CN116800477A - Certificate registration and login authentication method of application program and electronic equipment - Google Patents

Info

Publication number
CN116800477A
Authority
CN
China
Prior art keywords
verifier
application program
target user
credential
challenge value
Prior art date
Legal status
Pending
Application number
CN202310602039.XA
Other languages
Chinese (zh)
Inventor
胡浚颥
李毅超
陈恩恩
王晶一
周浩雅
陈鹏
李潇
汪领领
潘紫璇
李伟
方攀
Current Assignee
Alibaba China Co Ltd
Original Assignee
Alibaba China Co Ltd
Priority date
Filing date
Publication date

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0861 Network architectures or network communication protocols for network security for authentication of entities using biometrical features, e.g. fingerprint, retina-scan
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/083 Network architectures or network communication protocols for network security for authentication of entities using passwords
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/02 Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/12 Protocols specially adapted for proprietary or special-purpose networking environments, e.g. medical networks, sensor networks, networks in vehicles or remote metering networks
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3247 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures

Abstract

The embodiments of this application disclose a credential registration method and device for an application program, a login authentication method and device for the application program, a service component providing method and device, a Web authentication interface implementation method and device, a configuration method and device for credential sharing, a computer-readable storage medium, and an electronic device. The method comprises the following steps: a client of a first application program provides a verifier process with a built-in identity verifier; the client receives a challenge value generated by the server side of the first application program for a registration request submitted by a target user and sends the challenge value to the verifier process by calling a Web authentication interface; the identity verifier generates credential information associated with the target user under the first application program, stores the private key in the credential information locally, and signs the challenge value with the private key; and the client sends the public key in the credential information and the signed challenge value to the server. In this way, the Web authentication function can be realized on the application program.

Description

Certificate registration and login authentication method of application program and electronic equipment
Technical Field
The present application relates to the field of information processing technologies, and in particular, to a method and apparatus for registering credentials of an application, a method and apparatus for login authentication of an application, a method and apparatus for providing a service component, a method and apparatus for implementing a Web authentication interface, a method and apparatus for registering credentials for local area network, a method and apparatus for local area network login, a method and apparatus for configuring credentials sharing, a method and apparatus for registering credentials, a method and apparatus for login authentication, a computer readable storage medium, and an electronic device.
Background
At present, password authentication is the most common and direct form of identity authentication in daily life, but passwords are easily leaked under attacks such as phishing and credential stuffing, which poses a security risk. In addition, because a large share of users habitually reuse the same password across multiple websites, a single password leak can affect multiple websites.
To improve the security of identity authentication, authentication can be performed by generating a dynamic token and switching between different terminal devices. For example, a user needs to log in and authenticate through an application program installed on a computer, and a corresponding application program capable of generating a dynamic token is installed on the user's mobile phone. At login, the user opens the mobile phone application to obtain a dynamically generated token, manually enters the token into the login page of the computer application within the token's validity period, and the backend server authenticates the user's identity according to the token.
Although this scheme improves the security of identity authentication, switching between different terminals makes the operation cumbersome and lengthens the authentication chain, which degrades the user experience.
Disclosure of Invention
The application provides a credential registration method and device for an application program, a login authentication method and device for the application program, a service component providing method and device, a Web authentication interface realizing method and device, a credential registration method and device for local area network login, a local area network login method and device, a configuration method and device for credential sharing, a credential registration method and device, a login authentication method and device, a computer readable storage medium and an electronic device, which can realize a Web authentication function on the application program, improve authentication security and reduce authentication difficulty.
The application provides the following scheme:
A credential registration method for an application program, comprising:
a client of a first application program providing a verifier process with a built-in identity verifier;
receiving a challenge value generated by the server side of the first application program for a registration request submitted by a target user, sending the challenge value to the verifier process by calling a Web authentication interface, the identity verifier generating credential information associated with the target user under the first application program, storing the private key in the credential information locally, and signing the challenge value with the private key;
and sending the public key in the credential information and the signed challenge value to the server.
Wherein sending the challenge value to the verifier process by calling the Web authentication interface comprises:
when the verifier process detects that the client has called the Web authentication interface, establishing a connection with the Web authentication interface to obtain the challenge value that the client submitted to the Web authentication interface.
Wherein the method further comprises:
when the number of users who have performed credential registration for the first application program does not exceed a preset number, sending the registration request submitted by the target user to the server side, the challenge value being generated by the server side.
A login authentication method for an application program, comprising:
a client of a first application program providing a verifier process with a built-in identity verifier;
receiving a challenge value generated by the server side of the first application program for a login request submitted by a target user, sending the challenge value to the verifier process by calling a Web authentication interface, the identity verifier obtaining the private key in the credential information associated with the target user under the first application program and signing the challenge value with the private key; the credential information having been generated by the client according to a registration request submitted by the target user, with the public key in the credential information sent to the server for storage;
and sending the signed challenge value produced by the identity verifier to the server.
A service component providing method, comprising:
providing a service component for credential registration, wherein the service component provides a verifier process with a built-in identity verifier, and after the service component is deployed on a client of a first application program, the following processing is executed:
receiving a challenge value generated by the server side of the first application program for a registration request submitted by a target user, sending the challenge value to the verifier process by calling a Web authentication interface, the identity verifier generating credential information associated with the target user under the first application program, storing the private key in the credential information locally, and signing the challenge value with the private key;
and sending the public key in the credential information and the signed challenge value to the server.
A service component providing method, comprising:
providing a service component for login authentication, wherein the service component provides a verifier process with a built-in identity verifier, and after the service component is deployed on a client of a first application program, the following processing is executed:
receiving a challenge value generated by the server side of the first application program for a login request submitted by a target user, sending the challenge value to the verifier process by calling a Web authentication interface, the identity verifier obtaining the private key in the credential information associated with the target user under the first application program and signing the challenge value with the private key; the credential information having been generated, according to a registration request submitted by the target user, by a service component for credential registration deployed on the client, with the public key in the credential information sent to the server for storage;
and sending the signed challenge value produced by the identity verifier to the server.
A Web authentication interface implementation method, comprising:
hooking the interface-layer implementation of the Web authentication interface to the underlying implementation of the service component, such that when the service component detects that the interface layer has accepted a call, the service component obtains the challenge value submitted to the Web authentication interface and starts the identity verifier built into the service component to perform credential registration or login authentication.
A credential registration method for local area network login, comprising:
a client of an application program that implements local area network login providing a verifier process with a built-in identity verifier;
when it is determined that the terminal device associated with the application program has registered biometric information of a target user, starting the identity verifier through the verifier process to perform credential registration and obtain credential information associated with the target user under the application program.
A local area network login method, comprising:
a client of an application program that implements local area network login providing a verifier process with a built-in identity verifier;
acquiring the biometric information of a user requesting local area network login and comparing it with the biometric information of the target user registered on the terminal device associated with the application program;
and when the biometric information is confirmed to pass verification, starting the identity verifier through the verifier process to perform login authentication, and granting access to the local area network when the login authentication passes.
A configuration method for credential sharing, comprising:
acquiring at least two application programs that have a binding relationship, the at least two application programs being installed on a terminal device associated with a target user;
and configuring the same shared identity verifier for the service components deployed in the at least two application programs, wherein the shared identity verifier is built into the verifier process provided by the service components, and when the verifier process obtains a challenge value submitted to a Web authentication interface, the shared identity verifier is started to perform credential registration or login authentication.
A credential registration method, comprising:
determining a first application program from at least two application programs that are associated with a target user and have a binding relationship, wherein the clients of the at least two application programs each provide a first verifier process with the same built-in shared identity verifier;
and starting the shared identity verifier through the first verifier process provided by the client of the first application program to perform credential registration and obtain shared credential information associated with the target user under the at least two application programs, the shared credential information comprising a shared public key and a shared private key.
A login authentication method, comprising:
a client of a second application program providing a first verifier process with a built-in shared identity verifier, wherein the second application program belongs to at least two application programs that are associated with a target user and have a binding relationship, and the first verifier processes provided by the clients of the at least two application programs have the same built-in shared identity verifier;
and starting the shared identity verifier through the first verifier process provided by the client of the second application program, obtaining the shared private key in the shared credential information associated with the target user under the at least two application programs, and performing login authentication, wherein the shared credential information was generated by the client of the first application program among the at least two application programs.
Wherein the client of the second application program further provides a second verifier process with a built-in private identity verifier, the method further comprising:
providing the shared identity verifier and the private identity verifier to the target user as options;
and when it is determined that the shared identity verifier has been selected for login authentication of the target user, starting the shared identity verifier through the first verifier process.
A credential registration device for an application program, applied to a client of a first application program, the device comprising:
a verifier process providing unit for providing a verifier process with a built-in identity verifier;
a credential information generation unit for receiving a challenge value generated by the server side of the first application program for a registration request submitted by a target user, sending the challenge value to the verifier process by calling a Web authentication interface, having the identity verifier generate credential information associated with the target user under the first application program, storing the private key in the credential information locally, and signing the challenge value with the private key;
and a credential information sending unit for sending the public key in the credential information and the signed challenge value to the server.
A login authentication device for an application program, applied to a client of a first application program, the device comprising:
a verifier process providing unit for providing a verifier process with a built-in identity verifier;
a credential information obtaining unit for receiving a challenge value generated by the server side of the first application program for a login request submitted by a target user, sending the challenge value to the verifier process by calling a Web authentication interface, having the identity verifier obtain the private key in the credential information associated with the target user under the first application program, and signing the challenge value with the private key; the credential information having been generated by the client according to a registration request submitted by the target user, with the public key in the credential information sent to the server for storage;
and a challenge value sending unit for sending the signed challenge value produced by the identity verifier to the server.
A service component providing apparatus, comprising:
a service component providing unit for providing a service component for credential registration, the service component providing a verifier process with a built-in identity verifier, and after the service component is deployed on a client of a first application program, the following processing is executed:
receiving a challenge value generated by the server side of the first application program for a registration request submitted by a target user, sending the challenge value to the verifier process by calling a Web authentication interface, the identity verifier generating credential information associated with the target user under the first application program, storing the private key in the credential information locally, and signing the challenge value with the private key;
and sending the public key in the credential information and the signed challenge value to the server.
A service component providing apparatus, comprising:
a service component providing unit for providing a service component for login authentication, the service component providing a verifier process with a built-in identity verifier, and after the service component is deployed on a client of a first application program, the following processing is executed:
receiving a challenge value generated by the server side of the first application program for a login request submitted by a target user, sending the challenge value to the verifier process by calling a Web authentication interface, the identity verifier obtaining the private key in the credential information associated with the target user under the first application program and signing the challenge value with the private key; the credential information having been generated, according to a registration request submitted by the target user, by a service component for credential registration deployed on the client, with the public key in the credential information sent to the server for storage;
and sending the signed challenge value produced by the identity verifier to the server.
A Web authentication interface implementation apparatus, comprising:
a hooking unit for hooking the interface-layer implementation of the Web authentication interface to the underlying implementation of the service component, such that when the service component detects that the interface layer has accepted a call, the service component obtains the challenge value submitted to the Web authentication interface and starts the identity verifier built into the service component to perform credential registration or login authentication.
A credential registration device for local area network login, applied to a client of an application program that implements local area network login, the device comprising:
a verifier process providing unit for providing a verifier process with a built-in identity verifier;
and a credential registration unit for starting the identity verifier through the verifier process to perform credential registration when it is determined that the terminal device associated with the application program has registered biometric information of a target user, so as to obtain credential information associated with the target user under the application program.
A local area network login device, applied to a client of an application program that implements local area network login, the device comprising:
a verifier process providing unit for providing a verifier process with a built-in identity verifier;
a biometric information comparison unit for acquiring the biometric information of a user requesting local area network login and comparing it with the biometric information of the target user registered on the terminal device associated with the application program;
and a login authentication unit for starting the identity verifier through the verifier process to perform login authentication when the biometric information passes verification, and granting access to the local area network when the login authentication passes.
A configuration apparatus for credential sharing, comprising:
a binding relationship obtaining unit for obtaining at least two application programs that have a binding relationship, the at least two application programs being installed on a terminal device associated with a target user;
and an identity verifier configuration unit for configuring the same shared identity verifier for the service components deployed in the at least two application programs, wherein the shared identity verifier is built into the verifier process provided by the service components, and when the verifier process obtains a challenge value submitted to a Web authentication interface, the shared identity verifier is started to perform credential registration or login authentication.
A credential registration device, comprising:
an application program determining unit for determining a first application program from at least two application programs that are associated with a target user and have a binding relationship, wherein the clients of the at least two application programs each provide a first verifier process with the same built-in shared identity verifier;
and a credential registration unit for starting the shared identity verifier through the first verifier process provided by the client of the first application program to perform credential registration and obtain shared credential information associated with the target user under the at least two application programs, the shared credential information comprising a shared public key and a shared private key.
A login authentication device, applied to a client of a second application program, the device comprising:
a verifier process providing unit for providing a first verifier process with a built-in shared identity verifier, wherein the second application program belongs to at least two application programs that are associated with a target user and have a binding relationship, and the first verifier processes provided by the clients of the at least two application programs have the same built-in shared identity verifier;
and a login authentication unit for starting the shared identity verifier through the first verifier process provided by the client of the second application program, obtaining the shared private key in the shared credential information associated with the target user under the at least two application programs, and performing login authentication, wherein the shared credential information was generated by the client of the first application program among the at least two application programs.
A computer readable storage medium having stored thereon a computer program which when executed by a processor performs the steps of the method of any of the preceding claims.
An electronic device, comprising:
one or more processors; and
a memory associated with the one or more processors, the memory for storing program instructions that, when read for execution by the one or more processors, perform the steps of the method of any of the preceding claims.
According to the specific embodiments provided by this application, the application discloses the following technical effects:
In the embodiments of this application, a service component that implements the Web authentication function can be provided, and when the service component is installed and deployed on an application program, the Web authentication function is realized on that application program. Web authentication can therefore be applied to the login authentication of the application program, taking advantage of its ability to perform login authentication by biometric identification without the user entering an account and password, so that the authentication security of the application program is improved and its authentication difficulty is reduced.
Specifically, the interface-layer implementation of the Web authentication interface can be hooked to the underlying implementation of the service component provided by the embodiments of this application, so that the service component can monitor calls to the Web authentication interface; when the interface layer is determined to have accepted a call, the identity verifier built into the service component is started, and the challenge value passed through the Web authentication interface is sent to the identity verifier for credential registration or login authentication. Based on this interface transformation scheme, a new user-friendly authentication mode can be realized on the application program.
Of course, it is not necessary for any product practicing the application to achieve all of the advantages set forth above at the same time.
Drawings
In order to more clearly illustrate the embodiments of the present application or the technical solutions in the prior art, the drawings that are needed in the embodiments will be briefly described below, and it is obvious that the drawings in the following description are only some embodiments of the present application, and other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
FIG. 1 is a schematic diagram of Web authentication by a browser;
FIG. 2 is a flow chart of a credential registration method for an application provided by an embodiment of the present application;
FIG. 3 is a flowchart of a login authentication method of an application program according to an embodiment of the present application;
FIG. 4 is a flow chart of a credential registration method for local area network login provided by an embodiment of the present application;
FIG. 5 is a flowchart of a local area network login method according to an embodiment of the present application;
FIG. 6 is a flow chart of a configuration method for credential sharing provided by an embodiment of the present application;
FIG. 7 is a flow chart of a credential registration method provided by an embodiment of the present application;
FIG. 8 is a flowchart of a login authentication method provided by an embodiment of the present application;
FIG. 9 is a schematic diagram of a credential registration device of an application provided by an embodiment of the present application;
FIG. 10 is a schematic diagram of a login authentication device for an application according to an embodiment of the present application;
FIG. 11 is a schematic diagram of a credential registration device for local area network login provided by an embodiment of the present application;
FIG. 12 is a schematic diagram of a local area network login device according to an embodiment of the present application;
FIG. 13 is a schematic diagram of a configuration apparatus for credential sharing provided by an embodiment of the present application;
FIG. 14 is a schematic diagram of a credential registration device provided by an embodiment of the present application;
FIG. 15 is a schematic diagram of a login authentication device according to an embodiment of the present application;
FIG. 16 is a schematic diagram of an electronic device according to an embodiment of the present application.
Detailed Description
The following description of the embodiments of the present application will be made clearly and completely with reference to the accompanying drawings, in which it is apparent that the embodiments described are only some embodiments of the present application, but not all embodiments. All other embodiments, which are derived by a person skilled in the art based on the embodiments of the application, fall within the scope of protection of the application.
As people's awareness of information security gradually increases, the requirements on login authentication also increase: authentication security is expected to improve while authentication difficulty is expected to decrease. Given this user requirement, how to solve problems such as cumbersome operation and long authentication chains in the login authentication process of an application (APP) in the prior art, and provide a more user-friendly identity authentication mode, has become a technical problem to be solved by a person skilled in the art.
In the course of research, the inventors found that Web Authentication (WebAuthn for short, a Web standard issued by the World Wide Web Consortium) can realize login authentication by means of biometric identification without the user entering an account number and password. However, WebAuthn is only applicable to Web applications, that is, it enables credential registration and login authentication only for Web applications.
Referring to the schematic diagram shown in fig. 1, a browser 1 and a browser 2 are installed on a terminal device. When a user accesses a website 1 supporting WebAuthn authentication through browser 1, credential registration can be performed on website 1, and subsequently login authentication can be performed on website 1 based on the credential information obtained by the registration. The credential registration process may proceed as follows:
First, browser 1 may send the registration request submitted by the user to the server of website 1, and receive a challenge value (challenge) randomly generated by the server for the registration request.
Second, browser 1 may call the Web Authentication API to pass the challenge value and other parameters (e.g., the website domain name, user identity information, etc.) to the identity verifier (authenticator) built into browser 1. An identity verifier is understood to be an abstract functional model, physical or virtual, that can perform cryptographic operations.
Then, the identity verifier generates a public key and private key pair according to the parameters passed by browser 1, as the credential information 1 obtained by the user registering at website 1 through browser 1. In practical applications, the private key may be stored locally, for example in a security module of the terminal device; the challenge value is signed with the private key, and the public key and the signed challenge value are sent to the server through browser 1.
Finally, the server performs validity verification on the signed challenge value with the public key, and after the verification passes, stores the public key in a database in association with the user identity information.
In order to realize the WebAuthn authentication function on an APP, the embodiment of the application can modify the existing interface for realizing Web authentication, namely the Web Authentication API, by hooking the interface-layer implementation of the Web authentication interface onto the underlying implementation of the service component provided by the embodiment of the application, namely the protocol implementing the functions of the service component. The underlying implementation can monitor calls to the Web authentication interface, acquire the challenge value submitted to the Web authentication interface once the interface layer is determined to have accepted a call, and start the identity verifier built into the service component to perform credential registration or login authentication. That is, when the Web Authentication API is called, only the API interface layer is nominally invoked; what is actually executed is the underlying implementation of the service component, so that the Web authentication function is realized on the APP on which the service component is deployed.
As an example, an embodiment of the present application may provide a service component for credential registration. The service component can provide a verifier process with a built-in identity verifier. After the service component is deployed on the client of the first application program, the verifier process can monitor calls to the Web authentication interface and intercept the parameters passed through the Web authentication interface (for example, at least the challenge value generated by the server of the first application program for a registration request submitted by the target user), and the identity verifier is started to generate the credential information associated with the target user under the first application program. The intercepted parameters may be determined according to the credential registration requirements, which are not limited by the embodiments of the present application.
As another example, an embodiment of the present application may provide a service component for login authentication. The service component can provide a verifier process with a built-in identity verifier. After the service component is deployed on the client of the first application program, the verifier process can monitor calls to the Web authentication interface and intercept the parameters passed through the Web authentication interface (for example, at least the challenge value generated by the server of the first application program for a login request submitted by the target user), and the identity verifier is started to obtain the private key in the credential information associated with the target user under the first application program and carry out login authentication. The intercepted parameters may be determined according to the login authentication requirements, which are not limited by the embodiments of the present application.
The first application program may be an APP installed on a terminal device associated with the target user.
It should be noted that the service component for credential registration and the service component for login authentication may exist separately and be deployed independently on the client of the first application, as long as both can access the same identity verifier; alternatively, the two may be integrated, i.e. packaged so that one service component implements the two functions of credential registration and login authentication.
In practice, the service components may be embodied as an SDK (Software Development Kit) loadable into the application.
Referring to the flowchart shown in fig. 2, the method for registering credentials of an application program according to an embodiment of the present application may include:
S201: The client of the first application provides a verifier process with a built-in identity verifier.
As an example, the service component for credential registration provided by the embodiment of the present application may be loaded on the client of the first application, so that the client may provide a verifier process with an identity verifier built therein, to implement credential registration.
S202: the method comprises the steps of receiving a challenge value generated by a server side of a first application program for a registration request submitted by a target user, sending the challenge value to a verifier process in a mode of calling a Web authentication interface, generating credential information associated with the target user under the first application program by an identity verifier, locally storing a private key in the credential information, and signing the challenge value by using the private key.
As an example, after the target user starts the client of the first application program on the terminal device, the client may provide the credential registration page for the target user, and obtain, through the operation options provided by the credential registration page, the registration request submitted by the target user, and then may send the registration request to the server of the first application program.
In one implementation, the client may provide the credential registration page when it is determined that the target user is in a login state. For example, in the case that the target user logs in to the first application client through the terminal device for the first time, identity verification may be performed by means of token authentication or verification code authentication, and after the identity verification is passed, login is performed, so as to provide a credential registration page for the target user.
It can be appreciated that after the server obtains the registration request submitted by the client, it can correspondingly generate a random challenge value and return it to the client. For example, the challenge value may be returned to a front-end page provided by the client, where the front-end page may be the credential registration page currently viewed by the user. The client receives the challenge value returned by the server and can pass the challenge value to the verifier process by calling the Web authentication interface.
As an example, the verifier process may be embodied as a resident process in the background of the first application program, and may monitor the call condition of the Web authentication interface in real time. By resident process, it is understood a process that is permanently present in memory and that is capable of remaining active without being killed.
Specifically, when the verifier process monitors that the client calls the Web authentication interface, the verifier process can establish connection with the Web authentication interface to obtain a challenge value transmitted to the Web authentication interface by the client. In practical applications, besides the challenge value, some other parameters may be transferred to the verifier process according to needs, and in particular, reference may be made to the related art, which is not limited by the embodiment of the present application.
In this way, the verifier process can start the built-in identity verifier and pass the challenge value and other parameters submitted by the client to the identity verifier, and the identity verifier generates a public key and private key pair as the credential information associated with the target user under the first application program. The private key may be stored locally and the public key may be returned to the server for storage; the specific implementation may refer to the related art.
As an example, to increase the security of private key storage, the identity verifier may generate the key pair in a secure enclave, i.e. the identity verifier may invoke a security module of the terminal device to generate the key pair. In general, the chip of the security module and the chip of the terminal device are not connected together, so the key pair is generated without passing through the CPU of the terminal device or the on-board memory; even if the device is maliciously compromised, the private key stored locally in the security module cannot be extracted, thereby ensuring the security of the local storage of the private key.
Optionally, the identity verifier may verify the identity of the target user prior to generating the credential information. For example, the target user may be prompted to input biometric information for user identity verification, and only after the identity verification passes, that is, when the target user is determined to be a legitimate user of the terminal device, is the credential information generated.
Optionally, the embodiment of the application can also limit the number of credential registrants of the first application deployed on the terminal device. Specifically, when it is determined that the number of users performing credential registration for the first application does not exceed a preset number on the terminal device associated with the first application, a registration request submitted by the target user may be sent to the server, and the server generates a challenge value.
That is, after obtaining a registration request submitted by a target user through a client of the first application, the number of users who have completed credential registration through the first application installed and deployed on the current terminal device may be obtained first. If the number of users exceeds the preset number, no credential registration service is provided for the target user; otherwise, the registration request can be sent to the server to continue to provide the credential registration service for the target user.
If the preset number is 1, that is, only one user is allowed to register credentials through the first application program installed on the terminal device, then when a registered user is determined to exist, relevant prompt information can be returned to the target user, for example prompting that the current device has been registered by another user and that registration cannot be repeated. This scheme of limiting the number of registered credentials helps ensure the security of login authentication and further improves the security of using the first application program. Specifically, for a legitimate user of the terminal device, if credential registration on the terminal device is met with a prompt that a registered user already exists, it can be determined that the terminal device has been registered by an illegitimate user, and an investigation of the illegitimate user can be carried out; in addition, if the legitimate user completed credential registration before the illegitimate user attempted it, the illegitimate user is not allowed to perform a repeated registration.
S203: Send the public key in the credential information and the signed challenge value obtained by signing to the server.
The identity verifier can sign the challenge value generated by the server with the private key to obtain a signed challenge value, then send the public key and the signed challenge value through the verifier process to a front-end page of the client, which forwards them to the server. The server verifies the validity of the signed challenge value with the public key, and after the verification passes, stores the public key in a database in association with the identity information of the target user for use in login authentication. The implementation of the validity verification and public key storage by the server may refer to the related art and is not specifically limited by the embodiments of the present application.
Referring to a flowchart shown in fig. 3, the login authentication method for an application program provided in the embodiment of the present application may include:
S301: The client of the first application provides a verifier process with a built-in identity verifier.
As an example, the service component for login authentication provided by the embodiment of the present application may be loaded on the client of the first application program, so that the client may provide a verifier process with an identity verifier built therein, to implement login authentication.
S302: receiving a challenge value generated by a server side of the first application program aiming at a login request submitted by a target user, sending the challenge value to the verifier process in a mode of calling a Web authentication interface, obtaining a private key in credential information associated with the target user under the first application program by the identity verifier, and signing the challenge value by using the private key; the credential information is generated by the client according to a registration request submitted by the target user, and a public key in the credential information is sent to the server for storage.
As an example, after the target user starts the client of the first application program on the terminal device, the client may provide a login page for the target user, and after obtaining the login request submitted by the target user through an operation option provided by the login page, the login request may be sent to the server of the first application program.
After the server obtains the login request submitted by the client, it can correspondingly generate a random challenge value and return it to the client. For example, the challenge value may be returned to a front-end page provided by the client, which may be the login page currently viewed by the user. The client receives the challenge value returned by the server and can pass the challenge value to the verifier process by calling the Web authentication interface.
As an example, the verifier process may be embodied as a resident process in the background of the first application program, and may monitor the call condition of the Web authentication interface in real time.
Specifically, when the verifier process monitors that the client calls the Web authentication interface, the verifier process can establish connection with the Web authentication interface to obtain a challenge value transmitted to the Web authentication interface by the client. In practical applications, besides the challenge value, some other parameters may be transferred to the verifier process according to needs, and in particular, reference may be made to the related art, which is not limited by the embodiment of the present application.
In this way, the verifier process can start the built-in identity verifier and pass the challenge value and other parameters submitted by the client to the identity verifier, and the identity verifier looks up, according to the challenge value and other parameters, the credential information associated with the target user under the first application program, namely the locally stored private key.
S303: Send the signed challenge value obtained by the signature of the identity verifier to the server.
The identity verifier can sign the challenge value generated by the server with the private key to obtain a signed challenge value, which is then sent through the verifier process to a front-end page of the client and forwarded to the server. The server looks up in the database the public key associated with the target user under the first application program, performs validity verification on the signed challenge value with the public key, and provides a login success page to the target user after the verification passes. The implementation of the public key lookup and validity verification by the server may refer to the related art and is not specifically limited by the embodiments of the present application.
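As an added illustration (not code from the patent or from any component of the applicant), the following Go program models the exchanges of figs. 2 and 3 between the two parties: a Server that issues single-use challenge values, verifies signed challenges and stores public keys, and an Authenticator standing in for the identity verifier that keeps private keys locally, signs challenges and enforces the preset registrant limit described above. ECDSA over P-256, the type and function names, and the per-user key store are this example's own assumptions; the local area network flows of figs. 4 and 5 run the same exchange after the biometric check.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// digest hashes the challenge value before signing, as ECDSA signs a digest.
func digest(b []byte) []byte {
	h := sha256.Sum256(b)
	return h[:]
}

// Server stands in for the server side of the first application program: it
// issues random challenge values, verifies signed challenges and stores each
// registered user's public key (names are this example's own assumptions).
type Server struct {
	pending map[string]string           // challenge -> user it was issued to
	pubKeys map[string]*ecdsa.PublicKey // user -> public key stored at registration
}

func NewServer() *Server {
	return &Server{pending: map[string]string{}, pubKeys: map[string]*ecdsa.PublicKey{}}
}

// Challenge answers a registration or login request with 32 random bytes and
// remembers who they were issued to, so each value is accepted exactly once.
func (s *Server) Challenge(user string) ([]byte, error) {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	s.pending[string(c)] = user
	return c, nil
}

// consume rejects a challenge never issued to this user or already used, so a
// captured signed challenge cannot be replayed for a second login.
func (s *Server) consume(user string, challenge []byte) bool {
	if s.pending[string(challenge)] != user {
		return false
	}
	delete(s.pending, string(challenge))
	return true
}

// Register is step S203 on the server: verify the signed challenge with the
// public key sent alongside it, then associate that key with the user.
func (s *Server) Register(user string, pub *ecdsa.PublicKey, challenge, sig []byte) bool {
	if !s.consume(user, challenge) || !ecdsa.VerifyASN1(pub, digest(challenge), sig) {
		return false
	}
	s.pubKeys[user] = pub
	return true
}

// Login is step S303 on the server: verify the fresh signature with the stored key.
func (s *Server) Login(user string, challenge, sig []byte) bool {
	pub, ok := s.pubKeys[user]
	return ok && s.consume(user, challenge) && ecdsa.VerifyASN1(pub, digest(challenge), sig)
}

// Authenticator stands in for the identity verifier built into the verifier
// process of one application. Private keys never leave it, and it enforces
// the preset limit on credential registrants per terminal device.
type Authenticator struct {
	maxRegistrants int
	keys           map[string]*ecdsa.PrivateKey // user -> locally stored private key
}

func NewAuthenticator(maxRegistrants int) *Authenticator {
	return &Authenticator{maxRegistrants: maxRegistrants, keys: map[string]*ecdsa.PrivateKey{}}
}

// Register is step S202: generate the key pair, keep the private key locally
// and sign the challenge; only the public key and the signature are returned.
func (a *Authenticator) Register(user string, challenge []byte) (*ecdsa.PublicKey, []byte, error) {
	if _, known := a.keys[user]; !known && len(a.keys) >= a.maxRegistrants {
		return nil, nil, errors.New("device already registered by another user")
	}
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	a.keys[user] = priv
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest(challenge))
	return &priv.PublicKey, sig, err
}

// Sign is step S302: sign the login challenge with the user's stored private key.
func (a *Authenticator) Sign(user string, challenge []byte) ([]byte, error) {
	priv, ok := a.keys[user]
	if !ok {
		return nil, errors.New("no credential registered for this user")
	}
	return ecdsa.SignASN1(rand.Reader, priv, digest(challenge))
}
```

Authenticator.Sign is what the verifier process invokes once it intercepts the call to the Web authentication interface; Server.Login then checks that signature against the public key stored at registration and refuses a reused challenge value.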
In summary, the WebAuthn authentication function can be realized on an APP, and its advantage of authenticating by biometric means without the user entering an account number and password is brought to the login authentication of the application program. This improves the authentication security of the application program, reduces the authentication difficulty, and realizes a user-friendly identity authentication scheme in the application program.
The following illustrates an application scenario of the embodiment of the present application.
With the continuous development of mobile office technology, users can process business matters at any time and any place, but to ensure office security, the terminal device associated with a user is generally required to pass validity authentication before it is allowed to access a local area network and the related data in that network. At present, a dynamic token is mainly generated by an application program installed on the mobile phone, and validity authentication is carried out by an application program installed on the computer verifying the validity of that token, so that the user must switch between the mobile phone and the computer and the two terminals must cooperate to complete the authentication process.
Correspondingly, the scheme provided by the embodiment of the application can realize the Web authentication function under the LAN login scene, and simplify the operation link of LAN connection.
Referring to the flowchart shown in fig. 4, the credential registration method for local area network login provided in the embodiment of the present application may include:
S401: The client of an application for implementing local area network login provides a verifier process with a built-in identity verifier.
In this example, the first application is an application for implementing local area network login. The application program can be an application program installed on the mobile phone terminal, the Web authentication function is realized on the mobile phone terminal through the scheme of the embodiment of the application, and local area network login is carried out according to the Web authentication function; or the application program can be an application program installed on the computer end, the Web authentication function is realized on the computer end through the scheme of the embodiment of the application, and the local area network login is carried out according to the Web authentication function.
Specifically, the service component for credential registration provided by the embodiment of the application can be loaded on the client of the application program, so that the client can provide a verifier process with an identity verifier built in, and the credential registration is realized.
S402: When the terminal device associated with the application program is determined to have registered the biometric information of the target user, start the identity verifier through the verifier process to perform credential registration, and obtain the credential information associated with the target user under the application program.
In order to complete local area network login by biometric means alone, the client can first judge whether the terminal device associated with the application program, namely the terminal device on which the application program is installed, has registered the biometric information of the target user. In this example, the target user may be a legitimate user of the terminal device.
If the terminal device has registered the biometric information of the target user, the credential registration service continues to be provided for the target user; otherwise, the target user can be prompted to register biometric information, that is, to enter the biometric information of the target user on the terminal device. For example, the target user may be prompted to enter a fingerprint through the fingerprint acquisition module of the terminal device, or to enter facial features through the camera of the terminal device, etc.; the biometric information of the target user is not limited by the embodiment of the present application.
When the terminal device is determined to have registered the biometric information of the target user, the identity verifier can be started through the verifier process to perform credential registration and obtain the credential information associated with the target user under the application program. Specifically, the client may provide a credential registration page, obtain the registration request submitted by the target user through an operation option provided by the credential registration page, and send the registration request to the server of the application program for implementing local area network login, and the server generates a random challenge value. Correspondingly, after the client obtains the challenge value generated by the server, it can call the Web authentication interface and pass the challenge value and other parameters through the verifier process to the identity verifier, which generates the credential information associated with the target user under the application program according to the challenge value and other parameters. The specific implementation of credential registration may refer to the description of fig. 2 and will not be described in detail herein.
Correspondingly, the embodiment of the application also provides a local area network login method, which can be shown in a flowchart in fig. 5 and includes:
S501: The client of an application for implementing local area network login provides a verifier process with a built-in identity verifier.
In this example, the first application is an application for implementing local area network login. The service component for login authentication provided by the embodiment of the application can be loaded on the client of the application program, so that the client can provide a verifier process with an identity verifier, and login authentication is realized.
S502: Acquire the biometric information of the user requesting local area network login and compare it with the biometric information of the target user registered on the terminal device associated with the application program.
When access to the local area network is required, a login page can be provided for the user, and if the user chooses to use the identity verifier for login authentication, a biometric information acquisition page can be provided to the user for identity verification. For example, the user may be prompted to input fingerprint information on the page; after the biometric information of the user requesting local area network login is collected, it is compared with the biometric information of the target user registered on the terminal device on which the application program is installed, that is, the legitimate biometric information. If the two match, the biometric information is confirmed to pass verification, the current user is a legitimate user of the terminal device, and the login authentication service continues to be provided for the user; if the two do not match, the user requesting local area network login does not have login authority, that is, has no authority to obtain the private key and perform login authentication with it.
S503: and when the biometric information is confirmed to pass verification, starting the identity verifier to carry out login authentication through the verifier process, and accessing to a local area network when the login authentication passes.
When the user identity verification is confirmed to pass, the identity verifier can be started through the verifier process to carry out login authentication, and the local area network is accessed when the login authentication passes. Specifically, the client may generate a login request and send it to the server of the application program for implementing local area network login, and the server generates a random challenge value. Correspondingly, after the client obtains the challenge value generated by the server, it can call the Web authentication interface and pass the challenge value and other parameters through the verifier process to the identity verifier; the identity verifier locally looks up the private key associated with the target user under the application program, signs the challenge value with the private key, and sends the signed challenge value to the server, so that the server can verify the validity of the signed challenge value according to the public key associated with the target user under the application program, and the terminal device is connected to the local area network after the verification passes. The specific implementation of login authentication refers to the description of fig. 3 and will not be described in detail here.
In this example, the biometric information of the user requesting local area network login may be collected first for identity verification, and after the identity verification passes, the client may be triggered to perform login authentication according to the private key associated with the target user under the application program, so as to access the local area network once the login authentication passes. From the user's perspective, the target user only needs to input the biometric information as prompted to trigger the client to automatically perform login authentication in the background. The target user does not need to perform many operations for login authentication, nor switch between multiple terminals for authentication, so the operation process of local area network login can be simplified and its difficulty reduced. In addition, performing identity verification on the basis of the target user's biometric information ensures the security of the identity verification to the greatest extent and further improves the security of local area network login.
As an example, based on the service component provided by the embodiment of the application, the credential sharing among a plurality of application programs can be realized, and the credential registration and login authentication process is further simplified.
The application background of the credential sharing scheme is explained first.
Currently, WebAuthn credentials in the related art cannot be used across containers. For example, the credential information registered by the user through browser 1 cannot be used across browsers, i.e., cannot be used for login authentication on browser 2; nor can it be used across Web applications, i.e., the credential information registered by the user through Web application 1 cannot be used for login authentication of Web application 2. It should be noted that the browsers, Web applications and the like between which credential sharing is impossible are all installed on one terminal device.
A container may be understood as a memory space with isolated processes or threads, and the memory space may support HTML (HyperText Markup Language) and JS (JavaScript, a lightweight, interpreted or just-in-time compiled programming language with first-class functions) running environments.
Take cross-browser use as an example. In the example illustrated in fig. 1, when the user accesses website 1 through browser 1, the user may register to obtain credential information 1 and implement login authentication for website 1 on browser 1 based on credential information 1. If the user wants to access website 1 through browser 2 and perform login authentication, the Web Authentication API is called through browser 2, and credential information 2 associated with website 1 on browser 2 is registered afresh by the identity verifier built into browser 2. The reason is that different browsers each have their own built-in identity verifier, credential registration and login authentication are carried out by each browser's own built-in identity verifier, and different browsers correspond to different containers in which the browser runs; that is, at the bottom layer the browsers are isolated in their own independent containers, so credential information cannot be used across containers, and the user has to repeatedly register credentials in different browsers and different Web applications.
Correspondingly, when Web authentication is realized based on the embodiment of the application, a call initiated at the API layer of the Web Authentication API is actually handled by the underlying implementation of the service component. The underlying implementation can intercept the call that would otherwise reach the identity verifier built into the browser and instead invoke the identity verifier built into the verifier process, so cross-container credential sharing can be realized on the basis of this technique.
The credential sharing scheme of the embodiment of the present application is explained below with reference to specific examples.
As an example, an embodiment of the present application may provide a configuration method for credential sharing, referring to a flowchart shown in fig. 6, may include:
S601: Obtain at least two application programs with a binding relationship, where the at least two application programs are installed on a terminal device associated with the target user.
In this example, the at least two application programs with a binding relationship are the applications that can share credentials, and they can be determined according to usage requirements. The application programs having the binding relationship may be of various types: for example, a browser (an application program for retrieving, displaying and delivering Web information resources) and a Web application (an application program accessed through the Web), which conventionally support the Web authentication function, or an APP that implements the Web authentication function by the scheme of the embodiment of the present application. The embodiment of the present application does not limit the types of the application programs, as long as the service component provided by the embodiment can be loaded into them. For example, the service component may be loaded in the form of an SDK in an APP and in the form of a plug-in in a browser.
In practical application, at least two application programs can be determined to be bound from application programs installed on terminal equipment associated with a target user according to use requirements. The types of the application programs with the binding relationship may be the same or different, and the embodiment of the present application is not limited to this.
Optionally, when a browser is among the application programs with the binding relationship, the credential sharing granularity may be refined from the information security perspective. For example, credential sharing granularity may be refined to the website accessed through the browser, i.e., credentials for the same website are shared between different browsers. In the above example of browser 1 and browser 2 accessing website 1, when credential sharing is performed according to the scheme of the embodiment of the present application, it may be determined that browser 1 and browser 2 have a binding relationship when accessing website 1. Thus, after the user registers credentials for website 1 through browser 1, the user can log in to website 1 through browser 2 with the registered credential information, without repeated registration.
Alternatively, the credential sharing granularity may be refined to the websites belonging to the same domain, i.e., credentials for the multiple websites within one domain are shared between different browsers. For example, when the domain of enterprise A is associated with websites A1, A2 and A3, and credential sharing is performed according to the embodiment of the present application, it may be determined that browser 1 and browser 2 have a binding relationship when accessing any website associated with the domain of enterprise A. Thus, after the user registers credentials on website A1 through browser 1, login authentication for websites A2 and A3 through browser 1, and for websites A1, A2 and A3 through browser 2, can all be performed with the registered credential information.
S602: For the service components deployed in the at least two application programs, configure the same shared identity verifier, where the shared identity verifier is built into the verifier process provided by the service component, and when the verifier process obtains a challenge value submitted to the Web authentication interface, the shared identity verifier is started to perform credential registration or login authentication.
From the technical basis for cross-container credential sharing described above, it can be seen that, in order to share credentials between at least two application programs with a binding relationship, the same shared identity verifier can be configured for the service components deployed in those application programs. That is, when the Web authentication function is performed, the at least two application programs call the same underlying implementation, and credential generation and login authentication are carried out by the same shared identity verifier, which is what makes credential sharing possible.
Based on the above configuration scheme for credential sharing, the embodiment of the present application may provide a credential registration method capable of implementing credential sharing, which may include:
S701: Determine a first application program from at least two application programs associated with the target user and having a binding relationship, where the clients of the at least two application programs each provide a first verifier process with the same shared identity verifier built in.
As an example, a selection interface may be provided to the target user listing the at least two application programs with the binding relationship; the target user selects a first application program from it and performs credential registration through that application program.
Or, as another example, whichever of the at least two application programs with the binding relationship the target user currently starts and submits a registration request through may be determined as the first application program.
In the example above, browser 1 and browser 2 have a binding relationship when accessing website 1; if the target user currently accesses website 1 through browser 1 and submits a registration request, browser 1 may be determined as the first application program.
S702: Start the shared identity verifier through the first verifier process provided by the client of the first application program to perform credential registration, obtaining shared credential information associated with the target user under the at least two application programs, where the shared credential information includes a shared public key and a shared private key.
The process of credential registration by the first verifier process with the built-in shared identity verifier may be as follows: browser 1 receives the challenge value returned by the server side of website 1 and calls the Web Authentication API; when the first verifier process detects the interface call, it starts the shared identity verifier and passes the challenge value and the other parameters transmitted through the API interface to the shared identity verifier, which generates the credential, i.e., the shared public key and the shared private key. The shared private key is stored locally and the shared public key is returned to the server for storage; the specific implementation is as described above and is not repeated here.
Correspondingly, the embodiment of the present application also provides a method for login authentication based on the shared credential, see the flowchart shown in fig. 8, which includes:
S801: The client of the second application program provides a first verifier process with a built-in shared identity verifier, where the second application program belongs to at least two application programs associated with the target user and having a binding relationship, and the same shared identity verifier is built into the first verifier processes provided by the clients of the at least two application programs.
S802: Start the shared identity verifier through the first verifier process provided by the client of the second application program, obtain the shared private key in the shared credential information associated with the target user under the at least two application programs, and perform login authentication, where the shared credential information was generated by the client of the first application program among the at least two application programs.
In the example above, if the target user accesses website 1 through browser 2 and submits a login request, browser 2 may be determined as the second application program. The login authentication performed by the first verifier process with the built-in shared identity verifier may be as follows: browser 2 receives the challenge value returned by the server side of website 1 and calls the Web Authentication API; when the first verifier process detects the interface call, it starts the shared identity verifier and passes the challenge value and the other parameters transmitted through the API interface to it, and the shared identity verifier looks up locally, according to the challenge value and the other parameters, the credential information associated with website 1 in browser 2. In this example, browser 1 and browser 2 have a binding relationship when accessing website 1, and the shared credential information for website 1 was registered through browser 1, so the challenge value can be signed with the shared private key and the signed challenge value sent to the server; the server then verifies the signed challenge value with the corresponding shared public key, completing login authentication. The specific implementation is as described above and is not repeated here.
Optionally, if the client of the second application program also provides a second verifier process with a built-in private identity verifier, the shared identity verifier and the private identity verifier may both be offered to the target user as options when login authentication is performed; when it is determined that the target user has selected the shared identity verifier for login authentication, the shared identity verifier is started through the first verifier process.
Taking browser 2 as the second application program, the identity verifier built into browser 2 is a private identity verifier. If browser 2 has registered credential information 2 for website 1 and browser 1 has registered the shared credential information for website 1, a selection interface may be presented to the target user when browser 2 accesses website 1 for login authentication; the interface may include an option to perform login authentication through the shared identity verifier and an option to perform it through the private identity verifier, from which the target user chooses.
If the target user chooses login authentication through the private identity verifier, then when browser 2 obtains the challenge value returned by the server, the Web Authentication API is called and login authentication is performed by the API's own underlying implementation: the challenge value is passed to the authenticator built into browser 2 and login authentication uses the private key in credential information 2.
If the target user chooses login authentication through the shared identity verifier, then when browser 2 obtains the challenge value returned by the server, the Web Authentication API is called and login authentication is performed by the underlying implementation of the service component: the first verifier process passes the challenge value to the shared identity verifier and login authentication uses the shared private key in the shared credential information.
It should be noted that the user information (including but not limited to user equipment information and user personal information) and data (including but not limited to data used for analysis, stored data and displayed data) involved in the present application are information and data authorized by the user or fully authorized by all parties; the collection, use and processing of such data must comply with the relevant laws, regulations and standards of the relevant country and region, and a corresponding operation entry is provided for the user to grant or refuse authorization.
Corresponding to the foregoing method embodiment, the embodiment of the present application further provides a credential registration device of an application, applied to a client of a first application, referring to fig. 9, where the device may include:
a verifier process providing unit 901 for providing a verifier process with an identity verifier built therein;
The credential information generating unit 902 is configured to receive a challenge value generated by a server of the first application program for a registration request submitted by a target user, send the challenge value to the verifier process by invoking a Web authentication interface, generate credential information associated with the target user under the first application program by the identity verifier, locally store a private key in the credential information, and sign the challenge value by using the private key;
the credential information sending unit 903 is configured to send the public key in the credential information and the signed challenge value obtained by the signing to the server.
The credential information generating unit is specifically configured to: when the verifier process detects that the client calls the Web authentication interface, establish a connection with the Web authentication interface to obtain the challenge value submitted to the Web authentication interface by the client.
Wherein the apparatus further comprises:
a registration number determining unit, configured to send the registration request submitted by the target user to the server, which then generates the challenge value, only when the number of users who have performed credential registration for the first application program on the terminal device associated with the first application program does not exceed a preset number.
Corresponding to the foregoing method embodiment, the embodiment of the present application further provides a login authentication device of an application program, applied to a client of a first application program, referring to fig. 10, where the device may include:
a verifier process providing unit 1001 for providing a verifier process with an identity verifier built therein;
the credential information obtaining unit 1002 is configured to receive a challenge value generated by a server of the first application for a login request submitted by a target user, send the challenge value to the verifier process by invoking a Web authentication interface, obtain, by the identity verifier, a private key in credential information associated with the target user under the first application, and sign the challenge value with the private key; the credential information is generated by the client according to a registration request submitted by the target user, and a public key in the credential information is sent to the server for storage;
and a challenge value sending unit 1003, configured to send the signed challenge value obtained by the signature of the identity verifier to the server.
Corresponding to the foregoing method embodiment, the present application further provides a service component providing apparatus, where the apparatus may include:
The service component providing unit is used for providing a service component for certificate registration, the service component provides a verifier process with an identity verifier, and after the service component is deployed at a client of a first application program, the following processing is executed:
receiving a challenge value generated by a server side of the first application program aiming at a registration request submitted by a target user, sending the challenge value to a verifier process in a mode of calling a Web authentication interface, generating credential information associated with the target user under the first application program by the identity verifier, locally storing a private key in the credential information, and signing the challenge value by utilizing the private key;
and sending the public key in the credential information and the signed challenge value obtained by signing to the server.
Corresponding to the foregoing method embodiment, the present application further provides a service component providing apparatus, where the apparatus may include:
the service component providing unit is used for providing a service component for login authentication, the service component provides a verifier process with an identity verifier, and after the service component is deployed at a client of a first application program, the following processing is executed:
Receiving a challenge value generated by a server side of the first application program aiming at a login request submitted by a target user, sending the challenge value to the verifier process in a mode of calling a Web authentication interface, obtaining a private key in credential information associated with the target user under the first application program by the identity verifier, and signing the challenge value by using the private key; the credential information is generated by a service component for credential registration deployed on the client according to a registration request submitted by the target user, and a public key in the credential information is sent to the server for storage;
and sending the signed challenge value obtained by the signature of the identity verifier to the server.
Corresponding to the foregoing method embodiment, the embodiment of the present application further provides a Web authentication interface implementation device, which may include:
a Web authentication interface wrapping unit, configured to wrap the interface-layer implementation of the Web authentication interface over the underlying implementation of the service component, so that when the service component detects that the interface layer has accepted a call, the service component obtains the challenge value submitted to the Web authentication interface and starts the identity verifier built into the service component to perform credential registration or login authentication.
Corresponding to the foregoing method embodiment, the embodiment of the present application further provides a credential registration device for local area network login, which is applied to a client of an application program for implementing local area network login, and referring to fig. 11, the device may include:
a verifier process providing unit 1101 for providing a verifier process with an identity verifier built therein;
and the credential registration unit 1102 is configured to, when determining that the terminal device associated with the application program registers the biometric information of the target user, start the identity verifier to perform credential registration through the verifier process, and obtain credential information associated with the target user under the application program.
Corresponding to the foregoing method embodiment, the embodiment of the present application further provides a LAN login device, applied to a client of an application program that implements LAN login, referring to fig. 12, where the device may include:
a verifier process providing unit 1201 for providing a verifier process with an identity verifier built therein;
a biometric information comparison unit 1202, configured to collect the biometric information of a user requesting LAN login and compare it with the biometric information of the target user registered on the terminal device associated with the application program;
and a login authentication unit 1203, configured to start the identity verifier through the verifier process to perform login authentication when the biometric information passes verification, and to access the local area network when the login authentication passes.
Corresponding to the foregoing method embodiment, the embodiment of the present application further provides a configuration apparatus for credential sharing, referring to fig. 13, where the apparatus may include:
a binding relationship obtaining unit 1301, configured to obtain at least two application programs with a binding relationship, where the at least two application programs are installed on a terminal device associated with a target user;
the identity verifier configuration unit 1302 is configured to configure the same shared identity verifier for a service component deployed in the at least two application programs, where the shared identity verifier is built in a verifier process provided by the service component, and when the verifier process obtains a challenge value submitted to a Web authentication interface, the shared identity verifier is started to perform credential registration or login authentication.
Corresponding to the foregoing method embodiment, the embodiment of the present application further provides a credential registration device, referring to fig. 14, where the device may include:
an application determining unit 1401, configured to determine a first application from at least two applications associated with a target user and having a binding relationship, where clients of the at least two applications respectively provide a first verifier process with the same shared identity verifier built therein;
The credential registration unit 1402 is configured to start, by using a first verifier process provided by a client of the first application, the shared identity verifier to perform credential registration, and obtain shared credential information associated by the target user under the at least two applications, where the shared credential information includes a shared public key and a shared private key.
Corresponding to the foregoing method embodiment, the embodiment of the present application further provides a login authentication device, which is applied to a client of a second application program, referring to fig. 15, where the device may include:
a verifier process providing unit 1501, configured to provide a first verifier process with a shared identity verifier built therein, where the second application belongs to at least two applications associated with a target user and having a binding relationship, and the same shared identity verifier is built in the first verifier processes respectively provided by clients of the at least two applications;
the login authentication unit 1502 is configured to start the shared identity verifier through a first verifier process provided by a client of the second application, obtain a shared private key in shared credential information associated with the target user under the at least two applications, and perform login authentication, where the shared credential information is generated by a client of a first application of the at least two applications.
Wherein the client of the second application further provides a second verifier process with a private identity verifier built-in, the apparatus further comprising:
an identity verifier determination unit configured to provide the shared identity verifier and the private identity verifier as options to the target user; and when determining to select the shared identity verifier to carry out login authentication on the target user, starting the shared identity verifier through the first verifier process.
In addition, the embodiment of the present application also provides a computer-readable storage medium on which a computer program is stored, which, when executed by a processor, implements the steps of the method of any one of the preceding method embodiments.
And an electronic device comprising:
one or more processors; and
a memory associated with the one or more processors for storing program instructions that, when read for execution by the one or more processors, perform the steps of the method of any of the preceding method embodiments.
Fig. 16 illustrates the architecture of such an electronic device. For example, device 1600 may be a mobile phone, computer, digital broadcast terminal, messaging device, game console, tablet device, medical device, exercise device, personal digital assistant, aircraft, or the like.
Referring to fig. 16, device 1600 may include one or more of the following components: a processing component 1602, a memory 1604, a power component 1606, a multimedia component 1608, an audio component 1610, an input/output (I/O) interface 1612, a sensor component 1614, and a communication component 1616.
The processing component 1602 generally controls overall operation of the device 1600, such as operations associated with display, telephone call, data communication, camera operation, and recording operations. The processing component 1602 may include one or more processors 1620 to execute instructions to perform all or part of the steps of the methods provided by the disclosed subject matter. In addition, the processing component 1602 may include one or more modules that facilitate interactions between the processing component 1602 and other components. For example, the processing component 1602 may include a multimedia module to facilitate interactions between the multimedia component 1608 and the processing component 1602.
The memory 1604 is configured to store various types of data to support operations at the device 1600. Examples of such data include instructions for any application or method operating on device 1600, contact data, phonebook data, messages, pictures, video, and the like. The memory 1604 may be implemented by any type of volatile or nonvolatile memory device or combination of volatile or nonvolatile memory devices such as Static Random Access Memory (SRAM), electrically erasable programmable read-only memory (EEPROM), erasable programmable read-only memory (EPROM), programmable read-only memory (PROM), read-only memory (ROM), magnetic memory, flash memory, magnetic or optical disk.
The power supply component 1606 provides power to the various components of the device 1600. Power supply component 1606 can include a power management system, one or more power supplies, and other components associated with generating, managing, and distributing power for device 1600.
The multimedia component 1608 includes a screen between the device 1600 and the user that provides an output interface. In some embodiments, the screen may include a Liquid Crystal Display (LCD) and a Touch Panel (TP). If the screen includes a touch panel, the screen may be implemented as a touch screen to receive input signals from a user. The touch panel includes one or more touch sensors to sense touches, swipes, and gestures on the touch panel. The touch sensor may sense not only the boundary of a touch or sliding action, but also the duration and pressure associated with the touch or sliding operation. In some embodiments, the multimedia component 1608 includes a front-facing camera and/or a rear-facing camera. The front-facing camera and/or the rear-facing camera may receive external multimedia data when the device 1600 is in an operational mode, such as a capture mode or a video mode. Each front camera and rear camera may be a fixed optical lens system or have focal length and optical zoom capabilities.
The audio component 1610 is configured to output and/or input audio signals. For example, the audio component 1610 includes a Microphone (MIC) configured to receive external audio signals when the device 1600 is in an operational mode, such as a call mode, a recording mode, and a voice recognition mode. The received audio signals may be further stored in the memory 1604 or transmitted via the communication component 1616. In some embodiments, the audio component 1610 further includes a speaker for outputting audio signals.
Input/output (I/O) interface 1612 provides an interface between processing component 1602 and peripheral interface modules, which may be keyboards, click wheels, buttons, etc. These buttons may include, but are not limited to: homepage button, volume button, start button, and lock button.
The sensor assembly 1614 includes one or more sensors for providing status assessment of various aspects of the device 1600. For example, the sensor assembly 1614 may detect an on/off state of the device 1600, a relative positioning of the components, such as a display and keypad of the device 1600, the sensor assembly 1614 may also detect a change in position of the device 1600 or a component of the device 1600, the presence or absence of user contact with the device 1600, an orientation or acceleration/deceleration of the device 1600, and a change in temperature of the device 1600. The sensor assembly 1614 may include a proximity sensor configured to detect the presence of nearby objects without any physical contact. The sensor assembly 1614 may also include a light sensor, such as a CMOS or CCD image sensor, for use in imaging applications. In some embodiments, the sensor assembly 1614 may also include an acceleration sensor, a gyroscopic sensor, a magnetic sensor, a pressure sensor, or a temperature sensor.
The communication component 1616 is configured to facilitate wired or wireless communication between the device 1600 and other devices. The device 1600 may access a wireless network based on a communication standard, such as WiFi, or a mobile communication network such as 2G, 3G, 4G/LTE or 5G. In one exemplary embodiment, the communication component 1616 receives broadcast signals or broadcast-related information from an external broadcast management system via a broadcast channel. In one exemplary embodiment, the communication component 1616 also includes a Near Field Communication (NFC) module to facilitate short-range communication. For example, the NFC module may be implemented based on Radio Frequency Identification (RFID) technology, Infrared Data Association (IrDA) technology, Ultra Wideband (UWB) technology, Bluetooth (BT) technology, and other technologies.
In an exemplary embodiment, device 1600 may be implemented by one or more Application Specific Integrated Circuits (ASICs), Digital Signal Processors (DSPs), Digital Signal Processing Devices (DSPDs), Programmable Logic Devices (PLDs), Field Programmable Gate Arrays (FPGAs), controllers, microcontrollers, microprocessors, or other electronic elements for executing the methods described above.
In an exemplary embodiment, a non-transitory computer-readable storage medium is also provided, such as the memory 1604 that includes instructions executable by the processor 1620 of the device 1600 to perform the methods provided by the disclosed subject matter. For example, the non-transitory computer-readable storage medium may be ROM, Random Access Memory (RAM), CD-ROM, magnetic tape, floppy disk, optical data storage device, etc.
From the above description of the embodiments, it will be apparent to those skilled in the art that the present application may be implemented in software together with a necessary general-purpose hardware platform. Based on such understanding, the technical solution of the present application, in essence or in the part that contributes to the prior art, may be embodied in the form of a software product. That software product may be stored in a storage medium such as a ROM/RAM, a magnetic disk or an optical disk, and includes instructions for causing a computer device (which may be a personal computer, a server, a network device, etc.) to execute the method described in the embodiments, or in some parts of the embodiments, of the present application.
In this specification, each embodiment is described in a progressive manner; identical and similar parts of the embodiments refer to each other, and each embodiment mainly describes its differences from the other embodiments. In particular, since a system embodiment is substantially similar to a method embodiment, its description is relatively brief and refers in part to the description of the method embodiment. The systems and system embodiments described above are merely illustrative: the elements illustrated as separate elements may or may not be physically separate, and the elements shown as units may or may not be physical units; they may be located in one place or distributed over a plurality of network elements. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of the embodiment. Those of ordinary skill in the art will understand and implement the present application without undue burden.
The scheme related to Web authentication provided by the present application has been described above in detail, and specific examples have been used to illustrate the principles and embodiments of the present application; the above examples are only used to help understand the method and core idea of the present application. Modifications made by those of ordinary skill in the art in light of the present teachings also fall within the scope of the present application. In view of the foregoing, this description should not be construed as limiting the application.

Claims (14)

1. A credential registration method for an application program, comprising:
providing, by a client of a first application program, a verifier process with a built-in identity verifier;
receiving a challenge value generated by a server side of the first application program in response to a registration request submitted by a target user; sending the challenge value to the verifier process by invoking a Web authentication interface; generating, by the identity verifier, credential information associated with the target user under the first application program; storing the private key in the credential information locally; and signing the challenge value with the private key; and
sending the public key in the credential information and the signed challenge value obtained by the signing to the server side.
2. The method of claim 1, wherein sending the challenge value to the verifier process by invoking the Web authentication interface comprises:
when the verifier process detects that the client invokes the Web authentication interface, establishing a connection with the Web authentication interface to obtain the challenge value submitted to the Web authentication interface by the client.
3. The method according to claim 1 or 2, further comprising:
when the number of users who have performed credential registration for the first application program does not exceed a preset number, sending the registration request submitted by the target user to the server side, so that the challenge value is generated by the server side.
4. A login authentication method for an application program, comprising:
providing, by a client of a first application program, a verifier process with a built-in identity verifier;
receiving a challenge value generated by a server side of the first application program in response to a login request submitted by a target user; sending the challenge value to the verifier process by invoking a Web authentication interface; obtaining, by the identity verifier, the private key in credential information associated with the target user under the first application program; and signing the challenge value with the private key; wherein the credential information was generated by the client in response to a registration request submitted by the target user, and the public key in the credential information was sent to the server side for storage; and
sending the signed challenge value produced by the identity verifier's signing to the server side.
5. A service component providing method, comprising:
providing a service component for credential registration, wherein the service component provides a verifier process with a built-in identity verifier, and after the service component is deployed on a client of a first application program, the following processing is executed:
receiving a challenge value generated by a server side of the first application program in response to a registration request submitted by a target user; sending the challenge value to the verifier process by invoking a Web authentication interface; generating, by the identity verifier, credential information associated with the target user under the first application program; storing the private key in the credential information locally; and signing the challenge value with the private key; and
sending the public key in the credential information and the signed challenge value obtained by the signing to the server side.
6. A service component providing method, comprising:
providing a service component for login authentication, wherein the service component provides a verifier process with a built-in identity verifier, and after the service component is deployed on a client of a first application program, the following processing is executed:
receiving a challenge value generated by a server side of the first application program in response to a login request submitted by a target user; sending the challenge value to the verifier process by invoking a Web authentication interface; obtaining, by the identity verifier, the private key in credential information associated with the target user under the first application program; and signing the challenge value with the private key; wherein the credential information was generated by a service component for credential registration deployed on the client in response to a registration request submitted by the target user, and the public key in the credential information was sent to the server side for storage; and
sending the signed challenge value produced by the identity verifier's signing to the server side.
7. A Web authentication interface implementation method, comprising:
hooking the interface-layer implementation of the Web authentication interface onto the underlying implementation of the service component, such that when the service component detects that the interface layer has accepted a call, the service component obtains the challenge value submitted to the Web authentication interface and starts the identity verifier built into the service component to perform credential registration or login authentication.
8. A credential registration method for local area network login, comprising:
providing, by a client of an application program that implements local area network login, a verifier process with a built-in identity verifier;
when it is determined that the terminal device associated with the application program has registered biometric information of a target user, starting the identity verifier through the verifier process to perform credential registration, and obtaining credential information associated with the target user under the application program.
9. A local area network login method, comprising:
providing, by a client of an application program that implements local area network login, a verifier process with a built-in identity verifier;
acquiring biometric information of a user requesting local area network login, and comparing it with the biometric information of a target user registered on the terminal device associated with the application program; and
when the biometric information is confirmed to pass verification, starting the identity verifier through the verifier process to perform login authentication, and accessing the local area network when the login authentication passes.
10. A configuration method for credential sharing, comprising:
acquiring at least two application programs having a binding relationship, wherein the at least two application programs are installed on a terminal device associated with a target user; and
configuring, for the service components deployed in the at least two application programs, the same shared identity verifier, wherein the shared identity verifier is built into the verifier process provided by the service components, and when the verifier process obtains a challenge value submitted to a Web authentication interface, the shared identity verifier is started to perform credential registration or login authentication.
11. A credential registration method, comprising:
determining a first application program from at least two application programs associated with a target user and having a binding relationship, wherein the clients of the at least two application programs each provide a first verifier process with the same built-in shared identity verifier; and
starting the shared identity verifier through the first verifier process provided by the client of the first application program to perform credential registration, and obtaining shared credential information associated with the target user under the at least two application programs, wherein the shared credential information comprises a shared public key and a shared private key.
12. A login authentication method, comprising:
providing, by a client of a second application program, a first verifier process with a built-in shared identity verifier, wherein the second application program belongs to at least two application programs associated with a target user and having a binding relationship, and the first verifier processes respectively provided by the clients of the at least two application programs have the same built-in shared identity verifier; and
starting the shared identity verifier through the first verifier process provided by the client of the second application program, obtaining the shared private key in shared credential information associated with the target user under the at least two application programs, and performing login authentication, wherein the shared credential information was generated by the client of a first application program among the at least two application programs.
13. The method of claim 12, wherein the client of the second application program further provides a second verifier process with a built-in private identity verifier, the method further comprising:
providing the shared identity verifier and the private identity verifier as options to the target user; and
when it is determined that the shared identity verifier is selected to perform login authentication for the target user, starting the shared identity verifier through the first verifier process.
14. An electronic device, comprising:
one or more processors; and
a memory associated with the one or more processors, for storing program instructions which, when read and executed by the one or more processors, perform the steps of the method of any one of claims 1 to 13.
Priority Applications (1)

Application Number: CN202310602039.XA
Publication: CN116800477A (en)
Priority Date: 2023-05-23
Filing Date: 2023-05-23
Title: Certificate registration and login authentication method of application program and electronic equipment
Status: Pending
Publications (1)

Publication Number Publication Date
CN116800477A true CN116800477A (en) 2023-09-22

Family

ID=88039361
Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination