JP4858811B2 - Identification device - Google Patents

Description

The present invention reduces the burden on the user who stores information related to authentication such as user accounts and passwords required to identify individuals in various aspects of social activities, and provides an authentication environment with a high security level It is about how to do.

User accounts and passwords necessary for computer startup, server client configuration computer systems, and multiple member browsing sites on the Internet, and identification information and passwords such as account numbers required for various business transactions via the Internet, and Accurately storing information related to individual authentication such as a password that serves as a password linked to an account number when accessing a bank account from an ATM is a heavy burden on the user. Furthermore, in order to prevent fraud by a third party, it must be changed to a password that is difficult to remember regularly, which further increases the burden. Therefore, how to provide a user authentication method that reduces the burden on the user who stores the authentication information and has a high security level becomes an issue.

Previously proposed personal authentication methods use pre-registered password elements that are familiar to users and scramble elements that are unfamiliar in order, instead of commonly used passwords that are difficult to remember. In addition, a method of authenticating when a familiar password element is correctly selected is disclosed (for example, see Patent Document 1).

Japanese Patent Laid-Open No. 2002-197062

Regarding the invention described in Patent Document 1, in the past life of individual users who do not match others, it is relatively easy to keep in memory, and people who are currently familiar cannot know, or A method for further enhancing the operability and safety of the authentication method when specialized in an authentication method using a first and last name that has a low possibility of knowing and a first and last name that is not familiar to the user as a password element and a scramble element, respectively. Furthermore, when a password element familiar to the user has been correctly selected by a third party, it becomes a problem to provide the user with a means for detecting an unauthorized authentication by the third party. .

The purpose of the present invention is to solve these problems, and instead of using first and last names as password elements, the family names and first names constituting a plurality of first and last names registered in advance are intentionally separated. It becomes possible for the user who desires authentication to provide an authentication device with high safety and operability by collating the first and last names obtained by recombining the family name and the first name with the previously registered first and last names. . Furthermore, after confirming the authentication, the terminal desired by the user, for example, a mobile phone or the like is provided with a function of notifying the authentication action, and if it is determined that the authentication is an unauthorized authentication action by a third party, By disabling the authentication from the telephone, it is possible to provide an authentication device with a high security level.

[0007]
[Means for Solving the Problems]
For the purpose of solving the above-mentioned problem, the personal authentication device according to the invention of claim 1 stores in advance a plurality of extracted recognized first and last names that are stored in advance, and are extracted at random from the user's recognized first and last names. It is obtained by separating the family name and the first name into a combination target family name group and a combination target first name group, and combining the family name of the combination target family name group and the first name of the combination target first name group First name and last name are compared with the extracted recognized first and last name. This makes it possible to perform authentication only with the user's first and last names registered in advance.

In addition, the personal authentication device according to the invention of claim 2 stores in advance one or more extracted recognized first and last names of a user who desires authentication in advance and randomly extracts from the user's first and last names. A family name group to be combined and a first name group to be combined, and further, a mixed family name group in which a family name different from the family name of the user's recognized first and last name is mixed in the family name group to be combined, Generating a mixed first name group in which a first name different from the first name of the user's first and last names is mixed in the first group name to be combined, and the first name of the first family name and the first name of the first group name to be combined In combination with Or a combination of a first name of the mixed first name group and a family name of the family name group to be combined, or a combination of a family name of the mixed family name group and a first name of the mixed first name group First name and last name are compared with the extracted recognized first and last name. This can prevent unauthorized authentication of others and improve safety.

In addition, the personal authentication device according to the invention of claim 3 performs authentication only when the result of collating the first and last names selected by the user with the extracted first and last names on the screen for selecting the combination matches. This prevents a third party from attempting to authenticate by unauthorized access. Further, a signal that clearly indicates that the authentication is confirmed is output to another device that uses the signal as an authentication result.

According to a fourth aspect of the present invention, there is provided a personal authentication apparatus comprising the collating means, the authenticating means, a means for outputting a signal indicating that the authentication has been confirmed, and an apparatus having a computer function. A storage medium readable by the apparatus, for example, a USB type storage medium, an IC card, a mobile phone and an IC card, a storage medium of a reader of information stored in the storage medium of the mobile phone, etc. By providing, it becomes possible to authenticate the device.

Further, the personal authentication method according to the invention of claim 5 treats the user authenticated in claim 3 or 4 as an authorized user, and the authorized user further needs to approve an authorized user who performs mutual authentication. Assuming that there is an interdependence relationship, the approval user confirms whether or not to approve the authentication of the user to be approved from the information transmission destination terminal desired, and authenticates when the approval is confirmed Make it possible.

According to this authentication method, for example, a wife who is an authorized user who accesses a bank account from an ATM performs the authentication without using a cash card and a personal identification number in which the account number is stored when accessing a bank account. After confirmation, the husband who is the authorized user who is the account holder can approve after confirming with the mobile phone that the access is by the wife who has the trust relationship, so it is possible to prevent fraud become. Furthermore, if it is applied to the management of a computer system, after a system administrator who is an authorized user accessing an important database confirms the authentication, another system administrator who is in the position of the authorized user can go to the place of home or home. Even if you are present, it is possible to approve after confirming that the system administrator who is the authorized user is in a trust relationship with a mobile phone, etc., so that fraud caused by single access by the authorized user can be prevented in advance Is possible. It should be noted that both the approved user and the approved user are system administrators, and each system administrator cannot perform a single authentication act.

Further, the personal authentication method according to the invention of claim 6 notifies the terminal of the information transmission destination desired by the user authenticated in any one of claims 3 to 5 that the authentication is confirmed, and is further notified. If it is determined from the contents that the authentication is unauthorized, the authentication is invalidated, thereby making it possible to prevent unauthorized authentication.

According to the present invention, instead of a conventional password as verification information necessary for authentication, it is relatively easy to keep in memory and the third party does not know or may not know the burden on the user. The method of combining family names and first names that make up first and last names is an effective authentication means that improves user operability because multiple family names and first names can be presented on the same screen. . In addition, the security level that can confirm that the authentication has been confirmed by using a mobile phone or the like, for example, can take defensive measures such as increasing the number of surnames registered with the intention of the user who discovered fraud by a third party. It is possible to provide a high authentication environment.

Embodiments of the present invention will be described in detail below with reference to the drawings. The following embodiments are examples embodying the present invention, and do not limit the technical scope of the present invention. The authentication requesting terminal and the information transmission destination terminal described below are not particularly limited, and the terminal type is assumed to be a personal computer, a mobile phone, a PDA, etc., and further an ATM. However, a mobile phone that is normally owned by the user and not shared with others is desirable for the reason that it is assumed that important information related to authentication is received for the information transmission destination terminal desired by the user. Therefore, for convenience of explanation, an explanation will be made assuming that the information transmission destination terminal is a mobile phone. It is also assumed that the authentication processing unit is provided in the above-described IC card, mobile phone, USB type storage medium, and the like.

FIG. 1 is a block diagram showing a configuration of a personal authentication method according to the present embodiment. An authentication processing unit 20 including an input / output unit 21, a collation / authentication / approval unit 22, an information storage unit 23, a random information extraction / generation unit 24, and a mail transmission unit 25, and the user is both an authentication request terminal 11 and a mobile phone 12. The user area 10 expressing the range in which can be used, and the mail server 30 (hereinafter, the mail server 30 through which various information described later from the mail transmission unit 25 is transmitted to the information transmission destination terminal Are omitted if necessary.) Are respectively connected by a wired or wireless network. Each function will be described in detail below.

FIG. 2 explains each storage unit of the information storage unit 23 for authentication. The user information storage unit 100 stores a user identifier, a mail address as the information transmission destination, and a session identifier used for specifying a user to be authenticated in association with a user identifier (UID). The nationality information storage unit 101 stores the nationality used for classifying the nationality of the first and last names recognized by the user in association with the nationality identifier (CID). Further, the family name, first name, and nationality identifier of the first and last name, which are recognized by the user, are stored in the first and last name information storage unit 102 in association with the unique first and last name serial number (ID) and the user identifier. In the first and last name information storage unit, the first and last names of the same name and the same name recognized by the user are not redundantly stored.

FIG. 3 illustrates a flowchart for authenticating with a combined first and last name based on the user's memory. An authentication screen, which will be described later, presented to a user who is going to be authenticated by the authentication request terminal 11 differs depending on the object for which authentication is requested. For example, in a computer system with a server client configuration, server authentication is attempted through an authentication screen provided in the client computer. Therefore, although the authentication screen is not necessarily presented from the authentication processing unit 20, here, a member browsing site to be authenticated by the user will be described as an example. When accessing the URL of the member browsing site, an authentication screen is presented from the authentication processing unit 20 to the authentication requesting terminal 11 (step S100), and the user account of the user to be authenticated is input from the presented authentication screen and a send button is pressed. Press to transmit (step S101).

The verification / authentication / approval unit 22 performs verification based on whether or not the received user account is stored in the user information storage unit 100 (step S102), and when the verification result does not match (step S103 “NO”). The explanation is omitted, but the number of mismatches is counted. As a result, when the number of mismatches is within an arbitrarily specified number (step S104 “NO”), the process returns to step 100, and the authentication screen is presented to the user again to prompt the user to input a correct user account. If the specified number of times has been exceeded (“YES” in step S104), it is determined that the user is an unauthorized user, authentication is rejected, and the flow is terminated (step S105).

When the collation results match (step S103 “YES”), a session identifier for managing the session is generated and stored in the user information storage unit 100. Hereinafter, a method for generating the combination target family name group and the mixed first name group presented to the authentication request terminal 11 will be exemplified. The first and last name information combination screen 105 represents a form selected from the combinations of the family name group to be combined and the mixed first name group presented to the user.

As an example of generating the combination target family name group, in the family name identifier field of the record position randomly selected from the records stored in the full name information storage unit 102 in association with the user identifier specified from the user account, Family name identifiers from 1 to a number that matches the number of family names presented in the family name list 103 of the surname / name information combination screen 105 are sequentially stored. In association with the family name identifier, it is stored in the combination target family name storage memory. Furthermore, each first name and nationality identifier stored in the record position is stored in the combination target first name storage memory. The family name identifier field at the record position not selected is set to “0”, and the record related to the user identifier in the collation status field in the first and last name information storage unit 102 is also set to “0”. Shall be.

Next, as an example of generating the mixed first name group, for each first name stored in the first name storage memory to be combined, a record other than the record stored in the first and last name information storage unit 102 in association with the same user identifier A first name of a record position randomly selected from the first record, and an arbitrarily determined number of first names that do not match the first name associated with the user identifier and stored in the first and last name information storage unit 102 Is stored in the mixed first name memory. Further, the first name stored in the combination target first name storage memory is arranged and stored at a randomly determined record position in the mixed first name storage memory. In addition, by randomly selecting a first name in which the nationality identifier for each first name stored in the combination target first name storage memory and the nationality identifier stored in the first and last name information storage unit 102 match, a family name and Since the nationality of the first name is unified, it becomes possible for a third party to present the surname information combination screen 105 that is not easily analogized.

The combination target family name group and the mixed first name group obtained from the combination target family name storage memory and the mixed first name storage memory obtained by the exemplified method are transmitted to the authentication requesting terminal 11 together with the session identifier ( Step S106).

In the family name information combination screen 105 presented to the authentication request terminal 11, the family name list 103 is presented with family names together with numbers that match the family name identifiers of the family name group to be combined. In the first name list 104, the first names of the mixed first name group are presented in a format in which the numbers can be selected. Accordingly, the user combines the correct first names corresponding to the respective family names, selects all the combinations, and then presses the send button to transmit the selected number, the first name, and the session identifier (step S107). ).

In order to increase the safety, as many surnames as possible are stored in the surname information storage unit 102, for example, the number of family names presented in the family name list 103 or presented in the first name list 104 Increasing the number of first names to do is also an effective means. In addition, as a method not illustrated, the family name stored by the other user who is not stored in the first and last name information storage unit 102 by the user who performs authentication is intentionally added to the family name presented in the family name list 103. The legitimate user expects not to combine the family name and the first name presented in the first name list 104 by intentionally removing the first name corresponding to the family name presented in the family name list. The method is also an effective means for preventing unauthorized access.

Next, after the transmission in step S107, the number and the received session for the first name and the number “1” or more (matching the number of the family name identifier) received by the verification / authentication / authorization unit 22 Whether the first name that matches the family name identifier stored in the first and last name information storage unit 102 in association with the user identifier specified from the user information storage unit 100 based on the identifier matches the received first name. The collation is sequentially performed, and “1” is set in the collation status field corresponding to the matched record. Further, in order to confirm whether or not the user has correctly selected all combinations of the family name and the first name on the surname information combination screen 105, the user identifier and other than “0” are stored in the surname information storage unit 102. It is further verified whether or not all the verification status fields corresponding to the set family name identifiers are set to “1” (step S108). As a result of the collation, when “0” is still set in the collation status field in which “1” is expected to be set, that is, when the collation results do not match (step S109 “NO”), the explanation will be given. Is omitted, but the number of mismatches is counted, and if the number of mismatches is within an arbitrarily prescribed number as a result ("NO" in step S110), the process returns to step S106 and the family name group to be combined and mixed in the same manner as described above A first name group is newly generated and the first and last name information combination screen 105 is re-presented to prompt the user to make a correct combination of the family name and the first name.

The first name received by the verification / authentication / approval unit 22 and the first name that matches the user identifier and the family name identifier stored in the first and last name information storage unit 102 match the first name received. If they do not match, it is considered that an incorrect combination has been made, and even if all other combinations are correct, it is determined that the matching results do not match (step S109 “NO”). In addition, when verification fails, it is not a method of newly generating a combination target family name group and a mixed first name group, but a method of reusing the combination target family name group and the mixed first name group that have already been generated. There may be.

If the specified number of times has been exceeded ("YES" in step S110), it is determined that the user is an unauthorized user, authentication is rejected, and the flow is terminated (step S105). When the collation results match (step S109 “YES”), a process of giving authentication to the user operating from the authentication requesting terminal 11 is performed (step S111), and that the authentication requesting terminal 11 has been authenticated. Is notified (step S112).

FIG. 4 illustrates a flowchart for authenticating by an authorized user and an authorized user. It is assumed that the above-mentioned user who has confirmed authentication is treated as an authorized user, and the authorized user has a relationship that further requires the approval of the authorized user to authenticate each other.

For convenience of explanation, assume that there are two users having a mutual dependency relationship, the user account already stored in the user information storage unit 100 is a user 1 user, an authorized user, and a user account having a mutual dependency relationship with the user. Attempts to explain the user 2 as an authorized user. A form in which an e-mail address, which is an information transmission destination that the approved user desires to transmit information, is stored in association with the user identifier (UID) of the approved user is expressed as a user information storage unit 200. Further, the approved user information storage unit 201 stores the user identifier of the approved user as an approved user identifier in association with the user identifier (UID) of the approved user. At this timing, the record related to the user identifier in the approval status field in the approved user information storage unit 201 is set to “0”.

After the approved user confirms the authentication, the authentication processing unit 20 uses the method described later, and the randomly generated unique approval information used by the approved user to approve the authentication of the approved user. Is stored in the approved user information storage unit 201 in association with the user identifier of the user to be approved and the approved user identifier of the approved user, and is then associated with the user identifier specified from the user information storage unit 200 based on the approved user identifier A message confirming whether to approve the approval information and the authentication of the user to be approved is transmitted to the e-mail address of the mobile phone 12 stored in step S200. Further, when the approval user determines that the authentication request received by the mobile phone 12 is valid, the approval user returns an approval information by pressing an approval button from the approval screen of the mobile phone (step S201).

Next, the collation / authentication / approval unit 22 confirms that the received approval information matches with the approval information stored in the approval user information storage unit 201. “1” is set in the approval status field corresponding to the approval information (step S202). In addition, when a plurality of approval users are assumed, the above approval information is returned from all the approval users, and it is further checked whether or not all of the corresponding approval status fields are set to “1”. If approval has not been obtained from all the approved users, the system waits for approval (step S203 “NO”). Further, when approval is obtained from all the corresponding approved users (step S203 “YES”), a process of giving mutual authentication to the approved user operated from the authentication requesting terminal 11 is performed (step S204), Further, the authentication requesting terminal 11 is notified that the authentication has been confirmed (step S205).

If it is assumed that the user to be approved and the user to be approved are the same user, the user to be approved who has confirmed the authentication further confirms the mutual authentication by approving the user as the approval user, and the authentication request terminal 11 Individual authentication with a high security level by the mobile phone 12 alone can be realized.

FIG. 5 illustrates a flowchart for notifying that authentication has been confirmed or canceling unauthorized authentication. After the user confirms the authentication, the authentication processing unit 20 is stored in the user information storage unit 100, which is the information transmission destination of the user, in order to check whether the user has been authenticated by the authorized user. This is easily done by notifying the e-mail address of the mobile phone 12 that the authentication is confirmed. In addition, in the method described later, in order to notify the confirmation of the authentication and invalid authentication is performed, the release information generated at random when the above-mentioned authentication is confirmed is used as the user's user in order to invalidate the authentication. A form stored in association with an identifier (UID) is expressed as a user information storage unit 300. After the storage, the cancellation information and the fact that the user has been authenticated are transmitted to the mobile phone 12 (step S300). Further, when the authentication user determines that the authentication received by the mobile phone 12 is not due to his / her authentication, the authentication user presses the authentication cancel button from the authentication notification screen of the mobile phone and returns the cancel information (step) S301).

