JP6235647B2 - Estimation program, estimation apparatus, and estimation method - Google Patents

Description

  The present invention relates to an estimation program, an estimation apparatus, and an estimation method.

  In recent years, communication networks have become widespread, and services via networks are actively provided. For example, a user logs in to a service provided via a network using a communication terminal device and uses the service. When logging in to the service, the user is required to authenticate the user who uses the service.

  As a technique for personal authentication in a network, a technique is known in which a desired service can be used with a single login by establishing reliability of a user's identity (for example, Patent Document 1).

Special table 2013-501984 gazette

  However, in the above-described conventional technology, it may be difficult to perform authentication using an appropriate authentication strength. For example, the user may be required to authenticate stronger than necessary from the service side. That is, even when a user uses a simple service, the user may be required to perform excessive authentication efforts. On the other hand, even when a user uses a service for which high safety is desired to be secured, authentication with weak strength may be required. In such a case, the user is forced to perform authentication with a strength that does not match the usage mode of the service.

  However, as an actual problem, it is difficult to set an authentication strength common to all services according to the mode of the network service. In addition, there is a service in which an appropriate authentication strength is not set in the first place, and the user may not be able to use the service with peace of mind.

  The present application has been made in view of the above, and an object thereof is to provide an estimation program, an estimation apparatus, and an estimation method capable of performing authentication using an appropriate authentication strength.

  The estimation program according to the present application estimates an authentication level of authentication related to the service content based on an acquisition procedure for acquiring service-related information that is information related to predetermined service content and the service-related information acquired by the acquisition procedure. The terminal apparatus is caused to execute an estimation procedure and a response procedure for responding to authentication related to the service content based on the authentication level estimated by the estimation procedure.

  According to one aspect of the embodiment, there is an effect that authentication can be performed using an appropriate authentication strength.

FIG. 1 is a diagram illustrating an example of an estimation process according to the embodiment. FIG. 2 is a diagram illustrating a configuration example of the estimation processing system according to the embodiment. FIG. 3 is a diagram illustrating a configuration example of a user terminal according to the embodiment. FIG. 4 is a diagram illustrating an example of the authentication unit table according to the embodiment. FIG. 5 is a diagram illustrating an example of a context table according to the embodiment. FIG. 6 is a diagram illustrating an example of the definition table according to the embodiment. FIG. 7 is a diagram illustrating an example of a domain table according to the embodiment. FIG. 8 is a diagram illustrating an example of a metadata table according to the embodiment. FIG. 9 is a diagram illustrating an example of a history table according to the embodiment. FIG. 10 is a flowchart illustrating a processing procedure according to the embodiment. FIG. 11 is a hardware configuration diagram illustrating an example of a computer that realizes the function of the estimation device.

  Hereinafter, modes for carrying out an estimation program, an estimation device, and an estimation method according to the present application (hereinafter referred to as “embodiments”) will be described in detail with reference to the drawings. In addition, the estimation program, the estimation apparatus, and the estimation method according to the present application are not limited by this embodiment. In addition, the embodiments can be appropriately combined within a range that does not contradict processing contents. In the following embodiments, the same portions are denoted by the same reference numerals, and redundant description is omitted.

[1. Example of estimation process)
First, an example of the estimation process according to the embodiment will be described with reference to FIG. FIG. 1 is a diagram illustrating an example of an estimation process according to the embodiment. FIG. 1 shows an example of processing in which an estimation device that executes an estimation program according to the present application estimates an authentication level in a service (generally expressed as LoA (Levels of Identity Assurance)). In the embodiment, an example in which an authentication level estimation process is performed by the user terminal 10 that is an apparatus corresponding to the estimation apparatus according to the present application will be described.

  A user terminal 10 shown in FIG. 1 is an information processing terminal used by a user U01. In FIG. 1, the user terminal 10 is, for example, a smartphone.

  A service server 100 shown in FIG. 1 is a server device that provides predetermined service content. For example, the service server 100 is a web server. In this case, the service server 100 provides a web page to the user terminal 10 as service content.

  When the user U01 uses service content, the service server 100 side may be required to authenticate the identity of the user U01. For example, when the service server 100 provides service content related to a shopping site, the service server 100 needs to confirm whether the user who intends to purchase a product using the shopping site is really the user U01. Therefore, the user U01 performs a predetermined authentication process on the service server 100 in order to indicate that the user U01 is truly the user U01.

  For example, when the service server 100 provides a portal site, the service server 100 may authenticate the user U01 in order to provide the user U01 with a page customized for the user U01. In this case, the service server 100 may be able to authenticate the user U01 based on a cookie exchanged with the user U01, for example, without receiving information (password or the like) used for authentication from the user U01.

  As illustrated, various authentication processes are performed on the communication network. An authentication level exists in authentication processing performed between the client side such as the user terminal 10 and the server side such as the service server 100. The authentication level indicates the degree of reliability in authentication. In general, the higher the authentication level, the more complicated authentication processing is performed on the client side, and more reliable information is input to confirm the identity. Required. This is because the higher the authentication level, the more strongly the client side needs to be shown to be the user. That is, as the authentication level is higher, the client side is required to execute an authentication means with higher authentication strength. For example, when the service server 100 is a financial institution, it is desirable to strictly confirm the identity of the user who uses the service. Therefore, the authentication level required for the user to use the service is set high. . In the embodiment, it is assumed that the authentication level is indicated by a numerical value in four stages, “4” being the highest authentication level and “1” being the lowest authentication level.

  Generally, an authentication means with high authentication strength is realized by presenting credential information (Credential Information) that is difficult for a third party other than the user to use on the server side. An example is authentication using the user's own biometric information. For example, the user registers his / her fingerprint data, iris data, voiceprint data, and the like as correct answer data, and presents his / her biological information to the server side as information used for authentication. Since the biometric information is extremely difficult for a person other than the user himself / herself, it is determined that the user who presented the information is highly reliable that the user himself / herself is registered in advance on the server side. For authentication, not only correct data is registered on the server side, but also correct data may be registered on the client side. In this case, the user terminal 10 collates the biometric information on the user terminal 10 side, and transmits result information indicating that authentication by biometric information has been performed to the service server 100 as information used for authentication. In this way, authentication processing that requires strong authentication means such as biometric information can be said to be authentication processing with a high authentication level.

  On the other hand, the authentication means using a password or the like can be said to be an authentication means with relatively low authentication strength because it is credential information that can be easily used by someone else impersonating the user. It should be noted that the authentication strength of the password can be increased by increasing the length of the character string used as the password and the type of character. As other authentication means that are difficult for others to use, one-time password authentication and the like can be cited.

  In addition to the above-described authentication means, in the embodiment, the user terminal 10 may adopt a means called context authentication that is authentication using the context of the user U01. This is a means for authenticating the identity of the user U01 based on the daily context of the user U01.

  In the embodiment, the context refers to a situation where the user terminal 10 is used. Information for specifying a context is referred to as context information. The context information includes, for example, device information of the user terminal 10 itself, environment information in which the user terminal 10 is used by the user U01, information indicating a state where the user U01 possessing the user terminal 10 is placed, Information on other users related to the user U01, information on terminals used by the user U01 and other than the user terminal 10, and the like may be included. The context may be specified not only by a single element but also by a combination of a plurality of elements. That is, the context information may be a combination of the device information and environment information described above.

  For example, when the position information of the user terminal 10 is acquired by the user terminal 10 and the same position information is repeatedly acquired every day from midnight to morning, the position information is estimated to indicate the home of the user U01. Is done. When the user terminal 10 accesses the service server 100, if the location information at the time of access indicates the home of the user U01, it can be said that the user who performed the access is highly likely to be the user U01. .

  The context information has different authentication levels that can be handled depending on the combination of contexts acquired according to the situation of the user terminal 10 or the user U01. For example, when the user terminal 10 accesses the service server 100, the position information is home, and the identification information of the access point when accessed is identification information that is routinely observed, and Other devices that are performing near field communication with the user terminal 10 are nearby (for example, a router for Wi-Fi (registered trademark) connection, a keyboard connected to Bluetooth (registered trademark), etc.), etc. If all the conditions are met. In this case, it can be said that the user who accessed using the user terminal 10 is very likely to be the user U01. When context information with such conditions (in other words, context information in which a plurality of elements are combined) is used for authentication, the authentication level corresponding to the context information is set to be relatively high.

  When context authentication is performed between the service server 100 and the user terminal 10, the user terminal 10 transmits the context information held by the user terminal 10 to the service server 100. For this reason, the user U01 does not need to input a password, fingerprint data, or the like. Thus, the user U01 can use the service without performing troublesome authentication processing.

  As described above, the user U01 can employ various authentication means in order to authenticate the identity of the user U01. Here, there are various service contents provided by the service server 100, and each service side determines what level of credential information (for example, context information) is received from the user terminal 10, and the identity of the user. It may be difficult to determine whether to authenticate, that is, whether the service can be used safely. However, if an excessively high authentication level is requested on the service side, the user may be required to use an unnaturally strong authentication means even if he wants to use the service quickly for a simple service. There is.

  Therefore, the user terminal 10 according to the embodiment estimates an appropriate authentication level for each service on the client side, and responds with credential information that matches the estimated level. Thereby, since the user terminal 10 can perform an authentication process at the authentication level according to the content of the service, it can perform appropriate authentication. In other words, the user terminal 10 can automatically estimate an appropriate authentication level in the service and return the credential information according to the authentication level to the service server 100 without any explicit from the service side.

  In the example of FIG. 1, the user terminal 10 includes an authentication information storage unit 151 that holds information that can be used as credential information (hereinafter referred to as “authentication information”). In the example illustrated in FIG. 1, the user terminal 10 holds context information and information indicating an authentication level corresponding to the context information in the authentication information storage unit 151 as an example of authentication information.

  For example, the context indicated by the context ID “CT01” is context information having a plurality of conditions as described above, and the authentication level is set to “3”. Specifically, the context indicated by the context ID “CT01” is identification information in which the location information of the user U01 (user terminal 10) is home and the identification information of the access point to be connected is routinely observed. There is a context specified by context information indicating that other devices that are in close proximity with the user terminal 10 on a daily basis are in the vicinity. The fact that the authentication level of the context indicated by the context ID “CT01” is set to “3” means that when the user terminal 10 tries to perform the authentication process, the user terminal 10 uses the context information. This means that authentication corresponding to the authentication level “3” can be performed. Although details will be described later, it is assumed that the user terminal 10 holds authentication information other than the context information in the authentication information storage unit 151. Hereinafter, an example of the estimation process performed by the user terminal 10 will be described with reference to FIG.

  First, the user terminal 10 accesses the service server 100 to use predetermined service content (step S01). For example, when the service server 100 is a web server, the user terminal 10 accesses the service server 100 using browser software or the like. Then, the user terminal 10 acquires a web page as service content.

  The service server 100 distributes service content that the user terminal 10 intends to use and has predetermined access restrictions to the user terminal 10 (step S02). In this case, in order to use the restricted service, the user terminal 10 is required to perform an authentication process for confirming that the user who intends to use the service is truly the user U01.

  When authentication is requested, the user terminal 10 analyzes the service content acquired from the service server 100 (step S03). Specifically, the user terminal 10 acquires information related to service content (hereinafter referred to as “service related information”). The service related information includes a file constituting the service content and a data group constituting the service content. Then, the user terminal 10 analyzes the acquired service-related information, and metadata (tag information) which is data indicating the domain corresponding to the service content, the type of business or service related to the service content, and the service content itself To get.

  For example, the user terminal 10 specifies the type of service such as whether the acquired service content relates to a financial institution service or a shopping site based on the service content domain. In this case, the user terminal 10 may hold a database in which the domain and the service type are associated with each other in advance, and appropriately acquire information on the correspondence between the domain and the service type from an external device. May be.

  Further, the user terminal 10 may analyze metadata provided to the service content. Here, the metadata is information used as tag information for service content search or the like, and indicates information set in a service content header or the like by a service content manager. For example, the metadata includes an outline or description of the service content, a word that briefly indicates the content of the service included in the service content, a tag used as a search index for the service content, and the like.

  Further, the user terminal 10 may analyze text data constituting the service content as metadata. That is, the user terminal 10 analyzes the specified text data into words (for example, morphological analysis), and specifies the content that the service content intends to provide to the user, thereby estimating the service content included in the service content. For example, if the user terminal 10 includes text such as “billing” or “transfer” as a result of analyzing text data constituting the service content, the service content is a service page for charging or transferring. presume. Note that, when analyzing the text data of the service content, the user terminal 10 may perform semantic analysis of the text data using predetermined dictionary data or the like. In this case, as a result of analyzing the text data constituting the service content, the user terminal 10 includes a word having the same meaning as “billing” or “transfer”, or the result of analyzing the text data. If a meaning equivalent to “billing”, “transfer”, or the like is extracted based on this, the service content may be estimated to be a service page for charging or transfer.

  Then, the user terminal 10 estimates the authentication level related to the service content based on the analyzed information (step S04). Specifically, the user terminal 10 collates information obtained by analyzing the service content with definition information stored in the estimated information storage unit 155 in advance. The definition information is, for example, information in which an appropriate authentication level is defined for a service type related to service content.

  For example, as a result of analyzing the service content, the user terminal 10 estimates that the service content to be used by the user terminal 10 is a page related to “bank”. In this case, the user terminal 10 refers to the estimated information storage unit 155 and estimates that the required authentication level is “4” for the page whose service type is “bank”. Alternatively, it is assumed that the user terminal 10 estimates that the service content to be used by the user terminal 10 is a page related to “shopping site” as a result of analyzing the service content. In this case, the user terminal 10 refers to the estimated information storage unit 155 and estimates that the required authentication level is “3” for the page whose service type is “shopping site”.

  Alternatively, it is assumed that the user terminal 10 estimates that the service content to be used by the user terminal 10 is a page related to the “portal site”. In this case, the user terminal 10 refers to the estimated information storage unit 155 and estimates that the required authentication level is “1” for the page whose service type is “portal site”. This difference in authentication level is a service that may operate personal assets for banks and shopping sites, whereas the use of portal sites (for example, login as a registered user) This is because there is a relatively low possibility of operating.

  Subsequently, the user terminal 10 responds to the service server 100 with information that matches the estimated authentication level (step S05). As described above, it is assumed that the user terminal 10 has authentication information in the authentication information storage unit 151 and sets an authentication level for each of the authentication information.

  For example, it is assumed that the user terminal 10 estimates the authentication level in the service content as “3” in the estimation process in step S04. Further, the user terminal 10 has contexts at the time when the estimation process is performed, that is, “the state where the user U01 is at home”, “access from a daily access point”, and “a device other than the user terminal 10 is It is determined that the contexts indicated by the context ID “CT01” such as “at a short distance” are prepared.

  That is, the user terminal 10 determines that the current context information matches the authentication level estimated for the service content. In this case, the user terminal 10 transmits the context information as authentication information to the service server 100.

  In addition, when the authentication level estimated by the user terminal 10 is “4” and the context information held by the user terminal 10 does not conform to the authentication level, the user terminal 10 further selects different authentication information. Or may be generated. For example, the user terminal 10 may request the user U01 to perform authentication using biometric information. As an example, the user terminal 10 requests the user U01 for fingerprint authentication. In this case, the user terminal 10 may generate fingerprint data input from the user U01 as authentication information and transmit it to the service server 100. As described above, the user terminal 10 performs a process of selecting or generating authentication information corresponding to the estimated authentication level.

  The service server 100 authenticates the user U01 based on the authentication information transmitted from the user terminal 10 (step S06). Then, the service server 100 transmits to the user terminal 10 that the authentication related to the user U01 has been performed (step S07). As a result, the user terminal 10 can use the acquired service content.

  As described above, the user terminal 10 according to the embodiment acquires service-related information that is information related to predetermined service content. And the user terminal 10 estimates the authentication level of the authentication regarding service content based on the acquired service relevant information. Further, the user terminal 10 responds to the authentication related to the service content based on the estimated authentication level.

  That is, the user terminal 10 obtains service-related information in the authentication process requested by the service content, and estimates the authentication level in the service by analyzing the obtained information. In other words, the user terminal 10 can dynamically set an appropriate authentication level for the service type on the client side and perform authentication at the set level. For this reason, according to the user terminal 10, the user does not need to perform authentication stronger than necessary or authentication with weak strength for the type of service. As a result, the user terminal 10 can perform authentication using an appropriate authentication strength according to the service.

  For example, according to the user terminal 10, for simple service, authentication such as login is immediately performed using context information acquired as a matter of course for a user who uses the user terminal 10 on a daily basis. It can be performed. On the other hand, the user terminal 10 can restrict the user from using the service easily by setting a strict authentication level on the client side in a service that moves assets such as billing and transfer. Thus, the user terminal 10 can improve user usability in authentication by performing authentication using an appropriate authentication strength according to the service.

[2. Configuration of estimation processing system)
Next, the configuration of the estimation processing system 1 including the user terminal 10 according to the embodiment will be described using FIG. FIG. 2 is a diagram illustrating a configuration example of the estimation processing system 1 according to the embodiment. As illustrated in FIG. 2, the estimation processing system 1 according to the embodiment includes a user terminal 10, a device used by the user, and a service server 100. As shown in FIG. 2, devices used by the user include a clock-type terminal 20 and a glasses-type terminal 30. These various devices are communicably connected via a network N by wire or wireless.

  The user terminal 10 is an information processing terminal such as a desktop PC (Personal Computer), a notebook PC, a tablet terminal, a mobile phone including a smartphone, or a PDA (Personal Digital Assistant). Further, the user terminal 10 may be a wearable device which is an eyeglass-type or clock-type information processing terminal. Furthermore, the user terminal 10 may include various smart devices having an information processing function. Further, for example, the user terminal 10 may include a smart home appliance such as a TV (television), a refrigerator, and a vacuum cleaner, a smart vehicle such as an automobile, a drone, and a home robot. Good.

  In addition to the user terminal 10, the device used by the user is a generic name of devices (devices) used by the user. For example, devices used by the user are various smart devices having an information processing function, similar to the user terminal 10 described above. In the embodiment, the device used by the user is, for example, the clock-type terminal 20 or the glasses-type terminal 30. These devices are used to represent the context of the user terminal 10, for example.

  The service server 100 is a server device that provides various web pages when accessed from the user terminal 10. The service server 100 is, for example, various web pages related to news sites, weather forecast sites, financial institution sites, shopping sites, finance (stock price) sites, route search sites, map providing sites, travel sites, restaurant introduction sites, web logs, etc. And provide content displayed in the app.

  In providing a service, the service server 100 may request user authentication. For example, when the service server 100 provides a payment service, if the user using the user terminal 10 cannot be authenticated as the user U01 himself without fail, the service server 100 executes the payment service by the user terminal 10. Restrict. The service server 100 determines whether to allow access from the user terminal 10 according to the result of the authentication process by the user terminal 10.

[3. Configuration of user terminal]
Next, the configuration of the user terminal 10 according to the embodiment will be described with reference to FIG. FIG. 3 is a diagram illustrating a configuration example of the user terminal 10 according to the embodiment. As illustrated in FIG. 3, the user terminal 10 includes a communication unit 11, an input unit 12, a display unit 13, a detection unit 14, a storage unit 15, and a control unit 16.

(About the communication unit 11)
The communication unit 11 is realized by, for example, a NIC (Network Interface Card). The communication unit 11 is connected to the network N in a wired or wireless manner, and transmits / receives information to / from the service server 100, the clock-type terminal 20, and the like via the network N.

(About the input unit 12 and the display unit 13)
The input unit 12 is an input device that receives various operations from the user. For example, the input unit 12 is realized by an operation key or the like provided in the user terminal 10. The display unit 13 is a display device for displaying various information. For example, the display unit 13 is realized by a liquid crystal display or the like. In addition, when a touch panel is employ | adopted for the user terminal 10, a part of input part 12 and the display part 13 are integrated.

(About the detector 14)
The detection unit 14 detects various information related to the user terminal 10. Specifically, the detection unit 14 determines the operation of the user U01 with respect to the user terminal 10, the location information of the user terminal 10, the information related to the device connected to the user terminal 10, the environment in the user terminal 10, and the like. Detect.

  For example, the detection unit 14 detects an operation of the user U01 based on information input to the input unit 12. In other words, the detection unit 14 detects that there has been an input of an operation for touching the screen to the input unit 12, an input of audio, or the like. Moreover, the detection part 14 may detect that the predetermined application was started by the user U01. When such an application is an application that operates the imaging device in the user terminal 10, the detection unit 14 detects that the imaging function is used by the user U01. Further, the detection unit 14 may detect an operation in which the user terminal 10 itself is moved based on data detected by an acceleration sensor, a gyro sensor, or the like provided in the user terminal 10.

  Further, the detection unit 14 detects the current position of the user terminal 10. Specifically, the detection unit 14 receives radio waves transmitted from a GPS (Global Positioning System) satellite, and obtains position information (for example, latitude and longitude) indicating the current position of the user terminal 10 based on the received radio waves. get.

  Moreover, the detection part 14 may acquire position information with various methods. For example, when the user terminal 10 has a function equivalent to that of a contactless IC card used at a station ticket gate or a store (or the user terminal 10 has a function of reading a history of the contactless IC card) ), The used position is recorded together with the information on the settlement of the boarding fee at the station by the user terminal 10. The detection unit 14 detects such information and acquires it as position information. Moreover, the detection part 14 may detect the positional information acquirable from an access point, when the user terminal 10 communicates with a specific access point. The position information may be acquired by an optical sensor, an infrared sensor, a magnetic sensor, or the like included in the user terminal 10.

  The detection unit 14 detects an external device connected to the user terminal 10. For example, the detection unit 14 detects the external device based on exchange of communication packets with the external device. Then, the detection unit 14 recognizes the detected external device as a terminal connected to the user terminal 10. The detection unit 14 may detect the type of connection with the external device. For example, the detection unit 14 detects whether it is connected to an external device by wire or wireless communication. Moreover, the detection part 14 may detect the communication system etc. which are used by radio | wireless communication. The detection unit 14 may detect the external device based on information acquired by a radio wave sensor that detects a radio wave emitted by the external device, an electromagnetic wave sensor that detects an electromagnetic wave, or the like. An example of the external device is a smart device used by the user U01 who uses the user terminal 10, for example, the watch-type terminal 20 or the glasses-type terminal 30.

  In addition, the detection unit 14 detects an environment in the user terminal 10. The detection unit 14 uses various sensors and functions provided in the user terminal 10 to detect information about the environment. For example, the detection unit 14 is a microphone that collects sound around the user terminal 10, an illuminance sensor that detects illuminance around the user terminal 10, and an acceleration sensor that detects physical movement of the user terminal 10 (or A gyro sensor), a humidity sensor that detects the humidity around the user terminal 10, a geomagnetic sensor that detects a magnetic field at the location of the user terminal 10, and the like. And the detection part 14 detects various information using various sensors. For example, the detection unit 14 detects the noise level around the user terminal 10 and whether the surroundings of the user terminal 10 have illuminance suitable for imaging the iris of the user U01. Further, the detection unit 14 may detect surrounding environment information based on a photograph or video taken by the camera.

  The user terminal 10 acquires context information indicating the context of the user terminal 10 based on the information detected by the detection unit 14. As described above, the user terminal 10 has various sensors such as position, acceleration, temperature, gravity, rotation (angular velocity), illuminance, geomagnetism, pressure, proximity, humidity, and rotation vector by various built-in sensors (detection unit 14). Is obtained as context information. In addition, the user terminal 10 may acquire context information such as a connection status with various apparatuses using a built-in communication function.

(About the storage unit 15)
The storage unit 15 stores various information. The storage unit 15 is realized by a semiconductor memory device such as a RAM or a flash memory, or a storage device such as a hard disk or an optical disk, for example. The storage unit 15 includes an authentication information storage unit 151 and an estimated information storage unit 155.

(About the authentication information storage unit 151)
The authentication information storage unit 151 stores information related to authentication processing performed by the user terminal 10. The authentication information storage unit 151 includes an authentication unit table 152 and a context table 153 as data tables.

(Regarding the authentication means table 152)
The authentication means table 152 stores authentication means related to authentication processing, authentication levels set for each authentication means, and the like. Here, FIG. 4 shows an example of the authentication means table 152 according to the embodiment. FIG. 4 is a diagram illustrating an example of the authentication unit table 152 according to the embodiment. In the example illustrated in FIG. 4, the authentication unit table 152 includes items such as “user ID”, “authentication information ID”, “authentication unit”, and “authentication level”.

  “User ID” is identification information for identifying a user involved in the authentication process. Note that the user ID matches the reference code of the user who operates the user terminal 10. For example, the user identified by the user ID “U01” indicates the user U01. The user ID may be treated as information for identifying a terminal device used by the user identified by the user ID.

  “Authentication information ID” indicates identification information for identifying authentication information. “Authentication means” indicates an authentication means used for authentication processing. As shown in FIG. 4, as the authentication means, there may be means such as “biometric authentication” or “service user ID + hardware token”. In addition to the example shown in FIG. 4, the authentication means table 152 may store authentication means such as a one-time password. Further, the authentication unit may combine various authentication units. Such a combination of authentication means is so-called multi-factor authentication, and can improve the authentication level. The “authentication level” indicates the degree of reliability in the authentication process.

  That is, in FIG. 4, the user U01 identified by the user ID “U01” is a user whose identity is authenticated by the authentication information identified by the authentication information IDs “A01” to “A05”. It shows that there is. For example, the authentication information identified by the authentication information ID “A01” employs “biometric authentication” as an authentication means, and indicates that the authentication level is “4”.

(About the context table 153)
The context table 153 stores information used for authentication processing using context information. Here, FIG. 5 shows an example of the context table 153 according to the embodiment. FIG. 5 is a diagram illustrating an example of the context table 153 according to the embodiment. In the example illustrated in FIG. 5, the context table 153 includes items such as “user ID”, “context ID”, “context”, and “authentication level”.

  “User ID” corresponds to the same item shown in FIG. “Context ID” is identification information for identifying a context used in the authentication process. “Context” is the content of the context that constitutes the context information, in other words, indicates the situation in the user terminal 10 or the user U01. The “authentication level” indicates an authentication level associated with each context. When context information is used as the authentication information, the user terminal 10 performs authentication using the authentication level stored in the context table 153.

  In other words, in the example of FIG. 5, the user U01 registers the context information identified by the context IDs “CT01” to “CT03” in the context table 153. For example, the context information identified by the context ID “CT01” is that the context is “location information is G01”, “short-range communication with two or more own devices” is performed, and “access point is The condition of “home” is met. Further, when authentication is performed in such a situation, the user terminal 10 indicates that authentication at the authentication level “3” can be performed.

(About the estimated information storage unit 155)
The estimation information storage unit 155 stores information related to estimation processing performed by the user terminal 10. The estimated information storage unit 155 includes a definition table 156, a domain table 157, a metadata table 158, and a history table 159 as data tables.

(About the definition table 156)
The definition table 156 stores definitions relating to estimation processing. Here, FIG. 6 shows an example of the definition table 156 according to the embodiment. FIG. 6 is a diagram illustrating an example of the definition table 156 according to the embodiment. In the example illustrated in FIG. 6, the definition table 156 includes items such as “service type” and “request authentication level”.

  “Service type” indicates the type of service to be provided by the service content. The “request authentication level” indicates an authentication level defined as appropriate in the service content.

  That is, the example in FIG. 6 indicates that it is defined that it is appropriate to require “4” as the authentication level in the authentication processing for service content whose service type is “bank”. .

  The service type may be not only a type indicating the content of the service but also information indicating a business type related to the service content.

(Regarding the domain table 157)
The domain table 157 stores information related to service content domains. Here, FIG. 7 shows an example of the domain table 157 according to the embodiment. FIG. 7 is a diagram illustrating an example of the domain table 157 according to the embodiment. In the example illustrated in FIG. 7, the domain table 157 includes items such as “domain” and “service type”.

  “Domain” indicates a domain of service content. “Service type” indicates the type of service associated with the domain. Note that the information on the association between the domain and the service may be stored in advance by the user terminal 10 as a database, or may be acquired by referring to a predetermined external device every time the estimation process is performed. Good.

  That is, in the example of FIG. 7, the service content whose domain is “aaa.co.jp” is associated with the service type “bank”.

(About metadata table 158)
The metadata table 158 stores information regarding service content metadata. Here, FIG. 8 shows an example of the metadata table 158 according to the embodiment. FIG. 8 is a diagram illustrating an example of the metadata table 158 according to the embodiment. In the example illustrated in FIG. 8, the metadata table 158 includes items such as “metadata” and “request authentication level”.

  “Metadata” indicates tag information given to the service content, explanatory text written in the header of the service content, and the like. The example of FIG. 8 shows an example in which the metadata is tag information such as “transfer” or “securities transaction”, but the format of the metadata is not limited to this, and any information can be used as long as it is embedded in the service content. It may be the information.

  The “request authentication level” is an authentication level associated with metadata. For example, service content with “transfer” or “securities transactions” as metadata is likely to be a service related to transfers or securities transactions, or a service related to financial institutions. Is set.

  That is, the example in FIG. 8 indicates that “3” is set as the required authentication level for service content whose metadata is “billing”, “purchase”, or “auction bidding”.

(About the history table 159)
The history table 159 stores a history in which the user terminal 10 has estimated the authentication level in the past. Here, FIG. 9 shows an example of the history table 159 according to the embodiment. FIG. 9 is a diagram illustrating an example of the history table 159 according to the embodiment. In the example illustrated in FIG. 9, the history table 159 includes items such as “target ID”, “target”, and “request authentication level”.

  “Target ID” indicates identification information for identifying a target (target) of estimation processing. “Target” is service content subjected to estimation processing, and is represented by, for example, a domain name, a URL (Uniform Resource Locator), or the like. The “authentication level” indicates an authentication level that has been estimated for the target or that has been confirmed as a result of authentication.

  That is, in the example of FIG. 9, in the estimation process for the target “eee.co.jp/bid” identified by the target ID “T01”, a history in which the authentication level is estimated to be “3” is shown.

  Although not shown in FIG. 9, the history table 159 may store service-related information such as the target service type and metadata. For example, the user terminal 10 may update the setting of the estimated authentication level by referring to the history table 159 in a learning process to be described later.

(About the control unit 16)
The control unit 16 is a controller, for example, various programs (for example, in the embodiment) stored in a storage device inside the user terminal 10 by a CPU (Central Processing Unit), an MPU (Micro Processing Unit), or the like. This estimation program) is implemented by executing a RAM (Random Access Memory) as a work area. The control unit 16 is a controller, and is realized by an integrated circuit such as an application specific integrated circuit (ASIC) or a field programmable gate array (FPGA).

  As illustrated in FIG. 3, the control unit 16 includes a reception unit 161, an acquisition unit 162, an estimation unit 163, a response unit 166, and a transmission unit 169, and functions and functions of information processing described below. Realize or execute. Note that the internal configuration of the control unit 16 is not limited to the configuration illustrated in FIG. 3, and may be another configuration as long as the information processing described below is performed.

  In addition, the process which the control part 16 performs is performed by being controlled by the estimation program which concerns on embodiment. For example, the process executed by the acquisition unit 162 is realized by an acquisition procedure executed by the estimation program.

(Receiving unit 161)
The receiving unit 161 receives various information. For example, the receiving unit 161 receives service content distributed from the service server 100. The receiving unit 161 sends the received information to each processing unit of the control unit 16.

(About the acquisition unit 162)
The acquisition unit 162 acquires various types of information. For example, the acquisition unit 162 acquires service related information that is information related to predetermined service content. Specifically, the acquisition unit 162 acquires at least one of the business type related to the service content, the type of service provided by the service content, and the text data included in the service content as the service related information. Note that the acquisition unit 162 may acquire the service-related information as a result of analysis of service content by the estimation unit 163 described later.

(About the estimation unit 163)
Based on the service-related information acquired by the acquisition unit 162, the estimation unit 163 estimates the authentication level for authentication related to service content.

  For example, the estimation unit 163 estimates an authentication level for authentication using context information of a user who uses the user terminal 10 as authentication related to service content. Accordingly, the estimation unit 163 estimates an appropriate authentication level for service content that does not require specific authentication information (such as a password) and that performs authentication processing based on context information. be able to.

  As illustrated in FIG. 3, the estimation unit 163 includes an analysis unit 164 and a learning unit 165, and executes an estimation process described below. That is, the process executed by the analysis unit 164 or the learning unit 165 described below may be read as the process executed by the estimation unit 163.

  The analysis unit 164 analyzes the service content acquired by the acquisition unit 162. For example, the analysis unit 164 analyzes the service related information acquired by the acquisition unit 162. As a result, the analysis unit 164 can estimate the authentication level of the service content based on the business type related to the service content, the type of service provided by the service content, and the text data included in the service content. it can.

  For example, the analysis unit 164 identifies the type of service provided by the service content based on the analyzed information. In addition, the analysis unit 164 refers to the estimated information storage unit 155 and acquires the relationship between the predefined service type and the authentication level. And the analysis part 164 estimates the authentication level of the authentication regarding the said service content according to a definition.

  The learning unit 165 performs learning related to the estimation process. For example, the learning unit 165 acquires a history of performing authentication level estimation for predetermined service content. In addition, the learning unit 165 acquires a history in which a terminal device other than the user terminal 10 (for example, a terminal device used by another user who uses service content) estimates the authentication level for the service content. .

  Then, the learning unit 165 updates definition information assumed to be appropriate for the service content and information used for estimating the authentication level of the service content based on, for example, a known learning method or statistical method. . For example, the learning unit 165 defines a low authentication level of the service content by learning the service content that does not require a high authentication level even for service content including text data such as billing and transfer. be able to. In this case, for example, the learning unit 165 updates information related to the service content by specifying a domain of the service content.

  Further, the learning unit 165 increases the authentication level of the service content by learning the service content that should actually require a high authentication level, even for service content that does not include text data such as billing and transfer. Can be defined. In this case, the learning unit 165 may perform learning such as estimating the authentication level high in the subsequent estimation process for the service content in which the word appears for the word included in the service content. The estimation unit 163 performs authentication level estimation processing based on the learning result of the learning unit 165. Thereby, the estimation part 163 can improve the precision of estimation of an authentication level more.

(About the response unit 166)
The response unit 166 responds to authentication related to service content based on the authentication level estimated by the estimation unit 163. Specifically, the response unit 166 selects or generates authentication information for handling authentication related to service content based on the estimated authentication level, and selects the authentication information selected or generated for authentication related to service content. respond.

  As shown in FIG. 3, the response unit 166 includes a selection unit 167 and a generation unit 168, and executes estimation processing described below. That is, the process executed by the selection unit 167 or the generation unit 168 described below may be read as the process executed by the response unit 166.

  The selection unit 167 selects authentication information required from the server side and authentication information corresponding to the estimated authentication level for authentication related to service content. For example, when the authentication level for authentication using the context information of the user who uses the user terminal 10 is estimated, the selection unit 167 selects the user context information corresponding to the authentication level, and selects the selected context information. Respond to authentication for service content.

  Note that the service server 100 may not be able to handle authentication information transmitted from the user terminal 10. For example, even if the service server 100 can process fingerprint data transmitted from the user terminal 10 as authentication information, the service server 100 may not be able to process context information as authentication information. In such a case, the selection unit 167 selects the authentication information to be responded so as to be adapted to the processing on the server side.

  For example, if the service server 100 side that provides the service content cannot perform authentication using the context information of the user who uses the user terminal 10, the selection unit 167 satisfies the authentication level equivalent to the context information. Authentication information is selected, and the selected authentication information is replaced with the context information and responded. For example, when responding context information corresponding to the authentication level “3”, the selection unit 167 selects other authentication information corresponding to the authentication level “3” when the server side cannot process the context information. . For example, the selection unit 167 responds to the service server 100 with a password or the like held on the user terminal 10 side instead of the context information.

  In addition, when appropriate authentication information as information to be selected by the selection unit 167 is not held in the user terminal 10, the generation unit 168 generates appropriate authentication information for responding to authentication.

  For example, when the authentication information corresponding to the authentication level “4” is not held in the user terminal 10 for the authentication whose authentication level is estimated to be “4”, or when the authentication is performed, the authentication is performed. When it is required to generate information, the generation unit 168 generates authentication information. In this case, the generation unit 168 may notify the user through the display unit 13 that the authentication information is generated.

  For example, when the user's biometric information is required for authentication, the generation unit 168 notifies the user of a request for biometric information input. The user inputs biometric information to the user terminal 10 by the notification. As an example, the user inputs his / her fingerprint data into the user terminal 10. Then, the generation unit 168 checks the identity of the user who uses the user terminal 10 by comparing the input fingerprint data with the fingerprint data held in advance. And the production | generation part 168 newly produces | generates the information which shows having authenticated the user using the biometric information by the user terminal 10 side as authentication information. Then, the generation unit 168 responds to the authentication regarding the service content using the generated authentication information.

  Note that the selection unit 167 or the generation unit 168 may transmit the selected or generated authentication information in addition to the authentication information held in advance. For example, when the context information of the user who uses the user terminal 10 does not satisfy the authentication level as the authentication information with respect to the estimated authentication level, the selection unit 167 or the generation unit 168 performs other authentication that satisfies the authentication level. Information may be added to the context information to respond.

  As described above, in authentication, the authentication information obtained by a plurality of authentication means (multi-factor authentication) is more reliable than the authentication information obtained by a single authentication means. For this reason, the selection unit 167 or the generation unit 168 may present authentication information that satisfies the estimated authentication level to the service server 100 by responding to the selected or generated authentication information, for example, by adding to the context information. it can.

(About the transmitter 169)
The transmission unit 169 transmits various information. For example, the transmission unit 169 transmits a service content acquisition request to the service server 100. In addition, the transmission unit 169 transmits the authentication information selected or generated by the response unit 166 to the service server 100.

[4. Processing procedure)
Next, a processing procedure performed by the user terminal 10 according to the embodiment will be described with reference to FIG. FIG. 10 is a flowchart illustrating an estimation processing procedure according to the embodiment.

  As illustrated in FIG. 10, the receiving unit 161 according to the user terminal 10 receives service content distributed from the service server 100 (step S101). And the acquisition part 162 acquires service relevant information as information regarding a service content (step S102).

  The estimation unit 163 estimates an authentication level of authentication related to service content based on the service related information (step S103). Subsequently, the response unit 166 determines whether or not authentication information corresponding to the estimated authentication level is held in the user terminal 10 (step S104).

  When the authentication information is held (step S104; Yes), the response unit 166 selects the held authentication information (step S105). On the other hand, when the authentication information corresponding to the authentication level is not held (step S104; No), the response unit 166 generates authentication information corresponding to the authentication level (step S106).

  Then, the response unit 166 responds to the service server 100 with the selected or generated authentication information (step S107). Thereby, the estimation process regarding authentication by the user terminal 10 is completed.

[5. (Modification)
The user terminal 10 described above may be implemented in various different forms other than the above embodiment. Therefore, in the following, another embodiment of the user terminal 10 will be described.

[5-1. (Process by page)
In the said embodiment, the user terminal 10 showed the example which estimates the authentication level regarding the authentication regarding a service content based on service relevant information, such as a domain. Here, even if the service content belongs to the same domain, the user terminal 10 may estimate a different authentication level for each service content.

  For example, the user terminal 10 may estimate different authentication levels for each page in a website having a predetermined bank domain. Specifically, the user terminal 10 may estimate the authentication level on the page for performing the balance inquiry and the authentication level on the page for performing the transfer as different levels.

  For example, it is assumed that a user using the user terminal 10 accesses a bank site and requests a balance inquiry of his / her account. In this case, the user terminal 10 determines that the balance inquiry page is a page in which an operation such as moving assets is not performed, and the authentication level is “2” even in the authentication on the page included in the bank site. ", Etc. In this case, the user can skip troublesome authentication processing by using the context information that is held in the user terminal 10 and that satisfies the authentication level “2” as the authentication information.

  On the other hand, it is assumed that the user accesses the bank site and requests to transfer money from his / her own account. In this case, the user terminal 10 determines that the page instructing the transfer is a page on which an operation for moving the asset is performed, and estimates the authentication level as a high numerical value such as “4”. In this case, the user is required to perform an authentication process such as inputting biometric information to the user terminal 10.

  As described above, the user terminal 10 can estimate different authentication levels for each service content by analyzing the contents of the service content even in the same domain or the same service industry. That is, the user terminal 10 estimates the authentication level suitable for each service content in detail and performs the authentication process. For this reason, since the user terminal 10 does not require the user to perform complicated authentication processing for all service contents, the user terminal 10 can perform processing with excellent usability.

[5-2. (Estimation of authentication information)
In the above embodiment, the user terminal 10 estimates the authentication level of the authentication related to the service content and responds to the service server 100 using the authentication information that matches the estimated authentication level. Here, if the user terminal 10 has acquired service content in which the authentication level requested by the service server 100 is specified, the user terminal 10 may perform a process of estimating authentication information suitable for the requested authentication level. Good.

  That is, the user terminal 10 acquires an authentication level set in advance on the service content side for authentication related to service content as service related information that is information related to predetermined service content. Then, based on the acquired authentication level, the user terminal 10 estimates information that satisfies the authentication level and can be used for authentication related to service content. Further, based on the estimated information, the user terminal 10 selects or generates authentication information that responds to the authentication regarding the service content, and responds with the authentication information selected or generated for the authentication regarding the service content.

  In this case, when the authentication level specified from the service server 100 is “3”, the user terminal 10 is information corresponding to the authentication level “3” and can be used for authentication (that is, Information that can be processed by the service server 100 side). For example, if there is authentication information that responded to the service server 100 in the past, the user terminal 10 is authentication information obtained by the same authentication means as the authentication information, and the authentication information corresponding to the authentication level “3” is Estimated as information that can be used for authentication. Then, the user terminal 10 responds with the estimated information as authentication information used for the current authentication.

  As described above, the user terminal 10 performs a process of estimating authentication information that can be used in the authentication with respect to the authentication whose authentication level is set in advance. Thereby, since the user terminal 10 can respond to the server side with appropriate authentication information, it can suppress requesting the user for an excessively complicated authentication process.

[5-3. (Setting the authentication level from the user side)
When the user terminal 10 determines that the authentication level requested by the service server 100 is inconsistent between the service content related to the authentication and the authentication level, the authentication process using the authentication level estimated on the user side May be performed.

  A specific example will be described. For example, it is assumed that the user terminal 10 has received an authentication request that requires only a several-digit password input on a bank transfer page. In this case, the user terminal 10 estimates “1” as the authentication level requested for authentication related to the service content. However, the user terminal 10 estimates that the appropriate authentication level is “4” based on the service content (transfer at the bank site) in the service content.

  In such a case, the user terminal 10 determines that the authentication level required by the server side is a level vulnerable to the content of the service. And the user terminal 10 requests | requires the authentication process by the authentication level estimated to be suitable for a service content with respect to a user. For example, the user terminal 10 requests the user to input biometric information. Then, the user terminal 10 may perform a process of permitting the use of the service when biometric information is collated on the user terminal 10 side and the identity of the user is authenticated.

  That is, even if the server side permits authentication by a weak authentication means, the user terminal 10 may restrict the use of the service by estimating the authentication level according to the content of the service content. . For this reason, for example, even when the user terminal 10 is lost or stolen, a situation in which the service is used without permission from a third party via the user terminal 10 is prevented. Can do. Further, for example, even if the user erroneously selects an area for charging in the service page (for example, a button clicked when charging is permitted in the web page), the user is permitted to perform the operation. Since the user terminal 10 requests the authentication process, it is possible to prevent the billing process from being performed erroneously. Thus, the user terminal 10 can improve the safety of the user who uses the service by performing the process of estimating the authentication level on the client side.

[5-4. (Authentication level)
In the above embodiment, the authentication level is indicated by a numerical value from “1” to “4”. However, the authentication level may not be indicated by such a specific numerical value.

[5-5. Configuration of user terminal]
In the above embodiment, the configuration example of the user terminal 10 has been described with reference to FIG. However, the user terminal 10 does not necessarily include all the processing units illustrated in FIG. For example, the user terminal 10 does not necessarily include the display unit 13 and the detection unit 14. Further, the user terminal 10 may be separated into two or more devices to realize the configuration illustrated in FIG. For example, the user terminal 10 may be realized by two or more devices having a configuration in which a detection device having at least the detection unit 14 and a communication device having at least the communication unit 11 are separated.

[5-6. (Service providing equipment)
In the above embodiment, the service server 100 has been described as an example of an apparatus that provides an authentication-restricted site accessed by the user terminal 10. However, an apparatus that provides such a service is not limited to the service server 100. For example, a device that provides a service is not limited to a web service, but is a device that provides a network service that handles a protocol other than HTTP (Hypertext Transfer Protocol), and a communication or application that handles IoT (Internet of Things). Also good. That is, the apparatus that provides the service is not limited to the service server 100 as long as it can communicate with the user terminal 10 and the like and has a function of distributing service content, and may be realized by any apparatus.

[5-7. Service content)
In the above embodiment, the website has been described as an example of the service content. However, service content is not limited to this example. For example, the service content may be content provided via a smartphone application.

[5-8. (Type of user terminal)
The user terminal 10 may determine the type of the terminal device and use it for estimation processing and response processing. For example, when the user terminal 10 is a desktop PC, it is assumed that there is less risk of being taken out by a third party or stolen than a device such as a smartphone. In this case, the user terminal 10 may perform processing such as estimating the authentication level to be estimated slightly lower than when the user terminal 10 is a smartphone. Further, when the user terminal 10 has the setting information set as the shared personal computer, the user terminal 10 estimates the authentication level to be estimated slightly higher than the device set for personal use, You may make it ensure safety.

[5-9. (Estimation of certification level)
In the said embodiment, the user terminal 10 showed the example which uses the industry type and classification of a service, and text data among service related information in estimation of an authentication level. Among these, for service content that satisfies a plurality of conditions, the user terminal 10 has the highest level among the authentication levels held in the domain table 157, the metadata table 158, and the history table 159, for example. The authentication level may be flexibly estimated, for example, by adopting or by adopting an average level.

[6. Hardware configuration)
The estimation apparatus according to the embodiment described above is realized by a computer 1000 having a configuration as shown in FIG. 11, for example. FIG. 11 is a hardware configuration diagram illustrating an example of a computer 1000 that realizes the function of the estimation device. The computer 1000 includes a CPU 1100, RAM 1200, ROM 1300, HDD 1400, communication interface (I / F) 1500, input / output interface (I / F) 1600, and media interface (I / F) 1700.

  The CPU 1100 operates based on a program stored in the ROM 1300 or the HDD 1400 and controls each unit. The ROM 1300 stores a boot program executed by the CPU 1100 when the computer 1000 is started up, a program depending on the hardware of the computer 1000, and the like.

  The HDD 1400 stores a program executed by the CPU 1100, data used by the program, and the like. The communication interface 1500 receives data from other devices via the communication network 500 (corresponding to the network N shown in FIG. 2) and sends the data to the CPU 1100, and the data generated by the CPU 1100 is transferred to other devices via the communication network 500. Send to device.

  The CPU 1100 controls an output device such as a display and a printer and an input device such as a keyboard and a mouse via the input / output interface 1600. The CPU 1100 acquires data from the input device via the input / output interface 1600. Further, the CPU 1100 outputs the data generated via the input / output interface 1600 to the output device.

  The media interface 1700 reads a program (for example, an estimation program) or data stored in the recording medium 1800 and provides it to the CPU 1100 via the RAM 1200. The CPU 1100 loads such a program from the recording medium 1800 onto the RAM 1200 via the media interface 1700, and executes the loaded program. The recording medium 1800 is, for example, an optical recording medium such as a DVD (Digital Versatile Disc) or PD (Phase change rewritable disk), a magneto-optical recording medium such as an MO (Magneto-Optical disk), a tape medium, a magnetic recording medium, or a semiconductor memory. Etc.

  For example, when the computer 1000 functions as the user terminal 10 according to the embodiment, the CPU 1100 of the computer 1000 implements the function of the control unit 16 by executing a program loaded on the RAM 1200. The HDD 1400 stores data in the storage unit 15. The CPU 1100 of the computer 1000 reads these programs from the recording medium 1800 and executes them, but as another example, these programs may be acquired from other devices via the communication network 500.

[7. Others]
In addition, among the processes described in the above embodiment, all or part of the processes described as being automatically performed can be performed manually, or the processes described as being performed manually can be performed. All or a part can be automatically performed by a known method. In addition, the processing procedures, specific names, and information including various data and parameters shown in the document and drawings can be arbitrarily changed unless otherwise specified. For example, the various types of information illustrated in each drawing is not limited to the illustrated information.

  Further, each component of each illustrated apparatus is functionally conceptual, and does not necessarily need to be physically configured as illustrated. In other words, the specific form of distribution / integration of each device is not limited to that shown in the figure, and all or a part thereof may be functionally or physically distributed or arbitrarily distributed in arbitrary units according to various loads or usage conditions. Can be integrated and configured. For example, the analysis unit 164 and the learning unit 165 illustrated in FIG. 3 may be integrated. Further, for example, information stored in the storage unit 15 may be stored in a storage device provided outside via the network N.

  Further, for example, in the above-described embodiment, an example has been described in which the user terminal 10 performs an acquisition process for acquiring information related to service content, an estimation process for estimating an authentication level, and a response process in response to authentication. However, the user terminal 10 described above may be separated into an acquisition device that performs an acquisition process, an estimation device that performs an estimation process, and a response device that performs a response process. In this case, for example, the processing by the user terminal 10 according to the embodiment is realized by the estimation processing system 1 including each device such as an acquisition device, an estimation device, and a response device.

  Moreover, each embodiment and modification which were mentioned above can be combined suitably in the range which does not contradict a process content.

[8. effect〕
As described above, the user terminal 10 corresponding to the estimation apparatus according to the embodiment includes the acquisition unit 162, the estimation unit 163, and the response unit 166. The acquisition unit 162 acquires service related information that is information related to predetermined service content. Based on the service-related information acquired by the acquisition unit 162, the estimation unit 163 estimates the authentication level for authentication related to service content. The response unit 166 responds to authentication related to service content based on the authentication level estimated by the estimation unit 163.

  As described above, the user terminal 10 according to the embodiment acquires service-related information in the authentication process requested by the service content, and estimates the authentication level in the authentication process based on the acquired information. Accordingly, the user terminal 10 can dynamically set an appropriate authentication level on the client side at the time of authentication, and can perform authentication at the set level. That is, the user terminal 10 can perform authentication using an appropriate authentication strength according to the service.

  Further, the response unit 166 selects or generates authentication information for responding to authentication related to service content based on the authentication level estimated by the estimation unit 163, and the authentication information selected or generated for authentication related to service content Respond.

  As described above, the user terminal 10 according to the embodiment can respond to the server side to perform authentication using the authentication information corresponding to the estimated authentication level. For example, according to the user terminal 10, it is possible to automatically select authentication information obtained by an authentication unit corresponding to the authentication level, or to notify the user of generation of authentication information. That is, since the user terminal 10 can reduce the user's troublesome effort during the authentication process, usability can be improved.

  Moreover, the estimation part 163 estimates the authentication level about the authentication using the user's context information using the user terminal 10 as authentication regarding service content. The response unit 166 responds to the authentication related to the service content with the user context information corresponding to the authentication level estimated by the estimation unit 163.

  Thus, the user terminal 10 according to the embodiment can use user context information as authentication information. By using the context information for authentication, the user can save time and effort such as inputting a password. In addition, even when context authentication is performed, the user terminal 10 can perform authentication using an appropriate authentication level according to the service, so that authentication that maintains appropriate safety according to the service is realized. it can.

