JP2023146077A - Information processing system, information processing method and information processing apparatus - Google Patents

Abstract

To enable suppressing introduction cost or maintenance management cost of a dedicated terminal for authentication, and preventing masquerading as person in question.SOLUTION: An information processing system according to the present invention comprises: an application execution apparatus that is given service identification means having service identification information and executes an application using a service; a portable terminal that acquires service identification information from service identification means and performs processing corresponding to the service identification information; a service execution apparatus that performs a service corresponding to the service identification information; and an information processing apparatus that intermediates processing between a portable terminal which is a request source and a service execution apparatus which is a request destination on the basis of service request information including the service identification information from the portable terminal, and that gives a result obtained by the service execution apparatus which is the request destination to the portable terminal and the application execution apparatus.SELECTED DRAWING: Figure 1

Description

The present invention relates to an information processing system, an information processing method, and an information processing apparatus.

Conventionally, when authenticating a user, for example, an identification document such as a driver's license, insurance card, or My Number card is used to confirm the user's identity. There are also mechanisms for biometric authentication using biometric information of the user, such as facial feature data, fingerprint data, iris data, etc. of the user. Furthermore, facial recognition services that utilize the functions installed in mobile terminals such as smartphones have recently become popular, and facial feature data, which is the information source for personal authentication, can be photographed with a camera, and driver's licenses can be photographed with a camera. Some photos are taken and registered in the system.

JP2020-21164A JP2017-182326A

However, in the case of the conventional method described above, in order to obtain the user's biometric information, the verification party must prepare a dedicated terminal that reads the user's face, fingerprint, iris, etc., which requires the installation cost and maintenance cost of the dedicated terminal. There is a problem in that the burden of management costs, etc. falls on the person conducting the confirmation.

In addition, regarding facial recognition services that use the user's smartphone, the user uses the smartphone to register facial information, driver's license, etc., so it is easy to impersonate the user. There is also an issue.

Therefore, there is a need for an information processing system, an information processing method, and an information processing device that can reduce the cost of introducing a dedicated terminal for authentication and the cost of maintenance and management, and can prevent identity masquerading.

In order to solve this problem, the information processing system according to the first aspect of the present invention is provided with a service identification means having service identification information that identifies a service to be provided to a user, and is provided with a service identification means that has service identification information that identifies a service to be provided to a user. an execution device, a mobile terminal that acquires service identification information from a service identification means and performs processing corresponding to the service identification information, a service execution device that executes a service corresponding to the service identification information, and service identification information from the mobile terminal. Based on service request information including The present invention is characterized by comprising an information processing device for providing information to the application execution device.

In the information processing method according to the second aspect of the present invention, the mobile terminal acquires service identification information for identifying the service provided to the user from the service identification means attached to the application execution device, and corresponds to the service identification information. the information processing device mediates processing between a mobile terminal that is a request source and a service execution device that is a request destination based on service request information including service identification information from the mobile terminal; It is characterized in that the result from the service execution device that is the request destination is given to the mobile terminal and the application execution device.

The information processing apparatus according to the third aspect of the present invention is provided with a service identification means having service identification information for specifying a service to be provided to a user, and includes an application execution apparatus that executes an application using the service, and a service identification means. An information processing device connected to a mobile terminal that acquires service identification information from a mobile terminal and performs processing corresponding to the service identification information, and a service execution device that executes a service corresponding to the service identification information, the information processing device Based on service request information including identification information, means for mediating processing between a mobile terminal that is a request source and a service execution device that is a request destination; and an application execution device.

According to the present invention, it is possible to reduce the cost of introducing a dedicated terminal for authentication and the cost of maintenance and management, and to prevent identity theft.

1 is an overall configuration diagram showing the overall configuration of a service providing system according to an embodiment. FIG. 2 is an internal configuration diagram showing the internal configurations of a tag device, a service providing device, a company server, and a mobile terminal according to an embodiment. FIG. 2 is an internal configuration diagram showing the internal configuration of a management server according to an embodiment. FIG. 2 is a configuration diagram showing an example of the configuration of history information recorded as history in the integrated database unit according to the embodiment. FIG. 2 is an internal configuration diagram showing the internal configuration of a certification authority server according to an embodiment. FIG. 2 is an operation diagram showing the overall operation of the service providing system according to the embodiment. FIG. 3 is a sequence diagram showing the operation of authentication processing according to the embodiment. FIG. 3 is a sequence diagram showing the operation of voice communication processing according to the embodiment.

(A) Embodiment Hereinafter, embodiments of an information processing system, an information processing method, and an information processing apparatus according to the present invention will be described in detail with reference to the drawings.

(A-1) Configuration of Embodiment FIG. 1 is an overall configuration diagram showing the overall configuration of a service providing system (hereinafter also referred to as an "information processing system") according to an embodiment.

In FIG. 1, the service providing system 9 of the embodiment includes a management server 1 as an information processing device, a mobile terminal 2 of a user U, a corporate server 4 provided on the service provider side, and a service providing device 5 as an application execution device. , a tag device 3 as a service identification means, one or more certification authority servers 6 (6-1, 6-2, . . . ), and a call center server 7.

Note that the certification authority server 6 and the call center server 7 are examples of a "service execution device."

For example, when the user U holds the mobile terminal 2 over the tag device 3 and starts short-range wireless communication such as NFC (Near Field Communication) between the mobile terminal 2 and the tag device 3, the service providing system 9 Application software (hereinafter also referred to as "app") that performs processing corresponding to the tag information preset in the tag device 3 is started on the mobile terminal 2 and performs voice communication, personal authentication, etc. via the management server 1. This service is provided to user U.

A “service” is a service provided to the user in connection with the purpose in which the user U uses the service providing device (purpose execution device) 5. Examples include voice communication, authentication processing, payment processing, etc. These services can be provided to the user U using an application on the mobile terminal 2 that performs NFC communication with the tag device 3.

[Tag device 3, service providing device 5, company server 4]
FIG. 2 is an internal configuration diagram showing the internal configurations of the tag device 3, service providing device 5, company server 4, and mobile terminal 2 according to the embodiment.

The tag device 3 is, for example, a device equipped with NFC. The tag device 3 includes an IC chip device having a short-range wireless communication section 31, a storage section 32, and a control section 33. The tag device 3 can be, for example, a non-contact IC tag type, an IC card type, a stationary type, or the like. The tag device 3 is installed in a place where the user U receives a service or in a device (such as the service providing device 5) handled by the user U in a manner that corresponds to the service provision situation.

For example, the tag device 3 may be provided for each service such as voice communication, biometric authentication, payment, etc., or the tag device 3 may be capable of supporting multiple services such as voice communication, biometric authentication, payment, etc. good.

In the former case, the tag device 3 provided for each service stores in advance service identification information that uniquely identifies the corresponding service and tag information related to the service. In the latter case, the tag device 3 stores service identification information for each service and tag information for each service, and allows the user U to select which service to use on the mobile terminal 2 that has received the tag information. You can do it like this.

Furthermore, the tag device 3 further includes usage identification information that identifies the usage of the provided service, such as ATM, car sharing, call center, etc., an individual ID that identifies the tag device 3 itself, and a service provider (such as a company) that identifies the service provider. It also remembers the company ID etc.

When the tag device 3 communicates with the mobile terminal 2 using NFC, the tag device 3 transmits tag information including the above-mentioned service identification information, usage identification information, individual ID, company ID, etc. to the mobile terminal 2. Note that the tag information is not limited to the information described above.

The service providing device 5 is a device related to a service provided to the user U. For example, the service providing device 5 may be an ATM (Auto Teller Machine) in financial transactions, or a car in car sharing. It is assumed that the service providing device 5 of this embodiment is handled by the user U. The service providing device 5 includes a control unit 51 that controls the functions of the service providing device 5, and a communication unit 52 that communicates with the corporate server 4.

The company server 4 is a server that connects to the service providing device 5 and controls the operation of the service providing device 5. The company server 4 can be an existing general-purpose server, and includes, for example, a control section 41, a storage section 42, and a communication section 43.

The corporate server 4 is connected to the management server 1 via the network NT, and instructs the corresponding service providing device 5 to perform operations according to the authentication result of user U's personal authentication. That is, the company server 4 instructs the service providing device 5 to perform an operation when the authentication of the user U is successful or an operation when the authentication fails.

The operation that the corporate server 4 instructs the service providing device 5 to perform when authentication is successful varies depending on the type and purpose of the service providing device 5, but for example, if the service providing device 5 is an ATM, the PIN number must be input when the authentication is successful. For example, if the service providing device 5 is a car sharing vehicle, operations such as unlocking the keys of the vehicle may be performed.

[Mobile terminal 2]
The mobile terminal 2 is a terminal owned by the user U, and can be, for example, a smartphone, a tablet terminal, a wearable terminal, or the like. In this embodiment, it is assumed that the mobile terminal 2 has an NFC function. Furthermore, when the mobile terminal 2 communicates with the tag device 3 using NFC, it starts processing such as voice communication and personal authentication, and performs processing through the management server 1 through an application (corresponding to the "NFC utilization processing unit 210" described later). ) is installed.

As illustrated in FIG. 2, the mobile terminal 2 includes a control section 21, a storage section 22, a short-range wireless communication section 23, a camera 24, a position information acquisition section 25, a microphone 26, a speaker 27, a biological sensor 28, and a communication section 29. has.

The control unit 21 controls operations in the mobile terminal 2. The control unit 21 includes an NFC utilization processing unit 210 that starts processing corresponding to the service identification information of the tag information using the start of communication with the tag device 3 as a trigger.

The NFC utilization processing unit 210 starts a corresponding application (for example, voice communication, authentication processing, etc.) based on the service identification information included in the tag information, and performs the processing through the management server 1. In other words, the NFC utilization processing unit 210 functions as a unit that coordinates application processing with the management server 1.

Here, the application that is activated upon the start of communication with the tag device 3 is exemplified as voice communication and authentication processing for authenticating the user, but is not limited to this, and may perform other processing such as payment processing, for example. You can do it like this. Note that the applications such as the voice communication section 211 and the authentication processing section 212 may be independently installed on the mobile terminal 2 as a prescribed application or a standard application.

The voice communication unit 211 can apply an IP (Internet Protocol) telephone function. The voice communication unit 211 transmits, to the management server 1, call control information whose destination is the destination number (for example, the telephone number of the call center server 7, etc.) included in the tag information. Thereby, call control by the management server 1 enables a call between the mobile terminal 2 and the operator terminal of the call center server 7.

The authentication processing unit 212 performs, for example, face authentication, which performs authentication processing by comparing facial feature data extracted from a face image with pre-registered facial feature registration data, or, for example, reads fingerprint feature data with a fingerprint sensor. , performs fingerprint authentication, etc., which is performed by comparing with pre-registered registration data. The authentication method is not limited to face authentication and fingerprint authentication, and other authentication processes can also be applied.

The service identification information included in the tag information also distinguishes the type of authentication method, and the authentication processing unit 212 operates the corresponding authentication method based on the service identification information.

Further, when the authentication processing unit 212 obtains a successful authentication result through the verification by the authentication authority server 6 through the management server 1, the authentication processing unit 212 uses the result of the current authentication success when authentication is required for another service or the next service. The authentication result cache 221 is stored in the storage unit 22 so that it can be used. Thereby, the user U can receive the service using the authentication result cache 221, and the burden of repeatedly performing the same authentication process by the authentication authority server 6 every time the service is used can be reduced. Note that the storage period or number of times of use of the authentication result cache 221 for successful authentication may be set in advance.

The storage unit 22 stores processing programs executed by the control unit 21 (for example, an application for the NFC utilization processing unit 210, a voice communication program, an authentication processing program, etc.), data necessary for the processing, and the like. The storage unit 22 also temporarily stores an authentication result cache 221.

The short-range wireless communication unit 23 performs NFC short-range wireless communication, and when acquiring tag information from the tag device 3 using NFC, provides the tag information to the control unit 21 .

The camera 24 captures an image of the user U's face during face authentication. The position information acquisition unit 25 acquires position information (latitude and longitude information) from, for example, a GPS satellite.

The microphone and speaker 27 can be those installed in the mobile terminal 2, and are used when performing voice communication.

The biometric sensor 28 can be, for example, a fingerprint sensor that detects the fingerprint of the user U during fingerprint authentication. Note that the biometric sensor 28 may be used for other biometric authentication processing.

[Management server 1, integrated database unit 10]
FIG. 3 is an internal configuration diagram showing the internal configuration of the management server 1 according to the embodiment.

In FIG. 3, the management server 1 is connected to the integrated database section 10 and includes a control section 11, a communication section 12, and a storage section 13.

Here, for convenience of explanation, the management server 1 is physically shown as one device, but the present invention is not limited to this, and each function of the management server 1 may be realized on servers that are distributed.

Further, the management server 1 and the integrated database unit 10 may be realized by a multi-tenant cloud platform.

The communication unit 12 communicates with the mobile terminal 2 and the company server 4 via the network NT. The communication unit 12 also communicates with the certification authority server 6 and the call center server 7 through the network NT.

The storage unit 13 stores processing programs (for example, information processing programs, etc.) by the control unit 11, data necessary for executing the processing programs, and the like.

The control unit 11 controls the functions of the management server 1. The control unit 11 includes a management control unit 110 that mediates, with the call center server 7 or the certification authority server 6, processing requested by the mobile terminal 2 triggered by communication with the tag device 3.

When the management control unit 110 receives a login request from the mobile terminal 2, the management control unit 110 compares the registration data with the login data, returns the result of the login process to the mobile terminal 2, and furthermore, the management control unit 110 checks the login data. The history is recorded in the integrated database unit 10.

When the management control unit 110 receives a request for voice communication from the mobile terminal 2, the management control unit 110 sends an authentication request from the mobile terminal 2 to a voice communication control unit 111 that performs call control between the mobile terminal 2 and the call center server 7. and an authentication control unit 112 that, when received, requests authentication to the certification authority server 6 that performs the corresponding type of authentication processing.

