JP2002342281A - Interactive personal identification system and method therefor, execution program for the method and recording medium for the program - Google Patents

Abstract

PROBLEM TO BE SOLVED: To provide a personal identification system and its method in an internet service or the like, making it difficult for an unauthorized user to pose as an authenticated user, and simplifying the system constitution and increasing the convenience of a user. SOLUTION: At executing the personal identification of a user 1 by an internet service or the like, an authenticating server 6 automatically prepares questions (choices) for authentication, based on the information of an electronic mail or the like known only by the user 1, and displays them at a user terminal 2. When the user 1 answers the questions by text work selection of those choices, the authenticating server 6 collates a text keyword stored in a data base as a determining standard, and judges whether or not the user is the person concerned so as to eliminate the need for the user to store an authentication keyword. When the determination of whether or not the user is the person in question is not successful, the authenticating server 6 repeats interactive questions, answers, and determinations until it is successful. The text keyword is stored according to the frequency of generation by collecting and classifying the information of the electronic mail or the like, and then updated in each fixed period, without making the user 1 concious of the keyword.

Description

DETAILED DESCRIPTION OF THE INVENTION

[0001]

TECHNICAL FIELD The present invention relates to a financial system, a settlement system,
The present invention relates to personal authentication technology used in communication systems, access systems, and the like.

[0002]

2. Description of the Related Art Table 1 summarizes fields of use and scenes in which personal authentication is performed.

[0003]

[Table 1]

[0004] In the financial system, cashing and small payments, in the settlement system, digital signatures performed on company LANs and public documents,
In the telecommunications system, electronic approval by e-mail or mobile phone, in the access system, access rights such as internal HR database,
Identity verification is performed by a content distribution service or the like via the Internet. As can be seen from these examples, for non-face-to-face services or high-security services related to privacy or money, the person who receives the service after entering the ID number such as the member number, employee number, student number, etc. of the person is the person himself The process of checking whether or not it is always performed.

[0005] Table 2 shows the results of evaluation of a generally performed personal identification method from the viewpoints of difficulty of impersonation, simplicity of equipment configuration, and user convenience.

[0006]

[Table 2]

[0007] In a typical personal authentication currently performed,
It is used for 4-digit number personal PIN verification frequently used in bank cards, e-mail access restriction, personal PIN verification of about 8 to 10-digit alphanumeric characters frequently used in in-house electronic approval, access restriction for mobile communication, etc. Fingerprints and irises used in one-time password verification and access control to secure rooms and databases
A typical example is biometrics collation using physical characteristics such as bills.

[0008] Personal PIN verification using about four digits is simple and less troublesome for the user, but the phone number, address, date of birth, etc. are often used for the four digits, and the entire wallet may be lost. If necessary, personal ID from ID card etc.
Is stolen, and there is a problem that spoofing is easy.

[0009] Next, personal PIN verification based on 8 to 10 alphanumeric characters, which are frequently used in electronic mail access restrictions and in-house electronic approvals, are alphanumeric, so there are many combinations, and the system requires periodic updates. Therefore, spoofing is difficult. However, the user cannot remember the multiple personal PINs corresponding to the service, or
There is a problem such as forgetting.

A one-time password used for network connection on a mobile PC is a personal PIN.
In addition, since a password is generated from the terminal device of the remote access system, spoofing is difficult. However, the convenience of the user is not always good, such as always holding the password generator and inputting the displayed password. At the same time, since the device configuration is complicated, use at the time of network connection with a mobile PC is currently limited.

Finally, identity authentication using biometrics is extremely difficult to impersonate, and it is expected that its use will increase in the future. However, the user is forced to perform complicated operations such as pressing a finger or putting his / her eyes on the device, and in some cases, there is a privacy problem such as storing physical characteristics in a file of a third party. Furthermore, the burden on a system such as connecting a special device such as a fingerprint sensor to the terminal is large.

As described above, in the current personal authentication, the user or the service provider uses a method using a personal PIN of numbers, a personal PIN mixed with alphanumeric characters, and biometrics according to the security level of the service. We use one-time passwords.

[0013]

The in-house LAN service, various Internet services, and personal authentication for restricting access to the database, which are expected to grow rapidly in the future, are not only difficult to impersonate. There is a need for a new method that places more importance on the simplicity of the system configuration and the convenience of the user. In particular, since network connection of the system has become commonplace, and since communication costs can be expected to be lower than ever, it is possible to maintain the same difficulty of spoofing as the conventional alphanumeric PIN and the simplicity of the system configuration, There has been a strong demand for a highly convenient personal authentication method that is easy for a user to remember and can be performed without being conscious of PIN updating.

According to the present invention, impersonation is difficult in personal authentication for use of in-house services, personal authentication for Internet services, personal authentication for restricting database access, and the like, which are expected to rapidly grow in the future. In addition, an object of the present invention is to provide a personal authentication system which has a simple system configuration, is easy for a user to remember keywords, and can be updated without being conscious of the user, and which is excellent in user convenience and a method thereof.

[0015]

SUMMARY OF THE INVENTION In order to solve the above-mentioned problems, an interactive personal authentication system according to the present invention uses identification information stored by a user or identification information stored in a portable memory medium held by the user. And a user terminal serving as a contact point between the system and the user, having input function means for inputting the identification information, or reading function means for reading the identification information from the portable medium, and A user terminal having function means for displaying options in the form of dialogue, and an authentication server connected to the user terminal for performing personal authentication, wherein the user inputs / outputs text from / to the user terminal. Means for storing in a database the collation text keywords created based on the collation, interactive user authentication based on the collation text keywords Function means for creating an option consisting of a necessary text string, function means for allowing a user to select text in the option in an interactive manner and receive as an answer, and collating the answer with the matching text / keyword in the database and authenticating And an authentication server provided with a function unit for performing personal authentication processing for determining whether or not the authentication server is an authentication server.

Alternatively, in the above-mentioned interactive personal authentication system, the function means for creating an option in the authentication server mixes a text keyword for collation stored in the database with a similar text arbitrarily generated. Create choices as text columns,
The function means for receiving the answer is to display the option on the user's terminal so as to guide the user to select a new text keyword in the memory. A dialogue form in which the function means for creating the option and the function means for receiving the answer are used to judge whether or not the user is an identity until the keyword is matched and the identity can be determined. The personal authentication process is repeated.

Alternatively, in the above-mentioned interactive personal authentication system, the function means of the authentication server for storing the collation text / keyword in the database includes transmitting / receiving e-mail performed by the user, input / output text searched on the Internet, and Text data is collected and classified from one or more pieces of document information created on the user terminal, and stored as a text keyword in a database corresponding to each user in the order of appearance frequency according to the classification, or for a certain period of time. The data may be updated later or used as fluid collation data, and universal personal information may be obtained from the user in advance and stored in a database corresponding to each user, and the personal information text / keyword may be universally used. The functional means for determining and comparing the dynamic collation data with the universal collation data Either the verification data, or characterized by both used in authentication processing as a text keyword for collating.

Further, the interactive personal authentication method according to the present invention is a personal authentication method in which an authentication server connected to a user terminal and a network performs personal authentication, wherein the identification information input by the user at the user terminal is provided. Or a first procedure for transmitting identification information read from a portable medium held by a user to an authentication server, and the authentication server uses the authentication server for interactive personal authentication based on a text keyword for verification. A second procedure for creating an option consisting of a text string and transmitting the option to the user terminal, and a third procedure for displaying an option for interactive personal authentication from the authentication server at the user terminal A fourth step of transmitting, at the user terminal, a text selected by the user from the displayed text string of options to the authentication server as an answer; And having a fifth procedure against the answer received al and collating text keyword database performing identity authentication process to determine whether a person.

Alternatively, in the above-mentioned interactive type personal authentication method, in the second procedure, a choice is created as a text string in which a collating text keyword stored in a database and an arbitrary generated similar text are mixed. Third
In the procedure, the option is displayed on the user's terminal, and the user is prompted to select and answer a new text keyword in the memory. In the fifth procedure, the answer is the same as the collation text keyword. It is characterized in that interactive identity authentication processing from the second procedure to the fifth procedure is repeated until it is determined whether or not they match, and whether or not the user is the identity can be determined.

Alternatively, in the above-mentioned interactive personal authentication method, prior to the first procedure, transmission / reception of an e-mail performed by the user, input / output text searched on the Internet, and document information created on the user terminal are performed. Collect and classify text data from one or more and store it as a text keyword in a database corresponding to each user in the order of appearance frequency according to the classification, or update it after a certain period of time, and perform fluid collation With the procedure for acquiring universal personal information from the user in advance and storing it in a database corresponding to each user, the personal information text / keyword as universal collation data, In the fifth procedure, one or both of the fluid collation data and the universal collation data is collated with a collation text. And performing the identity authentication process is used as a keyword.

Alternatively, the method according to the present invention is characterized in that a program for causing a computer to execute the procedure in the interactive personal authentication method is provided.

Alternatively, the program for executing the above-mentioned interactive personal authentication method is recorded on a computer-readable recording medium.

According to the present invention, when the user is authenticated, the authentication server automatically creates a question for authentication based on information such as e-mail that only the user knows, A question is asked interactively with the user based on options that include multiple text keywords, and if there is an answer from the user terminal based on the user's selection, the user is identified by using the text keyword stored in the database as a criterion. By judging whether or not this is the case, it is possible to realize difficult spoofing with a simple system configuration and eliminate the need for the user to memorize authentication keywords and the like. In addition, the text / keyword used as the basis for generating the question can be appropriately updated without being conscious of the user by collecting information such as e-mail and the frequency of occurrence and updating the information at regular intervals. As described above, the convenience of the user is realized, and the accuracy of authentication and the security are improved.

In the conventional method, the identity of the user is confirmed by collating a fixed PIN or a temporary PIN generated by a device or collating physical characteristic data of the user. In the present invention, the data to be collated is universal personal information and fluid text information memorized by the user, and the fluid collation data is updated without the user's awareness over time. There is. Also, unlike the conventional method in which personal PIN and physical characteristic data are statically collated with reference data, collation of the memory information of the individual with the judgment reference data is repeated a plurality of times in an interactive manner, and the selected answer is repeated. It is significantly different from the conventional technique to determine whether or not the system is the person by collating with the text keyword which is the criterion data.

[0025]

Embodiments of the present invention will be described below in detail with reference to the drawings.

FIG. 1 shows an example of a system configuration according to the present invention. 1 is a user, 2 is a user terminal, 3 is a reader / writer (R / W), 4 is an IC card, 5 is a communication server, 6 is an authentication server, and 7 is a network connection with an external organization.
Each of these system units has the functional means of the present invention.

The device configuration according to the present invention is an ordinary in-house LAN.
It is almost the same as the equipment and the like, and the system configuration is extremely simple and simple because only the authentication server 6 for performing the authentication process is added to the communication server 5. In the present embodiment, a case will be described in which text information of an e-mail is used as a text keyword, assuming personal authentication when the user uses an e-mail service of an in-house LAN.

First, the function of each part (device) of the system will be described.

The user 1 stores an ID identification symbol such as an employee number or has a portable memory medium such as an IC card 4 storing the information. The user terminal 2 handled by the user 1 is connected to a keyboard for inputting stored identification symbols or a reader / writer 3 capable of reading an IC card 4 held therein. The user terminal 2 is provided with a display for displaying interactive options from the authentication server 6.

An authentication server 6 for performing personal authentication is connected to the communication server 5 via a network.
And a network connection 7 with the outside. The authentication server 6 collects and classifies text data from an e-mail sent and received by the user, input / output text searched on the Internet, and document information created on the user terminal, and the text data for each classification is collected. A function to store in the database as a text keyword for each occurrence frequency, a function to generate random similar text necessary for user selection and create choices as a text string mixed with the text keyword, and an interactive user Has the function of selecting a text word from the choices (text strings) presented to the user, and the function of checking the selected text word (answer) with the text / keyword stored in the database to determine whether or not the user is himself / herself. ing.

Next, a general flow of personal authentication will be described.

FIG. 2 is a flow chart of the present invention in an interactive manner between the user 1 and the authentication server 6. (1) When the user 1 transmits / receives text data or inputs text data, the authentication server 6 collects and classifies the text data via the communication server 5,
For example, the information is stored in the database as text keywords in the order of occurrence frequency for each information classification. The stored data is similarly automatically updated at regular intervals without the user 1 being aware of it. (2) When the user 1 starts personal authentication to receive a specific service, the authentication server 6 creates an option including a text keyword, displays the created option on the user terminal 2, and displays the option. 1 is a new text in memory
Invite you to select a keyword. When the user 1 selects and answers a specific text word, the authentication server 6 receiving the answer performs a correct / incorrect judgment by collating with the text keyword stored in the database, and Alternatively, it is determined that the user is not the person. (3) If the authentication server 6 cannot determine that the user is the principal or is not the principal (unknown), the authentication server 6 repeats the routine of (2) question / answer / determination based on keyword selection. If the authentication server 6 is able to determine whether or not the user is the principal, the process exits from the question / answer / determination routine. If the user is determined to be the principal, the service is continued. Perform service interruption.

Next, a specific method for storing a text keyword from a normal electronic mail in a database will be described.

FIG. 3 shows text data of a sender and a title obtained by ordinary electronic mail. FIG. 4 is an example of text keywords stored in a database (DB). Information is collected from the communication server 5, and a collation database as shown in FIG. 4 is constructed in the database in the authentication server 6 based on the information in FIG. In this example, the text
The keywords are updated every day. For example, information such as a sender and a title is classified, and the number of appearances of each word is recorded. For example, since a database of text keywords specific to a user is updated daily, text keywords stored in response to a change in memory of the user are treated as fluid collation data. Therefore, the user 1 does not consciously memorize the keyword corresponding to the personal PIN, and is not forced to regularly update the keyword. It is not necessary to store all text data in the text keyword stored in the database. For example, a method of storing only 30 words in the order of frequency is sufficient as collation data, and how many numbers are stored. Whether it is possible can be determined by the authentication server 6. However, the number of text keywords for collation and the number of routines in the interactive mode differ depending on individual differences of text keywords and the number of authentication targets.

In an environment such as an in-house LAN, for example, a large number of e-mails from department / section managers may be distributed all at once, and the user can store only the frequently appearing fluid text keywords by e-mail. It is difficult to make individual differences for the keywords. In order to improve this, the personal information text of the user 1 (universal personal information such as date of birth) is registered in advance as universal collation data as a complement to the fluid collation data. Improvements are possible.

FIG. 5 shows an example of collation data in which the personal information of the user 1 is stored in the authentication server 6. By allowing the user to select the user in an interactive manner while mixing the fluid text keyword (collation data) and the universal collation data of the individual, the authentication server 6 can quickly determine the identity authentication. . In this example, there is a phenomenon that individual differences do not easily appear in the text keywords of the database because it is an in-house LAN. However, in the case of various personal-based Internet services, the same text keywords are used for collation. Since it is rarely stored as data, it is not necessary or necessary to store such personal information in advance.

Next, a specific example of user selection in interactive personal authentication sent from the authentication server 6 to the user 1 will be described.

FIGS. 6A to 6E show examples of the user's keyword selection in the interactive format (indicated by a circle). The authentication server 6 determines options 1 (FIG. 6 (a)) to options 5 (FIG. 6) while determining the answer by the user selection (text word selection).
(E) Repeat the question / answer / judgment routine. At this time, the user 1 only needs to be aware of the option screen shown in FIG. 6 and the selection of the text word. Specifically, (1) the authentication server 6 displays the option 1 on the user terminal 2. (2) The user 1 selects a new text / keyword for storage with a keyboard or the like and answers. (3) The authentication server 6 checks with the text / keyword stored in the individual database of the user 1, and if it is not possible to determine whether or not the user is the user himself / herself, the authentication server 6 selects the user terminal 2 again. 2 is displayed. (4) The user selects a new text / keyword in the memory with a keyboard or the like and answers.

As described above, this question / answer is repeated until it can be determined whether or not the user is the person. The example of FIG. 6 is an example of an option in which fluid matching data and universal personal data are alternately selected, and the determination efficiency of the authentication server 6 is prioritized. As described above, the user 1 performs the personal authentication by repeating the simple selection according to the authentication server 6 without being conscious of the keyword.

In this example, the sender and title of the e-mail (universal personal information as necessary) have been described as collation text keywords. However, word processors such as WORD and Ichitaro, and network services use the user 1 It is also possible to accumulate the input text, the text of the content of the e-mail, etc., store them in the database of the authentication server 6, and use them as text keywords. At this time, the text is collected not from the communication server 5 but from the user terminal 2. In this case, the user terminal 2
First, software such as storing the input text in a primary buffer and sending it to the authentication server 6 at one time is required. However, the subsequent database storage method and processing procedure are basically the same, and as in the present embodiment, It goes without saying that personal authentication can be performed.

As described above, the present invention determines whether or not the authentication server is the principal by exchanging a plurality of text keywords stored in the database between the user and the system in an interactive manner. This makes it possible to realize personal authentication while emphasizing more on the simplicity of the system configuration and the convenience of the user, as well as the difficulty of spoofing.

A part or all of the functions of each part of the system shown in FIG. 1 is constituted by a computer program, and the program can be executed by using the computer of each device to realize the present invention; or ,
It is needless to say that the procedure of the processing shown in FIG. 2 can be constituted by a computer program, and that the program can be executed by the computer of each part of the system. And a computer-readable recording medium such as FD (Floppy Disk (registered trademark)), MO, ROM, memory card, CD, and DV.
D, it can be recorded on a removable disk or the like, and stored or distributed. Further, it is also possible to provide the above program through a network such as the Internet or e-mail. The program is naturally created for each device for the user terminal and for the authentication server. However, both programs may be recorded together and loaded or activated for each device.

[0043]

As described above, personal authentication for use of in-house services, which is expected to grow rapidly in the future, personal authentication for Internet services, and personal authentication for restricting access to a database, etc. By using the invention, it is difficult to impersonate like an alphanumeric PIN, the system configuration is simple, the user does not need to remember the personal PIN strongly and does not need to periodically update the PIN. It is possible to provide a highly convenient personal authentication system.

[Brief description of the drawings]

FIG. 1 is a diagram showing an example of a system configuration according to an embodiment of the present invention.

FIG. 2 is a diagram showing a flow of an interactive process between a user and an authentication server in the embodiment.

FIG. 3 is a diagram showing an example of text data of a sender and a title obtained by a normal electronic mail in the embodiment.

FIG. 4 is a diagram illustrating an example of a fluid text keyword stored in an authentication server according to the embodiment.

FIG. 5 is a diagram showing an example in which universal personal information of a user in the embodiment is stored in an authentication server.

FIG. 6 (a), (b), (c), (d), (e)
It is a figure in the example of the above-mentioned embodiment which shows an example of a user's keyword selection in an interactive style.

[Explanation of symbols]

 DESCRIPTION OF SYMBOLS 1 ... User 2 ... User terminal 3 ... Reader / writer (R / W) 4 ... IC card 5 ... Communication server 6 ... Authentication server 7 ... Network connection with external organization

──────────────────────────────────────────────────続 き Continued on the front page (51) Int.Cl. ⁷ Identification symbol FI Theme coat ゛ (Reference) H04L 9/00 673E (72) Inventor Yasuhiro Nagai 2-3-1 Otemachi, Chiyoda-ku, Tokyo Nippon Telegraph and Telephone Telephone Co., Ltd. F term (reference) 5B058 KA01 KA06 KA12 KA33 5B085 AE01 AE12 BG03 BG07 CA04 CA06 CE03 5J104 AA07 KA01 KA06 NA35 NA38 NA41

Claims (8)

[Claims] An identification information stored by a user, or identification information stored in a portable memory medium owned by a user, and a user terminal serving as a contact point between the system and the user, wherein the identification information is input. A user terminal having input function means for reading, or reading function means for reading the identification information from the portable medium, and having function means for displaying interactive options from an authentication server; and A function means for storing, in a database, a text keyword for collation created based on text input and output by the user from the user terminal, the authentication server being a network-authenticated personal authentication server; Functional means for creating an option consisting of a text string required for interactive identity authentication based on text keywords, and interactively providing the user with the option And an authentication server having a function for performing a personal authentication process of comparing the answer with the matching text keyword in the database to determine whether or not the user is an identity. An interactive personal authentication system characterized by: 2. The authentication server according to claim 1, wherein the function of creating the option is to create the option as a text string in which a matching text keyword stored in a database and a similar text generated arbitrarily are mixed. Yes, the function means to receive as an answer is to display the option on the user's terminal and guide the user to select a new text keyword in the memory. Until it can be determined whether or not it matches the text / keyword for use, and until it can be determined whether or not the user is the user, it is determined whether or not the user is the user by using the function means for creating the option and the function means for receiving the answer. The interactive personal authentication system according to claim 1, wherein the interactive personal authentication processing is repeated. 3. The authentication server, wherein the function means for storing the collation text / keyword in the database includes sending / receiving e-mails performed by a user, input / output text searched on the Internet, and document information created on a user terminal. Text data is collected and classified from one or more of the above and stored as a text keyword in a database corresponding to each user in the order of appearance frequency according to the classification, or updated after a certain period of time. The function means to acquire universal personal information from users in advance and store them as text keywords in the database corresponding to each user as universal collation data, Either one or both of the fluid collation data and the universal collation data is used for the collation data. 3. The interactive personal authentication system according to claim 1, wherein the interactive personal authentication system is used as a keyword in a personal authentication process. 4. An identity authentication method in which an authentication server connected to a user terminal and a network performs identity authentication, wherein identification information entered by the user at the user terminal or a portable medium held by the user is provided. A first procedure for transmitting the identification information read from the authentication server to the authentication server, and the authentication server creates an option consisting of a text string necessary for interactive personal authentication based on the collation text / keyword; A second procedure for transmitting to the user terminal; a third procedure for displaying, at the user terminal, an option for personal authentication in an interactive manner from the authentication server; A fourth procedure of transmitting a text selected by the user from the displayed text string of the option to the authentication server as a response, and the authentication server transmitting the response received from the user terminal to the authentication server in the database. Against the case for text keyword fifth to perform the authentication process to determine whether or not a person
And an interactive personal authentication method. 5. In a second step, an option is created as a text string in which a collating text keyword stored in a database and a arbitrarily generated similar text are mixed, and in a third step, the option is generated. Is displayed on the user's terminal, and the user is prompted to select a new text keyword in the memory and answer it. In the fifth procedure, it is determined whether the answer matches the text keyword for collation. 5. The interactive personal authentication method according to claim 4, wherein the interactive personal authentication processing from the second procedure to the fifth procedure is repeated until it can be determined whether or not the user is the principal. 6. Prior to the first procedure, text data is collected and / or classified from at least one of a user's transmission / reception of an e-mail, input / output text searched on the Internet, and document information created on a user terminal. The data is stored as a text keyword in a database corresponding to each user in the order in which the frequency of appearance is high for each classification, or is updated after a certain period of time, and is used as fluid collation data. The personal information is obtained from the user in advance, stored in a database corresponding to each user, and the personal information text / keyword is subjected to universal collation data. Performs the personal authentication process using one or both of the simple collation data and the universal collation data as collation text keywords. Interactive authentication method according to claim 4 or 5, wherein the door. 7. An execution program for an interactive personal authentication method, characterized in that the procedure in the interactive personal authentication method according to any one of claims 4 to 6 is a program for causing a computer to execute the procedure. 8. A recording medium recording an interactive personal authentication method execution program according to claim 7, wherein the interactive personal authentication method execution program is recorded on a computer-readable recording medium.