  In addition, when the server side that provides the service content cannot perform authentication using the context information of the user who uses the user terminal 10, the response unit 166 performs another authentication that satisfies the authentication level equivalent to the context information. Replies information instead of context information.

  As described above, when the context information cannot be used as authentication information in the authentication process, the user terminal 10 according to the embodiment may respond with authentication information corresponding to an equivalent authentication level. That is, the user terminal 10 responds with authentication information (for example, password, fingerprint data, etc.) that can be handled by the server side in such a manner that context information is wrapped on the user terminal 10 side. Thus, the user terminal 10 can perform a flexible process in the authentication process. Also, since the user terminal 10 automatically responds with authentication information that can be processed on the server side without the user being aware of it, the user can save troublesome authentication processing.

  In addition, when the context information of the user who uses the user terminal 10 does not satisfy the authentication level as authentication information with respect to the authentication level estimated by the estimation unit 163, the response unit 166 performs another authentication that satisfies the authentication level. Responds with the information added to the context information.

  As described above, the user terminal 10 according to the embodiment can respond to the server side by adding further authentication information to the context information so that the authentication information satisfies the authentication level. In other words, the user terminal 10 can realize multi-factor authentication that satisfies the estimated authentication level. Thereby, the user terminal 10 can be used by the user by adding authentication information to service content that does not satisfy the authentication level only by the context information. For this reason, the user terminal 10 can improve the usability regarding an authentication process.

  In addition, the acquisition unit 162 acquires at least one of the business type related to the service content, the type of service provided by the service content, and the text data included in the service content as the service related information. Based on the service-related information acquired by the acquisition unit 162, the estimation unit 163 estimates the authentication level for authentication related to service content.

  As described above, the user terminal 10 according to the embodiment acquires various pieces of information indicating service content by analyzing the service related information. Then, the user terminal 10 estimates the authentication level using the acquired information. Thereby, the user terminal 10 can perform the estimation process with high accuracy.

  Further, the estimation unit 163 is based on the history of the authentication level estimation for the predetermined service content or the history of the terminal device other than the user terminal 10 estimating the authentication level for the predetermined service content. The authentication level of the target service content is estimated.

  As described above, the user terminal 10 according to the embodiment may perform learning regarding past estimation processing or estimation processing performed by another terminal device, and perform the estimation processing by reflecting the learning processing. Thereby, the user terminal 10 can perform the estimation process with high accuracy.

  In addition, the user terminal 10 may include an acquisition unit 162 that performs the following processing, an estimation unit 163, and a response unit 166. That is, the acquisition unit 162 acquires an authentication level set in advance on the service content side for authentication related to service content, as service related information that is information related to predetermined service content. Based on the authentication level acquired by the acquisition unit 162, the estimation unit 163 estimates information that satisfies the authentication level and can be used for authentication related to service content. Based on the information estimated by the estimation unit 163, the response unit 166 selects or generates authentication information that responds to authentication related to service content, and responds to the authentication information that is selected or generated for authentication related to service content. .

  Thus, the user terminal 10 according to the embodiment may perform processing for estimating information for satisfying the authentication level when the authentication level is set on the server side in advance. Then, the user terminal 10 responds to the server side with authentication information used for authentication based on the estimated information. Thereby, the user terminal 10 can appropriately select or generate authentication information used for the authentication process. For example, the user terminal 10 can estimate the authentication means corresponding to the authentication level on the user terminal 10 side and return the authentication information based on the estimated authentication means, even if the authentication means is not specified from the server side. Thereby, the user of the user terminal 10 can perform authentication processing at an appropriate level without the user being particularly conscious.

  As described above, some of the embodiments of the present application have been described in detail based on the drawings. It is possible to implement the present invention in other forms with improvements.

  In addition, the “section (module, unit)” described above can be read as “means” or “circuit”. For example, the acquisition unit can be read as acquisition means or an acquisition circuit.

DESCRIPTION OF SYMBOLS 1 Estimation processing system 10 User terminal 11 Communication part 12 Input part 13 Display part 14 Detection part 15 Storage part 151 Authentication information storage part 152 Authentication means table 153 Context table 155 Estimation information storage part 156 Definition table 157 Domain table 158 Metadata table 159 History table 16 Control unit 161 Reception unit 162 Acquisition unit 163 Estimation unit 164 Analysis unit 165 Learning unit 166 Response unit 167 Selection unit 168 Generation unit 169 Transmission unit 100 Service server

Claims (10)

An acquisition procedure for acquiring service-related information, which is information relating to a predetermined service content;
An estimation procedure for estimating an authentication level of authentication related to the service content based on the service related information acquired by the acquisition procedure;
A response procedure for responding to authentication for the service content based on the authentication level estimated by the estimation procedure;
Is executed by a terminal device. The response procedure is:
Based on the authentication level estimated by the estimation procedure, select or generate authentication information for responding to authentication related to the service content, and respond to the authentication information selected or generated for authentication related to the service content;
The estimation program according to claim 1, wherein: The estimation procedure includes:
As the authentication related to the service content, an authentication level for authentication using context information of a user who uses the terminal device is estimated,
The response procedure is:
Responding to the authentication for the service content with user context information corresponding to the authentication level estimated by the estimation procedure;
The estimation program according to claim 1 or 2, characterized in that. The response procedure is:
If the server providing the service content cannot perform authentication using the context information of the user who uses the terminal device, other authentication information that satisfies the authentication level equivalent to the context information is assigned to the context. Respond instead of information,
The estimation program according to claim 3, wherein: The response procedure is:
When the context information of the user who uses the terminal device does not satisfy the authentication level as authentication information with respect to the authentication level estimated by the estimation procedure, other authentication information satisfying the authentication level is replaced with the context information. To respond with
The estimation program according to claim 3 or 4, characterized in that. The acquisition procedure is as follows:
As the service related information, obtain at least one of a business type related to the service content, a type of service provided by the service content, and text data included in the service content,
The estimation procedure includes:
Estimating an authentication level of authentication related to the service content based on service-related information acquired by the acquisition procedure;
The estimation program according to claim 1, wherein: The estimation procedure includes:
Target service content based on the history of the authentication level estimation for the predetermined service content or the history of the terminal device other than the terminal device estimating the authentication level for the predetermined service content Estimate the authentication level of
The estimation program according to claim 1, wherein: An acquisition unit that acquires service-related information that is information related to predetermined service content;
An estimation unit that estimates an authentication level of authentication related to the service content based on the service-related information acquired by the acquisition unit;
A response unit that responds to authentication related to the service content based on the authentication level estimated by the estimation unit;
An estimation device comprising: An estimation method executed by an estimation device,
An acquisition step of acquiring service-related information that is information relating to a predetermined service content;
An estimation step of estimating an authentication level of authentication related to the service content based on the service-related information acquired by the acquisition step;
A response step for responding to authentication for the service content based on the authentication level estimated by the estimation step;
The estimation method characterized by including. An acquisition procedure for acquiring an authentication level set in advance on the service content side for authentication related to the service content as service related information that is information related to a predetermined service content;
Based on the authentication level acquired by the acquisition procedure, an estimation procedure for estimating information that satisfies the authentication level and can be used for authentication related to the service content;
A response procedure for selecting or generating authentication information that responds to authentication related to the service content based on the information estimated by the estimation procedure, and for responding to the authentication information selected or generated for authentication related to the service content; ,
Is executed by an estimation device.

Images