JP2006318317A - User authentication device, user authentication method and user authentication program - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To establish onetime-password-based user authentication more simply without increasing a load on a client. <P>SOLUTION: A user authentication device has an authentication database storing user authentication information about each user, a quiz generation means for generating a quiz using the authentication information when an access request is received from a terminal used by the user, a sending means for sending the generated quiz to the terminal, an answer reception means for receiving user identification information and an answer to the generated quiz from the terminal, a calculation means for identifying the authentication information corresponding to the user identification information from the authentication database and applying the identified authentication information to the generated quiz to calculate an answer to the quiz, and a determination means for determining that the access is requested from an authorized user if the quiz answer received by the answer reception means is equal to the quiz answer calculated by the calculation means. <P>COPYRIGHT: (C)2007,JPO&INPIT

Description

  The present invention relates to a user authentication technique for authenticating a user's validity.

In recent years, identity theft of user IDs and passwords on the Internet, represented by phishing scams, has become a problem. For this reason, one time password (One Time Password) is one of technologies for ensuring higher security. The one-time password is a “disposable password” that can be used only once for authentication. Patent Document 1 describes a user authentication system in which a client generates a user authentication code (one-time password) using parameters stored in a recording medium and parameters transmitted from a server.
JP 11-41230

  By the way, in patent document 1, a client and a server each generate a one-time password and perform user authentication in cooperation. However, it is difficult to add a function for generating a one-time password to an unspecified number of clients connected to the Internet because the load increases in terms of system and cost. Also on the server side, authenticating the one-time password generated by each of a large number of clients has a large system load.

  The present invention has been made in view of the above circumstances, and an object of the present invention is to more easily perform user authentication using a one-time password method without increasing the load on the client side.

  In order to solve the above-described problems, the present invention provides, for example, a user authentication device that accepts an access request from an authentication database storing authentication information of the user and a terminal used by the user for each user. Quiz generation means for generating a quiz using the authentication information; transmission means for transmitting the generated quiz to the terminal; and answer receiving means for receiving user identification information and the generated quiz response from the terminal; Identifying the authentication information corresponding to the user identification information from the authentication database, calculating the quiz answer by applying the identified authentication information to the generated quiz, and the quiz received by the answer accepting unit When the answer and the answer of the quiz calculated by the calculating means match, it is determined that the access request is from a legitimate user. It has a that discriminating means.

  In the present invention, user authentication using the one-time password method can be performed more easily without increasing the load on the client side.

  Hereinafter, embodiments of the present invention will be described.

  FIG. 1 is an overall configuration diagram of an authentication system to which an embodiment of the present invention is applied. The authentication system according to this embodiment includes at least one client 1 and a server 2. Each client 1 and server 2 are connected by a network 3 such as the Internet.

  The client 1 accesses the server 2 via the network 3 and requests various services provided by the server 2. The client 1 includes a display unit 11 and an instruction receiving unit 12 as illustrated. The display unit 11 has the same function as a general Web browser, analyzes the information received from the server 2, and displays it on an output device (not shown). The instruction receiving unit 12 receives an instruction from a user who operates the client 1.

  The server 2 authenticates the user who uses the client 1, and provides various services when the authentication is successful. As illustrated, the server 2 includes a login screen generation unit 21, a quiz generation unit 22, an authentication unit 23, a service providing unit 24, an authentication DB 26, and a parameter table 27.

  The login screen generation unit 21 receives a login request (access request) from the client 1 and generates a login screen described later. The quiz generating unit 22 dynamically generates a quiz (problem) to be displayed on the login screen. The authentication unit 23 receives the user ID, password, and quiz answer and performs user authentication. The service providing unit 24 provides various services to the client 1. The authentication DB 26 is a database in which authentication information necessary for user authentication is stored for each user. The parameter table 27 is a table in which parameters of authentication information used for the quiz are stored.

  Next, the authentication DB 26 and parameter table 27 of the server 2 will be described.

  FIG. 2 is a diagram illustrating an example of the authentication DB 26. The authentication DB 26 is a database obtained by extracting authentication information necessary for user authentication from a personal information DB (not shown). The server 2 has a personal information DB that stores personal information (name, address, telephone number, etc.) of each user.

  The illustrated authentication DB 26 includes a user ID 261, a password 262, a postal code 263, a home phone number 264, a mobile phone number 265, and a date of birth 266 for each user. In the present embodiment, numeric personal information having a predetermined numbering system (number of digits) is extracted as authentication information 263 to 266 from various types of personal information and used for quizzes. The authentication information 263 to 266 is registered in the authentication DB 26 by separating each column by one digit.

  In addition to the authentication information 263 to 266 shown in the figure, for example, a private car number (4 digits) or a driver's license number (12 digits) may be used.

  FIG. 3 is a diagram showing an example of the parameter table 27. The parameter table 27 is a table in which digits (positions from the head) 272 that can be used in the quiz are set for each authentication information 271. Specifically, the postal code has 7 digits, and is relatively widely used from “000-0001” to “999-8531”. Therefore, “1” to “7” are set in the usable digit 272 of the postal code. Accordingly, any digit from the first digit to the seventh digit can be selected in the quiz generation process described later.

  The home phone number (fixed phone) has 10 digits, but the beginning of the area code (the first digit from the beginning) is “0”, and the next number (the second digit from the beginning) is also part. There are numbers that are not used. For this reason, the first digit and the second digit are excluded, and “3” to “10” are set in the usable digit 272 of the home phone number. Accordingly, any digit from the third digit to the tenth digit can be selected in the quiz generation process described later.

  The mobile phone number has 11 digits, and the first three digits are currently fixed at “090” or “080”. For this reason, the first digit to the third digit are excluded, and “4” to “11” are set in the usable digit 272 of the mobile phone number. Accordingly, any digit from the fourth digit to the eleventh digit can be selected in the quiz generation process described later.

  In addition, the date of birth is 8 digits of the year (4 digits), month (2 digits), and day (2 digits). Since the Internet users are estimated to be born in the 1900s for the time being, the first two digits of the year (the first and second digits from the beginning) are not used. The tenth place (5th digit from the beginning) of the month is “0” or “1”. Further, the tenth place (the seventh digit from the top) of the day is also a number from “0” to “3”. Therefore, “3”, “4”, “6”, and “8” are set in the usable digit 272 of the date of birth. Thereby, in the quiz generation process described later, any one of the third digit, the fourth digit, the sixth digit, and the eighth digit can be selected.

For example, the client 1 and the server 2 described above each include a CPU 901, a memory 902, an external storage device 903 such as an HDD, an input device 904 such as a keyboard and a mouse, a display and a printer as shown in FIG. A general-purpose computer system including an output device 905 such as a communication control device 906 for connecting to a network can be used. In this computer system, a CPU 901 has a memory 902.
Each function of each device is realized by executing a predetermined program loaded thereon.

For example, the functions of the client 1 and the server 2 are realized by the CPU 901 of the client 1 executing the program for the client 1, and the CPU 901 of the server 2 executing the program for the server 2, respectively. . It is assumed that the server 2 memory 902 or the external storage device 903 is used for the authentication DB 26 and the parameter table 27 of the server 2. In addition, regarding the input device 904 and the output device 905, each device is provided as necessary.

  Next, a login screen displayed on the output device of the client 1 will be described.

  FIG. 5 is a diagram illustrating an example of a login screen. The illustrated login screen includes a user ID input field 51, a password input field 52, at least one quiz display field 53 a, 53 b, 53 c, a quiz answer input field 54 corresponding to the quiz display field 53, and a send button 55. And have. It is assumed that the login screen of the present embodiment has three quiz display fields 53a, 53b, and 53c. Also, it is assumed that the quiz display fields 53a, 53b, and 53c display a quiz text and an example of a calculation method together.

  Note that the greater the number of quizzes displayed (questions) on the login screen, the higher the strength of user authentication. That is, guesswork and impersonation become difficult. Therefore, the number of quizzes displayed on the login screen is not limited to three.

  In addition, the quiz of the present embodiment makes the user answer a one-digit number. Therefore, each answer input column 54 is assumed to select a predetermined number by a select box (pull-down format) capable of selecting a number from “0” to “9”.

  Next, processing of the authentication system of this embodiment will be described.

  FIG. 6 is a process flow diagram showing an outline of the process of the authentication system.

  First, the instruction receiving unit 12 of the client 1 receives a user instruction, accesses the server 2, and requests a login screen (S11). The server 2 accepts the request from the client 1, dynamically generates a login screen including a quiz, and transmits it to the requesting client 1 (S12).

  Then, the display unit 11 of the client 1 displays the login screen received from the server on the output device (S13). Then, the instruction receiving unit 12 of the client 1 receives the user ID, password, and quiz answer input by the user and transmits them to the server 2 (S14). The server 2 performs user authentication using the user ID received from the client 1 (S15). Then, the server 2 transmits an authentication success screen or an authentication error screen to the client 1 according to the result of user authentication. Then, the display unit 11 of the client 1 displays the authentication success screen or the authentication error screen received from the server on the output device (S16).

  Next, the login screen generation process (S12) shown in FIG. 6 will be described in detail.

  FIG. 7 is a flowchart of the server 2 login screen generation process. The login screen generation unit 21 of the server 2 generates a login screen as shown in FIG. 5 using a markup language such as HTML (HyperText Markup Language) or XML (eXtensible Markup Language).

  First, the login screen generation unit 21 generates screen information of a user ID input field and a password input field (S21). And the login screen production | generation part 21 repeats the process of S23 to S25 by the number of quizzes displayed on a login screen (S22, S26). In the present embodiment, since three quizzes are displayed on the login screen, it is assumed that n = 3 is repeated three times (loop processing).

  In the iterative process, the login screen generator 21 generates a random number for selecting a quiz pattern (S23). In addition, the quiz of this embodiment uses three types of calculation patterns, an addition pattern, a subtraction pattern, and a multiplication pattern so that the user who answers the quiz can easily calculate the answer using mental arithmetic or a calculator. Shall. Therefore, in the illustrated example, the login screen generation unit 21 generates a random number of “1” (addition pattern), “2” (subtraction pattern), and “3” (multiplication pattern) by a predetermined algorithm. .

  Then, the login screen generation unit 21 calls the quiz generation function using the random number of the quiz pattern generated in S23 as an argument (S24). The quiz generation function will be described later.

  And the login screen production | generation part 21 acquires the text of the quiz produced | generated by the quiz production | generation function and the calculation example of the said quiz, and produces | generates a quiz display column. Further, the login screen generation unit 21 generates a quiz answer input field (S25). In the quiz answer field of this embodiment, a select box that can select a number from “0” to “9” is used.

  In addition, the login screen generation unit 21 sets the quiz identification information (quiz identification code) for identifying the generated quiz as hidden data (“hidden attribute” of the input form) or as cookie information on the login screen. . Accordingly, the login screen generation unit 21 can transmit the quiz identification information to the client 1 together with the login screen, and can receive the quiz identification information from the client 1 together with the quiz answer. The quiz identification information includes the quiz pattern generated in S23 and variables (parameters) acquired from the quiz generation function.

  Then, after completing the predetermined number of times (three times) (S26), the login screen generation unit 21 generates a transmission button and completes the login screen. Then, the login screen generation unit 21 transmits the generated login screen to the client (S27). Note that the display unit 11 of the client 1 analyzes the login screen described in HTML or the like and outputs the login screen (see FIG. 5) to the output device.

  Next, processing of the quiz generation function (FIG. 7: S24) will be described.

  FIG. 8 is a processing flow diagram of the quiz generation function. First, the quiz generating unit 22 determines whether or not the quiz pattern set as an argument is “1” (S31). When the quiz pattern is “1” (S31: YES), the quiz generation unit 22 calls an addition quiz generation function described later (S32).

  When the quiz pattern is not “1” (S31: NO), the quiz generation unit 22 further determines whether or not the quiz pattern is “2” (S33). When the quiz pattern is “2” (S33: YES), the quiz generation unit 22 calls a subtraction quiz generation function described later (S34). When the quiz pattern is not “2”, that is, “3” (S33: NO), the quiz generation unit 22 calls a multiplication quiz generation function to be described later (S35). And the quiz production | generation part 22 acquires the text and example of a quiz produced | generated by each function, and quiz identification information (S36).

  Next, processing of the addition quiz generation function, the subtraction quiz generation function, and the multiplication quiz generation function will be described.

  FIG. 9 is a processing flowchart of the addition quiz generation function.

  The quiz generating unit 22 generates a random number for selecting the postal code digit (position from the top) used for the quiz (S41). That is, the quiz generating unit 22 refers to the parameter table 27 and randomly selects any number from among the usable digits (numbers) of the zip code by a predetermined algorithm.

  And the quiz production | generation part 22 produces | generates the random number for selecting the digit of the home telephone number used for a quiz (S42). That is, the quiz generating unit 22 refers to the parameter table 27 and randomly selects one of the usable digits of the home phone number by a predetermined algorithm.

  And the quiz production | generation part 22 produces | generates the random number for selecting the digit of the mobile telephone number used for a quiz (S43). That is, the quiz generating unit 22 refers to the parameter table 27 and randomly selects one of the digits that can be used for the mobile phone number by a predetermined algorithm.

  And the quiz production | generation part 22 produces | generates the random number for selecting the digit of the date of birth used for a quiz (S44). That is, the quiz generating unit 22 refers to the parameter table 27 and randomly selects one of the digits that can be used from the date of birth using a predetermined algorithm.

  And the quiz production | generation part 22 produces | generates the text of the addition quiz using the number selected by S41 to S44 (S45). As the text of the addition quiz, for example, as shown in the login screen (quiz display field 53a) of FIG. 5, "n (number generated in S41) digit of your address zip code and n (S42 (Number generated in step S), the nth (number generated in S43) digit of the mobile phone number, and the nth (number generated in S44) digit of the date of birth are added together. Please answer the number of the place. " Note that “n” in the above text is a variable.

  Then, the quiz generating unit 22 generates a quiz calculation example (S46). For example, as shown in the login screen (quiz display field 53a) of FIG. 5, for example, a predetermined number that matches the numbering system of the item is set for each item, and the variable portion of the set number is underlined. pull. Then, it is conceivable to generate a calculation formula for adding the numerical values in the underlined portion.

  Then, the quiz generating unit 22 returns the generated quiz text, calculation examples, and quiz identification information (variables generated in S41 to S44) to the quiz generation function (FIG. 8: S36) (S47).

  FIG. 10 is a processing flowchart of the subtraction quiz generation function.

  The quiz generating unit 22 generates a random number for selecting a postal code, a home phone number, a mobile phone number, and a date of birth as in S41 to S44 of FIG. 9 (S51 to S54). And the quiz production | generation part 22 produces | generates the text of a subtraction quiz similarly to S45 of FIG. 9 (S55). For example, as shown in the log-in screen (quiz display field 53b) of FIG. 5, the subtraction quiz text is “from the n-th digit of your address zip code to the n-th digit of the home phone number and the mobile phone number. Please subtract all the nth digits of the date of birth and the nth digit of the date of birth, and answer the number of the 1st digit of the result. Please answer the number of the 1st digit even if the calculation result is negative. " Can be considered.

  And the quiz production | generation part 22 produces | generates the example of a quiz calculation as shown, for example in the login screen (quiz display column 53b) of FIG. 5 (S56). Then, the quiz generation unit 22 returns the generated quiz text, calculation examples, and quiz identification information (variables generated in S51 to S54) to the quiz generation function (FIG. 8: S36) (S57).

  FIG. 11 is a process flow diagram of the multiplication quiz generation function.

  The quiz generating unit 22 generates a random number for selecting a postal code, a home phone number, a mobile phone number, and a date of birth as in S41 to S44 of FIG. 9 (S61 to S64). And the quiz production | generation part 22 produces | generates the text of a multiplication quiz similarly to S45 of FIG. 9 (S65). As the text of the multiplication quiz, for example, as shown in the login screen (quiz display field 53c) in FIG. 5, "the nth digit of your postal code, the nth digit of the home phone number, and the mobile phone number Multiply the nth digit of the date of birth by the nth digit of the date of birth, and answer the number of the first place of the result.However, when “0” is selected, “0” is changed to “1”. Please read "" and calculate. Or the like.

  And the quiz production | generation part 22 produces | generates the example of a quiz calculation as shown, for example in the login screen (quiz display column 53c) of FIG. 5 (S66). Then, the quiz generation unit 22 returns the generated quiz text, calculation examples, and quiz identification information (variables generated in S61 to S64) to the quiz generation function (FIG. 8: S36) (S67).

  Next, the user authentication process (S15) shown in FIG. 6 will be described in detail.

  12 and 13 are process flowcharts of the user authentication process of the server 2. As illustrated in FIG. 12, the authentication unit 23 receives a user ID, a password, a quiz answer, and quiz identification information from the client 1 (S71). The quiz identification information is transmitted to the server 2 as hidden data (hidden attribute) or as cookie information together with input information (user ID, password, quiz answer).

  And the authentication part 23 discriminate | determines whether the received user ID exists in authentication DB26 (S72). When the received user ID does not exist in the authentication DB 26 (S72: NO), the authentication unit 23 transmits an authentication error screen as shown in FIG. 14A to the client 1 (S74). In the illustrated authentication error screen, a URL for linking (transitioning) to the login screen is embedded.

  If the received user ID exists in the authentication DB 26 (S72: YES), the authentication unit 23 determines whether the password of the user ID stored in the authentication DB 26 matches the received password. (S73). When the passwords do not match (S73: NO), the authentication unit 23 transmits an authentication error screen as shown in FIG. Note that the authentication unit 23 may perform an account lockout process (a process for rejecting login with the user ID) when an authentication error occurs with the same user ID exceeding a predetermined number of times.

  If the passwords match (S73: YES), the authentication unit 23 performs the process of FIG. That is, the authentication unit 23 repeats the processing from S76 to S85 for the number of quizzes displayed on the login screen (S75, S87). In the present embodiment, since three quizzes are displayed on the login screen, it is assumed that n = 3 is repeated three times (loop processing).

  First, the authentication unit 23 specifies an answer (answer (i)) of a predetermined quiz (i-th quiz) and quiz identification information from the information received in S71 (S76). And the authentication part 23 specifies the record of the received user ID with reference to authentication DB26. And the authentication part 23 specifies the number (numerical value) set to the variable part (n-th digit) of quiz identification information for every authentication information (zip code, home phone number, mobile phone number, date of birth). The record is extracted from the recorded record (S77).

  Then, the authentication unit 23 determines whether or not the quiz pattern included in the quiz identification information is “1” (S78). When the quiz pattern is “1” (S78: YES), the authentication unit 23 adds all the numbers extracted in S77, and sets the first digit of the calculation result as the calculated value (result (i)). (S79).

  If the quiz pattern is not “1” (S78: NO), the authentication unit 23 further determines whether or not the quiz pattern is “2” (S80). When the quiz pattern is “2” (S80: YES), the authentication unit 23 sequentially subtracts the numbers extracted in S77, and sets the first digit of the calculation result as the calculated value (result (i)). (S81).

  If the quiz pattern is not “2”, that is, “3” (S80: NO), the authentication unit 23 determines whether “0” is present in each number extracted in S77. (S82). When “0” exists (S82: YES), the authentication unit 23 replaces “0” with “1” (S83). Then, the authentication unit 23 multiplies all the numbers extracted in S77 (or replaced “1”), and sets the number of the first place of the calculation result as the calculated value (result (i)) (S84).

  Then, the authentication unit 23 determines whether or not the quiz answer (answer (i)) matches the calculated value (result (i)) (S85). When the answer of the quiz and the calculated value do not match (S85: NO), the authentication unit 23 transmits an authentication error screen as shown in FIG. 14A to the client 1 (S86). Note that the authentication unit 23 may perform account lockout processing as necessary.

  When the answer to the quiz matches the calculated value (S85: YES), the authentication unit 23 repeats the process (S87) a predetermined number of times (three times). If all quiz responses match, the authentication unit 23 transmits an authentication success screen indicating that the authentication has succeeded to the client 1 as shown in FIG. 14B (S88). The "session management" mechanism necessary for conducting business transactions on HTTP (HyperText Transfer Protocol) or HTTPS (Hypertext Transfer Protocol Security) is successfully authenticated after authentication by the authentication unit 23 (after successful authentication). Access to the screen and beyond shall be permitted. In the illustrated authentication success screen, a URL for linking (transition) is embedded in a menu screen on which menus of various services are displayed. After transitioning to the menu screen, the service providing unit 24 of the server 2 provides a service instructed by the client.

  The embodiment of the present invention has been described above.

  In this embodiment, a quiz using numbers included in personal information is generated when a login request is made, and the user is made to answer. Thereby, user authentication can be performed more easily without mounting a function for user authentication on the client side.

  Further, the server 2 randomly selects a predetermined quiz pattern from among quiz patterns such as addition and subtraction. Further, the server 2 randomly selects a predetermined digit (position from the top) of each personal information (authentication information) used for the quiz as a variable (parameter). In this way, user authentication using a simple one-time password method can be realized by dynamically selecting a quiz pattern and a variable for a login request.

  In addition, resistance to a brute force attack can be ensured by randomly changing the quiz pattern and the variable when a login request is made.

  In the present embodiment, user authentication is performed in a quiz format by combining a plurality of personal information without using the personal information itself. Thus, even if a malicious third party knows only one piece of personal information (for example, a mobile phone number), a correct answer cannot be answered. Moreover, since personal information cannot be derived from the quiz answer, leakage of personal information can be prevented.

  Further, in the present embodiment, the parameter table 27 is provided, and digits inappropriate for the quiz (position from the top) are excluded for each personal information (authentication information). Thereby, the danger that solution space will become small can be prevented. That is, it is possible to prevent a risk that a person other than the person can easily guess the correct answer.

  In addition, this invention is not limited to said embodiment, Many deformation | transformation are possible within the range of the summary. For example, in the above embodiment, the server 2 has the authentication DB 26 and the parameter table 27. However, the present invention is not limited to this, and another server (not shown) connected to the server 2 via the network may have the authentication DB 26 and the parameter table 27. In this case, it is assumed that the server 2 accesses the authentication DB 26 and the parameter table 27 of the other server via the network.

  In the above embodiment, user authentication is performed using the user ID, password, and quiz. However, the present invention is not limited to this, and more advanced user authentication may be performed using a quiz when issuing cookie information. Cookie information is user information transmitted and received between the server 2 and the client 1 (Web browser). Note that the cookie information here is not intended to realize a “session management” mechanism necessary for performing a business transaction or the like on an essentially stateless HTTP (S) protocol, but a specific user and client 1 ( Web browser) is used as a proof that the authentication in the quiz format of the present invention has already been successful.

  FIG. 15 is a processing flow diagram of the server 2 when a quiz is used when issuing cookie information. In the illustrated process, the authentication DB 26 (see FIG. 2) further includes a cookie information setting field for storing cookie information and an expiration date of the cookie information.

  First, the server 2 receives a user ID and a password from the client 1 (S91). That is, the client 1 displays a login screen that accepts input of a user ID and password on the output device, and transmits the user ID and password input by the user to the server 2.

  Then, the server 2 determines whether or not the received user ID and password exist in the authentication DB 26 (S92). When it does not exist in the authentication DB 26 (S92: NO), the server 2 transmits an authentication error screen (see FIG. 14A) to the client 1 (S99). On the other hand, if it exists in the authentication DB 26 (S92: YES), the server 2 determines whether or not cookie information is added to the received user ID and password (S93).

  When the cookie information is not added (S93: NO), the server 2 generates the quiz described in the above embodiment (see FIGS. 7 to 11) and transmits it to the client 1 in order to increase the strength of user authentication. (S94). Cookie information is not added when logging in for the first time, when the expiration date of the cookie information expires, or when a valid user logs in from a different client (for example, home (company) personal computer) Or the case of impersonation by a malicious third party.

  Then, the server 2 receives a quiz answer from the client 1 (S95). The client 1 displays the quiz transmitted from the server 2 on the output device and accepts the answer of the quiz input by the user. Then, the client 1 transmits the accepted quiz answer to the server 2.

  Then, as described in the above embodiment (see FIGS. 12 and 13), the server 2 determines whether or not the received quiz answer is correct (S96). If the answer to the quiz is not correct (S96: NO), the server 2 transmits an authentication error screen (see FIG. 14A) to the client 1 (S99).

  On the other hand, when the answer to the quiz is correct (S96: YES), the server 2 determines that the user is a valid user and generates cookie information (S97). Then, the server 2 sets the generated cookie information in the cookie information setting field for the user ID in the authentication DB 26. If the expiration date of the cookie information has passed, the generated cookie information is overwritten in the cookie information setting field. When a legitimate user logs in from a different client, a new record of the user (client) is added to the authentication DB, and the generated cookie information is set.

  Then, the server 2 transmits an authentication success screen (see FIG. 14B) to which the generated cookie information is added to the client 1 (S98). In order to further enhance the security, the server 2 may send an email describing a URL (one-time URL) for issuing cookie information to the client. Then, the user of the client 1 who has received the mail may click on the URL described in the mail and issue cookie information from the URL.

  If cookie information is added (S93: YES), it is determined whether or not the added cookie information matches the corresponding cookie information set in the authentication DB 26 (S100). If the cookie information does not match (S100: NO), the server 2 proceeds to S94, generates a quiz, and transmits it to the client 1. On the other hand, when the cookie information matches (S100: YES), the server 2 transmits an authentication success screen to the client 1 without generating a quiz (S98).

  Through the processing described above, when issuing cookie information, it is possible to perform higher-level user authentication using a quiz and ensure high security. Moreover, in the process demonstrated above, an authentication process is performed entangled with cookie information and a quiz. Thereby, since a quiz is given only when cookie information is issued, the convenience of the user can be improved while maintaining the strength of authentication.

  Further, the processing described above can prevent damage caused by phishing scams. That is, in phishing fraud, a general method is to set up a camouflaged site with a domain name similar to a real site and steal authentication information such as a user ID / password or personal information. In this case, a measure to strengthen authentication by introducing a dynamic one-time password is considered so that impersonation is not performed only by fraudulently capturing a static user ID / password. Recently, however, there have been reports of cases in which a one-time password entered on a forged site is immediately transferred to a real site for successful authentication and immediately followed by a fraudulent act pretending to be the person. Since cookie information basically has the property that it is not returned to anything other than the real server or domain that issued the cookie information, it is also effective against phishing scams as described above.

1 is a diagram illustrating an overall configuration of an authentication system to which an embodiment of the present invention is applied. It is a figure which shows an example of authentication DB. It is a figure which shows an example of a parameter table. It is a figure which shows the hardware structural example of each apparatus. It is a figure which shows an example of a login screen. It is a whole processing flow figure of an authentication system. It is a production | generation processing flowchart of a login screen. It is a processing flow figure of a quiz generation function. It is a processing flow figure of an addition quiz production | generation function. It is a processing flow figure of a subtraction quiz generation function. It is a processing flow figure of a multiplication quiz production | generation function. It is a processing flowchart of a user authentication process. It is a processing flowchart of a user authentication process. It is a figure which shows an example of an authentication error screen and an authentication success screen. It is a processing flow figure in the case of generating a quiz when issuing cookie information.

Explanation of symbols

1: Client, 11: Display unit, 12: Instruction reception unit, 2: Server, 21: Login screen generation unit, 22: Quiz generation unit, 23: Authentication unit, 24: Service provision unit, 26: Authentication DB, 27: Parameter table 3: Network

Claims (6)

A user authentication device,
For each user, an authentication database storing authentication information of the user,
A quiz generating means for receiving an access request from a terminal used by the user and generating a quiz using the authentication information;
Transmitting means for transmitting the generated quiz to the terminal;
Answer receiving means for receiving user identification information and the generated quiz answer from the terminal;
A means for identifying authentication information corresponding to the user identification information from the authentication database, and applying the identified authentication information to the generated quiz to calculate a quiz answer;
A determination unit configured to determine that the access request is from a legitimate user when the response of the quiz received by the response reception unit matches the response of the quiz calculated by the calculation unit. User authentication device. The user authentication device according to claim 1,
A plurality of the authentication information is stored in the authentication database,
Each of the authentication information is a numeric item having a predetermined number system,
The quiz generating means randomly selects a predetermined position of each of the authentication information, and generates a quiz for calculating a number set at each of the selected positions. The user authentication device according to claim 2,
The quiz generating means is set to an addition quiz for adding each number set at each selected position, a subtraction quiz for subtracting each number set to each selected position, and each selected position. A user authentication apparatus, characterized by generating a quiz of any pattern of multiplication quizzes for multiplying each number. The user authentication device according to claim 2,
For each authentication information, further comprising parameter storage means for storing at least one position of the authentication information that can be selected by the quiz generating means,
The quiz generating means reads out the parameter storage means, randomly selects a predetermined position from the selectable positions for each authentication information, and calculates a number set at each selected position. A user authentication device characterized by generating A user authentication method performed by an information processing apparatus,
The information processing apparatus includes, for each user, an authentication database in which authentication information of the user is stored, and a processing unit.
The processor is
A quiz generation step of receiving an access request from a terminal used by the user and generating a quiz using the authentication information;
A transmission step of transmitting the generated quiz to the terminal;
An answer reception step for receiving user identification information and the generated quiz answer from the terminal;
A step of identifying authentication information corresponding to the user identification information from the authentication database, and applying the identified authentication information to the generated quiz to calculate a quiz answer;
A determination step of determining that the access request is from a legitimate user when the answer of the quiz received in the answer reception step matches the answer of the quiz calculated in the calculation step. User authentication method. A user authentication program executed by the information processing apparatus,
The information processing apparatus includes, for each user, an authentication database in which authentication information of the user is stored, and a processing unit.
In the processing unit,
A quiz generation step of receiving an access request from a terminal used by the user and generating a quiz using the authentication information;
A transmission step of transmitting the generated quiz to the terminal;
An answer reception step for receiving user identification information and the generated quiz answer from the terminal;
A step of identifying authentication information corresponding to the user identification information from the authentication database, and applying the identified authentication information to the generated quiz to calculate a quiz answer;
A determination step of determining that the access request is from a legitimate user when the answer of the quiz received in the answer reception step matches the answer of the quiz calculated in the calculation step. User authentication program.

Images