CN116910723A

CN116910723A - Security authentication method, security authentication device, client, device, and storage medium

Info

Publication number: CN116910723A
Application number: CN202310908552.1A
Authority: CN
Inventors: 张帆; 胥亚锋
Original assignee: Industrial and Commercial Bank of China Ltd ICBC
Current assignee: Industrial and Commercial Bank of China Ltd ICBC
Priority date: 2023-07-24
Filing date: 2023-07-24
Publication date: 2023-10-20

Abstract

The disclosure provides a security authentication method, a security authentication device, a client, equipment and a storage medium, which can be applied to the technical fields of Internet and finance. The method comprises the following steps: the method comprises the steps of responding to an identity authentication request sent by a client to obtain basic information of a user, wherein the basic information comprises a plurality of transaction information and a plurality of scene information, and the identity authentication request is generated in response to the transaction operation of the user; determining a first authentication mode list of transaction operation according to weights corresponding to different basic information, wherein the first authentication mode list comprises identity authentication modes with different priorities; and transmitting the first authentication mode list to the client under the condition that the same authentication mode does not exist between the first authentication mode list and the second authentication mode list, so that the user can perform identity authentication on the client, wherein the second authentication mode list is generated according to a plurality of historical user preference modes of the user in a transaction scene corresponding to transaction operation.

Description

Security authentication method, security authentication device, client, device, and storage medium

Technical Field

The present disclosure relates to the field of the internet, and in particular, to a security authentication method, a security authentication apparatus, a client, a device, a storage medium, and a program product.

Background

In recent years, with popularization and application of various types of mobile terminal software, user registration and identity authentication have become widely demanded identity authentication modes of various software.

For example, authentication using a user name and a password is one of the most common authentication methods, for example, a user name and a password character are read, and compared with a pre-stored user name and password when a user is registered in a database by an encryption method, and if the user name and the password are completely consistent, the authentication is passed.

However, in the related art, the identity authentication mode displayed to the user by the client is usually set, and a mode which is suitable for the current payment environment and has higher security cannot be displayed to the user according to the specific situation of the current transaction of the user, so that flexibility is poor, and hidden danger may be brought to the fund security of the user.

Disclosure of Invention

In view of the above, the present disclosure provides a security authentication method, a security authentication apparatus, a client, a device, a storage medium, and a program product.

According to a first aspect of the present disclosure, there is provided a security authentication method applied to a server communicatively connected to a client, the method comprising:

Acquiring basic information of a user in response to an identity authentication request sent by the client, wherein the basic information comprises a plurality of transaction information and a plurality of scene information, and the identity authentication request is generated in response to the transaction operation of the user;

determining a first authentication mode list of the transaction operation according to weights corresponding to different basic information, wherein the first authentication mode list comprises identity authentication modes with different priorities;

and transmitting the first authentication mode list to the client so as to enable the user to perform identity authentication on the client when the same authentication mode does not exist between the first authentication mode list and a second authentication mode list, wherein the second authentication mode list is generated according to a plurality of historical user preference modes of the user in a transaction scene corresponding to the transaction operation.

According to an embodiment of the present disclosure, the transaction information includes a transaction type, a transaction amount, and a collection account, and the scenario information includes geographical location information;

wherein determining the first authentication mode list of the transaction operation according to weights corresponding to different basic information comprises:

Generating a transaction risk index according to the transaction type weight, the transaction amount weight, the collection account weight and the geographic position weight, wherein different transaction types correspond to different transaction type weights, transaction amounts occupy different proportions of user assets and correspond to different transaction amount weights, different risk levels of the collection account correspond to different collection account weights, and different deviation degrees of the geographic position and the historical geographic position correspond to different geographic position weights;

determining a transaction risk level of the transaction operation according to the transaction risk index;

and generating a first list under the condition that the transaction risk classification is a first classification, wherein the first list comprises a security device authentication mode and a biological authentication mode which are ordered according to the priority, and the first authentication mode list comprises the first list.

According to an embodiment of the present disclosure, the security authentication method further includes:

and generating a second list under the condition that the transaction risk sharing level is a second level, wherein the second list comprises a biological authentication mode, a verification code verification mode and a password verification mode which are ordered according to the priority, and the first authentication mode list comprises the second list.

and generating a third list under the condition that the transaction risk sharing level is a third level, wherein the third list comprises verification code verification modes and password verification modes which are ordered according to priorities, and the first authentication mode list comprises the third list.

According to an embodiment of the present disclosure, the transaction information further includes a transaction frequency, and the scenario information further includes device information, time information, and installation software information of the client;

the transaction risk index is generated according to the transaction type weight, the transaction amount weight, the collection account weight, the geographic position weight, the weight of the transaction frequency, the equipment weight, the time weight and the installation software weight, wherein the weight of the transaction frequency is determined according to the transaction frequency in a first time period where the transaction operation is performed and the transaction frequency in a historical time period, the equipment weight is determined according to the client and the historical equipment used in the historical time period, the time weight is determined according to the time information of the transaction operation and the time of identity authentication in the historical time period, and the installation software weight is determined according to the security level of the installation software information in the client.

According to an embodiment of the present disclosure, the second authentication method list is generated by:

acquiring a plurality of historical identity authentication modes for the user to perform identity authentication in the transaction scene in a historical time period;

and ordering the plurality of historical identity authentication modes based on a preset ordering rule to obtain the second authentication mode list.

and transmitting the same authentication mode to the client under the condition that the same authentication mode exists between the first authentication mode list and the second authentication mode list, so that the user performs identity authentication on the client.

According to a second aspect of the present disclosure, there is provided a security authentication method applied to a client communicatively connected to a server, the method comprising:

transmitting an identity authentication request to the server in response to an identity authentication operation of a user, so that the server generates a first authentication mode list, wherein the first authentication mode list is determined by the server according to weights corresponding to different basic information and is transmitted under the condition that the same authentication mode does not exist between the first authentication mode list and a second authentication mode list, and the basic information comprises a plurality of transaction information and a plurality of scene information;

And displaying the first authentication mode list to the user so as to enable the user to carry out identity authentication.

According to an embodiment of the present disclosure, displaying the first authentication manner list to the user to enable the user to perform identity authentication includes:

displaying the identity authentication mode with the highest priority in the first authentication mode list to the user so that the user performs identity authentication through the identity authentication mode with the highest priority;

and under the condition that the user inputs the operation of changing the authentication mode on the client, displaying the authentication modes with other priorities in the first authentication mode list to the user so that the user can perform identity authentication through the authentication modes with other priorities.

According to a third aspect of the present disclosure, there is provided a security authentication apparatus applied to a server communicatively connected to a client, the apparatus comprising:

the system comprises an acquisition module, a user identification module and a user identification module, wherein the acquisition module is used for responding to an identity authentication request sent by the client and acquiring basic information of a user, the basic information comprises a plurality of transaction information and a plurality of scene information, and the identity authentication request is generated in response to the transaction operation of the user;

The determining module is used for determining a first authentication mode list of the transaction operation according to weights corresponding to different basic information, wherein the first authentication mode list comprises identity authentication modes with different priorities;

and the transmission module is used for transmitting the first authentication mode list to the client so as to enable the user to carry out identity authentication on the client under the condition that the same authentication mode does not exist between the first authentication mode list and the second authentication mode list, wherein the second authentication mode list is generated according to a plurality of historical user preference modes of the user in a transaction scene corresponding to the transaction operation.

According to a fourth aspect of the present disclosure, there is provided a client, comprising:

the sending module is used for responding to the identity authentication operation of the user and sending an identity authentication request to the server so that the server generates a first authentication mode list, wherein the first authentication mode list is determined by the server according to weights corresponding to different basic information and is sent under the condition that the same authentication mode does not exist between the first authentication mode list and the second authentication mode list, and the basic information comprises a plurality of transaction information and a plurality of scene information;

And the display module is used for displaying the first authentication mode list to the user so as to enable the user to carry out identity authentication.

A fifth aspect of the present disclosure provides an electronic device, comprising: one or more processors; and a memory for storing one or more programs, wherein the one or more programs, when executed by the one or more processors, cause the one or more processors to perform the method described above.

A sixth aspect of the present disclosure also provides a computer readable storage medium having stored thereon executable instructions which, when executed by a processor, cause the processor to perform the above-described method.

A seventh aspect of the present disclosure also provides a computer program product comprising a computer program which, when executed by a processor, implements the above method.

According to the embodiment of the disclosure, a first authentication mode list is generated through transaction information, scene information and weights of the user, and security authentication is performed by using a mode in the first list in combination with a second authentication mode list of historical user preference of the user under the scene when the same authentication mode does not exist in the first authentication mode list and the second authentication mode list. The first authentication mode list of the current transaction operation is combined with the second authentication mode list with the history preference, so that a safe authentication mode can be provided for the user, and potential safety hazards brought to property of the user when the user performs the transaction with risks due to the fact that the user performs authentication by using a conventional authentication mode are avoided.

Drawings

The foregoing and other objects, features and advantages of the disclosure will be more apparent from the following description of embodiments of the disclosure with reference to the accompanying drawings, in which:

fig. 1 schematically illustrates an application scenario diagram of a security authentication method according to an embodiment of the present disclosure;

fig. 2 schematically illustrates a flow chart of a security authentication method according to an embodiment of the present disclosure;

FIG. 3 schematically illustrates a flow chart of a first authentication manner list of determining a transaction operation according to an embodiment of the present disclosure;

FIG. 4 schematically illustrates a flow chart of a first authentication manner list of determining a transaction operation according to an embodiment of the present disclosure;

fig. 5 schematically illustrates a block diagram of a security authentication device according to an embodiment of the present disclosure;

FIG. 6 schematically illustrates a block diagram of a client according to an embodiment of the disclosure; and

fig. 7 schematically illustrates a block diagram of an electronic device adapted to implement a security authentication method according to an embodiment of the present disclosure.

Detailed Description

Hereinafter, embodiments of the present disclosure will be described with reference to the accompanying drawings. It should be understood that the description is only exemplary and is not intended to limit the scope of the present disclosure. In the following detailed description, for purposes of explanation, numerous specific details are set forth in order to provide a thorough understanding of the embodiments of the present disclosure. It may be evident, however, that one or more embodiments may be practiced without these specific details. In addition, in the following description, descriptions of well-known structures and techniques are omitted so as not to unnecessarily obscure the concepts of the present disclosure.

The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the disclosure. The terms "comprises," "comprising," and/or the like, as used herein, specify the presence of stated features, steps, operations, and/or components, but do not preclude the presence or addition of one or more other features, steps, operations, or components.

All terms (including technical and scientific terms) used herein have the same meaning as commonly understood by one of ordinary skill in the art unless otherwise defined. It should be noted that the terms used herein should be construed to have meanings consistent with the context of the present specification and should not be construed in an idealized or overly formal manner.

Where expressions like at least one of "A, B and C, etc. are used, the expressions should generally be interpreted in accordance with the meaning as commonly understood by those skilled in the art (e.g.," a system having at least one of A, B and C "shall include, but not be limited to, a system having a alone, B alone, C alone, a and B together, a and C together, B and C together, and/or A, B, C together, etc.).

In the technical scheme of the disclosure, the related data (such as including but not limited to personal information of a user) are collected, stored, used, processed, transmitted, provided, disclosed, applied and the like, all conform to the regulations of related laws and regulations, necessary security measures are adopted, and the public welcome is not violated.

The embodiment of the disclosure provides a security authentication method, a security authentication device, a client, equipment and a storage medium. The method comprises the following steps: the method comprises the steps of responding to an identity authentication request sent by a client to obtain basic information of a user, wherein the basic information comprises a plurality of transaction information and a plurality of scene information, and the identity authentication request is generated in response to the transaction operation of the user; determining a first authentication mode list of transaction operation according to weights corresponding to different basic information, wherein the first authentication mode list comprises identity authentication modes with different priorities; and transmitting the first authentication mode list to the client under the condition that the same authentication mode does not exist between the first authentication mode list and the second authentication mode list, so that the user can perform identity authentication on the client, wherein the second authentication mode list is generated according to a plurality of historical user preference modes of the user in a transaction scene corresponding to transaction operation.

Fig. 1 schematically illustrates an application scenario diagram of a security authentication method according to an embodiment of the present disclosure.

As shown in fig. 1, the application scenario 100 according to this embodiment may include a transfer operation of a user. The network 104 is a medium used to provide a communication link between the first terminal device 101, the second terminal device 102, the third terminal device 103, and the server 105. The network 104 may include various connection types, such as wired, wireless communication links, or fiber optic cables, among others.

The user may interact with the server 105 through the network 104 using at least one of the first terminal device 101, the second terminal device 102, the third terminal device 103, to receive or send messages, etc. Various communication client applications, such as a shopping class application, a web browser application, a search class application, an instant messaging tool, a mailbox client, social platform software, etc. (by way of example only) may be installed on the first terminal device 101, the second terminal device 102, and the third terminal device 103.

The first terminal device 101, the second terminal device 102, the third terminal device 103 may be various electronic devices having a display screen and supporting web browsing, including but not limited to smartphones, tablets, laptop and desktop computers, and the like.

The server 105 may be a server providing various services, such as a background management server (by way of example only) providing support for websites browsed by the user using the first terminal device 101, the second terminal device 102, and the third terminal device 103. The background management server may analyze and process the received data such as the user request, and feed back the processing result (e.g., the web page, information, or data obtained or generated according to the user request) to the terminal device.

It should be noted that, the security authentication method provided by the embodiments of the present disclosure may be generally performed by the server 105. Accordingly, the security authentication device provided by the embodiments of the present disclosure may be generally provided in the server 105. The security authentication method provided by the embodiments of the present disclosure may also be performed by a server or a server cluster that is different from the server 105 and is capable of communicating with the first terminal device 101, the second terminal device 102, the third terminal device 103, and/or the server 105. Accordingly, the security authentication apparatus provided by the embodiments of the present disclosure may also be provided in a server or a server cluster that is different from the server 105 and is capable of communicating with the first terminal device 101, the second terminal device 102, the third terminal device 103, and/or the server 105.

It should be understood that the number of terminal devices, networks and servers in fig. 1 is merely illustrative. There may be any number of terminal devices, networks, and servers, as desired for implementation.

The security authentication method of the disclosed embodiment will be described in detail below with reference to fig. 2 to 4 based on the scenario described in fig. 1.

Fig. 2 schematically illustrates a flow chart of a security authentication method according to an embodiment of the present disclosure.

As shown in fig. 2, the security authentication method of this embodiment is applied to a server communicatively connected to a client, and includes operations S210 to S230.

In operation S210, basic information of a user is acquired in response to an authentication request transmitted from a client, wherein the basic information includes a plurality of transaction information and a plurality of scenario information, and the authentication request is generated in response to a transaction operation of the user.

In operation S220, a first authentication mode list of the transaction operation is determined according to the weights corresponding to the different basic information, where the first authentication mode list includes identity authentication modes with different priorities.

In operation S230, if the same authentication method does not exist between the first authentication method list and the second authentication method list, the first authentication method list is transmitted to the client, so that the user performs identity authentication on the client, where the second authentication method list is generated according to a plurality of historical user preference methods of the user in a transaction scenario corresponding to the transaction operation.

According to embodiments of the present disclosure, the authentication request may be generated according to an authentication operation or a transaction operation input by a user on a client.

According to the embodiment of the disclosure, the identity authentication modes with different priorities may refer to a security device authentication mode with a first priority, a biometric authentication mode with a second priority, a verification code verification mode with a third priority, and a password verification mode with a fourth priority, where the security device may refer to an electronic encryptor, a U-shield, and the like. The biometric authentication method may refer to face recognition, fingerprint recognition, and the like. The authentication code may be a mobile phone authentication code or mailbox authentication code sent by a financial institution to a user's mobile phone or mailbox, etc. The password authentication method may refer to at least one of fixed login password authentication, transaction password, and the like.

According to embodiments of the present disclosure, transaction information may refer to an amount of money during a transaction, a payee account, and user personal information, such as account balance, liability information, and the like. The scene information may refer to device information of the client, geographical locations where transaction operations are performed, and the like, and the device information may refer to device numbers, IP addresses, MAC information, device models, software lists installed in the devices, and the like.

According to an embodiment of the present disclosure, the preference mode may refer to an identity authentication mode that is commonly used by a user in a certain scenario in a period of time, for example, a fingerprint identification mode is commonly used to pay when a user eats in the past month, where the commonly used mode refers to an identity authentication mode with a ratio exceeding a preset ratio (e.g., 80%).

According to the embodiment of the disclosure, when a user needs to pay, firstly, the user inputs a payment operation on a client, at this time, the client generates an identity authentication request and sends the identity authentication request to a server, and the server responds to the identity authentication request to acquire basic information related to the user from a database. For each basic information, a corresponding weight is set specifically according to the actual situation, for example, for the transaction amount, the amount can be divided into sections, if the amount is located in a certain section, the weight corresponding to the section is used for calculation, and for the collection account belonging to a certain risk sharing level, the weight corresponding to the risk sharing level can be used for calculation.

According to the embodiment of the disclosure, the risk index of the current transaction operation can be obtained according to the weights corresponding to the various basic information, and the corresponding first authentication list is determined and selected based on the risk index. And simultaneously acquiring a user authentication mode, namely a historical user preference mode, of the user which is the same as the scene information in the historical time period, so as to generate a corresponding second authentication mode list.

According to the embodiment of the disclosure, by comparing the first authentication mode list with the second authentication mode list, if the same authentication mode does not exist between the first authentication mode list and the second authentication mode list, the first authentication mode list is sent to the client so that the client displays the authentication modes in the first authentication mode list, the user can finish authentication of the identity through the authentication modes, and the transaction operation can be finished after the authentication passes.

It should be noted that, the security authentication method of the present disclosure is not only suitable for operations such as transfer and payment, but also suitable for service inquiry, for example, the user performs balance inquiry on the client, and at this time, authentication of the user identity can also be achieved by the method of the present disclosure.

According to an embodiment of the present disclosure, the transaction information includes a transaction type, a transaction amount, and a collection account, and the scenario information includes geographic location information.

Fig. 3 schematically illustrates a flow chart of a first authentication manner list of determining a transaction operation according to an embodiment of the present disclosure.

As shown in fig. 3, the first authentication method list of the transaction operation is determined according to the weights corresponding to the different basic information, including operations S310 to S330.

In operation S310, a transaction risk index is generated according to the transaction type weight, the transaction amount weight, the collection account weight, and the geographic location weight, wherein different transaction types correspond to different transaction type weights, different proportions of transaction amounts in user assets correspond to different transaction amount weights, different risk levels of the collection account correspond to different collection account weights, and different deviations of the geographic location from the historical geographic location correspond to different geographic location weights.

In operation S320, a transaction risk level of the transaction operation is determined according to the transaction risk index.

In operation S330, in the case where the transaction risk score is the first score, a first list is generated, wherein the first list includes a security device authentication method and a biometric authentication method ordered by priority, and the first authentication method list includes the first list.

According to embodiments of the present disclosure, transaction types may refer to eating and drinking play consumption, commodity purchase, inquiring balance/receipt, transferring accounts, etc. in daily life. The transaction amount weight may be distinguished according to the interval in which the amount is located, so that each interval corresponds to a preset transaction amount weight, for example, when the transaction amount is 4500, the transaction amount may be located in (4000, 5000), the weight corresponding to the interval may be 0.4, or the interval may also correspond to an interval in which the amount of the transaction is located according to the ratio of the amount of the transaction to the user's assets, for example, when the transaction amount is 4500, the user's assets sum up to 10000, the ratio is 0.45, the transaction amount may be located in (0.4, 0.5), and the weight corresponding to the interval may be 0.4.

According to embodiments of the present disclosure, the collection account weight refers to a corresponding high (medium or low) risk weight as the collection account weight of the collection account if the collection account is a high (medium or low) risk account. The degree of deviation of the geographic location is determined based on the degree of difference in location between the geographic location at the time of the current transaction operation and the average geographic location at the time of the historical transaction operation.

According to the embodiment of the disclosure, the transaction type weight, the transaction amount weight, the collection account weight and the geographic position weight in the transaction operation are calculated according to a preset calculation rule, so as to obtain a transaction risk index, wherein the preset calculation rule can be direct summation or weighted summation. The risk index of the transaction is determined according to the risk index interval in which the risk index of the transaction is located, for example, the calculated risk index of the transaction is 1.5, and the risk index interval is located in the risk index interval (1.2,2), and the risk index interval belongs to a high risk grade, so that the transaction operation can be determined to be a first high risk grade, and a first list corresponding to the first grade can be sent to the client side at this time.

According to the embodiments of the present disclosure, the foregoing examples are merely illustrative, and specific risk index intervals, transaction amount intervals, duty ratio intervals, and the like may be adjusted according to actual situations.

According to the embodiment of the disclosure, the first list corresponding to the transaction risk sharing level is determined by judging the transaction risk sharing level of the current transaction operation, so that the security risk caused by using a security code verification mode and a password verification mode with lower security to carry out identity verification under the condition of high risk level can be avoided.

As shown in fig. 3, the security authentication method further includes an operation 340.

In operation 340, in the event that the transaction risk score is a second score, a second list is generated, wherein the second list includes a biometric authentication method, a verification code verification method, and a password verification method ordered by priority, and the first authentication method list includes the second list.

According to embodiments of the present disclosure, the second level may refer to a risk level, the second list including a second-priority biometric authentication mode, a third-priority verification code verification mode, and so on.

According to the embodiment of the disclosure, if the calculated transaction risk index belongs to the transaction risk level of the second level, a corresponding second list may be generated according to the biometric authentication method, the verification code verification method, and the like, so as to send the second list to the client.

According to the embodiment of the disclosure, whether the transaction operation belongs to the second level is determined through the transaction risk index, so that the corresponding second list is generated, the problem of complex identity authentication flow for the user caused by using a security equipment authentication mode can be avoided, and the use experience of the user is improved.

As shown in fig. 3, the security authentication method further includes an operation 350.

And under the condition that the transaction risk sharing level is a third level, generating a third list, wherein the third list comprises verification code verification modes and password verification modes which are ordered according to the priority, and the first authentication mode list comprises the third list.

According to an embodiment of the present disclosure, the third level may refer to a low risk level, and the third list includes a verification code verification manner of the third priority, a password verification manner of the fourth priority, and so on.

According to the embodiment of the disclosure, if the calculated transaction risk index belongs to the transaction risk level of the third level, a corresponding third list may be generated according to the verification code verification mode, the password verification mode, and the like, so as to send the third list to the client.

According to the embodiment of the disclosure, whether the transaction operation belongs to the third level is determined through the transaction risk index, so that a corresponding third list is generated, the user can quickly complete the transaction when performing the transaction operation with low risk, and the use experience of the user is improved.

the transaction risk index is generated according to transaction type weight, transaction amount weight, collection account weight, geographic position weight, weight of transaction frequency, equipment weight, time weight and installation software weight, wherein the weight of the transaction frequency is determined according to the transaction frequency in a first time period where transaction operation is located and the transaction frequency in a historical time period, the equipment weight is determined according to a client and historical equipment used in the historical time period, the time weight is determined according to time information of the transaction operation and time for identity authentication in the historical time period, and the installation software weight is determined according to the security level of installation software information in the client.

According to the embodiment of the disclosure, the transaction frequency may refer to the frequency of the transaction operation performed by the user in the current time period, for example, when the user performs the transaction on 28 days of the month, 112 transactions are performed in total in the month, and the interval where the transaction number is located and the weight corresponding to the transaction number interval are determined, so that the weight is taken as the weight of the transaction frequency.

According to an embodiment of the present disclosure, the device weight may refer to whether a device used in performing a current transaction operation is a device commonly used by the user, if so, a value with a smaller weight is used as the device weight of the current transaction operation, and if not, a value with a larger weight is used as the device weight of the current transaction operation.

According to the embodiment of the disclosure, the time weight may refer to whether the time when the transaction operation is performed is within a time period in which the user frequently performs the transaction in a historical time period, or may be whether the current transaction time belongs to a special time (such as a holiday, a promotion time, etc.), if so, a value with a smaller weight value is used as the time weight of the transaction operation, and if not, a value with a larger weight value is used as the time weight of the transaction operation.

According to an embodiment of the present disclosure, the installation software weight may refer to whether the client has software with a security level of risk and the number of risk software installed therein, if no risk software is installed therein, a value with a smaller weight value (e.g., 0) is used as the installation software weight of the transaction operation, if the client has risk software with a smaller weight value than a first threshold range installed therein, a value with a moderate weight value (e.g., 1) is used as the installation software weight of the transaction operation, and if the client has risk software with a larger weight value than the first threshold range installed therein, a value with a larger weight value (e.g., 5) is used as the installation software weight of the transaction operation, where the first threshold range may be set according to practical situations, such as [1, 3).

According to an embodiment of the present disclosure, the second authentication manner list is generated by:

acquiring a plurality of historical identity authentication modes of identity authentication of a user in a transaction scene in a historical time period;

and ordering the plurality of historical identity authentication modes based on a preset ordering rule to obtain a second authentication mode list.

According to embodiments of the present disclosure, the historical time period may be a time period prior to the current transaction time, such as may be the last month or the first n months (or days, weeks, etc.).

According to the embodiment of the disclosure, if the transaction scene is online shopping, a historical identity authentication mode used when the user makes multiple online shopping in a historical time period is obtained. The ordering is performed according to the order of the times from big to small, for example, 10 online purchases are performed in three last months, wherein the number of times of the identity authentication mode of fingerprint identification is 6 times, the number of times of the verification code authentication is 3 times, and the mode of password authentication is 1 time, and at this time, the 'biological authentication mode- & gt the verification code authentication mode- & gt the password authentication mode' can be used as a second authentication mode list.

According to the embodiments of the present disclosure, if the same authentication method exists between the first authentication method list and the second authentication method list, for example, the first authentication method list is "security device authentication method→biometric authentication method", the second authentication method list is "biometric authentication method→verification code verification method→password verification method", at this time, the "biometric authentication method" may be sent to the client, so that the user performs identity authentication on the client.

According to the embodiment of the disclosure, under the condition that the same authentication mode exists between the first authentication mode list and the second authentication mode list, the same authentication mode is transmitted to the client, so that the user can verify in a more convenient mode, and the experience of the user is improved.

Fig. 4 schematically illustrates a flow chart of a first authentication manner list of determining a transaction operation according to an embodiment of the present disclosure.

As shown in fig. 4, the security authentication method of this embodiment is applied to a client communicatively connected to a server, and includes operations S410 to S420.

In operation S410, in response to an identity authentication operation of a user, an identity authentication request is sent to a server, so that the server generates a first authentication mode list, wherein the first authentication mode list is determined by the server according to weights corresponding to different basic information and is sent when the same authentication mode does not exist between the first authentication mode list and the second authentication mode list, and the basic information includes a plurality of transaction information and a plurality of scene information;

In operation S420, a first authentication mode list is presented to the user to enable the user to perform identity authentication.

According to the embodiment of the disclosure, when a user needs to pay, firstly, the user inputs payment operation on a client, at this time, the client generates an identity authentication request and sends the identity authentication request to a server, the server generates a first authentication mode list through basic information of the user, meanwhile, the first authentication mode list is compared and analyzed with a second authentication mode list generated based on a plurality of historical user preference modes of the user under a transaction scene corresponding to the transaction operation, and if the two authentication modes do not exist, the server sends the first authentication mode list, so that the client displays the identity authentication modes in the first authentication mode list to the user, and the user completes identity authentication through the client.