Next, the verification / authentication / approval unit 22 confirms that the received cancellation information matches the cancellation information stored in the user information storage unit 300 (step S302 “YES”). Processing for canceling the user authentication is performed (step S304), and further, the authentication requesting terminal 11 is notified that the authentication has been canceled (step S305). If the release information is not transmitted from the mobile phone 12, the authentication is continued assuming that the above-described authentication action has been performed by a legitimate user ("NO" at step S303).

The block diagram which shows the structure of the personal authentication method which concerns on this Embodiment. Description of each storage unit of the information storage unit. Flowchart for authenticating with combined first and last names The flowchart which authenticates with a to-be-approved user and an approval user. 6 is a flowchart for canceling authentication notification or unauthorized authentication.

Explanation of symbols

DESCRIPTION OF SYMBOLS 10 ... User area 11 ... Authentication request terminal 12 ... Mobile phone 20 ... Authentication processing unit 21 ... Input / output unit 22 ... Verification / authentication / approval unit 23 ··· Information storage unit 24 ··· Random information extraction / generation unit 25 ··· Mail transmission unit 30 ··· Mail server 100 ··· User information storage unit 101 · · · Nationality information storage unit 102 Name information storage unit 103 Family name list 104 First name list 105 Name information combination screen 200 User information storage unit 201 Approved user information storage unit 300 User information storage

Claims (6)

First name and last name storage means for storing the first name and last name of the user who desires authentication, and a plurality of extracted recognized first and last names randomly extracted from the user's first name and last name stored in the first name and last name storage means are combined into a family name and a first name Means for generating a target family name group and a combination target first name group; means for presenting to the user a screen for selecting a combination of a family name of the combination target family name group and a first name of the combination target first name group; A personal authentication device, comprising: collation means for collating the first and last names selected by the user on the screen with the extracted recognized first and last names. First and last name storage means for storing the first name and last name of the user who desires authentication, and one or more extracted recognized first and last names randomly extracted from the user's first name and last name stored in the first name and last name storage means are separated into a family name and a first name Means for generating a combination target family name group and a combination target first name group; and means for generating a mixed family name group in which a family name different from the family name of the user's cognitive family name is mixed in the combination target family name group; , Means for generating a mixed first name group in which a first name different from the first name of the user's first and last names is mixed in the first name group to be combined, and a family name of the mixed family name group and a first name group to be combined First name A combination of the first name of the mixed first name group and the family name of the family name group to be combined, or the combination of the family name of the mixed family name group and the first name of the mixed first name group. A personal authentication apparatus, comprising: means for presenting a screen for selecting one to the user; and collation means for collating the first and last names selected by the user on the screen with the extracted recognized first and last names. An authentication unit that authenticates when the first and last names selected by the user on the screen match the extracted first and last names, and a unit that outputs a signal that clearly indicates that the authentication has been confirmed. The personal authentication device according to claim 1, wherein the personal authentication device is characterized. A storage medium readable by the apparatus includes the verification means, the authentication means, a means for outputting a signal indicating that the authentication is confirmed, and a means for executing the means from a device having a computer function. The personal authentication device according to claim 3. Treating the user authenticated by the authenticating means as an approved user, and assuming that the approved user has an interdependent relationship that further requires the approval of the approved user to authenticate each other. After being authenticated, an approval determining means for determining whether to approve the authentication of the approved user from the terminal of the information transmission destination desired by the approved user, and the approval determining means confirms the approval of the approved user. 5. The apparatus according to claim 3, further comprising: a mutual authentication unit that mutually authenticates the authorized user, and a unit that outputs a signal indicating that the authentication is confirmed by the mutual authentication unit. Personal authentication device. Means for notifying the terminal of the information transmission destination desired by the user that authentication has been confirmed by the authentication means, and authentication by the authentication means when it is determined that the authentication is invalid from the notified content The personal authentication device according to claim 3, further comprising: means for invalidating the password.

Images