JP2021047814A - Re-authentication device, method for re-authentication, and re-authentication program - Google Patents

Abstract

To improve the convenience of an account recovery.SOLUTION: A re-authentication device includes an acquisition unit, a determination unit, and a re-authentication unit. The acquisition unit acquires first detection information detected by predetermined detection means from a first terminal device used by a first user, whose account to receive a predetermined web service has been authenticated. The determination unit is a terminal device used by the first user, and determines whether the first detection information is similar to second detection information when the predetermined detection means has received the second detection information from a second terminal device different from the first terminal device. The re-authentication unit re-authenticates the account of the first user when the first and second detection information have been determined to be similar to each other.SELECTED DRAWING: Figure 1

Description

The present invention relates to a recertification device, a recertification method and a recertification program.

Conventionally, there is known a technology for providing various services to a user who has authenticated an account via the Internet. In such a technology, there is known a technology for recovering an account by using a pair of questions and answers that only the user can know when the user loses information used for account authentication such as a password. .. In addition, a technique for authenticating a user based on an answer to a question about a user's life log is known.

JP-A-2009-93273

However, with the above prior art, there is room for improving the convenience of account recovery.

For example, in the above-mentioned conventional technique, it is necessary to give a correct answer to a question regarding the past life log, so that the account cannot be recovered when the user forgets the past event. Also, if the user forgets the content or answer of the secret question, the account cannot be recovered.

On the other hand, with the progress of information processing technology in recent years, a technology of FIDO (Fast IDentity Online) that authenticates the user himself / herself without asking the user to input an account name or password has been proposed. In such FIDO technology, if the user is requested to input various information in order to realize account recovery, the improvement of usability may be impaired.

The present application has been made in view of the above, and an object of the present application is to improve the convenience of account recovery.

The re-authentication device according to the present application is an acquisition unit that acquires first detection information detected by a predetermined detection means from a first terminal device used by a first user whose account for receiving a predetermined web service has been authenticated. When the second detection information detected by the predetermined detection means is received from the second terminal device which is the terminal device used by the first user and is different from the first terminal device, the first When the determination unit for determining whether the detection information and the second detection information are similar and the determination unit for determining whether the first detection information and the second detection information are similar, the account of the first user. It has a recertification unit that recertifies.

According to one aspect of the embodiment, the convenience of account recovery can be improved.

FIG. 1 is a diagram showing an example of an account recovery process according to the embodiment. FIG. 2 is a diagram showing a configuration example of the re-authentication device according to the embodiment. FIG. 3 is a diagram showing an example of the authentication database according to the embodiment. FIG. 4 is a flowchart showing an example of the processing procedure of the re-authentication device according to the embodiment. FIG. 5 is a diagram showing an example of the hardware configuration of the computer that executes the program.

Hereinafter, the re-authentication device, the re-authentication method, and the mode for implementing the re-certification program according to the present application (hereinafter, referred to as “the embodiment”) will be described in detail with reference to the drawings. It should be noted that these embodiments do not limit the re-authentication device, the re-authentication method, and the re-authentication program according to the present application. Further, in the following embodiments, the same parts are designated by the same reference numerals, and duplicate description is omitted.

(Embodiment)
[1. Account recovery process]
First, an example of account recovery processing realized by the re-authentication program according to the embodiment will be described with reference to FIG. FIG. 1 is a diagram showing an example of an account recovery process according to the embodiment. FIG. 1 describes a recovery process (an example of an account procedure) in which when a user loses a terminal device, a new terminal device requests an account recovery approval request.

The state in which the account expires is a state in which the corresponding account cannot be used temporarily, for example, when the password is entered incorrectly more than a specified number of times when logging in to the service.

The first terminal device 10 and the second terminal device 20 shown in FIG. 1 are smart devices such as smartphones and tablet terminals, and are information processing devices used by the user U. In the present embodiment, the first terminal device 10 is a terminal device used by the user U. Further, the second terminal device 20 is a terminal device that the user U newly purchases (acquires) and starts using after losing the first terminal device 10.

Further, the third terminal device 30 and the fourth terminal device 40 shown in FIG. 1 include, for example, a desktop / notebook PC (Personal Computer), a mobile phone (feature phone), a stationary / portable game machine, and an AV (audio visual). It is a device, an information home appliance, or other electronic device (gadget) that can receive information via the Internet, and is an information processing device that can be used by the user U as needed. In the present embodiment, the third terminal device 30 is a wearable terminal that can be worn by the user U. Further, the fourth terminal device 40 is a notebook PC that can be used by the user.

Further, the re-authentication device 100 shown in FIG. 1 is a server device accessible from the first terminal device 10, the second terminal device 20, the third terminal device 30, and the fourth terminal device 40, and the first terminal device 10, The user U of the second terminal device 20, the third terminal device 30, and the fourth terminal device 40 is provided with a predetermined web service that requires login with an account. In an embodiment, the re-authentication device 100 provides at least the first service as the web service. Further, the re-authentication device 100 manages the account of the user U, and performs the account recovery process in response to the recovery request requesting the recovery of the account.

As shown in FIG. 1, the first terminal device 10 requests the re-authentication device 100 according to the embodiment to perform FIDO (Fast IDentity Online) authentication, and the re-authentication device 100 requests the first terminal device 10 to perform FIDO (Fast IDentity Online) authentication. Then, FIDO authentication is performed (step S1).

For example, the re-authentication device 100 performs FIDO authentication to the first terminal device 10 when the first terminal device 10 requests a login to a predetermined web service provided by the first terminal device 10. In FIDO authentication, the first terminal device 10 releases the "private key" stored in itself by biometric authentication, and as a result of biometric authentication, signs the authentication result that can be identified as the user U himself / herself with the private key. And send it to the re-authentication device 100. The re-authentication device 100 uses the "public key" stored in itself to identify the signed authentication result sent from the first terminal device 10 and authenticate the user U.

After the FIDO authentication is successful, the first terminal device 10 requests the re-authentication device 100 to perform a recovery backup (step S2). The re-authentication device 100 requests context information from the first terminal device 10 in response to a recovery backup request (step S3). The first terminal device 10 acquires context information from the third terminal device 30 in response to a request for context information (step S4). Similarly, the first terminal device 10 acquires context information from the fourth terminal device 40 (step S5).

The context information is, for example, identification information for identifying another terminal device different from the first terminal device 10 used by the user U. That is, the context information is preferably information unique to each terminal device. In the present embodiment, the third terminal device 30 and the fourth terminal device 40 are used as other terminal devices different from the first terminal device 10.

For example, the first terminal device 10 includes an acceleration sensor, a gyro sensor, a voice sensor, and an illuminance sensor of the third terminal device 30 and the fourth terminal device 40 (hereinafter, may be collectively referred to as “other terminal devices”). Etc., various sensor information may be acquired as context information. Further, the first terminal device 10 may acquire, for example, information indicating the user's context estimated based on various sensor information as context information. For example, the first terminal device 10 determines where the user is, whether he / she is walking, whether he / she is running, whether he / she is driving a vehicle, or whether he / she is moving by public transportation. Information indicating the state of various arbitrary users, such as whether or not the terminal device is operated, whether or not the book is being browsed, and whether or not the food or drink is purchased, may be used as context information. The state of such a user may be a person estimated by another terminal device based on sensor information, and is estimated from information of various sensors acquired by the first terminal device 10 from other terminal devices. It may be the person who did it.

For example, the first terminal device 10 uses the context information detected by the detection means of each of the third terminal device 30 and the fourth terminal device 40 as date and time information indicating the date and time when the context information was detected / position information indicating the position. Get with. The date / time information / location information may be included in the context information. The detection means is various sensors or the like.

The first terminal device 10 provides the re-authentication device 100 with context information acquired from each of the third terminal device 30 and the fourth terminal device 40 (step S6). For example, the first terminal device 10 provides the re-authentication device 100 with context information together with the above date / time information / location information.

The re-authentication device 100 generates a token that identifies the context information (step S7). Further, the re-authentication device 100 stores the token and the context information in association with each other (step S8). The token indicates the identification information for identifying the context information. For example, the token may use the above date / time information / location information. As the token, any information can be adopted as long as the context information can be identified. For example, the token is a hash value obtained by converting the context information and the date and time information or the position information by a predetermined hash function. May be good.

The re-authentication device 100 provides a token to the first terminal device 10 (step S9).

The first terminal device 10 registers the token provided by the re-authentication device 100 in another terminal device (step S10). The other terminal device may be either the third terminal device 30 or the fourth terminal device 40. In the present embodiment, the first terminal device 10 registers the token in the fourth terminal device 40.

After that, it is assumed that the user U loses the first terminal device 10 (step S11) and newly purchases the second terminal device 20 (step S12). That is, the first terminal device 10 leaves the hand of the user U, and the second terminal device 20 is activated to start the use by the user U.

The second terminal device 20 makes an account recovery request to the re-authentication device 100 (step S13).

The re-authentication device 100 requests context information from the second terminal device 20 in response to the account recovery request (step S14).

The second terminal device 20 acquires the token and context information from the terminal device in which the first terminal device 10 has registered the token (step S15). In the present embodiment, the second terminal device 20 acquires the token and the context information from the fourth terminal device 40.

Further, the second terminal device 20 acquires context information from the third terminal device 30 (step S16).

The second terminal device 20 provides the token and context information to the re-authentication device 100 (step S17). In the present embodiment, the second terminal device 20 provides the re-authentication device 100 with the token and context information acquired from the fourth terminal device 40 and the context information acquired from the third terminal device 30.

The re-authentication device 100 determines whether the context information stored in association with the token and the context information provided by the second terminal device 20 are similar (step S18).

When the re-authentication device 100 determines that the context information stored in association with the token and the context information provided by the second terminal device 20 are similar, the re-authentication device 100 performs FIDO authentication on the second terminal device 20 ( Step S19).

[2. Configuration of re-authentication device]
Next, the configuration of the re-authentication device 100 according to the embodiment will be described with reference to FIG. FIG. 2 is a diagram showing a configuration example of the re-authentication device 100 according to the embodiment. As shown in FIG. 2, the re-authentication device 100 includes a communication unit 110, a storage unit 120, and a control unit 130. The re-authentication device 100 includes an input unit (for example, a keyboard, a mouse, etc.) that receives various operations from an administrator or the like that manages the re-authentication device 100, and a display unit (for example, a liquid crystal display) for displaying various information. ) Etc. may have a console. Further, the re-authentication device 100 may accept various operations from the terminal device used by the administrator via the network N.

(About communication unit 110)
The communication unit 110 is realized by, for example, a NIC (Network Interface Card) or the like. The communication unit 110 is connected to the network N by wire or wirelessly, and information is transmitted between the first terminal device 10, the second terminal device 20, the third terminal device 30, and the fourth terminal device 40 via the network N. Send and receive.

(About storage unit 120)
The storage unit 120 is realized by, for example, a semiconductor memory element such as a RAM (Random Access Memory) or a flash memory (Flash Memory), or a storage device such as a hard disk or an optical disk. The storage unit 120 has an authentication database 121.

(About authentication database 121)
The authentication database 121 stores information about the first service. Here, FIG. 3 shows an example of the authentication database 121 according to the embodiment. FIG. 3 is a diagram showing an example of the authentication database 121 according to the embodiment. In the example shown in FIG. 3, the authentication database 121 has an "account ID", a "registered device ID", a "registered user", a "user ID", "context information", a "token", and a "first service action history". It has items such as. In addition, the first service action history has sub-items such as "usage log ID", "action history", "action date and time", and "location information".

The "account ID" indicates identification information for identifying an account in the first service. The "registered device ID" indicates identification information for identifying a device registered as a device used in the first service. "Registered user" indicates a user who holds an account. In the embodiment, the identification information such as the account ID shall match the reference code used in the description. For example, a device having a registered device ID of "20" indicates a first terminal device 10.

The "user ID" is identification information used to identify a user who uses an account. For example, the user ID is composed of an arbitrary character string selected by the user when the user creates an account in the first service. As the user ID, for example, an e-mail address registered in the first terminal device 10 which is a registration device may be used.

"Context information" indicates identification information for identifying another device different from the registered device. For example, the context information indicates identification information for identifying a third terminal device 30 or a fourth terminal device 40 other than the first terminal device 10 when the registered device ID is the first terminal device 10. That is, the context information is preferably information unique to each of the third terminal device 30 and the fourth terminal device 40. The context information may be the biometric information (fingerprint, hand vein, iris, etc.) of the user U detected by the third terminal device 30 and the fourth terminal device 40, respectively. Further, the context information may be position information of each terminal device, device information or configuration information, wireless LAN (Local Area Network) authentication information, SSID (Service Set Identifier), or the like.

The "token" indicates the identification information for identifying the context information. Token is synonymous with context ID. The token may be date / time information indicating the date / time when the context information is detected, position information indicating the position where the context information is detected, or the like.

The "first service action history" indicates the action history of the first service. The "usage log ID" indicates identification information for identifying the log when the user logs in to use the first service. In the example shown in FIG. 3, the usage log ID is assigned for each session from when the user logs in to the first service to when he / she logs out.

The "behavior history" indicates the user's behavior history. Although not shown in FIG. 3, in the action history item, for example, the action of the user clicking an article on the portal site, the action of purchasing a product, or a query is input to perform a search. Specific actions such as actions may be memorized.

The "action date and time" indicates a date and time corresponding to the user's action history. In the example shown in FIG. 3, it is shown that the action date and time is stored every 10 minutes, but the action date and time may be stored in a finer unit (1 minute, 1 second, etc.). The "location information" indicates the location information corresponding to the action history. For example, the re-authentication device 100 continuously acquires the position information detected by the first terminal device 10 (smartphone) at the time when the user logs in to the first service or while the login is continued, and the action history. Is stored in the authentication database 121 in association with. Note that FIG. 3 shows an example in which conceptual information such as "G011" is stored in the position information item, but in reality, the position information item contains specific numerical values such as longitude and latitude. And information that can estimate the position information (for example, the IP address of the first terminal device 10) and the like are stored.

That is, in the example of FIG. 3, the first terminal device 10 which is the device identified by the registered device ID "20" is registered in the account A01 identified by the account ID "A01", and the registered user is " It shows that it is "U01". Further, the user ID corresponding to the account A01 is "XXXXX", the context information is "YYYY", and the token is "A02". In addition, the log identified by the usage log IDs "B01" and "B02" is accumulated in the account A01. For example, in the usage log B01, "login" is set as the action history on "March 1, 2017". It is performed at "12:00", and indicates that the position information of the first terminal device 10 at that time is "G011".

(About control unit 130)
The control unit 130 is, for example, a controller, and various programs (related to the embodiment) stored in a storage device inside the re-authentication device 100 by a CPU (Central Processing Unit), an MPU (Micro Processing Unit), or the like. It is realized by executing the RAM as a work area (corresponding to an example of a re-authentication program). Further, the control unit 130 is a controller, and is realized by, for example, an integrated circuit such as an ASIC (Application Specific Integrated Circuit) or an FPGA (Field Programmable Gate Array).

As shown in FIG. 2, the control unit 130 includes a registration unit 131, a transmission unit 132, an acquisition unit 133, a determination unit 134, and a re-authentication unit 135, and has an information processing function described below. Realize or execute the action. The internal configuration of the control unit 130 is not limited to the configuration shown in FIG. 2, and may be another configuration as long as it is a configuration for performing information processing described later. Further, the connection relationship of each processing unit included in the control unit 130 is not limited to the connection relationship shown in FIG. 2, and may be another connection relationship.

The registration unit 131 associates the first detection information (context information) and the identification information (token) for identifying the first detection information from the first terminal device 10 with a predetermined storage device (authentication database of the storage unit 120). Register in 121).

When the transmission unit 132 receives the registration request of the first detection information (context information) from the first terminal device 10, the transmission unit 132 transmits the identification information (token) to the first terminal device 10. In addition, the transmission unit 132 transmits identification information that can be transmitted to other terminal devices (third terminal device 30 and fourth terminal device 40) capable of communicating with the first terminal device 10.

The acquisition unit 133 acquires the first detection information detected by the predetermined detection means from the first terminal device 10 used by the first user U whose account for receiving the predetermined web service is authenticated. For example, the acquisition unit 133 acquires the first detection information detected by the detection means included in the first terminal device 10. The acquisition unit 133 may acquire a plurality of first detection information.

Further, the acquisition unit 133 may acquire the first detection information detected by the detection means included in the third terminal device 30 capable of communicating with the first terminal device 10. The third terminal device 30 may be read as the fourth terminal device 40. At this time, the acquisition unit 133 acquires the biological information of the user U detected by the detection means of the third terminal device 30 that the user U can wear as the first detection information. Further, the acquisition unit 133 acquires the information detected by the detection means of the third terminal device 30 capable of communicating with the first terminal device 10, and the first detection information regarding the device capable of communicating with the third terminal device 30. To do.

Further, the acquisition unit 133 acquires the first detection information and the identification information for identifying the first detection information. In addition, the acquisition unit 133 acquires the first detection information and the first date and time information indicating the date and time when the first detection information was detected.

From another point of view, the acquisition unit 133 is in a web service that authenticates the account of the user U by using the information detected by the detection device that detects the information about the user U without using the information input by the user U. The first detection information is acquired from the first terminal device 10 used by the first user U who is the target of account re-authentication.

When the determination unit 134 is a terminal device used by the first user U and receives the second detection information detected by a predetermined detection means from the second terminal device 20 different from the first terminal device 10. , It is determined whether or not the first detection information and the second detection information are similar. For example, when the determination unit 134 receives the second detection information and the identification information detected by the predetermined detection means from the second terminal device 20, the determination unit 134 is associated with the identification information and registered in the predetermined storage device. It is determined whether or not the first detection information and the second detection information are similar. The predetermined detection means may be the detection means included in the second terminal device 20. That is, when the determination unit 134 receives the second detection information detected by the detection means included in the second terminal device 20, it determines whether or not the first detection information and the second detection information are similar.

When the determination unit 134 receives the second detection information detected by the detection means of the third terminal device 30 capable of communicating with the second terminal device 20, is the first detection information similar to the second detection information? Judge whether or not. The second detection information may be, for example, biometric information of the user U, or device information related to a device capable of communicating with the third terminal device 30.

When the determination unit 134 receives the plurality of second detection information, the determination unit 134 determines whether or not the plurality of first detection information and the plurality of second detection information are similar. When the number of second detection information similar to the plurality of first detection information exceeds a predetermined threshold value among the plurality of second detection information, the determination unit 134 includes the plurality of first detection information and the plurality of first detection information. 2 Judge that the detection information is similar.

Further, when the determination unit 134 receives the second detection information and the second date and time information indicating the date and time when the second detection information is detected, the first detection information and the second detection information are similar and , It is determined whether or not the first date and time information and the second date and time information are similar.

When the re-authentication unit 135 determines that the first detection information and the second detection information are similar, the re-authentication unit 135 re-authenticates the account of the first user U. For example, when the re-authentication unit 135 determines that the first detection information and the second detection information are similar and the first date and time information and the second date and time information are similar, the account of the first user U To reauthenticate.

[3. Processing procedure]
Next, the procedure of the process relating to the re-authentication device 100 according to the embodiment will be described with reference to FIG. FIG. 4 is a flowchart showing an example of the processing procedure of the re-authentication device 100 according to the embodiment.

As shown in FIG. 4, the re-authentication device 100 determines whether or not the recovery backup request has been accepted (step S101). If the re-authentication device 100 has not determined that the recovery backup request has been accepted (No in step S101), the re-authentication device 100 continues the current process until the recovery backup request is accepted (returns to step S101).

When the re-authentication device 100 determines that the recovery backup request has been accepted (Yes in step S101), the re-authentication device 100 requests context information from the requesting terminal device (step S102). In the present embodiment, when the control unit 130 receives the recovery backup request from the first terminal device 10 via the communication unit 110, the acquisition unit 133 requests the context information from the first terminal device 10.

The re-authentication device 100 determines whether or not the context information has been accepted (step S103). If the re-authentication device 100 has not determined that the context information has been received (No in step S103), the re-authentication device 100 continues the current process until the context information is received (returns to step S103).

When the re-authentication device 100 determines that the context information has been accepted (Yes in step S101), the re-authentication device 100 issues a token to the requesting terminal device (step S104). In the present embodiment, when the acquisition unit 133 receives the context information from the first terminal device 10, the control unit 130 issues a token to the first terminal device 10.

The re-authentication device 100 registers the token and the context information in association with each other (step S105). In the present embodiment, the registration unit 131 registers the context information and the token in the authentication database 121 of the storage unit 120 in association with each other.

The re-authentication device 100 transmits the token to the requesting terminal device (step S106). In the present embodiment, the transmission unit 132 transmits a token to the first terminal device 10. The first terminal device 10 registers the token provided by the re-authentication device 100 in the fourth terminal device 40.

The re-authentication device 100 determines whether or not the account recovery request has been accepted (step S107). For example, when the user U loses the first terminal device 10, the user U newly purchases the second terminal device 20. After that, the user U makes an account recovery request to the re-authentication device 100 using the second terminal device 20. If the re-authentication device 100 has not determined that the account recovery request has been accepted (No in step S107), the re-authentication device 100 continues the processing up to now until the account recovery request is accepted (returns to step S101).

When the re-authentication device 100 determines that the account recovery request has been accepted (Yes in step S107), the re-authentication device 100 requests context information from the requesting terminal device (step S108). In the present embodiment, when the control unit 130 receives the account recovery request from the second terminal device 20 via the communication unit 110, the acquisition unit 133 requests the second terminal device 20 for context information.

The re-authentication device 100 determines whether or not the context information and the token have been accepted (step S109). If the re-authentication device 100 has not determined that the context information and the token have been accepted (No in step S109), the re-authentication device 100 continues the current process until the context information is accepted (returns to step S109).

When the re-authentication device 100 determines that the context information and the token have been accepted (Yes in step S109), the re-authentication device 100 determines whether or not the context information associated with the token and the received context information are similar. (Step S110). The similarity is, for example, a partial match, but may be an exact match. In the present embodiment, the second terminal device 20 acquires the context information from the third terminal device 30, and acquires the context information and the token from the fourth terminal device 40. After that, the second terminal device 20 provides the re-authentication device 100 with the token and context information acquired from the fourth terminal device 40 and the context information acquired from the third terminal device 30. When the acquisition unit 133 receives the context information and the token from the second terminal device 20, the determination unit 134 stores the context information stored in association with the token in the authentication database 121 of the storage unit 120 and the context information stored from the second terminal device 20. Determine if the context information provided is similar.

When the re-authentication device 100 determines that the context information associated with the token and the received context information are similar (Yes in step S110), the re-authentication device 100 re-authenticates the user U. In the present embodiment, when the determination unit 134 determines that the context information associated with the token and the received context information are similar, the re-authentication unit 135 re-authenticates the user U. As a result, the re-authentication device 100 approves the new second terminal device 20 of the user U as an account-authenticated terminal.

On the contrary, when the re-authentication device 100 does not determine that the context information associated with the token and the received context information are similar (No in step S110), the re-authentication device 100 does not re-authenticate the user U. , Ends a series of processing.

[4. Hardware configuration]
The first terminal device 10, the second terminal device 20, the third terminal device 30, the fourth terminal device 40, and the re-authentication device 100 in the above-described embodiment are programmed by a computer 200 having a configuration as shown in FIG. 5, for example. It is realized by executing.

FIG. 5 is a diagram showing an example of the hardware configuration of the computer that executes the program. The computer 200 includes a CPU (Central Processing Unit) 201, a RAM 202 (Random Access Memory), a ROM (Read Only Memory) 203, an HDD (Hard Disk Drive) 204, a communication interface (I / F) 205, and an input / output interface (I / F). It includes F) 206 and a media interface (I / F) 207.

The CPU 201 operates based on the program stored in the ROM 203 or the HDD 204, and controls each part. The ROM 203 stores a boot program executed by the CPU 201 when the computer 200 is started, a program that depends on the hardware of the computer 200, and the like.

HDD 204 stores data and the like used by a program executed by CPU 201. The communication interface 205 corresponds to the communication unit 110, receives data from another device via the network N and sends it to the CPU 201, and transmits the data generated by the CPU 201 to the other device via the network N.

The CPU 201 controls an output device such as a display or a printer, and an input device such as a keyboard or a mouse via the input / output interface 206. The CPU 201 acquires data from the input device via the input / output interface 206. Further, the CPU 201 outputs the generated data to the output device via the input / output interface 206.

The media interface 207 reads the program or data stored in the recording medium 208 and provides it to the CPU 201 via the RAM 202. The CPU 201 loads the program from the recording medium 208 onto the RAM 202 via the media interface 207, and executes the loaded program. The recording medium 208 is, for example, an optical recording medium such as a DVD (Digital Versatile Disc) or PD (Phase change rewritable Disk), a magneto-optical recording medium such as an MO (Magneto-Optical disk), a tape medium, a magnetic recording medium, or a semiconductor memory. And so on.

When the computer 200 functions as the re-authentication device 100, the CPU 201 of the computer 200 executes the program loaded on the RAM 202 to execute the registration unit 131, the transmission unit 132, the acquisition unit 133, and the determination unit 134 shown in FIG. And each function of the re-authentication unit 135 is realized. The registration unit 131, the transmission unit 132, the acquisition unit 133, the determination unit 134, and the re-authentication unit 135 are all or part of hardware such as an ASIC (Application Specific Integrated Circuit) or an FPGA (Field Programmable Gate Array). It may be configured.

Further, when the computer 200 functions as each of the first terminal device 10, the second terminal device 20, the third terminal device 30, and the fourth terminal device 40, the CPU 301 of the computer 200 executes the program loaded on the RAM 302. By doing so, each function of the first terminal device 10, the second terminal device 20, the third terminal device 30, and the fourth terminal device 40 is realized.

The CPU 201 of the computer 200 reads and executes the re-authentication program from the recording medium 208, but as another example, these programs may be acquired from another device via the network N.

The HDD 204 corresponds to the storage unit 120 and stores the same data as the storage unit 120. Further, instead of the HDD 204, a semiconductor memory element such as a RAM (Random Access Memory) or a flash memory, an SSD (Solid State Drive), or a storage device such as an optical disk may be used.

[5. effect〕
As described above, the re-authentication device 100 according to the embodiment includes an acquisition unit 133, a determination unit 134, and a re-authentication unit 135. The acquisition unit 133 acquires the first detection information detected by the predetermined detection means from the first terminal device 10 used by the first user whose account for receiving the predetermined web service is authenticated. When the determination unit 134 is a terminal device used by the first user and receives the second detection information detected by a predetermined detection means from the second terminal device 20 different from the first terminal device 10, the determination unit 134 is used. It is determined whether or not the first detection information and the second detection information are similar. When it is determined that the first detection information and the second detection information are similar, the re-authentication unit 135 re-authenticates the account of the first user. As a result, it is possible to realize a server that performs recovery processing using context information. As a result, the convenience of account recovery can be improved.

The acquisition unit 133 acquires the first detection information detected by the detection means included in the first terminal device 10. When the determination unit 134 receives the second detection information detected by the detection means included in the second terminal device 20, it determines whether or not the first detection information and the second detection information are similar. As a result, recovery processing can be performed using the context information detected by the terminal device.

The acquisition unit 133 acquires the first detection information detected by the detection means of the third terminal device 30 capable of communicating with the first terminal device 10. When the determination unit 134 receives the second detection information detected by the detection means of the third terminal device 30 capable of communicating with the second terminal device 20, is the first detection information similar to the second detection information? Judge whether or not. As a result, recovery processing can be performed using the context information detected by another terminal device capable of communicating with the terminal device.

The acquisition unit 133 acquires the biometric information of the user detected by the detection means of the third terminal device 30 that can be worn by the user as the first detection information. When the determination unit 134 receives the second detection information, which is the biometric information of the user detected by the detection means of the third terminal device 30 capable of communicating with the second terminal device 20, the first detection information and the second detection information It is determined whether or not the detection information is similar. As a result, recovery processing can be performed using the context information detected by the wearable device.

The acquisition unit 133 acquires the information detected by the detection means of the third terminal device 30 capable of communicating with the first terminal device 10, and the first detection information regarding the device capable of communicating with the third terminal device 30. .. The determination unit 134 receives the information detected by the detection means of the third terminal device 30 capable of communicating with the second terminal device 20, and the second detection information regarding the device capable of communicating with the third terminal device 30. In this case, it is determined whether or not the first detection information and the second detection information are similar. As a result, recovery processing can be performed using the context information detected by the device capable of communicating with the wearable device.

Further, the re-authentication device according to the embodiment further has a registration unit 131. The registration unit 131 registers the first detection information and the identification information for identifying the first detection information in a predetermined storage device in association with each other. When the determination unit 134 receives the second detection information and the identification information detected by the predetermined detection means from the second terminal device 20, the determination unit 134 is associated with the identification information and registered in the predetermined storage device. It is determined whether or not the 1st detection information and the 2nd detection information are similar. This enables re-authentication using the token.

Further, the re-authentication device according to the embodiment further includes a transmission unit 132 that transmits identification information to the first terminal device 10 when receiving a registration request for the first detection information from the first terminal device 10. .. This allows the server to issue tokens.

The transmission unit 132 transmits the identification information that can be transmitted to another terminal device that can communicate with the first terminal device 10. This enables re-authentication using a token that can be registered in another terminal device.

The acquisition unit 133 acquires the first detection information and the identification information for identifying the first detection information. As a result, the terminal device can issue the token.

The acquisition unit 133 acquires a plurality of first detection information. When the determination unit 134 receives the plurality of second detection information, the determination unit 134 determines whether or not the plurality of first detection information and the plurality of second detection information are similar. As a result, a plurality of context information can be used.

When the number of second detection information similar to the plurality of first detection information exceeds a predetermined threshold value among the plurality of second detection information, the determination unit 134 includes the plurality of first detection information and the plurality of second detection information. Judge that the information is similar. As a result, it is possible to compare a plurality of detection information and perform re-authentication when a predetermined number are similar.

The acquisition unit 133 acquires the first detection information and the first date and time information indicating the date and time when the first detection information was detected. When the determination unit 134 receives the second detection information and the second date and time information indicating the date and time when the second detection information was detected, the first detection information and the second detection information are similar and the second detection information is similar. It is determined whether or not the first date and time information and the second date and time information are similar. When the re-authentication unit 135 determines that the first detection information and the second detection information are similar and the first date and time information and the second date and time information are similar, the re-authentication unit 135 re-authenticates the account of the first user. To do. As a result, re-authentication that reflects the commonality of the detection information acquisition time zones can be performed.

The acquisition unit 133 is the target of account re-authentication in the web service that authenticates the user's account using the information detected by the detection device that detects the information about the user without using the information input by the user. The first detection information is acquired from the first terminal device 10 used by the first user. As a result, the FIDO authentication can be re-authenticated.

Although some of the embodiments of the present application have been described in detail with reference to the drawings, these are examples, and various modifications are made based on the knowledge of those skilled in the art, including the embodiments described in the disclosure column of the invention. It is possible to practice the present invention in other improved forms.

Further, the above-mentioned "section, module, unit" can be read as "means" or "circuit". For example, the registration unit can be read as a registration means or a registration circuit.

10 1st terminal device 20 2nd terminal device 30 3rd terminal device 40 4th terminal device 100 Re-authentication device 110 Communication unit 120 Storage unit 121 Authentication database 130 Control unit 131 Registration unit 132 Transmission unit 133 Acquisition unit 134 Judgment unit 135 Re-authentication unit Certification department

Claims (15)

An acquisition unit that acquires the first detection information detected by the predetermined detection means from the first terminal device used by the first user whose account for receiving the predetermined web service is authenticated.
When the second detection information detected by the predetermined detection means is received from the second terminal device which is the terminal device used by the first user and is different from the first terminal device, the first detection information A determination unit for determining whether or not the second detection information is similar to the second detection information,
A re-authentication device comprising a re-authentication unit that re-authenticates the account of the first user when it is determined that the first detection information and the second detection information are similar. The acquisition unit acquires the first detection information detected by the detection means included in the first terminal device, and obtains the first detection information.
When the determination unit receives the second detection information detected by the detection means included in the second terminal device, the determination unit determines whether or not the first detection information and the second detection information are similar. The re-authentication device according to claim 1. The acquisition unit acquires the first detection information detected by the detection means of the third terminal device capable of communicating with the first terminal device.
When the determination unit receives the second detection information detected by the detection means of the third terminal device capable of communicating with the second terminal device, the first detection information and the second detection information are similar. The re-authentication device according to claim 1, wherein it is determined whether or not the device is used. The acquisition unit acquires the biometric information of the user detected by the detection means of the third terminal device that can be worn by the user as the first detection information.
When the determination unit receives the second detection information which is the biological information of the user detected by the detection means of the third terminal device capable of communicating with the second terminal device, the first detection information and the said The re-authentication device according to claim 3, further comprising determining whether or not the second detection information is similar. The acquisition unit acquires the information detected by the detection means of the third terminal device capable of communicating with the first terminal device, and acquires the first detection information regarding the device capable of communicating with the third terminal device.
When the determination unit receives the information detected by the detection means of the third terminal device capable of communicating with the second terminal device and receives the second detection information regarding the device capable of communicating with the third terminal device. The re-authentication device according to claim 3, further comprising determining whether or not the first detection information and the second detection information are similar. It has a registration unit that registers the first detection information and the identification information for identifying the first detection information in a predetermined storage device in association with each other.
When the determination unit receives the second detection information and the identification information detected by the predetermined detection means from the second terminal device, the determination unit is associated with the identification information and registered in the predetermined storage device. The re-authentication device according to any one of claims 1 to 5, wherein it is determined whether or not the first detection information and the second detection information are similar. The re-statement according to claim 6, wherein when the registration request of the first detection information is received from the first terminal device, the first terminal device has a transmission unit for transmitting the identification information to the first terminal device. Authentication device. The re-authentication device according to claim 7, wherein the transmission unit transmits identification information that can be transmitted to another terminal device capable of communicating with the first terminal device. The re-authentication device according to claim 6, wherein the acquisition unit acquires the first detection information and the identification information for identifying the first detection information. The acquisition unit acquires a plurality of the first detection information and obtains the plurality of first detection information.
The claim is characterized in that, when the determination unit receives a plurality of the second detection information, it determines whether or not the plurality of the first detection information and the plurality of the second detection information are similar. The re-authentication device according to any one of 1 to 9. When the number of second detection information similar to the first detection information among the plurality of second detection information exceeds a predetermined threshold value, the determination unit includes the plurality of first detection information and the plurality of first detection information. The re-authentication device according to claim 10, wherein it is determined that the second detection information is similar to the second detection information. The acquisition unit acquires the first detection information and the first date and time information indicating the date and time when the first detection information was detected.
When the determination unit receives the second detection information and the second date and time information indicating the date and time when the second detection information is detected, the first detection information and the second detection information are similar. And, it is determined whether or not the first date and time information and the second date and time information are similar.
When the re-authentication unit determines that the first detection information and the second detection information are similar and the first date and time information and the second date and time information are similar, the first user The re-authentication device according to any one of claims 1 to 11, wherein the account of the above is re-authenticated. The acquisition unit is the target of account re-authentication in a web service that authenticates the user's account using the information detected by the detection device that detects the information about the user without using the information input by the user. The re-authentication device according to any one of claims 1 to 12, wherein the first detection information is acquired from the first terminal device used by the first user. This is the re-authentication method performed by the re-authentication device.
The acquisition process of acquiring the first detection information detected by the predetermined detection means from the first terminal device used by the first user whose account for receiving the predetermined web service is authenticated.
When the second detection information detected by the predetermined detection means is received from the second terminal device which is the terminal device used by the first user and is different from the first terminal device, the first detection information A determination step for determining whether or not the second detection information is similar to the second detection information,
A re-authentication method comprising a re-authentication step of re-authenticating the account of the first user when it is determined that the first detection information and the second detection information are similar. An acquisition procedure for acquiring the first detection information detected by the predetermined detection means from the first terminal device used by the first user whose account for receiving the predetermined web service has been authenticated.
When the second detection information detected by the predetermined detection means is received from the second terminal device which is the terminal device used by the first user and is different from the first terminal device, the first detection information And the determination procedure for determining whether or not the second detection information is similar to the second detection information.
A re-authentication program for causing a computer to perform a re-authentication procedure for re-authentication of the first user's account when it is determined that the first detection information and the second detection information are similar.

Images