CN118200058A - Multi-factor authentication method and system based on physical isolation channel - Google Patents


Info

Publication number
CN118200058A
Authority
CN
China
Prior art keywords
user
server
client
rolling code
information
Legal status
Pending
Application number
CN202410612485.3A
Other languages
Chinese (zh)
Inventor
严益强
赵颖
Current Assignee
Guangdong Planning and Designing Institute of Telecommunications Co Ltd
Original Assignee
Guangdong Planning and Designing Institute of Telecommunications Co Ltd


Abstract

The invention relates to the technical field of network security and discloses a multi-factor authentication method and system based on a physical isolation channel. The method comprises the following steps: when the client detects a server access request, it acquires the user information input by the user; the client generates a current login rolling code according to the user account and a preset rolling code generation algorithm; the user information and the current login rolling code are sent to the server over a preset physical isolation channel; and when the server has verified the user information and the current login rolling code, a data access channel between the server and the client is established and the user is authorized to access the server's data through it. The invention can therefore improve the security and reliability of authentication by using multiple factors, while the physical isolation channel improves authentication speed and reduces the risk of the authentication factors being intercepted, and authentication based on iris information allows contactless recognition, improving convenience and the user experience.

Description

Multi-factor authentication method and system based on physical isolation channel
Technical Field
The invention relates to the technical field of network security, in particular to a multi-factor authentication method and system based on a physical isolation channel.
Background
With the continuous development of the Internet and artificial intelligence, networking and informatization have gradually become part of everyday life and bring convenience in fields such as mobile payment, online education and the smart home. At the same time, the rapid growth of data volume, the increasing complexity of systems and the appearance of intelligent network attacks have confronted network and information security with unprecedented challenges.
In the prior art, two-factor authentication based on short message (SMS) verification codes is widely applied in the field of identity verification because of its convenience and security. However, with the appearance of diversified forms of network attack, the SMS verification code used by such a method is easily intercepted, and when the third-party SMS service is attacked over the network, service fluctuation is likely and may even affect the safe operation of the whole verification system. It is therefore important to provide a technical solution capable of improving the security of authentication.
Disclosure of Invention
The invention provides a multi-factor authentication method and system based on a physical isolation channel, which can be beneficial to improving the identity verification security.
In order to solve the technical problem, the first aspect of the present invention discloses a multi-factor authentication method based on a physical isolation channel, the method is applied to a multi-factor authentication system based on the physical isolation channel, the system comprises a client and a server, and the method comprises:
The client detects a server access request triggered by a user, and when the client detects the server access request, user information input by the user is obtained, wherein the user information comprises a user account, a user password and iris information;
The client generates a current login rolling code according to the user account and a preset rolling code generation algorithm, and displays the current login rolling code to the user;
After the client detects that the user inputs the current login rolling code, the client sends the user information and the current login rolling code to the server based on a preset physical isolation channel;
the server side receives the user information and the current login rolling code sent by the client side, and verifies the user information and the current login rolling code to obtain a verification result;
when the verification result shows that the user information and the current login rolling code meet preset login conditions, the server establishes a data access channel between the server and the client, and authorizes the user to access the data of the server through the data access channel.
As an alternative embodiment, in the first aspect of the present invention, the method further includes:
when the client receives a user registration request sent by a user, the client collects registration information of the user according to the user registration request, wherein the registration information comprises a registered user account, a registration password and registration iris information;
The client acquires a preset rolling code generation algorithm and generates an initial rolling code according to the registered user account, the rolling code generation algorithm and a randomly generated target random number;
the client sends the registration information and the initial rolling code to the server based on a preset physical isolation channel;
The server receives the registration information and the initial rolling code, and recognizes the received registration iris information to obtain registration iris characteristic information corresponding to the user;
The server verifies whether the received registered user account, the received registered password and the received initial rolling code meet preset validity conditions, and when the registered user account, the received registered password and the received initial rolling code meet the validity conditions, the server correlates the registered user account, the received registered password, the received initial rolling code and the received registered iris characteristic information to obtain and store a correlation information set of the user.
As an optional implementation manner, in the first aspect of the present invention, the verification result includes a first sub-verification result, a second sub-verification result, and a third sub-verification result, and the login condition includes a first sub-login condition, a second sub-login condition, and a third sub-login condition;
the server side verifies the user information and the current login rolling code to obtain a verification result, and the method comprises the following steps:
The server side determines a corresponding association information set of the user according to the user account, verifies whether the user account and the user password input by the user meet the first sub-login condition according to the registered user account and the registered password in the association information set, and obtains the first sub-verification result;
when the first sub-verification result indicates that the user account and the user password meet the first sub-login condition, the server verifies whether the current login rolling code meets the second sub-login condition according to the initial rolling code in the association information set, and the second sub-verification result is obtained;
and when the second sub-verification result indicates that the current login rolling code meets the second sub-login condition, the server verifies whether the iris information meets the third sub-login condition according to the registered iris characteristic information in the associated information set to obtain the third sub-verification result.
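The registration and the three-stage verification described above, as an added Go example that is not part of the patent: the preset rolling code generation algorithm (HMAC-SHA256 over the account and a per-login index), the validity conditions, the look-ahead window for the rolling code and the iris match threshold are all assumptions, since the patent does not fix them, and the iris feature codes are constructed sample data.

```go
package main

import (
	"bytes"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
	"math/bits"
)

const rollWindow, irisMaxHamming = 5, 24 // look-ahead window; max differing iris bits of 256 (assumptions)
// AssocSet is the association information set the server stores for a user at registration.
type AssocSet struct {
	PwdSalt, PwdHash, InitCode, IrisCode []byte
	Counter                              uint64 // index of the last accepted login rolling code
}

type Server map[string]*AssocSet

// Salted SHA-256 keeps the example inside the standard library; use a memory-hard KDF for real passwords.
func hashPassword(pwd string, salt []byte) []byte {
	h := sha256.Sum256(append(append([]byte{}, salt...), pwd...))
	return h[:]
}

// RollingCode is the assumed preset algorithm: HMAC-SHA256 keyed by the initial code over account and
// index, truncated to 8 hex characters so the user can read and re-enter it. The client increments n per login.
func RollingCode(initCode []byte, account string, n uint64) string {
	m := hmac.New(sha256.New, initCode)
	fmt.Fprintf(m, "%s:%d", account, n) // hash.Hash is an io.Writer
	return hex.EncodeToString(m.Sum(nil)[:4])
}

// Register plays both sides of registration: the client derives the initial rolling code from the account and
// a fresh target random number; the server applies validity conditions (assumed) and stores the association set.
func (s Server) Register(account, pwd string, irisFeat []byte) ([]byte, error) {
	if _, dup := s[account]; dup || account == "" || len(pwd) < 8 || len(irisFeat) != 32 {
		return nil, fmt.Errorf("registration for %q fails validity conditions", account)
	}
	buf := make([]byte, 48) // 32-byte target random number for the code, then a 16-byte password salt
	if _, err := rand.Read(buf); err != nil {
		return nil, err
	}
	m := hmac.New(sha256.New, buf[:32])
	m.Write([]byte(account))
	initCode := m.Sum(nil)
	s[account] = &AssocSet{PwdSalt: buf[32:], PwdHash: hashPassword(pwd, buf[32:]), InitCode: initCode, IrisCode: irisFeat}
	return initCode, nil
}

// hamming counts differing iris feature bits; callers must pass codes of equal length.
func hamming(a, b []byte) (d int) {
	for i := range a {
		d += bits.OnesCount8(a[i] ^ b[i])
	}
	return d
}

// Verify runs the three sub-verifications in the embodiment's fixed order and returns how many sub-login conditions
// were met (0 account/password, 1 rolling code, 2 iris, 3 = login granted). An accepted rolling code advances the
// counter even when the iris check then fails, so the same code cannot be replayed.
func (s Server) Verify(account, pwd, code string, iris []byte) int {
	u, ok := s[account]
	if !ok || subtle.ConstantTimeCompare(hashPassword(pwd, u.PwdSalt), u.PwdHash) != 1 {
		return 0
	}
	stage := 1
	for n := u.Counter + 1; n <= u.Counter+rollWindow && stage == 1; n++ {
		if subtle.ConstantTimeCompare([]byte(RollingCode(u.InitCode, account, n)), []byte(code)) == 1 {
			u.Counter, stage = n, 2
		}
	}
	if stage == 2 && len(iris) == len(u.IrisCode) && hamming(iris, u.IrisCode) <= irisMaxHamming {
		stage = 3
	}
	return stage
}

// SampleIris is a constructed 256-bit iris feature code filled with fill, with flips distinct bits
// flipped to imitate capture noise between enrolment and login (not real biometric data).
func SampleIris(fill byte, flips int) []byte {
	out := bytes.Repeat([]byte{fill}, 32)
	for i := 0; i < flips; i++ {
		out[i*37%256/8] ^= 1 << (i * 37 % 8)
	}
	return out
}

func main() {
	srv := Server{}
	initCode, err := srv.Register("alice", "correct-horse-battery", SampleIris(0x5A, 0))
	if err != nil {
		panic(err)
	}
	code := RollingCode(initCode, "alice", 1) // client side: first login, index 1
	fmt.Println("login:", srv.Verify("alice", "correct-horse-battery", code, SampleIris(0x5A, 10)), "replay:", srv.Verify("alice", "correct-horse-battery", code, SampleIris(0x5A, 0)))
}
```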
In an optional implementation manner, in a first aspect of the present invention, the sending, by the client, the user information and the current login rolling code to the server based on a preset physical isolation channel includes:
The client determines the security level requirements of the user, wherein the security level requirements comprise a first security level requirement or a second security level requirement;
When the security level requirements of the user include the first security level requirements, the client determines a device type of a user device used by the user to log in the client, wherein the device type includes a first device type or a second device type;
When the equipment type of the user equipment comprises the first equipment type, the client sends the user account, the user password and the current login rolling code to the server based on a preset first sub-physical isolation channel, and sends the iris information to the server based on a preset second sub-physical isolation channel, wherein the physical isolation channel comprises the first sub-physical isolation channel and the second sub-physical isolation channel; or
When the equipment type of the user equipment comprises the second equipment type, the client sends the user account, the user password and the current login rolling code to the server based on a preset third sub-physical isolation channel, and sends the iris information to the server based on a preset fourth sub-physical isolation channel, wherein the physical isolation channel comprises the third sub-physical isolation channel and the fourth sub-physical isolation channel; or
When the security level requirement of the user comprises the second security level requirement, the client sends the user information and the current login rolling code to the server based on a preset fifth sub-physical isolation channel, wherein the physical isolation channel comprises the fifth sub-physical isolation channel.
As an alternative embodiment, in the first aspect of the present invention, the method further includes:
the client acquires the current time and a preset encryption algorithm, and generates a synchronous code according to the current time;
The client generates a first dynamic key through a key generation algorithm according to the current time, a preset factory key and a preset seed code;
the client encrypts the user information and the current login rolling code according to the first dynamic key and the encryption algorithm to obtain encrypted data corresponding to the user information and the current login rolling code, and encapsulates the encrypted data together with the synchronous code to obtain an encapsulated data packet;
And the client sends the user information and the current login rolling code to the server based on a preset physical isolation channel, comprising:
the client sends the encapsulated data packet to the server based on a preset physical isolation channel;
and the server receives the user information and the current login rolling code sent by the client, and the method comprises the following steps:
The server receives the encapsulated data packet sent by the client, records the receiving time of the encapsulated data packet, and analyzes the encapsulated data packet to obtain the encrypted data and the synchronous code;
The server judges whether the synchronous code meets a preset aging verification condition according to the receiving time, and when the synchronous code meets the aging verification condition, the server generates a second dynamic key through the key generation algorithm according to the current time, the factory key and the seed code;
And the server decrypts the encrypted data according to the second dynamic key and a decryption algorithm corresponding to the encryption algorithm.
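The time-synchronized encapsulation of this embodiment, as an added Go example that is not from the patent: the key generation algorithm (HMAC-SHA256 over the factory key, seed code and synchronous code), AES-GCM as the preset encryption algorithm, the packet layout, the 30-second aging window and the replay cache are assumptions, and the factory key, seed code and payload are constructed values.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

const maxSkew = 30 * time.Second // aging verification window around the receive time (assumption)

// Secrets provisioned into the device and the server out of band (constructed sample values).
var factoryKey, seedCode = []byte("constructed-factory-key-sample"), []byte("constructed-seed-code")

// dynamicKey is the assumed key generation algorithm: HMAC-SHA256(factoryKey, seedCode || syncCode).
// The client and the server each derive it from the same synchronous code, so it changes every second.
func dynamicKey(syncCode uint64) []byte {
	var sc [8]byte
	binary.BigEndian.PutUint64(sc[:], syncCode)
	m := hmac.New(sha256.New, factoryKey)
	m.Write(seedCode)
	m.Write(sc[:])
	return m.Sum(nil)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encapsulate builds the packet the client sends: syncCode(8) || nonce(12) || AES-GCM ciphertext+tag.
// The synchronous code travels in clear but is bound as additional data, so altering it breaks decryption.
func Encapsulate(userInfoAndCode []byte, now time.Time) ([]byte, error) {
	syncCode := uint64(now.Unix())
	gcm, err := newGCM(dynamicKey(syncCode))
	if err != nil {
		return nil, err
	}
	pkt := make([]byte, 8+gcm.NonceSize(), 8+gcm.NonceSize()+len(userInfoAndCode)+gcm.Overhead())
	binary.BigEndian.PutUint64(pkt, syncCode)
	if _, err := rand.Read(pkt[8:]); err != nil { // fresh nonce: the key repeats within one second
		return nil, err
	}
	return gcm.Seal(pkt, pkt[8:], userInfoAndCode, pkt[:8]), nil
}

// Server keeps the (syncCode, nonce) prefixes it has already accepted; a packet repeated inside the
// skew window is otherwise indistinguishable from a fresh one. Entries older than maxSkew can be evicted.
type Server struct{ seen map[string]bool }

func NewServer() *Server { return &Server{seen: map[string]bool{}} }

// Decapsulate records the receive time, parses the packet, applies the aging verification condition,
// derives the second dynamic key from the received synchronous code and decrypts.
func (s *Server) Decapsulate(pkt []byte, recvTime time.Time) ([]byte, error) {
	if len(pkt) < 8+12+16 {
		return nil, errors.New("packet too short")
	}
	syncCode := binary.BigEndian.Uint64(pkt[:8])
	skew := recvTime.Sub(time.Unix(int64(syncCode), 0))
	if skew > maxSkew || skew < -maxSkew {
		return nil, fmt.Errorf("aging verification failed: skew %v", skew)
	}
	if s.seen[string(pkt[:20])] {
		return nil, errors.New("replayed packet")
	}
	gcm, err := newGCM(dynamicKey(syncCode))
	if err != nil {
		return nil, err
	}
	plain, err := gcm.Open(nil, pkt[8:20], pkt[20:], pkt[:8])
	if err != nil {
		return nil, errors.New("authentication or decryption failed")
	}
	s.seen[string(pkt[:20])] = true // mark only after a successful open, so junk cannot poison the cache
	return plain, nil
}

func main() {
	srv := NewServer()
	now := time.Now()
	pkt, err := Encapsulate([]byte("account=alice;rolling=3f9a2c1d"), now) // constructed payload
	if err != nil {
		panic(err)
	}
	plain, err := srv.Decapsulate(pkt, now.Add(2*time.Second))
	fmt.Printf("first delivery: %q, %v\n", plain, err)
	_, err = srv.Decapsulate(pkt, now.Add(3*time.Second))
	fmt.Println("replay:", err)
}
```

Because the dynamic key depends only on the synchronous code, every packet sent in the same second shares a key; the random nonce and the replay cache are what keep that acceptable.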
As an alternative embodiment, in the first aspect of the present invention, the method further includes:
The server end builds an initial iris recognition model based on a deep learning framework, wherein the initial iris recognition model comprises a convolution layer, a pooling layer and a full connection layer;
The server side trains the initial iris recognition model on a preprocessed data set to obtain a model training result, and calculates the model loss of the initial iris recognition model from the model training result, wherein the data set comprises a training data set, a validation data set and a test data set;
The server side carries out an importance assessment of the model parameters in the initial iris recognition model to obtain an importance assessment result, prunes the initial iris recognition model according to the importance assessment result, and obtains the pruned initial iris recognition model;
The server determines a teacher model corresponding to the pruned initial iris recognition model, and runs the training data set through the teacher model to obtain soft labels;
The server calculates a distillation loss from the soft labels and the model training result, and trains the pruned initial iris recognition model according to the model loss and the distillation loss to obtain a target iris recognition model;
And when the second sub-verification result indicates that the current login rolling code meets the second sub-login condition, the server verifies whether the iris information meets the third sub-login condition according to the registered iris feature information in the associated information set to obtain a third sub-verification result, which comprises:
And when the second sub-verification result indicates that the current login rolling code meets the second sub-login condition, the server verifies whether the iris information meets the third sub-login condition through the target iris recognition model according to the registered iris characteristic information in the associated information set to obtain a third sub-verification result.
As an alternative embodiment, in the first aspect of the present invention, the method further includes:
the client detects, at fixed intervals, a target operation of the user on the client;
The client judges whether the target operation meets a preset operation verification condition, and when the target operation meets the operation verification condition, the client displays an operation confirmation prompt to the user;
And the client detects whether a confirmation instruction of the user for the operation confirmation prompt is received within a preset time period; when the client does not receive the confirmation instruction within the preset time period, the client disconnects the data access channel between the server and the client and returns to the operation of detecting a server access request triggered by the user.
The second aspect of the invention discloses a multi-factor authentication system based on a physical isolation channel, which comprises a client and a server, wherein the client comprises a detection module, a generation module and a sending module, wherein:
The detection module is used for detecting a server access request triggered by a user, and acquiring user information input by the user when the server access request is detected, wherein the user information comprises a user account number, a user password and iris information;
The generation module is used for generating a current login rolling code according to the user account and a preset rolling code generation algorithm and displaying the current login rolling code to the user;
the sending module is used for sending the user information and the current login rolling code to the server side based on a preset physical isolation channel after detecting that the user inputs the current login rolling code;
the server side comprises a receiving module and a channel establishing module, wherein:
The receiving module is used for receiving the user information and the current login rolling code sent by the client and verifying the user information and the current login rolling code to obtain a verification result;
The channel establishing module is used for establishing a data access channel between the server side and the client side when the verification result shows that the user information and the current login rolling code meet preset login conditions, and authorizing the user to access the data of the server side through the data access channel.
As an optional implementation manner, in the second aspect of the present invention, the client further includes a collecting module, and a first obtaining module, where:
The collecting module is used for collecting the registration information of the user according to the user registration request when receiving the user registration request sent by the user, wherein the registration information comprises a registration user account, a registration password and registration iris information;
the first acquisition module is used for acquiring a preset rolling code generation algorithm and generating an initial rolling code according to the registered user account, the rolling code generation algorithm and a randomly generated target random number;
The sending module is further configured to send the registration information and the initial rolling code to the server based on a preset physical isolation channel;
The receiving module is further used for receiving the registration information and the initial rolling code, and identifying the received registration iris information to obtain registration iris characteristic information corresponding to the user;
The server side further comprises a verification module, wherein:
The verification module is used for verifying whether the received registered user account, the received registered password and the received initial rolling code meet preset validity conditions, and when the registered user account, the received registered password and the received initial rolling code meet the validity conditions, the registered user account, the received registered password, the received initial rolling code and the received registered iris characteristic information are subjected to information association to obtain and store an associated information set of the user.
As an optional implementation manner, in the second aspect of the present invention, the verification result includes a first sub-verification result, a second sub-verification result, and a third sub-verification result, and the login condition includes a first sub-login condition, a second sub-login condition, and a third sub-login condition;
The receiving module verifies the user information and the current login rolling code, and the method for obtaining the verification result specifically comprises the following steps:
determining a corresponding association information set of the user according to the user account, and verifying whether the user account and the user password input by the user meet the first sub-login condition according to the registered user account and the registered password in the association information set to obtain a first sub-verification result;
When the first sub-verification result indicates that the user account and the user password meet the first sub-login condition, verifying whether the current login rolling code meets the second sub-login condition according to the initial rolling code in the associated information set, and obtaining a second sub-verification result;
And when the second sub-verification result indicates that the current login rolling code meets the second sub-login condition, verifying whether the iris information meets the third sub-login condition according to the registered iris characteristic information in the associated information set to obtain the third sub-verification result.
In a second aspect of the present invention, the manner in which the sending module sends the user information and the current login rolling code to the server based on a preset physical isolation channel specifically includes:
determining a security level requirement of the user, the security level requirement comprising a first security level requirement or a second security level requirement;
When the security level requirements of the user comprise the first security level requirements, determining the equipment type of user equipment used by the user for logging in the client, wherein the equipment type comprises a first equipment type or a second equipment type;
When the equipment type of the user equipment comprises the first equipment type, transmitting the user account, the user password and the current login rolling code to the server side based on a preset first sub-physical isolation channel, and transmitting the iris information to the server side based on a preset second sub-physical isolation channel, wherein the physical isolation channel comprises the first sub-physical isolation channel and the second sub-physical isolation channel; or
When the equipment type of the user equipment comprises the second equipment type, transmitting the user account, the user password and the current login rolling code to the server side based on a preset third sub-physical isolation channel, and transmitting the iris information to the server side based on a preset fourth sub-physical isolation channel, wherein the physical isolation channel comprises the third sub-physical isolation channel and the fourth sub-physical isolation channel; or
When the security level requirement of the user comprises the second security level requirement, transmitting the user information and the current login rolling code to the server side based on a preset fifth sub-physical isolation channel, wherein the physical isolation channel comprises the fifth sub-physical isolation channel.
As an optional implementation manner, in the second aspect of the present invention, the client further includes a second obtaining module and an encrypting module, where:
The second acquisition module is used for acquiring the current time and a preset encryption algorithm and generating a synchronous code according to the current time;
The generation module is further configured to generate a first dynamic key according to the current time, a preset factory key and a preset seed code through a key generation algorithm;
The encryption module is used for encrypting the user information and the current login rolling code according to the first dynamic key and the encryption algorithm to obtain encrypted data corresponding to the user information and the current login rolling code, and for encapsulating the encrypted data together with the synchronous code to obtain an encapsulated data packet;
The mode of the sending module sending the user information and the current login rolling code to the server based on a preset physical isolation channel specifically comprises the following steps:
transmitting the encapsulated data packet to the server based on a preset physical isolation channel;
and the mode of the receiving module for receiving the user information and the current login rolling code sent by the client specifically comprises the following steps:
receiving the encapsulated data packet sent by the client, recording the receiving time of the encapsulated data packet, and analyzing the encapsulated data packet to obtain the encrypted data and the synchronous code;
judging whether the synchronous code meets a preset aging check condition according to the receiving time, and generating a second dynamic key through the key generation algorithm according to the current time, the factory key and the seed code when the synchronous code meets the aging check condition;
and decrypting the encrypted data according to the second dynamic key and a decryption algorithm corresponding to the encryption algorithm.
As an optional implementation manner, in the second aspect of the present invention, the server side further includes a building module, a model training module, an evaluation module, a determination module, and a distillation module, where:
The construction module is used for constructing an initial iris recognition model based on the deep learning framework, wherein the initial iris recognition model comprises a convolution layer, a pooling layer and a full connection layer;
The model training module is used for training the initial iris recognition model on a preprocessed data set to obtain a model training result, and for calculating the model loss of the initial iris recognition model from the model training result, wherein the data set comprises a training data set, a validation data set and a test data set;
The evaluation module is used for carrying out an importance evaluation of the model parameters in the initial iris recognition model to obtain an importance evaluation result, and for pruning the initial iris recognition model according to the importance evaluation result to obtain the pruned initial iris recognition model;
the determining module is used for determining a teacher model corresponding to the pruned initial iris recognition model, and for running the training data set through the teacher model to obtain soft labels;
The distillation module is used for calculating a distillation loss from the soft labels and the model training result, and for training the pruned initial iris recognition model according to the model loss and the distillation loss to obtain a target iris recognition model;
And when the second sub-verification result indicates that the current login rolling code meets the second sub-login condition, the receiving module verifies whether the iris information meets the third sub-login condition according to the registered iris characteristic information in the associated information set, and the method for obtaining the third sub-verification result specifically comprises the following steps:
and when the second sub-verification result indicates that the current login rolling code meets the second sub-login condition, verifying whether the iris information meets the third sub-login condition or not through the target iris recognition model according to the registered iris characteristic information in the associated information set to obtain a third sub-verification result.
As an optional implementation manner, in the second aspect of the present invention, the detection module is further configured to detect, at regular time, a target operation of the user on the client;
the client also comprises a judging module, wherein:
the judging module is used for judging whether the target operation meets a preset operation verification condition, and for displaying an operation confirmation prompt to the user when the target operation meets the operation verification condition;
The detection module is further used for detecting whether a confirmation instruction of the user for the operation confirmation prompt is received within a preset time period, for disconnecting the data access channel between the server side and the client side when the confirmation instruction is not received within the preset time period, and for then returning to the operation of detecting a server access request triggered by the user.
The third aspect of the invention discloses a multi-factor authentication device based on a physical isolation channel, which comprises:
a memory storing executable program code;
A processor coupled to the memory;
The processor invokes the executable program code stored in the memory to execute the multi-factor authentication method based on the physical isolation channel disclosed in the first aspect of the present invention.
A fourth aspect of the invention discloses a computer storage medium storing computer instructions for performing the physically isolated channel-based multi-factor authentication method disclosed in the first aspect of the invention when called.
Compared with the prior art, the embodiment of the invention has the following beneficial effects:
In the embodiment of the invention, when a client detects a server access request, it acquires the user information input by the user; the client generates a current login rolling code according to the user account and a preset rolling code generation algorithm; after the client detects that the user has input the current login rolling code, it sends the user information and the current login rolling code to the server over a preset physical isolation channel; and when the server has verified the user information and the current login rolling code, a data access channel between the server and the client is established and the user is authorized to access the server's data through it. The invention can therefore carry out three-factor authentication of the user identity based on the user account and password, the dynamically generated rolling code and the user's iris information, improving the security and reliability of authentication. At the same time, the physical isolation channel improves authentication speed and reduces the risk of the authentication factors being intercepted, and authentication based on iris information allows contactless recognition, improving convenience and the user experience.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings required for the description of the embodiments will be briefly described below, and it is apparent that the drawings in the following description are only some embodiments of the present invention, and other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
FIG. 1 is a schematic flow chart of a multi-factor authentication method based on a physical isolation channel according to an embodiment of the present invention;
FIG. 2 is a flow chart of another multi-factor authentication method based on a physical isolation channel according to an embodiment of the present invention;
FIG. 3 is a schematic diagram of a multi-factor authentication system based on a physically isolated channel according to an embodiment of the present invention;
FIG. 4 is a schematic diagram of a configuration of another multi-factor authentication system based on physically isolated channels according to an embodiment of the present invention;
FIG. 5 is a schematic structural diagram of a multi-factor authentication device based on a physical isolation channel according to an embodiment of the present invention.
Detailed Description
In order that those skilled in the art will better understand the present invention, the technical solution in the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings. It is apparent that the described embodiments are only some embodiments of the present invention, not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
The terms first, second and the like in the description and in the claims and in the above-described figures are used for distinguishing between different objects and not necessarily for describing a sequential or chronological order. Furthermore, the terms "comprise" and "have," as well as any variations thereof, are intended to cover a non-exclusive inclusion. For example, a process, method, apparatus, or article that comprises a list of steps or elements is not limited to only those listed but may optionally include other steps or elements not listed or inherent to such process, method, apparatus, or article.
Reference herein to "an embodiment" means that a particular feature, structure, or characteristic described in connection with the embodiment may be included in at least one embodiment of the invention. The appearances of such phrases in various places in the specification are not necessarily all referring to the same embodiment, nor are separate or alternative embodiments mutually exclusive of other embodiments. Those of skill in the art will explicitly and implicitly appreciate that the embodiments described herein may be combined with other embodiments.
The invention discloses a multi-factor authentication method and system based on a physical isolation channel, which can perform three-factor authentication on a user identity based on a user account password, a dynamically generated rolling code and user iris information, improving the safety and reliability of identity authentication; at the same time, the physical isolation channel can improve the authentication speed and reduce the risk of interception of authentication factors, and authentication based on iris information enables non-contact recognition, improving authentication convenience and the user experience. The following will describe in detail.
Example 1
Referring to fig. 1, fig. 1 is a flow chart of a multi-factor authentication method based on a physical isolation channel according to an embodiment of the present invention. The multi-factor authentication method based on the physical isolation channel described in fig. 1 may be applied to a multi-factor authentication system based on the physical isolation channel, where the multi-factor authentication system based on the physical isolation channel may include a client and a server, where a user may access data of the server through the client, the server may include an intelligent server or an intelligent platform for verifying identity information of the user, and the intelligent server includes a local server or a cloud server. As shown in fig. 1, the multi-factor authentication method based on the physical isolation channel may include the following operations:
101. the client detects a server access request triggered by a user, and when the client detects the server access request, user information input by the user is obtained, wherein the user information comprises a user account number, a user password and iris information.
In the embodiment of the invention, optionally, a user can access the server through the client. The client can comprise application software corresponding to the server, an applet corresponding to the server, or a web page corresponding to the server, and the user can log in to the client through a device such as a smartphone, a tablet or a computer. The client provides an intuitive and easy-to-use interface for the user that at least comprises functions such as a login window and authentication request submission; the user interacts through the interface to input their own identity authentication information, and the interface can also display the authentication state and authentication result of the user and any error information that occurs during the authentication process. The interface can also provide multiple language support, and the invention is not limited in this respect.
In the embodiment of the invention, optionally, when the client detects the server access request, user information input by the user is obtained, wherein the user information comprises a user account, a user password and iris information, and the iris information of the user can be acquired through equipment logged in the client.
102. And the client generates a current login rolling code according to the user account and a preset rolling code generation algorithm, and displays the current login rolling code to the user.
In the embodiment of the invention, optionally, when the user registers the account, the server determines the corresponding rolling code generation algorithm, generates the initial rolling code according to the account registered by the user and the rolling code generation algorithm, stores the initial rolling code, and synchronizes the rolling code generation algorithm to the client, namely the client and the server share the same rolling code generation algorithm.
103. After the client detects that the user inputs the current login rolling code, the client sends the user information and the current login rolling code to the server based on a preset physical isolation channel.
In the embodiment of the present invention, optionally, when the user finishes inputting the user account number and the user password, the client displays the generated current login rolling code to the user, where the display mode includes voice display and/or text information display, and the preset physical isolation channel may include an optical fiber broadband channel plus a 5G channel, or a 5G channel plus a second 5G channel.
104. The server receives the user information and the current login rolling code sent by the client, and verifies the user information and the current login rolling code to obtain a verification result.
In the embodiment of the invention, optionally, when receiving the user information and the current login rolling code sent by the client, the server side can perform preliminary verification on the user information and the current login rolling code, including integrity verification, legality verification and the like, and proceed to identity verification only when the preliminary verification passes, so that malicious attacks such as brute-force cracking, botnet attacks and the like can be prevented.
105. When the verification result shows that the user information and the current login rolling code meet the preset login condition, the server side establishes a data access channel between the server side and the client side, and authorizes the user to access the data of the server side through the data access channel.
In the embodiment of the invention, optionally, when the verification result indicates that the user information and the current login rolling code meet the preset login condition, that is, the user account and the user password pass verification, the current login rolling code passes verification and the iris information passes verification, the server establishes a data access channel between the server and the client, and authorizes the user to access the data of the server through the data access channel.
In the embodiment of the invention, optionally, when the verification result indicates that the user information and the current login rolling code meet the preset login condition, the server side can determine a trust score of the user according to the user information and the current login rolling code, record the authentication record of the user, and store the user information, the trust score and the authentication record in a database. Further optionally, encryption and/or access control can be applied to the database to prevent unauthorized access, and the database can back up and recover the stored data, reducing the occurrence of the condition in which identity authentication cannot be performed due to system failure or data loss.
In the embodiment of the invention, a security layer can be optionally arranged for a multi-factor authentication system based on a physical isolation channel and is responsible for ensuring the security of data transmission and storage of the whole system, and particularly, security measures such as encryption, firewall, intrusion detection and the like can be implemented for the system, so that the probability of illegal acquisition or tampering of data in the transmission and storage processes is reduced, and measures for preventing network attacks such as DDoS attack, SQL injection and the like are added for the system.
It can be seen that, by implementing the multi-factor authentication method based on the physical isolation channel described in fig. 1, user information input by a user is obtained when the client detects a server access request; the client generates a current login rolling code according to a user account number and a preset rolling code generation algorithm; after the client detects that the user has input the current login rolling code, the client sends the user information and the current login rolling code to the server based on the preset physical isolation channel; and when the server verifies the user information and the current login rolling code, a data access channel between the server and the client is established and the user is authorized to access data of the server through the data access channel. Three-factor authentication can thus be performed on the user identity based on the user account number and password, the dynamically generated rolling code and the user iris information, so that the security and reliability of identity authentication are improved; meanwhile, the physical isolation channel can improve the authentication speed and reduce the risk of interception of authentication factors, and authentication based on iris information enables non-contact recognition, improving authentication convenience and the user experience.
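The page leaves the rolling code generation algorithm itself unspecified. The following Python sketch is an added illustration, not code from the patent: it models steps 102, 104, 202 and 205 under one assumption, namely that the initial rolling code is derived from the registered account and the target random number, and that each login code is an HMAC over a monotonically increasing counter keyed with that initial rolling code. Because client and server share the algorithm and the initial code, the server can verify a presented code by stepping its own counter forward within a look-ahead window, and a code at or behind the last accepted counter is rejected as a replay. The window size, the six-digit truncation and the SHA-256 choice are assumed parameters.

```python
import hashlib
import hmac
import struct

# Assumed resynchronisation window: how many counter steps ahead of the last
# accepted value the server will still accept (hypothetical parameter).
LOOKAHEAD_WINDOW = 5


def generate_initial_rolling_code(account: str, target_random_number: int) -> bytes:
    """Registration analogue: derive the initial rolling code from the registered
    account and a random number (the page allows the current time as that number).
    SHA-256 stands in for the unspecified rolling code generation algorithm."""
    material = account.encode("utf-8") + struct.pack(">Q", target_random_number)
    return hashlib.sha256(material).digest()


def rolling_code_algorithm(initial_rolling_code: bytes, counter: int) -> str:
    """Assumed rolling code algorithm shared by client and server: an HMAC over a
    counter, keyed with the initial rolling code and truncated to six decimal
    digits so it can be shown to (and typed by) the user."""
    digest = hmac.new(initial_rolling_code, struct.pack(">Q", counter), hashlib.sha256).digest()
    return "%06d" % (int.from_bytes(digest[:4], "big") % 1_000_000)


class Client:
    """Client side: holds the account's initial rolling code and a login counter."""

    def __init__(self, account: str, initial_rolling_code: bytes) -> None:
        self.account = account
        self.initial_rolling_code = initial_rolling_code
        self.counter = 0

    def current_login_rolling_code(self) -> str:
        # Login analogue: every login advances the counter, so the code "rolls".
        self.counter += 1
        return rolling_code_algorithm(self.initial_rolling_code, self.counter)


class Server:
    """Server side: stores the initial rolling code and the last accepted counter."""

    def __init__(self) -> None:
        self.records: dict = {}

    def register(self, account: str, initial_rolling_code: bytes) -> None:
        # Persist the initial rolling code together with the account.
        self.records[account] = {"initial": initial_rolling_code, "last_counter": 0}

    def verify_rolling_code(self, account: str, presented: str) -> bool:
        """Accept a code only if it lies strictly ahead of the last accepted
        counter and inside the look-ahead window; anything at or behind the last
        accepted counter is treated as a replay and rejected."""
        record = self.records.get(account)
        if record is None:
            return False
        start = record["last_counter"] + 1
        for candidate in range(start, start + LOOKAHEAD_WINDOW):
            expected = rolling_code_algorithm(record["initial"], candidate)
            if hmac.compare_digest(expected, presented):
                record["last_counter"] = candidate  # advance: old codes are now dead
                return True
        return False


if __name__ == "__main__":
    # Constructed walk-through: registration, one login, then a replay attempt.
    server = Server()
    initial = generate_initial_rolling_code("alice", 1_700_000_000)
    server.register("alice", initial)
    client = Client("alice", initial)
    code = client.current_login_rolling_code()
    print("first login accepted:", server.verify_rolling_code("alice", code))
    print("replay of same code :", server.verify_rolling_code("alice", code))
```

The look-ahead window is what lets the two sides tolerate a few skipped logins (a code generated but never submitted) without a full resynchronisation; make it as small as the expected loss rate allows, since each extra step is one more code an attacker could guess against.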
In an alternative embodiment, the client side transmitting the user information and the current login rolling code to the server side based on the preset physical isolation channel may include the following operations:
The client determines the security level requirements of the user, wherein the security level requirements comprise a first security level requirement or a second security level requirement;
When the security level requirements of the user comprise first security level requirements, the client determines the equipment type of the user equipment used for logging in the client by the user, wherein the equipment type comprises a first equipment type or a second equipment type;
When the equipment type of the user equipment comprises the first equipment type, the client side sends the user account number, the user password and the current login rolling code to the server side based on a preset first sub-physical isolation channel, and sends the iris information to the server side based on a preset second sub-physical isolation channel, wherein the physical isolation channel comprises the first sub-physical isolation channel and the second sub-physical isolation channel; or
When the equipment type of the user equipment comprises the second equipment type, the client side sends the user account number, the user password and the current login rolling code to the server side based on a preset third sub-physical isolation channel, and sends the iris information to the server side based on a preset fourth sub-physical isolation channel, wherein the physical isolation channel comprises the third sub-physical isolation channel and the fourth sub-physical isolation channel; or
When the security level requirement of the user comprises the second security level requirement, the client sends the user information and the current login rolling code to the server based on a preset fifth sub-physical isolation channel, wherein the physical isolation channel comprises the fifth sub-physical isolation channel.
In this optional embodiment, optionally, the security level requirement of the user may include a first security level requirement or a second security level requirement, where the first security level requirement is higher than the second security level requirement. When the security level requirement of the user includes the first security level requirement, the client determines the device type of the user device used for logging in to the client, where the device type may include a first device type or a second device type. A device corresponding to the first device type can perform wired broadband communication plus 5G wireless communication, and may include a PC such as a notebook, or a server-type terminal. In this case the client sends the user account number, the user password and the current login rolling code to the server based on a preset first sub-physical isolation channel, and sends the iris information to the server based on a preset second sub-physical isolation channel, where the physical isolation channel includes the first sub-physical isolation channel and the second sub-physical isolation channel; one of the two sub-physical isolation channels may include a wired broadband channel and the other may include a 5G wireless channel, and the 5G wireless channel may include the 5G wireless network of any operator such as China Telecom, China Mobile, China Unicom or China Radio. This embodiment is not limited in this respect.
In this optional embodiment, optionally, a device corresponding to the second device type can perform first 5G wireless communication plus second 5G wireless communication, and may include an intelligent communication device supporting dual-SIM dual-standby, such as a smartphone or a smart tablet. In this case the client sends the user account number, the user password and the current login rolling code to the server based on a preset third sub-physical isolation channel, and sends the iris information to the server based on a preset fourth sub-physical isolation channel, where the physical isolation channel includes the third sub-physical isolation channel and the fourth sub-physical isolation channel; the third sub-physical isolation channel may include the first 5G wireless channel and the fourth sub-physical isolation channel may include the second 5G wireless channel. The first 5G wireless channel and the second 5G wireless channel may each be the 5G wireless network of any operator such as China Telecom, China Mobile, China Unicom or China Radio, and the two may be 5G wireless networks of the same operator or of different operators. This embodiment is not limited in this respect.
In this optional embodiment, optionally, when the security level requirement of the user includes the second security level requirement, the client sends the user information and the current login rolling code to the server based on a preset fifth sub-physical isolation channel, where the physical isolation channel includes a fifth sub-physical isolation, and the fifth sub-physical isolation may include a single 5G wireless channel, and this embodiment is not limited.
Therefore, by implementing the alternative embodiment, different authentication factors can be isolated and transmitted based on the wired broadband communication +5G wireless communication or the dual-channel physical isolation channel of the 5G wireless communication +5G wireless communication, the network transmission safety can be effectively improved while the high transmission speed of the 5G network is fully utilized, the physical isolation of the authentication factor transmission channel is realized, and the safety and the authentication speed of multi-factor authentication are further improved.
In another alternative embodiment, the physically isolated channel-based multi-factor authentication method may further include the operations of:
the client acquires the current time and a preset encryption algorithm, and generates a synchronous code according to the current time;
the client generates a first dynamic secret key through a secret key generation algorithm according to the current time, a preset factory secret key and a preset seed code;
the client encrypts the user information and the current login rolling code according to the first dynamic key and the encryption algorithm to obtain encrypted data corresponding to the user information and the current login rolling code, and encapsulates the encrypted data and the synchronous code to obtain an encapsulated data packet;
And the client transmitting the user information and the current login rolling code to the server based on the preset physical isolation channel may include the following operations:
The client sends the encapsulated data packet to the server based on a preset physical isolation channel;
and the server receiving the user information and the current login rolling code sent by the client may include the following operations:
the server receives the encapsulated data packet sent by the client, records the receiving time of the encapsulated data packet, and analyzes the encapsulated data packet to obtain encrypted data and a synchronous code;
The server judges whether the synchronous code meets the preset aging check condition according to the receiving time, and when the synchronous code meets the aging check condition, the server generates a second dynamic key through a key generation algorithm according to the current time, the factory key and the seed code;
and the server decrypts the encrypted data according to the second dynamic key and a decryption algorithm corresponding to the encryption algorithm.
In this optional embodiment, optionally, the encryption algorithm may include the Advanced Encryption Standard (AES), the Data Encryption Standard (DES), and the like; the synchronous code may be generated according to the current time, or according to a random number generated in advance; and the key generation algorithm may include a hash function. The client may encrypt the user information and the current login rolling code according to the first dynamic key and the encryption algorithm to obtain encrypted data corresponding to the user information and the current login rolling code, encapsulate the encrypted data and the synchronous code to obtain an encapsulated data packet, and send the encapsulated data packet to the server based on the preset physical isolation channel. This embodiment is not limited in this respect.
In this optional embodiment, optionally, the server may determine whether the synchronous code meets the preset aging check condition according to the receiving time of the received encapsulated data packet. Specifically, it may determine whether the time difference between the receiving time and the current time corresponding to the synchronous code is greater than a preset duration threshold; when the time difference is greater than the preset duration threshold, the synchronous code is determined not to meet the aging check condition, and the decryption process is terminated. When the synchronous code meets the aging check condition, the server generates a second dynamic key through the key generation algorithm according to the current time, the factory key and the seed code, and decrypts the encrypted data according to the second dynamic key and the decryption algorithm corresponding to the encryption algorithm. This embodiment is not limited in this respect.
Therefore, by implementing the alternative embodiment, a plurality of authentication factors can be encrypted and transmitted, timeliness of transmitted information is verified based on the synchronous codes, the received data packet can be ensured to be latest and effective, probability of replay attack and reception of outdated data is reduced, generation of a dynamic secret key ensures that each encryption/decryption process is unique, safety of data transmission is further improved, and reliability and safety of identity authentication are improved.
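To make the dynamic key synchronisation and the aging check above concrete, here is an added Python model of both sides; it is not code from the patent. AES is replaced by a stdlib-only HMAC-SHA256 counter-mode keystream with an encrypt-then-MAC tag so the example runs without third-party packages, and the factory key, seed code, nonce length and 30-second aging threshold are constructed placeholders. One design point the text leaves implicit: the server derives its second dynamic key from the time carried in the synchronous code rather than from its own clock, otherwise the two keys would only match if both clocks happened to be on the same second. The aging check then bounds how far that carried time may lag the receiving time, and a nonce cache rejects a packet replayed inside that window, which the threshold alone does not.

```python
import hashlib
import hmac
import json
import os
import struct

# Constructed placeholders for the factory key and seed code that the page assumes
# both sides were provisioned with (not real values; keep the real ones in secure storage).
FACTORY_KEY = b"factory-key-placeholder-not-real"
SEED_CODE = b"seed-code-placeholder-not-real"

AGING_THRESHOLD_SECONDS = 30  # assumed "preset duration threshold"
NONCE_LEN = 16
TAG_LEN = 32


def generate_sync_code(current_time: float) -> int:
    """Synchronous code derived from the current time, at whole-second granularity."""
    return int(current_time)


def key_generation_algorithm(sync_code: int, factory_key: bytes, seed_code: bytes) -> bytes:
    """Dynamic key = hash(time || factory key || seed code); the page allows a hash
    function as the key generation algorithm."""
    return hashlib.sha256(struct.pack(">q", sync_code) + factory_key + seed_code).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode: a stdlib stand-in for the AES cipher named on the page.
    blocks, counter = [], 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hmac.new(key, nonce + struct.pack(">I", counter), hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC; output layout is nonce || ciphertext || tag."""
    nonce = os.urandom(NONCE_LEN)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time tag comparison
        raise ValueError("authentication tag mismatch")
    return bytes(c ^ k for c, k in zip(ciphertext, _keystream(key, nonce, len(ciphertext))))


def client_build_packet(user_info: dict, rolling_code: str, current_time: float) -> dict:
    """Client side: first dynamic key, encrypt user info plus rolling code, then
    encapsulate the encrypted data together with the synchronous code."""
    sync_code = generate_sync_code(current_time)
    first_dynamic_key = key_generation_algorithm(sync_code, FACTORY_KEY, SEED_CODE)
    payload = json.dumps({"user_info": user_info, "rolling_code": rolling_code}).encode()
    return {"sync_code": sync_code, "encrypted_data": encrypt(first_dynamic_key, payload).hex()}


class ServerReceiver:
    """Server side: aging check, replay check, second dynamic key, decrypt."""

    def __init__(self) -> None:
        self.seen_nonces = set()  # in practice pruned once older than the aging window

    def open_packet(self, packet: dict, receive_time: float):
        sync_code = packet["sync_code"]
        # Aging check: a packet whose carried time lags the receiving time by more
        # than the threshold is dropped without any decryption work.
        if abs(receive_time - sync_code) > AGING_THRESHOLD_SECONDS:
            return None
        blob = bytes.fromhex(packet["encrypted_data"])
        nonce = blob[:NONCE_LEN]
        if nonce in self.seen_nonces:  # replayed inside the window
            return None
        second_dynamic_key = key_generation_algorithm(sync_code, FACTORY_KEY, SEED_CODE)
        try:
            payload = decrypt(second_dynamic_key, blob)
        except ValueError:
            return None  # tampered or wrong key: treat as verification failure
        self.seen_nonces.add(nonce)
        return json.loads(payload)


if __name__ == "__main__":
    # Constructed demo: one fresh packet, then the same packet replayed.
    receiver = ServerReceiver()
    pkt = client_build_packet({"account": "alice", "password": "pw"}, "123456", 1_700_000_000.0)
    print("fresh :", receiver.open_packet(pkt, 1_700_000_005.0))
    print("replay:", receiver.open_packet(pkt, 1_700_000_006.0))
```

Note that the iris template is part of the encrypted payload here, exactly as the page's user information is; in a deployment the keystream stand-in would be swapped for AES-GCM and the factory key would never be hard-coded.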
In yet another alternative embodiment, the physically isolated channel-based multi-factor authentication method may further comprise the operations of:
The client periodically detects a target operation of the user on the client;
the client judges whether the target operation meets the preset operation verification condition, and when the target operation meets the operation verification condition, the client displays operation confirmation reminding information to the user;
The client detects whether a confirmation instruction of a user for operation confirmation reminding information is received within a preset time period, and when the client does not receive the confirmation instruction within the preset time period, the client disconnects a data access channel between the server and the client and triggers and executes operation of detecting a server access request triggered by the user.
In this optional embodiment, optionally, the period at which the target operation of the user on the client is detected may be set by the user, or may be set according to the trust level of the user. The target operation of the user on the client may include the operation of the user on at least one device such as a keyboard, a mouse or a touch screen, and the client judging whether the target operation meets the preset operation verification condition may include the client judging whether the user has operated at least one such device within a preset duration; when the user has not operated the keyboard, mouse, touch screen or similar device for the preset duration, the client displays operation confirmation reminding information to the user, where the operation confirmation reminder is used to verify whether the client is within the operable range of the user. When the client does not receive a confirmation instruction of the user for the operation confirmation reminding information within the preset time, the client is not within the operable range of the user, that is, the user has left the client for a long time; at this moment the client disconnects the data access channel between the server and the client, and when the user needs to access the server again, identity authentication must be performed again. The preset time can be set by the user or automatically according to the trust level of the user; the minimum value of the frequency for detecting the target operation of the user on the client and the maximum value of the preset time can be limited based on the trust level of the user, and optionally, when the trust level of the user is greater than a preset trust level threshold, the minimum value of the frequency for detecting the target operation can be reduced and the maximum value of the preset time can be increased. The present embodiment is not limited in this respect.
It can be seen that, by implementing this optional embodiment, the client can periodically detect the target operation of the user on the client, judge whether the target operation meets the preset operation verification condition, display operation confirmation reminding information to the user when the target operation meets the operation verification condition, and detect whether a confirmation instruction of the user for the operation confirmation reminding information is received within the preset duration; when the client does not receive the confirmation instruction within the preset duration, the client disconnects the data access channel between the server and the client and triggers execution of the operation of detecting a server access request triggered by the user. Access of the client to the server can thus be stopped when the user leaves the client for a long time, reducing the probability that someone else performs malicious operations on the user's client while the user is away from it for a long time, and improving the security of user access to server data.
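The idle-detection logic above can be written as a small state machine. The following Python sketch is an added illustration, not the patent's code: the check interval, idle limit, confirmation timeout and trust-level threshold are assumed values, and the clock and the disconnect callback are injected so the behaviour can be exercised without a real timer or a real data access channel.

```python
from typing import Callable, Optional

# Assumed parameters (the page leaves the actual values to the user or the trust level).
DEFAULT_CHECK_INTERVAL = 60.0   # seconds between checks for keyboard/mouse/touch input
DEFAULT_IDLE_LIMIT = 300.0      # "preset duration" with no input before the reminder
DEFAULT_CONFIRM_TIMEOUT = 60.0  # "preset time" to answer the confirmation reminder
TRUST_THRESHOLD = 80            # assumed "preset trust level threshold"


def parameters_for_trust(trust_level: int) -> dict:
    """Above the trust threshold the client checks less often and gives the user
    longer to confirm, matching the page's relaxation for trusted users."""
    if trust_level > TRUST_THRESHOLD:
        return {
            "check_interval": DEFAULT_CHECK_INTERVAL * 2,
            "idle_limit": DEFAULT_IDLE_LIMIT,
            "confirm_timeout": DEFAULT_CONFIRM_TIMEOUT * 2,
        }
    return {
        "check_interval": DEFAULT_CHECK_INTERVAL,
        "idle_limit": DEFAULT_IDLE_LIMIT,
        "confirm_timeout": DEFAULT_CONFIRM_TIMEOUT,
    }


class IdleWatchdog:
    """States: ACTIVE -> PROMPTED (reminder shown) -> DISCONNECTED (channel torn down)."""

    def __init__(self, now: Callable[[], float], disconnect: Callable[[], None],
                 check_interval: float, idle_limit: float, confirm_timeout: float) -> None:
        self.now = now                    # injected clock
        self.disconnect = disconnect      # tears down the data access channel
        self.check_interval = check_interval
        self.idle_limit = idle_limit
        self.confirm_timeout = confirm_timeout
        self.last_input = now()
        self.next_check = self.last_input + check_interval
        self.prompt_time: Optional[float] = None
        self.state = "ACTIVE"

    def record_input(self) -> None:
        """Called on any keyboard, mouse or touch-screen operation."""
        self.last_input = self.now()

    def confirm(self) -> None:
        """The user's confirmation instruction for the reminder."""
        if self.state == "PROMPTED":
            self.state = "ACTIVE"
            self.prompt_time = None
            self.last_input = self.now()

    def tick(self) -> str:
        """Driven by the client's periodic timer; returns the action taken."""
        t = self.now()
        if self.state == "DISCONNECTED":
            return "disconnected"
        if self.state == "PROMPTED":
            if t - self.prompt_time >= self.confirm_timeout:
                self.state = "DISCONNECTED"
                self.disconnect()          # user absent: drop the channel, re-authenticate later
                return "disconnect"
            return "waiting"
        if t < self.next_check:
            return "none"
        self.next_check = t + self.check_interval
        if t - self.last_input >= self.idle_limit:
            self.state = "PROMPTED"        # show the operation confirmation reminder
            self.prompt_time = t
            return "prompt"
        return "none"


if __name__ == "__main__":
    # Constructed simulation with a fake clock instead of a real timer.
    clock = {"t": 0.0}
    params = parameters_for_trust(50)
    wd = IdleWatchdog(lambda: clock["t"], lambda: print("channel disconnected"), **params)
    for t in (100, 420, 490):
        clock["t"] = float(t)
        print(t, wd.tick())
```

Confirmation is deliberately a separate signal from ordinary input: the reminder asks whether the user is still within reach of the client, so a stray keypress should not silently answer it.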
Example 2
Referring to fig. 2, fig. 2 is a flow chart of a multi-factor authentication method based on a physical isolation channel according to an embodiment of the present invention. The multi-factor authentication method based on the physical isolation channel described in fig. 2 may be applied to a multi-factor authentication system based on the physical isolation channel, where the multi-factor authentication system based on the physical isolation channel may include a client and a server, where a user may access data of the server through the client, the server may include an intelligent server or an intelligent platform for verifying identity information of the user, and the intelligent server includes a local server or a cloud server. As shown in fig. 2, the multi-factor authentication method based on the physical isolation channel may include the following operations:
201. when receiving a user registration request sent by a user, the client collects registration information of the user according to the user registration request, wherein the registration information comprises a registration user account number, a registration password and registration iris information.
In the embodiment of the invention, optionally, before the user registers, the server side can determine a rolling code generation algorithm for generating a rolling code, and the server side provides the client side with interfaces for registering, logging in and acquiring the rolling code generation algorithm. When the client side receives a user registration request sent by the user, the client side collects registration information of the user according to the user registration request; the registration information comprises a registration user account number, a registration password and registration iris information, wherein the registration user account number and the registration password are required to meet a preset user account number setting rule and a preset password setting rule, and the registration iris information can comprise registration iris information of a single eye of the user or of both eyes of the user. In order to ensure the integrity and accuracy of the acquired iris information, the client side prompts and guides the user to adjust the distance and/or angle between the eyes and the device according to the posture of the user when the iris information is acquired.
202. The client acquires a preset rolling code generation algorithm, and generates an initial rolling code according to the account number of the registered user, the rolling code generation algorithm and the randomly generated target random number.
In the embodiment of the present invention, optionally, the client may acquire a preset rolling code generation algorithm through an interface provided by the server, and generate an initial rolling code according to the registered user account, the rolling code generation algorithm and the randomly generated target random number, where the randomly generated target random number may include the current time.
203. The client side sends the registration information and the initial rolling code to the server side based on a preset physical isolation channel.
204. The server receives the registration information and the initial rolling code, and recognizes the received registration iris information to obtain the registration iris characteristic information corresponding to the user.
In the embodiment of the invention, optionally, after receiving the registered iris information, the server identifies the registered iris information to obtain registered iris feature information corresponding to the user.
205. The server side verifies whether the received registered user account, the received registered password and the received initial rolling code meet preset validity conditions, and when the registered user account, the received registered password and the received initial rolling code meet the validity conditions, the server side carries out information association on the registered user account, the received registered password, the received initial rolling code and the received registered iris characteristic information to obtain and store an associated information set of the user.
In the embodiment of the invention, optionally, the server side verifies whether the received registered user account, registered password and initial rolling code meet preset validity conditions, namely, verifies whether the received registered user account, registered password and initial rolling code are valid, when the registered user account, registered password and initial rolling code meet the validity conditions, the server side carries out information association on the registered user account, registered password, initial rolling code and registered iris characteristic information to obtain an associated information set of the user, wherein the associated information set can comprise the registered user account, registered password, initial rolling code and registered iris characteristic information, and can also comprise the associated relation among the registered user account, registered password, initial rolling code and registered iris characteristic information.
In the embodiment of the invention, optionally, after the server side stores the association information set of the user, the server side can send the prompt information of successful registration to the client side.
206. The client detects a server access request triggered by a user, and when the client detects the server access request, user information input by the user is obtained, wherein the user information comprises a user account number, a user password and iris information.
207. And the client generates a current login rolling code according to the user account and a preset rolling code generation algorithm, and displays the current login rolling code to the user.
208. After the client detects that the user inputs the current login rolling code, the client sends the user information and the current login rolling code to the server based on a preset physical isolation channel.
209. The server receives the user information and the current login rolling code sent by the client, and verifies the user information and the current login rolling code to obtain a verification result.
210. When the verification result shows that the user information and the current login rolling code meet the preset login condition, the server side establishes a data access channel between the server side and the client side, and authorizes the user to access the data of the server side through the data access channel.
In the embodiment of the present invention, for other descriptions of step 206 to step 210, please refer to the detailed descriptions of step 101 to step 105 in the first embodiment of the present invention, and the detailed description of the embodiment of the present invention is omitted.
It can be seen that implementing the multi-factor authentication method based on the physical isolation channel described in fig. 2 can, when the client receives a user registration request sent by the user, collect the registration information of the user according to the request, generate an initial rolling code according to the registered user account, the rolling code generation algorithm and a randomly generated target random number, and send the registration information and the initial rolling code to the server based on the preset physical isolation channel; when the server verifies that the registered user account, the registration password and the initial rolling code satisfy the validity condition, it associates them with the registered iris feature information to obtain and store the associated information set of the user. The registration information is thereby collected and stored, and an initial rolling code is generated for subsequent rolling code verification, which improves the accuracy, reliability and speed of identity verification. Then, when the client detects a server access request, it obtains the user information input by the user, generates the current login rolling code according to the user account and the rolling code generation algorithm, and, after the user inputs the current login rolling code, sends the user information and the current login rolling code to the server over the preset physical isolation channel; when the server verifies them, a data access channel between the server and the client is established and the user is authorized to access the data of the server through it. Three-factor authentication of the user identity is thus performed based on the user account password, the dynamically generated rolling code and the user iris information, which improves the security and reliability of identity authentication; at the same time, the physical isolation channel improves the authentication speed and reduces the risk that authentication factors are intercepted, and non-contact recognition based on iris information improves authentication convenience and user experience.
In an alternative embodiment, the verification result includes a first sub-verification result, a second sub-verification result, and a third sub-verification result, and the login condition includes a first sub-login condition, a second sub-login condition, and a third sub-login condition;
the server side verifies the user information and the current login rolling code, and the verification result can be obtained by the following operations:
The server side determines a corresponding association information set of the user according to the user account, verifies whether the user account and the user password input by the user meet a first sub-login condition according to the registered user account and the registered password in the association information set, and obtains a first sub-verification result;
When the first sub-verification result shows that the user account and the user password meet the first sub-login condition, the server verifies whether the current login rolling code meets the second sub-login condition according to the initial rolling code in the associated information set to obtain a second sub-verification result;
And when the second sub-verification result shows that the current login rolling code meets the second sub-login condition, the server verifies whether the iris information meets the third sub-login condition according to the registered iris characteristic information in the associated information set to obtain a third sub-verification result.
In this optional embodiment, optionally, the server verifies whether the user account and the user password input by the user match the registered user account and the registered password registered by the user; when they match, the first sub-verification result indicates that the user account and the user password meet the first sub-login condition. The server then verifies whether the current login rolling code matches the initial rolling code stored at the server for rolling code verification; when the rolling codes match, the second sub-verification result indicates that the current login rolling code meets the second sub-login condition. Finally, the server extracts the current iris feature information corresponding to the iris information and verifies whether it matches the registered iris feature information; when the iris feature information matches, the third sub-verification result indicates that the iris information meets the third sub-login condition.
In this optional embodiment, optionally, when the first, second and third sub-verification results all indicate that the corresponding authentication factor was verified successfully, the server returns login success information to the client and replaces the stored initial rolling code with the current login rolling code, so that the updated value is the reference for the next rolling code verification; when any sub-verification result indicates that the corresponding authentication factor failed, the server returns to the client a failure prompt naming the authentication factor corresponding to that sub-verification result, which is not limited in this embodiment.
Therefore, by implementing the optional embodiment, three-factor authentication can be performed on the user identity based on the user account password, the dynamically generated rolling code and the user iris information, so that the safety and the reliability of the authentication are improved, meanwhile, due to the disposable characteristic of the rolling code, even if an attacker intercepts a certain communication content, the next rolling code value cannot be predicted, the threat of replay attack and man-in-the-middle attack to the system is effectively reduced, and the safety of user data is further improved.
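The sequential three-factor check described above, as an added Python example that is not part of the patent. The page fixes neither the rolling code generation algorithm nor the iris feature format, so the example assumes a hash-chain rolling code (the current login code is the hash of the account and the previously accepted code; the initial code is the hash of the account and the target random number) and a binary iris code compared by fractional Hamming distance against an assumed threshold. The server advances its stored code only after all three factors pass, so an intercepted code is accepted at most once, and the iris comparison is confined to the registered feature in the account's own associated information set. The names AuthServer, AssociatedInfo and IRIS_THRESHOLD are the example's own.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Assumed rolling code algorithm (the page names none): a hash chain keyed by
# the account. The initial code is derived from the target random number; each
# later login code is derived from the code the server accepted last time.
def initial_rolling_code(account: str, target_random: str) -> str:
    return hashlib.sha256(f"{account}:{target_random}".encode()).hexdigest()

def next_rolling_code(account: str, previous_code: str) -> str:
    return hashlib.sha256(f"{account}:{previous_code}".encode()).hexdigest()

def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def iris_distance(code_a: str, code_b: str) -> float:
    """Fractional Hamming distance between two equal-length iris bit strings
    (assumed feature format; the page does not fix one)."""
    if len(code_a) != len(code_b):
        raise ValueError("iris codes must have equal length")
    differing = sum(x != y for x, y in zip(code_a, code_b))
    return differing / len(code_a)

IRIS_THRESHOLD = 0.30   # assumed decision threshold on fractional Hamming distance

@dataclass
class AssociatedInfo:
    salt: bytes
    password_hash: bytes
    rolling_code: str   # last accepted code; the initial code right after registration
    iris_code: str      # registered iris feature information

class AuthServer:
    def __init__(self) -> None:
        self.db: dict[str, AssociatedInfo] = {}
        self._dummy_salt = secrets.token_bytes(16)

    def register(self, account: str, password: str, initial_code: str, iris_code: str) -> None:
        salt = secrets.token_bytes(16)
        self.db[account] = AssociatedInfo(salt, hash_password(password, salt), initial_code, iris_code)

    def verify(self, account: str, password: str, current_code: str, iris_code: str) -> dict:
        """Three sub-checks in the page's order; a later factor is examined only
        when the previous one passed. Returns the three sub-verification results."""
        result = {"first": False, "second": False, "third": False}
        info = self.db.get(account)
        if info is None:
            hash_password(password, self._dummy_salt)   # keep timing similar for unknown accounts
            return result
        # First sub-login condition: account and password.
        result["first"] = hmac.compare_digest(hash_password(password, info.salt), info.password_hash)
        if not result["first"]:
            return result
        # Second sub-login condition: the login code must be the successor of the stored code.
        expected = next_rolling_code(account, info.rolling_code)
        result["second"] = hmac.compare_digest(expected, current_code)
        if not result["second"]:
            return result
        # Third sub-login condition: iris match against this account's registered code only.
        result["third"] = iris_distance(iris_code, info.iris_code) <= IRIS_THRESHOLD
        if result["third"]:
            # Advance the chain only after all three factors pass, so each code is accepted once.
            info.rolling_code = current_code
        return result
```

The early return on an unknown account still performs one password hash so that the response time does not reveal whether the account exists; the comparisons use hmac.compare_digest for the same reason.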
In another alternative embodiment, the physically isolated channel-based multi-factor authentication method may further include the operations of:
The server end builds an initial iris recognition model based on the deep learning framework, wherein the initial iris recognition model comprises a convolution layer, a pooling layer and a full connection layer;
the server side carries out model training on the initial iris recognition model according to the preprocessed data set to obtain a model training result, and calculates model loss corresponding to the initial iris recognition model according to the model training result, wherein the data set comprises a training data set, a verification data set and a test data set;
The server side carries out importance assessment on model parameters in the initial iris recognition model to obtain an importance assessment result, carries out model pruning on the initial iris recognition model according to the importance assessment result, and obtains an initial iris recognition model after model pruning;
the server side determines a teacher model corresponding to the initial iris recognition model after model pruning, and trains a training data set through the teacher model to obtain a softening label;
the server calculates distillation loss according to the softening label and the model training result, and trains an initial iris recognition model after model pruning according to the model loss and the distillation loss to obtain a target iris recognition model;
And when the second sub-verification result indicates that the current login rolling code meets the second sub-login condition, the server verifies whether the iris information meets the third sub-login condition according to the registered iris characteristic information in the associated information set to obtain a third sub-verification result, which comprises the following steps:
And when the second sub-verification result shows that the current login rolling code meets the second sub-login condition, the server verifies whether the iris information meets the third sub-login condition through the target iris recognition model according to the registered iris characteristic information in the associated information set, and a third sub-verification result is obtained.
In this optional embodiment, optionally, before the server end builds the initial iris recognition model based on the deep learning framework, the method may further include:
Data preparation: a large amount of iris image data is collected. The data should include multiple samples from different people, as well as multiple samples of the same person;
data preprocessing: in processing iris images, a series of preprocessing operations including iris localization, normalization, image enhancement, etc. are required. These operations aim to improve image quality, reduce noise, and prepare for subsequent deep learning model training;
data tag: to ensure accuracy of the model, a corresponding label needs to be assigned to each iris image. These tags are typically associated with the identity or class of the individual with which the image is associated so that the model can identify different irises from the tag.
In this optional embodiment, optionally, a convolutional neural network structure may be selected according to the iris recognition requirements and the computing resources at the server side, and an initial iris recognition model constructed on it based on a deep learning framework; the initial iris recognition model may include a convolutional layer, a pooling layer and a fully connected layer, with a loss function (such as cross-entropy loss) and an optimizer (such as Adam) set for it. The data set may include a training data set, a validation data set and a test data set. The model loss corresponding to the initial iris recognition model is calculated from the model training results, indexes such as accuracy, recall and F1 score may be calculated from the same results, and a confusion matrix may be generated to analyze the performance of the model on each category.
In this optional embodiment, optionally, the server performs importance assessment on the model parameters in the initial iris recognition model to obtain an importance assessment result, determines unimportant model parameters or neurons according to the importance assessment result, performs model pruning on the initial iris recognition model to obtain an initial iris recognition model after model pruning, and may perform fine tuning on the initial iris recognition model after model pruning to restore performance, and then performs iterative pruning until a balance between a required model size and performance is achieved, which is not limited in this embodiment.
In this optional embodiment, optionally, the server determines a teacher model corresponding to the initial iris recognition model after the model pruning, where the teacher model includes a comprehensive and complex model consistent with the initial iris recognition model function and output, and has good performance but large calculation amount, trains a training data set through the teacher model to obtain a softening tag, calculates distillation loss according to the softening tag and the model training result, trains the initial iris recognition model after the model pruning according to the model loss and the distillation loss, optimizes the model loss and the distillation loss through training, makes the initial iris recognition model after the model pruning learn knowledge useful in the teacher model, performs performance evaluation on the target iris recognition model obtained after the training through a verification data set, and adjusts super parameters in the distillation process according to the performance evaluation result and the requirement, where the super parameters may include distillation temperature, weight loss, and so on, so as to optimize performance of the student model, and the embodiment is not limited.
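The softened labels and distillation loss of the previous paragraph, worked through as an added Python example that is not the patent's code. Soft labels are the teacher's softmax at temperature T; the distillation loss is T^2 times the KL divergence from the teacher's softened distribution to the student's; the training objective combines it with the ordinary cross-entropy model loss through a weight alpha. The logits, temperature and alpha used below are constructed values, and the T^2 scaling and the alpha weighting are the usual choices rather than anything the page fixes.

```python
import math

def softmax(logits: list[float], temperature: float = 1.0) -> list[float]:
    """Softmax at a given temperature; higher temperature flattens the distribution."""
    scaled = [z / temperature for z in logits]
    m = max(scaled)
    exps = [math.exp(z - m) for z in scaled]
    total = sum(exps)
    return [e / total for e in exps]

def cross_entropy(probs: list[float], true_index: int) -> float:
    """Ordinary model loss of the student against the hard identity label."""
    return -math.log(probs[true_index])

def kl_divergence(p: list[float], q: list[float]) -> float:
    return sum(pi * math.log(pi / qi) for pi, qi in zip(p, q) if pi > 0.0)

def soft_labels(teacher_logits: list[float], temperature: float) -> list[float]:
    """The 'softening label' produced by the teacher for one training sample."""
    return softmax(teacher_logits, temperature)

def distillation_loss(student_logits: list[float], teacher_logits: list[float],
                      temperature: float) -> float:
    """T^2 * KL(teacher_soft || student_soft); T^2 keeps gradient magnitude
    comparable across temperatures (constructed choice)."""
    p_teacher = soft_labels(teacher_logits, temperature)
    p_student = softmax(student_logits, temperature)
    return temperature ** 2 * kl_divergence(p_teacher, p_student)

def combined_loss(student_logits: list[float], teacher_logits: list[float],
                  true_index: int, temperature: float = 4.0, alpha: float = 0.5) -> float:
    """Objective the pruned student is trained on: alpha * model loss + (1 - alpha) * distillation loss."""
    model_loss = cross_entropy(softmax(student_logits), true_index)
    return alpha * model_loss + (1.0 - alpha) * distillation_loss(student_logits, teacher_logits, temperature)

# Constructed logits for a 3-identity toy problem: identity 0 is the true label.
TEACHER_LOGITS = [6.0, 2.0, 1.0]
STUDENT_LOGITS = [3.0, 2.5, 1.0]
```

Raising the temperature makes the teacher's soft label less peaked, which is what exposes the teacher's ranking of the wrong identities (the "dark knowledge") to the student; at T = 1 the soft label is nearly one-hot and the distillation term carries little more than the hard label does.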
In this optional embodiment, optionally, the server side verifies, according to the registered iris feature information in the associated information set, whether the iris information meets the third sub-login condition through the target iris recognition model to obtain the third sub-verification result, which may include:
The server side extracts the current iris feature information corresponding to the iris information and inputs it into the target iris recognition model, which matches the current iris feature information against the registered iris feature information stored in the server's database; when the registered iris feature information matches the current iris feature information, the third sub-verification result indicates that the iris information meets the third sub-login condition, and the embodiment is not limited. Since the user account has already been identified by the first two sub-checks, the comparison should be confined to the registered iris feature information in that user's associated information set, as in the preceding embodiment; accepting a match against any enrolled record would let the third factor be satisfied by another user's iris.
In this optional embodiment, optionally, in order to improve the security of data in the iris authentication process, desensitization or anonymization may be performed on iris data to protect the privacy of a user, even if the data is revealed, an attacker may not easily associate the data with a specific individual, and may also perform security audit and monitoring on the system regularly, so as to ensure the security and integrity of the system, and by detecting abnormal behaviors and potential security holes, countermeasures may be timely taken, and the system may be updated and maintained regularly so as to cope with new security threats and challenges.
It can be seen that implementing this alternative embodiment can construct an initial iris recognition model based on a deep learning framework, pruning and distilling the model, improving the generalization capability of the model by reducing model parameters and reducing the complexity of model operation, and simultaneously reducing the computational resource requirements, and improving the accuracy and reliability of iris verification by performing iris verification through a target iris recognition model.
Example III
Referring to fig. 3, fig. 3 is a schematic structural diagram of a multi-factor authentication system based on a physical isolation channel according to an embodiment of the present invention. The multi-factor authentication system based on the physical isolation channel described in fig. 3 may include a client and a server, where a user may access data of the server through the client, and the server may include an intelligent server or an intelligent platform for verifying identity information of the user, and the intelligent server includes a local server or a cloud server. As shown in fig. 3, the multi-factor authentication system based on a physical isolation channel may include a client 30 and a server 40, where the client 30 includes a detection module 301, a generation module 302, and a transmission module 303, where:
The detection module 301 is configured to detect a server access request triggered by a user, and when the server access request is detected, acquire user information input by the user, where the user information includes a user account, a user password, and iris information;
the generating module 302 is configured to generate a current login rolling code according to a user account and a preset rolling code generating algorithm, and display the current login rolling code to a user;
the sending module 303 is configured to send, after detecting that the user inputs the current login rolling code, user information and the current login rolling code to the server based on a preset physical isolation channel;
the server side 40 includes a receiving module 401 and a channel establishing module 402, wherein:
The receiving module 401 is configured to receive the user information and the current login rolling code sent by the client 30, and verify the user information and the current login rolling code to obtain a verification result;
The channel establishment module 402 is configured to establish a data access channel between the server 40 and the client 30 and authorize the user to access the data of the server 40 through the data access channel when the verification result indicates that the user information and the current login rolling code satisfy the preset login condition.
It can be seen that, implementing the multi-factor authentication system based on the physical isolation channel described in fig. 3 can obtain user information input by a user when the client detects a server access request, the client generates a current login rolling code according to a user account number and a preset rolling code generation algorithm, and after the client detects that the user inputs the current login rolling code, the client sends the user information and the current login rolling code to the server based on the preset physical isolation channel, when the server verifies the user information and the current login rolling code, a data access channel between the server and the client is established, and a user is authorized to access data of the server through the data access channel, three-factor authentication can be performed on the user identity based on the user account number password, the dynamically generated rolling code and the user iris information, so that the security and the reliability of identity authentication can be improved, meanwhile, the physical isolation channel can improve the authentication speed, reduce the risk of interception of authentication factors, realize non-contact recognition based on iris information authentication, improve the authentication convenience, and improve the user experience.
In an alternative embodiment, as shown in fig. 4, the client 30 further includes a collecting module 304, a first obtaining module 305, where:
The collecting module 304 is configured to collect, when a user registration request sent by a user is received, registration information of the user according to the user registration request, where the registration information includes a registered user account, a registration password, and registration iris information;
the first obtaining module 305 is configured to obtain a preset rolling code generation algorithm, and generate an initial rolling code according to the account number of the registered user, the rolling code generation algorithm, and the randomly generated target random number;
the sending module 303 is further configured to send the registration information and the initial rolling code to the server 40 based on a preset physical isolation channel;
the receiving module 401 is further configured to receive the registration information and the initial rolling code, and identify the received registration iris information to obtain registration iris feature information corresponding to the user;
The server side 40 further comprises a verification module 403, wherein:
the verification module 403 is configured to verify whether the received registered user account, the registered password, and the initial rolling code meet a preset validity condition, and when the registered user account, the registered password, and the initial rolling code meet the validity condition, perform information association on the registered user account, the registered password, the initial rolling code, and the registered iris feature information, so as to obtain and store an association information set of the user.
It can be seen that implementing the multi-factor authentication system based on the physical isolation channel described in fig. 4 can, when the client receives a user registration request sent by the user, collect the registration information of the user according to the request, generate an initial rolling code according to the registered user account, the rolling code generation algorithm and a randomly generated target random number, and send the registration information and the initial rolling code to the server based on the preset physical isolation channel; when the server verifies that the registered user account, the registration password and the initial rolling code satisfy the validity condition, it associates them with the registered iris feature information to obtain and store the associated information set of the user. The registration information is thereby collected and stored, and an initial rolling code is generated for subsequent rolling code verification, which improves the accuracy, reliability and speed of identity verification. Then, when the client detects a server access request, it obtains the user information input by the user, generates the current login rolling code according to the user account and the rolling code generation algorithm, and, after the user inputs the current login rolling code, sends the user information and the current login rolling code to the server over the preset physical isolation channel; when the server verifies them, a data access channel between the server and the client is established and the user is authorized to access the data of the server through it. Three-factor authentication of the user identity is thus performed based on the user account password, the dynamically generated rolling code and the user iris information, which improves the security and reliability of identity authentication; at the same time, the physical isolation channel improves the authentication speed and reduces the risk that authentication factors are intercepted, and non-contact recognition based on iris information improves authentication convenience and user experience.
In another alternative embodiment, as shown in fig. 4, the verification result includes a first sub-verification result, a second sub-verification result, and a third sub-verification result, and the login condition includes a first sub-login condition, a second sub-login condition, and a third sub-login condition;
The specific ways of the receiving module 401 to verify the user information and the current login rolling code to obtain the verification result include:
Determining a corresponding association information set of a user according to the user account, and verifying whether the user account and the user password input by the user meet a first sub-login condition according to a registered user account and a registered password in the association information set to obtain a first sub-verification result;
when the first sub-verification result shows that the user account and the user password meet the first sub-login condition, verifying whether the current login rolling code meets the second sub-login condition according to the initial rolling code in the associated information set to obtain a second sub-verification result;
And when the second sub-verification result shows that the current login rolling code meets the second sub-login condition, verifying whether the iris information meets the third sub-login condition according to the registered iris characteristic information in the associated information set, and obtaining a third sub-verification result.
Therefore, the multi-factor authentication system based on the physical isolation channel described in fig. 4 can perform three-factor authentication on the user identity based on the user account password, the dynamically generated rolling code and the user iris information, so that the security and reliability of the authentication are improved, meanwhile, due to the disposable characteristic of the rolling code, even if an attacker intercepts a certain communication content, the next rolling code value cannot be predicted, the threat of replay attack and man-in-the-middle attack to the system is effectively reduced, and the security of user data is further improved.
In yet another alternative embodiment, as shown in fig. 4, the specific manner of sending, by the sending module 303, the user information and the current login rolling code to the server side based on the preset physical isolation channel includes:
Determining a security level requirement of a user, wherein the security level requirement comprises a first security level requirement or a second security level requirement;
When the security level requirements of the user comprise first security level requirements, determining the equipment type of user equipment used for logging in the client side by the user, wherein the equipment type comprises a first equipment type or a second equipment type;
when the equipment type of the user equipment is a first equipment type, transmitting the user account, the user password and the current login rolling code to the server side based on a preset first sub-physical isolation channel, and transmitting the iris information to the server side based on a preset second sub-physical isolation channel, wherein the physical isolation channel comprises the first sub-physical isolation channel and the second sub-physical isolation channel; or alternatively
when the equipment type of the user equipment is a second equipment type, transmitting the user account, the user password and the current login rolling code to the server side based on a preset third sub-physical isolation channel, and transmitting the iris information to the server side based on a preset fourth sub-physical isolation channel, wherein the physical isolation channel comprises the third sub-physical isolation channel and the fourth sub-physical isolation channel; or alternatively
when the security level requirement of the user is the second security level requirement, transmitting the user information and the current login rolling code to the server side based on a preset fifth sub-physical isolation channel, wherein the physical isolation channel comprises the fifth sub-physical isolation channel.
Therefore, the multi-factor authentication system based on the physical isolation channel described in fig. 4 can transmit different authentication factors in isolation over a dual-channel physical isolation channel consisting of wired broadband communication plus 5G wireless communication, or of 5G wireless communication plus a second 5G wireless communication link, which makes full use of the high transmission speed of the 5G network while improving network transmission security and physically isolating the transmission channels of the authentication factors, thereby further improving the security and speed of multi-factor authentication.
In yet another alternative embodiment, as shown in fig. 4, the client 30 further comprises a second acquisition module 306 and an encryption module 307, wherein:
A second obtaining module 306, configured to obtain a current time and a preset encryption algorithm, and generate a synchronization code according to the current time;
The generating module 302 is further configured to generate a first dynamic key according to the current time, a preset factory key, and a preset seed code through a key generation algorithm;
the encryption module 307 is configured to encrypt the user information and the current login rolling code according to the first dynamic key and the encryption algorithm to obtain encrypted data corresponding to the user information and the current login rolling code, and encapsulate the encrypted data and the synchronization code to obtain an encapsulated data packet;
And, the specific way for the sending module 303 to send the user information and the current login rolling code to the server based on the preset physical isolation channel includes:
transmitting the encapsulated data packet to a server based on a preset physical isolation channel;
And, the specific manner of receiving the user information and the current login rolling code sent by the client by the receiving module 401 includes:
receiving the encapsulated data packet sent by the client 30, recording the receiving time of the encapsulated data packet, and parsing the encapsulated data packet to obtain the encrypted data and the synchronization code;
judging whether the synchronization code meets a preset aging check condition according to the receiving time, and, when the synchronization code meets the aging check condition, generating a second dynamic key through the key generation algorithm according to the current time (in practice the time value carried by the synchronization code, so that the server derives the same key the client used), the factory key and the seed code;
and decrypting the encrypted data according to the second dynamic key and a decryption algorithm corresponding to the encryption algorithm.
Therefore, implementing the multi-factor authentication system based on the physical isolation channel described in fig. 4 can encrypt and transmit multiple authentication factors, verify the timeliness of the transmitted information based on the synchronization code, ensure that the received data packet is up-to-date and effective, reduce the probability of replay attack and the reception of outdated data, ensure that each encryption/decryption process is unique by the generation of the dynamic key, further improve the security of data transmission, and improve the reliability and security of identity authentication.
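The time-synchronized packaging and aging check above, as an added Python example rather than the patent's code. The page does not name the key generation or encryption algorithm, so the example assumes a 30-second time step for the synchronization code, an HMAC-SHA256 key derivation over (time step, factory key, seed code), and an encrypt-then-MAC construction with an HMAC-derived keystream; all three are the example's own choices, and a real deployment would use an AEAD such as AES-GCM in place of the keystream construction. Two details matter for the aging check: the server derives the second dynamic key from the time step carried in the synchronization code rather than from its own clock, so both sides compute the same key within the tolerance window, and it remembers the (step, tag) pairs it has accepted so that a packet replayed inside the window is still rejected. The factory key, seed code and packet contents are constructed values.

```python
import hashlib
import hmac
import secrets
import struct

STEP_SECONDS = 30   # assumed width of one synchronization-code time step
MAX_STEP_SKEW = 1   # assumed aging tolerance: the current step and its neighbours

def sync_code(now: int) -> int:
    """Synchronization code generated from the current time (assumed: time step index)."""
    return now // STEP_SECONDS

def dynamic_key(step: int, factory_key: bytes, seed_code: bytes) -> bytes:
    """Assumed key generation algorithm: HMAC-SHA256 over the time step, keyed by factory key + seed."""
    return hmac.new(factory_key + seed_code, struct.pack(">Q", step), hashlib.sha256).digest()

def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])

def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || HMAC tag (assumed construction)."""
    nonce = secrets.token_bytes(16)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag

def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ciphertext, hashlib.sha256).digest(), tag):
        raise ValueError("authentication tag mismatch")
    return bytes(c ^ k for c, k in zip(ciphertext, keystream(key, nonce, len(ciphertext))))

def client_package(user_info: bytes, rolling_code: bytes, factory_key: bytes,
                   seed_code: bytes, now: int) -> bytes:
    """Client side: first dynamic key from the time step, encrypt both factors, encapsulate with the sync code."""
    step = sync_code(now)
    key = dynamic_key(step, factory_key, seed_code)
    payload = struct.pack(">H", len(user_info)) + user_info + rolling_code
    return struct.pack(">Q", step) + encrypt(key, payload)

class ServerReceiver:
    def __init__(self, factory_key: bytes, seed_code: bytes) -> None:
        self.factory_key, self.seed_code = factory_key, seed_code
        self.seen: set[tuple[int, bytes]] = set()   # accepted (step, tag) pairs, to reject replays in-window

    def receive(self, packet: bytes, receive_time: int) -> tuple[bytes, bytes]:
        step = struct.unpack(">Q", packet[:8])[0]
        encrypted = packet[8:]
        # Aging check against the recorded receiving time.
        if abs(sync_code(receive_time) - step) > MAX_STEP_SKEW:
            raise ValueError("synchronization code failed the aging check")
        tag = encrypted[-32:]
        if (step, tag) in self.seen:
            raise ValueError("replayed packet")
        # Second dynamic key from the step the client used, not from the server's own clock.
        key = dynamic_key(step, self.factory_key, self.seed_code)
        payload = decrypt(key, encrypted)
        self.seen.add((step, tag))
        n = struct.unpack(">H", payload[:2])[0]
        return payload[2:2 + n], payload[2 + n:]
```

The replay set can be pruned to entries whose step is older than the tolerance window, since those packets fail the aging check anyway.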
In yet another alternative embodiment, as shown in fig. 4, the server side 40 further includes a construction module 404, a model training module 405, an evaluation module 406, a determination module 407, and a distillation module 408, wherein:
A construction module 404, configured to construct an initial iris recognition model based on the deep learning framework, where the initial iris recognition model includes a convolution layer, a pooling layer, and a full connection layer;
The model training module 405 is configured to perform model training on the initial iris recognition model according to a pre-processed data set, obtain a model training result, and calculate a model loss corresponding to the initial iris recognition model according to the model training result, where the data set includes a training data set, a verification data set, and a test data set;
the evaluation module 406 is configured to perform importance evaluation on model parameters in the initial iris recognition model to obtain an importance evaluation result, and perform model pruning on the initial iris recognition model according to the importance evaluation result to obtain an initial iris recognition model after model pruning;
the determination module 407 is configured to determine a teacher model corresponding to the initial iris recognition model after model pruning, and train the training data set through the teacher model to obtain a softening tag;
The distillation module 408 is configured to calculate a distillation loss according to the softening tag and the model training result, and train the initial iris recognition model after pruning the model according to the model loss and the distillation loss to obtain a target iris recognition model;
When the second sub-verification result indicates that the current login rolling code meets the second sub-login condition, the manner in which the receiving module 401 verifies whether the iris information meets the third sub-login condition according to the registered iris feature information in the associated information set, to obtain the third sub-verification result, is specifically:
when the second sub-verification result indicates that the current login rolling code meets the second sub-login condition, verifying, through the target iris recognition model, whether the iris information meets the third sub-login condition according to the registered iris feature information in the associated information set, to obtain the third sub-verification result.
Therefore, implementing the multi-factor authentication system based on the physical isolation channel described in fig. 4 can construct an initial iris recognition model based on a deep learning framework, prune and distill the model, improve the generalization capability of the model by reducing the number of model parameters, reduce the complexity of model operation and the demand for computing resources, and improve the accuracy and reliability of iris verification by performing the verification through the target iris recognition model.
In yet another alternative embodiment, as shown in fig. 4, the detection module 301 is further configured to detect, at regular time, a target operation of the user on the client;
the client 30 further includes a judgment module 308, wherein:
the judgment module 308 is configured to judge whether the target operation meets a preset operation verification condition, and when the target operation meets the operation verification condition, display operation confirmation reminding information to the user;
The detection module 301 is further configured to detect whether a confirmation instruction of the user for the operation confirmation reminder is received within a preset duration, disconnect a data access channel between the server side and the client side when the confirmation instruction is not received within the preset duration, and trigger the detection module 301 to perform an operation of detecting a server access request triggered by the user.
As can be seen, implementing the multi-factor authentication system based on the physical isolation channel described in fig. 4 allows the client to detect, at regular intervals, the target operation of the user on the client and to judge whether that operation meets a preset operation verification condition. When it does, the client displays operation confirmation reminding information to the user and checks whether a confirmation instruction for that reminder is received within a preset time period; if no confirmation instruction arrives within that period, the client disconnects the data access channel between the server and the client and again triggers the operation of detecting a server access request triggered by the user. Access from the client to the server is therefore stopped when the user leaves the client for a long time, which reduces the probability of other people performing malicious operations on the user's client and improves the security of the user's access to the server's data.
Example IV
Referring to fig. 5, fig. 5 is a schematic structural diagram of a multi-factor authentication device based on a physical isolation channel according to an embodiment of the present invention. As shown in fig. 5, the physically isolated channel-based multi-factor authentication apparatus may include:
A memory 501 in which executable program codes are stored;
a processor 502 coupled to the memory 501;
the processor 502 invokes executable program code stored in the memory 501 to perform the steps in the physically isolated channel-based multi-factor authentication method described in the first or second embodiments of the present invention.
Example V
The embodiment of the invention discloses a computer storage medium which stores computer instructions for executing the steps in the multi-factor authentication method based on the physical isolation channel described in the first embodiment or the second embodiment of the invention when the computer instructions are called.
Example VI
Embodiments of the present invention disclose a computer program product comprising a non-transitory computer readable storage medium storing a computer program, and the computer program is operable to cause a computer to perform the steps of the physically isolated channel-based multi-factor authentication method described in embodiment one or embodiment two.
The apparatus embodiments described above are merely illustrative, wherein the modules illustrated as separate components may or may not be physically separate, and the components shown as modules may or may not be physical, i.e., may be located in one place, or may be distributed over a plurality of network modules. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of this embodiment. Those of ordinary skill in the art will understand and implement the present invention without undue burden.
From the above detailed description of the embodiments, it will be apparent to those skilled in the art that the embodiments may be implemented by means of software plus the necessary general hardware platform, or of course by means of hardware. Based on such understanding, the foregoing technical solutions may be embodied essentially, or in part, in the form of a software product that may be stored in a computer-readable storage medium including read-only memory (ROM), random access memory (RAM), programmable read-only memory (PROM), erasable programmable read-only memory (EPROM), one-time programmable read-only memory (OTPROM), electrically erasable programmable read-only memory (EEPROM), compact disc read-only memory (CD-ROM) or other optical disc storage, magnetic disc storage, tape storage, or any other computer-readable medium that can be used for carrying or storing data.
Finally, it should be noted that the multi-factor authentication method and system based on a physical isolation channel disclosed in the embodiments of the invention are described only to illustrate the technical solution of the invention, not to limit it. Although the invention has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art will understand that the technical solutions recorded in the various embodiments can still be modified, or some of their technical features replaced by equivalents, and that such modifications and substitutions do not depart from the spirit and scope of the corresponding technical solutions.

Claims (10)

1. The multi-factor authentication method based on the physical isolation channel is characterized by being applied to a multi-factor authentication system based on the physical isolation channel, wherein the system comprises a client side and a server side, and the method comprises the following steps:
The client detects a server access request triggered by a user, and when the client detects the server access request, user information input by the user is obtained, wherein the user information comprises a user account, a user password and iris information;
The client generates a current login rolling code according to the user account and a preset rolling code generation algorithm, and displays the current login rolling code to the user;
After the client detects that the user inputs the current login rolling code, the client sends the user information and the current login rolling code to the server based on a preset physical isolation channel;
the server side receives the user information and the current login rolling code sent by the client side, and verifies the user information and the current login rolling code to obtain a verification result;
when the verification result shows that the user information and the current login rolling code meet preset login conditions, the server establishes a data access channel between the server and the client, and authorizes the user to access the data of the server through the data access channel.
2. The physically isolated channel-based multi-factor authentication method of claim 1, further comprising:
when the client receives a user registration request sent by a user, the client collects registration information of the user according to the user registration request, wherein the registration information comprises a registered user account, a registration password and registration iris information;
The client acquires a preset rolling code generation algorithm and generates an initial rolling code according to the registered user account, the rolling code generation algorithm and a randomly generated target random number;
the client sends the registration information and the initial rolling code to the server based on a preset physical isolation channel;
The server receives the registration information and the initial rolling code, and recognizes the received registration iris information to obtain registration iris characteristic information corresponding to the user;
The server verifies whether the received registered user account, the received registered password and the received initial rolling code meet preset validity conditions, and when the registered user account, the received registered password and the received initial rolling code meet the validity conditions, the server correlates the registered user account, the received registered password, the received initial rolling code and the received registered iris characteristic information to obtain and store a correlation information set of the user.
3. The multi-factor authentication method based on a physical isolation channel according to claim 2, wherein the verification result includes a first sub-verification result, a second sub-verification result, and a third sub-verification result, and the login condition includes a first sub-login condition, a second sub-login condition, and a third sub-login condition;
the server side verifies the user information and the current login rolling code to obtain a verification result, and the method comprises the following steps:
The server side determines a corresponding association information set of the user according to the user account, verifies whether the user account and the user password input by the user meet the first sub-login condition according to the registered user account and the registered password in the association information set, and obtains the first sub-verification result;
when the first sub-verification result indicates that the user account and the user password meet the first sub-login condition, the server verifies whether the current login rolling code meets the second sub-login condition according to the initial rolling code in the association information set, and the second sub-verification result is obtained;
and when the second sub-verification result indicates that the current login rolling code meets the second sub-login condition, the server verifies whether the iris information meets the third sub-login condition according to the registered iris characteristic information in the associated information set to obtain the third sub-verification result.
4. A multi-factor authentication method based on a physical isolation channel according to any one of claims 1 to 3, wherein the client sends the user information and the current login rolling code to the server based on a preset physical isolation channel, comprising:
The client determines the security level requirements of the user, wherein the security level requirements comprise a first security level requirement or a second security level requirement;
When the security level requirements of the user include the first security level requirements, the client determines a device type of a user device used by the user to log in the client, wherein the device type includes a first device type or a second device type;
When the device type of the user device comprises the first device type, the client sends the user account, the user password and the current login rolling code to the server based on a preset first sub-physical isolation channel, and sends the iris information to the server based on a preset second sub-physical isolation channel, wherein the physical isolation channel comprises the first sub-physical isolation channel and the second sub-physical isolation channel; or
when the device type of the user device comprises the second device type, the client sends the user account, the user password and the current login rolling code to the server based on a preset third sub-physical isolation channel, and sends the iris information to the server based on a preset fourth sub-physical isolation channel, wherein the physical isolation channel comprises the third sub-physical isolation channel and the fourth sub-physical isolation channel; or
when the security level requirement of the user comprises the second security level requirement, the client sends the user information and the current login rolling code to the server based on a preset fifth sub-physical isolation channel, wherein the physical isolation channel comprises the fifth sub-physical isolation channel.
5. A physically isolated channel-based multi-factor authentication method according to any of claims 1-3, further comprising:
the client acquires the current time and a preset encryption algorithm, and generates a synchronous code according to the current time;
The client generates a first dynamic secret key through a secret key generation algorithm according to the current time, a preset factory secret key and a preset seed code;
the client encrypts the user information and the current login rolling code according to the first dynamic secret key and the encryption algorithm to obtain encrypted data corresponding to the user information and the current login rolling code, and encapsulates the encrypted data and the synchronous code to obtain an encapsulated data packet;
And the client sends the user information and the current login rolling code to the server based on a preset physical isolation channel, comprising:
the client sends the encapsulated data packet to the server based on a preset physical isolation channel;
and the server receives the user information and the current login rolling code sent by the client, and the method comprises the following steps:
The server receives the encapsulated data packet sent by the client, records the receiving time of the encapsulated data packet, and analyzes the encapsulated data packet to obtain the encrypted data and the synchronous code;
The server judges whether the synchronous code meets a preset aging verification condition according to the receiving time, and when the synchronous code meets the aging verification condition, the server generates a second dynamic key through the key generation algorithm according to the current time, the factory key and the seed code;
And the server decrypts the encrypted data according to the second dynamic secret key and a decryption algorithm corresponding to the encryption algorithm.
6. A physically isolated channel-based multi-factor authentication method according to claim 3, further comprising:
The server end builds an initial iris recognition model based on a deep learning framework, wherein the initial iris recognition model comprises a convolution layer, a pooling layer and a full connection layer;
The server side carries out model training on the initial iris recognition model according to a preprocessed data set to obtain a model training result, and calculates model loss corresponding to the initial iris recognition model according to the model training result, wherein the data set comprises a training data set, a verification data set and a test data set;
The server side carries out importance assessment on model parameters in the initial iris recognition model to obtain an importance assessment result, carries out model pruning on the initial iris recognition model according to the importance assessment result, and obtains the initial iris recognition model after model pruning;
The server determines a teacher model corresponding to the initial iris recognition model after model pruning, and trains the training data set through the teacher model to obtain a softening label;
The server calculates distillation loss according to the softening tag and the model training result, and trains the initial iris recognition model after model pruning according to the model loss and the distillation loss to obtain a target iris recognition model;
And when the second sub-verification result indicates that the current login rolling code meets the second sub-login condition, the server verifies whether the iris information meets the third sub-login condition according to the registered iris feature information in the associated information set to obtain a third sub-verification result, which comprises:
And when the second sub-verification result indicates that the current login rolling code meets the second sub-login condition, the server verifies whether the iris information meets the third sub-login condition through the target iris recognition model according to the registered iris characteristic information in the associated information set to obtain a third sub-verification result.
7. A physically isolated channel-based multi-factor authentication method according to any of claims 1-3, further comprising:
the client detects target operation of the user on the client at fixed time;
The client judges whether the target operation meets a preset operation verification condition, and when the target operation meets the operation verification condition, the client displays operation confirmation reminding information to the user;
And the client detects whether a confirmation instruction of the user for the operation confirmation reminding information is received within a preset time period, and when the client does not receive the confirmation instruction within the preset time period, the client disconnects a data access channel between the server and the client and triggers and executes the operation of detecting the server access request triggered by the user.
8. The multi-factor authentication system based on the physical isolation channel is characterized by comprising a client and a server, wherein the client comprises a detection module, a generation module and a sending module, and the system comprises the following components:
The detection module is used for detecting a server access request triggered by a user, and acquiring user information input by the user when the server access request is detected, wherein the user information comprises a user account number, a user password and iris information;
The generation module is used for generating a current login rolling code according to the user account and a preset rolling code generation algorithm and displaying the current login rolling code to the user;
the sending module is used for sending the user information and the current login rolling code to the server side based on a preset physical isolation channel after detecting that the user inputs the current login rolling code;
the server side comprises a receiving module and a channel establishing module, wherein:
The receiving module is used for receiving the user information and the current login rolling code sent by the client and verifying the user information and the current login rolling code to obtain a verification result;
The channel establishing module is used for establishing a data access channel between the server side and the client side when the verification result shows that the user information and the current login rolling code meet preset login conditions, and authorizing the user to access the data of the server side through the data access channel.
9. A physically isolated channel-based multi-factor authentication apparatus, the apparatus comprising:
a memory storing executable program code;
A processor coupled to the memory;
The processor invokes the executable program code stored in the memory to perform the physically isolated channel based multi-factor authentication method of any of claims 1-7.
10. A computer storage medium storing computer instructions which, when invoked, are operable to perform the physically isolated channel-based multi-factor authentication method of any of claims 1-7.
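The encapsulated-packet exchange of claim 5 (synchronization code from the current time, a dynamic key from time, factory key and seed code, encryption, and the server's aging check before re-deriving the key and decrypting) as an added worked example; this is not the patent's code, and the 30 s window, the one-window clock tolerance, HMAC-SHA256 as the key generation algorithm and an HMAC-based counter-mode cipher with an authentication tag are all assumptions standing in for the unnamed "preset" algorithms. The example also goes one step beyond the claim: since the aging check only bounds the replay window, the server additionally rejects a nonce it has already accepted inside that window.

```python
import hashlib
import hmac
import json
import os
import struct
from typing import Optional

# Assumed parameters (the patent leaves them unspecified): a 30 s window for the
# synchronization code and one window of tolerated clock skew on the server side.
WINDOW_SECONDS = 30
MAX_WINDOW_SKEW = 1


def sync_code(now: float) -> int:
    """Synchronization code generated from the current time (claim 5)."""
    return int(now) // WINDOW_SECONDS


def derive_dynamic_key(factory_key: bytes, seed_code: bytes, code: int) -> bytes:
    """Dynamic key from (time, factory key, seed code). HMAC-SHA256 is an assumed
    stand-in for the page's unnamed key generation algorithm."""
    return hmac.new(factory_key, seed_code + struct.pack(">Q", code), hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256 (assumed stand-in for the preset cipher)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">I", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _xor(data: bytes, stream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, stream))


def client_package(user_info: dict, rolling_code: str, factory_key: bytes,
                   seed_code: bytes, now: float) -> dict:
    """Client side: encrypt user info and rolling code under the first dynamic key
    and encapsulate the ciphertext together with the synchronization code."""
    code = sync_code(now)
    key = derive_dynamic_key(factory_key, seed_code, code)
    plaintext = json.dumps({"user_info": user_info, "rolling_code": rolling_code}).encode()
    nonce = os.urandom(16)
    ciphertext = _xor(plaintext, _keystream(key, nonce, len(plaintext)))
    # Encrypt-then-MAC; the tag also covers the sync code so it cannot be re-stamped.
    tag = hmac.new(key, struct.pack(">Q", code) + nonce + ciphertext, hashlib.sha256).digest()
    return {"sync_code": code, "nonce": nonce.hex(),
            "ciphertext": ciphertext.hex(), "tag": tag.hex()}


def server_unpack(packet: dict, factory_key: bytes, seed_code: bytes,
                  receive_time: float, seen_nonces: Optional[set] = None) -> dict:
    """Server side: record the receive time, run the aging check on the sync code,
    derive the second dynamic key, verify the tag and decrypt.
    Raises ValueError for stale, tampered or replayed packets."""
    code = int(packet["sync_code"])
    # Aging verification: the packet's window must match the server's current
    # window within the tolerated skew, otherwise it is outdated (or a late replay).
    if abs(sync_code(receive_time) - code) > MAX_WINDOW_SKEW:
        raise ValueError("synchronization code failed the aging check")
    nonce = bytes.fromhex(packet["nonce"])
    ciphertext = bytes.fromhex(packet["ciphertext"])
    # The key is re-derived from the verified sync code rather than from the raw
    # receive time, so a packet straddling a window boundary still decrypts.
    key = derive_dynamic_key(factory_key, seed_code, code)
    expected = hmac.new(key, struct.pack(">Q", code) + nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, bytes.fromhex(packet["tag"])):
        raise ValueError("authentication tag mismatch")
    # The aging check only bounds the replay window; reject duplicates inside it.
    if seen_nonces is not None:
        if nonce in seen_nonces:
            raise ValueError("replayed packet")
        seen_nonces.add(nonce)
    plaintext = _xor(ciphertext, _keystream(key, nonce, len(ciphertext)))
    return json.loads(plaintext.decode())


if __name__ == "__main__":
    # Constructed sample values; a real deployment provisions these per device.
    fk, seed, now = b"constructed-factory-key", b"constructed-seed", 1_700_000_000.0
    pkt = client_package({"account": "alice", "password": "pw", "iris": "feat"}, "483920", fk, seed, now)
    print(server_unpack(pkt, fk, seed, now + 5, set()))
```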
CN202410612485.3A 2024-05-17 2024-05-17 Multi-factor authentication method and system based on physical isolation channel Pending CN118200058A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202410612485.3A CN118200058A (en) 2024-05-17 2024-05-17 Multi-factor authentication method and system based on physical isolation channel


Publications (1)

Publication Number Publication Date
CN118200058A true CN118200058A (en) 2024-06-14

Family

ID=91405388


Country Status (1)

Country Link
CN (1) CN118200058A (en)


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination