JP2007304750A - Authentication system, authentication computer and program - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To provide a safe and convenient personal authentication system. <P>SOLUTION: The personal authentication system comprises a plurality of client computers, and an authentication computer connected to the plurality of computers. When an authentication request is received from the client computer, the authentication computer assigns a receivable mail address to the client computer that is the transmission source of the received authentication request. The authentication computer specifies, upon receipt of an e-mail, a transmission destination mail and a transmission source mail from the received e-mail, specifies a user corresponding to the specified transmission source mail address in reference to user information, specifies a client computer corresponding to the transmission destination specified mail address in reference to authentication mail address correspondence information, and determines that authentication is requested by the specified user in the authentication request received from the specified client computer. <P>COPYRIGHT: (C)2008,JPO&INPIT

Description

The present invention relates to an authentication system, an authentication computer, and a program.

Conventionally, a combination of a user ID and a password is known as personal authentication for providing a service by specifying a user. For example, a person who logs in to a WEB site via the Internet inputs a user ID and a password according to a WEB screen displayed on a personal computer to be operated, and transmits an authentication request to the WEB server. In addition, when a user of a financial institution withdraws a deposit at the ATM of the financial institution, a cash card is inserted into the ATM, a personal identification number is input, and an authentication request is transmitted to the authentication server. The user ID in this case is a cash card.

However, the user of the WEB site has the trouble of inputting the user ID and password according to the screen of the WEB site. In addition, this authentication method is widely used, and is adopted in Internet banking and various electronic commerce WEB sites. For this reason, user IDs and passwords to be managed by one person are increasing. When the user of the WEB site forgets the user ID or password, it is necessary to inquire the user of the user ID or password to the site operator and cannot enjoy the convenience of the WEB site. Further, impersonation in which a person who is not an original user gives up a user ID and a password and performs a transaction has become a social problem. Phishing and spyware are known as means for giving up the user ID and password. Phishing is an act of providing a pseudo site that looks just like a regular WEB site, allowing the original user to input a user ID and password, and giving up the user ID and password. Spyware is software that is installed without the knowledge of the user of the personal computer, and is software that reads various user IDs and passwords entered by the user and notifies the server of the eavesdropper via the Internet. When a transaction by spoofing is established by Internet banking or electronic commerce, not only the original user but also the operator of the WEB site will be seriously damaged due to loss of site reliability and compensation problems.

When a user of a financial institution withdraws a deposit at the ATM of the financial institution, it is troublesome to insert a cash card into the ATM and input a personal identification number. Further, when a personal identification number is voyeurized by a voyeur camera and a cash card is stolen, a deposit is withdrawn by an impersonating user. Banks as well as depositors are severely damaged by the loss of reliability and compensation issues.

Patent Document 1 discloses a personal authentication method for authenticating a user by inputting a user ID and a password to the WEB site and dialing a specific telephone number when the user of the WEB site is authenticated.

Patent Document 2 discloses a personal authentication method for authenticating a user by inputting a telephone number as a user ID into the WEB site and dialing a specific telephone number when the user of the WEB site is authenticated. Yes.
Patent Publication 2002-229951 Patent Publication No. 2004-213440

According to the technique of Patent Document 1, impersonation can be prevented even when a user ID and a password are complied for using a caller telephone number. Further, according to the technique of Patent Document 2, impersonation can be prevented even when a spoofed telephone number is input to a WEB site in order to use a caller telephone number. However, in the techniques of Patent Literature 1 and Patent Literature 2, authentication cannot be performed when the user cannot make a dial accompanied by a caller ID notification. For example, authentication cannot be performed when the mobile phone does not receive radio waves.

Further, with the techniques of Patent Document 1 and Patent Document 2, it is impossible to accurately grasp the correspondence between the user who dialed with the caller telephone number notification and the computer operated by the user. For this reason, the techniques of Patent Document 1 and Patent Document 2 cannot provide authentication with high safety and convenience. For example, in the techniques of Patent Document 1 and Patent Document 2, a person who is not an original user may impersonate the legitimate user by inputting the user ID of the legitimate user many times. Specifically, if a legitimate user authenticates by dialing a specific telephone number and then redials the specific telephone number by mistake, the person who is not the original user is authenticated as a legitimate user. It will be.

The present invention has been made in view of the above-described problems, and an object of the present invention is to provide a personal authentication system with high safety and convenience.

An authentication system comprising: a plurality of client computers including a processor, a memory, and an interface; and an authentication computer that is connected to the plurality of client computers via a network and includes a processor, a memory, and an interface. User information indicating the correspondence between the user and the user's mail address is stored, and when an authentication request is received from the client computer, the mail address that can be received by the authentication computer is assigned to any of the plurality of client computers An unassigned email address is assigned to the client computer that is the sender of the received authentication request, and the correspondence between the client computer that is the sender of the received authentication request and the email address assigned to the client computer is authorized. When the received e-mail is stored in the e-mail address correspondence information, the e-mail address of the transmission destination and the e-mail address of the transmission source are specified from the received e-mail, and the specified transmission is performed with reference to the user information A user corresponding to the original e-mail address is identified, a client computer corresponding to the identified e-mail address is identified with reference to the authentication e-mail address correspondence information, and received from the identified client computer In the authentication request, it is determined that authentication is requested by the specified user.

An authentication system comprising: a plurality of client computers including a processor, a memory, and an interface; and an authentication computer that is connected to the plurality of client computers via a network and includes a processor, a memory, and an interface. Stores user information indicating correspondence between the user and the mail address of the user, and when receiving an authentication request from the client computer, any of the previously received authentication requests among the mail addresses that can be received by the authentication computer. A mail address not assigned to the authentication request is assigned to the received authentication request, and the correspondence between the received authentication request and the mail address assigned to the authentication request is stored in the authentication mail address correspondence information, and an e-mail is stored. The received electronic The mail address of the transmission destination and the mail address of the transmission source are specified from the mail, the user corresponding to the specified mail address of the transmission source is specified with reference to the user information, and the authentication mail address is supported. An authentication request corresponding to the specified destination mail address is specified with reference to the information, and it is determined in the specified authentication request that authentication is requested by the specified user. Authentication system.

An authentication system comprising: a plurality of client computers including a processor, a memory, and an interface; and an authentication computer that is connected to the plurality of client computers via a network and includes a processor, a memory, and an interface. Stores user information indicating the correspondence between the user and the user's mail address, and stores the client computer in the client computer so that the client computer and the mail address that can be received by the authentication computer do not overlap with other client computers. The correspondence with the assigned email address is stored in the authentication email address correspondence information, and when the authentication request is received from the client computer and the email is received, the received email address and the destination email address and Sender mail An address is specified, the user information is referred to, a user corresponding to the specified sender's email address is specified, the authentication email address correspondence information is referred to, and the specified destination mail is specified. An authentication system characterized in that a client computer corresponding to an address is specified and an authentication request received from the specified client computer determines that authentication is requested by the specified user.

According to the exemplary embodiment of the present invention, the safety and convenience of the personal authentication system can be improved.

Embodiments of the present invention will be described with reference to the drawings. Note that a general-purpose embodiment of the present invention will be described as the first embodiment. Next, as the second embodiment, a specific embodiment in which the first embodiment is used for a WEB site will be described. Next, as the third embodiment, a specific embodiment for easily introducing the second embodiment into an existing WEB server will be described. Next, as the fourth embodiment, a specific embodiment in which the third embodiment is used for Internet credit card settlement will be described. Next, as a fifth embodiment, a specific embodiment in which the first embodiment is used for an ATM of a financial institution will be described. Next, as a sixth embodiment, a specific embodiment in which the first embodiment is used for credit card payment at a store will be described. Next, as the seventh embodiment, a specific embodiment in which the first embodiment is used for connection to an in-house intranet will be described. Next, as an eighth embodiment, a specific embodiment in which the first embodiment is used for connecting a thin client to a centralized server will be described. Next, a specific embodiment in which the first embodiment is used for public wireless LAN connection will be described as a ninth embodiment. Next, as a tenth embodiment, a general-purpose embodiment using a client ID that is an identifier of a client device instead of an authentication request ID will be described.

(First embodiment)
FIG. 1 is a schematic configuration diagram of a personal authentication system according to the first embodiment. The personal authentication system shown in FIG. 1 includes a plurality of client devices 10 and a mail authentication device 3. The client device 10 is a computer operated by a user who is going to be authenticated. The client device 10 is connected to the network 9. Details of the client device 10 will be described with reference to FIG. The network 9 is a data communication network such as a leased line network, a public switched telephone line network, or a LAN. The network 9 may be an internal network or the Internet. The mail authentication device 3 is connected to the client device 10 via the network 9. Specifically, the mail authentication device 3 is connected to the client device 10 via the Internet or an internal network. The mail authentication device 3 may include an Internet interface and an internal network interface. In this case, the mail authentication device 3 is connected to some client devices 10 via the Internet, and further connected to some other client devices 10 via an internal network. Details of the mail authentication device 3 will be described with reference to FIG. For the sake of clarity, the authentication process for one client apparatus 10 will be described in the personal authentication system of the first embodiment. In practice, the mail authentication device 3 authenticates a plurality of client devices 10 via the network 9. That is, the mail authentication device 3 can receive authentication result requests from the plurality of client devices 10. In FIG. 1, five client apparatuses 10 are illustrated, but any number of personal authentication systems may be provided.

FIG. 2 is a block diagram of a configuration of the client device 10 included in the personal authentication system according to the first embodiment. The client device 10 is physically a computer system including a transmission / reception unit 11, a central processing unit 12, a main storage device 13, an auxiliary storage device 14, an input device (not shown), a display device (not shown), and the like. . The transmission / reception unit 11 is an interface that is connected to the network 9 and transmits / receives data to / from an external device (the mail authentication device 3). The central processing unit 12 is, for example, a CPU. The central processing unit 12 performs various processes by executing programs stored in the main storage device 13. The main storage device 13 is a memory, for example. The main storage device 13 stores programs executed by the central processing unit 12, information required by the central processing unit 12, and the like. The auxiliary storage device 14 is, for example, a hard disk. The auxiliary storage device 14 stores various information. The input device is, for example, a mouse, a keyboard, or a touch panel. Various information is input to the input device from the user. The display device is a display. On the display device, information instructed to be displayed by the central processing unit 12 is displayed. The client device 10 may take any form as long as it includes the transmission / reception unit 11, the central processing unit 12, and the main storage device 13. For example, the client device 10 is a personal computer, a server, a mobile phone, an ATM, or the like.

The client device 10 transmits an authentication request to the mail authentication device 3 by a user operation. Then, the client device 10 receives the authentication mail address and the authentication request ID from the mail authentication device 3. Details of the authentication mail address and the authentication request ID will be described later.

The client device 10 transmits an e-mail addressed to the authentication e-mail address in response to a user operation.

The client device 10 transmits an authentication result request including the authentication request ID to the mail authentication device 3. Note that the client device 10 may transmit an authentication result request in response to a user operation, or may transmit an authentication result request at regular intervals.

The client device 10 receives the authentication result from the mail authentication device 3.

FIG. 3 is a block diagram of a configuration of the mail authentication device 3 provided in the personal authentication system of the first embodiment. The mail authentication device 3 is physically a computer system including a transmission / reception unit 31, a central processing unit 32, a main storage device 33, an auxiliary storage device 34, an input device (not shown), a display device (not shown), and the like. is there. The mail authentication device 3 is assigned an IP address and a domain (DOMAIN) for receiving electronic mail. The transmission / reception unit 31 is an interface that is connected to the network 9 and transmits / receives data to / from an external device (client device 10). The central processing unit 32 is, for example, a CPU. The central processing unit 32 performs various processes by executing programs stored in the main storage device 33. The main storage device 33 is, for example, a memory. The main storage device 33 stores programs executed by the central processing unit 32, information required by the central processing unit 32, and the like. The auxiliary storage device 34 is, for example, a hard disk. The auxiliary storage device 34 stores various information. The input device is, for example, a mouse, a keyboard, or a touch panel. Various information is input to the input device from the administrator. The display device is a display. On the display device, information instructed to be displayed from the central processing unit 32 is displayed. The mail authentication device 3 may be in any form as long as it includes the transmission / reception unit 31, the central processing unit 32, and the main storage device 33. For example, the mail authentication device 3 is a personal computer or a server.

FIG. 4 is a functional block diagram of the mail authentication device 3 according to the first embodiment. The auxiliary storage device 34 of the mail authentication device 3 stores the authentication program 300 of the first embodiment. When the authentication program 300 of the first embodiment is executed, the main storage device 33 of the mail authentication device 3 includes a main module 331, an authentication request reception module 3321, an authentication result request reception module 3322, and an authentication request ID generation module 333. The authentication mail address generation module 334, the authentication mail address transmission module 335, the mail reception module 336, the received mail reading module 337, the authentication module 338, and the authentication result transmission module 339 are stored.

The main module 331 includes an authentication request reception module 3321, an authentication result request reception module 3322, an authentication request ID generation module 333, an authentication mail address generation module 334, an authentication mail address transmission module 335, a mail reception module 336, and a received mail reading module. 337, and the processing of the authentication module 338 and the authentication result transmission module 339.

The authentication request receiving module 3321 receives an authentication request from the client device 10. Upon receiving the authentication request, the authentication request receiving module 3321 requests the authentication request ID generation module 333 to generate an authentication request ID.

The authentication result request reception module 3322 receives an authentication result request from the client device 10. When receiving the authentication result request, the authentication result request receiving module 3322 requests the authentication module 338 to perform authentication.

Upon receiving a request from the authentication request reception module 3321, the authentication request ID generation module 333 generates an authentication request ID. Then, the authentication request ID generation module 333 assigns the created authentication request ID to the authentication request received by the authentication request reception module 3321. The authentication request ID is a unique identifier of the authentication request. If the mail authentication device 3 receives authentication requests from a plurality of client devices 10 at the same time, a different authentication request ID is assigned to each received authentication request. Further, during processing of the first authentication request, the mail authentication device 3 may receive the second authentication request from the client device 10 that is the transmission source of the first authentication request being processed. In this case, the mail authentication device 3 assigns an authentication request ID different from the first authentication request to the second authentication request. Thus, the mail authentication device 3 can process a plurality of authentication requests transmitted from the same client device 10 at the same time. The authentication request ID generation module 333 generates an authentication request ID based on a random number, an application ID, an authentication request ID generation time, and the like. The application ID is a unique identifier of the authentication program 300 installed in the mail authentication device 3. The application ID is generally known as a license key and will not be described in detail. As a method for generating the authentication request ID, other methods may be used as long as the purpose is achieved. Subsequently, the authentication request ID generation module 333 delivers the generated authentication request ID to the authentication mail address generation module 334.

The authentication mail address generation module 334 accepts the authentication request ID generated by the authentication request ID generation module 333. Then, the authentication email address generation module 334 newly generates an email address that can be received by the email authentication device 3. Then, the authentication e-mail address generation module 334 assigns the generated e-mail address as an authentication e-mail address to the accepted authentication request. As a result, the relationship between the authentication mail address and the authentication request ID becomes one-to-one. That is, the authentication request is uniquely specified by the authentication mail address. Note that the authentication email address generation module 334 may cancel the assignment of the authentication email address when a predetermined time elapses after the authentication email address is assigned to the authentication request ID. Further, when the authentication mail address generation module 334 completes the authentication for the authentication request, the authentication mail address generation module 334 may cancel the assignment of the authentication mail address for the authentication request. Further, the authentication mail address generation module 334 may cancel the assignment of the authentication mail address to the authentication request at another opportunity. When the assignment of the authentication email address to the authentication request is canceled, the spoofed access by the authentication email address is lost. The time for releasing the allocation of the authentication mail address may be a time after a certain time from the allocation, for example, 10 minutes later. It is left to the practitioner of the present invention to cancel the assignment of the authentication mail address.

Here, a specific method for canceling the assignment of the authentication mail address to the authentication request will be described. For example, the authentication email address generation module 334 discards the authentication email address to be canceled. When the authentication mail address is discarded, the mail authentication device 3 cannot receive an e-mail with the authentication mail address. Further, for example, the authentication email address generation module 334 obtains, from the authentication email address correspondence table 341, a record in which the authentication email address to be canceled matches the authentication email address 3412 of the authentication email address correspondence table 341. select. Then, the authentication mail address generation module 334 deletes the selected record from the authentication mail address correspondence table 341. The method for canceling the assignment of the authentication mail address to the authentication request may be other methods as long as the purpose can be achieved. Details of the authentication mail address correspondence table 341 (FIG. 5) will be described later.

An example of an authentication mail address generation method of the authentication mail address generation module 334 will be described. The authentication email address generation module 334 generates an authentication email address based on the authentication request ID and the domain assigned to the email authentication device 3. When the authentication request ID is “0029382” and the domain is “authadd.com”, the authentication mail address generation module 334 generates “0029382@authadd.com” as the authentication mail address. Since the authentication request ID is unique, the authentication mail address is also unique. Note that the method for generating the authentication mail address does not necessarily need to use the authentication request ID as long as the relationship between the authentication mail address and the authentication request ID is 1: 1. As a method for generating the authentication mail address, other methods may be used as long as the purpose is achieved.

When generating the authentication mail address, the authentication mail address generation module 334 stores the accepted authentication request ID and the generated authentication mail address in association with each other. The authentication request ID and the authentication mail address are managed by an authentication mail address correspondence table 341 (FIG. 5) stored in the auxiliary storage device 34.

FIG. 5 is a configuration diagram of the authentication mail address correspondence table 341 stored in the auxiliary storage device 34 of the mail authentication device 3 according to the first embodiment. The authentication mail address correspondence table 341 includes an authentication request ID 3411, an authentication mail address 3412, and a user mail address 3413. The authentication request ID 3411 is a unique identifier of the authentication request. The authentication request ID 3411 stores the authentication request ID generated by the authentication request ID generation module 333. The authentication e-mail address 3412 is an e-mail address assigned to the authentication request identified by the authentication request ID 3411 of the record. The authentication mail address 3412 stores the authentication mail address generated by the authentication mail address generation module 334. A user mail address 3413 is a mail address of a user who requests authentication. The user mail address 3413 stores the mail address of the transmission source acquired by the received mail reading module 337 from the electronic mail transmitted from the client device 10. In the present embodiment, the user's mail address is also used as the user's unique identifier.

Returning to FIG. Next, the authentication mail address generation module 334 delivers the authentication mail address generated by the authentication mail address generation module 334 and the authentication request ID received from the authentication request ID generation module 333 to the authentication mail address transmission module 335. .

The main storage device 33 of the mail authentication device 3 may store an authentication mail address assignment module instead of the authentication mail address generation module 334. In this case, a plurality of mail addresses that can be received by the mail authentication apparatus 3 are set in advance in the mail authentication apparatus 3. When the authentication mail address assignment module accepts the authentication request ID, the authentication mail address assignment module specifies a mail address that is not assigned to any of the previously accepted authentication request IDs from mail addresses that the mail authentication device 3 can receive. Then, the authentication mail address assignment module assigns the specified mail address as the authentication mail address to the accepted authentication request ID. In other words, the authentication mail address assignment module does not assign the authentication mail address already assigned to the authentication request ID to other authentication requests. Also in this case, the relationship between the authentication mail address and the authentication request ID is one-to-one. That is, the authentication request is uniquely specified by the authentication mail address. However, the authentication mail address assignment module needs to cancel the assignment of the authentication mail address to the authentication request ID. This is because the mail address assigned to the authentication request ID is insufficient. For example, the authentication e-mail address assignment module cancels the assignment of the authentication e-mail address when a predetermined time elapses after the authentication e-mail address is assigned. Further, when the authentication mail address assignment module completes the authentication for the authentication request, the authentication mail address assignment module cancels the assignment of the authentication mail address for the authentication request. Then, the authentication e-mail address assignment module can re-assign to the different authentication request IDs using the e-mail addresses whose assignment has been canceled as authentication e-mail addresses. However, the mail authentication device 3 cannot authenticate more users than the preset number of mail addresses within a predetermined time. This is because if all the mail addresses that can be received by the mail authentication device 3 have already been assigned to the authentication request ID, the authentication mail address assignment module cannot assign the mail address to the newly accepted authentication request ID. Because. Therefore, it is preferable that the number of mail addresses that can be received by the mail authentication device 3 is set in advance according to the service provision scale. The specific method by which the authentication mail address assignment module cancels the assignment of the authentication mail address in response to the authentication request is the same as that of the authentication mail address generation module 334, and thus the description thereof is omitted.

The authentication e-mail address transmission module 335 transmits the authentication e-mail address and the authentication request ID received from the authentication e-mail address generation module 334 to the client device 10.

The mail receiving module 336 receives an electronic mail from the client device 10. The mail receiving module 336 may receive an e-mail from other than the client device 10. Next, the mail receiving module 336 acquires a destination mail address from the received electronic mail. Next, the mail receiving module 336 discards the authentication mail address that matches the acquired mail address. As a result, the mail authentication device 3 cannot receive an electronic mail addressed to the discarded authentication mail address. Note that the mail receiving module 336 may determine whether or not the mail address of the transmission source of the received electronic mail has been camouflaged. The received mail reading module 337 performs processing only when the mail receiving module 336 determines that the sender's mail address is not impersonated. It should be noted that impersonation of the sender mail address may be determined by any method.

The received mail reading module 337 acquires the transmission source mail address and the transmission destination mail address from the electronic mail received by the mail reception module 336. Subsequently, the received mail reading module 337 selects, from the authentication mail address correspondence table 341, a record in which the acquired transmission destination mail address matches the authentication mail address 3412 of the authentication mail address correspondence table 341. Next, the received mail reading module 337 stores the acquired transmission source mail address in the user mail address 3413 of the selected record.

The authentication module 338 receives an authentication result request including the authentication request ID from the client device 10. Subsequently, the authentication module 338 acquires an authentication request ID from the authentication result request. Next, the authentication module 338 selects, from the authentication mail address correspondence table 341, a record in which the acquired authentication request ID matches the authentication request ID 3411 of the authentication mail address correspondence table 341. Subsequently, the authentication module 338 extracts the user mail address 3413 from the selected record. The authentication module 338 determines that authentication is not possible when the user mail address cannot be extracted.

Next, the authentication module 338 selects, from the user management table 342, a record in which the extracted user mail address matches the mail address 3422 of the user management table 342 (FIG. 6). Details of the user management table 342 will be described later. The authentication module 338 determines that authentication is not possible when a record with a matching email address cannot be selected. On the other hand, the authentication module 338 determines that authentication is possible when a record with a matching email address can be selected. Then, the authentication module 338 delivers the authentication result to the authentication result transmission module 339 as an authentication result. Thereby, the authentication module 338 can specify the user who issued the authentication request. Specifically, the authentication module 338 extracts the user ID 3421 from the selected record. Then, the authentication module 338 specifies that the issuer of the authentication request identified by the acquired authentication request ID is a user identified by the extracted user ID 3421. Note that the authentication module 338 may include the user-specific information corresponding to the extracted user ID 3421 in the authentication result.

FIG. 6 is a configuration diagram of the user management table 342 stored in the auxiliary storage device 34 of the mail authentication device 3 according to the first embodiment. The user management table 342 includes a user ID 3421 and a mail address 3422. The user ID 3421 is a unique identifier of a user who is authenticated by the mail authentication device 3 of the first embodiment. The e-mail address 3422 is the user's e-mail address identified by the user ID 3421 of the record. Normally, the email address 3422 is an email address that can be used only by the user identified by the user ID 3421 of the record. Because e-mail contains private content, many individuals have their own e-mail addresses. Note that the user management table 342 may hold other information unique to the user. The user-specific information includes, for example, at least one of a user name, password, credit card number, cash card number, user biometric information, schedule table, operation history, and deposit balance. That is, in the user management table 342, user-specific information is managed corresponding to the user ID 3421.

The user of the mail authentication device 3 according to the first embodiment registers the user ID 3421 and the mail address 3422 in the user management table 342 in advance by a predetermined method. Note that when the mail address 3422 is used as the user ID, the user ID 3421 can be omitted.

The authentication result transmission module 339 transmits the authentication result determined by the authentication module 338 to the client device 10. When the authentication module 338 determines that authentication is possible, the authentication result transmission module 339 may transmit an authentication result accompanied with user-specific information corresponding to the user ID 3421.

Next, processing of the personal authentication method of the first embodiment will be described with reference to the drawings. FIG. 7 is a sequence diagram of processing of the personal authentication method according to the first embodiment.

The client device 10 transmits an authentication request to the mail authentication device 3 via the network 9 in response to a user operation (ST111).

Then, authentication request receiving module 3321 receives the authentication request from client device 10 (ST112). Next, the authentication request reception module 3321 requests the authentication request ID generation module 333 to generate an authentication request ID.

Upon receiving a request for generating an authentication request ID, authentication request ID generating module 333 generates an authentication request ID (ST113). Next, the authentication request ID generation module 333 delivers the generated authentication request ID to the authentication mail address generation module 334.

The authentication email address generation module 334 accepts the authentication request ID from the authentication request ID generation module 333. Next, the authentication e-mail address generation module 334 generates an authentication e-mail address (ST114). Next, the authentication email address generation module 334 generates a new record in the authentication email address correspondence table 341. Next, the authentication mail address generation module 334 stores the authentication request ID accepted from the authentication request ID generation module 333 in the authentication request ID 3411 of the created new record. Next, authentication mail address generation module 334 stores the generated authentication mail address in authentication mail address 3412 of the created new record (ST115). Next, the authentication email address generation module 334 passes the generated authentication email address and the authentication request ID accepted from the authentication request ID generation module 333 to the authentication email address transmission module 335.

The authentication email address transmission module 335 accepts the authentication email address and the authentication request ID from the authentication email address generation module 334. Next, the authentication mail address transmission module 335 transmits the accepted authentication mail address and authentication request ID to the client device 10 via the network 9 (ST116).

The client device 10 receives the authentication email address and the authentication request ID from the email authentication device 3 (ST117).

The client apparatus 10 transmits an e-mail addressed to the authentication e-mail address via the network 9 in response to a user operation (ST118).

Then, the mail receiving module 336 receives an electronic mail from the client device 10 (ST119). Next, the mail receiving module 336 acquires a destination mail address from the received electronic mail. Next, the mail receiving module 336 discards the authentication mail address that matches the acquired mail address. At this time, the mail receiving module 336 may determine whether or not the mail address of the transmission source of the received electronic mail has been camouflaged. The received mail reading module 337 performs processing only when the mail receiving module 336 determines that the sender's mail address is not impersonated.

Subsequently, the received mail reading module 337 acquires the transmission source mail address and the transmission destination mail address from the electronic mail received by the mail reception module 336. Next, the received mail reading module 337 selects, from the authentication mail address correspondence table 341, a record in which the acquired transmission destination mail address matches the authentication mail address 3412 of the authentication mail address correspondence table 341. Next, the received mail reading module 337 stores the acquired transmission source mail address in the user mail address 3413 of the selected record (ST120).

On the other hand, the client device 10 transmits an authentication result request including the authentication request ID to the mail authentication device 3 via the network 9 (ST121).

Then, the authentication result request receiving module 3322 receives an authentication result request from the client device 10 (ST122). When receiving the authentication result request, the authentication result request receiving module 3322 requests the authentication module 338 to perform authentication.

Subsequently, when the authentication module 338 receives an authentication request, the authentication module 338 acquires an authentication request ID from the authentication result request received by the authentication result request reception module 3322. Next, the authentication module 338 selects, from the authentication mail address correspondence table 341, a record in which the acquired authentication request ID matches the authentication request ID 3411 of the authentication mail address correspondence table 341. Subsequently, the authentication module 338 extracts the user mail address 3413 from the selected record. If the user mail address 3413 cannot be extracted, the authentication module 338 determines that authentication is not possible. If the authentication module 338 determines that the authentication is impossible, the authentication module 338 delivers the authentication result to the authentication result transmission module 339 as the authentication result. On the other hand, the authentication module 338 selects, from the user management table 342, a record in which the extracted user mail address 3413 matches the mail address 3422 of the user management table 342 (FIG. 6) (ST123). The authentication module 338 determines that authentication is not possible when a record with a matching email address cannot be extracted from the user management table 342. If the authentication module 338 determines that the authentication is impossible, the authentication module 338 delivers the authentication result to the authentication result transmission module 339 as the authentication result. In the first embodiment, the authentication module 338 determines that a user who is not registered in advance in the user management table 342 is not authenticated. However, the authentication module 338 may authenticate a user who is not registered in advance in the user management table 342 as a new user. In this case, the authentication module 338 generates a new user ID when a record with a matching email address cannot be extracted from the user management table 342. At this time, the authentication module 338 generates a user ID so as not to overlap with all the user IDs 3421 included in the user management table 342. Next, the authentication module 338 newly generates a record in the user management table 342. Next, the authentication module 338 stores the generated user ID in the user ID 3421 of the generated new record. Further, the authentication module 338 stores the extracted user mail address 3413 in the mail address 3422 of the generated new record. As a result, the authentication module 338 associates the generated user ID with the mail address of the transmission source acquired from the electronic mail and stores them in the user management table 342. Then, the authentication module 338 authorizes the user corresponding to the destination mail address acquired from the e-mail as a new user. Note that the authentication module 338 may receive information specific to the registered user from the client device 10. Then, the authentication module 338 stores the received unique information of the user in the newly generated record. Note that the user-specific information may be included in the authentication request, may be included in the authentication result request, or may be transmitted alone.

On the other hand, the authentication module 338 determines that authentication is possible when a record having a matching email address can be selected. Next, the authentication module 338 hands over authentication to the authentication result transmission module 339 as an authentication result. Thereby, the authentication module 338 can specify the user who issued the authentication request. Specifically, the authentication module 338 extracts the user ID 3421 from the selected record. Then, the authentication module 338 specifies that the issuer of the authentication request identified by the acquired authentication request ID is a user identified by the extracted user ID 3421. Note that the authentication module 338 may include the user-specific information corresponding to the extracted user ID 3421 in the authentication result.

The authentication result transmission module 339 takes the authentication result from the authentication module 338. Next, the authentication result transmission module 339 transmits the accepted authentication result to the client device 10 via the network 9 (ST124).

Then, the client device 10 receives the authentication result from the mail authentication device 3 (ST125).

As described above, the user of the client device 10 can receive personal authentication without entering a user ID and password. Therefore, there is no risk that the user ID and password are given up. Further, the user of the client device 10 does not need to manage the user ID and password. As described above, the present embodiment does not require management of the user ID and password by the user of the client device 10. Further, it is possible to save the user from entering the user ID and password. Furthermore, there is no risk of the user ID and password being praised. That is, the personal authentication system of this embodiment can authenticate a user safely and conveniently.

In the present embodiment, the mail authentication device 3 is configured by a single device, but may be configured by a plurality of devices depending on the scale of the service to be provided. In this case, the devices constituting the mail authentication device 3 are connected to each other via an appropriate data transfer path. Further, the mail authentication device 3 may be composed of a plurality of devices for each function. For example, the mail authentication device 3 includes an apparatus that generates an authentication mail address and receives an e-mail, and an apparatus that receives an authentication request and an authentication result request and transmits the authentication mail address and the authentication result. . Also in this case, the devices constituting the mail authentication device 3 are connected to each other via an appropriate data transfer path. Information including the authentication e-mail address and the e-mail address of the e-mail is transferred between the devices via the data transfer path.

Here, the maximum feature of this embodiment will be described. As described above, the client device 10 transmits an e-mail addressed to the authentication e-mail address. Then, the mail authentication device 3 receives an e-mail. The mail authentication device 3 specifies a user who is to be authenticated based on the mail address of the transmission source of the received electronic mail. In addition, the mail authentication device 3 specifies an authentication request ID that is a unique identifier of the authentication request from the transmission destination of the received electronic mail. That is, the mail authentication device 3 can specify the correspondence between the authentication request and the user who requests authentication based on the authentication request. Next, the client device 10 transmits an authentication result request to the mail authentication device 3. Then, the mail authentication device 3 receives an authentication result request. The mail authentication device 3 can specify the client device operated by the specified user by the authentication request ID included in the received authentication result request. As a result, in the present embodiment, the mail authentication device 3 can realize authentication even though the user ID is not included in the authentication request. In the authentication method using the user ID and password, the user ID and password are included in the authentication request. On the other hand, the mail authentication device 3 according to the present embodiment specifies a user to be authenticated by electronic mail. Then, the mail authentication device 3 specifies the client device operated by the specified user. As a result, the mail authentication device 3 can perform authentication even if the user ID is not included in the authentication request.

In the present embodiment, the authentication mail address transmission module 335 sends the authentication mail address generated by the authentication mail address generation module 334 and the authentication request ID generated by the authentication request ID generation module 333 to the client device 10. sent. However, the authentication mail address transmission module 335 may transmit only the authentication mail address to the client device 10. In this case, the authentication request ID 3411 in the authentication mail address correspondence table 341 can be omitted. That is, the authentication mail address is also used as an identifier for identifying the authentication request. Then, the client device 10 transmits an authentication result request including the authentication mail address instead of the authentication request ID to the mail authentication device 3. Then, the authentication module 338 acquires an authentication e-mail address from the authentication result request. Next, the authentication module 338 selects, from the authentication mail address correspondence table 341, a record in which the acquired authentication mail address matches the authentication mail address 3412 of the authentication mail address correspondence table 341. Then, the authentication module 338 extracts the user mail address 3413 from the selected record. A part of the authentication mail address may be used as an identifier for identifying the authentication request.

In the present embodiment, the client apparatus 10 receives the authentication mail address from the mail authentication apparatus 3 and transmits an electronic mail to the received authentication mail address. However, it may be as follows. The client device 10 displays the authentication email address received from the email authentication device 3 on the display device. Subsequently, the user may transmit an e-mail addressed to the authentication e-mail address from the second client apparatus 10 different from the client apparatus 10 displaying the authentication e-mail address. In this case, the authenticated user is a user corresponding to the transmission source mail address of the email transmitted from the second client device 10. Then, the client device 10 displaying the authentication email address receives the authentication result from the email authentication device 3. For example, the client device 10 that displays an authentication mail address is a personal computer, and the second client device 10 that transmits an e-mail is a mobile phone that is connected to the Internet and capable of transmitting an e-mail.

By the way, in the above-described embodiment, the user of the client device 10 uses electronic mail in order to receive authentication. The user of the client device 10 may use communication by SIP (Session Initiation Protocol) to receive authentication. In this case, the client device 10 has the function of a SIP user agent. Further, the mail authentication device 3 has a SIP user agent function and a SIP server function. Then, the mail authentication device 3 generates an authentication user agent address instead of the authentication mail address. The authentication user agent address is an address for the mail authentication apparatus 3 to receive communication based on SIP. Since the address system is the same as that of electronic mail, detailed description is omitted. The method for generating the authentication user agent address may be the same as the method for generating the authentication mail address. The mail authentication device 3 associates the generated authentication request ID with the generated authentication user agent address and stores them in the authentication mail address correspondence table. The client device 10 transmits signaling to the authentication user agent address by SIP in response to a user operation. The mail authentication device 3 receives signaling from the client device 10. The mail authentication device 3 extracts the source user agent address and the destination user agent address from the received signaling. Next, the mail authentication device 3 selects, from the authentication mail address correspondence table, a record in which the acquired destination user agent address matches the authentication user agent address in the authentication mail address correspondence table. Next, the mail authentication device 3 stores the extracted user agent address of the user in the selected record. As a result, the mail authentication device 3 stores the correspondence between the extracted user agent address of the user and the authentication request ID in the authentication mail address correspondence table. On the other hand, the client device 10 transmits an authentication result request including the authentication request ID to the mail authentication device 3. The mail authentication device 3 receives an authentication result request from the client device 10. The mail authentication device 3 extracts the authentication request ID from the received authentication result request. Next, the mail authentication device 3 selects a record in which the extracted authentication request ID matches the authentication request ID in the authentication mail address correspondence table from the authentication mail address correspondence table. Next, the mail authentication device 3 extracts the user agent address of the user from the selected record. Here, the mail authentication device 3 determines whether or not the user agent address of the user has been extracted from the user management table. If it can be extracted, the mail authentication device 3 determines that authentication is possible. Then, the mail authentication device 3 can specify the user who issued the authentication request. Specifically, the mail authentication device 3 extracts the user ID from the selected record. Then, the mail authentication device 3 specifies that the issuer of the authentication request identified by the extracted authentication request ID is a user identified by the extracted user ID. Note that the mail authentication device 3 may include user-specific information corresponding to the extracted user ID in the authentication result. In all the embodiments, SIP communication may be used instead of e-mail.

Here, a modification of the first embodiment of the present invention will be described. When the mail authentication device 3 according to the first embodiment receives the authentication result request from the client device 10, it is determined whether or not the user mail address 3413 extracted from the authentication mail address correspondence table 341 is stored in the user management table 342. It was confirmed. However, when receiving the e-mail, the mail authentication device 3 may confirm whether or not the mail address of the transmission source of the received e-mail is stored in the user management table 342. In this case, the authentication mail address correspondence table 341 includes a confirmation result flag. The confirmation result flag indicates whether or not the mail authentication device 3 has confirmed that the mail address of the e-mail transmission source is stored in the user management table 342. Specifically, “0” is stored in advance in the confirmation result flag. Then, when the mail authentication device 3 confirms that the mail address of the source of the received electronic mail is stored in the user management table 342, it stores “1” in the confirmation result flag. When the mail authentication apparatus 3 receives the authentication result request from the client apparatus 10, the mail authentication apparatus 3 refers to the authentication mail address correspondence table 341 instead of referring to the user management table 342. Specifically, if “1” is stored in the confirmation result flag of the authentication mail address correspondence table 341, the mail authentication device 3 determines that authentication is possible. On the other hand, if “0” is stored in the confirmation result flag of the authentication mail address correspondence table 341, the mail authentication device 3 determines that authentication is not possible.

By the way, since the security against the impersonation of the present invention depends on the strength against the e-mail impersonation, the e-mail impersonation will be described.

First, the case where the sender of the e-mail is camouflaged will be described. A forged person can impersonate an original user who possesses a forged e-mail address if the sender of the electronic mail is forged and authenticated by the mail authentication device 3 of the first embodiment. Therefore, the mail receiving module 336 is equipped with a mail receiving function in accordance with SPF (Sender Policy Framework). SPF is a technique for an electronic mail server to detect forged mail. The mail reception module 336 requests a DNS (Domain Name Server) inquiry about the domain of the received electronic mail. Then, the mail reception module 336 determines whether or not the email address of the email transmission source is spoofed by checking the inquiry result by DNS and the IP address of the email transmission source. It should be noted that the camouflaged mail detection technology employed by the mail receiving module 336 may be another method as long as the purpose is achieved.

Next, a case where the e-mail transmission destination is camouflaged will be described. Even if the camouflager impersonates the transmission destination of the electronic mail and is authenticated by the mail authentication device 3 of the first embodiment, it cannot impersonate the other person. Rather, others impersonate impersonators. The other person who impersonates a camouflage is a person who operates the client apparatus that has received the same mail address as the mail address for fake transmission as an authentication mail address. Therefore, even if the camouflager disguises the destination of the e-mail, he cannot gain any profit. Further, since the authentication email address is generated by a random number or the like, the camouflaged email address rarely matches the authentication email address.

Here, authentication in the present invention will be described. Authentication in the present invention includes not only a general concept but also authentication in a broad sense. Specifically, the authentication in the present invention is verification of whether or not the user has the right to use the service provided by the personal authentication system. The personal authentication system of the present invention can identify a user who uses a client device and provide a service corresponding to each identified user. Therefore, the authentication request in the present invention is a request for verifying whether the user has the right to use the service provided by the personal authentication system. For example, the authentication request is a request for logging in to the WEB page. In this case, the mail authentication device 3 may be a WEB server or an authentication-dedicated device that receives an authentication request from the WEB server. The authentication request is a request for credit card settlement on the WEB page. In this case, the mail authentication device 3 may be a WEB server that performs credit card payment, or may be a dedicated authentication device that receives an authentication request from the WEB server. The authentication request is a request for withdrawal of a deposit, repayment of a borrowing or borrowing of a borrowing in an ATM. In this case, the client device 10 is an ATM. The second client device 10 for transmitting electronic mail is a portable terminal such as a mobile phone. Furthermore, the mail authentication device 3 is a management server that manages settlement in ATM. The authentication request is a request for credit card payment at the store. In this case, the client device 10 is a reader device that reads credit card information. The second client device 10 for transmitting electronic mail is a portable terminal such as a mobile phone. Furthermore, the mail authentication device 3 is a management server that manages payment of a credit card in the reader device. The authentication request is a request for debit card settlement. In this case, the client device 10 is a reader device that reads information of the debit card. The second client device 10 for transmitting electronic mail is a portable terminal such as a mobile phone. Furthermore, the mail authentication device 3 is a management server that manages settlement of debit cards in the reader device. The authentication request is a request for borrowing after payment with the public utility fee. In this case, the client device 10 is an ATM. The second client device 10 for transmitting electronic mail is a portable terminal such as a mobile phone. Furthermore, the mail authentication device 3 is a management server that manages borrowing in the ATM. The authentication request is a request for payment of unpaid utility bills. In this case, the client device 10 is an information terminal installed in a convenience store or the like. The second client device 10 for transmitting electronic mail is a portable terminal such as a mobile phone. Furthermore, the mail authentication device 3 is a management server that manages the information terminal. The authentication request is a request for connection to the in-house intranet. In this case, the mail authentication device 3 is a management server that manages the intranet in the company. The authentication request is a request for connection to a server by a thin client (THIN CLIENT). In this case, the mail authentication device 3 is a management server that manages the connection between the thin client device and the server. The authentication request is a request for connection to a wireless LAN access point. In this case, the mail authentication device 3 is a management server that manages the connection between the client device 10 and the access point. Although the authentication request of the present embodiment does not include the user ID and password, the mail authentication device 3 can perform authentication processing. The mail authentication device 3 may improve safety by executing a conventional authentication process in combination with the authentication process of the present embodiment. For example, the mail authentication device 3 may authenticate by collating unique information of the user together with the authentication process of the present embodiment. The user-specific information includes, for example, at least one of a user name, a password, a credit card number, a cash card number, a user's biometric information, a mail address, and a telephone number. However, the user-specific information is preferably other than the mail address registered in the mail address 3422 of the user management table 342. This is because the Service-to-Self who wants to be authenticated by impersonation knows the mail address registered in the user management table 342, and therefore does not increase the security of the authentication system of the present embodiment. Next, a specific example of an authentication method for verifying user-specific information will be described. Specifically, the mail authentication device 3 may authenticate by checking at least one of a user ID and a password. In this case, the mail authentication device 3 stores in advance the correspondence between the user ID and the user's unique information. On the other hand, a user who wants to receive authentication inputs user-specific information to the client device 10. The input here includes not only the operation of a keyboard or the like but also the reading of a card by a card reader. That is, any client device 10 may be used as long as it can acquire user-specific information. The input timing of the user's unique information may be any time. The client device 10 transmits the input user-specific information to the mail authentication device 3. The client device 10 may transmit the input user-specific information in the authentication request, may be transmitted in the authentication result request, or may be transmitted alone. The mail authentication device 3 receives user-specific information from the client device 10. The authentication module 338 of the mail authentication device 3 identifies the user who issued the authentication request in step ST123 of the personal authentication method processing (FIG. 7). Next, the mail authentication device 3 specifies user-specific information stored corresponding to the specified user ID of the user. Next, the authentication module 338 of the mail authentication device 3 determines whether or not the identified unique information of the user matches the unique information of the user received from the client device 10. Then, the mail authentication device 3 determines that authentication is possible when the unique information of the two users matches. On the other hand, the mail authentication device 3 determines that authentication is not possible when the unique information of the two users does not match.

Further, the user of the present embodiment may be a computer instead of a person. For example, the computer may be authenticated as a user.

(Second Embodiment)
Although the personal authentication system of the second embodiment will be described below, the same reference numerals are used for portions that overlap with the personal authentication system of the first embodiment, and description thereof is omitted.

FIG. 8 is a schematic configuration diagram of the personal authentication system according to the second embodiment. The personal authentication system shown in FIG. 8 includes a client device 9010 and a mail authentication WEB device 903. The client device 9010 is a computer operated by a user who is going to be authenticated. The client device 9010 is connected to the network 9. In the third embodiment, the network 9 is the Internet. Since the configuration of the client device 9010 is the same as that of the client device 10 (FIG. 2) provided in the personal authentication system of the first embodiment, a description thereof will be omitted. The client device 9010 may be in any form as long as it includes a transmission / reception unit, a central processing unit, and a main storage device. For example, the client device 9010 is a personal computer, server, mobile phone, ATM, or the like. However, if the mobile phone is the client device 9010, it has a WEB browser function. The mail authentication WEB device 903 is connected to the client device 9010 via the network 9. The mail authentication WEB apparatus 903 has a WEB server function and a mail receiving server function. Since the configuration of the mail authentication WEB apparatus 903 is the same as that of the mail authentication apparatus 3 (FIG. 3) provided in the personal authentication system of the first embodiment, the description thereof is omitted. For the sake of clarity, the authentication process for one client device 9010 will be described in the personal authentication system of the second embodiment. In practice, the mail authentication WEB apparatus 903 performs authentication for a plurality of client apparatuses 9010 via the network 9. Although FIG. 8 illustrates five client devices 9010 (three personal computers and two mobile phones), any number of personal authentication systems may be provided.

Since the function of the client device 9010 is the same as that of the client device 10 provided in the personal authentication system of the first embodiment, a description thereof will be omitted. Specifically, the client device 9010 transmits an authentication request and an authentication result request to the mail authentication WEB device 903 by HTTP. Also, the client device 9010 receives the authentication mail address and the authentication result from the mail authentication WEB device 903 by HTTP.

FIG. 9 is a functional block diagram of the mail authentication WEB apparatus 903 according to the second embodiment. The auxiliary storage device of the mail authentication web device 903 stores the authentication program 90300 of the second embodiment. When the authentication program 90300 of the second embodiment is executed, the main module of the mail authentication WEB apparatus 903 includes a main module 331, an authentication request reception module 3321, an authentication result request reception module 3322, and an authentication request ID generation module 333. The authentication mail address generation module 334, the authentication mail address transmission module 90335, the mail reception module 336, the received mail reading module 337, the authentication module 338, and the authentication result transmission module 90339 are stored.

The authentication mail address transmission module 90335 has the same function as the authentication mail address transmission module 335 provided in the mail authentication device 3 of the first embodiment. The authentication result transmission module 90339 has the same function as the authentication result transmission module 339 provided in the mail authentication device 3 of the first embodiment. The other modules are the same as those provided in the mail authentication device 3 of the first embodiment, and thus description thereof is omitted.

The authentication email address transmission module 90335 generates a WEB page including the authentication email address in addition to the function of the authentication email address transmission module 335. The authentication mail address transmission module 90335 transmits the generated WEB page and the authentication request ID accepted from the authentication request ID generation module 333 to the client device 9010.

A web page (not shown) generated by the authentication mail address transmission module 90335 includes an authentication mail address and an authentication result request button, and is displayed on the client device 9010. The authentication result request button accepts an instruction to send an authentication result request from the user. That is, when the authentication result request button is operated by the user, the client apparatus 9010 transmits an authentication result request to the mail authentication WEB apparatus 903. Note that the WEB page generated by the authentication mail address transmission module 90335 may not include the authentication request button. In this case, the client apparatus 9010 transmits an authentication result request to the mail authentication WEB apparatus 903 at regular intervals without triggering a user operation.

The authentication result transmission module 90339 generates a WEB page including the authentication result of the authentication module 338 in addition to the function of the authentication result transmission module 339. The authentication result transmission module 90339 transmits the generated WEB page to the client device 9010 as an authentication result. If the authentication result can be authenticated, the WEB page generated by the authentication result transmission module 90339 may include user-specific information corresponding to the user ID. The user-specific information includes, for example, at least one of a user name, password, credit card number, cash card number, user biometric information, schedule table, operation history, and deposit balance.

Next, the personal authentication method of the second embodiment will be described with reference to the drawings. FIG. 10 is a sequence diagram of processing of the personal authentication method of the second embodiment. The personal authentication method of the second embodiment (FIG. 10) is compared with the personal authentication method of the first embodiment (FIG. 7). The personal authentication method of the second embodiment includes ST90116 instead of ST116. Also, the personal authentication method of the second embodiment includes ST90124 instead of ST124. The processing of the personal authentication method of the second embodiment is the same as that of the personal authentication method of the first embodiment (FIG. 7), except for ST90116 and ST90124. Therefore, description of steps other than ST90116 and ST90124 will be omitted.

ST90116 will be described. The authentication e-mail address transmission module 90335 accepts the authentication e-mail address generated by the authentication e-mail address generation module 334 and the authentication request ID generated by the authentication request ID generation module 333 from the authentication e-mail address generation module 334. Next, the authentication email address transmission module 335 generates a WEB page including the accepted authentication email address. Next, the authentication mail address transmission module 90335 transmits the generated WEB page and the accepted authentication request ID to the client apparatus 9010 via the network 9 (ST90116).

Next, ST90124 will be described. The authentication result transmission module 90339 accepts the authentication result from the authentication module 338. Next, the authentication result transmission module 90339 generates a WEB page including the accepted authentication result. Next, the authentication result transmission module 90339 transmits the generated WEB page to the client device 9010 via the network 9 (ST90124). Note that the authentication result transmission module 90339 may generate a WEB page including user-specific information corresponding to the user ID, and transmit the generated WEB page.

As described above, the user of the client device 9010 can receive personal authentication without entering a user ID and password. Therefore, there is no risk that the user ID and password are given up. Further, the user of the client device 9010 does not need to manage the user ID and password. In this way, this embodiment makes it unnecessary to manage the user ID and password by the user of the WEB site. Further, it is possible to save the user from entering the user ID and password. Furthermore, there is no risk of the user ID and password being given up due to phishing or spyware. That is, the personal authentication system of this embodiment can authenticate a user safely and conveniently.

Further, a session ID may be used instead of the authentication request ID. The session ID is an identifier for identifying communication between the WEB server and the WEB browser. The generation and management of the session ID is a function of a normal WEB server and a normal WEB browser. Therefore, detailed description of the session ID is omitted.

(Third embodiment)
In the following, the personal authentication system of the third embodiment will be described. However, the same reference numerals are used for portions that overlap the personal authentication system of the first embodiment or the personal authentication system of the second embodiment. Omitted.

The mail authentication WEB apparatus 903 provided in the personal authentication system of the second embodiment includes an authentication function and a WEB page transmission function including user-specific information. At this time, in order to change the conventional WEB server to have the function of the mail authentication WEB apparatus 903, it is essential to change the program of the WEB server. On the other hand, in the third embodiment, an embodiment in which the personal authentication method of the present invention can be easily introduced to a conventional WEB server will be described. A conventional WEB server provided in the personal authentication system of the third embodiment is referred to as an introduction WEB server 5.

FIG. 11 is a schematic configuration diagram of a personal authentication system according to the third embodiment. The personal authentication system shown in FIG. 11 includes a plurality of client devices 10, a plurality of mobile phones 60, an introduction WEB server 5, and a mail authentication dedicated WEB device 943. The client device 10 is a computer operated by a user who is going to be authenticated. The client device 10 is connected to the network 9. Since the configuration of the client device 10 is the same as that of the client device 10 (FIG. 2) provided in the personal authentication system of the first embodiment, the description thereof is omitted. The mobile phone 60 is operated by a user who is going to be authenticated. The mobile phone 60 is equipped with a WEB browser. The mobile phone 60 is equipped with an e-mail transmission function. The mobile phone 60 is connected to the network 9. The introduction WEB server 5 is connected to the client device 10 and the mobile phone 60 via the network 9. In the present embodiment, the network 9 is the Internet. The introduction WEB server 5 is a conventional WEB server. For example, the introduction WEB server 5 receives a login from the user of the client device 10. Then, the introduction WEB server 5 transmits a WEB page including user-specific information to the client device 10. Specifically, the introduction WEB server 5 transmits a member WEB page corresponding to the user ID. The mail authentication dedicated WEB device 943 is connected to the client device 10 and the mobile phone 60 via the network 9. The mail authentication dedicated WEB device 943 has a WEB server function and a mail receiving server function. Since the configuration of the email authentication dedicated WEB device 943 is the same as that of the email authentication device 3 (FIG. 3) provided in the personal authentication system of the first embodiment, a description thereof will be omitted. In FIG. 11, three client devices 10 are illustrated, but any number of client authentication systems may be provided in the personal authentication system. Further, although two mobile phones 60 are illustrated, any number of personal authentication systems may be provided.

For the sake of clarity, in the description of the personal authentication system of the third embodiment, it is assumed that the domain “dunyu.jp” is assigned to the introduction WEB server 5. Further, it is assumed that the domain “ninsho.jp” is assigned to the mail authentication dedicated WEB device 943.

Since the functional configuration of the client device 10 is the same as that of the client device 10 provided in the personal authentication system of the first embodiment, the description thereof is omitted. The client apparatus 10 transmits an authentication request to the mail authentication dedicated WEB apparatus 943, not to the introduction WEB server 5. Thereafter, the client apparatus 10 receives the authentication mail address and the authentication request ID from the mail authentication dedicated WEB apparatus 943. In addition, the client device 10 transmits an e-mail to the authentication e-mail address, thereby transmitting the e-mail to the mail authentication-dedicated WEB device 943. Then, the client apparatus 10 transmits an authentication result request including the authentication request ID to the mail authentication dedicated WEB apparatus 943.

The client device 10 has the following functions in addition to the functions of the client device 10 provided in the personal authentication system of the first embodiment. The client device 10 transmits a request for a login WEB page to the introduction WEB server 5 in response to a user operation. In addition, the client device 10 transmits a request for a member WEB page to the introduction WEB server 5 based on information included in the WEB page indicating the authentication result received from the mail authentication dedicated WEB device 943.

The introduction WEB server 5 receives a request for a login WEB page from the client device 10. Then, the introduction WEB server 5 transmits the requested login WEB page to the client device 10. The login WEB page includes authentication site information. The authentication site information is information that prompts the client apparatus 10 to transmit an authentication request to the mail authentication dedicated WEB apparatus 943. The authentication site information includes a return URL. The return URL is a URL to which the client device 10 transmits a request for a member WEB page after the authentication by the mail authentication dedicated WEB device 943 is completed. Here, an example of authentication site information is shown. For example, the authentication site information is “<SCRIPT SRC = 'http: //www.ninsho.jp/index.php? Rurl = http: //www.dunyu.jp/member.php' >> </ SCRIPT>". is there. The URL after “rurl =” is the return URL. Further, for example, the authentication site information is “<A HREF='http://www.ninsho.jp/index.php?rurl=http://www.dunyu.jp/member.php'> Click here for authentication < / A> ". The URL after “rurl =” is the return URL. The authentication site information may be other information as long as the purpose is achieved.

The introduction WEB server 5 receives a request for a member WEB page from the client device 10. The introduction WEB server 5 extracts the user's mail address from the received request for the member WEB page. The introduction WEB server 5 generates a WEB page including user-specific information stored in advance based on the extracted mail address. The introduction WEB server 5 transmits the generated WEB page to the client apparatus 10 as a member WEB page.

The functions of the mail authentication dedicated WEB device 943 are mainly the same as those of the mail authentication WEB device 903 provided in the personal authentication system of the second embodiment. The functions of the mail authentication dedicated WEB device 943 include the following functions in addition to the functions of the mail authentication WEB device 903 provided in the personal authentication system of the second embodiment. The mail authentication dedicated WEB device 943 extracts the return URL from the authentication request received from the client device 10. Further, the mail authentication dedicated WEB device 943 stores the extracted return URL in association with the generated authentication request ID in the authentication mail address correspondence table 341. Therefore, the authentication mail address correspondence table 341 includes a return URL (not shown). Further, the mail authentication dedicated WEB device 943 generates a WEB page including the return URL and the user's mail address as a result of the authentication. The example of the source code contained in the produced | generated WEB page is shown. For example, the source code is “<meta http-equiv =“ Refresh ”content =“ 0; url = http: // www. dounyu. jp / member. php? usrmail = taka @ yahoo. co. jp & auth = 1 ">". The URL after “url =” is the return URL. The mail address after “usmail =” is the user's mail address. The value after “auth =” is the result of authentication. For example, “1” can be authenticated, and “0” cannot be authenticated. However, “auth =” is not necessarily included. For example, the source code is “<A HREF =“ http: // www. dounyu. jp / member. php? usrmail = taka @ yahoo. co. jp & auth = 1 "> Membership page is here </A>". The URL after “url =” is the return URL. The mail address after “usmail =” is the user's mail address. The value after “auth =” is the result of authentication. For example, “1” can be authenticated, and “0” cannot be authenticated. However, “auth =” is not necessarily included. The source code included in the WEB page may be other as long as the purpose is achieved.

Next, a personal authentication method according to the third embodiment will be described with reference to the drawings. FIG. 12 is a sequence diagram of processing of the personal authentication method of the third embodiment. The personal authentication method of the third embodiment (FIG. 12) is compared with the personal authentication method of the second embodiment (FIG. 10). The personal authentication method of the third embodiment includes ST94112 instead of ST112. Further, the personal authentication method of the third embodiment includes ST94115 instead of ST115. Also, the personal authentication method of the third embodiment includes ST94124 instead of ST124. The personal authentication method of the third embodiment includes ST94109, ST94110, ST94126, ST94127, and ST94128. The processing of the personal authentication method of the third embodiment is the same as that of the personal authentication method of the second embodiment (FIG. 10) except for ST94109, ST94110, ST94112, ST94115, ST94124, ST94126, ST94127, and ST94128. is there. Therefore, description of steps other than ST94109, ST94110, ST94112, ST94115, ST94124, ST94126, ST94127, and ST94128 is omitted.

ST94109 will be described. Client apparatus 10 transmits a request for a login WEB page to introduction WEB server 5 via network 9 (ST94109).

ST94110 will be described. The introduction WEB server 5 receives a request for a login WEB page from the client device 10. Next, introductory WEB server 5 transmits a login WEB page including authentication site information to client device 10 via network 9 (ST94110).

ST94112 will be described. The authentication request receiving module provided in the mail authentication dedicated WEB device 943 receives the authentication request from the client device 10. Next, the authentication request receiving module extracts a return URL included in the received authentication request. Next, the authentication request receiving module requests the authentication request ID generation module to generate an authentication request ID (ST94112).

ST94115 will be described. The authentication e-mail address generation module generates a new record in the authentication e-mail address correspondence table 341. Next, the authentication mail address generation module stores the authentication request ID accepted from the authentication request ID generation module in the authentication request ID 3411 of the created new record. Next, the authentication email address generation module stores the generated authentication email address in the authentication email address 3412 of the created new record. Next, the authentication e-mail address generation module stores the return URL extracted by the authentication request reception module in the return URL of the created new record (ST94115).

ST94124 will be described. The authentication result transmission module accepts an authentication result from the authentication module. Next, the authentication result transmission module extracts the return URL and the user mail address 3413 from the authentication mail address correspondence table 341 based on the authentication request ID extracted by the authentication result request reception module. The authentication result transmission module generates a WEB page including the return URL and the user's mail address as a result of the authentication. Next, the authentication result transmission module transmits the generated WEB page as a result of authentication to the client apparatus 10 via the network 9 (ST94124).

ST94126 will be described. The client device 10 receives the WEB page transmitted as a result of the authentication from the mail authentication dedicated WEB device 943. Next, based on the received WEB page, the client device 10 transmits a member WEB page request to the introduction WEB server 5 via the network 9 (ST94126). The request for the member WEB page transmitted by the client device 10 includes the user's mail address. For example, a request for a WEB page for a member is a URL “http://www.dunyu.jp/member.php?usrmail=taka@yahoo.co.jp&auth=1”. The mail address after “usmail =” is the user's mail address.

ST94127 will be described. The introduction WEB server 5 receives a request for a member WEB page from the client device 10. Next, the introduction WEB server 5 extracts the user's mail address from the received request for the member WEB page. Next, the introduction WEB server 5 identifies the user based on the extracted mail address. Next, the mail authentication dedicated WEB device 943 generates a member WEB page corresponding to the identified user. Next, the introduction WEB server 5 transmits the generated member WEB page to the client device 10 via the network 9 (ST94127).

ST94128 will be described. The client device 10 receives a member WEB page from the introduction WEB server 5 via the network 9. Next, client device 10 displays the received member WEB page on the display device (ST94128).

An outline of processing of the personal authentication method of the third embodiment will be described. The client device 10 requests a login WEB page from the introduction WEB server 5 in response to a user operation (ST94109). The introduction WEB server 5 transmits the requested login WEB page to the client device 10 (ST94110). Based on the authentication site information included in the login WEB page, the client device 10 transmits an authentication request to the mail authentication dedicated WEB device 943 (ST111). The mail authentication dedicated WEB device 943 receives the authentication request. Next, the mail authentication dedicated WEB device 943 extracts a return URL from the received authentication request (ST94112). Next, the mail authentication dedicated WEB device 943 generates an authentication request ID and an authentication mail address (ST113, ST114). Next, the mail authentication dedicated WEB device 943 stores the authentication request ID, the authentication mail address, and the return URL in association with each other in the authentication mail address correspondence table 341 (ST94115). Next, the mail authentication dedicated WEB apparatus 943 transmits the generated authentication request ID and authentication mail address to the client apparatus 10 (ST94116). The client device 10 receives the authentication request ID and the authentication mail address (ST117). Next, the client device 10 transmits an e-mail addressed to the authentication e-mail address (ST118). Then, the mail authentication dedicated WEB device 943 receives an electronic mail from the client device 10 (ST119). Next, the mail authentication-dedicated WEB device 943 identifies the source mail address and the destination mail address of the received electronic mail. Next, the mail authentication dedicated WEB device 943 stores the authentication request ID corresponding to the specified transmission destination mail address and the specified transmission source mail address in the authentication mail address correspondence table 341 in association with each other. (ST120). On the other hand, the client apparatus 10 transmits an authentication result request to the mail authentication dedicated WEB apparatus 943 (ST121). Then, the mail authentication dedicated WEB device 943 receives an authentication result request from the client device 10 (ST122). The mail authentication dedicated WEB device 943 extracts an authentication request ID from the received authentication result request. Next, the mail authentication dedicated web device 943 extracts the user mail address 3413 corresponding to the extracted authentication request ID from the authentication mail address correspondence table 341. Next, the mail authentication dedicated web device 943 determines whether or not the extracted user mail address 3413 is stored in the mail address 3422 of the user management table 342 (ST123). When the user mail address 3413 is stored in the user management table 342, the mail authentication dedicated WEB device 943 determines that authentication is possible. On the other hand, when the user mail address 3413 is not stored in the user management table 342, the mail authentication dedicated WEB device 943 determines that the authentication is impossible. Next, the mail authentication dedicated WEB device 943 transmits the authentication result to the client device 10 (ST94124). The client device 10 receives the authentication result (ST125). Next, based on the received authentication result, the client device 10 transmits a member web page request to the introduction web server 5 (ST94126). The introduction WEB server 5 receives a request for a member WEB page from the client device 10. Next, the introduction WEB server 5 extracts the user's mail address from the received request for the member WEB page. Next, the introduction WEB server 5 transmits a member WEB page corresponding to the extracted mail address to the client device 10 (ST94127). The member WEB page includes user-specific information corresponding to the user of the extracted mail address. Next, the client device 10 receives a member WEB page from the introduction WEB server 5. Next, client device 10 displays the received member WEB page on the display device (ST94128).

As described above, the introduction WEB server 5 which is a conventional WEB server can introduce the personal authentication method of the present invention simply by including the authentication site information in the login WEB page transmitted to the client device 10.

In the embodiment described above, the mail authentication dedicated WEB device 943 stores the user management table 342. However, the mail authentication dedicated WEB device 943 does not necessarily need to store the user management table 342. In this case, the introduction WEB server 5 stores the user management table 342. In this case, in step ST123, the mail authentication dedicated web device 943 does not need to determine whether or not the extracted user mail address 3413 is stored in the mail address 3422 of the user management table 342. Instead, the introduction WEB server 5 determines whether or not the mail address included in the request for the member WEB page received from the client device 10 is stored in the user management table 342.

In the embodiment described above, the introduction WEB server 5 trusts the mail address included in the request for the member WEB page received from the client device 10 and transmits the member WEB page. However, the e-mail address included in the request for the member WEB page may be forged. Therefore, the introduction WEB server 5 may confirm that the link source is the mail authentication-dedicated WEB device 943 by referring to the referer.

Here, a modification of the third embodiment of the present invention will be described. In the third embodiment, the mail authentication dedicated WEB device 943 generates an authentication request ID. However, the introduction WEB server 5 may generate an authentication request ID instead of the mail authentication dedicated WEB device 943. In this case, the introduction WEB server 5 stores the generated authentication request ID. Next, the introduction WEB server 5 transmits authentication site information including the generated authentication request ID to the client device 10. The client device 10 extracts the authentication request ID from the received authentication site information. Next, the client apparatus 10 transmits an authentication request including the extracted authentication request ID to the mail authentication dedicated WEB apparatus 943. The mail authentication dedicated WEB device 943 receives an authentication request from the client device 10 instead of generating an authentication request ID. Next, the mail authentication dedicated web device 943 stores the authentication request ID included in the received authentication request and the authentication mail address in association with each other in the authentication mail address correspondence table 341. The mail authentication dedicated WEB apparatus 943 transmits the WEB page including the authentication request ID stored in the authentication mail address correspondence table 341 to the client apparatus 10 as a result of the authentication. The client device 10 receives the authentication result from the mail authentication dedicated WEB device 943. Next, the client device 10 transmits a request for a member WEB page to the introduction WEB server 5 based on the received authentication result. Here, the client device 10 transmits a request for the member WEB page including the authentication request ID to the introduction WEB server 5. The introduction WEB server 5 receives a request for a member WEB page from the client device 10. Next, the introduction WEB server 5 extracts the authentication request ID from the received request for the member WEB page. Next, the introduction WEB server 5 determines whether or not the extracted authentication request ID is stored. The introduction WEB server 5 transmits a member WEB page to the client device 10 when the authentication request ID is stored. On the other hand, if the introduction web server 5 does not store the authentication request ID, it determines that the received request for the member web page is camouflaged. Therefore, the introduction WEB server 5 does not transmit a member WEB page. When the mail authentication dedicated WEB device 943 is connected to a plurality of introduction WEB servers 5, each introduction WEB server 5 generates a unique authentication request ID in the personal authentication system. For example, the introduction WEB server 5 generates an authentication request ID including a unique identifier of the introduction WEB server 5, thereby generating a unique authentication request ID within the personal authentication system.

(Fourth embodiment)
Although the personal authentication system of the fourth embodiment will be described below, the same reference numerals are used for portions that overlap with the personal authentication system of the third embodiment, and description thereof is omitted.

In electronic commerce on the Internet, a credit card is often used as a settlement means. In the fourth embodiment, an example in which the personal authentication system of the third embodiment is applied to credit card settlement on the Internet will be described.

Since the schematic configuration diagram of the personal authentication system of the fourth embodiment is the same as the schematic configuration diagram (FIG. 11) of the personal authentication system of the third embodiment, detailed description thereof will be omitted. The client device 10 is operated by a user who intends to execute a credit card payment. The mobile phone 60 is operated by a user who intends to execute credit card payment. The introduction WEB server 5 is a WEB server that provides electronic commerce such as article sales or service sales. The mail authentication dedicated WEB device 943 is a WEB device that processes credit card credit examination and billing. The user management table 342 of the mail authentication dedicated WEB device 943 includes a credit card number (not shown). The credit card number included in the user management table is the user's credit card number. The user management table 342 stores a credit card number and an e-mail address of a user who owns the credit card in association with each other. Further, the authentication mail address correspondence table 341 of the mail authentication dedicated WEB device 943 includes a settlement amount (not shown). The settlement amount included in the authentication mail address correspondence table 341 is an amount to be settled with a credit card.

The outline of the process of the personal authentication method of the fourth embodiment will be described. The introduction WEB server 5 determines the payment amount with the user's operation. The settlement amount determination method may be a method adopted in a conventional electronic commerce site. Next, in response to a user operation, the client device 10 transmits a settlement WEB page request to the introduction WEB server 5 instead of a login WEB page request. The introduction WEB server 5 receives a request for a payment WEB page. Then, the introduction WEB server 5 generates the requested payment WEB page. Next, the introduction WEB server 5 transmits the generated payment WEB page to the client device 10. The payment WEB page generated by the introduction WEB server 5 includes authentication site information. The authentication site information includes not only the return URL but also the settlement amount. The client device 10 receives the payment WEB page. Next, the client device 10 transmits an authentication request to the mail authentication dedicated WEB device 943 based on the authentication site information included in the received payment WEB page. The mail authentication dedicated WEB device 943 receives the authentication request. Next, the mail authentication dedicated WEB device 943 extracts the return URL and the payment amount from the received authentication request. Next, the mail authentication dedicated web device 943 generates an authentication request ID and an authentication mail address. Next, the mail authentication dedicated WEB device 943 stores the generated authentication request ID, the generated authentication mail address, the extracted return URL, and the extracted payment amount in association with the authentication mail address correspondence table 341. Next, the mail authentication dedicated WEB apparatus 943 transmits the generated authentication request ID and authentication mail address to the client apparatus 10. The client device 10 receives the authentication request ID and the authentication mail address. Next, the client device 10 transmits an e-mail addressed to the authentication e-mail address. As a result, the client apparatus 10 transmits an e-mail to the mail authentication dedicated WEB apparatus 943. The mail authentication dedicated WEB device 943 receives an electronic mail from the client device 10. Then, the mail authentication-dedicated WEB device 943 acquires the transmission source mail address and the transmission destination mail address from the received electronic mail. Next, the mail authentication dedicated web device 943 stores the authentication request ID corresponding to the acquired transmission destination mail address and the acquired transmission source mail address in the authentication mail address correspondence table 341 in association with each other. . On the other hand, the client apparatus 10 transmits an authentication result request to the mail authentication dedicated WEB apparatus 943. The mail authentication dedicated WEB device 943 receives an authentication result request from the client device 10. The mail authentication dedicated WEB device 943 extracts an authentication request ID from the received authentication result request. Next, the mail authentication dedicated WEB device 943 extracts the e-mail address and the payment amount corresponding to the extracted authentication request ID from the authentication e-mail address correspondence table 341. Next, the mail authentication dedicated web device 943 extracts the credit card number corresponding to the extracted e-mail address from the user management table 342. Next, the email authentication dedicated WEB device 943 performs credit examination by determining whether or not the extracted payment amount can be used with the extracted credit card number. The credit screening here is the same as the credit screening when using a conventional credit card. If the credit examination is satisfactory, the mail authentication dedicated WEB device 943 charges the payment amount to the credit card. The email authentication dedicated WEB device 943 may request the credit examination processing and the billing processing from a device dedicated to the credit examination processing and the billing processing. When the accounting process is completed, the mail authentication dedicated WEB device 943 determines that the authentication result can be authenticated. The mail authentication dedicated WEB device 943 transmits the authentication result to the client device 10. Based on the received authentication result, the client device 10 transmits a request for the ending WEB page to the introduction WEB server 5. The introduction WEB server 5 receives a request for a WEB page for completion of payment from the client device 10. Next, the introduction WEB server 5 extracts the user's mail address from the request for the WEB page. Next, the introduction WEB server 5 transmits to the client device 10 a payment-finished WEB page corresponding to the extracted mail address. The payment-finished WEB page includes user-specific information corresponding to the extracted mail address.

As described above, the personal authentication system of the third embodiment can be applied to a credit card settlement. In the fourth embodiment, the credit card settlement has been described. However, the settlement means may be any means as long as it is a means for settlement through authentication. For example, the settlement means includes “Edy” (trademark), “Jay debit” (trademark), “mobile phone payment service” (trademark), and the like. “Edy” (trademark) is electronic money that can be used in stores and on the Internet. “J Debit” (trademark) is a settlement service for deposit account withdrawal that can be used in stores and on the Internet. “Mobile Phone Payment Service” (trademark) is a postpaid payment service available on the Internet, where the payment amount is added to the charge for the mobile phone fee.

Here, a modification of the personal authentication system of the fourth embodiment will be described. The mail authentication-dedicated WEB device 943 provided in the personal authentication system of the fourth embodiment specifies the credit card number based on the sender of the e-mail. Therefore, when the sender of the e-mail is camouflaged, it is settled by an impersonating user. In order to prevent impersonation settlement, the user inputs a credit card number into the client device 10. The client device 10 transmits the input credit card number to the mail authentication dedicated WEB device 943. The client device 10 may transmit the input credit card number included in the authentication request or the authentication confirmation request. The mail authentication dedicated WEB device 943 receives the credit card number from the client device 10. Then, the mail authentication dedicated WEB device 943 stores the received credit card number. The outline of the modification is as follows. The introduction WEB server 5 transmits a settlement WEB page including a credit card number input field to the client device 10. The user of the client device 10 inputs the credit card number in the credit card number input field on the payment WEB page. The input here includes not only the operation of a keyboard or the like but also the reading of a card by a card reader. That is, any client device 10 may be used as long as it can obtain a credit card number. The client device 10 transmits an authentication request including the input credit card number to the mail authentication dedicated WEB device 943. The mail authentication dedicated WEB device 943 extracts a credit card number from the authentication request received from the client device 10. Next, the mail authentication dedicated WEB device 943 associates the extracted credit card number with the authentication request ID and stores them in the authentication mail address correspondence table 341. On the other hand, the mail authentication dedicated WEB device 943 receives an authentication result request from the client device 10. Then, the mail authentication dedicated WEB device 943 extracts the credit card number corresponding to the authentication request ID included in the received authentication result request from the user management table 342. As a result, the mail authentication dedicated web device 943 extracts the credit card number used for the settlement from the user management table 342. Next, the mail authentication dedicated web device 943 collates the extracted credit card number with the credit card number stored in the authentication mail address correspondence table 341. Only when the two credit card numbers match, the mail authentication dedicated WEB device 943 performs credit examination on the credit card and charges the credit card. Moreover, it may be as follows. The mail authentication dedicated WEB device 943 receives an authentication request from the client device 10. The mail authentication dedicated WEB device 943 transmits a WEB page including the authentication mail address to the client device 10. The WEB page including the authentication mail address further includes a credit card number input field. The user of the client device 10 enters the credit card number in the credit card number input field on the WEB page including the authentication mail address. The client apparatus 10 transmits an authentication result request including the input credit card number to the mail authentication dedicated WEB apparatus 943. The mail authentication dedicated WEB device 943 receives the authentication result request from the client device 10 as described above. Then, the mail authentication dedicated WEB device 943 extracts the credit card number corresponding to the authentication request ID included in the received authentication result request from the user management table 342. As a result, the mail authentication dedicated web device 943 extracts the credit card number used for the settlement from the user management table 342. Next, the mail authentication dedicated WEB device 943 collates the extracted credit card number with the credit card number included in the authentication result request. Only when the two credit card numbers match, the mail authentication dedicated WEB device 943 performs credit examination on the credit card and charges the credit card. In the modification of the ninth embodiment, impersonation may be prevented by allowing the user to input other information such as a password instead of allowing the user to input a credit card number.

(Fifth embodiment)
In the following, the personal authentication system of the fifth embodiment will be described. However, the same reference numerals are used for portions that overlap with the personal authentication system of the first embodiment, and the description thereof is omitted.

FIG. 13 is a schematic configuration diagram of a personal authentication system according to the fifth embodiment. The personal authentication system shown in FIG. 13 includes a plurality of ATM (AUTOMATIC TELLER MACHINE) 2010, a plurality of mobile phones 2060, and an ATM mail authentication device 923. ATM 2010 is an AUTOMATIC TELLER MACHINE operated by a user who is authenticated and intends to withdraw or withdraw cash. The ATM 2010 is connected to the network 9. The ATM mail authentication device 923 is connected to the ATM 2010 via the network 9. In the fifth embodiment, the network 9 is an internal network. The network 9 may include a relay device that aggregates ATM mail authentication devices installed in a plurality of financial institutions. The ATM mail authentication device 923 is connected to the mobile phone 2060 via the Internet 1. The configuration of the ATM mail authentication device 923 is the same as that of the mail authentication device 3 (FIG. 3) provided in the personal authentication system of the first embodiment, and a description thereof will be omitted. In order to clarify the explanation, an authentication process for one ATM 2010 will be described in the personal authentication system of the fifth embodiment. Actually, the ATM mail authentication device 923 authenticates a plurality of ATMs 2010 via the network 9. In FIG. 13, three ATMs 2010 are illustrated, but any number of personal authentication systems may be provided. Further, although three mobile phones 2060 are illustrated, any number of personal authentication systems may be provided. The personal authentication system may include a terminal having an e-mail transmission function instead of the mobile phone 2060.

FIG. 14 is a block diagram of a configuration of the ATM 2010 provided in the personal authentication system of the fifth embodiment. The ATM 2010 is physically an ATM including a transmission / reception unit 11, a central processing unit 12, a main storage device 13, an auxiliary storage device 14, an input device (not shown), a display device (not shown), a cash handling unit 15, and the like. (AUTOMATIC TELLER MACHINE). The transmission / reception unit 11 is an interface that is connected to the network 9 and transmits / receives data to / from an external device (ATM mail authentication device 923). The central processing unit 12 is, for example, a CPU. The central processing unit 12 performs various processes by executing programs stored in the main storage device 13. The main storage device 13 is a memory, for example. The main storage device 13 stores programs executed by the central processing unit 12, information required by the central processing unit 12, and the like. The auxiliary storage device 14 is, for example, a hard disk. The auxiliary storage device 14 stores various information. The input device is, for example, a keyboard or a touch panel. Various information is input to the input device from the user. The display device is a display. On the display device, information instructed to be displayed by the central processing unit 12 is displayed. The cash handling unit 15 physically manages banknotes and money. Further, the cash handling unit 15 deposits and withdraws banknotes and money. The cash handling unit 15 may be provided in an ATM of a general financial institution.

The functions of the ATM 2010 are the same as those of the client device 10 provided in the personal authentication system of the first embodiment except for the cash handling unit 15, and thus description thereof is omitted.

The mobile phone 2060 is equipped with an Internet connection function. Therefore, the mobile phone 2060 transmits an e-mail to the ATM mail authentication device 923 via the network 9.

The functional configuration of the ATM mail authentication device 923 of the fifth embodiment is the same as that of the mail authentication device 3 (FIG. 4) provided in the personal authentication system of the first embodiment, and thus description thereof is omitted.

The user management table 342 stored in the auxiliary storage device of the ATM mail authentication device 923 stores user-specific information corresponding to the user ID. The user-specific information in the present embodiment is account information of a financial institution. The account information of the financial institution includes an account number, a deposit balance, a borrowing balance, a borrowable balance, and the like. However, the user-specific information does not necessarily have to be managed by the user management table 342, and any method may be used as long as it is managed corresponding to the user ID. The management method of the user's unique information is left to the implementer of the present invention according to the type of service and the scale of the user. Part of the user's unique information corresponding to the user ID is included in the authentication result transmitted from the ATM mail authentication device 923 to the ATM 2010.

Next, a personal authentication method according to the fifth embodiment will be described. Since the processing of the personal authentication method of the fifth embodiment is the same as that of the personal authentication method of the first embodiment (FIG. 7), description thereof is omitted. However, here, characteristic steps of the personal authentication method of the fifth embodiment will be described.

ST118 in the fifth embodiment will be described. The apparatus that transmits the e-mail is not the ATM 2010 but the mobile phone 2060 that is the second client apparatus. The cellular phone 2060 transmits an electronic mail to the ATM mail authentication device 923 in response to a user operation.

ST124 in the fifth embodiment will be described. The authentication result transmission module 339 of the ATM mail authentication device 923 transmits the authentication result to the ATM 2010 via the network 9. The result of the authentication includes user-specific information such as an account number corresponding to the user ID, a deposit balance, a borrowing balance, or a borrowable balance.

Subsequent to ST124, the ATM 2010 displays the authentication result received from the ATM mail authentication device 923 and the user-specific information on the display device. A user of the ATM 2010 performs a subsequent operation based on the displayed information. Subsequent operations are, for example, withdrawal of deposits, repayment of borrowings or borrowing of borrowings.

By the way, a general ATM can accept various operations such as withdrawal of deposits, repayment of borrowings and borrowing of borrowings. Therefore, prior to ST111, ATM 2010 accepts the type of operation from the user. The ATM 2010 includes the type of operation requested by the user in the authentication request transmitted to the ATM mail authentication device 923. The ATM mail authentication device 923 extracts the type of operation requested by the user of the ATM 2010 from the authentication request received from the ATM 2010. Then, the ATM mail authentication device 923 determines user-specific information to be included in the authentication result based on the extracted operation type.

The following procedure may also be used. A general ATM can accept various operations such as withdrawal of deposits, repayment of borrowings and borrowing of borrowings. Here, the ATM mail authentication device 923 stores operations that can be accepted from the user of the ATM 2010 in advance corresponding to the user ID. In this case, the ATM 2010 does not accept the type of operation from the user before sending the authentication request. First, the ATM 2010 is authenticated by the personal authentication method of the fifth embodiment. The ATM mail authentication device 923 includes an acceptable operation corresponding to the authenticated user ID in the authentication result and transmits it to the ATM 2010. The ATM 2010 displays the result of authentication received from the ATM mail authentication device 923 and acceptable operations on the display device. The user of the ATM 2010 selects an operation from the types of operations displayed on the display device of the ATM 2010. Then, the ATM 2010 executes the selected type of operation.

Note that the personal authentication method of the fifth embodiment may be combined with a conventional personal authentication method using a cash card and a personal identification number. As a result, even if the cash card and the password are stolen, the deposit is not withdrawn by the impersonating user unless an electronic mail is transmitted by the user's mail address. The personal authentication method of the fifth embodiment may be combined with personal authentication using either a cash card or a personal identification number.

Here, a modification of the fifth embodiment of the present invention will be described. In the fifth embodiment, the ATM mail authentication device 923 generates an authentication request ID and transmits it to the ATM 2010. However, in a modified example, the ATM 2010 may transmit an authentication request including its own ATM_ID to the ATM mail authentication device 923. ATM_ID is a unique identifier of ATM 2010. Then, the ATM mail authentication device 923 extracts ATM_ID from the authentication request. Then, the ATM mail authentication device 923 stores the extracted ATM_ID and the authentication mail address in association with each other. In this case, the authentication mail address correspondence table 341 includes ATM_ID instead of the authentication request ID 3411. Note that the ATM 2010 does not send a different authentication request to the ATM mail authentication device 923 before the processing for one authentication request is completed. Accordingly, there is a one-to-one correspondence between ATM_ID and authentication mail address. When receiving the electronic mail from the mobile phone 2060, the ATM mail authentication device 923 specifies the ATM_ID corresponding to the transmission destination address of the received electronic mail. Then, the ATM mail authentication device 923 transmits the authentication result to the ATM 2010 identified by the specified ATM_ID. That is, the ATM mail authentication device 923 can transmit the authentication result without receiving an authentication result request from the ATM 2010.

Here, an application example of the fifth embodiment of the present invention will be described. The ATM mail authentication device 923 provided in the personal authentication system of the application example of the fifth embodiment also serves as a device for calculating the utility bill. In this case, the ATM mail authentication device 923 calculates a utility bill, issues a bill, and manages the payment status. For example, the public charges are telephone charges, mobile phone charges, electricity charges, gas charges, water charges, and the like. The ATM mail authentication device 923 stores the mail address of the mobile phone 2060 and the identifier of the user who receives the utility bill service in association with each other. When the ATM mail authentication device 923 lends a loan to the user of the ATM 2010, the ATM mail authentication apparatus 923 charges the loan together with the bill for the utility bill. Also, the ATM mail authentication device 923 accepts a utility bill payment request from a user of the ATM 2010. When the ATM mail authentication device 923 authenticates the user of the ATM 2010 as described above, the ATM mail authentication device 923 accepts from the ATM 2010 payment of unpaid utility charges of the user of the mobile phone 2060. Also, the ATM mail authentication device 923 accepts a loan loan request from a user of the ATM 2010. When the ATM mail authentication device 923 authenticates the user of the ATM 2010 as described above, the loan is lent out from the ATM 2010. Note that the ATM mail authentication device 923 charges the loan together with the utility bill.

  In the fifth embodiment of the present invention, a non-overlapping authentication e-mail address may be assigned in advance to each of all ATMs 2010. In this case, the correspondence between the ATM 2010 and the authentication mail address is unchanged, and is stored in advance in the authentication mail address correspondence table 341 or the like. Then, the ATM mail authentication device 923 can identify the ATM 2010 that is the transmission source of the user authentication request based on the mail address of the transmission destination.

(Sixth embodiment)
The personal authentication system of the sixth embodiment will be described below, but the same reference numerals are used for the same portions as those of the personal authentication system of the first embodiment and the personal authentication system of the fifth embodiment. Omitted.

As a personal authentication system of the sixth embodiment, a specific embodiment in which the personal authentication system of the first embodiment is used for credit card payment at a store will be described. Conventionally, in a store credit card settlement, in order to prevent the use of impersonation, a store salesperson visually compares the signature of the usage slip with the signature on the back of the credit card. However, visual verification is not sufficient as an anti-spoofing measure. In the personal authentication system according to the sixth embodiment, an example in which an electronic mail address is used instead of signature verification will be described.

FIG. 15 is a schematic configuration diagram of a personal authentication system according to the sixth embodiment. The personal authentication system shown in FIG. 15 includes a plurality of reader devices 2110, a plurality of mobile phones 60, and a mail authentication device 3. The reader device 2110 is connected to the network 9. The mail authentication device 3 is connected to the mobile phone 60 via the Internet 1. The reader device 2110 is a device for reading credit card information. Details of the reader device 2110 will be described with reference to FIG. In a store, a store salesperson usually operates the reader device 2110. However, the user who is authenticated in the personal authentication system of the sixth embodiment is a credit card holder. Therefore, in order to simplify the description, in the description of the present embodiment, the user of the reader device 2110 is assumed to be a credit card holder. The mail authentication device 3 is connected to the reader device 2110 via the network 9. The block diagram of the email authentication device 3 is the same as the email authentication device 3 included in the personal authentication system of the first embodiment, and a description thereof is omitted. For the sake of clarity, in the personal authentication system of the sixth embodiment, authentication processing of one reader device 2110 will be described. In practice, the mail authentication device 3 authenticates the plurality of reader devices 2110 via the network 9. That is, the mail authentication device 3 can receive an authentication request and an authentication result request from the plurality of reader devices 2110. In practice, the mail authentication device 3 is connected to a plurality of mobile phones 60 via the Internet 1. In FIG. 15, three reader devices 2110 are shown, but any number of personal authentication systems may be provided. FIG. 15 shows three mobile phones, but any number of personal authentication systems may be provided.

FIG. 16 is a block diagram of a configuration of the reader device 2110 provided in the personal authentication system of the sixth embodiment. The reader device 2110 physically includes a transmission / reception unit 11, a central processing unit 12, a main storage device 13, an auxiliary storage device 14, an input device (not shown), a display device (not shown), a card information reading unit 16, and the like. Prepare. The transmission / reception unit 11 is an interface that is connected to the network 9 and transmits / receives data to / from an external device (the mail authentication device 3). The central processing unit 12 is, for example, a CPU. The central processing unit 12 performs various processes by executing programs stored in the main storage device 13. The main storage device 13 is a memory, for example. The main storage device 13 stores programs executed by the central processing unit 12, information required by the central processing unit 12, and the like. The auxiliary storage device 14 is, for example, a hard disk. The auxiliary storage device 14 stores various information. The input device is, for example, a keyboard or a touch panel. Various information is input to the input device from the user. The display device is a display. On the display device, information instructed to be displayed by the central processing unit 12 is displayed. The card information reading unit 16 is a device that reads information stored in a credit card. The card information reading unit 16 provided in a general credit card card reader is sufficient. Note that the reader device 2110 does not necessarily include the auxiliary storage device 14.

The function of the reader device 2110 provided in the personal authentication system of the sixth embodiment is mainly the same as that of the client device 10 provided in the personal authentication system of the first embodiment. The reader device 2110 included in the personal authentication system of the sixth embodiment has the following functions in addition to the functions of the client device 10 included in the personal authentication system of the first embodiment. The reader device 2110 receives a credit card number and a payment amount by a user operation. The reader device 2110 includes the accepted credit card number and settlement amount in the authentication request transmitted to the mail authentication device 3.

The mobile phone 60 is a mobile phone equipped with an Internet connection function. The mobile phone 60 transmits an e-mail to the mail authentication device 3 via the Internet 1.

The function of the mail authentication device 3 of the sixth embodiment is mainly the same as that of the personal authentication system of the first embodiment. The mail authentication device 3 of the sixth embodiment has the following functions in addition to the functions of the mail authentication device 3 included in the personal authentication system of the first embodiment. The mail authentication device 3 of the sixth embodiment processes credit card credit examination and billing. The user management table 342 of the mail authentication device 3 includes a credit card number (not shown). The credit card number included in the user management table 342 is a credit card number owned by the user. That is, in the user management table 342, the credit card number and the user's e-mail address are stored in advance in association with each other. Further, the authentication mail address correspondence table 341 of the mail authentication device 3 includes a settlement amount (not shown) and a credit card number (not shown). The settlement amount included in the authentication mail address correspondence table 341 is an amount to be settled with a credit card. The credit card number included in the authentication mail address correspondence table 341 is the number of the credit card that is about to be used for settlement.

Next, an outline of processing of the personal authentication method of the sixth embodiment will be described. The sequence diagram of the personal authentication method of the sixth embodiment is mainly the same as FIG. 7 which is the sequence diagram of the personal authentication method of the first embodiment. However, the device that transmits the e-mail is not the reader device 2110 but the mobile phone 60 that is the second client device.

The outline of the process of the personal authentication method of the sixth embodiment is as follows. The reader device 2110 receives a payment amount from the user. Further, the card information reading unit 16 of the reader device 2110 reads the credit card number by the user's card operation. Next, the reader device 2110 transmits an authentication request including the accepted payment amount and the read credit card number to the mail authentication device 3 (ST111). The mail authentication device 3 receives the authentication request (ST112). Next, the mail authentication device 3 extracts the payment amount and the credit card number from the received authentication request. Next, the mail authentication device 3 generates an authentication request ID and an authentication mail address (ST113, ST114). Next, the mail authentication device 3 stores the generated authentication request ID, the generated authentication mail address, the extracted payment amount, and the extracted credit card number in association with the authentication mail address correspondence table 341 (ST115). . Next, the mail authentication device 3 transmits the generated authentication request ID and the generated authentication mail address to the reader device 2110 (ST116). The reader device 2110 receives the authentication request ID and the authentication mail address (ST117). Next, the reader device 2110 displays the received authentication mail address on the display device. Note that the reader device 2110 may print paper on which the authentication mail address is described without displaying the authentication mail address. That is, the reader device 2110 may use any method as long as it can notify the user of the authentication mail address. The reader device 2110 may display or print a QR code or the like corresponding to the authentication mail address. The cellular phone 60 transmits an e-mail addressed to the displayed authentication e-mail address in response to a user operation (ST118). Then, the mail authentication device 3 receives an electronic mail from the mobile phone 60 (ST119). Next, the mail authentication device 3 acquires a transmission source mail address and a transmission destination mail address from the received electronic mail. Next, based on the acquired transmission destination mail address, the mail authentication device 3 associates the acquired transmission source mail address with the authentication request ID and stores it in the authentication mail address correspondence table 341 (ST120). Specifically, the mail authentication device 3 selects from the authentication mail address correspondence table 341 a record in which the acquired destination mail address matches the authentication mail address 3412 of the authentication mail address correspondence table 341. Next, the mail authentication device 3 stores the acquired sender mail address in the user mail address 3413 of the selected record. On the other hand, the reader device 2110 transmits an authentication result request to the mail authentication device 3 (ST121). The mail authentication device 3 receives an authentication result request from the reader device 2110 (ST122). The mail authentication device 3 extracts the authentication request ID from the received authentication result request. Next, the mail authentication device 3 extracts the user mail address, the payment amount, and the credit card number stored in association with the extracted authentication request ID from the authentication mail address correspondence table 341 (ST123). Specifically, the mail authentication device 3 selects a record in which the extracted authentication request ID matches the authentication request ID 3411 of the authentication mail address correspondence table 341 from the authentication mail address correspondence table 341. Next, the mail authentication device 3 extracts the user mail address 3413, the payment amount, and the credit card number from the selected record. Next, the mail authentication device 3 selects from the user management table 342 a record in which the extracted user mail address 3413 matches the mail address 3422 of the user management table 342. Next, the mail authentication device 3 extracts a credit card number from the extracted record. Next, the mail authentication device 3 collates the credit card number extracted from the authentication mail address correspondence table 341 with the credit card number extracted from the user management table 342. If the two extracted credit card numbers do not match, the mail authentication device 3 determines that authentication is not possible. On the other hand, when the two extracted credit card numbers match, the mail authentication device 3 performs a credit examination to determine whether or not the extracted payment amount can be used. Credit screening is the same as that performed when using a conventional credit card. If the credit check is satisfactory, the mail authentication device 3 charges the payment amount to the credit card. The mail authentication device 3 may request a dedicated device for credit examination and billing processing. In this case, the mail authentication device 3 is connected via a network to a dedicated device that performs credit examination and billing. The mail authentication device 3 determines that authentication is possible when the accounting process is completed. The mail authentication device 3 transmits the authentication result to the reader device 2110 (ST124). The reader device 2110 receives the authentication result (ST125). Next, the reader device 2110 displays the authentication result on the display device.

As described above, in the personal authentication system of the sixth embodiment, an e-mail address can be used instead of signature verification in credit card payment at a store. In the sixth embodiment, the credit card settlement has been described. However, the settlement means is not limited to a credit card as long as it is a means for making a settlement through authentication. For example, the settlement means is “Jay Debit” (trademark).

In the above-described embodiment, the authentication request transmitted by the reader device 2110 includes the credit card number. However, it may be as follows. The reader device 2110 may include the credit card number in the authentication result request instead of the authentication request. In this case, the authentication mail address correspondence table 341 of the mail authentication device 3 does not have to include a credit card number. The reader device 2110 transmits an authentication result request to the mail authentication device 3. The mail authentication device 3 receives an authentication result request from the reader device 2110. Next, the mail authentication device 3 extracts an authentication request ID from the received authentication result request. Next, the mail authentication device 3 selects a record in which the extracted authentication request ID matches the authentication request ID 3411 of the authentication mail address correspondence table 341 from the authentication mail address correspondence table 341. Next, the mail authentication device 3 extracts the user mail address 3413 and the payment amount from the selected record. Next, the mail authentication device 3 selects from the user management table 342 a record in which the extracted user mail address 3413 matches the mail address 3422 of the user management table 342. Next, the mail authentication device 3 extracts a credit card number from the selected record. Next, the mail authentication device 3 collates the credit number extracted from the user management table 342 with the credit card included in the authentication result request. If the two credit card numbers match, the mail authentication device 3 performs a credit examination and charges.

Next, a modification of the sixth embodiment of the present invention will be described. In the personal authentication system of the sixth embodiment, the reader device 2110 reads credit card information. However, in the modified example of the sixth embodiment, an example will be described in which credit card settlement can be executed without the reader device 2110 reading credit card information. That is, even if the user does not physically hold a credit card, credit card payment can be made at the store.

The authentication request transmitted by the reader device 2110 provided in the modified example of the sixth embodiment does not include a credit card number. Further, the authentication mail address correspondence table 341 of the mail authentication device 3 provided in the modification of the sixth embodiment does not include a credit card number.

The outline of the process of the modified example of the sixth embodiment will be described. The reader device 2110 transmits an authentication request to the mail authentication device 3 in response to a user operation. The mail authentication device 3 receives the authentication request. Next, the mail authentication device 3 extracts the payment amount from the received authentication request. Next, the mail authentication device 3 generates an authentication request ID and an authentication mail address. Next, the mail authentication device 3 stores the generated authentication request ID, the generated authentication mail address, and the extracted payment amount in the authentication mail address correspondence table 341 in association with each other. Next, the email authentication device 3 transmits the generated authentication request ID and the generated authentication email address to the reader device 2110. The reader device 2110 receives the authentication request ID and the authentication e-mail address. Next, the reader device 2110 displays the received authentication mail address on the display device. The cellular phone 60 sends an e-mail to the displayed authentication e-mail address in response to a user operation. The mail authentication device 3 receives an e-mail from the mobile phone 60. Next, the mail authentication device 3 acquires a transmission source mail address and a transmission destination mail address from the received electronic mail. Next, the mail authentication device 3 stores the acquired transmission source mail address in the authentication mail address correspondence table 341 in association with the authentication request ID based on the acquired transmission destination mail address. Specifically, the mail authentication device 3 selects from the authentication mail address correspondence table 341 a record in which the acquired destination mail address matches the authentication mail address 3412 of the authentication mail address correspondence table 341. Next, the mail authentication device 3 stores the acquired mail address of the transmission source in the user mail address 3413 of the selected record. On the other hand, the reader device 2110 transmits an authentication result request to the mail authentication device 3. The mail authentication device 3 receives an authentication result request from the reader device 2110. The mail authentication device 3 extracts the authentication request ID from the received authentication result request. Next, the mail authentication device 3 selects a record in which the extracted authentication request ID matches the authentication request ID 3411 of the authentication mail address correspondence table 341 from the authentication mail address correspondence table 341. Next, the mail authentication device 3 extracts the user mail address 3413 and the payment amount from the selected record. Next, the mail authentication device 3 selects from the user management table 342 a record in which the extracted user mail address 3413 matches the mail address 3422 of the user management table 342. Next, the mail authentication device 3 extracts a credit card number from the selected record. Next, the mail authentication device 3 performs a credit examination on the extracted credit card number. Credit screening is performed when a conventional credit card is used. If the credit examination is good, the mail authentication device 3 charges the payment amount to the credit card. The mail authentication device 3 may request a dedicated device for credit examination and billing processing. In this case, the mail authentication device 3 is connected via a network to a dedicated device that performs credit examination and billing. The mail authentication device 3 determines that authentication is possible when the accounting process is completed. The mail authentication device 3 transmits the authentication result to the reader device 2110. The reader device 2110 receives the authentication result. Then, the reader device 2110 displays the received authentication result on the display device.

As described above, in the modification of the sixth embodiment, even if the user does not physically hold the credit card at the store, the credit card can be settled.

Here, an application example of a modification of the sixth embodiment of the present invention will be described. The mail authentication device 3 provided in the personal authentication system of the application example of the modified example of the sixth embodiment also serves as a device for calculating public utility charges. That is, the mail authentication device 3 calculates a utility bill, issues an invoice, and manages the payment status. For example, the public charges are telephone charges, mobile phone charges, electricity charges, gas charges, water charges, and the like. In the sixth embodiment, the user management table 342 of the mail authentication device 3 stores the electronic mail address of the mobile phone 60 and the credit card number in association with each other. In the application example of the modified example of the sixth embodiment, the user management table 342 of the mail authentication device 3 stores the correspondence between the e-mail address of the mobile phone 60 and the identifier of the user who receives the utility bill service. The mail authentication device 3 adds the payment amount at the store to the public bill instead of charging the credit card. The user of the reader device 2110 can complete payment at the store only by holding the mobile phone 60.

(Seventh embodiment)
In the following, an example in which a personal computer and a PDA are connected to an in-house intranet in the personal authentication system of the first embodiment will be described as the personal authentication system of the seventh embodiment. The same code | symbol is used for the location which overlaps with the personal authentication system of 1st Embodiment.

Many companies set up an internal intranet to encourage employees to communicate information while keeping internal information confidential. An employee connects a portable terminal such as a personal computer or a PDA to a company intranet by means of communication means such as dial-up or VPN for the purpose of browsing or updating company information from a destination or sending and receiving e-mail. Conventionally, an employee inputs a user ID and a password and connects to an in-house intranet. The user of the personal computer or PDA receives authentication using the authentication method of the first embodiment, and connects the portable terminal to the in-house intranet. In this case, the client device 10 is a portable terminal that is about to be connected to an in-house intranet. The mail authentication device 3 is a management server that manages an intranet in the company. Employees can connect to the corporate intranet without entering a user ID and password. Note that the security can be further enhanced by transmitting an e-mail to the mail authentication apparatus 3 using a second client device different from the portable terminal. In this case, a user who intends to connect a portable terminal to an in-house intranet may receive personal authentication unless both the portable terminal and the second client device capable of transmitting an e-mail having a user mail address as a transmission source are available. Can not. As a result, another person who has acquired only the portable terminal can not be authenticated by impersonating the user of the portable terminal. That is, even if the portable terminal is lost, information leakage can be prevented.

(Eighth embodiment)
The following describes an example in which a thin client device is connected to an in-house server in the personal authentication system of the first embodiment as the personal authentication system of the eighth embodiment. The same code | symbol is used for the location which overlaps with the personal authentication system of 1st Embodiment.

The thin client device is a personal computer having a minimum auxiliary storage device. Companies have introduced a thin client system in order to prevent information leakage due to theft or loss of personal computers. The auxiliary storage device of the thin client device does not store sufficient in-house data and applications. In-house data and applications are stored by the central server. The employee operates the thin client device to connect to the central server, and browses and updates the in-house data. Conventionally, an employee inputs a user ID and a password and connects to a centralized server. The user of the thin client device receives authentication using the authentication method of the first embodiment, and connects the thin client device to the in-house intranet. In this case, the client device 10 is a thin client device to be connected to the central server. The mail authentication device 3 is a management server that manages the connection between the thin client device and the server. The management server may be included in the central server. The employee can connect the thin client device to the central server without entering the user ID and password.

(Ninth embodiment)
In the following, an example of connecting a personal computer and a PDA to a public wireless LAN in the personal authentication system of the first embodiment will be described as the personal authentication system of the ninth embodiment. The same code | symbol is used for the location which overlaps with the personal authentication system of 1st Embodiment.

Public wireless LANs that connect to the Internet at the destination are widespread. Conventionally, a user of a public wireless LAN inputs a user ID and a password, and connects a portable terminal such as a personal computer and a PDA to an access point of the public wireless LAN. The user of the public wireless LAN is authenticated using the authentication method of the first embodiment, and connects the portable terminal to the access point. In this case, the client device 10 is a portable terminal to be connected to the access point. The mail authentication device 3 is a management server that manages the connection between the portable terminal and the access point. A public wireless LAN user can connect to an access point without entering a user ID and password.

(Tenth embodiment)
Although the personal authentication system of the tenth embodiment will be described below, the same reference numerals are used for portions that overlap with the personal authentication system of the first embodiment, and description thereof is omitted.

The personal authentication system of the tenth embodiment uses a client ID that is an identifier of the client device 10 instead of the authentication request ID. Note that the personal authentication system of the tenth embodiment can be applied to any of the first to ninth personal authentication systems. Here, the case where it applies to the authentication system of 1st Embodiment is demonstrated.

The personal authentication system of the tenth embodiment is the same as the personal authentication system (FIG. 1) of the first embodiment except for the authentication mail address correspondence table (FIG. 5) stored in the mail authentication device 3. is there.

FIG. 17 is a configuration diagram of the authentication mail address correspondence table 20341 stored in the auxiliary storage device of the mail authentication device 3 according to the tenth embodiment. The authentication mail address correspondence table 20341 includes a client ID 203411, an authentication mail address 3412, and a user mail address 3413. The authentication e-mail address 3412 and the user e-mail address 3413 are the same as those included in the authentication e-mail address correspondence table (FIG. 5) according to the first embodiment, and a description thereof will be omitted. The client ID 203411 is a unique identifier of the client device 10 provided in the personal authentication system. The client ID 20341 stores the client ID included in the authentication request transmitted from the client device 10.

Next, processing of the personal authentication system of the tenth embodiment will be described. Note that the description of the same processing as in the first embodiment is omitted. The client device 10 transmits an authentication request including its own client ID. Then, the mail authentication device 3 assigns an authentication mail address to the client ID included in the received authentication request. Next, the mail authentication device 3 stores the correspondence between the client ID included in the received authentication request and the authentication mail address assigned to the client ID in the authentication mail address correspondence table 20341. Specifically, the mail authentication device 3 newly generates a mail address that can be received by the mail authentication device 3. Next, the mail authentication device 3 generates a new record in the authentication mail address correspondence table 20341. Next, the mail authentication device 3 stores the client ID included in the received authentication request in the client ID 203411 of the created new record. Further, the mail authentication device 3 stores the generated authentication mail address in the authentication mail address 3412 of the created new record.

Next, the mail authentication device 3 transmits the generated authentication email address to the client device 10 via the network 9. The client device 10 receives the authentication email address from the email authentication device 3. Next, the client device 10 displays the received authentication mail address on the display device.

The client device 10 sends an e-mail to the displayed authentication e-mail address in response to a user operation. Then, the mail authentication device 3 receives an electronic mail from the client device 10. Next, the mail authentication device 3 acquires a transmission source mail address and a transmission destination mail address from the received electronic mail. Next, the mail authentication device 3 selects, from the authentication mail address correspondence table 20341, a record in which the acquired transmission destination mail address matches the authentication mail address 3412 of the authentication mail address correspondence table 20341. Next, the mail authentication device 3 extracts the client ID 203411 from the selected record. Next, the mail authentication device 3 selects from the user management table 342 a record in which the acquired mail address of the transmission source matches the mail address 3422 of the user management table 342. Next, the mail authentication device 3 extracts the user ID 3421 from the selected record. Then, the mail authentication device 3 determines that the authentication request transmitted from the client device 10 identified by the extracted client ID 203411 is from the user identified by the extracted user ID 3421. Therefore, the mail authentication device 3 determines whether to authenticate the user identified by the extracted user ID 3421. Then, the mail authentication device 3 transmits the authentication result to the client device 10 identified by the extracted client ID 203411. In this case, the mail authentication device 3 can transmit the authentication result to the client device 10 without receiving the authentication result request.

Moreover, it may be as follows. The mail authentication device 3 receives an email from the client device 10. Next, the mail authentication device 3 acquires a transmission source mail address and a transmission destination mail address from the received electronic mail. Next, the mail authentication device 3 selects, from the authentication mail address correspondence table 20341, a record in which the acquired transmission destination mail address matches the authentication mail address 3412 of the authentication mail address correspondence table 20341. Next, the mail authentication device 3 stores the acquired sender mail address in the user mail address 3413 of the selected record.

On the other hand, the client device 10 transmits an authentication result request including its own client ID to the mail authentication device 3. The mail authentication device 3 selects, from the authentication mail address correspondence table 20341, a record in which the client ID included in the authentication result request matches the client ID 203411 of the authentication mail address correspondence table 20341. Next, the mail authentication device 3 extracts the user mail address 3413 from the selected record. Then, the mail authentication device 3 determines the authentication result based on the extracted user mail address 3413, as in the first embodiment. Specifically, the mail authentication device 3 determines that authentication is not possible when the user mail address 3413 cannot be extracted. On the other hand, when the user mail address 3413 can be extracted, the mail authentication device 3 selects from the user management table 342 a record in which the extracted user mail address 3413 matches the mail address 3422 of the user management table 342 (FIG. 6). To do. The mail authentication device 3 determines that authentication is not possible when a record with a matching mail address cannot be extracted. On the other hand, the mail authentication device 3 determines that authentication is possible when a record having a matching mail address can be extracted. Thereby, the mail authentication device 3 can identify the user who issued the authentication request. Specifically, the mail authentication device 3 extracts the user ID 3421 from the selected record. Then, the mail authentication device 3 specifies that the issuer of the authentication request transmitted from the client device 10 identified by the client ID included in the authentication result request is the user identified by the extracted user ID 3421. Note that the mail authentication device 3 may include unique information of the user corresponding to the extracted user ID 3421 in the authentication result. Then, the mail authentication device 3 transmits the authentication result to the client device 10 identified by the client ID included in the authentication result request via the network 9. The other processes in the tenth embodiment are the same as those in the first embodiment. Therefore, description of the same processing is omitted. In the present embodiment, SIP communication may be used instead of e-mail.

Further, in the tenth embodiment of the present invention, non-overlapping authentication mail addresses may be assigned in advance to all of the client devices 10. In this case, the correspondence between the client device 10 and the authentication email address is unchanged, and is stored in advance in the authentication email address correspondence table 20341 or the like. Then, the mail authentication device 3 can identify the client device 10 that is the transmission source of the user authentication request based on the mail address of the transmission destination.

It is a figure which shows schematic structure of the personal authentication system of 1st Embodiment. 2 is a block diagram of a configuration of a client device 10. FIG. 3 is a block diagram of a configuration of a mail authentication device 3. FIG. 3 is a functional block diagram of the mail authentication device 3. FIG. 4 is a configuration diagram of an authentication mail address correspondence table 341 stored in an auxiliary storage device 34 of the mail authentication device 3. FIG. 4 is a configuration diagram of a user management table 342 stored in an auxiliary storage device 34 of the mail authentication device 3. FIG. It is a sequence diagram of a process of the personal authentication method of the first embodiment. It is a schematic block diagram of the personal authentication system of 2nd Embodiment. 3 is a functional block diagram of a mail authentication WEB apparatus 903. FIG. It is a sequence diagram of a process of the personal authentication method of the second embodiment. It is a schematic block diagram of the personal authentication system of 3rd Embodiment. It is a sequence diagram of a process of the personal authentication method of the third embodiment. It is a schematic block diagram of the personal authentication system of 5th Embodiment. It is a block diagram of a structure of ATM2010. It is a schematic block diagram of the personal authentication system of 6th Embodiment. 2 is a block diagram of a configuration of a reader device 2110. FIG. It is a block diagram of the authentication mail address corresponding | compatible table 20341 memorize | stored in the auxiliary storage device of the mail authentication apparatus 3 of 10th Embodiment.

Explanation of symbols

1 Internet 3 Mail Authentication Device 5 Introduction Web Server 9 Network 10 Client Device 11 Transmission / Reception Unit 12 Central Processing Unit 13 Main Storage Device 14 Auxiliary Storage Device 15 Cash Handling Unit 16 Card Information Reading Unit 2010 ATM
2060 Mobile phone 2110 Reader device 20341 Authentication mail address correspondence table 20411 Client ID
31 Transmission / Reception Unit 32 Central Processing Unit 33 Main Storage Unit 34 Auxiliary Storage Unit 300 Authentication Program 331 Main Module 3321 Authentication Request Reception Module 3322 Authentication Result Request Reception Module 333 Authentication Request ID Generation Module 334 Authentication Email Address Generation Module 335 Authentication Email Address Transmission module 336 Mail reception module 337 Reception mail reading module 338 Authentication module 339 Authentication result transmission module 341 Authentication mail address correspondence table 3411 Authentication request ID
3412 Authentication email address 3413 User email address 342 User management table 3421 User ID
3422 mail address 60 mobile phone 903 mail authentication WEB apparatus 923 ATM mail authentication apparatus 943 mail authentication dedicated WEB apparatus 9010 client apparatus 90300 authentication program 90335 authentication mail address transmission module 90339 authentication result transmission module

Claims (78)

An authentication system comprising: a plurality of client computers comprising a processor, a memory and an interface; and an authentication computer connected to the plurality of client computers via a network and comprising a processor, a memory and an interface,
The authentication computer is
Storing user information indicating correspondence between the user and the user's email address;
When an authentication request is received from the client computer, a mail address that is not assigned to any of the plurality of client computers among mail addresses that can be received by the authentication computer is a client that is a transmission source of the received authentication request Assigned to the calculator,
Storing the correspondence between the client computer that is the source of the received authentication request and the mail address assigned to the client computer in the authentication mail address correspondence information;
When an email is received, the destination email address and the sender email address are identified from the received email,
Referring to the user information, the user corresponding to the identified email address of the sender is specified,
Referring to the authentication email address correspondence information, identify a client computer corresponding to the identified email address of the destination,
An authentication system, wherein an authentication request received from the specified client computer determines that authentication is requested by the specified user. An authentication system comprising: a plurality of client computers comprising a processor, a memory and an interface; and an authentication computer connected to the plurality of client computers via a network and comprising a processor, a memory and an interface,
The authentication computer is
Storing user information indicating correspondence between the user and the user's email address;
When an authentication request is received from the client computer, among the email addresses that can be received by the authentication computer, an email address that is not assigned to any of the previously received authentication requests is assigned to the received authentication request,
Storing the correspondence between the received authentication request and the email address assigned to the authentication request in the authentication email address correspondence information;
When an email is received, the destination email address and the sender email address are identified from the received email,
Referring to the user information, the user corresponding to the identified email address of the sender is specified,
Referring to the authentication email address correspondence information, an authentication request corresponding to the identified destination email address is identified,
The authentication system according to claim 1, wherein the specified authentication request determines that authentication is requested by the specified user. An authentication system comprising: a plurality of client computers comprising a processor, a memory and an interface; and an authentication computer connected to the plurality of client computers via a network and comprising a processor, a memory and an interface,
The authentication computer is
Storing user information indicating correspondence between the user and the user's email address;
The correspondence between the client computer and a mail address assigned to the client computer so as not to overlap with other client computers among the mail addresses that can be received by the authentication computer is stored in the authentication mail address correspondence information. ,
Receiving an authentication request from the client computer;
When an email is received, the destination email address and the sender email address are identified from the received email,
Referring to the user information, the user corresponding to the identified email address of the sender is specified,
Referring to the authentication email address correspondence information, identify a client computer corresponding to the identified email address of the destination,
An authentication system, wherein an authentication request received from the specified client computer determines that authentication is requested by the specified user. The authentication computer is
When a certain amount of time has passed since the email address was assigned, the email address will be unassigned,
The authentication system according to claim 1 or 2, wherein the email address that has been deallocated is reassigned. The authentication computer sends the assigned email address to the client computer that is the source of the authentication request,
The authentication system according to any one of claims 1 to 3, wherein the client computer outputs a mail address received from the authentication computer. The client computer sends an authentication result request including an email address received from the authentication computer to the authentication computer,
When the authentication computer receives the authentication result request from the client computer, the authentication computer extracts the email address from the received authentication result request,
Determining whether the extracted email address is an email that is the email address of the sender,
When receiving the e-mail, referring to at least one of the user information and the authentication e-mail address correspondence information, determine the result of the received authentication request,
6. The authentication system according to claim 5, wherein the determination result is transmitted to a client computer that is a transmission source of the received authentication result request.   The authentication computer determines that the authentication request result received from the specified client computer is unauthenticated when the user corresponding to the specified sender mail address cannot be specified by referring to the user information The authentication system according to claim 1 or 3, wherein:   The authentication computer refers to the user information and determines that the result of the specified authentication request is unauthenticated when the user corresponding to the specified mail address of the sender cannot be specified. The authentication system according to claim 2.   If the authentication computer cannot identify a user corresponding to the identified sender's email address with reference to the user information, the identified sender's email address is used as the new user's email address, and the user 4. The authentication system according to claim 1, wherein the authentication system is stored in information. The authentication computer is
Refer to at least one of the user information and the authentication email address correspondence information, determine the result of the received authentication request,
The authentication system according to claim 1, wherein the determination result is transmitted to the identified client computer. The authentication computer is
Refer to at least one of the user information and the authentication email address correspondence information, determine the result of the received authentication request,
The authentication system according to claim 2, wherein the determination result is transmitted to a client computer that is a transmission source of the specified authentication request. The authentication computer is
When an authentication result request including an identifier of the client computer that is the transmission source of the authentication request is received from the client computer, the identifier of the client computer is extracted from the received authentication result request,
Referring to at least one of the user information and the authentication email address correspondence information, determine the result of the authentication request received from the client computer identified by the extracted identifier;
4. The authentication system according to claim 1, wherein the determined result is transmitted to a client computer that is a transmission source of the received authentication result request. The authentication computer is
When an authentication request is received from the client computer, an identifier of the received authentication request is generated,
Sending the generated authentication request identifier to the client computer;
Receiving an authentication result request including an identifier of the authentication request from the client computer;
Extract the authentication request identifier from the received authentication result request,
With reference to at least one of the user information and the authentication email address correspondence information, a result of an authentication request identified by the extracted identifier is determined;
The authentication system according to claim 2, wherein the determination result is transmitted to a client computer that is a transmission source of the received authentication result request. The user information further includes a correspondence between the user and information unique to the user,
The authentication computer is
Referring to the user information to identify unique information corresponding to the identified user;
Receiving user-specific information from the client computer;
4. The method according to claim 1, wherein when the specified unique information matches the received unique information, the result of the received authentication request is determined to be authentic. 5. Authentication system.   15. The authentication system according to claim 14, wherein the unique information of the user includes at least one of a user identifier, a personal identification number, a card number owned by the user, and a user's biometric information. And a WEB computer for transmitting a WEB page to the client computer.
The authentication system according to claim 1 or 2, wherein the authentication computer processes an authentication request for the client computer to access the WEB computer. The user information further includes correspondence between the user and a credit card owned by the user,
The authentication computer is
Refer to at least one of the user information and the authentication email address correspondence information, determine the result of the received authentication request,
When it is determined that the received authentication request result can be authenticated, the credit card corresponding to the identified user is identified with reference to the user information,
Perform credit examination for the identified credit card,
The authentication system according to any one of claims 1 to 3, wherein the credit card is permitted to be settled if the credit examination result is good. The user information further includes a correspondence between the user and the user's account,
The authentication computer is
Refer to at least one of the user information and the authentication email address correspondence information, determine a result of the received authentication request, and determine that the received authentication request can be authenticated, refer to the user information, Identify an account corresponding to the identified user;
The authentication system according to claim 1, wherein a transaction for the specified account is executed.   4. The authentication system according to claim 1, wherein the client computer is any one of a personal computer, a reader device that reads card information, and an ATM.   The authentication system according to claim 1, wherein the authentication computer is a WEB server. The authentication computer is
When an authentication request is received from the client computer, a new mail address that can be received by the authentication computer is created,
By assigning the created new mail address to the client computer that is the transmission source of the received authentication request, the mail address that can be received by the authentication computer is assigned to any of the plurality of client computers. 2. The authentication system according to claim 1, wherein an unassigned mail address is assigned to a client computer that is a transmission source of the authentication request. The authentication computer is
When an authentication request is received from the client computer, a new mail address that can be received by the authentication computer is created,
By assigning the created new email address to the received authentication request, among the email addresses that can be received by the authentication computer, an email address that is not assigned to any of the previously received authentication requests, 3. The authentication system according to claim 2, wherein the authentication system is assigned to the received authentication request.   The authentication computer cancels the assignment of the created email address by invalidating the created email address when a predetermined time elapses after the email address is newly created. The authentication system according to claim 21 or 22. The authentication computer is
Determine whether the email address of the identified sender is forged,
The authentication according to claim 1 or 3, wherein when the specified sender's e-mail address is camouflaged, the result of the authentication request received from the specified client computer is determined to be unauthenticated. system. The authentication computer is
Determine whether the email address of the identified sender is forged,
3. The authentication system according to claim 2, wherein when the specified sender's mail address is camouflaged, the result of the specified authentication request is determined to be unauthenticated. An authentication computer connected to a plurality of client computers via a network and comprising a processor, a memory and an interface,
The processor is
Storing user information indicating correspondence between the user and the user's email address;
When an authentication request is received from the client computer, a mail address that is not assigned to any of the plurality of client computers among mail addresses that can be received by the authentication computer is a client that is a transmission source of the received authentication request Assigned to the calculator,
Storing the correspondence between the client computer that is the source of the received authentication request and the mail address assigned to the client computer in the authentication mail address correspondence information;
When an email is received, the destination email address and the sender email address are identified from the received email,
Referring to the user information, the user corresponding to the identified email address of the sender is specified,
Referring to the authentication email address correspondence information, identify a client computer corresponding to the identified email address of the destination,
An authentication computer, wherein an authentication request received from the specified client computer determines that authentication is requested by the specified user. An authentication computer connected to a plurality of client computers via a network and comprising a processor, a memory and an interface,
The processor is
Storing user information indicating correspondence between the user and the user's email address;
When an authentication request is received from the client computer, among the email addresses that can be received by the authentication computer, an email address that is not assigned to any of the previously received authentication requests is assigned to the received authentication request,
Storing the correspondence between the received authentication request and the email address assigned to the authentication request in the authentication email address correspondence information;
When an email is received, the destination email address and the sender email address are identified from the received email,
Referring to the user information, the user corresponding to the identified email address of the sender is specified,
Referring to the authentication email address correspondence information, an authentication request corresponding to the identified destination email address is identified,
In the specified authentication request, it is determined that authentication is requested by the specified user. An authentication computer connected to a plurality of client computers via a network and comprising a processor, a memory and an interface,
The processor is
Storing user information indicating correspondence between the user and the user's email address;
The correspondence between the client computer and a mail address assigned to the client computer so as not to overlap with other client computers among the mail addresses that can be received by the authentication computer is stored in the authentication mail address correspondence information. ,
Receiving an authentication request from the client computer;
When an email is received, the destination email address and the sender email address are identified from the received email,
Referring to the user information, the user corresponding to the identified email address of the sender is specified,
Referring to the authentication email address correspondence information, identify a client computer corresponding to the identified email address of the destination,
An authentication computer, wherein an authentication request received from the specified client computer determines that authentication is requested by the specified user. The processor is
When a certain amount of time has passed since the email address was assigned, the email address will be unassigned,
29. The authentication computer according to claim 26 or 28, wherein the email address that has been deallocated is reassigned. The processor is
Sending the assigned email address to the client computer that is the sender of the authentication request;
29. The authentication computer according to claim 26, wherein the client computer is instructed to output the transmitted mail address. The processor is
Receiving an authentication result request including the transmitted email address from the client computer;
An email address is extracted from the received authentication result request,
Determining whether the extracted email address is an email that is the email address of the sender,
When receiving the e-mail, referring to at least one of the user information and the authentication e-mail address correspondence information, determine the result of the received authentication request,
The authentication computer according to claim 30, wherein the determination result is transmitted to a client computer that is a transmission source of the received authentication result request.   The processor refers to the user information, and determines that the result of the authentication request received from the identified client computer is unauthenticated when the user corresponding to the identified sender mail address cannot be identified. The authentication computer according to claim 26 or 28.   The processor refers to the user information and determines that the result of the specified authentication request is unauthenticated when the user corresponding to the specified mail address of the sender cannot be specified. The authentication computer according to claim 27.   If the processor cannot identify a user corresponding to the identified sender's email address with reference to the user information, the processor uses the identified sender's email address as the email address of the new user. 29. The authentication computer according to any one of claims 26 to 28, wherein the authentication computer is stored in the authentication computer. The processor is
Refer to at least one of the user information and the authentication email address correspondence information, determine the result of the received authentication request,
29. The authentication computer according to claim 26 or 28, wherein the determined result is transmitted to the identified client computer. The processor is
Refer to at least one of the user information and the authentication email address correspondence information, determine the result of the received authentication request,
28. The authentication computer according to claim 27, wherein the determined result is transmitted to a client computer that is a transmission source of the specified authentication request. The processor is
When an authentication result request including an identifier of the client computer that is the transmission source of the authentication request is received from the client computer, the identifier of the client computer is extracted from the received authentication result request,
Referring to at least one of the user information and the authentication email address correspondence information, determine the result of the authentication request received from the client computer identified by the extracted identifier;
The authentication computer according to claim 26 or 28, wherein the determination result is transmitted to a client computer that is a transmission source of the received authentication result request. The processor is
When an authentication request is received from the client computer, an identifier of the received authentication request is generated,
Sending the generated authentication request identifier to the client computer;
Receiving an authentication result request including an identifier of the authentication request from the client computer;
Extract the authentication request identifier from the received authentication result request,
With reference to at least one of the user information and the authentication email address correspondence information, a result of an authentication request identified by the extracted identifier is determined;
28. The authentication computer according to claim 27, wherein the determined result is transmitted to a client computer that is a transmission source of the received authentication result request. The user information further includes a correspondence between the user and information unique to the user,
The processor is
Referring to the user information to identify unique information corresponding to the identified user;
Receiving user-specific information from the client computer;
29. If the specified unique information matches the received unique information, it is determined that the result of the received authentication request is authenticable. Authentication calculator.   40. The authentication computer according to claim 39, wherein the unique information of the user includes at least one of a user identifier, a personal identification number, a card number owned by the user, and user biometric information. And connected to a WEB computer that transmits a WEB page to the client computer,
28. The authentication computer according to claim 26 or 27, wherein the processor processes an authentication request for the client computer to access the WEB computer. The user information further includes correspondence between the user and a credit card owned by the user,
The processor is
Refer to at least one of the user information and the authentication email address correspondence information, determine the result of the received authentication request,
When it is determined that the received authentication request result can be authenticated, the credit card corresponding to the identified user is identified with reference to the user information,
Perform credit examination for the identified credit card,
29. The authentication computer according to any one of claims 26 to 28, wherein if the result of credit examination is good, the credit card settlement is permitted. The user information further includes a correspondence between the user and the user's account,
The processor is
Refer to at least one of the user information and the authentication email address correspondence information, determine a result of the received authentication request, and determine that the received authentication request can be authenticated, refer to the user information, Identify an account corresponding to the identified user;
28. The authentication computer according to claim 26 or 27, wherein a transaction for the specified account is executed.   29. The authentication computer according to claim 26, wherein the client computer is a personal computer, a reader device that reads card information, or an ATM.   The authentication computer according to any one of claims 26 to 28, wherein the authentication computer is a WEB server. The processor is
When an authentication request is received from the client computer, a new mail address that can be received by the authentication computer is created,
By assigning the created new mail address to the client computer that is the transmission source of the received authentication request, the mail address that can be received by the authentication computer is assigned to any of the plurality of client computers. 27. The authentication computer according to claim 26, wherein an unassigned mail address is assigned to a client computer that is a transmission source of the authentication request. The processor is
When an authentication request is received from the client computer, a new mail address that can be received by the authentication computer is created,
By assigning the created new email address to the received authentication request, among the email addresses that can be received by the authentication computer, an email address that is not assigned to any of the previously received authentication requests, 28. The authentication computer according to claim 27, which is assigned to the received authentication request.   The processor cancels the assignment of the created email address by invalidating the created email address when a predetermined time has elapsed since the email address was newly created. 48. An authentication computer according to claim 46 or 47. The processor is
Determine whether the email address of the identified sender is forged,
29. The authentication according to claim 26 or 28, wherein when the specified email address of the sender is forged, the result of the authentication request received from the specified client computer is determined to be unauthenticated. calculator. The processor is
Determine whether the email address of the identified sender is forged,
28. The authentication computer according to claim 27, wherein when the specified sender's mail address is camouflaged, the result of the specified authentication request is determined to be unauthenticated. A program connected to a plurality of client computers via a network and executed by an authentication computer having a processor, a memory and an interface,
Storing user information indicating correspondence between the user and the user's email address;
When an authentication request is received from the client computer, a mail address that is not assigned to any of the plurality of client computers among mail addresses that can be received by the authentication computer is a client that is a transmission source of the received authentication request Assigning it to a calculator,
Storing the correspondence between the client computer that is the transmission source of the received authentication request and the email address assigned to the client computer in the authentication email address correspondence information;
Upon receiving an e-mail, from the received e-mail, identifying a destination e-mail address and a source e-mail address;
Referring to the user information, identifying a user corresponding to the identified sender email address;
Referring to the authentication email address correspondence information, identifying a client computer corresponding to the identified email address of the destination;
And determining in the authentication request received from the specified client computer that authentication is requested by the specified user. A program connected to a plurality of client computers via a network and executed by an authentication computer having a processor, a memory and an interface,
Storing user information indicating correspondence between the user and the user's email address;
When receiving an authentication request from the client computer, out of the mail addresses that can be received by the authentication computer, assigning an email address that is not assigned to any of the previously received authentication requests to the received authentication request;
Storing the correspondence between the received authentication request and the email address assigned to the authentication request in the authentication email address correspondence information;
Upon receiving an e-mail, from the received e-mail, identifying a destination e-mail address and a source e-mail address;
Referring to the user information, identifying a user corresponding to the identified sender email address;
Referring to the authentication email address correspondence information, identifying an authentication request corresponding to the identified destination email address;
Determining in the specified authentication request that authentication is requested by the specified user. A program connected to a plurality of client computers via a network and executed by an authentication computer having a processor, a memory and an interface,
Storing user information indicating correspondence between the user and the user's email address;
The correspondence between the client computer and a mail address assigned to the client computer so as not to overlap with another client computer among mail addresses that can be received by the authentication computer is stored in the authentication mail address correspondence information. Steps,
Receiving an authentication request from the client computer;
Upon receiving an e-mail, from the received e-mail, identifying a destination e-mail address and a source e-mail address;
Referring to the user information, identifying a user corresponding to the identified sender email address;
Referring to the authentication email address correspondence information, identifying a client computer corresponding to the identified email address of the destination;
And determining in the authentication request received from the specified client computer that authentication is requested by the specified user. An authentication computer connected to a plurality of client computers via a network and comprising a processor, a memory and an interface,
The processor is
Storing user information indicating correspondence between the user and the user agent address of the user;
When an authentication request is received from the client computer, a user agent address that is not assigned to any of the plurality of client computers among user agent addresses that can be received by the authentication computer is transmitted from the source of the received authentication request. Assigned to a client computer,
Storing the correspondence between the client computer that is the transmission source of the received authentication request and the user agent address assigned to the client computer in the authentication user agent address correspondence information;
When receiving the signaling, the user agent address of the transmission destination and the user agent address of the transmission source are specified from the received signaling,
With reference to the user information, the user corresponding to the identified user agent address of the transmission source is identified,
Referring to authentication user agent address correspondence information, identify a client computer corresponding to the identified user agent address of the destination,
An authentication computer, wherein an authentication request received from the specified client computer determines that authentication is requested by the specified user. An authentication computer connected to a plurality of client computers via a network and comprising a processor, a memory and an interface,
The processor is
Storing user information indicating correspondence between the user and the user agent address of the user;
When receiving an authentication request from the client computer, among user agent addresses that can be received by the authentication computer, a user agent address that is not assigned to any of the previously received authentication requests is assigned to the received authentication request,
Storing the correspondence between the received authentication request and the user agent address assigned to the authentication request in the authentication user agent address correspondence information;
When receiving the signaling, the user agent address of the transmission destination and the user agent address of the transmission source are specified from the received signaling,
With reference to the user information, the user corresponding to the identified user agent address of the transmission source is identified,
With reference to the authentication user agent address correspondence information, the authentication request corresponding to the user agent address of the specified destination is specified,
In the specified authentication request, it is determined that authentication is requested by the specified user. An authentication computer connected to a plurality of client computers via a network and comprising a processor, a memory and an interface,
The processor is
Storing user information indicating correspondence between the user and the user agent address of the user;
The correspondence between the client computer and the user agent address that can be received by the authentication computer, and the user agent address assigned to the client computer so as not to overlap with other client computers is the authentication user agent address correspondence information. Remember
Receiving an authentication request from the client computer;
When receiving the signaling, the user agent address of the transmission destination and the user agent address of the transmission source are specified from the received signaling,
With reference to the user information, the user corresponding to the identified user agent address of the transmission source is identified,
Referring to authentication user agent address correspondence information, identify a client computer corresponding to the identified user agent address of the destination,
An authentication computer, wherein an authentication request received from the specified client computer determines that authentication is requested by the specified user. The processor is
When a predetermined time has elapsed since the user agent address was assigned, the user agent address assignment is canceled,
57. The authentication computer according to claim 54 or 56, wherein the user agent address that has been deallocated is reassigned. The processor is
Sending the assigned user agent address to the client computer that is the sender of the authentication request;
57. The authentication computer according to claim 54, wherein the client computer is instructed to output the transmitted user agent address. The processor is
Receiving an authentication result request including the transmitted user agent address from the client computer;
Extracting the user agent address from the received authentication result request,
Determining whether the extracted user agent address is a signaling that is a source user agent address;
When receiving the signaling, refer to at least one of the user information and the authentication user agent address correspondence information, determine the result of the received authentication request,
59. The authentication computer according to claim 58, wherein the determined result is transmitted to a client computer that is a transmission source of the received authentication result request.   The processor determines that the result of the authentication request received from the specified client computer is unauthenticated when the user corresponding to the specified user agent address of the specified transmission source cannot be specified by referring to the user information The authentication computer according to claim 54 or 56, wherein:   The processor refers to the user information, and when the user corresponding to the specified user agent address of the specified transmission source cannot be specified, the processor determines that the result of the specified authentication request is unauthenticated. The authentication computer according to claim 55.   When the processor cannot identify a user corresponding to the user agent address of the identified transmission source with reference to the user information, the user agent address of the identified transmission source is set as the user agent address of the new user, 57. The authentication computer according to any one of claims 54 to 56, which is stored in the user information. The processor is
Refer to at least one of the user information and the authentication user agent address correspondence information, determine the result of the received authentication request,
57. The authentication computer according to claim 54 or 56, wherein the determined result is transmitted to the identified client computer. The processor is
Refer to at least one of the user information and the authentication user agent address correspondence information, determine the result of the received authentication request,
56. The authentication computer according to claim 55, wherein the determined result is transmitted to a client computer that is a transmission source of the specified authentication request. The processor is
When an authentication result request including an identifier of the client computer that is the transmission source of the authentication request is received from the client computer, the identifier of the client computer is extracted from the received authentication result request,
With reference to at least one of the user information and the authentication user agent address correspondence information, a result of the authentication request received from the client computer identified by the extracted identifier is determined;
57. The authentication computer according to claim 54 or 56, wherein the determined result is transmitted to a client computer that is a transmission source of the received authentication result request. The processor is
When an authentication request is received from the client computer, an identifier of the received authentication request is generated,
Sending the generated authentication request identifier to the client computer;
Receiving an authentication result request including an identifier of the authentication request from the client computer;
Extract the authentication request identifier from the received authentication result request,
With reference to at least one of the user information and the authentication user agent address correspondence information, a result of an authentication request identified by the extracted identifier is determined;
56. The authentication computer according to claim 55, wherein the determined result is transmitted to a client computer that is a transmission source of the received authentication result request. The user information further includes a correspondence between the user and information unique to the user,
The processor is
Referring to the user information to identify unique information corresponding to the identified user;
Receiving user-specific information from the client computer;
57. When the specified unique information matches the received unique information, it is determined that the result of the received authentication request is authenticable. 57. Authentication calculator.   68. The authentication computer according to claim 67, wherein the unique information of the user includes at least one of a user identifier, a personal identification number, a card number owned by the user, and user biometric information. And connected to a WEB computer that transmits a WEB page to the client computer,
56. The authentication computer according to claim 54 or 55, wherein the processor processes an authentication request for the client computer to access the WEB computer. The user information further includes correspondence between the user and a credit card owned by the user,
The processor is
Refer to at least one of the user information and the authentication user agent address correspondence information, determine the result of the received authentication request,
When it is determined that the received authentication request result can be authenticated, the credit card corresponding to the identified user is identified with reference to the user information,
Perform credit examination for the identified credit card,
57. The authentication computer according to any one of claims 54 to 56, wherein if the result of credit examination is good, the credit card settlement is permitted. The user information further includes a correspondence between the user and the user's account,
The processor is
Refer to at least one of the user information and the authentication user agent address correspondence information, determine a result of the received authentication request, and determine that the received authentication request can be authenticated, refer to the user information Identify an account corresponding to the identified user;
56. The authentication computer according to claim 54 or 55, wherein a transaction for the identified account is executed.   57. The authentication computer according to claim 54, wherein the client computer is a personal computer, a reader device that reads card information, or an ATM.   57. The authentication computer according to any one of claims 54 to 56, wherein the authentication computer is a WEB server. The processor is
Upon receiving an authentication request from the client computer, a new user agent address that can be received by the authentication computer is created,
By assigning the created new user agent address to the client computer that is the transmission source of the received authentication request, among the user agent addresses that can be received by the authentication computer, any of the plurality of client computers 55. The authentication computer according to claim 54, wherein an unassigned user agent address is assigned to a client computer that is a transmission source of the authentication request. The processor is
Upon receiving an authentication request from the client computer, a new user agent address that can be received by the authentication computer is created,
By assigning the created new user agent address to the received authentication request, a user agent that is not assigned to any of the previously received authentication requests among user agent addresses that can be received by the authentication computer. The authentication computer according to claim 55, wherein an address is assigned to the received authentication request.   The processor cancels the assignment of the created user agent address by invalidating the created user agent address when a predetermined time has elapsed since the user agent address was newly created. The authentication computer according to claim 74 or 75, wherein The processor is
Determining whether the identified source user agent address is spoofed;
57. The authentication request received from the specified client computer is determined to be unauthenticated when the specified source user agent address is camouflaged. Authentication calculator. The processor is
Determining whether the identified source user agent address is spoofed;
56. The authentication computer according to claim 55, wherein when the specified source user agent address is camouflaged, the result of the specified authentication request is determined to be unauthenticated.

Images