CN114791998A - Identity authentication method, related device and system

Publication number: CN114791998A
Application number: CN202110102425.3A
Authority: CN (China)
Legal status: Pending
Other languages: Chinese (zh)
Inventors: 王开荣, 熊晟, 金妍红, 沈泽洋
Current Assignee: Huawei Technologies Co Ltd
Original Assignee: Huawei Technologies Co Ltd
Application filed by: Huawei Technologies Co Ltd
Priority: CN202110102425.3A
Prior art keywords: user, authentication, model, distributed system, characteristic

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31 User authentication
    • G06F21/32 User authentication using biometric data, e.g. fingerprints, iris scans or voiceprints
    • G06F21/41 User authentication where a single sign-on provides access to a plurality of computers

Abstract

The embodiments of the application provide an identity authentication method, a related device and a system. The method is applied to a distributed system formed by a plurality of electronic devices, the plurality of electronic devices including a first device, a second device and a third device, and the method includes the following steps: the first device authenticates a first user according to a first user characteristic of the first user to obtain a first authentication result of the first user; the first device shares the first authentication result with the electronic devices in the distributed system; if the first authentication result is that the authentication is passed, the second device shares a user model of the first user with the electronic devices in the distributed system, wherein the user model of the first user comprises user characteristics used for describing the first user; and if the third device determines, according to the user model of the first user, that the first user is within a preset range, the third device determines that the first user is legitimate. With the embodiments of the application, security is ensured, the number of times a user performs an authentication operation when switching devices is reduced, and the devices become much more convenient to use.

Description

Identity authentication method, related device and system
Technical Field
The present application relates to the field of information security technologies, and in particular, to an identity authentication method, a related device, and a system.
Background
When a user uses an electronic device such as a mobile phone or a tablet computer, the user often needs to perform identity authentication manually. When the identity authentication is passed, the user can normally access functions, applications and the like on the electronic device, which prevents an unauthorized user from stealing information through the electronic device and ensures security. There are various identity authentication methods, such as traditional methods including password authentication and graphic authentication, and biometric methods including fingerprint authentication and face authentication. Different electronic devices may use different authentication methods. When a user switches to another electronic device, the user often needs to manually perform identity authentication again on the device the user wants to use, which is tedious and results in a poor user experience. Therefore, how to avoid repeated identity authentication when a user switches devices while ensuring security is a problem being studied by those skilled in the art.
Disclosure of Invention
The embodiments of the application disclose an identity authentication method, a related device and a system, which solve the problem of repeated identity authentication when a user switches devices while ensuring security, reduce the number of times the user performs an authentication operation when switching devices, and make the devices much more convenient to use.
In a first aspect, an embodiment of the present application discloses an identity authentication method applied to a distributed system formed by a plurality of electronic devices, where the plurality of electronic devices include a first device, a second device, and a third device, and the method includes: the first device authenticates a first user according to a first user characteristic of the first user to obtain a first authentication result of the first user; the first device shares the first authentication result with the electronic devices in the distributed system; if the first authentication result is that the authentication is passed, the second device shares a user model of the first user with the electronic devices in the distributed system, wherein the user model of the first user comprises user characteristics used for describing the first user; and if the third device determines, according to the user model of the first user, that the first user is within a preset range, the third device determines that the first user is legitimate.
Wherein the second device may be a plurality of devices. The third device may be any device in the distributed system, that is, any device in the distributed system may have an identity authentication requirement, and may be used to determine whether the user is legal.
In this application, after the first user passes authentication on the first device, the multiple devices in the distributed system may determine that the first user is a legitimate user. If the first user wants to use the third device, the third device can identify the user according to the shared user model of the first user and can exempt the legitimate first user from authentication directly, which reduces the number of times a legitimate user performs an authentication operation when switching devices, so that authentication on one device carries over to multiple devices. A plurality of devices in the distributed system can track the first user continuously and in multiple dimensions to obtain the user model of the first user. Compared with an authentication mode based on a single user characteristic and a one-time authentication mode, identifying the user through the user model of the first user is more secure and reliable.
In one possible implementation, the method further includes: if the first authentication result is that the authentication is passed, the second device acquires the user characteristics of the first user at a plurality of time points, wherein the user characteristics of the first user at the plurality of time points are used for determining the user model of the first user.
In this application, a plurality of devices in the distributed system can track the first user continuously and in multiple dimensions to obtain the user model of the first user. Compared with an authentication mode based on a single user characteristic and a one-time authentication mode, identifying the user through the user model of the first user is more secure and reliable.
In one possible implementation manner, the user features of the first user at the multiple time points include a first feature and a second feature, and the confidence of the first feature is greater than that of the second feature; the method further comprises the following steps: the second device determines a user model of the first user according to user characteristics of the first user at multiple time points, wherein the user model of the first user comprises a third characteristic and a fourth characteristic, the first characteristic and the third characteristic are of the same type, the second characteristic and the fourth characteristic are of the same type, the similarity degree of the first characteristic and the third characteristic is greater than or equal to a preset threshold value, and the similarity degree of the second characteristic and the fourth characteristic is less than the preset threshold value; the second device updates a user model of the first user using the second feature.
The updating of the user model of the first user may be triggered when the first authentication result is that the authentication passes, or may be triggered within a preset period.
In this application, the second device may update the established user model periodically or when triggered, so that the updated user model is more consistent with the user it describes, that is, the user model is more credible. Identifying the user through a more credible user model is more secure and reliable.
In a possible implementation manner, before the third device determines that the first user is legitimate if it determines, according to the user model of the first user, that the first user is within a preset range, the method further includes: the second device determines, according to user characteristics of the first user at multiple time points, that the first user is within the preset range, and shares first indication information with the electronic devices in the distributed system, wherein the first indication information is used for indicating that the first user is within the preset range; and the third device determining that the first user is legitimate if it determines, according to the user model of the first user, that the first user is within a preset range includes: the third device determines, according to the user model of the first user and the first indication information, that the first user is within the preset range, and the third device determines that the first user is legitimate.
In this application, the second device may perform behavior prediction on the first user and determine whether the first user wants to use any device in the distributed system. The third device is notified when the first device determines that the first user wants to use the third device. After receiving the notification, the third device may identify the user according to the user model of the first user, and exempt the first user from authentication when it determines that the first user is legitimate. The whole process is imperceptible to the user: the user does not need to operate the third device and can use it without authenticating, which makes the third device convenient to use.
In a possible implementation manner, the third device determining that the first user is legitimate if it determines, according to the user model of the first user, that the first user is within a preset range includes: the third device receives a first user operation of the first user; and the third device determines, according to the first user operation and the user model of the first user, that the first user is within the preset range, and the third device determines that the first user is legitimate.
In one possible implementation, the method further includes: if the first authentication result is that the authentication is passed, the second device shares second indication information with the electronic devices in the distributed system, wherein the second indication information is used for indicating that the user model of the first user is associated with the distributed system to which the first device belongs; and the third device determining that the first user is legitimate if it determines, according to the user model of the first user, that the first user is within a preset range includes: the third device determines, according to the user model of the first user, that the first user is within the preset range; and the third device determines, according to the second indication information, that the third device belongs to the distributed system associated with the user model of the first user, and the third device determines that the first user is legitimate.
In one possible implementation, the method further includes: if the first authentication result is that the first user passes the authentication, the first device shares the first user characteristic of the first user with the electronic devices in the distributed system; and the third device determining that the first user is legitimate if it determines, according to the user model of the first user, that the first user is within a preset range includes: the third device determines, according to the user model of the first user, that the first user is within a preset range; and the third device authenticates the first user according to the first user characteristic to obtain a second authentication result of the first user, wherein the second authentication result is used for indicating whether the first user is legitimate.
In this application, after the first user characteristic of the first user passes authentication on the first device, if the first user wants to use the third device, the third device may identify the user according to the shared user model of the first user and authenticate the first user characteristic to obtain a second authentication result. The third device can judge from the second authentication result whether authentication is required, so the user does not need to perform the authentication process manually, which reduces the number of times the user performs an authentication operation when switching devices and makes the devices much more convenient to use.
In one possible implementation manner, the user characteristics of the first user at multiple time points are acquired by one or more electronic devices in the distributed system at different time points.
In this application, the user characteristics used for determining the user model are obtained by the plurality of electronic devices in the distributed system from different angles, so the user model is more consistent with the user it describes, that is, the user model is more credible. Identifying the user through a more credible user model is more secure and reliable.
In a possible implementation manner, the preset range is a range with respect to the distributed system, or a range with respect to the third device.
In a possible implementation manner, any one of the electronic devices in the distributed system is a device that needs to authenticate the validity of the user identity before use.
In this application, any device in the distributed system may have an identity authentication requirement and may be used to determine whether the user is legitimate, that is, any device may be the third device. Even if the third device has no acquisition capability, it can identify the user according to the shared user model of the first user, so usability is high.
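The first-aspect flow above, as an added Python example that is not part of the patent text: the second device's model-update rule (a matching higher-confidence feature vouches for refreshing a drifted lower-confidence one) and the third device's fail-closed exemption decision. The function and class names, cosine similarity as the similarity measure, the 0.8 threshold, the 3 m range and the "face"/"gait" feature types are all assumptions made for illustration.

```python
from dataclasses import dataclass
from math import sqrt

THRESHOLD = 0.8        # assumed value for the "preset threshold"
PRESET_RANGE_M = 3.0   # assumed value for the "preset range" around the third device


@dataclass
class Feature:
    kind: str          # feature type, e.g. "face" or "gait" (constructed examples)
    vector: list
    confidence: float  # confidence assigned by the collecting device


@dataclass
class UserModel:
    user_id: str
    system_id: str     # stands in for the second indication information
    features: dict     # feature type -> reference vector


def similarity(a, b):
    """Cosine similarity; 0.0 for a zero vector so a blank reading never matches."""
    norm = sqrt(sum(x * x for x in a)) * sqrt(sum(y * y for y in b))
    return sum(x * y for x, y in zip(a, b)) / norm if norm else 0.0


def anchor(model, observed):
    """Highest-confidence observed feature with a counterpart in the model,
    returned only if it matches that counterpart; otherwise None."""
    known = [f for f in observed if f.kind in model.features]
    if not known:
        return None
    best = max(known, key=lambda f: f.confidence)
    matched = similarity(best.vector, model.features[best.kind]) >= THRESHOLD
    return best if matched else None


def update_model(model, observed):
    """Second device: refresh lower-confidence features that no longer match,
    but only when a higher-confidence feature still matches the model.
    Returns the feature types that were updated."""
    first = anchor(model, observed)
    if first is None:
        return []  # nothing vouches for these readings: leave the model alone
    updated = []
    for second in observed:
        if second.confidence >= first.confidence or second.kind not in model.features:
            continue
        if similarity(second.vector, model.features[second.kind]) < THRESHOLD:
            model.features[second.kind] = list(second.vector)
            updated.append(second.kind)
    return updated


def third_device_decision(device_system_id, first_auth_passed, model, observed, distance_m):
    """Third device: 'exempt' only if every condition holds, else 'authenticate'.
    observed/distance_m come from its own sensors or from the first indication
    information shared by the second device (assumed encoding)."""
    if not first_auth_passed or model is None:
        return "authenticate"   # no shared first authentication result
    if model.system_id != device_system_id:
        return "authenticate"   # model is bound to another distributed system
    if distance_m > PRESET_RANGE_M:
        return "authenticate"   # user is outside the preset range
    if anchor(model, observed) is None:
        return "authenticate"   # the person nearby does not match the model
    return "exempt"


def sample_model():
    """Constructed user model for the demonstration."""
    return UserModel("user-1", "home-1",
                     {"face": [1.0, 0.0, 0.0], "gait": [0.0, 1.0, 0.0]})


# Constructed observations: same face with a changed gait, and a different face.
SAME_USER = [Feature("face", [0.98, 0.1, 0.0], 0.95), Feature("gait", [0.0, 0.2, 1.0], 0.6)]
STRANGER = [Feature("face", [0.0, 1.0, 0.0], 0.95), Feature("gait", [0.0, 0.2, 1.0], 0.6)]

if __name__ == "__main__":
    model = sample_model()
    print(update_model(model, SAME_USER))
    print(third_device_decision("home-1", True, model, SAME_USER, 1.5))
    print(third_device_decision("home-1", True, model, STRANGER, 1.5))
```

Refusing to update when no higher-confidence feature matches keeps readings from an unrecognised person out of the shared model, and the decision function falls back to explicit authentication whenever any single condition is missing.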
In a second aspect, an embodiment of the present application discloses another identity authentication method, which is applied to a second device in a distributed system, where the distributed system is composed of multiple electronic devices, and the multiple electronic devices include a first device, the second device, and a third device, and the method includes: the second device acquires a first authentication result of a first user from the distributed system, wherein the first authentication result is obtained by the first device authenticating the first user according to a first user characteristic of the first user; if the first authentication result is that the authentication is passed, the second device shares the user model of the first user with the electronic devices in the distributed system, and the user model of the first user comprises user characteristics for describing the first user; the user model of the first user is used for tracking the first user, and the first user is legitimate when the first user is within a preset range.
In this application, after the first user passes authentication on the first device, the multiple devices in the distributed system may determine that the first user is a legitimate user. If the first user wants to use the third device, the third device can identify the user according to the shared user model of the first user and can exempt the legitimate first user from authentication directly, which reduces the number of times a legitimate user performs an authentication operation when switching devices, so that authentication on one device carries over to multiple devices. A plurality of devices in the distributed system can track the first user continuously and in multiple dimensions to obtain the user model of the first user. Compared with an authentication mode based on a single user characteristic and a one-time authentication mode, identifying the user through the user model of the first user is more secure and reliable.
In one possible implementation, the method further includes: if the first authentication result is that the authentication is passed, the second device acquires the user characteristics of the first user at a plurality of time points, wherein the user characteristics of the first user at the plurality of time points are used for determining the user model of the first user.
In this application, a plurality of devices in the distributed system can track the first user continuously and in multiple dimensions to obtain the user model of the first user. Compared with an authentication mode based on a single user characteristic and a one-time authentication mode, identifying the user through the user model of the first user is more secure and reliable.
In one possible implementation manner, the user features of the first user at the multiple time points include a first feature and a second feature, and the confidence of the first feature is greater than that of the second feature; the method further comprises the following steps: the second device determines a user model of the first user according to user characteristics of the first user at multiple time points, wherein the user model of the first user comprises a third characteristic and a fourth characteristic, the first characteristic and the third characteristic are of the same type, the second characteristic and the fourth characteristic are of the same type, the similarity degree of the first characteristic and the third characteristic is greater than or equal to a preset threshold value, and the similarity degree of the second characteristic and the fourth characteristic is less than the preset threshold value; the second device updates a user model of the first user using the second feature.
The updating of the user model of the first user may be triggered when the first authentication result is that the authentication passes, or may be triggered within a preset period.
In this application, the second device may update the established user model periodically or when triggered, so that the updated user model is more consistent with the user it describes, that is, the user model is more credible. Identifying the user through a more credible user model is more secure and reliable.
In one possible implementation, the method further includes: the second device determines, according to the user characteristics of the first user at multiple time points, that the first user is within the preset range, and shares first indication information with the electronic devices in the distributed system, wherein the first indication information is used for indicating that the first user is within the preset range and is used by the electronic devices in the distributed system to determine that the first user is legitimate.
In this application, the second device may perform behavior prediction on the first user and determine whether the first user wants to use any device in the distributed system. The third device is notified when the first device determines that the first user wants to use the third device. After receiving the notification, the third device may identify the user according to the user model of the first user, and exempt the first user from authentication when it determines that the first user is legitimate. The whole process is imperceptible to the user: the user does not need to operate the third device and can use it without authenticating, which makes the third device convenient to use.
In one possible implementation, the method further includes: if the first authentication result is that the authentication is passed, the second device shares second indication information with the electronic devices in the distributed system, wherein the second indication information is used for indicating that the user model of the first user is associated with the distributed system to which the first device belongs, and is used by an electronic device in the distributed system to determine that the first user is legitimate when that device determines that the first user is within a preset range.
In one possible implementation manner, the user characteristics of the first user at multiple time points are acquired by one or more electronic devices in the distributed system at different time points.
In this application, the user characteristics used for determining the user model are obtained by the electronic devices in the distributed system from different angles, so the user model is more consistent with the user it describes, that is, the user model is more credible. Identifying the user through a more credible user model is more secure and reliable.
In a possible implementation manner, the preset range is a range with respect to the distributed system, or a range with respect to the third device.
In a possible implementation manner, any one of the electronic devices in the distributed system is a device that needs to authenticate the validity of the user identity before use.
In this application, any device in the distributed system may have an identity authentication requirement and may be used to determine whether the user is legitimate, that is, any device may be the third device. Even if the third device has no acquisition capability, it can identify the user according to the shared user model of the first user, so usability is high.
In a third aspect, an embodiment of the present application discloses another identity authentication method, which is applied to a third device in a distributed system, where the distributed system is composed of a plurality of electronic devices, and the plurality of electronic devices include a first device, a second device, and the third device, and the method includes: the third device obtains a user model of a first user from the distributed system, wherein the user model of the first user is obtained by the second device when a first authentication result of the first user is that the authentication is passed, the user model of the first user comprises user characteristics used for describing the first user, and the first authentication result is obtained by the first device authenticating the first user according to a first user characteristic of the first user; and if the third device determines, according to the user model of the first user, that the first user is within a preset range, the third device determines that the first user is legitimate.
In this application, after the first user passes authentication on the first device, the multiple devices in the distributed system may determine that the first user is a legitimate user. If the first user wants to use the third device, the third device can identify the user according to the shared user model of the first user and can exempt the legitimate first user from authentication directly, which reduces the number of times a legitimate user performs an authentication operation when switching devices, so that authentication on one device carries over to multiple devices. A plurality of devices in the distributed system can track the first user continuously and in multiple dimensions to obtain the user model of the first user. Compared with an authentication mode based on a single user characteristic and a one-time authentication mode, identifying the user through the user model of the first user is more secure and reliable.
In a possible implementation manner, the third device determining that the first user is legitimate if it determines, according to the user model of the first user, that the first user is within a preset range includes: the third device determines, according to the user model of the first user and first indication information, that the first user is within the preset range, and determines that the first user is legitimate, wherein the first indication information is used for indicating that the first user is within the preset range and is obtained by the second device according to user characteristics of the first user at multiple time points.
In this application, the second device may perform behavior prediction on the first user and determine whether the first user wants to use any device in the distributed system. The third device is notified when the first device determines that the first user wants to use the third device. After receiving the notification, the third device may identify the user according to the user model of the first user, and exempt the first user from authentication when it determines that the first user is legitimate. The whole process is imperceptible to the user: the user does not need to operate the third device and can use it without authenticating, which makes the third device convenient to use.
In a possible implementation manner, the third device determining that the first user is legitimate if it determines, according to the user model of the first user, that the first user is within a preset range includes: the third device receives a first user operation of the first user; and the third device determines, according to the first user operation and the user model of the first user, that the first user is within the preset range, and the third device determines that the first user is legitimate.
In a possible implementation manner, the third device determining that the first user is legitimate if it determines, according to the user model of the first user, that the first user is within a preset range includes: the third device determines, according to the user model of the first user, that the first user is within the preset range; and the third device determines, according to second indication information, that the third device belongs to the distributed system associated with the user model of the first user, and the third device determines that the first user is legitimate, where the second indication information is determined by the second device when the first authentication result is that the authentication is passed, and the second indication information is used to indicate that the user model of the first user is associated with the distributed system to which the first device belongs.
In a possible implementation manner, the third device determining that the first user is legitimate if it determines, according to the user model of the first user, that the first user is within a preset range includes: the third device determines, according to the user model of the first user, that the first user is within a preset range; and the third device authenticates the first user according to the first user characteristic to obtain a second authentication result of the first user, wherein the second authentication result is used for indicating whether the first user is legitimate.
In this application, after the first user characteristic of the first user passes authentication on the first device, if the first user wants to use the third device, the third device may identify the user according to the shared user model of the first user and authenticate the first user characteristic to obtain a second authentication result. The third device can judge from the second authentication result whether authentication is required, so the user does not need to perform the authentication process manually, which reduces the number of times the user performs an authentication operation when switching devices and makes the devices much more convenient to use.
In one possible implementation manner, the user characteristics of the first user at multiple time points are acquired by one or more electronic devices in the distributed system at different time instants.
In this application, the user characteristics used for determining the user model are obtained by the plurality of electronic devices in the distributed system from different angles, so the user model is more consistent with the user it describes, that is, the user model is more credible. Identifying the user through a more credible user model is more secure and reliable.
In a possible implementation manner, the preset range is a range with respect to the distributed system, or a range with respect to the third device.
In a possible implementation manner, any one of the electronic devices in the distributed system is a device that needs to authenticate the validity of the user identity before use.
In this application, any device in the distributed system may have an identity authentication requirement, and may be used to determine whether the user is legal, that is, any device may be the third device. Even if the third device does not have the acquisition capacity, the user identity can be identified according to the shared user model of the first user, and the usability is high.
In a fourth aspect, an embodiment of the present application discloses a distributed system, including a plurality of electronic devices, where the plurality of electronic devices include a first device, a second device, and a third device, where: the first device is used for authenticating a first user according to first user characteristics of the first user to obtain a first authentication result of the first user, and the first authentication result is shared with the electronic device in the distributed system; the second device is used for sharing the user model of the first user with the electronic devices in the distributed system when the first authentication result is authentication passing, and the user model of the first user comprises user characteristics used for describing the first user; and the third device is used for determining that the first user is in a preset range according to the user model of the first user and determining that the first user is legal.
In this application, after the first user passes the authentication of the first device, the multiple devices in the distributed system may determine that the first user is a valid user. If the first user wants to use the third device, the third device can identify the user identity according to the shared user model of the first user, and can directly avoid authentication for the legal first user, so that the times of executing authentication operation when the legal user switches the devices are reduced, and the effect of one-end authentication and multi-end authentication is realized. A plurality of devices in the distributed system can continuously and multi-dimensionally track the first user and obtain a user model of the first user, and compared with an authentication mode with a single user characteristic and a one-time authentication mode, the safety and reliability of user identity identification through the user model of the first user are higher.
The first device is the first device described in the first aspect or any one of the possible manners of the first aspect. The second device is the second device described in the first and second aspects or in any one of the possible manners of the first and second aspects. The third device is the third device described in the first and third aspects or in any one of the possible manners of the first and third aspects.
In a fifth aspect, an embodiment of the present application discloses an electronic device, which includes one or more memories and one or more processors, the one or more memories being coupled with the one or more processors. The one or more memories are configured to store a computer program, and the one or more processors are configured to invoke the computer program. The computer program includes instructions that, when executed by the one or more processors, cause the electronic device to perform the identity authentication method described in the first aspect, the second aspect, and the third aspect, or any one of the possible manners of the first aspect, the second aspect, and the third aspect. The electronic device is the first device, the second device or the third device.
In a sixth aspect, an embodiment of the present application discloses a computer storage medium, which includes a computer program including instructions that, when executed on a processor, implement the identity authentication method described in the first aspect, the second aspect, and the third aspect, or any one of the possible manners of the first aspect, the second aspect, and the third aspect.
In a seventh aspect, an embodiment of the present application discloses a chip system, where the chip system includes at least one processor, a memory, and an interface circuit, where the memory, the interface circuit, and the at least one processor are interconnected by a line, and a computer program is stored in the memory, and when the computer program is executed by the at least one processor, the identity authentication method described in the first aspect, the second aspect, and the third aspect, or any one of the possible manners of the first aspect, the second aspect, and the third aspect, is implemented.
Drawings
The drawings used in the embodiments of the present application are described below.
Fig. 1 is a schematic diagram of an identity authentication scenario provided in an embodiment of the present application;
Fig. 2 is a schematic architecture diagram of an identity authentication system according to an embodiment of the present application;
Figs. 3-4 are schematic structural diagrams of some electronic devices provided by the embodiments of the present application;
Fig. 5 is a schematic structural diagram of another identity authentication system provided in an embodiment of the present application;
Figs. 6-10 are flow charts illustrating some identity authentication methods provided in embodiments of the present application.
Detailed Description
The technical solutions in the embodiments of the present application will be described in detail and clearly with reference to the accompanying drawings. The terminology used in the description of the embodiments of the examples herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the application.
Referring to fig. 1, fig. 1 is a schematic diagram of an identity authentication scenario 10 according to an embodiment of the present disclosure. The scene 10 may be a home scene, an office scene, or the like, and a plurality of electronic devices (hereinafter, referred to as devices for short) may exist in the scene 10. A user 100 may exist in the scenario 10, and the user 100 may carry a first device 101 and a second device 102. There may be three rooms under the scene 10: a first room 110, a second room 120, a third room 130, any one of which may have equipment placed therein. Specifically, the first room 110 may house the third device 111, the fourth device 112, and the fifth device 113, the second room 120 may house the sixth device 121 and the seventh device 122, and the third room 130 may house the eighth device 131 and the ninth device 132. The user 100 may be located anywhere under the scene 10.
A plurality of devices in the scenario 10 may form at least one system, and the application takes the case that a plurality of devices in the scenario 10 form one system as an example, and specific examples can refer to the first system 20 shown in fig. 2.
When the user 100 uses any one of the devices in the scenario 10, the device may perform an authentication process of the user identity. For example, the first device 101 may perform continuous authentication of touch screen behavior while the user 100 uses the first device 101. The first device 101 may continuously obtain touch screen behavior information of the user 100 (e.g., a position, an area of the touch region, an occurrence timestamp, a touch frequency, a pressure magnitude, etc.), and then compare it with a pre-established touch screen behavior sample to determine whether the two are consistent. If they are consistent, the first device 101 confirms that the user 100 is a legitimate user; if they are inconsistent, the first device 101 confirms that the user 100 is not a legitimate user. The touch screen behavior sample may be obtained by the first device 101 by learning touch screen behavior information multiple times, and may be used to represent the touch screen behavior information of a legitimate user. The reliability of this authentication mode is closely related to the quality of the user touch screen behavior sample: if the number of samples is small or the quality of the samples is poor, the reliability of the authentication result is low and the misjudgment rate is high. For another example, the first device 101 may perform continuous authentication of face information while the user 100 uses the first device 101. Specifically, the first device 101 may continuously acquire the face information of the user 100, and determine from it whether the user in the sampling region has changed. This authentication mode is limited: it only judges whether the user in the image acquisition area has changed, so its security is low.
In addition, the two authentication modes in the above examples consume considerable device power, which tends to drain the device too quickly and makes them less practical. Moreover, the authentication modes of different devices may differ. When the user 100 switches to another device in the scene 10, that device still needs to perform the authentication process of the user identity, which is tedious and results in a poor user experience.
The embodiment of the application provides an identity authentication method which can be applied to an identity authentication system. The system may be a distributed system comprising a plurality of devices. The system can continuously perform multi-dimensional human body tracking on the user in the near-field three-dimensional space of the system, namely continuously acquiring various types of user characteristics of the user and identifying the identity of the user according to the acquired user characteristics. The result obtained by human body tracking (tracking result for short) is used for representing the identity of the user. The tracking result can be shared in the identity authentication system, and is used for any equipment in the system to identify the identity of the user and determine whether to exempt authentication. If the user is a legal user, authentication can be determined to be avoided, wherein the legal user can be a user authenticated by any equipment in the identity authentication system. Therefore, when a legal user uses any one device in the identity authentication system, authentication can be avoided, and the effect of one-end authentication and multi-end authentication can be realized. And the tracking result is obtained according to the continuously acquired multi-dimensional user characteristics, and compared with an authentication mode with single user characteristics, the method is more accurate and reliable and has higher safety. A plurality of devices in the distributed system cooperatively acquire the tracking result, so that the requirement on the power consumption of the devices is low, and the usability is better.
The distributed system shown in the following embodiment is an identity authentication system, and is used for implementing the identity authentication method in the present application.
It should be noted that "authentication-free" means that the user is not required to manually perform an authentication process of the user identity (hereinafter referred to as a manual authentication process), and the user can directly view, on the device, the user interface displayed after authentication passes. From the user's side, the manual authentication process includes, for example: the user placing a finger on the fingerprint sensing area of the device, or the user entering a password on the device. From the device's side, the manual authentication process includes, for example: the device automatically collecting fingerprint characteristics and authenticating them, or the device acquiring a password entered by the user and authenticating it. Therefore, the process in which the device identifies the user identity according to the tracking result shared by the distributed system and determines authentication exemption is imperceptible to the user, which improves the user experience.
Illustratively, the user 100 may manually perform identity authentication (e.g., fingerprint authentication, face authentication, etc.) using a device in the scene 10, such as the first device 101, for the first time. In the case that the identity authentication passes, the first device 101 may determine that the user 100 is a legitimate user, and share the authentication result to other devices in the scenario 10. The multiple devices in the scene 10 may acquire the user characteristics of the user 100 from various angles in the three-dimensional space of the near field, and obtain the tracking result according to the user characteristics. The tracking result indicates that the currently tracked user is the user 100, and the user 100 is a legal user. The tracking results may be shared to provide a basis for cross-device authentication. For example, when the user 100 is in the first room 110, the third device 111 and the fourth device 112 may acquire the location of the user 100 through a near-field positioning technology (e.g., bluetooth, Wi-Fi (wireless fidelity), Ultra Wide Band (UWB), etc.), and the fifth device 113 may acquire an image of the user 100. When the user 100 leaves the first room 110 and enters the third room 130, the eighth device 131 may capture a voiceprint of the user 100 and the ninth device 132 may capture an image of the user 100. The image of the user can be used for obtaining characteristics of the user, such as face information, body information, behavior information, position information and the like. When the user 100 triggers the authentication of the eighth device 131 (for example, the user 100 presses a key of the eighth device 131), the eighth device 131 may determine that the user to be authenticated currently is the user 100 and the user 100 is a legal user according to the shared tracking result. 
At this time, the eighth device 131 may directly display a user interface when the authentication passes, for example, a desktop of the eighth device 131. That is to say, a plurality of devices in the distributed system can realize continuous and user-insensitive device access control according to the tracking result, thereby ensuring the security and improving the user experience.
In some embodiments, the tracking result is a user model. That is, the distributed system may share user models; one user model may characterize one user, and different users may correspond to different user models. Alternatively, the user model may be a data set that includes a variety of user characteristics describing the user. The user characteristics are characteristic data that characterize the user identity and can be obtained by analyzing and processing the collected user characteristics, for example biological characteristics, physical characteristics, behavioral characteristics, and the like. Examples of biological characteristics include, but are not limited to: fingerprint, voiceprint, face, heart rate, pulse, etc. Physical characteristics include, for example and without limitation: height, length of limbs, etc. Behavioral characteristics include, for example and without limitation: signature, gait, touch screen behavior (such as key press rhythm), etc. That is, the present application may quantify a user by a data set of user characteristics. The present application takes the case where the tracking result is a user model as an example for explanation.
It is understood that the scenario 10 shown in fig. 1 is only an example, and in a specific implementation, the number of devices, the number of rooms, the number of users, and the number of devices carried by the user in the scenario 10 may be more or less.
The device related in the embodiment of the present application may be, but not limited to, a smart television, a smart camera, a smart speaker, a smart projector, a smart router, a smart gateway and other home devices, a smart bracelet, smart glasses and other wearable devices, or other mobile phones, tablet computers, handheld computers, Personal Digital Assistants (PDA), desktop computers, laptop computers, notebook computers, Ultra-mobile Personal computers (UMPC), netbooks, smart screens and other devices.
Exemplarily, in the scene 10 shown in fig. 1, the first device 101 is a mobile phone, the second device 102 is a smart band, the third device 111 is a smart router, the fourth device 112 is a smart projector, the sixth device 121 is a smart speaker, the eighth device 131 is a smart television, and the fifth device 113, the seventh device 122, and the ninth device 132 are all smart cameras.
Referring to fig. 2, fig. 2 is a schematic diagram of an architecture of a first system 20 according to an embodiment of the present disclosure. The first system 20 is a distributed system.
As shown in fig. 2, the first system 20 may include a plurality of devices that may be connected and communicate with each other in a wired and/or wireless manner. The wired manner may include at least one of: Universal Serial Bus (USB), twisted pair, coaxial cable, optical fiber, gateway devices (e.g., routers, access points (APs)), and the like. The wireless manner may include at least one of: Wi-Fi, Bluetooth, cellular, etc.
In some embodiments, the devices and connection medium under the first system 20 may form and communicate over a local area network.
In some embodiments, multiple devices under the first system 20 may be trusted devices with respect to each other. For example, an application program (for example, but not limited to, hua smart home) for implementing communication may be installed on a terminal device such as a mobile phone, a tablet computer, and a smart band. The application may log into an account, which may be subsequently referred to as an account application. The network may include an application server corresponding to the account application (which may be referred to as an account application server hereinafter). The device with the account application installed can log in the same account or a related account through the account application, so that communication is carried out through the account application server. Other devices except the terminal device can be connected to the account application server in a wireless mode such as Bluetooth or a wired mode such as USB, for example, a user can manually add smart home devices to smart home through Bluetooth. The account application server may identify whether any electronic device is trusted, for example, a device that has been connected or has been connected to the account application server for a predetermined period of time is trusted.
Without being limited to this, in a specific implementation, the device may also be authenticated first, and in case of passing the authentication, the device is a trusted device, that is, belongs to the first system 20. For example, a device may only access a Wi-Fi network (i.e., belonging to the first system 20) if password authentication is passed. Alternatively, the plurality of devices in the first system 20 implement single sign-on (SSO) through cookie, json, or the like. The present application does not limit the communication method of the plurality of devices in the first system 20.
Illustratively, the first system 20 may be the internet of things (IOT) in a home scenario, or a group of smart devices.
The first system 20 in this application may be a distributed system, that is, a plurality of devices in the system cooperate with each other, for example, the plurality of devices in the first system 20 cooperate with each other to acquire user characteristics of a user, and the acquired user characteristics may be shared. The distributed system realizes resource integration among multiple devices, reduces the processing pressure of a single device and has high availability.
In some embodiments, there may be at least one general control device in the distributed system for comprehensively scheduling the implementation of the identity authentication process. For convenience of description, the present application takes the case where there is one general control device in the first system 20 as an example. Illustratively, the general control device distributes the process of determining the tracking result across a plurality of devices, that is, the plurality of devices in the first system 20 cooperate to determine the tracking result according to the shared user characteristics. Tracking results may also be shared. The shared data may be stored scattered across multiple devices in the first system 20.
In some embodiments, the distributed storage of the first system 20 may be that a plurality of devices in the first system 20 store through a local memory, for example, a portion of the devices store the user model, a portion of the devices store the collected user characteristics, and a portion of the devices store the authenticated user characteristics (which may be referred to as authentication credentials).
Without being limited thereto, in particular implementations, the distributed storage of the first system 20 is also implemented by at least one server. For example, the plurality of devices in the first system 20 may be connected to at least one server, where the server may be a hardware server or a cloud server. Alternatively, the at least one server may be a database-mounted server from which any one of the devices in the first system 20 may download data and upload data to the server. The at least one server may store the collected user characteristics, the established user model, the related information of the user model, the tracking result, and the like.
An exemplary electronic device provided by embodiments of the present application is described next.
Referring to fig. 3, fig. 3 schematically illustrates a structure of an electronic device 30. The electronic device 30 may be any one of the devices in the scenario 10 shown in fig. 1, and may also be any one of the devices in the first system 20 shown in fig. 2. The electronic device 30 may include a processor 310, a memory 320, and a transceiver 330, and the processor 310, the memory 320, and the transceiver 330 may be connected to each other by a bus.
The processor 310 may be one or more Central Processing Units (CPUs), and in the case that the processor 310 is one CPU, the CPU may be a single-core CPU or a multi-core CPU. The memory 320 includes, but is not limited to, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM), or a portable read-only memory (CD-ROM), and the memory 320 is used for storing related computer programs and data.
The transceiver 330 is used to receive and transmit data. In some embodiments, the transceiver 330 may provide a solution for wireless communications including 2G/3G/4G/5G, etc. applied on the electronic device 30. In some embodiments, the transceiver 330 may provide a solution for wireless communication applied on the electronic device 30, including Wireless Local Area Networks (WLANs) (e.g., Wi-Fi networks), Bluetooth (BT), Global Navigation Satellite System (GNSS), Frequency Modulation (FM), Near Field Communication (NFC), Infrared (IR), and the like. The electronic device 30 may communicate with the network and other devices using wireless communication techniques through the transceiver 330. The wireless communication technology may include global system for mobile communications (GSM), General Packet Radio Service (GPRS), Code Division Multiple Access (CDMA), Wideband Code Division Multiple Access (WCDMA), time-division code division multiple access (TD-SCDMA), long term evolution (LTE), BT, GNSS, WLAN, NFC, FM, and/or IR technologies, among others. The GNSS may include a Global Positioning System (GPS), a global navigation satellite system (GLONASS), a beidou satellite navigation system (BDS), a quasi-zenith satellite system (QZSS), and/or a Satellite Based Augmentation System (SBAS).
In some embodiments, the electronic device 30 may also include a display screen. The display screen is used for displaying images, videos, characters and the like. The display screen includes a display panel. The display panel may be a liquid crystal display (LCD), an organic light-emitting diode (OLED), an active-matrix organic light-emitting diode (AMOLED), a flexible light-emitting diode (FLED), a Mini-LED, a Micro-OLED, a quantum dot light-emitting diode (QLED), or the like. Alternatively, the electronic device 30 may include 1 or N display screens, where N is a positive integer greater than 1.
In some embodiments, the electronic device 30 may further include at least one acquisition module, any of which may be used to acquire at least one user characteristic. The present application is described with an example where an acquisition module is used to acquire a user characteristic.
For example, the electronic device 30 may include 1 or N cameras, N being a positive integer greater than 1. The camera is used to capture still images or video. The electronic device 30 may collect facial features of the user through the camera.
For example, the electronic device 30 may include a touch sensor, also referred to as a "touch device". Alternatively, the touch sensor may be disposed on the display screen, and the touch sensor and the display screen form a touch screen, which is also called a "touch screen". When a touch operation is applied to the display screen, the electronic device 30 may detect the intensity, position, etc. of the touch operation through the touch sensor and transfer the detected touch operation to the processor 310 to determine the type of the touch event. Optionally, the electronic device 30 may also provide visual output related to the touch operation through the display screen. Without being limited thereto, the touch sensor may be disposed on the surface of the electronic device 30 at a position different from the position of the display screen. The electronic device 30 may collect the touch screen behavior characteristics (e.g., location, area of touch region, occurrence time stamp, number of touches, pressure magnitude, etc.) of the user through the touch sensor.
For example, the electronic device 30 may include a pulse sensor. In some embodiments, the pulse sensor can detect the pressure changes produced by the arterial pulse and convert them into electrical signals. There are various types of pulse sensors, such as piezoelectric pulse sensors, piezoresistive pulse sensors, and photoelectric pulse sensors. The piezoelectric pulse sensor and the piezoresistive pulse sensor can convert the pressure process of pulse pulsation into signals and output the signals through micro-pressure type materials (such as a piezoelectric sheet, a bridge and the like). The photoelectric pulse sensor can convert the change of the light transmittance of the blood vessel in the pulse beating process into signal output in a reflection or transmission mode or other modes, namely, a pulse signal is obtained through photoplethysmography (PPG). The electronic device 30 may acquire the pulse characteristics of the user through a pulse sensor.
For example, the electronic device 30 may include a heart rate sensor. In some embodiments, the heart rate sensor may acquire a heart rate signal through the PPG. The heart rate sensor can convert the change of the blood vessel dynamics, such as the change of the blood pulse rate (heart rate) or the blood volume (cardiac output), into a signal output by means of reflection or transmission. In some embodiments, the heart rate sensor may measure signals of electrical activity induced in the heart tissue by electrodes attached to the skin of the human body, i.e. the heart rate signal is acquired by Electrocardiography (ECG). The electronic device 30 may acquire the heart rate characteristics of the user via a heart rate sensor.
For example, the electronic device 30 may include at least one microphone. The microphone is used for converting a sound signal into an electric signal. When making a call or sending voice information, the user can input a sound signal into the microphone by speaking with the mouth close to the microphone. The electronic device 30 may capture voiceprint characteristics of the user through a microphone.
In the present application, the electronic device 30 may belong to a distributed system. The electronic device 30 may connect and communicate with other devices in the distributed system via the transceiver 330, for example to share authentication results, tracking results, etc. When the first user triggers authentication on the electronic device 30, for example, when the processor 310 receives the detection signal of the touch sensor, the processor 310 may identify whether the first user is a legitimate user according to the shared tracking result, thereby determining whether to exempt authentication. A legitimate user is a user who has been authenticated by any device in the distributed system and whose authentication result is authentication passed, and the processor 310 may determine whether the user is a legitimate user according to the shared authentication result. When the first user is a legitimate user, the processor 310 may determine authentication exemption and instruct the display screen to display the user interface shown when authentication passes, such as a desktop of the electronic device 30, a specific interface of an application, and the like. Even if the electronic device 30 does not include a collection module, the electronic device 30 can identify the user identity according to the shared tracking result and determine whether to exempt authentication, so usability is high.
The processor 310 in the electronic device 30 may be configured to read the computer program and data stored in the memory 320 and execute the identity authentication method shown in fig. 6-10, where the electronic device 30 may be any one of devices in a distributed system.
Referring to fig. 4, fig. 4 schematically illustrates a structure of another electronic device 30. The electronic device 30 may be any one of the devices in the scenario 10 shown in fig. 1, or may be any one of the devices in the first system 20 shown in fig. 2. The electronic device 30 belongs to a distributed system.
As shown in fig. 4, the electronic device 30 may include an authentication unit 401. The authentication unit 401 is configured to identify a user identity according to a tracking result shared by the distributed system, and determine whether to exempt authentication. The tracking result is used for representing the identity of a user currently tracked by a plurality of devices in the distributed system, and the tracking result can be a user model. When the user to be authenticated is determined to be a legitimate user, the authentication unit 401 determines authentication exemption; when the user to be authenticated is determined not to be a legitimate user, the authentication unit 401 triggers a manual authentication process to obtain an authentication result. A legitimate user is a user who has been authenticated by any device in the distributed system and whose authentication result is authentication passed.
In some embodiments, the electronic device 30 may further comprise an acquisition unit for acquiring at least one user characteristic. Alternatively, the acquisition unit may comprise at least one acquisition subunit, each for acquiring a user characteristic, e.g. an acquisition subunit comprising an acquisition module comprised by the electronic device 30 shown in fig. 3. Illustratively, the face acquisition unit is used for acquiring face features. The gait acquisition unit is used for acquiring gait characteristics. The pulse acquisition unit is used for acquiring pulse characteristics. The heart rate acquisition unit is used for acquiring heart rate characteristics. The touch screen behavior acquisition unit is used for acquiring touch screen behavior characteristics. The position acquisition unit is used for acquiring the position characteristics of the user.
When the authentication unit 401 triggers the manual authentication process of the first user, the collecting unit may collect at least one user characteristic of the first user and provide the user characteristic to the authentication unit 401 for authentication, so as to obtain an authentication result of the first user. The authentication result may be shared to multiple devices in the distributed system. When the authentication result is that the authentication is passed, the plurality of devices in the distributed system may determine that the first user is a legitimate user.
In some embodiments, electronic device 30 may also include a model unit 402. The model unit 402 may determine a user model (i.e., tracking result) of the first user according to the user characteristics of the first user shared by the distributed system, where the user characteristics of the first user shared by the distributed system are acquired by the plurality of devices in the distributed system at different time instances. Multiple devices in the distributed system may also share at least one user model that has been established. Optionally, when the user model of the first user does not exist in the at least one user model, the model unit 402 may perform modeling training (for example, by using a Support Vector Machine (SVM)) based on the shared user feature of the first user to obtain the user model of the first user. Optionally, when the user model of the first user exists in the at least one user model, the model unit 402 may select the user model of the first user from the at least one user model according to the shared user characteristics of the first user.
In some embodiments, electronic device 30 may also include a model management unit 403. When the authentication unit 401 determines that the authentication result of the first user is authenticated, the authentication unit 401 may transmit the authentication result to the model management unit 403. The model unit 402 may also send the user model (i.e., tracking result) of the first user to the model management unit 403. The model management unit 403 may determine that the first user is a valid user according to the user model of the first user and the authentication result of the first user.
In some embodiments, when the authentication unit 401 determines that the authentication result of the first user is that the authentication is passed, the authentication unit 401 may further send the user characteristic of the first user that was authenticated in the manual authentication process (which may be referred to as an authentication credential) to the model management unit 403. The model management unit 403 may bind the authentication credential of the first user and the user model of the first user together. The authentication unit 401 may determine that the user to be authenticated is the first user according to the user model (i.e., the tracking result) of the first user, and authenticate the authentication credential of the first user. When the authentication is passed, the first user is a legitimate user. When the authentication is not passed, the authentication unit 401 may trigger a manual authentication process.
In some embodiments, the electronic device 30 may belong to a plurality of distributed systems. The electronic device 30 may share the authentication result of the first user with devices in the plurality of distributed systems to which it belongs. If the authentication result of the first user is that the authentication is passed, the devices in the multiple distributed systems may all identify the first user as a valid user, and at this time, the user model of the first user may be referred to as being associated with the multiple distributed systems. The model management unit 403 may be used to manage the association of user models and systems. The authentication unit 401 may identify, in cooperation with the model management unit 403, the identity of the user to be authenticated: that is, the user to be authenticated is determined as the first user according to the user model (i.e., the tracking result) of the first user, and then it is determined that the user model of the first user is associated with the distributed system to which the electronic device 30 belongs. When the user model of the first user is associated with the distributed system to which the electronic device 30 belongs, the authentication unit 401 may determine that the first user is a legitimate user, and determine that authentication is not required.
It will be appreciated that a system may also be associated with multiple user models. Optionally, a distributed system may implement device access control for different users according to the user models of the different users. For example, the first system 20 is provided with an access policy: a user may use an entertainment device (e.g., television, computer, cell phone, etc.) in the first system 20 only if the user's height is above a preset height threshold. Assume that the first system 20 is associated with a user model of a first user and a user model of a second user, both of which include the height characteristic of the respective user, wherein the height of the first user is below the preset height threshold and the height of the second user is above the preset height threshold. Thus, when the first user triggers authentication of an entertainment device in the first system 20, the entertainment device will not display the user interface shown when authentication passes, even if the first user is determined to be a legitimate user. When the second user triggers authentication of an entertainment device in the first system 20, the entertainment device may determine that authentication is not required.
In some embodiments, there may be a validity period for each user model, and the model management unit 403 may also be used to manage the validity period of the user model. The starting time of the validity period may be the time when the user characterized by the user model last triggered authentication and was identified as a legitimate user. Or, the starting time of the validity period may be the time when the user characterized by the user model last triggered the manual authentication process and the authentication result was determined to be that the authentication passed. The duration of the validity period may be agreed upon by the plurality of devices in the distributed system; for example, the duration of the validity period of each user model is a preset duration. Optionally, after acquiring the user model (i.e., the tracking result) of the first user, the authentication unit 401 may determine whether the user model is within the validity period. If the user model is within the validity period, the authentication unit 401 may determine that the first user is a legitimate user, and if the user model is not within the validity period, the authentication unit 401 may trigger a manual authentication process. If the authentication result of the first user obtained in the manual authentication process is that the authentication is passed, the model management unit 403 may reset the validity period of the user model of the first user, that is, the start time of the validity period of the user model is set to the time when the authentication result of the first user is determined to be that the authentication is passed (for example, the time when the model management unit 403 receives the authentication result of the first user sent by the authentication unit 401).
Without being limited to the above examples, in a specific implementation, the duration of the validity period may also be determined by the distributed system according to the frequency at which the user characterized by the user model triggers authentication. For example, if the frequency at which the user triggers authentication is greater than a first threshold or less than a second threshold (i.e., the frequency is too high or too low), the distributed system may shorten the duration of the validity period of the user model of the user. Alternatively, the duration of the validity period may be determined by the distributed system based on the length of time for which the user is tracked, such as the length of time for which the user 100 is in the scene 10 shown in FIG. 1. For example, if the user is tracked for a length of time that is less than a third threshold, the distributed system may shorten the duration of the validity period of the user model of the user. The specific method of determining the duration of the validity period is not limited in the present application.
In some embodiments, the authentication credential may also have a validity period. The model management unit 403 may also be used to manage the validity period of the authentication credentials. The validity period of the authentication credential is similar to that of the user model, and is not described in detail.
In some embodiments, the electronic device 30 may also include a system management unit 404. The system management unit 404 is configured to manage at least one distributed system to which the electronic device 30 belongs and a plurality of devices included in each distributed system. The electronic device 30 may obtain information of the at least one distributed system to which the electronic device belongs, such as a system identifier, a number of devices included, a device identifier, a device address, and the like, through the system management unit 404. For example, the electronic device 30 may communicate with other devices in the distributed system through the system management unit 404. The system management unit 404 may include the transceiver 330 included in the electronic device 30 shown in fig. 3.
In some embodiments, the electronic device 30 may further include a storage unit, and the storage unit may be configured to store data shared by the distributed systems, for example, the tracking result, the established at least one user model, the association relationship between the user model and the distributed systems, the authentication credential bound to the user model, and the like. Any one of the units in the electronic device 30 may retrieve the stored data from the storage unit to perform the authentication process. Optionally, the storage unit comprises the memory 320 comprised by the electronic device 30 shown in fig. 3.
In the present application, even if the processing performance of the electronic device 30 is low (for example, only including the authentication unit and the storage unit), the user identity may be identified and whether authentication is to be avoided may be determined according to the tracking result and the authentication credential shared by the distributed system, so that the influence on power consumption is reduced, and the usability is high.
It is understood that the authentication unit 401, the model unit 402, the model management unit 403, and the system management unit 404 included in the electronic device 30 shown in fig. 4 may belong to the processor 310 included in the electronic device 30 shown in fig. 3.
Referring to fig. 5, fig. 5 illustrates an architecture diagram of another first system 20. The first system 20 is a distributed system.
As shown in fig. 5, the first system 20 may include a device acquisition layer 501, a model tracking layer 502, an authentication layer 503, and a database 504. Wherein the description of each layer is as follows:
The device acquisition layer 501 is used for acquiring user characteristics. The device acquisition layer 501 may comprise the acquisition units of a plurality of devices having acquisition capabilities in the first system 20, such as the acquisition unit of device 1, the acquisition unit of device 2, …, the acquisition unit of device n-1. Fig. 5 illustrates an example in which the device n in the first system 20 does not have acquisition capability, i.e., does not include an acquisition unit. The acquisition units of multiple devices in the device acquisition layer 501 may work together: multi-dimensional user features of the first user are collected in real time, that is, multiple types of user features of the first user at multiple time points are collected for the model tracking layer 502 to determine the user model of the first user. Optionally, the multi-dimensional user characteristics acquired by the device acquisition layer 501 in real time may be sent to the database 504, and any device in the distributed system may acquire data from the database 504, thereby implementing the identity authentication process.
Illustratively, the device acquisition layer 501 includes devices such as a mobile phone, a tablet computer, a television, a large screen, and a camera for acquiring image data, devices such as a router, a smart watch, a smart band, a mobile phone, and a tablet computer for acquiring position data, and devices such as an earphone, a smart band, a smart watch, a mobile phone, and a tablet computer for acquiring somatosensory data. The image data can be used for obtaining characteristics such as face information, body information, behavior information and position information. The somatosensory data includes characteristics such as body information, behavior information, heart rate information, voiceprint information, and the like.
As shown in fig. 5, the model tracking layer 502 may include processing units such as feature extraction, building and updating of user models, situation tracking, and the like. Wherein:
The feature extraction is used for processing the user features acquired by the device acquisition layer 501 in real time, and the processed user features are used for establishing and updating a user model and for situation tracking. For convenience of description, in the present application, the user feature acquired by the device acquisition layer 501 in real time is referred to as first feature data, and the user feature obtained by processing the first feature data through the feature extraction of the model tracking layer 502 is referred to as second feature data. For example, the face features acquired in real time by the device acquisition layer 501 are provided as first feature data to the feature extraction of the model tracking layer 502. The feature extraction can extract the relative position and the relative size of the most representative parts of the face (such as eyebrows, eyes, nose, mouth and the like) as second feature data, and then take the shape information of the face contour as second feature data as well.
Illustratively, the feature extraction may include: obtaining position information based on image data; obtaining position information through near-field communication technologies such as Bluetooth, Wi-Fi and UWB; extracting biological features (for example, obtaining face information based on the image data); extracting somatosensory data features; and the like.
The establishing and updating of the user model is used for performing modeling training (for example, implemented with an SVM) on the second feature data obtained by feature extraction to obtain a corresponding user model. Optionally, the establishing and updating of the user model can also update an existing user model according to the second feature data obtained by feature extraction, so that the user model can quantify the user more accurately. Optionally, the obtained user model and the updated user model may be sent to the database 504.
The situation tracking is used for determining a corresponding user model from the existing user models according to the second feature data obtained by feature extraction. The existing user models may be obtained by the situation tracking from the database 504. For example, the situation tracking may process the second feature data obtained by feature extraction to obtain a corresponding data set. Then, the situation tracking may obtain a degree of similarity between the data set and each existing user model (for example, when both the data set and the existing user model include a face feature, a cosine distance or a Euclidean distance between the face feature vectors may be used as the degree of similarity). When the degree of similarity between the data set and a first user model is greater than a preset similarity threshold, the situation tracking can determine that the first user model characterizes the user to which the first feature data and the second feature data belong, namely the first user model is the tracking result.
In some embodiments, the model tracking layer 502 may also include behavior prediction. The behavior prediction is used for judging whether the user triggers authentication of a device according to the second feature data obtained by feature extraction. For example, the second feature data belongs to the first user and includes a location feature. When the distance between the location indicated by the location feature and the device n in the first system 20 gradually decreases and is less than a preset distance, the behavior prediction may determine that the first user triggers authentication of the device n. When the behavior prediction determines that the first user triggers authentication of the device n, a notification may be sent to the authentication layer 503, so that the authentication unit of the device n in the authentication layer 503 recognizes the identity of the first user and determines whether authentication is to be avoided.
It is to be appreciated that the model tracking layer 502 shown in FIG. 5 may include model elements of a plurality of devices in the first system 20.
As shown in fig. 5, the authentication layer 503 is configured to identify a user identity according to a tracking result obtained by the model tracking layer 502, and determine whether authentication is to be avoided. The authentication layer 503 may include authentication units of a plurality of devices having authentication capabilities in the first system 20, such as the authentication unit of device 1, the authentication unit of device 2, …, the authentication unit of device n. The plurality of authentication units can cooperatively identify the user identity according to the tracking result, and the authentication unit of any equipment can also identify the user identity according to the tracking result.
In some embodiments, the authentication layer 503 may also include model management. Model management is used to manage the association of user models and systems. When any one of the devices in the first system 20 determines that the authentication result of the manual authentication process performed by the first user is that the authentication is passed, the model management may determine that the user model of the first user is associated with the first system 20. At this time, if the authentication unit of any one device in the first system 20 determines that the user to be authenticated is the first user according to the tracking result, the authentication unit, in cooperation with model management, may determine that the first user is associated with the first system 20, and thus may determine that the first user is a legitimate user and provide the user with imperceptible authentication. Optionally, the association between the user model and the system may be sent to the database 504.
In some embodiments, the authentication layer 503 may also include system management. The system management is used for managing the first system 20, for example, managing the identification of the first system 20, the number of devices included in the first system 20, the device identification, the device address, and the like. Illustratively, the general control device in the first system 20 may determine, through system management, whether the device to be authenticated belongs to the first system 20 according to the identifier of the device to be authenticated. Alternatively, the overall control device may obtain the identification of the first system 20 through system management, and determine the user model associated with the first system 20 through model management.
Illustratively, system management may enable device discovery of the first system 20, such as actively searching for eligible devices and determining that the device is a device included in the first system 20. The system management may also implement device authentication of the first system 20, for example, authenticating a device accessing the first system 20 (e.g., checking whether the Wi-Fi password is correct), and if the authentication is successful, determining that the device is a device included in the first system 20. System management may also enable trusted transfer of devices in the first system 20, such as managing a first key used to encrypt and decrypt data transferred between multiple devices in the first system 20.
It is to be understood that the model management in the authentication layer 503 shown in fig. 5 may include model management units of a plurality of devices in the first system 20, and the system management may include system management units of a plurality of devices in the first system 20.
In some embodiments, model management may also be used to manage authentication credentials bound to the user model. When any one of the devices in the first system 20 determines that the authentication result of the manual authentication process performed by the first user is that the authentication is passed, the authentication unit of the device may send the user characteristics authenticated in the manual authentication process to the model management as an authentication credential, and the model management may bind the authentication credential to the user model (i.e., tracking result) obtained by the model tracking layer 502. At this time, if the authentication unit of any device in the first system 20 determines that the user to be authenticated is the first user according to the tracking result, the authentication unit, in cooperation with model management, may authenticate the authentication credential bound to the user model of the first user. When the authentication is passed, the authentication unit may determine that the first user is a legitimate user, and provide the user with imperceptible authentication. Optionally, the authentication credentials bound to the user model may be sent to the database 504.
In some embodiments, model management may also be used to manage the expiration of user models. When the authentication layer 503 performs authentication, it may determine whether the user model obtained by situation tracking is in the validity period in combination with model management. If the user model is not within the validity period, the authentication layer 503 may determine that the user corresponding to the user model is not legitimate and may trigger a manual authentication process. If the user model is in the validity period, the authentication layer 503 determines whether the user corresponding to the user model is legal or not, and whether authentication is to be avoided or not.
In some embodiments, model management may also be used to manage the validity period of authentication credentials. When the authentication layer 503 performs authentication, it may determine, in combination with model management, whether an authentication credential corresponding to the user model obtained by situation tracking is within a validity period. If the authentication credential is not within the validity period, the authentication layer 503 may determine that the user corresponding to the user model is illegal, and may trigger a manual authentication process. If the authentication credential is within the validity period, the authentication layer 503 determines whether the user corresponding to the user model is legal or not, and whether authentication is to be avoided or not.
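The decision flow described in the preceding paragraphs (situation tracking against a similarity threshold, association of the user model with the system, and the validity periods of the user model and of the bound credential) can be modelled as follows. This is an added example, not part of the patent text: all names, the 0.90 threshold, the 600-second validity duration and the sample vectors are assumptions, and authenticating the bound credential is reduced to checking that it exists and is within its validity period.

```python
import math
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

SIMILARITY_THRESHOLD = 0.90  # assumed "preset similarity threshold"
VALIDITY_SECONDS = 600.0     # assumed preset duration of every validity period


@dataclass
class UserModel:
    user_id: str
    face_vector: List[float]                        # feature data held by the model
    systems: Set[str] = field(default_factory=set)  # associated distributed systems
    model_valid_from: Optional[float] = None        # start of model validity period
    credential: Optional[bytes] = None              # credential bound to the model
    credential_valid_from: Optional[float] = None   # start of credential validity


def cosine_similarity(a: List[float], b: List[float]) -> float:
    dot = sum(x * y for x, y in zip(a, b))
    norm_a = math.sqrt(sum(x * x for x in a))
    norm_b = math.sqrt(sum(y * y for y in b))
    if norm_a == 0.0 or norm_b == 0.0:
        return 0.0
    return dot / (norm_a * norm_b)


def track(features: List[float], models: List[UserModel]) -> Optional[UserModel]:
    """Situation tracking: the best model strictly above the threshold, else None."""
    best, best_score = None, SIMILARITY_THRESHOLD
    for model in models:
        score = cosine_similarity(features, model.face_vector)
        if score > best_score:
            best, best_score = model, score
    return best


def within_validity(start: Optional[float], now: float) -> bool:
    return start is not None and 0.0 <= now - start <= VALIDITY_SECONDS


def decide(features: List[float], models: List[UserModel],
           system_id: str, now: float) -> Tuple[str, str]:
    """Return ('exempt', user_id), or ('manual', reason) to fall back to manual authentication."""
    model = track(features, models)
    if model is None:
        return ("manual", "no matching user model")
    if system_id not in model.systems:
        return ("manual", "user model not associated with this system")
    if not within_validity(model.model_valid_from, now):
        return ("manual", "user model validity period expired")
    if model.credential is None or not within_validity(model.credential_valid_from, now):
        return ("manual", "authentication credential missing or expired")
    return ("exempt", model.user_id)


def record_manual_pass(model: UserModel, system_id: str,
                       credential: bytes, now: float) -> None:
    """Manual authentication passed: associate the model with the system,
    bind the credential, and reset both validity periods to start now."""
    model.systems.add(system_id)
    model.credential = credential
    model.model_valid_from = now
    model.credential_valid_from = now


def build_sample_models() -> List[UserModel]:
    # Constructed sample data, not taken from the patent.
    return [UserModel("alice", [0.1, 0.9, 0.4]),
            UserModel("bob", [0.9, 0.1, 0.2])]


if __name__ == "__main__":
    models = build_sample_models()
    observed = [0.12, 0.88, 0.41]  # constructed features of the user being tracked
    print(decide(observed, models, "home", 1000.0))   # before any manual pass
    record_manual_pass(models[0], "home", b"constructed-credential", 1000.0)
    print(decide(observed, models, "home", 1100.0))   # inside both validity periods
    print(decide(observed, models, "home", 1700.0))   # after the validity period
```

Every failed check falls back to manual authentication rather than to exemption, so a missing association, an expired model or an expired credential can never widen access.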
In the authentication layer 503, the authentication unit of any device may further perform a manual authentication process, that is, authenticate the collected user characteristics of the first user and obtain an authentication result of the first user. In some embodiments, the model update may be triggered when the authentication result of the first user is authentication pass. That is, when the synchronized authentication result of the first user is authentication pass, the establishment and updating of the user model in the model tracking layer 502 may update the user model of the first user, for example, add the collected user characteristics of the first user to the user model of the first user. In some embodiments, when the authentication result of the first user is authentication pass, the model management may also be triggered to update the relevant information of the user model of the first user, for example, update the validity period of the user model of the first user, the authentication credentials bound to the user model of the first user, and the like.
As shown in FIG. 5, database 504 is used to store at least one of: the user model established by the model tracking layer 502, the updated user model, the authentication credentials used by the authentication unit of the authentication layer 503 during the manual authentication process, the association relationship between the user model and the system as determined by model management, and the authentication credentials bound to the user model. The database 504 may include the storage units of a plurality of devices in the first system 20, but is not limited thereto, and may also be a database (e.g., at least one server as described in fig. 1) to which a plurality of devices are connected. Database 504 may be used to synchronize the stored data, which may be retrieved from database 504 by any device in the first system 20.
In a specific implementation, the situation tracking may also be a neural network model, where the input of the model is the first feature data or the second feature data, and the output of the model is a user model, and the user model is used to characterize a user to which the first feature data or the second feature data belongs. The present application does not limit the specific manner of determining the tracking result.
For the description of the acquisition unit, the authentication unit, the model unit, the model management unit, and the system management unit shown in fig. 5, refer to the description of the acquisition unit, the authentication unit 401, the model unit 402, the model management unit 403, and the system management unit 404 included in the electronic device 30 shown in fig. 4.
It is understood that the authentication in the present application may be system-level authentication or application-level authentication. System-level authentication is, for example, screen unlocking: before authentication the device displays a lock-screen interface, and after authentication is passed the device displays the desktop or the user interface shown before the screen was locked. Application-level authentication is, for example, the authentication of system applications (such as settings, file lockers, short messages, galleries, and the like), and the device can display the specific interfaces of the system applications after the authentication is passed. Application-level authentication may also be authentication of applications that have an application server (such as payment applications, banking applications, social applications, etc.), and the device can display a specific interface of such an application after the authentication is passed.
For an application with an application server, the device may obtain data of the application from the application server, and display a corresponding user interface using the obtained data. In some embodiments, the application server may send the application data only when the user identity is authenticated, and the authentication unit of the device may send a notification message to the application server when determining that the user model corresponding to the user to be authenticated is associated with the system to which the user belongs. The application server can determine that the user to be authenticated is a legal user according to the notification message, and send corresponding data to the device.
The authentication unit of any one of the devices in the authentication layer 503 may include a local authentication unit and an application authentication unit. For example, the authentication unit of the device 1 includes a local authentication unit and an application authentication unit. After obtaining the authentication result, the local authentication unit may be directly used for system-level authentication of the device 1. After obtaining the authentication result, the application authentication unit may be directly used for the application-level authentication of the device 1. Optionally, the local authentication unit may obtain the authentication result and then send the authentication result to the application authentication unit, so as to be used for the application-level authentication of the device 1.
In some embodiments, the model management of the authentication layer 503 is also used to manage authentication credentials bound to the user model. After the authentication unit of the device in the authentication layer 503 obtains the user model (i.e., the tracking result) of the user to be authenticated, the authentication unit may authenticate the authentication credential bound to the user model, and if the authentication is passed, it is determined that the user to be authenticated is legal, and it is determined that the authentication is not required. Optionally, for an application in which the application server exists, the device may send the authentication credential to the application server for authentication. When the application server determines that the authentication is passed, corresponding data is sent to the device. At this time, the device determines authentication exemption, i.e., displays a corresponding user interface using data transmitted from the application server.
The identity authentication method provided by the embodiment of the application is described next.
Referring to fig. 6, fig. 6 is a diagram illustrating an identity authentication method according to an embodiment of the present disclosure. The method may be applied to the scenario 10 shown in fig. 1. The method may be applied to a distributed system including a plurality of devices, such as the first system 20 shown in fig. 2, the first system 20 shown in fig. 5. The plurality of devices may include a first device, a second device, and a third device.
It should be noted that the first device, the second device and the third device are only used for distinguishing roles of devices performing the identity authentication method. Illustratively, the first device is a device that is manually authenticated by a user prior to use of the third device. The second device is used to share the tracking results (i.e. the user model determined from the user characteristics acquired in real time). The third device is a device to be authenticated that the user wants to use. In particular implementations, a device may have multiple roles, for example, a device may be both a first device and a second device. The multiple devices may also be in the same role, for example, three devices are all the second device, and the three devices cooperate to acquire the tracking result and share the tracking result to other devices in the distributed system. The role of any device in the distributed system may be determined according to actual conditions, which is not limited in this application.
Illustratively, the first user is in the scenario in which the plurality of devices of a distributed system are located; for example, the distributed system is the first system 20 shown in fig. 2, and the scenario in which the plurality of devices of the distributed system are located is the scenario 10 shown in fig. 1. The plurality of devices in the distributed system can continuously track the first user, namely, collect the user characteristics of the first user at a plurality of time points and determine a user model (namely, a tracking result) of the first user according to the user characteristics. The first device may be the device on which the first user first triggers authentication in scenario 10. The first device may perform a manual authentication process and obtain an authentication result of the first user. Both the tracking results and the authentication results may be shared within the distributed system. When the first user triggers another device in the distributed system, such as a third device, the third device may determine that the first user is a legitimate user according to the tracking result and the authentication result, and determine that authentication is not required (i.e., display the user interface shown when authentication is passed). Therefore, authentication on one device exempts the user from authentication on multiple devices, and the number of authentication operations the user performs when switching devices is reduced.
The method may include, but is not limited to, the steps of:
S101: The first device authenticates the first user according to a first user characteristic of the first user to obtain an authentication result of the first user.
Specifically, the first user may trigger the first device to perform a manual authentication process, that is, the first device collects a first user characteristic of the first user and authenticates the first user characteristic to obtain an authentication result of the first user. For example, the first user characteristic is a face feature, and the first device may obtain a degree of similarity between the acquired face feature and a face feature sample recorded in advance (for example, the degree of similarity is expressed by a cosine distance or a Euclidean distance between the face feature vectors). When the degree of similarity is greater than or equal to the preset similarity threshold, the first device may determine that the authentication result of the first user is that the authentication is passed, and when the degree of similarity is less than the preset similarity threshold, the first device may determine that the authentication result of the first user is that the authentication is not passed. When the authentication result is that the authentication is passed, the first device may display the user interface shown when the authentication is passed, such as a specific interface of the system device, the application program, and the like. The first user characteristic may comprise multiple types of user characteristics; compared with authentication using a single user characteristic, this is more accurate and reliable, and the false identification rate is lower.
S102: the first device shares the authentication result of the first user with devices in the distributed system.
Specifically, the authentication result obtained by any device in the distributed system executing the manual authentication process may be shared with multiple devices in the distributed system, and this process may be referred to as synchronizing the authentication state. The synchronous authentication state may be executed once every preset time period, or may be executed once each time an authentication result is obtained.
S103: If the authentication result of the first user is that the authentication is passed, the second device shares the user model of the first user with the devices in the distributed system.
Specifically, a plurality of devices in the distributed system may collect user characteristics of the first user at a plurality of time points. For example, a device 1 (e.g., a mobile phone or a tablet) in the distributed system collects motion sensing data and touch screen sensing data, a device 2 (e.g., a wearable device such as a smart watch or a smart bracelet) collects motion sensing data, biometric data and signal distance data, and a device 3 (a device that may include a camera, such as a camera or a large screen) collects situation data and location data. For a specific example, refer to the illustration in scene 10 of fig. 1 of multiple devices capturing user characteristics of user 100 from various angles within the three-dimensional near-field space. The collected user characteristics can be synchronized to a plurality of devices in the distributed system.
Then, a plurality of devices in the distributed system, for example, the second device or the third device, may determine the user model (i.e., tracking result) of the first user according to the collected user characteristics of the first user at a plurality of time points. The user characteristics (e.g., location characteristics) and tracking results of the first user at multiple points in time may be shared with any device in the distributed system, so that any device in the distributed system may determine the current tracked user, e.g., the location of the first user.
One user model can represent one user, and the user models corresponding to different users are different. Optionally, the user model may be a data set that includes a variety of user characteristics for representing the user. These user characteristics are feature data that characterize the user's identity and can be obtained by analyzing and processing the collected user characteristics, for example biological characteristics, physical characteristics, behavioral characteristics, and the like. Examples of biological characteristics include, but are not limited to: fingerprint, voice print, face, heart rate, pulse, etc. Physical characteristics include, for example and without limitation: height, length of limbs, etc. Behavioral characteristics include, for example and without limitation: signature, gait, touch screen behavior (e.g., key press rhythm), etc. The user characteristics of the first user at the multiple time points can also comprise multiple kinds of user characteristics; determining the user model from multi-dimensional user characteristics is more accurate and reliable, and the misjudgment rate is lower.
Specifically, the distributed system may share at least one user model, and the at least one user model may be obtained by performing modeling training on devices in the distributed system based on the collected user features. In some embodiments, if the user model of the first user does not exist in the at least one user model, the plurality of devices in the distributed system may build the user model of the first user according to the collected user characteristics of the first user at a plurality of time points. In other embodiments, the plurality of devices in the distributed system may select the user model of the first user from the at least one user model according to the collected user characteristics of the first user at a plurality of time points.
For example, the second device may process the collected user characteristics of the first user at a plurality of time points to obtain a corresponding data set. The second device may then obtain the degree of similarity between the data set and each of the at least one user model shared by the distributed system. When the degree of similarity between the first user model and the data set is greater than the preset threshold, the second device may determine that the data set belongs to the user characterized by the first user model, that is, the currently tracked user is the user characterized by the first user model.
It is to be appreciated that when multiple devices in the distributed system track the first user, the location characteristics of the first user can be obtained in conjunction with near field communication technology (e.g., bluetooth, Wi-Fi, UWB), and the location characteristics can be used to more accurately identify the user. For example, the current tracked users include a first user and a second user, the locations of which are not typically the same, and the plurality of devices in the distributed system may distinguish the first user from the second user based on the obtained location characteristics. Alternatively, the user identity may also be identified based on whether the location features are continuous or not. The distance difference between the positions of the first user in two consecutive seconds should be smaller than a second distance threshold, the distance difference between the positions of the second user in two consecutive seconds should be smaller than the second distance threshold, and the plurality of devices in the distributed system can distinguish the first user from the second user according to the position characteristics acquired at the plurality of time points.
S104: If the third device determines, according to the user model of the first user, that the first user is within the preset range, the third device determines that the first user is legitimate.
Specifically, the third device may determine whether the first user is within the preset range according to the shared user characteristics (e.g., location characteristics) of the first user at a plurality of time points and the user model of the first user. When the third device determines that the first user is within the preset range, it may be determined that the first user triggers authentication of the third device, that is, the first user has initiated or is about to initiate an access request. Since the first device in the distributed system has determined that the authentication result of the first user is that the authentication is passed, the third device may at this time determine that the first user is a legitimate user, and determine that authentication is not to be performed (for example, directly display the user interface shown when authentication is passed).
The preset range may be a range relative to the distributed system; optionally, the distance between the location of the first user and the location of any device in the distributed system is smaller than the first distance threshold. For example, a plurality of devices in the distributed system exist in the scene 10 shown in fig. 1, and the first user is considered to be within the preset range when the first user is located at any position in the scene 10. The preset range may also be a range relative to the third device; optionally, the distance between the location of the first user and the location of the third device is smaller than the second distance threshold. For example, a plurality of devices in the distributed system exist in the scene 10 shown in fig. 1, the third device is the device 131 or the device 132 in the scene 10, and the first user is considered to be within the preset range when the first user is in the third room 130.
In some embodiments, the method may further comprise: if the first authentication result is that the authentication is passed, a plurality of devices in the distributed system, for example, the second device or the third device, may determine that the user model of the first user is associated with the distributed system to which the first device belongs.
In particular, one device may belong to at least one distributed system; e.g., the first device belongs not only to the first system 20 shown in fig. 2 but also to other systems. Therefore, when the first device determines that the authentication result of the first user is that the authentication is passed, the multiple distributed systems to which the first device belongs may all determine that the first user is a legitimate user, which can be expressed as the multiple distributed systems all being associated with the user model of the first user. In S104, when the third device determines that the first user is within the preset range, it may determine whether the user model of the first user is associated with the distributed system to which the third device belongs. When the user model of the first user is associated with the distributed system to which the third device belongs, the third device determines that the first user is a legitimate user. Optionally, the tracking result shared by the second device may also carry indication information indicating whether the user model of the first user is associated with the distributed system to which the third device belongs.
In some embodiments, the method may further comprise: if the first authentication result is that the authentication is passed, the first device and the devices in the distributed system may share the first user characteristic of the first user.
In particular, the first user characteristic may be bound, as an authentication credential, to the user model of the first user. In S104, when the third device determines that the first user is within the preset range, the third device may authenticate the first user by using the first user characteristic, so as to obtain a second authentication result of the first user. When the second authentication result is that the authentication is passed, the third device determines that the first user is a legitimate user.
It will be appreciated that the plurality of devices in the distributed system may track the first user after the first user passes manual authentication. Without being limited to this, the multiple devices in the distributed system may also track the first user when the first user enters the scenario in which the distributed system is located for the first time, or when the first user initiates an access request to a device in the distributed system (that is, when it is determined that the first user is within the preset range). Illustratively, the tracking process may include: based on the collected user characteristics, the multiple devices in the distributed system perform behavior similarity analysis (for example, similarity analysis on the collected motion sensing data, touch screen sensing data and situation data), similarity analysis on the biological feature data, and location analysis on the first user to obtain a tracking result. Then, when a device in the distributed system determines that the first user is within the preset range, the device may determine the user identity by combining the tracking result, and determine whether to exempt the user from authentication. When authentication is exempted, the user directly accesses the device; when authentication is not exempted, the device can execute the manual authentication process.
In some embodiments, prior to S104, the method may further include: a plurality of devices in the distributed system, for example, a second device or a third device, may determine that the first user is within the preset range according to the collected user characteristics of the first user at multiple time points, that is, determine that the first user triggers authentication of the third device. At this time, the plurality of devices in the distributed system may transmit indication information to the third device, so that the third device determines that the first user is within the preset range, thereby triggering authentication. For example, when the distance between the position where the first user is located and the position where the third device is located is gradually reduced and is smaller than a third distance threshold value, it is determined that the first user is within the preset range.
In some embodiments, prior to S104, the method may further include: the third device receives a first user operation of the first user. The third device may determine that the first user is within the preset range according to the first user operation and the tracking result. The first user operation is, for example but not limited to, a click operation, sliding operation, floating operation, lifting operation and the like on a display screen or a key of the third device.
In some embodiments, the user model may be updated as multiple devices in the distributed system determine the tracking results. Illustratively, the collected user characteristics of the first user at the multiple time points include a first characteristic and a second characteristic, and the user model of the first user includes a third characteristic and a fourth characteristic. The first feature and the third feature are of the same type and the second feature and the fourth feature are of the same type. For example, the first feature and the third feature are both fingerprint features, and the second feature and the fourth feature are both face features. Since the confidence of the first feature is greater than the confidence of the second feature, when the degree of similarity between the first feature and the third feature is greater than or equal to the preset similarity threshold, even if the degree of similarity between the second feature and the fourth feature is less than the preset similarity threshold, it can be determined that the currently tracked user is the first user. At this point, the plurality of devices in the distributed system may update the user model of the first user with the second feature, for example, adding the second feature to the user model of the first user, or replacing the fourth feature with the second feature.
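The confidence-weighted match and model update described in the preceding paragraph can be sketched as follows. This is an added example, not code from the patent: the confidence values, the 0.8 threshold, the feature vectors and all function names are constructed, and letting the highest-confidence shared feature type alone decide the match is an assumption.

```python
import math
from typing import Dict, List, Optional, Tuple

Vector = List[float]
Features = Dict[str, Vector]   # feature type -> feature vector

# Constructed values: the page only says the first feature type (fingerprint in
# its example) has a higher confidence than the second (face).
CONFIDENCE = {"fingerprint": 0.9, "face": 0.6}
SIM_THRESHOLD = 0.8            # "preset similarity threshold"; the value is assumed


def cosine_similarity(a: Vector, b: Vector) -> float:
    if len(a) != len(b):
        raise ValueError("feature vectors must have the same dimension")
    dot = sum(x * y for x, y in zip(a, b))
    norm = math.sqrt(sum(x * x for x in a)) * math.sqrt(sum(y * y for y in b))
    return dot / norm if norm else 0.0


def match_model(collected: Features, model: Features) -> Tuple[bool, float, List[str]]:
    """Compare collected features with one user model.

    Returns (matched, similarity of the decisive feature, stale feature types).
    The decisive feature is the shared type with the highest confidence.
    """
    shared = [t for t in collected if t in model and t in CONFIDENCE]
    if not shared:
        return False, 0.0, []
    sims = {t: cosine_similarity(collected[t], model[t]) for t in shared}
    decisive = max(shared, key=lambda t: CONFIDENCE[t])
    if sims[decisive] < SIM_THRESHOLD:
        # A lower-confidence feature matching on its own is not accepted.
        return False, sims[decisive], []
    stale = [t for t in shared if t != decisive and sims[t] < SIM_THRESHOLD]
    return True, sims[decisive], stale


def track_and_update(collected: Features,
                     models: Dict[str, Features]) -> Optional[Tuple[str, List[str]]]:
    """Pick the tracked user's model, then refresh its stale features in place.

    Returns (user id, list of updated feature types) or None when nothing matches.
    """
    best: Optional[Tuple[str, float, List[str]]] = None
    for user_id, model in models.items():
        matched, sim, stale = match_model(collected, model)
        if matched and (best is None or sim > best[1]):
            best = (user_id, sim, stale)
    if best is None:
        return None
    user_id, _, stale = best
    for feature_type in stale:
        # "Replacing the fourth feature with the second feature": done only
        # after the higher-confidence feature has already identified the user.
        models[user_id][feature_type] = list(collected[feature_type])
    return user_id, stale


def demo_models() -> Dict[str, Features]:
    """Constructed shared user models for two users."""
    return {
        "user-1": {"fingerprint": [1.0, 0.0, 0.0], "face": [0.0, 1.0, 0.0]},
        "user-2": {"fingerprint": [0.0, 0.0, 1.0], "face": [0.0, 1.0, 0.0]},
    }


if __name__ == "__main__":
    models = demo_models()
    sample = {"fingerprint": [0.98, 0.05, 0.0], "face": [0.6, 0.2, 0.77]}
    print(track_and_update(sample, models), models["user-1"]["face"])
```

Because the update path writes a sample that failed its own similarity check into the shared model, the gate on the higher-confidence feature is what keeps an unverified sample from entering the model.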
In some embodiments, multiple devices in the distributed system may also acquire environmental parameters in the near-field space in which the distributed system is located, such as environmental parameters in the scene 10. Examples include, but are not limited to: whether a light is turned on, brightness, object placement position, time of the object, etc. Multiple devices in the distributed system may determine the tracking result by combining the environmental parameters collected in real time with the user characteristics of the first user. Illustratively, the user model of the first user includes two types of face features: face features at 6 am when no light is turned on, and face features at 6 pm when the light is turned on. The environmental parameters collected in real time are: 8 o'clock in the evening, with the light turned on. The user characteristics of the first user collected in real time include face features. Given the environmental parameters, the face features at 6 pm with the light turned on have the higher confidence, so the degree of similarity between those face features in the user model of the first user and the face features of the first user collected in real time can be obtained. When the degree of similarity is greater than the preset similarity threshold, the tracking result is determined to be the user model of the first user.
In a specific implementation, the multiple devices in the distributed system may also periodically obtain the environmental parameters in the near-field space where the distributed system is located, and update the user model according to the environmental parameters. For example, multiple devices in a distributed system may obtain the object placement location to determine if there is a blockage around the devices. If a plurality of devices in the distributed system determine that an obstruction exists around a device (such as a camera) for acquiring the human face features, the confidence level of the human face features in the user model can be adjusted to be low.
In some embodiments, the distributed system may also update the authentication credentials. For example, each time the authentication result of the first user obtained by the manual authentication process is that the authentication passes, the distributed system may update the authentication credential using the user characteristic used in the authentication process, that is, binding the user characteristic as the authentication credential with the user model of the first user, or replacing the authentication credential bound with the user model of the first user with the user characteristic.
The specific implementation of the identity authentication method can be seen in the examples shown in fig. 7-8.
In the method shown in fig. 6, after the first user passes the authentication of the first device, the multiple devices in the distributed system may determine that the first user is a legitimate user, and perform a continuous and multidimensional tracking process on the first user to obtain a tracking result. Any device in the distributed system may have identity authentication requirements, i.e., any device may be the third device. Even if the third device has no collecting capability, it can identify the user according to the shared tracking result, so usability is high. The third device can directly exempt the legitimate first user from authentication, which reduces the number of authentication operations performed when the legitimate user switches devices: authentication on one device exempts the user from authentication on the other devices. Compared with an authentication mode that uses a single user characteristic and with a one-time authentication mode, identifying the user through the tracking result obtained by continuous tracking is more secure and reliable.
Next, application scenarios related to embodiments of the present application and human-computer interaction diagrams in the scenarios are described. The following embodiments are described by taking, as an example, the case in which the architecture of the first system 20 is the architecture shown in fig. 5, and show only a part of the processing units in each layer.
First, the cooperation relationship of the layers in the first system 20 in S101-S103 shown in fig. 6 is described, and specifically shown in fig. 7.
1. The authentication unit of device 1 (i.e., the first device) in authentication layer 503 determines that the first user triggers a manual authentication process.
2. The acquisition unit of the device 1 (i.e., the first device) in the device acquisition layer 501 acquires the first user characteristic of the first user.
3. The acquisition unit of the device 1 sends the first user characteristic to the authentication unit of the device 1.
4. The authentication unit of the device 1 authenticates the first user characteristic and obtains an authentication result of the first user.
5. The authentication unit of device 1 sends the authentication result of the first user to the database 504, i.e. the authentication result of the first user is shared with the devices in the first system 20.
6. The device acquisition layer 501 acquires user characteristics of the first user at a plurality of time points, for example, continuously acquires multi-dimensional second user characteristics of the first user.
7. The device acquisition layer 501 sends the second user features to the feature extraction of the model tracking layer 502.
8. Feature extraction of the model tracking layer 502 processes the second user features to obtain third user features. An example of the manner of processing may be seen in the description of feature extraction of model tracking layer 502 shown in FIG. 5.
9. Feature extraction of the model tracking layer 502 sends third user features to the situational tracking.
10. The situational tracking of the model tracking layer 502 determines a user model (i.e., tracking results) of the first user based on the third user characteristics. Optionally, the situational tracking builds a user model of the first user based on the third user characteristic. Optionally, the situation tracking obtains at least one user model shared in the database 504, and determines the user model of the first user from the at least one user model according to the third user characteristic.
11. The situation tracking of the model tracking layer 502 obtains the authentication result of the first user shared in the database 504.
12. If the authentication result of the first user is that the authentication is passed, the situation tracking of the model tracking layer 502 sends the user model of the first user to the database 504, i.e., the user model of the first user is shared with the devices in the first system 20 (i.e., the tracking result).
13. The model management of the authentication layer 503 acquires the authentication result of the first user and the user model of the first user shared in the database 504.
14. If the authentication result of the first user is that the authentication is passed, the model management of the authentication layer 503 determines that the user model of the first user is associated with the first system 20 to which the device 1 belongs.
15. The model management of the authentication layer 503 sends second indication information to the database 504, i.e. sharing the second indication information with the devices in the first system 20, wherein the second indication information is used for indicating that the user model of the first user is associated with the first system 20 to which the device 1 belongs.
Steps 1-5 correspond to S101-S102 of fig. 6. The order of steps 1-5 and steps 6-10 is not limited, and they can be performed simultaneously.
In some embodiments, after the situation tracking of model tracking layer 502 determines the user model (i.e., 10) of the first user, the creation and updating of the user model in model tracking layer 502 may update the user model of the first user according to the third user characteristics.
Next, the cooperation relationship of the respective layers in the first system 20 in S104 shown in fig. 6 is described, specifically as shown in fig. 8.
16. The device acquisition layer 501 acquires user characteristics of the first user at a plurality of time points, for example, continuously acquires a multi-dimensional fourth user characteristic of the first user. The fourth user characteristic may be obtained when or before the first user approaches device n (i.e., the third device).
17. The device acquisition layer 501 sends the fourth user feature to the feature extraction of the model tracking layer 502.
18. Feature extraction of the model tracking layer 502 processes the fourth user feature to obtain a fifth user feature.
19. Feature extraction of the model tracking layer 502 sends a fifth user feature to the behavior prediction.
20. The behavior prediction of the model tracking layer 502 may determine that the first user is within the preset range based on the fifth user characteristic.
21. The behavior prediction of the model tracking layer 502 sends a first notification to the authentication unit of the device n in the authentication layer 503, the first notification indicating that the first user is within the preset range.
22. The authentication unit of device n in the authentication layer 503 determines that the first user is within the preset range according to the first notification.
23. The authentication unit of device n in authentication layer 503 obtains the user model of the first user shared in database 504.
24. The authentication unit of the device n in the authentication layer 503 acquires the association relationship between the user model of the first user and the system from the model management.
25. The authentication unit of the device n in the authentication layer 503 acquires the system to which the device n belongs from the system management.
26. The authentication unit of the device n in the authentication layer 503 determines, based on the acquired data: the device n belongs to the first system 20 associated with the user model of the first user, i.e. it is determined that the first user is legitimate, and therefore authentication is not performed for the first user, and the user interface when authentication is passed is directly displayed.
It should be noted that the second user characteristic shown in fig. 7 and the fourth user characteristic shown in fig. 8 may be user characteristics at different time points.
It should be noted that when the first system 20 implements the process shown in fig. 8, the first user may be continuously tracked, i.e., 6-10 shown in fig. 7 is executed. The user model of the first user, obtained at 24 in fig. 8, is actually a tracking result obtained by the first system 20 continuously tracking the first user. If the first user is not in the scene of the first system 20 when the device n executes 24, the obtained tracking result may not be the user model of the first user, but may be the user model of the user in the scene of the first system 20. The first system 20 will perform corresponding operations based on the current tracking result, for example, determine whether the current tracking user is a legal user.
In some embodiments, before S101 of fig. 6, the identity authentication method shown in fig. 6 may further include: a plurality of devices in the distributed system collect user characteristics of the first user at a plurality of time points, and determine, according to the collected user characteristics, that no user model of the first user exists. When the first device determines that the first user triggers authentication, the first device may determine that the first user is illegitimate and trigger a manual authentication process (e.g., perform S101). For example, the first user enters, for the first time, the scenario in which the multiple devices in the distributed system are located. An example of a flow for determining that the manual authentication process is triggered is shown in fig. 9.
1. When a first user enters the scene 10 where multiple devices are located in the first system 20, the device acquisition layer 501 continuously acquires the multidimensional sixth user characteristics of the first user.
2. The device acquisition layer 501 sends the sixth user feature to the feature extraction of the model tracking layer 502.
3. Feature extraction of the model tracking layer 502 processes the sixth user feature to obtain a seventh user feature.
4. Feature extraction of the model tracking layer 502 sends the seventh user feature to the situation tracking.
5. Situation tracking by model tracking layer 502 retrieves at least one user model that has been built from database 504.
6. The situation tracking of the model tracking layer 502 determines that the user model of the first user does not exist in the at least one user model according to the seventh user characteristic.
7. The situational tracking of the model tracking layer 502 sends a second notification to the database 504, i.e., sharing the second notification with the devices in the first system 20, where the second notification indicates that there is no user model for the first user, and the devices in the first system 20 may determine from the second notification that the currently tracked first user is not legitimate.
8. When the authentication unit of the device 1 in the authentication layer 503 determines that the first user is within the preset range, the second notification shared in the database 504 may be acquired. The preset range may be a range relative to the distributed system, or a range relative to the device 1. The authentication unit of the device 1 may determine that the first user is within the preset range according to the location characteristics of the first user collected by the device acquisition layer 501 in real time.
9. The authentication unit of device 1 in authentication layer 503 determines that the currently tracked first user is not legitimate according to the second notification, and then determines to trigger the manual authentication process.
It should be noted that the sixth user characteristic shown in fig. 9, the second user characteristic shown in fig. 7, and the fourth user characteristic shown in fig. 8 may be user characteristics at different time points.
Without being limited to the example of fig. 9, in particular implementations, the situation tracking of model tracking layer 502 may determine the user model of the first user based on the seventh user characteristic. The authentication unit of the device 1 in the authentication layer 503 may acquire the association relationship between the user model of the first user and the system from the model management, and acquire the system to which the device 1 belongs from the system management. Then, the authentication unit of the device 1 may determine, based on the acquired data, that the user model of the first user and the first system 20 to which the device 1 belongs do not have an association relationship, and thus determine that the first user is illegitimate. At this time, the authentication unit of the device 1 may trigger a manual authentication process. That is, although the user model of the first user exists in the database 504 of the first system 20, the first user has not passed authentication on any device in the first system 20, so when the first user triggers authentication, authentication is not exempted and the manual authentication process is triggered instead.
Alternatively, each user model may have a validity period. The situation tracking of the model tracking layer 502 may determine a user model of the first user based on the seventh user characteristic. The authentication unit of the device 1 in the authentication layer 503 may determine whether the user model of the first user is within the validity period. If the user model of the first user is within the validity period, the third device performs another determination process (e.g., whether the user model of the first user is associated with the system to which the device 1 belongs), and if the user model of the first user is not within the validity period, the third device may determine to trigger the manual authentication process. That is, although the user model of the first user exists in the database 504 of the first system 20, the user model of the first user is not within the validity period, so when the first user triggers authentication, authentication is not exempted and the manual authentication process is triggered instead.
Alternatively, the authentication credential may have a validity period. The situation tracking of the model tracking layer 502 may determine a user model of the first user based on the seventh user characteristic. The authentication unit of device 1 in authentication layer 503 may determine whether the authentication credential bound to the user model of the first user is within the validity period. If the authentication credential is within the validity period, the third device authenticates the authentication credential again, and if the authentication credential is not within the validity period, the third device may determine to trigger a manual authentication process. That is, although the user model of the first user exists in the database 504 of the first system 20, the authentication credential bound to the user model of the first user is not within the validity period, so when the first user triggers authentication, authentication is not exempted and the manual authentication process is triggered instead.
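The checks a device runs before skipping authentication (preset range, shared authentication result, model-to-system association, and the two validity periods described above) can be combined into one fail-closed decision, shown here as an added example that is not code from the patent. Running all the checks together rather than as alternative embodiments is an assumption, and every class, field, function name and value is constructed.

```python
import math
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Optional, Set, Tuple


class Decision(Enum):
    EXEMPT = "exempt"            # show the authenticated user interface directly
    MANUAL_AUTH = "manual_auth"  # fall back to the manual authentication process
    IGNORE = "ignore"            # user not in the preset range, nothing is triggered


@dataclass
class UserModel:
    user_id: str
    associated_systems: Set[str]            # systems where manual authentication passed
    model_expires_at: float                 # end of the model's validity period
    credential_expires_at: Optional[float]  # None when no credential is bound


@dataclass
class SharedState:
    """Stand-in for what the devices share through database 504."""
    tracked_model: Optional[UserModel]      # current tracking result, None if no model
    auth_passed: Set[str]                   # user ids with a passing shared auth result
    position: Optional[Tuple[float, float]] # latest tracked location feature


def decide_exemption(device_system: str,
                     device_pos: Tuple[float, float],
                     state: SharedState,
                     now: float,
                     range_m: float = 3.0,
                     verify_credential: Optional[Callable[[UserModel], bool]] = None
                     ) -> Tuple[Decision, str]:
    """Return (decision, reason). Every failed check ends in manual authentication."""
    # Preset range relative to this device (the distance threshold is assumed).
    if state.position is None or math.dist(state.position, device_pos) >= range_m:
        return Decision.IGNORE, "user not within the preset range"

    model = state.tracked_model
    if model is None:
        return Decision.MANUAL_AUTH, "no user model for the tracked user"
    if model.user_id not in state.auth_passed:
        return Decision.MANUAL_AUTH, "no shared passing authentication result"
    if device_system not in model.associated_systems:
        return Decision.MANUAL_AUTH, "user model not associated with this system"
    if now >= model.model_expires_at:
        return Decision.MANUAL_AUTH, "user model outside its validity period"

    if model.credential_expires_at is not None:
        if now >= model.credential_expires_at:
            return Decision.MANUAL_AUTH, "credential outside its validity period"
        # Optional re-authentication against the bound credential; the callback
        # is a hypothetical hook for the device's own matcher.
        if verify_credential is not None and not verify_credential(model):
            return Decision.MANUAL_AUTH, "second authentication result: not passed"

    return Decision.EXEMPT, "legitimate user, authentication exempted"


if __name__ == "__main__":
    # Constructed sample state.
    model = UserModel("user-1", {"system-20"}, 1000.0, 500.0)
    state = SharedState(model, {"user-1"}, (1.0, 1.0))
    for t in (100.0, 600.0, 1200.0):
        print(t, decide_exemption("system-20", (0.0, 0.0), state, now=t))
```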
It is understood that the user model of the first user exists in the database 504 of the first system 20, which can be understood as the first user entering a scenario in which a plurality of devices in the distributed system are located.
In some embodiments, after the first user performs a manual authentication process in the distributed system and the authentication result is that the authentication passes (e.g., S101-S103 of fig. 6), the first user may leave the scenario in which the plurality of devices are located in the distributed system. When the first user returns to the scene, the plurality of devices in the distributed system can retrack the first user to obtain a tracking result. When the first user triggers the authentication of any one device in the distributed system, the device can judge whether the first user is legal or not according to the tracking result, so as to judge whether the authentication is avoided or not. A specific example can be seen in fig. 10.
1. When a first user enters the scene 10 in which the multiple devices of the first system 20 are located, the device acquisition layer 501 continuously acquires the multi-dimensional eighth user features of the first user.
2. The device acquisition layer 501 sends the eighth user feature to the feature extraction of the model tracking layer 502.
3. The feature extraction of the model tracking layer 502 processes the eighth user feature to obtain a ninth user feature.
4. The feature extraction of the model tracking layer 502 sends the ninth user feature to the situation tracking.
5. The situation tracking of the model tracking layer 502 retrieves at least one already-built user model from the database 504.
6. The situation tracking of the model tracking layer 502 determines the user model of the first user from the at least one user model according to the ninth user characteristic.
7. The situation tracking of the model tracking layer 502 sends the user model of the first user to the database 504, i.e., the user model of the first user is shared with the devices in the first system 20.
8. When the device n receives a first user operation of a first user, the authentication unit of the device n in the authentication layer 503 acquires a user model of the first user shared in the database 504.
9. The authentication unit of the device n in the authentication layer 503 determines that the first user is within the preset range according to the first user operation, the user model of the first user (and optionally the location characteristics of the first user collected in real time by the device collection layer 501).
10. The authentication unit of the device n in the authentication layer 503 acquires the association relationship between the user model of the first user and the system from the model management.
11. The authentication unit of the device n in the authentication layer 503 acquires the system to which the device n belongs from the system management.
12. When the authentication unit of the device n in the authentication layer 503 determines, according to the acquired data, that the device n belongs to the first system 20 associated with the user model of the first user, it determines that the first user is legal. The first user is therefore exempted from authentication, and the user interface shown when authentication passes is displayed directly.
Illustratively, the home of user A is a scene in which a plurality of devices in the distributed system are located, and the distributed system may include a mobile phone, a smart watch, a camera, and a large screen. When user A uses the mobile phone at home, the mobile phone performs face authentication on user A and determines that the authentication is passed. The result of the authentication pass is shared to multiple devices in the distributed system. Before, during or after the face authentication of user A, multiple devices in the distributed system can continuously perform multi-dimensional human body tracking on user A. That is to say, the mobile phone can collect user A's location information, the smart watch can collect user A's heart rate information and pulse information, the camera can collect user A's posture information, and the large screen may not collect anything. A plurality of devices in the distributed system can establish a user model of user A according to the collected user characteristics and store the user model in the plurality of devices in a distributed manner. Subsequently, user A can directly use any device in the distributed system without manual authentication. For example, when user A returns home, multiple devices in the distributed system may track user A and obtain the user model of user A. The large screen may determine that user A wants to use the large screen when user A walks in front of the large screen. Even if the large screen has no acquisition capability (for example, the large screen does not include a camera), it can determine that user A is a legal user according to the user model of user A obtained by tracking and the result of passing the authentication, and authentication is exempted.
However, when other users use the devices in the distributed system, manual authentication is required. For example, the first time user B enters user A's home, multiple devices in the distributed system may track user B and determine that there is no user model for user B. When user B walks to the front of the large screen, the large screen can determine that user B wants to use the large screen, and because tracking finds no user model of user B, the large screen can determine that user B is illegal and trigger manual authentication. When user C enters user A's home for the second time, multiple devices in the distributed system may track user C and obtain the user model of user C. However, user C did not pass authentication on any device in the distributed system the first time, so when user C moves to the front of the large screen, the large screen may determine that user C is illegal according to the user model of user C obtained by the tracking, and trigger manual authentication.
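The decision that device n makes in steps 8 to 12, combined with the two validity-period variants described before them, written out as an added Python example (it is not code from the patent). The class and field names, reason strings, timestamps, device names and the user D record are assumptions constructed for illustration; tracking is reduced to an already-resolved user ID plus an in-range flag, and the re-verification of a still-valid credential is not modelled.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, Optional, Set, Tuple


class Decision(Enum):
    EXEMPT = "exempt"            # show the authenticated user interface directly
    MANUAL_AUTH = "manual_auth"  # fall back to the manual authentication process


@dataclass
class UserModel:
    user_id: str
    # Systems the model was associated with after a passed authentication.
    associated_systems: Set[str] = field(default_factory=set)
    # None means no validity period is configured for that item.
    model_valid_until: Optional[float] = None
    credential_valid_until: Optional[float] = None


@dataclass
class SharedDatabase:
    """Stands in for database 504: shared user models and device membership."""
    models: Dict[str, UserModel] = field(default_factory=dict)
    device_system: Dict[str, str] = field(default_factory=dict)


def decide(db: SharedDatabase, device_id: str, tracked_user_id: Optional[str],
           in_preset_range: bool, now: float) -> Tuple[Decision, str]:
    """Return the exemption decision and its reason; every failed check
    falls back to manual authentication (fail closed)."""
    model = db.models.get(tracked_user_id) if tracked_user_id else None
    if model is None:
        return Decision.MANUAL_AUTH, "no user model"
    if model.model_valid_until is not None and now > model.model_valid_until:
        return Decision.MANUAL_AUTH, "user model expired"
    if (model.credential_valid_until is not None
            and now > model.credential_valid_until):
        return Decision.MANUAL_AUTH, "authentication credential expired"
    if not in_preset_range:
        return Decision.MANUAL_AUTH, "outside preset range"
    system = db.device_system.get(device_id)
    if system is None or system not in model.associated_systems:
        return Decision.MANUAL_AUTH, "user model not associated with device system"
    return Decision.EXEMPT, "tracked, in range, model associated with device system"


def build_scenario() -> SharedDatabase:
    """Constructed data for the home scenario: A authenticated earlier,
    C was tracked but never authenticated, D's model has expired.
    User B has no model at all, so tracking yields no user ID for B."""
    return SharedDatabase(
        models={
            "user_a": UserModel("user_a", {"first_system"}, 2000.0, 2000.0),
            "user_c": UserModel("user_c", set(), 2000.0, None),
            "user_d": UserModel("user_d", {"first_system"}, 500.0, None),
        },
        device_system={
            "phone": "first_system",
            "large_screen": "first_system",
            "guest_tablet": "other_system",
        },
    )


if __name__ == "__main__":
    db = build_scenario()
    now = 1000.0  # constructed timestamp
    for label, user_id in [("A", "user_a"), ("B", None),
                           ("C", "user_c"), ("D", "user_d")]:
        decision, reason = decide(db, "large_screen", user_id, True, now)
        print(f"user {label}: {decision.value} ({reason})")
```

Ordering the checks so that any missing or stale input ends in manual authentication keeps the exemption path narrow: a device that is not registered in any system, or a tracking result that resolves to no model, never reaches the exempt branch.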
In the above embodiments, all or part of the implementation may be realized by software, hardware, firmware, or any combination thereof. When implemented in software, it may be implemented in whole or in part in the form of a computer program product. The computer program product includes one or more computer instructions. When the above computer program instructions are loaded and executed on a computer, the processes or functions described above in accordance with the present application are generated in whole or in part. The computer may be a general purpose computer, a special purpose computer, a network of computers, or other programmable device. The computer instructions may be stored in a computer readable storage medium or transmitted from one computer readable storage medium to another computer readable storage medium, for example, the computer instructions may be transmitted from one website, computer, server, or data center to another website, computer, server, or data center by wire (e.g., coaxial cable, fiber optic, digital subscriber line) or wirelessly (e.g., infrared, wireless, microwave, etc.). The computer-readable storage medium can be any available medium that can be accessed by a computer or a data storage device, such as a server, a data center, etc., that includes one or more of the available media. The usable medium may be a magnetic medium (e.g., floppy Disk, hard Disk, magnetic tape), an optical medium (e.g., DVD), or a semiconductor medium (e.g., Solid State Disk), among others.
In short, the above description is only an example of the technical solution of the present invention, and is not intended to limit the scope of the present invention. Any modifications, equivalents, improvements and the like made in accordance with the disclosure of the present invention should be considered as being included in the scope of the present invention.
It will be apparent to those skilled in the art that various changes and modifications may be made in the present invention without departing from the spirit and scope of the invention. Thus, if such modifications and variations of the present invention fall within the scope of the claims of the present invention and their equivalents, the present invention is also intended to include such modifications and variations.

Claims (29)

1. An identity authentication method applied to a distributed system formed by a plurality of electronic devices including a first device, a second device, and a third device, the method comprising:
the first device authenticates the first user according to the first user characteristic of the first user to obtain a first authentication result of the first user;
the first device shares the first authentication result with an electronic device in the distributed system;
if the first authentication result is that the authentication is passed, the second device and the electronic device in the distributed system share a user model of the first user, wherein the user model of the first user comprises user characteristics used for describing the first user;
and if the third device determines that the first user is in a preset range according to the user model of the first user, the third device determines that the first user is legal.
2. The method of claim 1, wherein the method further comprises:
and if the first authentication result is that the authentication is passed, the second device acquires the user characteristics of the first user at multiple time points, wherein the user characteristics of the first user at the multiple time points are used for determining the user model of the first user.
3. The method of claim 2, wherein the user characteristics of the first user at the plurality of points in time include a first characteristic and a second characteristic, the confidence of the first characteristic being greater than the confidence of the second characteristic; the method further comprises the following steps:
the second device determines a user model of the first user according to user characteristics of the first user at multiple time points, wherein the user model of the first user comprises a third characteristic and a fourth characteristic, the first characteristic and the third characteristic are of the same type, the second characteristic and the fourth characteristic are of the same type, the similarity degree of the first characteristic and the third characteristic is greater than or equal to a preset threshold value, and the similarity degree of the second characteristic and the fourth characteristic is less than the preset threshold value;
the second device updates a user model of the first user using the second feature.
4. The method according to claim 2 or 3, wherein if the third device determines that the first user is within a predetermined range according to the user model of the first user, before the third device determines that the first user is legitimate, the method further comprises:
the second device determines that the first user is in the preset range according to the user characteristics of the first user at multiple time points, and shares first indication information with the electronic device in the distributed system, wherein the first indication information is used for indicating that the first user is in the preset range;
if the third device determines that the first user is in a preset range according to the user model of the first user, the third device determines that the first user is legal, and the method includes:
and the third device determines that the first user is in the preset range according to the user model of the first user and the first indication information, and the third device determines that the first user is legal.
5. The method as claimed in any one of claims 1 to 3, wherein said determining, by said third device, that said first user is legitimate if said third device determines that said first user is within a predetermined range according to said user model of said first user, comprises:
the third device receives a first user operation of the first user;
and the third device determines that the first user is in the preset range according to the first user operation and the user model of the first user, and the third device determines that the first user is legal.
6. The method of any one of claims 1-5, further comprising:
if the first authentication result is that the authentication is passed, the second device and the electronic device in the distributed system share second indication information, wherein the second indication information is used for indicating that the user model of the first user is associated with the distributed system to which the first device belongs;
if the third device determines that the first user is in a preset range according to the user model of the first user, the third device determines that the first user is legal, including:
the third device determines that the first user is in the preset range according to the user model of the first user;
and the third device determines that the third device belongs to the distributed system associated with the user model of the first user according to the second indication information, and the third device determines that the first user is legal.
7. The method of any one of claims 1-5, further comprising:
if the first authentication result is that the first user passes the authentication, the first device and the electronic device in the distributed system share the first user characteristic of the first user;
if the third device determines that the first user is in a preset range according to the user model of the first user, the third device determines that the first user is legal, and the method includes:
the third device determines that the first user is in a preset range according to the user model of the first user;
and the third device authenticates the first user according to the first user characteristic to obtain a second authentication result of the first user, wherein the second authentication result is used for indicating whether the first user is legal or not.
8. The method of any of claims 2-4, wherein the user characteristics of the first user at multiple points in time are collected at different times by one or more electronic devices in the distributed system.
9. The method of any one of claims 1-8, wherein the predetermined range is a range with respect to the distributed system or a range with respect to the third device.
10. A method according to any one of claims 1 to 9, wherein any one electronic device in the distributed system is a device that requires authentication of the legitimacy of a user's identity prior to use.
11. An identity authentication method applied to a second device in a distributed system, the distributed system being composed of a plurality of electronic devices including a first device, the second device and a third device, the method comprising:
the second device acquires a first authentication result of a first user from the distributed system, wherein the first authentication result is obtained by the first device through authenticating the first user according to the first user characteristic of the first user;
if the first authentication result is that the authentication is passed, the second device and the electronic device in the distributed system share the user model of the first user, and the user model of the first user comprises user characteristics for describing the first user; the user model of the first user is used for tracking the first user, and the first user is legal when the first user is in a preset range.
12. The method of claim 11, wherein the method further comprises:
and if the first authentication result is that the authentication is passed, the second device acquires the user characteristics of the first user at a plurality of time points, wherein the user characteristics of the first user at the plurality of time points are used for determining the user model of the first user.
13. The method of claim 12, wherein the user features of the first user at the multiple points in time include a first feature and a second feature, the confidence of the first feature being greater than the confidence of the second feature; the method further comprises the following steps:
the second device determines a user model of the first user according to user characteristics of the first user at multiple time points, wherein the user model of the first user comprises a third characteristic and a fourth characteristic, the first characteristic and the third characteristic are of the same type, the second characteristic and the fourth characteristic are of the same type, the similarity degree of the first characteristic and the third characteristic is greater than or equal to a preset threshold value, and the similarity degree of the second characteristic and the fourth characteristic is less than the preset threshold value;
the second device updates a user model of the first user using the second feature.
14. The method of claim 12 or 13, further comprising:
the second device determines that the first user is in the preset range according to user characteristics of the first user at multiple time points, and shares first indication information with the electronic device in the distributed system, wherein the first indication information is used for indicating that the first user is in the preset range, and the first indication information is used for determining that the first user is legal by the electronic device in the distributed system.
15. The method of any one of claims 11-14, further comprising:
if the first authentication result is that the authentication is passed, the second device and the electronic device in the distributed system share second indication information, wherein the second indication information is used for indicating that the user model of the first user is associated with the distributed system to which the first device belongs;
the second indication information is used for determining that the first user is legal when the electronic device in the distributed system determines that the first user is within a preset range.
16. The method of any of claims 12-14, wherein the user characteristics of the first user at multiple points in time are collected at different times by one or more electronic devices in the distributed system.
17. The method of any one of claims 11-16, wherein the predetermined range is a range with respect to the distributed system or a range with respect to the third device.
18. A method according to any one of claims 11 to 17, wherein any one electronic device in the distributed system is a device that requires authentication of the legitimacy of a user's identity prior to use.
19. An identity authentication method applied to a third device in a distributed system, the distributed system being composed of a plurality of electronic devices including a first device, a second device, and the third device, the method comprising:
the third device acquires a user model of a first user from the distributed system, wherein the user model of the first user is acquired by the second device when a first authentication result of the first user passes authentication, the user model of the first user comprises user characteristics used for describing the first user, and the first authentication result is acquired by the first device authenticating the first user according to the first user characteristics of the first user;
and if the third device determines that the first user is in a preset range according to the user model of the first user, the third device determines that the first user is legal.
20. The method of claim 19, wherein the third device determining that the first user is legitimate if the third device determines that the first user is within a predetermined range according to the user model of the first user comprises:
the third device determines that the first user is in the preset range according to a user model of the first user and first indication information, and determines that the first user is legal, wherein the first indication information is used for indicating that the first user is in the preset range, and the first indication information is obtained by the second device according to user characteristics of the first user at multiple time points.
21. The method according to claim 19 or 20, wherein the third device determining that the first user is legitimate if the third device determines that the first user is within a predetermined range according to the user model of the first user comprises:
the third device receives a first user operation of the first user;
and the third device determines that the first user is in the preset range according to the first user operation and the user model of the first user, and the third device determines that the first user is legal.
22. The method according to any of claims 19-21, wherein said third device determining that said first user is legitimate if said third device determines that said first user is within a predetermined range according to said user model of said first user, comprises:
the third device determines that the first user is in the preset range according to the user model of the first user;
and the third device determines that the third device belongs to the distributed system associated with the user model of the first user according to second indication information, and determines that the first user is legal, wherein the second indication information is determined by the second device when the first authentication result is that the first authentication is passed, and the second indication information is used for indicating that the user model of the first user is associated with the distributed system to which the first device belongs.
23. The method according to any of claims 19-21, wherein said third device determining that said first user is legitimate if said third device determines that said first user is within a predetermined range according to said user model of said first user, comprises:
the third device determines that the first user is in a preset range according to the user model of the first user;
and the third device authenticates the first user according to the first user characteristic to obtain a second authentication result of the first user, wherein the second authentication result is used for indicating whether the first user is legal or not.
24. The method of claim 20, wherein the user characteristics of the first user at multiple points in time are collected at different times by one or more electronic devices in the distributed system.
25. The method of any one of claims 19-24, wherein the predetermined range is a range with respect to the distributed system or a range with respect to the third device.
26. A method according to any one of claims 19 to 25, wherein any one electronic device in the distributed system is a device that requires authentication of the legitimacy of a user's identity prior to use.
27. A distributed system comprising a plurality of electronic devices including a first device, a second device, and a third device, wherein:
the first device is used for authenticating a first user according to first user characteristics of the first user to obtain a first authentication result of the first user, and the first authentication result is shared with the electronic device in the distributed system;
the second device is used for sharing the user model of the first user with the electronic device in the distributed system when the first authentication result is authentication passing, wherein the user model of the first user comprises user characteristics used for describing the first user;
and the third device is used for determining that the first user is in a preset range according to the user model of the first user and determining that the first user is legal.
28. An electronic device, wherein the electronic device comprises one or more memories and one or more processors, the one or more memories being coupled with the one or more processors, wherein the one or more memories are configured to store a computer program, and wherein the one or more processors are configured to invoke the computer program, wherein the computer program comprises instructions that, when executed by the one or more processors, cause the electronic device to perform the method of any of claims 11-18, or the method of any of claims 19-26.
29. A computer storage medium comprising a computer program comprising instructions which, when executed on a processor, implement the method of any of claims 11-18, or the method of any of claims 19-26.
CN202110102425.3A 2021-01-26 2021-01-26 Identity authentication method, related device and system Pending CN114791998A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110102425.3A CN114791998A (en) 2021-01-26 2021-01-26 Identity authentication method, related device and system

Publications (1)

Publication Number Publication Date
CN114791998A true CN114791998A (en) 2022-07-26

Family

ID=82459843

Country Status (1)

Country Link
CN (1) CN114791998A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115795434A (en) * 2023-02-13 2023-03-14 北京邮电大学 Authentication method and device

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination