JP2020035306A - Authentication system and method thereof, and program thereof - Google Patents

Abstract

To take security measures in response to various environments in which a terminal is used and various requests of a user who has made a connection request via a network.SOLUTION: In an authentication system, an authentication server authenticates an account of a user for a request transmitted via a network from a terminal used by the user. The authentication system includes a communication unit that receives a request including an account, an authentication control unit that controls authentication, a storage unit that stores an authentication management table for managing an authentication method corresponding to the account, and an authentication processing unit that executes the authentication method. The authentication control unit selects an authentication method corresponding to the account held by the request from the authentication management table, and the authentication processing unit executes the selected authentication method to authenticate the account.SELECTED DRAWING: Figure 1

Description

  The present invention relates to an authentication system and method, and a program thereof, and more particularly to authentication of a terminal and a user connected via a network.

  It is common practice to connect a terminal such as a personal computer, a smartphone, or a tablet to a target site or server via a network to acquire content or use an application. Information such as content to be accessed includes highly secure information such as personal information and confidential information. Therefore, security protection is achieved by rejecting a network connection in response to a request from an unauthorized user such as a terminal without access authority or an impersonation.

  As a user authentication technique for confirming a legitimate user, a technique of inputting a password from a user's terminal and verifying its consistency is general. Further, as a user authentication for enhancing security, for example, as disclosed in Patent Document 1, there is known a composite authentication system for performing authentication by combining biometric information such as a user's fingerprint, face, handwriting, and iris. Also, as disclosed in Patent Literature 1, as a device for authenticating both a terminal and a user, a communication network of the terminal is obtained by double authentication based on personal authentication of a terminal user. A multi-authentication system for a communication network that issues an access permission for is known.

JP-A-2003-186836 JP 2014-164359 A

  The techniques described in Patent Literatures 1 and 2 can certainly enhance security as compared with verification of only a password. On the other hand, there are various types of terminals used by users, such as those having advanced functions, those having weak security measures, and various environments in which these terminals are used. Furthermore, there are various functions of security measures required by the user. In order to meet the demands of these various security measures, the security measures described in Patent Documents 1 and 2 alone cannot be said to be sufficient. In addition, for a request for further strengthening security, the authentication function tends to be more complicated, but the cost tends to increase correspondingly.

  An object of the present invention is to provide an authentication system, a method, and a program capable of taking security measures in accordance with various environments in which a terminal is used and various requests of a user who have a connection request via a network. To provide.

  It is another object of the present invention to minimize the cost for authentication so that the operation of authentication is not complicated.

  It is still another object of the present invention to simplify the authentication procedure for a genuine user as much as possible, thereby improving user convenience.

  In a preferred example, the authentication system according to the present invention is an authentication system in which an authentication server authenticates a user account in response to a request sent via a network from a terminal used by the user, wherein the request including the account is provided. A communication unit that receives an authentication control unit that controls authentication, a storage unit that stores an authentication management table that manages an authentication method corresponding to the account, and an authentication processing unit that executes the authentication method. The authentication control unit has, from the authentication management table, selects the authentication method corresponding to the account that the request has, the authentication processing unit executes the selected authentication method, The authentication system is configured to authenticate an account.

  The present invention is also understood as an authentication method and an authentication program performed by the authentication system.

  According to the present invention, it is possible to take security measures in accordance with various environments in which a terminal is used or various requests of a user who have a connection request via a network. In addition, the cost for authentication can be reduced as much as possible, and the operation of authentication can be prevented from becoming complicated. In addition, the authentication procedure can be simplified as much as possible for a genuine user, thereby improving user convenience.

FIG. 2 is a diagram illustrating a configuration example of an authentication system. It is a figure showing the example of access permission DB. FIG. 4 is a diagram illustrating an example of an account authentication DB. FIG. 4 is a diagram illustrating an example of an authentication method adopted for each type of user. It is a figure showing the example of an initial registration DB. FIG. 9 is a sequence diagram illustrating a processing procedure of processing performed in the authentication system. It is a figure showing an example of an account ID input screen. FIG. 4 is a diagram illustrating an example of session data. It is a figure showing an example of an authentication error screen. FIG. 9 is a sequence diagram illustrating a processing procedure of a terminal authentication process. FIG. 9 is a sequence diagram illustrating a procedure of a mobile terminal authentication process. FIG. 9 is a sequence diagram illustrating a procedure of a device authentication process. It is a figure showing an example of a screen displayed on each PC and terminal.

  Hereinafter, an embodiment of an authentication system and a method thereof, and a program thereof according to the present invention will be described in detail with reference to the accompanying drawings.

[System configuration]
FIG. 1 is a diagram illustrating a configuration example of the authentication system 1000.
As shown in FIG. 1, an authentication system 1000 includes a user PC (Personal Computer) 100 for a user to obtain approval for using a content, and a mobile terminal (for example, a smart phone) 110 for authenticating the user with the mobile terminal. A device PC 120 for authenticating a user using a device (for example, a USB (Universal Serial Bus)) and an authentication server 200 for authenticating a user using an authentication method corresponding to the user are mutually connected via a network N1. Connected. The content server 300 is also connected to the network N1. The network N1 is a general communication network such as a WAN (Wide Area Network), for example. Although FIG. 1 shows one user PC 100, one portable terminal 110, and one device PC 120, a large number of these devices are actually connected.

  As shown in FIG. 1, the user PC 100 includes an application unit 101, a display unit 102, a communication I / F (interface) unit 103, and a control unit 104.

  The application unit 101 receives a use approval request from a user, and if the user is authenticated as a genuine user using an authentication method corresponding to the user, the application unit 101 performs viewing and operation of the content stored in the content server 300. The application to execute.

  The input display unit 102 includes, for example, an input / output device such as a touch panel, receives input of various information necessary for the authentication system from the user, processes various information obtained via the network N1, and processes the application unit 101. The displayed information and various screens used for authentication are displayed.

The communication unit I / F unit 103 includes, for example, a communication device such as a NIC (Network Interface Card) and manages transmission and reception of various information via the network N1.
The control unit 104 is configured by a processing device such as a CPU (Central Processing Unit), and controls the operation of each unit of the user PC 100.

  These functions of these units are realized by the control unit 104 executing a program. Specifically, the processing described below is realized by the CPU reading a program stored in a ROM (Read Only Memory) not shown, loading the program in a RAM (Random Access Memory), and executing the program.

  These programs may be downloaded from the network N1 via the communication unit I / F unit 103, loaded on the RAM, and executed by the CPU. Alternatively, the program may be directly loaded onto the RAM from a portable computer-readable storage medium such as a CD (Compact Disk) or a DVD (Digital Versatile Disk) and executed by the CPU. Specific operations of each unit of the user PC 100 will be described later with reference to sequence diagrams and flowcharts.

As shown in FIG. 1, the mobile terminal 110 includes a mobile terminal authentication unit 111, an input display unit 112, a communication I / F (interface) unit 113, and a control unit 114.
The mobile terminal authentication unit 111 is an application that performs authentication when the authentication method of the user who has requested use approval from the user PC 100 includes an authentication method using the mobile terminal 110 (mobile terminal authentication).

  The input display unit 112 receives input of various information for authentication, and displays various screens used in the present authentication system, such as an authentication result obtained via the network N1.

  The communication unit I / F unit 113 manages transmission and reception of various information via the network N1.

  The control unit 114 is a processing device such as a CPU, for example, and controls the operation of each unit of the mobile terminal 110.

  These functions of these units are realized by the control unit 114 executing a program. The specific operation of each unit of the mobile terminal 110 will be described later using a sequence diagram and a flowchart.

  As shown in FIG. 1, the device PC 120 includes an application unit 121, a device authentication unit 122, an input display unit 123, a communication I / F (interface) unit 124, and a device I / F (interface) unit 125. And a control unit 126.

  The application unit 121 receives a content use approval request from the user, and if the user is authenticated as a genuine user using an authentication method corresponding to the user, the application unit 121 performs viewing and listening of the content stored in the content server 300. An application that performs an action.

  The device authentication unit 122 is an application that performs authentication when the authentication method of the user who has requested use approval includes an authentication method using the device PC 120 (device authentication).

  The input display unit 123 accepts input of various information for authentication, and displays various screens used in the present authentication system, such as an authentication result obtained via the network N1.

  The communication unit I / F unit 124 controls transmission and reception of various information via the network N1.

  The device I / F unit 125 is an interface device such as a USB board, for example, and detects insertion and removal of various devices such as a USB.

  The control unit 126 is a processing device such as a CPU, for example, and controls the operation of each unit of the device PC 120.

  These functions are realized by the control unit 126 executing a program in each unit described above. The specific operation of each unit of the device PC 120 will be described later using a sequence diagram and a flowchart.

  The authentication server 200 is a server that selects a user authentication method in accordance with the user's account for which use approval has been requested from the user PC 100 or the device PC 120, and authenticates the user according to the selected authentication method.

  As illustrated in FIG. 1, the authentication server 200 includes a storage unit 201, a communication unit 202, an authentication control unit 204, and a control unit 205. Further, the authentication control unit 204 includes a password authentication unit 2041 for performing authentication based on a password match, a terminal authentication unit 2042 for performing authentication for specifying a user by using a registered terminal (browser), and a registered A mobile terminal authentication unit 2043 for performing authentication for specifying a user by owning a mobile terminal, and a device authentication unit 2044 for performing authentication for specifying a user by owning a registered device I have.

  The storage unit 201 is configured by a general storage device such as an HDD or an SSD, and stores an account authentication DB (Data Base) 2011. The storage unit 201 includes an access permission DB 2011 for confirming an authentication time period of access by a user and a connection source of a use approval request, and an account authentication DB 2012 for selecting an authentication method according to an account of a user who is permitted to access. And an initial registration DB 2013 for registering the user PC 100 used by the user for use approval, the portable terminal 110 used by the user for authentication, and the device PC 120. Specific configurations of the access permission DB 2011 (FIG. 2), the account authentication DB 2012 (FIG. 3), and the initial registration DB 2013 (FIG. 5) will be described later.

  The communication unit 202 is, for example, an NIC or a modem, and controls transmission and reception of various information via the network N1. The access control unit 203 executes a process in response to an access request (use approval request) from the user PC 100 or the like.

  The authentication control unit 204 refers to the account authentication DB 2012 and selects a predetermined authentication method from the password authentication unit 2041, the terminal authentication unit 2042, the mobile terminal authentication unit 2043, and the device authentication unit 2044 according to the user's account. Select and execute.

The password authentication unit 2041 authenticates a user with an account ID and a password.
The terminal authentication unit 2042 authenticates the user by terminal authentication.
The mobile terminal authentication unit 2043 authenticates the user by mobile terminal authentication.
The device authentication unit 2044 authenticates the user by device authentication.

  The control unit 205 is a processing device such as a CPU, for example, and controls the operation of each unit of the authentication server 200. The specific operation of each unit of the authentication server 200 will be described later using a sequence diagram and a flowchart. These functions are realized by the control unit 205 executing the program in each unit described above.

In the present authentication system, four authentication methods of “password authentication”, “terminal authentication”, “mobile terminal authentication”, and “device authentication” are employed for user and / or terminal authentication.
Here, in the password authentication, the user is authenticated by inputting a predetermined password. In that sense, it can be said that the user authentication method is the simplest method. The terminal authentication authenticates whether terminals such as the user's PC 100 and the device PC 120 are the same as those registered in the authentication system in advance.

  The mobile terminal authentication authenticates the user using a predetermined mobile terminal to determine whether the use environment such as the installation location of the user's PC 100 or the like and the use time zone is appropriate. Even in the environment where a plurality of users share the user PC 100, the users can be authenticated. This authentication method authenticates a user using personal information such as biometric information and a password registered in the mobile terminal in advance by the user himself. Since mobile terminals have a high penetration rate, there are many users who carry out business in a BYOD (Bring Your Own Device) environment. Therefore, by adopting “mobile terminal authentication”, the user can be easily authenticated with little risk without registering personal information that only the user can know in the authentication server 200.

  The device authentication is authentication for checking whether a device such as a USB attached to the device PC 120 has device authentication information registered in the initial registration DB 2013 in advance. By changing the device authentication information of the authentication device 130 provided for each user, the authentication devices 130 possessed by a plurality of users can be attached to the device PC 120 and authenticated. Therefore, it is possible to authenticate the user by a simple method without adding cost, and to share the device PC 120 with a plurality of users.

  The content server 300 provides the requested content to the user PC 100 and the device PC 120 that the authentication server 200 has authenticated.

[Authentication management method]
FIG. 2 is a diagram illustrating an example of the access permission DB 2011. As shown in FIG. 2, the access permission DB 2011 associates, for each account, a connection source condition indicating a condition for permitting access from a connection source IP address with a time condition indicating a time zone for permitting access. It is remembered. Since the IP address can be said to indicate the location of a terminal having the IP address, the connection condition can be called a locational condition.

  In FIG. 2, for example, when a user with an account ID “E2” is accessed from a user PC 100 with an IP address “192.168.0.0/24”, the connection source condition is permitted. Which indicates that. Furthermore, when the connection is in the working time zone “9:00 to 17:00”, it indicates that the time condition is permitted. That is, the user whose account ID is “E2” is not subjected to a user authentication process described later unless these connection source conditions and time conditions are permitted.

  Also, for example, a user whose account ID is “E2” indicates that access is not permitted from the user PC 100 whose IP address is “192.168.20.0/24” regardless of the connection time. ing. Further, when the connection time is “0:00 to 5:00”, which is a midnight time zone, it indicates that access is not permitted regardless of the IP address of the connection source. As described above, by confirming “who”, “when”, and “from where” the use approval request is made, a user who illegally accesses the authentication system 1000 can be identified before each authentication unit performs authentication processing. Can be eliminated in advance.

  FIG. 3 is a diagram illustrating an example of the account authentication DB 2012. As shown in FIG. 3, the account authentication DB 2011 includes an account of a user who is permitted to access, an authentication method of the user, an authentication connection source address indicating a location condition for permitting authentication of the account, An authentication connection time indicating a time condition for permitting authentication of the account that has made the authentication request is stored in association with the authentication connection time.

  FIG. 3 shows that, for example, the user of the account “C” needs authentication by two types of authentication methods, “password authentication” and “mobile terminal authentication (smartphone authentication)”.

  Also, for example, it indicates that the user of the account “F2” needs to be authenticated by two types of authentication methods, “terminal authentication” and “mobile terminal authentication”. Further, it indicates that the mobile terminal is to be authenticated when the user is accessed from an address other than “192.168.0.0/24” defined as the authentication connection source address.

  Further, for example, it indicates that the user of the account “F3” needs to be authenticated by two types of authentication methods, “terminal authentication” and “mobile terminal authentication”. Further, it indicates that the mobile terminal authentication is to be performed when the user is accessed at a time other than “09:00 to 17:00” (during working hours) defined as the authentication connection time.

  Also, for example, it indicates that the user of the account “G2” needs authentication by two types of authentication methods, “terminal authentication” and “device authentication”. Further, when this user is accessed from the address of “192.168.0.11/32” defined as the authentication connection source address, it indicates that device authentication is not performed (through). .

  Also, for example, it indicates that the user of the account “G3” needs to be authenticated by two types of authentication methods, “terminal authentication” and “device authentication”. Further, when this user is accessed at “09: 00 to 17:00” (during working hours) defined as the authentication connection time, it indicates that device authentication is not performed (through). .

  As described above, in this authentication system, a set of authentication methods suitable for the user can be selected from various authentication methods according to the user's account in response to the use approval request, and the user can be authenticated. Further, by determining the location condition and the time condition for each account, the user of the account can be individually authenticated, and the user can be authenticated using the time and location conditions. Moreover, in authentication using a set of authentication methods, the authentication method that secures the strongest security (“password authentication”, “terminal authentication”, and “mobile terminal authentication”) has been changed to the most convenient authentication method (“password authentication”). Authentication only) can provide optimal security in a wide range of environments.

  In the present authentication system, use approval is performed using the access permission DB 2011 shown in FIG. 2, and a set of authentication methods is selected and authenticated using the account authentication DB 2012 shown in FIG. Authentication can be performed by an authentication method according to time and location conditions. That is, in the present embodiment, an approval is made as to whether the time condition and the location condition (referred to as a first condition) are satisfied by using the access permission DB 2011, and then the authentication method (second condition) is performed by using the account authentication DB 2012. Since the authentication based on is performed, the former can be called the first authentication, and the latter can be called the second authentication. Further, in the second authentication, the account of F2, F3, G2, and G3 authenticates the location condition or the time condition, and therefore, these can be said to be more strict authentication.

  FIG. 4 is a diagram illustrating an example of an authentication method adopted for each type of user. FIG. 4 shows the relationship between the location condition (inside / outside the company) and the time condition for the user types “employee” and “non-employee”. As shown in FIG. 4, when the user's account is “employee”, when accessing from inside the company, the account and password authentication (convenient mild authentication regardless of during or outside of working hours) Method). On the other hand, in the case of access from outside the company, mobile terminal authentication (smartphone authentication) is performed in addition to the above-described authentication method in any time zone. This authentication is a strong authentication method because three authentication methods are performed. Also, if the user's account is "non-employee", if the access is from within the company, the account and password are authenticated during the working hours, while if the access is from outside the company, the user is authenticated during the working hours. If there is, terminal authentication and mobile terminal authentication (smartphone authentication) are further performed. Then, outside of working hours, access is prohibited, both inside and outside the company.

  As described above, by performing authentication using the access permission DB 2011 and the account authentication DB 2012, the authentication method is changed according to the type of the user, the locational condition, and the time condition so that a genuine user has a simple authentication method. Can be changed. That is, a setting 401 for dynamically changing the authentication method according to the type of the user, a setting 402 for dynamically changing the authentication method depending on the location, and a setting 403 for dynamically changing the authentication method depending on the time are possible. Conventionally, in order to authenticate an account, it was necessary to combine systems such as an authentication infrastructure, a VPN, and a certificate authority. However, in the authentication system according to the present embodiment, authentication with high security is performed by the authentication server 200 for each user. Can be realized. In the case of authentication using a combination of conventional systems, in general, the introduction cost becomes expensive, the operation management becomes complicated, and errors occur in the settings for authentication, including account definition and coordination. Although there is a risk, according to the authentication system of the present embodiment, easy and safe operation management can be performed at a low introduction cost.

  FIG. 5 is a diagram illustrating an example of the initial registration DB 2013. As shown in FIG. 5, in the initial registration DB 2013, an account of a user using the present authentication system is stored in association with password information, terminal authentication information, portable terminal authentication information, and device authentication information of the user. . In FIG. 5, for example, the user of the account “A” has a password “123” registered as password information, a tally “α (α1, α2)” registered as terminal authentication information, and a biometric code “ a "is registered, and the USB serial number" X0001 "is registered as device authentication information. Note that FIG. 5 illustrates a case where all the authentication methods are registered, but it is sufficient that at least the authentication method corresponding to the user account is registered.

[Authentication control]
FIG. 6 is a sequence diagram illustrating a processing procedure of processing performed in the authentication system 1000. As shown in FIG. 6, first, the application unit 101 of the user PC 100 displays an account ID input screen on which the user inputs an account on the input display unit 102 (S601).

  FIG. 7 is a diagram illustrating an example of an account ID input screen. As shown in FIG. 7, the account ID input screen includes an input field for inputting an account of a user who requests use approval from the user PC 100, and an OK button for transmitting the input account ID to the authentication server 200. Is displayed.

  When the OK button is pressed, the application unit 101 of the user PC 100 transmits the input account ID to the authentication server 200. The authentication control unit 204 of the authentication server 200 registers the account ID received from the user PC 100 in the session (S602). Specifically, the authentication control unit 204 generates session data, which is an example of a session management table to which a session ID corresponding to the account ID has been assigned, and stores the session data in the storage unit 201.

  FIG. 8 is a diagram illustrating an example of the session data. A session is a series of processes through a network from when a user makes a use approval request to when a result for the request is obtained, and the session data indicates a result of a process performed in a series of sessions. Data. The items held by the session data change according to the results of the processing described below. Here, as shown in FIG. 8A, session data in which a session ID and an account ID are associated is held. FIG. 8A shows that the session ID “S0001” has been assigned to the account ID “E”. The authentication control unit 204 refers to the access permission DB 2011 using the account ID associated with the session ID as a key, reads out the connection source condition and the time condition for the user of the account ID to access, and satisfies these conditions. It is determined whether it is an access (S603, S604).

  In S603, if the authentication control unit 204 determines that the access does not satisfy these conditions (S603; No, and / or S604; No), the fact is transmitted to the user PC 100, and the application unit of the user PC 100 101 displays an authentication error screen on the input display unit 102 (S605).

  FIG. 9 is a diagram illustrating an example of the authentication error screen. As shown in FIG. 9, the authentication error screen displays that the authentication has failed. By displaying the authentication error screen, the user can recognize that he or she does not satisfy the conditions for permitting access to the authentication system.

  If the authentication control unit 204 determines that the account of the user whose usage approval has been requested satisfies both the connection source condition and the time condition (first condition) (S603; Yes, S604; Yes), With reference to the account authentication DB 2012 using the account ID as a key, an authentication method (second condition) is read corresponding to the account ID (S606).

  For example, when the account ID is “E”, the authentication control unit 204 reads “password authentication” and “device authentication” as the authentication method. At this time, the authentication control unit 204 adds an item indicating the authentication result of each authentication method to the session data generated in S602, and replaces information “−” indicating that the item is not used for authentication with an item not used as the authentication method. Is written. FIG. 8B is a diagram illustrating an example of session data to which an item indicating an authentication result of each authentication method is added. In FIG. 8B, among the items indicating the authentication result of each authentication method added to the session data shown in FIG. 8A, "-" is used for "terminal authentication" and "mobile terminal authentication" which are not adopted. It can be seen that the data has been written.

  Further, the authentication control unit 204 refers to the account authentication DB 2012 using the account ID as a key, and determines whether the user of the account ID is a user satisfying the connection source address and / or the connection time (S607). , S608). Here, the user who satisfies the connection source address and / or the connection time is a user who can not execute (through) the authentication by each authentication method by satisfying these conditions.

  If the authentication control unit 204 determines that the user of the account ID is a user who has satisfied the authentication source connection address and / or the authentication connection time (S607; Yes, S608; Yes), the process proceeds to S615. On the other hand, when the authentication control unit 204 determines that the user of the account ID does not satisfy at least one of the connection source address and the connection time (S607; No, or S608; No), the process proceeds to S609.

  When the authentication control unit 204 determines that the user of the account ID does not satisfy at least either the connection source address or the connection time (S607; No, or S608; No), the authentication control unit 204 associates the fact with the account ID. An instruction to authenticate the user with the authentication method defined in the above is transmitted to the user PC 100, and the application unit 101 of the user PC 100 redirects to each authentication unit according to the instruction (S609). For example, when the authentication method corresponding to the account ID is “password authentication” or “device authentication”, the application unit 101 first calls the password authentication unit 2041 that executes “password authentication”, and the authentication by the password authentication unit 2041 is performed. Execute the process. The same applies to the case where the authentication by the terminal authentication unit 2042, the authentication by the mobile terminal authentication unit 2043, and the authentication by the device authentication unit 2044 are performed.

  Upon receiving the execution instruction from the authentication control unit 204 of the authentication server 200, each authentication unit executes authentication using each authentication method (S610). The authentication process by each authentication unit is realized by, for example, a CGI (Common Gateway Interface) program. Each authentication method will be described later using a flowchart.

  In S610, when the authentication is performed by each authentication unit and the authentication result is written in the session data, each authentication unit transmits to the user PC 100 that the authentication result has been obtained, and the application unit 101 of the user PC 100 Is redirected to the authentication control unit 204 (S611).

  Then, the authentication control unit 204 starts a session check (S612), and determines whether or not the authentication result of each authentication unit is authentication OK (permission) (S613). For example, when the authentication method is “password authentication”, the authentication control unit 204 sets the authentication OK (○) in an item indicating the authentication processing result by the password authentication unit 2041 in the session data as shown in FIG. Check that the mark is written.

  When the authentication control unit 204 determines that the authentication result of each authentication unit is not authentication OK (non-permission) (S613; No), the authentication control unit 204 transmits the fact to the user PC 100, and the application unit 101 of the user PC 100 The authentication error screen shown in FIG. 9 is displayed on the input display unit 112 (S614).

  On the other hand, when the authentication control unit 204 determines that the authentication result of each authentication unit is authentication OK (S613; Yes), the authentication control unit 204 further determines whether there is an unexecuted authentication method added to the session data ( S615). If it is determined that there is an unexecuted authentication method (S615; Yes), the authentication control unit 204 returns to S607, and repeats the subsequent processing for another authentication method.

  If the authentication control unit 204 determines that there is no unexecuted authentication method (S615; No), that is, as shown in FIG. 8D, an item indicating all authentication processing results of each authentication unit in the session data If it is confirmed that the authentication OK has been written in, an SSO (single sign-on) process is executed (S616). In this example, SSO is exemplified, but reverse proxy processing of HTTP (Hypertext Transfer Protocol) may be executed.

  The authentication control unit 204 transmits an instruction to redirect to the single sign-on destination to the user PC 100 (S617), and the application unit 101 of the user PC 100 transmits an authorization request to the site of the content server 300 according to the instruction. Then, the content server 300 executes a login process to the site according to the authorization request (S618). The content server 300 transmits the site screen after performing the login process to the user PC 100, and the application unit 101 of the user PC 100 displays the site screen on the display unit 102 (S619). When the process of S619 is completed, all the processes illustrated in FIG. 6 are completed, and only the user of the account that has been approved for use and that has been authenticated by all the authentication methods determined according to the user is included in the content of the content server 300. You will be able to access it. Next, authentication by each authentication method will be described.

[Authentication by each authentication method]
(Password authentication)
The password authentication unit 2041 authenticates a user using a predetermined password. When receiving an instruction from the authentication control unit 204 in S610 of FIG. 6, the password authentication unit 2041 refers to the initial registration DB 2013 using the account ID as a key, and the password input by the password authentication unit 2041 upon requesting input is: It is determined whether or not the password is registered in the initial registration DB 2013. When requesting the input of a password, the password authentication unit 2041 outputs a password input screen as shown in FIG. 13A, and the application unit 101 of the user PC 100 displays the password input screen on the input display unit 102.

  If the password authentication unit 2041 determines that the input password is a password registered in the initial registration DB 2013, it writes the authentication result in the corresponding item of the session data as authentication OK (FIG. 8C, FIG. 8 (d)). If the password authentication unit 2041 determines that the input password is not the password registered in the initial registration DB 2013, it writes the authentication result to the corresponding item of the session data as authentication NG (non-permission). .

  As described above, in the “password authentication”, authentication is performed only by inputting a predetermined password, so that a user who is permitted to access the authentication system can be authenticated by the simplest method, It is possible to reduce the operation burden for authentication for the user.

(Terminal authentication)
FIG. 10 is a sequence diagram illustrating a processing procedure of the terminal authentication processing. In the following, terminal authentication information (tally on the server side and client side in this example) used for terminal authentication is registered in the initial registration DB 2013 in advance, and the tally on the client side is also registered in the user PC 100. And

  As shown in FIG. 10, upon receiving an instruction from the authentication control unit 204 in S610 of FIG. 6, the terminal authentication unit 2042 refers to the initial registration DB 2013 using the account ID as a key, and obtains terminal authentication information corresponding to the account ID. In step S1001, the server reads the tally on the server (for example, α1 in FIG. 5) and requests the tally on the PC.

  The application unit 101 of the user PC 100 reads a tally (eg, α2 in FIG. 5) on the client side registered in the memory in advance, and transmits the tally to the authentication server 200 (S1002).

The terminal authentication unit 2042 of the authentication server 200 matches the client-side tally received from the user PC 100 with the server-side tally, and determines whether or not both match (S1003). When the terminal authentication unit 2042 determines that both match, the authentication is OK and the authentication result is written in the corresponding item of the session data (FIGS. 8C and 8D). On the other hand, if the terminal authentication unit 2042 determines that the two do not match, the authentication result is written as an authentication NG in the corresponding item of the session data (S1004).
FIG. 10 illustrates terminal authentication using a tally, but terminal authentication using the MAC address of the user PC 100 or a client certificate may be performed. Also, the tally does not necessarily have to be used.

  As described above, in the terminal authentication, in general, one account is assigned to a plurality of users in order to authenticate a terminal whose use environment is determined, and even if the PC is shared, the account is authenticated. Can be.

(Mobile terminal authentication)
FIG. 11 is a sequence diagram illustrating a processing procedure of the mobile terminal authentication processing. As shown in FIG. 11, upon receiving an instruction from the authentication control unit 204 in S610 of FIG. 6, the portable terminal authentication unit 2043 refers to the initial registration DB 2013 using the account ID as a key, and refers to the portable terminal corresponding to the account ID. The authentication information (for example, passcode) is read (S1101), and a push notification for requesting authentication is issued to the portable terminal 110 (S1102). Upon performing the push notification, the authentication control unit 204 transmits an authentication screen for performing authentication based on the mobile terminal authentication information to the mobile terminal 110, and the mobile terminal authentication unit 111 of the mobile terminal 100 causes the input display An authentication screen is displayed on the unit 112 (S1103). On the other hand, the authentication control unit 204 transmits to the user PC 100 a mobile terminal authentication notification screen indicating that authentication is being performed by the mobile terminal, and the application unit 101 of the user PC 100 A terminal authentication notification screen is displayed (S1104).

  FIG. 13B is a diagram illustrating an example of a screen displayed on the mobile terminal. 13B shows an example of the authentication screen in S1103, and the left part of FIG. 13B shows an example of the portable terminal authentication notification screen in S1104.

  As shown on the right side of FIG. 13B, the authentication screen displays an authentication button for executing authentication based on mobile terminal authentication information and a close button for terminating the process without executing authentication. When the user presses the authentication button, the mobile terminal authentication unit 111 displays a screen for performing authentication based on the mobile terminal authentication information (for example, a passcode input screen), and transmits the input information to the authentication server 200. As described above, the authentication screen is displayed on the portable terminal 110 by the push notification, so that the user can be immediately authenticated.

  Further, as shown on the left side of FIG. 13 (b), the mobile terminal authentication notification screen displays that a push notification has been made to the mobile terminal 100 to authenticate with the mobile terminal 110 and that a confirmation is urged. I have. As described above, the mobile terminal authentication notification screen is displayed on the user's PC 100, so that the user can grasp an operation necessary for performing authentication by the mobile terminal 110.

  Thereafter, when the mobile terminal authentication unit 111 transmits the mobile terminal authentication information input from the input display unit 112 to the authentication server 200, the mobile terminal authentication unit 2043 of the authentication server 200 transmits the mobile terminal authentication information registered in the initial registration DB 2013. The terminal authentication information is compared with the input mobile terminal authentication information, and it is determined whether or not both match (S1105, S1106). If it is determined that the two match, the mobile terminal authentication unit 2043 writes the authentication result in the corresponding item of the session data as authentication OK (S1106; Yes, S1108, FIGS. 8C and 8D). On the other hand, if the terminal authentication unit 2042 determines that the two do not match (S1106; No, authentication NG), the authentication result to that effect is written in the corresponding item of the session data, and the same as the authentication error screen shown in FIG. Is transmitted to the portable terminal 110, and the portable terminal authentication unit 111 of the portable terminal 110 displays the authentication error screen on the input display unit 112 (S1107).

  The mobile terminal authentication unit 2043 reads the authentication result written in the session data, and determines whether the authentication result is authentication OK (S1109, S1110). When determining that the authentication result is authentication OK (S1110; Yes), the mobile terminal authentication unit 2043 further determines whether the valid time has not elapsed (S1111). The valid time is, for example, a time from when the push notification is made in S1102 to when the authentication is determined to be OK in S1110, and is a time when the authentication operation from the portable terminal 110 times out (for example, 4 minutes). If the authentication result is not authentication OK, that is, if the authentication result is authentication NG (S1110: No), the portable terminal authentication unit 2043 proceeds to S1112 and determines the authentication result.

  When determining that the valid time has not elapsed (S1111; Yes), the portable terminal authentication unit 2043 determines the authentication result written in S1107 and S1108 (S1112). On the other hand, when it is determined that the valid time has not elapsed, that is, the valid time has passed (S1111; No), the portable terminal authentication unit 2043 returns to S1104 and continues the subsequent processing. In this case, even if the authentication OK is written in the session data as the authentication result in S1108, the portable terminal authentication unit 2043 determines that the valid time has elapsed, and in S1112, rewrites to the authentication NG to determine the authentication result. Let it.

  Although the push notification is transmitted in step S1102 in this example, the mobile terminal 110 may perform the pull notification instead of the push notification.

  As described above, in the mobile terminal authentication, the user of the mobile terminal authenticates the user using the personal information registered by himself / herself. Therefore, the user himself / herself can be easily authenticated with little risk without registering the personal information in the authentication server 200. be able to. In addition, since authentication is performed using a portable terminal that the user is accustomed to, the operation for authentication can be performed without a sense of incongruity.

(Device authentication)
FIG. 12 is a sequence diagram illustrating the procedure of the device authentication process. As shown in FIG. 12, upon receiving an instruction from the authentication control unit 204 in S610 of FIG. 6, the device authentication unit 2044 refers to the initial registration DB 2013 using the account ID as a key, and refers to the device authentication information corresponding to the account ID. (E.g., a USB serial number), transmits the read device authentication information to the device PC 120 (S1201), transmits a device authentication notification screen prompting device authentication to the device PC 120, and sends the device PC 120 The device authentication unit 121 displays a device authentication notification screen on the input display unit 122 via the browser (S1202).

  In S1202, when the device authentication unit 121 detects that a device has been inserted into the device I / F unit 124, a device authentication execution screen for executing device authentication is displayed on the input display unit 122 (S1203).

  FIG. 13C is a diagram illustrating an example of a screen displayed on the device PC. 13C illustrates an example of the device authentication notification screen in S1202, and FIG. 13C illustrates an example of the device authentication execution screen in S1203.

  As shown on the left side of FIG. 13C, the device authentication notification screen displays that a predetermined device 130 is inserted into the device PC 120 to authenticate the device in order to perform device authentication. By displaying the device authentication notification screen on the device PC 120 in this manner, the user can grasp the operation required for device authentication by the device PC 120.

  13C, the device authentication execution screen includes a drive selection field for selecting a drive into which the device 130 is to be inserted, an authentication button for executing authentication using device authentication information, and an authentication button. A cancel button for terminating the process without executing the command is displayed. By displaying the device authentication execution screen on the device PC 120 in this manner, the user can select a drive for device authentication by the device PC 120 and then perform device authentication.

  In step S1203, when the authentication button is pressed by the user, the device authentication unit 121 matches the device authentication information transmitted from the authentication server 200 in step S1201 with the device authentication information inserted in step S1203. It is determined whether or not to perform the authentication, and the authentication result is transmitted to the authentication server 200. In this example, the device authentication unit 121 of the device PC 120 performs device authentication, but the device authentication unit 2044 of the authentication server 200 may execute device authentication.

  Upon receiving the authentication result from the device PC 120, the device authentication unit 2044 of the authentication server 200 writes the authentication result in the corresponding item of the session data (S1204, FIGS. 8C and 8D).

  The device authentication unit 2044 reads the authentication result written in the session data (S1205), and determines whether the authentication result is authentication OK (S1206). When determining that the authentication result is authentication OK (S1206; Yes), the device authentication unit 2044 further determines whether the valid time has not elapsed (S1207). The valid time is the same as that in the case of the mobile terminal authentication shown in FIG. 11, and the description thereof is omitted here. Note that if the device authentication unit 2044 determines that the authentication result is not authentication OK, that is, the authentication is NG (S1206; No), the process proceeds to S1208 to determine the authentication result.

  If the device authentication unit 2044 determines that the valid time has not elapsed (S1207; Yes), the device authentication unit 2044 determines the authentication result written in S1204 (S1208). On the other hand, when it is determined that the valid time has not elapsed, that is, the valid time has passed (S1207; No), the portable terminal authentication unit 2043 returns to S1202 and continues the subsequent processing. In this case, even if authentication OK is written in the session data as the authentication result in S1204, the device authentication unit 2044 determines that the valid time has elapsed, and in S1208, rewrites to authentication NG to determine the authentication result. .

  As described above, in the device authentication, by authenticating the user using an inexpensive device such as a USB, the user can be authenticated by a simple method without adding cost. In addition, since the device is connected to the network as needed via the device PC, information necessary for authentication can be managed independently of the network.

[Alternatives and modifications]
As described above, a preferred embodiment has been described, but the present invention is not limited to this, and may be modified or substituted as appropriate without departing from the scope of the invention.

  For example, in the above embodiment, the user PC 100 and the device PC 120 are separately illustrated in FIG. However, in the modified example, if the user PC 100 is provided with a connector for mounting the authentication device 130, the user PC 100 can be used as the device PC. In this case, a plurality of users possessing the authentication device 130 can share the user PC 100.

  Further, in the above embodiment, in the control with reference to FIG. 6, both step S603 (determination of the temporal condition) and step S604 (determination of the location condition) are performed. In an alternative example, there may be an example in which one of these steps S603 and S604 is performed.

  In the above-described embodiment, the location condition is determined using the IP address that is the connection source address in step S604 with reference to FIG. 6, but the present invention is not limited to this in an alternative example. For example, the authentication control unit 204 can also acquire location information (GPS information) where the connection-source user PC 100 and device PC 120 are installed, and determine the location condition.

  In the above embodiment, the authentication control unit 204 of the authentication server 200 generates a session in response to a request from the terminal, and registers the authentication method and the authentication result in the session. According to another example, in a server including an access control unit 203 that controls an external access request, the access control unit 203 may generate a session. In that case, the authentication control unit 204 of the authentication server 200 can register various information related to authentication for the generated session. As still another example, the access control unit 203 may perform a part of the control operation in FIG. 6, for example, the operations of steps S602 to S604. In this case, the authentication control unit may be considered to have a broad meaning including the operations and functions of S602 to S604 performed by the access control unit.

  In the above embodiment, the authentication server 200 includes the password authentication unit 2041, the terminal authentication unit 2042, the mobile terminal authentication unit 2043, and the device authentication unit 2044. According to an alternative example, one or more of the authentication units 2041 to 2044 may be realized by a server different from the authentication server 200. For example, the terminal authentication unit 2042 and / or other components can be realized on a cloud computer. Even in such a case, the authentication unit realized by another server is controlled under the control of the authentication control unit 204.

  In the above embodiment, the access permission DB 2011, the account authentication DB 2012, and the initial registration DB 2013 are referred to. However, these may be referred to as an access permission management table, an account authentication management table, and an initial registration management table, respectively.

  Further, in the above-described embodiment, the authentication control unit 204 is realized as a function unit of the authentication server 200, but this function unit may be realized as a proxy server.

  Further, in this embodiment, PCs, smartphones, and devices are exemplified as devices used for authentication, but various contents including media playback devices such as a moving image player and a music player are used via a network. The present invention can be similarly applied to apparatuses and devices for performing the above.

  As described above, in the authentication system of the present embodiment, a plurality of sets (authentication sets) each including a combination of one or a plurality of authentication elements are defined with each of a plurality of different authentication methods as an authentication factor. Then, one authentication set is selected in accordance with the user (in one example, the user's account) and executed by the authentication unit corresponding to one or more authentication factors included in the authentication set, and the user or the connection request is requested. Authenticate the terminal. Thus, security measures can be taken in accordance with various environments in which the terminal is used or various requests of the user who have a connection request via the network. In addition, since the authentication server performs the authentication control and the authentication by each authentication method, the cost for the authentication can be reduced as much as possible, and the operation of the authentication can be simplified. Further, as shown in FIG. 4, for a genuine user, the authentication procedure can be simplified as much as possible, and the user's convenience can be improved.

  The authentication system according to the present embodiment authenticates a user and a terminal using a plurality of authentication sets (which may be referred to as authentication patterns) each including a combination of different authentication factors, and thus can be said to be a multi-factor authentication system.

1000 Authentication system 100 User PC
101 application section 102 input display section 103 communication I / F section 104 control section 110 portable terminal 111 portable terminal authentication section 112 input display section 113 communication I / F section 114 control section 120 device PC
121 application unit 122 device authentication unit 123 input display unit 124 communication I / F unit 125 device I / F unit 126 control unit 130 authentication device 200 authentication server 201 storage unit 2011 access permission DB
2012 Account Authentication DB
2013 Initial Registration DB
202 Communication unit 203 Access control unit 204 Authentication control unit 2041 Password authentication unit 2042 Terminal authentication unit 2043 Portable terminal authentication unit 2044 Device authentication unit 205 Control unit 300 Content server N1 Network.

Claims (16)

An authentication system in which an authentication server authenticates a user account in response to a request sent from a terminal used by a user via a network,
A communication unit for receiving a request including the account;
An authentication control unit for controlling authentication,
A storage unit for storing an authentication management table for managing an authentication method corresponding to the account,
An authentication processing unit that executes the authentication method,
The authentication control unit, from the authentication management table, selects the authentication method corresponding to the account that the request has,
The authentication processing unit executes the selected authentication method to authenticate the account,
An authentication system, characterized in that: The authentication control unit assigns a session ID to the request, and selects the authentication method from the authentication management table within a session identified by the session ID.
The authentication system according to claim 1. The authentication server stores, in the storage unit, a time / place management table that defines a time condition and / or a location condition as the access condition of the account,
The authentication control unit,
Referring to the time and place management table using the account associated with the session, to determine whether the account satisfies the access conditions,
If it is determined that the access condition is satisfied, the authentication processing unit executes an authentication method corresponding to the account,
The authentication system according to claim 2. The authentication management table registers a plurality of authentication sets composed of a combination of one or more different authentication methods corresponding to the account,
The authentication processing unit executes one or a plurality of authentication methods included in the set selected from the authentication management table,
The authentication system according to claim 1. The authentication server stores, for each session ID, the account and a session management table for registering information for identifying one or more authentication methods corresponding to the account in the storage unit,
The authentication control unit records the result of authentication by the authentication processing unit in the session management table.
The authentication system according to claim 2. The authentication server stores, for each session ID, the account and a session management table for registering information for identifying one or more authentication methods corresponding to the account in the storage unit,
The authentication control unit, the result of the authentication by the authentication processing unit, with reference to the session management table, to determine whether there is an unexecuted authentication method,
When there is the unexecuted authentication method, the authentication processing unit executes the unexecuted authentication method,
The authentication system according to claim 2. The authentication management table registers a plurality of authentication sets composed of a combination of one or more different authentication methods corresponding to the account,
As a result of determining whether the access condition is satisfied (first authentication),
If the access condition is satisfied, the authentication control unit selects a set including a relatively light authentication method corresponding to the account from the authentication management table,
The authentication processing unit performs authentication based on one or more authentication methods included in the selected set,
The authentication system according to claim 3. The authentication system according to claim 3, wherein as a result of the first authentication, when the access condition is not satisfied, the authentication control unit performs control so as not to perform authentication by the authentication processing unit. The authentication management table registers a plurality of authentication sets composed of a combination of one or more different authentication methods corresponding to the account,
As a result of determining whether or not the access condition is satisfied (first authentication), if the temporal condition is satisfied, but the address for which the access request is made falls within a specific range of the address condition, the authentication control is performed. The unit selects a set including a relatively strong authentication method from the authentication management table according to the account,
The authentication processing unit performs authentication based on one or more authentication methods included in the selected set,
The authentication system according to claim 6. The authentication set registered in the authentication management table is:
Password authentication for authenticating the authenticity of the terminal user;
Terminal authentication for authenticating the authenticity of the terminal,
Mobile terminal authentication for authenticating the authenticity of the user upon receiving input permission from a second terminal other than the terminal;
Device authentication for authenticating using the unique information of the device possessed by the user,
Consisting of one or more combinations of
The authentication system according to claim 7. As a result of determining whether or not the access condition is satisfied (first authentication), if the time condition and the address condition are satisfied, the authentication control unit determines the password from the authentication management table according to the account. Select the pair that includes the certification,
The authentication processing unit performs the password authentication of the selected set,
The authentication system according to claim 10. As a result of the authentication by the first authentication unit, if the time condition is satisfied, but the address for which the access request is made falls within a specific range of the address condition, the authentication control unit Selecting a set including the password authentication, the terminal authentication, and the mobile terminal authentication from the authentication management table,
The authentication processing unit executes the authentication included in the selected set,
The authentication system according to claim 10. An authentication method in an authentication system in which an authentication server authenticates a user account in response to a request sent via a network from a terminal used by a user,
The authentication system comprises:
A communication unit for receiving a request including the account;
An authentication control unit for controlling authentication,
A storage unit for storing an authentication management table for managing an authentication method corresponding to the account,
An authentication processing unit that executes the authentication method,
The authentication control unit, from the authentication management table, selects the authentication method corresponding to the account that the request has,
The authentication processing unit executes the selected authentication method to authenticate the account,
An authentication method characterized in that: The authentication control unit assigns a session ID to the request, and selects the authentication method from the authentication management table within a session identified by the session ID.
The authentication method according to claim 13. The authentication server stores, in the storage unit, a time / place management table that defines a time condition and / or a location condition as the access condition of the account,
The authentication control unit,
Referring to the time and place management table using the account associated with the session, to determine whether the account satisfies the access conditions,
The authentication method according to claim 13, wherein when it is determined that the access condition is satisfied, the authentication processing unit executes an authentication method corresponding to the account. An authentication program for authenticating a user account by executing an authentication server in response to a request sent via a network from a terminal used by a user,
The authentication server,
A communication unit for receiving a request including the account;
An authentication control unit for controlling authentication,
A storage unit for storing an authentication management table for managing an authentication method corresponding to the account,
An authentication processing unit that executes the authentication method,
The authentication program operates the authentication server,
The authentication control unit, from the authentication management table, corresponding to the account having the request, select the authentication method,
The authentication processing unit authenticates the account by executing the selected authentication method,
An authentication program characterized by the following.

Images