CN116389037A - Identity authentication method - Google Patents
- Publication number: CN116389037A (application CN202310003278.3A)
- Authority: CN (China)
- Prior art keywords: authentication, verification, mode, protocol, short message
- Legal status: Pending (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
- H04L63/0884—Network architectures or network communication protocols for network security for authentication of entities by delegation of authentication, e.g. a proxy authenticates an entity to be authenticated on behalf of this entity vis-à-vis an authentication entity
- H04L63/0815—Network architectures or network communication protocols for network security for authentication of entities providing single-sign-on or federations
- H04L63/0861—Network architectures or network communication protocols for network security for authentication of entities using biometrical features, e.g. fingerprint, retina-scan
- H04L63/18—Network architectures or network communication protocols for network security using different networks or channels, e.g. using out of band channels
- H04L9/3226—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, using a predetermined code, e.g. password, passphrase or PIN
- H04L9/3231—Biological data, e.g. fingerprint, voice or retina
- H04W12/065—Continuous authentication
- H04W12/084—Access security using delegated authorisation, e.g. open authorisation [OAuth] protocol
Abstract
The invention relates to an identity authentication method in the technical field of identity authentication. When an authentication end (such as an application, a system, a device, a user or another subject) needs to authenticate and log in, it sends an authentication request to a central authentication service; the central authentication service responds to the request by determining the authentication protocol it corresponds to, so that different authentication protocols are authenticated with different authentication modes. The correspondence between authentication protocols and authentication modes can be configured per service application, so that different service systems can access the central authentication service for authentication; this avoids repeated development and saves manpower and material resources.
Description
Technical Field
The invention relates to the technical field of identity authentication, in particular to an identity authentication method.
Background
In the prior art there are many identity authentication methods on the market, including password authentication, dynamic tokens, short message (SMS) or e-mail verification codes, and fingerprint, voiceprint, iris or face recognition. Specifically, in scenarios such as user login, modification of the reserved mobile phone number, password recovery, online transaction payment and other risk-control verification, the user is verified through these authentication modes.
However, in conventional application systems, when a function related to identity authentication is developed, the authentication mode or combination of modes is generally customised for the scenario in which it is used. For example, depending on whether a device is commonly used, a commonly used device may be allowed password authentication while an infrequently used device requires short message verification-code authentication, and so on. All of this control logic therefore has to be implemented as custom processing. As a result, even where parts of different application systems have the same functions, they are developed again, and this large amount of repeated development wastes manpower and material resources.
Disclosure of Invention
Therefore, the present invention aims to provide an identity authentication method, so as to solve the problem of wasting manpower and material resources caused by repeated development in a large number.
In order to achieve the above purpose, the invention adopts the following technical scheme:
in one aspect, an identity authentication method is applied to a central authentication service, and the method includes:
receiving an authentication request sent by an authentication terminal, and determining an authentication protocol corresponding to the authentication request;
determining an authentication mode corresponding to an authentication protocol in a corresponding relation between a preset authentication protocol and the authentication mode as a target authentication mode;
and responding to the authentication request according to the target authentication mode.
Optionally, the method further comprises:
responding to an authentication protocol configuration instruction, and configuring an authentication mode corresponding to each authentication protocol as a corresponding relation between the preset authentication protocol and the authentication mode;
the preset correspondence between authentication protocols and authentication modes comprises: when the authentication protocol is OAuth2.0, multi-factor authentication is enabled and the authentication modes comprise three ordered authentication modes, the first being password authentication, face authentication or OTP authentication, the second being business authentication and OTP authentication, and the third being short message authentication; when the authentication protocol is SAML, multi-factor authentication is enabled and the combined authentication mode is short message authentication and face authentication; when the authentication protocol is LDAP, multi-factor authentication is not enabled and the authentication mode is password authentication.
Optionally, the method further comprises:
in response to a single sign-on authentication protocol enabling instruction, setting the single sign-on authentication protocol to the enabled state; and configuring the correspondence between the preset authentication protocol and the authentication mode while the single sign-on authentication protocol is enabled.
Optionally, the method further comprises:
determining an authentication protocol, and configuring for that authentication protocol whether to enable multi-factor authentication and which authentication modes apply; the authentication modes comprise at least one of short message authentication, password authentication, face authentication, third-party social authentication and enterprise federated authentication.
Optionally, configuring whether to enable multi-factor authentication and the different authentication modes for the authentication protocol includes: when multi-factor authentication is enabled, separately configuring the authentication mode of the first round of authentication and that of the second round under the authentication protocol; when multi-factor authentication is disabled, configuring a single authentication mode under the authentication protocol, which comprises short message authentication, password authentication and federated authentication login.
Optionally, the method further comprises: responding to a login page configuration instruction, and configuring different login pages for different login modes; so as to carry out identity authentication on the login page.
Optionally, the method further comprises:
responding to a verification scene setting instruction sent by each service system, displaying a preset verification scene and a corresponding verification mode for editing and confirming by the service system;
wherein, the verification scene includes: the user forgets the password, the user modifies the mobile phone number autonomously, the user modifies the mailbox autonomously and modifies the organization.
Optionally, the preset verification scene and the corresponding verification mode include:
when the verification scene is that the user forgets the password and multi-factor authentication is enabled, the verification modes comprise three ordered modes: the first verification mode is short message verification plus face verification, the second is mail verification, and the third is account information verification plus short message verification;
when the verification scene is that the user modifies the mobile phone number by self and multi-factor authentication is not enabled, the verification mode is mail verification, short message verification or face verification;
when the verification scene is that the user modifies the mailbox by self and multi-factor authentication is not enabled, the verification mode is mail verification, short message verification or face verification;
and when the verification scene is modifying the organization and multi-factor authentication is not enabled, the verification mode is that modification is not allowed.
Optionally, when the verification scene is that the user forgets the password: if the mobile phone number is unique, the verification mode is short message verification; if the mobile phone number is not unique, the verification mode defaults to null;
when the verification scene is that the user modifies the mobile phone number by self, the default verification mode is short message verification, which comprises verifying the old and new mobile phone numbers and a short message verification code;
when the verification scene is that the user modifies the mailbox by self, the default verification mode is mail verification, which comprises verifying the old and new mailboxes and a mailbox verification code.
Optionally, the method further comprises:
responding to a verification scene and verification mode configuration instruction sent by each service system, and configuring the verification scene and verification mode according to that instruction;
wherein configuring the verification scene and verification mode comprises whether to enable multi-factor authentication and the verification modes of the different scenes, and the verification modes comprise at least one of short message authentication, mail authentication, face authentication and dynamic code authentication.
The technical scheme provided by the invention has at least the following beneficial effects:
when an authentication end (such as an application, a system, a device, a user or another subject) needs to authenticate and log in, it sends an authentication request to a central authentication service, and the central authentication service responds to the request by determining the authentication protocol it corresponds to, so that different authentication protocols are authenticated with different authentication modes. The correspondence between authentication protocols and authentication modes can be configured per service application, so that different service systems can access the central authentication service for authentication; this avoids repeated development and saves manpower and material resources.
Drawings
In order to more clearly illustrate the embodiments of the invention or the technical solutions in the prior art, the drawings that are required in the embodiments or the description of the prior art will be briefly described, it being obvious that the drawings in the following description are only some embodiments of the invention, and that other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
Fig. 1 is a schematic flow chart of an identity authentication method according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention clearer, the technical solutions of the present invention are described in detail below. The described embodiments are only some, not all, of the embodiments of the invention; all other embodiments based on the embodiments herein fall within the scope of the invention as defined by the claims.
Until now, user verification in different application systems for scenarios such as account login, mobile phone number modification and password recovery has been controlled by writing program code independently each time. Every system reinvents the wheel, which wastes development resources to some extent.
Based on the above, the embodiment of the invention provides an identity authentication method which is applied to a center authentication service, so that different business systems access the center authentication service to authenticate, the problem of repeated development is avoided, and manpower and material resources are saved.
Fig. 1 is a flow chart of an identity authentication method according to an embodiment of the present invention, where the method is applied to a central authentication service, referring to fig. 1, the embodiment may include the following steps:
step S1, receiving an authentication request sent by an authentication end, and determining an authentication protocol corresponding to the authentication request;
step S2, determining an authentication mode corresponding to the authentication protocol in a corresponding relation between a preset authentication protocol and the authentication mode as a target authentication mode;
and step S3, responding to the authentication request according to the target authentication mode.
The authentication end may be an application, a system, a device, a user or another entity; it requests the authentication service through an interface, an SDK, a plug-in or a web page, that is, it sends an authentication request to the central authentication service. The central authentication service may be a unified authentication platform which, through an authentication engine centre, combines different authentication modes (biometric, non-biometric and third-party authentication) for different authentication protocols (SAML, OAuth2.0, JWT, OIDC and the like), so that the authentication process is flexibly scheduled and composed to support the requirements of different authentication scenarios.
It should be noted that the unified authentication platform may include an authentication engine which, after receiving the authentication request, determines the corresponding authentication mode according to the authentication protocol of the path over which the request was sent. The authentication modes comprise non-biometric, biometric and third-party authentication. Non-biometric authentication includes two-dimensional code, short message, gesture, mail, OTP (one-time password), password and the like; biometric authentication includes face, fingerprint, iris, voiceprint, palmprint and the like; third-party authentication includes personal social accounts (e.g. WeChat, QQ, Weibo, payment apps), enterprise social accounts (e.g. WeChat Work) and enterprise federation (e.g. IBM, SAP).
It can be understood that, in the technical solution provided in this embodiment, when an authentication end (for example, an application, a system, a device, a user or another entity) needs to authenticate and log in, it sends an authentication request to the central authentication service, and the central authentication service responds by determining the authentication protocol corresponding to the request, so that different authentication protocols are authenticated with different authentication modes. The correspondence between authentication protocols and authentication modes can be configured per service application, so that different service systems can access the central authentication service for authentication; this avoids repeated development and saves manpower and material resources.
The technical scheme provided by this application allows different applications to freely configure an authentication mode or flow according to the single sign-on authentication protocol used and whether MFA is enabled. Single Sign-On (SSO) is one of the popular solutions for enterprise business integration: a user logs in once and can then access all mutually trusted application systems. Authentication protocol: the mutual-trust standard used for single sign-on verification between systems. MFA stands for multi-factor authentication, an authentication group policy that combines multiple authentication means in a suitable way.
In some embodiments, further comprising: responding to an authentication protocol configuration instruction, and configuring an authentication mode corresponding to each authentication protocol as a corresponding relation between a preset authentication protocol and the authentication mode;
the method for presetting the corresponding relation between the authentication protocol and the authentication mode comprises the following steps: when the authentication protocol is oauth2.0, starting multi-factor authentication, wherein the authentication modes comprise three authentication modes with sequence, the first authentication mode is password authentication, face authentication or OTP authentication, the second authentication mode is business authentication and OTP authentication, and the third authentication mode is short message authentication; when the authentication protocol is SAML, starting multi-factor authentication, wherein the combined authentication mode is short message authentication and face authentication; when the authentication protocol is LDAP, multi-factor authentication is not started, and the combined authentication mode is password authentication.
In some embodiments, further comprising:
in response to a single sign-on authentication protocol enabling instruction, setting the single sign-on authentication protocol to the enabled state; and configuring the correspondence between the preset authentication protocol and the authentication mode while the single sign-on authentication protocol is enabled.
In some embodiments, further comprising:
determining an authentication protocol, and configuring for that authentication protocol whether to enable multi-factor authentication and which authentication modes apply; the authentication modes comprise at least one of short message authentication, password authentication, face authentication, third-party social authentication and enterprise federated authentication.
In some embodiments, configuring whether to enable multi-factor authentication and the different authentication modes for the authentication protocol includes: when multi-factor authentication is enabled, separately configuring the authentication mode of the first round of authentication and that of the second round under the authentication protocol; when multi-factor authentication is disabled, configuring a single authentication mode under the authentication protocol, which comprises short message authentication, password authentication and federated authentication login.
For example, different authentication protocols such as OAuth2.0, SAML and JWT can each be configured with whether MFA is enabled and with their own authentication modes, combining modes such as short message authentication, password authentication, face authentication, third-party social authentication and enterprise federated authentication. For example, for the OAuth2.0 authentication protocol several authentication modes may be configured: the first mode is password authentication, face authentication or OTP authentication; the second is third-party authentication plus OTP authentication; and the third is short message authentication. For the LDAP authentication protocol, by contrast, multi-factor authentication is not enabled and the authentication mode is password authentication.
Specifically, when configuring an authentication protocol, the protocol is first added by clicking "add authentication protocol" and selecting the protocol type; once the type is selected, the related content for that protocol is displayed in linkage, such as whether a callback subdomain is allowed and the authorization-code mode; then "authentication chain management" is clicked in the list to configure the authentication modes.
For example, if MFA is enabled, the authentication modes of the first and second rounds of authentication may be edited separately; the modes offered in the pull-down option may be preset through a system configuration file according to the actual needs of the service system, and a third round of authentication may also be set (for example, when the authentication protocol is OAuth2.0, the three rounds correspond to the first, second and third authentication modes respectively). By default, the central service displays and offers for selection all authentication modes it provides externally.
For example, if MFA is disabled, the authentication mode may be at least one of short message authentication, password authentication and federated authentication login. Federated authentication login includes DingTalk, Alipay, WeChat, an enterprise platform rendered as "Chinese day" in the source, and the like; for example, the login of the enterprise's own staff (the "Chinese day" platform) is treated in the same way as a third-party login platform such as WeChat or DingTalk, and serves as one of the federated login authentication modes.
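As an added example that is not part of the patent or any product it describes, the following Python sketch implements steps S1 to S3 for the preset protocol-to-mode correspondence above; the URL prefixes, mode names and request dictionary format are assumptions made for illustration.

```python
# Added example (not the patent's own code): a minimal central authentication
# service performing steps S1 to S3 for the preset protocol-to-mode table.
# The URL prefixes, mode names and request format are assumptions.
from dataclasses import dataclass


def alt(*modes):
    """One alternative for a round: every mode in the set must be completed."""
    return frozenset(modes)


@dataclass(frozen=True)
class ProtocolPolicy:
    mfa: bool
    # One tuple per authentication round; each round lists the alternatives
    # that satisfy it (e.g. password OR face OR OTP for the first OAuth round).
    rounds: tuple


# Preset correspondence from the description: OAuth2.0 with MFA and three
# ordered rounds, SAML with SMS then face, LDAP without MFA and password only.
PRESET_POLICIES = {
    "oauth2.0": ProtocolPolicy(True, ((alt("password"), alt("face"), alt("otp")),
                                      (alt("business", "otp"),),
                                      (alt("sms"),))),
    "saml": ProtocolPolicy(True, ((alt("sms"),), (alt("face"),))),
    "ldap": ProtocolPolicy(False, ((alt("password"),),)),
}

# Assumed mapping from the path a request arrives on to its protocol.
PATH_PROTOCOLS = {"/oauth2/": "oauth2.0", "/saml/": "saml", "/ldap/": "ldap"}


class CentralAuthService:
    def __init__(self):
        self.sso_enabled = False
        self.policies = {}

    def enable_sso(self):
        """The single sign-on protocol enabling instruction."""
        self.sso_enabled = True

    def configure(self, protocol, policy):
        """The authentication protocol configuration instruction.

        Accepted only once SSO is enabled; a policy must be consistent:
        MFA needs at least two rounds, a non-MFA policy exactly one, and
        every round needs at least one alternative."""
        if not self.sso_enabled:
            raise PermissionError("enable the SSO protocol before configuring modes")
        if policy.mfa and len(policy.rounds) < 2:
            raise ValueError("an MFA policy needs at least two rounds")
        if not policy.mfa and len(policy.rounds) != 1:
            raise ValueError("a non-MFA policy needs exactly one round")
        if any(len(alternatives) == 0 for alternatives in policy.rounds):
            raise ValueError("every round needs at least one alternative")
        self.policies[protocol.lower()] = policy

    def determine_protocol(self, request):
        """Step S1: derive the protocol from the path the request arrived on."""
        for prefix, protocol in PATH_PROTOCOLS.items():
            if request["path"].startswith(prefix):
                return protocol
        raise ValueError("unknown authentication path: " + request["path"])

    def respond(self, request):
        """Steps S2 and S3: resolve the target mode chain and answer.

        request["completed_rounds"] lists, per round, the modes the
        authentication end has already passed. Rounds are checked strictly
        in order, so a caller cannot skip one by claiming a later round."""
        protocol = self.determine_protocol(request)
        policy = self.policies.get(protocol)
        if policy is None:
            # Fail closed: a protocol with no configured modes is not authenticated.
            return {"status": "rejected", "reason": f"no modes configured for {protocol}"}
        completed = [frozenset(r) for r in request.get("completed_rounds", [])]
        for index, alternatives in enumerate(policy.rounds):
            if index >= len(completed):
                return {"status": "challenge", "protocol": protocol, "round": index + 1,
                        "accept": [sorted(a) for a in alternatives]}
            if not any(a <= completed[index] for a in alternatives):
                return {"status": "rejected", "reason": f"round {index + 1} not satisfied"}
        return {"status": "authenticated", "protocol": protocol, "mfa": policy.mfa}


def preset_service():
    """A service loaded with the preset correspondence."""
    service = CentralAuthService()
    service.enable_sso()
    for protocol, policy in PRESET_POLICIES.items():
        service.configure(protocol, policy)
    return service


if __name__ == "__main__":
    print(preset_service().respond({"path": "/oauth2/authorize", "completed_rounds": []}))
```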
In some embodiments, further comprising: responding to a login page configuration instruction, and configuring different login pages for different login modes; so that the identity authentication is performed on the login page.
For example, a login page may be set. Clicking "login page setting" in the list pops up a page on which different login pages are displayed in linkage with the configured login modes; if both password login and short message login are configured, the preview can be switched by clicking password login and short message login respectively, and the login frame is a static picture.
It is worth noting that the technical scheme provided by this application can configure multi-scene authentication services according to the business application.
In some embodiments, further comprising:
responding to the verification scene setting instruction sent by each service system, displaying a preset verification scene and a corresponding verification mode for editing and confirming by the service system;
wherein the verification scenes include: the user forgets the password, the user modifies the mobile phone number by self, the user modifies the mailbox by self, and the organization is modified.
In some embodiments, presetting a verification scene and a corresponding verification manner includes:
when the verification scene is that the user forgets the password and multi-factor authentication is enabled, the verification modes comprise three ordered modes: the first verification mode is short message verification plus face verification, the second is mail verification, and the third is account information verification plus short message verification;
when the verification scene is that the user modifies the mobile phone number by self and multi-factor authentication is not enabled, the verification mode is mail verification, short message verification or face verification;
when the verification scene is that the user modifies the mailbox by self and multi-factor authentication is not enabled, the verification mode is mail verification, short message verification or face verification;
and when the verification scene is modifying the organization and multi-factor authentication is not enabled, the verification mode is that modification is not allowed.
In some embodiments, when the verification scene is that the user forgets the password: if the mobile phone number is unique, the verification mode is short message verification; if the mobile phone number is not unique, the verification mode defaults to null;
when the verification scene is that the user modifies the mobile phone number by self, the default verification mode is short message verification, which comprises verifying the old and new mobile phone numbers and a short message verification code;
when the verification scene is that the user modifies the mailbox by self, the default verification mode is mail verification, which comprises verifying the old and new mailboxes and a mailbox verification code.
In some embodiments, the method further comprises:
responding to the verification scene and verification mode configuration instructions sent by each service system, and configuring the verification scene and the verification mode according to those instructions, wherein the configuration of the verification scene and the verification mode comprises whether to start multi-factor authentication and the verification modes of different scenes, and the verification modes comprise at least one of short message authentication, mail authentication, face authentication and dynamic code authentication.
For example, whether to enable MFA and which authentication modes to use can be configured for each scene, and combinations of different modes such as short message authentication, mail authentication, face authentication and dynamic code authentication can be made. Several commonly used verification scenarios are preset, including: the user forgets the password, the user modifies the mobile phone number by self, and the user modifies the mailbox by self.
For example, 3 conventional verification scenarios may be preset by default in the present application; each service system may edit them in combination with its actual situation, but may not delete them. The 3 conventional verification scenarios preset by default are as follows:
The user forgets the password: for a system in which the mobile phone number is unique, the verification mode is short message verification; for a system in which the mobile phone number is not unique, the verification mode defaults to null. Each application manager can edit this configuration.
The user modifies the mobile phone number by self: the default verification mode is short message verification (including verification of the new and old mobile phone numbers and a short message verification code). Each application manager can edit this configuration.
The user modifies the mailbox by self: the default verification mode is mail verification (including verification of the new and old mailboxes and a mailbox verification code). Each application manager can edit this configuration.
Besides the preset verification scenes, the scenes needing verification can be customized: whether MFA is started and which authentication modes are used are flexibly configured, and combinations of different modes such as short message authentication, mail authentication, face authentication and dynamic code authentication can be made. For example, when the custom verification scenario is modification of the organization, the verification mode is that modification is not allowed under the condition that multi-factor authentication is not started.
That is, the technical scheme allows the service system to flexibly define the scene subjects and operations which need to be verified, and to freely configure the verification modes and processes.
For example, the add button may be clicked, with MFA verification turned off by default. Multiple scenes can be added by clicking, and after they are successfully saved, multiple records are automatically generated on the list page.
Clicking "add scene" displays a blank row below, in which an operation subject and an operation type must be selected.
Operation subject: the business content involved in the change, including account information, personnel information, organization, database operation and the like. These business scenes can be defined and configured in advance as needed, and are preset in the middle-stage service through a background configuration file.
Operation type: displayed in linkage with the selected business content. If the operation subject is account information, the operation types comprise adding, deleting, editing, enabling and disabling; if the operation subject is a database, the operation types comprise creating libraries/tables, modifying library/table configuration, deleting libraries/tables, and the like.
When MFA authentication is started, the steps of the multi-round authentication can be flexibly defined: at most 3 rounds of authentication are supported, and each round may use any of the supported authentication modes (including account information authentication, short message authentication, mail authentication, face authentication, dynamic code authentication and the like). The authentication modes offered in the pull-down option can be preset through a system configuration file according to the actual requirements of the service system. By default, the middle-stage service displays all authentication modes it provides externally for selection.
The method also supports a business application deciding for itself, according to its own conditions, when business verification is needed, and connecting flexibly to the middle-stage authentication service by passing the standard-defined authentication flow steps and authentication modes as interface parameters. In this way, service scenes with strong particularities can still use the general technical service in the scheme, which reduces development cost to a certain extent.
It can be understood that the technical scheme provided by the application supports free combination of authentication modes and authentication flow steps for different scenes; supports flexible definition of the business scenes needing authentication, including free combination of the operation subject and the operation type; and provides flexible SDK, plug-in and API interfaces so that different business applications can connect to the middle-stage authentication service.
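As an added example (not code from the patent), the following Python models the scene configuration described above: the three preset scenes with their default modes, the "modification not allowed" rule for organization changes without MFA, custom scenes keyed by operation subject and operation type, the three-round cap, and the rule that preset scenes can be edited but not deleted. The mode identifiers, the `VerificationPolicy` class and the small subject/operation catalogue are my own assumptions.

```python
from dataclasses import dataclass

# Verification modes named in the patent text; the identifiers are my own.
SMS, MAIL, FACE, DYN_CODE, ACCOUNT = "sms", "mail", "face", "dynamic_code", "account_info"
MAX_ROUNDS = 3  # the text allows at most three rounds of authentication per scene
PRESET_SCENES = ("forgot_password", "modify_phone", "modify_mailbox", "modify_organization")
# Catalogue of custom-scene operation subjects and types, restricted to the pairs the text
# lists (a constructed sample of what the background configuration file would hold).
OPERATION_TYPES = {
    "account_info": {"add", "delete", "edit", "enable", "disable"},
    "database": {"create", "modify_config", "delete"},
}


@dataclass
class SceneRule:
    mfa_enabled: bool
    rounds: list            # ordered rounds; each round is a tuple of modes required together
    allowed: bool = True    # False models "modification is not allowed"

    def validate(self) -> None:
        if len(self.rounds) > MAX_ROUNDS:
            raise ValueError(f"at most {MAX_ROUNDS} rounds are supported")
        if not self.mfa_enabled and len(self.rounds) > 1:
            raise ValueError("more than one round requires multi-factor authentication")


class VerificationPolicy:
    """Per-service-system verification configuration (hypothetical model of the service)."""

    def __init__(self, phone_number_unique: bool):
        # Defaults from the description: forgot-password uses SMS only when phone numbers are
        # unique (otherwise null, i.e. no rounds); organization changes are refused while MFA is off.
        self.scenes = {
            "forgot_password": SceneRule(False, [(SMS,)] if phone_number_unique else []),
            "modify_phone": SceneRule(False, [(SMS,)]),
            "modify_mailbox": SceneRule(False, [(MAIL,)]),
            "modify_organization": SceneRule(False, [], allowed=False),
        }

    def configure(self, scene, rule: SceneRule) -> None:
        """Edit a preset scene, or register a custom (subject, operation type) scene."""
        if scene not in self.scenes:
            if not (isinstance(scene, tuple) and len(scene) == 2):
                raise ValueError("custom scenes are (subject, operation type) pairs")
            subject, op = scene
            if op not in OPERATION_TYPES.get(subject, ()):
                raise ValueError(f"unknown operation {op!r} for subject {subject!r}")
        rule.validate()
        self.scenes[scene] = rule

    def delete(self, scene) -> None:
        if scene in PRESET_SCENES:
            raise PermissionError("preset scenes may be edited but not deleted")
        del self.scenes[scene]

    def resolve(self, scene):
        """Ordered rounds to run; [] means no verification configured, None means refused."""
        rule = self.scenes[scene]
        return None if not rule.allowed else list(rule.rounds)
```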
It is to be understood that the same or similar parts in the above embodiments may be referred to each other, and that in some embodiments, the same or similar parts in other embodiments may be referred to.
It should be noted that in the description of the present invention, the terms "first," "second," and the like are used for descriptive purposes only and are not to be construed as indicating or implying relative importance. Furthermore, in the description of the present invention, unless otherwise indicated, the meaning of "plurality" means at least two.
Any process or method descriptions in flow charts or otherwise described herein may be understood as representing modules, segments, or portions of code which include one or more executable instructions for implementing specific logical functions or steps of the process, and further implementations are included within the scope of the preferred embodiment of the present invention in which functions may be executed out of order from that shown or discussed, including substantially concurrently or in reverse order, depending on the functionality involved, as would be understood by those reasonably skilled in the art of the present invention.
It is to be understood that portions of the present invention may be implemented in hardware, software, firmware, or a combination thereof. In the above-described embodiments, the various steps or methods may be implemented in software or firmware stored in a memory and executed by a suitable instruction execution system. For example, if implemented in hardware, as in another embodiment, they may be implemented using any one or a combination of the following techniques, as is well known in the art: discrete logic circuits having logic gates for implementing logic functions on data signals, application specific integrated circuits having suitable combinational logic gates, programmable gate arrays (PGAs), field programmable gate arrays (FPGAs), and the like.
Those of ordinary skill in the art will appreciate that all or a portion of the steps carried out in the method of the above-described embodiments may be implemented by a program to instruct related hardware, where the program may be stored in a computer readable storage medium, and where the program, when executed, includes one or a combination of the steps of the method embodiments.
In addition, each functional unit in the embodiments of the present invention may be integrated in one processing module, or each unit may exist alone physically, or two or more units may be integrated in one module. The integrated modules may be implemented in hardware or in software functional modules. The integrated modules may also be stored in a computer readable storage medium if implemented in the form of software functional modules and sold or used as a stand-alone product.
The above-mentioned storage medium may be a read-only memory, a magnetic disk or an optical disk, or the like.
In the description of the present specification, a description referring to terms "one embodiment," "some embodiments," "examples," "specific examples," or "some examples," etc., means that a particular feature, structure, material, or characteristic described in connection with the embodiment or example is included in at least one embodiment or example of the present invention. In this specification, schematic representations of the above terms do not necessarily refer to the same embodiments or examples. Furthermore, the particular features, structures, materials, or characteristics described may be combined in any suitable manner in any one or more embodiments or examples.
While embodiments of the present invention have been shown and described above, it will be understood that the above embodiments are illustrative and not to be construed as limiting the invention, and that changes, modifications, substitutions and variations may be made to the above embodiments by one of ordinary skill in the art within the scope of the invention.
Claims (10)
1. An identity authentication method, applied to a medium authentication service, comprising:
receiving an authentication request sent by an authentication terminal, and determining an authentication protocol corresponding to the authentication request;
determining an authentication mode corresponding to an authentication protocol in a corresponding relation between a preset authentication protocol and the authentication mode as a target authentication mode;
and responding to the authentication request according to the target authentication mode.
2. The method of claim 1, further comprising:
responding to an authentication protocol configuration instruction, and configuring an authentication mode corresponding to each authentication protocol as a corresponding relation between the preset authentication protocol and the authentication mode;
the corresponding relation between the preset authentication protocol and the authentication mode comprises the following: when the authentication protocol is OAuth 2.0, multi-factor authentication is started, and the authentication modes comprise three authentication modes in sequence, wherein the first authentication mode is password authentication, face authentication or OTP authentication, the second authentication mode is business authentication and OTP authentication, and the third authentication mode is short message authentication; when the authentication protocol is SAML, multi-factor authentication is started, and the combined authentication mode is short message authentication and face authentication; when the authentication protocol is LDAP, multi-factor authentication is not started, and the combined authentication mode is password authentication.
3. The method as recited in claim 1, further comprising:
setting an opening state for opening the single sign-on authentication protocol in response to the single sign-on authentication protocol opening instruction; and configuring the corresponding relation between the preset authentication protocol and the authentication mode in the state that the single sign-on authentication protocol is started.
4. The method as recited in claim 1, further comprising:
determining an authentication protocol; whether to start multi-factor authentication and different authentication modes are configured for the authentication protocol; the authentication mode comprises the following steps: at least one of short message authentication, password authentication, face authentication, three-party social authentication and enterprise joint authentication.
5. The method of claim 4, wherein said configuring whether to turn on multi-factor authentication and different authentication modes for the authentication protocol comprises:
when multi-factor authentication is started, respectively configuring an authentication mode of first-round authentication and an authentication mode of second-round authentication under the authentication protocol; when the multi-factor authentication is closed, an authentication mode under the authentication protocol is configured, wherein the authentication mode comprises short message authentication, password authentication and joint authentication login.
6. The method as recited in claim 1, further comprising: responding to a login page setting instruction, and setting different login pages for different login modes, so as to carry out identity authentication on the login page.
7. The method as recited in claim 1, further comprising:
responding to a verification scene setting instruction sent by each service system, and displaying a preset verification scene and a corresponding verification mode for editing and confirmation by the service system;
wherein the verification scenario comprises: the user forgets the password, the user modifies the mobile phone number autonomously, the user modifies the mailbox autonomously, and modification of the organization.
8. The method of claim 7, wherein the preset verification scenario and the corresponding verification method comprise:
when the verification scene is that the user forgets the password, the verification mode comprises three modes in a set sequence under the condition that multi-factor authentication is started, wherein the first verification mode is short message authentication and face authentication, the second verification mode is mail verification, and the third verification mode is account information verification and short message verification;
under the condition that the verification scene is that the user modifies the mobile phone number by self and multi-factor authentication is not started, the verification mode is mail verification, short message verification or face verification;
under the condition that the verification scene is that the user modifies the mailbox by self and multi-factor authentication is not started, the verification mode is mail verification, short message verification or face verification;
and under the condition that the verification scene is modification of the organization and multi-factor authentication is not started, the verification mode is that modification is not allowed.
9. The method of claim 7, wherein when the verification scenario is that the user forgets the password, if the mobile phone number is unique, the verification mode is short message verification; if the mobile phone number is not unique, the verification mode defaults to null;
when the verification scene is that the user modifies the mobile phone number by self, the default verification mode is short message verification; the short message verification comprises verification of new and old mobile phone numbers and short message verification codes;
when the verification scene is that the user modifies the mailbox by self, the default verification mode is mail verification, which comprises verification of the new and old mailboxes and a mailbox verification code.
10. The method as recited in claim 7, further comprising:
responding to a verification scene and verification mode configuration instruction sent by each service system, and configuring the verification scene and the verification mode according to the verification scene and the verification mode configuration instruction;
the method comprises the steps of configuring a verification scene and a verification mode, wherein the verification scene and the verification mode comprise whether to start multi-factor authentication and verification modes of different scenes, and the verification mode comprises at least one of short message authentication, mail authentication, face authentication and dynamic code authentication.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202310003278.3A CN116389037A (en) | 2023-01-03 | 2023-01-03 | Identity authentication method |
Publications (1)
Publication Number | Publication Date |
---|---|
CN116389037A true CN116389037A (en) | 2023-07-04 |
Legal Events
Date | Code | Title | Description
---|---|---|---
| PB01 | Publication |
| SE01 | Entry into force of request for substantive examination |