EP4320534A1 - Method for controlling access to goods or services distributed via a data communication network - Google Patents

Method for controlling access to goods or services distributed via a data communication network

Info

Publication number
EP4320534A1
Authority
EP
European Patent Office
Prior art keywords
authentication
platform
access
terminal
user
Prior art date
Legal status
Pending
Application number
EP22721103.4A
Other languages
English (en)
French (fr)
Inventor
Arnaud OLIVIER
Philippe DIEUDONNÉ
Current Assignee
Hiasecure
Original Assignee
Hiasecure
Priority date
Filing date
Publication date
Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31 User authentication
    • G06F21/36 User authentication by graphic or iconic representation
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31 User authentication
    • G06F21/42 User authentication using separate channels for security data

Definitions

  • the present invention relates to the field of the distribution of goods and services via a data communication network.
  • the invention relates more particularly to the control of access to the service or to the distributed good.
  • These goods and services are typically offered by a merchant via a service platform, often called an online trading platform, connected to the data communication network and made accessible to users via this network.
  • the user uses a terminal also connected to the data communication network allowing him to connect and interact with the merchant's platform.
  • the terminal used by the user is typically a personal computer, a digital tablet, a smart phone (smartphone) or any other information processing device that can be connected to the data communication network.
  • the user wishing to access a good or service offered by an e-commerce platform must typically register with the platform. This registration typically consists of opening an account linked to the user with the platform, and of the platform assigning authentication credentials to the user so that he can then authenticate himself with the platform.
  • a first family of access control methods consists of encrypting the content offered and providing the user with a hardware device for decryption.
  • This hardware device typically called a decoder
  • This second hardware device is typically a smart card.
  • Access to the service requires the use of the decoder and the associated smart card.
  • This first family offers a good level of control over the legitimacy of the user's access to the service. However, it limits access to the user's home, where the decoder is installed. This constraint is increasingly unsuited to a context where the user typically has several terminals allowing access to the service, these terminals being increasingly mobile. Users now expect to be able to access their services more freely, regardless of the place of access.
  • a second family of access control methods allows the user to use any type of terminal connected to the data communication network.
  • the only constraint imposed consists in asking the user to authenticate himself from the terminal when he wishes to access the service. This authentication is then typically based on entering the password associated with the user's account.
  • This family of access control methods offers the flexibility expected in terms of the freedom given to the user to access the service from any terminal connected to the network and from any location. However, it comes with a lower level of control. In particular, it is not possible to verify that the authentication credentials have indeed been entered by the legitimate user. Merchants using these access control methods have the greatest difficulty in limiting the sharing of identifiers between users and the resulting fraudulent access.
  • the present invention aims to solve the aforementioned drawbacks by proposing an access control method making it possible to offer flexibility of access as to the access terminal and its location while offering better control of the legitimacy of access. It is based on the distinction made between the service access terminal and the authentication terminal. It is also based on a token issued by the platform in response to a service access request. This token is made accessible from the service access terminal, it is then transmitted to the authentication terminal and returned to the platform with the authentication result. It is then possible to offer great flexibility at the level of the access terminal used while benefiting from strong security provided by the authentication terminal. The token makes it possible to make the link between the two.
  • the invention relates to a method for controlling access to a good or service offered by a platform (102) from an access terminal (100), characterized in that it comprises:
  • the token is a QR-code.
  • the token is a brand concealed in an image.
  • the token is transmitted between the access terminal and the authentication terminal by photographic capture of the token from the authentication terminal.
  • the token further comprises platform identification information.
  • the token further comprises information relating to the access terminal.
  • the authentication terminal is registered beforehand with the authentication server, only one terminal being able to be registered for a given user.
  • the authentication server also carries out checks relating to the legitimacy of the stored request.
  • the user authentication step includes the verification of a biometric characteristic of this user.
  • the token is transmitted with the authenticated identity of the user from the authentication server to the platform.
  • the invention relates to a computer program comprising instructions adapted to the implementation of each of the steps of the method according to the invention when said program is executed on a computer.
  • the invention relates to a means of storing information, removable or not, partially or totally readable by a computer or a microprocessor comprising code instructions of a computer program for the execution of each of the steps of the process according to the invention.
  • FIG. 1 illustrates a known system for distributing goods and/or services via a data communication network
  • FIG. 2 illustrates a system for distributing goods and/or services according to one embodiment of the invention
  • FIG. 3 illustrates the exchanges when accessing a good or service according to one embodiment of the invention
  • FIG. 4 is a schematic block diagram of an information processing device for implementing one or more embodiments of the invention.
  • FIG. 1 illustrates a known system for the distribution of goods and/or services via a data communication network.
  • a client 100 is connected to a data communication network 101, typically the Internet network.
  • a platform 102 also connected to the data communication network 101 offers goods or services.
  • a user can access a good or service offered by the platform 102 from the client 100. This access is done using exchanges 103 between the client 100 and the platform 102.
  • the client 100 is typically service access software, such as for example a Web browser running on an access terminal connected to the network 101.
  • the access terminal can be a personal computer, a digital tablet, a smart mobile phone, or any other information processing device that can connect to the network.
  • the platform 102 is a set of software running on one or more computer servers. The term platform is used here to designate all the services offered by a merchant to users, regardless of the hardware implementation of the server(s) on which this software runs.
  • the platform can operate on a single server or a set of servers that can be located in different geographical locations. These servers can communicate with each other to provide the service.
  • the platform 102 typically combines several functions. In addition to the offer and distribution of goods and services as such, the platform also typically manages a database of users registered with the platform, their authentication, and the rights associated with each user.
  • the platform can be a platform for the purchase of goods online, for the distribution of services such as, for example, video on demand services, film rental, music distribution, etc.
  • a user connecting to the platform for the first time is typically offered a registration procedure.
  • This registration procedure consists of creating an account for the user and assigning him authentication credentials to allow him to authenticate with the platform. This registration may be subject to purchase or be made free of charge, depending on the distribution model adopted by the platform.
  • the platform has an account linked to the user which records information linked to this user. This may include banking information, rights related to registration, authentication data and any information necessary for the platform to offer its service to the user.
  • the user wishing to access a good or service offered by the platform must connect to it from the client running on his terminal.
  • This client can typically be an Internet browser, such as Safari (trademark), Chrome (trademark), Edge (trademark) or other.
  • the client can also be an application dedicated to accessing the platform. To do this, it typically needs to authenticate with the platform. Any type of authentication can then be used.
  • the most common authentication process consists of providing a pair of identifiers consisting of a user identifier, often referred to by the English word login, and an associated password.
  • Authentication can be requested at each connection or only from time to time.
  • the identity of the user is then saved by the client.
  • the user can access the platform and choose a product or service.
  • a request for a product or service is then sent by the client to the platform.
  • the latter typically verifies the legitimacy of the request, i.e. it verifies that the user has the rights to access the product or requested service.
  • This verification may include a verification of the geographic location of the customer, for example when the product or service is only legally available in certain parts of the world. This may be the case for audio-visual services where the rights associated with a work may be geographically limited. Depending on the type of product or service offered, any type of verification may be necessary. Payment may also be required to obtain the requested product or service.
  • the user can obtain the requested good or service.
  • the requested audiovisual program can be broadcast by the platform to the client of the user's terminal from which the request was issued.
  • This access control method offers flexibility of access from any terminal, at home and outside the home, to the user.
  • if the user wishes to access the platform from a new terminal, all he has to do is authenticate himself to the platform from the client available on that terminal.
  • Mere knowledge of the authentication credentials, here an identifier and a password, allows access to the platform with the rights associated with the user.
  • the invention aims to solve this problem by proposing a method of controlling access to an online platform making it possible to offer flexible access to the services offered from any terminal by limiting the risks of fraudulent access by a user other than the legitimate user.
  • Figure 2 illustrates an architecture for the distribution of goods or services from a platform according to one embodiment of the invention.
  • This figure shows the access terminal 100 to the platform 102 via the data communication network 101.
  • the access terminal 100 exchanges messages 103 with the platform 102.
  • the authentication terminal 200 is a single terminal, linked to the user. It can be, for example, his smartphone, a digital tablet or other.
  • a second aspect of the invention consists in distinguishing the platform 102 offering the goods or services from the authentication server 202 in charge of user authentication.
  • the user authentication is performed by the latter from the authentication terminal 200.
  • the user uses an authentication client running on the terminal 200.
  • This client can be a generic client such as a Web browser, or preferably a dedicated authentication application offered by the service provider operating the authentication server 202. Any authentication protocol can be used here, from a simple identifier and password to more secure ones that can use, for example, verification of a biometric characteristic of this user.
  • an authentication of the challenge-response type is used, the user using a secret convention specific to him to determine the response to the challenge proposed by the authentication server.
  • a secret convention specific to him is described in the French patent application published under the number FR3074321.
  • the authentication involves a connection from the authentication terminal 200 to the authentication server 202 via the communication link 204.
  • the authentication terminal is registered beforehand with the authentication server, and a given user can register only one authentication terminal.
  • when the platform 102 receives a request from an access terminal, it generates a token and returns it to the access terminal 100.
  • the user transfers this token to the authentication terminal 200.
  • This transfer can take any form. It may be an electronic transmission via a connection between the two terminals of the wireless type according to, for example, the Bluetooth protocol (registered trademark) or else the Wifi protocol (registered trademark). It may also be information displayed on the screen of the access terminal 100 that the user copies onto the authentication terminal 200.
  • the token transmitted by the platform is displayed on the screen of the access terminal 100 and photographed from the authentication terminal 200.
  • the token can take, in this embodiment, the form of a two-dimensional code of the QR-code type or even a concealed mark in an image using a process known as watermarking.
  • the token, or at least the information contained in the token is then transmitted by the authentication terminal to the authentication server during the exchanges performing this authentication.
  • the authentication server 202 is able to transmit to the platform the verified identity of the user and the token, or the information contained in the token, to the platform 102.
  • the platform 102 having the identity of the user and the token is then able to authorize the distribution, or the transmission, of the good or service requested by the user.
  • the nature of this dissemination or transmission depends on the nature of the good or service requested by the user. This may be a transmission to the access terminal, for example in the case of a digital book or an audiovisual work purchased by the user. It can also be the distribution without storage, streaming in English, of an audiovisual work. It can even be the shipment of a physical good, unrelated to the access terminal which will only have been used for the purchase, when the user's request concerns a material good.
  • the token must contain at least one piece of information allowing the platform to identify the pending request received from the access terminal that prompted the generation of the token, either directly or indirectly, i.e. by finding or computing information that identifies the pending request from the access terminal. It can be an identifier of this request, which is typically stored by the platform while waiting for authentication. This identifier is then typically generated by the platform when storing the request. In an alternative embodiment, it may be an identifier of the access terminal that sent the request; the platform then searches among the stored requests for the one that comes from this access terminal. In general, this can be any data allowing the platform to identify the request, directly or indirectly.
  • the platform can carry out additional checks when receiving the identity of the user and the token. These checks may relate to the rights linked to the user, or to time slots for use of the good or service. They may also relate to the characteristics of the access terminal: technical characteristics such as the size of the screen, the power of the processor or others; characteristics linked to the geographical location of the access terminal, since access rights to certain goods or services may be limited geographically; but also characteristics related to the context of the access terminal, such as the presence of a high-fidelity audio system that can be used in the vicinity, or the presence of an electronic or digital component, such as a Secure Element or digital safe, accessible and usable from the access terminal.
  • Some of these checks relating to the legitimacy of the pending request can be performed by the authentication server in some embodiments of the invention. It is then possible for the platform to transmit certain necessary information within the token. This information may, for example, contain information on the capabilities of the access terminal, its location and its network environment.
  • Access to the good or service may be conditional on payment by the user.
  • This payment can be managed by the platform upon receipt of the user's authenticated identity in collaboration with a payment platform and/or the bank associated with the user's account. The payment will then be confirmed by the user from the access terminal.
  • Payment management can also be managed by the authentication server.
  • the platform upon receipt of the user's identity and the token informs the authentication server of the need for payment.
  • the server then proceeds to manage the payment which will be confirmed by the user from the authentication terminal, this payment being able, for example, to credit a platform account in real time and linking this payment to the token issued by said platform allowing the release of the service identified by the token.
  • the information required for payment can be stored by the authentication server or provided by the platform for each operation.
  • the authentication server can be associated with a given platform. But in some embodiments, the authentication server allows user authentication of a plurality of platforms.
  • the platform may include a platform identifier in the token information.
  • This identifier can take the form of the internet address of the platform, an identifier previously agreed between the platform and the authentication server or any information enabling the authentication server to identify the platform.
  • the invention allows the user to benefit from access to the platform from any access terminal and in any place.
  • the authentication terminal is typically, but not limited to, a smartphone of the user. Authentication therefore requires physical access to this phone. Handing out his authentication credentials to a circle of friends, for example, is no longer possible. It is therefore possible, thanks to the invention, to retain the flexibility of the customer's choice of access to a platform while very strongly limiting the possibilities of fraudulent access by an illegitimate user.
  • Figure 3 illustrates the exchanges occurring during access to a good or service in an embodiment of the invention.
  • a user wishing to access a good or service offered by a platform from an access terminal causes an access request 300 to be sent from this access terminal to the platform.
  • the platform receives this request 300 and stores it. This request is then pending.
  • information on the access terminal is stored within or with the request received. This information can be transmitted by the access terminal with the request. For example, if the request is made using the HTTP protocol (Hypertext Transfer Protocol), a header of the HTTP request typically contains a signature of the access terminal and of the client issuing the request.
  • the platform generates a token and transmits this token in the form of a response 301 to the request 300. As discussed above, this token contains at least one piece of information that will allow the platform to identify the pending request 300 subsequently.
  • the token may also contain information making it possible to identify the platform or any additional information such as information on the access terminal.
  • this token must be transmitted, 302, by the user to his authentication terminal.
  • This transmission can take any form. It can be a transmission using a wired or wireless transmission protocol between the access terminal and the authentication terminal. It can also be a photographic capture of an element such as a QR-code or an invisible marking, the token then being displayed on the screen of the access terminal. It can also involve the manual copying of information, such as a string of characters, displayed on the screen of the access terminal.
  • the user is authenticated from his authentication terminal.
  • the particular exchanges here are dependent on the authentication protocol used, which here can be any known authentication protocol.
  • the authentication terminal transmits the token and the user identifier in an authentication request 303 to the authentication server.
  • the authentication server generates and transmits in response a challenge 304 to the authentication terminal.
  • the user then uses the secret convention to produce the challenge response and transmit it, 305, to the authentication server.
  • the authentication server performs the authentication and, if successful, transmits the authenticated identity of the user and the received token to the platform in the form of message 306.
  • the authentication server may perform additional checks as described above. These checks may require the interpretation and use of additional information contained in the token. It may also be necessary for the authentication server to obtain an identifier from the platform contained in the token to identify the platform when there are several. In certain embodiments, the information contained in the token which is useful only to the authentication server is not retransmitted to the platform. Only the information allowing the platform to identify the pending request is required in addition to the authenticated identity of the user.
  • when the platform receives the authenticated identity of the user and the information identifying the pending request, it can release, by a message 307, access to the good or service requested in the pending request from the access terminal.
  • the authentication server can, on the basis of session or context information already resident and dated in the authentication terminal, not carry out a new authentication of the user and directly transmit the previously obtained authenticated identity of the user to the platform.
  • These exchanges between the access terminal, the authentication terminal, the authentication server and the platform can use any transmission protocol.
  • the HTTP protocol is used.
  • FIG. 4 is a schematic block diagram of an information processing device 400 for implementing one or more embodiments of the invention.
  • the information processing device 400 can be a peripheral such as a microcomputer, a workstation or a mobile telecommunications terminal.
  • Device 400 includes a communication bus connected to:
  • a central processing unit 401, such as a microprocessor, denoted CPU;
  • a random access memory 402, denoted RAM, for storing the executable code of the method according to the invention as well as the registers suitable for recording the variables and parameters necessary for the implementation of the method according to embodiments of the invention;
  • the memory capacity of the device can be supplemented by an optional RAM memory connected to an expansion port, for example;
  • a network interface 404 is normally connected to a communication network over which digital data to be processed is transmitted or received.
  • the network interface 404 can be a single network interface, or composed of a set of different network interfaces (for example wired and wireless interfaces, or different types of wired or wireless interfaces). Data packets are sent over the network interface for transmission, or are read from the network interface for reception, under the control of the software application running in processor 401;
  • a user interface 405 for receiving input from a user or for displaying information to a user
  • an input/output module 407 for receiving/sending data from/to external devices such as hard disk, removable storage medium or others.
  • the executable code can be stored in a read only memory 403, on the storage device 406 or on a digital removable medium such as for example a disc.
  • the executable code of the programs can be received by means of a communication network, via the network interface 404, in order to be stored in one of the storage means of the communication device 400, such as the storage device 406, before being executed.
  • the central processing unit 401 is suitable for controlling and directing the execution of the instructions or software code portions of the program or programs according to one of the embodiments of the invention, instructions which are stored in one of the aforementioned storage means. After power-up, CPU 401 is able to execute instructions from main RAM 402 relating to a software application. Such software, when executed by processor 401, causes the processes described to be performed.
  • the device is a programmable device that uses software to implement the invention.
  • the present invention may be implemented in hardware (eg, as a specific integrated circuit or ASIC).
  • ASIC: application-specific integrated circuit
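The Figure 3 exchange described above, as an added example that is not the applicant's code: it simulates the access terminal's request (300/301), the carrying of the token to the registered authentication terminal (302), the challenge-response with the authentication server (303 to 305), the forwarding of the authenticated identity plus token to the platform (306) and the one-shot release of the pending request (307). The user's "secret convention" for answering the challenge is not described on the page (it refers to FR3074321); an HMAC-SHA256 over the challenge with a per-user secret is an assumed stand-in, and the platform identifier, user names, terminal identifiers and user-agent string are constructed values.

```python
# Added example (not the applicant's code): simulation of the Figure 3 exchange.
# The "secret convention" is not described on the page; HMAC-SHA256 over the
# challenge with a per-user secret is an assumed stand-in for it.
import hashlib
import hmac
import json
import secrets

PLATFORM_ID = "shop.example"   # assumed platform identifier carried in the token


def answer_challenge(secret, challenge):
    # Stand-in for the user's secret convention (assumption): HMAC of the challenge.
    return hmac.new(secret, challenge.encode(), hashlib.sha256).hexdigest()


class Platform:
    def __init__(self, platform_id):
        self.platform_id = platform_id
        self.pending = {}   # request_id -> stored request (message 300)
        self.rights = {}    # user -> set of goods this user may access

    def receive_request(self, good, terminal_info):
        """Messages 300/301: store the request, answer with a token."""
        request_id = secrets.token_hex(8)
        self.pending[request_id] = {"good": good, "terminal": terminal_info}
        token = {"request_id": request_id, "platform": self.platform_id,
                 "terminal": terminal_info}
        return json.dumps(token)   # shown on the access terminal, e.g. as a QR code

    def release(self, user, token):
        """Messages 306/307: authenticated identity + token -> good, or None."""
        request_id = json.loads(token).get("request_id")
        request = self.pending.pop(request_id, None)   # one-shot: a replay finds nothing
        if request is None or request["good"] not in self.rights.get(user, set()):
            return None
        return request["good"]   # released towards the access terminal of the request


class AuthenticationServer:
    def __init__(self, platforms):
        self.platforms = platforms   # platform_id -> Platform (several platforms allowed)
        self.users = {}              # user -> {"secret", "terminal"}
        self.challenges = {}         # user -> (challenge, token) awaiting a response

    def register(self, user, terminal_id, secret):
        """Prior registration: only one authentication terminal per user."""
        if user in self.users:
            raise ValueError("only one authentication terminal may be registered")
        self.users[user] = {"secret": secret, "terminal": terminal_id}

    def start(self, user, terminal_id, token):
        """Messages 303/304: token + identifier in, challenge out."""
        record = self.users.get(user)
        if record is None or record["terminal"] != terminal_id:
            return None   # unknown user, or a terminal other than the registered one
        challenge = secrets.token_hex(16)
        self.challenges[user] = (challenge, token)
        return challenge

    def finish(self, user, response):
        """Messages 305/306: verify the response, forward identity + token."""
        pending = self.challenges.pop(user, None)
        if pending is None:
            return None
        challenge, token = pending
        expected = answer_challenge(self.users[user]["secret"], challenge)
        if not hmac.compare_digest(expected, response):
            return None
        platform = self.platforms.get(json.loads(token).get("platform"))
        return None if platform is None else platform.release(user, token)


def run_scenario():
    """Runs the nominal exchange plus four refusals; returns the outcomes."""
    platform = Platform(PLATFORM_ID)
    auth = AuthenticationServer({PLATFORM_ID: platform})
    secret = b"constructed-per-user-secret"
    auth.register("alice", "phone-A", secret)
    platform.rights["alice"] = {"film-42"}
    try:                                   # a second terminal for alice is refused
        auth.register("alice", "phone-B", secret)
        second_terminal_refused = False
    except ValueError:
        second_terminal_refused = True
    # 300/301: the browser on the access terminal asks for film-42 (constructed UA)
    token = platform.receive_request("film-42", "Mozilla/5.0 (constructed UA)")
    # 302: token carried to the phone; 303/304 challenge; 305/306/307 release
    challenge = auth.start("alice", "phone-A", token)
    released = auth.finish("alice", answer_challenge(secret, challenge))
    # the same token presented again: its pending request was already consumed
    replay = auth.finish("alice", answer_challenge(secret, auth.start("alice", "phone-A", token)))
    # a phone that is not the registered one gets no challenge at all
    wrong_terminal = auth.start("alice", "phone-B", token)
    # identifier known but secret not: the response fails, nothing is released
    bad = auth.start("alice", "phone-A", platform.receive_request("film-42", "UA"))
    wrong_response = auth.finish("alice", answer_challenge(b"guess", bad))
    return {"released": released, "replay": replay, "wrong_terminal": wrong_terminal,
            "wrong_response": wrong_response, "second_terminal_refused": second_terminal_refused}


if __name__ == "__main__":
    print(run_scenario())
```

The point the simulation makes is that the token itself carries no secret: it only names the pending request (and optionally the platform and access-terminal information), so possessing it is useless without the registered authentication terminal and its secret, and the platform's `pending.pop` makes each token usable once.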
EP22721103.4A 2021-04-09 2022-04-07 Method for controlling access to goods or services distributed via a data communication network Pending EP4320534A1 (de)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
FR2103663A FR3121764A1 (fr) 2021-04-09 2021-04-09 Method for controlling access to a good or service distributed via a data communication network
PCT/FR2022/050649 WO2022214768A1 (fr) 2021-04-09 2022-04-07 Method for controlling access to a good or service distributed via a data communication network

Publications (1)

Publication Number Publication Date
EP4320534A1 true EP4320534A1 (de) 2024-02-14

Family

ID=76523066

Family Applications (1)

Application Number Title Priority Date Filing Date
EP22721103.4A Pending EP4320534A1 (de) 2021-04-09 2022-04-07 Method for controlling access to goods or services distributed via a data communication network

Country Status (3)

Country Link
EP (1) EP4320534A1 (de)
FR (1) FR3121764A1 (de)
WO (1) WO2022214768A1 (de)

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2013085807A1 (en) * 2011-12-06 2013-06-13 Gregory Dorso Systems and methods for fast authentication with a mobile device
US20140317713A1 (en) * 2012-09-02 2014-10-23 Mpayme Ltd. Method and System of User Authentication Using an Out-of-band Channel
FR3074321B1 (fr) 2017-11-24 2021-10-29 Hiasecure Procedes et dispositifs pour l'enrolement et l'authentification d'un utilisateur aupres d'un service

Also Published As

Publication number Publication date
FR3121764A1 (fr) 2022-10-14
WO2022214768A1 (fr) 2022-10-13

Similar Documents

Publication Publication Date Title
EP3243176B1 (de) Verfahren zur verarbeitung einer transaktion von einem kommunikationsendgerät
EP2177025B1 (de) Verfahren und vorrichtung zur partiellen verschlüsselung digitaler inhalte
US20050246193A1 (en) Methods and apparatus for enabling transaction relating to digital assets
US20060123484A1 (en) Method of clearing and delivering digital rights management licenses to devices connected by IP networks
CA2371838A1 (fr) Procede de telepaiement et systeme pour la mise en oeuvre de ce procede
EP1103935A2 (de) Verfahren für Datenübertragung und Server zu dessen Ausführung
EP1940116A2 (de) Verfahren und System zum Ausführen von Transaktionen mit tragbaren elektronischen Geräten, die an ein Kommunikationsnetz angeschlossen werden können und entsprechendes tragbares elektronisches Gerät
WO2013021107A1 (fr) Procede, serveur et systeme d'authentification d'une personne
WO2013093314A1 (fr) Procede d'acces par un terminal de telecommunication a une base de donnees hebergee par une plateforme de services accessible via un reseau de telecommunications
WO2006009716A2 (en) Methods and apparatus for enabling transactions in networks
EP1645070B1 (de) Verfahren zur sicherung eines elektronischen zertifikats
EP1637989A1 (de) Verfahren und Vorrichtung zur Aufteilung von Konten mit persönlichen Daten
FR3086414A1 (fr) Procede de traitement d'une transaction, dispositif, systeme et programme correspondant
WO2015136209A1 (fr) Moyens de gestion de droits de suite pour objets numériques
EP3588418A1 (de) Verfahren zur durchführung einer transaktion, endgerät, server und entsprechendes computerprogramm
WO2022214768A1 (fr) Méthode de contrôle d'accès à un bien ou service distribué par un réseau de communication de données
WO2022254002A1 (fr) Procédé de traitement d'une transaction, dispositif et programme correspondant.
FR3114714A1 (fr) Procédé d’accès à un ensemble de données d’un utilisateur.
EP4294067A1 (de) Verwaltung der authentifizierung eines endgeräts zum zugriff auf einen dienst eines dienstanbieters.
FR3049369A1 (fr) Procede de transfert de transaction, procede de transaction et terminal mettant en œuvre au moins l'un d'eux
FR2972882A1 (fr) Procede de transfert et de comptabilisation de tags, et dispositif correspondant
FR2988884A1 (fr) Procede et systeme de fourniture d'un ticket numerique pour l'acces a au moins un objet numerique
FR3081246A1 (fr) Procede de realisation d'une transaction, terminal, serveur et programme d'ordinateur correspondant
FR2888437A1 (fr) Procede et systeme de controle d'acces a un service d'un fournisseur d'acces implemente sur un serveur multimedia, module, serveur, terminal et programmes pour ce systeme
WO2013045793A1 (fr) Procede de distribution de contenus, dispositif d'obtention et programme d'ordinateur correspondant

Legal Events

Date Code Title Description
STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: UNKNOWN

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: THE INTERNATIONAL PUBLICATION HAS BEEN MADE

PUAI Public reference made under article 153(3) epc to a published international application that has entered the european phase

Free format text: ORIGINAL CODE: 0009012

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: REQUEST FOR EXAMINATION WAS MADE

17P Request for examination filed

Effective date: 20231103

AK Designated contracting states

Kind code of ref document: A1

Designated state(s): AL AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HR HU IE IS IT LI LT LU LV MC MK MT NL NO PL PT RO RS SE SI SK SM TR