CN115567283A - Identity authentication method, device, electronic equipment, system and storage medium - Google Patents

Publication number
CN115567283A
Authority
CN
China
Prior art keywords
authentication
risk
information
equipment
determining
Legal status
Pending
Application number
CN202211157044.6A
Other languages
Chinese (zh)
Inventor
任肖丽
廖敏飞
刘丽娟
康亚冰
陈泽智
Current Assignee
China Construction Bank Corp
CCB Finetech Co Ltd
Original Assignee
China Construction Bank Corp
CCB Finetech Co Ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0861 Network architectures or network communication protocols for network security for authentication of entities using biometrical features, e.g. fingerprint, retina-scan
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general

Abstract

The embodiment of the invention discloses an identity authentication method, an identity authentication device, electronic equipment and a storage medium. The invention relates to the technical field of artificial intelligence. The method comprises the following steps: acquiring an authentication request sent by a browser end, and acquiring equipment risk information and service scene information according to the authentication request; determining a risk level according to the equipment risk information and the service scene information, acquiring an authentication strategy according to the risk level, and sending the authentication strategy to the browser end, wherein the authentication strategy is used for instructing the browser end to collect face recognition data according to a corresponding liveness detection mode; and acquiring the face recognition data sent by the browser end, and determining an identity authentication result according to the face recognition data and the equipment risk information. By dynamically issuing the authentication strategy to the browser end, the technical scheme of the embodiment of the invention can improve the randomness of the face recognition process; by determining the identity authentication result from both the face recognition data and the equipment risk information, it ensures the safety of face recognition and improves the accuracy of identity authentication.

Description

Identity authentication method, device, electronic equipment, system and storage medium
Technical Field
The embodiment of the invention relates to the technical field of artificial intelligence, in particular to an identity authentication method, an identity authentication device, electronic equipment, an identity authentication system and a storage medium.
Background
With the growing adoption of deep learning in artificial intelligence, the accuracy and performance of face recognition algorithms have continuously improved. With upgrades in software and hardware and improvements in algorithms and computing power, face recognition technology has steadily advanced and matured, and is now widely applied. Accordingly, the scenarios that require H5 face recognition are increasing.
In the prior art, most H5 face recognition implementations call the camera through the browser to take a picture or record a video, send the picture or video to a server, and perform living body detection or face recognition at the server. When the camera is called, because of differences between systems and browsers and the openness of H5, there is a risk that the selection of existing local photos or video data cannot be blocked: a client can easily upload photos or videos of someone other than the user, and the server cannot judge whether the videos or photos were actually shot live by the user.
Therefore, how to improve the safety of the face recognition operation becomes an urgent problem to be solved.
Disclosure of Invention
The embodiment of the invention provides an identity authentication method, an identity authentication device, identity authentication equipment, an identity authentication system and a storage medium, which are used for improving the safety of face recognition operation.
In a first aspect, an embodiment of the present invention provides an identity authentication method, including:
acquiring an authentication request sent by a browser, and acquiring equipment risk information and service scene information according to the authentication request;
determining a risk level according to the equipment risk information and the service scene information, acquiring an authentication strategy according to the risk level, and sending the authentication strategy to the browser end, wherein the authentication strategy is used for instructing the browser end to collect face recognition data according to a corresponding liveness detection mode;
acquiring face recognition data sent by the browser end, and determining an identity authentication result according to the face recognition data and equipment risk information.
In a second aspect, an embodiment of the present invention provides an identity authentication method, including:
sending an authentication request to an authentication server based on authentication operation, wherein the authentication request comprises service information and equipment identification, the service information is used for determining service scene information, the equipment identification is used for determining equipment risk information, the authentication server is used for determining a risk level according to the equipment risk information and the service scene information, and acquiring an authentication strategy according to the risk level;
acquiring an authentication strategy sent by the authentication server, and collecting face recognition data according to a liveness detection mode contained in the authentication strategy;
sending the face recognition data to the authentication server, wherein the face recognition data is used for indicating the face server to determine an identity authentication result according to the face recognition data and equipment risk information.
In a third aspect, an embodiment of the present invention further provides an identity authentication apparatus, where the apparatus includes:
the information acquisition module is used for acquiring an authentication request sent by a browser end and acquiring equipment risk information and service scene information according to the authentication request;
the policy acquisition module is used for determining a risk level according to the equipment risk information and the service scene information, acquiring an authentication policy according to the risk level, and sending the authentication policy to the browser end, wherein the authentication policy is used for instructing the browser end to acquire face recognition data according to a corresponding liveness detection mode;
and the identity authentication module is used for acquiring the face recognition data sent by the browser end and determining an identity authentication result according to the face recognition data and the equipment risk information.
In a fourth aspect, an embodiment of the present invention further provides an identity authentication apparatus, where the apparatus includes:
the authentication system comprises a request sending module, an authentication server and an authentication module, wherein the request sending module is used for sending an authentication request to the authentication server based on authentication operation, the authentication request comprises service information and equipment identification, the service information is used for determining service scene information, the equipment identification is used for determining equipment risk information, a risk level is determined according to the equipment risk information and the service scene information through the authentication server, and an authentication strategy is obtained according to the risk level;
the data acquisition module is used for acquiring the authentication strategy sent by the authentication server and acquiring the face recognition data according to the liveness detection mode contained in the authentication strategy;
and the data sending module is used for sending the face identification data to the authentication server, wherein the face identification data is used for indicating the face server to determine an identity authentication result according to the face identification data and equipment risk information.
In a fifth aspect, an embodiment of the present invention further provides an electronic device, which includes a memory, a processor, and a computer program stored in the memory and executable on the processor, where the processor implements the identity authentication method according to any one of the embodiments of the present invention when executing the program.
In a sixth aspect, an embodiment of the present invention further provides an identity authentication system, including a browser end, a service server, an authentication server, and a security monitoring server, which are in communication connection, where the authentication server and the security monitoring server implement the identity authentication method according to any one of the embodiments of the present invention when executing the program.
In a seventh aspect, an embodiment of the present invention further provides a computer-readable storage medium, on which a computer program is stored, where the computer program, when executed by a processor, implements an identity authentication method according to any one of the embodiments of the present invention.
In an eighth aspect, embodiments of the present invention further provide a computer program product, which includes a computer program and when executed by a processor, the computer program implements the identity authentication method according to any one of the embodiments of the present invention.
In the embodiment of the invention, the randomness of the face recognition process can be improved by dynamically issuing the authentication strategy to the browser end, the identity authentication result is determined by combining the face recognition data and the equipment risk information, the safety of the face recognition is ensured, and the accuracy of the identity authentication is improved.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings needed to be used in the embodiments will be briefly described below, it should be understood that the following drawings only illustrate some embodiments of the present invention and therefore should not be considered as limiting the scope, and for those skilled in the art, other related drawings can be obtained according to the drawings without inventive efforts.
Fig. 1 is a flowchart of an identity authentication method according to an embodiment of the present invention;
Fig. 2 is a flowchart of another identity authentication method according to an embodiment of the present invention;
Fig. 3 is a flowchart of another identity authentication method according to an embodiment of the present invention;
Fig. 4 is a flowchart of another identity authentication method according to an embodiment of the present invention;
Fig. 5 is a flowchart of another identity authentication method according to an embodiment of the present invention;
Fig. 6a is a schematic structural diagram of an identity authentication system according to an embodiment of the present invention;
Fig. 6b is a schematic structural diagram of an identity authentication system according to an embodiment of the present invention;
Fig. 7 is a schematic structural diagram of an identity authentication apparatus according to an embodiment of the present invention;
Fig. 8 is a schematic structural diagram of another identity authentication apparatus according to an embodiment of the present invention;
Fig. 9 is a schematic structural diagram of an electronic device of an identity authentication method according to an embodiment of the present invention.
Detailed Description
In order to make the technical solutions of the present invention better understood, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be obtained by a person skilled in the art without making any creative effort based on the embodiments in the present invention, shall fall within the protection scope of the present invention.
It should be noted that the terms "first," "second," and the like in the description and claims of the present invention and in the drawings described above are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used is interchangeable under appropriate circumstances such that the embodiments of the invention described herein are capable of operation in sequences other than those illustrated or described herein. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed, but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus. According to the technical scheme, the data acquisition, storage, use, processing and the like meet relevant regulations of national laws and regulations.
Fig. 1 is a flowchart of an identity authentication method according to an embodiment of the present invention, where the embodiment is applicable to a case of identity authentication by collecting face image information, and the method may be executed by an identity authentication device, where the identity authentication device may be implemented in a form of hardware and/or software, and the identity authentication device may be configured in an electronic device with data processing capability. As shown in fig. 1, the method includes:
S110, an authentication request sent by the browser end is obtained, and equipment risk information and service scene information are obtained according to the authentication request.
Specifically, the browser end sends a request to the cloud server, the cloud server obtains a webpage material corresponding to the request, the webpage material is analyzed and rendered and calculated at the server end, then a rendering result is sent to the browser end through a certain protocol, and the rendering result is displayed on the terminal device through the browser. The terminal device may be a smart phone, or any terminal device with a playing and/or displaying function, such as a notebook computer or a tablet computer, or a terminal device capable of controlling other devices to play and/or display videos.
Specifically, in this embodiment, the user can enter an H5 (HTML5) face recognition page through a user operation, where H5 may be a language description mode for constructing Web content. Existing H5 (HTML5) face recognition mainly has the following implementation modes: video face-scan and silent liveness face-scan. In video face-scan, the camera is called through the browser to record a video, the video is sent to the server, and video living body detection and face recognition are carried out at the server.
In this embodiment, after entering the face recognition page, the user sends an authentication request by clicking an authentication button on the browser side, where the authentication request may include service scenario information, a device identifier, and the like. Further, the service scenario information may be determined by the service information; for example, the service scenario information may include bank-related service scenarios such as credit card opening service and transfer service. The device identifier is used for uniquely identifying the terminal device: one device corresponds to one identifier ID, so the device identifier is unique and accurately represents the device on which face recognition is to be performed.
The equipment risk information is monitoring information about the operating environment of the terminal equipment and indicates whether the terminal equipment has operating risks. For example, operational risk may include having root privileges, running a simulator, or running suspicious software. The safety monitoring server can periodically obtain the monitoring information of the terminal equipment, carry out safety risk analysis on the monitoring information to obtain equipment risk information, and store the equipment identifier in association with the equipment risk information. Therefore, the authentication server can query the equipment risk information according to the equipment identifier in the authentication request.
S120, determining a risk level according to the equipment risk information and the service scene information, acquiring an authentication strategy according to the risk level, and sending the authentication strategy to the browser end, wherein the authentication strategy is used for instructing the browser end to collect the face recognition data according to a corresponding liveness detection mode.
The risk level is used for representing the risk of face recognition authentication predicted from two dimensions of the risk of the terminal equipment and the risk of a business scene. For example, if suspicious software is present in a device, the device risk level is considered high, otherwise, the device risk level is considered low. And if the business scene is transfer remittance, the business risk level is considered to be higher. And if the business scene is that the credit card is opened, the business risk level is considered to be lower. And integrating the equipment risk level and the service risk level to determine the risk level of the face recognition authentication.
In this embodiment, the risk level can be determined according to the equipment risk information and the service scene information, and the authentication strategy is obtained according to the risk level and sent to the browser end. The browser end collects the face recognition data using the corresponding liveness detection mode according to the authentication strategy issued by the server, and then uploads the face recognition data to the authentication server. Dynamically issuing the authentication strategy prevents the client from directly selecting existing local photo or video data to upload through the browser, and from easily uploading photos or videos of another person, so that the face recognition operation is completed only after a real person shoots the photos or videos on site, which improves the accuracy of identity authentication.
The authentication strategy in this embodiment is a combination of one or more living body detection methods.
Liveness detection modes may include, but are not limited to, silent, colorful (dazzle-color), and action modes.
Silent liveness detection may be performed by calling the camera through the browser to take a picture and sending the picture to the server, where the server performs silent liveness detection and face recognition.
Colorful liveness detection may be a living body detection technology that identifies counterfeiting means such as copying and synthesis through face lighting and color sequence recovery analysis, and that identifies a video of a real person recorded in advance.
Action liveness detection may be a liveness detection technique in which the user performs an action as instructed.
The authentication policy is stored in association with the risk level, wherein the authentication policy includes a combination of one or more specific liveness detection modes. The liveness detection modes corresponding to different risk levels are pre-configured to obtain the authentication strategies under different risk levels, and the risk levels and the authentication strategies are stored in association so that the authentication strategy can later be queried by risk level.
In this embodiment, since the risk level and the authentication policy correspond to each other, one or more corresponding living body detection modes may be determined according to the risk level. Specifically, an H5 face recognition liveness detection strategy is intelligently selected, choosing one or two liveness detection modes among silent, colorful and action. For example, the liveness detection mode can be silent, colorful or action alone, or silent and colorful together; the combination of liveness detection modes is not specifically limited in this embodiment and can be set flexibly as required. Once the specific combination of living body detection modes is determined, the face data is acquired using that combination.
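The following added example (not code from the patent) sketches step S120 on the authentication server: grading the request from device and scenario risk, then drawing a liveness detection ("biopsy") policy for that level at random. The store contents, key names, the rule for integrating the two risk dimensions and the mode combinations per level are all assumptions of this example.

```python
import secrets
from enum import IntEnum


class Risk(IntEnum):
    LOW = 1
    MEDIUM = 2
    HIGH = 3


# Constructed sample data standing in for the security monitoring server:
# device identifier -> latest device risk information.
MONITORING_STORE = {
    "dev-clean": {"root": False, "simulator": False, "suspicious_software": False},
    "dev-rooted": {"root": True, "simulator": False, "suspicious_software": False},
}

# Scenario grading: the text rates transfer as higher risk and credit card
# opening as lower risk. The key names are assumptions.
SCENARIO_RISK = {"credit_card_opening": Risk.LOW, "transfer": Risk.HIGH}

# Risk level -> candidate policies, each a combination of liveness modes.
# Which combinations sit at which level is an assumption of this example.
POLICY_TABLE = {
    Risk.LOW: [("silent",)],
    Risk.MEDIUM: [("colorful",), ("action",)],
    Risk.HIGH: [("silent", "colorful"), ("silent", "action"), ("colorful", "action")],
}


def grade_device(info):
    """Any operational-risk signal grades HIGH; missing monitoring data fails closed."""
    if info is None:
        return Risk.HIGH
    flagged = any(info.get(k) for k in ("root", "simulator", "suspicious_software"))
    return Risk.HIGH if flagged else Risk.LOW


def grade_request(device_id, scenario):
    """Integrate device and scenario risk.

    Assumed rule: both HIGH -> HIGH, exactly one HIGH -> MEDIUM, neither -> LOW.
    """
    device = grade_device(MONITORING_STORE.get(device_id))
    business = SCENARIO_RISK.get(scenario, Risk.HIGH)  # unknown scenario fails closed
    highs = [device, business].count(Risk.HIGH)
    return (Risk.LOW, Risk.MEDIUM, Risk.HIGH)[highs]


def issue_policy(device_id, scenario):
    """Choose the policy server-side with a CSPRNG so the client cannot predict it."""
    level = grade_request(device_id, scenario)
    modes = secrets.choice(POLICY_TABLE[level])
    return {"risk_level": level.name, "liveness_modes": list(modes)}


if __name__ == "__main__":
    print(issue_policy("dev-clean", "credit_card_opening"))
    print(issue_policy("dev-rooted", "transfer"))
```

Because the policy is drawn on the server for each request, a client that prepared media for one liveness mode cannot know in advance which mode or combination it will be asked for.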
The face recognition data in this embodiment may include face feature data in a face image.
S130, acquiring the face recognition data sent by the browser end, and determining an identity authentication result according to the face recognition data and the equipment risk information.
And the identity authentication result is used for indicating whether the face recognition authentication passes or not.
In this embodiment, the face identification data is sent to the authentication server, the authentication server performs face identification in combination with the equipment risk information and the face identification data of the security monitoring server, and an identity authentication result is determined according to the face identification data and the equipment risk information.
Optionally, determining the identity authentication result according to the face recognition data and the device risk information may include: performing living body safety analysis based on the face identification data, and determining a living body detection risk level by matching a living body safety analysis result with a third grade division rule; querying the safety monitoring server again according to the equipment identifier, acquiring second equipment risk information, matching a first grade division rule according to the second equipment risk information, and determining a second equipment risk grade; and determining a face recognition risk according to the living body detection risk level and the second equipment risk level, and determining an identity authentication result according to the face recognition risk.
The third grade division rule defines the living body detection risk levels corresponding to different living body safety analysis results. For example, the third grade division rule may set different living body detection risk levels for different risk threshold intervals; if the living body safety analysis result falls within a risk threshold interval, the living body detection risk level corresponding to that interval is taken as the living body detection risk level determined from the living body safety analysis result.
For example, the living body safety analysis is performed on the face recognition data according to a specific living body detection algorithm, and a living body safety analysis result is obtained. If the living body safety analysis result is the probability of passing liveness detection, the probability is matched with the preset risk threshold intervals, and the living body detection risk level is determined to be low, medium or high according to the matching result.
Alternatively, the third grade division rule may determine the living body detection risk level according to whether the living body safety analysis result is a pass. For example, if the living body safety analysis result is that liveness detection passed, the living body detection risk level is lower. If the living body safety analysis result is that liveness detection failed, the living body detection risk level is higher.
The safety monitoring server periodically obtains the monitoring information of the terminal device and carries out safety risk analysis on the monitoring information to obtain the device risk information. Over time, the security monitoring server obtains more monitoring information, and therefore its analysis of the equipment risk information becomes more accurate. After the face recognition data sent by the browser end is obtained, the security monitoring server is queried again based on the device identifier to obtain second device risk information. The second equipment risk information is a more accurate security risk analysis result than the first equipment risk information.
The first grade division rule is used for stipulating equipment risk information contained in different equipment risk grades. For example, the first ranking rule may specify a correspondence between a degree of damage of the equipment risk information and an equipment risk level. The device risk information includes first device risk information and second device risk information. And determining the risk level of the second equipment by matching the risk information of the second equipment with the first grade division rule.
Optionally, determining the face recognition risk according to the living body detection risk level and the second device risk level may include: and determining the face recognition risk according to the combination of the living body detection risk level and the second equipment risk level.
In this embodiment, the face recognition risk may be determined jointly in a combined form according to the living body detection risk level and the second device risk level. For example, the face recognition risk is (liveness detection risk level is medium, and the second device risk level is low, etc.).
Optionally, determining the face recognition risk according to the living body detection risk level and the second device risk level may include: and determining the face recognition risk according to the higher level of the living body detection risk level and the second equipment risk level.
In this embodiment, if the living body detection risk level is medium, and the second device risk level is high, the face recognition risk level is determined to be high.
Optionally, determining the identity authentication result according to the face recognition risk may include: judging whether the face recognition risk exceeds a risk threshold value; if so, determining the identity authentication result as authentication failure, and returning the identity authentication result to the browser end so as to display the identity authentication result through the browser; otherwise, carrying out face recognition according to the face recognition data, determining an identity authentication result according to the face recognition result, and returning the identity authentication result to the browser end so as to display the identity authentication result through the browser.
For example, if the face recognition risk is high, the identity authentication is directly determined to be failed, and the identity authentication result is returned to the browser end so as to be displayed through the browser end. And if the face recognition risk does not exceed the risk threshold, face recognition is carried out by adopting a face recognition algorithm based on the face recognition data, and an identity authentication result is determined according to the face recognition result. For example, if the face recognition result is that the matching degree of the current face and the pre-stored face of the user at the authentication server is higher than a set threshold, the identity authentication is determined to be passed, otherwise, the identity authentication is determined to be failed. And returning the identity authentication result to the browser end so as to display the identity authentication result through the browser end.
In the embodiment, the face identification data is sent to the authentication server, the authentication server performs face identification risk analysis by combining equipment risk information and living body safety analysis of the safety monitoring end, and if the face identification risk analysis fails, the identity authentication result is identity authentication failure and authentication failure is directly returned; and if the face recognition risk analysis is passed, performing face recognition authentication by using the collected face recognition data, returning a face recognition authentication result to the service server, and inquiring the face recognition authentication result through the service server by the browser end and performing corresponding service processing and result display. According to the embodiment, the authentication strategy is dynamically issued to the browser end, the randomness of the face recognition process can be improved, the face recognition data and the equipment risk information are combined to determine the identity authentication result, the safety of face recognition is guaranteed, and meanwhile the accuracy of identity authentication is improved.
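The following added example (not code from the patent) sketches the S130 decision described above: grade the liveness result against threshold intervals, query the device risk a second time, take the higher of the two levels as the face recognition risk, and run face matching only when that risk does not exceed the threshold. The interval boundaries, both thresholds, the device grading rule, the sample store and the `matcher` callable are assumptions of this example.

```python
from enum import IntEnum


class Risk(IntEnum):
    LOW = 1
    MEDIUM = 2
    HIGH = 3


# Third grade division rule as threshold intervals over the probability that
# liveness detection passed: (lower bound, level). Boundaries are assumed.
LIVENESS_INTERVALS = [(0.90, Risk.LOW), (0.60, Risk.MEDIUM)]

RISK_THRESHOLD = Risk.MEDIUM  # assumed: only HIGH exceeds the threshold
MATCH_THRESHOLD = 0.80        # assumed minimum face match degree

# Constructed answers to the second query of the security monitoring server.
# "dev-late" looked clean at request time; later monitoring data flagged it.
SECOND_QUERY = {
    "dev-clean": {"root": False, "simulator": False, "suspicious_software": False},
    "dev-late": {"root": False, "simulator": False, "suspicious_software": True},
}


def liveness_risk(pass_probability):
    """Map the liveness pass probability onto a liveness detection risk level."""
    if not 0.0 <= pass_probability <= 1.0:  # also rejects NaN
        raise ValueError("pass probability must be within [0, 1]")
    for lower_bound, level in LIVENESS_INTERVALS:
        if pass_probability >= lower_bound:
            return level
    return Risk.HIGH


def second_device_risk(device_id):
    """Re-query device risk at submission time; unknown devices fail closed."""
    info = SECOND_QUERY.get(device_id)
    if info is None:
        return Risk.HIGH
    return Risk.HIGH if any(info.values()) else Risk.LOW


def authenticate(device_id, pass_probability, matcher):
    """Return the identity authentication result.

    `matcher` is a hypothetical callable returning the match degree between the
    submitted face and the enrolled face; it is invoked only after the risk gate.
    """
    live = liveness_risk(pass_probability)
    device = second_device_risk(device_id)
    face_risk = max(live, device)  # the higher of the two levels
    result = {
        "liveness_risk": live.name,
        "device_risk": device.name,
        "face_recognition_risk": face_risk.name,
    }
    if face_risk > RISK_THRESHOLD:
        result.update(passed=False, reason="risk_exceeds_threshold")
        return result
    passed = matcher() > MATCH_THRESHOLD
    result.update(passed=passed, reason="face_matched" if passed else "face_mismatch")
    return result


if __name__ == "__main__":
    print(authenticate("dev-clean", 0.95, lambda: 0.91))
    print(authenticate("dev-late", 0.99, lambda: 0.99))
```

The `dev-late` case shows why the second query matters: a device that was graded low when the policy was issued is rejected at submission time, before any face matching runs.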
In order to further improve the randomness of face recognition authentication, some embodiments add, on top of the face scan, a string of random verification codes obtained from the authentication server in real time. Living body detection is performed at the authentication server, which checks whether the verification code read by the person in the video is consistent with the verification code issued by the server, and determines whether the person is the user according to the judgment result.
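The following added example (not code from the patent) sketches the server side of the verification-code check: the code is generated per authentication session and compared with the digits recovered from the submitted video. The code length, the expiry window, single-use handling and the `transcript` input (the output of a hypothetical recognizer run over the video) are assumptions of this example.

```python
import hmac
import secrets
import time

CODE_TTL_SECONDS = 30  # assumed validity window
CODE_DIGITS = 6        # assumed code length
_pending = {}          # authentication session id -> (code, expiry time)


def issue_code(session_id, now=None):
    """Generate a fresh random code for this session and remember it server-side."""
    now = time.monotonic() if now is None else now
    code = "".join(secrets.choice("0123456789") for _ in range(CODE_DIGITS))
    _pending[session_id] = (code, now + CODE_TTL_SECONDS)
    return code


def verify_spoken_code(session_id, transcript, now=None):
    """Check the digits recognized from the video against the issued code.

    The entry is removed on the first attempt, so a captured video cannot be
    replayed against the same code, and an expired code is rejected.
    """
    now = time.monotonic() if now is None else now
    entry = _pending.pop(session_id, None)
    if entry is None:
        return False
    code, expiry = entry
    if now > expiry:
        return False
    # Keep ASCII digits only: the recognizer may emit spaces or punctuation.
    spoken = "".join(ch for ch in transcript if ch in "0123456789")
    return hmac.compare_digest(spoken, code)


if __name__ == "__main__":
    code = issue_code("session-1")
    print(verify_spoken_code("session-1", " ".join(code)))  # first use succeeds
    print(verify_spoken_code("session-1", code))            # replay is rejected
```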
Fig. 2 is a flowchart of an identity authentication method according to an embodiment of the present invention, and further limits "acquiring device risk information and service scenario according to an authentication request" based on the above embodiment. As shown in fig. 2, the identity authentication method includes the following steps:
S210, acquiring the authentication request sent by the browser end.
S220, inquiring a safety monitoring server according to the equipment identifier in the authentication request, and acquiring first equipment risk information, wherein the safety monitoring server is used for acquiring terminal safety monitoring data acquired by a safety monitoring module arranged in the browser end, and performing safety risk analysis on the terminal safety monitoring data to acquire the equipment risk information.
In the embodiment, when an H5 face recognition page is entered, an H5 security monitoring module is initialized when the page is loaded, and terminal security monitoring data is obtained through the security detection module; and sending the terminal safety monitoring data to a safety monitoring server. And the safety monitoring server performs safety risk analysis on the terminal safety monitoring data to obtain equipment risk information. It should be noted that, after the H5 face recognition page is opened, even if the authentication button is not clicked, the security detection module may also collect terminal security monitoring data and report the terminal security monitoring data to the security monitoring server, where the reported terminal security monitoring data is associated with the device identifier, and the process may also be understood as asynchronous uploading.
In this embodiment, since the reported terminal security monitoring data is associated with the device identifier, after the authentication request is obtained, the security monitoring server is queried according to the device identifier in the authentication request, so that the first device risk information can be obtained.
In this embodiment, the terminal security monitoring data acquired by the security monitoring module may be operating environment information of the terminal device to which the browser belongs. For example, it can be determined whether the operating environment is rooted, whether emulator information is present, and whether abnormal software is installed, so as to evaluate the device risk. Abnormal software can be software that poses a risk, such as software that can lead to a bank card being fraudulently used.
The safety monitoring server side can perform safety risk analysis based on the terminal safety monitoring data to obtain equipment risk information. The equipment risk information can be understood as the analysis condition of the terminal safety monitoring data, and optionally, the type of the risk information existing in the equipment can be determined through the terminal safety monitoring data. For example, if suspicious software is present in a device, the device risk information type may be the presence of suspicious software.
S230, determining the service scene information according to the service information in the authentication request.
S240, determining a risk level according to the equipment risk information and the service scene information, obtaining an authentication strategy according to the risk level, and sending the authentication strategy to the browser end, wherein the authentication strategy is used for instructing the browser end to collect the face recognition data according to a corresponding living body detection mode.
S250, acquiring the face recognition data sent by the browser end, and determining an identity authentication result according to the face recognition data and the equipment risk information.
According to the embodiment of the invention, the terminal safety monitoring data of the terminal equipment is acquired in real time through the safety monitoring module built into the browser end and is sent to the safety monitoring server. After the safety monitoring server performs safety risk analysis on the terminal safety monitoring data, the equipment risk information is associated with the terminal identifier. Once the authentication request is obtained, the equipment risk information can be obtained by querying the safety monitoring server with the equipment identifier in the authentication request. This improves the efficiency of obtaining the equipment risk information, ensures the safety of face recognition, and improves the accuracy of identity authentication.
Fig. 3 is a flowchart of an identity authentication method according to an embodiment of the present invention, and further defines "determining a risk level according to equipment risk information and a service scenario" on the basis of the embodiment. As shown in fig. 3, the identity authentication method includes the following steps:
S310, acquiring the authentication request sent by the browser end.
S320, inquiring a safety monitoring server according to the equipment identifier in the authentication request to acquire first equipment risk information, wherein the safety monitoring server is used for acquiring terminal safety monitoring data acquired by a safety monitoring module built in the browser end, and performing safety risk analysis on the terminal safety monitoring data to acquire the equipment risk information.
S330, determining the service scene information according to the service information in the authentication request.
S340, matching a first grade division rule according to the first equipment risk information, and determining a first equipment risk grade, wherein the first grade division rule stipulates the equipment risk information contained in different equipment risk grades.
The first equipment risk information can indicate whether the current operating environment is rooted, whether emulator information is present, and whether abnormal software is installed; the service scene information can be a bank-related service scene such as a credit card opening service or a transfer service.
In this embodiment, if the device risk information indicates that abnormal software is installed in the operating environment of the terminal device, the risk level of the terminal device is higher.
S350, matching a second-level division rule according to the business scene information, and determining the business risk level, wherein the second-level division rule stipulates the business scene information contained in different business risk levels.
Service scenes corresponding to different business risk levels are preset. This embodiment may determine the business risk level by matching the business scenario against the second-level division rule. For example, if the service scene information is a credit card opening service, the business risk level is low; if the service scene information is transfer remittance, the business risk level is high.
S360, determining the risk level according to the equipment risk level and the business risk level.
Optionally, S360 may include: determining a risk level according to the combination of the first equipment risk level and the business risk level.
In this embodiment, the risk level may be determined jointly in a combined form according to the first device risk level and the business risk level. For example, the risk level is (first device risk level is low, business risk level is high).
Optionally, S360 may include: determining the risk level according to the higher level of the first equipment risk level and the business risk level.
In this embodiment, if the first device risk level is low and the business risk level is high, the risk level is determined to be high.
Optionally, when the risk level is higher, the identity authentication may fail.
Optionally, when the risk level is higher, an alarm message may be sent to prompt the user. The warning information may appear in a text or sound manner, which is not specifically limited in this embodiment.
S370, acquiring an authentication strategy according to the risk level, and sending the authentication strategy to the browser end, wherein the authentication strategy is used for instructing the browser end to collect the face recognition data according to a corresponding living body detection mode.
S380, acquiring the face recognition data sent by the browser end, and determining an identity authentication result according to the face recognition data and the equipment risk information.
In the embodiment, different grade division rules are preset, the equipment risk information and the service scene information are respectively adopted to match the grade division rules, the equipment risk grade and the service risk grade are determined, and the equipment risk grade and the service risk grade are integrated to determine the risk grade of face recognition authentication, so that the determination efficiency of the risk grade is improved, and the safety of identity authentication is also ensured.
Fig. 4 is a flowchart of another identity authentication method provided in an embodiment of the present invention, where this embodiment is applicable to a case of performing identity authentication by collecting face image information, and the method may be executed by an identity authentication apparatus, where the identity authentication apparatus may be implemented in a form of hardware and/or software, and the identity authentication apparatus may be configured in an electronic device with data processing capability. The same terms as those of the above embodiments are not described herein. As shown in fig. 4, the method includes:
S410, an authentication request is sent to an authentication server based on an authentication operation, wherein the authentication request comprises service information and an equipment identifier, the service information is used for determining service scene information, the equipment identifier is used for determining equipment risk information, and the authentication server is used for determining a risk level according to the equipment risk information and the service scene information and obtaining an authentication strategy according to the risk level.
The authentication server is a server which dynamically generates an authentication strategy and performs identity authentication based on face identification data.
The terminal equipment of the browser end establishes a long-lived connection with the service server based on the set communication protocol, and sends the authentication request to the service server over it.
Illustratively, the authentication request is initiated by clicking the page authentication button at the browser end, and the service information and the equipment identifier are sent to the service server. The service server initializes based on the service information and the equipment identifier and, to realize service initialization, sets a service identification ID for each service. The service server sends the service identification ID together with the authentication request to the authentication server, which performs the corresponding initialization based on the service information, the equipment identifier and the service identification ID. Because the service identification IDs are consistent, the two servers are guaranteed to process the same service.
S420, acquiring the authentication strategy sent by the authentication server, and collecting face recognition data according to the living body detection mode contained in the authentication strategy.
The terminal equipment of the browser end establishes a long-lived connection with the authentication server based on the set communication protocol, and obtains the authentication strategy from the authentication server over it.
Living body detection modes may include, but are not limited to, silent, dazzle, and action modes. In silent living body detection, the browser calls the camera to take a picture and sends the picture to a server, and the server performs silent living body detection and face recognition.
Dazzle living body detection can be a living body detection technique that, by means such as lighting the face and analyzing the recovered color sequence, identifies forgery means such as recapture, synthesis, and pre-recorded video of a real person.
Action living body detection can be a living body detection technique in which an action is performed as instructed.
Optionally, collecting the face recognition data according to the living body detection mode contained in the authentication strategy may include: collecting the face recognition data with the corresponding living body detection algorithm according to the living body detection mode contained in the authentication strategy.
The face recognition data in this embodiment may include face feature data in a face image.
S430, sending the face recognition data to the authentication server, wherein the face recognition data is used for instructing the face server to determine an identity authentication result according to the face recognition data and the equipment risk information.
The browser end maintains the long-lived connection with the authentication server, and sends the face recognition data to the authentication server once the data has been collected.
The browser end acquires the identity authentication result returned by the authentication server and displays it. If the identity authentication is not passed, prompt information indicating that the identity authentication failed is displayed through the browser. If the identity authentication is passed, prompt information indicating that it passed is displayed through the browser, and the subsequent business process is executed.
In this embodiment, the authentication strategy dynamically issued by the authentication server is obtained, and the face recognition data is collected according to the living body detection mode contained in the authentication strategy and sent to the authentication server, which improves the randomness of the face recognition process. Because the authentication server determines the identity authentication result from both the face recognition data and the equipment risk information, the safety of face recognition is ensured and the accuracy of identity authentication is improved.
In order to further improve the randomness of face recognition authentication, some embodiments, on top of the video face scan, obtain a string of random verification codes from the authentication server in real time, display them through the browser, and instruct the user to read them aloud. A video containing the read-aloud action is sent to the authentication server, which performs living body detection, checks whether the verification code read aloud by the person in the video is consistent with the verification code issued by the server, and determines from that judgment whether the person reading aloud is the user.
Fig. 5 is a flowchart of an identity authentication method according to an embodiment of the present invention, and further limits "sending an authentication request to an authentication server based on an authentication operation" on the basis of the embodiment. As shown in fig. 5, the identity authentication method further includes the following steps:
S510, when the face recognition page is loaded, initializing a safety monitoring module, and reporting terminal safety monitoring data to a safety monitoring server through the safety monitoring module according to a set period, wherein the safety monitoring server is used for acquiring the terminal safety monitoring data and performing safety risk analysis on the terminal safety monitoring data to obtain equipment risk information.
In the embodiment, when an H5 face recognition page is entered, an H5 security monitoring module is initialized when the page is loaded, and terminal security monitoring data is obtained through the security detection module; and sending the terminal safety monitoring data to a safety monitoring server. And the safety monitoring server performs safety risk analysis on the terminal safety monitoring data to obtain equipment risk information. It should be noted that, after the H5 face recognition page is opened, even if the authentication button is not clicked, the security detection module collects terminal security monitoring data according to a set period and reports the terminal security monitoring data to the security monitoring server, the reported terminal security monitoring data is associated with the device identifier, and the process can also be understood as asynchronous uploading.
In this embodiment, since the reported terminal security monitoring data is associated with the device identifier, after the authentication request is obtained, the security monitoring server is queried according to the device identifier in the authentication request, and then the device risk information can be obtained.
In this embodiment, the terminal security monitoring data acquired by the security monitoring module may be operating environment information of the terminal device to which the browser belongs. For example, it can be determined whether the operating environment is rooted, whether emulator information is present, and whether abnormal software is installed, so as to evaluate the device risk. Abnormal software can be software that poses a risk, such as software that can cause a bank card to be swiped illegally.
The safety monitoring server side can perform safety risk analysis based on the terminal safety monitoring data to obtain equipment risk information. The equipment risk information can be understood as the analysis condition of the terminal safety monitoring data, and optionally, the type of the risk information existing in the equipment can be determined through the terminal safety monitoring data. For example, if suspicious software is present in the device, the device risk information type may be the presence of suspicious software.
S520, detecting the user operation of the specific authentication control in the service page, and generating an authentication request according to the service information and the equipment identifier.
S530, sending an authentication request to a service server, initializing based on service information through the service server, and sending the authentication request and initialization information to an authentication server through the service server.
The authentication request comprises service information and equipment identification, the service information is used for determining service scene information, the equipment identification is used for determining equipment risk information, the authentication server side is used for determining a risk level according to the equipment risk information and the service scene information, and an authentication strategy is obtained according to the risk level.
An authentication request is initiated by clicking the page authentication button at the browser end, and the service information and the equipment identifier are sent through the service server to the authentication server for initialization based on the service information. To realize service initialization, an identification ID is set for each service and sent to the authentication server together with the request, and the corresponding initialization is performed at the face authentication server. Because the service IDs are consistent, the two servers are guaranteed to process the same service.
S540, acquiring the authentication strategy sent by the authentication server, and collecting face recognition data according to the living body detection mode contained in the authentication strategy.
S550, sending the face recognition data to the authentication server, wherein the face recognition data is used for instructing the face server to determine an identity authentication result according to the face recognition data and the equipment risk information.
In this embodiment, the terminal safety monitoring data of the terminal device is collected in real time through the safety monitoring module built into the browser end and is sent to the safety monitoring server. After the safety monitoring server performs safety risk analysis on the terminal safety monitoring data, the equipment risk information is associated with the terminal identifier. Once the authentication request is obtained, the equipment risk information can be obtained by querying the safety monitoring server with the equipment identifier in the authentication request. This improves the efficiency of obtaining the equipment risk information, guarantees the safety of face recognition, and improves the accuracy of identity authentication.
Fig. 6a is a timing diagram of an identity authentication method according to an embodiment of the present invention. As shown in fig. 6a, the method comprises:
S601, the browser end initializes the H5 safety monitoring module.
S602, the browser end asynchronously uploads the terminal safety monitoring data acquired by the safety monitoring module to the safety monitoring server.
The browser end can be used for entering an H5 face recognition page, initializing an H5 safety monitoring module when the page is loaded, and asynchronously uploading terminal safety monitoring data to a safety monitoring service end, wherein the safety monitoring service end is used for acquiring terminal safety monitoring data acquired by a safety monitoring module arranged in the browser end.
S603, the safety monitoring server collects terminal safety monitoring data.
S604, the safety monitoring server performs safety risk analysis on the terminal safety monitoring data.
The safety monitoring server-side carries out safety risk analysis on the terminal safety monitoring data to obtain equipment risk information. The device risk information is stored in association with the device identification.
S605, the browser end sends an authentication request to the service server, wherein the authentication request comprises service information and equipment identification.
The method comprises the steps of initiating an authentication request through an authentication button, uploading service scene information and equipment risk information contained in the authentication request to a service server, wherein the service server is used for initializing based on the service information in the authentication request and sending initialization information to an authentication server.
S606, the service server acquires the authentication request and performs H5 face-scan initialization.
For example, the service server receives the service information and the equipment identifier included in the authentication request to perform H5 face-scan initialization, and then sends the H5 face-scan initialization information to the safety monitoring server.
The service server can be used for performing H5 face-scan initialization and sending the H5 face-scan initialization information to the safety monitoring server.
S607, the safety monitoring server acquires the authentication request and performs H5 face-scan initialization.
S608, the authentication server sends the equipment identification to the safety monitoring server.
S609, the safety monitoring server queries the equipment risk information according to the equipment identifier and returns the equipment risk information to the authentication server.
S610, the authentication server dynamically generates an authentication strategy according to the equipment risk information and the service scene information, and returns the authentication strategy to the authentication server.
S611, the authentication server returns the authentication policy and other initialization information to the browser.
S612, the browser end performs living body detection using the living body detection mode included in the authentication strategy and collects face recognition data.
S613, the browser end uploads the face recognition data to the authentication server.
The authentication server dynamically generates an authentication strategy according to the risk level and returns the authentication strategy and other initialization information to the browser end; the browser end performs living body detection using the living body detection mode included in the authentication strategy and uploads the face recognition data to the authentication server.
S614, the authentication server performs living body safety analysis based on the face recognition data.
S615, the authentication server judges, according to the living body safety analysis result and the equipment risk information, whether the face recognition risk passes the risk requirement; if so, S616 is executed, and if not, S622 is executed.
S616, the authentication server performs face-scan authentication.
Face recognition is performed on the face recognition data reported by the browser end, and the face recognition result is matched against the pre-stored face to realize face-scan authentication.
S617, the browser end performs the success callback.
S618, the browser end sends a result query request to the service server.
S619, the service server forwards the result query request to the authentication server.
S620, the authentication server queries the face-scan result based on the result query request.
S621, the authentication server sends the face-scan result to the browser end, and S623 is executed.
S622, the browser end performs the failure callback.
S623, the browser end displays the face-scan result.
If the identity authentication is successful, returning a successful identity authentication result to the browser end, wherein the browser end can inquire the identity authentication result and sequentially return the identity authentication result to the service server and the authentication service end, and the authentication service end returns the result to the browser end to display the identity authentication result; and if the identity authentication is not passed, returning a failed result to the browser end, and displaying the failed authentication result by the browser end.
Fig. 6b is a block diagram of an identity authentication system according to an embodiment of the present invention. As shown in fig. 6b, the system comprises: a browser end 6011, a service server 6012, an authentication server 6013 and a safety monitoring server 6014, which are in communication connection.
The safety monitoring server 6014 is configured to acquire terminal safety monitoring data acquired by a safety monitoring module built in the browser end, and perform safety risk analysis on the terminal safety monitoring data to obtain equipment risk information;
the service server 6012, configured to initialize based on the service information in the authentication request, and send the authentication request and the initialization information to the authentication server;
an authentication server 6013, configured to execute the identity authentication method in any one of the foregoing embodiments;
the browser 6011 is configured to execute the identity authentication method according to any of the embodiments.
According to the embodiment, the authentication strategy is dynamically issued to the browser end, the randomness of the face recognition process can be improved, the face recognition data and the equipment risk information are combined to determine the identity authentication result, the safety of face recognition is guaranteed, and meanwhile the accuracy of identity authentication is improved.
Fig. 7 is a schematic structural diagram of an identity authentication apparatus according to an embodiment of the present invention. The device can execute the identity authentication method provided by the embodiment of the invention to improve the security of identity authentication. The apparatus is configured in an electronic device, such as a server or a cluster of servers. As shown in fig. 7, the apparatus includes:
the information acquisition module 701 is used for acquiring an authentication request sent by a browser end and acquiring equipment risk information and service scene information according to the authentication request;
a policy obtaining module 702, configured to determine a risk level according to the device risk information and the service scenario information, obtain an authentication policy according to the risk level, and send the authentication policy to the browser end, where the authentication policy is used to instruct the browser end to collect face recognition data according to a corresponding living body detection mode;
the identity authentication module 703 is configured to acquire the face recognition data sent by the browser, and determine an identity authentication result according to the face recognition data and the device risk information.
The identity authentication device provided by the embodiment of the invention is configured to execute the identity authentication method; its implementation principle and technical effect are similar to those of the identity authentication method, and the details are not repeated here.
Further, the information obtaining module 701 is specifically configured to:
inquiring a safety monitoring server according to the equipment identifier in the authentication request to acquire first equipment risk information, wherein the safety monitoring server is used for acquiring terminal safety monitoring data acquired by a safety monitoring module arranged in the browser end and carrying out safety risk analysis on the terminal safety monitoring data to acquire equipment risk information;
and determining service scene information according to the service information in the authentication request.
Further, the policy obtaining module 702 is specifically configured to:
matching a first grade division rule according to the first equipment risk information, and determining a first equipment risk grade, wherein the first grade division rule is used for stipulating equipment risk information contained in different equipment risk grades;
matching a second-level division rule according to the service scene information, and determining service risk levels, wherein the second-level division rule is used for stipulating service scene information contained in different service risk levels;
and determining the risk level according to the equipment risk level and the business risk level.
Further, the policy obtaining module 702 may be further configured to:
and determining the risk level according to the combination of the first equipment risk level and the business risk level.
Further, the policy obtaining module 702 may be further configured to:
and determining the risk level according to the higher level of the first equipment risk level and the business risk level.
Further, the authentication policy is stored in association with a risk level, wherein the authentication policy includes one or more combinations of specific living body detection modes.
Further, the identity authentication module 703 is specifically configured to:
performing living body safety analysis based on the face identification data, and determining a living body detection risk level by matching a living body safety analysis result with a third level division rule;
querying the safety monitoring server again according to the equipment identifier, acquiring second equipment risk information, matching the first grade division rule according to the second equipment risk information, and determining a second equipment risk grade;
and determining a face recognition risk according to the living body detection risk level and the second equipment risk level, and determining an identity authentication result according to the face recognition risk.
Further, the identity authentication module 703 may be further configured to:
and determining the face recognition risk according to the combination of the living body detection risk level and the second equipment risk level.
Further, the identity authentication module 703 may be further configured to:
and determining the face recognition risk according to the higher level of the living body detection risk level and the second equipment risk level.
Further, the identity authentication module 703 may be further specifically configured to:
judging whether the face recognition risk exceeds a risk threshold value;
if so, determining that the identity authentication result is authentication failure, and returning the identity authentication result to the browser end so as to display the identity authentication result through the browser;
otherwise, carrying out face recognition according to the face recognition data, determining an identity authentication result according to a face recognition result, and returning the identity authentication result to the browser end so as to display the identity authentication result through the browser.
The identity authentication device provided by the embodiment of the invention can execute the steps executed by the server in the identity authentication method provided by the embodiment of the invention, and has the corresponding functional modules and beneficial effects of the execution method.
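The server-side flow described above, as an added Python sketch that is not code from the patent: it uses the "higher of the two levels" variant for both the policy risk level and the face recognition risk, and queries device risk a second time at verification. The rule tables, signal names, liveness mode names, score cut-offs, threshold and the fail-closed handling of unknown inputs are constructed assumptions.

```python
from enum import IntEnum
from typing import Callable, Dict, FrozenSet, Iterable, List, Tuple


class Level(IntEnum):
    LOW = 1
    MEDIUM = 2
    HIGH = 3


# Every table below is constructed for illustration; the page names no
# concrete signals, scenes, liveness modes or thresholds.
DEVICE_RULES: Dict[str, Level] = {      # first grade division rule
    "virtual_camera": Level.HIGH,
    "debugger_attached": Level.HIGH,
    "emulator": Level.MEDIUM,
}
SCENE_RULES: Dict[str, Level] = {       # second grade division rule
    "balance_query": Level.LOW,
    "profile_change": Level.MEDIUM,
    "large_transfer": Level.HIGH,
}
POLICIES: Dict[Level, List[str]] = {    # policy stored per risk level
    Level.LOW: ["silent"],
    Level.MEDIUM: ["blink"],
    Level.HIGH: ["blink", "head_turn", "colour_flash"],
}
RISK_THRESHOLD = Level.MEDIUM           # a face recognition risk above this fails

Monitor = Callable[[str], FrozenSet[str]]


class StubMonitor:
    """Constructed stand-in for the safety monitoring server."""

    def __init__(self) -> None:
        self._signals: Dict[str, FrozenSet[str]] = {}

    def report(self, device_id: str, signals: Iterable[str]) -> None:
        self._signals[device_id] = frozenset(signals)

    def query(self, device_id: str) -> FrozenSet[str]:
        # A device that never reported is not treated as clean (assumption).
        return self._signals.get(device_id, frozenset({"no_telemetry"}))


def grade_device(signals: FrozenSet[str]) -> Level:
    """Unknown signals grade HIGH, so a new signal type fails closed."""
    level = Level.LOW
    for signal in signals:
        level = max(level, DEVICE_RULES.get(signal, Level.HIGH))
    return level


def grade_scene(scene: str) -> Level:
    return SCENE_RULES.get(scene, Level.HIGH)


def grade_liveness(spoof_score: float) -> Level:
    """Third level division rule over a 0..1 spoof score (assumed scale)."""
    if spoof_score < 0.2:
        return Level.LOW
    if spoof_score < 0.6:
        return Level.MEDIUM
    return Level.HIGH


def select_policy(device_id: str, scene: str,
                  monitor: Monitor) -> Tuple[Level, List[str]]:
    """Risk level = higher of first device risk level and business risk level."""
    risk = max(grade_device(monitor(device_id)), grade_scene(scene))
    return risk, POLICIES[risk]


def authenticate(device_id: str, spoof_score: float,
                 face_matches: Callable[[], bool], monitor: Monitor) -> str:
    """Gate on face recognition risk before any face comparison runs."""
    liveness = grade_liveness(spoof_score)
    second_device = grade_device(monitor(device_id))  # queried again, not cached
    face_risk = max(liveness, second_device)
    if face_risk > RISK_THRESHOLD:
        return "fail: risk"
    return "pass" if face_matches() else "fail: no match"


if __name__ == "__main__":
    mon = StubMonitor()
    mon.report("dev-1", [])
    print(select_policy("dev-1", "large_transfer", mon.query))
    print(authenticate("dev-1", 0.05, lambda: True, mon.query))
    # Telemetry changes between policy issuance and verification.
    mon.report("dev-1", ["virtual_camera"])
    print(authenticate("dev-1", 0.05, lambda: True, mon.query))
```

Because the second query reads current telemetry, a device whose state degrades after the policy was issued is rejected even when the liveness result and the face comparison would both have succeeded.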
Fig. 8 is a schematic structural diagram of another identity authentication apparatus according to an embodiment of the present invention, and specifically, the identity authentication apparatus may be configured in an electronic device, for example, the electronic device may be a terminal device with a camera, such as a smart phone and a notebook computer. As shown in fig. 8, the apparatus includes:
a request sending module 801, configured to send an authentication request to an authentication server based on an authentication operation, where the authentication request includes service information and a device identifier, the service information is used to determine service scenario information, the device identifier is used to determine device risk information, a risk level is determined by the authentication server according to the device risk information and the service scenario information, and an authentication policy is obtained according to the risk level;
a data acquisition module 802, configured to acquire an authentication policy sent by the authentication server, and collect face recognition data according to the liveness detection mode included in the authentication policy;
a data sending module 803, configured to send the face recognition data to the authentication server, where the face recognition data is used to instruct the face server to determine an identity authentication result according to the face recognition data and the equipment risk information.
Further, the above embodiment further includes:
the safety monitoring server is used for acquiring the terminal safety monitoring data and carrying out safety risk analysis on the terminal safety monitoring data to obtain equipment risk information.
Further, the request sending module 801 is specifically configured to:
detecting user operation of a specific authentication control in a business page, and generating an authentication request according to business information and equipment identification;
and sending an authentication request to the service server, initializing based on the service information through the service server, and sending the authentication request and initialization information to the authentication server through the service server.
Further, the data acquisition module 802 is specifically configured to:
and collecting face recognition data by using the liveness detection algorithm that corresponds to the liveness detection mode contained in the authentication policy.
The identity authentication device provided by the embodiment of the invention can execute the steps executed by the server in the identity authentication method provided by the embodiment of the invention, and has the corresponding functional modules and beneficial effects of the execution method.
Fig. 9 is a schematic structural diagram of an electronic device according to an embodiment of the present invention. Electronic devices are intended to represent various forms of digital computers, such as laptops, desktops, workstations, personal digital assistants, servers, blade servers, mainframes, and other appropriate computers. The components shown herein, their connections and relationships, and their functions, are meant to be exemplary only, and are not meant to limit implementations of the inventions described and/or claimed herein.
As shown in fig. 9, the electronic device 10 includes at least one processor 11, and a memory communicatively connected to the at least one processor 11, such as a Read Only Memory (ROM) 12, a Random Access Memory (RAM) 13, and the like, wherein the memory stores a computer program executable by the at least one processor, and the processor 11 may perform various appropriate actions and processes according to the computer program stored in the Read Only Memory (ROM) 12 or the computer program loaded from the storage unit 18 into the Random Access Memory (RAM) 13. In the RAM 13, various programs and data necessary for the operation of the electronic apparatus 10 may also be stored. The processor 11, the ROM 12, and the RAM 13 are connected to each other via a bus 14. An input/output (I/O) interface 15 is also connected to bus 14.
A number of components in the electronic device 10 are connected to the I/O interface 15, including: an input unit 16 such as a keyboard, a mouse, or the like; an output unit 17 such as various types of displays, speakers, and the like; a storage unit 18 such as a magnetic disk, optical disk, or the like; and a communication unit 19 such as a network card, modem, wireless communication transceiver, etc. The communication unit 19 allows the electronic device 10 to exchange information/data with other devices via a computer network, such as the internet, and/or various telecommunication networks.
The processor 11 may be a variety of general and/or special purpose processing components having processing and computing capabilities. Some examples of processor 11 include, but are not limited to, a Central Processing Unit (CPU), a Graphics Processing Unit (GPU), various dedicated Artificial Intelligence (AI) computing chips, various processors running machine learning model algorithms, a Digital Signal Processor (DSP), and any suitable processor, controller, microcontroller, and so forth. The processor 11 performs the various methods and processes described above, such as an identity authentication method.
In some embodiments, an identity authentication method may be implemented as a computer program tangibly embodied in a computer-readable storage medium, such as storage unit 18. In some embodiments, part or all of the computer program may be loaded and/or installed onto the electronic device 10 via the ROM 12 and/or the communication unit 19. When the computer program is loaded into RAM 13 and executed by processor 11, one or more steps of an identity authentication method described above may be performed. Alternatively, in other embodiments, the processor 11 may be configured to perform an identity authentication method by any other suitable means (e.g. by means of firmware).
Various implementations of the systems and techniques described above may be implemented in digital electronic circuitry, integrated circuitry, Field Programmable Gate Arrays (FPGAs), Application Specific Integrated Circuits (ASICs), Application Specific Standard Products (ASSPs), systems on a chip (SOCs), Complex Programmable Logic Devices (CPLDs), computer hardware, firmware, software, and/or combinations thereof. These various embodiments may include implementation in one or more computer programs that are executable and/or interpretable on a programmable system including at least one programmable processor, which may be special or general purpose, receiving data and instructions from, and transmitting data and instructions to, a storage system, at least one input device, and at least one output device.
A computer program for implementing the methods of the present invention may be written in any combination of one or more programming languages. These computer programs may be provided to a processor of a general purpose computer, special purpose computer, or other programmable data processing apparatus, such that the computer programs, when executed by the processor, cause the functions/acts specified in the flowchart and/or block diagram block or blocks to be performed. A computer program can execute entirely on a machine, partly on the machine, as a stand-alone software package, partly on the machine and partly on a remote machine or entirely on the remote machine or server.
In the context of the present invention, a computer-readable storage medium may be a tangible medium that can contain, or store a computer program for use by or in connection with an instruction execution system, apparatus, or device. A computer readable storage medium may include, but is not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any suitable combination of the foregoing. Alternatively, the computer readable storage medium may be a machine readable signal medium. More specific examples of a machine-readable storage medium would include an electrical connection based on one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
To provide for interaction with a user, the systems and techniques described here can be implemented on an electronic device having: a display device (e.g., a CRT (cathode ray tube) or LCD (liquid crystal display) monitor) for displaying information to a user; and a keyboard and a pointing device (e.g., a mouse or a trackball) by which a user can provide input to the electronic device. Other kinds of devices may also be used to provide for interaction with a user; for example, feedback provided to the user can be any form of sensory feedback (e.g., visual feedback, auditory feedback, or tactile feedback); and input from the user can be received in any form, including acoustic, speech, or tactile input.
The systems and techniques described here can be implemented in a computing system that includes a back-end component (e.g., as a data server), or that includes a middleware component (e.g., an application server), or that includes a front-end component (e.g., a user computer having a graphical user interface or a web browser through which a user can interact with an implementation of the systems and techniques described here), or any combination of such back-end, middleware, or front-end components. The components of the system can be interconnected by any form or medium of digital data communication (e.g., a communication network). Examples of communication networks include: Local Area Networks (LANs), Wide Area Networks (WANs), blockchain networks, and the Internet.
The computing system may include clients and servers. A client and server are generally remote from each other and typically interact through a communication network. The relationship of client and server arises by virtue of computer programs running on the respective computers and having a client-server relationship to each other. The server can be a cloud server, also called a cloud computing server or a cloud host, and is a host product in a cloud computing service system, so that the defects of high management difficulty and weak service expansibility in the traditional physical host and VPS service are overcome.
Optionally, an embodiment of the present invention further provides a computer program product, including a computer program, where the computer program, when executed by a processor, implements an identity authentication method as provided in any embodiment of the present application.
The computer program code of the computer program product for carrying out operations of the present invention may be written in any combination of one or more programming languages, including an object oriented programming language such as Java, Smalltalk, C++, and conventional procedural programming languages, such as the "C" programming language or similar programming languages. The program code may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer or entirely on the remote computer or server. In the case of a remote computer, the remote computer may be connected to the user's computer through any type of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or the connection may be made to an external computer (for example, through the Internet using an Internet service provider).
It should be understood that the flows shown above may be used in various forms, with steps reordered, added or deleted. For example, the steps described in the present invention may be executed in parallel, sequentially, or in different orders, and are not limited herein as long as the desired result of the technical solution of the present invention can be achieved.
The above-described embodiments should not be construed as limiting the scope of the invention. It should be understood by those skilled in the art that various modifications, combinations, sub-combinations and substitutions may be made, depending on design requirements and other factors. Any modification, equivalent replacement, and improvement made within the spirit and principle of the present invention should be included in the protection scope of the present invention.

Claims (24)

1. An identity authentication method, comprising:
acquiring an authentication request sent by a browser end, and acquiring equipment risk information and service scene information according to the authentication request;
determining a risk level according to the equipment risk information and the service scene information, acquiring an authentication policy according to the risk level, and sending the authentication policy to the browser end, wherein the authentication policy is used for instructing the browser end to collect face recognition data according to a corresponding liveness detection mode;
and acquiring the face recognition data sent by the browser end, and determining an identity authentication result according to the face recognition data and the equipment risk information.
2. The method according to claim 1, wherein the obtaining device risk information and service scenario information according to the authentication request comprises:
inquiring a safety monitoring server according to the equipment identifier in the authentication request to acquire first equipment risk information, wherein the safety monitoring server is used for acquiring terminal safety monitoring data acquired by a safety monitoring module arranged in the browser end and carrying out safety risk analysis on the terminal safety monitoring data to acquire equipment risk information;
and determining service scene information according to the service information in the authentication request.
3. The method of claim 2, wherein determining a risk level based on the device risk information and the traffic scenario information comprises:
matching a first grade division rule according to the first equipment risk information, and determining a first equipment risk grade, wherein the first grade division rule is used for stipulating equipment risk information contained in different equipment risk grades;
matching a second grade division rule according to the service scene information, and determining a service risk level, wherein the second grade division rule is used for stipulating service scene information contained in different service risk levels;
and determining the risk level according to the equipment risk level and the business risk level.
4. The method of claim 3, wherein determining the risk level based on the equipment risk level and the business risk level comprises:
and determining the risk level according to the combination of the first equipment risk level and the business risk level.
5. The method of claim 3, wherein determining the risk level based on the equipment risk level and the business risk level comprises:
and determining the risk level according to the higher level of the first equipment risk level and the business risk level.
6. The method of claim 1, wherein the authentication policy is stored in association with a risk level, wherein the authentication policy comprises one or more combinations of specific liveness detection modalities.
7. The method of claim 3, wherein determining an identity authentication result based on the face recognition data and the device risk information comprises:
performing living body safety analysis based on the face identification data, and determining a living body detection risk level by matching a living body safety analysis result with a third level division rule;
querying the safety monitoring server again according to the equipment identifier, acquiring second equipment risk information, matching the first grade division rule according to the second equipment risk information, and determining a second equipment risk grade;
and determining a face recognition risk according to the living body detection risk level and the second equipment risk level, and determining an identity authentication result according to the face recognition risk.
8. The method of claim 7, wherein determining a face recognition risk from the liveness detection risk level and a second device risk level comprises:
and determining the face recognition risk according to the combination of the living body detection risk level and the second equipment risk level.
9. The method of claim 7, wherein determining a face recognition risk from the liveness detection risk level and a second device risk level comprises:
and determining the face recognition risk according to the higher level of the living body detection risk level and the second equipment risk level.
10. The method of claim 7, wherein determining an authentication result according to the face recognition risk comprises:
judging whether the face recognition risk exceeds a risk threshold;
if so, determining that the identity authentication result is authentication failure, and returning the identity authentication result to the browser end so as to display the identity authentication result through the browser;
otherwise, carrying out face recognition according to the face recognition data, determining an identity authentication result according to a face recognition result, and returning the identity authentication result to the browser end so as to display the identity authentication result through the browser.
11. An identity authentication method, comprising:
sending an authentication request to an authentication server side based on authentication operation, wherein the authentication request comprises service information and equipment identification, the service information is used for determining service scene information, the equipment identification is used for determining equipment risk information, the authentication server side is used for determining a risk level according to the equipment risk information and the service scene information, and acquiring an authentication strategy according to the risk level;
acquiring an authentication policy sent by the authentication server, and collecting face recognition data according to the liveness detection mode contained in the authentication policy;
and sending the face recognition data to the authentication server, wherein the face recognition data is used for indicating the face server to determine an identity authentication result according to the face recognition data and equipment risk information.
12. The method of claim 11, further comprising:
when the face recognition page is loaded, initializing a safety monitoring module, and reporting terminal safety monitoring data to a safety monitoring server through the safety monitoring module according to a set period, wherein the safety monitoring server is used for acquiring the terminal safety monitoring data and performing safety risk analysis on the terminal safety monitoring data to obtain equipment risk information.
13. The method according to claim 11, wherein the sending an authentication request to the authentication server based on the authentication operation comprises:
detecting user operation of a specific authentication control in a business page, and generating an authentication request according to business information and equipment identification;
and sending the authentication request to a service server, initializing based on the service information through the service server, and sending the authentication request and initialization information to the authentication server through the service server.
14. The method of claim 11, wherein collecting face recognition data according to the liveness detection mode contained in the authentication policy comprises:
and collecting face recognition data by using the liveness detection algorithm that corresponds to the liveness detection mode contained in the authentication policy.
15. An identity authentication apparatus, comprising:
the information acquisition module is used for acquiring an authentication request sent by a browser end and acquiring equipment risk information and service scene information according to the authentication request;
the policy acquisition module is used for determining a risk level according to the equipment risk information and the service scene information, acquiring an authentication policy according to the risk level, and sending the authentication policy to the browser end, wherein the authentication policy is used for instructing the browser end to collect face recognition data according to a corresponding liveness detection mode;
and the identity authentication module is used for acquiring the face recognition data sent by the browser end and determining an identity authentication result according to the face recognition data and the equipment risk information.
16. The apparatus of claim 15, wherein the information acquisition module is specifically configured to:
querying a security monitoring server according to the equipment identifier in the authentication request to acquire first equipment risk information, wherein the security monitoring server is used for acquiring terminal security monitoring data acquired by a security monitoring module built in a browser end and performing security risk analysis on the terminal security monitoring data to acquire equipment risk information;
and determining service scene information according to the service information in the authentication request.
17. The apparatus of claim 16, wherein the policy acquisition module is specifically configured to:
matching a first grade division rule according to the first equipment risk information, and determining a first equipment risk grade, wherein the first grade division rule is used for stipulating equipment risk information contained in different equipment risk grades;
matching a second grade division rule according to the service scene information, and determining a service risk level, wherein the second grade division rule is used for stipulating service scene information contained in different service risk levels;
and determining the risk level according to the equipment risk level and the business risk level.
18. The apparatus of claim 17, wherein the identity authentication module is specifically configured to:
performing living body safety analysis based on the face identification data, and determining a living body detection risk level by matching a living body safety analysis result with a third level division rule;
querying the safety monitoring server again according to the equipment identifier, acquiring second equipment risk information, matching the first grade division rule according to the second equipment risk information, and determining a second equipment risk grade;
and determining a face recognition risk according to the living body detection risk level and the second equipment risk level, and determining an identity authentication result according to the face recognition risk.
19. An identity authentication apparatus, comprising:
the request sending module is used for sending an authentication request to the authentication server based on an authentication operation, wherein the authentication request comprises service information and an equipment identifier, the service information is used for determining service scene information, the equipment identifier is used for determining equipment risk information, a risk level is determined by the authentication server according to the equipment risk information and the service scene information, and an authentication policy is obtained according to the risk level;
the data acquisition module is used for acquiring the authentication policy sent by the authentication server and collecting face recognition data according to the liveness detection mode contained in the authentication policy;
and the data sending module is used for sending the face recognition data to the authentication server, wherein the face recognition data is used for indicating the face server to determine an identity authentication result according to the face recognition data and the equipment risk information.
20. The apparatus of claim 19, further comprising:
the safety monitoring server is used for acquiring the terminal safety monitoring data and carrying out safety risk analysis on the terminal safety monitoring data to obtain equipment risk information.
21. An electronic device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, wherein the processor when executing the computer program implements the method of identity authentication according to any one of claims 1-14.
22. An identity authentication system is characterized by comprising a browser end, a service server, an authentication server end and a safety monitoring server end which are in communication connection;
the safety monitoring server is used for acquiring terminal safety monitoring data acquired by a safety monitoring module arranged in the browser end, and performing safety risk analysis on the terminal safety monitoring data to obtain equipment risk information;
the service server is used for initializing based on the service information in the authentication request and sending the authentication request and the initialization information to the authentication server;
the authentication server is used for executing the identity authentication method of any one of claims 1-10;
the browser end is used for executing the identity authentication method of any one of claims 11 to 14.
23. A computer-readable storage medium, on which a computer program is stored, which program, when being executed by a processor, carries out the method of identity authentication according to any one of claims 1-14.
24. A computer program product comprising a computer program, characterized in that the computer program realizes the identity authentication method according to any one of claims 1-14 when executed by a processor.
CN202211157044.6A 2022-09-21 2022-09-21 Identity authentication method, device, electronic equipment, system and storage medium Pending CN115567283A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211157044.6A CN115567283A (en) 2022-09-21 2022-09-21 Identity authentication method, device, electronic equipment, system and storage medium

Publications (1)

Publication Number Publication Date
CN115567283A true CN115567283A (en) 2023-01-03

Family

ID=84742011

Country Status (1)

Country Link
CN (1) CN115567283A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116541313A (en) * 2023-07-07 2023-08-04 天津金城银行股份有限公司 Face checking method and device and terminal equipment

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116541313A (en) * 2023-07-07 2023-08-04 天津金城银行股份有限公司 Face checking method and device and terminal equipment
CN116541313B (en) * 2023-07-07 2023-09-19 天津金城银行股份有限公司 Face checking method and device and terminal equipment

Similar Documents

Publication Publication Date Title
WO2019091177A1 (en) Risk identification model building method, apparatus and device and risk identification method, apparatus and device
US9087273B2 (en) Facial recognition using social networking information
CN107909330B (en) Workflow data processing method and device, storage medium and computer equipment
US20190311114A1 (en) Man-machine identification method and device for captcha
WO2019196534A1 (en) Verification code-based human-computer recognition method and apparatus
CN111368619B (en) Suspicious person detection method, suspicious person detection device and suspicious person detection equipment
JP6986187B2 (en) Person identification methods, devices, electronic devices, storage media, and programs
CN113221104B (en) Detection method of abnormal behavior of user and training method of user behavior reconstruction model
CN112732949A (en) Service data labeling method and device, computer equipment and storage medium
CN115567283A (en) Identity authentication method, device, electronic equipment, system and storage medium
CN111027987A (en) Self-service real-time audio and video remote face-signing method, system and device and storable medium
CN113010785A (en) User recommendation method and device
CN112634017A (en) Remote card opening activation method and device, electronic equipment and computer storage medium
CN112100604B (en) Terminal equipment information processing method and device
CN114065187B (en) Abnormal login detection method and device, computing equipment and storage medium
CN114172856B (en) Message automatic replying method, device, equipment and storage medium
CN115439928A (en) Operation behavior identification method and device
CN112132218B (en) Image processing method, device, electronic equipment and storage medium
CN111339829B (en) User identity authentication method, device, computer equipment and storage medium
CN113656422A (en) Method and device for updating human face base
CN113642495B (en) Training method, apparatus, and program product for evaluating model for time series nomination
CN114706969B (en) Attention content acquisition method and device, electronic equipment and storage medium
CN112114886B (en) Acquisition method and device for false wake-up audio
CN115810360A (en) User identity verification method and device and server
CN116647347A (en) Clustering-based unified authentication system abnormal login detection method and related device

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination