JP2006072562A - Program for authentication - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To provide a program for authentication for improving security in user authentication. <P>SOLUTION: When a log-in request is made from any Web client device 10, a Web server device 20 acquires the ID and PW of a user from the Web client device 10, and when any ID and PW matched with the acquired ID and PW is recorded in a member information management table 25, the Web server device 20 acquires answers to question sentences with two or more information corresponding to those ID and PW as correct answers from the Web client device 10, and when each answer is completely matched with each correct answer, the Web server device 20 grants access authority to the Web client device 10. <P>COPYRIGHT: (C)2006,JPO&NCIPI

Description

  The present invention relates to an authentication program for determining whether or not to grant access authority to a client device.

  As is well known, password authentication user authentication is generally performed as identity verification when a service provider such as an ISP or a website operator grants access authority to a user. In the user authentication of the personal identification information input method, the user is required to have identification information uniquely assigned to identify the user and personal identification information to prove that the user is the principal. Then, the service provider determines whether or not a combination that completely matches the combination of identification information and personal identification information acquired from the user exists in the list recorded at the time of user registration. In that case, the access authority is given to the user.

  Recently, in order to be able to perform user authentication even when the user forgets the password information, as a complementary system to the user information of the password information input method, the user authentication of the question and answer method has been able to be performed. Yes. In the question-and-answer system user authentication, the service provider asks the user to select one of several prepared questions and register an answer to the selected question when registering the user. Obtain it from the user. And when performing user authentication of the question-and-answer system, after obtaining the identification information from the user, the service provider throws a question corresponding to the identification information to the user to obtain an answer to the question, It is determined whether or not the acquired answer and the answer corresponding to the identification information match, and if they match, the access authority is given to the user.

  In the above-described conventional password information input method user authentication, once the password information is known to the Service-to-Self, the Service-to-Self can freely exploit the access authority until the user changes the password information. It was. For this reason, the password authentication user authentication method has a problem that the password information must be frequently changed to prevent such malicious intent.

  Also, in the above-described conventional question-and-answer system user authentication, since the number of questions is basically one, once the answer is known to the Service-to-Self, similar to the problem of password information, the answer is repeatedly abused. There was a fear. However, since all of the questions to be selected by the user at the time of user registration are those that can be easily guessed by relatives or friend acquaintances of the user. However, there is a problem that even if the user's personal identification information is not known, access authority can be easily obtained by impersonating the user.

  The present invention has been made in view of the conventional problems as described above, and its object is to improve security in user authentication.

  An authentication program invented to solve the above problem is an authentication program for determining whether or not to grant access authority to a client device, and uniquely identifies a computer and a user. Storage means for associating and storing identification information for the user and two or more secret information about the user in the storage device, and input means for inputting the identification information when there is a request from any client device First transmission means for transmitting screen data for displaying an input screen to a requesting client device through a communication device; input of the input screen from the client device that has transmitted the screen data by the first transmission means First acquisition means for acquiring identification information input to the means through the communication device, identification information acquired by the first acquisition means Reading means for reading out the corresponding two or more secret information from the storage device, and question sentences that list some of the two or more secret information read out by the reading means are listed and the question sentences Screen data generation means for generating screen data for displaying a question screen provided with an input means for inputting an answer to the screen, the screen data generated by the screen data generation means through the communication device, the client device Second transmission means for transmitting to the second acquisition means for acquiring, through the communication device, an answer input to the input means for the question screen from the client device that has transmitted the screen data by the second transmission means, The answer for each question sentence acquired by the second acquisition means and the secret information corresponding to the question sentence all match. And a granting unit that grants the access authority to the client device when the judging unit judges that all the answers and the secret information all match. It is characterized by functioning as a means.

  In this way, in user authentication, if identification information is acquired from a user and the user is made to correctly answer a plurality of question sentences that answer some secret information corresponding to the identification information. Even if some secret information is known to the Service-to-Self, this Service-to-Self cannot be completely correct in user authentication unless all the secret information is known. Access privileges cannot be abused by impersonating a registered user. And the greater the number of question sentences, the more difficult it is to find all the correct answers, even for the user's relatives and friends. As a result, according to the present invention, it is possible to ensure a higher level of security than conventional user authentication.

  In the present invention, the question sentences listed on the question screen may be fixed at all times, but the question sentence may be changed for each login request. When the question sentence is changed each time, it is desirable to randomly select secret information for generating the question sentence from secret information stored in two or more storage devices. If the question presented to the user changes for each login request, even if the Service-to-Self learns the correct answer at the time of a certain request, he / she tries to impersonate the user at another opportunity to make a login request. When doing so, since the question sentence and the correct answer have changed, a part or all of the answer memorized by the Service-to-Self cannot be used.

  Therefore, according to the present invention, security in user authentication can be improved.

  Hereinafter, an embodiment for carrying out the present invention will be described with reference to the accompanying drawings.

  FIG. 1 is a schematic diagram of a computer network system according to an embodiment of the present invention. The computer network system includes a web client device 10 and a web server device 20. The devices 10 and 20 are connected to each other via a network N.

  The web client device 10 is a so-called personal computer to which a function as a web client is added, and includes a display device such as a liquid crystal display, an input device such as a keyboard and a mouse, and a main body connected to these devices. Yes. The main body includes a CPU [Central Processing Unit], a RAM [Random Access Memory], a communication adapter, an FDD [Flexible Disk Drive], a CDD [Compact Disk Drive], and an HDD [Hard Disk Drive]. Stores an operating system program, a web client program 11 and a mailer 12.

  The web client program 11 is a program for adding a function as a web client (so-called web browser) to a personal computer, and more specifically, a URL [Uniform Resource Locator] designated by an operator of the web client device 10. ] Is requested to the web server device 20 storing it, the requested web page data is acquired from the web server device 20, and the web page is displayed on the display device.

  The mailer 12 is a program for adding, to a personal computer, functions for sending / receiving emails to / from an email server (not shown), editing emails, and managing sent / received emails.

  The web server device 20 is a so-called general-purpose computer to which a function as a web server is added, and includes a CPU, a RAM, a communication adapter, and a storage device. In addition to the operating system program, the storage device includes web page data 21, web server program 22, e-mail transmission program 23, session management program 24, member information management table 25, question information management table 26, member registration program 27, and The authentication program 28 is stored.

  The web page data 21 is source data composed of text described in a hypertext markup language. Each web page data 21 is assigned a unique URL. The web page data 21 forms a website by being associated with each other. Further, this website includes web page data 21 having contents for members registered in advance. The web page data 21 having contents for these members is provided only during a predetermined session.

  The web server program 22 is a program for adding a function as a web server to a general-purpose computer. More specifically, the web server program 22 receives web page data 21 or image data (not shown) in response to a request from the web client device 10. Send.

  The e-mail transmission program 23 is a program for adding a function of transmitting an e-mail to an e-mail server (not shown) to a general-purpose computer.

  The session management program 24 is a program for managing information related to a session performed with the web client device 10 to which access authority for the web page data 21 for members is given. The session-related information includes, for example, log information related to request message reception and response message transmission, member information acquired at the time of login, and transaction information acquired from the web client device 10 during the session.

  The member information management table 25 is a table for managing information related to users registered as members as member information. FIG. 2 is a diagram illustrating an example of the data structure of the member information management table 25. The records stored in the member information management table 25 in FIG. 2 are “ID”, “PW”, “Mr.”, “Name”, “Zip code”, “Address”, “Telephone number”, “E-mail address”. , "Father's maiden name", "Mother's maiden name", "Pet's name", "Prefectural name (in kanji)", ..., "Number of questions", and "Change question content" fields It is out.

  In the “ID” field, identification information (ID) uniquely assigned to each member in order to identify each member among all members is recorded. In the “PW” field, personal identification information (PW) used as information for proving that the member is the person at the time of login is recorded.

  In the fields of “Mr.”, “First Name”, “Zip Code”, “Address”, “Telephone Number”, and “E-mail Address”, the last name of the member, the name of the member, the mail of the member's address The number, the address of the member, and the e-mail address assigned to the web client device 10 owned by the member are recorded.

  In the fields of “Father's maiden name”, “Mother's maiden name”, “Pet's name”, “Birth ’s prefectural name (in kanji)”,…, the member's father's maiden name, mother's maiden name, pet name , The name of the prefecture of the place of birth in Chinese characters are recorded. As will be described later, only those selected by the member are recorded in these fields, and those not selected by the member are blank.

  In the “number of questions” field, the number selected as the number of questions that the member should receive at the time of login is recorded. In the “question content change” field, a flag indicating whether or not the content of the question received by the member at the time of login is changed for each login is recorded.

  The question information management table 26 is a table for managing the contents of questions presented to members at the time of login. Although not shown, the record stored in the question information management table 26 includes fields of “question code” and “question content”. In the “question code” field, the name of each field after the “PW” field and before the “number of questions” field in the member information management table 25 is recorded as a question code. In the “question content” field, a question sentence for asking a question code recorded in the “question code” field is recorded. For example, when the question code is the name of a pet, the content of the question is “What is your pet's name?”. The question code corresponds to secret information.

  The member registration program 27 is a program for registering a desired person among the users of the web client device 10 as a member. Further, the authentication program 28 is a program for confirming whether or not the user of the web client device 10 to log in is a registered member. The contents of processing executed by the web server device 20 in accordance with the member registration program 27 and the authentication program 28 will be described later.

  Next, the contents of processing executed in the computer network system configured as described above and the operation thereof will be described.

  When the user designates the URL of the web page data 21 for membership registration of the web server device 20 during execution of the web client program 11 in the web client device 10, the web client device 10 has the domain name in the URL. A request message is transmitted to the web server device 20 shown. When the web server device 20 receives this request message during the execution of the web server program 22, the web server device 20 reads the member registration program 27 from a storage device (not shown) and executes the member registration process. FIG. 3 is a flowchart showing the contents of the member registration process.

  In the first step S101 after the start of the member registration process, the web server device 20 (CPU thereof) generates screen data of the member registration screen. FIG. 4 is a diagram illustrating an example of the member registration screen 30. As shown in FIG. 4, the member registration screen 30 includes an essential information input area 31, a question information input area 32, and a login setting input area 33.

  The essential information input area 31 shows a text box for inputting information necessary for member registration, such as the name, postal code, address, telephone number, and e-mail address of the user who wants to register as a member.

  In the question information input area 32, the question sentences stored in the question information management table 26 are listed, and a text box 32a for inputting an answer to each question sentence is listed. In the question information input area 32, a text box 32b for inputting a new question code not listed in the area 32, and a text for inputting an answer to a question sentence asking the new question code. At least one set of boxes 32c is shown.

  In the login setting input area 33, a text box for inputting a number considered appropriate as the number of questions requested at the time of login by the user who intends to register as a member, and whether the user should change the contents of the question for each login A set of radio buttons for selecting whether or not is shown.

  Further, the member registration screen 30 shows a registration button 34 that is clicked by the user who has finished inputting the text boxes and radio buttons in the areas 31 to 33.

  The web server device 20 generates screen data of the member registration screen 30 as shown in FIG. 4, and then proceeds to step S102.

  In step S102, the web server device 20 uses the function of the web server program 22 to transmit a response message including the screen data generated in step S101 in the body to the requesting web client device 10. After the transmission, the web server device 20 advances the process to step S103.

  The web client device 10 that has received this response message displays the member registration screen 30 on the display device in accordance with the web client program 11. A user who wants to register as a member first inputs various information into each text box in the essential information input area 31 on the member registration screen 30. Subsequently, the user inputs an answer to the question sentence selected from each question sentence in the question information input area 32 to the text box 32a, and if the user wants to use a desired question sentence, the question sentence and The answer to is input into each text box 32b, 32c. Then, the user inputs a number in the text box in the login setting input area 33 and selects a radio button. After completing these inputs, the user clicks the registration button 34. Then, according to the web client program 11, the web client device 10 transmits a request message including information input to each text box and information about the selected radio button to the web server device 20.

  In step S103, the web server device 20 stands by until a request message including information input on the member registration screen 30 is received from the web client device 10 (S103; NO). And if the request message containing the information input into the member registration screen 30 is received from the web client apparatus 10 (S103; YES), the web server apparatus 20 will advance a process to step S104.

  In step S104, the web server device 20 determines whether or not a new question code (information entered in the text box 32b of the member registration screen 30) is included in the information received from the web client device 10. Determine. When the web server device 20 determines that a new question code is not included (S104; NO), the process proceeds to step S106, and when it is determined that a new question code is included (S104; YES), the process proceeds to step S105.

  In step S <b> 105, the web server device 20 registers a new question code and a question sentence that asks the question code as a correct answer in the question information management table 26. The web server device 20 generates a field having the new question code as a field name in the member information management table 25. Thereafter, the web server device 20 advances the processing to step S106.

  In step S <b> 106, the web server device 20 generates a new ID and PW that are not used in the member information management table 25.

  In the next step S107, the web server device 20 adds the ID and PW generated in step S106 and the information received in step S103 to the member information management table 25 as a new record.

  In the next step S108, the web server device 20 generates an e-mail with the contents of notifying the ID and PW generated in step S106, and according to the e-mail transmission program 23, the e-mail address in the information received in step S103. The e-mail is transmitted to the address. After the transmission, the web server device 20 ends the member registration process.

  After the user completes member registration through the member registration process described above and obtains the ID and PW through e-mail, the web client device 10 is running for the member of the web server device 20 while the web client program 11 is being executed. When the URL of the web page data 21 is designated, the web client device 10 transmits a request message to the web server device 20 indicated by the domain name in the URL. When the web server device 20 receives this request message while the web server program 22 is being executed, the web server device 20 reads the authentication program 28 from a storage device (not shown) and executes an authentication process. FIG. 5 is a flowchart showing the contents of the authentication process.

  In the first step S201 after the start of the authentication process, the web server device 20 uses the function of the web server program 22 to send a response message including screen data of an authentication information input screen (not shown) in the body. To the web client device 10. After the transmission, the web server device 20 advances the process to step S202.

  The web client device 10 that has received this response message displays an authentication information input screen (not shown) on a display device (not shown) according to the web client program 11. This authentication information input screen includes two text boxes for inputting ID and PW. In addition, the authentication information input screen includes a send button that is clicked when input to these text boxes is completed. When the user inputs the ID and PW in each text box and clicks the send button, the web client device 10 sends a request message including the ID and PW input in each text box according to the web client program 11. It transmits to the web server device 20.

  In step S202, the web server device 20 stands by until it receives from the web client device 10 a request message including the ID and PW entered on the authentication information input screen (not shown) (S202; NO). When the request message including the ID and PW input on the authentication information input screen is received from the web client device 10 (S202; YES), the web server device 20 advances the process to step S203.

  In step S203, the web server device 20 determines whether an ID and PW that completely match the combination of ID and PW received in step S202 are registered in the member information management table 25. If the web server device 20 determines that the ID and PW that completely match the received combination of ID and PW are not registered in the member information management table 25 (S203; NO), the process proceeds to step S212. If it is determined that the ID and PW that completely match the received ID and PW combination are registered in the member information management table 25 (S203; YES), the process proceeds to step S204.

  In step S204, the web server device 20 identifies the record of the ID received in step S202 among the records stored in the member information management table 25, and the number of questions in the “number of questions” field of this record; The flag in the “question content change” field is read as login setting information.

  In the next step S205, the web server device 20 includes a non-blank field (recorded correct answer) in each field after the “PW” field and before the “number of questions” field in the record specified in step S204. Select some. Specifically, when the flag is off, the web server device 20 selects, for example, the same number of fields as the number of questions from the front in the arrangement order in FIG. elect. On the other hand, if the flag is on, the web server device 20 randomly selects the same number of fields as the number of questions from the fields that are not blank.

  In the next step S206, the web server device 20 reads out a question sentence corresponding to the name of the field (question code) selected in step S205 from the question information management table 26, and on the question screen, based on the read question sentence. Generate screen data. FIG. 6 is a diagram illustrating an example of the question screen 40. As shown in FIG. 6, question texts are listed on the question screen 40. A text box 40a is prepared for each question sentence. Each text box 40a is for inputting an answer to a question sentence corresponding to the text box 40a. Each text box 40a may be a drop-down list box. Further, the question screen 40 shows a send button 40b that is clicked when an answer is entered in each text box 40a.

  In the next step S207, the web server device 20 uses the function of the web server program 22 to transmit a response message including the screen data of the question screen generated in step S206 to the request source web client device 10. To do. After the transmission, the web server device 20 advances the process to step S208.

  In step S208, the web server device 20 determines whether or not a predetermined time has elapsed. If it is determined that the predetermined time has not elapsed (S208; NO), the web server device 20 advances the process to step S209.

  In step S209, the web server device 20 determines whether information input in each text box on the question screen has been received from the web client device 10 that has transmitted the response message in step S207. When it is determined that the information input in each text box on the question screen has not been received from the web client device 10 (S209; NO), the web server device 20 returns the process to step S208.

  If it is determined that the predetermined time has elapsed during the execution of the processing loop of steps S208 and S209 (S208; YES), the web server device 20 branches the processing from step S208 to step S213.

  If it is determined that a request message including information input in each text box on the question screen is received from the web client device 10 during execution of the processing loop of steps S208 and S209 (S209; YES), the web server device 20 branches the process from step S209 to step S210.

  In step S210, the web server device 20 determines whether or not each answer received in step S209 completely matches the correct answer (question code) in the field selected in step S205. If it is determined that each answer received in step S209 completely matches the correct answer in the field selected in step S205 (S210; YES), the web server device 20 advances the process to step S211.

  In step S <b> 211, the web server device 20 uses the function of the web server program 22 to transmit a response message including the screen data of the authentication completion notification screen in the body to the requesting web client device 10.

  In the next step S212, the web server device 20 notifies the session management process generated in advance by starting the session management program 24 of the start of the session. After the notification, the web server device 20 ends the authentication process.

  On the other hand, when it is determined in step S210 that at least one of the answers received in step S209 does not match the answer in the field selected in step S205 (S210; NO), the web server device 20 performs step S213. Proceed to the process.

  In step S213, the web server device 20 transmits a response message including the screen data of the authentication impossible notification screen in the body to the web client device 10 that is the request source. After the transmission, the web server device 20 ends the authentication process.

  The computer network system of the present embodiment has the following effects by the contents of the processing described above and the operation thereof.

  When the user selects some of a plurality of questions presented at the time of member registration and registers an answer to the selected question, the user is presented with a question for answering the answer at the time of login. This question will be presented in the number set at the time of member registration. However, as the number of questions increases, even the user's relatives and friend acquaintances cannot find all the answers. Therefore, the possibility of being logged in as a user is reduced. As a result, this embodiment can ensure higher security than conventional user authentication. However, as the number of questions increases, it takes more time for identity verification at the time of login. Therefore, the actual number of questions is preferably suppressed to such an extent that it takes less time for identity verification.

  In addition, the question content can be set so that the question content is changed every time when the member is registered, or the question content can be set to be fixed every time. When the setting is made so that the question content is changed every time, a question having a different content for each login is presented to the user. For this reason, even if a Service-to-Self sees some of the answers that the user has registered in advance, when the Service-to-Self impersonates the user and logs in, he can always log in with the answer that he / she saw. Not necessarily. Therefore, this embodiment can ensure a higher level of security than conventional user authentication.

  In the present embodiment, as illustrated in FIGS. 2 and 3, the PW is requested at the time of login (S106, S108, S201). However, the present invention is not limited to this. Actually it is not necessary. When there is no PW, the answer to each question sentence functions as password information for certifying the person instead of the PW. However, PWs made of inorganic character strings are very hard to remember and forgetful, but by using the answers to these questions for identity verification, the answers are a little distracted or completely forgotten. Even if it is, the question text is immediately recalled, so that the problem that login cannot be performed due to PW forgetting can be solved.

  By the way, in the question sentence used for the above explanations, examples such as father's maiden name, mother's maiden name, pet name, birthplace prefecture name, etc. can be easily known by relatives and friends. It is not necessary to be limited to, but rather, it is desirable to register in advance what a relative or friend cannot easily know. Examples of questions that such relatives and friends may not know easily include, for example, “How many steps did you take to enter the elementary school gates?”, “How many times did you replace the desk light bulb?” "How many issues have you been buying for a particular magazine?"

Schematic diagram of a computer network system according to an embodiment of the present invention The figure which shows an example of the data structure of a member information management table Flow chart showing the contents of the member registration process Figure showing an example of the member registration screen Flow chart showing contents of authentication process Figure showing an example of a question screen

Explanation of symbols

DESCRIPTION OF SYMBOLS 10 Web client apparatus 11 Web client program 12 Mailer 20 Web server apparatus 21 Web page data 22 Web server program 23 E-mail transmission program 24 Session management program 25 Member information management table 26 Question information management table 27 Member registration program 28 Authentication program 30 Member Registration Screen 31 Essential Information Input Area 32 Question Information Input Area 32a Text Box 32b Text Box 32c Text Box 33 Login Setting Input Area 34 Registration Button 40 Question Screen 40a Text Box 40b Send Button

Claims (5)

An authentication program for determining whether to grant access authority to a client device,
Computer
Storage means for storing identification information for uniquely identifying a user in association with two or more secret information about the user in a storage device;
First transmission for transmitting screen data for displaying an input screen having an input means for inputting identification information to a requesting client device through a communication device when a request is received from any client device means,
A first acquisition unit configured to acquire, through the communication device, identification information input to the input unit of the input screen from the client device that has transmitted the screen data by the first transmission unit;
Reading means for reading out two or more pieces of the secret information corresponding to the identification information acquired by the first acquisition means from the storage device;
In order to display a question screen that includes an input means for inputting an answer to the question sentence, and enumerates question sentences with some of the two or more secret information read by the reading means as correct answers. Screen data generation means for generating screen data of
Second transmission means for transmitting the screen data generated by the screen data generation means to the client device through the communication device;
Second acquisition means for acquiring, through the communication device, an answer input to the question screen input means from the client device that has transmitted the screen data by the second transmission means;
A determination means for determining whether or not the answer for each question sentence acquired by the second acquisition means and the secret information corresponding to the question sentence all match; and
An authentication program that causes the client device to function as an access unit that grants the access authority when the determination unit determines that the answers and the secret information all match. . The screen data generating means randomly selects some of the two or more secret information read by the reading means, and enumerates question sentences with the selected secret information as correct answers. 2. The authentication program according to claim 1, wherein screen data for displaying a question screen provided with an input means for inputting an answer is generated. The storage means stores a numerical value indicating the number of questions in association with identification information and secret information in a storage device,
The screen data generation means selects the same number of secret information as the numerical value corresponding to the secret information from the two or more secret information read by the reading means, and makes the selected secret information the correct answer The authentication program according to claim 1 or 2, wherein screen data for displaying a question screen provided with input means for inputting an answer to the question sentence while enumerating sentences is generated. 4. The authentication program according to claim 3, wherein the numerical value stored in the storage device by the storage means is a numerical value selected in advance by the user. The storage means stores the identification information and the secret information together with the password information for certifying the identity in the storage device.
The first transmission means transmits screen data for displaying an input screen having an input means for inputting identification information and personal identification information to a requesting client device through a communication device,
The reading means stores the identification information and the secret information when the identification information and the secret information that completely match the combination of the identification information and the secret information acquired by the first acquisition means are stored in the storage device. 5. The authentication program according to claim 1, wherein two or more pieces of the secret information corresponding to the information are read from the storage device.