JP2008117325A - Authentication system, authentication computer and program - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To provide an individual authentication system of high safety and convenience. <P>SOLUTION: An authentication computer stores user information, and when receiving an authentication request from a client computer, assigns a mail address not assigned to any of previously received authentication requests out of mail addresses receivable by the authentication computer, to the received authentication request, and stores it in authentication mail address corresponding information. When receiving e-mail, the authentication computer specifies mail addresses of a transmission source and a transmission destination from the received e-mail, refers to the user information to specify a user corresponding to the specified mail address of the transmission source, refers to the authentication mail address corresponding information to specify the authentication request corresponding to the specified mail address of the transmission destination, and determines that authentication is requested from the specified user in the specified authentication request. <P>COPYRIGHT: (C)2008,JPO&INPIT

Description

The present invention relates to an authentication system, an authentication computer, and a program.

Conventionally, a combination of a user ID and a password is known as personal authentication when a user is specified and a service is provided. For example, a person who logs in to a WEB site via the Internet inputs a user ID and a password according to a WEB screen displayed on a personal computer to be operated, and transmits an authentication request to the WEB server. In addition, when a user of a financial institution withdraws a deposit at the ATM of the financial institution, a cash card is inserted into the ATM, a personal identification number is input, and an authentication request is transmitted to the authentication server. The user ID in this case is a cash card.

However, the user of the WEB site has the trouble of inputting the user ID and password according to the screen of the WEB site. In addition, this authentication method is widely used, and is adopted in Internet banking and various electronic commerce WEB sites. For this reason, user IDs and passwords to be managed by one person are increasing. If the user of the WEB site forgets the user ID or password, it is necessary to inquire the user of the user ID or password to the site operator, and the user cannot enjoy the convenience of the WEB site. Further, impersonation in which a person who is not an original user gives up a user ID and a password and performs a transaction has become a social problem. Phishing and spyware are known as means for giving up the user ID and password. Phishing is an act of providing a pseudo site that looks just like a regular WEB site, allowing the original user to input a user ID and password, and giving up the user ID and password. Spyware is software that is installed without the knowledge of the user of the personal computer, and is software that reads various user IDs and passwords input by the user and notifies the server of the eavesdropper via the Internet. When a transaction by impersonation is established by Internet banking or electronic commerce, not only the original user but also the WEB site operator will suffer serious damage due to the loss of site reliability and compensation problems.

When a user of a financial institution withdraws a deposit at the ATM of the financial institution, it is troublesome to insert a cash card into the ATM and input a personal identification number. Further, when a personal identification number is voyeurized by a voyeur camera and a cash card is stolen, a deposit is withdrawn by an impersonating user. Banks as well as depositors are severely damaged by the loss of reliability and compensation issues.

Patent Document 1 discloses a personal authentication method for authenticating a user by inputting a user ID and a password to the WEB site and dialing a specific telephone number when the user of the WEB site is authenticated.

Patent Document 2 discloses a personal authentication method for authenticating a user by inputting a telephone number as a user ID into the WEB site and dialing a specific telephone number when the user of the WEB site is authenticated. Yes.
Patent Publication 2002-229951 Patent Publication No. 2004-213440

According to the technique of Patent Document 1, impersonation can be prevented even when a user ID and a password are complied for using a caller telephone number. Further, according to the technique of Patent Document 2, impersonation can be prevented even when a spoofed telephone number is input to a WEB site in order to use a caller telephone number. However, in the techniques of Patent Literature 1 and Patent Literature 2, authentication cannot be performed when the user cannot make a dial accompanied by a caller ID notification. For example, authentication cannot be performed when the mobile phone does not receive radio waves.

Further, with the techniques of Patent Document 1 and Patent Document 2, it is impossible to accurately grasp the correspondence between the user who dialed with the caller telephone number notification and the computer operated by the user. For this reason, the techniques of Patent Document 1 and Patent Document 2 cannot provide authentication with high safety and convenience. For example, in the techniques of Patent Document 1 and Patent Document 2, a person who is not an original user may impersonate the legitimate user by inputting the user ID of the legitimate user many times. Specifically, if a legitimate user authenticates by dialing a specific telephone number and then redials the specific telephone number by mistake, the person who is not the original user is authenticated as a legitimate user. It will be.

The present invention has been made in view of the above-described problems, and an object thereof is to provide a personal authentication system with high safety and convenience.

An authentication computer that is connected to a plurality of client computers via a network and includes a processor, a memory, and an interface, wherein the processor stores user information indicating a correspondence between a user and a mail address of the user, and the client computer When the authentication request is received from the e-mail address, the e-mail address that can be received by the authentication computer is assigned to the received authentication request an e-mail address that is not assigned to any of the previously received authentication requests. Is stored in the authentication mail address correspondence information, and when an e-mail is received, the destination e-mail address and the source e-mail address are determined from the received e-mail. Identify and refer to the user information to identify the A user corresponding to the e-mail address of the transmission source is identified, an authentication request corresponding to the e-mail address of the specified transmission destination is identified with reference to the authentication e-mail address correspondence information, and the identified authentication request Then, it is determined that authentication is requested by the specified user.

According to the exemplary embodiment of the present invention, the safety and convenience of the personal authentication system can be improved.

Embodiments of the present invention will be described with reference to the drawings. Note that a general-purpose embodiment of the present invention will be described as the first embodiment. Next, as the second embodiment, a specific embodiment in which the first embodiment is used for a WEB site will be described. Next, as the third embodiment, a specific embodiment for easily introducing the second embodiment into an existing WEB server will be described. Next, as the fourth embodiment, a specific embodiment in which the third embodiment is used for Internet credit card settlement will be described. Next, as a fifth embodiment, a specific embodiment in which the first embodiment is used for an ATM of a financial institution will be described. Next, as a sixth embodiment, a specific embodiment in which the first embodiment is used for credit card payment at a store will be described. Next, as the seventh embodiment, a specific embodiment in which the first embodiment is used for connection to an in-house intranet will be described. Next, as an eighth embodiment, a specific embodiment in which the first embodiment is used for connecting a thin client to a centralized server will be described. Next, a specific embodiment in which the first embodiment is used for public wireless LAN connection will be described as a ninth embodiment. Next, as a tenth embodiment, a general-purpose embodiment using a client ID that is an identifier of a client device instead of an authentication request ID will be described.

(First embodiment)
FIG. 1 is a schematic configuration diagram of a personal authentication system according to the first embodiment. The personal authentication system shown in FIG. 1 includes a plurality of client devices 10 and a mail authentication device 3. The client device 10 is a computer operated by a user who is going to be authenticated. The client device 10 is connected to the network 9. Details of the client device 10 will be described with reference to FIG. The network 9 is a data communication network such as a leased line network, a public switched telephone line network, or a LAN. The network 9 may be an internal network or the Internet. The mail authentication device 3 is connected to the client device 10 via the network 9. Specifically, the mail authentication device 3 is connected to the client device 10 via the Internet or an internal network. The mail authentication device 3 may include an Internet interface and an internal network interface. In this case, the mail authentication device 3 is connected to some client devices 10 via the Internet, and further connected to some other client devices 10 via an internal network. Details of the mail authentication device 3 will be described with reference to FIG. For the sake of clarity, the authentication process for one client apparatus 10 will be described in the personal authentication system of the first embodiment. In practice, the mail authentication device 3 authenticates a plurality of client devices 10 via the network 9. That is, the mail authentication device 3 can receive authentication requests from a plurality of client devices 10. In FIG. 1, five client apparatuses 10 are illustrated, but any number of personal authentication systems may be provided.

FIG. 2 is a block diagram of a configuration of the client device 10 included in the personal authentication system according to the first embodiment. The client device 10 is physically a computer system including a transmission / reception unit 11, a central processing unit 12, a main storage device 13, an auxiliary storage device 14, an input device (not shown), a display device (not shown), and the like. . The transmission / reception unit 11 is an interface that is connected to the network 9 and transmits / receives data to / from an external device (the mail authentication device 3). The central processing unit 12 is, for example, a CPU. The central processing unit 12 performs various processes by executing programs stored in the main storage device 13. The main storage device 13 is, for example, a memory. The main storage device 13 stores programs executed by the central processing unit 12, information required by the central processing unit 12, and the like. The auxiliary storage device 14 is, for example, a hard disk. The auxiliary storage device 14 stores various information. The input device is, for example, a mouse, a keyboard, or a touch panel. Various information is input to the input device from the user. The display device is a display. The display device displays information instructed to be displayed from the central processing unit 12. The client device 10 may be in any form as long as it includes the transmission / reception unit 11, the central processing unit 12, and the main storage device 13. For example, the client device 10 is a personal computer, a server, a mobile phone, an ATM, or the like.

The client device 10 transmits an authentication email address acquisition request to the email authentication device 3 by a user operation. Then, the client device 10 receives the authentication email address from the email authentication device 3. Details of the authentication email address will be described later.

The client device 10 transmits an e-mail addressed to the authentication e-mail address in response to a user operation.

The client device 10 transmits an authentication request including the authentication email address to the email authentication device 3. Note that the authentication request may include the entire authentication mail address or may include a part of the authentication mail address. The client device 10 may transmit an authentication request in response to a user operation, or may transmit an authentication request at regular intervals.

The client device 10 receives the authentication result from the mail authentication device 3.

FIG. 3 is a block diagram of a configuration of the mail authentication device 3 provided in the personal authentication system of the first embodiment. The mail authentication device 3 is physically a computer system including a transmission / reception unit 31, a central processing unit 32, a main storage device 33, an auxiliary storage device 34, an input device (not shown), a display device (not shown), and the like. is there. The mail authentication device 3 is assigned an IP address and a domain (DOMAIN) for receiving electronic mail. The transmission / reception unit 31 is an interface that is connected to the network 9 and transmits / receives data to / from an external device (client device 10). The central processing unit 32 is, for example, a CPU. The central processing unit 32 performs various processes by executing programs stored in the main storage device 33. The main storage device 33 is, for example, a memory. The main storage device 33 stores a program executed by the central processing unit 32, information required by the central processing unit 32, and the like. The auxiliary storage device 34 is, for example, a hard disk. The auxiliary storage device 34 stores various information. The input device is, for example, a mouse, a keyboard, or a touch panel. Various information is input to the input device from the administrator. The display device is a display. On the display device, information instructed to be displayed from the central processing unit 32 is displayed. The mail authentication device 3 may be in any form as long as it includes the transmission / reception unit 31, the central processing unit 32, and the main storage device 33. For example, the mail authentication device 3 is a personal computer or a server.

FIG. 4 is a functional block diagram of the mail authentication device 3 according to the first embodiment. The auxiliary storage device 34 of the mail authentication device 3 stores the authentication program 300 of the first embodiment. When the authentication program 300 of the first embodiment is executed, the main storage device 33 of the mail authentication device 3 includes a main module 331, an authentication mail address acquisition request reception module 3321, an authentication request reception module 3322, and an authentication mail. An address generation module 334, an authentication mail address transmission module 335, a mail reception module 336, a received mail reading module 337, an authentication module 338, and an authentication result transmission module 339 are stored.

The main module 331 includes an authentication mail address acquisition request reception module 3321, an authentication request reception module 3322, an authentication mail address generation module 334, an authentication mail address transmission module 335, a mail reception module 336, a received mail reading module 337, and an authentication module. 338 and the authentication result transmission module 339 are integrated.

The authentication email address acquisition request reception module 3321 receives an authentication email address acquisition request from the client device 10. Upon receiving the authentication mail address acquisition request, the authentication mail address acquisition request reception module 3321 requests the authentication mail address generation module 334 to generate an authentication mail address.

The authentication request receiving module 3322 receives an authentication request from the client device 10. When receiving the authentication request, the authentication request receiving module 3322 requests the authentication module 338 to perform authentication.

Upon receiving a request from the authentication mail address acquisition request receiving module 3321, the authentication mail address generation module 334 newly generates a mail address that can be received by the mail authentication device 3. Then, the authentication email address generation module 334 passes the generated email address to the authentication email address transmission module 335 as the authentication email address. The authentication e-mail address generation module 334 may discard the authentication e-mail address when a predetermined time has elapsed since the generation of the authentication e-mail address. When the authentication mail address is discarded, the mail authentication device 3 cannot receive an e-mail with the authentication mail address. Therefore, there is no spoofed access by the authentication email address. The time when the authentication mail address is discarded is left to the practitioner of the present invention.

An example of an authentication mail address generation method of the authentication mail address generation module 334 will be described. The authentication email address generation module 334 generates an authentication email address based on the domain assigned to the email authentication device 3. A case where the domain assigned to the mail authentication device 3 is “authadd.com” will be described. The authentication e-mail address generation module 334 generates a random character string based on a random number, an application ID, a generation time of the authentication e-mail address, and the like. The application ID is a unique identifier of the authentication program 300 installed in the mail authentication device 3. The application ID is generally known as a license key and will not be described in detail. For example, the authentication e-mail address generation module 334 generates a random character string “0029382”. Then, the authentication email address generation module 334 generates “0029382@authadd.com” as an authentication email address based on the generated character string “0029382” and domain “authadd.com”. Note that other methods may be used as the method for generating the authentication email address as long as the purpose is achieved.

If the mail authentication device 3 receives authentication mail address acquisition requests from a plurality of client devices 10 simultaneously, the mail authentication device 3 generates a different authentication mail address for each received authentication mail address acquisition request. Further, after receiving the first authentication email address acquisition request, the email authentication device 3 receives the second authentication email address acquisition request from the client device 10 that is the transmission source of the first authentication request. Also good. In this case, the mail authentication device 3 generates an authentication mail address different from the authentication mail address generated in response to the first authentication mail address acquisition request. As a result, the mail authentication device 3 can simultaneously process a plurality of authentication requests transmitted from the same client device 10.

Next, the authentication email address generation module 334 passes the generated authentication email address to the authentication email address transmission module 335.

The authentication e-mail address transmission module 335 transmits the authentication e-mail address accepted from the authentication e-mail address generation module 334 to the client device 10.

The mail receiving module 336 receives an electronic mail from the client device 10. The mail receiving module 336 may receive an e-mail from other than the client device 10. Next, the mail receiving module 336 acquires a destination mail address from the received electronic mail. Next, the mail receiving module 336 discards the authentication mail address that matches the acquired transmission destination mail address. As a result, the mail authentication device 3 cannot receive an e-mail addressed to the discarded authentication e-mail address. Note that the mail receiving module 336 may determine whether or not the mail address of the transmission source of the received electronic mail has been camouflaged. The received mail reading module 337 performs processing only when the mail receiving module 336 determines that the sender's mail address is not impersonated. It should be noted that impersonation of the sender mail address may be determined by any method.

The received mail reading module 337 acquires the transmission source mail address and the transmission destination mail address from the electronic mail received by the mail reception module 336. Subsequently, the received mail reading module 337 creates a new record in the mail address correspondence table 341 (FIG. 5). Next, the received mail reading module 337 stores the transmission destination mail address acquired from the electronic mail in the transmission destination mail address 3412 of the created new record. Next, the received mail reading module 337 stores the transmission source mail address acquired from the electronic mail in the transmission source mail address 3413 of the created new record.

FIG. 5 is a configuration diagram of the mail address correspondence table 341 stored in the auxiliary storage device 34 of the mail authentication device 3 according to the first embodiment. The mail address correspondence table 341 includes a transmission destination mail address 3412 and a transmission source mail address 3413. The transmission destination mail address 3412 is a transmission destination mail address of the electronic mail received by the mail authentication device 3. The sender email address 3413 is a sender email address of the email received by the email authentication device 3. In the present embodiment, the destination mail address 3412 is used to identify the client computer 10 operated by the user who requests authentication from among the many client computers 10 connected to the mail authentication device 3. Is done. The sender mail address 3413 is used to specify a user who requests authentication.

The authentication module 338 receives an authentication request including an authentication mail address from the client device 10. The authentication request may include a part of the authentication email address or may include the entire authentication email address. For example, a part of the authentication email address is a character string excluding the domain of the authentication email address. The client device 10 may use any method as long as it can notify the mail authentication device 3 of the authentication mail address corresponding to the authentication request together with the authentication request. For example, the communication session ID for transmitting the authentication request may include a part or all of the authentication mail address. The session ID is an identifier for identifying communication between the WEB server and the WEB browser. The generation and management of the session ID is a function of a normal WEB server and a normal WEB browser. Therefore, detailed description of the session ID is omitted.

Subsequently, the authentication module 338 acquires an authentication mail address from the received authentication request. Next, the authentication module 338 selects, from the mail address correspondence table 341, a record in which the acquired authentication mail address matches the destination mail address 3412 of the mail address correspondence table 341. As a result, the authentication module 338 grasps the correspondence between the authentication request and the e-mail, which are completely separate communications. That is, the authentication module 338 specifies an e-mail corresponding to the received authentication request from e-mails received by the mail receiving module 336. Subsequently, the authentication module 338 extracts the transmission source mail address 3413 from the selected record. That is, the authentication module 338 specifies the source address of the e-mail corresponding to the received authentication request. The authentication module 338 determines that authentication is not possible when the source mail address 3413 cannot be extracted.

Next, the authentication module 338 selects, from the user management table 342, a record in which the extracted transmission source mail address 3413 matches the mail address 3422 of the user management table 342 (FIG. 6). Details of the user management table 342 will be described later. The authentication module 338 determines that authentication is not possible when a record with a matching email address cannot be selected. On the other hand, the authentication module 338 determines that authentication is possible when a record with a matching email address can be selected. Then, the authentication module 338 delivers the authentication result to the authentication result transmission module 339 as an authentication result. As a result, the authentication module 338 can specify the user who operates the computer that issued the authentication request. Specifically, the authentication module 338 extracts the user ID 3421 from the selected record. Then, the authentication module 338 determines that the computer that issued the authentication request is operated by the user identified by the extracted user ID 3421. Note that the authentication module 338 may include user-specific information corresponding to the extracted user ID 3421 in the authentication result.

FIG. 6 is a configuration diagram of the user management table 342 stored in the auxiliary storage device 34 of the mail authentication device 3 according to the first embodiment. The user management table 342 includes a user ID 3421 and a mail address 3422. The user ID 3421 is a unique identifier of a user who is authenticated by the mail authentication device 3 of the first embodiment. The mail address 3422 is a user's electronic mail address identified by the user ID 3421 of the record. Normally, the email address 3422 is an email address that can be used only by the user identified by the user ID 3421 of the record. Because e-mail contains private content, many individuals have their own e-mail addresses. Note that the user management table 342 may hold other information unique to the user. The user-specific information includes, for example, at least one of a user name, password, credit card number, cash card number, user biometric information, schedule table, operation history, and deposit balance. That is, in the user management table 342, user-specific information is managed corresponding to the user ID 3421.

The user of the mail authentication device 3 according to the first embodiment registers the user ID 3421 and the mail address 3422 in the user management table 342 in advance by a predetermined method. Note that when the mail address 3422 is used as the user ID, the user ID 3421 can be omitted.

The authentication result transmission module 339 transmits the authentication result determined by the authentication module 338 to the client device 10. When the authentication module 338 determines that authentication is possible, the authentication result transmission module 339 may transmit an authentication result accompanied with user-specific information corresponding to the user ID 3421.

Next, processing of the personal authentication method of the first embodiment will be described with reference to the drawings. FIG. 7 is a sequence diagram of processing of the personal authentication method according to the first embodiment.

The client apparatus 10 transmits an authentication mail address acquisition request to the mail authentication apparatus 3 via the network 9 in response to a user operation (ST111).

Then, authentication mail address acquisition request receiving module 3321 receives an authentication mail address acquisition request from client device 10 (ST112). Next, the authentication mail address acquisition request reception module 3321 requests the authentication mail address generation module 334 to generate an authentication mail address.

When receiving the request for generating the authentication mail address, the authentication mail address generating module 334 generates the authentication mail address (ST114). Next, the authentication email address generation module 334 passes the generated authentication email address to the authentication email address transmission module 335.

The authentication email address transmission module 335 accepts the authentication email address from the authentication email address generation module 334. Next, the authentication mail address transmission module 335 transmits the accepted authentication mail address to the client device 10 via the network 9 (ST116).

The client device 10 receives the authentication email address from the email authentication device 3 (ST117).

The client apparatus 10 transmits an e-mail addressed to the authentication e-mail address via the network 9 in response to a user operation (ST118).

Then, the mail receiving module 336 receives an electronic mail from the client device 10 (ST119). Next, the mail receiving module 336 acquires a destination mail address from the received electronic mail. Next, the mail receiving module 336 discards the authentication mail address that matches the acquired mail address. At this time, the mail receiving module 336 may determine whether or not the mail address of the transmission source of the received electronic mail has been camouflaged. The received mail reading module 337 performs processing only when the mail receiving module 336 determines that the sender's mail address is not impersonated.

Subsequently, the received mail reading module 337 acquires the transmission source mail address and the transmission destination mail address from the electronic mail received by the mail reception module 336. Next, the received mail reading module 337 creates a new record in the mail address correspondence table 341. Next, the received mail reading module 337 stores the acquired transmission destination mail address in the transmission destination mail address 3412 of the created new record. Next, the received mail reading module 337 stores the acquired sender mail address in the sender mail address 3413 of the created new record (ST120).

On the other hand, the client device 10 transmits an authentication request including part or all of the authentication mail address to the mail authentication device 3 via the network 9 (ST121).

Then, authentication request receiving module 3322 receives the authentication request from client device 10 (ST122). When receiving the authentication request, the authentication request receiving module 3322 requests the authentication module 338 to perform authentication.

Subsequently, when the authentication module 338 receives an authentication request, the authentication module 338 acquires an authentication e-mail address from the authentication request received by the authentication request receiving module 3322. Next, the authentication module 338 selects, from the mail address correspondence table 341, a record in which the acquired authentication mail address matches the destination mail address 3412 of the mail address correspondence table 341. Subsequently, the authentication module 338 extracts the transmission source mail address 3413 from the selected record. Note that the authentication module 338 determines that authentication is not possible when the source mail address 3413 cannot be extracted. If the authentication module 338 determines that the authentication is impossible, the authentication module 338 delivers the authentication result to the authentication result transmission module 339 as the authentication result. On the other hand, the authentication module 338 selects, from the user management table 342, a record in which the extracted transmission source mail address 3413 matches the mail address 3422 of the user management table 342 (FIG. 6) (ST123). The authentication module 338 determines that authentication is not possible when a record with a matching email address cannot be extracted from the user management table 342. If the authentication module 338 determines that the authentication is impossible, the authentication module 338 delivers the authentication result to the authentication result transmission module 339 as the authentication result. In the first embodiment, the authentication module 338 determines that a user who is not registered in advance in the user management table 342 is not authenticated. However, the authentication module 338 may authenticate a user who is not registered in advance in the user management table 342 as a new user. In this case, the authentication module 338 generates a new user ID when the record having the same mail address cannot be extracted from the user management table 342. At this time, the authentication module 338 generates a user ID so as not to overlap with all the user IDs 3421 included in the user management table 342. Next, the authentication module 338 newly generates a record in the user management table 342. Next, the authentication module 338 stores the generated user ID in the user ID 3421 of the generated new record. Further, the authentication module 338 stores the extracted transmission source mail address 3413 in the mail address 3422 of the generated new record. As a result, the authentication module 338 associates the generated user ID with the mail address of the transmission source acquired from the electronic mail and stores them in the user management table 342. Then, the authentication module 338 authorizes the user corresponding to the destination mail address acquired from the e-mail as a new user. Note that the authentication module 338 may receive information specific to the registered user from the client device 10. Then, the authentication module 338 stores the received unique information of the user in the newly generated record. Note that the user's unique information may be included in the authentication request or may be transmitted alone.

On the other hand, the authentication module 338 determines that authentication is possible when a record having a matching email address can be selected. Next, the authentication module 338 hands over authentication to the authentication result transmission module 339 as an authentication result. As a result, the authentication module 338 can identify the user who is operating the client computer 10 that issued the authentication request. Specifically, the authentication module 338 extracts the user ID 3421 from the selected record. Then, the authentication module 338 specifies that the user operating the client computer 10 that issued the authentication request identified by the acquired user ID 3421 is a user identified by the extracted user ID 3421. Note that the authentication module 338 may include user-specific information corresponding to the extracted user ID 3421 in the authentication result.

The authentication result transmission module 339 accepts the authentication result from the authentication module 338. Next, the authentication result transmission module 339 transmits the accepted authentication result to the client device 10 via the network 9 (ST124).

Then, the client device 10 receives the authentication result from the mail authentication device 3 (ST125).

As described above, the user of the client device 10 can receive personal authentication without entering a user ID and password. Therefore, there is no risk that the user ID and password are given up. Further, the user of the client device 10 does not need to manage the user ID and password. As described above, the present embodiment does not require management of the user ID and password by the user of the client device 10. Further, it is possible to save the user from entering the user ID and password. Furthermore, there is no risk of the user ID and password being praised. That is, the personal authentication system of this embodiment can authenticate a user safely and conveniently.

In this embodiment, the mail authentication device 3 is configured by a single device, but may be configured by a plurality of devices depending on the scale of the service to be provided. In this case, the devices constituting the mail authentication device 3 are connected to each other via an appropriate data transfer path. Further, the mail authentication device 3 may be composed of a plurality of devices for each function. For example, the mail authentication device 3 generates an authentication email address and receives an email, a device that receives an authentication email address acquisition request and an authentication request, and transmits an authentication email address and an authentication result. Consists of. Also in this case, the devices constituting the mail authentication device 3 are connected to each other via an appropriate data transfer path. Information including an authentication e-mail address and an e-mail e-mail address is delivered between apparatuses via the data transfer path.

Here, the maximum feature of this embodiment will be described. The mail authentication device 3 receives the authentication request. The mail authentication device 3 can specify the correspondence between the received electronic mail and the received authentication request based on the authentication mail address included in the received authentication request. That is, the authentication mail address is uniquely assigned to one authentication request and is also used as an identifier of the authentication request. Further, the mail authentication device 3 specifies a user who is to be authenticated based on the mail address of the transmission source of the electronic mail corresponding to the authentication request. In this way, the mail authentication device 3 can specify the correspondence between the authentication request and the user who requests authentication based on the authentication request. Thus, in the present embodiment, the mail authentication device 3 can realize authentication even though the user ID is not included in the authentication request. In the authentication method using the user ID and password, the user ID and password are included in the authentication request. On the other hand, the mail authentication device 3 of the present embodiment specifies a user who is to be authenticated by electronic mail. Then, the mail authentication device 3 specifies the client device operated by the specified user. Accordingly, the mail authentication device 3 can perform authentication even if the user ID is not included in the authentication request.

In the present embodiment, the client apparatus 10 receives the authentication mail address from the mail authentication apparatus 3 and transmits an electronic mail to the received authentication mail address. However, it may be as follows. The client device 10 displays the authentication email address received from the email authentication device 3 on the display device. Subsequently, the user may transmit an e-mail addressed to the authentication e-mail address from the second client apparatus 10 different from the client apparatus 10 displaying the authentication e-mail address. In this case, the authenticated user is a user corresponding to the transmission source mail address of the email transmitted from the second client device 10. Then, the client device 10 displaying the authentication mail address receives the authentication result from the mail authentication device 3. For example, the client device 10 that displays an authentication mail address is a personal computer, and the second client device 10 that transmits an e-mail is a mobile phone that is connected to the Internet and can transmit an e-mail.

By the way, in the above-described embodiment, the user of the client device 10 uses electronic mail in order to receive authentication. The user of the client device 10 may use communication by SIP (Session Initiation Protocol) to receive authentication. In this case, the client device 10 has the function of a SIP user agent. Further, the mail authentication device 3 has a SIP user agent function and a SIP server function. Then, the mail authentication device 3 generates an authentication user agent address instead of the authentication mail address. The authentication user agent address is an address for the mail authentication apparatus 3 to receive communication based on SIP. Since the address system is the same as that of electronic mail, detailed description is omitted. The method for generating the authentication user agent address may be the same as the method for generating the authentication mail address. The mail authentication device 3 generates an authentication user agent address and notifies the client device 10 of it. The client device 10 transmits signaling to an authentication user agent address by SIP in response to a user operation. The mail authentication device 3 receives signaling from the client device 10. The mail authentication device 3 extracts the source user agent address and the destination user agent address from the received signaling. Next, the mail authentication device 3 stores the correspondence between the acquired destination user agent address and the authentication user agent address in the authentication mail address correspondence table in the user agent address correspondence table. On the other hand, the client device 10 transmits an authentication request including part or all of the authentication user agent address to the mail authentication device 3. The mail authentication device 3 receives an authentication request from the client device 10. The mail authentication device 3 extracts an authentication user agent address from the received authentication request. Next, the mail authentication device 3 selects from the user agent address correspondence table a record in which the extracted authentication user agent address matches the destination user agent address in the user agent address correspondence table. Next, the mail authentication device 3 extracts the transmission source user agent address from the selected record. Next, the mail authentication apparatus 3 selects a record in which the extracted transmission source user agent address matches the user agent address of the user in the user management table. Here, the mail authentication device 3 determines whether or not a record having a matching user agent address can be selected from the user management table. If it can be selected, the mail authentication device 3 determines that authentication is possible. Then, the mail authentication device 3 can specify the user who issued the authentication request. Specifically, the mail authentication device 3 extracts the user ID from the selected record. Then, the mail authentication device 3 specifies that the issuer of the received authentication request is a user identified by the extracted user ID. Note that the mail authentication device 3 may include user-specific information corresponding to the extracted user ID in the authentication result. In all the embodiments, SIP communication may be used instead of e-mail.

By the way, since the security against the impersonation of the present invention depends on the strength against the impersonation of the e-mail, the impersonation of the e-mail will be described.

First, the case where the sender of the e-mail is camouflaged will be described. A forged person can impersonate an original user who possesses a forged email address if the sender of the electronic mail is forged and authenticated by the mail authentication device 3 of the first embodiment. Therefore, the mail receiving module 336 is equipped with a mail receiving function in accordance with SPF (Sender Policy Framework). SPF is a technique for an electronic mail server to detect forged mail. The mail reception module 336 requests a DNS (Domain Name Server) inquiry about the domain of the received electronic mail. Then, the mail reception module 336 determines whether or not the email address of the email transmission source is spoofed by checking the inquiry result by DNS and the IP address of the email transmission source. It should be noted that the forged mail detection technology employed by the mail receiving module 336 may be another method such as DKIM as long as the purpose is achieved.

Next, a case where an electronic mail transmission destination is camouflaged will be described. Even if the camouflager impersonates the transmission destination of the electronic mail and is authenticated by the mail authentication device 3 of the first embodiment, it cannot impersonate the other person. Rather, others impersonate impersonators. The other person who impersonates a camouflage is a person who operates the client apparatus that has received the same mail address as the mail address for fake transmission as an authentication mail address. Therefore, even if the camouflager disguises the transmission destination of the e-mail, no profit can be obtained. Further, since the authentication email address is generated by a random number or the like, the camouflaged email address rarely matches the authentication email address.

Here, authentication in the present invention will be described. Authentication in the present invention includes not only a general concept but also authentication in a broad sense. Specifically, the authentication in the present invention is verification of whether or not the user has the right to use the service provided by the personal authentication system. The personal authentication system of the present invention can identify a user who uses a client device and provide a service corresponding to each identified user. Therefore, the authentication request in the present invention is a request for verifying whether the user has the right to use the service provided by the personal authentication system. For example, the authentication request is a request for logging in to the WEB page. In this case, the mail authentication device 3 may be a WEB server or an authentication-dedicated device that receives an authentication request from the WEB server. The authentication request is a request for credit card settlement on the WEB page. In this case, the mail authentication device 3 may be a WEB server that performs credit card payment, or may be a dedicated authentication device that receives an authentication request from the WEB server. The authentication request is a request for withdrawal of a deposit, repayment of a borrowing or borrowing of a borrowing in an ATM. In this case, the client device 10 is an ATM. The second client device 10 for transmitting electronic mail is a portable terminal such as a mobile phone. Furthermore, the mail authentication device 3 is a management server that manages settlement in ATM. The authentication request is a request for credit card payment at the store. In this case, the client device 10 is a reader device that reads credit card information. The second client device 10 for transmitting electronic mail is a portable terminal such as a mobile phone. Furthermore, the mail authentication device 3 is a management server that manages payment of a credit card in the reader device. The authentication request is a request for debit card settlement. In this case, the client device 10 is a reader device that reads information of the debit card. The second client device 10 for transmitting electronic mail is a portable terminal such as a mobile phone. Furthermore, the mail authentication device 3 is a management server that manages settlement of debit cards in the reader device. The authentication request is a request for borrowing after payment with the public utility fee. In this case, the client device 10 is an ATM. The second client device 10 for transmitting electronic mail is a portable terminal such as a mobile phone. Furthermore, the mail authentication device 3 is a management server that manages borrowing in the ATM. The authentication request is a request for payment of unpaid utility bills. In this case, the client device 10 is an information terminal installed in a convenience store or the like. The second client device 10 for transmitting electronic mail is a portable terminal such as a mobile phone. Furthermore, the mail authentication device 3 is a management server that manages the information terminal. The authentication request is a request for connection to the in-house intranet. In this case, the mail authentication device 3 is a management server that manages the intranet in the company. The authentication request is a request for connection to a server by a thin client (THIN CLIENT). In this case, the mail authentication device 3 is a management server that manages the connection between the thin client device and the server. The authentication request is a request for connection to a wireless LAN access point. In this case, the mail authentication device 3 is a management server that manages the connection between the client device 10 and the access point. Although the authentication request of the present embodiment does not include a user ID and a password, the mail authentication device 3 can perform an authentication process. The mail authentication device 3 may improve safety by executing a conventional authentication process in combination with the authentication process of the present embodiment. For example, the mail authentication device 3 may authenticate by collating unique information of the user together with the authentication process of the present embodiment. The user-specific information includes, for example, at least one of a user name, a password, a credit card number, a cash card number, a user's biometric information, a mail address, and a telephone number. However, the user-specific information is preferably other than the mail address registered in the mail address 3422 of the user management table 342. This is because the Service-to-Self who wants to be authenticated by impersonation knows the mail address registered in the user management table 342, and thus does not increase the security of the authentication system of this embodiment. Next, a specific example of an authentication method for verifying user-specific information will be described. Specifically, the mail authentication device 3 may authenticate by checking at least one of a user ID and a password. In this case, the mail authentication device 3 stores in advance the correspondence between the user ID and the user's unique information. On the other hand, a user who wants to receive authentication inputs user-specific information to the client device 10. The input here includes not only the operation of a keyboard or the like but also the reading of a card by a card reader. That is, any client device 10 may be used as long as it can acquire user-specific information. The input timing of the user's unique information may be any time. The client device 10 transmits the input user-specific information to the mail authentication device 3. The client device 10 may transmit the input user-specific information in the authentication mail address acquisition request, may be transmitted in the authentication request, or may be transmitted alone. Also good. The mail authentication device 3 receives user-specific information from the client device 10. The authentication module 338 of the mail authentication device 3 identifies the user who issued the authentication request in step ST123 of the personal authentication method processing (FIG. 7). Next, the mail authentication device 3 specifies user-specific information stored corresponding to the specified user ID of the user. Next, the authentication module 338 of the mail authentication device 3 determines whether or not the specified unique user information matches the unique user information received from the client device 10. Then, the mail authentication device 3 determines that authentication is possible when the unique information of the two users matches. On the other hand, the mail authentication device 3 determines that authentication is not possible when the unique information of the two users does not match.

Further, the user of the present embodiment may be a computer instead of a person. For example, the computer may be authenticated as a user.

(Second Embodiment)
Although the personal authentication system of the second embodiment will be described below, the same reference numerals are used for portions that overlap with the personal authentication system of the first embodiment, and description thereof is omitted.

FIG. 8 is a schematic configuration diagram of the personal authentication system according to the second embodiment. The personal authentication system shown in FIG. 8 includes a client device 9010 and a mail authentication WEB device 903. The client device 9010 is a computer operated by a user who is going to be authenticated. The client device 9010 is connected to the network 9. In the third embodiment, the network 9 is the Internet. Since the configuration of the client device 9010 is the same as that of the client device 10 (FIG. 2) provided in the personal authentication system of the first embodiment, a description thereof will be omitted. The client device 9010 may take any form as long as it includes a transmission / reception unit, a central processing unit, and a main storage device. For example, the client device 9010 is a personal computer, server, mobile phone, ATM, or the like. However, when the mobile phone is the client device 9010, it has a WEB browser function. The mail authentication WEB device 903 is connected to the client device 9010 via the network 9. The mail authentication WEB apparatus 903 has a WEB server function and a mail receiving server function. Since the configuration of the mail authentication WEB apparatus 903 is the same as that of the mail authentication apparatus 3 (FIG. 3) provided in the personal authentication system of the first embodiment, the description thereof is omitted. For the sake of clarity, the authentication process for one client device 9010 will be described in the personal authentication system of the second embodiment. In practice, the mail authentication WEB device 903 authenticates a plurality of client devices 9010 via the network 9. Although FIG. 8 illustrates five client devices 9010 (three personal computers and two mobile phones), any number of personal authentication systems may be provided.

Since the function of the client device 9010 is the same as that of the client device 10 provided in the personal authentication system of the first embodiment, the description thereof is omitted. Specifically, the client device 9010 transmits an authentication request and an authentication request to the mail authentication WEB device 903 by HTTP. Also, the client device 9010 receives the authentication email address and the authentication result from the email authentication WEB device 903 by HTTP.

FIG. 9 is a functional block diagram of the mail authentication WEB apparatus 903 according to the second embodiment. The auxiliary storage device of the mail authentication web device 903 stores the authentication program 90300 of the second embodiment. When the authentication program 90300 of the second embodiment is executed, the main module of the mail authentication WEB apparatus 903 includes a main module 331, an authentication mail address acquisition request reception module 3321, an authentication request reception module 3322, and an authentication mail. An address generation module 334, an authentication mail address transmission module 90335, a mail reception module 336, a received mail reading module 337, an authentication module 338, and an authentication result transmission module 90339 are stored.

The authentication mail address transmission module 90335 has the same function as the authentication mail address transmission module 335 provided in the mail authentication device 3 of the first embodiment. The authentication result transmission module 90339 has the same function as the authentication result transmission module 339 provided in the mail authentication device 3 of the first embodiment. The other modules are the same as those provided in the mail authentication device 3 of the first embodiment, and thus description thereof is omitted.

The authentication mail address transmission module 90335 generates a WEB page including the authentication mail address in addition to the function of the authentication mail address transmission module 335. The authentication mail address transmission module 90335 transmits the generated WEB page to the client device 9010.

A web page (not shown) generated by the authentication mail address transmission module 90335 includes an authentication mail address and an authentication request button, and is displayed on the client device 9010. The authentication request button accepts an instruction to send an authentication request from the user. In other words, when the authentication request button is operated by the user, the client device 9010 transmits an authentication request to the mail authentication WEB device 903. Note that the WEB page generated by the authentication mail address transmission module 90335 may not include the authentication request button. In this case, the client apparatus 9010 transmits an authentication request to the mail authentication WEB apparatus 903 at regular intervals without triggering a user operation.

The authentication result transmission module 90339 generates a WEB page including the authentication result by the authentication module 338 in addition to the function of the authentication result transmission module 339. The authentication result transmission module 90339 transmits the generated WEB page to the client device 9010 as an authentication result. If the authentication result can be authenticated, the WEB page generated by the authentication result transmission module 90339 may include user-specific information corresponding to the user ID. The user-specific information includes, for example, at least one of a user name, password, credit card number, cash card number, user biometric information, schedule table, operation history, and deposit balance.

Next, the personal authentication method of the second embodiment will be described with reference to the drawings. FIG. 10 is a sequence diagram of processing of the personal authentication method of the second embodiment. The personal authentication method of the second embodiment (FIG. 10) is compared with the personal authentication method of the first embodiment (FIG. 7). The personal authentication method of the second embodiment includes ST90116 instead of ST116. Also, the personal authentication method of the second embodiment includes ST90124 instead of ST124. The processing of the personal authentication method of the second embodiment is the same as that of the personal authentication method of the first embodiment (FIG. 7), except for ST90116 and ST90124. Therefore, description of steps other than ST90116 and ST90124 will be omitted.

ST90116 will be described. The authentication email address transmission module 90335 accepts the authentication email address generated by the authentication email address generation module 334 from the authentication email address generation module 334. Next, the authentication email address transmission module 335 generates a WEB page including the accepted authentication email address. Next, authentication mail address transmission module 90335 transmits the generated WEB page to client apparatus 9010 via network 9 (ST90116).

Next, ST90124 will be described. The authentication result transmission module 90339 accepts the authentication result from the authentication module 338. Next, the authentication result transmission module 90339 generates a WEB page including the accepted authentication result. Next, the authentication result transmission module 90339 transmits the generated WEB page to the client device 9010 via the network 9 (ST90124). Note that the authentication result transmission module 90339 may generate a WEB page including user-specific information corresponding to the user ID, and transmit the generated WEB page.

As described above, the user of the client device 9010 can receive personal authentication without entering a user ID and password. Therefore, there is no risk that the user ID and password are given up. Further, the user of the client device 9010 does not need to manage the user ID and password. In this way, this embodiment makes it unnecessary to manage the user ID and password by the user of the WEB site. Further, it is possible to save the user from entering the user ID and password. Furthermore, there is no risk of the user ID and password being given up due to phishing or spyware. That is, the personal authentication system of this embodiment can authenticate a user safely and conveniently.

(Third embodiment)
In the following, the personal authentication system of the third embodiment will be described. However, the same reference numerals are used for portions that overlap the personal authentication system of the first embodiment or the personal authentication system of the second embodiment. Omitted.

The mail authentication WEB apparatus 903 provided in the personal authentication system of the second embodiment includes an authentication function and a WEB page transmission function including user-specific information. At this time, in order to change the conventional WEB server to have the function of the mail authentication WEB apparatus 903, it is essential to change the program of the WEB server. On the other hand, in the third embodiment, an embodiment in which the personal authentication method of the present invention can be easily introduced to a conventional WEB server will be described. A conventional WEB server provided in the personal authentication system of the third embodiment is referred to as an introduction WEB server 5.

FIG. 11 is a schematic configuration diagram of a personal authentication system according to the third embodiment. The personal authentication system shown in FIG. 11 includes a plurality of client devices 10, a plurality of mobile phones 60, an introduction WEB server 5, and a mail authentication dedicated WEB device 943. The client device 10 is a computer operated by a user who is going to be authenticated. The client device 10 is connected to the network 9. Since the configuration of the client device 10 is the same as that of the client device 10 (FIG. 2) provided in the personal authentication system of the first embodiment, the description thereof is omitted. The mobile phone 60 is operated by a user who is going to be authenticated. The mobile phone 60 is equipped with a WEB browser. The mobile phone 60 is equipped with an e-mail transmission function. The mobile phone 60 is connected to the network 9. The introduction WEB server 5 is connected to the client device 10 and the mobile phone 60 via the network 9. In the present embodiment, the network 9 is the Internet. The introduction WEB server 5 is a conventional WEB server. For example, the introduction WEB server 5 receives a login from the user of the client device 10. Then, the introduction WEB server 5 transmits a WEB page including user-specific information to the client device 10. Specifically, the introduction WEB server 5 transmits a member WEB page corresponding to the user ID. The mail authentication dedicated WEB device 943 is connected to the client device 10 and the mobile phone 60 via the network 9. The mail authentication dedicated WEB device 943 has a WEB server function and a mail receiving server function. Since the configuration of the email authentication dedicated WEB device 943 is the same as that of the email authentication device 3 (FIG. 3) provided in the personal authentication system of the first embodiment, a description thereof will be omitted. In FIG. 11, three client apparatuses 10 are illustrated, but any number of personal authentication systems may be provided. Further, although two mobile phones 60 are illustrated, any number of personal authentication systems may be provided.

For the sake of clarity, in the description of the personal authentication system of the third embodiment, it is assumed that the domain “dunyu.jp” is assigned to the introduction WEB server 5. Further, it is assumed that the domain “ninsho.jp” is assigned to the mail authentication dedicated WEB device 943.

Since the functional configuration of the client device 10 is the same as that of the client device 10 provided in the personal authentication system of the first embodiment, the description thereof is omitted. Note that the client device 10 transmits an authentication mail address acquisition request to the mail authentication dedicated WEB device 943, not to the introduction WEB server 5. Thereafter, the client device 10 receives the authentication email address from the email authentication dedicated WEB device 943. Further, the client device 10 transmits an e-mail to the mail authentication-dedicated WEB device 943 by transmitting an e-mail to the authentication e-mail address. Then, the client apparatus 10 transmits an authentication request including part or all of the authentication mail address to the mail authentication dedicated WEB apparatus 943.

The client device 10 has the following functions in addition to the functions of the client device 10 provided in the personal authentication system of the first embodiment. The client device 10 transmits a request for a login WEB page to the introduction WEB server 5 in response to a user operation. In addition, the client device 10 transmits a request for a member WEB page to the introduction WEB server 5 by using information included in the WEB page indicating the authentication result received from the mail authentication dedicated WEB device 943.

The introduction WEB server 5 receives a request for a login WEB page from the client device 10. Then, the introduction WEB server 5 transmits the requested login WEB page to the client device 10. The login WEB page includes authentication site information. The authentication site information is information that prompts the client apparatus 10 to transmit an authentication request to the mail authentication dedicated WEB apparatus 943. The authentication site information includes a return URL. The return URL is a URL to which the client device 10 transmits a request for a member WEB page after the authentication by the mail authentication dedicated WEB device 943 is completed. Here, an example of authentication site information is shown. For example, the authentication site information is “<SCRIPT SRC = 'http: //www.ninsho.jp/index.php? Rurl = http: //www.dunyu.jp/member.php'> </ SCRIPT>”. is there. The URL after “rurl =” is the return URL. Also, for example, the authentication site information is “<A HREF='http://www.ninsho.jp/index.php?rurl=http://www.dunyu.jp/member.php'> Click here for authentication < / A> ". The URL after “rurl =” is the return URL. The authentication site information may be other information as long as the purpose is achieved.

The introduction WEB server 5 receives a request for a member WEB page from the client device 10. The introduction WEB server 5 extracts the user's mail address from the received request for the member WEB page. The introduction WEB server 5 generates a WEB page including user-specific information stored in advance based on the extracted mail address. The introduction WEB server 5 transmits the generated WEB page to the client apparatus 10 as a member WEB page.