The voice communication control unit 111 performs call control between the mobile terminal 2 and the call center server 7. Furthermore, when the call between the mobile terminal 2 and the operator terminal of the call center server 7 ends, the voice communication control unit 111 records data regarding the voice communication in the integrated database unit 10.

The voice communication control unit 111 provides a conversion function between a global IP address and a private IP address ( A so-called NAT traversal) may also be provided. For example, as a technique for traversing the NAT of the voice communication control unit 111 of the management server 1, by performing address resolution using STUN (Simple Traversal of UDP Through Nats), ICE (Interactive Connectivity Establishment), etc., B2 BUA (Back-To- Back User Agent) can be configured to ensure voice communication and security between different networks.

Upon receiving an authentication request from the mobile terminal 2, the authentication control unit 112 performs authentication between the mobile terminal 2 and the management server 1 and between the management server 1 and the certification authority server 6 in order to improve information security. to ensure secure information communication. In addition, after ensuring secure information communication, the authentication control unit 112 transmits authentication-related information (for example, information identifying the user U, tag information, location information, facial feature data, fingerprint feature data, etc.).

Further, the authentication control unit 112 records information related to the relayed authentication, information related to the authentication result from the certification authority server 6, etc. in the integrated database unit 10.

Further, upon receiving the authentication result from the authentication authority server 6, the authentication control unit 112 transmits the authentication result to both the corporate server 4 and the mobile terminal 2 in order to cause the service providing device 5 to perform an operation according to the authentication result. let The destination information (for example, IP address, MAC address, etc.) of the company server 4 can be realized by setting, for example, tag information in advance.

Note that here, a case is exemplified in which the authentication control unit 112 transmits the authentication result to the corporate server 4, but if the service providing device 5 can operate according to the authentication result, the authentication result will be sent to the service providing device 5. You may also send it directly. In this case, this can be achieved by including the communication address of the service providing device 5 in the tag information in advance.

The integrated database unit 10 stores information regarding request processing by the mobile terminal 2 triggered by communication with the tag device 3.

FIG. 4 is a configuration diagram showing an example of the configuration of history information recorded as history in the integrated database unit 10 according to the embodiment.

In FIG. 4, for example, the integrated database unit 10 stores "communication ID," "tag information," "location information," "time information," "OS/model type," "dedicated application (AP) ID," "use The items are "person ID" and "authentication result." Furthermore, the item "tag information" has "service identification information", "use identification information", "individual ID", and "company ID" as items.

Note that the items included in the "tag information" are not limited to the items shown in FIG. It may also include "communication destination information of the server 6 (for example, IP address, etc.)", "communication destination information of the company server 4 (for example, IP address, etc.)", and the like. Further, the history information recorded as a history in the integrated database unit 10 is not limited to the items shown in FIG. If it is biometric authentication, it may include "type of face authentication or fingerprint authentication", "characteristic data" used for authentication, etc.

[Certification authority server 6]
FIG. 5 is an internal configuration diagram showing the internal configuration of the certification authority server 6 according to the embodiment.

The authentication agency server 6 is connected to a customer database unit 60 that stores registered information for each user U, in which information necessary for biometric authentication of the user U is pre-registered. This process performs various types of authentication processing.

As shown in FIG. 5, the certification authority server 6 includes a control unit 61, a communication unit 62 that communicates with the management server 1 via the network NT, and a processing program (for example, an authentication execution program) executed by the control unit 61. etc.) and a storage unit 63 that stores data necessary for processing.

The control unit 61 controls various functions of the certification authority server 6. The control unit 61 includes an authentication execution unit 611 that performs a specific type of biometric authentication processing.

The authentication execution unit 611 performs specific types of authentication processing, such as face authentication processing, fingerprint authentication processing, and iris authentication processing. For example, in the case of face authentication processing, when the authentication execution unit 611 acquires the facial feature data of the user U through the communication unit 62, the facial feature data registration information of the user U pre-registered in the customer database unit 60 and the acquired facial feature data are obtained. When the feature data match, the authentication is determined to be successful; otherwise, the authentication is determined to have failed.

The customer database unit 60 stores customer data (for example, user ID, user name, gender, address, etc.) and registered data of biometric information used in biometric verification (facial feature registration data, fingerprint feature registration data, etc.). , biometric information used in authentication (facial feature data, fingerprint feature data, etc.), authentication results, etc. are stored.

[Call center server 7]
The call center server 7 is connected to a plurality of operator terminals and manages calls between operators and users U. As the call center server 7, various existing ones can be widely applied.

(A-2) Operation of the embodiment FIG. 6 is an operation diagram showing the overall operation of the service providing system 9 according to the embodiment.

Below, a service providing method (information processing method) in the service providing system 9 according to the embodiment will be explained using the drawings.

In the following operation description, the following usage environment will be exemplified and explained. Of course, the usage environment is not limited to the following.

For example, it is assumed that the tag device 3 is attached to an ATM serving as the service providing device 5 or near the ATM. It is assumed that the user U authenticates his/her identity by using NFC between the mobile terminal 2 and the tag device 3, and then the user U can use the ATM. Further, for example, when a user U makes an inquiry to a call center when using an ATM, a case will be exemplified in which NFC between the mobile terminal 2 and the tag device 3 is used to make the call to the call center possible.

(A-2-1) Authentication Processing FIG. 7 is a sequence diagram showing the operation of authentication processing according to the embodiment.

First, the mobile terminal 2 is installed with an NFC utilization processing unit 210 as application software that starts processing such as voice communication and personal authentication when communicating with the tag device 3 using NFC, and performs processing through the management server 1. It is assumed that there is

Further, it is assumed that the registered face data, in which feature data is extracted from the face information of the user U, has been registered in advance in the certification authority server 6 (S330).

In the situation described above, it is assumed that the user U holds the mobile terminal 2 over the tag device 3 and authenticates himself/herself using the user U's biometric information before using the ATM.

In this example, for example, the tag information of the tag device 3 is "Service identification information: Biometric authentication (for example, "Face authentication")", "Use identification information: ATM", "Individual ID: A54321", " Company ID: XYZ-01", etc.

User U holds mobile terminal 2 over tag device 3. When the mobile terminal 2 and the tag device 3 start NFC communication, this serves as a trigger, and the NFC utilization processing unit 210 is activated.

In order for the NFC utilization processing unit 210 to operate effectively on the mobile terminal 2, it is assumed that the user U has completed the login to the management server 1. The login method is not particularly limited, but for example, the following method can be applied.

The user U logs in and inputs the ID and password into the mobile terminal 2 (S101). The NFC utilization processing unit 210 on the mobile terminal 2 makes a login request to the management control unit 110 of the management server 1 (S102), and the management control unit 110 stores the input login data and the integrated database unit 10 in advance. The registered data is compared with the registered data (S103).

As a result, if the data verification is OK (S104), the authentication result is returned to the management control unit 110 (S105), and the management control unit 110 returns the login OK to the NFC utilization processing unit 210 (S106). The utilization processing unit 210 indicates to the user U that the login has been completed (S107).

Furthermore, the management control unit 110 that received the authentication result records the authentication result of the user U in the integrated database unit 10 (S108). In this way, it is assumed that the NFC utilization processing unit 210 operates effectively on the mobile terminal 2.

The tag information includes service identification information that identifies biometric authentication to be executed as a service, and the mobile terminal 2 that receives the tag information from the tag device 3 using NFC uses the service identification information included in the tag information. The authentication processing unit 212 corresponding to the authentication processing unit 212 starts up (S300).

Here, for example, if the biometric authentication is face authentication, the camera 24 is activated to obtain user U's face information, the camera 24 captures an image of the user U's face (S301), and the authentication processing unit 212 The facial image of the camera 24 is analyzed to extract facial feature data of the user U.

At this time, for example, when a transmission confirmation display to the authentication authority is displayed on the display of the mobile terminal 2 and the user U selects OK to send, the authentication processing unit 212 sends the extracted facial feature data to the authentication authority for information security. is encrypted (S302). Further, in the mobile terminal 2, the location information acquisition unit 25, which serves as a GPS function, for example, is activated, and location information, such as latitude and longitude information, is provided to the authentication processing unit 212 (S303).

In order to transmit information to the authentication authority server 6 via the management server 1, the authentication processing unit 212 uses the tag information acquired from the tag device 3, facial feature data as biometric information of the user U, location information, and the mobile terminal 2. Data such as OS/model information of the computer is encrypted (S304).

Note that time information may be included as information transmitted to the certification authority server 6. That is, the time information may be the time recorded in the integrated database unit 10 of the management server 1, or may be the time information on the mobile terminal 2.

When transmitting to the certification authority server 6, in order to ensure the safety of the transmitted information, the management control unit 110 of the management server 1 communicates with the authentication processing unit 212 of the mobile terminal 2 the authentication included in the tag information. Address information (for example, IP address, etc.) of the institution server 6 is acquired, and negotiations are performed to ensure secure communication.

For example, the management control unit 110 operates between the authentication processing unit 212 of the mobile terminal 2 and the authentication control unit 112 of the management server 1, and between the authentication execution unit 611 of the certification authority server 6 and the authentication control unit 112 of the management server 1. A secure bidirectional tunnel is secured for information communication both with and between the host and the host (S305, S306).

Then, the authentication processing unit 212 of the mobile terminal 2 transmits information (encrypted data) addressed to the authentication agency server 6 including tag information, facial feature data, location information, OS/model information, etc. to the management server 1. (S307). Furthermore, the management server 1 transfers information addressed to the certification authority server 6 from the authentication processing unit 212 of the mobile terminal 2 to the certification authority server 6 (S308).

Here, in the management server 1, the authentication control unit 112 decrypts the information (encrypted data) received from the authentication processing unit 212 of the mobile terminal 2 (S309), and the information including the decrypted tag information and location information is used for authentication. The control unit 112 records it in the integrated database unit 10 (S310).

At this time, the authentication processing section 212 decrypts the information recorded in the integrated database section 10. Therefore, although the description will be made assuming that the authentication processing unit 212 decodes information such as tag information, location information, OS/model information, etc., it is assumed that the facial feature data of the user U itself also needs to be recorded in the integrated database unit 10. If there is, facial feature data may also be decoded. However, in this embodiment, from the viewpoint of ensuring security, a case will be exemplified in which facial feature data is not recorded and not decoded.

When the authentication authority server 6 receives the information from the mobile terminal 2 via the management server 1, the authentication execution unit 611 decodes the received information and decodes the facial feature data of the user U (S311).

Then, the authentication execution unit 611 searches the customer database unit 60 for the registered face data of the user U based on the user ID included in the received information, and the authentication execution unit 611 searches the received facial feature data. and the registered face data (S312).

In this example, it is assumed that a successful authentication result (authentication OK) has been obtained, and the authentication authority server 6 transmits the authentication result by the authentication execution unit 611 to the management server 1 (S313).

In the management server 1, the authentication control unit 121 transmits the authentication result of the face authentication of the user U by the authentication authority server 6 to both the mobile terminal 2 and the corporate server 4 (S314, S315).

Thereby, in the mobile terminal 2, the authentication processing unit 212 can display the authentication result on a display or the like to notify the user U (S316). Further, the authentication processing unit 212 stores the successful authentication result in the storage unit 22 as the authentication result cache 221 .

On the other hand, the company server 4 instructs the service providing apparatus 5 to perform an operation according to the authentication result (S317), and the service providing apparatus 5 performs an operation according to the authentication result (S318).

In this way, by transmitting the authentication result to both the mobile terminal 2 and the corporate server 4, the authentication control unit 121 not only informs the user U of the authentication result through the mobile terminal 2 but also allows the service providing device 5 to Actions will be taken depending on the authentication result.

For example, in the case of successful authentication (authentication OK), the ATM serving as the service providing device 5 assumes that the user U has been authenticated, permits the financial transaction by the user U, and displays, for example, a transaction menu screen. , for example, to allow entry of a PIN number to initiate a transaction.

As described above, according to this embodiment, when the legitimacy (authenticity) of the user U is obtained through biometric authentication or the like, the service providing device 5 handled by the user U is operated according to the result. Can be done. From the user U's point of view, he or she can use the service providing device 5 in conjunction with his or her own legitimacy, which gives him a sense of security. Furthermore, from the perspective of the service provider, it is possible to allow the user U to use the service providing device 5 with trust based on the user U's legitimacy.

Although the case where the service providing device 5 is operated via the corporate server 4 has been illustrated, since it is sufficient that the service providing device 5 can operate according to the authentication result of the user U, the management server can be operated without going through the corporate server 4. 1 may directly transmit the authentication result to the service providing apparatus 5, and the service providing apparatus 5 may operate according to the authentication result.

Further, in this embodiment, although the case where the validity (authenticity) of the user U is proved by biometric authentication is illustrated, the authentication method is not limited to biometric authentication, and other authentication methods may be applied.

The management server 1 records the authentication result received from the certification authority server 6 in the integrated database unit 10 (S319).

For example, the management server 1 may record billing information related to authentication processing requested to the certification authority server 6 in the integrated database unit 10.

Thereafter, the management control unit 110 of the management server 1 performs authentication control between the authentication processing unit 212 of the mobile terminal 2 and the authentication control unit 112 of the management server 1, and between the authentication execution unit 611 of the certification authority server 6 and the management server 1. Both bidirectional tunnels with the unit 112 are canceled (S321, S322).

(A-2-2) Modifications (a) In the operation description using FIG. 7 described above, the case where the authentication result by the authentication authority server 6 is a successful authentication is exemplified. If the authentication fails, the process returns to S301 in FIG. 7 again and the process is repeated, and an authentication request is sent to the certification authority server 6 through the management server 1. In other words, it is possible to retry authentication to the certification authority server 6. Even in that case, the management server 1 records information regarding processing exchanged between the mobile terminal 1 and the certification authority server 6 as a history in the integrated database unit 10.

