JP2023130280A - Information processing device, information processing method, and program - Google Patents

Abstract

To provide an information processing device, an information processing method, and a program that are capable of preventing an unauthorized login by a third party.SOLUTION: An information processing device is communicable with: a first terminal device that has been authenticated as a terminal device used by a user; and a second terminal device that has not been authenticated yet. The information processing device includes: a code information generation unit that, when a login request is issued from the second terminal device, generates code information that is obtained by coding authentication information; a transmission unit that selectively transmits the code information generated by the code information generation unit to either one of the first terminal device and the second terminal device; a reception unit that receives the authentication information obtained by imaging and decoding the code information, from the other of the first terminal device and the second terminal device; and an authentication unit that authenticates the second terminal device based on the authentication information.SELECTED DRAWING: Figure 3

Description

The present invention relates to an information processing device, an information processing method, and a program.

Authentication services using SMS (Short Message Service) have been known. For example, in Patent Document 1, an SMS authentication value is sent to a pre-registered mobile device, an authentication window is displayed for the user to input the SMS authentication value, and the SMS authentication value input by the user is displayed. An authentication system has been proposed that performs personal authentication based on

Special table 2019-517087 publication

However, with the technology described in Patent Document 1, if the SMS authentication value is stolen on a phishing site or the like, an unauthorized login may be performed by a phisher.

The present invention has been made in consideration of such circumstances, and one of its objects is to provide an information processing device, an information processing method, and a program that can prevent unauthorized login by others.

One aspect of the present invention is an information processing device capable of communicating with a first terminal device that has already been authenticated as a terminal device used by a user and a second terminal device that has not yet been authenticated, When a login request is received from a second terminal device, a code information generation unit generates code information in which authentication information is encoded, and the code information generated by the code information generation unit is transmitted to the first terminal device. and a transmitting unit that selectively transmits the authentication information obtained by photographing and decoding the code information to either the first terminal device or the second terminal device. The information processing apparatus includes a receiving section that receives data from one of the terminal devices, and an authentication section that authenticates the second terminal device based on the authentication information received by the receiving section.

According to one aspect of the present invention, it is possible to provide an information processing device, an information processing method, and a program that can prevent unauthorized login by others.

1 is a diagram illustrating an example of a configuration for realizing an electronic payment service. It is a diagram illustrating the general flow of electronic payment. 1 is a configuration diagram of a payment server 100. FIG. 3 is a diagram showing an example of the contents of user information 172. FIG. It is a flowchart which shows an example of login authentication processing. FIG. 3 is a sequence diagram illustrating an example of first authentication processing. It is a diagram showing an example of a display screen of the first user terminal device 10A on which a QR code is displayed. It is a sequence diagram which shows an example of the 2nd authentication process based on 1st Embodiment. It is a figure which shows an example of the display screen of the 2nd user terminal device 10B on which the QR code was displayed. It is a sequence diagram which shows an example of the 2nd authentication process based on 2nd Embodiment.

DESCRIPTION OF THE PREFERRED EMBODIMENTS An information processing apparatus, an information processing method, and a program according to the present invention will be described below with reference to the drawings. An information processing device is realized by one or more processors. In the following explanation, the information processing device provides an electronic payment service and is referred to as a "payment server," but the information processing device provides electronic payment services such as shopping, auctions, chats, micro blogs, and other services that involve login. It may provide any service. An electronic payment service is a service that supports payments for purchases of products and services at stores. A store is, for example, a physical store (actual store) that exists in real space.

<First embodiment>
[Electronic payment service]
FIG. 1 is a diagram illustrating an example of a configuration for realizing an electronic payment service. The electronic payment service is realized mainly by the payment server 100. Payment server 100 communicates with each of one or more user terminal devices 10 and one or more store terminal devices 50 via network NW, for example. The network NW includes, for example, the Internet, a LAN (Local Area Network), a wireless base station, a provider device, and the like.

The user terminal device 10 is, for example, a portable terminal device such as a smartphone or a tablet terminal. The user terminal device 10 is a computer device having at least an optical reading function, a communication function, a display function, an input reception function, and a program execution function. In the following description, the configurations for realizing these functions are respectively referred to as a camera, a communication device, a touch panel, a CPU (Central Processing Unit), and the like. In the user terminal device 10, the payment application 20 is executed by a processor such as a CPU, so that the payment application 20 operates in cooperation with the payment server 100 to provide electronic payment services to the user. The payment application 20 controls the camera, communication device, touch panel, etc.

The store terminal device 50 is installed in a store, for example. The store terminal device 50 is a computer device having at least a product price acquisition function, an optical reading function, a program execution function, and a communication function. The store terminal device 50 includes a so-called POS (Point of Sale) device, and the POS device may realize a product price acquisition function and an optical reading function. The store code image 60 is placed in a store, and a code image such as a QR code (registered trademark) is printed on a paper or plastic medium. Note that the store code image 60 may be displayed on a display placed in the store.

The payment server 100 realizes electronic payment based on payment information received from the user terminal device 10 or the store terminal device 50. The payment server 100 performs electronic payment by, for example, increasing or decreasing the charge balance managed in association with the user ID (in other words, depositing and withdrawing electronic money). Electronic payments may include methods such as revolving payment and credit card payments that enable purchases of a larger amount than the charge balance at the time of purchase.

FIG. 2 is a diagram illustrating the general flow of electronic payment. There may be two patterns, pattern 1 and pattern 2, in electronic payment. In the case of pattern 1, the payment application 20 is first activated on the user terminal device 10 and displays a code image such as a QR code or barcode. The user holds (presents) the display surface of the user terminal device 10 over the store terminal device 50. The store terminal device 50 decodes the code image using an optical reading function and acquires information such as an account ID. Then, the store terminal device 50 generates payment information including an account ID, payment amount, store ID, etc., and transmits it to the payment server 100. Information on the payment amount is obtained in advance by barcode reading, manual input, etc. Based on the received information, the payment server 100 transfers the payment amount from the user's electronic payment account to the store's electronic payment account and completes the payment process.

In the case of pattern 2, the user terminal device 10 with the payment application 20 activated decodes the store code image 60 using the optical reading function. The store code image 60 includes information such as the store name. The user inputs the payment amount into the user terminal device 10 on the screen displaying the store name and the like. Then, the user terminal device 10 generates payment information including an account ID, payment amount, store ID, etc., and transmits it to the payment server 100. The payment server 100 performs payment processing based on the received information. Note that electronic payment may be performed only in one of the above patterns. Further, the "account ID" described in FIG. 2 may be other information (for example, a telephone number) that can be used as user identification information.

[Payment server]
FIG. 3 is a configuration diagram of the payment server 100. The payment server 100 includes, for example, a communication unit 110, a payment content providing unit 120, a payment processing unit 122, a code information generation unit 124, a determination unit 126, an authentication unit 128, an information management unit 130, and a storage unit. 170. Components other than the communication unit 110 and the storage unit 170 are realized by, for example, a hardware processor such as a CPU executing a program (software). Some or all of these components are hardware (circuit parts) such as LSI (Large Scale Integration), ASIC (Application Specific Integrated Circuit), FPGA (Field-Programmable Gate Array), and GPU (Graphics Processing Unit). (including circuitry), or may be realized by collaboration between software and hardware. The program may be stored in advance in a storage device (a storage device with a non-transitory storage medium) such as an HDD (Hard Disk Drive) or flash memory, or may be stored in a removable storage device such as a DVD or CD-ROM. It may be stored in a medium (non-transitory storage medium), and installed in the storage device by loading the storage medium into a drive device.

The storage unit 170 is an HDD, flash memory, RAM (Random Access Memory), or the like. The storage unit 170 may be a NAS (Network Attached Storage) device that can be accessed by the payment server 100 via a network. The storage unit 170 stores information such as user information 172 and payment content information 174.

The communication unit 110 is a communication interface for connecting to the network NW. Communication unit 110 is, for example, a network interface card. The communication unit 110 has a function as a transmitter that transmits information via the network NW, and a function as a receiver that receives information via the network NW.

The payment content providing unit 120 has, for example, the function of a web server, and provides the user terminal device 10 with information (content) for displaying various screens of the electronic payment service. The payment content providing unit 120 reads necessary content from the payment content information 174 as appropriate and provides it to the user terminal device 10. The user terminal device 10 receives various inputs from the user while the content is being played by the payment application 20, and transmits the above-mentioned payment information and the like to the payment server 100.

The payment processing unit 122 performs payment processing based on payment information transmitted from the user terminal device 10 or the store terminal device 50. The payment processing unit 122 performs payment processing while referring to the user information 172.

[User information]
FIG. 4 is a diagram showing an example of the contents of the user information 172. User information 172 is an example of user registration information. The user information 172 includes, for example, an account ID (which may be omitted), an email address, a user ID, a device ID, a charge balance, and a bank account, in addition to the minimum phone number and password required for new registration. , credit card number, charge history information, payment history information, and other information are associated with each other. Information other than the telephone number, password, device ID, charge balance, charge history information, and payment history information is optional setting information. Hereinafter, the user instance (electronic payment account) to which this information is associated will be referred to as an account. The telephone number may be used as a login ID for the electronic payment service.

The user ID is an example of user identification information for the payment server 100 to identify the user, and is information that can be arbitrarily set by the user, such as the user's nickname. The device ID is an example of information for the payment server 100 to identify the user terminal device 10. For example, the device ID may be information generated by combining information such as an IMEI (International Mobile Equipment Identifier), information regarding the manufacturer of the user terminal device 10, and an OS (Operating System) ID.

The charge balance is information indicating the balance of electronic money set by the user transferring money to the account in advance. Methods of remittance include remittance from an ATM (Automatic Teller Machine) of a designated business (bank), remittance from a registered bank account, etc. The bank account and credit card number are each information about a bank account or credit card number (account number, card number) that can be used to deposit money into the electronic payment service. The charging history information is a history of the user increasing the charging balance by remitting money to the electronic payment service in advance. The payment history information is information that shows details of the payments made by the user (date and time, store ID of the store where the purchase was made, payment amount, etc.) for each payment.

[Phishing techniques]
A user may attempt to log in to an electronic payment service using a terminal device other than the terminal device that has already been authenticated as the terminal device used by the user, such as when changing the model of a smartphone. . In this case, the user inputs authentication information from an existing terminal device to perform authentication processing for the new terminal device. However, if the authentication information is illegally obtained by another person, there is a possibility that the user may illegally log in to the electronic payment service from the other person's terminal device. Therefore, the purpose of this embodiment is to prevent unauthorized logins by others (for example, phishers). Therefore, before explaining the details of the processing of this embodiment, the phishing technique will be explained.

Phishing is a fraudulent act performed to obtain information such as a user's login ID, password, and authentication code via the Internet. In recent years, the number of phishing sites has increased rapidly, and there is no end to the number of victims who have their information such as login IDs, passwords, and authentication codes stolen. The present embodiment aims to reduce the number of login attempts by phishers by increasing the login strength, and also to make phishers lose their desire to launch a phishing site.

The phishing criminal obtains the user's login ID (phone number, etc.) and password in the following manner.
(1) Phishers make users access a fake login site and enter their login ID and password.
(2) The phishing criminal attempts to log in to the legitimate login site from the phishing criminal's terminal device using the input login ID and password. At this time, since the access is from a device other than the user's terminal device, a message containing the authentication code is sent to the user's terminal device by SMS (Short Message Service) or the like in order to prevent unauthorized access.
(3) The phishing criminal displays a screen on the fake login site that prompts the user to enter the authentication code notified by SMS.
(4) The phishing criminal uses the phishing criminal's terminal device to enter the authentication code entered into the fake login site by the user into the legitimate login site to complete the login.

The problem with the above-mentioned phishing techniques is that users enter authentication codes on fake login sites. Therefore, in this embodiment, a terminal device that has already been authenticated as a terminal device used by a user (existing environment) and a terminal device that has not yet been authenticated (new environment) are physically close to each other. To enable login using a terminal device in a new environment only in certain situations. The details of this embodiment will be explained below.

[Login authentication processing]
FIG. 5 is a flowchart illustrating an example of login authentication processing. The processing according to this flowchart is executed by the payment server 100. First, the communication unit 110 of the payment server 100 receives a login request from the user terminal device 10 (S11). The login request includes information such as a login ID (phone number, etc.), a password, and a device ID.

Next, the authentication unit 128 compares the login ID (phone number, etc.) and password included in the login request with the user information 172, and determines whether the login authentication is successful (S12). Specifically, the authentication unit 128 determines that the login ID (phone number, etc.) included in the login request is registered in the user information 172, and the password included in the login request matches the password included in the user information 172. If so, it is determined that the login authentication was successful. On the other hand, the authentication unit 128 determines that the login ID (phone number, etc.) included in the login request is not registered in the user information 172, or the password included in the login request does not match the password included in the user information 172. If so, it is determined that login authentication has failed.

If the authentication unit 128 determines that the login authentication has failed, it transmits a login failure notification to the user terminal device 10 (S13), and ends the processing according to this flowchart.

On the other hand, if the authentication unit 128 determines that the login authentication is successful, it compares the device ID included in the login request with the user information 172 to determine whether the login is from a new environment ( S14). Here, the new environment means a terminal device that has not been authenticated as a terminal device used by a user. Moreover, the existing environment means a terminal device that has already been authenticated as a terminal device used by a user.

Specifically, if the device ID included in the login request and the device ID included in the user information 172 do not match, the authentication unit 128 determines that the login is from a new environment. On the other hand, if the device ID included in the login request and the device ID included in the user information 172 match, the authentication unit 128 determines that the login is from an existing environment.

When the authentication unit 128 determines that the login is not from a new environment (that is, when it is determined that the login is from an existing environment), it transmits a login success notification to the user terminal device 10 (S15), and performs the flowchart in this flowchart. Terminates processing.

On the other hand, if the authentication unit 128 determines that the login is from the new environment, the determination unit 126 determines whether the login is from the payment application 20 (S16). If the authentication unit 128 determines that the login is from the payment application 20, it executes a first authentication process to be described later (S17). On the other hand, if the authentication unit 128 determines that the login is not from the payment application 20, it executes a second authentication process to be described later (S18). A case where the login is not from the payment application 20 is a case where the login is from a WEB browser, for example.

The payment application 20 is installed on a terminal device equipped with a camera, such as a smartphone or a tablet terminal. Therefore, in the case of login from the payment application 20, a first authentication process is performed, which is an authentication process using the camera of the user terminal device 10 that transmitted the login request. On the other hand, if the login is not from the payment application 20 (for example, if the login is from a web browser), the user terminal device 10 may not be equipped with a camera. Therefore, if the login is not from the payment application 20, a second authentication process is performed that does not use the camera of the user terminal device 10 that sent the login request. Details of the first authentication process and the second authentication process will be described below.

[First authentication process]
FIG. 6 is a sequence diagram showing an example of the first authentication process. In explaining this sequence diagram, a terminal device that has already been authenticated as a terminal device used by a user (existing environment) will be referred to as the first user terminal device 10A, and a terminal device that has not yet been authenticated (new environment) will be referred to as the first user terminal device 10A. ) is the second user terminal device 10B. The first authentication process when a login request is made to the payment server 100 from the second user terminal device 10B will be described below.

First, the communication unit 110 of the payment server 100 transmits an SMS notification to the first user terminal device 10A, which is an existing environment (S101). The SMS notification is a short message notification using the user's phone number. The SMS notification includes a URL (Uniform Resource Locator) for starting the payment application 20.

When the first user terminal device 10A receives the SMS notification from the payment server 100, it starts the payment application 20 (S102). For example, the first user terminal device 10A starts the payment application 20 in response to the user selecting the URL included in the SMS notification.

Next, the code information generation unit 124 of the payment server 100 generates a QR code in which authentication information is encoded (S103). For example, the authentication information may be time-limited information such as a one-time password. Further, the code information generation unit 124 transmits the generated QR code from the communication unit 110 to the first user terminal device 10A (S104). When the first user terminal device 10A receives the QR code from the payment server 100, it displays the QR code on the screen of the payment application 20 (S105).

FIG. 7 is a diagram showing an example of the display screen of the first user terminal device 10A on which the QR code is displayed. As shown in FIG. 7, the QR code C and a message such as "Please read the QR code with a new terminal" are displayed on the display screen of the first user terminal device 10A.

Next, the second user terminal device 10B, which is the new environment, photographs the QR code displayed on the first user terminal device 10A (S106). Specifically, the user uses the camera of the second user terminal device 10B to photograph the QR code displayed on the first user terminal device 10A.

Further, the second user terminal device 10B obtains authentication information by decoding the photographed QR code (S107). Then, the second user terminal device 10B transmits the acquired authentication information to the payment server 100 (S108).

When the communication unit 110 of the payment server 100 receives the authentication information from the second user terminal device 10B, the authentication unit 128 of the payment server 100 performs authentication information verification processing (S109). Specifically, the authentication unit 128 determines whether the authentication information included in the QR code sent to the first user terminal device 10A matches the authentication information received from the second user terminal device 10B. . If the authentication information included in the QR code sent to the first user terminal device 10A and the authentication information received from the second user terminal device 10B do not match, the authentication section 128 sends a login denial notification to the communication section 110. from there to the second user terminal device 10B.

On the other hand, if the authentication information included in the QR code sent to the first user terminal device 10A matches the authentication information received from the second user terminal device 10B, the authentication section 128 sends a login permission notification to the communication section. 110 to the second user terminal device 10B (S110). As a result, login from the second user terminal device 10B, which is a new environment, is permitted.

After that, the information management unit 130 performs update processing of the user information 172 (S111). Specifically, the information management unit 130 uses the device ID included in the login request sent from the second user terminal device 10B (that is, the device ID of the second user terminal device 10B) as the login request included in the login request. It is written in the user information 172 in association with an ID (phone number, etc.).

According to the first authentication process described above, it is necessary to photograph the QR code displayed on the first user terminal device 10A with the second user terminal device 10B. That is, since it is necessary to perform authentication in a situation where the first user terminal device 10A and the second user terminal device 10B are physically close to each other, it is possible to prevent unauthorized login by phishers.

[Second authentication process]
FIG. 8 is a sequence diagram showing an example of the second authentication process according to the first embodiment. In the first authentication process described above, the payment server 100 sends the QR code to the first user terminal device 10A, but in the second authentication process, the payment server 100 sends the QR code to the second user terminal device 10B. shall be sent. This is because there is a possibility that the second user terminal device 10B is not equipped with a camera. The second authentication process when a login request is made to the payment server 100 from the second user terminal device 10B will be described below.

First, the communication unit 110 of the payment server 100 transmits an SMS notification to the first user terminal device 10A, which is an existing environment (S201). As described above, the SMS notification is a short message notification using the user's phone number, and includes the URL for starting the payment application 20.

When the first user terminal device 10A receives the SMS notification from the payment server 100, it starts the payment application 20 (S202). For example, the first user terminal device 10A starts the payment application 20 in response to the user selecting the URL included in the SMS notification.

Next, the code information generation unit 124 of the payment server 100 generates a QR code in which authentication information is encoded (S203). For example, the authentication information may be time-limited information such as a one-time password. Further, the code information generation unit 124 transmits the generated QR code from the communication unit 110 to the second user terminal device 10B (S204). When the second user terminal device 10B in the new environment receives the QR code from the payment server 100, it displays the QR code on the display section of the second user terminal device 10B (S205).

FIG. 9 is a diagram showing an example of the display screen of the second user terminal device 10B on which the QR code is displayed. As shown in FIG. 9, the QR code C and a message such as "Please read the QR code with an existing terminal" are displayed on the display screen of the second user terminal device 10B.

Next, the first user terminal device 10A in the existing environment photographs the QR code displayed on the second user terminal device 10B (S206). Specifically, the user uses the camera of the first user terminal device 10A to photograph the QR code displayed on the second user terminal device 10B.

The first user terminal device 10A also acquires authentication information by decoding the captured QR code (S207). The first user terminal device 10A then transmits the acquired authentication information to the payment server 100 (S208).

When the communication unit 110 of the payment server 100 receives the authentication information from the first user terminal device 10A, the authentication unit 128 of the payment server 100 performs authentication information verification processing (S209). Specifically, the authentication unit 128 determines whether the authentication information included in the QR code sent to the second user terminal device 10B matches the authentication information received from the first user terminal device 10A. . If the authentication information included in the QR code sent to the second user terminal device 10B and the authentication information received from the first user terminal device 10A do not match, the authentication section 128 sends a login denial notification to the communication section 110. from there to the second user terminal device 10B.

On the other hand, if the authentication information included in the QR code sent to the second user terminal device 10B matches the authentication information received from the first user terminal device 10A, the authentication section 128 sends a login permission notification to the communication section. 110 to the second user terminal device 10B (S210). As a result, login from the second user terminal device 10B, which is a new environment, is permitted.

After that, the information management unit 130 performs update processing of the user information 172 (S211). Specifically, the information management unit 130 uses the device ID included in the login request transmitted from the second user terminal device 10B (that is, the device ID of the second user terminal device 10B) as the login request included in the login request. It is written in the user information 172 in association with an ID (phone number, etc.).

According to the second authentication process described above, it is necessary to photograph the QR code displayed on the second user terminal device 10B with the first user terminal device 10A. That is, since it is necessary to perform authentication in a situation where the first user terminal device 10A and the second user terminal device 10B are physically close to each other, it is possible to prevent unauthorized login by phishers. Moreover, even if the second user terminal device 10B, which is a new environment, is not equipped with a camera, unauthorized login can be prevented.

As described above, the payment server 100 (information processing device) of the first embodiment includes the code information generation section 124, the communication section 110, the authentication section 128, and the determination section 126. The code information generation unit 124 generates a QR code (code information) in which authentication information is encoded when there is a login request from the second user terminal device 10B. The communication unit 110 transmits the generated QR code to either one of the first user terminal device 10A and the second user terminal device 10B, and also obtains the QR code by photographing and decoding the QR code. The received authentication information is received from the other of the first user terminal device 10A and the second user terminal device 10B. The authentication unit 128 authenticates the second user terminal device 10B based on the received authentication information. The determining unit 126 determines to which of the first user terminal device 10A and the second user terminal device 10B the QR code is to be sent, depending on the login method of the second user terminal device 10B. This can prevent unauthorized login by others.

Further, in the first embodiment, the determination unit 126 determines whether the login request from the second user terminal device 10B is a login request from the payment application 20 or not. It was decided to determine which of the two user terminal devices 10B the QR code should be sent to. Specifically, if the login request from the second user terminal device 10B is a login request from the payment application 20, the determination unit 126 determines to transmit the QR code to the first user terminal device 10A, and If the login request from the user terminal device 10B is not a login request from the payment application 20, the determination unit 126 determines to transmit the QR code to the first user terminal device 10A. If the login request is from the payment application 20, it is presumed that the second user terminal device 10B is a mobile terminal device with a camera function, but if the login request is not from the payment application 20, the web browser This is because the second user terminal device 10B is presumed to be a PC (Personal Computer) or the like that does not have a camera function. This ensures that the QR code is photographed by the user terminal device 10 equipped with a camera, and the authentication process can be performed reliably.

Furthermore, in the first embodiment, the communication unit 110 sends an SMS notification containing an address for starting the payment application 20 to the first user terminal device 10A before the code information generation unit 124 generates the QR code. I decided to send it to. Thereby, the payment application 20 can be activated without delay on the first user terminal device 10A.

<Second embodiment>
In the first embodiment described above, authentication using the QR code is performed only once. On the other hand, in the second embodiment, security is further strengthened by performing authentication using a QR code multiple times.

As shown in S205 of FIG. 8, in the second authentication process of the first embodiment, a QR code is displayed on the second user terminal device 10B. However, if a phishing criminal displays this QR code on a fake login site and a user photographs the displayed QR code with a user terminal device in an existing environment, there is a possibility that the phishing criminal's terminal device will be used for unauthorized login. be. For this reason, when displaying the QR code on the second user terminal device 10B, it is preferable to display it multiple times and for as short a time as possible. Note that the first authentication process of the second embodiment is the same as the first authentication process of the first embodiment, so a description thereof will be omitted. Details of the second embodiment will be described below.

FIG. 10 is a sequence diagram illustrating an example of the second authentication process according to the second embodiment. The second authentication process when a login request is made to the payment server 100 from the second user terminal device 10B will be described below.

First, the communication unit 110 of the payment server 100 transmits an SMS notification to the first user terminal device 10A, which is an existing environment (S301). As described above, the SMS notification is a short message notification using the user's phone number, and includes the URL for starting the payment application 20.

When the first user terminal device 10A receives the SMS notification from the payment server 100, it starts the payment application 20 (S302). For example, the first user terminal device 10A starts the payment application 20 in response to the user selecting the URL included in the SMS notification.

Next, the code information generation unit 124 of the payment server 100 generates a first QR code in which the first authentication information is encoded (S303). For example, the first authentication information may be time-limited information such as a one-time password. Further, the code information generation unit 124 transmits the generated first QR code from the communication unit 110 to the second user terminal device 10B (S304).

When the second user terminal device 10B in the new environment receives the first QR code from the payment server 100, it displays the first QR code on the display section of the second user terminal device 10B (S305). At this time, the second user terminal device 10B displays the first QR code for a first time (for example, 30 seconds). For example, in S304, the second user terminal device 10B receives information about the first time together with the first QR code from the payment server 100, and displays the first QR code for a time corresponding to the received information about the first time. It's fine.

Next, the first user terminal device 10A in the existing environment photographs the first QR code displayed on the second user terminal device 10B (S306). Specifically, the user uses the camera of the first user terminal device 10A to photograph the first QR code displayed on the second user terminal device 10B.

The first user terminal device 10A also acquires first authentication information by decoding the captured first QR code (S307). The first user terminal device 10A then transmits the acquired first authentication information to the payment server 100 (S308).

When the communication unit 110 of the payment server 100 receives the first authentication information from the first user terminal device 10A, the authentication unit 128 of the payment server 100 performs a verification process of the first authentication information (S309). Specifically, the authentication unit 128 determines whether the first authentication information included in the first QR code sent to the second user terminal device 10B matches the first authentication information received from the first user terminal device 10A. Determine whether or not. If the first authentication information included in the first QR code sent to the second user terminal device 10B and the first authentication information received from the first user terminal device 10A do not match, the authentication unit 128 disallows login. The notification is transmitted from the communication unit 110 to the second user terminal device 10B.

On the other hand, if the first authentication information included in the first QR code transmitted to the second user terminal device 10B and the first authentication information received from the first user terminal device 10A match, the code information generation unit 124 , generates a second QR code encoded with second authentication information different from the first authentication information (S310). For example, the second authentication information may be time-limited information such as a one-time password. Further, the code information generation unit 124 transmits the generated second QR code from the communication unit 110 to the second user terminal device 10B (S311).

