JP2022087192A - Authentication system and method thereof, and program thereof - Google Patents

Abstract

PROBLEM TO BE SOLVED: To take security measures in response to various environments in which a terminal is used and various requests of a user who has made a connection request via a network.

SOLUTION: In an authentication system, an authentication server authenticates an access request from a terminal via a network. The authentication server includes a first authentication unit that determines whether time when an access request is received satisfies a predetermined time condition and a second authentication unit that performs authentication based on one or more authentication elements relating to the access request after the authentication by the first authentication unit.

SELECTED DRAWING: Figure 1

COPYRIGHT: (C)2022,JPO&INPIT

Description

The present invention relates to an authentication system and a method thereof, and a program thereof, and particularly relates to authentication of terminals and users connected via a network.

It is common practice to connect terminals such as personal computers, smartphones, and tablets to target sites and servers via networks to acquire content and use applications. Information such as content to be accessed includes highly secure information such as personal information and confidential information. Therefore, security protection is achieved by denying network connection to requests from unauthorized users such as terminals without access authority and spoofing.

As a user authentication technique for confirming a legitimate user, a method of inputting a password from a user's terminal and verifying the matching is generally performed. Further, as a user authentication for enhancing security, for example, as disclosed in Patent Document 1, a composite authentication system that authenticates by combining biometric information such as a user's fingerprint, face, handwriting, and iris is known. Further, as disclosed in Patent Document 1, both the terminal and the user are authenticated by the double authentication by the authentication of the terminal and the personal authentication of the user of the terminal, and the communication network of the terminal. Multiple authentication systems to communication networks are known that issue permissions for.

Japanese Patent Application Laid-Open No. 2003-186836 Japanese Unexamined Patent Publication No. 2014-164359

The techniques described in Patent Documents 1 and 2 can certainly enhance security as compared with the verification of only the password. On the other hand, there are various terminals used by users, such as those having advanced functions and those with weak security measures, and the environment in which these terminals are used is also various. Furthermore, there are various functions of security measures required by the user. In order to meet the demands of these various security measures, it cannot be said that the security measures described in Patent Documents 1 and 2 are sufficient. Furthermore, the authentication function tends to be more complicated in response to the request for further strengthening of security, and the cost tends to increase accordingly.

An object of the present invention is to provide an authentication system, a method thereof, and a program capable of taking security measures in response to various environments in which terminals are used and various requests of users who have connection requests via a network. To provide.

Another object of the present invention is to keep the cost for authentication as low as possible so that the operation of authentication is not complicated.

Furthermore, an object of the present invention is to improve the convenience of the user by simplifying the authentication procedure as much as possible for the genuine user.

The authentication system according to the present invention is, in a preferred example, an authentication system in which an authentication server authenticates an access request from a terminal through a network, and the authentication server has a time when the access request is received in advance. The first authentication unit that determines whether the determined time condition is satisfied, and the second authentication unit that performs authentication based on one or more authentication elements in relation to the access request after the authentication by the first authentication unit. It is configured as an authentication system characterized by having and.

The present invention is also understood as an authentication method and an authentication program performed by the authentication system.

According to the present invention, security measures can be taken according to various environments in which the terminal is used and various requests of the user who have a connection request via the network. In addition, the cost for authentication can be suppressed as much as possible so that the operation of authentication is not complicated. In addition, it is possible to improve the convenience of the user by simplifying the authentication procedure as much as possible for the genuine user.

It is a figure which shows the configuration example of an authentication system. It is a figure which shows the example of the access permission DB. It is a figure which shows the example of the account authentication DB. It is a figure which shows the example of the authentication method adopted for each type of a user. It is a figure which shows the example of the initial registration DB. It is a sequence diagram which shows the processing procedure of the processing performed in the authentication system. It is a figure which shows the example of the account ID input screen. It is a figure which shows the example of the session data. It is a figure which shows the example of the authentication error screen. It is a sequence diagram which shows the processing procedure of the terminal authentication processing. It is a sequence diagram which shows the processing procedure of the mobile terminal authentication processing. It is a sequence diagram which shows the processing procedure of the device authentication processing. It is a figure which shows the example of the screen displayed on each PC and a terminal.

The authentication system according to the present invention, a method thereof, and an embodiment of the program will be described in detail with reference to the accompanying drawings.

[System configuration]
FIG. 1 is a diagram showing a configuration example of the authentication system 1000.
As shown in FIG. 1, the authentication system 1000 includes a user PC (Personal Computer) 100 for the user to obtain approval for using the content, and a mobile terminal (for example, a smartphone) 110 for authenticating the user with the mobile terminal. A device PC 120 for authenticating a user using a device (for example, USB (Universal Serial Bus)) and an authentication server 200 for authenticating the user using an authentication method according to the user are connected to each other via a network N1. Connected and configured. The content server 300 is also connected to the network N1. The network N1 is, for example, a general communication line network such as a WAN (Wide Area Network). Although FIG. 1 shows one user PC 100, one mobile terminal 110, and one device PC 120, a large number of these devices are actually connected.

As shown in FIG. 1, the user PC 100 includes an application unit 101, a display unit 102, a communication I / F (interface) unit 103, and a control unit 104.

When the application unit 101 receives a usage approval request from a user and is authenticated as a genuine user by using the authentication method corresponding to the user, the application unit 101 views or operates the content stored in the content server 300. The application to run.

The input display unit 102 is composed of, for example, an input / output device such as a touch panel, accepts input of various information necessary for the authentication system from a user, and processes various information obtained via the network N1 by the application unit 101. Display the information and various screens used for authentication.

The communication unit I / F unit 103 is composed of, for example, a communication device such as a NIC (Network Interface Card), and controls transmission / reception of various information via the network N1.
The control unit 104 is configured by, for example, a processing device such as a CPU (Central Processing Unit), and controls the operation of each unit of the user PC 100.

In each of the above units, these functions are realized by the control unit 104 executing the program. Specifically, the processing shown below is realized by the CPU reading a program stored in a ROM (Read Only Memory) (not shown), loading it into a RAM (Random access memory), and executing the program.

These programs may be downloaded from the network N1 via the communication unit I / F unit 103, loaded onto the RAM, and executed by the CPU. Alternatively, it may be directly loaded onto the RAM from a portable computer-readable storage medium such as a CD (Compact Disk) or DVD (Digital Versatile Disk) and executed by the CPU. The specific operation of each part of the user PC 100 will be described later with reference to a sequence diagram and a flowchart.

As shown in FIG. 1, the mobile terminal 110 includes a mobile terminal authentication unit 111, an input display unit 112, a communication I / F (interface) unit 113, and a control unit 114.
The mobile terminal authentication unit 111 is an application that authenticates the user who has requested the usage approval from the user PC 100 when the authentication method includes the authentication method using the mobile terminal 110 (mobile terminal authentication).

The input display unit 112 accepts input of various information for authentication, displays authentication results obtained via the network N1, and other various screens used in this authentication system.

The communication unit I / F unit 113 controls transmission / reception of various information via the network N1.

The control unit 114 is a processing device such as a CPU, and controls the operation of each unit of the mobile terminal 110.

In each of the above units, these functions are realized by the control unit 114 executing the program. The specific operation of each part of the mobile terminal 110 will be described later with reference to a sequence diagram and a flowchart.

As shown in FIG. 1, the device PC 120 includes an application unit 121, a device authentication unit 122, an input display unit 123, a communication I / F (interface) unit 124, and a device I / F (interface) unit 125. And a control unit 126.

When the application unit 121 receives a content usage approval request from a user and is authenticated as a genuine user by using the authentication method corresponding to the user, the application unit 121 can view the content stored in the content server 300 or view the content. An application that performs an operation.

The device authentication unit 122 is an application that authenticates the user who has requested the usage approval when the authentication method includes an authentication method (device authentication) using the device PC 120.

The input display unit 123 accepts input of various information for authentication, displays authentication results obtained via the network N1, and other various screens used in this authentication system.

The communication unit I / F unit 124 controls transmission / reception of various information via the network N1.

The device unit I / F unit 125 is an interface device such as a USB board, and detects the insertion / removal of various devices such as USB.

The control unit 126 is a processing device such as a CPU, and controls the operation of each unit of the device PC 120.

In each of the above units, these functions are realized by the control unit 126 executing the program. The specific operation of each part of the device PC 120 will be described later with reference to a sequence diagram and a flowchart.

The authentication server 200 is a server that selects a user authentication method according to the user's account for which usage approval is requested from the user PC 100 or device PC 120, and authenticates the user by the selected authentication method.

As shown in FIG. 1, the authentication server 200 includes a storage unit 201, a communication unit 202, an authentication control unit 204, and a control unit 205. Further, the authentication control unit 204 includes a password authentication unit 2041 that authenticates by matching passwords, a terminal authentication unit 2042 that authenticates to identify a user by using a registered terminal (browser), and registered terminals. It has a mobile terminal authentication unit 2043 that authenticates to identify a user by possession of a mobile terminal, and a device authentication unit 2044 that authenticates to identify a user by possession of a registered device. There is.

The storage unit 201 is composed of a general storage device such as an HDD or SSD, and stores an account authentication DB (Data Base) 2012. The storage unit 201 has an access permission DB 2011 for confirming the authentication time zone of access by the user and the connection source of the usage approval request, and an account authentication DB 2012 for selecting an authentication method according to the account of the user who is permitted to access. It has a user PC 100 used by the user for usage approval, a mobile terminal 110 used by the user for authentication, and an initial registration DB 2013 for registering the device PC 120. The specific configurations of the access permission DB 2011 (FIG. 2), the account authentication DB 2012 (FIG. 3), and the initial registration DB 2013 (FIG. 5) will be described later.

The communication unit 202 is, for example, a NIC or a modem, and controls transmission / reception of various information via the network N1. The access control unit 203 receives an access request (use approval request) from the user PC 100 or the like and executes processing.

The authentication control unit 204 refers to the account authentication DB 2012, and depending on the user's account, a predetermined authentication method is selected from the password authentication unit 2041, the terminal authentication unit 2042, the mobile terminal authentication unit 2043, and the device authentication unit 2044. Select and execute.

The password authentication unit 2041 authenticates the user with an account ID and a password.
The terminal authentication unit 2042 authenticates the user by terminal authentication.
The mobile terminal authentication unit 2043 authenticates the user by mobile terminal authentication.
The device authentication unit 2044 authenticates the user by device authentication.

The control unit 205 is a processing device such as a CPU, and controls the operation of each unit of the authentication server 200. The specific operation of each part of the authentication server 200 will be described later with reference to a sequence diagram and a flowchart. In each of the above units, these functions are realized by the control unit 205 executing the program.

In this authentication system, four authentication methods of "password authentication", "terminal authentication", "portable terminal authentication", and "device authentication" are adopted for user and / or terminal authentication. Here, in password authentication, the user is authenticated by inputting a predetermined password. In that sense, it can be said to be the user authentication method by the simplest method. Further, the terminal authentication authenticates whether the terminal such as the user PC 100 or the device PC 120 is the same as the one registered in the authentication system in advance.

In the mobile terminal authentication, the user is authenticated by using a predetermined mobile terminal to determine whether the usage environment such as the installation location and the usage time zone of the user PC 100 or the like is appropriate. Even when a plurality of users are in an environment where the user PC 100 is shared, the users can be authenticated. This authentication method authenticates the user by using personal information such as a biometric information and a password registered in advance in the mobile terminal by the user himself / herself. Since mobile terminals have a high penetration rate, many users carry out their business in a BYOD (Bring Your Own Device) environment. Therefore, by adopting "mobile terminal authentication", it is possible to easily authenticate the user himself / herself with less risk without registering personal information that only the user can know in the authentication server 200.

The device authentication is an authentication for confirming whether a device such as a USB mounted on the device PC 120 has the device authentication information registered in advance in the initial registration DB 2013. By changing the device authentication information of the authentication device 130 possessed by each user, the authentication device 130 possessed by each of the plurality of users can be attached to the device PC 120 to receive authentication. Therefore, it is possible to authenticate the user by a simple method without incurring a cost, and the device PC 120 can be shared by a plurality of users.

The content server 300 provides the requested content to the user PC 100 and the device PC 120 that the authentication server 200 has authenticated as authentic.

[Authentication management method]
FIG. 2 is a diagram showing an example of the access permission DB 2011. As shown in FIG. 2, in the access permission DB 2011, the connection source condition indicating the condition for permitting access from the IP address of the connection source and the time condition indicating the time zone for permitting access are associated with each other for each account. It is remembered. Since the IP address can be said to represent the location of the terminal having the IP address, the above connection condition can be referred to as a location condition.

In FIG. 2, for a user whose account ID is "E2", for example, when an access is made from a user PC 100 whose IP address is "192.168.0.0/24", it is permitted as a connection source condition. Which indicates that. Further, when the connection is in the working hours zone "9:00 to 17:00", it is shown that the connection is permitted as a time condition. That is, the user whose account ID is "E2" is not subjected to the user authentication process described later unless these connection source conditions and time conditions are permitted.

Further, for example, it is shown that the user whose account ID is "E2" is not permitted to access from the user PC 100 whose IP address is "192.168.20.0/24" regardless of the connection time. ing. Further, when the connection time is "0:00 to 5:00", which is the midnight time zone, it indicates that access is not permitted regardless of the IP address of the connection source. In this way, by confirming "who", "when", and "where" the usage approval request is made, the user who illegally accesses the authentication system 1000 can be authenticated by each authentication unit. In addition, it can be eliminated in advance.

FIG. 3 is a diagram showing an example of the account authentication DB 2012. As shown in FIG. 3, the account authentication DB 2011 includes an account of a user who is permitted to access, an authentication method of the user, and an authentication connection source address indicating a location condition for permitting authentication of the account. The authentication connection time, which indicates the time condition for permitting the authentication of the account that made the authentication request, is stored in association with it.

FIG. 3 shows that, for example, the user of the account "C" needs to be authenticated by two types of authentication methods, "password authentication" and "mobile terminal authentication (smartphone authentication)".

Further, for example, the user of the account "F2" indicates that authentication by two types of authentication methods, "terminal authentication" and "mobile terminal authentication", is required. Further, it is shown that the mobile terminal authentication is performed for this user when the user is accessed from an address other than "192.168.0.0/24" defined as the authentication connection source address.

Further, for example, the user of the account "F3" indicates that authentication by two types of authentication methods, "terminal authentication" and "mobile terminal authentication", is required. Further, it is shown that the mobile terminal authentication is performed for this user when the user is accessed at a time other than "09: 00-17: 00" (during working hours) defined as the authentication connection time.

Further, for example, the user of the account "G2" indicates that authentication by two types of authentication methods, "terminal authentication" and "device authentication", is required. Further, it is shown that the device authentication is not performed (through) for this user when the user is accessed from the address of "192.168.0.11/32" defined as the authentication connection source address. ..

Further, for example, the user of the account "G3" indicates that authentication by two types of authentication methods, "terminal authentication" and "device authentication", is required. Further, for this user, if the user is accessed from "09: 00 to 17:00" (during working hours) defined as the authentication connection time, it is shown that the device authentication is not performed (through). ..

As described above, in this authentication system, a set of authentication methods suitable for the user can be selected from various authentication methods according to the user's account in response to the usage approval request, and the user can be authenticated. Further, by setting the place condition and the time condition for each account, it is possible to individually authenticate the user of the account and authenticate using the time and place conditions for each user. Moreover, in the authentication using the set of authentication methods, the most convenient authentication method ("password authentication") from the authentication method that guarantees the strongest security ("password authentication", "terminal authentication", and "mobile terminal authentication"). Optimal security can be provided for a wide range of environments, including "authentication" only).

In this authentication system, the access permission DB 2011 shown in FIG. 2 is used to approve the use, and the account authentication DB 2012 shown in FIG. 3 is used to select and authenticate a set of authentication methods. , It is possible to authenticate by the authentication method according to the time condition and the place condition. That is, in this embodiment, the access permission DB 2011 is used to approve whether the time condition and the location condition (referred to as the first condition) are satisfied, and then the account authentication DB 2012 is used for the authentication method (second condition). Since the authentication is performed based on the above, the former can be called the first authentication and the latter can be called the second authentication. Further, even in the latter second authentication, since the F2, F3, G2, and G3 accounts perform authentication under locational conditions or temporal conditions, these can be said to be stricter authentications.

FIG. 4 is a diagram showing an example of an authentication method adopted for each type of user. FIG. 4 shows the relationship between the locational condition (internal and external) and the temporal condition for the user types “employee” and “non-employee”. As shown in FIG. 4, when the user's account is an "employee", in the case of access from within the company, the account and password authentication (convenient and light authentication) regardless of whether it is during working hours or after working hours. Method). On the other hand, in the case of access from outside the company, mobile terminal authentication (smartphone authentication) is performed in addition to the above authentication method at any time.
This authentication can be said to be a strong authentication method because it uses three authentication methods. In addition, when the user's account is "non-employee", in the case of access from inside the company, the account and password are authenticated during working hours, while in the case of access from outside the company, during working hours. If there is, further terminal authentication and mobile terminal authentication (smartphone authentication) are performed. And, when it is out of working hours, access is prohibited regardless of whether it is inside or outside the company.

In this way, by performing authentication using the access permission DB 2011 and the account authentication DB 2012, the authentication method can be changed according to the user type, location condition, and time condition so that the authentication method is simple for a genuine user. Can be changed. That is, it is possible to set 401 that dynamically changes the authentication method according to the type of user, setting 402 that dynamically changes the authentication method depending on the location, and setting 403 that dynamically changes the authentication method depending on the time. In the past, when authenticating an account, it was necessary to combine each system such as an authentication infrastructure, DSN, and an authentication authority, but in the authentication system of this embodiment, highly secure authentication is performed for each user on the authentication server 200. It can be realized. In the case of authentication by a combination of systems as in the past, in general, the introduction cost is high, the operation management becomes complicated, and there are errors in the settings for authentication such as account definition and linkage. Although there is a risk, according to the authentication system of this embodiment, easy and safe operation management is possible at a low introduction cost.

FIG. 5 is a diagram showing an example of the initial registration DB 2013. As shown in FIG. 5, the initial registration DB 2013 stores the account of the user who uses this authentication system and the password information, terminal authentication information, mobile terminal authentication information, and device authentication information of the user in association with each other. .. In FIG. 5, for example, the user of the account “A” is registered with the password “123” as the password information, the tally “α (α1, α2)” is registered as the terminal authentication information, and the biocode “biological code” is registered as the mobile terminal authentication information. It indicates that "a" is registered and the USB serial number "X0001" is registered as the device authentication information. Note that FIG. 5 illustrates the case where all authentication methods are registered, but at least the authentication methods corresponding to the user's account may be registered.

[Authentication control]
FIG. 6 is a sequence diagram showing a processing procedure of processing performed by the authentication system 1000. As shown in FIG. 6, first, the application unit 101 of the user PC 100 displays an account ID input screen for the user to input an account on the input display unit 102 (S601).

FIG. 7 is a diagram showing an example of an account ID input screen. As shown in FIG. 7, the account ID input screen includes an input field for inputting the account of the user requesting usage approval from the user PC 100, and an OK button for transmitting the input account ID to the authentication server 200. Is displayed.

When the OK button is pressed, the application unit 101 of the user PC 100 transmits the input account ID to the authentication server 200. The authentication control unit 204 of the authentication server 200 registers the account ID received from the user PC 100 in the session (S602). Specifically, the authentication control unit 204 generates session data, which is an example of a session management table to which a session ID corresponding to the account ID is assigned, and holds it in the storage unit 201.

FIG. 8 is a diagram showing an example of session data. A session is a series of processes via a network from the time when a user makes a usage approval request until the result for the request is obtained, and the session data is the result of the processes performed in one series of sessions. It is the data to be included. The items held by the session data change according to the result of the processing shown below. Here, as shown in FIG. 8A, session data in which the session ID and the account ID are associated with each other is held. FIG. 8A shows that the session ID “S0001” has been assigned to the account ID “E”. The authentication control unit 204 refers to the access permission DB 2011 using the account ID associated with the session ID as a key, reads out the connection source condition and the time condition for the user of the account ID to access, and satisfies these conditions. It is determined whether or not it is an access (S603, S604).

When the authentication control unit 204 determines in S603 that the access does not satisfy these conditions (S603; No, or / and S604; No), it transmits to that effect to the user PC 100, and the application unit of the user PC 100. 101 displays the authentication error screen on the input display unit 102 (S605).

FIG. 9 is a diagram showing an example of an authentication error screen. As shown in FIG. 9, the authentication error screen indicates that the authentication has failed. By displaying the authentication error screen, the user can recognize that he / she does not satisfy the access permission condition to the authentication system.

When the authentication control unit 204 determines that the account of the user whose usage approval is requested satisfies both the connection source condition and the time condition (first condition) (S603; Yes, S604; Yes), further. Using the account ID as a key, the account authentication DB 2012 is referred to, and the authentication method (second condition) is read out corresponding to the account ID (S606).

For example, when the account ID is "E", the authentication control unit 204 reads "password authentication" and "device authentication" as the authentication method. At this time, the authentication control unit 204 adds an item indicating the authentication result of each authentication method to the session data generated in S602, and information "-" indicating that the item is not used for authentication in the item not adopted as the authentication method. "Written. FIG. 8B is a diagram showing an example of session data to which an item indicating the authentication result of each authentication method is added. In FIG. 8 (b), among the items indicating the authentication results of each authentication method added to the session data shown in FIG. 8 (a), "-" is added to the "terminal authentication" and "mobile terminal authentication" that are not adopted. You can see that it has been written.

Further, the authentication control unit 204 refers to the account authentication DB 2012 using the account ID as a key, and determines whether or not the user of the account ID is a user who satisfies the connection source address and / and the connection time (S607). , S608). Here, the user who satisfies the connection source address and / and the connection time is a user who can not execute (through) the authentication by each authentication method by satisfying these conditions.

When the authentication control unit 204 determines that the user of the account ID is a user who satisfies the authentication source connection address and / and the authentication connection time (S607; Yes, S608; Yes), the process proceeds to S615. On the other hand, when the authentication control unit 204 determines that the user of the account ID does not satisfy at least one of the connection source address and the connection time (S607; No, or S608; No), the process proceeds to S609.

When the authentication control unit 204 determines that the user of the account ID does not satisfy at least either the connection source address or the connection time (S607; No or S608; No), the authentication control unit 204 associates that fact with the account ID. An instruction for authenticating the user by the authentication method defined in the above is transmitted to the user PC 100, and the application unit 101 of the user PC 100 redirects to each authentication unit according to the instruction (S609). For example, when the authentication methods corresponding to the account ID are "password authentication" and "device authentication", the application unit 101 first calls the password authentication unit 2041 that executes "password authentication", and the authentication unit 2041 authenticates. Execute the process. The same applies to the case where the authentication by the terminal authentication unit 2042, the authentication by the mobile terminal authentication unit 2043, and the authentication by the device authentication unit 2044 are performed.

When each authentication unit receives an execution instruction from the authentication control unit 204 of the authentication server 200, each authentication unit executes authentication by each authentication method (S610). The authentication process by each authentication unit is realized by, for example, a CGI (Common Gateway Interface) program. Each authentication method will be described later using a flowchart.

In S610, when authentication is executed by each authentication unit and the authentication result is written in the session data, each authentication unit transmits to the user PC 100 that the authentication result has been obtained, and the application unit 101 of the user PC 100 , Redirect to the authentication control unit 204 (S611).

Then, the authentication control unit 204 starts a session check (S612), and determines whether or not the authentication result by each authentication unit is authentication OK (permission) (S613). For example, when the authentication method is "password authentication", the authentication control unit 204 can authenticate the item indicating the authentication processing result by the password authentication unit 2041 in the session data as shown in FIG. 8 (c). Confirm that the mark) is written.

When the authentication control unit 204 determines that the authentication result by each authentication unit is not OK (not permitted) (S613; No), the authentication control unit 204 transmits to that effect to the user PC 100, and the application unit 101 of the user PC 100 shows the figure. The authentication error screen shown in 9 is displayed on the input display unit 112 (S614).

On the other hand, when the authentication control unit 204 determines that the authentication result by each authentication unit is authentication OK (S613; Yes), it further determines whether or not there is an unimplemented authentication method added to the session data (S613; Yes). S615). When the authentication control unit 204 determines that there is an authentication method that has not been implemented (S615; Yes), the authentication control unit 204 returns to S607 and repeats the subsequent processing for the other authentication methods.

When the authentication control unit 204 determines that there is no authentication method that has not been implemented (S615; No), that is, as shown in FIG. 8D, an item indicating all the authentication processing results of each authentication unit of the session data. When it is confirmed that the authentication OK is written in, the SSO (single sign-on) process is executed (S616). In this example, although SSO is exemplified, HTTP (Hypertext Transfer Protocol) reverse proxy processing may be executed.

The authentication control unit 204 sends an instruction to redirect to the single sign-on destination to the user PC 100 (S617), and the application unit 101 of the user PC 100 sends an authorization request to the site of the content server 300 according to the instruction. Then, the content server 300 executes the login process to the above-mentioned site according to the authorization request (S618). The content server 300 transmits the site screen after the login process to the user PC 100, and the application unit 101 of the user PC 100 displays the site screen on the display unit 102 (S619). When the processing of S619 is completed, all the processing shown in FIG. 6 is completed, and only the user of the account who is approved for use and authenticated by all the authentication methods determined according to the user becomes the content of the content server 300. You will be able to access it. Next, authentication by each authentication method will be described.

[Authentication by each authentication method]
(Password authentication)
The password authentication unit 2041 authenticates the user using a predetermined password. When the password authentication unit 2041 receives an instruction from the authentication control unit 204 in S610 of FIG. 6, the password authentication unit 2041 refers to the initial registration DB 2013 using the account ID as a key, and the password input unit is requested to be input by the password authentication unit 2041. It is determined whether or not the password is registered in the initial registration DB 2013. When the password authentication unit 2041 requests the input of the password, the password input screen as shown in FIG. 13A is output, and the application unit 101 of the user PC 100 displays the password input screen on the input display unit 102.

When the password authentication unit 2041 determines that the entered password is the password registered in the initial registration DB 2013, the authentication result is written in the corresponding item of the session data as authentication OK (FIG. 8 (c), FIG. 8 (d)). If the password authentication unit 2041 determines that the entered password is not the password registered in the initial registration DB 2013, it determines that the authentication is NG (not permitted) and writes the authentication result to that effect in the corresponding item of the session data. ..

In this way, in "password authentication", authentication is performed only by entering a predetermined password, so that it is possible to authenticate a user who is permitted to access this authentication system by the simplest method. It is possible to reduce the operational burden for authentication for the user.

(Terminal authentication)
FIG. 10 is a sequence diagram showing a processing procedure of the terminal authentication process. In the following, the terminal authentication information used for terminal authentication (in this example, the tally on the server side and the tally on the client side) is registered in advance in the initial registration DB 2013, and the tally on the client side is also registered in the user PC 100. And.

As shown in FIG. 10, when the terminal authentication unit 2042 receives an instruction from the authentication control unit 204 in S610 of FIG. 6, the terminal authentication unit 2042 refers to the initial registration DB 2013 using the account ID as a key, and the terminal authentication information corresponding to the account ID. As a result, the tally on the server side (for example, α1 in FIG. 5) is read and the tally on the PC side is requested (S1001).

The application unit 101 of the user PC 100 reads the client-side tally (for example, α2 in FIG. 5) registered in the memory in advance, and transmits the tally to the authentication server 200 (S1002).

The terminal authentication unit 2042 of the authentication server 200 matches the tally on the client side received from the user PC 100 with the tally on the server side, and determines whether or not both match (S1003). If it is determined that the two match, the terminal authentication unit 2042 writes the authentication result in the corresponding item of the session data as authentication OK (FIGS. 8 (c) and 8 (d)). On the other hand, if it is determined that the two do not match, the terminal authentication unit 2042 writes the authentication result to that effect in the corresponding item of the session data as authentication NG (S1004).

Although the terminal authentication using the tally is illustrated in FIG. 10, the terminal authentication using the MAC address of the user PC 100 or the client certificate may be performed. Moreover, it is not always necessary to use a tally.

In this way, in terminal authentication, in order to authenticate a terminal whose usage environment is generally defined, one account is assigned to a plurality of users, and even if the environment is such that a PC is shared, that account is authenticated. Can be done.

(Mobile terminal authentication)
FIG. 11 is a sequence diagram showing a processing procedure of the mobile terminal authentication process. As shown in FIG. 11, when the mobile terminal authentication unit 2043 receives an instruction from the authentication control unit 204 in S610 of FIG. 6, it refers to the initial registration DB 2013 using the account ID as a key, and the mobile terminal corresponding to the account ID. The authentication information (for example, a passcode) is read out (S1101), and a push notification for requesting authentication is given to the mobile terminal 110 (S1102). When the authentication control unit 204 performs the push notification, the authentication control unit 204 transmits an authentication screen for performing authentication by the mobile terminal authentication information to the mobile terminal 110, and the mobile terminal authentication unit 111 of the mobile terminal 100 inputs and displays the input. The authentication screen is displayed on the unit 112 (S1103). On the other hand, the authentication control unit 204 transmits a mobile terminal authentication notification screen indicating that the user PC 100 is being authenticated by the mobile terminal, and the application unit 101 of the user PC 100 carries the user PC 100 to the input display unit 102. The terminal authentication notification screen is displayed (S1104).

FIG. 13B is a diagram showing an example of a screen displayed on a mobile terminal. The right side of FIG. 13B is an example of the authentication screen in S1103, and the left side of FIG. 13B is an example of the mobile terminal authentication notification screen in S1104.

As shown on the right side of FIG. 13B, the authentication screen displays an authentication button for executing authentication using mobile terminal authentication information and a close button for ending the process without executing authentication. When the user presses the authentication button, the mobile terminal authentication unit 111 displays a screen for authenticating with the mobile terminal authentication information (for example, a passcode input screen), and transmits the input information to the authentication server 200. In this way, by displaying the authentication screen on the mobile terminal 110 by the push notification, it is possible to immediately authenticate the user.

