JP2007034727A - User authentication device and method - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To provide an interactive user authentication technique with stability using writing. <P>SOLUTION: A user authentication device 1 has a question/answer storage section 16 which stores question sentences and answers to the question sentences by users, and user identification information while previously making them correspond to one another, an identification information receiving means of receiving input of user identification information, a question/answer receiving means of receiving a user question and a user answer that a user inputs, and a second authentication processing section 14 which refers to the question/answer storage section 16 to perform user authentication based upon the input user identification information, the user question and user answer. <P>COPYRIGHT: (C)2007,JPO&INPIT

Description

  The present invention relates to a technique for user authentication, and more particularly to a technique for user authentication using text.

Conventionally, user authentication using a user ID and a password, which are user identification information, is generally widely used. Since password authentication is very simple, it is now widely used as the most popular user authentication means. However, the authentication strength of password authentication is not always sufficient. Therefore, many user authentication systems with higher authentication strength have been proposed. For example, Patent Literature 1 describes a user authentication method performed in an interactive manner.
JP 2002-342281 A

  In the user authentication method disclosed in Patent Literature 1, both the question and the answer to the user are automatically generated by the system. If it does so, it will become a question which the person who is a regular user cannot necessarily answer correctly, or even a 3rd person can answer easily, and it is unstable as a user authentication system, and cannot be used in peace.

  Therefore, an object of the present invention is to provide an interactive user authentication technique using sentences without including the above instability.

  A user authentication device according to an embodiment of the present invention includes a storage unit that stores in advance a user-specific question message, an answer to the question message, and user identification information in association with each other, and identification information reception that receives input of user identification information Means, a user answer sentence and a user answer input by the user, a question answer accepting means for accepting the user answer, referring to the storage means, the user identification information accepted by the identification information accepting means, and the question answer accepting means accepted by the question answering means First authentication means for performing user authentication based on a user question sentence and a user answer, and output means for outputting an authentication result for the user based on an authentication result by the first authentication means.

  Thereby, the question sentence and answer predetermined for every user can be utilized for user authentication.

  In a preferred embodiment, the apparatus further comprises second authentication means using the user identification information and a password. And the said output means may output the authentication result with respect to the said user based on the authentication result of the 1st and 2nd authentication means.

  Accordingly, the authentication strength can be increased by using the first authentication means together with password authentication.

  In a preferred embodiment, the question text is stored in the storage means divided into phrases. Then, the question answer receiving means refers to the storage means, displays a selection screen for each phrase including a plurality of phrase candidates for each phrase of the question sentence, and selects from among the plurality of phrase candidates of each selection sentence screen You may make it produce | generate a user question sentence by combining each clause selected by the user.

  In a preferred embodiment, the output means may output an authentication result for the user after the question answer accepting means accepts selection of a plurality of phrases and input of the user answer. .

  In a preferred embodiment, the question answer accepting unit includes a plurality of dummy phrases that do not include a correct phrase in the phrase-specific selection screen of the next phrase when one dummy phrase is selected in a certain phrase-specific selection screen. A plurality of phrase candidates including only may be displayed.

  In a preferred embodiment, when one dummy clause is selected on a certain phrase-specific selection screen, the question answer receiving means includes a plurality of phrases including a correct phrase and a plurality of dummy phrases on the phrase-specific selection screen of the next phrase. Or a plurality of phrase candidates that include only a plurality of dummy phrases and that do not include the correct phrase may be displayed.

  In a preferred embodiment, the plurality of phrase candidates on each phrase-specific screen include a correct phrase and a plurality of dummy phrases in the phrase, and the plurality of dummy phrases are the same as the correct phrase in semantics. Or you may belong to a similar classification.

  Hereinafter, a network system having a user authentication function according to an embodiment of the present invention will be described with reference to the drawings.

  FIG. 1 shows the overall configuration of a network system according to this embodiment.

  In this system, a user authentication device 1 is connected to a user terminal 5 via a network 9. The system further includes an AP server 3 that provides a predetermined service. Then, an authentication request is made from the user terminal 5 to the user authentication device 1, and the user authenticated as a regular user here can access the AP server 3 and receive a service provided by the AP server 3.

  Authentication in the user authentication device 1 of this system is performed in two stages. That is, the user authentication device 1 performs first authentication using a user ID and a password, and second authentication using a sentence unique to each user. In the second authentication in the present embodiment, a question sentence set by the user himself / herself and a combination of an answer to the question sentence are registered in advance, and the question sentence and the answer input by the user are compared with these for authentication. Hereinafter, the configuration or function related to the second authentication will be mainly described.

  The user authentication device 1, the AP server 3, and the user terminal 5 are all configured by, for example, a general-purpose computer system, and individual components or functions in the user authentication device 1, the AP server 3, and the user terminal 5 described below. Is realized, for example, by executing a computer program.

  The user terminal 5 is a terminal device for a user interface equipped with an input / output device. For example, the user terminal 5 is a general-purpose personal computer, a PDA (Personal Digital Assistant), or a portable information processing device such as a cellular phone. Good.

  The user authentication device 1 includes an interface processing unit 10, a screen generation unit 11 for generating a user interface (UI) screen for input / output, a first authentication processing unit 12, a question answer registration processing unit 13, A second authentication processing unit 14, a user information storage unit 15, a question / answer storage unit 16, and a semantic DB 17 are provided.

  The interface processing unit 10 controls data transmission / reception with the user terminal 5 via the network 9. For example, UI screen information for displaying a UI screen on the user terminal 5 is transmitted, and information input to the screen at the user terminal 5 is received. Further, the interface processing unit 10 permits access to the AP server 3 in response to an access request from a user who has been authenticated as a regular user by first and second authentication processing described later.

  The screen generation unit 11 generates screen information for displaying a screen on the user terminal 5. For example, predetermined screen template data is held, and screen data is generated based on instructions from the first authentication processing unit 12, the question / answer registration processing unit 13, and the second authentication processing unit 14. An example of a specific UI screen generated by the screen generator 11 will be described later.

  FIG. 2 shows an example of the data structure of the user information storage unit 15.

  The user information storage unit 15 includes, as data items, a user ID 151 for uniquely identifying a user, a password 152 for each user ID, a user name 153, and a user attribute 154. The user information is stored in the user information storage unit 15 in advance.

  Returning to FIG. 1, the first authentication processing unit 12 acquires information input to the user ID and password input screen generated by the screen generation unit 11, and stores them in the user information storage unit 15. The first user authentication (password authentication) is performed by determining whether or not the user ID 151 and the password 152 match.

  FIG. 3 shows an example of the data structure of the question / answer storage unit 16.

  The question / answer storage unit 16 stores a user ID 161, a question sentence 162 for each user ID, and an answer 163 for the question sentence in association with each other. The question sentence 162 is registered by being divided into phrases 1621 to 1627. The number of clauses that can be registered as the question sentence 162 is arbitrary. The question sentence 162 and the answer 163 are registered by the question / answer registration processing unit 13 described below, and are used for the second authentication by the second authentication processing unit 14.

  The question / answer registration processing unit 13 acquires the information input to the question / answer registration screen generated by the screen generation unit 11, and based on this, the question / answer storage unit 16 stores the question text 162 and The answer 163 is registered. This detailed process will be described later.

  The second authentication processing unit 14 acquires information input to the question sentence and answer input screen generated by the screen generation part 11, and these are stored in the question / answer storage part 16. It is determined whether it matches with 162 and the answer 163, and user authentication is performed. Detailed processing will be described later.

  The semantic DB 17 is a database in which words are classified and stored with a focus on semantics. For example, a word used as a phrase of a question sentence is registered in a state of being associated based on semantics.

  FIG. 4 shows an example of the association of words (character strings) registered in the semantic DB 17.

  For example, in the example shown in the figure, a plurality of phrases that are phrase candidates are associated with each other based on their semantics in a tree structure. A meaning including a word positioned below the tree is assigned to the root 171 of the tree structure. Then, a lower level meaning of the meaning shown in the route 171 is assigned to the nodes 172a to 172c in the hierarchy immediately below the route 171. The phrase phrasal candidates having the subordinate concepts of the nodes 172a to 172c are associated with the leaves 173a to 173f of the tree structure. As a result, phrase candidates having the same route 171 belong to the same classification in the classification by semantics. Note that the tree structure of FIG. 4 is an example, and the depth of the tree hierarchy is arbitrary.

  Next, user authentication processing when there is a login request to the network system having the above configuration will be described together with UI screen transition. Note that each screen in the following description is displayed on the user terminal 5 by transmitting the screen information generated by the screen generation unit 11 to the user terminal 5.

  First, FIGS. 5 and 6 show screen transitions when a user logs in to the system for the first time.

  When logging in for the first time, the question text and answer used in the second authentication performed at the next and subsequent logins are registered. The process in the user authentication device 1 will be described together with the screen transition shown in FIG.

  As shown in FIG. 5, when a user ID and a password are input while the first authentication screen 100 is displayed on the user terminal 5, the first authentication processing unit 12 accepts this (S11). Then, the first authentication processing unit 12 determines whether the user ID and password input on the first authentication screen 100 match those registered in the user information storage unit 15 in advance.

  As a result of the password authentication, if the input user ID and password match those registered, the process proceeds to a question sentence and answer registration process described below. That is, the display screen of the user terminal 5 transitions to the text registration screen 210.

  The sentence registration screen 210 includes a question sentence input area 211 and a sentence input support function button 212. And the input area 211 receives the question sentence which a user inputs (S12). The question sentence may be input freely by the user or may be performed according to a text input support function described below.

  When the text input support function button 212 is pressed on the text registration screen 210, the screen of the user terminal 5 transitions to the text registration screen 220 based on an instruction from the question answer registration processing unit 13.

  In the sentence registration screen 220, in addition to the question sentence input area 221, a phrase candidate 225, a next button 226, and an answer button 227 for configuring the question sentence are displayed. When the user selects from the phrase candidates 225, the selected phrase is added to the question sentence input area 221 (S13). Here, when the next button 226 is pressed, the screen sequentially shifts to the text registration screen 220 on which the next phrase candidate is displayed.

  Here, for the phrase candidate phrases included in the phrase candidate 225, the question answer registration processing unit 13 acquires appropriate candidates from the semantic DB 17 according to the generation degree of the question sentence. For example, the question / answer registration processing unit 13 analyzes the semantics of the input phrase, and extracts phrase candidates suitable for the next phrase from the question / answer storage unit 16 by the semantic DB 17 or other users registered.

  And the input of a question sentence is completed by repeating the input of step S13, S14. This state is the text registration screen 220 shown in step S15 of FIG.

  When the selected phrase is added to the input area 221 and the question sentence is gradually generated, the question answer registration processing unit 13 determines the strength when the generated question sentence is used for authentication. The authentication strength is calculated. The authentication strength may be calculated, for example, by automatically analyzing the input sentence for each phrase and calculating the contents (such as the number of similar phrases) of the already registered question / answer DB 16 and semantic DB 17. If the calculated authentication strength is less than the predetermined strength, a predetermined alarm is output, such as displaying a message 228 prompting the change of the question text as in the text registration screen 220 of step S15. May be.

  When the user completes the input of the question text, by pressing the answer button 227, the screen transitions to an answer input screen 230 for inputting an answer.

  Then, an answer is input to the input area 231 of the answer input screen 230 (S16). Here, when the registration button 232 is pressed, the question sentence already inputted and the answer inputted here are stored in the question / answer storage unit 16 via the input confirmation screen 240 (S17).

  When the answer is input in step S16, the question / answer registration processing unit 13 also determines the authentication strength of the input answer. For example, when there is a possibility of lowering the authentication strength, such as one answer for Japanese or one alphanumeric character, a predetermined warning may be output, such as displaying a message prompting the change.

  Through the above processing, a question sentence and an answer specific to each user are registered when each user logs in for the first time. Next, the authentication process when performing the second and subsequent logins will be described.

  FIG. 7 shows a first mode of input screen transition related to authentication at the second and subsequent logins.

  First, the first authentication screen 100 is displayed on the user terminal 5 to accept input of a user ID and password, and the first authentication processing unit 12 performs password authentication as first authentication (S21). At the second and subsequent logins, the user authentication device 1 performs the second authentication described below following the first authentication. Here, the second authentication may be performed only when the first authentication is successful.

  After the first authentication, the question sentence input screen 300 is displayed on the user terminal 5 based on the screen information generated by the screen generation unit 11 based on the instruction of the second authentication processing unit 14. The question sentence input screen 300 includes a plurality of phrase input areas 301 and receives an input to each input area 301 (S22). The user inputs a question sentence set by the user on the input screen 300 for each phrase and completes the question sentence.

  In the example of FIG. 7, ten clause input areas 301 are prepared, whereas the question sentence has seven phrases. The number of phrases of the question sentence set by the user is arbitrary, but the guidance of the number of phrases is not displayed on the question sentence input screen 300. Therefore, when an unauthorized access person who does not know the question text correctly inputs the question text, there is a high possibility of making an input mistake.

  When the user completes the input of the question text on the question text input screen 300 and presses the next button 302, the screen transitions to the answer input screen 400 (S23). The answer input screen 400 has an answer input area 401 and an authentication button 402.

  In this screen 400, when an answer is input to the answer input area 401 and the authentication button 402 is pressed, the second authentication processing unit 14 performs a second authentication process based on the input question text and the answer. That is, the second authentication processing unit 14 acquires the question sentence and the answer input from the question sentence input screen 300 and the answer input screen 400, and is registered in the question / answer storage unit 16 in the first authentication. It is determined whether or not the authenticated user's question sentence 162 and answer 163 match.

  In this system, when the information matches the registered information in both the first authentication and the second authentication, the user is authenticated as a regular user and login is permitted.

  Here, the question text input screen 300 shown in FIG. 7 is an example of a screen that accepts an input of a question text for the second authentication. FIG. 8 and FIG. 9 show modified examples of the question sentence input screen.

  The question sentence input screen 380 shown in FIG. 8 includes one question sentence input area 381 and a next button 382. The user inputs a question sentence to the question sentence input area 381 without being aware of the paragraph breaks. When the input of the question sentence is completed, the user presses the next button 382.

  Here, in order to accept the input of the question text on the question text input screen 380 in FIG. 8, the user authentication device 1 or the user terminal 5 needs a phrase break detection function. In other words, when the next button 382 is pressed, the question sentence input in the question sentence input area 381 is divided into phrases by the phrase break detection function.

  The question sentence input screen 390 shown in FIG. 9 includes a question sentence input area 391 and a plurality of phrase display areas 392. The user inputs a question sentence to the question sentence input area 391 without being aware of the paragraph breaks.

  Here, as in the case of FIG. 8, in order to accept the input of the question sentence on the question sentence input screen 390 of FIG. 9, the user authentication device 1 or the user terminal 5 needs a phrase break detection function. In the case of FIG. 9, the question text input to the question text input area 391 is monitored as needed. Each time a phrase break in the question sentence input by the phrase break detection function is detected, each phrase is sequentially moved to the phrase display area 392. When all the question sentences are input, each phrase is displayed in the phrase display area 392, as in the case of FIG.

  Next, the second aspect of the question text and answer input at the second and subsequent logins will be described.

  FIG. 10 shows an example of the question sentence input screen and the answer input screen transition according to the second mode.

  In the question sentence input screen 310 (311 to 314) in the form shown in the figure, each screen accepts selection input of one phrase. That is, each question sentence input screen 311 to 314 displays a phrase candidate matrix 321 to 324 including a plurality of candidates for one phrase.

  Here, each of the phrase candidate matrices 311 to 314 includes a plurality of dummy phrases in addition to the correct phrase in each phrase. As for the dummy phrase, the second authentication processing unit 14 selects a phrase having the same or similar semantics as the correct phrase from the semantic DB 17. Then, the screen generation unit 11 generates image information of the question sentence input screen 310.

  First, the second authentication processing unit 14 displays a question sentence input screen 311 for the first phrase on the user terminal 5 and accepts a selection from the phrase candidate matrix 321. If the first phrase is selected, the screen shifts to the input screen 312 for the second phrase, and the selection for the second phrase is accepted. Thereafter, when this is repeated and selection is sequentially received from the first phrase, the question sentence is completed.

  Each time a phrase is selected on each question sentence input screen 310, the second authentication processing unit 14 acquires the selected phrase candidate. Then, with reference to the question / answer storage unit 16, it is determined whether or not the selected phrase candidate is a correct phrase.

  For example, if the phrase candidate selected on the question sentence input screen 311 is a correct answer, a phrase candidate matrix 322 including a correct phrase is generated for the question sentence input screen 310 of the next phrase, and the question sentence including this Transition to the input screen 312. On the other hand, when the phrase candidate selected on the question sentence input screen 311 is not the correct answer, a phrase matrix 323 not including the correct phrase of the next phrase may be generated, and the transition to the question sentence input screen 313 including this may be made. As in the case of correct answers, the screen may be changed to a question sentence input screen 312 including correct answer candidates.

  Once a phrase candidate that is not correct is selected, only phrase candidates that do not include the correct answer may be displayed on all question sentence input screens 310 thereafter.

  Note that it is not necessary to output the result of the correctness / incorrectness determination of the phrase selected on each question text input screen 310 each time. In this case, after inputting the question text, after the answer is input on the answer input screen 410, only whether the question text and the answer are all determined to be correct (that is, authenticated as an authorized user) is output. It may be. By doing so, the user cannot know where the mistake was made in the process of inputting the question sentence and the answer.

  When the input of the question text is completed on the question text input screen 314, the user presses the answer button 340. As a result, a question sentence in which a plurality of clauses input so far are combined is completed. And it changes to the reply input screen 410, and receives a reply input.

  Note that the answer button 340 is also present on all the question sentence input screens 310, and guidance regarding the number of phrases in the question sentence is not displayed. Therefore, the user must determine the number of phrases to be input before pressing the answer button 340. As a result, even if clause candidate choices are prepared as described above, if an unauthorized access person who does not know the question text correctly enters the question text, there is a high possibility of an input error.

  According to the present embodiment, the strength of authentication can be increased with a relatively simple configuration by combining password authentication and authentication using a question sentence and an answer specified by the user.

  The above-described embodiments of the present invention are examples for explaining the present invention, and are not intended to limit the scope of the present invention only to those embodiments. Those skilled in the art can implement the present invention in various other modes without departing from the gist of the present invention.

1 is a diagram illustrating an overall configuration of a network system according to an embodiment of the present invention. 4 is a diagram illustrating an example of a data structure of a user information storage unit 15. FIG. 4 is a diagram illustrating an example of a data structure of a question / answer storage unit 16. FIG. It is a figure which shows an example of the correlation of the word registered in Semantic DB17. It is a figure which shows the screen transition at the time of logging in to this system for the first time. It is a figure which shows the screen transition at the time of logging in to this system for the first time. It is a figure which shows the 1st aspect of the input screen transition regarding the authentication at the time of the login after the 2nd time. It is a figure which shows the other modification of a question text input screen. It is a figure which shows the other modification of a question text input screen. It is a figure which shows the 2nd aspect of the input screen transition regarding the authentication at the time of the login after the 2nd time.

Explanation of symbols

DESCRIPTION OF SYMBOLS 1 User authentication apparatus 3 AP server 5 User terminal 10 Interface process part 11 Screen generation part 12 Authentication process part 13 Question answer registration process part 14 Authentication process part 15 User information storage part 16 Question and answer storage part

Claims (9)

A storage means for storing a question sentence for each user and an answer to the question sentence and user identification information in association with each other;
Identification information receiving means for receiving input of user identification information;
A question answer accepting means for accepting a user question sentence and a user answer inputted by the user;
A first authentication unit that performs user authentication based on the user identification information received by the identification information receiving unit and the user question sentence and the user response received by the question answer receiving unit with reference to the storage unit; ,
An output unit that outputs an authentication result for the user based on an authentication result by the first authentication unit. A second authentication unit using the user identification information and a password;
The user authentication apparatus according to claim 1, wherein the output unit outputs an authentication result for the user based on authentication results of the first and second authentication units. In the storage means, the question sentence is stored divided into phrases,
The question answer acceptance means refers to the storage means, displays a phrase-specific selection screen including a plurality of phrase candidates for each phrase of the question sentence, and is selected by the user from a plurality of phrase candidates on each phrase-specific selection screen. The user authentication device according to claim 1, wherein a user question sentence is generated by combining the selected phrases. The output means includes
The user authentication apparatus according to claim 3, wherein the question answer receiving unit outputs an authentication result for the user after receiving selection of a plurality of phrases and input of the user answer.   The question answer accepting means, when one dummy clause is selected on a certain phrase selection screen, the next phrase selection screen includes a plurality of phrases including only a plurality of dummy phrases not including a correct phrase. The user authentication device according to claim 3 or 4, wherein candidates are displayed.   The question answer accepting means displays a plurality of phrase candidates including a correct phrase and a plurality of dummy phrases on the phrase-specific selection screen of the next phrase when one dummy phrase is selected on a certain phrase-specific selection screen. The user authentication device according to claim 3 or 4, wherein a plurality of phrase candidates including only a plurality of dummy phrases and not including a correct phrase are displayed.   The plurality of phrase candidates of each phrase-specific screen include a correct phrase and a plurality of dummy phrases in the phrase, and the plurality of dummy phrases belong to the same or similar classification as the correct phrase in the semantics. The user authentication device according to claim 3. Storing a question sentence for each user and an answer to the question sentence, and user identification information in association with each other in a storage unit;
Receiving input of user identification information;
Receiving a user question and user answer entered by the user;
Referring to the storage means, and performing user authentication based on the received user identification information, user question text and user answer;
And a step of outputting an authentication result for the user based on the result of the user authentication. When executed on a computer,
Storing a question sentence for each user and an answer to the question sentence, and user identification information in association with each other in a storage unit;
Receiving input of user identification information;
Receiving a user question and user answer entered by the user;
Referring to the storage means, and performing user authentication based on the received user identification information, user question text and user answer;
A computer program for user authentication that performs a step of outputting an authentication result for the user based on a result of the user authentication.

Images