According to an embodiment of the present disclosure, a first authentication mode list is presented to a user to enable the user to perform identity authentication, including:

under the condition that a user inputs an operation of changing the authentication mode on the client, the authentication modes of other priorities in the first authentication mode list are displayed to the user, so that the user performs identity authentication through the authentication modes of other priorities.

According to the embodiment of the disclosure, when the client side displays the identity authentication mode, firstly displaying the identity authentication mode with the highest priority in the first authentication mode list, and at this time, the user can perform identity authentication through the identity authentication mode with the highest priority.

According to the embodiments of the present disclosure, for some objective reasons of the client, for example, a security device authentication mode is shown, and since the client does not carry the security device with him, the user may input an operation of changing the authentication mode on the client, at this time, the client may display all the authentication modes in the first authentication mode list for the user to select, for example, a second-priority biometric authentication mode and a third-priority verification code verification mode, and if the user clicks the biometric authentication mode, the client may display the biometric authentication mode for the user to complete the authentication.

The identity authentication method according to the present disclosure is merely illustrative, and other methods such as a character password, a gesture password, and the like are also possible.

Based on the security authentication method, the disclosure further provides a security authentication device. The device will be described in detail below in connection with fig. 5 and 6.

Fig. 5 schematically shows a block diagram of a security authentication device according to an embodiment of the present disclosure.

As shown in fig. 5, the security authentication device 500 of this embodiment is applied to a server communicatively connected to a client, and the security authentication device 500 includes an acquisition module 510, a determination module 520, and a transmission module 530.

The obtaining module 510 is configured to obtain, in response to an identity authentication request sent by the client, basic information of a user, where the basic information includes a plurality of transaction information and a plurality of scenario information, and the identity authentication request is generated in response to a transaction operation of the user.

The determining module 520 is configured to determine a first authentication mode list of the transaction operation according to weights corresponding to different basic information, where the first authentication mode list includes identity authentication modes with different priorities.

And the transmission module 530 is configured to transmit the first authentication mode list to the client so that the user performs identity authentication on the client when the same authentication mode does not exist between the first authentication mode list and the second authentication mode list, where the second authentication mode list is generated according to a plurality of historical user preference modes of the user in a transaction scenario corresponding to the transaction operation.

According to an embodiment of the present disclosure, the transaction information includes a transaction type, a transaction amount, and a collection account, and the scenario information includes geographic location information;

according to an embodiment of the present disclosure, the determining module 520 includes a first generating unit, a determining unit, and a second generating unit.

The first generation unit is used for generating a transaction risk index according to the transaction type weight, the transaction amount weight, the collection account weight and the geographic position weight, wherein different transaction types correspond to different transaction type weights, different proportions of transaction amounts occupying user assets correspond to different transaction amount weights, different risk grades of the collection account correspond to different collection account weights, and different deviation degrees of the geographic position and the historical geographic position correspond to different geographic position weights.

And the determining unit is used for determining the transaction risk level of the transaction operation according to the transaction risk index.

The second generation unit is used for generating a first list under the condition that the transaction risk sharing level is a first level, wherein the first list comprises a security device authentication mode and a biological authentication mode which are ordered according to the priority, and the first authentication mode list comprises the first list.

According to an embodiment of the present disclosure, the determining module 520 further comprises a third generating unit.

And the third generating unit is used for generating a second list under the condition that the transaction risk sharing level is a second level, wherein the second list comprises a biological authentication mode, a verification code verification mode and a password verification mode which are ordered according to the priority, and the first authentication mode list comprises the second list.

According to an embodiment of the present disclosure, the determining module 520 further comprises a fourth generating unit.

And the fourth generation unit is used for generating a third list under the condition that the transaction risk sharing level is a third level, wherein the third list comprises verification code verification modes and password verification modes which are ordered according to the priority, and the first authentication mode list comprises the third list.

According to an embodiment of the present disclosure, the transaction information further includes a transaction frequency, and the scenario information further includes device information, time information, and installation software information of the client.

According to an embodiment of the present disclosure, the transaction risk index is generated according to a transaction type weight, a transaction amount weight, a collection account weight, a geographical location weight, a weight of a transaction frequency, a device weight, a time weight, and an installation software weight, wherein the weight of the transaction frequency is determined according to the transaction frequency in a first period of time in which a transaction operation is performed and the transaction frequency in a history period of time, the device weight is determined according to a client and a history device used in the history period of time, the time weight is determined according to time information of the transaction operation and time for identity authentication in the history period of time, and the installation software weight is determined according to a security level of installation software information in the client.

According to an embodiment of the present disclosure, the second authentication manner list is generated by the first acquisition unit, the sorting unit.

The first acquisition unit is used for acquiring a plurality of historical identity authentication modes of the user for identity authentication in a transaction scene in a historical time period.

The ordering unit is used for ordering the plurality of historical identity authentication modes based on a preset ordering rule to obtain a second authentication mode list.

According to an embodiment of the present disclosure, the security authentication device 500 further includes a second transmission module.

And the second transmission module is used for transmitting the same authentication mode to the client under the condition that the same authentication mode exists between the first authentication mode list and the second authentication mode list, so that the user can perform identity authentication on the client.

Fig. 6 schematically shows a block diagram of a client according to an embodiment of the present disclosure.

As shown in fig. 6, the client 600 of this embodiment includes a sending module 610 and a presentation module 620.

And a sending module 610, configured to send an identity authentication request to the server in response to an identity authentication operation of the user, so that the server generates a first authentication mode list, where the first authentication mode list is determined by the server according to weights corresponding to different basic information, and is sent when the same authentication mode does not exist between the first authentication mode list and the second authentication mode list, and the basic information includes a plurality of transaction information and a plurality of scene information.

