FR3007600A1 - METHOD FOR AUTHENTICATING A USER TO ACCESS A SET OF SERVICES PROVIDED ON A PRIVATE COMMUNICATION NETWORK - Google Patents

Abstract

A method for authenticating a user for access to a set of services provided over a private communication network (P_NW), the user having a first communication terminal (TER1) able to connect to a network of mobile telephony (W_NW), this first terminal being provided with NFC-type wireless reading means. The method comprises the following steps: a) - following a cooperation between the first terminal (TER1) and an NFC-type wireless communication device (TAG), transmitting the wireless communication device (TAG) to the first terminal ( TER1), an access address to an authentication server (AUTH) on the mobile telephone network (W_NW); b) - automatic creation in the first terminal (TER1), from the access web address, of an access request to the authentication server (AUTH), and transmission of the access request to the server Authentication c) - reception by the authentication server (AUTH) of the access request, and authentication of the user from at least one identifier of the first terminal (TER1) contained in the access request, and, if the user authentication is successful: d) - validation of the user's access to the set of services (PF_SV); e) - sending to the first terminal (TER1) and / or at least one second terminal (TER2-3), an access notification to the set of services.

Description

The invention relates to the authentication of a user for access to a set of services provided over a private communication network, from a communication terminal able to connect to a mobile telephone network. A particular but non-exclusive application of the invention relates to the corporate world in which more and more employees today use their personal terminals to connect to the company's private communication network. This private network may typically consist of a private network based on the IP (Internet Protocol), Internet type, conventionally designated intranet, this private network can be, if necessary, associated with a professional mobile network.

The current tendency of a company's employees to use their personal terminal more and more to connect to the corporate network, is referred to as "Bring your own device" (BYOD). it can be translated as "Bring your personal equipment". In other words, it is a practice to use your personal equipment (phone, laptop, tablet, etc.) in a different context, for example in the professional setting. However, this increasingly common practice poses information security problems. Indeed, to date, the number of users of mobile devices is increasing enormously and the volume of information conveyed is growing. This induces the development of fraudulent operations, aimed at recovering personal and professional data (malware, terminal thefts, wiretapping ...). To answer this problem of information security, solutions exist to authenticate personal equipment in the professional sphere.

Such solutions involve in particular the installation in the personal terminal of the user-employee of an authentication application and security certificates. The aforementioned solutions, in that they require the installation of a specific application in the terminal in question, therefore affect the integrity of the terminal with the inherent risks that this entails, for example the risk of loss of personal data. the user when installing an authentication application.

Moreover, if the user-employee has several personal terminals (laptop, digital tablet, smartphone, ...) that can be used for business purposes, the number of authentication application installation operations is multiplied for each user by the number of separate personal terminals.

On the other hand, this approach involves complex management of software updates for authentication applications, and generates significant financial costs for the company. According to another trend, more and more communication terminals (more than 100 million in 2012), such as tablets and mobile phones, are natively equipped with near field communication (NFC) technology. NFC or "near-field communication" is a short-range, high-frequency wireless communication technology that allows the exchange of information between devices up to a distance of about 10 cm. This technology equipping a communication terminal allows the latter to be able to exchange information with a passive NFC chip, external to the terminal and called NFC tag (NFC tag). The present invention aims at improving the situation described above relating to the security and cost problem related to the current tendency of the employees of a company to use more and more their personal terminal to connect to the company network, in taking advantage of the NFC technology that is now increasingly used for communication terminals. The invention, however, applies to any situation in which personal terminals of users are used in a context different from their initial destination, to connect to a private communication network subject to specific access rights. For this purpose, according to a first aspect, the present invention relates to a method for authenticating a user for access to a set of services provided on a private communication network, the user having a first communication terminal. adapted to connect to a mobile network, the first terminal being provided with NFC-type wireless reading means. According to the invention this method comprises: a) - following a cooperation between the first terminal and an NFC wireless communication device, transmission of the wireless communication device to the first terminal, an access web address to an authentication server on the mobile network; b) - automatic creation in the first terminal, from the access web address, a request for access to the authentication server, and transmission of the access request to the authentication server; c) - receiving by the authentication server of the access request, and authentication of the user from at least one identifier of the first terminal contained in the access request, and, if the authentication of the the user is successful: d) - validation of the user's access to the set of services; e) - sending to the first terminal and / or at least one second terminal, an access notification to the set of services.

Thus, thanks to the authentication method according to the invention, a user having a mobile terminal ("first terminal"), for example a mobile phone type smartphone (literally "smart phone" in French) equipped with the NFC technology, will be able to connect and access services provided via a private network - for example a corporate intranet - without the need to install a specific authentication application in the terminal. It is a simple and inexpensive authentication process, since it is sufficient that the terminal can automatically read a URL (Uniform Resource Locator) provided by the NFC-type wireless communication device (for example an NFC tag), so that it can connect (via a browser for example) to an authentication server. The connection of the first terminal to the authentication server simply uses the mobile network corresponding to the information stored in the SIM card (Subscriber Identity Module) of the terminal. According to one embodiment of the invention, the user authentication step c) comprises the consultation in a database of a user profile selected from the identifier of the first terminal, this profile. of user comprising information identifying at least one terminal associated with the user, and for each terminal associated with the user at least one identifier of a service to which the user is authorized.

In practice, the identifier of the first terminal used to select a user profile is the telephone number corresponding to the SIM card of the first terminal. This number conventionally obtained by a device in the mobile network then makes it possible to simply select in the authentication server the profile of the user - subscriber to the mobile telephony service - corresponding to the mobile terminal number transmitting the access request.

Such a user profile is advantageous because it allows for each user listed in the database of profiles, to define access equipment (terminals of different types) and corresponding communications services. According to one embodiment of the invention, the step (d) of validating the access of the user to the set of services, comprises sending to a server a service platform on the communication network. private, a request for access authorization of the user, the access authorization request including at least one terminal identifier of the user and at least one identifier of an authorized service for each identified terminal .

In this embodiment, the mobile network is only responsible for the authentication of the user and once the latter validly authenticated, it then transmits an access authorization request to a server equipment of the private communication network, which is responsible for providing the services validated for the user. Therefore, this embodiment involves a minimal cost in terms of specific equipment to be installed in the mobile network. According to one embodiment of the invention, the step e) of sending to the first terminal and / or to at least one second terminal of the user, a notification of access to at least one service, is preceded a step of adapting the access notification according to each terminal of the user receiving the access notification.

Thanks to this characteristic, the notification is adapted according to the capabilities of the terminal or terminals receiving the notification. For example an SMS for a simple mobile phone, a web page for a digital tablet, etc. According to one embodiment of the invention, following the creation of the access request in the first terminal, prior to its transmission to the authentication server, the access request is transmitted to a device on the telephony network. mobile, in which the identifier of the first terminal is added to the access request. This feature makes it possible to "enrich" the access request automatically with an identifier of the first terminal, for example with a number that makes it possible to uniquely identify the first terminal, such as the International Mobile Subscriber Identity (IMSI) number. or the number 1M El (International Mobile Equipment Identity), or an identifier such as the CID (Cell ID). Such an identifier is conventionally obtained by data connection mobile network access equipment, in connection with equipment such as, for example, a Mobile Service Switching Center (MSC) equipment and / or SGSN equipment (Serving GPRS Support). Node). According to a first implementation of the invention, the wireless communication device is an NFC tag, this tag being located near a second terminal, or affixed to a second terminal, or incorporated in a second terminal, in a environment related to the private communication network. In this first implementation, the NFC tag is associated with a communication terminal in an environment related to the private communication network, for example an office of a company. The label can be for example glued on the terminal itself or on the desktop on which the terminal is placed. Thus in this example, the user must first be allowed to enter the premises of the company before being able to communicate his mobile phone with the NFC tag, to access the services provided on the corporate network. According to a second implementation of the invention of the invention, the wireless communication device is a portable object incorporating an NFC chip, previously supplied to the user. In this implementation example, the NFC tag may for example be incorporated into a professional badge or provided in the form of a key ring for example, and the user can then connect remotely (without being physically present in a local business) via the mobile network. According to particular embodiments of the invention, in step b), the access request includes, in addition to an authentication server access web address, a data element among the set of data elements. next: - a digital signature stored in the first terminal of the user; in addition to the previous element, a security certificate stored in the wireless communication device; in addition to the previous element, a security certificate stored in the first terminal; - In addition to the previous item, a personal identification identifier entered by the user with the first terminal. Thanks to these provisions, it is possible to gradually improve the authentication security according to the needs, by the implementation of digital signatures and / or security certificates in the exchange of information between the NFC tag and the NFC tag. first terminal and / or in sending the access request by the first terminal to the authentication server.

According to a particular characteristic of embodiment, in step c), the access request received by the authentication server contains temporal information relating to the sending of the access request by the first terminal, and / or geographical location information of the first terminal, this information being used during the authentication of the user of the first terminal. This information is typically added to the access request when the request is received in a mobile network access equipment, and is then used as additional authentication criteria for the user of the first terminal, by the server. authentication, to increase the security of access to the private network. According to a second aspect, the invention relates to an authentication server on a mobile telephone network, for the implementation of an authentication method as briefly described above, this server comprising: a reception module; an access request containing an identifier of a user terminal in the mobile telephone network; a module for authenticating a user from the identifier of the terminal contained in the access request; a module for determining a set of services to which the user is authorized, when the authentication of the user is successful; a module for transmitting an access authorization request from the authenticated user to the set of services, intended for a server of a service platform on a private communication network. In particular, according to one embodiment, the aforementioned server comprises means for accessing a database of user profiles, in which each user profile comprises at least one identifier of a terminal associated with a user, and wherein, for each terminal identified in the profile, is associated with at least one service to which the user is authorized. According to a third aspect, the invention relates to a server of a service platform on a communication network, for the implementation of an authentication method as briefly described above. According to the invention, this server comprises: a module for receiving an access authorization request from an authenticated user to a set of services provided via the communication network, the access authorization request including at least one user terminal identifier and at least one authorized service identifier for each identified terminal; a module for creating a user's access notification to at least one service, for each terminal identified in the access authorization request, the access notification being adapted to the type of terminal identified; a module for sending an access notification to each terminal identified in the access authorization request. Finally, according to a last aspect, the present invention relates to a computer program (or set of software modules) stored on an information medium for implementing all or part of the steps of an authentication method according to the invention. invention, as briefly discussed above. This program may in particular be partly incorporated in a server on a mobile telephone network, according to the invention, and partly in a server of a service platform, according to the invention, on a private communication network, for example. example a corporate intranet. Moreover, such a computer program according to the invention can use any programming language, and include programs in the form of source code, object code, or intermediate code between source code and object code, such as in a partially compiled form, or in any other desirable form. The invention is therefore also directed to a computer-readable information recording medium, and including computer program instructions. Such a recording medium may be constituted by any entity or device capable of storing such a program. For example, the medium may include storage means, such as a ROM, for example a CD ROM or a microelectronic circuit ROM, or a removable recording means such as a USB key or a recording medium magnetic, such as a hard disk. On the other hand, a software module according to the invention can in particular be downloaded to an Internet type network. The advantages provided by the aforementioned servers, according to the invention, and a computer program according to the invention, as briefly described above, are identical or contribute to those already mentioned in connection with the authentication method, according to the invention. the invention, and will therefore not be recalled here. Other features and advantages of the present invention will be apparent from the following detailed description, which refers to the accompanying drawings in which: - Figure 1 illustrates an example of a communication system in which the present invention can be implemented; FIGS. 2 and 3 respectively illustrate the hardware architecture of an authentication server and a server of a service platform, according to the invention; FIG. 4 represents in flowchart form the main steps of a method, according to the invention, of authenticating a user for access to a set of services provided on a private communication network, implemented in the communication system of Figure 1.

Figure 1 illustrates an example of a communication system in which the present invention can be implemented. According to the example considered, the invention is implemented in a company in order to allow a user, an employee of the company, to connect to the internal communication network of the company, by using a portable terminal able to establish communications on a mobile network, for example a mobile phone type "smart phone" (smartphone in English). The mobile network considered W_NW may be a second, third or fourth generation mobile network (2G, 3G, 4G). In this example, the company's internal communication network (P_NW) is an "intranet", that is to say a computer network used inside the company and based on the same protocols as the Internet. . The portable terminal TER1 of the user can be a personal terminal - that is to say a terminal specific to the user and equipped to connect to a public mobile network of a telephone operator - or a terminal professional, that is to say provided by the company and intended to communicate on a professional mobile network. In terms of hardware, the user's portable terminal may be in addition to a smartphone, a portable personal computer, or a digital tablet, etc. As represented in FIG. 1, in this example, the user has, in a local (office) of the company, a TER2 computer terminal such as a PC, connected to the corporate network (P_NW), and than a digital tablet TER3 adapted to be connected to the corporate network, for example by a wireless connection (Wi-Fi). The user's portable terminal TER1 is natively equipped with an NFC device playback application such as the NFC tag. As shown in FIG. 1, near the terminal TER1 is an NFC tag (TG) on which access data to the corporate network is stored. The NFC tag, TG, can be fixedly located in the user's office, for example directly affixed (glued for example) on the TER2 PC, or fixed on a piece of furniture in the premises of the company. Alternatively, the NFC tag can be brought into the premises of the company by the user himself. In this case, the NFC tag can then take the form of a key ring or be incorporated in a professional badge, for example. The mobile network W_NW conventionally comprises at least one access device W_SVR implemented by the provider of the data service (data connection) of the mobile network (WISP - Wireless Internet Service Provider). Such access equipment W_SVR cooperates classically in particular with a MSC (Mobile Service Switching Center) having access to a database HLR (Home Location Register) comprising the information relating to any user authorized to use the mobile network W_NW, as well as has a Visitor Location Register (VLR) database containing various information about the users of the network, in particular information (LAI - Location Area Code) relating to the area in which the mobile terminal of the user is located when a connection to the network. The mobile network W_NW further comprises an authentication server AUTH according to the invention, intended to authenticate a user for access to the services provided by a service platform 10 on the private network of the company P_NW. In the embodiment described here, the authentication server has the hardware architecture of a computer, as shown in FIG. 2. The authentication server comprises in particular a processor 2A, a read-only memory 2B, an RAM 2C, a non-volatile memory 2D (hard disk for example) and 2E communication means with, in particular, the entities of the mobile network W_NW, including the server W_SVR, and with the service platform 10 of the corporate network P_NW . These communication means 2E include for example a network card, known per se and not detailed here. The read-only memory 2B of the authentication server AUTH constitutes a recording medium in accordance with the invention, readable by the processor 2A and on which is recorded a computer program according to the invention, comprising instructions for execution. steps of an authentication method according to the invention, the steps of this method being described later with reference to FIG. 4.

This computer program correspondingly defines functional modules of the authentication server able to implement these steps, and in particular: a module for receiving an access request containing an identifier of a user terminal in the mobile phone network; an authentication module of a user from the identifier of the terminal contained in the access request; a module for determining a set of services to which the user is authorized, when the authentication of the user is successful; a module for transmitting an access authorization request from the authenticated user to the set of services for a communication server on a private communication network, such as the service platform 10 Finally, in the embodiment described, the authentication server comprises a module for accessing a database of user profiles, in which each user profile comprises at least one identifier of a terminal associated with a user, and wherein, for each terminal identified in the profile, is associated with at least one service to which the user is authorized.

It should be noted here that in the embodiment described here, the authentication server AUTH supports the HTML (HyperText Markup Language) and the HTTP / HTTPs (HyperText Transfer Protocol / Secure) protocols so, on the one hand, to to be able to receive and process an access request transmitted by the terminal TER1 of the user, and secondly to transmit an access authorization request from the authenticated user to a set of services, destined for a user. server of the service platform 10 of the private network P_NW. The server of the service platform 10, in the embodiment described, is constituted according to the hardware architecture of a computer, illustrated schematically in FIG.

The server 10 comprises in particular a processor 3A, a read-only memory 3B, a random access memory 30, a nonvolatile memory 3D (hard disk for example) and 3E communication means with, in particular, the authentication server AUTH of the mobile network W_NW, and with user terminals directly connected to the private network P_NW, such as terminals TER2 and TER3, or, via an interconnection gateway (not shown in FIG. 1), with terminals of users connected to the mobile network W_NW, such as the terminal TER1. These communication means 3E include for example a network card, known per se and not detailed here. The read-only memory 3B of the server of the service platform constitutes a recording medium in accordance with the invention, readable by the processor 3A and on which is recorded a computer program according to the invention, comprising instructions for the execution of the steps of an authentication method according to the invention, which concern the service platform 10. These steps will be described later with reference to FIG.

This computer program correspondingly defines functional modules of the server 10 able to implement the aforementioned steps, and in particular: a module for receiving an access authorization request from an authenticated user to a set of services provided by the service platform, the access authorization request including at least one user terminal identifier and at least one authorized service identifier for each identified terminal; a module for creating a notification of access of the user to at least one service, for each terminal identified in the access authorization request, this access notification being adapted to the identified terminal type; a module for sending an access notification to each terminal identified in the access authorization request.

The server 10 of the service platform supports in particular the HTML (HyperText Markup Language) and the HTTP / HTTPs (HyperText Transfer Protocol / Secure) protocols in order to be able, in particular, to receive and process an access authorization request sent by the authentication server AUTH and transmit to user terminals access notifications to specific services.

In relation with FIG. 4, the main steps of a method, according to the invention, of authentication of a user for access to a set of services provided on a private communication network, set out below, will now be described. implemented in the communication system of FIG. 1. As represented in FIG. 4, the authentication method according to the invention starts with the automatic reading (S400) by the mobile terminal TER1 of the information stored on the NFC tag. (TAG). This cooperation (S400) between the first terminal TER1 and the tag TAG results in the transmission (S401) of the NFC tag to the first terminal TER1, an access web address pointing to a resource located in the server. authentication (AUTH) on the mobile network (W_NW). This web address - denoted URL (auth) in FIG. 4 - is used by the terminal TER1 during the step S402 to automatically create in the terminal TER1 an access request to the authentication server AUTH. Indeed, currently the NFC technology natively equipped most smartphone type terminals allows the automatic launch of an HTTP request pointing to a web address (URL) obtained by reading from an NFC device, such as an NFC tag , located in the NFC reading area of the terminal in question. The request according to the aforementioned HTTP protocol thus constitutes an access request (RQ_ACC) sent, in step S403, to the authentication server 5 AUTH. As indicated above in the description, following the cooperation between the terminal TER 1 and the tag NFC TAG, the access request can in addition to the web address URL (auth) be enriched by a digital signature stored in the terminal TER1, for example in a memory of the terminal or in the SIM card of the terminal. The access request can also be enriched with a security certificate stored in the NFC tag and / or with a security certificate stored in the terminal TER1 and / or a personal identification identifier (PIN) entered by the user. terminal TER1. It is thus possible, according to the security objectives, to gradually improve authentication security, by implementing digital signatures and / or security certificates attached to the access request. For example with the presence of a security certificate in the NFC tag and in the terminal TER1 (double certification), it prevents the risk of authentication of a malicious person who stole the user both his mobile terminal (TER1) and its NFC tag, in the embodiment where it is provided to the user (badge, key ring ...). Returning to FIG. 4, the access request (RQ_ACC) transmitted (S403) to the authentication server AUTH is first received, in a conventional manner, by the access equipment W_SVR (FIG. ) of the mobile network, which typically cooperates with in particular a Mobile Service Switching Center (MSC) 25 and / or a Serving GPRS Support Node (SGSN) equipment, and automatically adds (step S404) to the access request the identifier of the terminal TER1, in practice a number associated with this terminal (called "telephone number" to simplify), and information relating to the user whose subscriber identifier corresponds to the telephone number, as well as location information of the terminal TER1. This information can be obtained as mentioned above, from the HLR and VLR databases associated with the MSC equipment and / or the SGSN equipment. Then, the access request, thus "enriched" (RQ_ACC_ID) with the aforementioned information obtained by the equipment W_SVR, is transmitted to the authentication server AUTH (step S405).

After receiving the access request RQ_ACC_ID, the authentication server AUTH performs the authentication operation itself, in step S406. This authentication operation uses in particular the identifier of the first terminal contained in the access request. More precisely, the server AUTH consults a database of user profiles and selects the one corresponding to the identifier of the terminal TER1 (eg the telephone number). Each user profile of the profile database includes information identifying at least one terminal associated with the user. Thus, in the example described, the user has three terminals, a mobile terminal TER1 at the origin of the access request, a laptop TER2 and a touch pad TER3. The terminal TER1 is identified by its telephone number, while the terminals TER2 and TER3 can, for example, be identified by an IP (Internet Protocol) address, since they can be directly connected to the corporate network P_NW.

In the user's profile, it can be provided that each identified terminal of the user is associated with at least one identifier of a service to which the user is authorized. For example, if a terminal identified in the user's profile is a fixed telephone, the authorized service may be, for example, only the VoIP audio communication and the conference call. If the terminal is a laptop (TER2), authorized services are for example access to the intranet portal of the company, instant messaging, video conferencing, etc. Moreover, the authentication criteria implemented by the authentication server AUTH may also include other information contained in the access request and obtained at step S404 of processing the request in the server W_SVR (equipment MSC or SGSN and databases HLR, VLR), for example temporal information (date of sending the request) and geographical location information terminal TER1. For example, if the terminal TER1 is located outside the premises of the company when the access request is sent, or if the access request is sent during the closure of the premises of the company ( at night or on weekends, for example), access to services is not validated for terminals (TER2-3) located on the premises of the company. If the user's access request is validated during step S406, at least one service is authorized for at least one terminal of the user. In other words, a set of services provided by the service platform PF_SV is validated for the user, the number of services of this set being variable, depending on the user and the information contained in the access request. . On the other hand, if the access request is not validated, a message (not shown in FIG. 4) indicating that the authentication of the user has not succeeded, is sent to the terminal TER1 by the server of authentication. The authentication server then transmits, in step S407, to the server of the PF_SV service platform, an access authorization request (RQ_AUT_ACC) of the user. The access authorization request uses the HTTP protocol in the example described, and includes at least one terminal identifier of the user and at least one identifier of an authorized service for each identified terminal (TER1-3). However, according to other embodiments, provision can be made to use a proprietary protocol between the authentication server AUTH and the service platform PF_SV. The access authorization request (RQ_AUT_ACC) is received by the service platform (PF_SV) and the service or services authorized for the user are then activated in step S408. The following step S409 consists in generating an access notification intended to be transmitted to each of the terminals of the user for which at least one service has been activated, in order to inform the user that the access services has been validated for each terminal receiving such notification. In the embodiment described here, this access notification is adapted according to each terminal (TER1-3) of the user. For example, for the mobile terminal TER1, this access notification (NOTIF_TER1) may take the form of an SMS transmitted in step S411. For the TER2 laptop and the TER3 tablet, this access notification (NOTIF_TER2-3) may consist of sending a web page intended to be read by a web browser equipping each of these two terminals.

Claims (13)

REVENDICATIONS1. A method for authenticating a user for access to a set of services provided over a private communication network (P_NW), the user having a first communication terminal (TER1) able to connect to a network of mobile telephone system (W_NW), said first terminal being provided with NFC-type wireless reading means, the method being characterized in that it comprises: a) - following a cooperation (S400) between the first terminal (TER1) and an NFC wireless communication device (TAG), transmission (S401) of the wireless communication device to the first terminal (TER1), an authentication server access web address (AUTH) on the mobile telephone network (W_NW); b) - automatic creation (S402) in the first terminal (TER1), from the access web address, an access request to the authentication server (AUTH), and transmission (S403, S404, S405)) of the access request to the authentication server; c) - receiving by the authentication server (AUTH) of the access request, and authentication (S406) of the user from at least one identifier of the first terminal contained in the access request, and, if the authentication of the user is successful: d) - validation (S407, S408, S409) of the access of the user to the set of services; e) - sending (S410, S411) to the first terminal and / or at least one second terminal, an access notification to the set of services. 2. The method of claim 1, wherein the step (c) authentication (S406) of the user comprises the consultation in a database of a user profile selected from the identifier of the first terminal. said user profile comprising information identifying at least one terminal associated with the user, and for each terminal associated with the user at least one identifier of a service to which the user is authorized. 3. Method according to one of claims 1 and 2, wherein the step (d of validation of the access of the user to the set of services, comprises sending (S407) to a server of a service platform (PF_SV) on the private communication network, a user access authorization request, said access authorization request including at least one terminal identifier of the user and at least one identifier of an authorized service for each identified terminal (TER1-3). 4. Method according to any one of claims 1 to 3, wherein the e) sending step (S410, S411) to the first terminal and / or at least a second terminal of the user, a notification access to at least one service, is preceded by a step of adaptation (S409) of said access notification according to each terminal (TER1-3) of the user receiving the access notification. 5. Method according to any one of claims 1 to 4, wherein, following the creation (S402) of the access request in the first terminal, prior to its transmission to the authentication server, said access request is transmitted (S403) to a device (W_SVR) on the mobile telephone network, in which the identifier of the first terminal is added (S404) to said access request. The method of any one of claims 1 to 5, wherein the wireless communication device is an NFC tag, said tag being located near a second terminal, or affixed to a second terminal, or embedded in a second terminal, in an environment related to the private communication network. 7. Method according to any one of claims 1 to 5, wherein the wireless communication device is a portable object incorporating an NFC chip, provided beforehand to the user. The method according to any one of claims 1 to 7, wherein in step b), said access request includes in addition to said authentication server access web address, a data element among the set of data elements following: - a digital signature stored in the first terminal of the user; in addition to the previous element, a security certificate stored in the wireless communication device; - In addition to the previous item, a security certificate stored in the first terminal - In addition to the previous item, a personal identification identifier entered by the user with the first terminal. 9. Method according to any one of the preceding claims, wherein, in step c), the access request received by the authentication server contains time information relating to the sending of the access request by the first terminal, and / or geographical location information of the first terminal, this information being used during the authentication of the user of the first terminal. Authentication server on a mobile telephone network, for the implementation of an authentication method according to any one of claims 1 to 9, said server comprising: a module for receiving a request for a access containing an identifier of a user terminal in the mobile telephone network; a module for authenticating a user from the identifier of the terminal contained in the access request; a module for determining a set of services to which the user is authorized, when the authentication of the user is successful; a module for transmitting an access authorization request from the authenticated user to the set of services, intended for a server of a service platform on a private communication network. The server of claim 10, comprising a user profile database access module, wherein each user profile comprises at least one identifier of a terminal associated with a user, and wherein, for each terminal identified in the profile, is associated at least one service to which the user is authorized. 12. Server of a service platform on a communication network, for the implementation of an authentication method according to any one of claims 1 to 9, said communication server comprising: a reception module; an access authorization request from an authenticated user to a set of services provided via the communication network, the access authorization request including at least one user terminal identifier and at least one user identifier; authorized service for each identified terminal; a module for creating a notification of access of the user to at least one service, for each terminal identified in the access authorization request, said access notification being adapted the type of terminal identified; a module for sending an access notification to each terminal identified in the access authorization request. 13. Computer program stored on an information carrier for the implementation of all or part of the steps of a method according to any one of claims 1 to 9, when the program is executed by a processor. 15