The function of the mail authentication dedicated WEB apparatus 943 is mainly the same as that of the mail authentication WEB apparatus 903 provided in the personal authentication system of the second embodiment. The functions of the mail authentication dedicated WEB apparatus 943 include the following functions in addition to the functions of the mail authentication WEB apparatus 903 provided in the personal authentication system of the second embodiment. The mail authentication dedicated WEB device 943 extracts the return URL from the authentication mail address acquisition request received from the client device 10. Further, the mail authentication dedicated WEB device 943 transmits the extracted return URL together with the generated authentication mail address. Further, the mail authentication dedicated WEB device 943 generates a WEB page including the return URL and the user's mail address as a result of the authentication. The example of the source code contained in the produced | generated WEB page is shown. For example, the source code is “<meta http-equiv =“ Refresh ”content =“ 0; url = http: // www. dounyu. jp / member. php? usrmail = taka @ yahoo. co. jp & auth = 1 ">". The URL after “url =” is the return URL. The mail address after “usmail =” is the user's mail address. The value after “auth =” is the result of authentication. For example, “1” can be authenticated, and “0” cannot be authenticated. However, “auth =” is not necessarily included. For example, the source code is “<A HREF =“ http: // www. dounyu. jp / member. php? usrmail = taka @ yahoo. co. jp & auth = 1 "> Membership page is here </A>". The URL after “url =” is the return URL. The mail address after “usmail =” is the user's mail address. The value after “auth =” is the result of authentication. For example, “1” can be authenticated, and “0” cannot be authenticated. However, “auth =” is not necessarily included. The source code included in the WEB page may be other as long as the purpose is achieved.

Next, a personal authentication method according to the third embodiment will be described with reference to the drawings. FIG. 12 is a sequence diagram of processing of the personal authentication method of the third embodiment. The personal authentication method of the third embodiment (FIG. 12) is compared with the personal authentication method of the second embodiment (FIG. 10). The personal authentication method of the third embodiment includes ST94112 instead of ST112. Further, the personal authentication method of the third embodiment includes ST94116 instead of ST90116. In addition, the personal authentication method of the third embodiment includes ST94121 instead of ST121. Also, the personal authentication method of the third embodiment includes ST94122 instead of ST122. Also, the personal authentication method of the third embodiment includes ST94124 instead of ST124. Further, the personal authentication method of the third embodiment includes ST94109, ST94110, ST94126, ST94121, ST94122, ST94127 and ST94128. The processing of the personal authentication method of the third embodiment is the same as the personal authentication method of the second embodiment (FIG. 10) except for ST94109, ST94110, ST94112, ST94116, ST94124, ST94126, ST94127, and ST94128. is there. Therefore, description of steps other than ST94109, ST94110, ST94112, ST94115, ST94124, ST94126, ST94127, and ST94128 is omitted.

ST94109 will be described. Client apparatus 10 transmits a request for a login WEB page to introduction WEB server 5 via network 9 (ST94109).

ST94110 will be described. The introduction WEB server 5 receives a request for a login WEB page from the client device 10. Next, introductory WEB server 5 transmits a login WEB page including authentication site information to client device 10 via network 9 (ST94110).

ST94112 will be described. The authentication request receiving module provided in the mail authentication dedicated WEB device 943 receives the authentication request from the client device 10. Next, the authentication request receiving module extracts a return URL included in the received authentication request. Next, the authentication request receiving module requests the authentication mail address generation module to generate an authentication request mail address (ST94112).

ST94116 will be described. The authentication e-mail address transmission module accepts the authentication e-mail address generated by the authentication e-mail address generation module from the authentication e-mail address generation module. Next, the authentication mail address transmission module generates a WEB page including the accepted authentication mail address. Next, authentication mail address transmission module 90335 transmits the generated WEB page and the return URL extracted by the authentication request reception module to client device 10 via network 9 (ST94116).

ST94121 will be described. The client apparatus 10 transmits the authentication request including the return URL and the authentication mail address received in ST94116 to the mail authentication dedicated WEB apparatus 943 via the network 9 (ST94121).

ST94121 will be described. The authentication request receiving module receives an authentication request from the client device 10. Next, the authentication request receiving module extracts the return URL and the authentication mail address from the received authentication request. Then, when receiving the authentication request, the authentication request receiving module requests authentication from the authentication module.

ST94124 will be described. The authentication result transmission module accepts an authentication result from the authentication module. Next, the authentication result transmitting module generates a WEB page including the user's mail address and the return URL received by the authentication request receiving module as a result of the authentication. Next, the authentication result transmission module transmits the generated WEB page as a result of authentication to the client apparatus 10 via the network 9 (ST94124).

ST94126 will be described. The client apparatus 10 receives the WEB page transmitted as a result of the authentication from the mail authentication dedicated WEB apparatus 943. Next, based on the received WEB page, the client device 10 transmits a member WEB page request to the introduction WEB server 5 via the network 9 (ST94126). The request for the member WEB page transmitted by the client device 10 includes the user's mail address. For example, a request for a WEB page for a member is a URL “http://www.dunyu.jp/member.php?usrmail=taka@yaho.co.jp&auth=1”. The mail address after “usmail =” is the user's mail address.

ST94127 will be described. The introduction WEB server 5 receives a request for a member WEB page from the client device 10. Next, the introduction WEB server 5 extracts the user's mail address from the received request for the member WEB page. Next, the introduction WEB server 5 identifies the user based on the extracted mail address. Next, the mail authentication dedicated WEB device 943 generates a member WEB page corresponding to the identified user. Next, the introduction WEB server 5 transmits the generated member WEB page to the client device 10 via the network 9 (ST94127).

ST94128 will be described. The client device 10 receives a member WEB page from the introduction WEB server 5 via the network 9. Next, client device 10 displays the received member WEB page on the display device (ST94128).

An outline of processing of the personal authentication method of the third embodiment will be described. The client device 10 requests a login WEB page from the introduction WEB server 5 in response to a user operation (ST94109). The introduction WEB server 5 transmits the requested login WEB page to the client device 10 (ST94110). Based on the authentication site information included in the login WEB page, the client device 10 transmits an authentication request to the mail authentication dedicated WEB device 943 (ST111). The mail authentication dedicated WEB device 943 receives the authentication request. Next, the mail authentication dedicated WEB device 943 extracts a return URL from the received authentication request (ST94112). Next, the mail authentication dedicated web device 943 generates an authentication mail address (ST114). . Next, the mail authentication dedicated WEB apparatus 943 transmits the generated authentication mail address and the extracted return URL to the client apparatus 10 (ST94116). The client device 10 receives the authentication mail address and the return URL (ST117). Next, the client device 10 transmits an e-mail addressed to the authentication e-mail address (ST118). Then, the mail authentication dedicated WEB device 943 receives an electronic mail from the client device 10 (ST119). Next, the mail authentication-dedicated WEB device 943 identifies the source mail address and the destination mail address of the received electronic mail. Next, the email authentication dedicated WEB device 943 associates the identified destination email address with the identified source email address, and stores them in the email address correspondence table 341 (ST120). On the other hand, the client apparatus 10 transmits an authentication request to the mail authentication dedicated WEB apparatus 943 (ST121). Then, the mail authentication dedicated WEB device 943 receives an authentication request from the client device 10 (ST122). The mail authentication dedicated web device 943 extracts the authentication mail address and the return URL from the received authentication request. Next, the mail authentication dedicated web device 943 selects from the mail address correspondence table 341 a record in which the extracted authentication mail address matches the destination mail address 3412 of the mail address correspondence table 341 from the mail address correspondence table 341. To do. Next, the mail authentication dedicated WEB apparatus 943 extracts the transmission source mail address 3413 from the selected record. Next, the mail authentication dedicated web device 943 determines whether or not the extracted transmission source mail address 3413 is stored in the mail address 3422 of the user management table 342 (ST123). When the sender mail address 3413 is stored in the user management table 342, the mail authentication dedicated WEB device 943 determines that authentication is possible. On the other hand, when the transmission source mail address 3413 is not stored in the user management table 342, the mail authentication dedicated WEB apparatus 943 determines that the authentication is impossible. Next, the mail authentication dedicated WEB device 943 transmits the authentication result to the client device 10 (ST94124). The client device 10 receives the authentication result (ST125). Next, based on the received authentication result, the client device 10 transmits a member web page request to the introduction web server 5 (ST94126). The introduction WEB server 5 receives a request for a member WEB page from the client device 10. Next, the introduction WEB server 5 extracts the user's mail address from the received request for the member WEB page. Next, the introduction WEB server 5 transmits a member WEB page corresponding to the extracted mail address to the client device 10 (ST94127). The member WEB page includes user-specific information corresponding to the user of the extracted mail address. Next, the client device 10 receives a member WEB page from the introduction WEB server 5. Next, client device 10 displays the received member WEB page on the display device (ST94128).

As described above, the introduction WEB server 5 which is a conventional WEB server can introduce the personal authentication method of the present invention simply by including the authentication site information in the login WEB page transmitted to the client device 10.

In the embodiment described above, the mail authentication dedicated WEB device 943 stores the user management table 342. However, the mail authentication dedicated WEB device 943 does not necessarily need to store the user management table 342. In this case, the introduction WEB server 5 stores the user management table 342. In this case, in step ST123, the mail authentication dedicated web device 943 does not need to determine whether or not the extracted transmission source mail address 3413 is stored in the mail address 3422 of the user management table 342. Instead, the introduction WEB server 5 determines whether or not the mail address included in the request for the member WEB page received from the client device 10 is stored in the user management table 342.

In the embodiment described above, the introduction WEB server 5 trusts the mail address included in the request for the member WEB page received from the client device 10 and transmits the member WEB page. However, the e-mail address included in the request for the member WEB page may be forged. Therefore, the introduction WEB server 5 may confirm that the link source is the mail authentication-dedicated WEB device 943 by referring to the referer.

(Fourth embodiment)
Although the personal authentication system of the fourth embodiment will be described below, the same reference numerals are used for portions that overlap with the personal authentication system of the third embodiment, and description thereof is omitted.

In electronic commerce on the Internet, a credit card is often used as a settlement means. In the fourth embodiment, an example in which the personal authentication system of the third embodiment is applied to credit card settlement on the Internet will be described.

Since the schematic configuration diagram of the personal authentication system of the fourth embodiment is the same as the schematic configuration diagram (FIG. 11) of the personal authentication system of the third embodiment, detailed description thereof will be omitted. The client device 10 is operated by a user who intends to execute a credit card payment. The mobile phone 60 is operated by a user who intends to execute credit card payment. The introduction WEB server 5 is a WEB server that provides electronic commerce such as article sales or service sales. The mail authentication dedicated WEB device 943 is a WEB device that processes credit card credit examination and billing. The user management table 342 of the mail authentication dedicated WEB device 943 includes a credit card number (not shown). The credit card number included in the user management table is the user's credit card number. The user management table 342 stores a credit card number and an e-mail address of a user who owns the credit card in association with each other.

The outline of the process of the personal authentication method of the fourth embodiment will be described. The introduction WEB server 5 determines the payment amount with the user's operation. The settlement amount determination method may be a method adopted in a conventional electronic commerce site. Next, in response to a user operation, the client device 10 transmits a settlement WEB page request to the introduction WEB server 5 instead of a login WEB page request. The introduction WEB server 5 receives a request for a payment WEB page. Then, the introduction WEB server 5 generates the requested payment WEB page. Next, the introduction WEB server 5 transmits the generated payment WEB page to the client device 10. The payment WEB page generated by the introduction WEB server 5 includes authentication site information. The authentication site information includes not only the return URL but also the settlement amount. The client device 10 receives the payment WEB page. Next, the client device 10 transmits an authentication email address acquisition request to the email authentication dedicated WEB device 943 based on the authentication site information included in the received settlement WEB page. The mail authentication dedicated WEB device 943 receives the authentication mail address acquisition request. Next, the mail authentication dedicated WEB device 943 extracts the return URL and the payment amount from the received authentication request. Next, the mail authentication dedicated web device 943 generates an authentication mail address. Next, the mail authentication dedicated WEB device 943 transmits the generated authentication email address, the extracted return URL, and the extracted settlement amount to the client device 10. The client device 10 receives the authentication email address, the return URL, and the payment amount. Next, the client device 10 transmits an e-mail addressed to the authentication e-mail address. As a result, the client apparatus 10 transmits an e-mail to the mail authentication dedicated WEB apparatus 943. The mail authentication dedicated WEB device 943 receives an electronic mail from the client device 10. Then, the mail authentication-dedicated WEB device 943 acquires the transmission source mail address and the transmission destination mail address from the received electronic mail. Next, the mail authentication dedicated WEB device 943 stores the acquired transmission destination mail address and the acquired transmission source mail address in the mail address correspondence table 341 in association with each other. On the other hand, the client device 10 transmits an authentication request including the authentication email address, the return URL, and the settlement amount to the email authentication dedicated WEB device 943. The mail authentication dedicated WEB device 943 receives an authentication request from the client device 10. The mail authentication dedicated WEB device 943 extracts the authentication mail address, the return URL, and the settlement amount from the received authentication request. Next, the mail authentication dedicated web device 943 selects, from the mail address correspondence table 341, a record in which the extracted authentication mail address matches the destination mail address 3412 of the mail address correspondence table 341. Next, the mail authentication dedicated WEB apparatus 943 extracts the transmission source mail address 3413 from the selected record. Next, the mail authentication dedicated web device 943 extracts the credit card number corresponding to the extracted transmission destination mail address 3413 from the user management table 342. Next, the email authentication dedicated WEB device 943 performs credit examination by determining whether or not the extracted payment amount can be used with the extracted credit card number. The credit screening here is the same as the credit screening when using a conventional credit card. If the credit examination is satisfactory, the mail authentication dedicated WEB device 943 charges the payment amount to the credit card. The mail authentication dedicated WEB device 943 may request the credit screening process and the billing process from a device dedicated to the credit screening process and the billing process. When the accounting process is completed, the mail authentication dedicated WEB device 943 determines that the authentication result can be authenticated. The mail authentication dedicated WEB device 943 transmits the authentication result to the client device 10. Based on the received authentication result, the client device 10 transmits a request for the ending WEB page to the introduction WEB server 5. The introduction WEB server 5 receives a request for a WEB page for completion of payment from the client device 10. Next, the introduction WEB server 5 extracts the user's mail address from the request for the WEB page. Next, the introduction WEB server 5 transmits to the client device 10 a payment-finished WEB page corresponding to the extracted mail address. The payment-finished WEB page includes user-specific information corresponding to the extracted mail address.

As described above, the personal authentication system of the third embodiment can be applied to a credit card settlement. In the fourth embodiment, the credit card settlement has been described. However, the settlement means may be any means as long as it is a means for settlement through authentication. For example, the payment means includes “Edy” (trademark), “Jay debit” (trademark), “mobile phone payment service” (trademark), and the like. “Edy” (trademark) is electronic money that can be used in stores and on the Internet. “J Debit” (trademark) is a deposit account debit settlement service that can be used in stores and on the Internet. “Mobile Phone Payment Service” (trademark) is a postpaid payment service available on the Internet, where the payment amount is added to the charge for the mobile phone fee.