And the display module 620 is configured to display the first authentication mode list to the user, so that the user performs identity authentication.

According to an embodiment of the present disclosure, the display module 620 includes a first display unit, a second display unit.

The first display unit is used for displaying the identity authentication mode with the highest priority in the first authentication mode list to the user so that the user can perform identity authentication through the identity authentication mode with the highest priority.

The second display unit is used for displaying the identity authentication modes of other priorities in the first authentication mode list to the user under the condition that the user inputs the operation of changing the authentication modes on the client so that the user can perform identity authentication through the identity authentication modes of other priorities.

According to an embodiment of the present disclosure, any of the acquisition module 510, the determination module 520, the transmission module 530, or the transmission module 610, the presentation module 620 may be combined in one module to be implemented, or any of the modules may be split into a plurality of modules. Alternatively, at least some of the functionality of one or more of the modules may be combined with at least some of the functionality of other modules and implemented in one module. According to embodiments of the present disclosure, at least one of the acquisition module 510, the determination module 520, the transmission module 530, or the transmission module 610, the presentation module 620 may be implemented at least in part as hardware circuitry, such as a Field Programmable Gate Array (FPGA), a Programmable Logic Array (PLA), a system on a chip, a system on a substrate, a system on a package, an Application Specific Integrated Circuit (ASIC), or may be implemented in hardware or firmware in any other reasonable way of integrating or packaging the circuitry, or in any one of or a suitable combination of three of software, hardware, and firmware. Alternatively, at least one of the acquisition module 510, the determination module 520, the transmission module 530, or the transmission module 610, the presentation module 620 may be at least partially implemented as a computer program module, which, when executed, may perform the respective functions.

As shown in fig. 7, an electronic device 700 according to an embodiment of the present disclosure includes a processor 701 that can perform various appropriate actions and processes according to a program stored in a Read Only Memory (ROM) 702 or a program loaded from a storage section 708 into a Random Access Memory (RAM) 703. The processor 701 may include, for example, a general purpose microprocessor (e.g., a CPU), an instruction set processor and/or an associated chipset and/or a special purpose microprocessor (e.g., an Application Specific Integrated Circuit (ASIC)), or the like. The processor 701 may also include on-board memory for caching purposes. The processor 701 may comprise a single processing unit or a plurality of processing units for performing different actions of the method flows according to embodiments of the disclosure.

In the RAM 703, various programs and data necessary for the operation of the electronic apparatus 700 are stored. The processor 701, the ROM 702, and the RAM 703 are connected to each other through a bus 704. The processor 701 performs various operations of the method flow according to the embodiments of the present disclosure by executing programs in the ROM 702 and/or the RAM 703. Note that the program may be stored in one or more memories other than the ROM 702 and the RAM 703. The processor 701 may also perform various operations of the method flow according to embodiments of the present disclosure by executing programs stored in the one or more memories.

According to an embodiment of the present disclosure, the electronic device 700 may further include an input/output (I/O) interface 705, the input/output (I/O) interface 705 also being connected to the bus 704. The electronic device 700 may also include one or more of the following components connected to an input/output (I/O) interface 705: an input section 706 including a keyboard, a mouse, and the like; an output portion 707 including a Cathode Ray Tube (CRT), a Liquid Crystal Display (LCD), and the like, a speaker, and the like; a storage section 708 including a hard disk or the like; and a communication section 709 including a network interface card such as a LAN card, a modem, or the like. The communication section 709 performs communication processing via a network such as the internet. The drive 710 is also connected to an input/output (I/O) interface 705 as needed. A removable medium 711 such as a magnetic disk, an optical disk, a magneto-optical disk, a semiconductor memory, or the like is mounted on the drive 710 as necessary, so that a computer program read therefrom is mounted into the storage section 708 as necessary.

The present disclosure also provides a computer-readable storage medium that may be embodied in the apparatus/device/system described in the above embodiments; or may exist alone without being assembled into the apparatus/device/system. The computer-readable storage medium carries one or more programs which, when executed, implement methods in accordance with embodiments of the present disclosure.

According to embodiments of the present disclosure, the computer-readable storage medium may be a non-volatile computer-readable storage medium, which may include, for example, but is not limited to: a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the context of this disclosure, a computer-readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device. For example, according to embodiments of the present disclosure, the computer-readable storage medium may include ROM 702 and/or RAM 703 and/or one or more memories other than ROM 702 and RAM 703 described above.

Embodiments of the present disclosure also include a computer program product comprising a computer program containing program code for performing the methods shown in the flowcharts. The program code, when executed in a computer system, causes the computer system to implement the item recommendation method provided by embodiments of the present disclosure.

The above-described functions defined in the system/apparatus of the embodiments of the present disclosure are performed when the computer program is executed by the processor 701. The systems, apparatus, modules, units, etc. described above may be implemented by computer program modules according to embodiments of the disclosure.

In one embodiment, the computer program may be based on a tangible storage medium such as an optical storage device, a magnetic storage device, or the like. In another embodiment, the computer program may also be transmitted, distributed over a network medium in the form of signals, downloaded and installed via the communication section 709, and/or installed from the removable medium 711. The computer program may include program code that may be transmitted using any appropriate network medium, including but not limited to: wireless, wired, etc., or any suitable combination of the foregoing.

In such an embodiment, the computer program may be downloaded and installed from a network via the communication portion 709, and/or installed from the removable medium 711. The above-described functions defined in the system of the embodiments of the present disclosure are performed when the computer program is executed by the processor 701. The systems, devices, apparatus, modules, units, etc. described above may be implemented by computer program modules according to embodiments of the disclosure.

