JP6178112B2 - Authentication server, authentication system and program - Google Patents

Description

  The present invention relates to an authentication server, an authentication system, and a program.

  Conventionally, there is an authentication server that authenticates a user based on a user ID and a password. Also, in recent years, a system called cloud computing has made it possible for users to access from anywhere via the Internet, and it has become possible to improve user convenience.

  Further, as a conventional technique, there is a technique in which a terminal acquires line identification information from a server and performs settlement processing when the line identification information is stored in advance on the terminal side (see FIG. 1 and paragraph 0009 of Patent Document 1). ).

JP 2006-261991 A

  Conventionally, a user ID and a password input from a terminal are often transmitted to an authentication server via an intranet, and there has been a situation in which security is ensured on a closed network.

  On the other hand, in cloud computing, since it is a wide-area network, the user ID and password input from the terminal are transmitted to the authentication server via the Internet, which is wiretapping compared to the authentication system in the intranet. There is a high possibility that security problems such as spoofing will occur.

  Recently, there is an increasing demand for accessing an organization's system not only from an internal network but also from a specific terminal outside the organization. In such a case, it is a problem to ensure both security and ease of operation and management. ing.

  The present invention has been made in view of the above-described problems, and provides an authentication server, an authentication system, and a program that can perform authentication with high user convenience and high security in cloud computing.

(1) The present invention
An authentication server connected to the first terminal and the second terminal via a network,
When the image code transmission request is received from the first terminal, the first condition regarding the validity of the user ID and password received together with the image code transmission request, and the validity of the address information of the transmission source of the first terminal A second condition is determined, authentication information is generated when the first condition and the second condition are satisfied, and image code information for displaying the authentication information as an image code is transmitted as an image code Image code information transmission processing means for transmitting to the requesting first terminal;
When receiving a registration request for authentication terminal identification information from the second terminal, the first condition relating to the validity of the user ID and password received together with the registration request, and the authentication image code received together with the registration request The third condition relating to the validity of the information is determined, and if the first condition and the third condition are satisfied, it is determined that the registration requirement is satisfied, and the authentication received from the second terminal Registration processing means for performing processing for registering the terminal identification information for authentication in the authentication database;
When a given processing request is received from the second terminal, the first condition regarding the validity of the user ID and password received together with the given processing request, and the authentication terminal identification information received together with the processing request A fourth condition relating to the validity and a third condition relating to the validity of the information of the authentication image code received together with the processing request are determined, and the first condition, the fourth condition, and the third condition are determined. And an authentication processing unit that determines that the processing requirement is satisfied and permits the given processing request.

  The present invention also relates to a program that can be read by a computer and causes the computer to function as each of the above-described means.

The present invention also provides
An authentication system using a first terminal, a second terminal, and an authentication server,
The first terminal is
Image code transmission request means for transmitting an image code transmission request to the authentication server together with the received user ID and password;
Image code display processing means for receiving image code information transmitted by the authentication server in response to the image code transmission request and displaying the image code on a display unit based on the image code information,
The second terminal is
Photographing means for photographing the image code;
Along with the photographed image code or authentication image code information including at least a part of the authentication information acquired by decoding the image code, the terminal identification information of the own device, the received user ID and password Registration request means for transmitting a registration request for the authentication terminal identification information to the authentication server,
The authentication server is
When the image code transmission request is received from the first terminal, the first condition regarding the validity of the user ID and password received together with the image code transmission request and the validity of the address information of the transmission source of the first terminal Image code information for determining the second condition related to sex, generating authentication information when the first condition and the second condition are satisfied, and displaying the authentication information as an image code. Image code information transmission processing means for transmitting to the first terminal of the transmission request source;
When the registration request is received from the second terminal, the first condition relating to the validity of the user ID and password received together with the registration request, and the validity of the information of the authentication image code received together with the registration request If the third condition is determined, and the first condition and the third condition are satisfied, it is determined that the registration requirement is satisfied, and the authentication terminal identification information received from the second terminal is Registration processing means for registering in the authentication database;
When a given processing request is received from the second terminal, the first condition regarding the validity of the user ID and password received together with the given processing request, and the authentication terminal identification information received together with the processing request A fourth condition relating to the validity and a third condition relating to the validity of the information of the authentication image code received together with the processing request are determined, and the first condition, the fourth condition, and the third condition are determined. And an authentication processing unit that determines that the processing requirement is satisfied and permits the given processing request.

  The information of the image code for authentication transmitted by the second terminal and the information of the image code when the authentication server determines the third condition may be the image code image data itself or the authentication included in the image code. It may be information or a part thereof.

  The image code information for displaying the authentication information as an image code may be the image information itself of the image code, or information for displaying the image code on the first terminal (for example, authentication information and an image code generation command). Good.

  When the second terminal and the user who has registered the authentication terminal identification information are not linked, the authentication terminal identification information may be registered in the authentication database without being associated with the user ID. When the second terminal is associated with the user who registered the terminal identification information for authentication, the authentication terminal identification information received from the second terminal is associated with the user ID in the authentication database. You may register with.

  The validity of the user ID and password may be determined based on whether or not the user ID and password registered in advance in the authentication database match.

  The authentication information may include, for example, key information for authentication, user identification information, electronic authentication information, and the like. Further, a user ID, a list of domain names and URLs that are allowed to be accessed from the second terminal, electronic authentication information creation date and time, and expiration date and time may be included.

  The second condition regarding the validity of the address information of the transmission source of the first terminal is that the address information of the transmission source of the first terminal is a predetermined address (for example, an address of a network of a predetermined organization). You may judge by no. The address information of the transmission source of the first terminal is, for example, an IP (Internet Protocol) address of a gateway of an organization network.

  The given processing request of the second terminal is, for example, a file or mail browsing request. The fourth condition regarding the validity of the authentication terminal identification information received together with the processing request is that the authentication terminal identification information received from the second terminal matches the authentication terminal identification information registered in the authentication database. You may judge by whether or not.

  The second terminal may be a mobile terminal. A dedicated Web browser application may be installed in the second terminal so that the dedicated Web browser application performs mail browsing restrictions, download restrictions, deletion of information after browsing, and the like. Further, a dedicated Web browser application may generate and store authentication terminal identification information, decode an image code, and request registration of authentication terminal identification information.

  Further, upon receiving the registration request from the second terminal, the registration processing means stores a registration condition in which a user ID received together with the image code transmission request is stored in advance (a user ID that permits registration of authentication terminal identification information). It may be determined that the registration requirement is satisfied when conditions such as whether or not the information and information regarding the period during which registration permission is accepted are satisfied.

  When the registration processing unit receives the registration request from the second terminal, the registration processing unit issues an approval request to another terminal or another server for the user ID received together with the image code transmission request (for example, approves to the administrator terminal). It may be determined that the registration requirement is satisfied on the condition that the approval is permitted.

According to the present invention, authentication of the second terminal is performed using image code information that can be acquired only by a user who can access the first terminal (for example, a terminal connected to the organization network) for which the terminal address information is guaranteed. Terminal identification information can be registered in the authentication server. Therefore, since the legitimacy of the identified terminal that allows access from the network outside the organization can be ensured with a simple user interface, the user's convenience and high security authentication in cloud computing must be performed. Is possible.

(2) In the authentication server, authentication system and program of the present invention,
The image code information transmission processing means includes:
In response to the image code transmission request, authentication information including first key information is generated, the image code information is generated based on the authentication information, and the first key information is transmitted as first key information. Keep it in the storage,
The registration processing means includes
It is determined whether or not the first key information included in the information of the authentication image code received together with the registration request matches the transmitted first key information. Determining that the third condition is satisfied;
The authentication processing means includes
It is determined whether or not the first key information included in the authentication image code information received together with the given processing request matches the transmitted first key information. It may be determined that the condition satisfies the third condition.

  The first key may be a common key used in a common key cryptosystem.

  The authentication server may generate a different first key for each image code transmission request.

  The authentication server stores the transmitted first key in association with the user ID that made the image code transmission request, and registers the authentication terminal identification information when the registration request is made with the same user ID. May be.

  The authentication server may limit the number of authentication terminal identification information that can be registered corresponding to one image code to one. In this case, the terminal identification information for authentication that made the registration request first with respect to the first key may be registered.

  Further, the authentication server may register a plurality of authentication terminal identification information corresponding to one image code.

  In this way, among users who have acquired an image code including authentication information corresponding to the first key information generated by the authentication server, the users who can register the authentication terminal identification information of the second terminal are limited. Or limit the number of terminals that can be registered.

(3) In the authentication server, authentication system, and program of the present invention,
The image code information transmission processing means includes:
Generating authentication information including user identification information corresponding to the user ID received together with the image code transmission request;
The registration processing means includes
It is determined whether or not the user specifying information included in the authentication image code information received together with the registration request corresponds to the received user ID. Judging that the conditions of
The authentication processing means includes
It is determined whether or not the user specifying information included in the information of the image code for authentication received together with the given processing request corresponds to the received user ID. It may be determined that the third condition is satisfied.

If it does in this way, the image code in which the said user specific information was designated with respect to the user who logged in with the 1st terminal will be transmitted, and only if the said user makes a registration request using the said image code, the 2nd Registration of terminal identification information for authentication of the terminal can be accepted. Therefore, even if another person's image code is acquired, registration is not accepted, so that the user who registers the second terminal can be strictly managed, and the security of registration of the authentication terminal identification information can be strengthened. it can.

(4) In the authentication server, authentication system, and program of the present invention,
The image code information transmission processing means includes:
Generating authentication information including electronic authentication information based on a second key associated with the authentication server;
The registration processing means includes
It is determined whether or not electronic authentication information based on a second key included in authentication image code information received together with the registration request corresponds to a second key associated with the authentication server. , On the condition that it corresponds, it is determined that the third condition is satisfied,
The authentication processing means includes
Whether the electronic authentication information based on the second key included in the authentication image code information received together with the given processing request corresponds to the second key associated with the authentication server It may be determined that the third condition is satisfied on the condition that it corresponds.

The image code information transmission processing means includes:
Electronic authentication information may be created using a second key (a secret key of a public key cryptosystem) associated with the authentication server. The electronic authentication information may include a user ID, a list of domain names and URLs that are allowed to be accessed from the second terminal, electronic authentication information creation date, and expiration date.

  When the image code information created based on the authentication information including the electronic authentication information based on the second key is forged, it can be detected that the image code information has been forged, and therefore forgery is difficult. Therefore, it is difficult to acquire authentication information and image code information by a method other than acquiring an image code from a first terminal whose terminal address information is guaranteed, and the security of registration of authentication terminal identification information is strengthened. be able to.

An example of the network diagram of a 1st embodiment. An example of a functional block diagram of a 1st embodiment. 3A, 3B, and 3C are explanatory diagrams of data stored in a database. 4A and 4B are flowcharts of an access success / failure flow. FIG. 5 is a flowchart of an OTP confirmation flow and a certification information confirmation flow. FIGS. 6A and 6B are flowcharts of a certification information provision flow. The flowchart figure which shows the flow of a process of 1st Embodiment. The flowchart figure which shows the flow of a process of 1st Embodiment. An example of the network diagram of 2nd Embodiment. An example of a functional block diagram of the second embodiment 10A and 10B are explanatory diagrams of data stored in the database. Explanatory drawing of the data stored in a database. The flowchart figure which shows the flow of a process of the authentication system of 2nd Embodiment. The flowchart figure which shows the flow of the image code transmission process of the authentication server of 2nd Embodiment. The flowchart figure which shows the flow of the registration process of the terminal identification information for authentication of the authentication server of 2nd Embodiment. The flowchart figure which shows the flow of the authentication process of the authentication server of 2nd Embodiment.

  Hereinafter, this embodiment will be described. In addition, this embodiment demonstrated below does not unduly limit the content of this invention described in the claim. In addition, all the configurations described in the present embodiment are not necessarily essential configuration requirements of the present invention.

1. First embodiment 1-1. Network FIG. 1 is an example of a network diagram of the first embodiment. The authentication server 10 (ID provider) of the first embodiment performs user authentication based on information (data) transmitted from the user terminal 20.

  The authentication server 10 is connected to a plurality of terminals 20 via a network. For example, the authentication server 10 according to the first embodiment is connected to each terminal 20-A to 20-E configuring the small-scale network 30 such as a company or a school via the Internet. Further, the authentication server 10 is connected to the terminal 20-F of the user A's home 41, the terminal 20-B brought back from the company by the user B, the terminal 20-G of the home 43 of the user C, and the portable terminal 20 of the user D via the Internet. -H (for example, a smartphone) can be connected. Note that the terminal 20 of the first embodiment is connected to the authentication server 10 by wire or wirelessly.

  The authentication server 10 is connected to an authentication database 11 that stores information such as a user ID and a password via a network (intranet or the Internet). The authentication server 10 performs processing for referring to data registered in the authentication database 11. Further, the authentication server 10 can instruct the authentication database 11 to register new data, delete data, and change data.

  The authentication server 10 is connected to various servers (service providing servers) such as a mail server 31, a file server 32, a shopping server 33, and a photo server 34 via a network. For example, the mail server 31 provides a mail service related to the user ID that the authentication server 10 permits authentication. In addition, the file server 32 provides a file service related to the user ID permitted by the authentication server 10 for authentication. In addition, the shopping server 33 provides a shopping service related to the user ID that the authentication server 10 permits authentication. In addition, the photo server 34 provides a photo service related to the user ID that the authentication server 10 has authorized. In other words, the user only needs to remember one user ID and password, and if authentication to the authentication server 10 is permitted, single sign-on that can receive service from various servers 31 to 34 becomes possible. . Note that when data such as authentication permission or disapproval is transmitted between the authentication server 10 and the various servers 31 to 34, data encryption may be performed using SSL / TLS or the like.

1-2. Configuration FIG. 2 is an example of a functional block diagram of the network system according to the first embodiment. Note that the network system according to the first embodiment does not have to include all the units illustrated in FIG. 2, and may have a configuration in which some of the units are omitted.

  First, the function of the authentication server 10 will be described. The storage unit 170 serves as a work area for the processing unit 100 and the like, and its function can be realized by hardware such as RAM (VRAM).

The information storage medium 180 can be read by a computer, and the information storage medium 180 stores programs, data, and the like. That is, the information storage medium 180 stores a program for causing a computer to function as each unit of the first embodiment (a program for causing a computer to execute the processing of each unit). That is, the processing unit 100 can perform various processes of the first embodiment based on data read from a program (data) stored in the information storage medium 180.

  For example, the information recording medium 180 is an optical disk (CD, DVD), a magneto-optical disk (MO), a magnetic disk, a hard disk, a magnetic tape, a memory (ROM), a memory card, or the like.

  The processing unit 100 performs various processes of the first embodiment based on a program (data) stored in the storage unit 170. Note that the processing unit 100 according to the first embodiment reads a program and data stored in the information storage medium 180, stores the read program and data in the storage unit 170, and performs processing based on the program and data. You may go.

  The processing unit 100 (processor) performs various processes using the main storage unit in the storage unit 170 as a work area. The functions of the processing unit 100 can be realized by hardware such as various processors (CPU, DSP, etc.) and programs.

  The processing unit 100 includes a communication control unit 111, a determination unit 112, a group determination unit 113, and an authentication determination unit 114.

  The communication control unit 111 performs a process of transmitting / receiving data to / from the terminal 20 via a network (intranet or the Internet).

  For example, the communication control unit 111 performs a process of receiving a user ID and password transmitted by the terminal 20. Further, the communication control unit 111 may transmit authentication permission or disapproval to the terminal 20.

  In addition, the communication control unit 111 performs processing for transmitting and receiving data to and from the authentication database 11 and various servers such as the mail server 31, the file server 32, the shopping server 33, and the photo server 34 via a network (intranet or the Internet). For example, the communication control unit 111 may transmit authentication permission or disapproval to the various servers 31 to 34.

  In particular, the communication control unit 111 according to the first embodiment, when the terminal 20 is a terminal 20 having a user ID belonging to the second group, the first condition and the second determination of the first determination unit 112A. When the second condition of the unit 112B is satisfied, a process of transmitting certification information to the terminal 20 of the user ID belonging to the second group is performed.

  The determination unit 112 makes a determination for authentication. In particular, the determination unit 112 of the first embodiment includes a first determination unit 112A, a second determination unit 112B, and a third determination unit 112C.

  The first determination unit 112A sets the first condition that the first condition is that the user ID and password received from the terminal 20 match the user ID and password registered in the authentication database 11 in advance. Judge whether to meet or not.

  Whether or not the second determination unit 112B satisfies the second condition where the second condition is that the address information of the transmission source of the terminal 20 matches the address information registered in the authentication database 11 in advance. Judging.

The third determination unit 112C determines that the proof information received from the terminal 20 is the authentication database 1 in advance.
It is determined whether or not the third condition that the third condition is that it matches the certification information registered in No. 1 is satisfied.

  The group determination unit 113 determines a group of user IDs. In the first embodiment, refer to the user information registered in the authentication database 11 as to which group the user ID belongs to among a plurality of groups (for example, first and second groups) of two or more. Judgment.

  The authentication determination unit 114 determines permission or non-permission of user ID authentication. Then, the authentication determination unit 114 permits authentication of user IDs belonging to the first group when the first condition of the first determination unit 112A and the second condition of the second determination unit 112B are satisfied. When the first condition of the first determination unit 112A and the second condition of the second determination unit 112B are satisfied, or the first condition of the first determination unit 112A and the third condition of the third determination unit 112C When the above condition is satisfied, authentication of user IDs belonging to the second group is permitted.

  The authentication server 10 includes an authentication database 11. Information such as a user ID, password, address information, and certification information is registered (stored and stored) in the authentication database 11. In the first embodiment, information may be registered in advance in the authentication database 11 based on input information from the administrator. Information update processing and information deletion processing may be performed based on input information from the administrator. In the first embodiment, the authentication server 10 may perform registration processing. For example, the authentication server 10 may register a user ID, a password, and the like based on a registration request from the terminal 20. In the first embodiment, the authentication server 10 may perform update processing. For example, the authentication server 10 may update the user ID, password, and the like based on an update request from the terminal 20. In the first embodiment, the authentication server 10 may perform the deletion process. For example, the authentication server 10 may delete the user ID, password, and the like based on a deletion request from the terminal 20. In the first embodiment, the storage unit (storage area) of the authentication database 11 is physically separated from the storage unit 170 (storage area) of the authentication server 10. Data in the database 11 may be stored.

  The processing unit 100 according to the first embodiment may include a Web processing unit that functions as a Web server. For example, the Web processing unit receives data transmitted by the Web browser 210 of the terminal 20 through processing of transmitting data in response to a request from the Web browser 210 installed in the terminal 20 through HTTP (Hypertext Transfer Protocol). Process. In particular, in the first embodiment, the Web processing unit provides a login screen for performing user authentication, and performs a process of receiving user information such as a user ID and a password transmitted by the Web browser 210 of the terminal 20. You may do it.

  The terminal 20 is a computer, a smartphone, a tablet computer, a mobile phone, a game machine, or the like.

  The storage unit 270 serves as a work area for the processing unit 200 and the like, and its function can be realized by hardware such as RAM (VRAM).

The information storage medium 280 can be read by a computer, and the information storage medium 280 stores programs, data, and the like. In other words, the information storage medium 280 stores a program for causing a computer to function as each unit of the first embodiment (a program for causing a computer to execute processing of each unit). That is, the processing unit 200 can perform various processes of the first embodiment based on data read from a program (data) stored in the information storage medium 280.

  For example, the information recording medium 280 is an optical disk (CD, DVD), a magneto-optical disk (MO), a magnetic disk, a hard disk, a magnetic tape, a memory (ROM), a memory card, or the like.

  The processing unit 200 performs various processes of the first embodiment based on a program (data) stored in the storage unit 270. Note that the processing unit 200 according to the first embodiment reads a program and data stored in the information storage medium 280, stores the read program and data in the storage unit 270, and performs processing based on the program and data. You may go.

  The processing unit 200 (processor) performs various processes using the main storage unit in the storage unit 270 as a work area. The functions of the processing unit 200 can be realized by hardware such as various processors (CPU, DSP, etc.) and programs.

  The processing unit 200 includes a web browser 210 and a communication control unit 211. The terminal 20 can display information from a Web server specified by a URL (Uniform Resource Locator) via the Internet using the Web browser 210. For example, when the authentication is permitted in the authentication server 10, the terminal 20 displays the mail information (user received mail, transmitted mail, etc.) of the user ID of the terminal 20 from the mail server 31 having the Web server function. Can be made. Further, the web browser 210 of the first embodiment may be a web browser in which file download is prohibited.

  The communication control unit 211 performs processing for transmitting / receiving data to / from the authentication server 10, various servers 31 to 34, and the like via a network. For example, the communication control unit 211 performs a process of transmitting the user ID and password input from the input unit 220 to the authentication server 10. Further, the communication control unit 211 may transmit the certification information to the authentication server 10 when the certification information is set in the Web browser 210 in advance. Further, the communication control unit 211 may receive the authentication determination result (permitted or not permitted) from the authentication server 10. Further, the communication control unit 211 may receive mail information related to the user ID of the terminal 20 from the mail server 31 when authentication is permitted by the authentication server 10.

  The input unit 220 is an input device (controller) for inputting input information from the user (operator), and outputs the user input information to the processing unit 200. The input unit 220 of the first embodiment may include a detection unit that detects user input information (input signal). For example, the input unit 220 detects input information of a keyboard and detects a touch position (touch position) of a touch panel display.

  The input unit 220 may be an input device including an acceleration sensor that detects triaxial acceleration, a gyro sensor that detects angular velocity, and an imaging unit. The input unit 220 also includes a terminal 20 (smart phone, mobile phone, mobile terminal, portable game device) integrated with an input device.

  The display unit 290 outputs Web browser information and images, and the function can be realized by a CRT, LCD, touch panel display, HMD (head mounted display), or the like.

1-3. Processing method of the first embodiment 1-3-1. Outline The authentication server 10 according to the first embodiment employs a technique of grouping a plurality of users in an organization and performing authentication according to each group. That is, the authentication server 10 employs a method of determining a group of user IDs of the terminal and determining permission or non-permission of user ID authentication based on the group to which the user ID belongs.

  For example, the authentication server 10 (1) The first condition is that the first condition is that the user ID and password received from the terminal match the user ID and password registered in the authentication database 11 in advance. And (2) address information (for example, the IP address of the gateway of the company network) in which the address information of the transmission source of the terminal is registered in the authentication database 11 in advance. A second determination for determining whether or not the second condition is satisfied as a second condition, and (3) a proof in which the certification information received from the terminal is registered in the authentication database 11 in advance A third determination is made to determine whether or not the third condition is satisfied with the third condition being coincident with the information. And the authentication server 10 permits the authentication of the user ID belonging to the first group (for example, the user ID of the group of the development department) when the first condition and the second condition are satisfied, and the first condition When the second condition is satisfied or when the first condition and the third condition are satisfied, authentication of a user ID belonging to the second group (for example, a user ID of the sales department group) is permitted.

  In this way, authentication is determined by different methods / flows for user IDs belonging to the first group and user IDs belonging to the second group, so that convenience and security can be improved and appropriate according to the group. Authentication can be performed. That is, when the IP address of the gateway of the company network is registered in the authentication database 11 in advance, the user ID belonging to the first group (for example, development group) should be restricted to access from the in-house network. Can increase security. In addition, user IDs belonging to the second group (for example, sales group) can be accessed from the internal network, and even if the access is from an external network, the proof information is matched. Allow authentication for the condition. As described above, in the first embodiment, the convenience of the second group of users is improved so as to be accessible from an external network while enhancing security.

1-3-2. Authentication database 1-3-2-1. User Information FIG. 3A is an example of user information registered in the authentication database 11. The user information includes a user ID (user identification information, user name), a password, and a group ID (group identification information) to which the user belongs. In addition, the user information may include a seed number (seed number) of OTP (OTP is an abbreviation for one-time password) and certification information. If the OTP seed number and certification information are not registered, NULL is set. The password, group ID, OTP seed number, and certification information are registered in association with the user ID. The proof information of the first embodiment is one piece of identified information (character string consisting of alphabets and numbers) per user, and different proof information is given to each user. FIG. 3A shows user information of the XX company whose organization ID is 1. In the first embodiment, user information is managed for each organization.

1-3-2-2. Organization Information FIG. 3B is an example of organization information registered in the authentication database 11. For example, the organization information includes an organization ID (organization identification information), an organization name, and an IP address of the network of the organization (IP address of a gateway of the network). That is, the organization name and the IP address of the organization network are registered in association with the organization ID.

1-3-2-3. Flow pattern (processing pattern)
FIG. 3C is an example of various flow patterns (processing patterns, processing types) registered in the authentication database 11. For example, as shown in FIG. 3C, the patterns (types) of the access success / failure flow, the OTP confirmation flow (one-time password confirmation flow), the certification information confirmation flow, and the certification information addition flow are associated with the group ID. ) Is registered.

1-3-2-3-1. Access Success / Failure Flow First, the access success / failure flow will be described. The access success / failure flow is a processing flow for determining success or failure of access from the user terminal 20 to the authentication server 10.

  FIG. 4A shows the A pattern of the access success / failure flow. The A pattern will be described. First, it is determined whether or not the access is from an organization network (step S1). That is, the authentication server 10 determines whether the address information of the transmission source of the terminal 20 matches the address information registered in the authentication database 11 in advance (whether the second condition of the second determination unit 112B is satisfied). Or). For example, the authentication server 10 detects the IP address of the transmission source (access source) of the terminal 20 from the packet information received from the terminal 20, and the IP address of the transmission source of the terminal is an IP address registered in the authentication database. To determine whether or not. For example, when the IP address of the transmission source of the terminal 20-A is “122.200.243.240”, as shown in FIG. 3B, the IP address of the transmission source of the terminal 20-A is the authentication database. 11, it can be determined that the access is from the network of “XX company”. That is, it is determined that the access is from an organization (XX company) network.

  If the access is from the organization network (Y in step S1), it is determined to be successful (step S2). On the other hand, if the access is not from the organization network (N in step S1), that is, outside the organization (for example, If the access is from a network outside of “XX Company”), it is determined as failure (step S3). According to the example of FIG. 3C, the group of the development department, the sales department, and the management department determines success / failure of access by the pattern A flow.

  FIG. 4B is a conditional expression of the B pattern of the access success / failure flow. The B pattern will be described. First, it is determined whether or not the access is from an organization network (step S5). If the access is from an organization network (Y in step S5), it is determined whether or not the current time is within a predetermined time zone (for example, from 9 am to 6 pm) (step S6). If the current time is within the predetermined time zone (Y in step S6), it is determined that the process is successful (step S7). On the other hand, if the access is not from the organization network (N in step S5), or if the current time is not in the predetermined time zone (N in step S6), it is determined as failure (step S8). According to the example of FIG. 3C, the part-time job group determines whether access is successful or unsuccessful in the pattern B flow. In the first embodiment, other patterns of access success / failure flow may be prepared. For example, when the domain name of the IP address of the terminal transmission source includes a specific character string (for example, “jp”), it is determined to be successful, and the domain name of the IP address of the terminal transmission source is the specific character string. If it is not included, a flow for determining failure may be prepared as a C pattern.

1-3-2-3-2. OTP Confirmation Flow Next, the OTP confirmation flow (one-time password confirmation flow) will be described. The OTP confirmation flow is a processing flow for determining whether or not OTP confirmation is required for a user terminal.

FIG. 5 is an OTP confirmation flow of the A pattern. For example, it is determined whether the access is from an organization network (step S10). That is, as described above, the authentication server 10 determines whether or not the address information of the transmission source of the terminal 20 matches the address information registered in the authentication database 11 in advance (the second determination unit 112B has the second information). Whether or not the condition is satisfied). If the access is from the organization network (Y in step S10), it is determined that the access is unnecessary (step S11). If the access is not from the organization network (N in step S10), that is, outside the organization (for example, “ If the access is from a network outside the company “XX”, it is determined that it is necessary (step S12). According to the example of FIG. 3C, the development department, the management department, the sales department, and the part-time job determine the necessity / unnecessity of OTP confirmation in the pattern A flow. In the first embodiment, another pattern of the OTP confirmation flow may be prepared.

1-3-2-3-3. Certification Information Confirmation Flow Next, the certification information confirmation flow will be described. The certification information confirmation flow is a processing flow for determining whether certification information needs to be confirmed for a user terminal.

  In the first embodiment, the proof information confirmation flow of the A pattern employs the same flow as the A pattern of the OTP confirmation flow. Further, according to the example of FIG. 3C, the development department, the management department, the sales department, and the part-time job determine the necessity / unnecessity of confirmation of the certification information in the pattern A flow. In the first embodiment, a unique certification information confirmation flow may be set, or a plurality of types of certification information confirmation flows may be set.

1-3-2-3-4. Certification Information Granting Flow Next, the certification information granting flow will be described. The certification information provision flow is a processing flow for determining whether or not to provide certification information to a user terminal.

  FIG. 6A is a flow of providing A pattern proof information. For example, it is determined whether the access is from an organization network (step S20). That is, as described above, the authentication server 10 determines whether or not the address information of the transmission source of the terminal 20 matches the address information registered in the authentication database 11 in advance (the second determination unit 112B has the second information). Whether or not the condition is satisfied). If the access is from the organization network (Y in step S20), it is determined that the access is granted (step S21). If the access is not from the organization network (N in step S20), that is, outside the organization (for example, “○ If it is an access from a network outside the company, it is determined not to be granted (step S22). According to the example of FIG. 3C, the sales department determines whether or not to provide certification information in the pattern A certification information provision flow.

  FIG. 6B is a B pattern certification information provision flow. It is determined that the B pattern is not always given (step S23). That is, it is determined that the certification information is not always given regardless of the network inside or outside the organization (for example, XX company). According to the example of FIG. 3C, it is determined that the development unit, the management unit, and the part-time job do not give certification information in the pattern B flow. In this way, security can be further improved by not providing certification information to a group for which access from an external network is prohibited.

1-3-2-4. Explanation of One-Time Password In the first embodiment, since access from an external network has security problems such as fraud and theft, users belonging to a specific group that may be accessed from the external network ( For example, an OTP generation program for generating an OTP (one-time password) having the same algorithm as that of the authentication server 10 is installed in the terminal 20 of a sales department user), and authentication using the one-time password is performed.

  For example, in the OTP generation program installed in the terminal 20 (or the generation program of the OTP generation apparatus) and the OTP generation program installed in the authentication server 10, the algorithm and the seed number (seed number) are the same. As a result, the OTP generated on the terminal side (OTP generation device side given to the user) matches the OTP generated on the authentication server. For example, the one-time password generation program performs a process of generating a one-time password based on the time and seed number (seed number) at a predetermined cycle (every 30 seconds). In the first embodiment, authentication is performed for a specific group such as a sales department including verification processing for a one-time password. However, control may be performed so that verification processing for a one-time password is not performed. .

1-3-2-5. Explanation of certification information In the first embodiment, certification information is assigned to a terminal 20 of a user belonging to a specific group such as a sales department. For example, when the terminal 20 is a terminal 20 having a user ID belonging to the second group (for example, the group of the sales department), the authentication server 10 stores the user ID and password received from the terminal 20 in advance in the authentication database. 11 is registered in advance in the authentication database 11 when the user ID and password registered in the terminal 11 match (when the first condition of the first determination unit 112A satisfies the first condition) and the transmission source address information of the terminal 20. When it matches the address information (when the second condition of the second determination unit 112B is satisfied), the process of transmitting the certification information to the terminal of the user ID belonging to the second group is performed. Further, the terminal 20 communicates between the terminal 20 and the authentication server 10 using a Web browser. For example, when the terminal 20 receives the certification information from the authentication server 10, the terminal 20 transmits the certification information to the Web browser. Process to memorize as cookie. “Cookie” is HTTP cookie and indicates information stored in a Web browser.

  For example, referring to FIG. 1, it is assumed that the IP address (122.200.243.240) of the gateway of the network 30 of “XX company” is registered in the authentication database 11. As shown in FIG. 1, for example, when the user B of the sales department is in the company, the authentication server 10 is accessed from the terminal 20 -B connected to the in-house network, and the authentication is permitted. Receive certification information from. That is, the certification information is stored as a cookie in the Web browser of the terminal 20-B. Then, the user B of the sales department takes home the terminal 20-B, for example, connects the terminal 20-B to a home network, and the terminal 20-B accesses the authentication server 10 via the Internet using a Web browser. The input user ID, password, and certification information set as a cookie of the Web browser are transmitted to the authentication server 10. The authentication server 10 permits authentication when the user ID, password, and certification information received from the terminal 20-B match the user ID, password, and certification information registered in the authentication database 11.

  As described above, the first embodiment provides a mechanism by which the terminal 20-B can acquire certification information when the authentication server 10 is permitted to authenticate the terminal 20-B used by the user B of the sales department. ing. In other words, according to the first embodiment, the certification information can be acquired simply by logging in the authentication server 10 normally as a user ID of a business group from the in-house network using a Web browser, so that convenience can be improved. Further, the authentication server 10 can strengthen the security by giving the certification information to the access from the in-house network. Note that the authentication server 10 may set an expiration date (for example, an expiration date valid for 7 days from the date when the certification information is granted) in the certification information given to the user's terminal. When the information is received, the certification information may be processed as invalid. In this way, security can be further enhanced.

1-3-2-6. Others In the first embodiment, the authentication server 10 refers to user information, organization information, various flows, and the like registered in the authentication database 11. Further, the authentication server 10 may perform user information, organization information, various flow registration processing, update processing, and deletion processing in response to a request from the terminal 20. In the first embodiment, the administrator can manage the authentication database, and user information, organization information, reference to various flows, registration, change, deletion, and the like are performed based on input information from the administrator. Can do. Further, based on input information from the administrator, the flow can be changed, added, deleted, and the like.

1-3-3. Process Flow FIGS. 7A and 7B are flowcharts illustrating a process flow of the authentication server 10 according to the first embodiment. First, the authentication server 10 receives a user ID and a password from the terminal 20 (step S100).

  Next, the source IP address of the received terminal 20 is confirmed (step S101). For example, the authentication server 10 detects the source IP address from the packet information received from the terminal 20. For example, when the IP address of the transmission source of the terminal 20-A is “122.200.243.240”, as shown in FIG. 3B, the network of “XX company” with organization ID = 1 It can be determined that the access is from. On the other hand, when the source IP address of the terminal 20-A is not registered in the authentication database, access from a network outside the company (outside the organization) (from an unspecified terminal on the Internet, an unspecified network) Access).

  Then, it is determined whether or not the user ID and password received from the terminal 20 are correct (step S102). That is, it is determined whether or not the user ID and password received from the terminal 20 match the user ID registered in the authentication database 11 and the password (corresponding to the user ID).

  When the user ID and password received from the terminal 20 are correct, that is, the user ID and password received from the terminal 20 match the user ID registered in the authentication database 11 and the password (corresponding to the user ID). If yes (Y in step S102), the process proceeds to step S103. On the other hand, when the user ID and password received from the terminal 20 are not correct, that is, the user ID and password received from the terminal 20 are the user ID registered in the authentication database 11 (corresponding to the user ID). If it does not match the password (N in Step S102), it is determined that the authentication is not permitted (Step S113).

  Next, the group ID of the received user ID is determined (step S103). That is, as shown in FIG. 3A, the group ID is determined with reference to the group ID corresponding to the user ID registered in the authentication database 11. For example, when the received user ID is “userA”, the group ID of “userA” is “1”.

  Next, it is determined whether the access is successful based on the group ID (step S104). As shown in FIG. 3C, since an access success / failure flow pattern is set for each group ID, access success or failure is determined based on the pattern corresponding to the group ID.

For example, as shown in FIG. 3A, “userA” has a group ID “1” and an access success / failure flow is an A pattern. Therefore, as shown in FIG. 4A, when “userA” is an access from the network of an organization (for example, XX company), it is determined that the access is successful (Y in step S2 and step S104). On the other hand, when “userA” is an access from other than the network of the organization (for example, XX company), it is determined that the access has failed (N in Step S3 and Step S104).

  Also, for example, as shown in FIG. 3A, “userF” has a group ID “4” and an access success / failure flow is a B pattern. Therefore, as shown in FIG. 4B, when “userF” accesses from the network of the organization (for example, XX company), the current time is within a predetermined time zone (for example, 2:00 pm). If there is, it is determined that the access is successful (step S7, Y in step S104). On the other hand, even when “userF” is accessed from a network other than the organization (for example, XX company) or when “userF” is accessed from the network of the organization (for example, XX company), the current time is predetermined. If it is a time other than the time zone (for example, 11:00 pm), it is determined that the access has failed (N in Step S8 and Step S104).

  If it is determined that access is successful (Y in step S104), the process proceeds to step S105. On the other hand, if it is determined that the access has failed (N in step S104), it is determined whether or not the group ID = 2 (step S114). That is, it is determined whether the group is a specific group (for example, the second group). If the group ID = 2 (Y in step S114), the process proceeds to step S105. If the group ID = 2 is not satisfied (N in step S114), it is determined that the authentication is not permitted (step S113).

  Next, it is determined whether or not to confirm the one-time password (OTP) (step S105). As shown in FIG. 3C, since the OTP confirmation flow pattern is set for each group ID, it is determined whether or not to confirm the OTP based on the flow pattern corresponding to the group ID.

  For example, as shown in FIG. 3A, “userA” has a group ID “1” and the OTP confirmation flow is an A pattern. Therefore, as shown in FIG. 5, when “userA” is an access from the network of an organization (for example, XX company), it is judged that OTP confirmation is unnecessary (step S11), and the one-time password is not confirmed (step S11). N) in step S105. On the other hand, if “userA” is an access from other than the network of the organization (for example, XX company), it is determined that OTP confirmation is necessary (step S12), and the one-time password is confirmed (Y in step S105). .

  When confirming the one-time password (Y in step S105), the terminal requests the one-time password (step S106), and determines whether the one-time password received from the terminal is correct (step S107). . That is, it is determined whether or not the one-time password generated by the authentication server 10 matches the one-time password received from the terminal 20. If the one-time password is correct, that is, if the one-time password generated by the authentication server 10 matches the one-time password received from the terminal 20 (Y in step S107), the process proceeds to step S108. On the other hand, if the one-time password is not correct, that is, if the one-time password generated by the authentication server 10 does not match the one-time password received from the terminal 20 (N in step S107), it is determined that authentication is not permitted ( Step S113).

  Next, it is determined whether or not to confirm the certification information (step S108). As shown in FIG. 3C, since a certification information confirmation flow pattern is set for each group ID, it is determined whether or not to confirm certification information based on the flow pattern corresponding to the group ID. .

For example, as shown in FIG. 3A, “userA” has a group ID “1” and the certification information confirmation flow is an A pattern. Therefore, as shown in FIG. 5, if “userA” is an access from the network of an organization (for example, XX company), it is judged that confirmation of certification information is unnecessary (step S11), and certification information is not confirmed (step S11). N of step S108). On the other hand, if “userA” is an access from other than the network of the organization (for example, XX company), it is determined that the certification information needs to be confirmed (step S12), and the certification information is confirmed (Y in step S108). .

  When confirming the certification information (Y in step S108), it is determined whether the certification information received from the terminal is correct (step S109). That is, it is determined whether the certification information received from the terminal 20 matches the certification information corresponding to the user ID registered in the authentication database 11 in advance. For example, when the certification information transmitted from the terminal 20-B with the user ID “userB” is “rg2b9i4g7px”, the certification information “rg2b9i4g7px” corresponding to the user ID “userB” registered in the authentication database 11 ", It is determined that the certification information is correct. If the certification information is correct (Y in step S109), the process proceeds to step S110. On the other hand, when the certification information is not correct (N in step S109), it is determined that the authentication is not permitted (step S113).

  Next, it is determined whether or not to provide certification information (step S110). As shown in FIG. 3C, since a proof information grant flow pattern is set for each group ID, it is determined whether or not proof information is given based on the flow pattern corresponding to the group ID. .

  For example, as shown in FIG. 3A, “userB” has the group ID “2” and the certification information provision flow is the A pattern. Therefore, as shown in FIG. 6A, if “userB” is an access from the network of an organization (for example, XX company), it is determined that certification information is to be given (step S21, Y in step S110). On the other hand, if “userB” is an access from other than the network of the organization (for example, XX company), it is determined that the certification information is not given (N in Step S22 and Step S110).

  Also, for example, as shown in FIG. 3A, “userA” has a group ID “1” and the certification information provision flow has a B pattern. Therefore, as shown in FIG. 6B, it is determined that no certification information is given regardless of whether or not “userA” is an access from the in-house network of the XX company (step S23, step S110 N) .

  When the certification information is given (step S110: Y), the certification information is transmitted to the terminal 20 (step S111). Then, after step S111 or N in step S110, it is determined that the authentication is permitted (step S112). The process ends here.

1-3-4. Example of Using SSL Client Certificate The authentication server 10 of the first embodiment adds to the verification of certification information (or instead of verification of certification information) from the terminal to the terminal that requests certification information. You may make it authenticate using the SSL (Secure Socket Layer) client certificate transmitted. When performing such authentication, an SSL client certificate is set in advance in the Web browser of the terminal 20.

For example, the terminal 20 makes an HTTPS (Hypertext Transfer Protocol over Secure Socket Layer) connection to the authentication server 10, and the authentication server 10 requests the terminal 20 for an SSL client certificate. Then, the terminal 20 transmits an SSL client certificate to the authentication server 10. Then, the authentication server 10 decrypts the signed SSL client certificate and acquires the public key of the client (terminal 20). The terminal 20 adds a digest to the sent message and encrypts it with the private key that the terminal 20 has. Then, the authentication server 10 decrypts the message using the public key of the terminal 20, creates a message digest from the decrypted message, and compares it with the message digest added by the terminal 20. When the match is confirmed, a message that has not been tampered with is received from the reliable terminal 20, and it is determined that authentication is permitted.

1-3-5. Example of Using a Special Web Browser In the first embodiment, when the Web browser 50 in which file download is prohibited is set in the terminal 20 and certification information is set in the Web browser 50 in advance as a cookie, The certification information may be transmitted to the authentication server 10. In this way, it is possible to prompt the user to use a special Web browser 50 that is prohibited from downloading files. Further, by promoting the use of a special Web browser 50 in which file download is prohibited, file download can be prevented and security can be further improved.

  For example, as shown in FIG. 1, it is assumed that a special Web browser 50 in which file download is prohibited is installed in a personal terminal 20-H of userD (for example, a smartphone or a personal computer). Then, certification information is set in advance in the web browser 50 (certification information is set as a cookie of the web browser). Note that the certification information may be set in the Web browser of the terminal 20-H based on the input from the administrator.

  Then, userD is permitted to authenticate to the authentication server 10 from the private terminal 20-H even in an external network, and can log in to a service providing server such as the mail server 31, which is more convenient. A network system can be realized. In addition, security information can be managed for the private terminal 20-H by enabling the certification information to be set only in the special Web browser 50 without being set in the normal Web browser.

1-3-6. Others In the first embodiment, as an example of multi-factor authentication other than the user ID / password, authentication using certification information, OTP verification, SSL client certificate, etc. has been described. However, other multi-factor authentication is performed. It may be.

  In the first embodiment, as an example of the user ID / password determination process, the authentication server has described the determination process using a password stored in advance in the authentication database. However, the password is not stored in the authentication database. Thus, the user ID / password determination process may be delegated to another system.

2. Second Embodiment Hereinafter, a second embodiment will be described. Note that the second embodiment described below does not unduly limit the contents of the present invention described in the claims. Further, not all the configurations described in the second embodiment are essential constituent requirements of the present invention.

2-1. Network FIG. 8 is an example of a network diagram according to the second embodiment. The authentication server 10 (ID provider) of the second embodiment performs user authentication based on information (data) transmitted from the user terminal 20.

The authentication server 10 is connected to a plurality of terminals 20 via a network. For example, the authentication server 10 of the second embodiment is connected to each of the terminals 20-A and 20-B (an example of the first terminal) constituting the small-scale network 30 such as a company or a school via the Internet. ing. In addition, the authentication server 10 transmits a user A portable terminal 20-C (an example of a second terminal, for example, a smartphone) and a user B portable terminal 20 via the Internet.
It is connectable with -D (an example of a 2nd terminal, for example, a smart phone). Note that the terminal 20 of the second embodiment is connected to the authentication server 10 by wire or wirelessly.

  The authentication server 10 is connected to an authentication database 11 that stores information such as a user ID and a password via a network (intranet or the Internet). The authentication server 10 performs processing for referring to data registered in the authentication database 11. Further, the authentication server 10 can instruct the authentication database 11 to register new data, delete data, and change data.

  The authentication server 10 is connected to various servers (service providing servers) such as a mail server 31, a file server 32, a shopping server 33, and a photo server 34 via a network. For example, the mail server 31 provides a mail service related to the user ID that the authentication server 10 permits authentication. In addition, the file server 32 provides a file service related to the user ID permitted by the authentication server 10 for authentication. In addition, the shopping server 33 provides a shopping service related to the user ID that the authentication server 10 permits authentication. In addition, the photo server 34 provides a photo service related to the user ID that the authentication server 10 has authorized. In other words, the user only needs to remember one user ID and password, and if authentication to the authentication server 10 is permitted, single sign-on that can receive service from various servers 31 to 34 becomes possible. . Note that when data such as authentication permission or disapproval is transmitted between the authentication server 10 and the various servers 31 to 34, data encryption may be performed using SSL / TLS or the like.

2-2. Configuration FIG. 9 is an example of a functional block diagram of the authentication system according to the second embodiment. Note that the authentication system according to the second embodiment does not need to include all the units illustrated in FIG. 9, and may have a configuration in which some are omitted.

  First, the function of the authentication server 10 will be described. The storage unit 170 serves as a work area for the processing unit 100 and the like, and its function can be realized by hardware such as RAM (VRAM).

  The information storage medium 180 can be read by a computer, and the information storage medium 180 stores programs, data, and the like. That is, the information storage medium 180 stores a program for causing a computer to function as each unit of the second embodiment (a program for causing a computer to execute the processing of each unit). That is, the processing unit 100 can perform various processes of the second embodiment based on data read from a program (data) stored in the information storage medium 180.

  For example, the information recording medium 180 is an optical disk (CD, DVD), a magneto-optical disk (MO), a magnetic disk, a hard disk, a magnetic tape, a memory (ROM), a memory card, or the like.

  The processing unit 100 performs various processes of the second embodiment based on a program (data) stored in the storage unit 170. Note that the processing unit 100 according to the second embodiment reads a program and data stored in the information storage medium 180, stores the read program and data in the storage unit 170, and performs processing based on the program and data. You may go.

  The processing unit 100 (processor) performs various processes using the main storage unit in the storage unit 170 as a work area. The functions of the processing unit 100 can be realized by hardware such as various processors (CPU, DSP, etc.) and programs.

  The processing unit 100 includes a communication control unit 111, an image code information transmission processing unit 116, a registration processing unit 118, and an authentication determination unit 114.

  The communication control unit 111 performs a process of transmitting / receiving data to / from the terminal 20 via a network (intranet or the Internet).

  For example, the communication control unit 111 performs a process of receiving a user ID and password transmitted by the terminal 20. Further, the communication control unit 111 may transmit authentication permission or disapproval to the terminal 20.

  In addition, the communication control unit 111 performs processing for transmitting and receiving data to and from the authentication database 11 and various servers such as the mail server 31, the file server 32, the shopping server 33, and the photo server 34 via a network (intranet or the Internet). For example, the communication control unit 111 may transmit authentication permission or disapproval to the various servers 31 to 34.

  When receiving the image code transmission request from the first terminal, the image code information transmission processing unit 116 receives the first condition regarding the validity of the user ID and the password received together with the image code transmission request, and the first terminal. To determine a second condition relating to the validity of the address information of the transmission source, generate authentication information when the first condition and the second condition are satisfied, and display the authentication information as an image code The image code information is transmitted to the first terminal that requested the image code transmission.

  When the registration processing unit 118 receives the registration request for the authentication terminal identification information from the second terminal, the registration processing unit 118 receives the first condition regarding the validity of the user ID and the password received together with the registration request, and the registration request. A third condition relating to the validity of the information of the image code for authentication is determined, and if the first condition and the third condition are satisfied, it is determined that the registration requirement is satisfied, and the second condition The terminal identification information for authentication received from the terminal is registered in the authentication database.

  Upon receipt of the given processing request from the second terminal, the authentication determination unit 114 receives the first condition regarding the validity of the user ID and password received together with the given processing request, and the processing request. The fourth condition relating to the validity of the authentication terminal identification information and the third condition relating to the validity of the information of the authentication image code received together with the processing request are determined, the first condition, the fourth condition If the condition and the third condition are satisfied, it is determined that the processing requirement is satisfied, and the given processing request is permitted.

  The image code information transmission processing unit 116 generates authentication information including first key information in response to the image code transmission request, generates the image code information based on the authentication information, and also generates the first key information. The information may be stored in the storage unit as transmitted first key information.

  In addition, the registration processing unit 118 determines whether or not the first key information included in the authentication image code information received together with the registration request matches the transmitted first key information. It may be determined that the third condition is satisfied on the condition that

  Further, the authentication determination unit 114 determines whether or not the first key information included in the information of the authentication image code received together with the given processing request matches the transmitted first key information, It may be determined that the third condition is satisfied on condition that they match.

  The image code information transmission processing unit 116 may generate authentication information including user specifying information corresponding to the user ID received together with the image code transmission request.

  In addition, the registration processing unit 118 determines whether or not the user specifying information included in the authentication image code information received together with the registration request corresponds to the received user ID. It may be determined that the third condition is satisfied.

  Further, the authentication determination unit 114 determines whether or not the user specifying information included in the authentication image code information received together with the given processing request corresponds to the received user ID. It may be determined that the third condition is satisfied on the condition that

  The image code information transmission processing unit 116 may generate authentication information including electronic authentication information based on the second key associated with the authentication server.

  In addition, the registration processing unit 118 has electronic authentication information based on the second key included in the information of the authentication image code received together with the registration request corresponding to the second key associated with the authentication server. It may be determined whether the third condition is satisfied on the condition that it is a corresponding one.

  In addition, the authentication determination unit 114 receives electronic authentication information based on the second key included in the authentication image code information received together with the given processing request as the second key associated with the authentication server. It may be determined whether or not it corresponds, and it may be determined that the third condition is satisfied on the condition that it corresponds.

  The authentication determination unit 114 determines permission or disapproval of a given processing request (for example, a request for browsing a file or mail) from the terminal. First, when the first condition of whether or not the received user ID and password are valid (for example, whether or not the user ID and password registered in the authentication database in advance matches) is judged to be valid Includes the third condition whether the address information of the transmission source is a predetermined address (for example, the IP address of the gateway of the organization network), or the authentication terminal identification information received together with the given processing request Determines whether or not it matches the authentication terminal identification information registered in the authentication database and satisfies the first condition and the third condition, or the first condition If the fourth condition is satisfied, a given processing request may be permitted.

  The authentication determination unit 114 determines whether or not a given processing request (for example, a file or mail browsing request) is legitimate. The authentication processing unit 114 uses the first condition as to whether the received user ID and password are valid, and the authentication terminal identification information received from the second terminal for the authentication registered in the authentication database. The fourth condition for determining whether or not it matches the terminal identification information is determined, and if the first condition and the fourth condition are satisfied, a given processing request (for example, a file or mail browsing request) is legitimate. It may be from a legitimate user's legitimate terminal and allow a given processing request.

The authentication server 10 includes an authentication database 11. Information such as a user ID, password, address information, certification information, and authentication terminal identification information is registered (stored and stored) in the authentication database 11. In the second embodiment, information may be registered in the authentication database 11 in advance based on input information from the administrator. Information update processing and information deletion processing may be performed based on input information from the administrator. In the second embodiment, the authentication server 10 may perform a registration process. For example, the authentication server 10 may register a user ID, a password, authentication terminal identification information, and the like based on a registration request from the terminal 20. In the second embodiment, the authentication server 10 may perform update processing. For example, the authentication server 10 may update the user ID, password, and the like based on an update request from the terminal 20. In the second embodiment, the authentication server 10 may perform the deletion process. For example, the authentication server 10 may delete the user ID, password, and the like based on a deletion request from the terminal 20. In the second embodiment, the storage unit (storage area) of the authentication database 11 is physically separated from the storage unit 170 (storage area) of the authentication server 10. Data in the database 11 may be stored.

  The processing unit 100 according to the second embodiment may include a Web processing unit (not shown) that functions as a Web server. For example, the Web processing unit receives data transmitted by the Web browser 210 of the terminal 20 through processing of transmitting data in response to a request from the Web browser 210 installed in the terminal 20 through HTTP (Hypertext Transfer Protocol). Process. In particular, in the second embodiment, the Web processing unit provides a login screen for performing user authentication, and performs a process of receiving user information such as a user ID and a password transmitted by the Web browser 210 of the terminal 20. You may do it.

  The first terminal 20 is a computer, a smartphone, a tablet computer, a mobile phone, a game machine, or the like.

  The storage unit 270 serves as a work area for the processing unit 200 and the like, and its function can be realized by hardware such as RAM (VRAM).

  The information storage medium 280 can be read by a computer, and the information storage medium 280 stores programs, data, and the like. That is, the information storage medium 280 stores a program for causing a computer to function as each unit of the second embodiment (a program for causing a computer to execute the processing of each unit). That is, the processing unit 200 can perform various processes of the second embodiment based on data read from a program (data) stored in the information storage medium 280.

  For example, the information recording medium 280 is an optical disk (CD, DVD), a magneto-optical disk (MO), a magnetic disk, a hard disk, a magnetic tape, a memory (ROM), a memory card, or the like.

  The processing unit 200 performs various processes of the second embodiment based on a program (data) stored in the storage unit 270. Note that the processing unit 200 according to the second embodiment reads a program or data stored in the information storage medium 280, stores the read program or data in the storage unit 270, and performs processing based on the program or data. You may go.

  The processing unit 200 (processor) performs various processes using the main storage unit in the storage unit 270 as a work area. The functions of the processing unit 200 can be realized by hardware such as various processors (CPU, DSP, etc.) and programs.

  The processing unit 200 includes a web browser 210 and a communication control unit 211. The terminal 20 can display information from a Web server specified by a URL (Uniform Resource Locator) via the Internet using the Web browser 210. For example, when the authentication is permitted in the authentication server 10, the terminal 20 displays the mail information (user received mail, transmitted mail, etc.) of the user ID of the terminal 20 from the mail server 31 having the Web server function. Can be made.

  The communication control unit 211 performs processing for transmitting / receiving data to / from the authentication server 10, various servers 31 to 34, and the like via a network. For example, the communication control unit 211 performs a process of transmitting the user ID and password input from the input unit 220 to the authentication server 10. Further, the communication control unit 211 may transmit the certification information to the authentication server 10 when the certification information is set in the Web browser 210 in advance. Further, the communication control unit 211 may receive the authentication determination result (permitted or not permitted) from the authentication server 10. Further, the communication control unit 211 may receive mail information related to the user ID of the terminal 20 from the mail server 31 when authentication is permitted by the authentication server 10.

  The input unit 220 is an input device (controller) for inputting input information from the user (operator), and outputs the user input information to the processing unit 200. The input unit 220 of the second embodiment may include a detection unit that detects user input information (input signal). For example, the input unit 220 detects input information of a keyboard and detects a touch position (touch position) of a touch panel display.

  The input unit 220 may be an input device including an acceleration sensor that detects triaxial acceleration, a gyro sensor that detects angular velocity, and an imaging unit. The input unit 220 also includes a terminal 20 (smart phone, mobile phone, mobile terminal, portable game device) integrated with an input device.

  The display unit 290 outputs Web browser information and images, and the function can be realized by a CRT, LCD, touch panel display, HMD (head mounted display), or the like.

  The Web browser 210 and the communication control unit 211 function as an image code transmission request unit that transmits an image code transmission request to the authentication server together with the received user ID and password.

  Web browser 210 and display unit 290 receive image code information transmitted by the authentication server in response to the image code transmission request, and display an image code on the display unit based on the image code information Functions as a means.

  The second terminal 20 is a computer, a smartphone, a tablet computer, a mobile phone, a game machine, or the like. The same components as those of the first terminal are denoted by the same reference numerals and description thereof is omitted.

  The second terminal includes a photographing unit 250 and functions as photographing means for photographing the image code.

  In addition, a dedicated Web browser application is installed in the second terminal, and functions as a dedicated Web browser 210 ′ with limited functions as a normal Web browser.

  The dedicated web browser 210 ′ may be a web browser in which file download is prohibited. Further, the file may be deleted after browsing the file. Further, it may be a Web browser in which updating, copying, etc. of the file being browsed is prohibited.

The dedicated web browser 210 ′ and the communication control unit 211 include the captured image code or the authentication information obtained by decoding the image code, the terminal identification information for authentication of the own device, the received user ID and password, It functions as a registration request means for transmitting a registration request for authentication terminal identification information to the authentication server.

  The dedicated Web browser 210 ′ may generate and store authentication terminal identification information of the second terminal, decode an image code, request registration of authentication terminal identification information, and the like.

2-3. Process 2-3-1 of the second embodiment. Outline of Processing In the second embodiment, a smartphone for user A to access various service providing servers (for example, 31, 32, 33, and 34 in FIG. 8) using a smartphone (an example of a second terminal). An example of registering the authentication terminal identification information in the authentication server will be described. The user A logs in to a first terminal (for example, 20-A in FIG. 8) connected to the organization network and makes an image code transmission request to the authentication server. Upon receiving the image code transmission request, the authentication server 10 determines the validity of the request. If the authentication server 10 determines that the request is valid, the authentication server 10 generates authentication information and displays image code information for displaying the authentication information as an image code. The image code transmission request is transmitted to the first terminal.

  The first terminal (for example, 20-A in FIG. 8) that has received the image code information displays the image code (90 in FIG. 8) on the display unit. The user A captures the image code (90 in FIG. 8) displayed on the display unit of the first terminal with the second terminal (for example, 20-C in FIG. 8), and acquires the image code. Then, a request for registration of the authentication terminal identification information is transmitted to the authentication server together with the authentication image code information and the authentication terminal identification information of the own device.

  The authentication server that has received the registration request determines the validity of the registration request, and if it is determined to be valid, registers the authentication terminal identification information of the second terminal in the authentication server.

  When the terminal identification information for authentication of the second terminal is registered in the authentication server, the user A accesses various service providing servers (for example, 31, 32, 33, and 34 in FIG. 8) using the second terminal. Will be able to.

  Thus, the terminal identification information for authentication of the second terminal can be registered in the authentication server using the image code information that can be acquired only by the user who can access the terminal connected to the organization network. Accordingly, it is possible to ensure the legitimacy of the identified terminal that permits access from a network outside the organization with a simple user interface.

  In addition, when the identity of the user who made the image code information transmission request and the user who made the registration request is the registration requirement of the authentication terminal identification information, the user B uses the image code transmitted to the user A himself / herself. Even if the image is taken with a smartphone (for example, the terminal 20-D in FIG. 8) and a registration request for authentication terminal identification information is transmitted, registration of the authentication terminal identification information of the own smartphone is not permitted.

  When permitting registration of one piece of authentication terminal identification information for the transmitted image code, the user A photographs the image code at the terminal 20-C and makes a registration request. When the image code is photographed at -D and a registration request is made, registration of only the terminal 20-C related to the earliest registration request may be permitted.

2.3.2 Authentication Database FIG. 10A is an example of user authentication information registered in the authentication database 11. The user authentication information 300 includes a user ID (user identification information, user name) 310 and a password 320. Further, authentication terminal identification information 330 may be included, and when authentication terminal identification information 330 is not registered, NULL may be set. Password 3
20. The authentication terminal identification information 330 may be registered in association with the user ID 310.

  When the user and the authentication terminal identification information 330 are not associated with each other, the authentication terminal identification information may be registered without being associated with the user ID.

  FIG. 10B is an example of address authentication information registered in the authentication database 11. The address authentication information 350 includes an organization ID (organization identification information) 360, an organization name 370, and an IP address of the network of the organization (IP address of the gateway of the network) 380. That is, the organization name and the IP address of the organization network may be registered in association with the organization ID.

  FIG. 11 is an example of management information stored in the authentication database. The management information 400 includes information necessary for authentication of a registration request corresponding to the transmitted image code information in relation to the transmission of the image code information.

  When image code information including the first key information is transmitted, the management information 400 may include the transmitted first key information 420. Also, the image code creation date and time information 430, the image code expiration date and time information (registration request acceptance time limit information corresponding to the image code) 440, the user ID 450 that transmitted the image code, the registration status 460 for the image code, and the like. The image code management number 410 may be stored in association with it. Note that the image information itself of the image code may be stored.

2-3-3. Processing of Authentication System FIG. 12 is a diagram illustrating an example of processing of the authentication system.

  The second terminal 20-2 may be a mobile terminal such as a smartphone. In the second terminal 20-2, a dedicated Web browser application is installed at least before t9, and the authentication terminal identification information of the own device is generated. The second terminal 20-2 communicates with the authentication server 10 using the dedicated Web browser. Moreover, you may perform the process which memorize | stores the produced | generated authentication terminal identification information as a cookie of a web browser. “Cookie” is HTTP cookie and indicates information stored in a Web browser. For example, when the second terminal 20-2 accesses the authentication server 10 via the Internet using a dedicated Web browser, the input user ID, password, and authentication terminal identification information set as a Web browser cookie May be transmitted to the authentication server 10.

  The second terminal 20-2 uses a dedicated Web browser when accessing various service providing servers (for example, 31, 32, 33, 34 in FIG. 8) managed by the authentication server. In a dedicated Web browser, the functions of a normal Web browser are limited, file downloading, etc. are prohibited, information is deleted after browsing, etc., updating, copying, etc. of the file being browsed is prohibited ing.

  The first terminal 20-1 is, for example, a terminal having a predetermined IP address (a terminal connected to a LAN in a predetermined organization such as the terminals 20-A and 20-B in FIG. 8).

  For example, when the user A inputs an image code transmission request instruction from the first terminal 20-1, the first terminal 20-1 uses the logged-in user ID and password to the authentication server for an image for registration authentication. A code transmission request is transmitted (t1).

Upon receiving the image code transmission request, the authentication server 10 performs a transmission source address determination process for determining whether the transmission source address information is an access from a network in the organization (t2). The authentication server 10 may determine whether or not the address information of the transmission source of the terminal 20-1 matches the address information of the network of the organization registered in the authentication database 11 (second condition). Specifically, the IP address of the transmission source (access source) of the terminal 20-1 is detected from the packet information received from the terminal 20-1, and the IP address of the transmission source is registered in the authentication database. To determine whether or not. For example, when the IP address of the transmission source of the terminal 20-A is “122.200.243.240”, as shown in FIG. 10B, the authentication database is used as the IP address of the network “XX company”. 11, it is determined that the access is from the network of the organization (XX company).

  Further, it is determined whether the user ID and password received from the first terminal 20-1 are correct (first condition) (t3). That is, it is determined whether or not the user ID and password received from the terminal 20-1 match the user ID registered in the authentication database 11 and the password (corresponding to the user ID).

  If it is determined that the first condition and the second condition are satisfied, the authentication server generates authentication information. The authentication information may include information on a first key for authentication (for example, a common key generated for each image code transmission request). The authentication information may include user identification information such as a user ID. Further, the authentication information may include electronic authentication information based on second key information (for example, a public key cryptosystem private key possessed by the authentication server). The authentication information may also include a list of domain names and URLs that are allowed to be accessed from the second terminal, the date and time when the authentication information was created, the date and time of expiration, and the like.

  A different first key for authentication may be generated for each image code transmission request.

  An image code is generated based on the authentication information (t5). The image code may be a QR code (registered trademark) or a barcode, or other two-dimensional code or three-dimensional code.

  Then, the image code information is transmitted to the first terminal 20-1 that is the image code transmission request source (t7), and information necessary for collating the registration request in association with the transmitted image code information is used as the management information 400. Store in the storage unit (t6). Note that the image code information may be image information itself of the image code, or information (for example, authentication information and an image code generation command) for displaying the image code on the first terminal. Alternatively, the transmitted first key may be stored in association with the user ID that has requested the image code transmission, and the authentication terminal identification information may be registered when a registration request is made with the same user ID.

  The first terminal 20-1 that has received the image code information displays the image code on the display unit (t8).

  The first terminal 20-1 may automatically end the display of the image code after a predetermined time has elapsed. In this way, it is possible to prevent a third party from acquiring the image code.

  When the user A photographs the image code displayed on the display unit of the first terminal 20-1 with the photographing unit of the second terminal 20-2, the second terminal 20-2 acquires the image code. (T9).

Then, the second terminal 20-2 uses the logged-in user ID and password to the authentication server to obtain the authentication image code information (the image information itself of the image code or the authentication information included in the image code). And the authentication terminal identification information registration information (information generated by the dedicated Web browser application) is transmitted (t10). The second terminal 20-2 may transmit the image information of the image code to the authentication server, acquire the authentication information by decoding the image code, and authenticate the acquired authentication information or part of the information. It may be sent to the server.

  The authentication server 10 that has received the registration request determines whether or not the user ID and password received from the second terminal 20-2 are correct (first condition) (t11).

  Next, a process for determining the validity of the received authentication information or image code (third condition) is performed (t12). For example, the validity of the image code may be determined by determining whether or not the image code itself matches the image code transmitted from the authentication server. Alternatively, the authentication information may be acquired by decoding the image code, and it may be determined whether the acquired authentication information is valid. For example, when the authentication information includes first key information, it may be determined whether or not the first key information matches any of the first key information stored as management information. When requesting that the user who made the image code transmission request and the user making the registration request by acquiring the image code transmitted in response to the image code transmission request match, FIG. ), The image code is stored in association with the user ID, and the first key information and user ID received together with the registration request correspond to the first key registered as management information. May be determined to be valid.

  For example, when the authentication information includes user specifying information, it may be determined whether or not the user specifying information corresponds to the user ID that has made the registration request.

  Further, for example, when the authentication information includes electronic authentication information based on the second key (for example, the public key cryptosystem private key possessed by the authentication server) information, the received authentication image code information (image code) It may be determined whether the image information or the authentication information included in the image code corresponds to the second key. By doing so, it can be assured that the image code and the authentication information are not forged and acquired by photographing what is displayed on the first terminal.

  For example, when the authentication information includes an authentication information creation date and time, an expiration date and time, etc., it may be determined whether or not the registration request reception date and time is permitted. The authentication information itself may be stored as management information without including the authentication information creation date and time, the expiration date and time, and the like. Then, the reception date / time of the registration request is determined based on the authentication information creation date / time, expiration date / time, etc. (refer to 420 and 430 in FIG. 11) stored as management information corresponding to the registration request (for example, management information matching the first key). It may be determined whether or not it is permitted. In this way, it is possible to permit only a registration request made within a predetermined period from the time of image code transmission or to prompt re-registration.

  If it is determined that the registration request is valid, the authentication terminal identification information related to the registration request is registered in the authentication database (t13).

  For the user ID received together with the image code transmission request, an approval request is made to another terminal or another server (for example, an approval request is issued to the administrator terminal), and if it is approved, the authentication terminal identification related to the registration request Information may be registered in the authentication database.

  The authentication terminal identification information that can be registered corresponding to one image code may be limited to one. In this case, the terminal identification information for authentication that made the registration request first with respect to the first key may be registered. For example, the registration status may be managed in the registration status 460 shown in FIG. 11 and may not be registered if the same image code has already been registered. In this way, the authentication terminal identification information that can be registered corresponding to one image code can be limited to one.

  Further, a plurality of authentication terminal identification information may be registered corresponding to one image code.

  Further, when accessing the various service providing servers (for example, 31, 32, 33, 34 in FIG. 8) managed by the authentication server from the second terminal 20-2, the authentication server is used with the logged-in user ID and password. An authentication request is transmitted to (t14). At this time, the terminal identification information for authentication and the authentication information acquired by decoding the image information or the image code of the image code, or a part of the authentication information may be transmitted to the authentication server.

  Upon receiving the authentication request, the authentication server 10 determines whether the user ID and password received from the second terminal 20-2 are correct (first condition) (t15).

  Next, a validity judgment process (fourth condition) of the authentication terminal identification information of the second terminal received together with the authentication request is performed (t16).

  Next, a process for determining the validity of the received authentication information or image code (third condition) is performed (t17).

  If the first condition, the fourth condition, and the third condition are satisfied, it is determined that the access is valid.

2-3-4. Processing Flow of Authentication Server FIG. 13 is a flowchart showing a flow of image code transmission processing of the authentication server according to the second embodiment.

  Upon receiving the image code transmission request, the authentication server performs the following process (Y in step S210). Determine whether access is from the organization's network. Whether the access is from the organization network may be determined, for example, based on the IP address of the image code transmission request source. If it is determined that the access is from the organization network (Y in step S220), it is determined whether the user ID and password are valid. Whether the user ID and password are valid may be determined based on whether or not the user ID and password are registered in the authentication database with reference to the authentication database.

  If it is determined that the user ID and password are valid (Y in step S230), authentication information is generated (step S240), and an image code is generated based on the authentication information (step S250).

  Then, the authentication server transmits the image code information to the first terminal that requested the image code transmission (step S260), and stores management information corresponding to the transmitted image code information in the storage unit (step S270).

  FIG. 14 is a flowchart illustrating the flow of registration processing of authentication terminal identification information of the authentication server according to the second embodiment.

  When receiving the registration request for authentication terminal identification information, the authentication server performs the following process (Y in step S310). It is determined whether the user ID and password are valid. Whether the user ID and password are valid may be determined based on whether or not the user ID and password are registered in the authentication database with reference to the authentication database.

  If it is determined that the user ID and password are valid (Y in step S320), it is determined whether or not the information of the image code for authentication is valid. The validity of the authentication image code information is determined whether or not the authentication image code information matches the authentication image code information sent by the authentication server. You may judge.

  When it is determined that the authentication image code information is valid (Y in step S330), the authentication terminal identification information is registered in the authentication database (step S340).

  FIG. 15 is a flowchart illustrating a flow of authentication processing of the authentication server according to the second embodiment.

  When receiving the given processing request, the authentication server performs the following processing (Y in step S410). It is determined whether the user ID and password are valid. Whether the user ID and password are valid may be determined based on whether or not the user ID and password are registered in the authentication database with reference to the authentication database.

  If it is determined that the user ID and password are valid (Y in step S420), it is determined whether the access is from an organization network. Whether the access is from an organization network may be determined by the IP address of a given processing request source. If it is determined that the access is not from the network of the organization (N in step S430), it is determined whether or not authentication terminal identification information has been received. If received (Y in step S440), the received authentication It is determined whether the terminal identification information matches the authentication terminal identification information registered in the authentication database. If it is determined that they match (Y in step S450), it is determined whether or not the information of the image code for authentication is valid. If it is determined that the image code information for authentication is valid (Y in step S455), the given processing request is permitted (step S460).

2-3-5. Second Terminal In the second embodiment, a dedicated Web browser 50 that is prohibited from downloading files may be installed in the second terminal 20-2. The dedicated Web browser is a Web browser used when accessing various service providing servers (for example, 31, 32, 33, 34 in FIG. 8) managed by the authentication server. The dedicated Web browser may perform processing of deleting a file after browsing or prohibiting copying of an elephant in the document of the file being browsed.

  The dedicated Web browser may generate the terminal identification information for authentication of the installed terminal and store it in the terminal. Further, when receiving an instruction input for a registration request for authentication terminal identification information from a user, a process for generating a registration request and transmitting it to the authentication server as authentication terminal identification information of the terminal may be performed.

  Further, when accessing various service providing servers (for example, 31, 32, 33, 34 in FIG. 8) managed by the authentication server, an authentication request is transmitted to the authentication server together with authentication terminal identification information, and the access is made. Access processing may be performed when permission is obtained.

2-3-6. Others In the above-described embodiment, the case where the authentication server 10 generates an image code has been described. However, the present invention is not limited to this. The authentication server 10 may be configured to transmit authentication information and an image code such as an image code generation command as image code information for displaying on the first terminal. Then, the first terminal that has received the image code information may generate an image code based on the authentication information.

  In the above embodiment, the authentication information included in the image code is determined by the authentication server as an example. However, the second terminal 20-2 may determine the authentication information included in the image code. .

  For example, the second terminal 20-2 decodes the acquired image code to acquire authentication information. If the authentication information includes user information, does the second terminal 20-2 correspond to the currently logged-in user ID? It is also possible to make a registration request for authentication terminal identification information on the condition that it is determined whether or not to respond.

  In addition, the second terminal 20-2 acquires authentication information by decoding the acquired image code, and when the authentication information includes electronic authentication information based on a second key (a secret key of a public key cryptosystem) It may be determined whether or not it corresponds to the second key, and a request for registration of authentication terminal identification information may be made on the condition that it corresponds.

  In the above embodiment, as an example of the user ID / password determination process, the authentication server has described the process of determining using the password stored in the authentication database in advance, but without storing the password in the authentication database, The user ID / password determination process may be delegated to another system.

10 authentication server, 11 authentication database, 100 processing unit, 111 communication control unit,
112 determination unit, 112A first determination unit, 112B second determination unit,
112C third determination unit, 113 group determination unit, 114 authentication determination unit, 116 image code information transmission processing unit, 118 registration processing unit, 170 storage unit, 180 information storage medium, 20 terminals, 20-1 first terminal, 20-2 second terminal, 200 processing unit, 210 Web browser, 210 dedicated Web browser, 211 communication control unit, 220 input unit, 250 photographing unit, 270 storage unit, 280 information storage medium,
290 Display unit, 50 Web browsers forbidden to download

Claims (6)

An authentication server connected to the first terminal and the second terminal via a network,
When the image code transmission request is received from the first terminal, the first condition regarding the validity of the user ID and password received together with the image code transmission request, and the validity of the address information of the transmission source of the first terminal A second condition is determined, authentication information is generated when the first condition and the second condition are satisfied, and image code information for displaying the authentication information as an image code is transmitted as an image code Image code information transmission processing means for transmitting to the requesting first terminal;
When receiving a registration request for authentication terminal identification information from the second terminal, the first condition relating to the validity of the user ID and password received together with the registration request, and the authentication image code received together with the registration request The third condition relating to the validity of the information is determined, and if the first condition and the third condition are satisfied, it is determined that the registration requirement is satisfied, and the authentication received from the second terminal Registration processing means for performing processing for registering the terminal identification information for authentication in the authentication database;
When a given processing request is received from the second terminal, the first condition regarding the validity of the user ID and password received together with the given processing request, and the authentication terminal identification information received together with the processing request A fourth condition relating to the validity and a third condition relating to the validity of the information of the authentication image code received together with the processing request are determined, and the first condition, the fourth condition, and the third condition are determined. And an authentication processing unit that determines that the processing requirement is satisfied and permits the given processing request. In claim 1,
The image code information transmission processing means includes:
In response to the image code transmission request, authentication information including first key information is generated, the image code information is generated based on the authentication information, and the first key information is transmitted as first key information. Keep it in the storage,
The registration processing means includes
It is determined whether or not the first key information included in the information of the authentication image code received together with the registration request matches the transmitted first key information. Determining that the third condition is satisfied;
The authentication processing means includes
It is determined whether or not the first key information included in the authentication image code information received together with the given processing request matches the transmitted first key information. An authentication server that determines that the condition satisfies the third condition. In claim 1 or 2,
The image code information transmission processing means includes:
Generating authentication information including user identification information corresponding to the user ID received together with the image code transmission request;
The registration processing means includes
It is determined whether or not the user specifying information included in the authentication image code information received together with the registration request corresponds to the received user ID. Judging that the conditions of
The authentication processing means includes
It is determined whether or not the user specifying information included in the information of the image code for authentication received together with the given processing request corresponds to the received user ID. An authentication server that judges that the third condition is satisfied. In any one of Claims 1 thru | or 3,
The image code information transmission processing means includes:
Generating authentication information including electronic authentication information based on a second key associated with the authentication server;
The registration processing means includes
It is determined whether or not electronic authentication information based on a second key included in authentication image code information received together with the registration request corresponds to a second key associated with the authentication server. , On the condition that it corresponds, it is determined that the third condition is satisfied,
The authentication processing means includes
Whether the electronic authentication information based on the second key included in the authentication image code information received together with the given processing request corresponds to the second key associated with the authentication server And determining that the third condition is satisfied on the condition that it corresponds to the authentication server. An authentication system using a first terminal, a second terminal, and an authentication server,
The first terminal is
Image code transmission request means for transmitting an image code transmission request to the authentication server together with the received user ID and password;
Image code display processing means for receiving image code information transmitted by the authentication server in response to the image code transmission request and displaying the image code on a display unit based on the image code information,
The second terminal is
Photographing means for photographing the image code;
Along with the photographed image code or authentication image code information including at least a part of the authentication information acquired by decoding the image code, the terminal identification information of the own device, the received user ID and password Registration request means for transmitting a registration request for the authentication terminal identification information to the authentication server,
The authentication server is
When the image code transmission request is received from the first terminal, the first condition regarding the validity of the user ID and password received together with the image code transmission request and the validity of the address information of the transmission source of the first terminal Image code information for determining the second condition related to sex, generating authentication information when the first condition and the second condition are satisfied, and displaying the authentication information as an image code. Image code information transmission processing means for transmitting to the first terminal of the transmission request source;
When the registration request is received from the second terminal, the first condition relating to the validity of the user ID and password received together with the registration request, and the validity of the information of the authentication image code received together with the registration request If the third condition is determined, and the first condition and the third condition are satisfied, it is determined that the registration requirement is satisfied, and the authentication terminal identification information received from the second terminal is Registration processing means for registering in the authentication database;
When a given processing request is received from the second terminal, the first condition regarding the validity of the user ID and password received together with the given processing request, and the authentication terminal identification information received together with the processing request A fourth condition relating to the validity and a third condition relating to the validity of the information of the authentication image code received together with the processing request are determined, and the first condition, the fourth condition, and the third condition are determined. And an authentication processing unit that determines that the processing requirements are satisfied and permits the given processing request. A program for an authentication server connected to a first terminal, a second terminal, and a network,
When the image code transmission request is received from the first terminal, the first condition regarding the validity of the user ID and password received together with the image code transmission request, and the validity of the address information of the transmission source of the first terminal Determining a second condition relating to the first condition and the first condition.

Image code information transmission processing means for generating authentication information when the condition of 2 is satisfied and transmitting image code information for displaying the authentication information as an image code to the first terminal of the image code transmission request source; ,
When the registration request is received from the second terminal, the first condition regarding the validity of the user ID and password received together with the registration request, and the validity of the information of the image code for authentication received together with the registration request. 3 is determined, and if the first condition and the third condition are satisfied, it is determined that the registration requirement is satisfied, and the authentication terminal identification information received from the second terminal is authenticated. Registration processing means for registering in the database;
When a given processing request is received from the second terminal, the first condition regarding the validity of the user ID and password received together with the given processing request, and the authentication terminal identification information received together with the processing request A fourth condition relating to the validity and a third condition relating to the validity of the information of the authentication image code received together with the processing request are determined, and the first condition, the fourth condition, and the third condition are determined. When the above condition is satisfied, it is determined that the processing requirement is satisfied, and the computer functions as an authentication processing unit that permits the given processing request.

Images