JP3993132B2 - Online authentication device, online authentication system, and online authentication method - Google Patents

Description

[0001]
BACKGROUND OF THE INVENTION
The present invention relates to an online authentication device, an online authentication system, and an online authentication method.
[0002]
[Prior art]
Conventionally, there has been an on-line authentication method for a portable terminal using a password. Since this conventional technique does not relate to a so-called document known invention, there is no prior art document information to be described.
[0003]
[Problems to be solved by the invention]
However, the conventional online authentication method has a problem that a portable terminal cannot be specified only by a password.
[0004]
The present invention has been made to solve the above-described problem, and an object thereof is to provide an online authentication method and the like capable of specifying a mobile terminal.
[0005]
[Means for Solving the Problems]
In order to solve the above problems, an online authentication device according to the present invention is an online authentication device for authenticating a mobile terminal, which includes display data displayed on the screen of the mobile terminal and non-display data not displayed on the screen of the mobile terminal. Source code storage means for storing source code configured by: source code transmission means for transmitting source code to a mobile terminal in response to a source code transmission request of the mobile terminal; non-display data of the source code from the mobile terminal Source code receiving means, source code non-display data received by the source code receiving means and source code non-display data stored in the source code storage means It is characterized by that.
[0006]
Of the information included in the source code, only the display data is displayed on the screen of the mobile terminal, and the non-display data is not displayed. Therefore, it is difficult for other mobile terminal users to acquire the non-display data. Therefore, the source code collating means collates the non-display data of the source code transmitted from the mobile terminal and the non-display data of the source code stored in the source code storage means, thereby enabling the identification of the mobile terminal. Become. Since this non-display data is sent back to the mobile terminal from the online authentication device, the mobile terminal can be identified without using information stored in advance in the mobile terminal.
[0007]
The online authentication device of the present invention includes a challenge code generating means for randomly generating a challenge code, a challenge code storing means for storing the challenge code generated by the challenge code generating means, and a challenge code generating means for generating the challenge code on the portable terminal. A challenge code transmitting means for transmitting the challenge code, a challenge code receiving means for receiving a challenge code transmitted from a terminal other than the mobile terminal, a challenge code received by the challenge code receiving means, and a challenge code storage means It is preferable that a challenge code collating unit for collating the stored challenge code is provided.
[0008]
The online authentication device of the present invention authenticates using the challenge code, thereby confirming that the mobile terminal has received the above authentication by the online authentication device of the present invention using a terminal other than the authenticated mobile terminal. can do.
[0009]
An online authentication system according to the present invention includes the above-described online authentication device and a mobile terminal. The mobile terminal receives a source code transmitted from the online authentication device, and a source received by the reception unit. Storage means for storing the code and transmission means for transmitting the non-display data of the source code stored in the storage means to the online authentication device are provided.
[0010]
According to the online authentication system of the present invention, only the display data of the information included in the source code is displayed on the screen of the mobile terminal, and the non-display data is not displayed. It is difficult to get. Therefore, the source code collating unit of the online authentication device collates the non-display data of the source code transmitted from the portable terminal with the non-display data of the source code stored in the source code storage unit of the online authentication device. , The mobile terminal can be specified. Since this non-display data is sent back to the mobile terminal from the online authentication device, the mobile terminal can be identified without using information stored in advance in the mobile terminal.
[0011]
In the online authentication system of the present invention, it is also preferable that the source code transmission means of the online authentication device encrypts and transmits the source code, and the reception means of the mobile terminal decrypts the source code after receiving the source code. Since the source code is encrypted and transmitted / received, the possibility that the source code is obtained and decrypted by a third party is reduced.
[0012]
In the online authentication system of the present invention, it is also preferable that the transmission means of the mobile terminal encrypts and transmits the non-display data, and the source code reception means of the online authentication apparatus decrypts the non-display data after receiving the non-display data. Since the non-display data is encrypted and transmitted / received, the possibility that the non-display data is acquired and decrypted by a third party is reduced.
[0013]
In order to solve the above problems, an online authentication method of the present invention is an online authentication method for authenticating a mobile terminal, which is stored in a source code storage means in the mobile terminal in response to a source code transmission request of the mobile terminal. Source code transmission step for transmitting source code composed of display data displayed on the screen of the mobile terminal and non-display data not displayed on the screen of the mobile terminal, and receiving non-display data of the source code from the mobile terminal A source code receiving step, and a source code collating step for collating the hidden data of the source code received in the source code receiving step with the hidden data of the source code stored in the source code storage means Features.
[0014]
Of the information included in the source code, only the display data is displayed on the screen of the mobile terminal, and the non-display data is not displayed. Therefore, it is difficult for other mobile terminal users to acquire the non-display data. Therefore, in the source code collation step, it is possible to identify the portable terminal by collating the hidden data of the source code transmitted from the portable terminal with the hidden data of the source code stored in the source code storage means. Become. Since this non-display data is sent back to the mobile terminal from the online authentication device, the mobile terminal can be identified without using information stored in advance in the mobile terminal.
[0015]
The online authentication method of the present invention includes a challenge code generation step for randomly generating a challenge code, a challenge code storage step for storing the challenge code generated in the challenge code generation step, and a challenge code generation step in the portable terminal. A challenge code transmitting step for transmitting the challenge code, a challenge code receiving means for receiving a challenge code transmitted from a terminal other than the mobile terminal, a challenge code received in the challenge code receiving step, and a challenge code storage means Preferably, the method includes a challenge code verification step of verifying the stored challenge code.
[0016]
Since the online authentication method of the present invention includes the step of authenticating using a challenge code, the mobile terminal has received the above authentication by the online authentication method of the present invention using a terminal other than the authenticated mobile terminal. I can confirm that.
[0017]
The online authentication method of the present invention includes a fixed challenge code receiving step for receiving a fixed challenge code transmitted from a terminal other than a portable terminal, a fixed challenge code received in the fixed challenge code receiving step, and a fixed challenge code storage means. A fixed challenge code verification step for verifying the stored fixed challenge code, an available time setting step for setting an available time of the fixed challenge code according to the verification performed in the source code verification step, It is preferable to include a usage time determination step of determining whether or not a fixed challenge code is received within the available time set in the time setting step.
[0018]
By using a fixed challenge code, it is possible to confirm that the mobile terminal has received the above authentication by the online authentication method of the present invention using a terminal other than the authenticated mobile terminal. It is possible to save the trouble of confirming a different challenge code each time and inputting it to a terminal other than the mobile terminal. Also, since the usage time of the fixed challenge code is limited to the available time set in the available time setting step according to the verification in the source code verification step, authentication by verification in the source code verification step It is possible to prevent a person who has not received authentication from using a fixed challenge code.
[0019]
The online authentication method according to the present invention includes a useable number setting step for setting the number of times a fixed challenge code can be used in response to a check in the source code check step, and reception of a fixed challenge code in the fixed challenge code receiving step. It is preferable to include a usage count determination step for determining whether or not the number of times is within the usage count set in the usage count setting step.
[0020]
By limiting the number of times the fixed challenge code is received, impersonation by a person who is not a holder of the fixed challenge code can be prevented more reliably.
DETAILED DESCRIPTION OF THE INVENTION
DESCRIPTION OF EXEMPLARY EMBODIMENTS Hereinafter, exemplary embodiments of an online authentication device, an online authentication system, an online authentication method, an online authentication program, and a recording medium on which an online authentication program is recorded will be described in detail with reference to the accompanying drawings. In addition, the same code | symbol is attached | subjected to the same element in each drawing, and the overlapping description is abbreviate | omitted.
[0021]
First, a functional configuration of the online authentication system of the present embodiment will be described. FIG. 1 is a diagram showing a functional configuration of the online authentication system of the present embodiment. The online authentication system of the present embodiment receives authentication by the authentication server 2 at a store A where the user Y of the mobile phone 1 provides the service X for the service X that can be used only by the user Y holding the specific mobile phone 1. Used for. As shown in FIG. 1, the online authentication system of this embodiment includes a mobile phone 1, an authentication server 2 that functions as an online authentication device that authenticates that a user Y is using the mobile phone 1, and a store A. A store terminal 3 that is installed and requests the authentication server 2 to authenticate that the user Y is using the mobile phone 1 is provided.
[0022]
The authentication server 2 includes a communication unit 202 that functions as a transmission unit and a reception unit for the source code and challenge code (one-time password) of the issuance page including the electronic membership card of the service X, the storage unit 204, and the acquisition qualification information Acquisition credential verification unit 206 for verifying a password for acquisition, issue page serial number verification unit 208 for verifying an issue page serial number that is a key for authenticating the mobile phone 1, issue page generation number (the issue page) Issuance page generation number collation unit 210 that collates the issuance password that is a key for authenticating user Y, and a challenge using a random number. A challenge code generator 214 for randomly generating a code and a challenge code Comprising a challenge code collation unit 216 for engagement. The operation of each functional component of the authentication server 2 will be described in the operation of the online authentication system described later.
[0023]
The storage unit 204 stores a user management table 204a, an issued page management table 204b, and an authentication information table 204c. FIG. 2 is a configuration diagram of the user management table 204a. The user management table 204a includes a user ID field in which the user ID of the user Y is recorded, a name field in which the name of the user Y is recorded, an acquisition qualification information field in which the acquisition qualification information of the user Y is recorded, and an issue password of the user Y Issuance password field and issuance number field in which the number of issuances of the issuance page is recorded.
[0024]
FIG. 3 is a configuration diagram of the issued page management table 204b. The issue page management table 204b records an issue page serial number field in which the serial number of the issue page is recorded, a user ID field, an issue page generation number field in which the issue page generation number is recorded, and a machine number of the mobile phone 1. An issue page use machine number field is provided.
[0025]
FIG. 4 is a configuration diagram of the authentication information table 204c. In the authentication information table 204c, the authentication information number field in which the management number of authentication information is recorded, the user ID field, the challenge code field in which the challenge code generated by the challenge code generation unit 214 is recorded, and the use of the challenge code is completed A usage completion flag field in which a flag indicating whether or not a challenge code is recorded, a usage count field in which the number of times the challenge code can be used are recorded, and an available time field in which the available time of the challenge code is recorded.
[0026]
As shown in FIG. 1, the mobile phone 1 includes a communication unit 12, a storage unit 14, a display unit 16, and an input unit 18. The communication unit 12 functions as a transmission unit and a reception unit for the source code and challenge code of the issued page. The storage unit 14 has a function of storing the source code of the issued page received by the communication unit 12. The display unit 16 has a function of displaying only display data among the data included in the source code of the issue page on the screen. That is, non-display data (data other than display data) included in the source code of the issue page is not displayed on the screen. As a means for storing the entire source code or only the non-display data in the storage unit 14, a function for storing a screen displayed on the display unit 16 of the mobile phone 1 or a predetermined application program is used. The issued page serial number and the issued page generation number are included in the non-display data. A user ID, an issued password, and the like are input to the mobile phone 1 by the input unit 18.
[0027]
The store terminal 3 includes a communication unit 32 that functions as a transmission unit and a reception unit for a challenge code and an authentication result, a display unit 34 that displays the authentication result, and an input unit 36 that is used to input the challenge code to the store terminal 3. When a transaction is made on a Web site, a general-purpose user's personal computer corresponds to this.
[0028]
Next, the operation of the online authentication system of this embodiment will be described. 5 and 6 are flowcharts showing the operation procedure of the online authentication system of the present embodiment. FIG. 7 is a diagram showing a screen of the mobile phone 1.
[0029]
In the user management table 204a, the user ID, name, acquisition qualification number, and issue password of the user Y who is a member of the service X are recorded in advance. The user ID, the acquisition qualification number, and the issued password are notified to the user Y in advance.
[0030]
User Y uses mobile phone 1 to access the issued page acquisition site. User Y selects an issue page issue request on the screen shown in FIG. 7A, and further inputs a user ID and acquisition qualification information on the screen shown in FIG. 7B. The communication unit 12 of the mobile phone 1 transmits a user ID and acquisition qualification information to the authentication server 2 at the same time as a signal requesting issuance of an issue page (S501).
[0031]
The communication unit 202 of the authentication server 2 receives a signal requesting issuance of an issuance page, a user ID, and acquisition qualification information (S502).
[0032]
The acquisition qualification information collation unit 206 collates whether the acquisition qualification information received by the communication unit 202 matches the acquisition qualification information recorded in the user management table 204a (record corresponding to the user ID of the user Y) ( S503). If they match, the acquired qualification information collation unit 206 sets the number of issuances recorded in the user management table 204a and the issuance page generation number recorded in the issuance page management table b (record corresponding to the user ID of the user Y). Update (S504). In the case of the first issue page issue, a unique issue page serial number is written in the issue page management table 204b (record corresponding to the user ID of the user Y). The issued page serial number and the user ID are linked in the issued page management table 204b. When the machine number of the mobile phone 1 is detected by the authentication server 2, the machine number is written in the issued page management table 204 b (record corresponding to the user ID of the user Y). The communication unit 202 transmits the source code of the issued page to the mobile phone 1 (S505). When the communication unit 202 transmits the source code to the mobile phone 1, the issue page serial number and the issue page generation number included in the non-display data of the source code may be encrypted and transmitted. More specifically, the case where the issued page serial number is “123456”, the issued page generation number is “003”, and the encryption key is “9528783.724” will be described as an example. First, character strings are concatenated with the issue page serial number as an integer part and the issue page generation number as a decimal part to generate “123456.003”. The encryption key “9528783.724” is added to the generated result to generate “9652239.727”. The decimal point of the generated result is changed with a hyphen to generate “9652239-727” and the encryption is completed. If they do not match in S503, the communication unit 202 notifies the mobile phone 1 of an error (S514).
[0033]
The communication unit 12 of the mobile phone 1 receives the source code of the issued page (S506), and the storage unit 14 stores the source code (S507). At this time, if the issued page serial number and the issued page generation number included in the received non-display data of the source code are encrypted, they are decrypted. The decryption procedure is performed by reversing the above-described encryption procedure.
[0034]
The display unit 16 displays the cover of the issued page (mobile card) (shown in FIG. 7C) on the screen by the operation of the user Y (S508). User Y makes a screen memo on the issued cover using the screen memo function of the mobile phone. User Y uses the service from the issue page that has been screen-memorated. When the user Y selects the display of the membership card on the screen shown in FIG. 7C, the communication unit 12 simultaneously displays the non-display data of the source code of the issued page at the same time as the signal requesting the authentication server 2 to issue the challenge code. Is transmitted (S509). When the communication unit 12 transmits non-display data of the source code, the issue page serial number and the issue page generation number included in the non-display data of the source code may be encrypted and transmitted. The encryption method described above is employed.
[0035]
The communication unit 202 of the authentication server 2 receives the signal for requesting the issue of the challenge code and the non-display data of the source code of the issued page (S510). At this time, if the issued page serial number and the issued page generation number included in the received non-display data of the source code are encrypted, they are decrypted. The decryption procedure is performed by reversing the above-described encryption procedure.
[0036]
The issued page serial number matching unit 208 refers to the issued serial number field of the issued page management table 204b and matches the issued page serial number (non-display information) included in the source code of the issued page received by the communication unit 202. The one to be searched is searched (S511). By this process, in conjunction with verification of an issue password (which is associated with a user ID in the user management table 204a), which will be described later, an issue page serial included in the source code of the issue page received by the communication unit 202 is obtained. The number (non-display information) and the issued page serial number corresponding to the user ID of the user Y recorded in the issued page management table 204b are collated.
[0037]
If there is a matching issuance page serial number in S511, the issuance page generation number verification unit 210 issues the issuance page generation number (non-display information) and issuance included in the source code of the issuance page received by the communication unit 202. The issued page generation number recorded in the page management table 204b (record corresponding to the issued page serial number) is collated (S512). By this process, it is checked whether the issued page is the latest one.
[0038]
If the issued page generation numbers match in S512, the communication unit 202 transmits a signal requesting the issued password to the mobile phone 1 (S513). If there is no matching issued page serial number in S511, or if the issued page generation number does not match in S512, the communication unit 202 notifies the mobile phone 1 of an error (S515).
[0039]
The display unit 16 of the mobile phone 1 displays the screen shown in FIG. 7D in response to the issued password request from the authentication server 2. The issued password is input to the mobile phone 1 by the operation of the user Y, and the communication unit 12 transmits the issued password to the authentication server 2 (S601).
[0040]
The communication unit 202 of the authentication server 2 receives the issued password (S602).
[0041]
The issuance password verification unit 212 records the issuance password received by the communication unit 202 and the user management table 204a (the record corresponding to the user ID of the user Y (associated with the issuance page serial number as described above)). It is verified whether the recorded issue password matches (S603). With this process, it is confirmed that the authentication requester is the user Y.
[0042]
If they match in S603, the challenge code generation unit 214 randomly generates a challenge code using a random number (S604), and the challenge generated in the authentication information table 204c (record corresponding to the user ID of the user Y). Write the code. In the authentication information table 204c (record corresponding to the user ID of the user Y), the available time (time limit) of the challenge code is written. When the challenge code is used for the number of times of use or when the available time has elapsed, the flag n indicating incomplete use recorded in the use completion flag field is rewritten to the flag y indicating completion of use. The communication unit 202 transmits the challenge code to the mobile phone 1 together with information indicating the available time and the number of times the challenge code can be used (S605). If they do not match in S603, the communication unit 202 notifies the mobile phone 1 of an error (S617).
[0043]
The communication unit 12 of the cellular phone 1 receives the information transmitted from the authentication server 2 in S605 (S606), and the display unit 16 includes the information indicating the name, challenge code, available time and number of times of use of the user Y A certificate (shown in FIG. 7E) is displayed on the screen of the mobile phone 1 (S607).
[0044]
User Y presents an electronic membership card to the store clerk of store A and conveys the user ID. The store clerk of the store A inputs the challenge code displayed on the electronic membership card and the user ID notified from the user Y to the store terminal 3 (S608). Furthermore, by the operation of the store clerk of the store A, the communication unit 32 transmits a user ID and a challenge code to the authentication server 2 simultaneously with a signal indicating a request for service provision authentication (S609).
[0045]
The communication unit 202 of the authentication server 2 receives a signal indicating a request for service provision authentication, a user ID, and a challenge code (S610).
[0046]
The challenge code collation unit 216 collates the challenge code received by the communication unit 202 and the challenge code recorded in the authentication information table 204c (record corresponding to the user ID of the user Y) (S611). If they match, the challenge code verification unit 216 refers to the authentication information table 204c (a record corresponding to the user ID of the user Y) and checks whether the use completion flag is n (S612).
[0047]
When the use completion flag is n in S612, the challenge code verification unit 216 determines an authentication result indicating that service provision is permitted (S613), and the challenge code does not match in S611 or is used in S612. If the completion flag is y, an authentication result indicating that service provision is not permitted is determined (S614). By this processing, the person who requested authentication to the store clerk of the store A is the user Y who has been authenticated by the processing up to S603, and the mobile phone presented by this person is the mobile phone 1 which has been authenticated by the processing up to S603. It is confirmed that there is.
[0048]
The communication unit 202 transmits the authentication result to the store terminal 3 (S615).
[0049]
The communication unit 32 of the store terminal 3 receives the authentication result (S616).
[0050]
Next, the operation and effect of the online authentication system of the present embodiment that performs the above operation will be described. Since the hidden data (including the issued page serial number and the issued page generation number) is not displayed on the screen of the mobile phone 1 in the source code of the issued page, the hidden data stored in the mobile phone 1 by other parties is not displayed. It is difficult to get. Therefore, a person who can acquire the challenge code is limited to a person who knows the issue password and possesses the mobile phone 1 storing the source code of the issue page. As a result, it becomes possible to specify the mobile phone used for the authentication request together with the authentication requester by the processing up to S603. In this way, it is possible to identify the terminal without using a unique number for the mobile phone, so it is possible to identify the terminal without notifying the number unique to the mobile phone from the communication carrier, which is a service for the communication carrier. It is easy to build a system that does not depend on it.
[0051]
Further, through the processing after S604, the store clerk of the store A can confirm that the authentication processing up to S603 has been performed using a terminal (store terminal 3) other than the mobile phone 1.
[0052]
By using the issuance page serial number as an authentication key, for example, even when the user ID is changed, the user keeps the source code of the issuance page recorded in the screen (stored in the storage unit 14) as it is. Can be used. Further, by sharing the issuance page serial number, for example, the issuance page can be used as a common ID that can be commonly used among the A company, the B company, and the C company. That is, if the parent company A discloses only the issue page serial number of the issue page management table 204b shown in FIG. 3 to the child companies B and C, the child company side discloses the issued page serial number disclosed. Based on the above, it is possible to configure the issue page management view unique to the child company. As a result, the authentication requester can use the services of all operators A, B, and C on the same issue page. By applying this, for example, the parent company can realize an authentication method that can be used by the child company while keeping the confidentiality of various information (name, mobile phone number, etc.) of the user.
[0053]
In addition, the user ID often uses an existing number such as an employee number or a member number, so that it is easy to specify a target person for the service. On the other hand, the issued page serial number is a number that is unrelated to the user attribute associated with the user ID on the server side. Therefore, even if an illegal packet sniffer (peep) is received between the server and the mobile phone, the service target person cannot be specified only by the issued page serial number. Therefore, high security can be realized by using the issued page serial number.
[0054]
Conventional one-time passwords have to have a separate token (physical medium for issuing one-time passwords). In the present embodiment, a challenge code generated by the authentication server can be acquired using a mobile phone possessed by a user with a high (temporal) ratio. This eliminates the need for the user to have a separate token. Since ordinary tokens require sophisticated security calculation functions, the medium itself is expensive, and operations such as distribution and token updating are difficult. However, in this embodiment, the user can use a normal mobile phone simply by providing the authentication server with a challenge code generation function, so that the cost can be reduced. As described above, the challenge code authentication using the mobile phone according to the present embodiment makes it possible to realize an authentication service that is highly convenient for both the user and the service provider.
[0055]
The authentication process according to the above procedure using the online authentication system of the present embodiment is also an embodiment of the online authentication method of the present invention. According to the online authentication method according to this embodiment, the same operation and effect as the authentication processing by the above-described online authentication system of this embodiment can be obtained.
[0056]
Next, the online authentication program 8 and the recording medium 9 on which the online authentication program 8 is recorded will be described. FIG. 8 is a configuration diagram of the recording medium 9. The online authentication program 8 is recorded in the program area of the recording medium 9, and the communication module 802, the acquired qualification information verification module 806, the issued page serial number verification module 808, and the issued page generation number verification module 810 are included as components. , An issue password verification module 812, a challenge code generation module 815, and a challenge code verification module 816. A communication module 802, an acquired qualification information collation module 806, an issuance page serial number collation module 808, an issuance page generation number collation module 810, an issuance password collation module 812, a challenge code generation module 815, and a challenge code collation module 816 are described later. By executing the online authentication program 8 using the computer 4, the communication unit 802, the acquired qualification information verification unit 806, the issued page serial number verification unit 808, the issued page generation number verification unit 810, the issue password of the authentication server 2 described above. It functions similarly to the collation unit 812, the challenge code generation unit 815, and the challenge code collation unit 816.
[0057]
In the data area of the recording medium 9, a user management table 204a, an issued page management table 204b, and an authentication information table 204c are recorded.
[0058]
FIG. 9 is a diagram showing a physical configuration of the computer 4 on which the online authentication program 8 is executed. The computer 4 includes a central processing unit (CPU) 42, a work memory 44 in which an operating system is resident, a reading device 46, a communication device 47, and a storage device 48 as physical components.
[0059]
When the recording medium 9 is inserted into the reading device 46, information recorded on the recording medium 9 becomes accessible from the reading device 46, and the online authentication program 8 recorded in the program area of the recording medium 9 is executed by the computer 4. The computer 4 operates in the same manner as the authentication server 2 and has the same operations and effects.
[0060]
In the above embodiment, an example has been described in which the challenge code is changed for each use, that is, used as a one-time password. However, the challenge code may be fixedly used. Fixing the challenge code means that the challenge code that is always issued is the same, which means that it looks the same as normal password authentication from the user's viewpoint, but the difference is large. The difference between an example of using a fixed challenge code and normal password authentication is shown below. As an example, a usage form in which a fixed challenge code (eg, 1234) is input after the processing from S509 to S603 is completed is shown. In this case, the available time setting unit of the authentication server sets the available time (for example, 60 seconds) of the fixed challenge code. This set information is transmitted and displayed on the mobile phone used by the user (shown in FIG. 7 (f)). When a signal (user ID and fixed challenge code) indicating a request for service provision authentication is transmitted from the store terminal, the usage time determination unit of the authentication server performs fixed challenge within the available time in addition to the verification of the fixed challenge code. Determine whether a code has been received. The authentication server determines an authentication result indicating that the service provision is permitted only when it is determined by the usage time determination unit that the fixed challenge code is received within the available time. This time constraint is the biggest difference from normal password authentication. In other words, if a fixed challenge code is input to the store terminal even though the authentication process of the authentication server (the process up to S603) is not performed, it is assumed that a person other than the user has illegally accessed the service. Deny.
[0061]
As a precondition for performing authentication processing (processing up to S603) of the authentication server, it is necessary to use the mobile phone that has acquired the issued page, as shown in the flow shown in FIGS. Therefore, the service authentication cannot be received unless the mobile phone of the authorized user is possessed. Also, even if a user's mobile phone is illegally obtained, permission to use the service cannot be obtained unless the fixed challenge code (1234) is known. For this reason, it works in the same way as a normal password. In addition, the use of a fixed challenge code greatly contributes to user convenience. That is, it is possible to save the user's trouble of inputting a challenge code that is changed every time. As a result, it is possible to provide an authentication system that does not impair user convenience while maintaining security to some extent. Note that when the challenge code is randomly generated and used as described above, although the number of authentication procedures is increased, the accuracy of security is improved.
[0062]
FIG. 10 is a diagram showing a functional configuration of an online authentication system using a fixed challenge code. FIG. 11 is a configuration diagram of the authentication information table 504c. The authentication server 5 in this embodiment includes a fixed challenge code verification unit 514, an available time setting unit 516, and a usage time determination unit 518 instead of the challenge code generation unit 214 and the challenge code verification unit 216. The storage unit 214 stores an authentication information table 504c instead of the authentication information table 204c. The available time setting unit 516 sets the available time of the fixed challenge code and writes it in the available time field of the authentication information table 504c when the issued password verification unit 212 confirms that the issued password matches. The usage time determination unit 518 confirms that the input time of the fixed challenge code acquired from the store terminal 3 is within the available time (available time set by the available time setting unit 516) of the authentication information table 504c. . The challenge code collation unit 514 collates the fixed challenge code transmitted from the store terminal 3 with the fixed challenge code in the authentication information table 504c, and determines an authentication result indicating that service provision is permitted when the two match.
[0063]
FIG. 12 is a configuration diagram of the recording medium 11 on which the online authentication program 10 using the fixed challenge code is recorded. The online authentication program 10 includes a fixed challenge code verification module 1014, an available time setting module 1016, and a usage time determination module 1018 instead of the challenge code generation module 814 and the challenge code verification module 816. Further, an authentication information table 504c is stored in the data area of the recording medium 11 instead of the authentication information table 204c. The fixed challenge code verification module 1014, the available time setting module 1016, and the usage time determination module 1018 execute the online authentication program 10 using the computer 4, respectively, so that the fixed challenge code verification unit 514 and the available time described above are executed. It functions in the same manner as the setting unit 516 and the usage time determination unit 518.
[0064]
Further, in the embodiment using the above-described fixed challenge code, the useable number setting unit of the authentication server sets the useable number of fixed challenge codes, and the use number determining unit sets the fixed challenge code by the authentication server. It is preferable to determine whether or not the number of receptions is within the set number of uses.
[0065]
FIG. 13 is a diagram illustrating a functional configuration of an online authentication system that limits the number of times the fixed challenge code is received. FIG. 14 is a configuration diagram of the authentication information table 604c. The authentication server 6 in this embodiment includes a useable number setting unit 620 and a use number determination unit 622. The storage unit 204 stores an authentication information table 604c instead of the authentication information table 504c. The authentication information table 604c includes an available number field and a reception number field.
[0066]
When the issuance password matching unit 212 confirms that the issued password matches, the available number setting unit 620 sets the number of times that the fixed challenge code can be used and writes it in the available number field of the authentication information table 604c. The number-of-uses determination unit 622 sets the number of times the fixed challenge code has been received since the number of times the fixed challenge code can be used is set to the number-of-uses field of the authentication information table 604c ) Is confirmed. The challenge code verification unit 514 compares the fixed challenge code transmitted from the store terminal 3 with the fixed challenge code in the authentication information table 604c, and determines an authentication result that permits service provision when both match, If they do not match, the reception count field of the authentication information table 604c is updated.
[0067]
As described above, by limiting the number of times of reception (usable number of times) as well as the time of use of the fixed challenge code, impersonation by a person who is not a holder of the fixed challenge code can be prevented more reliably.
[0068]
In the description of the fixed challenge code, an example in which information is input and transmitted from the store terminal 3 is shown, but an information communication terminal that is connected to the Internet and capable of transmitting and receiving information is not a terminal installed in the store (WEB terminal) may be used.
[0069]
【The invention's effect】
As described above, according to the online authentication device, online authentication system, online authentication method, online authentication program, and recording medium on which the online authentication program of the present invention is recorded, an online authentication method capable of specifying a mobile terminal is realized. Is done.
[Brief description of the drawings]
FIG. 1 is a diagram illustrating a functional configuration of an online authentication system according to an embodiment.
FIG. 2 is a configuration diagram of a user management table 204a.
FIG. 3 is a configuration diagram of an issued page management table 204b.
FIG. 4 is a configuration diagram of an authentication information table 204c.
FIG. 5 is a first flowchart showing an operation procedure of the online authentication system of the present embodiment.
FIG. 6 is a second flowchart showing the operation procedure of the online authentication system of the present embodiment.
7 is a diagram showing a screen of the mobile phone 1. FIG.
8 is a configuration diagram of a recording medium 9. FIG.
FIG. 9 is a diagram showing a physical configuration of the computer 4 on which the online authentication program 8 is executed.
FIG. 10 is a diagram showing a functional configuration of an online authentication system using a fixed challenge code.
FIG. 11 is a configuration diagram of an authentication information table 504c.
FIG. 12 is a configuration diagram of a recording medium 11 on which an online authentication program 10 using a fixed challenge code is recorded.
FIG. 13 is a diagram showing a functional configuration of an online authentication system that limits the number of times a fixed challenge code is received.
FIG. 14 is a configuration diagram of an authentication information table 604c.