According to embodiments of the present disclosure, program code for performing computer programs provided by embodiments of the present disclosure may be written in any combination of one or more programming languages, and in particular, such computer programs may be implemented in high-level procedural and/or object-oriented programming languages, and/or assembly/machine languages. Programming languages include, but are not limited to, such as Java, c++, python, "C" or similar programming languages. The program code may execute entirely on the user's computing device, partly on the user's device, partly on a remote computing device, or entirely on the remote computing device or server. In the case of remote computing devices, the remote computing device may be connected to the user computing device through any kind of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or may be connected to an external computing device (e.g., connected via the Internet using an Internet service provider).

The flowcharts and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present disclosure. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams or flowchart illustration, and combinations of blocks in the block diagrams or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.

Those skilled in the art will appreciate that the features recited in the various embodiments of the disclosure and/or in the claims may be provided in a variety of combinations and/or combinations, even if such combinations or combinations are not explicitly recited in the disclosure. In particular, the features recited in the various embodiments of the present disclosure and/or the claims may be variously combined and/or combined without departing from the spirit and teachings of the present disclosure. All such combinations and/or combinations fall within the scope of the present disclosure.

The embodiments of the present disclosure are described above. However, these examples are for illustrative purposes only and are not intended to limit the scope of the present disclosure. Although the embodiments are described above separately, this does not mean that the measures in the embodiments cannot be used advantageously in combination. The scope of the disclosure is defined by the appended claims and equivalents thereof. Various alternatives and modifications can be made by those skilled in the art without departing from the scope of the disclosure, and such alternatives and modifications are intended to fall within the scope of the disclosure.

Claims

1. A security authentication method applied to a server communicatively connected to a client, the method comprising:

transmitting the first authentication mode list to the client so that the user can perform identity authentication on the client under the condition that the same authentication mode does not exist between the first authentication mode list and the second authentication mode list, wherein the second authentication mode list is generated according to a plurality of historical user preference modes of the user in a transaction scene corresponding to the transaction operation.

2. The method of claim 1, the transaction information comprising a transaction type, a transaction amount, and a collection account, the scenario information comprising geographic location information;

and under the condition that the transaction risk classification is the first classification, generating a first list, wherein the first list comprises a security device authentication mode and a biological authentication mode which are ordered according to the priority, and the first authentication mode list comprises the first list.

3. The method of claim 2, further comprising:

and under the condition that the transaction risk sharing level is a second level, generating a second list, wherein the second list comprises a biological authentication mode, a verification code verification mode and a password verification mode which are ordered according to the priority, and the first authentication mode list comprises the second list.

4. A method according to claim 2 or 3, further comprising:

5. The method of claim 2, wherein the transaction information further comprises a transaction frequency, the scenario information further comprising device information, time information, and installation software information of a client;

The transaction risk index is generated according to the transaction type weight, the transaction amount weight, the collection account weight, the geographic position weight, the weight of the transaction frequency, the equipment weight, the time weight and the installation software weight, wherein the weight of the transaction frequency is determined according to the transaction frequency in a first time period where the transaction operation is located and the transaction frequency in a historical time period, the equipment weight is determined according to historical equipment used in the client and the historical time period, the time weight is determined according to time information of the transaction operation and time for identity authentication in the historical time period, and the installation software weight is determined according to the security level of the installation software information in the client.

6. The method of claim 1, wherein the second authentication manner list is generated by:

acquiring a plurality of historical identity authentication modes of the user for identity authentication in the transaction scene in a historical time period;

7. The method of claim 1, further comprising:

8. A security authentication method applied to a client communicatively connected to a server, the method comprising:

responding to identity authentication operation of a user, sending an identity authentication request to the server so that the server generates a first authentication mode list, wherein the first authentication mode list is determined by the server according to weights corresponding to different basic information and is sent under the condition that the same authentication mode does not exist between the first authentication mode list and a second authentication mode list, and the basic information comprises a plurality of transaction information and a plurality of scene information;

and displaying the first authentication mode list to the user so that the user can perform identity authentication.

9. The method of claim 8, wherein presenting the first authentication manner list to the user to enable the user to authenticate the identity comprises:

and under the condition that the user inputs the operation of changing the authentication mode on the client, displaying the authentication modes of other priorities in the first authentication mode list to the user so that the user performs identity authentication through the authentication modes of other priorities.

10. A security authentication device for use with a server communicatively coupled to a client, the device comprising:

the transmission module is used for transmitting the first authentication mode list to the client so as to enable the user to carry out identity authentication on the client under the condition that the same authentication mode does not exist between the first authentication mode list and the second authentication mode list, wherein the second authentication mode list is generated according to a plurality of historical user preference modes of the user in a transaction scene corresponding to the transaction operation.

11. A client, comprising:

the system comprises a sending module, a server and a receiving module, wherein the sending module is used for responding to the identity authentication operation of a user and sending an identity authentication request to the server so as to enable the server to generate a first authentication mode list, the first authentication mode list is determined by the server according to weights corresponding to different basic information and is sent under the condition that the same authentication mode does not exist between the first authentication mode list and a second authentication mode list, and the basic information comprises a plurality of transaction information and a plurality of scene information;

12. An electronic device, comprising:

one or more processors;

storage means for storing one or more programs,

wherein the one or more programs, when executed by the one or more processors, cause the one or more processors to perform the method of any of claims 1-9.

13. A computer readable storage medium having stored thereon executable instructions which, when executed by a processor, cause the processor to perform the method according to any of claims 1 to 9.

14. A computer program product comprising a computer program which, when executed by a processor, implements the method according to any one of claims 1 to 9.