Here, a modification of the personal authentication system of the fourth embodiment will be described. The mail authentication-dedicated WEB device 943 provided in the personal authentication system of the fourth embodiment specifies the credit card number based on the sender of the e-mail. Therefore, when the sender of the e-mail is camouflaged, it is settled by an impersonating user. In order to prevent impersonation settlement, the user inputs a credit card number into the client device 10. The client device 10 transmits the input credit card number to the mail authentication dedicated WEB device 943. The client device 10 may transmit the input credit card number included in the authentication mail address acquisition request or the authentication request. The mail authentication dedicated WEB device 943 receives the credit card number from the client device 10. Then, the mail authentication dedicated WEB device 943 collates the received credit card number with the credit card number extracted from the user management table 342. Only when the two credit card numbers match, the mail authentication dedicated WEB device 943 performs credit examination on the credit card and charges the credit card. In the modification of the ninth embodiment, impersonation may be prevented by allowing the user to input other information such as a password instead of allowing the user to input a credit card number.

(Fifth embodiment)
In the following, the personal authentication system of the fifth embodiment will be described. However, the same reference numerals are used for portions that overlap with the personal authentication system of the first embodiment, and the description thereof is omitted.

FIG. 13 is a schematic configuration diagram of a personal authentication system according to the fifth embodiment. The personal authentication system shown in FIG. 13 includes a plurality of ATM (AUTOMATIC TELLER MACHINE) 2010, a plurality of mobile phones 2060, and an ATM mail authentication device 923. ATM 2010 is an AUTOMATIC TELLER MACHINE that is operated by a user who is authenticated and intends to withdraw or withdraw cash. The ATM 2010 is connected to the network 9. The ATM mail authentication device 923 is connected to the ATM 2010 via the network 9. In the fifth embodiment, the network 9 is an internal network. The network 9 may include a relay device that aggregates ATM mail authentication devices installed in a plurality of financial institutions. The ATM mail authentication device 923 is connected to the mobile phone 2060 via the Internet 1. The configuration of the ATM mail authentication device 923 is the same as that of the mail authentication device 3 (FIG. 3) provided in the personal authentication system of the first embodiment, and a description thereof will be omitted. For the sake of clarity, in the personal authentication system of the fifth embodiment, an authentication process for one ATM 2010 will be described. Actually, the ATM mail authentication device 923 authenticates a plurality of ATMs 2010 via the network 9. In FIG. 13, three ATMs 2010 are illustrated, but any number of personal authentication systems may be provided. Further, although three mobile phones 2060 are illustrated, any number of personal authentication systems may be provided. The personal authentication system may include a terminal having an e-mail transmission function instead of the mobile phone 2060.

FIG. 14 is a block diagram of a configuration of the ATM 2010 provided in the personal authentication system of the fifth embodiment. The ATM 2010 physically includes an ATM including a transmission / reception unit 11, a central processing unit 12, a main storage device 13, an auxiliary storage device 14, an input device (not shown), a display device (not shown), a cash handling unit 15, and the like. (AUTOMATIC TELLER MACHINE). The transmission / reception unit 11 is an interface that is connected to the network 9 and transmits / receives data to / from an external device (ATM mail authentication device 923). The central processing unit 12 is, for example, a CPU. The central processing unit 12 performs various processes by executing programs stored in the main storage device 13. The main storage device 13 is, for example, a memory. The main storage device 13 stores programs executed by the central processing unit 12, information required by the central processing unit 12, and the like. The auxiliary storage device 14 is, for example, a hard disk. The auxiliary storage device 14 stores various information. The input device is, for example, a keyboard or a touch panel. Various information is input to the input device from the user. The display device is a display. The display device displays information instructed to be displayed from the central processing unit 12. The cash handling unit 15 physically manages banknotes and money. Further, the cash handling unit 15 deposits and withdraws banknotes and money. The cash handling unit 15 may be provided in an ATM of a general financial institution.

The functions of the ATM 2010 are the same as those of the client device 10 provided in the personal authentication system of the first embodiment except for the cash handling unit 15, and thus description thereof is omitted.

The mobile phone 2060 is equipped with an Internet connection function. Therefore, the mobile phone 2060 transmits an e-mail to the ATM mail authentication device 923 via the network 9.

The functional configuration of the ATM mail authentication device 923 of the fifth embodiment is the same as that of the mail authentication device 3 (FIG. 4) provided in the personal authentication system of the first embodiment, and thus description thereof is omitted.

The user management table 342 stored in the auxiliary storage device of the ATM mail authentication device 923 stores user-specific information corresponding to the user ID. The user-specific information in the present embodiment is account information of a financial institution. The account information of the financial institution includes an account number, a deposit balance, a borrowing balance, a borrowable balance, and the like. However, user-specific information does not necessarily have to be managed by the user management table 342, and any method may be used as long as it is managed corresponding to the user ID. The management method of the user's unique information is left to the implementer of the present invention according to the type of service and the scale of the user. Part of the user's unique information corresponding to the user ID is included in the authentication result transmitted from the ATM mail authentication device 923 to the ATM 2010.

Next, a personal authentication method according to the fifth embodiment will be described. Since the processing of the personal authentication method of the fifth embodiment is the same as that of the personal authentication method of the first embodiment (FIG. 7), description thereof is omitted. However, here, characteristic steps of the personal authentication method of the fifth embodiment will be described.

ST118 in the fifth embodiment will be described. The apparatus that transmits the e-mail is not the ATM 2010 but the mobile phone 2060 that is the second client apparatus. The cellular phone 2060 transmits an electronic mail to the ATM mail authentication device 923 in response to a user operation.

ST124 in the fifth embodiment will be described. The authentication result transmission module 339 of the ATM mail authentication device 923 transmits the authentication result to the ATM 2010 via the network 9. The result of the authentication includes user-specific information such as an account number corresponding to the user ID, a deposit balance, a borrowing balance or a borrowable balance.

Subsequent to ST124, the ATM 2010 displays the authentication result received from the ATM mail authentication device 923 and the user-specific information on the display device. A user of the ATM 2010 performs a subsequent operation based on the displayed information. Subsequent operations are, for example, withdrawal of deposits, repayment of borrowings or borrowing of borrowings.

By the way, a general ATM can accept various operations such as withdrawal of deposits, repayment of borrowings and borrowing of borrowings. Therefore, prior to ST111, ATM 2010 accepts the type of operation from the user. The ATM 2010 includes the type of operation requested by the user in the authentication mail address acquisition request transmitted to the ATM mail authentication device 923. The ATM mail authentication device 923 extracts the type of operation requested by the user of the ATM 2010 from the authentication mail address acquisition request received from the ATM 2010. Then, the ATM mail authentication device 923 determines user-specific information to be included in the authentication result based on the extracted operation type.

The following procedure may also be used. A general ATM can accept various operations such as withdrawal of deposits, repayment of borrowings and borrowing of borrowings. Here, the ATM mail authentication device 923 stores operations that can be received from the user of the ATM 2010 in advance corresponding to the user ID. In this case, the ATM 2010 does not accept the type of operation from the user before sending the authentication request. First, the ATM 2010 is authenticated by the personal authentication method of the fifth embodiment. The ATM mail authentication device 923 includes an acceptable operation corresponding to the authenticated user ID in the authentication result, and transmits it to the ATM 2010. The ATM 2010 displays the result of authentication received from the ATM mail authentication device 923 and acceptable operations on the display device. The user of the ATM 2010 selects an operation from the types of operations displayed on the display device of the ATM 2010. Then, the ATM 2010 executes the selected type of operation.

The personal authentication method of the fifth embodiment may be combined with a conventional personal authentication method using a cash card and a personal identification number. As a result, even if the cash card and the password are stolen, the deposit is not withdrawn by the impersonating user unless an e-mail is transmitted by the user's e-mail address. Further, the personal authentication method of the fifth embodiment may be combined with personal authentication using either a cash card or a personal identification number.

Here, a modification of the fifth embodiment of the present invention will be described. In the fifth embodiment, the ATM mail authentication device 923 generates an authentication mail address and transmits it to the ATM 2010. However, in a modified example, the ATM 2010 may generate an authentication mail address including its own ATM_ID. ATM_ID is a unique identifier of ATM 2010. When receiving the electronic mail from the mobile phone 2060, the ATM mail authentication device 923 extracts the ATM_ID from the transmission destination address of the received electronic mail. Then, the ATM mail authentication device 923 transmits the authentication result to the ATM 2010 identified by the extracted ATM_ID. That is, the ATM mail authentication device 923 can transmit the authentication result without receiving an authentication request from the ATM 2010.

Here, an application example of the fifth embodiment of the present invention will be described. An ATM mail authentication device 923 provided in the personal authentication system of the application example of the fifth embodiment also serves as a device for calculating a utility bill. In this case, the ATM mail authentication device 923 calculates a utility bill, issues a bill, and manages the payment status. For example, the public charges are telephone charges, mobile phone charges, electricity charges, gas charges, water charges, and the like. The ATM mail authentication device 923 stores the mail address of the mobile phone 2060 and the identifier of the user who receives the utility bill service in association with each other. When the ATM mail authentication device 923 lends a loan to the user of the ATM 2010, the ATM mail authentication apparatus 923 charges the loan together with the bill for the utility bill. Also, the ATM mail authentication device 923 accepts a utility bill payment request from a user of the ATM 2010. When the ATM mail authentication device 923 authenticates the user of the ATM 2010 as described above, the ATM mail authentication device 923 accepts from the ATM 2010 payment of unpaid utility charges of the user of the mobile phone 2060. Also, the ATM mail authentication device 923 accepts a loan loan request from a user of the ATM 2010. When the ATM mail authentication device 923 authenticates the user of the ATM 2010 as described above, the loan is lent out from the ATM 2010. Note that the ATM mail authentication device 923 charges the loan together with the utility bill.

  In the fifth embodiment of the present invention, a non-overlapping authentication e-mail address may be assigned in advance to each of all ATMs 2010. In this case, the correspondence between the ATM 2010 and the authentication e-mail address is unchanged. Then, the ATM mail authentication device 923 can identify the ATM 2010 that is the transmission source of the user authentication request based on the mail address of the transmission destination.

(Sixth embodiment)
The personal authentication system of the sixth embodiment will be described below, but the same reference numerals are used for the same portions as those of the personal authentication system of the first embodiment and the personal authentication system of the fifth embodiment. Omitted.

As a personal authentication system of the sixth embodiment, a specific embodiment in which the personal authentication system of the first embodiment is used for credit card payment at a store will be described. Conventionally, in store credit card settlement, in order to prevent the use of impersonation, a store salesperson visually compares the signature of the usage slip with the signature on the back of the credit card. However, visual verification is not sufficient as an anti-spoofing measure. In the personal authentication system according to the sixth embodiment, an example in which an electronic mail address is used instead of signature verification will be described.

FIG. 15 is a schematic configuration diagram of a personal authentication system according to the sixth embodiment. The personal authentication system shown in FIG. 15 includes a plurality of reader devices 2110, a plurality of mobile phones 60, and a mail authentication device 3. The reader device 2110 is connected to the network 9. The mail authentication device 3 is connected to the mobile phone 60 via the Internet 1. The reader device 2110 is a device for reading credit card information. Details of the reader device 2110 will be described with reference to FIG. In a store, a store salesperson usually operates the reader device 2110. However, the user who is authenticated in the personal authentication system of the sixth embodiment is a credit card holder. Therefore, in order to simplify the description, in the description of the present embodiment, the user of the reader device 2110 is assumed to be a credit card holder. The mail authentication device 3 is connected to the reader device 2110 via the network 9. The block diagram of the email authentication device 3 is the same as the email authentication device 3 included in the personal authentication system of the first embodiment, and a description thereof is omitted. In order to clarify the explanation, in the personal authentication system of the sixth embodiment, an authentication process of one reader device 2110 will be described. In practice, the mail authentication device 3 authenticates the plurality of reader devices 2110 via the network 9. That is, the mail authentication device 3 can receive authentication requests and authentication requests from the plurality of reader devices 2110. In practice, the mail authentication device 3 is connected to a plurality of mobile phones 60 via the Internet 1. In FIG. 15, three reader devices 2110 are shown, but any number of personal authentication systems may be provided. FIG. 15 shows three mobile phones, but any number of personal authentication systems may be provided.

FIG. 16 is a block diagram of a configuration of the reader device 2110 provided in the personal authentication system of the sixth embodiment. The reader device 2110 physically includes a transmission / reception unit 11, a central processing unit 12, a main storage device 13, an auxiliary storage device 14, an input device (not shown), a display device (not shown), a card information reading unit 16, and the like. Prepare. The transmission / reception unit 11 is an interface that is connected to the network 9 and transmits / receives data to / from an external device (the mail authentication device 3). The central processing unit 12 is, for example, a CPU. The central processing unit 12 performs various processes by executing programs stored in the main storage device 13. The main storage device 13 is, for example, a memory. The main storage device 13 stores programs executed by the central processing unit 12, information required by the central processing unit 12, and the like. The auxiliary storage device 14 is, for example, a hard disk. The auxiliary storage device 14 stores various information. The input device is, for example, a keyboard or a touch panel. Various information is input to the input device from the user. The display device is a display. The display device displays information instructed to be displayed from the central processing unit 12. The card information reading unit 16 is a device that reads information stored in a credit card. The card information reading unit 16 provided in a general credit card card reader is sufficient. Note that the reader device 2110 does not necessarily include the auxiliary storage device 14.

The function of the reader device 2110 provided in the personal authentication system of the sixth embodiment is mainly the same as that of the client device 10 provided in the personal authentication system of the first embodiment. The reader device 2110 included in the personal authentication system of the sixth embodiment has the following functions in addition to the functions of the client device 10 included in the personal authentication system of the first embodiment. The reader device 2110 receives a credit card number and a payment amount by a user operation. The reader device 2110 includes the accepted credit card number and settlement amount in the authentication request transmitted to the mail authentication device 3.

The mobile phone 60 is a mobile phone equipped with an Internet connection function. The mobile phone 60 transmits an e-mail to the mail authentication device 3 via the Internet 1.

The function of the mail authentication device 3 of the sixth embodiment is mainly the same as that of the personal authentication system of the first embodiment. The mail authentication device 3 of the sixth embodiment has the following functions in addition to the functions of the mail authentication device 3 included in the personal authentication system of the first embodiment. The mail authentication device 3 of the sixth embodiment processes credit card credit examination and billing. The user management table 342 of the mail authentication device 3 includes a credit card number (not shown). The credit card number included in the user management table 342 is a credit card number owned by the user. That is, in the user management table 342, the credit card number and the user's email address are stored in advance in association with each other.

Next, an outline of processing of the personal authentication method of the sixth embodiment will be described. The sequence diagram of the personal authentication method of the sixth embodiment is mainly the same as FIG. 7 which is the sequence diagram of the personal authentication method of the first embodiment. However, the device that transmits the e-mail is not the reader device 2110 but the mobile phone 60 that is the second client device.

The outline of the process of the personal authentication method of the sixth embodiment is as follows. The reader device 2110 receives a payment amount from the user. Further, the card information reading unit 16 of the reader device 2110 reads the credit card number by the user's card operation. Next, the reader device 2110 transmits an authentication email address acquisition request including the accepted payment amount and the read credit card number to the email authentication device 3 (ST111). The mail authentication device 3 receives the authentication request (ST112). Next, the mail authentication device 3 extracts the payment amount and the credit card number from the received authentication request. Next, the mail authentication device 3 generates an authentication mail address (ST114). Next, the email authentication device 3 transmits the generated authentication email address, the extracted payment amount, and the extracted credit card number to the reader device 2110 (ST116). The reader device 2110 receives the authentication mail address, the payment amount, and the credit card number (ST117). Next, the reader device 2110 displays the received authentication mail address on the display device. Note that the reader device 2110 may print paper on which the authentication mail address is described without displaying the authentication mail address. That is, the reader device 2110 may use any method as long as it can notify the user of the authentication mail address. The reader device 2110 may display or print a QR code or the like corresponding to the authentication mail address. The cellular phone 60 transmits an e-mail addressed to the displayed authentication e-mail address in response to a user operation (ST118). Then, the mail authentication device 3 receives an electronic mail from the mobile phone 60 (ST119). Next, the mail authentication device 3 acquires a transmission source mail address and a transmission destination mail address from the received electronic mail. Next, the mail authentication device 3 associates the acquired transmission destination mail address with the acquired transmission source mail address, and stores them in the mail address correspondence table 341 (ST120). On the other hand, the reader apparatus 2110 transmits an authentication request including an authentication e-mail address, a payment amount, and a credit card number to the e-mail authentication apparatus 3 (ST121). The mail authentication device 3 receives an authentication request from the reader device 2110 (ST122). The mail authentication device 3 extracts the authentication mail address, the payment amount, and the credit card number from the received authentication request. Next, the mail authentication device 3 extracts a destination mail address 3413 corresponding to the extracted authentication mail address from the mail address correspondence table 341 (ST123). Specifically, the mail authentication device 3 selects from the mail address correspondence table 341 a record in which the extracted authentication mail address matches the transmission destination mail address 3412 of the mail address correspondence table 341. Next, the mail authentication device 3 extracts the transmission source mail address 3413 from the selected record. Next, the mail authentication device 3 selects from the user management table 342 a record in which the extracted transmission source mail address 3413 matches the mail address 3422 of the user management table 342. Next, the mail authentication device 3 extracts a credit card number from the extracted record. Next, the mail authentication device 3 collates the credit card number extracted from the mail address correspondence table 341 with the credit card number extracted from the authentication request. If the two extracted credit card numbers do not match, the mail authentication device 3 determines that authentication is not possible. On the other hand, when the two extracted credit card numbers match, the mail authentication device 3 performs a credit examination to determine whether or not the extracted payment amount can be used. Credit screening is the same as that performed when using a conventional credit card. If the credit check is satisfactory, the mail authentication device 3 charges the payment amount to the credit card. The mail authentication device 3 may request a dedicated device for credit examination and billing processing. In this case, the mail authentication device 3 is connected to a dedicated device that performs credit examination and billing via a network. The mail authentication device 3 determines that authentication is possible when the accounting process is completed. The mail authentication device 3 transmits the authentication result to the reader device 2110 (ST124). The reader device 2110 receives the authentication result (ST125). Next, the reader device 2110 displays the authentication result on the display device.

As described above, in the personal authentication system of the sixth embodiment, an e-mail address can be used instead of signature verification in credit card settlement at a store. In the sixth embodiment, the credit card settlement has been described. However, the settlement means is not limited to a credit card as long as it is a means for settlement after authentication. For example, the settlement means is “Jay Debit” (trademark).

In the embodiment described above, the authentication mail address acquisition request transmitted by the reader device 2110 includes a credit card number. However, it may be as follows. The reader device 2110 may include the credit card number in the authentication request instead of the authentication mail address acquisition request.

Next, a modification of the sixth embodiment of the present invention will be described. In the personal authentication system of the sixth embodiment, the reader device 2110 reads credit card information. However, in the modified example of the sixth embodiment, an example will be described in which credit card settlement can be executed without the reader device 2110 reading credit card information. That is, even if the user does not physically hold a credit card, credit card payment can be made at the store.

The authentication mail address acquisition request transmitted by the reader device 2110 provided in the modification of the sixth embodiment does not include a credit card number.

The outline of the process of the modified example of the sixth embodiment will be described. The reader device 2110 transmits an authentication mail address acquisition request to the mail authentication device 3 in response to a user operation. The mail authentication device 3 receives the authentication mail address acquisition request. Next, the email authentication device 3 extracts the payment amount from the received authentication email address acquisition request. Next, the mail authentication device 3 generates an authentication mail address. Next, the email authentication device 3 transmits the generated authentication email address and the extracted payment amount to the reader device 2110. The reader device 2110 receives the authentication e-mail address and the payment amount. Next, the reader device 2110 displays the received authentication mail address on the display device. The cellular phone 60 sends an e-mail to the displayed authentication e-mail address in response to a user operation. The mail authentication device 3 receives an e-mail from the mobile phone 60. Next, the mail authentication device 3 acquires a transmission source mail address and a transmission destination mail address from the received electronic mail. Next, the mail authentication device 3 stores the acquired transmission destination mail address and the acquired transmission source mail address in the mail address correspondence table 341 in association with each other. On the other hand, the reader device 2110 transmits an authentication request to the mail authentication device 3. The mail authentication device 3 receives an authentication request including the authentication email address and the payment amount from the reader device 2110. The mail authentication device 3 extracts the authentication mail address and the payment amount from the received authentication request. Next, the mail authentication device 3 selects from the mail address correspondence table 341 a record in which the extracted authentication mail address matches the destination mail address 3412 of the mail address correspondence table 341. Next, the mail authentication device 3 extracts the transmission source mail address 3413 from the selected record. Next, the mail authentication device 3 selects from the user management table 342 a record in which the extracted transmission source mail address 3413 matches the mail address 3422 of the user management table 342. Next, the mail authentication device 3 extracts a credit card number from the selected record. Next, the mail authentication device 3 performs a credit examination on the extracted credit card number. Credit screening is performed when a conventional credit card is used. If the credit examination is good, the mail authentication device 3 charges the payment amount to the credit card. The mail authentication device 3 may request a dedicated device for credit examination and billing processing. In this case, the mail authentication device 3 is connected via a network to a dedicated device that performs credit examination and billing. The mail authentication device 3 determines that authentication is possible when the accounting process is completed. The mail authentication device 3 transmits the authentication result to the reader device 2110. The reader device 2110 receives the authentication result. Then, the reader device 2110 displays the received authentication result on the display device.

As described above, in the modification of the sixth embodiment, even if the user does not physically hold the credit card at the store, the credit card can be settled.

Here, an application example of a modification of the sixth embodiment of the present invention will be described. The mail authentication device 3 provided in the personal authentication system of the application example of the modified example of the sixth embodiment also serves as a device for calculating public utility charges. That is, the mail authentication device 3 calculates a utility bill, issues an invoice, and manages the payment status. For example, the public charges are telephone charges, mobile phone charges, electricity charges, gas charges, water charges, and the like. In the sixth embodiment, the user management table 342 of the mail authentication device 3 stores the electronic mail address of the mobile phone 60 and the credit card number in association with each other. In the application example of the modified example of the sixth embodiment, the user management table 342 of the mail authentication device 3 stores the correspondence between the e-mail address of the mobile phone 60 and the identifier of the user who receives the utility bill service. The mail authentication device 3 adds the payment amount at the store to the public bill instead of charging the credit card. The user of the reader device 2110 can complete payment at the store only by holding the mobile phone 60.

(Seventh embodiment)
In the following, an example in which a personal computer and a PDA are connected to an in-house intranet in the personal authentication system of the first embodiment will be described as the personal authentication system of the seventh embodiment. The same code | symbol is used for the location which overlaps with the personal authentication system of 1st Embodiment.

Many companies set up an internal intranet to encourage employees to communicate information while keeping internal information confidential. An employee connects a portable terminal such as a personal computer or a PDA to a company intranet by a communication means such as dial-up or VPN for the purpose of browsing or updating company information from a destination or sending / receiving e-mail. Conventionally, an employee inputs a user ID and a password and connects to an in-house intranet. The user of the personal computer or PDA receives authentication using the authentication method of the first embodiment, and connects the portable terminal to the in-house intranet. In this case, the client device 10 is a portable terminal that is about to be connected to an in-house intranet. The mail authentication device 3 is a management server that manages an intranet in the company. Employees can connect to the corporate intranet without entering a user ID and password. Note that the security can be further enhanced by transmitting an e-mail to the mail authentication apparatus 3 using a second client device different from the portable terminal. In this case, a user who intends to connect a portable terminal to an in-house intranet may receive personal authentication unless both the portable terminal and the second client device capable of transmitting an e-mail having a user mail address as a transmission source are available. Can not. As a result, another person who has acquired only the portable terminal can not be authenticated by impersonating the user of the portable terminal. That is, even if the portable terminal is lost, information leakage can be prevented.

(Eighth embodiment)
The following describes an example in which a thin client device is connected to an in-house server in the personal authentication system of the first embodiment as the personal authentication system of the eighth embodiment. The same code | symbol is used for the location which overlaps with the personal authentication system of 1st Embodiment.

The thin client device is a personal computer having a minimum auxiliary storage device. Companies have introduced a thin client system in order to prevent information leakage due to theft or loss of personal computers. The auxiliary storage device of the thin client device does not store sufficient in-house data and applications. In-house data and applications are stored by the central server. The employee operates the thin client device to connect to the central server, and browses and updates the in-house data. Conventionally, an employee inputs a user ID and a password and connects to a centralized server. The user of the thin client device receives authentication using the authentication method of the first embodiment, and connects the thin client device to the in-house intranet. In this case, the client device 10 is a thin client device to be connected to the central server. The mail authentication device 3 is a management server that manages the connection between the thin client device and the server. The management server may be included in the central server. The employee can connect the thin client device to the central server without entering the user ID and password.

(Ninth embodiment)
In the following, an example of connecting a personal computer and a PDA to a public wireless LAN in the personal authentication system of the first embodiment will be described as the personal authentication system of the ninth embodiment. The same code | symbol is used for the location which overlaps with the personal authentication system of 1st Embodiment.

Public wireless LANs that connect to the Internet at the destination are widespread. Conventionally, a user of a public wireless LAN inputs a user ID and a password, and connects a portable terminal such as a personal computer and a PDA to an access point of the public wireless LAN. The user of the public wireless LAN is authenticated using the authentication method of the first embodiment, and connects the portable terminal to the access point. In this case, the client device 10 is a portable terminal to be connected to the access point. The mail authentication device 3 is a management server that manages the connection between the portable terminal and the access point. A public wireless LAN user can connect to an access point without entering a user ID and password.

(Tenth embodiment)
Although the personal authentication system of the tenth embodiment will be described below, the same reference numerals are used for portions that overlap with the personal authentication system of the first embodiment, and description thereof is omitted.

In the personal authentication system of the first embodiment, the mail authentication device 3 generates an authentication mail address. However, in the personal authentication system of the tenth embodiment, the client device 10 generates an authentication request ID. The personal authentication system of the tenth embodiment can be applied to any of the first to ninth personal authentication systems. Here, the case where it applies to the authentication system of 1st Embodiment is demonstrated.

A client device 10 according to the tenth embodiment will be described. The client device 10 transmits an authentication email address generation information acquisition request to the email authentication device 3 by a user operation. Then, the client device 10 receives the authentication email address generation information from the email authentication device 3. The authentication mail address generation information is information for the client device 10 to generate an authentication mail address. For example, it is a client side program written in Java (registered trademark) Script. The authentication mail address generation information includes a domain in which the mail authentication device 3 can receive an electronic mail. The client device 10 generates an authentication email address based on the received authentication email address generation information. For example, the client device 10 generates an authentication email address using at least one of time and random numbers. The generated authentication email address must be unique. Therefore, the number of character strings of the authentication mail address generated by the client device 10 is set to a sufficient length according to the number of users that the mail authentication device 3 authenticates within a predetermined time.

The client device 10 transmits an e-mail to the authentication e-mail address in response to a user operation.

The client device 10 transmits an authentication request including the authentication email address to the email authentication device 3. Note that the authentication request may include the entire authentication mail address or may include a part of the authentication mail address. The client device 10 may transmit an authentication request in response to a user operation, or may transmit an authentication request at regular intervals.

The client device 10 receives the authentication result from the mail authentication device 3.

Next, the mail authentication device 3 according to the tenth embodiment will be described. FIG. 17 is a functional block diagram of the mail authentication device 3 according to the tenth embodiment. The auxiliary storage device 34 of the mail authentication device 3 stores the authentication program 300 of the tenth embodiment. When the authentication program 300 of the tenth embodiment is executed, the main memory 33 of the mail authentication device 3 includes the main module 331, the authentication mail address generation information acquisition request reception module 3325, the authentication request reception module 3322, the authentication. A mail address generation information transmission module 3353, a mail reception module 336, a received mail reading module 337, an authentication module 338, and an authentication result transmission module 339 are stored.

Since the authentication request receiving module 3322, the mail receiving module 336, the received mail reading module 337, the authentication module 338, and the authentication result transmitting module 339 are the same as those provided in the mail authentication device 3 of the eleventh embodiment, description thereof is omitted.

The main module 331 includes an authentication mail address generation information acquisition request reception module 3325, an authentication request reception module 3322, an authentication mail address generation information transmission module 3353, a mail reception module 336, a received mail reading module 337, an authentication module 338, and an authentication result. It supervises the processing of the transmission module 339.

The authentication email address generation information acquisition request reception module 3325 receives an authentication email address generation information acquisition request from the client device 10. Upon reception of the authentication mail address generation information acquisition request 3325, the authentication mail address generation information acquisition request reception module 3325 requests the authentication mail address generation information transmission module 3353 to transmit the authentication mail address generation information.

The authentication e-mail address generation information transmission module 3353 transmits the authentication e-mail address generation information to the client device 10.

Next, processing of the personal authentication method of the tenth embodiment will be described with reference to the drawings. FIG. 18 is a sequence diagram of processing of the personal authentication method of the tenth embodiment.

The client device 10 transmits an authentication request ID acquisition request to the mail authentication device 3 via the network 9 in response to a user operation (ST211).

Then, authentication mail address generation information acquisition request reception module 3325 receives an authentication mail address generation information acquisition request from client device 10 (ST212). Then, the authentication mail address generation information acquisition request reception module 3325 requests the authentication mail address generation information transmission module 3353 to transmit the authentication mail address generation information.

Upon receiving the request, authentication email address generation information transmission module 3353 transmits authentication email address generation information to client device 10 via network 9 (ST214).

The client device 10 receives the authentication email address generation information from the email authentication device 3 (ST216).

Next, the client device 10 generates an authentication e-mail address based on the received authentication e-mail address generation information acquisition (ST217).

The client device 10 transmits an e-mail to the generated authentication e-mail address via the network 9 in response to a user operation (ST218).

Subsequent steps are the same as those of the personal authentication system of the first embodiment, and thus description thereof is omitted.

As described above, the user of the client device 10 can receive personal authentication without entering a user ID and password. Therefore, this embodiment makes it unnecessary to manage the user ID and password by the user of the client device 10. Further, it is possible to save the user from entering the user ID and password. Furthermore, there is no risk of the user ID and password being praised. That is, the personal authentication system of this embodiment can authenticate a user safely and conveniently.

(Eleventh embodiment)
The personal authentication system according to the eleventh embodiment will be described below. However, the same reference numerals are used for portions that overlap the personal authentication system according to the first embodiment, and description thereof is omitted.

The personal authentication system of the eleventh embodiment uses an authentication request ID or a client ID instead of the authentication mail address. The authentication request ID is a unique identifier of the authentication request. The client ID is a unique identifier of the client device 10. Note that the personal authentication system of the eleventh embodiment can be applied to any of the first to tenth personal authentication systems. Here, the case where it applies to the authentication system of 1st Embodiment is demonstrated.

FIG. 19 is a functional block diagram of the mail authentication device 3 according to the eleventh embodiment. The auxiliary storage device 34 of the mail authentication device 3 stores the authentication program 300 of the eleventh embodiment. When the authentication program 300 of the eleventh embodiment is executed, the main storage device 33 of the mail authentication device 3 includes a main module 331, an authentication request ID acquisition request reception module 3323, an authentication request reception module 3322, and an authentication request ID generation. A module 333, an authentication request ID transmission module 3351, a mail reception module 336, a received mail reading module 337, an authentication module 338, and an authentication result transmission module 339 are stored.

The main module 331 includes an authentication request ID acquisition request reception module 3323, an authentication request reception module 3322, an authentication request ID generation module 333, an authentication request ID transmission module 3351, a mail reception module 336, a received mail reading module 337, an authentication module 338, and an authentication. It supervises the processing of the result transmission module 339.

The authentication request ID acquisition request reception module 3323 receives an authentication request ID acquisition request from the client device 10. Upon receiving the authentication request ID acquisition request, the authentication request ID acquisition request reception module 3323 requests the authentication request ID generation module 333 to generate an authentication request ID.

The authentication request receiving module 3322 receives an authentication request from the client device 10. When receiving the authentication request, the authentication request receiving module 3322 requests the authentication module 338 to perform authentication.

Upon receiving a request from the authentication request ID acquisition request reception module 3323, the authentication request ID generation module 333 generates an authentication request ID. The authentication request ID is a unique identifier of the authentication request. For example, the authentication request ID generation module 333 generates an authentication request ID based on a random number, an application ID, an authentication request ID generation time, and the like. The application ID is a unique identifier of the authentication program 300 installed in the mail authentication device 3. The application ID is generally known as a license key and will not be described in detail. As a method for generating the authentication request ID, other methods may be used as long as the purpose is achieved. Subsequently, the authentication request ID generation module 333 delivers the generated authentication request ID to the authentication request ID transmission module 3351.

If the mail authentication device 3 receives an authentication request ID acquisition request from a plurality of client devices 10 at the same time, it generates a different authentication request ID for each received authentication request ID acquisition request. Further, after receiving the first authentication request ID acquisition request, the mail authentication device 3 may receive the second authentication request ID acquisition request from the client device 10 that is the transmission source of the first authentication request. . In this case, the mail authentication device 3 generates an authentication request ID different from the authentication request ID generated for the first authentication request ID acquisition request. As a result, the mail authentication device 3 can simultaneously process a plurality of authentication requests transmitted from the same client device 10.

The authentication request ID transmission module 3351 transmits the authentication request ID received from the authentication request ID generation module 333 and the mail address that can be received by the mail authentication device to the client device 10.

The mail receiving module 336 receives an electronic mail from the client device 10. The mail receiving module 336 may receive an e-mail from other than the client device 10. Note that the mail receiving module 336 may determine whether or not the mail address of the transmission source of the received electronic mail has been camouflaged. The received mail reading module 337 performs processing only when the mail receiving module 336 determines that the sender's mail address is not impersonated. It should be noted that impersonation of the sender mail address may be determined by any method.

The received mail reading module 337 acquires the mail address and authentication request ID of the transmission source from the electronic mail received by the mail receiving module 336. For example, the received mail reading module 337 acquires the authentication request ID from the text or subject of the electronic mail. Subsequently, the received mail reading module 337 creates a new record in the authentication request ID correspondence table 3411 (FIG. 20). Next, the received mail reading module 337 stores the transmission destination mail address acquired from the electronic mail in 3412 in the transmission destination mail address of the created new record. Next, the received mail reading module 337 stores the transmission source mail address acquired from the electronic mail in the transmission source mail address 3413 of the created new record.

FIG. 20 is a configuration diagram of the authentication request ID correspondence table 3411 stored in the auxiliary storage device 34 of the mail authentication device 3 according to the eleventh embodiment. The authentication request ID correspondence table 3411 includes an authentication request ID 34112 and a source mail address 34113. The authentication request ID 34112 is an authentication request ID included in the email received by the email authentication device 3. The sender email address 34113 is a sender email address of the email received by the email authentication device 3. In the present embodiment, the authentication request ID 34112 is used to specify the client computer 10 operated by the user who requests authentication from among the many client computers 10 connected to the mail authentication device 3. . The sender email address 34113 is used to specify a user who requests authentication.

The authentication module 338 receives an authentication request including the authentication request ID from the client device 10. The client device 10 may use any method as long as it can notify the mail authentication device 3 of an authentication request ID for identifying the authentication request together with the authentication request. For example, the communication session ID for transmitting the authentication request may include the authentication request ID. The session ID is an identifier for identifying communication between the WEB server and the WEB browser. The generation and management of the session ID is a function of a normal WEB server and a normal WEB browser. Therefore, detailed description of the session ID is omitted.

Subsequently, the authentication module 338 acquires an authentication request ID from the received authentication request. Next, the authentication module 338 selects from the authentication request ID correspondence table 3411 a record in which the acquired authentication request ID matches the authentication request ID 34112 of the authentication request ID correspondence table 3411. As a result, the authentication module 338 grasps the correspondence between the authentication request and the e-mail, which are separate communications. That is, the authentication module 338 specifies an e-mail corresponding to the received authentication request from e-mails received by the mail receiving module 336. Subsequently, the authentication module 338 extracts the transmission source mail address 34113 from the selected record. That is, the authentication module 338 specifies the source address of the e-mail corresponding to the received authentication request. If the source mail address 34113 cannot be extracted, the authentication module 338 determines that authentication is not possible.

Next, the authentication module 338 selects, from the user management table 342, a record in which the extracted transmission source mail address 34113 matches the mail address 3422 of the user management table 342 (FIG. 6). The authentication module 338 determines that authentication is not possible when a record with a matching email address cannot be selected. On the other hand, the authentication module 338 determines that authentication is possible when a record with a matching email address can be selected. Then, the authentication module 338 delivers the authentication result to the authentication result transmission module 339 as an authentication result. As a result, the authentication module 338 can specify the user who operates the computer that issued the authentication request. Specifically, the authentication module 338 extracts the user ID 3421 from the selected record. Then, the authentication module 338 determines that the computer that issued the authentication request is operated by the user identified by the extracted user ID 3421. Note that the authentication module 338 may include user-specific information corresponding to the extracted user ID 3421 in the authentication result.

The authentication result transmission module 339 transmits the authentication result determined by the authentication module 338 to the client device 10. When the authentication module 338 determines that authentication is possible, the authentication result transmission module 339 may transmit an authentication result accompanied with user-specific information corresponding to the user ID 3421.

Next, processing of the personal authentication method of the eleventh embodiment will be described with reference to the drawings. FIG. 21 is a sequence diagram of processing of the personal authentication method according to the eleventh embodiment.

The client device 10 transmits an authentication request ID acquisition request to the mail authentication device 3 via the network 9 in response to a user operation (ST211).

Then, authentication request ID acquisition request reception module 3323 receives an authentication request ID acquisition request from client device 10 (ST212). Next, the authentication request ID acquisition request reception module 3323 requests the authentication request ID generation module 333 to generate an authentication request ID.

Upon receiving a request for generating an authentication request ID, authentication request ID generation module 333 generates an authentication request ID (ST214). Next, the authentication request ID generation module 333 delivers the generated authentication request ID to the authentication request ID transmission module 3351.

The authentication request ID transmission module 3351 accepts the authentication request ID from the authentication request ID generation module 333. Next, the authentication request ID transmission module 3351 transmits the accepted authentication request ID and the mail address that can be received by the mail authentication device 3 to the client device 10 via the network 9 (ST216).

Client device 10 receives the authentication request ID and the mail address from mail authentication device 3 (ST217).

The client device 10 transmits an electronic mail including an authentication request ID via the network 9 in response to a user operation (ST218). The e-mail transmission destination e-mail address is an e-mail address received from the e-mail authentication apparatus 3 and is an e-mail address that can be received by the e-mail authentication apparatus 3. Further, the authentication request ID included in the e-mail may be described in either the text or the subject. Furthermore, the authentication request ID included in the e-mail may be encrypted.

Then, the mail receiving module 336 receives an electronic mail from the client device 10 (ST219). At this time, the mail receiving module 336 may determine whether or not the mail address of the transmission source of the received electronic mail has been camouflaged. The received mail reading module 337 performs processing only when the mail receiving module 336 determines that the sender's mail address is not impersonated.

Subsequently, the received mail reading module 337 acquires the transmission source mail address and the authentication request ID from the electronic mail received by the mail receiving module 336. Next, the received mail reading module 337 creates a new record in the authentication request ID correspondence table 3411. Next, the received mail reading module 337 stores the acquired authentication request ID in the authentication request ID 34112 of the created new record. Next, received mail reading module 337 stores the acquired transmission source mail address in transmission source mail address 34113 of the created new record (ST220).

On the other hand, the client device 10 transmits an authentication request including the authentication request ID to the mail authentication device 3 via the network 9 (ST221). Note that the authentication request ID included in the authentication request may be encrypted.

Then, authentication request receiving module 3322 receives the authentication request from client device 10 (ST222). When receiving the authentication request, the authentication request receiving module 3322 requests the authentication module 338 to perform authentication.

Subsequently, upon receiving an authentication request, the authentication module 338 acquires an authentication request ID from the authentication request received by the authentication request receiving module 3322. Next, the authentication module 338 selects from the authentication request ID correspondence table 3411 a record in which the acquired authentication request ID matches the authentication request ID 34112 of the authentication request ID correspondence table 3411. Subsequently, the authentication module 338 extracts the transmission source mail address 34113 from the selected record. Note that the authentication module 338 determines that authentication is not possible when the source mail address 34113 cannot be extracted. If the authentication module 338 determines that the authentication is impossible, the authentication module 338 delivers the authentication result to the authentication result transmission module 339 as the authentication result. On the other hand, the authentication module 338 selects, from the user management table 342, a record in which the extracted transmission source mail address 34113 matches the mail address 3422 of the user management table 342 (FIG. 6) (ST223). The authentication module 338 determines that authentication is not possible when a record with a matching email address cannot be extracted from the user management table 342. If the authentication module 338 determines that the authentication is impossible, the authentication module 338 delivers the authentication result to the authentication result transmission module 339 as the authentication result. In the first embodiment, the authentication module 338 determines that a user who is not registered in advance in the user management table 342 is not authenticated. However, the authentication module 338 may authenticate a user who is not registered in advance in the user management table 342 as a new user. In this case, the authentication module 338 generates a new user ID when the record having the same mail address cannot be extracted from the user management table 342. At this time, the authentication module 338 generates a user ID so as not to overlap with all the user IDs 3421 included in the user management table 342. Next, the authentication module 338 newly generates a record in the user management table 342. Next, the authentication module 338 stores the generated user ID in the user ID 3421 of the generated new record. Further, the authentication module 338 stores the extracted transmission source mail address 34113 in the mail address 3422 of the generated new record. As a result, the authentication module 338 associates the generated user ID with the mail address of the transmission source acquired from the electronic mail and stores them in the user management table 342. Then, the authentication module 338 authorizes the user corresponding to the destination mail address acquired from the e-mail as a new user. Note that the authentication module 338 may receive information specific to the registered user from the client device 10. Then, the authentication module 338 stores the received unique information of the user in the newly generated record. Note that the user's unique information may be included in the authentication request or may be transmitted alone.

On the other hand, the authentication module 338 determines that authentication is possible when a record having a matching email address can be selected. Next, the authentication module 338 hands over authentication to the authentication result transmission module 339 as an authentication result. As a result, the authentication module 338 can identify the user who is operating the client computer 10 that issued the authentication request. Specifically, the authentication module 338 extracts the user ID 3421 from the selected record. Then, the authentication module 338 specifies that the user operating the client computer 10 that issued the authentication request identified by the acquired authentication request ID is a user identified by the extracted user ID 3421. Note that the authentication module 338 may include user-specific information corresponding to the extracted user ID 3421 in the authentication result.

The authentication result transmission module 339 accepts the authentication result from the authentication module 338. Next, the authentication result transmission module 339 transmits the accepted authentication result to the client device 10 via the network 9 (ST224).

Then, the client device 10 receives the authentication result from the mail authentication device 3 (ST225).

As described above, the user of the client device 10 can receive personal authentication without entering a user ID and password. Therefore, there is no risk that the user ID and password are given up. Further, the user of the client device 10 does not need to manage the user ID and password. As described above, the present embodiment does not require management of the user ID and password by the user of the client device 10. Further, it is possible to save the user from entering the user ID and password. Furthermore, there is no risk of the user ID and password being praised. That is, the personal authentication system of this embodiment can authenticate a user safely and conveniently.

(Twelfth embodiment)
Although the personal authentication system of the twelfth embodiment will be described below, the same reference numerals are used for the same portions as those of the personal authentication systems of the first and eleventh embodiments, and the description is omitted.

In the personal authentication system of the eleventh embodiment, the mail authentication device 3 generates an authentication request ID. However, in the personal authentication system of the twelfth embodiment, the client device 10 generates an authentication request ID. The personal authentication system of the twelfth embodiment can be applied to any of the first to tenth personal authentication systems. Here, the case where it applies to the authentication system of 1st Embodiment is demonstrated.

A client device 10 according to the twelfth embodiment will be described. The client device 10 transmits an authentication request ID acquisition request to the mail authentication device 3 by a user operation. Then, the client device 10 receives the authentication request ID generation information and the e-mail address that can be received by the mail authentication device 3 from the mail authentication device 3. The authentication request ID generation information is information for the client device 10 to generate an authentication request ID. For example, it is a client side program written in Java (registered trademark) Script. The client device 10 generates an authentication request ID based on the received authentication request ID generation information. For example, the client device 10 generates an authentication request ID using at least one of time and random numbers. The generated authentication request ID must be unique. Therefore, the number of character strings of the authentication request ID generated by the client device 10 is set to a sufficient length according to the number of users authenticated by the mail authentication device 3 within a predetermined time.

The client device 10 transmits an e-mail that includes the authentication request ID in the text or the subject in response to a user operation. The e-mail transmission destination e-mail address is an e-mail address received from the e-mail authentication apparatus 3 and is an e-mail address that can be received by the e-mail authentication apparatus 3.

The client device 10 transmits an authentication request including the generated authentication request ID to the mail authentication device 3.

Next, the mail authentication device 3 according to the twelfth embodiment will be described. FIG. 22 is a functional block diagram of the mail authentication device 3 according to the twelfth embodiment. The auxiliary storage device 34 of the mail authentication device 3 stores an authentication program 300 of the twelfth embodiment. When the authentication program 300 of the twelfth embodiment is executed, the main storage device 33 of the mail authentication device 3 includes a main module 331, an authentication request ID acquisition request reception module 3324, an authentication request reception module 3322, and an authentication request ID transmission. A module 3352, a mail reception module 336, a received mail reading module 337, an authentication module 338, and an authentication result transmission module 339 are stored.

Since the authentication request receiving module 3322, the mail receiving module 336, the received mail reading module 337, the authentication module 338, and the authentication result transmitting module 339 are the same as those provided in the mail authentication device 3 of the eleventh embodiment, description thereof is omitted.

The main module 331 performs processing of an authentication request ID acquisition request reception module 3324, an authentication request reception module 3322, an authentication request ID transmission module 3352, a mail reception module 336, a received mail reading module 337, an authentication module 338, and an authentication result transmission module 339. Supervise.

The authentication request ID acquisition request reception module 3324 receives an authentication request ID acquisition request from the client device 10. Upon receiving the authentication request ID acquisition request, the authentication request ID acquisition request reception module 3324 requests the authentication request ID transmission module 3352 to transmit the authentication request ID generation information and an email address that can be received by the mail authentication device 3.

The authentication request ID transmission module 3352 transmits the authentication request ID generation information and the email address that can be received by the mail authentication device 3 to the client device 10.

Next, processing of the personal authentication method of the twelfth embodiment will be described with reference to the drawings. FIG. 23 is a sequence diagram of processing of the personal authentication method of the twelfth embodiment.

The client device 10 transmits an authentication request ID acquisition request to the mail authentication device 3 via the network 9 in response to a user operation (ST211).

Then, authentication request ID acquisition request reception module 3324 receives an authentication request ID acquisition request from client device 10 (ST212). Then, the authentication request ID acquisition request reception module 3324 requests the authentication request ID transmission module 3352 to transmit authentication request ID generation information and an email address that can be received by the mail authentication device 3.

Upon receiving the request, authentication request ID transmission module 3352 transmits authentication request ID generation information and an email address that can be received by mail authentication device 3 to client device 10 via network 9 (ST214).

Client apparatus 10 receives authentication request ID generation information and e-mail address that can be received by mail authentication apparatus 3 from mail authentication apparatus 3 (ST216).

Next, the client device 10 generates an authentication request ID based on the received authentication request ID generation information (ST217).

The client device 10 transmits an email including the generated authentication request ID via the network 9 in response to a user operation (ST218). The e-mail transmission destination e-mail address is an e-mail address received from the e-mail authentication apparatus 3 and is an e-mail address that can be received by the e-mail authentication apparatus 3. Further, the authentication request ID included in the e-mail may be described in either the text or the subject. Furthermore, the authentication request ID included in the e-mail may be encrypted.

Subsequent steps are the same as those of the personal authentication system of the eleventh embodiment, and a description thereof is omitted.

As described above, the user of the client device 10 can receive personal authentication without entering a user ID and password. Therefore, this embodiment makes it unnecessary to manage the user ID and password by the user of the client device 10. Further, it is possible to save the user from entering the user ID and password. Furthermore, there is no risk of the user ID and password being praised. That is, the personal authentication system of this embodiment can authenticate a user safely and conveniently.

It is a figure which shows schematic structure of the personal authentication system of 1st Embodiment. 2 is a block diagram of a configuration of a client device 10. FIG. 3 is a block diagram of a configuration of a mail authentication device 3. FIG. 3 is a functional block diagram of the mail authentication device 3. FIG. 4 is a configuration diagram of a mail address correspondence table 341 stored in an auxiliary storage device 34 of the mail authentication device 3. FIG. 4 is a configuration diagram of a user management table 342 stored in an auxiliary storage device 34 of the mail authentication device 3. FIG. It is a sequence diagram of a process of the personal authentication method of the first embodiment. It is a schematic block diagram of the personal authentication system of 2nd Embodiment. 3 is a functional block diagram of a mail authentication WEB apparatus 903. FIG. It is a sequence diagram of a process of the personal authentication method of the second embodiment. It is a schematic block diagram of the personal authentication system of 3rd Embodiment. It is a sequence diagram of a process of the personal authentication method of the third embodiment. It is a schematic block diagram of the personal authentication system of 5th Embodiment. It is a block diagram of a structure of ATM2010. It is a schematic block diagram of the personal authentication system of 6th Embodiment. 2 is a block diagram of a configuration of a reader device 2110. FIG. It is a functional block diagram of the mail authentication apparatus 3 of 10th Embodiment. It is a sequence diagram of a process of the personal authentication method of the tenth embodiment. It is a functional block diagram of the mail authentication apparatus 3 of 11th Embodiment. It is a block diagram of the authentication request ID corresponding | compatible table 3411 memorize | stored in the auxiliary storage device 34 of the mail authentication apparatus 3 of 11th Embodiment. It is a sequence diagram of a process of the personal authentication method of the eleventh embodiment. It is a functional block diagram of the mail authentication apparatus 3 of 12th Embodiment. It is a sequence diagram of the process of the personal authentication method of 12th Embodiment.

Explanation of symbols

1 Internet 3 Mail Authentication Device 5 Introduction Web Server 9 Network 10 Client Device 11 Transmission / Reception Unit 12 Central Processing Unit 13 Main Storage Device 14 Auxiliary Storage Device 15 Cash Handling Unit 16 Card Information Reading Unit 2010 ATM
2060 Mobile phone 2110 Reader device 20341 Authentication mail address correspondence table 20411 Client ID
31 Transmission / Reception Unit 32 Central Processing Unit 33 Main Storage Unit 34 Auxiliary Storage Unit 300 Authentication Program 331 Main Module 3321 Authentication Request Reception Module 3322 Authentication Request Reception Module 3323 Authentication Request ID Acquisition Request Reception Module 3324 Authentication Request ID Acquisition Request Reception Module 3325 Email address generation information acquisition request reception module 333 Authentication request ID generation module 334 Authentication email address generation module 335 Authentication email address transmission module 3351 Authentication request ID transmission module 3352 Authentication request ID transmission module 3353 Authentication email address generation information transmission module 336 Mail reception module 337 Received mail reading module 338 Authentication module 339 Authentication result transmission module 341 Authentication mail Address correspondence table 3411 Authentication request ID
3412 Authentication email address 3413 User email address 342 User management table 3421 User ID
3422 mail address 60 mobile phone 903 mail authentication WEB apparatus 923 ATM mail authentication apparatus 943 mail authentication dedicated WEB apparatus 9010 client apparatus 90300 authentication program 90335 authentication mail address transmission module 90339 authentication result transmission module

Claims (30)

An authentication computer connected to a plurality of client computers via a network and comprising a processor, a memory and an interface,
The processor is
Storing user information indicating correspondence between the user and the user's email address;
When an email is received, the destination email address and the sender email address are extracted from the received email,
Storing the correspondence between the extracted destination email address and the extracted sender email address in email address correspondence information;
When an authentication request is received from one of the plurality of client computers, a destination mail corresponding to the received authentication request is selected from among the destination mail addresses stored in the mail address correspondence information. Identify the address,
With reference to the email address correspondence information, the email address of the sender corresponding to the email address of the identified destination is specified,
Referring to the user information, the user corresponding to the identified email address of the sender is specified,
An authentication computer, wherein the received authentication request determines that authentication is requested by the identified user. The processor is
Of the email addresses that can be received by the authentication computer, assign an email address that is not assigned to any authentication request to an authentication request transmitted from one of the plurality of client computers,
Notifying the assigned email address to the client computer that sends the authentication request assigned the email address;
When an authentication request is received from one of the plurality of client computers, by specifying an email address assigned to the received authentication request, a correspondence destination is stored in the email address correspondence information. The authentication computer according to claim 1, wherein a mail address of a transmission destination corresponding to the received authentication request is specified from mail addresses. The authentication request includes a part or all of an email address assigned to the authentication request,
When the processor receives an authentication request from one of the plurality of client computers, it is assigned to the received authentication request by extracting a part or all of a mail address from the received authentication request. The authentication computer according to claim 2, wherein a specified mail address is specified. The processor is
When a certain amount of time has passed since the email address was assigned, the email address will be unassigned,
The authentication computer according to claim 2, wherein the email address that has been deallocated is reassigned. The processor is
Create a new email address that can be received by the authentication computer,
By assigning the created new mail address to an authentication request transmitted from one of the plurality of client computers, the mail address that can be received by the authentication computer is assigned to any of the authentication requests. 3. The authentication computer according to claim 2, wherein an unassigned mail address is assigned to an authentication request transmitted from one of the plurality of client computers.   The processor cancels the assignment of the created email address by invalidating the created email address when a predetermined time has elapsed since the email address was newly created. The authentication computer according to claim 5. The processor is
Determine whether the email address of the identified sender is forged,
2. The authentication computer according to claim 1, wherein when the specified sender mail address is camouflaged, the result of the received authentication request is determined to be unauthenticated.   The processor, referring to the user information, determines that the result of the received authentication request is unauthenticated when the user corresponding to the specified mail address of the transmission source cannot be specified. Item 4. The authentication computer according to item 1.   If the processor cannot identify a user corresponding to the identified sender's email address with reference to the user information, the processor uses the identified sender's email address as the email address of the new user. The authentication computer according to claim 1, wherein the authentication computer is stored in the storage. The user information further includes a correspondence between the user and information unique to the user,
The processor is
Referring to the user information to identify unique information corresponding to the identified user;
Receiving user-specific information from the client computer;
2. The authentication computer according to claim 1, wherein if the specified unique information matches the received unique information, the result of the received authentication request is determined to be authentic. The user information further includes correspondence between the user and a credit card owned by the user,
The processor is
Refer to the user information, determine the result of the received authentication request,
When it is determined that the received authentication request result can be authenticated, the credit card corresponding to the identified user is identified with reference to the user information,
Perform credit examination for the identified credit card,
The authentication computer according to claim 1, wherein if the result of credit examination is good, the specified credit card is allowed to be settled. The user information further includes a correspondence between the user and the user's account,
The processor is
With reference to the user information, the result of the received authentication request is determined. When the received authentication request is determined to be authenticable, an account corresponding to the specified user is specified with reference to the user information. ,
The authentication computer according to claim 1, wherein execution of a transaction for the specified account is permitted. An authentication system comprising: a plurality of client computers comprising a processor, a memory and an interface; and an authentication computer connected to the plurality of client computers via a network and comprising a processor, a memory and an interface,
The authentication computer is
Storing user information indicating correspondence between the user and the user's email address;
When an email is received, the destination email address and the sender email address are extracted from the received email,
Storing the correspondence between the extracted destination email address and the extracted sender email address in email address correspondence information;
When an authentication request is received from one of the plurality of client computers, a destination mail corresponding to the received authentication request is selected from among the destination mail addresses stored in the mail address correspondence information. Identify the address,
With reference to the email address correspondence information, the email address of the sender corresponding to the email address of the identified destination is specified,
Referring to the user information, the user corresponding to the identified email address of the sender is specified,
The authentication system, wherein the received authentication request determines that authentication is requested by the specified user. The authentication computer is
Of the email addresses that can be received by the authentication computer, assign an email address that is not assigned to any authentication request to an authentication request transmitted from one of the plurality of client computers,
Notifying the assigned email address to the client computer that sends the authentication request assigned the email address;
When an authentication request is received from one of the plurality of client computers, by specifying an email address assigned to the received authentication request, a correspondence destination is stored in the email address correspondence information. 14. The authentication system according to claim 13, wherein a mail address of a transmission destination corresponding to the received authentication request is specified from mail addresses. The authentication request includes a part or all of an email address assigned to the authentication request,
When the authentication computer receives an authentication request from one of the plurality of client computers, the authentication computer is assigned to the received authentication request by extracting a part or all of a mail address from the received authentication request. The authentication system according to claim 14, wherein a specified mail address is specified. The authentication computer is
When a certain amount of time has passed since the email address was assigned, the email address will be unassigned,
The authentication system according to claim 14, wherein the email address that has been deallocated is reassigned. The authentication computer is
Create a new email address that can be received by the authentication computer,
By assigning the created new mail address to an authentication request transmitted from one of the plurality of client computers, the mail address that can be received by the authentication computer is assigned to any of the authentication requests. 15. The authentication system according to claim 14, wherein an unassigned mail address is assigned to an authentication request transmitted from one of the plurality of client computers.   The authentication computer cancels the assignment of the created email address by invalidating the created email address when a predetermined time elapses after the email address is newly created. The authentication system according to claim 17. The authentication computer is
Determine whether the email address of the identified sender is forged,
The authentication system according to claim 13, wherein when the specified sender's mail address is camouflaged, the result of the received authentication request is determined to be unauthenticated.   The authentication computer refers to the user information, and determines that the result of the received authentication request is unauthenticated when the user corresponding to the specified mail address of the transmission source cannot be specified. The authentication system according to claim 13.   If the authentication computer cannot identify a user corresponding to the identified sender's email address with reference to the user information, the identified sender's email address is used as the new user's email address, and the user The authentication system according to claim 13, wherein the authentication system is stored in information. The user information further includes a correspondence between the user and information unique to the user,
The authentication computer is
Referring to the user information to identify unique information corresponding to the identified user;
Receiving user-specific information from the client computer;
The authentication system according to claim 13, wherein when the specified unique information matches the received unique information, the result of the received authentication request is determined to be authenticable. The user information further includes correspondence between the user and a credit card owned by the user,
The authentication computer is
Refer to the user information, determine the result of the received authentication request,
When it is determined that the received authentication request result can be authenticated, the credit card corresponding to the identified user is identified with reference to the user information,
Perform credit examination for the identified credit card,
The authentication system according to claim 13, wherein if the result of the credit examination is good, the specified credit card is allowed to be settled. The user information further includes a correspondence between the user and the user's account,
The authentication computer is
With reference to the user information, the result of the received authentication request is determined. When the received authentication request is determined to be authenticable, an account corresponding to the specified user is specified with reference to the user information. ,
The authentication system according to claim 13, wherein execution of a transaction for the specified account is permitted. The client computer is
Of the email addresses that can be received by the authentication computer, an email address that is not assigned to any of the authentication requests is assigned to an authentication request to be transmitted later,
Sending an authentication request to which the email address is assigned to the authentication computer;
When the authentication computer receives an authentication request from one of the plurality of client computers, the correspondence is stored in the mail address correspondence information by specifying the mail address assigned to the received authentication request. 14. The authentication system according to claim 13, wherein a destination mail address corresponding to the received authentication request is specified from among the destination mail addresses. The client computer is
Create a new email address that can be received by the authentication computer,
By assigning the created new e-mail address to an authentication request to be transmitted later, an e-mail address that is not assigned to any of the authentication requests among e-mail addresses that can be received by the authentication computer is subsequently transmitted. The authentication system according to claim 25, wherein the authentication system is assigned to an authentication request to be performed. A program executed by an authentication computer connected to a plurality of client computers via a network,
Storing user information indicating correspondence between the user and the user's email address;
Receiving an e-mail, extracting a destination e-mail address and a source e-mail address from the received e-mail; and
Storing the correspondence between the extracted destination email address and the extracted sender email address in email address correspondence information;
When an authentication request is received from one of the plurality of client computers, a destination mail corresponding to the received authentication request is selected from among the destination mail addresses stored in the mail address correspondence information. Identifying the address;
Referring to the email address correspondence information, identifying a sender email address corresponding to the identified recipient email address;
Referring to the user information, identifying a user corresponding to the identified sender email address;
The received authentication request includes a step of determining that authentication is requested by the specified user. Assigning an email address that is not assigned to any of the authentication requests among the email addresses that can be received by the authentication computer to an authentication request transmitted from one of the plurality of client computers;
Notifying the assigned email address to a client computer that transmits an authentication request assigned to the email address,
In the step of identifying the destination email address corresponding to the received authentication request from the destination email addresses stored in correspondence with the email address correspondence information, the address is assigned to the received authentication request. 28. The program according to claim 27, wherein a mail address is specified. An authentication system comprising: a plurality of client computers comprising a processor, a memory and an interface; and an authentication computer connected to the plurality of client computers via a network and comprising a processor, a memory and an interface,
The authentication computer is
Storing user information indicating correspondence between the user and the user's email address;
Upon receiving the e-mail, the authentication request identification information and the e-mail address of the transmission source are extracted from the received e-mail,
Storing the correspondence between the extracted authentication request identification information and the extracted mail address of the sender in the authentication request identification information correspondence information;
When an authentication request is received from one of the plurality of client computers, authentication request identification information that can identify the received authentication request from authentication request identification information stored in correspondence with the mail address correspondence information Identify
Referring to the authentication request identification information correspondence information, specify a mail address of a transmission source corresponding to the specified authentication request identification information,
Referring to the user information, the user corresponding to the identified email address of the sender is specified,
The authentication system, wherein the received authentication request determines that authentication is requested by the specified user.   30. The authentication system according to claim 29, wherein the authentication request identification information is an e-mail destination mail address.

Images