When the second user terminal device 10B in the new environment receives the second QR code from the payment server 100, it displays the second QR code on the display section of the second user terminal device 10B (S312). At this time, the second user terminal device 10B displays the second QR code for a second time period (for example, 5 seconds) that is shorter than the first time period. For example, in S311, the second user terminal device 10B receives information about the second time together with the second QR code from the payment server 100, and displays the second QR code for a time corresponding to the received information about the second time. It's fine.

In addition, when photographing the first QR code in S306, since it is the first photograph, the first QR code is displayed for a relatively long time (for example, 30 seconds), taking into account the startup time of the camera function. . On the other hand, when photographing the second QR code in S313, since the camera function has already been activated, the display time of the second QR code is set to be short (for example, 5 seconds). This makes it possible to more reliably prevent the second authentication information from being illegally acquired by a phishing criminal.

Next, the first user terminal device 10A in the existing environment photographs the second QR code displayed on the second user terminal device 10B (S313). Specifically, the user uses the camera of the first user terminal device 10A to photograph the second QR code displayed on the second user terminal device 10B.

The first user terminal device 10A also acquires second authentication information by decoding the second QR code that has been photographed (S314). Then, the first user terminal device 10A transmits the acquired second authentication information to the payment server 100 (S315).

When the communication unit 110 of the payment server 100 receives the second authentication information from the first user terminal device 10A, the authentication unit 128 of the payment server 100 performs a verification process of the second authentication information (S316). Specifically, the authentication unit 128 determines whether the second authentication information included in the second QR code sent to the second user terminal device 10B matches the second authentication information received from the first user terminal device 10A. Determine whether or not. If the second authentication information included in the second QR code sent to the second user terminal device 10B and the second authentication information received from the first user terminal device 10A do not match, the authentication unit 128 disallows login. The notification is transmitted from the communication unit 110 to the second user terminal device 10B.

On the other hand, if the second authentication information included in the second QR code transmitted to the second user terminal device 10B and the second authentication information received from the first user terminal device 10A match, the authentication unit 128 logs in. A permission notification is transmitted from the communication unit 110 to the second user terminal device 10B (S317). As a result, login from the second user terminal device 10B, which is a new environment, is permitted.

After that, the information management unit 130 performs update processing of the user information 172 (S318). Specifically, the information management unit 130 uses the device ID included in the login request transmitted from the second user terminal device 10B (that is, the device ID of the second user terminal device 10B) as the login request included in the login request. It is written in the user information 172 in association with an ID (phone number, etc.).

According to the second embodiment described above, similar to the first embodiment, unauthorized login by another person can be prevented. Further, according to the second embodiment, after the code information generation unit 124 generates a first QR code (first code information) in which the first authentication information is encoded, a second authentication information different from the first authentication information is generated. The authentication unit 128 generates a second QR code (second code information) in which the information is encoded, and when the authentication based on the first QR code and the authentication based on the second QR code are both successful, the second QR code is used by the user. It was decided that the second user terminal device 10B would be authenticated as a terminal device. This makes it possible to more reliably prevent unauthorized logins by phishers.

Further, according to the second embodiment, the time during which the second QR code (second code information) can be photographed is shorter than the time during which the first QR code (first code information) can be photographed. This makes it possible to more reliably prevent the second authentication information from being illegally acquired by a phishing criminal.

Note that, according to the second embodiment, as an example, authentication based on the first QR code and the second QR code is performed in the second authentication process, but the present invention is not limited to this. For example, in the first authentication process, authentication may be performed based on the first QR code and the second QR code. This means that even if a phishing criminal somehow manages to photograph the QR code displayed on the first user terminal device 10A, which is an existing environment, it is difficult to display the QR code multiple times in as short a time as possible. This is because it is effective in preventing unauthorized login. In this case, the communication unit 110 of the payment server 100 transmits the first QR code and the second QR code to the first user terminal device 10A, and the second user terminal device 10B is displayed on the first user terminal device 10A. The authentication unit 128 of the payment server 100 photographs the first QR code and the second QR code, and if both the authentication based on the first QR code and the authentication based on the second QR code are successful, the authentication unit 128 photographs the first QR code and the second QR code. The second user terminal device 10B may be authenticated as follows.

Note that in the first and second embodiments, the communication unit 110 first sends an SMS notification containing an address for starting the payment application 20 before the code information generation unit 124 generates the QR code. Although the information is transmitted to the user terminal device 10A, the information is not limited thereto. For example, the communication unit 110 may transmit a push notification for starting the payment application 20 to the first user terminal device 10A before the code information generation unit 124 generates the QR code. The push notification is a message that can be directly transmitted to the first user terminal device 10A, and is displayed on the first user terminal device 10A together with a notification sound. In this case, the user will start the payment application 20 on the first user terminal device 10A based on the push notification.

Further, in the first embodiment and the second embodiment, the explanation was given on the premise that the payment application 20 was installed in the first user terminal device 10A. However, if the payment application 20 is not installed on the first user terminal device 10A, the communication unit 110 may transmit an SMS notification for installing the payment application 20 to the first user terminal device 10A. This makes it possible to use the payment application 20 on the first user terminal device 10A, and to start the camera function from the payment application 20.

Further, in the first embodiment and the second embodiment, the communication unit 110 is configured to provide information regarding the location information based on the IP (Internet Protocol) address of the second user terminal device 10B or the purpose of login (for example, the service to which the user is attempting to log in). The information may be transmitted to the first user terminal device 10A and displayed. This allows the user who owns the first user terminal device 10A to determine whether or not an unauthorized login by a phishing criminal is about to occur.

In addition to the authentication processing of the first embodiment and the second embodiment, the authentication unit 128 acquires the location information of the first user terminal device 10A and the location information of the second user terminal device 10B, and When the distance between the user terminal device 10A and the second user terminal device 10B is within a predetermined distance, the same person is operating the first user terminal device 10A and the second user terminal device 10B. It can be determined that The position information may be, for example, information obtained by GPS (Global Positioning System). In addition to location information, the authentication unit 128 also uses sensor information obtained from the first user terminal device 10A and the second user terminal device 10B (degree of inclination of the user terminal device during operation, temperature information, humidity information, etc.). etc.), it may be determined whether the same person is operating the first user terminal device 10A and the second user terminal device 10B.

Note that in the first embodiment and the second embodiment, the payment server 100 performs the authentication process, but the present invention is not limited to this. For example, an authentication server as an information processing device that performs authentication processing may be constructed separately from the payment server 100.

Although the mode for implementing the present invention has been described above using embodiments, the present invention is not limited to these embodiments in any way, and various modifications and substitutions can be made without departing from the gist of the present invention. can be added.

10 User terminal device 20 Payment application 50 Store terminal device 60 Store code image 100 Payment server 110 Communication unit (transmission unit, reception unit)
120 Payment content providing unit 122 Payment processing unit 124 Code information generation unit 126 Determination unit 128 Authentication unit 130 Information management unit 170 Storage unit

One aspect of the present invention is an information processing device capable of communicating with a first terminal device that has already been authenticated as a terminal device used by a user and a second terminal device that has not yet been authenticated, When a login request is received from a second terminal device, after generating first code information in which first authentication information is encoded , a second code information in which second authentication information different from the first authentication information is encoded is generated. a code information generation unit that generates code information; and a code information generation unit that generates code information, and transmits the first code information and second code information generated by the code information generation unit to one of the first terminal device and the second terminal device. the first authentication information obtained by photographing and decoding the first code information; and the second authentication information obtained by photographing and decoding the second code information. a receiving unit that receives information from the other of the first terminal device and the second terminal device; and based on the first authentication information and the second authentication information received by the receiving unit, the an authentication unit that authenticates a second terminal device; and an authentication unit that authenticates the first code information and the second code information in either the first terminal device or the second terminal device depending on the login method of the second terminal device The information processing apparatus includes a determination unit that determines whether to transmit the information .

Claims (20)

An information processing device capable of communicating with a first terminal device that has already been authenticated as a terminal device used by a user and a second terminal device that has not yet been authenticated,
a code information generation unit that generates code information in which authentication information is encoded when a login request is received from the second terminal device;
a transmitter that selectively transmits the code information generated by the code information generator to either the first terminal device or the second terminal device;
a receiving unit that receives the authentication information obtained by photographing and decoding the code information from the other of the first terminal device and the second terminal device;
an authentication unit that authenticates the second terminal device based on the authentication information received by the reception unit;
An information processing device comprising: Depending on whether the login request from the second terminal device is a login request from a payment application for electronic payment at a store, the further comprising a determination unit that determines whether to transmit code information;
The information processing device according to claim 1. If the login request from the second terminal device is a login request from the payment application, the determination unit determines to transmit the code information to the first terminal device,
If the login request from the second terminal device is not a login request from the payment application, the determination unit determines to transmit the code information to the second terminal device.
The information processing device according to claim 2. The transmitting unit transmits an SMS (Short Message Service) notification containing an address for starting the payment application to the first terminal device before the code information generating unit generates the code information.
The information processing device according to claim 3. The transmitting unit transmits a push notification for starting the payment application to the first terminal device before the code information generating unit generates the code information.
The information processing device according to claim 3. If the payment application is not installed on the first terminal device, the transmitting unit transmits an SMS notification to the first terminal device for installing the payment application.
The information processing device according to claim 2. The code information generation unit generates first code information in which first authentication information is encoded, and then generates second code information in which second authentication information different from the first authentication information is encoded,
The authentication unit authenticates the second terminal device as a terminal device used by the user when both the authentication based on the first code information and the authentication based on the second code information are successful. ,
The information processing device according to any one of claims 1 to 6. The time during which the second code information can be photographed is shorter than the time during which the first code information can be photographed.
The information processing device according to claim 7. The transmitting unit transmits location information based on the IP (Internet Protocol) address of the second terminal device or information regarding the purpose of login to the first terminal device for display.
The information processing device according to any one of claims 1 to 8. An information processing device capable of communicating with a first terminal device that has already been authenticated as a terminal device used by a user and a second terminal device that has not yet been authenticated,
When a login request is received from the second terminal device, first code information in which first authentication information is encoded is generated, and then second code information in which second authentication information different from the first authentication information is encoded is generated. 2. a code information generation unit that generates code information;
a transmitter that transmits the first code information and the second code information generated by the code information generator to either the first terminal device or the second terminal device;
The first authentication information obtained by photographing and decoding the first code information and the second authentication information obtained by photographing and decoding the second code information are transmitted to the first terminal device. and a receiving unit that receives from the other of the second terminal devices;
an authentication unit that authenticates the second terminal device based on the first authentication information and the second authentication information received by the reception unit;
An information processing device comprising: An information processing device capable of communicating with a first terminal device that has already been authenticated as a terminal device used by a user and a second terminal device that has not yet been authenticated,
When a login request is received from the second terminal device, first code information in which first authentication information is encoded is generated, and then second code information in which second authentication information different from the first authentication information is encoded is generated. 2. a code information generation unit that generates code information;
a transmitter that transmits the first code information and the second code information generated by the code information generator to the first terminal device;
The first authentication information obtained by photographing and decoding the first code information and the second authentication information obtained by photographing and decoding the second code information are transmitted to the second terminal device. a receiving unit that receives data from the
an authentication unit that authenticates the second terminal device based on the first authentication information and the second authentication information received by the reception unit;
An information processing device comprising: An information processing device capable of communicating with a first terminal device that has already been authenticated as a terminal device used by a user and a second terminal device that has not yet been authenticated,
When a login request is received from the second terminal device, first code information in which first authentication information is encoded is generated, and then second code information in which second authentication information different from the first authentication information is encoded is generated. 2. a code information generation unit that generates code information;
a transmitter that transmits the first code information and the second code information generated by the code information generator to the second terminal device;
The first authentication information obtained by photographing and decoding the first code information and the second authentication information obtained by photographing and decoding the second code information are transmitted to the first terminal device. a receiving unit that receives data from the
an authentication unit that authenticates the second terminal device based on the first authentication information and the second authentication information received by the reception unit;
An information processing device comprising: An information processing device capable of communicating with a first terminal device that has already been authenticated as a terminal device used by a user and a second terminal device that has not yet been authenticated,
When a login request is received from the second terminal device, generating code information in which authentication information is encoded;
selectively transmitting the code information to either one of the first terminal device and the second terminal device;
receiving the authentication information obtained by photographing and decoding the code information from the other of the first terminal device and the second terminal device;
authenticating the second terminal device based on the received authentication information;
Information processing method. An information processing device capable of communicating with a first terminal device that has already been authenticated as a terminal device used by a user and a second terminal device that has not yet been authenticated,
When a login request is received from the second terminal device, first code information in which first authentication information is encoded is generated, and then second code information in which second authentication information different from the first authentication information is encoded is generated. 2 Generate code information,
transmitting the first code information and the second code information to either one of the first terminal device and the second terminal device;
The first authentication information obtained by photographing and decoding the first code information and the second authentication information obtained by photographing and decoding the second code information are transmitted to the first terminal device. and received from the other of the second terminal device,
authenticating the second terminal device based on the received first authentication information and second authentication information;
Information processing method. An information processing device capable of communicating with a first terminal device that has already been authenticated as a terminal device used by a user and a second terminal device that has not yet been authenticated,
When a login request is received from the second terminal device, first code information in which first authentication information is encoded is generated, and then second code information in which second authentication information different from the first authentication information is encoded is generated. 2 Generate code information,
transmitting the first code information and the second code information to the first terminal device;
The first authentication information obtained by photographing and decoding the first code information and the second authentication information obtained by photographing and decoding the second code information are transmitted to the second terminal device. received from
authenticating the second terminal device based on the received first authentication information and second authentication information;
Information processing method. An information processing device capable of communicating with a first terminal device that has already been authenticated as a terminal device used by a user and a second terminal device that has not yet been authenticated,
When a login request is received from the second terminal device, first code information in which first authentication information is encoded is generated, and then second code information in which second authentication information different from the first authentication information is encoded is generated. 2 Generate code information,
transmitting the first code information and the second code information to the second terminal device;
The first authentication information obtained by photographing and decoding the first code information and the second authentication information obtained by photographing and decoding the second code information are transmitted to the first terminal device. received from
authenticating the second terminal device based on the received first authentication information and second authentication information;
Information processing method. an information processing device capable of communicating with a first terminal device that has already been authenticated as a terminal device used by a user and a second terminal device that has not yet been authenticated;
When a login request is received from the second terminal device, generating code information in which authentication information is encoded;
selectively transmitting the code information to either one of the first terminal device and the second terminal device;
receiving the authentication information obtained by photographing and decoding the code information from the other of the first terminal device and the second terminal device;
authenticating the second terminal device based on the received authentication information;
program. an information processing device capable of communicating with a first terminal device that has already been authenticated as a terminal device used by a user and a second terminal device that has not yet been authenticated;
When a login request is received from the second terminal device, first code information in which the first authentication information is encoded is generated, and then second authentication information different from the first authentication information is encoded. Generate second code information,
transmitting the first code information and the second code information to either one of the first terminal device and the second terminal device;
The first authentication information obtained by photographing and decoding the first code information and the second authentication information obtained by photographing and decoding the second code information are transmitted to the first terminal device. and receiving from the other of the second terminal devices,
authenticating the second terminal device based on the received first authentication information and second authentication information;
program. an information processing device capable of communicating with a first terminal device that has already been authenticated as a terminal device used by a user and a second terminal device that has not yet been authenticated;
When a login request is received from the second terminal device, first code information in which the first authentication information is encoded is generated, and then second authentication information different from the first authentication information is encoded. Generate second code information,
transmitting the first code information and the second code information to the first terminal device;
The first authentication information obtained by photographing and decoding the first code information and the second authentication information obtained by photographing and decoding the second code information are transmitted to the second terminal device. receive it from
authenticating the second terminal device based on the received first authentication information and second authentication information;
program. an information processing device capable of communicating with a first terminal device that has already been authenticated as a terminal device used by a user and a second terminal device that has not yet been authenticated;
When a login request is received from the second terminal device, first code information in which the first authentication information is encoded is generated, and then second authentication information different from the first authentication information is encoded. Generate second code information,
transmitting the first code information and the second code information to the second terminal device;
The first authentication information obtained by photographing and decoding the first code information and the second authentication information obtained by photographing and decoding the second code information are transmitted to the first terminal device. receive it from
authenticating the second terminal device based on the received first authentication information and second authentication information;
program.

Images