Further, as shown on the left side of FIG. 13B, the mobile terminal authentication notification screen displays that a push notification has been sent to the mobile terminal 100 in order to authenticate with the mobile terminal 110, and that confirmation is urged. There is. By displaying the mobile terminal authentication notification screen on the user PC 100 in this way, the user can grasp the operation necessary for executing the authentication by the mobile terminal 110.

After that, when the mobile terminal authentication unit 111 transmits the mobile terminal authentication information input from the input display unit 112 to the authentication server 200, the mobile terminal authentication unit 2043 of the authentication server 200 is registered in the initial registration DB 2013. The terminal authentication information and the input mobile terminal authentication information are compared with each other, and it is determined whether or not they match (S1105, S1106). If it is determined that the two match, the mobile terminal authentication unit 2043 writes the authentication result in the corresponding item of the session data as authentication OK (S1106; Yes, S1108, FIG. 8C, FIG. 8D). On the other hand, when the terminal authentication unit 2042 determines that the two do not match (S1106; No, authentication NG, the authentication result to that effect is written in the corresponding item of the session data, and the same as the authentication error screen shown in FIG. Is transmitted to the mobile terminal 110, and the mobile terminal authentication unit 111 of the mobile terminal 110 displays the authentication error screen on the input display unit 112 (S1107).

The mobile terminal authentication unit 2043 reads the authentication result written in the session data and determines whether or not the authentication result is authentication OK (S1109, S1110). When the mobile terminal authentication unit 2043 determines that the authentication result is OK (S1110; Yes), it further determines whether or not the valid time has not elapsed (S1111). The valid time is, for example, the time from the push notification in S1102 to the determination that the authentication is OK in S1110, and the time during which the authentication operation from the mobile terminal 110 times out (for example, 4 minutes). If the mobile terminal authentication unit 2043 determines that the authentication result is not OK, that is, the authentication is NG (S1110; No), the process proceeds to S1112 and the authentication result is confirmed.

When the mobile terminal authentication unit 2043 determines that the valid time has not elapsed (S1111; Yes), the mobile terminal authentication unit 2043 determines the authentication result written in S1107 and S1108 (S1112). On the other hand, when the mobile terminal authentication unit 2043 determines that the valid time has not elapsed, that is, the valid time has passed (S1111; No), the mobile terminal authentication unit 2043 returns to S1104 and continues the subsequent processing. In this case, even if the authentication OK is written in the session data as the authentication result in S1108, the mobile terminal authentication unit 2043 determines that the valid time has elapsed, and in S1112, rewrites the authentication to NG and confirms the authentication result. Let me.

In this example, the push notification is transmitted in step S1102, but the push notification is not limited to the push notification, and the mobile terminal 110 may perform the pull notification.

In this way, in mobile terminal authentication, the user is authenticated using the personal information registered by the user of the mobile terminal, so that the user can be easily authenticated with less risk without registering the personal information in the authentication server 200. be able to. In addition, since the authentication is performed by the mobile terminal that the user is accustomed to, the operation for authentication can be performed without any discomfort.

(Device authentication)
FIG. 12 is a sequence diagram showing a processing procedure of the device authentication process. As shown in FIG. 12, when the device authentication unit 2044 receives an instruction from the authentication control unit 204 in S610 of FIG. 6, it refers to the initial registration DB 2013 using the account ID as a key, and the device authentication information corresponding to the account ID. (For example, the serial number of USB) is read, the read device authentication information is transmitted to the device PC 120 (S1201), a device authentication notification screen prompting the device to authenticate is transmitted to the device PC 120, and the device PC 120. Device authentication unit 121 displays a device authentication notification screen on the input display unit 122 via a browser (S1202).

When the device authentication unit 121 detects that the device has been inserted into the device I / F unit 124 in S1202, the device authentication execution screen for executing device authentication is displayed on the input display unit 122 (S1203).

FIG. 13C is a diagram showing an example of a screen displayed on the device PC. The left side of FIG. 13C is an example of the device authentication notification screen in S1202, and the left side of FIG. 13C is an example of the device authentication execution screen in S1203.

As shown on the left side of FIG. 13C, the device authentication notification screen indicates that a predetermined device 130 is inserted into the device PC 120 to urge authentication in order to authenticate the device. By displaying the device authentication notification screen on the device PC 120 in this way, the user can grasp the operation necessary for device authentication by the device PC 120.

Further, as shown on the right side of FIG. 13C, on the device authentication execution screen, a drive selection field for selecting a drive into which the device 130 is inserted, an authentication button for executing authentication based on the device authentication information, and authentication are performed. A cancel button is displayed to end the process without executing it. By displaying the device authentication execution screen on the device PC 120 in this way, the user can perform device authentication after selecting the drive for device authentication by the device PC 120.

In S1203, when the authentication button is pressed by the user, the device authentication unit 121 collates the device authentication information transmitted from the authentication server 200 in S1201 with the authentication information of the device inserted in S1203, and both match. It is determined whether or not to do so, and the authentication result is transmitted to the authentication server 200. In this example, the device authentication unit 121 of the device PC 120 executes device authentication, but the device authentication unit 2044 of the authentication server 200 may execute device authentication.

When the device authentication unit 2044 of the authentication server 200 receives the authentication result from the device PC 120, the device authentication unit 2044 writes the authentication result in the corresponding item of the session data (S1204, FIG. 8C, FIG. 8D).

The device authentication unit 2044 reads the authentication result written in the session data (S1205), and determines whether or not the authentication result is authentication OK (S1206). When the device authentication unit 2044 determines that the authentication result is OK (S1206; Yes), the device authentication unit 2044 further determines whether or not the valid time has not elapsed (S1207). Since the valid time is the same as in the case of the mobile terminal authentication shown in FIG. 11, the description thereof will be omitted here. If the device authentication unit 2044 determines that the authentication result is not OK, that is, the authentication is NG (S1206; No), the device authentication unit 2044 proceeds to S1208 and confirms the authentication result.

When the device authentication unit 2044 determines that the valid time has not elapsed (S1207; Yes), the device authentication unit 2044 determines the authentication result written in S1204 (S1208). On the other hand, when it is determined that the valid time has not elapsed, that is, the valid time has passed (S1207; No), the mobile terminal authentication unit 2043 returns to S1202 and continues the subsequent processing. In this case, even if the authentication OK is written in the session data as the authentication result in S1204, the device authentication unit 2044 determines that the valid time has elapsed, and in S1208, rewrites the authentication to NG and confirms the authentication result. ..

As described above, in the device authentication, the user can be authenticated by a simple method without incurring a cost by authenticating the user by using an inexpensive device such as USB.
Further, since the device connects to the network as needed via the device PC, it is possible to manage the information necessary for authentication independently of the network.

[Alternative, modified example]
Although the preferred embodiment has been described above, the present invention is not limited to this, and can be appropriately modified or substituted without departing from the gist thereof.

For example, in the above embodiment, the user PC 100 and the device PC 120 are shown separately in FIG. However, in the modified example, if the user PC 100 is provided with a connector for attaching the authentication device 130, the user PC 100 can be used as the device PC. In that case, a plurality of users possessing the authentication device 130 can share the user PC 100.

Further, in the above embodiment, in the control with reference to FIG. 6, both step S603 (determination of temporal condition) and step S604 (determination of spatial condition) are performed. In the alternative example, there may be an example in which the processing of either of these steps S603 or S604 is performed.

Further, in the above embodiment, in step S604 with reference to FIG. 6, the location condition is determined using the IP address which is the connection source address, but the alternative example is not limited to this. For example, the authentication control unit 204 can acquire the location information (GPS information) in which the connection source user PC 100 and device PC 120 are installed to determine the location condition.

Further, in the above embodiment, the authentication control unit 204 of the authentication server 200 generates a session in response to the request from the terminal, and the authentication method and the authentication result are registered in the session. According to another example, in a server including an access control unit 203 that controls an access request from the outside, the access control unit 203 may generate a session. In that case, the authentication control unit 204 of the authentication server 200 can register various information related to the authentication for the generated session. As yet another example, the access control unit 203 may perform a part of the control operation of FIG. 6, for example, the operation of steps S602 to S604. In this case, the authentication control unit may be regarded as having a broad meaning including the operations or functions of the above S602 to S604 performed by the access control unit.

Further, in the above embodiment, the authentication server 200 has a password authentication unit 2041, a terminal authentication unit 2042, a mobile terminal authentication unit 2043, and a device authentication unit 2044. According to the alternative example, one or a plurality of parts of the authentication units 2041 to 2044 may be realized by a server different from the authentication server 200. For example, the terminal authentication unit 2042 and / or other parts can be realized on a cloud computer. Even in that case, the authentication unit realized by another server is controlled under the control of the authentication control unit 204.

Further, in the above embodiment, the access permission DB 2011, the account authentication DB 2012, and the initial registration DB 2013 are referred to, but these may be referred to as an access permission management table, an account authentication management table, and an initial registration management table, respectively.

Further, in the above embodiment, the authentication control unit 204 is realized as a functional unit of the authentication server 200, but this functional unit can also be realized as a proxy server.

Further, in this embodiment, PCs, smartphones, and devices are exemplified as devices used for authentication, but various contents including media playback devices such as video players and music players are used via a network. The same can be applied to the devices and devices for performing the above.

As described above, in the authentication system of the present embodiment, each of a plurality of different authentication methods is used as an authentication element, and a plurality of sets (authentication groups) including a combination of one or a plurality of authentication elements are defined. Then, depending on the user (in one example, the user's account), one authentication group is selected and executed by the authentication unit corresponding to one or a plurality of authentication elements included in the authentication group to request the user or the connection request. Authenticate the existing terminal. As a result, security measures can be taken according to various environments in which the terminal is used and various requests of the user who have a connection request via the network. In addition, since the authentication server performs authentication control and authentication by each authentication method, the cost for authentication can be suppressed as much as possible and the operation of authentication can be simplified. Further, for a genuine user, as shown in FIG. 4, the authentication procedure can be simplified as much as possible to improve the convenience of the user.

The authentication system according to this embodiment can be called a multi-factor authentication system because it authenticates a user and a terminal using a plurality of authentication sets (which may be called an authentication pattern) composed of a combination of different authentication elements.

1000 Authentication system 100 User PC
101 Application unit 102 Input display unit 103 Communication I / F unit 104 Control unit 110 Mobile terminal 111 Authentication unit for mobile terminal 112 Input display unit 113 Communication I / F unit 114 Control unit 120 PC for device
121 Application unit 122 Device authentication unit 123 Input display unit 124 Communication I / F unit 125 Device I / F unit 126 Control unit 130 Authentication device 200 Authentication server 201 Storage unit 2011 Access permission DB
2012 account verification DB
2013 initial registration DB
202 Communication unit 203 Access control unit 204 Authentication control unit 2041 Password authentication unit 2042 Terminal authentication unit 2043 Mobile terminal authentication unit 2044 Device authentication unit 205 Control unit 300 Content server N1 network.

Claims (16)

It is an authentication system that authenticates with an authentication server in response to an access request from a terminal through a network.
The authentication server is
An authentication management table that registers authentication pairs that include multiple different authentication methods, depending on the user's account.
A first authentication unit that determines whether the time when the access request is received satisfies a predetermined time condition, and
Based on the account possessed by the access request, the authentication set corresponding to the account registered in the authentication management table is selected, and authentication based on one or more authentication methods included in the authentication set is performed. Has a second certification unit,
As a result of the authentication by the first authentication unit, when the time condition is satisfied, the second authentication unit selects and selects the authentication set corresponding to the account registered in the authentication management table. An authentication system characterized in that authentication is performed based on one or a plurality of authentication methods included in the authentication set. It is an authentication system that authenticates with an authentication server in response to an access request from a terminal through a network.
The authentication server is
An authentication management table that registers authentication pairs that include multiple different authentication methods, depending on the user's account.
A first authentication unit that determines whether the time when the access request is received satisfies a predetermined location condition, and
Based on the account possessed by the access request, the authentication set corresponding to the account registered in the authentication management table is selected, and authentication based on one or more authentication methods included in the authentication set is performed. Has a second certification unit,
If the location condition is satisfied as a result of the authentication by the first authentication unit, the second authentication unit selects and selects the authentication set corresponding to the account registered in the authentication management table. An authentication system characterized in that authentication is performed based on one or a plurality of authentication methods included in the authentication set. The first authentication unit further determines whether the access request satisfies a predetermined location condition, and if the access request does not satisfy the time condition or the location condition, it is determined as an authentication error. Authentication system described in 1. The authentication management table corresponds to a user's account and has a first authentication method having a time condition and a second authentication method different from the first authentication method and having no time condition. Register the set of authentication including the method,
When the access request satisfies the time condition of the first authentication method, the second authentication unit authenticates the first authentication method included in the selected authentication set. Instead, the authentication of the second authentication method is performed, and the authentication is performed.
When the access request does not meet the time condition of the first authentication method, the second authentication unit includes the first authentication method and the second authentication method included in the selected authentication set. The authentication system according to claim 1, which authenticates the authentication method of. The authentication management table corresponds to a user's account and has a first authentication method having a location condition and a second authentication method different from the first authentication method and having no location condition. Register the set of authentication including the method,
When the access request satisfies the location condition of the first authentication method, the second authentication unit authenticates the first authentication method included in the selected authentication set. Instead, the authentication of the second authentication method is performed, and the authentication is performed.
If the access request does not meet the locational conditions of the first authentication method, the second authentication unit includes the first authentication method and the second authentication method included in the selected authentication set. The authentication system according to claim 2, which authenticates the authentication method of. The authentication system according to claim 3, wherein the second authentication unit does not perform authentication when the time condition or the location condition is not satisfied as a result of the authentication by the first authentication unit. It has an authentication control unit that controls the first authentication unit and the second authentication unit.
As a result of the authentication by the first authentication unit, when the time condition is satisfied, but the access request is within a specific range of the location condition, the authentication control unit uses the authentication management table to display the above. Select the authentication set according to your account and select
The second authentication unit authenticates based on one or more authentication methods included in the selected set of authentications.
The authentication system according to claim 3. It has an authentication control unit that controls the first authentication unit and the second authentication unit.
The set of authentications registered in the authentication management table is
Password authentication that authenticates the authenticity of the user of the terminal,
Terminal authentication that authenticates the authenticity of the terminal and
Mobile terminal authentication that authenticates the authenticity of the user by receiving permission for input from a second terminal other than the terminal,
Device authentication that authenticates using the unique information of the device that the user has,
Consists of a combination of multiple authentication methods,
The authentication system according to claim 3. The location condition is the IP address of the connection source of the access request.
If the time condition and the IP address are satisfied as a result of the authentication by the first authentication unit, the authentication control unit selects a set of authentication including the password authentication from the authentication management table according to the account. Let me choose
The second authentication unit performs the password authentication included in the selected authentication set.
The authentication system according to claim 8. As a result of the authentication by the first authentication unit, when the IP address is satisfied and the IP address of the access request is in a specific range, the authentication control unit can be used from the authentication management table according to the account. A pair of authentication including the password authentication, the terminal authentication, the mobile terminal authentication, and the device authentication is selected.
The second authentication unit performs the authentication included in the selected set of authentications.
The authentication system according to claim 8. It is an authentication method that authenticates with an authentication server in response to an access request from a terminal through a network.
The authentication server is
A step to register a set of authentications including multiple different authentication methods in the authentication management table according to the user's account, and
A first authentication step for determining whether the time when the access request is received satisfies a predetermined time condition, and
Based on the account possessed by the access request, the authentication set corresponding to the account registered in the authentication management table is selected, and authentication based on one or more authentication methods included in the authentication set is performed. Has a second certification step,
If the time condition is satisfied as a result of the authentication by the first authentication step, the second authentication step is selected by selecting the authentication set corresponding to the account registered in the authentication management table. An authentication method comprising one or a plurality of authentication methods included in the authentication set. It is an authentication method that authenticates with an authentication server in response to an access request from a terminal through a network.
The authentication server is
A step to register a set of authentications including multiple different authentication methods in the authentication management table according to the user's account, and
A first authentication step for determining whether the time when the access request is received satisfies a predetermined location condition, and
Based on the account possessed by the access request, the authentication set corresponding to the account registered in the authentication management table is selected, and authentication based on one or more authentication methods included in the authentication set is performed. Has a second certification step,
If the location condition is satisfied as a result of the authentication by the first authentication step, the second authentication step is selected by selecting the authentication set corresponding to the account registered in the authentication management table. An authentication method comprising one or a plurality of authentication methods included in the authentication set. The first authentication step further determines whether the access request satisfies a predetermined location condition, and if the access request does not satisfy the time condition or the location condition, it is determined as an authentication error. The authentication method according to 11. An authentication program executed by an authentication server in response to an access request from a terminal through a network.
The authentication server is
A step to register a set of authentications including multiple different authentication methods in the authentication management table according to the user's account, and
A first authentication step for determining whether the time when the access request is received satisfies a predetermined time condition, and
Based on the account possessed by the access request, the authentication set corresponding to the account registered in the authentication management table is selected, and authentication based on one or more authentication methods included in the authentication set is performed. Has a second certification step,
If the time condition is satisfied as a result of the authentication by the first authentication step, the second authentication step is selected by selecting the authentication set corresponding to the account registered in the authentication management table. An authentication program characterized by performing authentication based on one or more authentication methods included in the authentication set. An authentication program executed by an authentication server in response to an access request from a terminal through a network.
The authentication server is
A step to register a set of authentications including multiple different authentication methods in the authentication management table according to the user's account, and
A first authentication step for determining whether the time when the access request is received satisfies a predetermined location condition, and
Based on the account possessed by the access request, the authentication set corresponding to the account registered in the authentication management table is selected, and authentication based on one or more authentication methods included in the authentication set is performed. Has a second certification step,
If the location condition is satisfied as a result of the authentication by the first authentication step, the second authentication step is selected by selecting the authentication set corresponding to the account registered in the authentication management table. An authentication program characterized by performing authentication based on one or more authentication methods included in the authentication set. The first authentication step further determines whether the access request satisfies a predetermined location condition, and if the access request does not satisfy the time condition or the location condition, it is determined as an authentication error. Item 14. The program according to item 14.

Images