[Explanation of symbols]
DESCRIPTION OF SYMBOLS 1 ... Mobile phone, 12 ... Communication part, 14 ... Storage part, 16 ... Display part, 18 ... Input part, 2 ... Authentication server, 202 ... Communication part, 204 ... Storage part, 204a ... User management table, 204b ... Issue page Management table, 204c ... authentication information table, 206 ... acquired qualification information verification unit, 208 ... issue page serial number verification unit, 210 ... issue page generation number verification unit, 212 ... issue password verification unit, 214 ... challenge code generation unit, 216 ... Challenge code verification unit, 3 ... Store terminal, 32 ... Communication unit, 34 ... Display unit, 36 ... Input unit, 8 ... Online authentication program, 802 ... Communication module, 806 ... Acquired qualification information verification module, 808 ... Issued page serial Number verification module, 810... Issued page generation number verification module, 812. 814 ... Challenge code generation module, 816 ... Challenge code verification module, 9 ... Recording medium, 4 ... Computer, 44 ... Working memory, 46 ... Reading device, 47 ... Communication device, 48 ... Storage device, 5 ... Authentication server 514 ... Fixed challenge code verification unit, 516 ... Usable time setting unit, 518 ... Usage time determination unit, 504c ... Authentication information table, 11 ... Recording medium, 1014 ... Fixed challenge code verification module, 1016 ... Available time setting module DESCRIPTION OF SYMBOLS 1018 ... Usage time judgment module, 6 ... Authentication server, 620 ... Usable frequency setting part, 622 ... Usage frequency judgment part, 604c ... Authentication information table.

Claims (1)

An online authentication method in which an online authentication device authenticates a mobile terminal,
  The communication unit of the mobile terminal transmits an issuance request for an issuance page, a user ID for identifying the user of the mobile terminal, and acquisition qualification information to the online authentication device;
  The communication unit of the online authentication device receives the transmitted issuance request, user ID, and acquisition qualification information;
  The acquired qualification information matching unit of the online authentication device compares the acquired qualification information received by the communication unit with the acquired qualification information recorded in the user management table, and is recorded in the user management table only when they match. Updating the issued page generation number recorded in the issued page management table and the issued page management table;
  The communication unit of the online authentication device transmits a source code including, as non-display data, an issue page serial number for specifying the issue page and the issue page generation number to the mobile terminal,
  A communication unit of the mobile terminal receiving the transmitted source code;
  The display unit of the mobile terminal displaying an issue page corresponding to the received source code;
  In response to a challenge code issuance request input to the displayed issuance page, the communication unit of the mobile terminal is included in the source code together with the challenge code issuance request for the online authentication device. Transmitting an issue page serial number and the issue page generation number;
  The communication unit of the online authentication device receives the issued challenge code issue request, the issued page serial number, and the issued page generation number;
  The issue page serial number verification unit of the online authentication device compares the received issue page serial number with the issue page serial number stored in the issue page management table;
  The issue page generation number collation unit of the online authentication device only receives the issue page generation number received by the communication unit of the online authentication device and the issue page management only when the issue page serial number that matches as a result of the collation exists. Checking the published page generation number recorded in the table;
  Only when the respective issued page generation numbers match as a result of the matching, the communication unit of the online authentication device transmits information requesting an issue password to the mobile terminal; and
  The communication unit of the mobile terminal receiving information requesting the transmitted issuance password;
  The communication unit of the mobile terminal displays information prompting the input of an issue password based on the information requesting the received issue password;
  In response to the display, the issue password input to the mobile terminal is transmitted by the communication unit of the mobile terminal to the online authentication device;
  The communication unit of the online authentication device receiving the transmitted issued password;
  A step of verifying an issue password received by the communication unit and an issue password recorded in the user management table;
  Only when each issued password matches as a result of the verification, the challenge code generation unit of the online authentication device generates a challenge code randomly and stores it in the authentication information table;
  The communication unit of the online authentication device transmits the generated challenge code to the mobile terminal;
  The communication unit of the mobile terminal receiving the transmitted challenge code;
  Displaying the received challenge code on the display unit of the mobile terminal;
  The challenge code and the user ID input to a terminal other than the portable terminal in response to the display are transmitted from the terminal to the online authentication device;
  The communication unit of the online authentication device receives the transmitted challenge code and user ID;
  The challenge code collation unit of the online authentication device collates the received challenge code with the challenge code recorded in the authentication information table, and determines the validity of the challenge code;
  A step of transmitting a result of the determination to the terminal by the communication unit of the online authentication device;
An online authentication method comprising:

Images