CN117614726A - Identity authentication method and device - Google Patents


Info

Publication number
CN117614726A
Authority
CN
China
Prior art keywords
user
authentication
information
position information
identity
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202311659863.5A
Other languages
Chinese (zh)
Inventor
杨刚
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
New H3C Security Technologies Co Ltd
Original Assignee
New H3C Security Technologies Co Ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L 63/0272 Virtual private networks
    • H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L 63/0861 Network architectures or network communication protocols for network security for authentication of entities using biometrical features, e.g. fingerprint, retina-scan
    • H04L 63/0884 Network architectures or network communication protocols for network security for authentication of entities by delegation of authentication, e.g. a proxy authenticates an entity to be authenticated on behalf of this entity vis-à-vis an authentication entity
    • H04L 63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L 63/107 Network architectures or network communication protocols for network security for controlling access to devices or network resources wherein the security policies are location-dependent, e.g. entities privileges depend on current location or allowing specific operations only from locally connected terminals
    • H04L 67/00 Network arrangements or protocols for supporting network services or applications
    • H04L 67/50 Network services
    • H04L 67/52 Network services specially adapted for the location of the user terminal
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/40 Network security protocols

Abstract

The application provides an identity authentication method and device in the technical field of communication. When a gateway device implements the method, it receives a first authentication message sent by a user terminal, the first authentication message carrying authentication information of a user; after the user passes authentication based on that authentication information, it sends an identity authentication instruction to the user terminal; it acquires and records a first identity authentication result of the user from the authentication server, the first identity authentication result carrying first position information; it receives a second authentication message sent by the user terminal, the second authentication message carrying second position information; and it authenticates the identity of the user according to the first position information and the second position information. In this way the security of user identity authentication is achieved, the accuracy of the authentication result is improved, and the security of intranet data when an authenticated user accesses the intranet is also improved.

Description

Identity authentication method and device
Technical Field
The present disclosure relates to the field of communications technologies, and in particular, to an identity authentication method and apparatus.
Background
SSL VPN (Secure Sockets Layer Virtual Private Network) is a virtual private network solution based on the SSL protocol. It allows users to access enterprise internal network resources remotely through encrypted channels and ensures the security and integrity of data transmission. Conventional SSL VPN authentication methods typically use a user name and password to verify the user's identity. This traditional authentication mode has security holes: passwords can be cracked, leaked or forged. Some newer verification technologies adopt biometric identification, and although this greatly improves security, under both the traditional authentication mode and the newer biometric technology there remains a risk that an attacker breaks the login by 'phishing' through an illegal connection.
How to securely authenticate the identity of a user who remotely accesses internal resources over an SSL VPN, and thereby ensure the security of intranet data, is therefore a technical problem worth considering.
Disclosure of Invention
In view of this, the present application provides an identity authentication method and apparatus for securely authenticating the identity of a user who accesses an internal resource remotely over an SSL VPN, so as to ensure the security of intranet data.
Specifically, the application is realized by the following technical scheme:
according to a first aspect of the present application, there is provided an identity authentication method applied to a gateway device, the method including:
receiving a first authentication message sent by a user terminal, wherein the first authentication message carries authentication information of a user;
after the user is authenticated based on the authentication information, an identity authentication instruction is sent to the user terminal, wherein the identity authentication instruction is used for instructing an authentication server to acquire user information, biological characteristic information and position information of the mobile terminal of the user, and the user is authenticated according to the user information and the biological characteristic information;
acquiring and recording a first identity authentication result of the user from the authentication server, wherein the first identity authentication result carries first position information, and the first position information is the position information of the mobile terminal carried in the first identity authentication result after the authentication server authenticates the user;
receiving a second authentication message sent by the user terminal, wherein the second authentication message carries second position information, the second position information is the position information of the user terminal and/or the position information of the mobile terminal, and the position information of the mobile terminal in the second authentication message is obtained from a second identity authentication result obtained by the user terminal from the authentication server;
and authenticating the identity of the user according to the first position information and the second position information.
According to a second aspect of the present application, there is provided an identity authentication method applied to a user terminal, the method comprising:
sending a first authentication message to gateway equipment, wherein the first authentication message carries authentication information of a user;
receiving an identity authentication instruction sent by the gateway equipment after the user authentication is passed based on the authentication information, wherein the identity authentication instruction is used for instructing an authentication server to acquire user information, biological characteristic information and position information of a mobile terminal of the user, and authenticating the user according to the user information and the biological characteristic information;
acquiring an identity authentication result of the user from the authentication server, wherein the identity authentication result carries the position information of the mobile terminal;
sending a second authentication message to the gateway equipment so that the gateway equipment authenticates the identity of the user according to the first position information and the second position information;
the first position information is the position information of the mobile terminal, and the position information of the mobile terminal is carried in an identity authentication result sent to the gateway device after the authentication server passes the authentication of the user; the second location information is location information of the user terminal and/or location information of the mobile terminal.
According to a third aspect of the present application, there is provided an identity authentication apparatus provided in a gateway device, the apparatus comprising:
the receiving module is used for receiving a first authentication message sent by the user terminal, wherein the first authentication message carries authentication information of a user;
the first authentication module is used for authenticating the user based on the authentication information;
the sending module is used for sending an identity authentication instruction to the user terminal after the first authentication module authenticates the user based on the authentication information, wherein the identity authentication instruction is used for instructing an authentication server to acquire user information, biological characteristic information and position information of the mobile terminal of the user, and authenticating the user according to the user information and the biological characteristic information;
the acquisition module is used for acquiring and recording a first identity authentication result of the user from the authentication server, wherein the first identity authentication result carries first position information, and the first position information is the position information of the mobile terminal carried in the first identity authentication result after the authentication server authenticates the user;
the receiving module is further configured to receive a second authentication message sent by the user terminal, where the second authentication message carries second location information, where the second location information is location information of the user terminal, and/or location information of the mobile terminal, where the location information of the mobile terminal in the second authentication message is obtained from a second identity authentication result obtained by the user terminal from the authentication server;
and the second authentication module is used for authenticating the identity of the user according to the first position information and the second position information.
According to a fourth aspect of the present application, there is provided an identity authentication device, provided in a user terminal, the device comprising:
the sending module is used for sending a first authentication message to the gateway equipment, wherein the first authentication message carries authentication information of a user;
the receiving module is used for receiving an identity authentication instruction sent by the gateway device after the user is authenticated based on the authentication information, wherein the identity authentication instruction is used for instructing an authentication server to acquire the user information, the biological characteristic information and the position information of the mobile terminal of the user, and for authenticating the user according to the user information and the biological characteristic information;
the acquisition module is used for acquiring an identity authentication result of the user from the authentication server, wherein the identity authentication result carries the position information of the mobile terminal;
the sending module is further configured to send a second authentication message to the gateway device, so that the gateway device authenticates the identity of the user according to the first location information and the second location information;
the first position information is the position information of the mobile terminal, and the position information of the mobile terminal is carried in an identity authentication result sent to the gateway device after the authentication server passes the authentication of the user; the second location information is location information of the user terminal and/or location information of the mobile terminal.
According to a fifth aspect of the present application there is provided an electronic device comprising a processor and a machine-readable storage medium storing a computer program executable by the processor, the processor being caused by the computer program to perform the method provided by the first or second aspect of the embodiments of the present application.
According to a sixth aspect of the present application there is provided a machine-readable storage medium storing a computer program which, when invoked and executed by a processor, causes the processor to perform the method provided in the first or second aspect of the embodiments of the present application.
The beneficial effects of the embodiment of the application are that:
in the identity authentication method and device provided by the embodiments of the application, after obtaining the first authentication message, the gateway device performs a preliminary authentication of the user's identity based on the authentication information in the first authentication message and, once that authentication passes, sends an identity authentication instruction to the user terminal so that the user's identity is authenticated again. That is, an authentication server is introduced: it authenticates the biometric information it collects from the user, and while collecting the biometric information it also acquires the position information of the user's mobile terminal. After the authentication server passes the user's biometric authentication, the gateway device can therefore obtain the user's biometric authentication result, namely a first identity authentication result that carries the position information of the mobile terminal (the first position information). On the other hand, in order to access intranet resources, the user terminal also obtains the user's biometric authentication result from the authentication server, namely a second identity authentication result that carries the position information of the mobile terminal after the biometric authentication has passed, so that the user terminal can initiate a second authentication message carrying second position information and the gateway device can perform a secondary authentication of the user's identity. The gateway device thus performs the secondary authentication according to the first position information and the second position information, so that the security of user identity authentication is achieved, the accuracy of the authentication result is improved, and the security of intranet data when an authenticated user accesses the intranet is also improved.
Drawings
Fig. 1 is a schematic flow chart of an identity authentication method provided in an embodiment of the present application;
Fig. 2 is a flow chart of another message processing method according to an embodiment of the present disclosure;
Fig. 3 is a schematic structural diagram of an identity authentication device according to an embodiment of the present application;
Fig. 4 is a schematic structural diagram of another identity authentication device according to an embodiment of the present application;
Fig. 5 is a schematic hardware structure of an electronic device implementing an identity authentication method according to an embodiment of the present application.
Detailed Description
Reference will now be made in detail to exemplary embodiments, examples of which are illustrated in the accompanying drawings. When the following description refers to the accompanying drawings, the same numbers in different drawings refer to the same or similar elements, unless otherwise indicated. The implementations described in the following exemplary examples are not representative of all implementations consistent with the present application. Rather, they are merely examples of apparatus and methods consistent with aspects as described herein.
The terminology used in the present application is for the purpose of describing particular embodiments only and is not intended to be limiting of the present application. As used in this application, the singular forms "a", "an" and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise. It will also be understood that the term "and/or" as used herein refers to and encompasses any or all possible combinations of one or more of the corresponding listed items.
It should be understood that although the terms first, second, third, etc. may be used herein to describe various information, these information should not be limited by these terms. These terms are only used to distinguish one type of information from another. For example, a first message may also be referred to as a second message, and similarly, a second message may also be referred to as a first message, without departing from the scope of the present application. The word "if" as used herein may be interpreted as "at … …" or "at … …" or "responsive to a determination", depending on the context.
The identity authentication method provided in the present application is described in detail below.
Referring to Fig. 1, which is a flowchart of the identity authentication method provided in the present application, the method may be applied to a gateway device and, when the gateway device implements it, may include the following steps:
S101, receiving a first authentication message sent by a user terminal, wherein the first authentication message carries authentication information of a user.
In this step, when the user wishes to access the intranet, the user must first authenticate to the gateway device; after the authentication passes, the gateway device will forward the user terminal's service messages for accessing services in the intranet. To achieve this, the user sends an authentication message to the gateway device through the user terminal; this message is denoted the first authentication message to distinguish it from subsequent authentications. So that the gateway device can authenticate the user, the user terminal carries the user's authentication information in the first authentication message.
Alternatively, the authentication information may be, but is not limited to, the user's user name and password, where the user name may be, but is not limited to, the user's account.
In addition, the interaction between the user terminal and the gateway device may take place through an SSL VPN tunnel, that is, the user terminal may send the first authentication message to the gateway device through the SSL VPN tunnel, and subsequent interactions between the user terminal and the gateway device may also be based on that tunnel.
S102, after the user is authenticated based on the authentication information, an identity authentication instruction is sent to the user terminal.
The identity authentication instruction is used for instructing an authentication server to acquire user information, biological characteristic information and position information of a mobile terminal of the user, and authenticating the user according to the user information and the biological characteristic information.
In this step, after receiving the first authentication message, the gateway device may extract the authentication information from it and match it against the locally recorded authentication information of the user; when they match, the user's authentication passes. Notably, the authentication information of users allowed to access the intranet is recorded on the gateway device.
On this basis, after the user's authentication has passed, the user is presumed to be a safe user; to further improve the security of the intranet, the gateway device needs to authenticate the user's identity further. In view of this, the present embodiment proposes generating an identity authentication indication for the user and sending it to the user terminal. Because the identity authentication indication can indicate the data to be authenticated that needs to be collected and the communication information of the authentication server that authenticates that data, once the user obtains the identity authentication indication via the user terminal, the user can use their mobile terminal to establish a communication connection with the authentication server, so that the authentication server can collect the data to be authenticated for authenticating the user.
The data to be authenticated may be, but is not limited to, the user's user information and biometric information. It should be noted that the authentication server may enable its biometric recognition function to collect the user's biometric information. On this basis, in order to improve the accuracy of the identity authentication result, the data to be authenticated may further include position information of the mobile terminal: that is, based on the communication information of the authentication server carried in the identity authentication instruction, the user may enable the positioning function of the mobile terminal (a terminal device other than the user terminal), establish a communication connection with the authentication server using the mobile terminal, and upload to the authentication server the position of the mobile terminal as located by its positioning function, so that the authentication server obtains the data to be authenticated.
It should be noted that the identity authentication instruction may carry user information of the user, so that the authentication server acquires the user information of the user based on the identity authentication instruction while acquiring the biometric information of the user.
Optionally, the identity authentication indication is an authentication two-dimensional (QR) code, and the authentication two-dimensional code carries an access path of the authentication server.
Specifically, when the identity authentication indication is an authentication two-dimensional code, the user terminal, after receiving it, can display it to the user on a page through a display device. The user then scans the authentication two-dimensional code with the mobile terminal, and after scanning, the mobile terminal can establish a communication connection with the authentication server through the access path carried in the code. The authentication server can then call an API (application programming interface) for collecting biometric information and collect the user's biometric information through that API. At the same time, the authentication server also needs to be granted access to the position information of the user's mobile terminal; when the user permits the mobile terminal to send its current position information to the authentication server, the authentication server can proceed with the subsequent verification process.
It should be noted that when the biometric information is facial feature information, the authentication server may start a facial feature collection API and then display a facial feature collection frame through the user terminal; when the user aligns their face with the collection frame, the authentication server can collect the user's facial feature information.
In addition, when the authentication server verifies the identity of the user, the verification process is roughly as follows. A pre-maintained registration information list of users is read locally; the list holds the registration information of each trusted user, which may include, but is not limited to, the user's user information and biometric information. Based on the collected user information and biometric information, the authentication server then checks whether the registration information list contains an entry consistent with both; if such an entry exists, the user's identity authentication passes, and if not, it is determined that the identity authentication does not pass.
The registration information of each trusted user in the list is registered and maintained in advance on the authentication server. Specifically, the user may initiate a registration request to the authentication server in advance through the user terminal, the registration request carrying the user's user information. After receiving the registration request, the authentication server may start the biometric identification API and collect the user's biometric information through it, thereby obtaining the correspondence between the user's user information and biometric information; repeating this for each user finally forms the registration information list. Alternatively, before starting the API, the authentication server may read the user information of trusted users locally and, after receiving a registration request, confirm whether the requesting user is trusted based on the user information in the request, collecting the user's biometric information only after confirming that the user is trusted.
S103, acquiring and recording a first identity authentication result of the user from the authentication server, wherein the first identity authentication result carries first position information.
The first location information is location information of the mobile terminal carried in the first identity authentication result after the authentication server authenticates the user.
In this step, the gateway device may periodically acquire from the authentication server the results of the identity authentication performed on the authentication server. Specifically, in one embodiment, the gateway device may collect the users on which it has performed preliminary authentication within a set period of time, form a user list containing the collected user information of those users, and send the user list to the authentication server. After receiving the user list, the authentication server obtains the identity authentication result corresponding to each piece of user information in the list and returns them to the gateway device in the form of an identity authentication list, which may include the correspondence between each piece of user information and its identity authentication result. In another possible embodiment, the gateway device may send an authentication result acquisition request to the authentication server, so that after receiving the request the authentication server sends to the gateway device the correspondence between the user information of the users on which the authentication procedure was performed and their identity authentication results.
Here too, the authentication server may return the information to the gateway device in the form of an identity authentication list that includes, for each user on which the authentication procedure was performed, the correspondence between that user's user information and identity authentication result. Further, the authentication result acquisition request sent by the gateway device may carry a set period of time, instructing the authentication server to return the identity authentication results within that period, counted from the time the request is received.
On this basis, the gateway device can look up the identity authentication result in the received identity authentication list using the user information of the user who initiated the first authentication message; to distinguish it from the subsequent identity authentication result, the result acquired from the authentication server is recorded as the first identity authentication result.
Specifically, the identity authentication result may include that authentication is passed or not passed, and when the identity authentication result includes that authentication is passed, the identity authentication result may also carry location information of the mobile terminal.
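The exchange of the two embodiments above, simulated in one process as an added Python example that is not code from the patent or from its assignee. The record layout of the identity authentication list, the use of the user account string as user information, the (latitude, longitude) form of the location and Unix-second timestamps are assumptions; the patent fixes none of them.

```python
"""Added example (not code from the patent): the gateway-side acquisition of the
first identity authentication result in step S103, with both embodiments of the
gateway/authentication-server exchange simulated in one process.

Assumptions not fixed by the patent: user information is the user account
string, the location information is a (latitude, longitude) pair, timestamps
are Unix seconds, and the identity authentication list is a list of records.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Location = Tuple[float, float]


@dataclass
class IdentityAuthResult:
    """One entry of the identity authentication list returned by the server."""
    user_info: str
    passed: bool
    mobile_location: Optional[Location] = None  # present only when passed
    identity_id: Optional[str] = None           # optional embodiment: allocated on pass
    finished_at: float = 0.0                    # when the server finished authenticating


class AuthenticationServer:
    """Stand-in for the authentication server's locally recorded results."""

    def __init__(self) -> None:
        self._results: Dict[str, IdentityAuthResult] = {}

    def record(self, result: IdentityAuthResult) -> None:
        self._results[result.user_info] = result

    def handle_user_list(self, user_list: List[str]) -> List[IdentityAuthResult]:
        """First embodiment: answer a user list with the results for exactly
        those users; users the server has not authenticated yet are omitted."""
        return [self._results[u] for u in user_list if u in self._results]

    def handle_result_request(self, received_at: float,
                              period_seconds: Optional[float] = None) -> List[IdentityAuthResult]:
        """Second embodiment: a bare acquisition request, optionally carrying a
        set period measured back from the moment the request is received."""
        results = list(self._results.values())
        if period_seconds is not None:
            results = [r for r in results if received_at - r.finished_at <= period_seconds]
        return results


class GatewayDevice:
    """Tracks users that passed preliminary authentication and indexes their
    first identity authentication result by user information."""

    def __init__(self, server: AuthenticationServer) -> None:
        self._server = server
        self._pending: Dict[str, float] = {}       # user_info -> time preliminary auth passed
        self._first_results: Dict[str, IdentityAuthResult] = {}

    def preliminary_auth_passed(self, user_info: str, at: float) -> None:
        self._pending[user_info] = at

    def poll_by_user_list(self, now: float, period_seconds: float) -> int:
        """Collect users authenticated in the last period, send the user list,
        and index the returned identity authentication list."""
        user_list = [u for u, t in self._pending.items() if now - t <= period_seconds]
        return self._store(self._server.handle_user_list(user_list))

    def poll_by_request(self, now: float, period_seconds: Optional[float]) -> int:
        return self._store(self._server.handle_result_request(now, period_seconds))

    def _store(self, auth_list: List[IdentityAuthResult]) -> int:
        stored = 0
        for r in auth_list:
            # Only users that passed this gateway's preliminary authentication are
            # of interest; a result for anyone else is ignored rather than trusted.
            if r.user_info in self._pending:
                self._first_results[r.user_info] = r
                stored += 1
        return stored

    def first_result_for(self, user_info: str) -> Optional[IdentityAuthResult]:
        """Look up the first identity authentication result by the user
        information of the user who initiated the first authentication message."""
        return self._first_results.get(user_info)


def demo() -> Dict[str, object]:
    """Constructed scenario: two users passed preliminary authentication, but only
    one of them has completed biometric authentication at the server."""
    now = 1_700_000_000.0
    server = AuthenticationServer()
    server.record(IdentityAuthResult("alice", True, (31.2304, 121.4737), "id-alice", now - 20))
    server.record(IdentityAuthResult("carol", True, (39.9042, 116.4074), "id-carol", now - 3000))
    gw = GatewayDevice(server)
    gw.preliminary_auth_passed("alice", now - 30)
    gw.preliminary_auth_passed("bob", now - 10)    # bob never scanned the code
    return {
        "by_list": gw.poll_by_user_list(now, period_seconds=60),
        "by_request_period": gw.poll_by_request(now, period_seconds=60),
        "by_request_all": gw.poll_by_request(now, period_seconds=None),
        "alice": gw.first_result_for("alice"),
        "bob": gw.first_result_for("bob"),
        "carol": gw.first_result_for("carol"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The point of the `_store` filter is the check a practitioner would want: the second embodiment returns results for every user the server has authenticated, so the gateway must index only users that passed its own preliminary authentication rather than accept any entry in the list.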
S104, receiving a second authentication message sent by the user terminal, where the second authentication message carries second location information.
The second location information is the location information of the user terminal and/or the location information of the mobile terminal, where the location information of the mobile terminal carried in the second authentication message is taken from a second identity authentication result that the user terminal obtains from the authentication server.
Specifically, after receiving the identity authentication instruction, the user terminal can obtain the access path of the authentication server from the instruction, and can then periodically acquire the identity authentication result of its user from the authentication server. When the set time after sending the first authentication message arrives, the user terminal sends an authentication result acquisition request carrying the user information of the user to the authentication server; after receiving the request, the authentication server queries the corresponding identity authentication result based on that user information and returns it to the user terminal. The user terminal thereby also obtains the identity authentication result of its user, which is recorded as the second identity authentication result and carries the location information of the mobile terminal to support the subsequent secondary authentication. On this basis, the user terminal can send a second authentication message to the gateway device based on the second identity authentication result, so that the gateway device performs secondary authentication of the user, improving the accuracy of the authentication result and the security of the intranet.
It should be noted that, so that the gateway device can pass the authentication of the user and the user terminal can then access intranet resources, the user terminal carries the second location information in the second authentication message; the second location information may be the location information of the user terminal and/or the location information of the mobile terminal, which allows the gateway device to authenticate the user more accurately.
The order of execution of steps S103 and S104 is not limited: the embodiment may be executed in the order shown in fig. 3, or step S104 may be executed first and step S103 afterwards. When step S104 is executed first, the gateway device may use either of the two ways of acquiring the identity authentication result from the authentication server described above, or the following procedure: the second authentication message may additionally carry the user information of the user, and after receiving it the gateway device sends that user information to the authentication server; the authentication server queries the locally recorded identity authentication result corresponding to the user information, namely the first identity authentication result, and returns it to the gateway device.
S105, authenticating the identity of the user according to the first location information and the second location information.
In this step, because the user accesses the gateway device with the user terminal and then performs identity authentication with the mobile terminal, the user terminal and the mobile terminal are normally located at the same position. Therefore, once the gateway device has obtained the first location information (the location information of the mobile terminal) and the second location information (the location information of the user terminal and/or the mobile terminal), it can accurately authenticate the identity of the user from these two pieces of location information, ensuring the security of intranet data when the authenticated user accesses the intranet.
In the identity authentication method provided by the application, after obtaining the first authentication message, the gateway device performs preliminary authentication of the user's identity based on the authentication information of the user in the message and, after that authentication passes, sends an identity authentication instruction to the user terminal so as to re-authenticate the user's identity. That is, an authentication server is introduced to authenticate the collected biometric information of the user; when collecting the biometric information, the authentication server also collects the location information of the user's mobile terminal, so that after the user passes biometric authentication the gateway device can obtain the biometric authentication result of the user, namely a first identity authentication result carrying the location information of the mobile terminal (the first location information). On the other hand, in order to access intranet resources, the user terminal also obtains the biometric authentication result of the user from the authentication server, namely a second identity authentication result carrying the location information of the mobile terminal after biometric authentication passed, and on that basis initiates a second authentication message carrying the second location information so that the gateway device can perform secondary authentication of the user's identity. The gateway device therefore performs secondary authentication of the user's identity according to the first location information and the second location information, which secures the user's identity authentication, improves the accuracy of the authentication result, and also improves the security of intranet data when the authenticated user accesses the intranet.
Optionally, based on any of the foregoing embodiments, when the gateway device performs step S105, in one possible embodiment, when the second location information is the location information of the mobile terminal, the identity authentication of the user is determined to pass if the first location information is determined to be consistent with the second location information.
Specifically, when the second location information is the location information of the mobile terminal, the gateway device may directly compare the first location information with the second location information; when they are consistent, the gateway device may determine, in combination with the fact that the authentication server has passed the biometric authentication of the user, that the authentication of the user passes.
In another possible embodiment, when the second location information is the location information of the user terminal, the identity authentication of the user is determined to pass if the location information of the user terminal lies in an area, preconfigured in the gateway device, from which the user is allowed to access resources, and the second location information is confirmed to be consistent with the first location information.
Specifically, when the second location information includes only the location information of the user terminal: since the user terminal and the mobile terminal are normally at the same location when the user performs identity authentication, if after receiving the second location information the gateway device confirms that the first location information is consistent with the second location information, this indicates that the location of the user's user terminal is the same as that of the mobile terminal, so the user's authentication can be confirmed to pass, while the situation in which another user impersonates the user's identity to access the intranet is avoided.
Further, the gateway device may also locally maintain, for each trusted user, the area to which the IP address used by that user when allowed to access intranet data belongs. After receiving the second location information, the gateway device may then determine whether the second location information lies in the area corresponding to the user, and, if so, determine that the identity authentication of the user passes when the first location information is consistent with the second location information.
In yet another possible embodiment, when the second location information consists of both the location information of the user terminal and the location information of the mobile terminal, the identity authentication of the user is determined to pass if the location information of the user terminal lies in the area, preconfigured in the gateway device, from which the user is allowed to access resources, and both the location information of the user terminal and the location information of the mobile terminal are determined to be consistent with the first location information.
Specifically, when the second location information includes both the location information of the mobile terminal and that of the user terminal, since the two terminals are normally at the same location when the user performs identity authentication, the gateway device, after receiving the second location information, confirms that the location of the user's user terminal is the same as that of the mobile terminal if the first location information is consistent with both the location information of the user terminal and the location information of the mobile terminal; the user's authentication can then be confirmed to pass, while the situation in which another user accesses the intranet under this user's identity is avoided.
Further, the gateway device may also locally maintain, for each trusted user, the area to which the IP address used by that user when allowed to access intranet data belongs. After receiving the second location information, the gateway device may then determine whether the location information of the user terminal in the second location information lies in the area corresponding to the user, and, if so, determine that the identity authentication of the user passes when the first location information is consistent with the second location information.
Optionally, based on any of the foregoing embodiments, the first identity authentication result further carries an identity identifier, and the second authentication message also carries an identity identifier, the identity identifier being allocated by the authentication server after the user passes its authentication. On this basis, step S105 may be performed as follows: if the first location information is confirmed to be consistent with the second location information and the identity identifier carried by the first identity authentication result is confirmed to be consistent with the identity identifier carried by the second authentication message, the identity authentication of the user is determined to pass.
Specifically, to further improve the accuracy of the identity authentication result, this embodiment also proposes that the authentication server allocate an identity identifier to each user after the user's biometric information passes verification, with different users receiving different identity identifiers. When the authentication server feeds the first identity authentication result back to the gateway device after the user passes authentication, the first identity authentication result may also carry the identity identifier allocated to the user; similarly, when the authentication server feeds the second identity authentication result back to the user terminal, the second identity authentication result may also carry that identity identifier. When the user then sends the second authentication message through the user terminal, the received identity identifier can be carried in the message, so that after receiving the second authentication message the gateway device, in addition to checking the location information, can judge whether the identity identifier carried by the first identity authentication result is consistent with the identity identifier carried by the second authentication message; the identity authentication of the user is confirmed to pass only when the identity identifiers are consistent and the first location information is consistent with the second location information.
If the first location information is inconsistent with the second location information, and/or the identity identifier carried by the first identity authentication result is inconsistent with the identity identifier carried by the second authentication message, the identity authentication of the user is determined to fail, and the user is refused access to intranet data through the gateway device.
Optionally, this embodiment proposes that, when the second location information is the location information of the mobile terminal, the second authentication message is sent only after the user terminal confirms that the location information of the mobile terminal is consistent with the location information of the user terminal.
Specifically, to speed up identity authentication, after receiving the second identity authentication result the user terminal may first compare the location information itself: when it recognizes that the location information of the user terminal is consistent with the location information of the mobile terminal in the second identity authentication result, it may determine that the user's user terminal and mobile terminal are at the same location, and on that basis carry the location information of the mobile terminal when sending the second authentication message. The gateway device then only needs to judge whether the first location information is consistent with the second location information to authenticate the identity of the user, which improves the efficiency of identity authentication on the gateway device side.
Alternatively, based on any of the above embodiments, the recording of the first identity authentication result of the user in step S103 may be performed as follows: judge whether the first location information lies within the permitted location range of the user; if yes, record the first identity authentication result of the user; if not, discard the first identity authentication result.
Specifically, the gateway device may maintain in advance a permitted location range for each trusted user, formed from the locations where the mobile terminal is permitted to be when that user performs identity authentication in order to access intranet data; for example, the gateway device may maintain a location access list recording the correspondence between the user information of each trusted user and the corresponding permitted location range. After the gateway device obtains the first identity authentication result from the authentication server, it can extract the user information and the first location information (the location information of the mobile terminal) from the result and query the location access list with them. If the list is hit, the mobile terminal was within the user's permitted location range when the user performed identity authentication with it, so the gateway device records the first identity authentication result. If the list is missed, the first identity authentication result can be discarded; when the user terminal later initiates the second authentication message, the gateway device finds no first identity authentication result recorded locally for the user and can directly determine that the identity authentication of the user does not pass. This saves storage space on the gateway device and improves the accuracy of the identity authentication result.
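The decision of step S105 in its three forms (second location information from the mobile terminal, from the user terminal, or from both), the optional identity identifier check, and the permitted-location gate of the preceding paragraph, combined into one added Python example that is not the patent's own code. The tolerance-based meaning of "consistent", the circular permitted areas, the account-string user information and the (latitude, longitude) locations are assumptions introduced here; the patent only says the two pieces of location information must be consistent.

```python
"""Added example (not code from the patent): the gateway-side decision of step
S105 for the three forms of second location information, the optional identity
identifier check, and the permitted-location gate applied when the first identity
authentication result is recorded.

Assumptions not fixed by the patent: locations are (latitude, longitude) GPS
fixes; two locations are 'consistent' when they lie within TOLERANCE_M metres of
each other, because GPS fixes of two co-located devices are never bit-identical;
the area from which a user may access resources is a list of (centre, radius_m)
circles; user information is the user account string.
"""
import math
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Location = Tuple[float, float]
Circle = Tuple[Location, float]

TOLERANCE_M = 200.0  # assumed radius within which two fixes count as consistent


def distance_m(a: Location, b: Location) -> float:
    """Great-circle (haversine) distance in metres."""
    lat1, lat2 = math.radians(a[0]), math.radians(b[0])
    dlat = lat2 - lat1
    dlon = math.radians(b[1] - a[1])
    h = math.sin(dlat / 2) ** 2 + math.cos(lat1) * math.cos(lat2) * math.sin(dlon / 2) ** 2
    return 2 * 6_371_000.0 * math.asin(math.sqrt(h))


def consistent(a: Location, b: Location) -> bool:
    return distance_m(a, b) <= TOLERANCE_M


def in_area(loc: Location, area: List[Circle]) -> bool:
    return any(distance_m(loc, centre) <= radius for centre, radius in area)


@dataclass
class FirstResult:
    """First identity authentication result as obtained from the server."""
    user_info: str
    passed: bool
    mobile_location: Optional[Location]
    identity_id: Optional[str] = None


@dataclass
class SecondAuthMessage:
    """Second authentication message from the user terminal."""
    user_info: str
    terminal_location: Optional[Location]  # location of the user terminal, if carried
    mobile_location: Optional[Location]    # location of the mobile terminal, if carried
    identity_id: Optional[str] = None


class Gateway:
    def __init__(self, location_access_list: Dict[str, List[Circle]]) -> None:
        # user information -> permitted location range (the location access list)
        self._permitted = location_access_list
        self._first: Dict[str, FirstResult] = {}

    def record_first_result(self, res: FirstResult) -> bool:
        """Record the first result only if the mobile terminal was inside the
        user's permitted location range; otherwise discard it and return False."""
        if not res.passed or res.mobile_location is None:
            return False
        if not in_area(res.mobile_location, self._permitted.get(res.user_info, [])):
            return False
        self._first[res.user_info] = res
        return True

    def authenticate(self, msg: SecondAuthMessage) -> bool:
        """Step S105: secondary authentication from first and second location info."""
        first = self._first.get(msg.user_info)
        if first is None:  # never obtained, or discarded by record_first_result
            return False
        # Optional embodiment: the identity identifier from the first result must
        # match the one carried in the second authentication message.
        if first.identity_id is not None and msg.identity_id != first.identity_id:
            return False
        first_loc = first.mobile_location
        area = self._permitted.get(msg.user_info, [])
        term, mob = msg.terminal_location, msg.mobile_location
        if term is None and mob is not None:
            # second location = mobile terminal only: direct comparison
            return consistent(first_loc, mob)
        if term is not None and mob is None:
            # second location = user terminal only: area check, then comparison
            return in_area(term, area) and consistent(first_loc, term)
        if term is not None and mob is not None:
            # both carried: area check, and both must be consistent with the first
            return in_area(term, area) and consistent(first_loc, term) and consistent(first_loc, mob)
        return False  # no location information at all


def demo() -> Dict[str, bool]:
    """Constructed scenario: alice's permitted range is an office in Shanghai,
    bob's is an office in Beijing; both first results come back with Shanghai fixes."""
    shanghai = (31.2304, 121.4737)
    beijing = (39.9042, 116.4074)
    gw = Gateway({"alice": [(shanghai, 500.0)], "bob": [(beijing, 500.0)]})
    rec_alice = gw.record_first_result(FirstResult("alice", True, (31.2310, 121.4740), "id-a"))
    rec_bob = gw.record_first_result(FirstResult("bob", True, (31.2310, 121.4740), "id-b"))
    return {
        "alice_recorded": rec_alice,
        "bob_discarded": not rec_bob,
        "mobile_only": gw.authenticate(SecondAuthMessage("alice", None, (31.2312, 121.4742), "id-a")),
        "terminal_only": gw.authenticate(SecondAuthMessage("alice", (31.2305, 121.4738), None, "id-a")),
        "both": gw.authenticate(SecondAuthMessage("alice", (31.2305, 121.4738), (31.2312, 121.4742), "id-a")),
        "wrong_identity_id": gw.authenticate(SecondAuthMessage("alice", (31.2305, 121.4738), None, "id-x")),
        "terminal_far_away": gw.authenticate(SecondAuthMessage("alice", beijing, None, "id-a")),
        "bob_no_first_result": gw.authenticate(SecondAuthMessage("bob", None, (31.2310, 121.4740), "id-b")),
    }
```

The tolerance is the part a practitioner should not skip: if "consistent" is implemented as exact equality of two GPS fixes, co-located terminals fail secondary authentication almost every time, and whatever rounding the terminals happen to apply becomes the real policy. The identity identifier check runs before the location comparison, so a second authentication message that replays another user's location data is rejected regardless of where it claims to be.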
Alternatively, based on any of the above embodiments, the user information of the user may be, but is not limited to, the user account of the user, where different users correspond to different user accounts.
It should be noted that the location information of the user terminal and the location information of the mobile terminal may be, but are not limited to, address information obtained by GPS positioning.
Based on the same inventive concept, the application further provides an identity authentication method on the user terminal side. Referring to fig. 2, which shows a flow chart of another identity authentication method provided by an example of the application, the method is applied to the user terminal of a user, where the user terminal may be, but is not limited to, a PC, a notebook, a Mac, and so on. The user terminal may perform the following steps when implementing the method:
S201, sending a first authentication message to the gateway device, where the first authentication message carries authentication information of the user.
In this step, when the user wishes to access the intranet, authentication must be performed with the gateway device; after the authentication passes, the gateway device releases the service messages with which the user terminal accesses services in the intranet. Therefore, to achieve user authentication, the user sends the first authentication message to the gateway device through the user terminal, and the first authentication message carries the authentication information of the user, so that the gateway device can authenticate the user.
S202, receiving an identity authentication instruction sent by the gateway device after the user's authentication based on the authentication information passes.
The identity authentication instruction is used to instruct the authentication server to acquire the user information, the biometric information and the location information of the user's mobile terminal, and to authenticate the user according to the user information and the biometric information.
In this step, when the authentication of the user passes, the user is only presumed to be a safe user; to further improve the security of the intranet, the gateway device needs to further authenticate the identity of the user. In view of this, the present embodiment proposes to generate an identity authentication instruction for the user and send it to the user terminal. Because the identity authentication instruction indicates the data to be authenticated that must be acquired and the communication information of the authentication server that will authenticate that data, after the user obtains the identity authentication instruction on the user terminal the user can establish a communication connection with the authentication server using the user's mobile terminal, so that the authentication server can acquire the data to be authenticated for authenticating the user.
The data to be authenticated may be, but is not limited to, the user information and the biometric information of the user. It should be noted that the authentication server may enable its biometric recognition function to acquire the biometric information of the user. On this basis, to improve the accuracy of the identity authentication result, the data to be authenticated may further include the location information of the mobile terminal: based on the communication information of the authentication server carried in the identity authentication instruction, the user enables the positioning function of the mobile terminal (a terminal device other than the user terminal), establishes a communication connection with the authentication server using the mobile terminal, and uploads to the authentication server the location information of the mobile terminal determined by its positioning function, so that the authentication server obtains the data to be authenticated.
Optionally, the identity authentication instruction is an authentication two-dimensional code that carries the access path of the authentication server. In that case, after receiving the authentication two-dimensional code the user terminal can display it to the user on a page through its display device; the user then scans the authentication two-dimensional code with the mobile terminal, after which the mobile terminal establishes a communication connection with the authentication server through the access path carried in the code. The authentication server can then call an API (application programming interface) for acquiring biometric information and acquire the biometric information of the user through that API. At the same time, the authentication server also needs to obtain permission to access the location information of the user's mobile terminal; once the user allows the mobile terminal to send its current location information to the authentication server, the authentication server can perform the subsequent verification process.
It should be noted that when the biometric information is facial feature information, the authentication server may start a facial feature collection API and display a facial feature collection frame on the mobile terminal that scanned the code; when the user aligns the user's face with the facial feature collection frame, the authentication server can collect the facial feature information of the user.
In addition, when the authentication server verifies the identity of the user, the verification process is approximately as follows: a pre-maintained registration information list of users is obtained locally, in which the registration information of each trusted user is maintained; the registration information of each user may include, but is not limited to, the user information and the biometric information of the user. Based on the acquired user information and biometric information of the user, the authentication server then checks whether the registration information list contains registration information consistent with both; if it does, the identity authentication of the user passes, and if not, the identity authentication of the user is determined not to pass.
The authentication server may also return the identity authentication result to the mobile terminal; if the result is authentication failure, the user, on learning of the failure, can scan the authentication two-dimensional code again with the mobile terminal and repeat the biometric authentication process.
The registration information of each trusted user in the registration information list is registered and maintained in advance on the authentication server for that trusted user. Specifically, the user may initiate a registration request to the authentication server in advance through the user terminal, the registration request carrying the user information of the user; after receiving the registration request, the authentication server may start the biometric recognition API and collect the biometric information of the user through it, thereby obtaining the correspondence between the user information and the biometric information of the user, and so on for each user, finally forming the registration information list. Alternatively, before starting the API, the authentication server may obtain the user information of the trusted users locally and, after receiving a user's registration request, confirm from the user information in the request whether the user is trusted, collecting the biometric information of the user only after confirming that the user is trusted.
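The verification and registration procedure of the preceding three paragraphs, written out as an added Python example that is not the patent's own code. The patent says only that the collected biometric information must be "consistent" with the registered information; representing the biometric information as a feature vector and matching it by cosine similarity against a threshold is an assumption made here, as are the account-string user information, the (latitude, longitude) location, and the random identity identifier allocated on success (the patent's optional embodiment says only that it is unique per user).

```python
"""Added example (not code from the patent): the authentication server's
verification procedure, with registration gated on the locally held list of
trusted users, a per-user identity identifier allocated on success, and the
result served to the gateway device and the user terminal alike.

Assumptions not fixed by the patent: the collected biometric information is
reduced to a fixed-length feature vector by some feature extractor, and a sample
is 'consistent' with a registered template when their cosine similarity is at
least THRESHOLD, since two raw biometric captures are never byte-identical; user
information is the user account string; locations are (latitude, longitude).
"""
import math
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Location = Tuple[float, float]
THRESHOLD = 0.9  # assumed similarity threshold for a biometric match


def cosine(a: List[float], b: List[float]) -> float:
    dot = sum(x * y for x, y in zip(a, b))
    na = math.sqrt(sum(x * x for x in a))
    nb = math.sqrt(sum(y * y for y in b))
    return dot / (na * nb) if na and nb else 0.0


@dataclass
class Registration:
    user_info: str
    template: List[float]


@dataclass
class AuthResult:
    user_info: str
    passed: bool
    mobile_location: Optional[Location] = None  # carried only when passed
    identity_id: Optional[str] = None           # allocated only when passed


class AuthenticationServer:
    def __init__(self, trusted_users: List[str]) -> None:
        self._trusted = set(trusted_users)  # user information of trusted users, held locally
        self._registrations: Dict[str, Registration] = {}
        self._results: Dict[str, AuthResult] = {}

    def register(self, user_info: str, template: List[float]) -> bool:
        """Registration request: collect a template only if the user is trusted."""
        if user_info not in self._trusted:
            return False
        self._registrations[user_info] = Registration(user_info, template)
        return True

    def verify(self, user_info: str, sample: List[float],
               mobile_location: Optional[Location]) -> AuthResult:
        """Authenticate the data to be authenticated uploaded by the mobile terminal."""
        reg = self._registrations.get(user_info)
        # Compare only against the template registered under this account: a
        # search over every template would let one user pass as another.
        matched = reg is not None and cosine(reg.template, sample) >= THRESHOLD
        if matched and mobile_location is not None:
            result = AuthResult(user_info, True, mobile_location,
                                identity_id=secrets.token_hex(16))  # unique per pass
        else:
            result = AuthResult(user_info, False)  # no location, no identifier
        self._results[user_info] = result
        return result

    def result_for(self, user_info: str) -> Optional[AuthResult]:
        """Served to the gateway device and to the user terminal alike."""
        return self._results.get(user_info)


def demo() -> Dict[str, object]:
    """Constructed scenario with three-dimensional feature vectors as templates."""
    server = AuthenticationServer(trusted_users=["alice", "bob", "carol"])
    shanghai = (31.2304, 121.4737)
    registered = {
        "alice": server.register("alice", [1.0, 0.0, 0.0]),
        "bob": server.register("bob", [0.0, 1.0, 0.0]),
        "carol": server.register("carol", [0.0, 0.0, 1.0]),
        "mallory": server.register("mallory", [0.0, 0.0, 1.0]),  # not a trusted user
    }
    no_location = server.verify("alice", [0.98, 0.10, 0.05], None)   # location denied
    alice_pass = server.verify("alice", [0.98, 0.10, 0.05], shanghai)
    bob_fail = server.verify("bob", [0.5, 0.8, 0.3], shanghai)        # poor match
    carol_pass = server.verify("carol", [0.05, 0.10, 0.98], shanghai)
    unknown = server.verify("dave", [1.0, 0.0, 0.0], shanghai)        # never registered
    return {
        "registered": registered,
        "no_location": no_location,
        "alice_pass": alice_pass,
        "bob_fail": bob_fail,
        "carol_pass": carol_pass,
        "unknown": unknown,
        "alice_stored": server.result_for("alice"),
    }
```

Two details carry the security weight: the sample is matched only against the template stored under the account the mobile terminal presented, never against the whole list, and a failed result carries neither the mobile terminal's location nor an identity identifier, so a gateway or terminal that reads it has nothing to compare in step S105.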
S203, acquiring an identity authentication result of the user from the authentication server, where the identity authentication result carries the location information of the mobile terminal.
In this step, after receiving the identity authentication instruction, the user terminal can also obtain the access path of the authentication server from the instruction and then periodically acquire the identity authentication result of its user from the authentication server. Specifically, when the set time after sending the first authentication message arrives, the user terminal sends an authentication result acquisition request carrying the user information of the user to the authentication server; after receiving the request, the authentication server queries the corresponding identity authentication result based on that user information and returns it to the user terminal. The user terminal thereby obtains the identity authentication result of its user, which carries the location information of the mobile terminal to support the subsequent secondary authentication. On this basis, the user terminal can send a second authentication message to the gateway device based on the acquired identity authentication result, so that the gateway device performs secondary authentication of the user, improving the accuracy of the authentication result and the security of the intranet.
In addition, when the identity authentication instruction is the authentication two-dimensional code, the user terminal can acquire the identity authentication result of the user from the authentication server according to the access path of the authentication server, because the authentication two-dimensional code carries that access path.
S204, sending a second authentication message to the gateway device, so that the gateway device authenticates the identity of the user according to the first location information and the second location information.
The first location information is the location information of the mobile terminal, carried in the identity authentication result that the authentication server sends to the gateway device after authenticating the user; the second location information is the location information of the user terminal and/or the location information of the mobile terminal.
It should be noted that, so that the gateway device can pass the authentication of the user and the user terminal can then access intranet resources, the user terminal carries the second location information in the second authentication message; the second location information may be the location information of the user terminal and/or the location information of the mobile terminal, which allows the gateway device to authenticate the user more accurately.
By providing this identity authentication method, the gateway device performs secondary authentication of the identity of the user, which secures the user's identity authentication, improves the accuracy of the authentication result, and also improves the security of intranet data when the authenticated user accesses the intranet.
Alternatively, based on any of the above embodiments, step S204 may be performed as follows: acquire the location information of the user terminal, and, if the location information of the user terminal is consistent with the acquired location information of the mobile terminal, send a second authentication message that carries only the location information of the mobile terminal to the gateway device.
Specifically, to speed up identity authentication, after receiving the second identity authentication result the user terminal may first compare the location information itself: when it recognizes that the location information of the user terminal is consistent with the location information of the mobile terminal in the second identity authentication result, it may determine that the user's user terminal and mobile terminal are at the same location, and on that basis carry the location information of the mobile terminal when sending the second authentication message. The gateway device then only needs to judge whether the first location information is consistent with the second location information to authenticate the identity of the user, which improves the efficiency of identity authentication on the gateway device side.
Optionally, based on any of the foregoing embodiments, the second authentication message may further carry an identity identifier, which the authentication server allocates after the user passes its authentication; this allows the gateway device to authenticate the identity of the user more accurately.
It should be noted that the location information of the user terminal and the location information of the mobile terminal may be, but are not limited to, address information obtained by GPS positioning.
For a better understanding of this embodiment, consider an example in which a user accesses the SSL VPN gateway device B from terminal device A:
Step 1. The user opens the SSL VPN login page on terminal device A and enters a user name and password, which triggers the first authentication. Gateway device B first verifies the user name and password; once they pass, it generates an authentication two-dimensional code (QR code) from the user's input and returns it to terminal device A, which must be scanned with mobile terminal C. After mobile terminal C scans the code, a communication connection is established between mobile terminal C and the authentication server, and the authentication server pops up a biometric capture window on mobile terminal C through which it collects the user's biometric features.
Step 2. After the user scans the authentication two-dimensional code with mobile terminal C, the authentication server also requests permission to read the location of mobile terminal C, so that it can obtain the location information of mobile terminal C.
Step 3. The authentication server authenticates the user's biometric features against the collected biometric information and, if authentication passes, allocates a unique identity identifier to the user. When authentication is complete, the authentication server may also return the biometric authentication result to mobile terminal C; if authentication fails, the user can scan the authentication two-dimensional code again with mobile terminal C and repeat the biometric authentication.
Step 4. Gateway device B periodically obtains the first identity authentication result of the user from the authentication server, and terminal device A periodically obtains the second identity authentication result of the user from the authentication server. When the authentication server has authenticated the user, the first identity authentication result carries the location information of mobile terminal C (the first location information), the user information and the identity identifier; the second identity authentication result likewise carries the location information of mobile terminal C, the user information and the identity identifier.
Step 5. After receiving the second identity authentication result, terminal device A extracts the location information of mobile terminal C and the identity identifier from it and, on that basis, sends a second authentication message to gateway device B carrying the second location information and the identity identifier.
Step 6. After gateway device B receives the second authentication message, it performs the secondary authentication of the user's identity using the identity identifier in the second authentication message, the identity identifier in the first identity authentication result, the first location information and the second location information. This improves the accuracy of the authentication result and at the same time strengthens the security of intranet data.
In this way, identity verification of the user and collection of the user's geographic information are carried out on the basis of biometric recognition, and the consistency of the user is strictly enforced by matching the user's geographic information against the permitted login sources and geographic coordinates configured on the SSL VPN gateway device; that is, the gateway device can restrict logins by geographic source. This greatly improves the security of users accessing the intranet through the SSL VPN and essentially prevents leakage of intranet resources caused by stolen accounts.
It is noted that the authentication server described above may be, but is not limited to, a server provided by a trusted third-party service provider.
Based on the same inventive concept, the application also provides an identity authentication apparatus corresponding to the identity authentication method performed on the gateway device side. For the implementation of this apparatus, refer to the description of the identity authentication method on the gateway device; it is not repeated here.
Referring to fig. 3, fig. 3 shows an identity authentication apparatus provided in an exemplary embodiment of the present application and disposed in a gateway device, where the apparatus includes:
a receiving module 301, configured to receive a first authentication message sent by a user terminal, where the first authentication message carries authentication information of a user;
a first authentication module 302, configured to authenticate the user based on the authentication information;
a sending module 303, configured to send an identity authentication instruction to the user terminal after the first authentication module 302 has authenticated the user based on the authentication information, where the identity authentication instruction is used to instruct an authentication server to obtain user information, biometric information and location information of a mobile terminal of the user, and to authenticate the user according to the user information and the biometric information;
an obtaining module 304, configured to obtain and record a first identity authentication result of the user from the authentication server, where the first identity authentication result carries first location information, the first location information being the location information of the mobile terminal carried in the first identity authentication result after the authentication server has authenticated the user;
the receiving module 301 being further configured to receive a second authentication message sent by the user terminal, where the second authentication message carries second location information, the second location information being the location information of the user terminal and/or the location information of the mobile terminal, and the location information of the mobile terminal in the second authentication message being obtained from a second identity authentication result that the user terminal obtains from the authentication server; and
a second authentication module 305, configured to authenticate the identity of the user according to the first location information and the second location information.
Optionally, based on the foregoing embodiment, the first identity authentication result further carries an identity identifier, and the second authentication message also carries an identity identifier, the identity identifier being allocated by the authentication server after the user has passed its authentication. The second authentication module 305 is specifically configured to determine that the identity authentication of the user passes if the first location information is consistent with the second location information and the identity identifier carried by the first identity authentication result is consistent with the identity identifier carried by the second authentication message.
Optionally, based on any of the foregoing embodiments, when the second location information is the location information of the mobile terminal, the second authentication message is sent by the user terminal upon confirming that the location information of the mobile terminal is consistent with the location information of the user terminal.
Optionally, based on any of the foregoing embodiments, the obtaining module 304 is specifically configured to judge whether the first location information lies within the permitted location range of the user; if so, it records the first identity authentication result of the user, and if not, it discards the first identity authentication result.
Optionally, based on any of the foregoing embodiments, the second authentication module 305 is specifically configured to: when the second location information is the location information of the mobile terminal, determine that the identity authentication of the user passes if the first location information is consistent with the second location information; or,
when the second location information is the location information of the user terminal, determine that the identity authentication of the user passes if the location information of the user terminal lies within an area preconfigured in the gateway device in which the user is allowed to access resources, and the second location information is consistent with the first location information; or,
when the second location information is both the location information of the user terminal and the location information of the mobile terminal, determine that the identity authentication of the user passes if the location information of the user terminal lies within an area preconfigured in the gateway device in which the user is allowed to access resources, and the location information of the user terminal, the location information of the mobile terminal and the first location information are all consistent.
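The following Python is an added illustration and is not code from the patent or from its applicant. It models the gateway side of Steps 1 to 6 above and the decision rules of the obtaining module 304 and the second authentication module 305 (the permitted-range filter on the first identity authentication result, the identity identifier match, and the three cases for the second location information), together with the user-terminal pre-check that sends only the mobile terminal's location when the two locations agree. Everything concrete is an assumption: the class and function names, the 500 m radius used to decide that two GPS fixes are "consistent" (the patent does not define a tolerance), the haversine distance, the per-user permitted range and access area expressed as a centre and radius, and all coordinates, user names and identifiers.

```python
"""Two-stage SSL VPN authentication: gateway-side decision logic and the
user-terminal pre-check (added illustration; not the patent's own code)."""
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt
from typing import Dict, Optional, Tuple

# Assumption: two locations are "consistent" when their GPS fixes lie within
# this radius. The patent defines no tolerance; 500 m is our choice.
CONSISTENCY_RADIUS_M = 500.0


@dataclass(frozen=True)
class Location:
    lat: float  # degrees
    lon: float  # degrees


def haversine_m(a: Location, b: Location) -> float:
    """Great-circle distance in metres between two GPS fixes."""
    r = 6_371_000.0
    dlat, dlon = radians(b.lat - a.lat), radians(b.lon - a.lon)
    h = sin(dlat / 2) ** 2 + cos(radians(a.lat)) * cos(radians(b.lat)) * sin(dlon / 2) ** 2
    return 2 * r * asin(sqrt(h))


def consistent(a: Location, b: Location) -> bool:
    return haversine_m(a, b) <= CONSISTENCY_RADIUS_M


@dataclass(frozen=True)
class AuthResult:
    """Identity authentication result issued by the authentication server; the
    gateway and the user terminal each fetch a copy (first/second result)."""
    user: str
    identity_id: str           # identifier allocated after biometric auth passed
    mobile_location: Location  # location of the mobile terminal


@dataclass(frozen=True)
class SecondAuthMessage:
    """Second authentication message from the user terminal to the gateway."""
    user: str
    identity_id: str
    user_terminal_location: Optional[Location] = None
    mobile_location: Optional[Location] = None


class Gateway:
    def __init__(self, permitted_ranges: Dict[str, Tuple[Location, float]],
                 access_area: Tuple[Location, float]) -> None:
        self.permitted = permitted_ranges  # per-user permitted range for the first result
        self.access_area = access_area     # preconfigured area for user-terminal access
        self.records: Dict[str, AuthResult] = {}

    def record_first_result(self, result: AuthResult) -> bool:
        """Obtaining module: keep the first result only if the mobile terminal
        lies within the user's permitted range; otherwise discard it."""
        center, radius = self.permitted[result.user]
        if haversine_m(center, result.mobile_location) > radius:
            return False
        self.records[result.user] = result
        return True

    def authenticate_second(self, msg: SecondAuthMessage) -> bool:
        """Second authentication module: the identifier must match the recorded
        first result and every location present must be consistent with it."""
        rec = self.records.get(msg.user)
        if rec is None or msg.identity_id != rec.identity_id:
            return False
        first, ut, mt = rec.mobile_location, msg.user_terminal_location, msg.mobile_location
        if ut is None and mt is None:
            return False
        if ut is not None:  # user-terminal location: inside the access area and matching first
            center, radius = self.access_area
            if haversine_m(center, ut) > radius or not consistent(ut, first):
                return False
        if mt is not None and not consistent(mt, first):  # mobile location must match first
            return False
        if ut is not None and mt is not None and not consistent(ut, mt):  # both: all agree
            return False
        return True


def build_second_auth_message(result: AuthResult, terminal_location: Location) -> SecondAuthMessage:
    """User-terminal pre-check: if its own location matches the mobile terminal's,
    send only the mobile location. Otherwise (our assumption, not stated in the
    patent) send both and let the gateway decide."""
    if consistent(terminal_location, result.mobile_location):
        return SecondAuthMessage(result.user, result.identity_id, mobile_location=result.mobile_location)
    return SecondAuthMessage(result.user, result.identity_id,
                             user_terminal_location=terminal_location,
                             mobile_location=result.mobile_location)


def run_demo() -> Dict[str, bool]:
    """Constructed scenarios; all coordinates, names and identifiers are sample values."""
    beijing = Location(39.9042, 116.4074)
    nearby = Location(39.9052, 116.4074)   # about 110 m north of beijing
    shanghai = Location(31.2304, 121.4737)
    gw = Gateway({"alice": (beijing, 50_000.0), "bob": (beijing, 50_000.0)}, (beijing, 50_000.0))
    out: Dict[str, bool] = {}
    first = AuthResult("alice", "id-1", beijing)           # legitimate login, all in Beijing
    out["first_recorded"] = gw.record_first_result(first)
    msg = build_second_auth_message(first, nearby)
    out["terminal_sent_mobile_only"] = msg.user_terminal_location is None
    out["legit_passes"] = gw.authenticate_second(msg)
    forged = SecondAuthMessage("alice", "id-9", mobile_location=beijing)  # wrong identifier
    out["wrong_identifier_rejected"] = not gw.authenticate_second(forged)
    far = build_second_auth_message(first, shanghai)        # terminal far from the mobile
    out["far_terminal_rejected"] = not gw.authenticate_second(far)
    bob = AuthResult("bob", "id-2", shanghai)               # mobile outside permitted range
    out["out_of_range_discarded"] = not gw.record_first_result(bob)
    out["bob_rejected"] = not gw.authenticate_second(
        SecondAuthMessage("bob", "id-2", mobile_location=shanghai))
    return out


if __name__ == "__main__":
    for name, ok in run_demo().items():
        print(f"{name}: {ok}")
```

The reference the gateway trusts is the first location information, which it fetched itself from the authentication server; the locations inside the second authentication message are only ever compared against that record (and, in the third case, against each other), never accepted on their own, and a message whose identity identifier does not match the recorded first result is rejected before any location is examined.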
Based on the same inventive concept, the application also provides an identity authentication apparatus corresponding to the identity authentication method performed on the user terminal side. For the implementation of this apparatus, refer to the description of the identity authentication method on the user terminal; it is not repeated here.
Referring to fig. 4, fig. 4 shows an identity authentication apparatus provided in an exemplary embodiment of the present application and disposed in a user terminal, where the apparatus includes:
a sending module 401, configured to send a first authentication message to a gateway device, where the first authentication message carries authentication information of a user;
a receiving module 402, configured to receive an identity authentication instruction sent by the gateway device after the user has been authenticated based on the authentication information, where the identity authentication instruction is used to instruct an authentication server to obtain user information, biometric information and location information of a mobile terminal of the user, and to authenticate the user according to the user information and the biometric information;
an obtaining module 403, configured to obtain an identity authentication result of the user from the authentication server, where the identity authentication result carries the location information of the mobile terminal; and
the sending module 401 being further configured to send a second authentication message to the gateway device, so that the gateway device authenticates the identity of the user according to first location information and second location information;
where the first location information is the location information of the mobile terminal carried in the identity authentication result that the authentication server sends to the gateway device after authenticating the user, and the second location information is the location information of the user terminal and/or the location information of the mobile terminal.
Optionally, based on the above embodiment, the sending module 401 is specifically configured to obtain the location information of the user terminal and, if the location information of the user terminal is consistent with the obtained location information of the mobile terminal, send a second authentication message to the gateway device that carries only the location information of the mobile terminal.
Optionally, based on any of the foregoing embodiments, the identity authentication instruction is an authentication two-dimensional code that carries an access path of the authentication server, and the obtaining module 403 is specifically configured to obtain the identity authentication result of the user from the authentication server according to that access path.
Based on the same inventive concept, embodiments of the present application provide an electronic device, which may be, but is not limited to, the gateway device, the user terminal or the authentication server described above. As shown in fig. 5, the electronic device includes a processor 501 and a machine-readable storage medium 502, the machine-readable storage medium 502 storing a computer program executable by the processor 501, and the computer program causing the processor 501 to perform the identity authentication method provided by any embodiment of the present application. The electronic device further includes a communication interface 503 and a communication bus 504, and the processor 501, the communication interface 503 and the machine-readable storage medium 502 communicate with each other over the communication bus 504.
The communication bus of the electronic device may be a Peripheral Component Interconnect (PCI) bus, an Extended Industry Standard Architecture (EISA) bus or the like, and may be divided into an address bus, a data bus, a control bus and so on. For ease of illustration, only one thick line is drawn in the figure, but this does not mean there is only one bus or only one type of bus.
The communication interface is used for communication between the electronic device and other devices.
The machine-readable storage medium 502 may be a memory, which may include random access memory (RAM), double data rate synchronous dynamic random access memory (DDR SDRAM) or non-volatile memory (NVM) such as at least one disk storage device. Optionally, the memory may also be at least one storage device located remotely from the processor.
The processor may be a general-purpose processor, including a central processing unit (CPU), a network processor (NP) and so on; it may also be a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or another programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component.
For the electronic device and the machine-readable storage medium embodiments, the description is relatively simple, and reference should be made to the description of the method embodiments for relevant points, since the method content involved is substantially similar to that of the method embodiments described above.
It is noted that relational terms such as "first" and "second" are used solely to distinguish one entity or action from another, without necessarily requiring or implying any actual such relationship or order between those entities or actions. Moreover, the terms "comprises", "comprising" and any variation thereof are intended to cover a non-exclusive inclusion, so that a process, method, article or apparatus that comprises a list of elements includes not only those elements but may also include other elements not expressly listed or inherent to that process, method, article or apparatus. Without further limitation, an element introduced by the phrase "comprising a" does not exclude the presence of other identical elements in the process, method, article or apparatus that comprises it.
The implementation process of the functions and roles of each unit/module in the above device is specifically shown in the implementation process of the corresponding steps in the above method, and will not be repeated here.
For the device embodiments, reference is made to the description of the method embodiments for the relevant points, since they essentially correspond to the method embodiments. The above described apparatus embodiments are merely illustrative, wherein the units/modules illustrated as separate components may or may not be physically separate, and the components shown as units/modules may or may not be physical units/modules, i.e. may be located in one place, or may be distributed over a plurality of network units/modules. Some or all of the units/modules may be selected according to actual needs to achieve the purposes of the present application. Those of ordinary skill in the art will understand and implement the present invention without undue burden.
The foregoing description of the preferred embodiments of the present invention is not intended to limit the invention to the precise form disclosed, and any modifications, equivalents, improvements and alternatives falling within the spirit and principles of the present invention are intended to be included within the scope of the present invention.

Claims (10)

1. An identity authentication method, applied to a gateway device, comprising:
receiving a first authentication message sent by a user terminal, wherein the first authentication message carries authentication information of a user;
after the user is authenticated based on the authentication information, sending an identity authentication instruction to the user terminal, wherein the identity authentication instruction is used to instruct an authentication server to obtain user information, biometric information and location information of a mobile terminal of the user, and to authenticate the user according to the user information and the biometric information;
obtaining and recording a first identity authentication result of the user from the authentication server, wherein the first identity authentication result carries first location information, the first location information being the location information of the mobile terminal carried in the first identity authentication result after the authentication server has authenticated the user;
receiving a second authentication message sent by the user terminal, wherein the second authentication message carries second location information, the second location information being the location information of the user terminal and/or the location information of the mobile terminal, and the location information of the mobile terminal in the second authentication message being obtained from a second identity authentication result that the user terminal obtains from the authentication server; and
authenticating the identity of the user according to the first location information and the second location information.
2. The method of claim 1, wherein the first identity authentication result further carries an identity identifier, the second authentication message also carries an identity identifier, and the identity identifier is allocated by the authentication server after the user has passed its authentication; and
authenticating the identity of the user according to the first location information and the second location information comprises:
determining that the identity authentication of the user passes if the first location information is consistent with the second location information and the identity identifier carried by the first identity authentication result is consistent with the identity identifier carried by the second authentication message.
3. The method of claim 1, wherein, when the second location information is the location information of the mobile terminal, the second authentication message is sent by the user terminal upon confirming that the location information of the mobile terminal is consistent with the location information of the user terminal.
4. The method of claim 1, wherein recording the first identity authentication result of the user comprises:
judging whether the first location information lies within a permitted location range of the user;
if so, recording the first identity authentication result of the user; and
if not, discarding the first identity authentication result.
5. The method of claim 1, wherein authenticating the identity of the user according to the first location information and the second location information comprises:
when the second location information is the location information of the mobile terminal, determining that the identity authentication of the user passes if the first location information is consistent with the second location information; or,
when the second location information is the location information of the user terminal, determining that the identity authentication of the user passes if the location information of the user terminal lies within an area preconfigured in the gateway device in which the user is allowed to access resources, and the second location information is consistent with the first location information; or,
when the second location information is both the location information of the user terminal and the location information of the mobile terminal, determining that the identity authentication of the user passes if the location information of the user terminal lies within an area preconfigured in the gateway device in which the user is allowed to access resources, and the location information of the user terminal, the location information of the mobile terminal and the first location information are all consistent.
6. An identity authentication method, applied to a user terminal, comprising:
sending a first authentication message to a gateway device, wherein the first authentication message carries authentication information of a user;
receiving an identity authentication instruction sent by the gateway device after the user has been authenticated based on the authentication information, wherein the identity authentication instruction is used to instruct an authentication server to obtain user information, biometric information and location information of a mobile terminal of the user, and to authenticate the user according to the user information and the biometric information;
obtaining an identity authentication result of the user from the authentication server, wherein the identity authentication result carries the location information of the mobile terminal; and
sending a second authentication message to the gateway device, so that the gateway device authenticates the identity of the user according to first location information and second location information;
wherein the first location information is the location information of the mobile terminal carried in the identity authentication result that the authentication server sends to the gateway device after authenticating the user, and the second location information is the location information of the user terminal and/or the location information of the mobile terminal.
7. The method of claim 6, wherein sending the second authentication message to the gateway device comprises:
obtaining the location information of the user terminal; and
if the location information of the user terminal is consistent with the obtained location information of the mobile terminal, sending a second authentication message to the gateway device that carries only the location information of the mobile terminal.
8. The method of claim 6, wherein the identity authentication instruction is an authentication two-dimensional code that carries an access path of the authentication server; and
obtaining the identity authentication result of the user from the authentication server comprises:
obtaining the identity authentication result of the user from the authentication server according to the access path of the authentication server.
9. An identity authentication apparatus, disposed in a gateway device, the apparatus comprising:
a receiving module, configured to receive a first authentication message sent by a user terminal, wherein the first authentication message carries authentication information of a user;
a first authentication module, configured to authenticate the user based on the authentication information;
a sending module, configured to send an identity authentication instruction to the user terminal after the first authentication module has authenticated the user based on the authentication information, wherein the identity authentication instruction is used to instruct an authentication server to obtain user information, biometric information and location information of a mobile terminal of the user, and to authenticate the user according to the user information and the biometric information;
an obtaining module, configured to obtain and record a first identity authentication result of the user from the authentication server, wherein the first identity authentication result carries first location information, the first location information being the location information of the mobile terminal carried in the first identity authentication result after the authentication server has authenticated the user;
the receiving module being further configured to receive a second authentication message sent by the user terminal, wherein the second authentication message carries second location information, the second location information being the location information of the user terminal and/or the location information of the mobile terminal, and the location information of the mobile terminal in the second authentication message being obtained from a second identity authentication result that the user terminal obtains from the authentication server; and
a second authentication module, configured to authenticate the identity of the user according to the first location information and the second location information.
10. An identity authentication apparatus, disposed in a user terminal, the apparatus comprising:
a sending module, configured to send a first authentication message to a gateway device, wherein the first authentication message carries authentication information of a user;
a receiving module, configured to receive an identity authentication instruction sent by the gateway device after the user has been authenticated based on the authentication information, wherein the identity authentication instruction is used to instruct an authentication server to obtain user information, biometric information and location information of a mobile terminal of the user, and to authenticate the user according to the user information and the biometric information;
an obtaining module, configured to obtain an identity authentication result of the user from the authentication server, wherein the identity authentication result carries the location information of the mobile terminal; and
the sending module being further configured to send a second authentication message to the gateway device, so that the gateway device authenticates the identity of the user according to first location information and second location information;
wherein the first location information is the location information of the mobile terminal carried in the identity authentication result that the authentication server sends to the gateway device after authenticating the user, and the second location information is the location information of the user terminal and/or the location information of the mobile terminal.
CN202311659863.5A 2023-11-30 2023-11-30 Identity authentication method and device Pending CN117614726A (en)

Publications

Publication Number Publication Date
CN117614726A 2024-02-27

Family ID: 89949731


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination