JP2022030084A - Authentication system, control method for authentication system and authentication device - Google Patents

Abstract

To prevent a third party who obtained a user ID and a password by unauthorized means from logging in, in identity verification of a user in an online service.SOLUTION: An authentication system includes: a terminal device that stores terminal identification information, outputs a login request, acquires authentication information from a server device, performs an operation based on the authentication information, and sends response information to an authentication device; the server device that acquires the login request from the terminal device, outputs an authentication information generation request, acquires the authentication information, outputs the authentication information to the terminal device, acquires an authentication result output by the authentication device, and determines login propriety; and the authentication device that acquires the authentication information generation request from the server device, generates the authentication information, outputs the authentication information, acquires response information, performs an operation based on the authentication information and the terminal identification information, determines whether or not to perform authentication of the terminal device based on an operation result obtained by the operation and an acquired operation result, and outputs the authentication result.SELECTED DRAWING: Figure 1

Description

The present invention relates to an authentication system, a control method of the authentication system, an authentication device, a server device, and a terminal device.

Conventionally, in an online service via the Internet, there has been a technique for verifying the identity (authentication) of a user by inputting a user ID and a password (see, for example, Patent Document 1).

Japanese Unexamined Patent Publication No. 9-204251

According to the technique described above, in order to log in to the network system, the user is required to enter a user ID and password. The network system authenticates the user when the user ID and password entered by the user match the user ID and password registered in advance. When such technology is used, if a third party obtains a user ID and password by theft, fraud, duress, or other fraudulent means, the third party can impersonate the user and log in illegally. It ends up. That is, according to the prior art, there is a problem that if the user ID and password are known to a third party, there is a risk of unauthorized login.

Therefore, an object of the present invention is to provide an authentication technique capable of deterring a third party who has obtained a user ID and password by unauthorized means from logging in in the identity verification of a user in an online service via the Internet. And.

In one aspect of the present invention, the authentication system includes a server device that provides a service to a customer through a telecommunications line, a terminal device that allows the customer to receive a service provided by the server device by logging in to the server device, and a terminal device. The terminal device includes an authentication device that authenticates the user to log in to the server device from the terminal device, and the terminal device has a terminal identification information storage unit that stores terminal identification information that identifies the terminal device and logs in to the server device. A login request output unit that outputs a login request, which is information for performing an authentication, an authentication information acquisition unit that acquires authentication information from the server device, an arithmetic unit that performs an operation based on the acquired authentication information, and the arithmetic unit. The server device includes a response information transmission unit that transmits the calculated calculation result and a response information including the terminal identification information to the authentication device, and the server device is a login request acquisition unit that acquires the login request from the terminal device. An authentication information generation request output unit that outputs an authentication information generation request that is information for generating the authentication information, an authentication information acquisition unit that acquires the authentication information generated by the authentication device, and the acquired authentication information acquisition unit. An authentication information output unit that outputs authentication information to the terminal device, an authentication result acquisition unit that acquires the authentication result output by the authentication device, and a login determination unit that determines whether or not to log in according to the acquired authentication result. The authentication device includes an authentication information generation request acquisition unit that acquires the authentication information generation request from the server device, and an authentication information generation unit that generates the authentication information based on the acquired authentication information generation request. The authentication information output unit that outputs the authentication information, the response information acquisition unit that acquires the response information transmitted from the terminal device, the output authentication information, and the terminal identification included in the acquired response information. It is determined whether or not to authenticate the terminal device based on the authentication calculation unit that performs the calculation based on the information, the calculation result included in the acquired response information, and the calculation result calculated by the authentication calculation unit. It includes a determination unit and an authentication result output unit that outputs the authentication result based on the result determined by the determination unit.

Further, in the authentication system according to one aspect of the present invention, the server device is information different from the first customer identification information for identifying the customer and the first customer identification information for identifying the customer. The terminal further includes a customer information acquisition unit that acquires a correspondence relationship between the first customer identification information and the second customer identification information from a customer information storage device that stores a correspondence relationship with a certain second customer identification information. The login request output unit provided in the device outputs the login request including the first customer identification information, and the customer information acquisition unit provided in the server device outputs the login request including the first customer identification information, and the customer information acquisition unit provided in the server device is the first customer included in the acquired login request. The second customer identification information corresponding to the identification information is acquired, and the authentication information generation request output unit provided in the server device outputs the authentication information generation request including the second customer identification information.

Further, in the authentication system according to one aspect of the present invention, the login request output unit provided in the terminal device outputs the login request including the terminal identification information, and the server device and the authentication device indicate the terminal. The information identifies the terminal device.

Further, in the control method of the authentication system according to one aspect of the present invention, a server device that provides a service to a customer through a telecommunications line and a service provided by the server device by logging in to the server device are provided to the customer. It is a control method of an authentication system including a terminal device to be received and an authentication device for performing authentication for logging in to the server device from the terminal device, wherein the terminal device provides terminal identification information for identifying the terminal device. The terminal identification information storage process to be stored, the login request output process for outputting the login request for the terminal device to log in to the server device, and the authentication information acquisition for the terminal device to acquire the authentication information from the server device. The authentication includes a step, a calculation step in which the terminal device performs an calculation based on the acquired authentication information, a calculation result calculated by the terminal device in the calculation step, and the terminal identification information. The response information transmission step to be transmitted to the device, the login request acquisition step in which the server device acquires the login request from the terminal device, and the authentication information generation which is the information for the server device to generate the authentication information. An authentication information generation request output step for outputting a request, an authentication information acquisition step for the server device to acquire the authentication information generated by the authentication device, and the authentication information acquired by the server device for the terminal device. The authentication information output process to be output to, the authentication result acquisition process in which the server device acquires the authentication result output by the authentication device, and the authentication result acquisition process in which the server device determines whether or not to log in according to the acquired authentication result. The login determination step, the authentication information generation request acquisition step in which the authentication device acquires the authentication information generation request from the server device, and the authentication information generation in the authentication device based on the acquired authentication information generation request. The authentication information generation step, the authentication information output step of outputting the generated authentication information by the authentication device, the response information acquisition step of the authentication device acquiring the response information transmitted from the terminal device, and the above. An authentication calculation step in which the authentication device performs a calculation based on the output authentication information and the terminal identification information included in the acquired response information, and a calculation result included in the response information acquired by the authentication device. Based on the calculation result calculated by the authentication calculation step, the determination step of determining whether or not to authenticate the terminal device and the authentication connection of the authentication device based on the result determined by the determination step. Includes a certification result output process that outputs results.

Further, the authentication device according to one aspect of the present invention generates authentication information which is information for authenticating that the customer logs in to the server device from a server device that provides a service to the customer through a telecommunications line. An authentication information generation request acquisition unit that acquires a requested authentication information generation request, an authentication information generation unit that generates the authentication information based on the acquired authentication information generation request, and an authentication information output unit that outputs the generated authentication information. The response information acquisition unit that acquires the response information transmitted from the terminal device that receives the service provided by the server device by logging in to the server device, the output authentication information, and the acquired response information. The terminal device is based on an authentication calculation unit that performs an operation based on the terminal identification information that identifies the terminal device included, and an operation result included in the acquired response information and an operation result calculated by the authentication calculation unit. Outputs an authentication result including information on whether or not to authenticate the customer to log in to the server device based on the determination unit for determining whether or not to perform the authentication of the above and the result of the determination by the determination unit. It is equipped with an authentication result output unit.

Further, the server device according to one aspect of the present invention is information for determining whether or not to authenticate the login based on the login request acquisition unit that acquires the login request from the terminal device and the acquired login request. An authentication information generation request output unit that outputs an authentication information generation request that is a request for generating authentication information, an authentication information acquisition unit that acquires the authentication information generated based on the authentication information generation request, and the acquired authentication. An authentication information output unit that outputs information to the terminal device, and an authentication result acquisition unit that acquires an authentication result that is information indicating whether or not to authenticate the login based on the output authentication information. A login determination unit for determining whether or not to log in from the terminal device is provided according to the authentication result.

Further, the terminal device according to one aspect of the present invention outputs a terminal identification information storage unit that stores terminal identification information that identifies the terminal device and a login request for logging in to a server device that provides a service through a telecommunications line. A login request output unit, an authentication information acquisition unit that acquires authentication information generated in response to the output login request from the server device, an arithmetic unit that performs an operation based on the acquired authentication information, and the arithmetic unit. A response information transmission unit that transmits response information including the calculation result calculated by the above and the terminal identification information to the authentication device, and a login indicating that login to the server device is permitted based on the transmitted response information. It is equipped with a login permission information acquisition unit that acquires permission information.

According to the present invention, it is possible to prevent a third party who has obtained a user ID and password by unauthorized means from logging in in the identity verification of a user in an online service via the Internet.

It is a figure which shows an example of the schematic diagram of the authentication system which concerns on 1st Embodiment. It is a figure for demonstrating an example of the case where a malicious third party tries to log in by impersonating a user in the authentication system which concerns on 1st Embodiment. It is a figure which shows an example of the functional block diagram of the terminal apparatus which concerns on 1st Embodiment. It is a figure which shows an example of the functional block diagram of the server apparatus which concerns on 1st Embodiment. It is a figure for demonstrating the correspondence relationship between the user ID and the user code which concerns on 1st Embodiment. It is a figure which shows an example of the functional block diagram of the authentication apparatus which concerns on 1st Embodiment. It is a figure which shows an example of the information which the authentication information storage device which concerns on 1st Embodiment stores. It is a figure which shows an example of the information which the application number storage device which concerns on 1st Embodiment stores. It is a figure for demonstrating a series of flow at the time of setting registration which concerns on 1st Embodiment. It is an example of a sequence diagram explaining a series of flow at the time of setting registration which concerns on 1st Embodiment. It is a figure for demonstrating a series of flow at the time of login which concerns on 1st Embodiment. It is an example of a sequence diagram for explaining a series of flows at the time of login according to the first embodiment. It is an example of the flowchart explaining an example of the response information output step which concerns on 1st Embodiment. It is a figure which shows an example of the functional block diagram of the terminal apparatus which concerns on 2nd Embodiment. It is a figure for demonstrating an example of the user response information acquisition step step of the terminal apparatus which concerns on 2nd Embodiment. It is a flowchart for demonstrating an example of the user response information acquisition step of the terminal apparatus which concerns on 2nd Embodiment. It is a figure for demonstrating the outline of the authentication method by a prior art.

[Prior Technique]
Hereinafter, the prior art will be described with reference to the drawings.
FIG. 17 is a diagram for explaining an outline of an authentication method according to the prior art.
According to the authentication system 90 according to the prior art, the user 98 logs in to the server device 92 from the terminal device 91 using the user ID and password stored by the user 98 himself / herself. For example, the user ID and the password are both character strings composed of alphanumerical characters and the like.

The terminal device 91 includes an input device (not shown) such as a keyboard. The terminal device 91 acquires the character string input to the input device as a user ID and password. The terminal device 91 transmits a login request including the acquired user ID and password to the server device 92.
When the user ID and password received from the terminal device 91 match the user ID and password registered in advance, the server device 92 permits the terminal device 91 to log in.

Here, it is assumed that the third party 99 obtains the user ID and password from the user 98 by theft, fraud, duress, or other fraudulent means. In this case, the third party 99 can make a login request to the server device 92 by using the terminal device 91A different from the terminal device 91 possessed by the user 98 and the acquired user ID and password. Since the server device 92 cannot determine whether the received login request is a request from a legitimate user or a request from a malicious third party, in addition to the login request from the legitimate user, the server device 92 cannot determine. Even in response to a login request from a malicious third party, login was permitted.
That is, according to the prior art, if the user ID and password are acquired by a third party, there is a risk that the user will be logged in illegally.

The user ID and password may be acquired by a third party by a method such as a password list type attack (restore attack) or phishing fraud. Therefore, in the present invention, in the identity verification of the user in the online service via the Internet, it is prevented that a third party who has obtained the user ID and password by theft, fraud, duress, or other fraudulent means logs in. The purpose is to provide authentication technology that can be used.

[First Embodiment]
Hereinafter, the first embodiment of the present invention will be described with reference to the drawings.

[Outline of authentication system]
FIG. 1 is a diagram showing an example of a schematic diagram of the authentication system 1 according to the first embodiment. An example of a schematic diagram of the authentication system 1 according to the first embodiment will be described with reference to the figure.
The authentication system 1 includes a terminal device 10, a server device 20, and an authentication device 30. The authentication system 1 is applied to, for example, an EC (Electronic Commerce) system 2.

The EC system 2 includes a terminal device 10 and a server device 20. The EC system 2 is used by the user U.
The user U makes a service request to the server device 20 via the terminal device 10, and receives the service. The service in the present embodiment is a service that requires authentication of the user U in connection with the provision of the service. The service in the present embodiment requires authentication associated with payment, for example, in providing the service. Specifically, the service in this embodiment is a service for placing and receiving orders for products and the like via the Internet (EC or electronic commerce), a service for banks via the Internet (Internet banking or online banking), and the like. There may be.

When the EC system 2 provides EC or electronic commerce, the products handled by the EC system 2 are not limited to physical products, but may be digital contents such as music media and movie media.

The terminal device 10 acquires an operation from the user U and inputs / outputs information to / from the server device 20 by a predetermined communication method. Specifically, the terminal device 10 makes a service request SEQU to the server device 20, and as a result, receives the service providing SP. The terminal device 10 enjoys the service provided by the server device 20 by logging in to the server device 20.
Specifically, the terminal device 10 is an information processing device such as a smartphone, a tablet terminal, or a personal computer. The terminal device 10 may be a dedicated terminal specialized for communication with the server device 20, or may be a general-purpose terminal.
Hereinafter, the terminal device 10 may be referred to as a user terminal.

The terminal device 10 stores terminal identification information that identifies the terminal device 10. Hereinafter, the terminal identification information may also be described as the application number AN.

The server device 20 provides a service through a telecommunication line by a predetermined communication method. Specifically, the server device 20 provides a service providing SP to the user U who operates the terminal device 10 based on the service request SEQU from the terminal device 10.
Hereinafter, the server device 20 will also be referred to as an EC site side server.

The authentication device 30 authenticates in the EC system 2. That is, the authentication device 30 authenticates to log in to the server device 20 from the terminal device 10.
The authentication device 30 acquires the authentication request ARQ from the server device 20. The server device 20 generates authentication information based on the acquired authentication request ARQ. The terminal device 10 provides the response R to the authentication device 30 based on the generated authentication information. The authentication device 30 authenticates the login based on the response R, and outputs the authentication result AR as a result to the server device 20.

In the present embodiment, the server device 20 receives a service request SEQU from a plurality of terminal devices 10 and performs a service providing SP to the plurality of terminal devices 10. The server device 20 and the terminal device 10 may be connected by a predetermined network (not shown) such as the Internet.
In this embodiment, the authentication device 30 authenticates a plurality of EC systems 2. The authentication device 30 and the server device 20 may be connected by a predetermined network (not shown) such as the Internet. Further, the authentication device 30 and the terminal device 10 may be connected by a predetermined network (not shown) such as the Internet.

FIG. 2 is a diagram for explaining an example of a case where a malicious third party attempts to log in by impersonating a user in the authentication system 1 according to the first embodiment. With reference to the figure, an example of a case where a malicious third party attempts to log in by impersonating a user will be described.
In this example, the user U1 logs in to the server device 20 via the terminal device 10 held by the user U1. The third party U2 and the third party U3 are malicious third parties who try to log in to the server device 20 by impersonating the user U1.

The user U1 unlocks the terminal device 10 by using the screen unlock password stored by the user U1 himself. For example, the screen unlock password may be a password composed of a plurality of numbers or a password using a pattern recognition technique.

In this example, an example in which the screen unlock password is input via the input unit (not shown) included in the terminal device 10 will be described, but the screen lock is biometric authentication (biometrics authentication) or the like. It may be configured by using the authentication method of.
The biometric authentication may utilize the physical characteristics of the user acquired by the imaging unit (not shown), the voice input unit, or the like provided in the terminal device 10. The biometric authentication may be, for example, fingerprint authentication, face authentication, voice authentication, retinal authentication, iris authentication, or the like.

When the screen lock of the terminal device 10 is released, the user U1 sends a login request for logging in to the server device 20. When the server device 20 receives the login request, the authentication device 30 performs the authentication work of the terminal device 10. For the authentication work in this embodiment, the application number AN stored in the terminal device 10 is used. When the terminal device 10 is authenticated by the authentication device 30, the server device 20 permits the login of the terminal device 10.

Here, a case where the third party U2 acquires the terminal device 10 from the user U1 by theft, fraud, duress, or other fraudulent means will be described. The third party U2 has the terminal device 10, but cannot log in to the terminal device 10 because he / she does not have the screen unlock password. Therefore, since the third party U2 cannot log in to the terminal device 10, it cannot log in to the server device 20.

Next, a case where the third party U3 obtains the screen unlock password of the terminal device 10 from the user U1 by theft, fraud, duress, or other fraudulent means will be described. The third party U2 has a password for unlocking the screen of the terminal device 10, but cannot log in to the terminal device 10 because he does not have the terminal device 10. Even if the third party U3 sends a login request to the server device 20 by the terminal device 10A which is a terminal different from the terminal device 10, for example, the terminal device 10A does not have the application number AN or the application number. Even if the terminal device 10A has the AN, the terminal device 10A cannot log in to the server device 20 because the application number AN is different from the terminal device 10.

As described above, in the present embodiment, when either the terminal device 10 or the screen unlock password of the terminal device 10 is obtained by a third party by theft, fraud, impersonation, or other fraudulent means. Even if there is, it is possible to prevent the user U from logging in to the server device 20 by impersonating the user U.
Hereinafter, the details of the management device 10, the server device 20, and the authentication device 30 included in the authentication system 1 will be described with reference to the drawings.

[Functional configuration of terminal device]
FIG. 3 is a diagram showing an example of a functional configuration diagram of the terminal device 10 according to the first embodiment. An example of the functional configuration of the terminal device 10 according to the first embodiment will be described with reference to the figure.

The terminal device 10 includes a login request operation reception unit 111, a login request output unit 112, an authentication information acquisition unit 114, an application number storage unit (terminal identification information storage unit) 131, a calculation unit 132, and a login permission information acquisition. A unit 115 and a response information transmission unit 123 are provided.
The login request operation reception unit 111 acquires the login request LEQU from the user U. The login request LRQ is a request for the terminal device 10 to log in to the server device 20. Specifically, the login request operation receiving unit 111 accepts an operation for performing a login request LEQU through a user interface such as a touch panel.
Further, the login request operation reception unit 111 acquires the usage registration request REQU from the user U. The usage registration request RRQ is a request required when the terminal device 10 logs in to the server device 20 for the first time. That is, the usage registration request REQU is a request for setting registration performed at the first login.

The login request output unit 112 outputs a login request LEQU, which is a request for the terminal device 10 to log in to the server device 20, to the server device 20 based on the operation received by the login request operation reception unit 111. Further, the login request output unit 112 outputs the usage registration request REQU to the server device 20 based on the operation received by the login request operation reception unit 111.
The login request LRQ and the usage registration request REQU output by the login request output unit 112 may include an application number AN or a user ID (UID) that identifies the terminal device 10.

The authentication information acquisition unit 114 acquires the authentication information AI from the server device 20. The authentication information AI is information for authenticating that the terminal device 10 logs in to the server device 20.
The application number storage unit 131 stores the application number (terminal identification information) AN. The terminal identification information identifies the terminal device 10. That is, the application number storage unit 131 stores the terminal identification information that identifies the terminal device 10.
The calculation unit 132 performs a calculation based on the authentication information acquired by the authentication information acquisition unit 114.
The response information transmission unit 123 transmits the response information RI including the calculation result calculated by the calculation unit 132 and the application number (terminal identification information) AN stored in the application number storage unit 131 to the authentication device 30.

The login permission information acquisition unit 115 acquires the login permission information LAI from the server device 20. The login permission information LAI is information indicating that the terminal device 10 permits the server device 20 to log in.

[Functional configuration of server device]
FIG. 4 is a diagram showing an example of a functional configuration diagram of the server device 20 according to the first embodiment. An example of the functional configuration of the server device 20 according to the first embodiment will be described with reference to the figure.
The server device 20 includes a login request acquisition unit 210, a user ID acquisition unit (customer information acquisition unit) 215, an authentication information generation request output unit 220, an authentication information acquisition unit 230, an authentication information output unit 240, and an authentication result. It includes an acquisition unit 250, a login determination unit 260, and a login permission information output unit 270.

The login request acquisition unit 210 acquires a login request LRQ or a usage registration request REQU from the terminal device 10 by a predetermined communication method. The login request LRQ or the usage registration request RRQ may be configured to be acquired from the terminal device 10 via a network such as the Internet.
The login request LRQ or the usage registration request REQU acquired by the login request acquisition unit 210 may include the application number AN or the user ID that identifies the terminal device 10.

When the user ID acquisition unit (customer information acquisition unit) 215 acquires the usage registration request REQU, the user ID acquisition unit (customer information acquisition unit) 215 stores the correspondence between the user ID (UID) and the user code (UC). Here, when the user ID acquisition unit 215 acquires the usage registration request REQU, the user ID acquisition unit 215 assigns a predetermined user code according to the new user ID and stores the correspondence relationship.
When the user ID acquisition unit 215 acquires the login request LRQ, the user ID acquisition unit 215 acquires the correspondence between the user ID and the user code. Here, in the present embodiment, the user U may log in to the server device 20 by the user ID via the terminal device 10. When the user U logs in to the server device 20 by the user ID, the server device 20 identifies the terminal device 10 by the user ID. On the other hand, the server device 20 identifies the terminal device 10 by the user code instead of the user ID in the communication with the authentication device 30. The user ID acquisition unit 215 acquires a user code corresponding to the user ID acquired from the terminal device 10. The correspondence between the user ID and the user code is stored in, for example, the user information storage device (customer information storage device) 25.
That is, the user ID acquisition unit (customer information acquisition unit) 215 has a user ID (first customer identification information) that identifies the user (customer) and a user that is information different from the user ID and that identifies the user. The correspondence between the user ID and the user code is acquired from the customer information storage device that stores the correspondence with the code (second customer identification information).

FIG. 5 is a diagram for explaining the correspondence between the user ID and the user code according to the first embodiment. The correspondence between the user ID and the user code will be described with reference to the figure.
In the example shown in the figure, the user ID "UID01" is associated with the user code "UC01". Similarly, the user ID "UID02" is associated with the user code "UC02". Similarly, the user ID "UID03" is associated with the user code "UC03".
In this case, the terminal device 10 whose user ID is specified as "UID01" in the communication between the terminal device 10 and the server device 20 has the user code "UC01" in the communication between the server device 20 and the authentication device 30. Specified as. Similarly, in the exchange between the terminal device 10 and the server device 20, the user code of the terminal device 10 specified as "UID02" is "UC02" in the exchange between the server device 20 and the authentication device 30. Specified as. Similarly, in the exchange between the terminal device 10 and the server device 20, the user code of the terminal device 10 specified as "UID03" is "UC03" in the exchange between the server device 20 and the authentication device 30. Specified as.

The authentication information generation request output unit 220 outputs an authentication information generation request AGREF, which is a request for generating authentication information, based on the acquired login request LRQ.
The authentication information generation request AGREF is a request for the authentication device 30 to generate the authentication information generation request AGREF.

The authentication information acquisition unit 230 acquires the authentication information AI generated by the authentication device 30. The authentication information acquisition unit 230 may be configured to acquire the authentication information AI from the authentication device 30 via a network such as the Internet.
The authentication information output unit 240 outputs the acquired authentication information AI to the terminal device 10. The authentication information output unit 240 is configured to output the authentication information AI to the terminal device 10 via a network such as the Internet, for example. You may.
The authentication result acquisition unit 250 acquires the authentication result AR output by the authentication device 30. The authentication result acquisition unit 250 may be configured to acquire the authentication result AR from the authentication device 30 via a network such as the Internet.

The login determination unit 260 determines whether or not the terminal device 10 can log in to the server device 20 according to the acquired authentication result AR.
The login permission information output unit 270 outputs the login permission information LAI including information indicating that the terminal device 10 is permitted to log in based on the result determined by the login determination unit 260.

[Functional configuration of authentication device]
FIG. 6 is a diagram showing an example of a functional configuration diagram of the authentication device 30 according to the first embodiment. An example of the functional configuration of the authentication device 30 according to the first embodiment will be described with reference to the figure.
The authentication device 30 includes an authentication information generation request acquisition unit 310, an authentication information generation unit 320, an authentication information output unit 330, a response information acquisition unit 340, an authentication calculation unit 345, a determination unit 350, and an authentication result output unit. It is equipped with 360.

The authentication information generation request acquisition unit 310 acquires the authentication information generation request AGREF from the server device 20. The authentication information generation request acquisition unit 310 may be configured to acquire the authentication information generation request AGREF from the server device 20 via a network such as the Internet.
The authentication information generation unit 320 generates the authentication information AI based on the acquired authentication information generation request AGREF. The authentication information AI includes information such as information for identifying the server device 20 itself and information for identifying the user U.
The authentication information output unit 330 outputs the authentication information AI generated by the authentication information generation unit 320 to the server device 20. The authentication information AI output by the authentication information output unit 330 is stored in the authentication information storage device 35.

FIG. 7 is a diagram showing an example of information stored in the authentication information storage device 35 according to the first embodiment. An example of the information stored in the authentication information storage device 35 will be described with reference to the figure.
The authentication information storage device 35 stores the site code (SC), the user code, and the generated authentication information AI in association with each other. The site code is identification information that identifies the server device 20. The user code is identification information for identifying the terminal device 10. The generated authentication information AI is the authentication information AI generated by the authentication information generation unit 320.
In the example shown in the figure, the site code "S01", the user code "UC01", and the generated authentication information "AI01" are associated with each other. Similarly, the site code "S01", the user code "UC02", and the generated authentication information "AI02" are associated with each other. That is, in this example, for different users (user code "UC01" and user code "UC02") on the same site (site code "S01"), the authentication device 30 uses different authentication information AI (generated authentication information ". AI01 ”and the generated authentication information“ AI02 ”) are generated, and the information generated by the authentication device 30 is stored in the authentication information storage device 35.

Returning to FIG. 6, the response information acquisition unit 340 acquires the response information RI transmitted from the terminal device 10. The response information RI acquired from the terminal device 10 by the response information acquisition unit 340 includes a calculation result calculated by the calculation unit 132 included in the terminal device 10 and an application number (terminal identification information) AN. The response information acquisition unit 340 may be configured to acquire the authentication result AR from the server device 20 via a network such as the Internet.
The authentication calculation unit 345 acquires the authentication information AI output by the authentication information output unit 330 from the authentication information storage device 35. The authentication calculation unit 345 performs a calculation based on the authentication information AI output by the authentication information output unit 330 and the application number (terminal identification information) AN included in the response information RI acquired by the response information acquisition unit 340. The authentication calculation unit 345 provides the result of performing the authentication calculation to the determination unit 350 as the authentication calculation result CR.

The determination unit 350 authenticates the terminal device 10 based on the calculation result included in the response information RI acquired by the response information acquisition unit 340 and the authentication calculation result (calculation result) CR calculated by the authentication calculation unit 345. Judge whether to do it or not. Specifically, the determination unit 350 of the terminal device 10 determines that the calculation result included in the response information acquired by the response information acquisition unit 340 and the calculation result calculated by the authentication calculation unit 345 are the same. It is determined that the authentication is valid, and if they are not the same, it is determined that the authentication of the terminal device 10 is invalid.
The determination unit 350 compares the calculation result included in the response information acquired by the response information acquisition unit 340 with the calculation result calculated by the authentication calculation unit 345, and the comparison result is within a predetermined range. In this case, it may be determined that the authentication of the terminal device 10 is valid, and if it is not within the predetermined range, it may be determined that the authentication of the terminal device 10 is invalid.

The authentication result output unit 360 outputs the authentication result AR based on the result determined by the determination unit 350. For example, the authentication result output unit 360 identifies the terminal device 10 and the server device 20 based on the correspondence information stored in the application number storage device 37, and outputs the authentication result AR to the server device 20.

FIG. 8 is a diagram showing an example of information stored in the application number storage device 37 according to the first embodiment. An example of the information stored in the application number storage device 37 will be described with reference to the figure.
The application number storage device 37 stores the site code, the user code, and the application number AN in association with each other. The site code, the user code, and the application number AN are acquired at the time of setting registration of the user U, and are stored in association with the application number storage device 37.

In the example shown in the figure, the site code "S01", the user code "UC01", and the application number "AP01" are associated with each other. Similarly, the site code "S01", the user code "UC02", and the application number "AP02" are associated with each other.

[A series of flow when registering settings]
FIG. 9 is a diagram for explaining a series of flows at the time of setting registration according to the first embodiment. With reference to the figure, a series of flows at the time of setting registration according to the first embodiment will be described.
First, the terminal device 10 acquires the usage registration request REQU from the user U. The login request output unit 112 provided in the terminal device 10 outputs the acquired usage registration request REQU to the server device 20. Here, the usage registration request REQU includes a user ID (UID). The user ID may be any alphanumerical character set by the user U.

When the server device 20 acquires the usage registration request REQU from the terminal device 10, it assigns a predetermined user code (UC) corresponding to the user ID and stores the correspondence relationship between the user ID and the user code. The user code may be a value unique to each server device 20, and may be a duplicate value in the correspondence with other server devices 20. The server device 20 outputs an authentication information generation request AGCHECK including a user code and a site code (SC) that identifies its own server device 20 to the authentication device 30.

When the authentication device 30 acquires the authentication information generation request AGCHECK, the authentication device 30 generates the authentication information AI. After generating the authentication information AI, the authentication device 30 stores the user code included in the acquired authentication information generation request AGREF, the site code, and the authentication information AI in association with each other. The authentication device 30 outputs the authentication information AI to the server device 20.
The server device 20 outputs the acquired authentication information AI to the terminal device 10.

When the terminal device 10 acquires the authentication information AI, the terminal device 10 outputs the response information RI including the authentication information AI and the application number AN to the authentication device 30.
When the authentication device 30 acquires the response information RI, it stores the application number AN in association with the site code and the user code corresponding to the authentication information included in the acquired response information RI.

FIG. 10 is an example of a sequence diagram illustrating a series of flows at the time of setting registration according to the first embodiment. With reference to the figure, a series of flows at the time of setting registration according to the first embodiment will be described.
(Step S110) The login request operation receiving unit 111 provided in the terminal device 10 acquires the usage registration request REQU by an operation from the user U.
(Step S120) When the login request operation receiving unit 111 acquires the usage registration request RRQ from the user U, the login request output unit 112 provided in the terminal device 10 outputs the acquired usage registration request RRQ to the server device 20. do.
(Step S130) When the usage registration request RRQ is output by the login request output unit 112 provided in the terminal device 10, the output usage registration request RRQ is transferred to the server device 20 by a predetermined communication method.

(Step S135) The login request acquisition unit 210 provided in the server device 20 acquires the usage registration request REQU. When the user ID acquisition unit 215 provided in the server device 20 acquires the usage registration request REQU from the terminal device 10, it assigns a predetermined user code corresponding to the user ID and stores the correspondence relationship between the user ID and the user code. Let me. The server device 20 identifies the terminal device 10 by using the user code in the communication with the authentication device 30. That is, the server device 20 converts the user ID into a user code in step 135.
(Step S140) The authentication information generation request output unit 220 outputs the authentication information generation request AGREF to the authentication device 30. The authentication information generation request AGREF includes a user code and a site code.
(Step S150) When the authentication information generation request AGREF is output by the authentication information generation request output unit 220 provided in the server device 20, the output authentication information generation request AGREF is transferred to the authentication device 30 by a predetermined communication method. Will be done.

(Step S160) The authentication information generation request acquisition unit 310 provided in the authentication device 30 acquires the authentication information generation request AGREF from the server device 20. The authentication information generation unit 320 generates the authentication information AI when the authentication information generation request AGREF is acquired by the authentication information generation request acquisition unit 310. The authentication device 30 stores the user code included in the authentication information generation request AGCHECK, the site code, and the generated authentication information AI in association with each other. The authentication information output unit 330 outputs the generated authentication information AI to the server device 20.

(Step S170) The authentication information AI output by the authentication information output unit 330 included in the authentication device 30 is transferred to the server device 20.
(Step S180) The authentication information acquisition unit 230 acquires the authentication information AI.
(Step S190) The authentication information output unit 240 transfers the acquired authentication information AI to the terminal device 10.

(Step S200) The authentication information acquisition unit 114 provided in the terminal device 10 acquires the authentication information AI.
(Step S220) The calculation unit 132 provided in the terminal device 10 performs a calculation based on the acquired authentication information AI.
(Step S240) The response information transmission unit 123 transmits the response information RI including the calculation result calculated by the calculation unit 132 and the application number AN to the authentication device 30.

(Step S250) The response information RI output by the response information transmission unit 123 provided in the terminal device 10 is transferred to the authentication device 30.
(Step S260) When the authentication device 30 acquires the response information RI from the terminal device 10, the authentication device 30 registers the settings of the terminal device 10. Specifically, the authentication device 30 stores the application number AN included in the acquired response information RI in association with the user ID (UID) and the user code (UCD) stored when the authentication information AI is generated. ..
Even if the authentication device 30 compares the calculation result included in the acquired response information RI with the calculation result based on the authentication information AI generated by itself, and registers the setting of the terminal device 10 based on the comparison result. good.

[A series of flow when logging in by user ID]
FIG. 11 is a diagram for explaining a series of flows at the time of login according to the first embodiment. With reference to the figure, a series of flows at the time of login according to the first embodiment will be described. In the present embodiment, the user U logs in to the server device 20 by using either the user ID (UID) or the application number AN. First, an example of a case where the user U logs in using the user ID will be described.
The terminal device 10 acquires a login request LEQU from the user U. The login request output unit 112 provided in the terminal device 10 outputs the acquired login request LEQU to the server device 20. The login request LEQU includes a user ID (first identification information). The user ID is a user ID used by the user U at the time of setting registration. User U does not need to enter a password when logging in.

When the user ID acquisition unit (customer information acquisition unit) 215 provided in the server device 20 acquires the login request LRQ from the server device 20, a predetermined user ID (first customer identification information) corresponding to the user ID (first customer identification information) included in the login request LRQ is obtained. Acquire a user code (second customer identification information). The authentication information generation request output unit 220 provided in the server device 20 outputs the authentication information generation request AGCHECK including the acquired user code and the site code for identifying its own server device 20 to the authentication device 30. That is, the authentication information generation request output unit 220 outputs the authentication information generation request AGREF including the user code (second customer identification information).

When the authentication device 30 acquires the authentication information generation request AGCHECK, the authentication device 30 generates the authentication information AI. The authentication device 30 stores the generated authentication information AI in association with the user code and the site code, and outputs the authentication information AI to the server device 20.
The server device 20 outputs the acquired authentication information AI to the terminal device 10.

When the terminal device 10 acquires the authentication information AI, the terminal device 10 performs an operation based on the authentication information AI. After performing the calculation based on the authentication information AI, the terminal device 10 outputs the response information RI including the calculation result and the application information to the authentication device 30.
When the authentication device 30 acquires the response information RI, the authentication device 30 performs an operation based on the application number AN included in the response information RI and the generated authentication information. The authentication device 30 compares the result of the calculation with the calculation result included in the acquired response information RI, and determines whether or not to authenticate the terminal device 10.

[A series of flow when logging in by application number]
Next, an example of the case where the user U logs in using the application number AN will be described. When the user U logs in using the application number AN, the user U can log in to the terminal device 10 without inputting either the user ID and the password. The login method using the application number AN will be described with reference to FIG.
In this example, the terminal device 10 outputs a login request LEQU including an application number (terminal identification information) AN, and the server device 20 and the authentication device 30 identify the terminal device by the terminal identification information.

The login request operation reception unit 111 provided in the terminal device 10 acquires the login request LEQU from the user U. The login request output unit 112 provided in the terminal device 10 outputs the acquired login request LEQU to the server device 20. Here, the login request LEQU includes the application number AN instead of the user ID. That is, in this example, the user U does not need to enter either the user ID or the password.

When the server device 20 acquires the login request LREF from the server device 20, it outputs the authentication information generation request AGREF including the site code for identifying its own server device 20 and the application number AN to the authentication device 30.

When the authentication device 30 acquires the authentication information generation request AGCHECK, the authentication device 30 generates the authentication information AI. The authentication device 30 stores the generated authentication information AI in association with the site code and the application number AN included in the authentication information generation request AGREF, and outputs the authentication information AI to the server device 20.
If the application number AN included in the authentication information generation request AGCHECK is not stored at the time of setting registration, the authentication device 30 may notify the server device 20 that the user is an unregistered user.
The server device 20 outputs the acquired authentication information AI to the terminal device 10.

When the terminal device 10 acquires the authentication information AI, the terminal device 10 performs an operation based on the authentication information AI. After performing the calculation based on the authentication information AI, the terminal device 10 outputs the response information RI including the calculation result and the application information to the authentication device 30.
When the authentication device 30 acquires the response information RI, the authentication device 30 performs an operation based on the application number AN included in the response information RI and the generated authentication information. The authentication device 30 compares the result of the calculation with the calculation result included in the acquired response information RI, and determines whether or not to authenticate the terminal device 10.

FIG. 12 is an example of a sequence diagram illustrating a series of flows at the time of login according to the first embodiment.
(Step S310) The login request operation receiving unit 111 provided in the terminal device 10 acquires the login request LEQU from the user U.
(Step S320) When the login request LRQ is acquired from the user U by the login request operation reception unit 111, the login request output unit 112 provided in the terminal device 10 outputs the acquired login request LRQ to the server device 20.
(Step S330) When the login request LRQ is output by the login request output unit 112 provided in the terminal device 10, the output login request LRQ is transferred to the server device 20 by a predetermined communication method.

(Step S335) The login request acquisition unit 210 provided in the server device 20 acquires the login request LEQU. When the login request LRQ includes a user ID, the user ID acquisition unit 215 provided in the server device 20 acquires a predetermined user code corresponding to the user ID when the user registration request RRQ is acquired from the terminal device 10. For example, the user ID acquisition unit 215 acquires a predetermined user code corresponding to the user ID included in the acquired login request LEQU from the user information storage device 25 in which the user ID and the user code are stored in association with each other. When the login request LEQU includes the user ID, the server device 20 identifies the terminal device 10 by using the user code in the communication with the authentication device 30. That is, the server device 20 converts the user ID into a user code in step 135. If the login request LEQU does not include the user ID and includes the application number AN instead of the user ID, the process of step S335 is not performed.

(Step S340) The authentication information generation request output unit 220 outputs the authentication information generation request AGCHECK to the authentication device 30. When the login request LRQ includes a user ID, the authentication information generation request output unit 220 outputs an authentication information generation request AGEQU including a site code for identifying the server device 20 and a user code corresponding to the user ID. When the login request LRQ includes the application number AN, the authentication information generation request output unit 220 outputs the authentication information generation request AGREF including the site code for identifying the server device 20 and the application number AN.
(Step S350) When the authentication information generation request AGREF is output by the authentication information generation request output unit 220 provided in the server device 20, the output authentication information generation request AGREF is transferred to the authentication device 30 by a predetermined communication method. Will be done.

(Step S360) The authentication information generation request acquisition unit 310 provided in the authentication device 30 acquires the authentication information generation request AGCHECK from the server device 20. The authentication information generation unit 320 generates the authentication information AI when the authentication information generation request AGREF is acquired by the authentication information generation request acquisition unit 310.
When the user code is included in the authentication information generation request AGREF, the authentication device 30 stores the user code included in the authentication information generation request AGREF, the site code, and the generated authentication information AI in association with each other.
When the authentication information generation request AGREF includes the application number AN, the authentication device 30 stores the application number AN included in the authentication information generation request AGREF, the site code, and the generated authentication information AI in association with each other.
The authentication information output unit 330 outputs the generated authentication information AI to the server device 20.

(Step S370) The authentication information AI output by the authentication information output unit 330 included in the authentication device 30 is transferred to the server device 20.
(Step S380) The authentication information acquisition unit 230 acquires the authentication information AI.
(Step S390) The authentication information output unit 240 transfers the acquired authentication information AI to the terminal device 10.

(Step S400) The authentication information acquisition unit 114 provided in the terminal device 10 acquires the authentication information AI.
(Step S420) The calculation unit 132 provided in the terminal device 10 performs a calculation based on the acquired authentication information AI.
(Step S440) The response information transmission unit 123 transmits the response information RI including the calculation result calculated by the calculation unit 132 and the application number AN to the authentication device 30.

(Step S450) The response information RI output by the response information transmission unit 123 provided in the terminal device 10 is transferred to the authentication device 30.
(Step S460) When the authentication device 30 acquires the response information RI from the terminal device 10, the authentication device 30 authenticates the terminal device 10.

Here, the details of the authentication of the terminal device 10 performed by the authentication device 30 will be described with reference to the drawings.
FIG. 13 is an example of a flowchart illustrating an example of the authentication step according to the first embodiment. An example of the authentication step according to the first embodiment will be described with reference to the figure.
(Step S461) The response information acquisition unit 340 provided in the authentication device 30 acquires the response information RI.
(Step S463) The authentication calculation unit 345 provided in the authentication device 30 performs an authentication calculation. Specifically, the authentication calculation unit 345 acquires the authentication information AI associated with the application number AN included in the acquired response information RI from the authentication information storage device 35. The authentication calculation unit 345 performs a calculation based on the authentication information AI and the application number AN. The authentication calculation unit 345 provides the result of performing the authentication calculation to the determination unit 350 as the authentication calculation result CR.

(Step S465) The determination unit 350 provided in the authentication device 30 is based on the calculation result included in the response information RI acquired by the response information acquisition unit 340 and the authentication calculation result CR calculated by the authentication calculation unit 345. , Determine whether or not to authenticate the terminal device 10. In the determination unit 350, the calculation result included in the response information acquired by the response information acquisition unit 340 and the calculation result calculated by the authentication calculation unit 345 are the same, or the response information acquired by the response information acquisition unit 340 is used. When the difference between the included calculation result and the calculation result calculated by the authentication calculation unit 345 is within a predetermined range (that is, step S465; YES), the process proceeds to step S467. In the determination unit 350, when the calculation result included in the response information acquired by the response information acquisition unit 340 and the calculation result calculated by the authentication calculation unit 345 are not the same or are not included in a predetermined range (that is,). , Step S465; NO), the process proceeds to step S468.
(Step S467) The determination unit 350 determines that the authentication of the terminal device 10 is valid.
(Step S468) The determination unit 350 determines that the authentication of the terminal device 10 is invalid.
(Step S469) The authentication result output unit 360 provided in the authentication device 30 outputs the authentication result AR based on the result determined by the determination unit 350. The authentication result output unit 360 identifies the terminal device 10 and the server device 20 based on the correspondence information stored in the application number storage device 37, and outputs the authentication result AR to the server device 20.

(Step S470) Returning to FIG. 12, the authentication result AR output by the authentication result output unit 360 provided in the authentication device 30 is transferred to the authentication device 30.
(Step S480) The authentication result acquisition unit 250 provided in the server device 20 acquires the authentication result AR. The login determination unit 260 determines whether or not to allow the login of the terminal device 10 based on the acquired authentication result AR. Specifically, the login determination unit 260 acknowledges the login of the terminal device 10 when the response information RI output by the terminal device 10 is determined to be valid by the authentication device 30, and is output by the terminal device 10. If the response information RI is determined by the authentication device 30 to be invalid, the login of the terminal device 10 is not permitted.
(Step S490) The login permission information output unit 270 outputs the result determined by the login determination unit 260 to the terminal device 10 as the login permission information LAI.

If the determination unit 350 determines that the authentication identified by the authentication information identification number AIID included in the response information RI is invalid, the authentication system 1 is provided with a login request operation reception unit in the terminal device 10. 111 may start over from the step (step S310) of acquiring the login request LEQU from the user U.

[Summary of the first embodiment]
According to the embodiment described above, the authentication system 1 includes a terminal device 10, a server device 20, and an authentication device 30. The terminal device 10 acquires the login request LRQ from the user U by including the login request operation receiving unit 111, and outputs the login request LRQ to the server device 20 by including the login request output unit 112. The server device 20 acquires a login request LRQ from the terminal device 10 by including the login request acquisition unit 210, and outputs an authentication information generation request AGCHECK to the authentication device 30 by including the authentication information generation request output unit 220. The authentication device 30 acquires the authentication information generation request AGREF from the server device 20 by including the authentication information generation request acquisition unit 310, generates the authentication information AI by including the authentication information generation unit 320, and generates the authentication information AI, and the authentication information output unit 330. The authentication information AI is output to the server device 20 by providing the above. The server device 20 acquires the authentication information AI from the authentication device 30 by including the authentication information acquisition unit 230, and outputs the acquired authentication information AI to the terminal device 10 by including the authentication information output unit 240. The terminal device 10 acquires the authentication information AI by including the authentication information acquisition unit 114, performs an operation based on the acquired authentication information AI by including the calculation unit 132, and calculates by including the response information transmission unit 123. The result and the application number are output to the authentication device 30 as response information RI. The authentication device 30 acquires the response information RI from the terminal device 10 by including the response information acquisition unit 340, and the calculation result application number included in the response information RI acquired by the authentication calculation unit 345 and the generated authentication. The calculation based on the information AI is performed, it is determined whether or not the login is valid by providing the determination unit 350, and the authentication result AR is output by providing the authentication result output unit 360.
That is, according to the present embodiment, the user U cannot log in to the server device 20 unless the specific terminal device 10 for which the setting registration is performed is used. Therefore, even if a third party obtains the login ID, password, or the like of the user U for an unauthorized purpose, the third party cannot log in to the server device 20.
Therefore, the authentication system 1 can prevent a third party who has obtained the user ID and password by unauthorized means from logging in in the identity verification of the user in the online service via the Internet.

Further, according to the embodiment described above, even if a third party obtains the terminal device 10 for an illegal purpose, the terminal device 10 is provided with a screen lock by a screen lock password, biometric authentication, or the like. , A third party cannot use the terminal device 10.
Therefore, the authentication system 1 can prevent a third party who has obtained the terminal device 10 from logging in by unauthorized means in the identity verification of the user in the online service via the Internet.

Further, according to the embodiment described above, the server device 20 includes the user ID acquisition unit 215, and thus has a user code (first customer identification information) corresponding to the user ID (first customer identification information) included in the acquired login request LRQ. 2 Acquire identification information). The server device 20 and the authentication device 30 specify the terminal device 10 not by the user ID used by the user U but by the user code. That is, according to the present embodiment, the server device 20 and the authentication device 30 can specify the terminal device 10 without using the user ID used by the user U. Therefore, according to the present embodiment, the server device 20 and the authentication device 30 do not specify the terminal device 10 based on the personal information of the user U.
Therefore, according to the present embodiment, the authentication device 30 can authenticate that the terminal device 10 logs in to the server device 20 without managing the personal information of the terminal device 10.

Here, according to the prior art, in order for the terminal device 10 to log in to the server device 20, it is necessary to log in using the user ID and password. That is, the user U has to perform troublesome work such as inputting a user ID and a password when logging in. The administrator who manages the server device 20 has requested that the user U be provided with a secure authentication method without requiring complicated input work.

According to the embodiment described above, the terminal device 10 outputs a login request LEQU including an application number. Both the server device 20 and the authentication device 30 specify the terminal device 10 by the application number. That is, according to the present embodiment, the user U can log in without inputting either the user ID and the password.
Therefore, according to the present embodiment, it is possible to provide a secure authentication method without requiring the user U to perform complicated input work.

[Second Embodiment]
Hereinafter, the second embodiment of the present invention will be described with reference to the drawings.

[Functional configuration of the terminal device according to the second embodiment]
FIG. 14 is a diagram showing an example of a functional configuration diagram of the terminal device according to the second embodiment. An example of the functional configuration of the terminal device 10A according to the second embodiment will be described with reference to the figure. The terminal device 10A is different from the terminal device 10 in that the terminal device 10A is composed of different terminals of the first terminal device 11 and the second terminal device 12. The contents already described in the description of the terminal device 10 may be omitted by assigning the same reference numerals.

The terminal device 10A includes a first terminal device 11 and a second terminal device 12.
The first terminal device 11 includes a login request operation reception unit 111, a login request output unit 112, an authentication information acquisition unit 114, a display unit 113, and a login permission information acquisition unit 115 as functional configurations. The first terminal device 11 may be, for example, an information processing terminal such as a personal computer or a tablet terminal.
The first terminal device 11 is different from the terminal device 10 in that the display unit 113 is further provided.
The display unit 113 displays the information included in the authentication information AI acquired by the authentication information acquisition unit 114 to the user U. That is, the display unit 113 displays the information based on the acquired authentication information AI.

The second terminal device 12 includes a response operation reception unit 121, an application number storage unit 131, a calculation unit 132, and a response information transmission unit 123 as functional configurations. The second terminal device 12 may be, for example, an information processing terminal such as a smartphone or a tablet terminal.
The second terminal device 12 is different from the terminal device 10 in that it further includes a response operation receiving unit 121.

The response operation reception unit 121 receives a response operation from the user U. Specifically, the response operation receiving unit 121 accepts an operation from the user U by acquiring the user response information URI. The user U performs an operation according to the information based on the authentication information AI displayed on the display unit 113. The display unit 113 accepts an operation by the user U according to the information based on the authentication information AI displayed on the display unit 113. That is, the response operation receiving unit 121 accepts an operation according to the display of the display unit 113.

FIG. 15 is a diagram for explaining an example of a user response information acquisition step of the terminal device according to the second embodiment. The second embodiment is different from the first embodiment in that it has a user response information acquisition step between the acquisition of the authentication information AI and the execution of the authentication operation. The user response information acquisition step will be described with reference to the figure.

When the first terminal device 11 acquires the authentication information AI from the server device 20, it is displayed on the display unit 113. The display unit 113 may be, for example, a liquid crystal display or the like. In the present embodiment, the display unit 113 displays the information included in the authentication information AI as the image P1. The image P1 may be, for example, a two-dimensional code or the like.
In other words, the image P1 is an image including the authentication information AI. That is, the display unit 113 displays an authentication image which is an image including the authentication information AI.

The second terminal device 12 is operated by the user U. The second terminal device 12 includes an image pickup unit (not shown), and images P1 displayed on the display unit 113 of the first terminal device 11 at an angle of view A. The image P2 on which the image P1 is captured is displayed on the display unit 125 of the second terminal device 12. The second terminal device 12 performs an operation based on the information contained in the image P2, and outputs the response information RI to the authentication device 30.
The image pickup unit provided in the second terminal device 12 is an example of the response operation reception unit 121. That is, the response operation reception unit 121 receives the user response operation URI by capturing the image (authentication image) P1.

FIG. 16 is a flowchart for explaining an example of the user response information acquisition step of the terminal device according to the second embodiment. The details of the user response information acquisition step of the terminal apparatus according to the second embodiment will be described with reference to the figure.

(Step S511) The login request operation receiving unit 111 provided in the first terminal device 11 acquires the login request LEQU from the user U.
(Step S513) The login request output unit 112 provided in the first terminal device 11 outputs the acquired login request LEQU to the server device 20.
(Step S515) When the authentication information acquisition unit 114 provided in the first terminal device 11 acquires the authentication information AI from the server device 20 (that is, step S515; YES), the process proceeds to step S517. The authentication information acquisition unit 114 keeps the process in step S515 (that is, step S515; NO) until the authentication information AI is acquired from the server device 20.
(Step S517) The display unit 113 provided in the first terminal device 11 displays the image P1 based on the acquired authentication information AI.

(Step S519) The image pickup unit (not shown) as the response operation reception unit 121 provided in the second terminal device 12 captures the image P2 displayed on the display unit 113 of the first terminal device 11. When the image P2 is normally captured (that is, step S519; YES), the response operation reception unit 121 advances the process to step S520. The response operation receiving unit 121 keeps the process in step S519 (that is, step S519; NO) until the image P2 is normally captured.
The response operation reception unit 121 may determine whether or not the image P2 has been normally captured by a determination unit (not shown). The determination unit determines whether or not the image P2 has been normally imaged, for example, depending on whether or not the image P2 contains a predetermined reference numeral.
(Step S520) The calculation unit 132 provided in the second terminal device 12 performs a calculation based on the information acquired by the response operation reception unit 121.
(Step S521) The response information transmission unit 123 provided in the second terminal device 12 outputs the calculated result and the application number AN to the authentication device 30 as the response information RI.

(Step S523) When the login permission information acquisition unit 115 provided in the first terminal device 11 acquires the login permission information LAI within a predetermined period (that is, step S523; YES), it is determined that the login is successful and the login process is performed. To finish. If the login permission information acquisition unit 115 does not acquire the login permission information LAI within a predetermined period (that is, step S523; NO), it determines that the login has failed and returns the process to step S511.

[Summary of the second embodiment]
According to the embodiment described above, the terminal device 10A in the authentication system 1A includes a first terminal device 11 and a second terminal device 12. The display unit 113 provided in the first terminal device 11 displays an image (authentication image) P1 which is an image including the authentication information AI. The response operation reception unit 121 provided in the second terminal device 12 receives the response operation RI by capturing the image (authentication image) P1 displayed on the display unit 113. The second terminal device 12 is a general-purpose information processing terminal such as a smartphone.
Therefore, according to the present embodiment, the user U does not need to perform a troublesome operation and can perform the authentication work. Therefore, according to the present embodiment, the authentication system 1A can easily perform the impression work by including the first terminal device 11 and the second terminal device 12.

It should be noted that all or a part of the functions of each part of the terminal device 10, the server device 20, and the authentication device 30 provided in the authentication system 1 in the above-described embodiment can read the program for realizing these functions by a computer. It may be realized by recording on a recording medium, loading the program recorded on the recording medium into a computer system, and executing the program. The term "computer system" as used herein includes hardware such as an OS and peripheral devices.
Further, the "computer-readable recording medium" refers to a portable medium such as a flexible disk, a magneto-optical disk, a ROM, or a CD-ROM, or a storage unit such as a hard disk built in a computer system. Further, a "computer-readable recording medium" is a communication line for transmitting a program via a network such as the Internet or a communication line such as a telephone line, and dynamically holds the program for a short period of time. It may also include a program that holds a program for a certain period of time, such as a volatile memory inside a computer system that is a server or a client in that case. Further, the above-mentioned program may be for realizing a part of the above-mentioned functions, and may be further realized for realizing the above-mentioned functions in combination with a program already recorded in the computer system.

1 ... Authentication system, 2 ... EC system, 10 ... Terminal device, 20 ... Server device, 30 ... Authentication device, 111 ... Login request operation reception unit, 112 ... Login request output unit, 114 ... Authentication information acquisition unit, 115 ... Login Authorization information acquisition unit, 131 ... App number storage unit, 132 ... Calculation unit, 123 ... Response information transmission unit, 210 ... Login request acquisition unit, 215 ... User ID acquisition unit, 220 ... Authentication information generation request output unit, 230 ... Authentication Information acquisition unit, 240 ... Authentication information output unit, 250 ... Authentication result acquisition unit, 260 ... Login determination unit, 270 ... Login permission information output unit, 25 ... User information storage device, 310 ... Authentication information generation request acquisition unit, 320 ... Authentication information generation unit, 330 ... Authentication information output unit, 340 ... Response information acquisition unit, 345 ... Authentication calculation unit, 350 ... Judgment unit, 360 ... Authentication result output unit, 35 ... Authentication information storage device, 37 ... App number storage device , U ... user, SRQ ... service request, SP ... service provision, AEQU ... authentication request, AGEQU ... authentication information generation request, AR ... authentication result, R ... response, LRQ ... login request, AI ... authentication information, RI ... response information , LAI ... Login permission information, REQU ... Usage registration request

The present invention relates to an authentication system, a control method of the authentication system, and an authentication device .

In one aspect of the present invention, the authentication system includes a server device that provides a service to a customer through a telecommunications line, a terminal device that allows the customer to receive a service provided by the server device by logging in to the server device, and a terminal device. The terminal device includes an authentication device that authenticates the user to log in to the server device from the terminal device, and the terminal device has a terminal identification information storage unit that stores terminal identification information that identifies the terminal device and logs in to the server device. A login request output unit that outputs a login request, which is information for performing an authentication, an authentication information acquisition unit that acquires authentication information from the server device, an arithmetic unit that performs an operation based on the acquired authentication information, and the arithmetic unit. The server device includes a response information transmission unit that transmits the calculated calculation result and a response information including the terminal identification information to the authentication device, and the server device is a login request acquisition unit that acquires the login request from the terminal device. An authentication information generation request output unit that outputs an authentication information generation request that is information for generating the authentication information, an authentication information acquisition unit that acquires the authentication information generated by the authentication device, and the acquired authentication information acquisition unit. An authentication information output unit that outputs authentication information to the terminal device, an authentication result acquisition unit that acquires the authentication result output by the authentication device, and a login determination unit that determines whether or not to log in according to the acquired authentication result. The authentication device includes an authentication information generation request acquisition unit that acquires the authentication information generation request from the server device, and an authentication information generation unit that generates the authentication information based on the acquired authentication information generation request. The authentication information output unit that outputs the authentication information, the response information acquisition unit that acquires the response information transmitted from the terminal device, the output authentication information, and the terminal identification included in the acquired response information. It is determined whether or not to authenticate the terminal device based on the authentication calculation unit that performs the calculation based on the information, the calculation result included in the acquired response information, and the calculation result calculated by the authentication calculation unit. The determination unit includes an authentication result output unit that outputs the authentication result based on the result determined by the determination unit, and the authentication result output unit includes identification information for identifying the server device and the terminal identification information. Based on the associated correspondence information, the authentication result is output to the server device corresponding to the terminal identification information included in the response information acquired by the response information acquisition unit .

Further, in the control method of the authentication system according to one aspect of the present invention, a server device that provides a service to a customer through a telecommunications line and a service provided by the server device by logging in to the server device are provided to the customer. It is a control method of an authentication system including a terminal device to be received and an authentication device for performing authentication for logging in to the server device from the terminal device, wherein the terminal device provides terminal identification information for identifying the terminal device. The terminal identification information storage process to be stored, the login request output process for outputting the login request for the terminal device to log in to the server device, and the authentication information acquisition for the terminal device to acquire the authentication information from the server device. The authentication includes a step, a calculation step in which the terminal device performs an calculation based on the acquired authentication information, a calculation result calculated by the terminal device in the calculation step, and the terminal identification information. The response information transmission step to be transmitted to the device, the login request acquisition step in which the server device acquires the login request from the terminal device, and the authentication information generation which is the information for the server device to generate the authentication information. An authentication information generation request output step for outputting a request, an authentication information acquisition step for the server device to acquire the authentication information generated by the authentication device, and the authentication information acquired by the server device for the terminal device. The authentication information output process to be output to, the authentication result acquisition process in which the server device acquires the authentication result output by the authentication device, and the authentication result acquisition process in which the server device determines whether or not to log in according to the acquired authentication result. The login determination step, the authentication information generation request acquisition step in which the authentication device acquires the authentication information generation request from the server device, and the authentication information generation in the authentication device based on the acquired authentication information generation request. The authentication information generation step, the authentication information output step of outputting the generated authentication information by the authentication device, the response information acquisition step of the authentication device acquiring the response information transmitted from the terminal device, and the above. An authentication calculation step in which the authentication device performs a calculation based on the output authentication information and the terminal identification information included in the acquired response information, and a calculation result included in the response information acquired by the authentication device. Based on the calculation result calculated by the authentication calculation step, the determination step of determining whether or not to authenticate the terminal device and the authentication connection of the authentication device based on the result determined by the determination step. The authentication result output step includes the authentication result output step of outputting the result, and the authentication result output step is based on the correspondence information associated with the identification information for identifying the server device and the terminal identification information, and is performed by the response information acquisition step. The authentication result is output to the server device corresponding to the terminal identification information included in the acquired response information .

Further, the authentication device according to one aspect of the present invention generates authentication information which is information for authenticating that the customer logs in to the server device from the server device that provides a service to the customer through a telecommunications line. An authentication information generation request acquisition unit that acquires a requested authentication information generation request, an authentication information generation unit that generates the authentication information based on the acquired authentication information generation request, and an authentication information output unit that outputs the generated authentication information. The response information acquisition unit that acquires the response information transmitted from the terminal device that receives the service provided by the server device by logging in to the server device, the output authentication information, and the acquired response information. The terminal device is based on an authentication calculation unit that performs an operation based on the terminal identification information that identifies the terminal device included, and an operation result included in the acquired response information and an operation result calculated by the authentication calculation unit. Outputs an authentication result including information on whether or not to authenticate the customer to log in to the server device based on the determination unit for determining whether or not to perform the authentication of the server device and the result of the determination by the determination unit. The authentication result output unit includes an authentication result output unit, and the authentication result output unit includes the response acquired by the response information acquisition unit based on the correspondence information associated with the identification information for identifying the server device and the terminal identification information. The authentication result is output to the server device corresponding to the terminal identification information included in the information .

Claims (7)

A server device that provides services to customers through telecommunication lines,
A terminal device that allows the customer to receive a service provided by the server device by logging in to the server device.
It is equipped with an authentication device that performs authentication for logging in to the server device from the terminal device.
The terminal device is
A terminal identification information storage unit that stores terminal identification information that identifies the terminal device,
A login request output unit that outputs a login request, which is information for logging in to the server device, and a login request output unit.
An authentication information acquisition unit that acquires authentication information from the server device,
A calculation unit that performs calculations based on the acquired authentication information, and
A response information transmission unit that transmits response information including the calculation result calculated by the calculation unit and the terminal identification information to the authentication device is provided.
The server device is
A login request acquisition unit that acquires the login request from the terminal device,
An authentication information generation request output unit that outputs an authentication information generation request, which is information for generating the authentication information, and an authentication information generation request output unit.
An authentication information acquisition unit that acquires the authentication information generated by the authentication device, and
An authentication information output unit that outputs the acquired authentication information to the terminal device,
The authentication result acquisition unit that acquires the authentication result output by the authentication device,
It is equipped with a login determination unit that determines whether or not to log in according to the acquired authentication result.
The authentication device is
An authentication information generation request acquisition unit that acquires the authentication information generation request from the server device,
An authentication information generation unit that generates the authentication information based on the acquired authentication information generation request,
An authentication information output unit that outputs the generated authentication information, and
A response information acquisition unit that acquires the response information transmitted from the terminal device,
An authentication calculation unit that performs an operation based on the output authentication information and the terminal identification information included in the acquired response information.
A determination unit for determining whether or not to authenticate the terminal device based on the calculation result included in the acquired response information and the calculation result calculated by the authentication calculation unit.
An authentication system including an authentication result output unit that outputs the authentication result based on the result determined by the determination unit. The server device stores the correspondence between the first customer identification information that identifies the customer and the second customer identification information that is different from the first customer identification information and is information that identifies the customer. Further provided with a customer information acquisition unit for acquiring the correspondence between the first customer identification information and the second customer identification information from the customer information storage device.
The login request output unit provided in the terminal device outputs the login request including the first customer identification information.
The customer information acquisition unit provided in the server device acquires the second customer identification information corresponding to the first customer identification information included in the acquired login request.
The authentication system according to claim 1, wherein the authentication information generation request output unit provided in the server device outputs the authentication information generation request including the second customer identification information. The login request output unit provided in the terminal device outputs the login request including the terminal identification information, and outputs the login request.
The authentication system according to claim 1, wherein the server device and the authentication device identify the terminal device by the terminal identification information. A server device that provides a service to a customer through a telecommunications line, a terminal device that allows the customer to receive a service provided by the server device by logging in to the server device, and a terminal device that logs in to the server device. It is a control method of an authentication system equipped with an authentication device that performs authentication for the purpose.
A terminal identification information storage step in which the terminal device stores terminal identification information for identifying the terminal device,
A login request output process in which the terminal device outputs a login request for logging in to the server device, and
An authentication information acquisition process in which the terminal device acquires authentication information from the server device,
A calculation process in which the terminal device performs a calculation based on the acquired authentication information, and
A response information transmission step in which the terminal device transmits response information including the calculation result calculated by the calculation step and the terminal identification information to the authentication device.
A login request acquisition step in which the server device acquires the login request from the terminal device, and
An authentication information generation request output process in which the server device outputs an authentication information generation request, which is information for generating the authentication information,
An authentication information acquisition step in which the server device acquires the authentication information generated by the authentication device, and
An authentication information output process in which the server device outputs the acquired authentication information to the terminal device,
The authentication result acquisition process in which the server device acquires the authentication result output by the authentication device, and
A login determination step in which the server device determines whether or not to log in according to the acquired authentication result.
The authentication information generation request acquisition step in which the authentication device acquires the authentication information generation request from the server device, and
An authentication information generation step in which the authentication device generates the authentication information based on the acquired authentication information generation request.
An authentication information output process in which the authentication device outputs the generated authentication information,
A response information acquisition step in which the authentication device acquires the response information transmitted from the terminal device, and
An authentication calculation step in which the authentication device performs an operation based on the output authentication information and the terminal identification information included in the acquired response information.
A determination step of determining whether or not to authenticate the terminal device based on the calculation result included in the acquired response information and the calculation result calculated by the authentication calculation step.
A control method of an authentication system including an authentication result output step in which the authentication device outputs the authentication result based on the result determined by the determination step. An authentication information generation request for acquiring an authentication information generation request that requests the generation of authentication information that is information for authenticating that the customer logs in to the server device from a server device that provides a service to the customer through a telecommunication line. Acquisition department and
An authentication information generation unit that generates the authentication information based on the acquired authentication information generation request,
An authentication information output unit that outputs the generated authentication information, and
A response information acquisition unit that acquires response information transmitted from a terminal device that receives a service provided by the server device by logging in to the server device, and a response information acquisition unit.
An authentication calculation unit that performs an operation based on the output authentication information and the terminal identification information that identifies the terminal device included in the acquired response information.
A determination unit for determining whether or not to authenticate the terminal device based on the calculation result included in the acquired response information and the calculation result calculated by the authentication calculation unit.
An authentication device including an authentication result output unit that outputs an authentication result including information on whether or not to authenticate the customer to log in to the server device based on the result of the determination by the determination unit. The login request acquisition unit that acquires the login request from the terminal device,
Based on the acquired login request, an authentication information generation request output unit that outputs an authentication information generation request that is a request to generate authentication information that is information for determining whether to authenticate login, and an authentication information generation request output unit.
An authentication information acquisition unit that acquires the authentication information generated based on the authentication information generation request, and
An authentication information output unit that outputs the acquired authentication information to the terminal device,
Based on the output authentication information, the authentication result acquisition unit that acquires the authentication result, which is the information indicating whether or not to authenticate the login, and the authentication result acquisition unit.
A server device including a login determination unit that determines whether or not to log in from the terminal device according to the acquired authentication result. A terminal identification information storage unit that stores terminal identification information that identifies the terminal device,
A login request output unit that outputs a login request for logging in to a server device that provides services through a telecommunication line, and a login request output unit.
An authentication information acquisition unit that acquires the authentication information generated in response to the output login request from the server device, and
A calculation unit that performs calculations based on the acquired authentication information, and
A response information transmission unit that transmits response information including the calculation result calculated by the calculation unit and the terminal identification information to the authentication device.
A terminal device including a login permission information acquisition unit that acquires login permission information indicating that login to the server device is permitted based on the transmitted response information.

Images