CN113051545A - User authentication method and device - Google Patents


Info

Publication number: CN113051545A
Authority: CN (China)
Prior art keywords: target user, user, parameter, login, feedback information
Legal status: Pending
Application number: CN202011459534.2A
Other languages: Chinese (zh)
Inventors: 丁龙, 郭晓鹏, 孙悦
Current assignee: Beijing Trusfort Technology Co ltd
Original assignee: Beijing Trusfort Technology Co ltd
Events: application filed by Beijing Trusfort Technology Co ltd; priority to CN202011459534.2A; publication of CN113051545A; legal status pending

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/44 Program or device authentication
    • G06F21/31 User authentication
    • G06F21/316 User authentication by observing the pattern of computer usage, e.g. typical user behaviour
    • G06F21/45 Structures or tools for the administration of authentication

Abstract

The application discloses a user authentication method and device. The method is applied to a protocol proxy server and comprises the following steps: intercepting an authentication request sent by user equipment running any type of operating system; determining, according to the authentication request, whether the access right authentication result of the target user passes; if it passes, determining whether the behavior risk parameter of the target user is the first parameter; if it is the first parameter, determining whether the first security authentication result of the target user passes; if that passes, generating feedback information confirming login; and sending the feedback information confirming login to the user equipment. The user authentication method and device can cover various operating systems and offer better universality, higher security and high manageability.

Description

User authentication method and device
Technical Field
The present application relates to the field of communications technologies, and in particular, to a user authentication method and apparatus.
Background
Currently, there are four main schemes for user management and authentication on common operating systems:
(1) The Microsoft Active Directory (AD) domain control scheme. It is widely used for user management and authentication of Windows systems in the office and server fields, but its support for Linux systems is poor in aspects such as network policy management and management of rights inside the user's system, and it carries a high commercial cost.
(2) The system-local user management scheme, in which a Windows or Linux system manages user accounts and authentication locally. This scheme does not provide unified user management and authentication, and it carries potential security risks.
(3) The bastion host plus system-local user management scheme, in which the operating system manages user accounts and authentication locally and the bastion host controls the user's permission to use system accounts. However, this scheme is operated mainly through the Linux command line, supports Windows poorly, is hard to apply in the office field, and cannot meet users' office requirements in terms of user experience and performance.
(4) The LDAP (Lightweight Directory Access Protocol) directory user management scheme, which Linux systems support by default but for which Windows systems have no built-in component, only some open-source components. This scheme therefore faces a series of usability and security problems, such as the lack of control over a user's access to the system, low password authentication security, and missing management of rights inside the user's system, and it is rarely applied in practice.
In summary, there is a need for a user management and authentication scheme for operating systems that solves the problem that user management and authentication on each operating system are fragmented and insecure.
Disclosure of Invention
The invention aims to provide a user authentication method and device that address the defects of the prior art.
In order to achieve the above object, in a first aspect, an embodiment of the present invention provides a user authentication method, where the method is applied to a protocol proxy server, and the method includes:
intercepting an authentication request sent by user equipment running any type of operating system;
determining whether the access authority authentication result of the target user passes or not according to the authentication request;
if the access right authentication result of the target user is passed, determining whether the behavior risk parameter of the target user is a first parameter;
if the behavior risk parameter of the target user is the first parameter, determining whether a first security authentication result of the target user passes;
if the first security authentication result of the target user is passed, generating feedback information for confirming login;
and sending the feedback information for confirming the login to the user equipment.
Preferably, if the access right authentication result of the target user does not pass, the method further includes:
generating feedback information for preventing login, and sending it to the user equipment.
Preferably, if the behavior risk parameter of the target user is not the first parameter, the method further includes:
determining whether the behavior risk parameter of the target user is a second parameter;
if the behavior risk parameter of the target user is the second parameter, determining whether a second security authentication result of the target user passes;
if the second security authentication result of the target user passes, generating feedback information for confirming login, and sending it to the user equipment;
if the second security authentication result of the target user does not pass, generating feedback information for preventing login, and sending it to the user equipment;
and if the behavior risk parameter of the target user is not the second parameter either, generating feedback information for preventing login, and sending it to the user equipment.
Preferably, if the first security authentication result of the target user does not pass, the method further includes:
generating feedback information for preventing login, and sending it to the user equipment.
Preferably, if the access right authentication result of the target user passes, then before determining whether the behavior risk parameter of the target user is the first parameter, the method further includes:
determining whether a third security authentication result of the target user passes;
if the third security authentication result of the target user passes, determining whether the behavior risk parameter of the target user is the first parameter;
if the third security authentication result of the target user does not pass, generating feedback information for preventing login;
and sending the feedback information for preventing login to the user equipment.
In a second aspect, an embodiment of the present invention further provides a user authentication apparatus, where the apparatus is applied to a protocol proxy server, and the apparatus includes:
the intercepting unit is used for intercepting an authentication request sent by user equipment running any type of operating system;
the authority confirming unit is used for determining whether the access authority authentication result of the target user passes or not according to the authentication request;
the risk confirmation unit is used for determining whether the behavior risk parameter of the target user is a first parameter or not if the access authority authentication result of the target user is passed;
the safety confirmation unit is used for determining whether a first safety authentication result of the target user passes or not if the behavior risk parameter of the target user is the first parameter;
the feedback unit is used for generating feedback information for confirming login if the first security authentication result of the target user passes;
the feedback unit is further configured to send the feedback information for confirming the login to the user equipment.
Preferably, if the access right authentication result of the target user does not pass, the feedback unit is further configured to:
generate feedback information for preventing login, and send it to the user equipment.
Preferably:
if the behavior risk parameter of the target user is not the first parameter, the risk confirmation unit is further configured to determine whether the behavior risk parameter of the target user is a second parameter;
if the behavior risk parameter of the target user is the second parameter, the security confirmation unit is further configured to determine whether a second security authentication result of the target user passes;
if the second security authentication result of the target user passes, the feedback unit is further configured to generate feedback information for confirming login and send it to the user equipment;
if the second security authentication result of the target user does not pass, the feedback unit is further configured to generate feedback information for preventing login and send it to the user equipment;
and if the behavior risk parameter of the target user is neither the first parameter nor the second parameter, the feedback unit is further configured to generate feedback information for preventing login and send it to the user equipment.
Preferably, if the first security authentication result of the target user does not pass, the feedback unit is further configured to:
generate feedback information for preventing login, and send it to the user equipment.
Preferably, the apparatus further includes a password authentication unit. If the access right authentication result of the target user passes, then before the risk confirmation unit determines whether the behavior risk parameter of the target user is the first parameter, the password authentication unit is configured to:
determine whether a third security authentication result of the target user passes;
if the third security authentication result of the target user passes, cause the risk confirmation unit to determine whether the behavior risk parameter of the target user is the first parameter;
and if the third security authentication result of the target user does not pass, cause the feedback unit to generate feedback information for preventing login and send it to the user equipment.
An embodiment of the present disclosure further provides an electronic device, which includes: a processor; a memory for storing the processor-executable instructions; the processor is configured to read the executable instructions from the memory and execute the instructions to implement the user authentication method as disclosed in the first aspect.
An embodiment of the present disclosure further provides a computer-readable storage medium, where the storage medium stores a computer program, and the computer program is configured to execute the user authentication method disclosed in the foregoing first aspect.
The embodiment of the invention provides a user authentication method that intercepts the authentication request of user equipment running any operating system and confirms whether the user has access right, whether the user's operation behavior carries risk, and whether the user's security authentication passes. The user authentication method disclosed in this application can therefore cover various operating systems and offers good universality, higher security and high manageability.
Drawings
The above and other objects, features and advantages of the present application will become more apparent by describing in more detail embodiments of the present application with reference to the attached drawings. The accompanying drawings are included to provide a further understanding of the embodiments of the application and are incorporated in and constitute a part of this specification, illustrate embodiments of the application and together with the description serve to explain the principles of the application. In the drawings, like reference numbers generally represent like parts or steps.
Fig. 1 is a flowchart of a user authentication method according to an embodiment of the present invention;
FIG. 2 is a flowchart of a method according to a first embodiment of the present invention;
FIG. 3 is a flowchart of a method according to a second embodiment of the present invention;
fig. 4 is a schematic structural diagram of a user authentication device according to an embodiment of the present invention;
fig. 5 is a schematic structural diagram of a third embodiment according to the present invention;
fig. 6 is a schematic structural diagram of the electronic device according to the embodiment of the present invention.
Detailed Description
Hereinafter, example embodiments according to the present application will be described in detail with reference to the accompanying drawings. It should be understood that the described embodiments are only some embodiments of the present application and not all embodiments of the present application, and that the present application is not limited by the example embodiments described herein.
The application provides a user authentication method that is applied to a protocol proxy server. The protocol proxy server provides a protocol proxy service placed between the operating system and the user management and authentication service. The protocol proxy service is preferably an LDAP protocol proxy service.
Based on the protocol proxy server, the flowchart of the login authentication method provided by the present application is shown in fig. 1 and includes the following steps:
step 110, intercepting an authentication request sent by user equipment running any type of operating system;
Specifically, system authentication components are generally installed in the various operating systems, such as the open-source component pGINA on Windows, the open-source component nss-pam-ldapd on Linux, and the LDAP configuration component on Mac. User equipment running any type of operating system can interact with the protocol proxy server through these system authentication components.
More specifically, the protocol proxy server monitors whether the user equipment, running any type of operating system, receives a login operation instruction input by the user. When the user equipment receives the login operation instruction, the system authentication component in its operating system initiates an authentication request, and the protocol proxy server intercepts that request so that it can take over user management and authentication for the user equipment from that point on.
It is understood that the operating system referred to herein includes, but is not limited to, a Windows system, a Linux system, and a Mac system.
Step 120, determining whether the access right authentication result of the user passes according to the authentication request;
Specifically, the protocol proxy server determines whether the user has access right by calling the authority authentication service, that is, it determines whether the user's access right authentication result passes. The authority authentication service may use static authority control or dynamic authority control.
In a specific example, the protocol proxy server sends a call request, according to the authentication request, to an authentication server that hosts the authority authentication service and queries the authority control directory on that server. The authentication request carries the user's login information; the protocol proxy server obtains the user's access right authentication result from the authority control directory entry corresponding to that login information, and then determines whether the result passes.
The user's login information includes, but is not limited to, the user ID, login IP, login time, login location and login frequency. Static authority control may be a default-configured authority control directory, and dynamic authority control may be an authority control directory that is adjusted dynamically according to the user's risk behavior.
If the user's access right authentication result passes, the following step 130 is performed.
In some preferred embodiments, if the user's access right authentication result does not pass, the protocol proxy server generates feedback information for preventing login and sends it to the user equipment to indicate that the login has failed.
Step 130, if the access right authentication result of the user is passed, determining whether the behavior risk parameter of the user is a first parameter;
Specifically, if the user has access right, the protocol proxy server determines whether the user's operation behavior carries risk by calling the risk authentication service, that is, it determines the user's behavior risk parameter. The risk authentication service may specifically be an authentication service that performs risk analysis, using expert rules or a machine learning model, on the fields of the user's login information that describe user behavior.
The user's behavior risk parameter takes one of three values: a first parameter, indicating that the user's current operation behavior carries no risk; a second parameter, indicating that the current operation behavior carries some risk and requires secondary verification; and a third parameter, indicating that the current operation behavior is risky. The protocol proxy server determines whether the user's behavior risk parameter is the first parameter, that is, whether the user's current operation behavior is risk-free.
In a specific example, the protocol proxy server sends a call request, according to the authentication request, to an authentication server that also hosts the risk authentication service and queries the behavior risk authentication directory on that server. The protocol proxy server obtains the user's behavior risk parameter from the behavior risk authentication directory entry corresponding to the user's login information, and determines whether it is the first parameter.
If the user's behavior risk parameter is the first parameter, meaning that the user's current operation behavior carries no risk, the following step 140 is executed.
In some preferred embodiments, if the user's behavior risk parameter is not the first parameter, the protocol proxy server determines whether it is the second parameter, that is, whether the user's current operation behavior carries some risk and requires secondary verification. The second security authentication may be understood as authentication at a higher level than the first security authentication, such as biometric authentication.
If the user's behavior risk parameter is the second parameter, the protocol proxy server determines whether the user's second security authentication result passes.
If the user's second security authentication result passes, feedback information for confirming login is generated and sent to the user equipment. If it does not pass, feedback information for preventing login is generated and sent to the user equipment.
If, having already determined that the user's behavior risk parameter is not the first parameter, the protocol proxy server determines that it is not the second parameter either, then the behavior risk parameter is the third parameter, that is, the user's current operation behavior is determined to be risky, and feedback information for preventing login is generated and sent to the user equipment.
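The expert-rule variant of the risk authentication service in step 130, written out as an added example in Python (this is not code from the patent or from Beijing Trusfort): a small rule set maps the login information named above (user ID, login IP, login time, login location, login frequency) to the first, second or third behavior risk parameter. The numeric parameter values, the rule weights and cut-offs, and the per-user baseline are all assumptions made for the example, and the login records are constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime

# The patent only names a "first", "second" and "third" parameter;
# the numeric values are an assumption for this example.
NO_RISK, SOME_RISK, RISK = 1, 2, 3


@dataclass
class LoginInfo:
    """Login information carried by the intercepted authentication request."""
    user_id: str
    login_ip: str
    login_time: datetime
    login_location: str
    logins_last_hour: int        # login frequency


@dataclass
class UserBaseline:
    """What the risk service knows about the user's normal behaviour (constructed)."""
    known_ips: set = field(default_factory=set)
    known_locations: set = field(default_factory=set)
    work_hours: tuple = (9, 18)  # logins expected between 09:00 and 18:00 local time
    max_logins_per_hour: int = 10


# Expert-rule weights and the two cut-offs are assumptions for the example.
WEIGHTS = {"unknown_ip": 2, "unknown_location": 3, "off_hours": 2, "too_frequent": 3}
SOME_RISK_AT, RISK_AT = 2, 6


def fired_rules(info: LoginInfo, baseline: UserBaseline) -> list:
    """Names of the expert rules that match this login, in a fixed order."""
    start, end = baseline.work_hours
    checks = {
        "unknown_ip": info.login_ip not in baseline.known_ips,
        "unknown_location": info.login_location not in baseline.known_locations,
        "off_hours": not (start <= info.login_time.hour < end),
        "too_frequent": info.logins_last_hour > baseline.max_logins_per_hour,
    }
    return [name for name, hit in checks.items() if hit]


def behavior_risk_parameter(info: LoginInfo, baseline: UserBaseline) -> tuple:
    """Risk authentication service: returns (parameter, fired_rules).

    Returning the matched rules alongside the parameter lets the proxy log why
    a login was pushed to secondary verification or refused."""
    fired = fired_rules(info, baseline)
    score = sum(WEIGHTS[name] for name in fired)
    if score >= RISK_AT:
        return RISK, fired
    if score >= SOME_RISK_AT:
        return SOME_RISK, fired
    return NO_RISK, fired


# Constructed baseline and login records for a demo run.
DEMO_BASELINE = UserBaseline(known_ips={"10.0.0.5"}, known_locations={"Beijing"})

DEMO_LOGINS = [
    LoginInfo("alice", "10.0.0.5", datetime(2021, 1, 4, 10, 0), "Beijing", 1),
    LoginInfo("alice", "10.0.0.5", datetime(2021, 1, 4, 22, 30), "Beijing", 1),
    LoginInfo("alice", "203.0.113.9", datetime(2021, 1, 4, 10, 0), "Beijing", 1),
    LoginInfo("alice", "203.0.113.9", datetime(2021, 1, 4, 3, 15), "Lagos", 25),
]


def classify_demo_logins() -> list:
    """Risk parameter for each constructed login, in order."""
    return [behavior_risk_parameter(info, DEMO_BASELINE)[0] for info in DEMO_LOGINS]


if __name__ == "__main__":
    for info in DEMO_LOGINS:
        param, why = behavior_risk_parameter(info, DEMO_BASELINE)
        print(f"{info.login_ip:>13} {info.login_time:%H:%M} {info.login_location:<8} -> {param} {why}")
```

A single off-hours or unknown-IP signal lands in the second parameter (secondary verification), while an unfamiliar address and location combined with a burst of logins reaches the third parameter and is refused outright. Keeping the fired rule names next to the parameter is what makes the proxy's decision auditable afterwards.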
Step 140, if the behavior risk parameter of the user is the first parameter, determining whether the first security authentication result of the user passes;
Specifically, the first security authentication may be understood as a password authentication. If the user's current operation behavior carries no risk, the protocol proxy server determines whether the user's password authentication passes by calling the security authentication service. The security authentication service includes authentication services such as dynamic password authentication, biometric authentication and APP push authentication.
In a specific example, the protocol proxy server sends a call request, according to the authentication request, to an authentication server that hosts the security authentication service and queries the password authentication directory on that server. The protocol proxy server obtains the user's first security authentication result from the password authentication directory entry corresponding to the user's login information, and then determines whether that result passes.
If the user's first security authentication result passes, meaning that the user's password authentication has passed, the following step 150 is performed.
In some preferred embodiments, if the user's first security authentication result does not pass, the protocol proxy server generates feedback information for preventing login and sends it to the user equipment to indicate that the login has failed.
Step 150, if the first security authentication result of the user is passed, generating feedback information for confirming login;
specifically, if the user password authentication is passed, feedback information for confirming the login is generated.
Step 160, sending feedback information for confirming login to the user equipment;
specifically, the protocol proxy server sends the feedback information for confirming the login to the corresponding user equipment to indicate that the login is successful.
In some more preferred embodiments, the present application may also implement two-factor authentication.
In step 130, if the access right authentication result of the target user passes, then before determining whether the behavior risk parameter of the target user is the first parameter, the protocol proxy server further needs to determine whether a third security authentication result of the target user passes.
The third security authentication may be understood as account password authentication. The protocol proxy server determines the user's third security authentication result by invoking the password authentication service. Preferably, the password authentication service uses an LDAP directory.
In a specific example, the protocol proxy server sends a call request, according to the authentication request, to an authentication server that hosts the password authentication service and queries the password authentication directory on that server. The protocol proxy server obtains the user's third security authentication result from the password authentication directory entry corresponding to the user's login information, and then determines whether the third security authentication result of the target user passes.
If the third security authentication result of the target user passes, the protocol proxy server determines whether the behavior risk parameter of the target user is the first parameter. If the third security authentication result of the target user does not pass, feedback information for preventing login is generated and sent to the user equipment.
It should be understood that account password authentication is only one way of user management and authentication; secret-free (password-less) authentication may also be adopted, in which case the above step of determining the third security authentication result of the target user may be omitted.
In other more preferred embodiments, the authority authentication service, the risk authentication service, the security authentication service and the password authentication service may be managed by providing a management service module.
In summary, in a specific embodiment of "two-factor authentication", the user authentication method of the present application is shown in fig. 2. Here "two-factor authentication" may specifically be password authentication plus push authentication. The method is applied to a protocol proxy server and includes:
step 210, intercepting an authentication request sent by user equipment running any type of operating system.
Step 220, determining whether the access authority authentication result of the target user passes according to the authentication request;
If the access right authentication result of the target user passes, indicating that the user has access right, step 230 is performed; if it does not pass, indicating that the user does not have access right, step 270 is performed.
Step 230, determining whether the third security authentication result of the target user passes;
The third security authentication represents password authentication. If the third security authentication result of the target user passes, indicating that the user's password authentication has passed, step 240 is performed; if it does not pass, indicating that the user's password authentication has failed, step 270 is performed.
Step 240, determining whether the behavior risk parameter of the target user is a first parameter;
If the behavior risk parameter of the target user is the first parameter, indicating that the user's current operation behavior carries no risk, step 250 is executed; if it is not the first parameter, step 251 is executed.
Step 250, determining whether the first security authentication result of the target user passes;
The first security authentication represents password authentication, such as SMS push password authentication. If the first security authentication result of the target user passes, indicating that the user's password authentication has passed, step 260 is executed; if it does not pass, indicating that the user's password authentication has failed, step 270 is executed.
Step 251, determining whether the behavior risk parameter of the target user is a second parameter;
If the behavior risk parameter of the target user is the second parameter, indicating that the user's current operation behavior carries some risk and secondary verification is required, step 252 is executed; if the behavior risk parameter of the target user is neither the first parameter nor the second parameter, indicating that the user's current operation behavior is risky, step 270 is executed.
Step 252, determining whether the second security authentication result of the target user passes;
The second security authentication represents biometric authentication, such as face recognition authentication, and is at a higher level than the first security authentication. If the second security authentication result of the target user passes, indicating that the user's biometric authentication has passed, step 260 is performed; if it does not pass, indicating that the user's biometric authentication has failed, step 270 is performed.
And step 260, generating feedback information for confirming login, and sending the feedback information to the user equipment.
And step 270, generating feedback information for preventing login, and sending the feedback information to the user equipment.
In addition, in a specific embodiment of "secret-free authentication", shown in fig. 3, the user authentication method of the present application may specifically use push authentication. The method is applied to a protocol proxy server and includes:
step 310, intercepting an authentication request sent by a user equipment running any type of operating system.
Step 320, determining whether the access right authentication result of the target user passes according to the authentication request;
If the access right authentication result of the target user is passed, indicating that the user has the access right, step 330 is performed; if it is not passed, indicating that the user does not have the access right, step 360 is performed.
Step 330, determining whether the behavior risk parameter of the target user is a first parameter;
If the behavior risk parameter of the target user is the first parameter, it indicates that the current operation behavior of the user carries no risk, and step 340 is executed; if the behavior risk parameter of the target user is not the first parameter, step 341 is executed.
Step 340, determining whether the first security authentication result of the target user is passed;
The first security authentication represents push authentication, such as SMS push authentication. If the first security authentication result of the target user is passed, indicating that the user's push authentication has passed, step 350 is executed; if it is not passed, indicating that the user's push authentication has failed, step 360 is executed.
Step 341, determining whether the behavior risk parameter of the target user is a second parameter;
If the behavior risk parameter of the target user is the second parameter, it indicates that the current operation behavior of the user carries a certain risk and secondary verification is required, and step 342 is performed; if the behavior risk parameter of the target user is neither the first parameter nor the second parameter, it indicates that the current operation behavior of the user is risky, and step 360 is performed.
Step 342, determining whether the second security authentication result of the target user is passed;
The second security authentication represents biometric authentication, such as face recognition authentication, and is at a higher level than the first security authentication. If the second security authentication result of the target user is passed, indicating that the user's biometric authentication has passed, step 350 is executed; if it is not passed, indicating that the user's biometric authentication has failed, step 360 is executed.
And step 350, generating feedback information for confirming login, and sending the feedback information to the user equipment.
And step 360, generating feedback information for preventing login, and sending the feedback information to the user equipment.
The user authentication method provided by the embodiment of the application intercepts the user authentication request of the user equipment running with any operating system, and confirms whether the user has access authority, whether the user operation behavior has risk and whether the user security authentication passes, so that the user authentication method disclosed by the application can cover various operating systems, the universality is good, and the application has higher security and high manageability.
Correspondingly, an embodiment of the present invention further provides a user authentication apparatus for implementing the user authentication method, where the apparatus is applied to a protocol proxy server, and as shown in fig. 4, the apparatus includes: an interception unit 401, a permission confirmation unit 402, a risk confirmation unit 403, a security confirmation unit 404, and a feedback unit 405.
Specifically, the intercepting unit 401 is configured to intercept an authentication request sent by a user equipment running any type of operating system;
an authority confirmation unit 402, configured to determine whether an access authority authentication result of the target user passes according to the authentication request;
a risk confirming unit 403, configured to determine whether the behavior risk parameter of the target user is the first parameter if the access right authentication result of the target user is passed;
a security confirmation unit 404, configured to determine whether a first security authentication result of the target user passes if the behavior risk parameter of the target user is the first parameter;
a feedback unit 405, if the first security authentication result of the target user is passed, the feedback unit 405 is configured to generate feedback information for confirming login;
the feedback unit 405 is further configured to send feedback information for confirming login to the user equipment.
Preferably, if the access right authentication result of the target user does not pass, the feedback unit 405 is further configured to: and generating feedback information for preventing login, and sending the feedback information for preventing login to the user equipment.
Preferably, if the behavior risk parameter of the target user is not the first parameter, the risk confirming unit 403 is further configured to: determine whether the behavior risk parameter of the target user is a second parameter;
if the behavioral risk parameter of the target user is the second parameter, the security confirmation unit 404 is further configured to: determining whether a second security authentication result of the target user is passed;
if the second security authentication result of the target user is pass, the feedback unit 405 is further configured to: generating feedback information for confirming login, and sending login feedback information for confirming login to the user equipment;
if the second security authentication result of the target user is not passed, the feedback unit 405 is further configured to: generating feedback information for preventing login, and sending login feedback information for preventing login to the user equipment;
if the behavior risk parameter of the target user is neither the first parameter nor the second parameter, the feedback unit 405 is further configured to: generate feedback information for preventing login, and send the feedback information for preventing login to the user equipment.
Preferably, if the first security authentication result of the target user is not passed, the feedback unit 405 is further configured to: generate feedback information for preventing login, and send the feedback information for preventing login to the user equipment.
Preferably, the user authentication apparatus disclosed in the present application further includes a password authentication unit (not shown in the figure). If the access right authentication result of the target user is passed, then before it is determined whether the behavior risk parameter of the target user is the first parameter, the password authentication unit is configured to:
determining whether the third security authentication result of the target user is passed;
if the third security authentication result of the target user is pass, the risk confirmation unit 403 determines whether the behavior risk parameter of the target user is the first parameter;
if the third security authentication result of the target user does not pass, the feedback unit 405 generates login-blocking feedback information, and sends the login-blocking feedback information to the user equipment.
In summary, in a specific embodiment, an application scenario of the user authentication apparatus of the present application is shown in fig. 5:
the protocol proxy server 500 intercepts the authentication request of any one of the operating systems 501, 502, 503, and calls the authority authentication service 510, the risk authentication service 520, the security authentication service 530, and the password authentication service 540, while the management service module 550 manages the authority authentication service, the risk authentication service, the security authentication service, and the password authentication service. The protocol proxy server 500 corresponds to a protocol proxy service that is constructed between any operating system and each authentication service.
The user authentication device provided by the embodiment of the application intercepts a user authentication request of user equipment running with any operating system, and confirms whether a user has access authority, whether user operation behaviors have risks and whether the user security authentication passes, so that the user authentication method disclosed by the application can cover various operating systems, and is good in universality, higher in security and high in manageability.
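The decision logic of the method and apparatus described above, written out as an added example that is not the applicant's code: a policy function walks the steps of figs. 2, 3 and 5 (access right, optional password check, behavior risk parameter, then push or biometric security authentication) and returns the feedback to send to the user equipment. The `AuthServices` callables, `build_services` stubs and the user id "alice" are hypothetical stand-ins for the authority, risk, security and password services the protocol proxy would call.

```python
"""Risk-adaptive login decision for a protocol proxy server (added example,
not the applicant's code).  The service hooks are hypothetical stand-ins
for the authority, risk, security and password services of fig. 5."""
from dataclasses import dataclass
from enum import Enum
from typing import Callable, List, Optional, Tuple


class Risk(Enum):
    """The behavior risk parameter returned by the risk service."""
    FIRST = "first"    # no risk detected in the current operation
    SECOND = "second"  # some risk: secondary (step-up) verification required
    OTHER = "other"    # neither: the proxy prevents login


@dataclass
class AuthServices:
    """Hypothetical service hooks; each takes the target user id."""
    access_right: Callable[[str], bool]
    behavior_risk: Callable[[str], Risk]
    first_security: Callable[[str], bool]                   # push / SMS push
    second_security: Callable[[str], bool]                  # biometric, e.g. face
    third_security: Optional[Callable[[str], bool]] = None  # password unit


@dataclass
class Decision:
    confirm_login: bool
    reason: str
    factors_invoked: List[str]


def authenticate(user: str, svc: AuthServices) -> Decision:
    """Walk the flowchart once.  Factors are consulted lazily: the biometric
    service is only called when the risk parameter is the second parameter,
    and the proxy fails closed when it is neither the first nor the second."""
    invoked: List[str] = []
    # Step 320: access-right authentication
    if not svc.access_right(user):
        return Decision(False, "access right not passed", invoked)
    # Optional password authentication unit (third security authentication),
    # placed before the risk check as in claim 5
    if svc.third_security is not None:
        invoked.append("password")
        if not svc.third_security(user):
            return Decision(False, "password not passed", invoked)
    # Steps 330 / 341: behavior risk parameter
    risk = svc.behavior_risk(user)
    if risk is Risk.FIRST:
        # Step 340: first security authentication (push)
        invoked.append("push")
        if svc.first_security(user):
            return Decision(True, "push authentication passed", invoked)
        return Decision(False, "push authentication not passed", invoked)
    if risk is Risk.SECOND:
        # Step 342: second, higher-level security authentication (biometric)
        invoked.append("biometric")
        if svc.second_security(user):
            return Decision(True, "biometric authentication passed", invoked)
        return Decision(False, "biometric authentication not passed", invoked)
    # Step 360: any other risk value prevents login without further prompts
    return Decision(False, "operation behavior has risk", invoked)


def feedback_message(decision: Decision) -> dict:
    """Feedback information sent back to the user equipment (steps 350/360)."""
    action = "confirm_login" if decision.confirm_login else "prevent_login"
    return {"action": action, "reason": decision.reason}


def build_services(access: bool = True, risk: Risk = Risk.FIRST, push: bool = True,
                   biometric: bool = True, password: Optional[bool] = None
                   ) -> Tuple[AuthServices, List[str]]:
    """Constructed stub services that record which service the proxy called."""
    calls: List[str] = []

    def stub(name: str, value):
        def call(_user: str):
            calls.append(name)
            return value
        return call

    svc = AuthServices(
        access_right=stub("authority", access),
        behavior_risk=stub("risk", risk),
        first_security=stub("push", push),
        second_security=stub("biometric", biometric),
        third_security=None if password is None else stub("password", password),
    )
    return svc, calls
```

The recorded `calls` list shows which services the proxy actually consulted on each path, which is what a reviewer checks to confirm that the higher-level factor is requested only when the risk parameter demands it.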
Next, an electronic apparatus 11 according to an embodiment of the present application is described with reference to fig. 6. FIG. 6 illustrates a block diagram of an electronic device in accordance with an embodiment of the present application.
As shown in fig. 6, the electronic device 11 includes one or more processors 111 and memory 112.
The processor 111 may be a central processing unit (CPU) or another form of processing unit having data processing capabilities and/or instruction execution capabilities, and may control other components in the electronic device 11 to perform desired functions.
Memory 112 may include one or more computer program products that may include various forms of computer-readable storage media, such as volatile memory and/or non-volatile memory. The volatile memory may include, for example, Random Access Memory (RAM), cache memory (cache), and/or the like. The non-volatile memory may include, for example, Read Only Memory (ROM), hard disk, flash memory, etc. One or more computer program instructions may be stored on the computer-readable storage medium and executed by processor 111 to implement the testing methods of the various embodiments of the present application described above and/or other desired functions. Various contents such as an input signal, a signal component, a noise component, etc. may also be stored in the computer-readable storage medium.
In one example, the electronic device 11 may further include: an input device 113 and an output device 114, which are interconnected by a bus system and/or other form of connection mechanism (not shown).
The input device 113 may include, for example, a keyboard, a mouse, and the like.
The output device 114 may output various information including the determined distance information, direction information, and the like to the outside. The output devices 114 may include, for example, a display, speakers, a printer, and a communication network and remote output devices connected thereto, among others.
Of course, for the sake of simplicity, only some of the components of the electronic device 11 relevant to the present application are shown in fig. 6; components such as buses and input/output interfaces are omitted. In addition, the electronic device 11 may include any other suitable components, depending on the particular application.
In addition to the above-described methods and apparatus, embodiments of the present application may also be a computer program product comprising computer program instructions that, when executed by a processor, cause the processor to perform the steps in a test method according to various embodiments of the present application described in the "exemplary methods" section of this specification, supra.
The computer program product may be written with program code for performing the operations of embodiments of the present application in any combination of one or more programming languages, including an object oriented programming language such as Java, C + + or the like and conventional procedural programming languages, such as the "C" programming language or similar programming languages. The program code may execute entirely on the user's computing device, partly on the user's device, as a stand-alone software package, partly on the user's computing device and partly on a remote computing device, or entirely on the remote computing device or server.
Furthermore, embodiments of the present application may also be a computer-readable storage medium having stored thereon computer program instructions that, when executed by a processor, cause the processor to perform steps in a testing method according to various embodiments of the present application described in the "exemplary methods" section above of this specification.
The computer-readable storage medium may take any combination of one or more readable media. The readable medium may be a readable signal medium or a readable storage medium. A readable storage medium may include, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or a combination of any of the foregoing. More specific examples (a non-exhaustive list) of the readable storage medium include: an electrical connection having one or more wires, a portable disk, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
The foregoing describes the general principles of the present application in conjunction with specific embodiments, however, it is noted that the advantages, effects, etc. mentioned in the present application are merely examples and are not limiting, and they should not be considered essential to the various embodiments of the present application. Furthermore, the foregoing disclosure of specific details is for the purpose of illustration and description and is not intended to be limiting, since the foregoing disclosure is not intended to be exhaustive or to limit the disclosure to the precise details disclosed.
The block diagrams of devices, apparatuses, and systems referred to in this application are only given as illustrative examples and are not intended to require or imply that the connections, arrangements, configurations, etc. must be made in the manner shown in the block diagrams. These devices, apparatuses, and systems may be connected, arranged, or configured in any manner, as will be appreciated by those skilled in the art. Words such as "including," "comprising," "having," and the like are open-ended words that mean "including, but not limited to," and are used interchangeably therewith. The word "or" as used herein means, and is used interchangeably with, the word "and/or," unless the context clearly dictates otherwise. The word "such as" is used herein to mean, and is used interchangeably with, the phrase "such as but not limited to".
It should also be noted that in the devices, apparatuses, and methods of the present application, the components or steps may be decomposed and/or recombined. These decompositions and/or recombinations are to be considered as equivalents of the present application.
The previous description of the disclosed aspects is provided to enable any person skilled in the art to make or use the present application. Various modifications to these aspects will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other aspects without departing from the scope of the application. Thus, the present application is not intended to be limited to the aspects shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.
The foregoing description has been presented for purposes of illustration and description. Furthermore, the description is not intended to limit embodiments of the application to the form disclosed herein. While a number of example aspects and embodiments have been discussed above, those of skill in the art will recognize certain variations, modifications, alterations, additions and sub-combinations thereof.

Claims (12)

1. A user authentication method applied to a protocol proxy server, the method comprising:
intercepting an authentication request sent by user equipment running any type of operating system;
determining whether the access authority authentication result of the target user passes or not according to the authentication request;
if the access right authentication result of the target user is passed, determining whether the behavior risk parameter of the target user is a first parameter;
if the behavior risk parameter of the target user is the first parameter, determining whether a first security authentication result of the target user passes;
if the first security authentication result of the target user is passed, generating feedback information for confirming login;
and sending the feedback information for confirming the login to the user equipment.
2. The method according to claim 1, wherein if the access right authentication result of the target user is not passed, the method further comprises:
and generating feedback information for preventing login, and sending the feedback information to the user equipment.
3. The user authentication method according to claim 1, wherein if the behavioral risk parameter of the target user is not the first parameter, the method further comprises:
determining whether the behavior risk parameter of the target user is a second parameter;
if the behavior risk parameter of the target user is the second parameter, determining whether a second security authentication result of the target user passes;
if the second security authentication result of the target user is passed, generating login confirmation feedback information, and sending the login confirmation feedback information to the user equipment;
if the second security authentication result of the target user does not pass, generating login-preventing feedback information, and sending the login-preventing feedback information to the user equipment;
and if the behavior risk parameter of the target user is not the second parameter, generating feedback information for preventing login, and sending the feedback information to the user equipment.
4. The method according to claim 1, wherein if the first security authentication result of the target user is not passed, the method further comprises:
and generating feedback information for preventing login, and sending the feedback information to the user equipment.
5. The user authentication method according to claim 1, wherein if the access right authentication result of the target user is pass, before determining whether the behavior risk parameter of the target user is the first parameter, the method further comprises:
determining whether a third security authentication result of the target user is passed;
if the third security authentication result of the target user is passed, determining whether the behavior risk parameter of the target user is a first parameter;
if the third security authentication result of the target user does not pass, generating feedback information for preventing login;
and sending the login feedback information for preventing login to the user equipment.
6. A user authentication apparatus, wherein the apparatus is applied to a protocol proxy server, the apparatus comprising:
the intercepting unit is used for intercepting an authentication request sent by user equipment running any type of operating system;
the authority confirming unit is used for determining whether the access authority authentication result of the target user passes or not according to the authentication request;
the risk confirmation unit is used for determining whether the behavior risk parameter of the target user is a first parameter or not if the access authority authentication result of the target user is passed;
the security confirmation unit is used for determining whether a first security authentication result of the target user passes or not if the behavior risk parameter of the target user is the first parameter;
the feedback unit is used for generating feedback information for confirming login if the first security authentication result of the target user passes;
the feedback unit is further configured to send the feedback information for confirming the login to the user equipment.
7. The apparatus according to claim 6, wherein if the access right authentication result of the target user is not passed, the feedback unit is further configured to:
and generating feedback information for preventing login, and sending the feedback information for preventing login to the user equipment.
8. The user authentication apparatus according to claim 6, wherein:
if the behavior risk parameter of the target user is not the first parameter, the risk confirmation unit is further configured to determine whether the behavior risk parameter of the target user is a second parameter;
if the behavior risk parameter of the target user is the second parameter, the security confirmation unit is further configured to determine whether a second security authentication result of the target user passes;
if the second security authentication result of the target user is passed, the feedback unit is further configured to generate login confirmation feedback information, and send the login confirmation feedback information to the user equipment;
if the second security authentication result of the target user does not pass, the feedback unit is further configured to generate login-blocking feedback information, and send the login-blocking feedback information to the user equipment;
and if the behavior risk parameter of the target user is not the first parameter or the second parameter, the feedback unit is further configured to generate login-preventing feedback information, and send the login-preventing feedback information to the user equipment.
9. The apparatus according to claim 6, wherein if the first security authentication result of the target user is not passed, the feedback unit is further configured to:
and generating feedback information for preventing login, and sending the feedback information for preventing login to the user equipment.
10. The apparatus according to claim 6, further comprising a password authentication unit, wherein if the access right authentication result of the target user is passed, before determining whether the behavior risk parameter of the target user is the first parameter, the password authentication unit is configured to:
determining whether a third security authentication result of the target user is passed;
if the third security authentication result of the target user is passed, enabling the risk confirmation unit to determine whether the behavior risk parameter of the target user is a first parameter;
and if the third security authentication result of the target user does not pass, enabling the feedback unit to generate login-preventing feedback information, and sending the login-preventing feedback information to the user equipment.
11. A computer-readable storage medium storing a computer program for executing the user authentication method according to any one of claims 1 to 5.
12. An electronic device, comprising:
a processor;
a memory for storing the processor-executable instructions;
the processor is configured to read the executable instructions from the memory and execute the instructions to implement the user authentication method of any one of claims 1 to 5.
CN202011459534.2A 2020-12-11 2020-12-11 User authentication method and device Pending CN113051545A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202011459534.2A CN113051545A (en) 2020-12-11 2020-12-11 User authentication method and device

Publications (1)

Publication Number Publication Date
CN113051545A true CN113051545A (en) 2021-06-29

Family

ID=76508081

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20210629