JP2013257806A - Authentication system, authentication method, proxy authentication processing device, terminal device, proxy authentication processing method, control method of terminal device, and program - Google Patents

Abstract

PROBLEM TO BE SOLVED: To perform such efficient authentication without imposing a load on a user that the user authentication can be collectively performed even when the user accesses a plurality of systems connected to a communication network.SOLUTION: A proxy authentication processing device comprises: means which authenticates a terminal device; and means which transmits a monitoring module to the terminal device. The terminal device, in which the monitoring module transmitted from the proxy authentication processing device is installed, comprises: means which monitors communication and detects access to systems; and means which transmits pieces of identification information of the systems to the proxy authentication processing device when access to the systems connected to a communication network is detected. The proxy authentication processing device further comprises means which transmits, to the systems identified by the pieces of identification information, pre-registered authentication information of the terminal device required for using the systems, when the pieces of identification information of the systems transmitted from the terminal device are received.

Description

  The present invention relates to an authentication system, an authentication method, an authentication processing proxy device, a terminal device, an authentication processing proxy method, a terminal device control method, and a program.

  In recent years, information processing systems often perform user authentication. Here, when a plurality of web systems are used from a terminal device or the like, the situation in which the user has to input an ID and a password for each of the plurality of web systems each time is for a user who performs an input operation. It ’s pretty cumbersome.

  In addition, when different IDs and passwords are required for each web system, it becomes more difficult for the user to remember all of these IDs and passwords without error as the number of systems to be used increases.

  Various techniques related to such a background are known (see, for example, Patent Document 1).

  Patent Document 1 describes a user authentication proxy method in which a user authentication proxy device that performs user authentication on a website is arranged between a user terminal that accesses a web server via the Internet and the web server. . More specifically, this method uses a URL (Uniform Resource Locator) of a website as information related to a series of user authentication processes performed with a web server via the Internet by a user using a user terminal. The data stored by the user terminal for the user authentication from the web server and the user authentication data transmitted by the user terminal for the user authentication to the web server are stored as a set in the storage means. In this method, when a user specifies a URL of a website using an arbitrary user terminal, a connection request is transmitted to the web server indicated by the URL. In this method, when data is received from the web server, the received data is compared with the received data stored in advance in the storage means. If both are equal, the received data from the web server device is Instead of transferring to the terminal, transmission data for user authentication stored in advance in the storage means is transmitted to the web server instead of the user terminal. Thus, depending on this method, user authentication can be performed by single sign-on for any website that requires user authentication.

JP 2002-032340 A

  The technique described in Patent Literature 1 solves the above-described problems by providing an authentication proxy. However, since the authentication proxy finally starts the authentication process after reaching the time point at which the authentication is necessary, the execution speed becomes slow as a whole. Moreover, since it is necessary to consider the existence of the proxy on both the web system side and the user terminal side when constructing the system, it is not easy to construct the system.

  An object of the present invention is to provide an authentication system, an authentication method, an authentication processing proxy device, a terminal device, an authentication processing proxy method, a terminal device control method, and a program that solve the above-described problems.

  In order to solve the above problems, according to an authentication system of the present invention, a terminal device connected to a system that requires authentication via a communication network, and an authentication process connected to the system and the terminal device via a communication network The authentication processing proxy device has a means for authenticating the terminal device and a means for transmitting the monitoring module to the terminal device for which authentication has been completed, and the monitoring module transmitted from the authentication processing proxy device is incorporated. The received terminal device monitors the communication, and when there is access to the system, means for detecting it, and when detecting access to the system connected to the communication network, the identification information of the system Is transmitted to the authentication processing proxy device, and the authentication processing proxy device receives the system identification information transmitted from the terminal device. Further includes the system identified by the identification information, transmits the authentication information for the terminal device is required to use the system that has been previously registered, the means for performing an authentication process in place of the terminal device.

  According to the authentication method of the present invention, an authentication processing proxy device connected to a system requiring authentication and a terminal device via a communication network authenticates the terminal device connected to the communication network, and connects to the communication network. The authentication processing proxy device transmits a monitoring module to the terminal device that has been authenticated, and the terminal device incorporating the monitoring module transmitted from the authentication processing proxy device monitors the communication, and the system When a terminal device incorporating a monitoring module transmitted from an authentication processing proxy device detects access to a system connected to a communication network, The identification information of the system is transmitted to the authentication processing agent device, and the authentication processing agent device transmits the system information transmitted from the terminal device. If the terminal identification information is received, the terminal device authentication information necessary for using the pre-registered system is transmitted to the system identified by the identification information. A step of performing an authentication process;

  According to the authentication processing proxy device of the present invention, means for authenticating a terminal device connected to a system that requires authentication via a communication network, means for transmitting a monitoring module to the terminal device for which authentication has been completed, When the system identification information transmitted from the terminal device is received, the terminal device authentication information necessary for using the pre-registered system is transmitted to the system identified by the identification information. And means for performing an authentication process instead of the terminal device.

  According to the terminal device of the present invention, the communication is monitored, and when there is an access to the system connected to the communication network, the means for detecting the access and the access to the system connected to the communication network are detected. In this case, the system includes means for transmitting the identification information of the system to an authentication processing proxy device connected to the communication network.

  According to the authentication processing proxy method of the present invention, a step of authenticating a terminal device connected to a system that requires authentication via a communication network, a step of transmitting a monitoring module to the terminal device that has been authenticated, When the system identification information transmitted from the terminal device is received, the terminal device authentication information necessary for using the pre-registered system is transmitted to the system identified by the identification information. And a step of performing authentication processing instead of the terminal device.

  According to the method for controlling a terminal device of the present invention, the step of monitoring communication and detecting when there is an access to a system connected to the communication network, and the access to the system connected to the communication network are detected. And detecting the system identification information to the authentication processing proxy device connected to the communication network.

  According to the program of the present invention, means for authenticating a terminal device connected via a communication network to a system requiring authentication, means for transmitting a monitoring module to the terminal device for which authentication has been completed, and terminal device When receiving the identification information of the system transmitted from the terminal, the authentication information of the terminal device necessary for using the pre-registered system is transmitted to the system identified by the identification information, and the terminal It functions as a means for performing authentication processing instead of the device.

  According to the program of the present invention, a computer monitors communication and detects when there is access to a system connected to a communication network, and detects access to a system connected to the communication network. In this case, the identification information of the system is made to function as means for transmitting to the authentication processing proxy device connected to the communication network.

  As is apparent from the above description, according to the present invention, when accessing a system that requires authentication, even if there are a large number of systems to be accessed, it is possible to perform authentication in a lump, and it is labor-intensive for the user himself / herself. Efficient authentication can be performed without imposing a burden on the screen.

It is a figure which shows the utilization environment of the authentication system which concerns on one Embodiment. 2 is a diagram showing a block configuration of a terminal device 10. FIG. 3 is a configuration diagram showing a block configuration of an authentication processing proxy device 20. FIG. It is a figure which shows the data structure as an example of the information stored in user IDDB207. It is a figure which shows the data structure as an example of the user ID and password stored in authentication system DB206. It is a figure which shows the block configuration of system A30 which requires personal authentication. It is a figure which shows the block configuration of system B40 which requires personal authentication. It is a figure which shows the structure of the data stored in user IDDB303. It is a figure which shows the structure of the data which user IDDB404 stores. It is a figure which shows operation | movement at the time of creating a new ID and establishing the session with respect to the authentication processing proxy device 20. FIG. It is a figure which shows operation | movement in the case of establishing the session with respect to the authentication process proxy apparatus 20 using the existing ID. 6 is a diagram illustrating an operation when registering authentication information in the authentication processing proxy device 20 after a session between the terminal device 10 and the authentication processing proxy device 20 is started. FIG. FIG. 10B is a diagram (1/2) illustrating an operation in a case where forward authentication is performed in the authentication processing proxy device 20 after a session between the terminal device 10 and the authentication processing proxy device 20 is started. It is a figure which shows the operation | movement in the case of performing proactive authentication in the authentication process proxy device 20 after the session of the terminal device 10 and the authentication process proxy device 20 is started (2/2). It is a figure which shows operation | movement in the case of cut | disconnecting the session of the terminal device 10 and the authentication process proxy apparatus 20, and ending the utilization of the authentication process proxy apparatus 20. FIG.

  Hereinafter, the present invention will be described through embodiments of the invention. However, the following embodiments do not limit the claimed invention, and all combinations of features described in the embodiments are described below. However, this is not always essential for the solution of the invention.

  FIG. 1 shows a use environment of an authentication system according to an embodiment. In the figure, the authentication system of this embodiment includes a terminal device 10, an authentication processing proxy device 20, a system A30 that requires personal authentication, a system B40 that requires personal authentication, and a network 500. The terminal device 10, the authentication processing proxy device 20, the system A30 (web system) that requires personal authentication, and the system B40 (web system) that requires personal authentication via a network 500 including the Internet as a component. Are connected to each other. Here, the network 500 may be the Internet or an intranet. The network connection may be via a router or a mobile phone communication network, and the terminal has a short-range wireless communication function such as a wireless LAN (Local Area Network), which is used for short-range wireless communication. May be connected to the Internet or the like via a base station (or access point in the case of a wireless LAN).

  Only the terminal device 10 is shown as a terminal device that accesses a system that requires personal authentication. However, the number of terminal devices that access a system that requires personal authentication is arbitrary, and the installation location is also arbitrary.

  Moreover, the system which requires user authentication shows only two systems, system A30 which requires user authentication and system B40 which requires user authentication. However, the number of systems that require personal authentication is arbitrary. These systems that require online personal authentication have a function that works in conjunction with the authentication processing proxy device 20 that manages the common authentication information so that the common authentication information can be used.

  The user of the terminal device 10 receives the pre-authentication of the authentication processing proxy device 20 in advance and registers the ID and password necessary for authentication in a system that requires personal authentication. By performing this pre-authentication and registration, the authentication process can be performed without performing the authentication procedure from the terminal device 10 to the system A30 requiring the personal authentication from the terminal device 10 or the system B40 requiring the personal authentication. The terminal device 10 can access the system A30 or the system B40 by an authentication procedure performed by the proxy device 20. In order to enable this, the authentication processing proxy device 20 installs a monitoring module that holds a URL registered in advance in the terminal device 10 when the pre-authentication is completed. Thereby, the authentication processing proxy device 20 can recognize that an access to a system that requires personal authentication is about to be made, and can cause the system to authenticate the user of the terminal device 10. That is, the authentication processing proxy device 20 also sends the authentication information ahead of the above-described system that requires the user authentication, the system refers to the authentication information, authenticates, and notifies the terminal device 10 of the result. To do.

  In this way, the user of the terminal device 10 does not need to prepare the authentication information prepared for each system that requires the above-described personal authentication, and performs an authentication operation for each system. There is no need.

  The terminal device 10 has a network connection function and has an operation requiring authentication, such as a mobile phone, a smartphone, another device (for example, a game machine, a tablet PC (Personal Computer), a notebook PC, a PDA (Personal). Data Assistants)) and the like.

  FIG. 2 is a configuration diagram illustrating a block configuration of the terminal device 10. The terminal device 10 illustrated in the figure includes a basic function unit 101, a web browser 102, and a monitoring module 103.

  The basic function unit 101 is a component that controls the basic functions of the terminal device 10. The basic function unit 101 activates the web browser 102 based on an operation from the user, and further inputs an address (URL) of an access destination system and an ID and password necessary for access on the web browser 102. Display a screen for Further, the basic function unit 101 transmits information (ID and password) input on the displayed screen to the authentication processing proxy device 20, the system A30 that requires personal authentication, or the system 40 that requires personal authentication. This transmission is via the network 500. Further, the basic function unit 101 accesses the authentication processing proxy device 20 in order to receive authentication in the authentication processing proxy device 20. After the pre-authentication is completed, the authentication processing proxy device 20 transmits a monitoring module 103 for monitoring network communication of the terminal device 10 to the terminal device 10. After receiving the monitoring module 103, the basic function unit 101 executes processing to be incorporated into the terminal device 10 as the monitoring module 103.

  The web browser 102 passes information input from the user to the basic function unit 101. Alternatively, the web browser 102 receives the information transmitted from the authentication processing proxy device 20, the system A30 that requires personal authentication, or the system B40 that requires personal authentication from the basic function unit 101, and displays the screen.

  The monitoring module 103 is a software module incorporated in the terminal device 10 in order to monitor network communication of the terminal device 10. After the completion of the incorporation, the monitoring module 103 constantly monitors access to other systems in the network communication of the terminal device 10. The monitoring module 103 is information stored in an authentication system DB 206 (FIG. 4) of the authentication processing proxy device 20 (to be described later), more specifically, information on a system that requires personal authentication (here, URL1, URL2, ...) is held. When the monitoring module 103 detects that the terminal device 10 has accessed a site that matches this information, the monitoring module 103 immediately notifies the communication monitoring unit 204 of the authentication processing proxy device 20 of the user ID and personal authentication in the authentication processing proxy device. Notify system information that requires Then, a proactive authentication unit 205 (FIG. 3), which will be described later, of the authentication processing proxy device 20 executes authentication proactively for access.

  FIG. 3 is a configuration diagram showing a block configuration of the authentication processing proxy device 20. The authentication processing proxy device 20 illustrated in the figure includes a basic function unit 201, an authentication system registration reception unit 202, a user authentication reception unit 203, a communication monitoring unit 204, a forward authentication unit 205, an authentication system DB 206 (database), and a user ID DB 207. (Database). In FIG. 3, the basic function unit 201 controls the function as the authentication processing proxy device 20. In addition, when the user accesses for pre-authentication via the terminal device 10, the basic function unit 201 requests the user authentication receiving unit 203 to perform processing. Based on the request from the user authentication receiving unit 203, the authentication system registration receiving unit 202 receives registration of information for executing authentication ahead of access via the authentication processing proxy device 20.

  Here, the information for performing the advance authentication specifically refers to information on the system A30 that requires the personal authentication and the system B40 that requires the personal authentication, and to authenticate these systems. ID and password. The authentication system registration receiving unit 202 receives these pieces of information and registers them in the authentication system DB 206. In addition, the user authentication reception unit 203 performs an authentication reception process via the terminal device 10 of the user who performs forward authentication by the authentication processing proxy device 20. On the other hand, the user terminal device 10 transmits the ID and password to the user authentication reception unit 203 of the authentication processing proxy device 20 via the terminal device 10.

  When receiving the ID and password, the user authentication receiving unit 203 performs a matching process between these pieces of information and information registered in the user ID DB 207. If there is matching information as a result of this matching processing, the user authentication receiving unit 203 regards that authentication is successful. However, the authentication system registration accepting unit 202 accepts in the new registration mode when registering a new ID and password at the time of pre-authentication, and stores the input ID and password in the user ID DB 207 in advance. Consider authentication successful. If the user desires after the authentication is successful, the authentication system registration reception unit 202 is requested to register information necessary for performing the advance authentication.

  The communication monitoring unit 204 continuously communicates with the monitoring module 103 stored in the terminal device 10 to confirm processing. When the communication monitoring unit 204 receives the notification of the start of advance authentication execution from the monitoring module 103, the communication monitor unit 204 instructs the advance authentication unit 205 to perform advance authentication. When the advance authentication unit 205 receives the notification of the start of the advance authentication execution from the communication monitoring unit 204, the advance authentication unit 205 receives the user ID and password used for authentication in a system that requires personal authentication corresponding to the notified information. Obtained from the authentication system DB 206. Thereafter, the advance authentication unit 205 uses this user ID and password to perform authentication on behalf of a system that requires personal authentication. The authentication here is processing for confirming that the user is a registered user. Here, the notified information is information notified from the monitoring module 103 and is information on a system that requires user ID and personal authentication in the authentication processing proxy device 20. The advanced authentication unit 205 does not perform the above authentication unless the user ID and password corresponding to the notified information for the system that requires the personal authentication are stored in the authentication system DB 206. The authentication system DB 206 in FIG. 3 stores information on a system that requires personal authentication, which is a target of advance authentication, and user authentication information corresponding thereto.

  FIG. 4 is a data configuration diagram illustrating a data configuration as an example of information stored in the user ID DB 207. As shown in the figure, the user ID DB 207 of the authentication processing proxy device 20 stores user ID and password information necessary for the authentication processing proxy device 20 to make a proxy authentication request. Note that the URL necessary for accessing the system is used as information on the system that requires personal authentication.

  FIG. 5 is a data configuration diagram illustrating a data configuration as an example of the user ID and password stored in the authentication system DB 206. The user ID and password shown in the figure are information referred to when the authentication processing proxy device 20 authenticates a user.

  FIG. 6 is a block diagram showing a block configuration of a system A30 that requires personal authentication. The system A30 requiring personal authentication exemplified in the figure includes a basic function unit 301, a user authentication receiving unit 302, a user ID DB 303, and a web application unit 304. The system A 30 that requires personal authentication is a system that can accept access from a user via the web browser 102 of the terminal device 10. When the system A 30 requiring user authentication receives an access from the user via the terminal device 10, the system A 30 requests an input of an ID and a password for confirming the user identity via the terminal device 10. In FIG. 6, a basic function unit 301 controls basic functions of the system A30 that requires personal authentication.

  When the user accesses the system A 30 that requires personal authentication via the terminal device 10, the basic function unit 301 instructs the user authentication reception unit 302 to perform reception processing corresponding to the access. When the basic function unit 301 receives the result of the authentication success from the user authentication reception unit 302, the basic function unit 301 transmits a notification permitting execution of the application to the web application unit 304. As described above, the user authentication reception unit 302 performs authentication reception processing for a user who has accessed.

  Normally, when a user accesses the system A30 that requires personal authentication via the terminal device 10, the user transmits an ID and a password to the system A30 via the terminal device 10. However, when the network processing related to the terminal device 10 is monitored by the authentication processing proxy device 20, the authentication processing proxy device 20 detects the access by the notification from the monitoring module 103 and performs the advance control. More specifically, the authentication processing agent device 20 detects the user ID and password registered in advance in the authentication system DB 206 from the authentication processing agent device 20 based on the detection, in a form that precedes the access. Send to. The user authentication reception unit 302 that has received the ID and password performs matching between the ID and password and information registered in the user ID DB 303, as in normal authentication processing.

  If there is matching information by this matching, it is regarded as authentication success, and the result of authentication success is reported to the basic function unit 301. In addition, when registering a new ID and password, the system accepts the ID and password in the new registration mode, and stores the input ID and password in the user ID DB 303. The user ID DB 303 stores user ID and password information for authenticating the system A30 that requires personal authentication. The web application unit 304 includes a web application (FIG. 6 shows an example thereof) that is executed in the system A30 that requires personal authentication, and executes the application. However, these web applications can be executed only when the basic function unit 301 is notified of permission to execute the web application.

  FIG. 8 is a data configuration diagram showing a configuration of data stored in the user ID DB 303.

  FIG. 7 is a block diagram showing a block configuration of a system B40 that requires personal authentication. Here, the configuration of the system B40 that requires personal authentication conforms to the above-described configuration of the system A30 that requires personal authentication, and thus the description of the configuration and functions is omitted. The configuration of the user ID DB 404 is shown in FIG.

  In the following description, the operation of the authentication system according to the present embodiment will be described in detail with reference to the flowcharts shown in FIGS. Here, the preparatory stage authentication process shown in the flowcharts of FIGS. 10 and 11 is referred to as phase 1, and the authentication process using the advanced control function of the authentication processing proxy device 20 shown in the flowcharts of FIGS. To.

  FIG. 10 shows an operation when creating a new ID and establishing a session for the authentication processing proxy device 20. Hereinafter, the operation in the case where a new ID is created and a session for the authentication processing proxy device 20 is established will be described with reference to FIGS.

  First, the terminal device 10 accesses the authentication processing proxy device 20 based on a user operation. Then, the authentication processing proxy device 20 transmits to the terminal device 10 access screen information on which a new registration start or pre-authentication start instruction button is displayed. Here, when the user performs a new registration operation on the access screen displayed on the terminal device 10, the terminal device 10 transmits the ID and password to be newly registered to the authentication processing proxy device 20 (A1). The new registration ID and password are simply used to authenticate the authentication processing proxy device 20. Next, the authentication processing proxy device 20 registers the ID and password acquired by receiving the transmission in the user ID DB 207 (A2). Thereafter, the authentication processing proxy device 20 transmits the monitoring module 103 to the terminal device 10 (A3). The terminal device 10 introduces the received monitoring module 103 and activates the module, and starts a session with the authentication processing proxy device 20 (A4).

  If the user has established a session between the terminal device 10 and the authentication processing proxy device 20 in the past and the monitoring module 103 is already installed in the terminal device 10, the authentication processing proxy device 20 Therefore, the monitoring module 103 that has already been installed is held. Therefore, in this case, the authentication processing proxy device 20 confirms information on a system that requires personal authentication (hereinafter, this information is referred to as a URL), and only the URL that is not held at this time is stored in the terminal device 10. It is transmitted and included in the installed monitoring module 103. Thereafter, the terminal device 10 similarly activates the monitoring module 103 (detailed operation will be described with reference to FIG. 11).

  FIG. 11 shows an operation when a session for the authentication processing proxy device 20 is established using an existing ID. Hereinafter, the operation in the case of establishing a session for the authentication processing proxy device 20 using an existing ID will be described using the flowchart shown in FIG. 11 with reference to FIGS.

  First, the terminal device 10 accesses the authentication processing proxy device 20 based on a user operation. Then, the authentication processing proxy device 20 transmits to the terminal device 10 access screen information on which a new registration start or pre-authentication start instruction button is displayed. Here, when the user performs an operation for starting pre-authentication on the access screen displayed on the terminal device 10, the terminal device 10 transmits an ID and password for new registration to the authentication processing proxy device 20 (A5). Note that the ID and password for this new registration are also simply for receiving the authentication processing proxy device 20 authentication. Next, the authentication processing proxy device 20 receives the above ID and password, and searches the user ID DB 207 to verify whether there is information that matches the password (A6).

  If there is no match in the user ID DB 207 (A6: No), the authentication processing proxy device 20 requests the terminal device 10 to retransmit the ID and password (A7), and returns to step A6.

  On the other hand, when a match exists in the user ID DB 207 (A6: Yes), the authentication processing proxy device 20 transmits the monitoring module 103 to the terminal device 10 (A8). The terminal device 10 introduces and activates the received monitoring module 103 to its own device, and starts a session with the authentication processing proxy device 20 (A9).

  If a session between the terminal device 10 and the authentication processing proxy device 20 has been established in the past and the monitoring module 103 has already been installed in the terminal device 10, the authentication processing proxy device 20 is similar to the above. Transmits only the URL not owned by the monitoring module 103 to the terminal device 10 to be included in the built-in monitoring module 103. Thereafter, the terminal device 10 activates the monitoring module 103. In addition, after the authentication process in the above phase 1 is executed, the started session is continuously maintained until the session with the authentication processing proxy device 20 is explicitly disconnected from the terminal device 10.

  FIG. 12 shows an operation when registering authentication information in the authentication processing proxy device 20 after a session between the terminal device 10 and the authentication processing proxy device 20 is started. Hereinafter, referring to FIGS. 1 to 9, when the authentication information is registered in the authentication processing proxy device 20 after the session between the terminal device 10 and the authentication processing proxy device 20 is started using the flowchart shown in FIG. 12. The operation of will be described. Here, the authentication information is a URL indicating an access destination to the system A30 or the system B40, and an ID and a password used for authentication in the access destination system indicated by the URL.

  First, based on the user's operation, the terminal device 10 inquires of the authentication processing proxy device 20 whether or not the URL has already been registered in the authentication system DB 206 (A10). Upon receiving this introduction, the authentication processing proxy device 20 checks whether or not the URL for which the inquiry has been made is already registered in the authentication system DB 206 (A11). When the URL is not registered in the authentication system DB 206 (A11: No), the authentication processing proxy device 20 transmits a message to the terminal device 10 confirming whether or not to newly register the inquired URL. (A12). The terminal device 10 that has received the message responds that a new URL is to be registered (A13). Upon receiving the response, the authentication processing proxy device 20 newly registers the URL in the authentication system DB 206 (A14).

  Then, the authentication processing proxy device 20 requests the terminal device 10 to store the new URL in the monitoring module 103 (A15). This request is because the URL newly registered in the authentication processing proxy device 20 needs to be newly registered in the monitoring module 103 to ensure consistency. Upon receiving the request, the terminal device 10 registers a new URL in the monitoring module 103 (A16). Thereafter, the process waits until an ID and password registration request is transmitted from the authentication processing proxy device 20, and when the ID and password registration request is transmitted from the authentication processing proxy device 20, the terminal device 10 receives the ID and password. The data is transmitted to the authentication processing proxy device 20 (A18), and the processing ends.

  On the other hand, when the URL has already been registered in the authentication system DB 206 (A11: Yes), or when the URL is newly stored in the monitoring module 103 as the processing result of Step A15, the authentication processing proxy device 20 Then, registration of the ID and password for accessing the URL device (system that requires user authentication) is requested (A17). After that, it waits until the ID and password are transmitted from the terminal device 10, and when the ID and password are transmitted from the terminal device 10, the authentication processing proxy device 20 registers the received ID and password in the authentication system DB 206. (A19), the process is terminated. The ID and password are for receiving authentication of another system indicated by the URL.

  FIGS. 13 and 14 show an operation when the authentication processing proxy device 20 performs forward authentication after the session between the terminal device 10 and the authentication processing proxy device 20 is started. This advance authentication is continued unless a process for registering authentication information in the authentication processing proxy device 20 (see FIG. 12) or a process for disconnecting a session is executed. Hereinafter, with reference to FIGS. 1 to 9, the authentication processing proxy device 20 performs proactive authentication after the session between the terminal device 10 and the authentication processing proxy device 20 is started, using the flowcharts shown in FIGS. 13 and 14. The operation in the case of performing will be described.

  First, after the processing of phase 1 is completed, the monitoring module 103 of the terminal device 10 starts communication monitoring (that is, access to another system indicated by the URL) (A20). Next, in response to a user request, the terminal device 10 accesses a system that requires personal authentication (for example, the system A30 that requires personal authentication) (A21). The system that needs the personal authentication that has received the access transmits authentication screen information to the terminal device 10 (A22). The terminal device 10 that has received the authentication screen information displays an authentication screen on the web browser 102 based on the authentication screen information (A23). At that time, the monitoring module 103 of the terminal device 10 verifies whether or not it owns the URL of the authentication screen (A24). When the URL of the authentication screen is held in the monitoring module 103 (A24: Yes), the terminal device 10 transmits the held URL to the authentication processing proxy device 20 (A25).

  Upon receiving the URL, the authentication processing proxy device 20 searches the authentication system DB 206 and is necessary for accessing the system that requires the personal authentication having the URL received from the terminal device 10 that maintains the session. It is verified whether the ID and password are registered in the authentication system DB 206 (A26). When the registration is not performed, the processing as the authentication processing proxy device 20 is terminated. When the registration is performed, the authentication processing proxy device 20 transmits a signal indicating the start of the advance authentication to the terminal device 10 (A27). After that, the authentication processing proxy device 20 receives the ID and password, and information indicating that they are the ID and password transmitted in response to the access from the terminal device 10 (predetermined predetermined information code). It transmits to the system which requires said user authentication (A29), and complete | finishes a process after that.

  On the other hand, the terminal device 10 that has received the signal indicating the start of the advance authentication based on the process of step A27 displays a message indicating that the advance authentication is being performed, for example, on the display screen. Is notified (A28).

  When the URL of the authentication screen is not held in the monitoring module 103 (A24: No), the terminal device 10 instructs the user to perform an ID and password input operation. Then, the terminal device 10 transmits the ID and password input by this instruction to the above-described system that requires the personal authentication (A32).

  When receiving the information transmitted in step A29 or the information transmitted in step A32, the system requiring the user authentication performs personal authentication using the information (A30). If this authentication is successful, authentication success information is transmitted to the terminal device 10, and then the authentication process is terminated. If this authentication fails, the process ends. When the terminal device 10 receives the authentication success information (A31), the terminal device 10 ends the authentication process (a message indicating a successful authentication may be displayed before the end). Thereafter, the terminal device 10 can start a session with the system that requires the above-described personal authentication. If the terminal device 10 cannot receive the authentication success information even after a predetermined period of time has elapsed since the start of access, the terminal device 10 ends the processing as an authentication failure.

  FIG. 15 shows an operation when the session between the terminal device 10 and the authentication processing proxy device 20 is disconnected and the use of the authentication processing proxy device 20 is terminated.

  First, the terminal device 10 transmits a signal instructing session disconnection to the authentication processing proxy device 20 (A33). Upon receiving this signal, the authentication processing proxy device 20 performs processing for removing the terminal device 10 from the monitoring target (A34), and then ends the processing. The terminal device 10 verifies whether or not the monitoring module 103 should be deleted after transmitting the above-described signal for disconnecting the session (this verification may be performed by asking the user) (A35). ). If the monitoring module 103 should be deleted, the monitoring module 103 is deleted (A36). If the monitoring module 103 should not be deleted, the processing is terminated as it is.

  As described above, according to the authentication system according to this embodiment, there is an effect that it is possible to eliminate the need to input an ID and a password for a system that provides a service online. The reason is that all IDs and passwords necessary for the access can be registered in the authentication processing proxy device 20 in advance for each system that requires personal authentication to be used. That is, as a result of this registration, the user of the terminal device 10 can authenticate the authentication processing proxy device 20 to the authentication processing proxy device 20 as long as it has already authenticated itself to the authentication processing proxy device 20 in advance. Can do. As a result, there is an effect that a plurality of systems providing services on an online network such as the Internet can be smoothly utilized. Furthermore, since the above authentication is performed by performing double authentication of authentication by the authentication processing proxy device 20 and authentication by the above-described system that requires personal authentication, the reliability of personal authentication can be increased. it can.

  A part or all of the above-described embodiment can be described as in the following supplementary notes, but is not limited thereto.

  (Supplementary Note 1) A terminal device connected to a communication network and an authentication processing proxy device connected to the communication network, the authentication processing proxy device authenticating the terminal device, and the authentication is completed The terminal device having a means for transmitting a monitoring module to the terminal device and incorporating the monitoring module transmitted from the authentication processing proxy device monitors communication and is able to access a system that requires authentication. Means for detecting it, and means for transmitting identification information of the system to the authentication processing proxy device when access to the system connected to the communication network is detected, When the authentication processing proxy device receives the system identification information transmitted from the terminal device, the authentication processing proxy device Transmits the authentication information of the terminal device necessary for using the system which has been registered in advance, further authentication system having means for performing the authentication process instead of the terminal device.

  (Supplementary Note 2) The authentication according to supplementary note 1, wherein the authentication processing proxy device further includes means for storing the authentication information necessary for the terminal device to use the system in association with the identification information of the system. system.

  (Additional remark 3) The said authentication process surrogate apparatus is further provided with the means to transmit to the said terminal device the information which notifies that authentication is started when performing an authentication apparatus instead of the said terminal device. Authentication system.

  (Supplementary Note 4) When the terminal device in which the monitoring module is incorporated receives information notifying that the authentication is started from the authentication processing proxy device, the terminal device replaces the terminal device until the authentication processing is completed. The authentication system according to appendix 3, further comprising means for displaying information notifying that the authentication device is performing authentication processing.

  (Supplementary Note 5) An authentication processing proxy device connected to a communication network authenticates a terminal device connected to the communication network, and an authentication processing proxy device connected to the communication network has completed the authentication. A step of transmitting a monitoring module to a device; and when the terminal device incorporating the monitoring module transmitted from the authentication processing proxy device monitors communication and accesses the system, And when the terminal device incorporating the monitoring module transmitted from the authentication processing proxy device detects access to the system connected to the communication network, the identification information of the system is A step of transmitting to the authentication processing agent device; and an identification of a system transmitted from the terminal device by the authentication processing agent device When the information is received, the authentication information of the terminal device necessary for using the system registered in advance is transmitted to the system identified by the identification information, and instead of the terminal device. An authentication method comprising a step of performing an authentication process.

  (Appendix 6) Means for authenticating a terminal device connected to a communication network, means for transmitting a monitoring module to the terminal device for which the authentication has been completed, and receiving system identification information transmitted from the terminal device In this case, the authentication information of the terminal device necessary for using the system registered in advance is transmitted to the system identified by the identification information, and authentication processing is performed instead of the terminal device. An authentication processing proxy device comprising means for performing.

  (Supplementary note 7) When communication is monitored and access to a system connected to a communication network is detected, means for detecting the access and when access to a system connected to the communication network is detected, A terminal device comprising means for transmitting identification information of the system to an authentication processing proxy device connected to the communication network.

  (Appendix 8) Authenticating a terminal device connected to a communication network, transmitting a monitoring module to the terminal device that has been authenticated, and receiving system identification information transmitted from the terminal device In this case, the authentication information of the terminal device necessary for using the system registered in advance is transmitted to the system identified by the identification information, and authentication processing is performed instead of the terminal device. An authentication processing proxy method comprising a step of performing.

  (Supplementary Note 9) When monitoring communication and detecting access to a system connected to a communication network, and detecting access to a system connected to the communication network, A method for controlling a terminal device, comprising: transmitting identification information of the system to an authentication processing proxy device connected to the communication network.

  (Supplementary Note 10) Means for authenticating a computer to a terminal device connected to a communication network, means for transmitting a monitoring module to the terminal device for which the authentication has been completed, and system identification information transmitted from the terminal device If received, the authentication information of the terminal device necessary for using the system registered in advance is transmitted to the system identified by the identification information, and authentication processing is performed instead of the terminal device. A program that functions as a means of performing

  (Supplementary Note 11) Means for detecting when a computer monitors communication and accesses a system connected to a communication network, When detecting access to a system connected to the communication network And a program for causing the identification information of the system to function as means for transmitting to the authentication processing proxy device connected to the communication network.

10 Terminal device 20 Authentication processing proxy device 30, 40 System 101, 201, 301, 401 that requires user authentication Basic function unit 102 Web browser 103 Monitoring module 202 Authentication system registration receiving unit 203, 302, 402 User authentication receiving unit 204 Communication monitoring unit 205 Advanced authentication unit 206 Authentication system DB
207, 303, 403 User ID DB
304 Web application section 500 network

Claims (10)

A terminal device connected via a communication network to a system that requires authentication;
An authentication processing proxy device connected to the system and the terminal device via the communication network,
The authentication processing proxy device
Means for authenticating the terminal device;
Means for transmitting a monitoring module to the terminal device for which the authentication has been completed;
The terminal device in which the monitoring module transmitted from the authentication processing proxy device is incorporated,
Means for monitoring communications and detecting when there is access to the system;
Means for transmitting identification information of the system to the authentication processing agent device when access to the system connected to the communication network is detected;
The authentication processing proxy device
When the identification information of the system transmitted from the terminal device is received, the authentication information of the terminal device necessary for using the system registered in advance is used for the system identified by the identification information. An authentication system further comprising means for transmitting and performing an authentication process instead of the terminal device. The authentication processing proxy device
The authentication system according to claim 1, further comprising means for storing the authentication information necessary for the terminal device to use the system in association with the identification information of the system. The authentication processing proxy device
3. The authentication system according to claim 1, further comprising: means for transmitting, to the terminal device, information for notifying that authentication is started when performing the authentication device instead of the terminal device. An authentication processing proxy device connected to the system requiring authentication and the terminal device via the communication network authenticates the terminal device connected to the communication network;
An authentication processing proxy device connected to a communication network transmits a monitoring module to the terminal device for which the authentication has been completed;
The terminal device in which the monitoring module transmitted from the authentication processing proxy device is incorporated, monitors communication and detects the access to the system; and
When the terminal device incorporating the monitoring module transmitted from the authentication processing proxy device detects access to a system connected to the communication network, the identification information of the system is sent to the authentication processing proxy device. Sending, and
When the authentication processing proxy device receives the system identification information transmitted from the terminal device, it is necessary to use the system registered in advance for the system identified by the identification information. An authentication method comprising a step of transmitting authentication information of the terminal device and performing authentication processing instead of the terminal device. Means for authenticating a terminal device connected via a communication network to a system requiring authentication;
Means for transmitting a monitoring module to the terminal device for which the authentication has been completed;
When the identification information of the system transmitted from the terminal device is received, the authentication information of the terminal device necessary for using the system registered in advance is used for the system identified by the identification information. An authentication processing proxy device comprising means for transmitting and performing authentication processing instead of the terminal device. Means for monitoring communication and detecting when there is access to a system connected to a communication network;
A terminal device comprising: means for transmitting identification information of the system to an authentication processing proxy device connected to the communication network when access to the system connected to the communication network is detected. Authenticating a terminal device connected via a communication network to a system requiring authentication;
Transmitting a monitoring module to the terminal device for which the authentication has been completed;
When the identification information of the system transmitted from the terminal device is received, the authentication information of the terminal device necessary for using the system registered in advance is used for the system identified by the identification information. An authentication processing proxy method comprising the step of transmitting and performing authentication processing instead of the terminal device. Monitoring communications and detecting if there is access to a system connected to a communications network;
A method for controlling a terminal device comprising: when detecting access to a system connected to the communication network, transmitting identification information of the system to an authentication processing proxy device connected to the communication network. Computer
Means for authenticating a terminal device connected via a communication network to a system requiring authentication;
Means for transmitting a monitoring module to the terminal device for which the authentication has been completed;
When the identification information of the system transmitted from the terminal device is received, the authentication information of the terminal device necessary for using the system registered in advance is used for the system identified by the identification information. A program that transmits and functions as means for performing an authentication process instead of the terminal device. Computer
Means for monitoring communications and detecting when there is access to a system connected to a communications network;
When detecting access to a system connected to the communication network, a program that functions as means for transmitting identification information of the system to an authentication processing proxy device connected to the communication network.

Images