Furthermore, if the number of retries exceeds the threshold, the user can also make an inquiry to the operator using, for example, (A-2-3) voice communication processing, which will be described later.

(b) In the operation description using FIG. 7, the case where the tag device 3 is installed in an ATM is illustrated. It can also be used to unlock the car upon successful authentication (S318 in FIG. 7).

In that case, if the user U does not use the vehicle (service providing device 5) for a predetermined period of time (for example, 5 minutes, etc.) after unlocking the vehicle, a process such as locking the key again may be performed.

(c) When using the authentication result cache 221 that has been successfully authenticated, after the NFC utilization processing unit 210 is activated on the mobile terminal 2 by NFC with the tag device 3, the processes of S101 to S108 in FIG. 7 are performed, for example. , at the time of the login request in S102, the NFC utilization processing unit 210 may also transmit the tag information to the management server 1 in addition to the login request. Thereby, even when using the authentication result cache 221, history information including tag information can be recorded in the integrated database unit 10.

(A-2-3) Voice Communication Processing FIG. 8 is a sequence diagram showing the operation of voice communication processing according to the embodiment.

In order for the NFC utilization processing unit 210 to operate effectively on the mobile terminal 2, it is assumed that the user U has completed the login to the management server 1.

For example, when a user U uses an ATM serving as a service providing device 5, the user U holds the mobile terminal 2 over the tag device 3, and the user U uses his or her mobile terminal 2 to make an inquiry to the operator. shall be carried out.

In this example, the tag information of the tag device 3 is, for example, "service identification information: voice communication", "purpose identification information: call center", "individual ID: OP9087", "company ID: HII-02", etc. .

The processes in S101 to S108 in FIG. 8 are basically the same as the processes explained in FIG. The tag information may be notified to the management control unit 110 in steps. Thereby, log information including tag information can be recorded in the integrated database unit 10 in advance.

A user U who wishes to make an inquiry to a call center operator holds the mobile terminal 2 over the tag device 3. When the mobile terminal 2 and the tag device 3 start NFC communication, this serves as a trigger, and the NFC utilization processing unit 210 is activated.

The tag information includes service identification information that specifies voice communication, and the mobile terminal 2 that receives the tag information from the tag device 3 using NFC uses the voice communication that corresponds to the service identification information included in the tag information. The communication unit 211 starts up (S200).

In the tag information of the tag device 3, destination information (for example, a telephone number, an IP address, etc.) to a call center is set in advance.

The NFC utilization processing unit 210 displays the telephone number of the call center server 7 included in the tag information on the display of the mobile terminal 2, and allows the user U to operate the mobile terminal 2 to call the call center server 7. A call is made (S201).

The voice communication unit 211 of the mobile terminal 2 transmits a call control signal (destination calling signal) to the address of the call center server 7 to the management server 1 (S202). At this time, the voice communication unit 211 of the mobile terminal 2 displays on the display of the mobile terminal 2 that the call center is being called (S203).

When the voice communication control unit 111 in the management server 1 receives the call control signal (calling signal to the other party) from the mobile terminal 2, it transfers the call control signal (calling signal) to the call center server 7 (S204).

The call center server 7, which connects a plurality of operator terminals, calls an operator from one of the operator terminals (S205), and when the operator responds (S206), sends a response signal (call center response) to the management server 1. A reply is sent (S207). Note that various methods can be widely applied to the selection method of the operator terminal in the call center and the processing related to call connection with the operator terminal.

When the voice communication control unit 111 in the management server 1 receives the response signal (call center response) from the call center server 7, it transfers the response signal to the mobile terminal 2 (S208).

Here, for example, some conventional call centers connected to an ATM belong to a private network depending on their operation. In that case, the problem of NAT crossing may occur, and the problem may arise that a call connection between the mobile terminal 2 and the operator terminal of the call center cannot be established.

Therefore, the voice communication control unit 111 of the management server 1 may be provided with an address resolution function that allows conversion between global addresses and private addresses. For example, the voice communication control unit 111 performs address/port resolution negotiation with the NFC utilization processing unit 210 of the mobile terminal 2 and the call center server 7, respectively, and performs address/port resolution (S209, S210).

Thereafter, a call (call path) is established between the mobile terminal 2 and the operator terminal of the call center, and the user U and the operator communicate (S211).

When the call ends (S212) and the voice communication unit 211 of the mobile terminal 2 transmits a control signal indicating the end of the call to the voice communication control unit 111 of the management server 1 (S213), the call (call path) is disconnected. (S214).

Then, the voice communication control unit 111 transmits a control signal indicating the end of the call to the call center server 7 (S215), and the call ends (S216).

In the management server 1, the voice communication control unit 111 records information related to the call (for example, call time, call history, billing information related to the call, etc.) in the integrated database unit 10 (S217).

(A-3) Effects of Embodiment As described above, according to this embodiment, by providing a tag device that performs near field communication (NFC) and a management server that controls the system, a business operator can The cost of introducing dedicated devices and communication costs can be reduced. Furthermore, since the authentication authority handles the registration and management of facial information, conventional countermeasures against identity spoofing can be taken.

(B) Other Embodiments Although various modified embodiments have been mentioned in the embodiments described above, the present invention can also be applied to the following modified embodiments.

(B-1) In the explanation of the operation of the embodiment described above, two cases of authentication processing and voice communication processing were illustrated, but it is also possible to combine the respective operations. That is, in operating the ATM, authentication processing and voice communication processing using NFC with the tag device 3 may be performed.

(B-2) In the above-described embodiments, face authentication using a camera was described, but biometric authentication may be performed using a fingerprint authentication device installed in recent smartphones in addition to iris authentication using a camera.

Regarding tag devices, QR codes (registered trademarks) etc. may be used as identification means for dedicated apps, and targets that can be controlled according to the verification results are not only cars, but also ATMs, entrance/exit management systems, and counters. It can be widely applied to applications that require confirmation.

DESCRIPTION OF SYMBOLS 1... Management server, 10... Integrated database unit, 11... Control unit, 110... Management control unit, 111... Voice communication control unit, 112... Authentication control unit, 121... Authentication control unit, 12... Communication unit, 13... Storage unit ,
2...Mobile terminal, 21...Control unit, 210...NFC utilization processing unit, 211...Voice communication unit, 212...Authentication processing unit, 221...Authentication result cache, 22...Storage unit, 23...Near field communication unit, 24... Camera, 25... Position information acquisition unit, 26... Microphone, 27... Speaker, 28... Biosensor, 29... Communication unit,
3...Tag device, 31...Near field communication unit, 32...Storage unit, 33...Control unit,
4...Company server, 41...Control unit, 42...Storage unit, 43...Communication unit,
5...Service providing device, 51...Control unit, 52...Communication unit,
6... Certification agency server, 60... Customer database unit, 61... Control unit, 611... Authentication execution unit, 62... Communication unit, 63... Storage unit,
7...Call center server, 9...Service providing system.

Claims (6)

an application execution device that is provided with a service identification means having service identification information that identifies a service to be provided to a user, and that executes an application using the service;
a mobile terminal that acquires the service identification information from the service identification means and performs processing corresponding to the service identification information;
a service execution device that executes a service corresponding to the service identification information;
Based on the service request information including the service identification information from the mobile terminal, the service mediates processing between the mobile terminal that is the request source and the service execution device that is the request destination. An information processing system comprising: an information processing device that provides a result from a certain service execution device to the mobile terminal and the application execution device. the service includes authentication processing of the user;
The mobile terminal includes authentication information acquisition means for acquiring authentication information from the user,
The service execution device executes authentication processing,
The information processing device
providing information including the authentication information of the user from the mobile terminal to the service execution device to execute an authentication process;
providing the authentication result obtained from the service execution device to the mobile terminal and the application execution device;
The information processing system according to claim 1, wherein the application execution device performs an operation according to the authentication result. the service includes voice communication processing;
The mobile terminal includes a voice communication means for performing voice communication,
The service execution device includes means for responding to calls by voice communication,
The information processing system according to claim 1 or 2, wherein the information processing device performs a call connection between the mobile terminal and the call handling means of the service execution device. 3. The information processing system according to claim 1, wherein the information processing apparatus includes information storage means for storing information regarding processing executed between the mobile terminal and the service execution apparatus. The mobile terminal acquires service identification information that identifies a service to be provided to the user from a service identification means attached to the application execution device, and performs processing corresponding to the service identification information,
The information processing device
Mediating processing between the mobile terminal that is a request source and a service execution device that is a request destination based on service request information including the service identification information from the mobile terminal;
An information processing method characterized in that a result from the service execution device that is a request destination is provided to the mobile terminal and the application execution device. an application execution device that is provided with a service identification means having service identification information that identifies a service to be provided to a user, and that executes an application using the service;
a mobile terminal that acquires the service identification information from the service identification means and performs processing corresponding to the service identification information;
an information processing device connected to a service execution device that executes a service corresponding to the service identification information;
means for mediating processing between the mobile terminal that is a request source and the service execution device that is a request destination based on service request information including the service identification information from the mobile terminal;
An information processing device comprising: means for providing a result from the service execution device that is a request destination to the mobile terminal and the application execution device.

Images