application, prompting the target user to perform identity authentication.
With this method, when operation permission for the terminal device or the target application is initially not granted to the user, the target user can additionally be prompted to perform a secondary authorization; if the secondary authorization passes, operation permission for the terminal device or the target application is still granted. This makes authorization more flexible and meets user needs in more application scenarios.
In some possible implementations of the second aspect, prompting the target user to perform identity authentication if it is determined, according to the authentication results of one or more identity authentications, that the user currently operating the terminal device does not have operation permission for the terminal device or the target application includes: if it is so determined, outputting second prompt information to prompt the target user to perform identity authentication; receiving the identity authentication information that is input again; and if it is determined from the re-entered identity authentication information that the user operating the terminal device or the target application is the target user, granting operation permission for the terminal device or the target application.
In some possible implementations of the second aspect, the authentication result is used to determine the user's operation permission for the target application. Outputting second prompt information to prompt the target user to perform identity authentication if it is determined, according to the authentication results of one or more identity authentications, that the user currently operating the terminal device does not have operation permission for the terminal device or the target application includes: if it is so determined and the target application belongs to a first preset type, outputting second prompt information to prompt the target user to perform identity authentication. That is, specific types of application are configured in advance as eligible for secondary authorization, so that different applications can be managed differently at the security level.
In some possible implementations of the second aspect, the method further includes: if it is determined, according to the authentication results of one or more identity authentications, that the user currently operating the terminal device does not have operation permission for the terminal device or the target application, and the target application does not belong to the first preset type, restricting operation of the target application. It can be understood that some target applications have a higher security level; as soon as the user is determined not to have operation permission, operation of such an application is restricted directly, which raises the security level of that application.
In some possible implementations of the second aspect, restricting operation of the target application includes: exiting the display of the target application; or displaying an interface that masks the content displayed by the application, so as to prevent the user from using the target application; or displaying only the content of the target application other than private content; or displaying prompt information indicating that the user has no permission to view the private content in the target application; or prohibiting the user from invoking the target application from a third-party device.
In some possible implementations of the second aspect, before it is determined, according to the authentication results of one or more identity authentications, that the user currently operating the terminal device has operation permission for the terminal device or the target application, the method further includes: acquiring identity information of the user currently operating the terminal device and performing identity authentication on that user, where the terminal device or the target application has already undergone identity authentication at least once and is in a running state after that authentication passed. It can be understood that, after the terminal device or the target application has undergone identity authentication and the authentication has passed, identity authentication continues to be performed on the user operating the terminal device or the target application, and information is fed back to the user according to the one or more authentication results obtained in this way, so that the user accesses the terminal device or the target application within the range the permissions allow. This continuous identity authentication keeps the terminal device or the target application secure on an ongoing basis.
In some possible implementations of the second aspect, acquiring identity information of the user currently operating the terminal device and performing identity authentication on that user includes: collecting identity information of the user currently holding the terminal device at a preset frequency, and performing identity authentication on the user operating the terminal device with the identity information collected each time, so as to obtain the authentication results of one or more identity authentications, where the identity information collected each time yields the result of one identity authentication. That is, identity authentication is performed at a preset frequency, which achieves continuous identity authentication.
In some possible implementations of the second aspect, acquiring identity information of the user currently operating the terminal device and performing identity authentication on that user includes: collecting identity information of the user currently holding the terminal device whenever an operation that triggers a preset function is detected, and performing identity authentication on the user operating the terminal device with the identity information collected each time, so as to obtain the authentication results of one or more identity authentications, where the identity information collected each time yields the result of one identity authentication, and the number of preset functions in the terminal device is greater than or equal to 1. That is, identity authentication is performed each time the first application reaches a preset function, which achieves continuous identity authentication.
In some possible implementations of the second aspect, the identity information used in identity authentication includes one or more of the user's fingerprint information, face information, iris information, or voiceprint information.
In some possible implementations of the second aspect, before the first prompt information is displayed upon determining, according to the authentication results of one or more identity authentications, that the user currently operating the terminal device has operation permission for the terminal device or the target application, the method further includes: determining whether the user currently operating the terminal device has operation permission for the terminal device or the target application according to the authentication results of multiple identity authentications and information about the target application, where the information about the target application includes the type of the target application and/or the function the target application is currently executing.
In this method, the user of the terminal device or the target application is authenticated continuously (that is, full-process tracking authentication); the user's operation permission for the terminal device or the target application is then determined by combining the results of multiple identity authentications (that is, chain authentication) with the information about the target application. Authenticating continuously and determining the operation permission from multiple results of that continuous authentication identifies the user currently operating the terminal device or the target application more promptly and accurately, and is more secure.
In some possible implementation manners of the second aspect, the determining whether a user currently operating the terminal device has an operation right for the terminal device or the target application according to the authentication result of the multiple identity authentications and the information of the target application includes: if the authentication result exceeding the target proportion threshold value in the multiple identity authentication results indicates that the user operating the terminal equipment is the target user, determining that the user currently operating the terminal equipment has the operation authority on the terminal equipment or the target application program; and the target proportion threshold is determined according to the information of the target application program. That is, the number of times that the target user needs to be authenticated is determined by the information (i.e., scene) of the target application, so that the security requirement of the target application is satisfied to the maximum extent by the control of the authority.
In some possible implementation manners of the second aspect, the determining whether a user currently operating the terminal device has an operation right for the terminal device or the target application according to the authentication result of the multiple identity authentications and the information of the target application includes: if the last identity authentication result in the multiple identity authentication results indicates that the user operating the terminal equipment is the target user and the authentication result exceeding the target proportion threshold value in the multiple identity authentication results indicates that the user operating the terminal equipment is the target user, determining that the user currently operating the terminal equipment has the operation authority on the terminal equipment or the target application program; and the target proportion threshold is determined according to the information of the target application program. That is, the number of times that the target user needs to be authenticated is determined by the information (i.e., scene) of the target application, so that the control of the authority maximally satisfies the requirements of the target application. In addition, the latest identity authentication result is required to be the target user, and the safety is further improved.
In some possible implementation manners of the second aspect, the authentication result of any one of the multiple identity authentications is obtained by having a plurality of virtual computing nodes each perform identity authentication on the user operating the terminal device and then reaching consensus on the authentication results obtained by the plurality of virtual computing nodes. It can be understood that, because the plurality of virtual computing nodes authenticate jointly, even if one computing node is maliciously compromised and produces an authentication result that is detrimental to security, a relatively secure final authentication result can still be obtained once the other, uncompromised virtual computing nodes reach consensus with the compromised one, which improves the security of identity authentication.
In some possible implementation manners of the second aspect, the plurality of virtual computing nodes are different operating systems installed on the terminal device, or at least one operating system installed on the terminal device and at least one third-party device connected to the terminal device, and the modalities on which the individual virtual computing nodes base their identity authentication differ from one another. It can be understood that, since the plurality of virtual computing nodes are different operating systems installed on the terminal device, or at least one operating system installed on the terminal device and at least one third-party device connected to the terminal device, the plurality of virtual computing nodes are in relatively isolated environments, and even if one of them is maliciously compromised, the remaining virtual computing nodes can still operate normally, which improves the security of identity authentication. In addition, because the modalities on which the individual virtual computing nodes base their identity authentication differ (for example, are not completely the same), the range of modalities is enriched, which makes the identity authentication process difficult for outside parties to defeat. For example, if fingerprint recognition is the only modality, then when the user's fingerprint information is leaked, the identity authentication process is easily defeated by outside parties; however, if the user's operating habits when using each application program and various biometric characteristics of the user are all included in the modalities used for authentication, then even if part of the user's characteristic information is leaked, no substantial security risk is brought to the identity authentication link of the terminal device.
In a third aspect, an embodiment of the present application provides a terminal device, where the terminal device includes one or more processors and a memory, where the memory is used to store a computer program, and the one or more processors invoke the computer program to implement the method described in the first aspect or any one of the possible implementation manners of the first aspect.
In a fourth aspect, an embodiment of the present application provides a terminal device, where the terminal device includes one or more processors and a memory, where the memory is used to store a computer program, and the one or more processors invoke the computer program to implement the method described in the second aspect or any one of the possible implementation manners of the second aspect.
In a fifth aspect, embodiments of the present application provide a computer-readable storage medium, which stores therein a computer program, which, when executed on one or more processors, implements the method described in the first aspect or any one of the possible implementations of the first aspect.
In a sixth aspect, embodiments of the present application provide a computer-readable storage medium, which stores a computer program that, when executed on one or more processors, implements the method described in the second aspect or any one of the possible implementations of the second aspect.
By adopting the embodiment of the application, after the terminal equipment or the target application program has performed identity authentication and passes the authentication, the identity authentication is continuously performed on the user operating the terminal equipment or the target application program, and information is fed back to the user according to one or more identity authentication results obtained by the continuous authentication, so that the user can access the terminal equipment or the target application program within the permission range. The continuous identity authentication mode can continuously ensure the safety of the terminal equipment or the target application program.
Drawings
The drawings used in the embodiments of the present application are described below.
Fig. 1 is a schematic diagram of an operation framework of a terminal according to an embodiment of the present application;
Fig. 2 is a schematic diagram of an operation framework of another terminal provided in an embodiment of the present application;
Fig. 3 is a schematic structural diagram of an Android operating system provided in an embodiment of the present application;
Fig. 4A is a flowchart illustrating a user right management method according to an embodiment of the present application;
Fig. 4B is a flowchart illustrating another user right management method according to an embodiment of the present application;
Fig. 5 is a flowchart illustrating a user right management method according to an embodiment of the present application;
Fig. 6 is a flowchart illustrating a user right management method according to an embodiment of the present application;
Fig. 7 is a flowchart illustrating a user right management method according to an embodiment of the present application;
Fig. 8 is a flowchart illustrating a user right management method according to an embodiment of the present application;
Fig. 9 is a flowchart illustrating a user right management method according to an embodiment of the present application;
Fig. 10 is a schematic structural diagram of a terminal according to an embodiment of the present application.
Detailed Description
The embodiments of the present application will be described below with reference to the drawings.
The user right management method in the embodiment of the application may be implemented based on a terminal, where the terminal may be a handheld device (e.g., a mobile phone, a tablet computer, a palm computer, etc.), a vehicle-mounted device (e.g., an automobile, a bicycle, an electric vehicle, an airplane, a ship, etc.), a wearable device (e.g., a smart watch (such as iWatch, etc.), a smart bracelet, a pedometer, etc.), a smart home device (e.g., a refrigerator, a television, an air conditioner, an electric meter, etc.), an intelligent robot, a workshop device, and so on.
As shown in fig. 1, the terminal includes a service layer 101, an SDK layer 102, an execution layer 103, an engine layer 104, a link layer 105, and a data layer 106, and these layers cooperate to jointly complete the user right management method, where:
Data layer 106: used for acquiring modal data while the terminal is in use and then performing fusion calculation on the acquired modal data, where the fusion calculation specifically comprises five parts: modal acquisition, modal detection, feature extraction, feature fusion and classification decision. The layer supports fusion computation on modal data by a plurality of computing nodes and supports distributed security defense detection.
Link layer 105: used for integrating the results of the data-layer fusion, for example shielding the differences between data from different computing nodes in the data layer through a CA plug-in, a sensing hub (SensorHub) plug-in and a distributed protocol plug-in, so as to meet the requirements of the engine layer.
Engine layer 104: used for providing a persistent identity authentication service, a security defense chain engine, and a multi-modal computing engine, wherein:
The persistent identity authentication service is used for carrying out continuous identity authentication on the terminal according to the modal data integrated by the link layer.
The security defense chain engine is used for realizing a security defense chain mechanism and comprises a security detector, chain management and node management, wherein: the security detector is used for setting security detection points according to the security authentication requirements; one security detection point can have one or more continuous multi-modal identity authentications, and the result of each identity authentication is recorded on the chain as one transaction record. The chain management is used for realizing the security defense chain mechanism of the distributed blockchain network and ensuring, through a data synchronization mechanism, that the elements on the chain are consistent and cannot be tampered with. The node management is used for managing node information and communication among nodes in the distributed blockchain network.
The multi-modal computing engine is used for realizing multi-modal computing. It comprises an owner feature manager, which is used for registering owner features for use in the fusion classification of the multi-modal computing engine, and a multi-modal manager, which is used for managing the multi-modal computation and driving the data layer to start or stop the acquisition of modal data (e.g. the multi-modal computation pipeline work).
Execution layer 103: provides a dynamic authorization management and control service, which performs authorization management and control, such as authorization and re-authorization operations, according to the continuous identity authentication results on the chain of the engine layer, where the authorization type may include system authority, general authority and the like.
Software Development Kit (SDK) layer 102: provides the service layer with an Application Programming Interface (API) for the persistent authentication service, for example a persistent authentication API for each application (APP) installed on a terminal, for a service in a cloud, or for an Internet of Things (IoT) service. The layer can be regarded as an adaptation layer: on one hand it provides an entry for service registration (calling the persistent authentication API immediately after registration), and on the other hand it passes the information about the user right finally obtained after persistent authentication (such as authorized, unauthorized, or the specific functions that are authorized) through to the registered service.
Service layer 101: used for supporting the realization of services, for example various applications (APPs), cloud services, Internet of Things (IoT) services and other services.
Optionally, as shown in Fig. 2, a plurality of operating systems may be deployed in the terminal, and the operating systems may be regarded as respective computing nodes in the distributed blockchain. For example, the multiple operating systems may include an Android system 201, an iTrustee system 202, and a LiteOS system 203, each of which is described in greater detail below.
The Android system 201: the system can be used as a Rich Execution Environment (REE) and directly interface with an upper business layer to realize five modules including scene recognition (also called application information recognition, for example, the information includes the type of an application and/or the function currently executed by the application), a continuous identity authentication service, a security defense chain engine on the REE side, a multi-modal computing engine and a dynamic authorization management and control service. The upper-layer service can set a security detection point through the API of the continuous identity authentication service, and can also define a security detection strategy of a specific scene through scene identification, and an identity authentication result is returned to the upper-layer service and the dynamic authorization management and control service through the API of the continuous identity authentication service. The multi-mode calculation engine drives the calculation nodes to perform multi-mode calculation through the adaptation layer, and provides calculation service for the security defense chain engine. The security defense chain engine comprises a security detector, chain management and node management, and provides a reliable multi-mode identity authentication result for upper-layer business and dynamic authorization management and control service.
As shown in Fig. 3, the more detailed internal structure of the Android system provided in the embodiment of the present application is mainly distributed in an application layer 301, a Framework layer 302, and a Native layer 303, wherein: the Framework layer 302 comprises the dynamic authorization management and control service, the security defense chain engine, the multi-modal computing engine, a configuration management module, and two background services that support the engines, namely the security defense chain service and the multi-modal computing service. The security defense chain engine and the multi-modal computing engine communicate with the security defense chain service and the multi-modal computing service through the binder mechanism. The Native layer 303 mainly implements the REE security defense chain engine and provides the underlying computation for the upper-layer security defense chain service, including node management, communication among nodes, and the creation, deletion, monitoring and synchronization of chain elements.
The iTrustee system 202: can serve as a Trusted Execution Environment (TEE) and includes a multi-modal Trusted Application (TA) and an authorization TA, where the multi-modal TA is used to implement fusion and classification decision of features such as the behavior and physiology of a user, and the authorization TA is used to authorize (i.e., perform user right management) according to the classification decision result of the multi-modal TA. Optionally, the REE and the TEE may communicate through a Client API (CA) plug-in.
The LiteOS system 203 mainly realizes the calculation of low-power consumption modes (a low-power consumption Camera (Camera) and a low-power consumption Microphone (MIC)), and transmits the calculation result to the TEE for fusion, and optionally, the sensing hub (SensorHub) and the TEE can communicate through a sensing hub IPC driver (SensorHub IPC driver).
Referring to fig. 4A, fig. 4A is a user right management method according to an embodiment of the present application, which may be implemented based on the terminal shown in fig. 1, and the method includes, but is not limited to, the following steps:
Step S411: the terminal equipment acquires the identity information of a user currently holding the terminal equipment and performs identity authentication on the user.
Specifically, before the step "the terminal device obtains the identity information of the user currently holding the terminal device and performs identity authentication on the user" is executed, the terminal device or the target application program has already performed at least one identity authentication and is in the operating state entered after that identity authentication passed; that is, the terminal device has already obtained the identity information of the user for identity authentication in the process of running itself or running a target application program. Usually, the terminal device prestores information of one user (or, of course, of a plurality of users); this user is called the target user in the embodiment of the present application, and optionally the target user is usually the owner of the terminal device. The terminal device compares the obtained identity information with the prestored identity information of the target user: if the two differ, the authentication has not passed; if they are the same, the authentication passes and the running state after the identity authentication is passed is entered. Optionally, the identity authentication that has already been performed may be regarded as the identity authentication performed when the terminal device is unlocked from the screen-locked state; authentication of this kind is also generally referred to as "door access type" authentication.
Optionally, the target application is an application currently running, which may be an application running on the terminal device, or an application running on a third-party device (in this case, this may be referred to as a third-party application).
In the embodiment of the present application, there are various ways for the terminal device to acquire the identity information of the user currently holding the terminal device and perform identity authentication on the user, and several optional implementation ways are provided below:
In a first mode, identity information of the user currently holding the terminal equipment is acquired at a preset frequency, and the user operating the terminal equipment is authenticated each time according to the identity information acquired that time, to obtain an authentication result of one or more identity authentications, wherein the identity information acquired each time is used for obtaining the authentication result of one identity authentication. For example, the acquisition and authentication may be performed every 2 minutes, or every 5 minutes.
In a second mode, when a triggering operation on a preset function is detected, the identity information of the user currently holding the terminal equipment is collected, and the user operating the terminal equipment is authenticated each time according to the identity information collected that time, to obtain an authentication result of one or more identity authentications, wherein the identity information collected each time is used for obtaining the authentication result of one identity authentication, and the number of preset functions in the terminal equipment is greater than or equal to 1. It will be appreciated that many service functions may be implemented on the terminal device, such as taking pictures, playing music, gaming, purchasing gaming equipment, making payments, transferring money, modifying account information, etc. Some of these functions may be marked as preset functions, and the identity information needs to be acquired whenever the user wants to use a preset function. For example, if payment, transfer and account information modification are marked as preset functions, the terminal device performs identity authentication when the user triggers any one of the payment, transfer and account information modification functions.
Optionally, the authentication result of any single identity authentication in the identity authentication process is obtained by having a plurality of virtual computing nodes each perform identity authentication on the user operating the terminal device and then reaching consensus on the authentication results obtained by the plurality of virtual computing nodes. For example, suppose there are a virtual computing node 1, a virtual computing node 2, and a virtual computing node 3, where virtual computing node 1 obtains identity authentication result 1 through authentication, virtual computing node 2 obtains identity authentication result 2 through authentication, and virtual computing node 3 obtains identity authentication result 3 through authentication; the three virtual computing nodes then reach consensus on identity authentication result 1, identity authentication result 2, and identity authentication result 3 to obtain the result of one identity authentication. Further, the plurality of virtual computing nodes are different operating systems installed on the terminal device (e.g., an Android system, a LiteOS system, etc. installed on the terminal device), or at least one operating system installed on the terminal device and at least one third-party device (i.e., an external device) connected to the terminal device, and the modalities on which the plurality of virtual computing nodes base their identity authentication differ from one another (e.g., one virtual computing node performs identity authentication based on the iris, and another performs identity authentication based on a fingerprint).
The embodiment of the present application mentions that the terminal device or the target application performs identity authentication, and also that the operation authority on the terminal device or the target application is determined. The description treats the terminal device and the target application as parallel alternatives because, in practical applications, some control policies apply only to certain target applications, while other control policies apply to the terminal device (that is, the control policies are applicable regardless of what application the terminal device currently runs). Therefore, in many places, the terminal device and the target application program are described in parallel in the embodiments of the present application.
Optionally, a modality on which authentication is based is selected first in the identity authentication process, where the modality may refer to a source or a form of information, and for example, fingerprint recognition, iris recognition, face recognition, user operation (habit) recognition, and the like all belong to different modalities. In the embodiment of the present application, the modality selected for each authentication may be one or multiple (i.e., multiple modalities), and there are many ways to select a modality, and for ease of understanding, an alternative way is exemplified below.
Optionally, if the identity authentication is to determine the operation authority of the target application program, a matching relationship between information of the various application programs and various modalities may be preconfigured, and once the information of the target application program is determined, a corresponding modality may be determined from the matching relationship according to the target application program, so as to obtain a final modality used for the identity authentication.
Optionally, if the identity authentication is to determine an operation authority of an application (such as the target application), a matching relationship between application information and candidate modalities may be configured in advance, and then, in a process of running the target application, the candidate modalities corresponding to the information of the target application are matched according to the matching relationship, where the candidate modalities include at least one modality; the matching relation defines candidate modalities corresponding to at least two kinds of information, and the candidate modalities corresponding to any two kinds of information in the at least two kinds of information are not identical. Optionally, if the information of the application includes the type of the application but does not include the currently executed function, table 1 illustrates candidate modalities corresponding to the game-class application, the shopping-class application, and the music-class application.
TABLE 1
Application type | Candidate modalities
Game class | Fingerprint recognition, user operation, face recognition
Shopping class | Face recognition, fingerprint recognition, iris recognition
Music class | Face recognition, fingerprint recognition
Referring to Table 1, when the target application is Honor of Kings, it belongs to the game class, and therefore the corresponding candidate modalities include fingerprint recognition, user operation, and face recognition; when the target application program is the Jingdong application program, it belongs to the shopping class, and therefore the corresponding candidate modalities include face recognition, fingerprint recognition and iris recognition; and so on for the rest.
After the candidate modalities corresponding to the target application program are determined, one or more of them are adopted as the final modality for performing identity authentication on the user operating the terminal equipment. For example, when the target application program is a shopping application, one or more modalities are selected from the face recognition, fingerprint recognition and iris recognition corresponding to the shopping class as the final modality for identity authentication, for example a multi-modality consisting of face recognition and fingerprint recognition; as another example, a multi-modality consisting of fingerprint recognition and iris recognition is selected. Optionally, one or more modalities may be selected from the candidate modalities corresponding to the target application program according to the environment parameters of the environment where the terminal device is currently located, and the selected modality or modalities are used for performing identity authentication on the user operating the terminal device. That is, when one or more modalities are selected from the candidate modalities corresponding to the type of the target application program, the selection may be based on the environment parameters of the environment where the terminal device is currently located; for example, when it is determined from the environment parameters that the terminal device is currently in a night-time environment, modalities other than face recognition and iris recognition are used, so that the accuracy of subsequent identity recognition may be improved.
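The selection just described, from the candidate modalities of Table 1 down to the final modalities for the current environment, written out as an added example that is not part of the patent text. The condition names, the "wet_hands" row, the two-modality limit and the fail-closed behaviour when nothing usable remains are assumptions.

```python
from typing import Dict, List, Set

# Matching relation between application type and candidate modalities (Table 1).
CANDIDATES: Dict[str, List[str]] = {
    "game": ["fingerprint", "user_operation", "face"],
    "shopping": ["face", "fingerprint", "iris"],
    "music": ["face", "fingerprint"],
}

# Environment condition -> modalities to avoid in it. The "night" row follows
# the text (use modalities other than face and iris recognition); the
# "wet_hands" row is a constructed assumption that exercises the empty case.
UNRELIABLE_IN: Dict[str, Set[str]] = {
    "night": {"face", "iris"},
    "wet_hands": {"fingerprint"},
}


class NoUsableModality(Exception):
    """No candidate modality survives the environment filter."""


def select_modalities(app_type: str, conditions: Set[str],
                      max_modalities: int = 2) -> List[str]:
    """Return the final modalities for one authentication, in table order."""
    if app_type not in CANDIDATES:
        # No matching relation configured: refuse instead of guessing.
        raise KeyError(f"no candidate modalities configured for {app_type!r}")
    excluded: Set[str] = set()
    for condition in conditions:
        excluded |= UNRELIABLE_IN.get(condition, set())
    usable = [m for m in CANDIDATES[app_type] if m not in excluded]
    if not usable:
        # Fail closed: the caller should deny or defer the operation rather
        # than skip identity authentication altogether.
        raise NoUsableModality(f"{app_type}: nothing usable under {sorted(conditions)}")
    return usable[:max_modalities]


if __name__ == "__main__":
    print(select_modalities("shopping", set()))      # daylight, no constraints
    print(select_modalities("shopping", {"night"}))  # face and iris dropped
    print(select_modalities("game", {"night"}))
```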
Step S412: the terminal equipment feeds back information to the user according to the authentication result of the one or more identity authentications, so that the user can access the terminal equipment or the target application program within the permission range.
Specifically, there are at least two possible implementation schemes for feeding back information to the user:
In a first scheme, prompt information is output to the user according to the authentication results of the multiple identity authentications, where the prompt information is used to indicate whether the user operating the terminal device or the target application program has changed during operation.
Case 1: if the multiple times are specifically 3 times, where the 1st authentication result indicates that the user is the target user, the 2nd authentication result indicates that the user is the target user, and the 3rd authentication result indicates that the user is not the target user, prompt information is output to the user, where outputting the prompt information includes requesting the user to input the identity information again for identity authentication.
Case 2: if the multiple times are specifically 4 times, where the 1st identity authentication result indicates that the user is the target user, the 2nd indicates that the user is the target user, the 3rd indicates that the user is not the target user, and the 4th indicates that the user is the target user, the prompt information is output. In this case, the last of the multiple authentications indicates that the user operating the terminal device or the target application is the target user, while an authentication result that occurred before the last one indicates that the user operating the terminal device or the target application was not the target user; the prompt information is therefore output to indicate that the user was replaced. The purpose of this configuration is to make the prompt information visible to the target user as far as possible and invisible, as far as possible, to users other than the target user; optionally, the prompt information includes a voice prompt, a text prompt, an image prompt, or the like.
And determining the current operation authority of the user on the terminal equipment or the target application program according to the authentication result of the identity authentication for one time or multiple times.
And in the case A, when the determination is performed according to the primary identity authentication result, if the primary identity authentication result indicates that the user operating the terminal device or the target application program is not the target user, the operation authority of the user on the terminal device or the target application program is not granted, and if the primary identity authentication result indicates that the user operating the terminal device or the target application program is the target user, the operation authority of the user on the terminal device or the target application program is granted.
And B, when the determination is carried out according to the multiple identity authentication results, determining whether the user currently operating the terminal equipment has the operation authority for the terminal equipment or the target application program according to the multiple identity authentication results and the information of the currently running target application program. Taking the determination of the operation right of the target application as an example, when the terminal device determines the current operation right of the target application, the first aspect needs to consider the multiple identity authentication results, and the second aspect needs to consider the information of the target application; the second aspect is mainly to consider that the security levels of the application programs are often different when the information of the application programs is different, the identity authentication requirement of the application program with high security level is higher, and the identity authentication requirement of the application program with low security level is relatively lower in the embodiment of the application. For example, the applications of Taobao, Jingdong and Wei-Hui belong to shopping applications, the Internet music, QQ music and Ku-me music belong to music applications, the security level of the music applications is obviously lower than that of the shopping applications (relating to fund exchange), and therefore the requirements of the shopping applications on the identity authentication result can be relatively high. 
As another example, the business functions within the same application often have different security levels. The security level of the commodity query function in the Taobao application is lower than that of the commodity payment function, so the commodity payment function places a higher requirement on the identity authentication result than the commodity query function does.
The information of the target application program comprises the type of the target application program and/or the function currently executed by the target application program. The terminal device may identify the information of the target application in advance; identifying the information of the currently running target application may also be regarded as identifying the current application scenario of the target application. For example, the information of the target application includes the type of the target application; as another example, it includes the function currently executed by the target application; as yet another example, it includes both the type of the target application and the function currently being performed by the target application. Optionally, the information of the target application may include other information besides that listed above, which is not limited here.
It is understood that each application corresponds to a type. For example, Internet music, QQ music, etc. belong to the music type; Taobao, Tianmao, Jingdong, etc. belong to the shopping type; Alipay, Tenpay, and the like belong to the payment type; an application on a third-party device belongs to the third-party application type; and so on. Fig. 4A uses the payment type as an example. The type an application belongs to may be determined from information such as its name, its description file, or a type identifier.
Optionally, the information of the target application may be identified by a program of the terminal device itself (which may be regarded as system-initiated, for example active identification by a mobile phone's intelligent scene identification system), or may be identified by a third-party platform that has established a communication connection with the terminal device, or by a third-party application running on the terminal device, by calling an API of the terminal device (which may be regarded as service-initiated).
Two alternative cases are provided below to show how the first and second aspects are combined to determine the current operation authority of the target application (for case B above):
In case one, if the proportion of the multiple identity authentication results indicating that the user operating the terminal device is the target user exceeds the target proportion threshold, it is determined that the user currently operating the terminal device has operation authority for the target application program; if that proportion does not exceed the target proportion threshold, it is determined that the user currently operating the terminal device does not have operation authority for the target application program. The target proportion threshold is determined according to the information of the target application program. For example, if the number of results considered is 5 and the information of the target application indicates that its type is a shopping application, the target proportion threshold may be set to 100%; that is, the last 5 identity authentication results must all show that the user operating the terminal device is the target user (i.e., the owner) before the current operation authority of the target application program can be obtained. When the information of the target application indicates that its type is a music application, the target proportion threshold may be set to 20%; that is, at least one of the last 5 identity authentication results must show that the user operating the terminal device is the target user before the current operation authority of the target application program can be obtained.
In case two, if the last of the multiple identity authentication results indicates that the user operating the terminal device is the target user, and the proportion of the multiple identity authentication results indicating that the user operating the terminal device is the target user exceeds the target proportion threshold, it is determined that the user currently operating the terminal device has operation authority for the target application program. If the last of the multiple identity authentication results indicates that the user operating the terminal device is not the target user, and/or that proportion does not exceed the target proportion threshold, it is determined that the user currently operating the terminal device does not have operation authority for the target application program. The target proportion threshold is determined according to the information of the target application program. Compared with case one, case two additionally requires that the last authentication result in the time sequence (if a blockchain-like architecture is adopted, the authentication result obtained in the most recent consensus in the time sequence) shows the user operating the terminal device to be the target user, which further improves security.
In case three, a count value N is determined according to the information of the target application program; optionally, the terminal device stores a count value corresponding to each piece of application information, so that N may be determined from this correspondence. After N is determined according to the target application program, it is judged whether the latest N identity authentication results in the time sequence show the user operating the terminal device to be the target user; if so, the current operation authority of the target application program is determined to be "operation allowed". For example, when the information of the target application program indicates that the currently executed function is the payment function, the determined count value N is equal to 5; that is, the last 5 identity authentication results must show that the user operating the terminal device is the target user before the current operation authority of the target application program can be obtained. When the information of the target application program indicates that the currently executed function is the music playing function, the determined count value N is equal to 2; that is, the last 2 identity authentication results must show that the user operating the terminal device is the target user before the current operation authority of the target application program can be obtained.
After the operation authority of the user for the terminal device or the target application program is determined in the above manner, the user's access to the terminal device or the target application program is controlled according to that operation authority. If it is determined that the user has operation authority for the terminal device or the target application program, the user is allowed to currently operate the terminal device or the target application program; for example, first prompt information is displayed to indicate that the user is allowed to use the terminal device or the target application program within a preset time period. If the user does not have operation authority for the terminal device or the target application program, the user is not allowed to currently operate the terminal device or the target application program, or a secondary authorization process is entered, for example by prompting the target user to perform identity authentication.
Optionally, the secondary authorization process may output second prompt information to prompt the target user of the terminal device to perform identity authentication, then receive identity authentication information input by a user, and, if the user operating the terminal device is determined to be the target user according to that identity authentication information, grant operation authority for the terminal device or the target application program. It should be noted that the identity authentication mechanism in the secondary authorization process may be regarded as higher-level authentication, which can identify more accurately whether the user operating the terminal device is the target user. Therefore, even if it was last determined that the user does not have operation authority for the terminal device or the target application program, the user may still be granted that operation authority as long as the identity authentication result in the secondary authorization process shows that the target user is operating.
Optionally, when the secondary authorization is used to determine the user's operation authority for the target application program, the secondary authorization mechanism need not be adopted for all application programs; the specific application programs that can adopt it may be preset. For example, whether the secondary authorization mechanism is adopted may depend on the type of the application; for instance, it may be set that game applications and music applications adopt the secondary authorization mechanism. In this case, the following operations are performed before the secondary authorization: determining the type of the target application; and, when the type of the target application is the first preset type, executing the step of outputting second prompt information to prompt the target user of the terminal device to perform identity authentication. Optionally, the terminal device may record for which application program the operation permission was granted after secondary authorization, so that the next time the user uses that application program, the terminal device determines the current operation permission of the target application program according to the multiple identity authentication results and the information of the application program, and does not grant the user currently operating the terminal device the operation permission for the target application program.
Optionally, if it is determined according to the multiple identity authentication results and the information of the currently running target application program that the user currently operating the terminal device does not have operation permission for the target application program, and the target application program does not belong to the first preset type, operation of the target application program is limited.
Optionally, limiting the operation of the target application program may specifically be: exiting the display of the target application program; or displaying an interface that covers the content displayed by the application program so as to prevent the user from using the target application program; or displaying only the content of the target application program other than private content; or displaying prompt information to inform the user that they do not have permission to view the private content in the target application program; or forbidding the target application program from being called from a third-party device.
In the method shown in fig. 4A, after the terminal device or the target application has performed identity authentication and the authentication has passed, identity authentication continues for the user operating the terminal device or the target application, and information is fed back to the user according to the one or more identity authentication results obtained by the continued authentication, so that the user can access the terminal device or the target application within the permitted range. This continuous identity authentication continuously ensures the security of the terminal device or the target application program.
Referring to fig. 4B, fig. 4B shows a user authority management method provided in this embodiment of the present application, which may be implemented based on the terminal shown in fig. 1. This method may be regarded as a more specific implementation of the method embodiment shown in fig. 4A; in particular, it describes how to determine the current operation authority of the target application based on the results of multiple identity authentications, corresponding to case B in the alternative embodiment shown in fig. 4A. The method includes, but is not limited to, the following steps:
Step S421: The terminal device identifies the information of the currently running target application program.
Specifically, the target application may be an application currently running on the terminal, or an application currently running on a third-party device (in which case it may also be referred to as a third-party application). Identifying the information of the currently running target application may also be regarded as identifying the current application scenario of the target application. The information of the target application includes the type of the target application and/or the function currently executed by the target application: for example, it includes the type of the target application; as another example, it includes the function currently executed by the target application; as yet another example, it includes both the type of the target application and the function currently being performed by the target application. Optionally, the information of the target application may include other information besides that listed above, which is not limited here.
It is understood that each application corresponds to a type. For example, Internet music, QQ music, etc. belong to the music type; Taobao, Tianmao, Jingdong, etc. belong to the shopping type; Alipay, Tenpay and the like belong to the payment type; an application on a third-party device belongs to the third-party application type; and so on. Fig. 4B uses the payment type as an example. The type an application belongs to may be determined from information such as its name, its description file, or a type identifier.
It is understood that each application generally has one or more functions. For example, the Alipay application has functions such as money transfer, payment, Ant Insurance, and social security query; as another example, the Taobao application has functions such as commodity search, adding to the shopping cart, order inquiry, after-sales application, applicant's payment, and payment.
Specifically, the information of the target application may be identified by a program of the terminal device itself (which may be regarded as system-initiated, for example active identification by a mobile phone's intelligent scene identification system), or may be identified by a third-party platform that has established a communication connection with the terminal device, or by a third-party application running on the terminal device, by calling an API of the terminal device (which may be regarded as service-initiated).
Step S422: The terminal device determines a modality for identity authentication according to the information of the target application program.
Specifically, in the process of identity authentication, the modality on which authentication is based is selected first. A modality refers to a source or form of information; for example, fingerprint recognition, iris recognition, face recognition, and user operation (habit) recognition are all different modalities. In the embodiment of the present application, one modality or several modalities (i.e., multi-modality) may be selected for each authentication. There are many ways to select a modality; for ease of understanding, some alternatives are described below.
Optionally, a matching relationship between the application information and the modalities may be preconfigured, and once the application information is determined, a final modality for identity authentication may be determined according to the matching relationship.
Optionally, a matching relationship between application program information and candidate modalities may be preconfigured, and during the running of the target application program the candidate modalities corresponding to the information of the target application program are looked up according to this matching relationship, where the candidate modalities include at least one modality. The matching relationship defines candidate modalities for at least two kinds of information, and the candidate modalities corresponding to any two of those kinds of information are not identical. Optionally, if the information of the application includes the type of the application but not the currently executed function, table 1 illustrates candidate modalities corresponding to game applications, shopping applications, and music applications.
Referring to table 1, when the target application is Honor of Kings, it is a game application, so the corresponding candidate modalities include fingerprint recognition, user operation, and face recognition; when the target application is the Jingdong application, it is a shopping application, so the corresponding candidate modalities include face recognition, fingerprint recognition and iris recognition; and so on for the rest.
After the candidate modalities corresponding to the target application program are determined, one or more of them are adopted as the final modality for performing identity authentication on the user operating the terminal device. For example, when the target application program is a shopping application, one or more modalities are selected from the face recognition, fingerprint recognition and iris recognition corresponding to shopping applications as the final modality for identity authentication: for example, a multi-modality consisting of face recognition and fingerprint recognition, or a multi-modality consisting of fingerprint recognition and iris recognition. Optionally, one or more modalities may be selected from the candidate modalities corresponding to the target application program according to environment parameters of the environment in which the terminal device is currently located, and the selected modality or modalities are used for performing identity authentication on the user operating the terminal device. For example, when it is determined from the environment parameters that the terminal device is currently in a night-time environment, modalities other than face recognition and iris recognition are used, which can improve the accuracy of subsequent identity recognition.
Step S423: The terminal device acquires information according to the determined modality to obtain identity information for identity recognition.
Specifically, this step may include modality acquisition, modality detection, feature extraction, feature fusion, decision making, and the like (some of which may be omitted). Modality acquisition is performed according to the determined modality; for example, if the determined modality is a multi-modality formed by iris recognition and fingerprint recognition, iris information and fingerprint information may be acquired. The acquired original information is then processed accordingly, for example by modality detection (for example, detecting whether usable modality data exists in a certain modality or modalities), feature extraction, feature fusion, classification decision, and the like, so as to obtain refined data with better usability, which may be referred to as identity information.
Step S424: The terminal device reads the acquired identity information at the configured security detection points.
Specifically, the terminal device needs to continuously perform identity authentication on the user operating the terminal device while running; for example, a plurality of security detection points may be configured, and identity information is read at each security detection point for continuous authentication. The security detection points may be a default configuration of the terminal device (which may be called system-initiated), or may be configured by a third-party platform that has established a communication connection with the terminal device, or by a third-party application running on the terminal device, by calling an API of the terminal device (which may be called service-initiated).
The security detection points may be configured in at least the following two ways:
In the first way, the security detection points are distributed according to a certain frequency rule, so that during the running of the target application program the identity information is read at a preset frequency and identity authentication is performed on the user operating the terminal device accordingly. For example, authentication may be performed every two minutes, or every 5 minutes. The frequency may be preset as desired.
In the second way, the security detection points are configured based on service functions. Many service functions can be implemented on the terminal device, such as taking a picture, playing music, playing games, purchasing game equipment, paying, transferring money, modifying account information, and the like. Some of these functions may be marked as preset functions, and each time a user wants to use a preset function there is a security detection point, i.e. the identity information needs to be read. That is, during the running of the target application program, whenever a trigger operation on a preset function of the target application program is detected, the identity information is read and identity authentication is performed on the user operating the terminal device accordingly; the number of preset functions of the target application program is greater than or equal to 1. For example, if payment, transfer and account information modification are marked as preset functions, the terminal device performs identity authentication when the user triggers any one of these functions.
It should be noted that, when configuring security detection points, the type (i.e. scene) of the target application may be taken into consideration, and the configuration of security detection points may differ between types of application. For example, if the target application is a music application, the security detection points may be set somewhat densely; if the target application is a payment application, the security detection points may be set somewhat more densely. In addition, the security detection points may be configured in step S424, or in an earlier step, for example in step S421.
Step S425: The terminal device performs identity authentication based on the identity information to obtain M identity authentication results that are consecutive in time sequence.
Step S426: The terminal device determines the current operation authority of the target application program according to multiple identity authentication results among the M identity authentication results and the information of the target application program. Optionally, M is equal to the number of authentication results obtained by authentication.
Specifically, the multiple identity authentication results are obtained during the running of the target application, or they include an identity authentication result from the running of the target application and an identity authentication result from the running of the previous application. In short, the determination needs to rest on two identity authentication results that differ in time sequence and on the type of the target application, which embodies a "security defense chain" style identity authentication mechanism. The previous application is the last application that was run before the target application; for example, if the user ran the Taobao client and then went to the Alipay client, and the target application is Alipay, the previous application is Taobao. It can be understood that the principle of obtaining the authentication result during the running of the previous application is the same as that of obtaining the authentication result during the running of the target application.
In this embodiment, the multiple identity authentication results may be continuous in time sequence or discontinuous in time sequence. For example, if the previous application is running at 6:00-6:15 of 1/10/2019, the target application is running at 6:15-6:20 of 1/10/2019, and authentication results are obtained at 6:00, 6:04, 6:08, 6:11, 6:12, 6:15, 6:16, 6:18, and 6:20, respectively, then 6:16 and 6:18 may be regarded as two consecutive authentication results in time sequence, 6:12, 6:15, and 6:16 may also be regarded as three consecutive authentication results in time sequence, and 6:16 and 6:20 may be regarded as two consecutive authentication results in time sequence. The number of results may be two, three, four, five, or another number; the specific number may be configured in advance as needed and is not limited here.
In the embodiment of the application, when the terminal device determines the current operation authority of the target application program, it needs to consider, as a first aspect, the multiple identity authentication results and, as a second aspect, the information of the target application program. The second aspect reflects that application programs with different information often have different security levels: in the embodiment of the application, an application program with a high security level has a higher identity authentication requirement, and an application program with a low security level has a relatively lower one. For example, Taobao, Jingdong and Wei-Hui are shopping applications, while Internet music, QQ music and Ku-me music are music applications; the security level of the music applications is obviously lower than that of the shopping applications (which involve the exchange of funds), so the requirements of the shopping applications on the identity authentication result can be relatively high. As another example, the business functions within the same application often have different security levels: the security level of the commodity query function in the Taobao application is lower than that of the commodity payment function, so the commodity payment function places a higher requirement on the identity authentication result than the commodity query function does. Two alternative cases are provided below to show how the first and second aspects are combined to determine the current operation authority of the target application.
In the first scheme, if an authentication result exceeding a target proportion threshold value in the multiple identity authentication results indicates that a user operating the terminal device is a target user (for example, the owner of the terminal device), determining that the current operation authority of the target application program is allowed to operate; if the authentication result which does not exceed the target proportion threshold value in the multiple identity authentication results indicates that the user operating the terminal equipment is the target user, determining that the current operation authority of the target application program is not allowed to operate; the target proportion threshold is determined according to the information of the target application program, and can be configured in advance according to needs. For example, if the number of times is 5, when the information of the target application indicates that the type of the target application is a shopping application, the target proportion threshold may be set to 100%, that is, the identity authentication results of the last 5 times are all required to display that the user operating the terminal device is the target user, and the current operation permission of the target application may be obtained; when the information of the target application indicates that the type of the target application is a music application, the target proportion threshold value can be set to be 20%; that is, the user operating the terminal device is required to be displayed as the target user at least once in the last 5 times of identity authentication results, so that the current operation authority of the target application program can be obtained.
If the last identity authentication result in the multiple identity authentication results indicates that the user operating the terminal equipment is the target user and the authentication result exceeding the target proportion threshold value in the multiple identity authentication results indicates that the user operating the terminal equipment is the target user, determining that the current operation authority of the target application program is allowed to operate; if the last identity authentication result in the multiple identity authentication results indicates that the user operating the terminal equipment is not the target user and/or the authentication result which does not exceed the target proportion threshold value in the multiple identity authentication results indicates that the user operating the terminal equipment is the target user, determining that the current operation authority of the target application program is not allowed to operate; and the target proportion threshold is determined according to the information of the target application program. It can be seen that, in the second scheme, compared to the first scheme, the last authentication result obtained in the time sequence (if the similar block chain architecture is adopted, the authentication result obtained in the last consensus in the time sequence) is required to display the user operating the terminal device as the target user, and thus the security is further improved.
A count value N is determined according to the information of the target application program; optionally, the terminal device stores the count value corresponding to each piece of application information, so that N can be determined from this correspondence. After N is determined for the target application program, it is judged whether the most recent N identity authentication results in the time sequence all show that the user operating the terminal device is the target user; if so, the current operation authority of the target application program is determined to be "operation allowed". For example, when the information of the target application program indicates that the currently executed function is the payment function, the determined count value N equals 5; that is, the last 5 identity authentication results must all show that the user operating the terminal device is the target user before the current operation authority of the target application program can be obtained. When the information of the target application program indicates that the currently executed function is playing music, the determined count value N equals 2; that is, the last 2 identity authentication results must both show that the user operating the terminal device is the target user before the current operation authority of the target application program can be obtained.
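The three decision rules described above (proportion threshold, proportion threshold plus most recent result, and count value N) can be modelled as follows. This is an added example, not code from the patent: the thresholds and N values are the page's own example figures, while the dictionary keys, the function names, and the choice to refuse when fewer results than required are available are assumptions. The text says the proportion must "exceed" the threshold, but its 100% and 20% examples only work as "at least", so the comparison below is `>=`.

```python
from collections import deque

# Example policy values taken from the text; the keys are this sketch's own naming.
WINDOW = 5                                            # "the number of times is 5"
RATIO_THRESHOLD_PCT = {"shopping": 100, "music": 20}  # proportion-threshold schemes
REQUIRED_STREAK = {"payment": 5, "play_music": 2}     # count value N per function


class AuthHistory:
    """Time-ordered results of continuous identity authentication.

    True means the check identified the operator as the target user (owner).
    """

    def __init__(self, maxlen=32):
        self.results = deque(maxlen=maxlen)

    def record(self, is_target_user):
        self.results.append(bool(is_target_user))

    def last(self, n):
        return list(self.results)[-n:] if n > 0 else []


def history_from(results):
    """Build a history from an iterable of booleans, oldest first."""
    history = AuthHistory()
    for r in results:
        history.record(r)
    return history


def ratio_met(history, app_type):
    """True if enough of the last WINDOW results identify the target user."""
    pct = RATIO_THRESHOLD_PCT.get(app_type)
    recent = history.last(WINDOW)
    # Assumption: unknown application types and short histories are refused.
    if pct is None or len(recent) < WINDOW:
        return False
    # Integer arithmetic avoids float rounding at the boundary (1 of 5 == 20%).
    return sum(recent) * 100 >= pct * WINDOW


def scheme_one(history, app_type):
    """Proportion of recent results must reach the per-application threshold."""
    return ratio_met(history, app_type)


def scheme_two(history, app_type):
    """Scheme one, plus the most recent result must identify the target user."""
    newest = history.last(1)
    return bool(newest) and newest[0] and ratio_met(history, app_type)


def scheme_three(history, function):
    """The most recent N results must all identify the target user."""
    n = REQUIRED_STREAK.get(function)
    if n is None:
        return False
    recent = history.last(n)
    return len(recent) == n and all(recent)


if __name__ == "__main__":
    # Constructed sample: the owner authenticated once, then handed the phone over.
    handed_over = history_from([True, False, False, False, False])
    print("music, scheme one:", scheme_one(handed_over, "music"))
    print("music, scheme two:", scheme_two(handed_over, "music"))
    print("payment, count N :", scheme_three(handed_over, "payment"))
```

The constructed hand-over history shows why the second scheme is stricter: a single early success still satisfies the 20% music threshold under the first scheme, but not once the latest result must also match.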
In the embodiment of the application, if the determined current operation authority of the target application is "operation allowed", the user currently operating the terminal device is allowed to use the currently requested first function of the target application. For example, if the user currently needs to use a payment function of the target application, the payment function is the first function; if the user currently needs to use the transfer function of the target application, the transfer function is the first function.
In the embodiment of the application, if the determined current operation authority of the target application program is that the operation is not allowed, the user currently operating the terminal device is not allowed to use the first function of the target application program which is requested currently.
Optionally, after use of the first function is refused, secondary authorization may be allowed. For example, a second prompt message is output to prompt the target user of the terminal device to perform identity authentication; input identity authentication information is then received; and if the user operating the terminal device is determined to be the target user according to the identity authentication information, the user currently operating the terminal device is allowed to use the currently requested first function of the target application program. It should be noted that the identity authentication mechanism in the secondary authorization process can be regarded as a higher-level authentication that identifies more accurately whether the user operating the terminal device is the target user, so that even if use of the first function was refused previously, as long as the identity authentication result in the secondary authorization process shows that the target user is operating the device, the user can still be allowed to use the first function of the target application program. If the secondary authorization result indicates that the user operating the terminal is not the target user, use of the target application is restricted, for example by disallowing use of the first function of the target application, exiting the display of the target application, displaying an interface that blocks the content displayed by the application to prevent the user from using it, displaying only the part of the content in the target application other than the private content, displaying a prompt message informing the user that they have no authority to view the private content in the target application, forbidding the target application from being called from a third-party device, and the like.
The secondary authorization mechanism need not be adopted for all application programs; the specific application programs that can adopt it may be preset. For example, whether the secondary authorization mechanism is adopted may depend on the type of the application; for example, it may be set that applications of the game class and applications of the music class can adopt the secondary authorization mechanism. In this case, the following operations need to be performed before the secondary authorization: determining the type of the target application; and, if the type of the target application program is a first preset type, executing the step of outputting the second prompt information to prompt the target user of the terminal device to perform identity authentication.
In addition, the terminal device may record which applications were allowed to use the first function after secondary authorization. When the user uses such an application again, even if the terminal device, having determined the current operation authority of the target application according to the multiple identity authentication results and the information of the application, would not allow the user currently operating the terminal device to use the currently requested first function of the application, the terminal device still allows the user to use that function without performing secondary authorization again, because it has recorded the history of the previous secondary authorization.
In the method depicted in fig. 4B, the target application is authenticated by continuous identity authentication (i.e., full-process tracking authentication); the current operation authority of the target application program is then determined by combining the multiple identity authentication results (i.e., chain authentication) with the information of the target application program (i.e., the scene). Compared with obtaining the use permission of all application programs through one-time authentication, the continuous identity authentication mode can identify the identity of the user operating the target application program in a more timely and accurate way, and security is higher.
Fig. 5 shows a user authority management method provided in an embodiment of the present application, which mainly illustrates the secondary authorization process in the embodiment shown in fig. 4B; for the principle of each operation in the method shown in fig. 5, refer to the description of the embodiment shown in fig. 4B. The method includes:
501. Acquire scene information and perform scene recognition according to the scene information, identifying whether the currently running target application program is in a payment scene, a chat scene, a game scene, an album browsing scene, or another scene.
502. Input the identified scene into the continuous identity authentication service, so that the continuous identity authentication service determines the modality used for identity recognition according to the scene, acquires identity information for identity authentication based on the determined modality (which may include modality acquisition, modality detection, feature extraction, feature fusion, decision, and the like), and continuously authenticates the user operating the terminal device according to the identity information.
503. Input the identified scene into the dynamic authorization management and control service.
504. The continuous identity authentication service inputs multiple identity authentication results into the dynamic authorization management and control service; correspondingly, the dynamic authorization management and control service makes an authorization decision according to the input identity authentication results and the scene. The decision process is as follows:
a. If the authorization is successful (i.e., the above-mentioned "operation allowed"), return to step 501.
b. If the authorization is not successful, one option is to directly terminate the use of the first service currently run by the target application, or to limit the use of the target application, for example by disallowing the first function of the target application, exiting the display of the target application, displaying an interface that blocks the content displayed by the application to prevent the user from using it, displaying only the part of the content of the target application other than the private content, displaying a prompt message informing the user that they have no authority to view the private content in the target application, forbidding the target application from being called from a third-party device, and the like. Another option is to trigger the secondary authorization mechanism: a corresponding interface can be displayed to prompt the target user to perform identity authentication, and the identity authentication information input by the user is then detected; if the user operating the terminal device is determined to be the target user according to the identity authentication information, the authorization is successful (i.e., the operation is allowed). This process is the secondary authorization.
The terminal device may then control the user's use of the first function of the target application based on the outcome of the authorization decision.
Optionally, the target application may also be deployed on a third-party device or platform instead of on the terminal device. In this case, the whole identity authentication and authorization decision flow further includes step 505 and step 506, described below.
505. A third-party device (such as an Internet of Things device) or platform registers with the terminal device and requests the terminal device to perform continuous identity authentication for a target application program running on the third-party device or platform and to make an authorization decision according to the identity authentication results. Step 505 may also be performed earlier, for example before step 501 above.
506. The terminal device sends the result of the authorization decision to the third-party device or platform; correspondingly, the third-party device or platform controls the user's use of the first function of the target application program according to the result of the authorization decision.
The underlying principles of steps 501-506 have already been described in steps S421 and S422 and are not repeated here.
For the user right management method shown in fig. 5, three specific application cases are provided below in conjunction with fig. 6-8.
Case one, dynamic authorization governance for game class applications, as in fig. 6.
601. If a non-owner (such as a child) enters a game scene, the scene recognition module performs scene recognition and sends the recognized game scene to the continuous identity authentication service; the continuous identity authentication service determines the modality corresponding to the game scene and continuously performs identity authentication according to that modality to obtain identity authentication results.
602. The user authority management in the dynamic authorization management and control service obtains the identity authentication results.
603. The user authority management makes an authorization decision according to the multiple identity authentication results. The decision process is as follows:
604. If the authorization is successful (i.e., the "operation allowed" described above), game play is allowed to continue, for example for a specified time.
605. If the authorization is unsuccessful, it is determined whether a secondary authorization (i.e., re-authorization) is required.
606. If secondary authorization is not allowed, operation of the currently running game is not allowed, that is, the game is controlled; the control modes include shielding through an authorization interface (UI) (for example, covering the game interface so that the user can no longer operate the game), exiting the current game, and the like.
607. If secondary authorization is allowed, a re-authorization UI is displayed to prompt the target user to perform identity authentication.
608. The continuous identity authentication service detects the identity authentication information input by the user.
609. If the user operating the terminal device is determined to be the target user according to the identity authentication information, the user authority management updates the user operation authority, so that use of the game is allowed (i.e., the secondary authorization is successful).
Case two, dynamic authorization policing for privacy class applications, as in fig. 7.
701. If a non-owner (such as a stranger) browses the photo album, the scene recognition module performs scene recognition and sends the recognized privacy scene to the continuous identity authentication service; the continuous identity authentication service determines the modality corresponding to the privacy scene and continuously performs identity authentication according to that modality to obtain identity authentication results.
702. The user authority management in the dynamic authorization management and control service obtains the identity authentication results.
703. The user authority management makes an authorization decision according to the multiple identity authentication results. The decision process is as follows:
704. If the authorization is successful (i.e., the "operation allowed" described above), continued browsing of the album contents is allowed.
705. If the authorization is unsuccessful, it is determined whether a secondary authorization (i.e., re-authorization) is required.
706. If secondary authorization is not allowed, browsing the photo album is not allowed, that is, browsing is controlled; the control modes include reminding the user through an authorization interface (UI) that the private content cannot be viewed, directly filtering out the private content, reminding the user that the private content cannot be viewed or does not need to be viewed, and the like.
707. If secondary authorization is allowed, a re-authorization UI is displayed to prompt the target user to perform identity authentication.
708. The continuous identity authentication service detects the identity authentication information input by the user.
709. If the user operating the terminal device is determined to be the target user according to the identity authentication information, the user authority management updates the user operation authority, so that browsing the photo album is allowed (i.e., the secondary authorization is successful).
Case three, dynamic authorization management for a third-party application (which is installed on a third-party device and can be considered as the target application program described above) as shown in fig. 8.
801. If a non-owner (such as a stranger) uses a third-party application on a third-party device (such as a speaker) to play music stored on the terminal device, the scene recognition module performs scene recognition and sends the recognized third-party application scene to the continuous identity authentication service; the continuous identity authentication service determines the modality corresponding to the third-party application scene and continuously performs identity authentication according to that modality to obtain identity authentication results. The third-party device establishes a connection with the terminal device in advance and registers related information on the terminal device, so that the terminal device can identify the third-party device and the third-party application on it.
802. The user authority management in the dynamic authorization management and control service obtains the identity authentication results.
803. The user authority management makes an authorization decision according to the multiple identity authentication results. The decision process is as follows:
804. If the authorization is successful, third-party authorization management is performed to allow the current user to operate the third-party application program on the third-party device.
805. If the authorization is unsuccessful, it is determined whether a secondary authorization (i.e., re-authorization) is required.
806. If secondary authorization is not allowed, third-party authorization management is performed to prevent the current user from operating the third-party application program on the third-party device.
807. If secondary authorization is allowed, a re-authorization UI is displayed to prompt the target user to perform identity authentication.
808. The continuous identity authentication service detects the identity authentication information input by the user.
809. If the user operating the terminal device is determined to be the target user according to the identity authentication information, the user authority management updates the user operation authority so as to allow the current user to operate the third-party application program on the third-party device.
It should be noted that the identity authentication in the embodiment of the present application may be performed by a single virtual computing node, for example with respect to one operating system. The identity authentication may also be completed by a plurality of virtual computing nodes; for example, the plurality of virtual computing nodes are a plurality of operating systems installed on the terminal device, or are at least one operating system installed on the terminal device together with at least one third-party device connected to the terminal device. When the identity authentication is completed by a plurality of virtual computing nodes, these nodes may be considered to form a blockchain-like architecture, and the specific identity authentication process may be: during the running of the target application program, each of the virtual computing nodes performs identity authentication on the user operating the terminal device; the virtual computing nodes then reach consensus on the identity authentication results they obtained, yielding one identity authentication result for the running target application program. For example, at a certain time, all of the virtual computing nodes perform identity authentication and then reach consensus on the identity authentication results obtained at that time; the consensus result can be used as the final identity authentication result for that time.
For another example, within a certain period of time (e.g., within 30 seconds), all of the virtual computing nodes perform identity authentication and then reach consensus on the identity authentication results obtained within that period; the consensus result can be used as the final identity authentication result for that period. In this case, when the operation authority is determined based on multiple identity authentication results, those results are the results obtained after consensus under the blockchain-like architecture, that is, the multiple identity authentication results on the security defense chain after consensus. Optionally, the virtual computing nodes use different modalities for identity authentication, which can improve the accuracy of identity authentication.
Referring to fig. 9, fig. 9 shows a user authority management method according to an embodiment of the present application, which mainly illustrates the case in which the identity authentication in the embodiment shown in fig. 4B is completed by multiple virtual computing nodes. The plurality of virtual computing nodes include REE nodes, TEE nodes, and SensorHub nodes, which constitute a blockchain-like architecture. For the principle of each operation in the method shown in fig. 9, refer to the corresponding description of the embodiment shown in fig. 4B. The method shown in fig. 9 includes:
901. The scene recognition module in the REE node determines the type of the target application (i.e., the scene).
902. The security defense chain engine in the REE sets security detection points according to the scene.
903. The multi-modal computing engine in the REE node determines, according to the scene, the modality required by the REE node and the modality required by the TEE node when identity authentication is performed for the target application program. The REE node and the TEE node then each collect modal data according to the determined modalities, and the collected modal data are fused at the TEE node to obtain identity information for identity authentication.
904. The security defense chain engine in the REE obtains identity information from the multi-modal computing engine at the various security detection points.
905. The security defense chain engine in the REE performs identity authentication on the identity information of each security detection point to obtain an identity authentication result for each security detection point, and then broadcasts the obtained identity authentication result and identity information of each security detection point to the blockchain-like architecture. Correspondingly, each node in the blockchain-like architecture reaches consensus on the received identity authentication result based on the received identity information of each security detection point, obtaining the consensus identity authentication result. Optionally, a consensus identity authentication result may be obtained for each security detection point, and the consensus identity authentication results of the security detection points form a time-ordered continuous identity authentication result, that is, a security defense chain of identity authentication results.
906. Each node in the blockchain-like architecture selects the accounting node through a consensus algorithm. The nodes may include a REE node, a TEE node, a SensorHub node, and other nodes (e.g., IoT device nodes accessed by a third party). The consensus algorithm may take node asymmetry into account and use a mechanism similar to proof of stake (PoS)/proof of importance (PoI), with different nodes assigned different weights according to their security levels.
907. The security defense chain engine of the selected accounting node (such as the TEE node) records in the ledger the content of the blocks on which consensus has been reached.
908. The accounting node issues a ledger synchronization notification to the nodes in the blockchain-like system.
909. After receiving the synchronization notification, each node in the blockchain-like architecture checks the ledger and keeps the defense chain data consistent through a synchronization mechanism.
910. When the ledger is updated, the decision authorization module of the REE node is triggered to make an authorization decision according to the history recorded on the chain.
911. The dynamic authorization management and control service in the REE node performs dynamic authorization management and control according to the decision result of the decision authorization module. The principle of dynamic authorization management and control has been described in detail above and is not repeated here.
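Steps 905 to 909 can be illustrated with a weighted vote per security detection point and a hash-linked ledger (the "account book") that each node can check after synchronization. This is an added example, not the patent's implementation: the node weights, the SHA-256 hash linking, the block fields and all function names are assumptions, since the text only states that nodes are weighted by security level and that ledgers are checked for consistency.

```python
import hashlib
import json

# Assumed weights: the text says weights follow security level but gives no numbers.
NODE_WEIGHT = {"REE": 1, "SensorHub": 2, "TEE": 3}
GENESIS = "0" * 64


def consensus(votes):
    """Weighted majority over per-node results for one security detection point.

    votes maps node name -> True if that node judged the operator to be the
    target user. Missing or unknown nodes add no weight, so a silent
    high-security node can block a positive result (fail closed).
    """
    total = sum(NODE_WEIGHT.values())
    yes = sum(w for node, w in NODE_WEIGHT.items() if votes.get(node) is True)
    return 2 * yes > total


def block_digest(block):
    """SHA-256 over every field of the block except its own hash."""
    body = {k: block[k] for k in ("index", "point", "votes", "result", "prev")}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class DefenseChain:
    """Append-only chain of consensus authentication results (one replica)."""

    def __init__(self):
        self.blocks = []

    def head(self):
        return self.blocks[-1]["hash"] if self.blocks else GENESIS

    def append(self, point, votes):
        block = {"index": len(self.blocks), "point": point, "votes": dict(votes),
                 "result": consensus(votes), "prev": self.head()}
        block["hash"] = block_digest(block)
        self.blocks.append(block)
        return block

    def first_bad_block(self, expected_head=None):
        """Ledger check run by a node after a synchronization notification.

        Returns -1 if the replica is consistent, the index of the first block
        that fails, or len(blocks) if the blocks are self-consistent but the
        head differs from the one announced by the accounting node.
        """
        prev = GENESIS
        for i, b in enumerate(self.blocks):
            if (b["index"] != i or b["prev"] != prev
                    or b["hash"] != block_digest(b)
                    or b["result"] != consensus(b["votes"])):
                return i
            prev = b["hash"]
        if expected_head is not None and prev != expected_head:
            return len(self.blocks)
        return -1

    def results(self):
        """Time-ordered consensus results, the input to the authorization decision."""
        return [b["result"] for b in self.blocks]


if __name__ == "__main__":
    chain = DefenseChain()
    everyone = {"REE": True, "SensorHub": True, "TEE": True}
    # Constructed detection points and votes.
    chain.append("app_launch", everyone)
    chain.append("open_payment", {"REE": True, "SensorHub": False, "TEE": False})
    chain.append("confirm_payment", everyone)
    print(chain.results(), chain.first_bad_block(chain.head()))
```

With these assumed weights, a positive vote from the REE node alone never produces a positive consensus result, and a node holding a replica whose block was edited in place sees the check fail at that block.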
The method of the embodiments of the present application is set forth above in detail and the apparatus of the embodiments of the present application is provided below.
Referring to fig. 10, fig. 10 shows a terminal device 100 according to an embodiment of the present application. The terminal device 100 includes a processor 1001, a memory 1002, and a communication interface 1003, and the processor 1001 and the memory 1002 are connected to each other through a bus.
The terminal device 100 may also include an input device and an output device, for example, the input device may include a touch screen, a physical button, a microphone, and the like; the output device may be a display screen, a voice output circuit, or the like.
The memory 1002 includes, but is not limited to, a random access memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM), or a compact disc read-only memory (CD-ROM), and the memory 1002 is used to store related computer programs and data.
The processor 1001 may be one or more Central Processing Units (CPUs), and in the case where the processor 1001 is one CPU, the CPU may be a single-core CPU or a multi-core CPU.
In the first scheme, the processor 1001 in the terminal device 100 reads a computer program stored in the memory 1002 for performing the following operations:
acquiring identity information of a user currently holding the terminal device and performing identity authentication on the user, wherein the terminal device or a target application program has already performed identity authentication at least once and has been in an operating state since that authentication passed; and feeding back information to the user according to the authentication result of one or more identity authentications, so that the user accesses the terminal device or the target application program within the range allowed by the authority.
In the method, after the terminal device or the target application program has performed identity authentication and the authentication has passed, identity authentication continues to be performed on the user operating the terminal device or the target application program, and information is fed back to the user according to the one or more identity authentication results obtained by the continuous authentication, so that the user accesses the terminal device or the target application program within the range allowed by the authority. The continuous identity authentication mode can continuously ensure the security of the terminal device or the target application program.
In a possible implementation manner, the feeding back information to the user according to the authentication result of one or more identity authentications so that the user accesses the terminal device or the target application within the range allowed by the authority includes: outputting prompt information to the user according to the authentication results of multiple identity authentications, wherein the prompt information is used for indicating whether the user operating the terminal device or the target application program has changed during operation.
In this way, the target user can immediately know whether the terminal equipment is operated by other users, so that the possible safety problems and risks can be immediately evaluated, and remedial measures can be immediately provided for the possible safety problems and risks.
In a possible implementation manner, the prompt message includes a voice prompt, a text prompt, or an image prompt, or the outputting the prompt message includes requesting the user to input the identity information again for identity authentication.
In a possible implementation manner, the feeding back information to the user according to the authentication result of the identity authentication one or more times so that the user accesses the terminal device or the target application within the range allowed by the authority includes: determining the current operation authority of the user on the terminal equipment or the target application program according to the authentication result of the identity authentication for one time or multiple times; and controlling the user to access the terminal equipment or the target application program according to the operation authority. It can be understood that after the terminal device or the target application program has performed the identity authentication and the authentication passes, the identity authentication is performed one or more times and the operation right is further determined according to the identity authentication result of one or more times, so that the determined security level of the operation right is higher, and the security of the terminal device is improved.
In a possible implementation manner, the obtaining identity information of a user currently holding a terminal device and performing identity authentication on the user includes: collecting identity information of the user currently holding the terminal device at a preset frequency, and performing identity authentication on the user operating the terminal device according to the identity information collected each time, so as to obtain the authentication result of one or more identity authentications, wherein the identity information collected each time is used to obtain the authentication result of one identity authentication. That is, identity authentication is performed at the preset frequency, which achieves the purpose of continuous identity authentication.
In a possible implementation manner, the obtaining identity information of a user currently holding a terminal device and performing identity authentication on the user includes: collecting identity information of the user currently holding the terminal device each time a triggering operation of a preset function is detected, and performing identity authentication on the user operating the terminal device according to the identity information collected each time, so as to obtain the authentication result of one or more identity authentications, wherein the identity information collected each time is used to obtain the authentication result of one identity authentication, and the number of preset functions in the terminal device is greater than or equal to 1. That is, identity authentication is performed every time the first application program runs to a preset function, which achieves the purpose of continuous identity authentication.
In a possible implementation manner, the identity information used in the identity authentication includes one or more of fingerprint information, face information, iris information, or voiceprint information of the user.
In a possible implementation manner, the controlling, according to the operation authority, the current access of the user to the terminal device or the target application includes: if the user is determined not to have the operation authority on the terminal equipment or the target application program, outputting prompt information to prompt the target user to perform identity authentication; receiving identity authentication information input again; and if the user operating the terminal equipment or the target application program is determined to be the target user according to the identity authentication information input again, granting the operation authority to the terminal equipment or the target application program.
In the embodiment of the application, after the operation permission of the user on the terminal device or the target application program is not granted preliminarily, the target user can be further prompted to carry out secondary authorization, and if the secondary authorization passes, the operation permission of the user on the terminal device or the target application program is still granted, so that the authorization flexibility is improved, and the user requirements under more application scenes can be met.
In a possible implementation manner, the outputting, if it is determined that the user does not currently have the operation authority for the terminal device or the target application program, of prompt information to prompt the target user to perform identity authentication includes: if the user does not currently have the operation authority for the terminal device or the target application program and the type of the target application program is a first preset type, outputting the prompt information to prompt the target user to perform identity authentication. That is, specific types of application programs are pre-configured as eligible for secondary authorization, so that diversified management of application programs at the security level can be realized.
In a possible implementation manner, the determining, according to the authentication result of the identity authentication one or more times, the current operation authority of the user on the terminal device or on the target application program includes: determining whether a user currently operating the terminal equipment has an operation authority for the terminal equipment or the target application program according to the authentication result of the identity authentication for a plurality of times and the information of the currently operating target application program; the information of the target application program comprises the type of the target application program and/or the function currently executed by the target application program.
In this method, identity authentication is performed continuously for the terminal device or the target application program (that is, full-process tracking authentication); the operation authority of the user for the terminal device or the target application program is then determined by combining the multiple identity authentication results (that is, chain authentication) with the information of the target application program. Continuous identity authentication, together with determining the operation authority from the multiple authentication results that it produces, identifies the user currently operating the terminal device or the target application program more promptly and accurately, and is therefore more secure.
In a possible implementation manner, the determining, according to the authentication results of the multiple identity authentications and the information of the currently running target application program, whether the user currently operating the terminal device has the operation authority for the terminal device or the target application program includes: if the proportion of the multiple identity authentication results that indicate that the user operating the terminal device is the target user exceeds a target proportion threshold, determining that the user currently operating the terminal device has the operation authority for the terminal device or the target application program, where the target proportion threshold is determined according to the information of the target application program. That is, the number of authentications that must identify the target user is determined by the information (that is, the scene) of the target application program, so that the authority control satisfies the security requirement of the target application program to the greatest extent.
In a possible implementation manner, the determining, according to the authentication results of the multiple identity authentications and the information of the currently running target application program, whether the user currently operating the terminal device has the operation authority for the terminal device or the target application program includes: if the last of the multiple identity authentication results indicates that the user operating the terminal device is the target user, and the proportion of the multiple identity authentication results that indicate that the user operating the terminal device is the target user exceeds a target proportion threshold, determining that the user currently operating the terminal device has the operation authority for the terminal device or the target application program, where the target proportion threshold is determined according to the information of the target application program. That is, the number of authentications that must identify the target user is determined by the information (that is, the scene) of the target application program, so that the authority control satisfies the requirements of the target application program to the greatest extent. In addition, the most recent identity authentication result is required to identify the target user, which further improves security.
In one possible implementation, the method further includes: if the last of the multiple identity authentication results indicates that the user operating the terminal device is not the target user, and/or the proportion of the multiple identity authentication results that indicate that the user operating the terminal device is the target user does not exceed the target proportion threshold, determining that the user currently operating the terminal device does not have the operation authority for the terminal device or the target application program, where the target proportion threshold is determined according to the information of the target application program.
In a possible implementation manner, the authentication result of any one of the multiple identity authentications is obtained by a plurality of virtual computing nodes each performing identity authentication on the user operating the terminal device and then reaching consensus on their respective authentication results. It can be understood that, because the plurality of virtual computing nodes authenticate jointly, even if one computing node is maliciously compromised and produces an authentication result that is detrimental to security, a relatively secure final authentication result can still be obtained once the uncompromised virtual computing nodes reach consensus with the compromised one, which improves the security of identity authentication.
In a possible implementation manner, the plurality of virtual computing nodes are different operating systems installed on the terminal device, or at least one operating system installed on the terminal device and at least one third-party device connected to the terminal device, and the modalities on which the virtual computing nodes base their identity authentication differ from one another. It can be understood that, because the plurality of virtual computing nodes are different operating systems installed on the terminal device, or at least one operating system installed on the terminal device and at least one third-party device connected to the terminal device, the virtual computing nodes are in relatively isolated environments, and even if one of them is maliciously compromised, the remaining virtual computing nodes can still operate normally, which improves the security of identity authentication. In addition, because the modalities on which the virtual computing nodes base their identity authentication are different (for example, not completely the same), the range of modalities is enriched, which makes the identity authentication process difficult for an outside party to crack. For example, if fingerprint recognition is the only modality, the identity authentication process is easily cracked once the user's fingerprint information is leaked; however, if the user's behavioural habits when using each application program and multiple biometric characteristics of the user are all included among the authentication modalities, then even if part of the user's characteristic information is leaked, this poses no substantial security risk to the identity authentication of the terminal device.
It should be noted that, the implementation of each operation may also correspond to the corresponding description of the method embodiments shown in fig. 4A, 4B, and 5 to 9.
In the second scheme, the processor 1001 in the terminal device 100 reads the computer program stored in the memory 1002 for performing the following operations:
if the user currently operating the terminal equipment is determined to have the operation authority on the terminal equipment or the target application program according to the authentication result of one or more times of identity authentication, displaying first prompt information to prompt that the user is allowed to use the terminal equipment or the target application program within a preset time period; and if the user currently operating the terminal equipment does not have the operation authority to the terminal equipment or the target application program according to the authentication result of the identity authentication for one time or multiple times, prompting the target user to perform the identity authentication.
By adopting the method, after the operation authority of the user on the terminal equipment or the target application program is not granted preliminarily, the target user can be further prompted to carry out secondary authorization, and if the secondary authorization passes, the operation authority of the user on the terminal equipment or the target application program is still granted, so that the authorization flexibility is improved, and the user requirements under more application scenes can be met.
In a possible implementation manner, if it is determined that the user currently operating the terminal device does not have the operation right to the terminal device or the target application according to the authentication result of the one or more times of identity authentication, prompting the target user to perform identity authentication includes: if the user currently operating the terminal equipment does not have the operation authority to the terminal equipment or the target application program according to the authentication result of the identity authentication for one time or multiple times, outputting second prompt information to prompt the target user to perform the identity authentication; receiving identity authentication information input again; and if the user operating the terminal equipment or the target application program is determined to be the target user according to the identity authentication information input again, granting the operation authority to the terminal equipment or the target application program.
In a possible implementation manner, the authentication result is used for determining the operation authority of the user for the target application program; and the outputting, if it is determined according to the authentication results of the one or more identity authentications that the user currently operating the terminal device does not have the operation authority for the terminal device or the target application program, of second prompt information to prompt the target user to perform identity authentication includes: if it is determined according to the authentication results of the one or more identity authentications that the user currently operating the terminal device does not have the operation authority for the terminal device or the target application program, and the target application program belongs to a first preset type, outputting the second prompt information to prompt the target user to perform identity authentication. That is, specific types of application programs are pre-configured as eligible for secondary authorization, so that diversified management of application programs at the security level can be realized.
In one possible implementation manner, the method further includes: and if the user currently operating the terminal equipment is determined not to have the operation authority on the terminal equipment or the target application program according to the authentication result of the identity authentication for one or more times, and the target application program does not belong to a preset first preset type, limiting the operation on the target application program. It can be understood that the security level of some target applications is higher, and as long as it is determined that the user does not have the operation authority, the operation authority of the target application is directly limited, so that the security level of the target application is improved.
In one possible implementation, the limiting the operation of the target application program includes: exiting the display of the target application program; or displaying an interface that covers the content displayed by the application program, so as to prevent the user from using the target application program; or displaying only the content of the target application program other than the private content; or displaying prompt information to inform the user that the user has no permission to view the private content in the target application program; or prohibiting the user from invoking the target application program from a third-party device.
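The decision flow described in the implementations above (per-round consensus among virtual computing nodes, the proportion threshold chosen by application information, the check on the last result, and the split between secondary authorization and restriction) can be sketched as follows. This is an added example, not code from the patent: the strict-majority consensus rule, the window size, the threshold values, the application type names and all identifiers are assumptions made for illustration.

```python
from collections import deque
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"
    PROMPT_TARGET_USER = "prompt target user for secondary authorization"
    RESTRICT = "restrict target application"


# Assumed policy values. The text says only that the target proportion
# threshold is determined by the application's type and/or current function.
THRESHOLDS = {
    ("payment", "transfer"): 0.9,
    ("payment", None): 0.8,
    ("gallery", None): 0.5,
}
DEFAULT_THRESHOLD = 0.6
# Assumed members of the "first preset type" that qualify for secondary authorization.
FIRST_PRESET_TYPES = {"gallery"}


def consensus(node_votes):
    """One authentication round. Each node votes True if it recognises the
    target user. Strict majority is an assumed rule; ties and empty input
    fail closed."""
    yes = sum(1 for vote in node_votes.values() if vote)
    return yes * 2 > len(node_votes)


def target_threshold(app_type, function=None):
    """Most specific match wins: (type, function), then type, then default."""
    if (app_type, function) in THRESHOLDS:
        return THRESHOLDS[(app_type, function)]
    return THRESHOLDS.get((app_type, None), DEFAULT_THRESHOLD)


class ContinuousAuthenticator:
    def __init__(self, window=5):
        # Only the most recent `window` results are kept (assumed window size).
        self.history = deque(maxlen=window)

    def record_round(self, node_votes):
        result = consensus(node_votes)
        self.history.append(result)
        return result

    def has_permission(self, app_type, function=None):
        if not self.history or not self.history[-1]:
            return False  # no evidence yet, or the last result is not the target user
        ratio = sum(self.history) / len(self.history)
        return ratio > target_threshold(app_type, function)  # must exceed, not equal

    def decide(self, app_type, function=None):
        if self.has_permission(app_type, function):
            return Decision.ALLOW
        if app_type in FIRST_PRESET_TYPES:
            return Decision.PROMPT_TARGET_USER
        return Decision.RESTRICT

    @staticmethod
    def secondary_authorization(reauth_is_target_user):
        """Permission is granted only if the re-entered identity
        authentication information identifies the target user."""
        return bool(reauth_is_target_user)


def run_constructed_scenario():
    """Constructed sample rounds; node names and votes are illustrative."""
    auth = ContinuousAuthenticator(window=5)
    owner = {"os_a:fingerprint": True, "os_b:face": True, "watch:behaviour": True}
    for _ in range(4):
        auth.record_round(owner)
    out = {"owner_transfer": auth.decide("payment", "transfer")}
    # Someone else holds the device; node os_a is compromised and still votes True.
    auth.record_round({"os_a:fingerprint": True, "os_b:face": False,
                       "watch:behaviour": False})
    out["other_payment"] = auth.decide("payment")
    out["other_gallery"] = auth.decide("gallery")
    # The owner returns: the window is now [T, T, T, F, T], ratio 0.8.
    auth.record_round(owner)
    out["owner_back_gallery"] = auth.decide("gallery")
    out["owner_back_payment"] = auth.decide("payment")
    return out


if __name__ == "__main__":
    for step, decision in run_constructed_scenario().items():
        print(f"{step}: {decision.value}")
```

In the constructed run, a ratio of 0.8 after the owner returns is enough for the gallery (threshold 0.5) but not for payment (threshold 0.8), because the proportion must exceed the threshold rather than equal it.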
In a possible implementation manner, before determining that the user currently operating the terminal device has the operation right to the terminal device or the target application according to the authentication result of the one or more identity authentications, the method further includes: and acquiring identity information of a user currently operating the terminal equipment and performing identity authentication on the user, wherein the terminal equipment or the target application program has performed at least one time of identity authentication and is in an operating state after the identity authentication is passed. It can be understood that after the terminal device or the target application program has performed the identity authentication and the authentication passes, the identity authentication is continued for the user operating the terminal device or the target application program, and information is fed back to the user according to one or more identity authentication results obtained by the continued authentication, so that the user can access the terminal device or the target application program within the permission range. The continuous identity authentication mode can continuously ensure the safety of the terminal equipment or the target application program.
In a possible implementation manner, the obtaining identity information of a user currently operating the terminal device and performing identity authentication on the user includes: collecting identity information of the user currently holding the terminal device at a preset frequency, and performing identity authentication on the user operating the terminal device according to the identity information collected each time, so as to obtain authentication results of one or more identity authentications, where the identity information collected each time is used to obtain the authentication result of one identity authentication. That is, identity authentication is performed at the preset frequency, so that continuous identity authentication is achieved.
In a possible implementation manner, the obtaining identity information of a user currently operating the terminal device and performing identity authentication on the user includes: collecting identity information of the user currently holding the terminal device each time a triggering operation of a preset function is detected, and performing identity authentication on the user operating the terminal device according to the identity information collected each time, so as to obtain authentication results of one or more identity authentications, where the identity information collected each time is used to obtain the authentication result of one identity authentication, and the number of preset functions in the terminal device is greater than or equal to 1. That is, identity authentication is performed every time the first application program runs to a preset function, so that continuous identity authentication is achieved.
In a possible implementation manner, the identity information used in the identity authentication includes one or more of fingerprint information, face information, iris information, or voiceprint information of the user.
In a possible implementation manner, before displaying the first prompt information, if it is determined that the user currently operating the terminal device has the operation right to the terminal device or the target application according to the authentication result of the one or more identity authentications, the method further includes: determining whether a user currently operating the terminal equipment has an operation authority on the terminal equipment or the target application program according to the authentication results of the multiple identity authentications and the information of the target application program; the information of the target application program comprises the type of the target application program and/or the function currently executed by the target application program.
In this method, identity authentication is performed continuously for the terminal device or the target application program (that is, full-process tracking authentication); the operation authority of the user for the terminal device or the target application program is then determined by combining the multiple identity authentication results (that is, chain authentication) with the information of the target application program. Continuous identity authentication, together with determining the operation authority from the multiple authentication results that it produces, identifies the user currently operating the terminal device or the target application program more promptly and accurately, and is therefore more secure.
In a possible implementation manner, the determining, according to the authentication results of the multiple identity authentications and the information of the target application program, whether the user currently operating the terminal device has the operation authority for the terminal device or the target application program includes: if the proportion of the multiple identity authentication results that indicate that the user operating the terminal device is the target user exceeds a target proportion threshold, determining that the user currently operating the terminal device has the operation authority for the terminal device or the target application program, where the target proportion threshold is determined according to the information of the target application program. That is, the number of authentications that must identify the target user is determined by the information (that is, the scene) of the target application program, so that the authority control satisfies the security requirement of the target application program to the greatest extent.
In a possible implementation manner, the determining, according to the authentication results of the multiple identity authentications and the information of the target application program, whether the user currently operating the terminal device has the operation authority for the terminal device or the target application program includes: if the last of the multiple identity authentication results indicates that the user operating the terminal device is the target user, and the proportion of the multiple identity authentication results that indicate that the user operating the terminal device is the target user exceeds a target proportion threshold, determining that the user currently operating the terminal device has the operation authority for the terminal device or the target application program, where the target proportion threshold is determined according to the information of the target application program. That is, the number of authentications that must identify the target user is determined by the information (that is, the scene) of the target application program, so that the authority control satisfies the requirements of the target application program to the greatest extent. In addition, the most recent identity authentication result is required to identify the target user, which further improves security.
In a possible implementation manner, the authentication result of any one of the multiple identity authentications is obtained by a plurality of virtual computing nodes each performing identity authentication on the user operating the terminal device and then reaching consensus on their respective authentication results. It can be understood that, because the plurality of virtual computing nodes authenticate jointly, even if one computing node is maliciously compromised and produces an authentication result that is detrimental to security, a relatively secure final authentication result can still be obtained once the uncompromised virtual computing nodes reach consensus with the compromised one, which improves the security of identity authentication.
In a possible implementation manner, the plurality of virtual computing nodes are different operating systems installed on the terminal device, or at least one operating system installed on the terminal device and at least one third-party device connected to the terminal device, and the modalities on which the virtual computing nodes base their identity authentication differ from one another. It can be understood that, because the plurality of virtual computing nodes are different operating systems installed on the terminal device, or at least one operating system installed on the terminal device and at least one third-party device connected to the terminal device, the virtual computing nodes are in relatively isolated environments, and even if one of them is maliciously compromised, the remaining virtual computing nodes can still operate normally, which improves the security of identity authentication. In addition, because the modalities on which the virtual computing nodes base their identity authentication are different (for example, not completely the same), the range of modalities is enriched, which makes the identity authentication process difficult for an outside party to crack. For example, if fingerprint recognition is the only modality, the identity authentication process is easily cracked once the user's fingerprint information is leaked; however, if the user's behavioural habits when using each application program and multiple biometric characteristics of the user are all included among the authentication modalities, then even if part of the user's characteristic information is leaked, this poses no substantial security risk to the identity authentication of the terminal device.
It should be noted that, the implementation of each operation may also correspond to the corresponding description of the method embodiments shown in fig. 4A, 4B, and 5 to 9.
In the third scheme, the processor 1001 in the terminal device 100 reads the computer program stored in the memory 1002 for performing the following operations:
performing identity authentication on a user operating the terminal equipment in the running process of the target application program;
determining the current operation authority of the target application program according to multiple identity authentication results and the information of the target application program, wherein the multiple identity authentication results are obtained in the running process of the target application program, or the multiple identity authentication results comprise the identity authentication result in the running process of the target application program and the identity authentication result in the running process of a second application program, and the second application program is the last application program which runs before the target application program is run.
In this device, identity authentication is performed continuously for the target application program (that is, full-process tracking authentication); the current operation authority of the target application program is then determined by combining the multiple identity authentication results with the information (that is, the scene) of the target application program. Compared with obtaining the permission to use all application programs through a single authentication, continuous identity authentication identifies the user operating the target application program more promptly and accurately, and is therefore more secure.
In one possible implementation, the information of the target application includes a type of the target application and/or a function currently executed by the target application. It can be understood that the type of the target application program and the currently executed function can reflect the current security requirement of the terminal device to a certain extent, so that the operation authority is determined based on the information of the target application program, and the security performance of the terminal device can be improved.
In a possible implementation manner, the authenticating the identity of the user operating the terminal device in the process of running the target application program specifically includes:
respectively carrying out identity authentication on a user operating the terminal equipment through a plurality of virtual computing nodes in the running process of a target application program;
and reaching consensus, by the plurality of virtual computing nodes, on the identity authentication results that they respectively obtained, so as to obtain one identity authentication result in the running process of the target application program. It can be understood that, because the plurality of virtual computing nodes authenticate jointly, even if one computing node is maliciously compromised and produces an authentication result that is detrimental to security, a relatively secure final authentication result can still be obtained once the uncompromised virtual computing nodes reach consensus with the compromised one, which improves the security of identity authentication.
In a possible implementation manner, the plurality of virtual computing nodes are different operating systems installed on the terminal device, or at least one operating system installed on the terminal device and at least one third-party device connected to the terminal device, and the modalities on which the virtual computing nodes base their identity authentication differ from one another. It can be understood that, because the plurality of virtual computing nodes are different operating systems installed on the terminal device, or at least one operating system installed on the terminal device and at least one third-party device connected to the terminal device, the virtual computing nodes are in relatively isolated environments, and even if one of them is maliciously compromised, the remaining virtual computing nodes can still operate normally, which improves the security of identity authentication. In addition, because the modalities on which the virtual computing nodes base their identity authentication are different (for example, not completely the same), the range of modalities is enriched, which makes the identity authentication process difficult for an outside party to crack. For example, if fingerprint recognition is the only modality, the identity authentication process is easily cracked once the user's fingerprint information is leaked; however, if the user's behavioural habits when using each application program and multiple biometric characteristics of the user are all included among the authentication modalities, then even if part of the user's characteristic information is leaked, this poses no substantial security risk to the identity authentication of the terminal device.
In one possible implementation, the processor is further configured to:
if the determined current operation authority of the target application program is that operation is allowed, allowing the user currently operating the terminal device to use the currently requested first function of the target application program;
and if the determined current operation authority of the target application program is that operation is not allowed, not allowing the user currently operating the terminal device to use the currently requested first function of the target application program.
In one possible implementation, the terminal device includes an output device and an input device; after the user currently operating the terminal device is not allowed to use the first function of the currently requested target application, the processor is further configured to:
outputting prompt information through the output equipment to prompt a target user of the terminal equipment to perform identity authentication;
receiving input identity authentication information through the input device;
and if the user operating the terminal equipment is determined to be the target user according to the identity authentication information, allowing the user currently operating the terminal equipment to use the first function of the target application program which is requested currently.
In the embodiment of the application, after the current user is not allowed to use the first function, the target user can be further prompted to perform secondary authorization, if the target user allows the current user to use the first function, the terminal device finally allows the current user to use the first function, so that the authorization flexibility is improved, and the user requirements under more application scenes can be met.
In a possible implementation manner, after the user currently operating the terminal device is not allowed to use the currently requested first function of the target application, before the prompt information is output through the output device to prompt the target user of the terminal device to perform identity authentication, the processor is further configured to:
determining a type of the target application;
and in a case where the type of the target application program is a first preset type, performing the operation of outputting prompt information through the output device to prompt the target user of the terminal device to perform identity authentication. That is, specific types of application programs are pre-configured as eligible for secondary authorization, so that diversified management of application programs at the security level can be realized.
In a possible implementation manner, the authenticating the identity of the user operating the terminal device during the running of the target application includes:
and performing identity authentication on the user operating the terminal equipment according to a preset frequency in the running process of the target application program. Namely, the identity authentication is performed according to the preset frequency, so that the purpose of continuous identity authentication is achieved.
In a possible implementation manner, the authenticating the identity of the user operating the terminal device in the process of running the target application program specifically includes:
in the running process of a target application program, identity authentication is carried out on a user operating terminal equipment when the triggering operation of the preset functions of the target application program is detected, wherein the number of the preset functions of the target application program is more than or equal to 1. That is, the identity authentication is performed whenever the target application program runs to the preset function, so that the purpose of continuous identity authentication is achieved. On one hand, when the user continuously uses each function of the target application program, the safety of the terminal equipment can be fully ensured; on the other hand, when the user uses the target application program function but does not switch the function, the number of times of identity authentication can be reduced, and the power consumption can be reduced.
In a possible implementation manner, the determining, according to the multiple identity authentication results and the information of the target application program, the current operation authority of the target application program is specifically:
if more than the target proportion threshold of the multiple identity authentication results indicate that the user operating the terminal equipment is the target user, determining the current operation authority of the target application program as operation allowed; the target proportion threshold is determined according to the information of the target application program. That is, the number of authentication results that must identify the target user is determined by the information (i.e., scene) of the target application, so that permission control best meets the requirements of the target application.
In a possible implementation manner, the determining, according to the multiple identity authentication results and the information of the target application program, the current operation authority of the target application program is specifically:
if the last identity authentication result in the multiple identity authentication results indicates that the user operating the terminal equipment is the target user, and more than the target proportion threshold of the multiple identity authentication results indicate that the user operating the terminal equipment is the target user, determining the current operation authority of the target application program as operation allowed; the target proportion threshold is determined according to the information of the target application program. That is, the number of authentication results that must identify the target user is determined by the information (i.e., scene) of the target application, so that permission control best meets the requirements of the target application. In addition, the latest identity authentication result is required to identify the target user, which further improves security.
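The two permission decisions described above (proportion only, and proportion plus the most recent result) can be compared side by side in the following added example, which is not code from the patent. The application types, function names, threshold values, default threshold and sliding window size are all assumptions made for illustration.

```python
from collections import deque

# Constructed policy table: (application type, current function) -> target
# proportion threshold. The patent only states that the threshold is derived
# from the application's information; these names and values are assumptions.
THRESHOLDS = {
    ("payment", "transfer"): 0.9,
    ("payment", "view_balance"): 0.7,
    ("gallery", "browse"): 0.5,
}
DEFAULT_THRESHOLD = 0.8  # assumption: unlisted applications get a strict default


def target_threshold(app_type, function):
    """Look up the target proportion threshold from the application information."""
    return THRESHOLDS.get((app_type, function), DEFAULT_THRESHOLD)


def allowed_by_proportion(results, threshold):
    """Variant 1: allow when the share of 'is target user' results exceeds the threshold."""
    if not results:
        return False  # no authentication evidence: fail closed
    return sum(results) / len(results) > threshold  # strictly "exceeding"


def allowed_by_proportion_and_last(results, threshold):
    """Variant 2: additionally require the most recent result to be the target user."""
    if not results or not results[-1]:
        return False
    return allowed_by_proportion(results, threshold)


class ContinuousAuthSession:
    """Accumulates continuous-authentication results for one running application."""

    def __init__(self, app_type, window=10):
        self.app_type = app_type
        # Assumption: only the most recent `window` results are counted.
        self.results = deque(maxlen=window)

    def record(self, is_target_user):
        self.results.append(bool(is_target_user))

    def permission(self, function, require_last=True):
        threshold = target_threshold(self.app_type, function)
        check = allowed_by_proportion_and_last if require_last else allowed_by_proportion
        return check(list(self.results), threshold)


def handoff_demo():
    """Eight passes followed by one failure, e.g. the device changes hands."""
    session = ContinuousAuthSession("payment")
    for outcome in [True] * 8 + [False]:
        session.record(outcome)
    return {
        "balance_proportion_only": session.permission("view_balance", require_last=False),
        "balance_with_last": session.permission("view_balance"),
        "transfer_with_last": session.permission("transfer"),
    }


if __name__ == "__main__":
    print(handoff_demo())
```

With a history of eight passes and one final failure, the proportion-only variant still allows the lower-threshold function, while the variant that also checks the last result denies it.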
In a possible implementation manner, the authenticating the identity of the user operating the terminal device in the process of running the target application program specifically includes:
matching candidate modalities corresponding to the information of the target application program according to a preset matching relation in the running process of the target application program; the matching relation defines candidate modalities corresponding to at least two kinds of information, the candidate modalities include at least one modality, and the candidate modalities corresponding to any two kinds of information in the at least two kinds of information are not completely the same;
and adopting one or more of the candidate modalities corresponding to the target application program to perform identity authentication on the user operating the terminal equipment. It can be understood that different scenes of the application program have different requirements on the security level; therefore, matching a suitable modality for identity authentication according to the scene of the target application program lets the identity authentication result better meet the security requirement. Moreover, a dynamic rather than fixed choice of authentication modality has higher resistance to attack and a higher security level.
In a possible implementation manner, the performing identity authentication on the user operating the terminal device by using one or more of the candidate modalities corresponding to the target application program specifically includes:
and selecting one or more modalities from the candidate modalities corresponding to the target application program according to the environment parameters in the current environment of the terminal equipment to perform identity authentication on the user operating the terminal equipment. The inventor of the present application finds that, as environmental parameters continuously change, if the same modality is always used for authentication, the authentication result is inaccurate or authentication cannot be performed; for example, authenticating through facial recognition in dim light may cause the authentication result to be inaccurate. In contrast, the inventor of the present application proposes that a specific modality be matched to specific environment parameters for identity authentication, so that the accuracy of identity authentication is improved. Moreover, a dynamic rather than fixed choice of authentication modality has higher resistance to attack and a higher security level.
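The matching relation and the environment-based selection described above are sketched in the following added example, which is not code from the patent. The application categories, the environment parameters (`lux`, `noise_db`, `gloved`) and every suitability limit are assumptions; the validation step enforces the stated constraints that the relation covers at least two kinds of information and that no two of them share an identical candidate set.

```python
# Constructed matching relation: application information -> candidate modalities.
MATCHING = {
    "payment": {"fingerprint", "iris", "face"},
    "messaging": {"face", "voiceprint"},
    "gallery": {"face"},
}

# Assumed suitability rules per modality; the limits are illustrative only.
ENV_RULES = {
    "face": lambda env: env["lux"] >= 50,          # dim light degrades face matching
    "iris": lambda env: env["lux"] >= 10,
    "voiceprint": lambda env: env["noise_db"] <= 60,
    "fingerprint": lambda env: not env["gloved"],
}


def validate_matching(relation):
    """Check the constraints the text places on the matching relation."""
    if len(relation) < 2:
        raise ValueError("matching relation must cover at least two kinds of information")
    items = list(relation.items())
    for i, (info_a, cands_a) in enumerate(items):
        if not cands_a:
            raise ValueError(f"{info_a!r} has no candidate modality")
        for info_b, cands_b in items[i + 1:]:
            if set(cands_a) == set(cands_b):
                raise ValueError(f"{info_a!r} and {info_b!r} share identical candidates")
    return True


def select_modalities(app_info, env, relation=MATCHING, max_count=2):
    """Pick up to max_count candidate modalities usable in the current environment.

    An empty list means no candidate is reliable right now; the caller should
    treat that as 'cannot authenticate' and deny, not fall back to a modality
    outside the candidate set.
    """
    candidates = relation[app_info]  # KeyError for unknown application information
    usable = sorted(m for m in candidates if ENV_RULES[m](env))
    return usable[:max_count]


# Constructed environment samples.
DIM_QUIET = {"lux": 5, "noise_db": 40, "gloved": False}
BRIGHT_NOISY_GLOVED = {"lux": 300, "noise_db": 80, "gloved": True}

if __name__ == "__main__":
    validate_matching(MATCHING)
    for env in (DIM_QUIET, BRIGHT_NOISY_GLOVED):
        for app in MATCHING:
            print(app, env, "->", select_modalities(app, env))
```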
It should be noted that, the implementation of each operation may also correspond to the corresponding description of the method embodiments shown in fig. 4A, 4B, and 5 to 9.
The embodiment of the present application further provides a chip system, where the chip system includes at least one processor, a memory and an interface circuit, the memory is interconnected with the at least one processor through a line, and the at least one memory stores a computer program; the computer program, when executed by the processor, implements the method flows shown in fig. 4A, 4B, 5-9.
Embodiments of the present application further provide a computer-readable storage medium, in which a computer program is stored, and when the computer program is executed on a processor, the computer program implements the method flows shown in fig. 4A, fig. 4B, and fig. 5 to fig. 9.
Embodiments of the present application also provide a computer program product, which when stored in a memory, implements the method flows shown in fig. 4A, 4B, and 5-9 when the computer program product runs on a processor.
In summary, by implementing the embodiment of the present application, after the terminal device or the target application has performed the identity authentication and the authentication passes, the identity authentication is continuously performed on the user operating the terminal device or the target application, and information is fed back to the user according to one or more identity authentication results obtained by the continuous authentication, so that the user can access the terminal device or the target application within the permission range. The continuous identity authentication mode can continuously ensure the safety of the terminal equipment or the target application program.
One of ordinary skill in the art will appreciate that all or part of the processes in the methods of the above embodiments can be implemented by hardware associated with a computer program that can be stored in a computer-readable storage medium, and when executed, can include the processes of the above method embodiments. And the aforementioned storage medium includes: various media that can store computer program code, such as ROM or RAM, magnetic or optical disks, etc.

Claims (17)

1. A method for user rights management, comprising:
acquiring identity information of a user currently holding terminal equipment and performing identity authentication on the user, wherein the terminal equipment or a target application program has performed at least one time of identity authentication and is in an operating state after the identity authentication is passed;
and feeding back information to the user according to the authentication result of the identity authentication performed one or more times, so that the user can access the terminal equipment or the target application program within the permission range.
2. The method according to claim 1, wherein the feeding back information to the user according to the authentication result of the identity authentication one or more times so that the user accesses the terminal device or the target application within the permission range comprises:
and outputting prompt information to the user according to the authentication result of the identity authentication for multiple times, wherein the prompt information is used for prompting whether the user operating the terminal equipment or the target application program in the running process is replaced or not.
3. The method of claim 2, wherein the prompt message comprises a voice prompt, a text prompt, or a graphic prompt, or wherein outputting the prompt message comprises requesting the user to re-enter identity information for identity authentication.
4. The method according to claim 1, wherein the feeding back information to the user according to the authentication result of the identity authentication one or more times so that the user accesses the terminal device or the target application within the permission range comprises:
determining the current operation authority of the user on the terminal equipment or the target application program according to the authentication result of the identity authentication for one time or multiple times;
and controlling the user to access the terminal equipment or the target application program according to the operation authority.
5. The method according to any one of claims 1 to 4, wherein the obtaining identity information of a user currently holding the terminal device and performing identity authentication on the user comprises:
collecting identity information of a user currently holding the terminal equipment according to a preset frequency, and performing identity authentication on the user operating the terminal equipment according to the identity information collected each time, so as to obtain an authentication result of one or more times of identity authentication, wherein the identity information collected each time is used for obtaining the authentication result of one time of identity authentication.
6. The method according to any one of claims 1 to 4, wherein the obtaining identity information of a user currently holding the terminal device and performing identity authentication on the user comprises:
collecting identity information of a user currently holding the terminal equipment when a triggering operation of a preset function is detected, and performing identity authentication on the user operating the terminal equipment according to the identity information collected each time, so as to obtain an authentication result of one or more times of identity authentication, wherein the identity information collected each time is used for obtaining the authentication result of one time of identity authentication, and the number of the preset functions in the terminal equipment is more than or equal to 1.
7. The method according to any one of claims 1-6, wherein the identity information used for the identity authentication comprises a fusion of one or more of fingerprint information, face information, iris information, or voiceprint information of the user.
8. The method according to any one of claims 4-7, wherein the controlling the current access of the user to the terminal device or the target application according to the operation authority comprises:
if the user is determined not to have the operation authority on the terminal equipment or the target application program, outputting prompt information to prompt the target user to perform identity authentication;
receiving identity authentication information input again;
and if the user operating the terminal equipment or the target application program is determined to be the target user according to the identity authentication information input again, granting the operation authority to the terminal equipment or the target application program.
9. The method of claim 8, wherein if it is determined that the user does not currently have an operation right for the terminal device or the target application, outputting a prompt message to prompt the user to perform identity authentication, comprising:
and if the user does not have the operation authority on the terminal equipment or the target application program at present and the type of the target application program is a first preset type, outputting prompt information to prompt the target user to perform identity authentication.
10. The method according to claim 4, wherein the determining the current operation authority of the user on the terminal device or the target application according to the authentication result of the identity authentication for one or more times comprises:
determining whether a user currently operating the terminal equipment has an operation authority for the terminal equipment or the target application program according to the authentication result of the identity authentication for a plurality of times and the information of the currently operating target application program; the information of the target application program comprises the type of the target application program and/or the function currently executed by the target application program.
11. The method according to claim 10, wherein the determining whether the user currently operating the terminal device has the operation right for the terminal device or the target application according to the authentication result of the identity authentication for a plurality of times and the information of the currently running target application includes:
if more than the target proportion threshold of the multiple identity authentication results indicate that the user operating the terminal equipment is the target user, determining that the user currently operating the terminal equipment has the operation authority on the terminal equipment or the target application program; and the target proportion threshold is determined according to the information of the target application program.
12. The method according to claim 10, wherein the determining whether the user currently operating the terminal device has the operation right for the terminal device or the target application according to the authentication result of the identity authentication for a plurality of times and the information of the currently running target application comprises:
if the last identity authentication result in the multiple identity authentication results indicates that the user operating the terminal equipment is the target user and more than the target proportion threshold of the multiple identity authentication results indicate that the user operating the terminal equipment is the target user, determining that the user currently operating the terminal equipment has the operation authority on the terminal equipment or the target application program; and the target proportion threshold is determined according to the information of the target application program.
13. The method of claim 12, further comprising:
if the last identity authentication result in the multiple identity authentication results indicates that the user operating the terminal equipment is not the target user, and/or the proportion of the multiple identity authentication results indicating that the user operating the terminal equipment is the target user does not exceed the target proportion threshold, determining that the user currently operating the terminal equipment does not have the operation authority on the terminal equipment or the target application program; and the target proportion threshold is determined according to the information of the target application program.
14. The method according to any one of claims 1 to 13, wherein the authentication result of any one of the plurality of times of authentication is obtained by a plurality of virtual computing nodes respectively authenticating the user operating the terminal device and reaching consensus on the respective authentication results.
15. The method according to claim 14, wherein the plurality of virtual computing nodes are different operating systems installed on the terminal device, or at least one operating system installed on the terminal device and at least one third-party device connected to the terminal device, and the plurality of virtual computing nodes are different from each other in a modality on which identity authentication is performed.
16. A terminal device comprising one or more processors and memory for storing a computer program, the one or more processors invoking the computer program for implementing the method of any one of claims 1-15.
17. A computer-readable storage medium, in which a computer program is stored which, when run on one or more processors, implements the method of any one of claims 1-15.
CN201911008589.9A 2019-10-22 2019-10-22 User authority management method and terminal equipment Pending CN112699354A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201911008589.9A CN112699354A (en) 2019-10-22 2019-10-22 User authority management method and terminal equipment

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201911008589.9A CN112699354A (en) 2019-10-22 2019-10-22 User authority management method and terminal equipment

Publications (1)

Publication Number Publication Date
CN112699354A true CN112699354A (en) 2021-04-23

Family

ID=75504705

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201911008589.9A Pending CN112699354A (en) 2019-10-22 2019-10-22 User authority management method and terminal equipment

Country Status (1)

Country Link
CN (1) CN112699354A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination