JP6240349B2 - Providing device, providing method, providing program, and authentication processing system - Google Patents

Description

The present invention provides apparatus, provision method, a providing program, and the authentication processing system.

  In recent years, communication networks have become widespread, and services via networks are actively provided. A user logs in to a service provided via a network using the communication terminal device and uses the service. In using a service via a network, it is desirable to authenticate the identity of a user who uses the service.

  As a technique for personal authentication, there is known a technique for providing personal authentication according to a user's desire or a server policy for biometrics having various system configurations (for example, Patent Document 1). In addition, a technique for determining a user's network environment and performing appropriate user authentication according to the network environment is known (for example, Patent Document 2). Also, a technique is known in which a predetermined authentication function is realized through an interface by using an authentication protocol interface that can be expanded by the authentication apparatus (for example, Patent Document 3).

Japanese Patent Laid-Open No. 2004-362061 JP 2012-103784 A JP 2005-505194 A

  However, with the above-described conventional technology, it is difficult to respond flexibly to authentication requests. For example, the function and technology required for authentication of the personal authentication means via the network may be changed from the viewpoint of ensuring safety and convenience. In this case, since the terminal side requesting the personal authentication is required to have various functions and technologies from the authentication server side, it is difficult to flexibly cope with these requests at all times.

  The present application has been made in view of the above, and an object thereof is to provide a providing device, a terminal device, a providing method, a providing program, and an authentication processing system that can flexibly respond to an authentication request.

  The providing apparatus according to the present application is information generated by attaching a signature using a predetermined key to an authentication result by an authenticator that performs user authentication, and is processed by a specific authentication procedure. Among functions used in communication with an authentication server that authenticates the identity of the user by verifying a signature of certain authentication result information, a detection unit that detects a function that the terminal device used by the user does not have, Of the terminal device among the search unit searching for an external device having a function detected by the detection unit or a function corresponding to the function detected by the detection unit, and the external device searched by the search unit The function detected by the detection unit or the function detected by the detection unit via one external device determined based on the position information and the position information of the external device A providing unit for providing a response to function to the terminal device, characterized by comprising a.

  According to one aspect of the embodiment, there is an effect that an authentication request can be flexibly handled.

FIG. 1 is a diagram illustrating an example of a providing process according to the embodiment. FIG. 2 is a sequence diagram (1) illustrating the authentication method according to the embodiment. FIG. 3 is a sequence diagram (2) illustrating the authentication method according to the embodiment. FIG. 4 is a diagram illustrating a configuration example of the authentication processing system according to the embodiment. FIG. 5 is a diagram illustrating a configuration example of a user terminal according to the embodiment. FIG. 6 is a diagram illustrating a configuration example of the providing apparatus according to the embodiment. FIG. 7 is a diagram illustrating an example of a terminal information storage unit according to the embodiment. FIG. 8 is a diagram illustrating an example of a user information storage unit according to the embodiment. FIG. 9 is a diagram illustrating a configuration example of the authentication server according to the embodiment. FIG. 10 is a diagram illustrating an example of a registration information storage unit according to the embodiment. FIG. 11 is a flowchart illustrating a providing process procedure according to the embodiment. FIG. 12 is a sequence diagram illustrating an authentication processing procedure according to the embodiment. FIG. 13 is a hardware configuration diagram illustrating an example of a computer that realizes the function of the providing apparatus.

  Hereinafter, a mode for implementing a providing device, a terminal device, a providing method, a providing program, and an authentication processing system according to the present application (hereinafter referred to as “embodiment”) will be described in detail with reference to the drawings. The providing device, the terminal device, the providing method, the providing program, and the authentication processing system according to the present application are not limited by this embodiment. In addition, the embodiments can be appropriately combined within a range that does not contradict processing contents. In the following embodiments, the same portions are denoted by the same reference numerals, and redundant description is omitted.

[1. Example of provision processing)
First, an example of a providing process according to the embodiment will be described with reference to FIG. FIG. 1 is a diagram illustrating an example of a providing process according to the embodiment. FIG. 1 shows an example in which the providing device 50 according to the present application provides a lacking function among the functions used for the predetermined communication to the user terminal 10 that performs predetermined communication with the authentication server 100.

  In the example of FIG. 1, the user terminal 10 is an information processing terminal used by a user U01. The user U01 uses the user terminal 10 to use a service provided via a network, for example, a service provided from a web server. In the following description, the user terminal 10 may be referred to as a user U01. That is, in the following, the user U01 can be read as the user terminal 10.

  The authentication server 100 is a server device that acquires information transmitted from the user terminal 10 and authenticates the user U01 based on the acquired information. The authentication server 100 authenticates that the user is U01 based on the acquired information, and generates information indicating that the user has been authenticated. The user terminal 10 transmits information indicating that it has been authenticated from the authentication server 100 to various services (such as a web server), thereby logging in various services, using service IDs issued for each service, It is possible to use services that require personal authentication, such as payment via a network.

  The providing device 50 is an information processing device that provides a function that is insufficient when the user terminal 10 receives user authentication from the authentication server 100 side in a series of communications that occur between the user terminal 10 and the authentication server 100. In the authentication process, the authentication server 100 requests the user terminal 10 for a predetermined processing function in order to ensure the safety and convenience of personal authentication. However, the user terminal 10 that receives the authentication does not necessarily have the function requested from the authentication server 100 side. Therefore, the providing device 50 receives information related to the functions that the user terminal 10 currently has, and detects functions that are insufficient for communication with the authentication server 100 side. Then, the providing device 50 procures a function from another device that can cooperate with the user terminal 10 in order to enable communication for the user terminal 10 side to receive authentication from the authentication server 100 side. Is provided to the user terminal 10 side.

(Authentication method of the authentication server 100)
Here, prior to the description of the providing process performed by the providing device 50, the identity of the user who uses the authentication server 100 using a predetermined information processing terminal (hereinafter referred to as “client 20” for distinction from the user terminal 10). A method for performing authentication will be described with reference to FIGS. Note that the client 20 is assumed to be a terminal that satisfies a function required from the authentication server 100 side in communication related to authentication processing performed by the authentication server 100.

  The authentication server 100 adopts an authentication method based on a so-called public key cryptosystem that ensures the certainty of information by verifying a public key and a secret key issued in advance in the authentication of the client 20. That is, the authentication server 100 performs authentication based on a public / private key pair issued to each authenticator included in the client 20. The authenticator refers to a device having a function that allows the client 20 to perform personal authentication locally. The local authentication refers to authentication performed in a situation where connection to a wide area network (external network) such as the Internet is not required, for example, authentication performed using a function provided in the client 20. The authenticator accepts registration in advance for information that can authenticate the user himself / herself, such as the user's biometric information. And at the time of authentication, the authenticator accepts input of biometric information and the like from the user, and authenticates the person based on the collation result between the registered data and the input data. Specifically, the authenticator includes a fingerprint authenticator, an iris authenticator, a voiceprint authenticator, and the like. The authenticator may be realized by software installed in the client 20 or may be realized by hardware existing within a range connected to the client 20 via a LAN (Local Area Network). That is, the authenticator includes hardware that cooperates with the client 20 by being directly connected to an interface provided in the client 20, for example, without going through an external network such as the Internet.

  First, a procedure in which the authentication server 100 registers the client 20 as an authentication target will be described. FIG. 2 is a sequence diagram (1) illustrating the authentication method according to the embodiment. FIG. 2 shows a flow of processing for registering the client 20 to be authenticated by the authentication server 100 prior to the authentication processing.

  The client 20 accesses the authentication server 100 and requests registration of the authenticator (step S11). In response to the request transmitted from the client 20, the authentication server 100 requests authentication by the authenticator (step S12).

  The user who uses the client 20 operates the authenticator that requested registration to the authentication server 100, and executes authentication by the authenticator locally (step S13). For example, when a user selects a fingerprint authentication device as an authentication device used for authentication, the user performs authentication processing by holding a finger over a location where authentication is performed. If the authentication device on the client 20 side can confirm the user as a legitimate user by comparing the registration data in the authentication device with the input data, the authentication device issues a public key and a private key corresponding to the authentication processing. (Step S14). Then, the client 20 stores the issued secret key in the client 20 and transmits a public key paired with the secret key to the authentication server 100 (step S15). The authentication server 100 receives the public key from the client 20, and stores the public key in association with the authenticator (step S16). In principle, the secret key in the client 20 is stored in an area where access is not accepted, and access is not permitted unless local authentication by the registered authenticator succeeds. As a result, registration of the authenticator included in the client 20 to the authentication server 100 is completed.

  Next, FIG. 3 will be described. FIG. 3 is a sequence diagram (2) illustrating the authentication method according to the embodiment. FIG. 3 shows the flow of processing in a scene where the authentication is actually requested from the authentication server 100 such as when the client 20 uses the service.

  The user requests the authentication server 100 to access a predetermined service with restricted access (step S21). Such a request may be transmitted via, for example, a web server that provides a service via a network. That is, the user may be required to authenticate himself / herself from the connected web server in the process of using the service. In this case, when the user declares that the user authentication is to be performed, the information is transmitted from the client 20 or the connection destination web server to the authentication server 100.

  The authentication server 100 that has received the request requests the client 20 to perform authentication using a pre-registered authenticator (step S22). The user of the client 20 that has received the request executes local authentication using a pre-registered authenticator (step S23).

  When the authentication by the authenticator is successful, that is, when the personal authentication is confirmed locally, the user can access the secret key stored in the client 20. Then, the client 20 generates a signature (hash value) for information related to the authentication result, using a secret key that can be accessed only by a user who is recognized as an authorized user by the authenticator. In other words, the client 20 generates signed information with a secret key that has been issued in advance (step S24). Information generated in this way is referred to as “authentication result information”.

  Subsequently, the client 20 transmits the generated authentication result information using a specific communication procedure defined with the authentication server 100 (step S25), and processes the authentication result information. The authentication server 100 verifies the transmitted authentication result information using the public key paired with the secret key (step S26). That is, the authentication server 100 verifies that the authentication result information is not falsified, in other words, whether the authentication result information is generated with an appropriate secret key. In this way, the authentication server 100 confirms that the authenticator to be authenticated has an appropriate secret key. If this confirmation can be made, the authentication server 100 authenticates that the user who uses the client 20 is a legitimate user based on the authentication result information. Then, the authentication server 100 indicates that it has been authenticated, and transmits to the client 20 information indicating that authentication has been performed, including information on the service requested for access in step S21 (step S27). The information indicating that the authentication has been performed is, for example, an authentication cookie.

  As described above, according to the authentication method, the client 20 does not transmit information used for authentication itself such as a password and a service ID, which are often used for general authentication, to the network. That is, the information transmitted from the client 20 is only information indicating a local authentication result, and even if a third party intercepts the information transmitted from the client 20, the third party must use the intercepted information. I can't. Therefore, it can be said that the authentication method employed by the authentication server 100 is a highly secure method. Further, according to the authentication method employed by the authentication server 100, the user does not need to memorize the password, so the burden on the user can be reduced.

  Furthermore, as described above, the authentication server 100 uses a specific communication procedure defined with the client 20 in the processing of the authentication result information transmitted from the client 20. The communication procedure is an authentication procedure defined between the authentication server 100 and the client 20, and can be read as a protocol related to communication. For example, the authentication server 100 uses a protocol such as UAF (Universal Authentication Framework) or U2F (Universal Second Factor). Thereby, the communication between the authentication server 100 and the client 20 is ensured with higher security.

  As described with reference to FIG. 2 and FIG. 3, when communication is established between the authentication server 100 and the authenticator of the client 20 using an authentication method based on a public key encryption method using a specific protocol. The client 20 can authenticate the authentication server 100 without transmitting authentication information such as a password to the network. However, in the method described above, the user cannot use an authenticator that is not registered in the authentication server 100, and requires new registration for each authenticator, which is troublesome. In addition, when the user does not have an authenticator that performs personal authentication using highly reliable information such as biometric information on the local side, an authentication result for generating authentication result information to be transmitted to the authentication server 100 is obtained. It is not obtained and authentication from the authentication server 100 cannot be received. Furthermore, when the client 20 does not support the protocol defined by the authentication server 100, the user cannot complete the authentication process by the authentication server 100. As described above, there is a problem that the client 20 side that communicates with the authentication server 100 cannot use various services that require personal authentication by the authentication server 100 depending on the functional configuration provided.

  Therefore, the providing device 50 corresponding to the providing device according to the present application cooperates with an information processing terminal (in the example of FIG. 1, corresponding to the user terminal 10) that is difficult to receive the authentication processing by the authentication server 100 alone. As a result, the authentication process by the authentication server 100 can be received. Hereinafter, returning to the description of FIG. 1, an example of the authentication process including the providing device 50 will be described along the flow. In the example illustrated in FIG. 1, it is assumed that the user terminal 10 has previously registered information regarding the functions and devices that the user terminal 10 has in the providing device 50. Further, it is assumed that the user terminal 10 cannot generate information corresponding to a specific protocol used for communication with the authentication server 100 by the user terminal 10 alone.

  In the example illustrated in FIG. 1, the authentication server 100 requests the user terminal 10 for personal authentication (step S01). For example, the authentication server 100 requests the user terminal 10 to authenticate the user in response to a request from the web server when the web server requests user authentication of the user U01 when the user U01 uses a predetermined web service. I do. As described with reference to FIGS. 2 and 3, the user terminal 10 has an authenticator that performs highly reliable authentication on the local side, and can generate authentication result information processed by a specific protocol. In this case, the authentication result information itself is generated and transmitted to the authentication server 100. However, in the example of FIG. 1, the user terminal 10 alone does not have a function of generating authentication result information. Therefore, the user terminal 10 accesses the providing apparatus 50 in order to receive provision of a function corresponding to the insufficient function (step S02).

  The providing device 50 includes a terminal information storage unit 53 in which terminal information such as the user terminal 10 is stored, and a user information storage unit 54 in which user information such as the user U01 is stored. The providing device 50 refers to the information registered in advance in the storage unit and the current information transmitted from the user terminal 10, and detects a function that is insufficient on the user terminal 10 side in communication with the authentication server 100 ( Step S03).

  First, the providing device 50 refers to the terminal information storage unit 53 and detects “10” that is identification information (terminal ID) of the terminal device that has received access. Note that the terminal ID matches the reference symbol assigned to each device. That is, the terminal ID “10” indicates the user terminal 10.

  Subsequently, the providing device 50 refers to the terminal information storage unit 53 and detects the function of the user terminal 10. For example, in the example of FIG. 1, the providing apparatus 50 detects that the item of the generation unit that generates authentication result information is “0” for the user terminal 10, that is, does not have a generation unit that generates authentication result information. To do. Further, in the providing device 50, the user terminal 10 has three types of authentication devices, of which the authentication device “A11” is provided in the user terminal 10 and the authentication device “A11” is the “fingerprint” authentication type. (Hereinafter, the authentication device “A11” is expressed as “fingerprint authentication device A11”). Accordingly, the providing apparatus 50 detects that the user terminal 10 is a terminal that can perform personal authentication by fingerprint authentication inside the user terminal 10 but cannot generate such a result as authentication result information.

  Here, the providing device 50 refers to the user information storage unit 54 and acquires information related to the user U01 who owns the user terminal 10. For example, the providing device 50 has a user U01 identified by identification information (user ID) “U01” as a terminal owned by the user U10 and another terminal “30” (to distinguish the user terminal 10 from It is detected that “representative terminal 30” is registered. In the providing device 50, the user terminal 10 and the proxy terminal 30 use lines provided by the same line providing company, and both are owned by the same user through information registered in the line providing company. As a terminal, it is detected that the registration information is reliable. Furthermore, the providing device 50 refers to the terminal information storage unit 53 and detects that the proxy terminal 30 has a generation unit that generates authentication result information.

  In other words, the providing device 50 detects that the proxy terminal 30 is a terminal having a certain level of reliability and a terminal having means for generating authentication result information in the authentication process of the user U01. Then, the providing device 50 searches for a function that can be used in communication between the user terminal 10 and the authentication server 100 via the network (step S04). For example, the providing device 50 accesses the proxy terminal 30 and searches for a function that can be used in communication between the user terminal 10 and the authentication server 100. When the proxy terminal 30 can proxy the generation means required for the user terminal 10, the providing device 50 procures such a function by means such as operating the generation means of the proxy terminal 30 (step S05). Then, the providing device 50 provides the user terminal 10 with an insufficient function (step S06). For example, the providing apparatus 50 establishes a connection between the user terminal 10 and the proxy terminal 30 and transmits the result of authentication performed by the fingerprint authenticator A11 of the user terminal 10 from the user terminal 10 to the proxy terminal 30. The proxy terminal 30 generates authentication result information based on the result of authentication performed by the fingerprint authenticator A11. Then, the proxy terminal 30 transmits the generated authentication result information to the user terminal 10. The user terminal 10 transmits the transmitted authentication result information to the authentication server 100 (step S07).

  The authentication server 100 verifies the authentication result information generated with the secret key of the proxy terminal 30 using the public key corresponding to the proxy terminal 30 that is owned in advance. At this time, the authentication server 100 may accept information identifying that the generation result of the authentication result information is the proxy terminal 30 separately from the authentication result information. In addition, the authentication server 100 accepts the information regarding the mutual reliability of the user terminal 10 and the proxy terminal 30 to allow the proxy terminal 30 to proxy the generation of the authentication result information transmitted from the user terminal 10. It may be. For example, it is assumed that the user terminal 10 and the proxy terminal 30 use lines provided by the same line provider company C01 and are proved to be owned by the same user U01 by the line provider company C01. In this case, the authentication server 100 may accept the proxy terminal 30 as a terminal acting as the proxy for the user terminal 10 by receiving such reliability information from the providing device 50 or the user terminal 10 side. .

  Then, the authentication server 100 authenticates the user U01 who uses the user terminal 10 when the authentication result information for which the generation process is proxyed by the proxy terminal 30 has been verified (step S08). When the user terminal 10 does not have a function of transmitting authentication result information processed by a specific protocol defined by the authentication server 100, the proxy terminal 30 may act as a proxy for the transmission processing in step S06.

  As described above, the providing device 50 uses the registration information in the user terminal 10 and the current information of the user terminal 10 to detect a function that is insufficient in communication with the authentication server 100 and to provide an external device having a corresponding function. Explore. Then, the providing device 50 procures the function of the searched external device and provides the procured function to the user terminal 10.

  The providing device 50 can also procure functions from devices other than the proxy terminal 30. For example, as illustrated in FIG. 1, the providing device 50 includes information indicating that the user U02 is registered as a user trusted by the user U01. In this case, the providing device 50 searches for a terminal device owned by the user U02 (denoted as “friend terminal 35” for distinction from the user terminal 10). Then, the providing device 50 detects that the friend terminal 35 has a generation unit that generates authentication result information used for communication with the authentication server 100. Then, the providing device 50 procures generation means from the friend terminal 35 and provides the procured function to the user terminal 10.

  As another example, it is assumed that the providing apparatus 50 detects that the fingerprint authentication device A11 provided in the user terminal 10 cannot be used due to some trouble. In this case, the providing device 50 searches for another authenticator based on the registration information of the user terminal 10. For example, the user terminal 10 registers a store terminal 40 provided in a predetermined store (for example, a store operated by a line provider company C01 that provides a line used by the user terminal 10) as an authenticator. In this case, the providing apparatus 50 searches for the authentication device A12 provided in the store terminal 40 as an authentication device acting as an authentication function of the user terminal 10, and procure the function. The providing device 50 provides the procured function to the user terminal 10.

  Specifically, the providing device 50 presents to the user U01 that the authentication device A12 provided in the store terminal 40 is available. For example, the providing device 50 presents that local authentication is possible by establishing communication between the user terminal 10 and the store terminal 40 and transmitting predetermined information from the user terminal 10. Here, it is assumed that the user terminal 10 can authenticate the identity of the user U01 by transmitting an identification number (PIN, Personal Identification Number) given to the user terminal 10 itself to the store terminal 40. Therefore, the providing device 50 causes the user terminal 10 to transmit a PIN in communication established between the user terminal 10 and the store terminal 40. Then, the providing device 50 provides the user terminal 10 with a result indicating the user authentication of the user U01 issued by the authenticator A12 related to the store terminal 40.

  Alternatively, the providing device 50 may use an authentication function that the cloud server 45 has registered in advance by the user U01. For example, it is assumed that the user U01 has stored fingerprint registration data on the cloud as a backup. The providing device 50 refers to the registration information, searches for the authentication device A13 that uses the cloud server 45 as a proxy for the fingerprint authentication device A11, and procure such a function. That is, the providing device 50 establishes a connection between the user terminal 10 and the cloud server 45. The user U01 transmits fingerprint data to the cloud server 45 using the user terminal 10 (or other predetermined terminal device). Then, the providing device 50 provides the authentication result issued from the cloud server 45 to the user U01. In the above process, the providing device 50 may establish communication with each other to mediate transmission / reception of information, or does not transmit / receive information itself, It is also possible to only provide information indicating that the device can be used.

  In the above processing, the providing device 50 provides the user terminal 10 with an insufficient function based on, for example, the reliability of the device serving as the function providing source. For example, since the store terminal 40 is operated by a telecommunications carrier, it is assumed that the reliability of the issued authentication result is relatively high. On the other hand, since there is a possibility of unauthorized use due to third party access to the cloud server 45, it is assumed that the reliability of the issued authentication result is relatively low. In this case, the providing device 50 may prioritize procurement of functions from the highly reliable store terminal 40. Further, the providing device 50 also evaluates the reliability value with the user terminal 10 at the proxy terminal 30 and the friend terminal 35, and the authentication result information generated by the more reliable terminal is transmitted to the authentication server 100. May provide functionality.

  As described above, the providing apparatus 50 according to the embodiment detects a function that the user terminal 10 does not have among functions used for communication with the authentication server 100 in the user terminal 10 that communicates with the authentication server 100. Then, the providing device 50 has a function corresponding to the detected function on the user terminal 10 side that transmits authentication result information to the authentication server 100 (the user terminal 10 side is a side that requests authentication from the authentication server 100) The proxy terminal 30 and the friend terminal 35).

  Thus, according to the providing apparatus 50, it is possible to provide a function required for communication to the user terminal 10 that cannot establish communication alone with the authentication server 100 having a predetermined authentication method. That is, the user terminal 10 can establish communication with the authentication server 100 and perform authentication processing without changing the current configuration. Specifically, even when information corresponding to a specific protocol cannot be generated by the user terminal 10 itself, by cooperating with the providing device 50, the user terminal 10 can proxy by a terminal having a predetermined secret key. By performing the process, authentication result information to be transmitted to the authentication server 100 can be generated. Further, according to the providing device 50, for example, even when the authentication method defined by the authentication server 100 is changed, functions required for communication can be procured each time. For this reason, the user terminal 10 side using the providing device 50 can complete the authentication process by receiving provision of a function in accordance with the method each time, regardless of the method defined by the authentication server 100. Further, since the authentication server 100 side receives information transmitted from a reliable device or the like detected by the providing device 50, authentication processing that maintains a certain level of reliability can be performed. In this way, the providing device 50 can flexibly respond to the authentication request without impairing the security of the authentication.

  In the example of FIG. 1, the user terminal 10 and the providing device 50 communicate with each other, and the proxy terminal 30 or the like that is searched for by the providing device 50 and the providing device 50 communicate with each other. . However, as described above, the user terminal 10 and the proxy terminal 30 or the like may directly communicate, and the provision of a function used by the user terminal 10 for communication with the authentication server 100 may be received from the proxy terminal 30. Further, in the authentication process in FIG. 1, the providing apparatus 50 has shown an example of providing a function that is insufficient on the user terminal 10 side in communication with the authentication process. However, the providing device 50 does not necessarily perform processing for providing a function that is insufficient on the user terminal 10 side in communication with the authentication server 100. That is, the user terminal 10 may be able to communicate with the authentication server 100, but may not have other functions detected by the providing device 50. For example, in the example of FIG. 1, the user U01 may desire to use another authentication device (for example, an authentication device that uses an iris or a voiceprint) even if the user terminal 10 includes the fingerprint authentication device A11. is there. As described above, the providing device 50 detects a function that is used in communication with the authentication server 100 and that the user terminal 10 does not have, even if the function is not insufficient for communication with the authentication server 100. That is, according to the providing device 50, the user U01 can flexibly cope with a specific authentication procedure required from the authentication server 100, and can enjoy convenience related to the authentication processing.

[2. Configuration of authentication processing system]
Next, the configuration of the authentication processing system 1 including the providing device 50 according to the embodiment will be described with reference to FIG. FIG. 4 is a diagram illustrating a configuration example of the authentication processing system 1 according to the embodiment. As illustrated in FIG. 4, the authentication processing system 1 according to the embodiment includes a user terminal 10, a providing device 50, an authentication server 100, a web server 200, and devices searched by the providing device 50. . These various devices are communicably connected via a network N by wire or wireless. Note that the number of various devices is not limited to the example illustrated in FIG. 4. For example, the authentication processing system 1 may include a plurality of user terminals 10 and the like.

  The user terminal 10 is an information processing terminal such as a desktop PC (Personal Computer), a notebook PC, a tablet terminal, a mobile phone including a smartphone, or a PDA (Personal Digital Assistant). The user terminal 10 also includes a wearable device that is a glasses-type or watch-type information processing terminal. Furthermore, the user terminal 10 may include various smart devices having an information processing function. For example, the user terminal 10 may include a smart home appliance such as a TV (television), a refrigerator, and a vacuum cleaner, a smart vehicle such as an automobile, a drone, and a home robot.

  The user terminal 10 includes various authenticators. For example, the user terminal 10 includes a biometric authentication device that uses user biometric information. Accordingly, the user terminal 10 locally authenticates the user who uses the user terminal 10. As described above, the authenticator may be software included in the user terminal 10 or hardware connected to the user terminal 10.

  The providing device 50 is an information processing device that cooperates with the user terminal 10 and an authenticator included in the user terminal 10 to provide a function used for the user terminal 10 to receive authentication processing by the authentication server 100 to the user terminal 10 side. is there.

  The authentication server 100 is a server device that performs user authentication of a user who uses the user terminal 10. The authentication server 100 receives the authentication result information transmitted from the user terminal 10 side, and verifies the authentication result information with the corresponding public key. Then, the authentication server 100 returns information indicating that the authentication has been completed (for example, an authentication cookie) to the user terminal 10. The user terminal 10 can perform authentication processing in the service provided by the web server 200 or the like by using the authenticated information. Alternatively, the authentication server 100 transmits the authenticated information to the web server 200, thereby transmitting that the user who uses the service has been authenticated as the user U01.

  The web server 200 is a server device that provides various web pages when accessed from the user terminal 10. The web server 200 provides various web pages related to, for example, a news site, a weather forecast site, a shopping site, a finance (stock price) site, a route search site, a map providing site, a travel site, a restaurant introduction site, and a web blog.

  The web server 200 may request user authentication for providing a service. For example, when the web server 200 provides a payment service, if the user using the user terminal 10 cannot be authenticated as the user U01 without fail, the web server 200 restricts the execution of the payment service by the user terminal 10. can do. On the other hand, when the web server 200 receives information indicating that authentication by the authentication server 100 has been performed, the web server 200 trusts that the user using the user terminal 10 is the user U01. In this case, the web server 200 accepts an action that requires personal authentication, such as payment by the user terminal 10.

  The device searched by the providing device 50 is a device that provides a function used for communication when the user terminal 10 communicates with the authentication server 100. For example, the searched device includes the proxy terminal 30, the friend terminal 35, the store terminal 40, and the cloud server 45. In addition, functions required for communication between the user terminal 10 and the authentication server 100 may differ depending on the function of the user terminal 10 and the situation where the user terminal 10 is placed. For this reason, the searched device may be different each time the search processing by the providing device 50 is performed.

[3. Configuration of user terminal]
Next, the configuration of the user terminal 10 according to the embodiment will be described with reference to FIG. FIG. 5 is a diagram illustrating a configuration example of the user terminal 10 according to the embodiment. As illustrated in FIG. 5, the user terminal 10 includes a communication unit 11, an input unit 12, a display unit 13, an authentication unit 14, and a control unit 15. Note that the connection relationship between the processing units included in the user terminal 10 is not limited to the connection relationship illustrated in FIG. 5, and may be another connection relationship.

  The communication unit 11 is connected to the network N in a wired or wireless manner, and transmits and receives information to and from the providing device 50, the authentication server 100, the web server 200, and the like. For example, the communication unit 11 is realized by a NIC (Network Interface Card) or the like.

  The input unit 12 is an input device that receives various operations from the user. For example, the input unit 12 is realized by an operation key or the like provided in the user terminal 10. The input unit 12 may include an imaging device (such as a camera) for capturing an image and a sound collection device (such as a microphone) that collects sound. The display unit 13 is a display device for displaying various information. For example, the display unit 13 is realized by a liquid crystal display or the like. In addition, when a touch panel is employ | adopted for the user terminal 10, a part of input part 12 and the display part 13 are integrated.

  The authentication unit 14 authenticates a user who uses the user terminal 10. Specifically, the authentication unit 14 receives information input from the user using various authenticators. And the authentication part 14 collates the data previously registered with various authentication devices, and input data. Then, the authentication unit 14 sends the collation result to the control unit 15. Note that data registered in advance in the authenticator is stored in the registration data storage unit 14a. The registration data storage unit 14a stores information related to the authenticator used by the user terminal 10. For example, when the user U01 uses the cloud server 45 as an authenticator, information about the cloud server 45 (for example, an address used for connection) is stored in the registered data storage unit 14a.

  The authentication unit 14 includes, for example, a fingerprint authenticator A11 as an authenticator. The fingerprint authenticator A11 accepts registration of fingerprint data from the user in advance. In the authentication, the fingerprint authenticator A11 accepts a fingerprint input from a user who uses the user terminal 10, and performs personal authentication by collating with the registered fingerprint data. The authentication device is not limited to the fingerprint authentication device, and may be, for example, an iris authentication device or a voiceprint authentication device.

  Further, the user terminal 10 may include an authenticator that uses various types of information other than the above example as an authenticator. For example, the user terminal 10 may include a face authenticator that performs authentication using image data of the user's face. When the user terminal 10 is a wearable device, the user terminal 10 may use various sensors provided as an authentication device. That is, the user terminal 10 holds sensor data acquired from the user in advance, and authenticates the user's identity by collating with the sensor data held in advance when used by the user. To do. The authenticator is not limited to an authenticator that performs authentication using biometric information. For example, the authenticator may be a hardware authenticator that performs authentication by connecting a predetermined physical key owned by the user U01 to the user terminal 10, or may be a SIM card (Subscriber Identity) built in the user terminal 10. A SIM card authenticator that performs authentication by determining the contents of the Module Card) may be used. Further, the user terminal 10 may include an authenticator that authenticates the user based on identification information assigned to a device to which the user terminal 10 is connected. In this case, for example, the authenticator determines identification information (MAC (Media Access Control) address or the like) uniquely assigned to a router or the like that is wirelessly connected to the user terminal 10. Then, when the determined identification information is not inconsistent with the identification information of the device normally used by the user to be authenticated, the authenticator authenticates the user who uses the user terminal 10 as the person himself / herself.

  For example, the control unit 15 executes various programs stored in a storage device inside the user terminal 10 by using a RAM (Random Access Memory) as a work area by a CPU (Central Processing Unit), an MPU (Micro Processing Unit), or the like. It is realized by doing. The control unit 15 is realized by an integrated circuit such as an application specific integrated circuit (ASIC) or a field programmable gate array (FPGA).

  The control unit 15 controls processing such as authentication processing performed in the user terminal 10, processing cooperating with the providing device 50, management of information transmitted and received with the authentication server 100 and the web server 200, and the like. As illustrated in FIG. 5, the control unit 15 includes an acquisition unit 16, an authentication control unit 17, and a transmission unit 18, and realizes or executes functions and operations of information processing described below. For example, the control unit 15 implements the acquisition unit 16, the authentication control unit 17, and the transmission unit 18 by executing the above-described application using the RAM as a work area. Note that the internal configuration of the control unit 15 is not limited to the configuration illustrated in FIG. 5, and may be another configuration as long as information processing described later is performed.

  The acquisition unit 16 acquires various information. For example, the acquisition unit 16 receives information transmitted from the authentication server 100 or the web server 200. In addition, the acquisition unit 16 receives a communication packet that is transmitted from the authentication server 100 or the web server 200 and that requests authentication of a user who uses the user terminal 10. The acquisition unit 16 acquires various types of information requested from the authentication unit 14. For example, the acquisition unit 16 acquires fingerprint data of a user who uses the user terminal 10 via the input unit 12. In addition, the acquisition unit 16 acquires information regarding functions provided by the providing device 50.

  The authentication control unit 17 controls processing related to authentication processing. For example, the authentication control unit 17 operates the fingerprint authenticator A <b> 11 included in the authentication unit 14 in accordance with a request for personal authentication from the authentication server 100. And the authentication control part 17 controls the process which receives the input of fingerprint data from the user U01, and the authentication process performed by the fingerprint authenticator A11.

  Further, the authentication control unit 17 controls communication with the providing device 50. For example, the authentication control unit 17 detects information related to the user terminal 10 such as the type of authenticator included in the user terminal 10 and whether the user terminal 10 has a generation unit, which is transmitted to the providing device 50. . In addition, the authentication control unit 17 receives a function provided from the providing device 50. And the authentication control part 17 utilizes the function received from the provision apparatus 50 so that communication with the authentication server 100 is materialized. In addition, when the user terminal 10 does not have a function of using a protocol used for communication with the authentication server 100, the authentication control unit 17 transmits the information to the providing device 50, and other terminals such as the proxy terminal 30 To establish communication using a specific protocol. That is, the authentication control unit 17 controls the authentication process for the authentication server 100 using the function provided by the providing device 50.

  The transmission unit 18 transmits various information. For example, the transmission unit 18 transmits information such as the current function and configuration of the user terminal 10 to the providing device 50. In addition, the transmission unit 18 transmits the authentication result information provided via the providing device 50 to the authentication server 100. In addition, the transmission unit 18 transmits the authenticated information transmitted from the authentication server 100 to the web server 200 or the like.

  Note that the configuration of the user terminal 10 illustrated in FIG. 5 is an example, and the user terminal 10 does not necessarily include the processing units illustrated in FIG. For example, the user terminal 10 may not include an authenticator inside. In this case, the user terminal 10 cooperates with the providing device 50 to provide the user terminal 10 with a function of a predetermined authenticator provided outside.

[4. Configuration of providing device]
Next, the configuration of the providing device 50 according to the embodiment will be described with reference to FIG. FIG. 6 is a diagram illustrating a configuration example of the providing device 50 according to the embodiment. As illustrated in FIG. 6, the providing device 50 includes a communication unit 51, a storage unit 52, and a control unit 55, and performs various processes in cooperation with the user terminal 10. The providing device 50 includes an input unit (for example, a keyboard and a mouse) that receives various operations from an administrator who uses the providing device 50, and a display unit (for example, a liquid crystal display) for displaying various types of information. You may have.

(About the communication unit 51)
The communication part 51 is implement | achieved by NIC etc., for example. The communication unit 51 is connected to the network N in a wired or wireless manner, and transmits and receives information to and from the user terminal 10 and various terminals to be searched via the network N.

(About the storage unit 52)
The storage unit 52 is realized by, for example, a semiconductor memory device such as a RAM or a flash memory, or a storage device such as a hard disk or an optical disk. The storage unit 52 includes a terminal information storage unit 53 and a user information storage unit 54.

(Terminal information storage unit 53)
The terminal information storage unit 53 stores information related to a terminal device that communicates with the providing device 50. Here, FIG. 7 shows an example of the terminal information storage unit 53 according to the embodiment. FIG. 7 is a diagram illustrating an example of the terminal information storage unit 53 according to the embodiment. In the example illustrated in FIG. 7, the terminal information storage unit 53 includes “terminal ID”, “generation unit”, “authenticator ID”, “registration destination”, “type”, “registration data”, “authenticated user”, It has items such as “reliability” and “secret key”.

  “Terminal ID” indicates identification information for identifying a terminal device. In the embodiment, the terminal ID is assumed to match the reference code of the terminal device. For example, the terminal ID of the user terminal 10 is indicated as “10”, and the terminal ID of the proxy terminal 30 is indicated as “30”.

  “Generating means” indicates whether or not the authentication server 100 has a function of generating authentication result information that can be received. In FIG. 7, when the item of the generation unit is “0”, the generation unit is not included, and when the item of the generation unit is “1”, the generation unit is included.

  “Authenticator ID” indicates identification information for identifying an authenticator. In the embodiment, it is assumed that the authentication device ID matches the reference code of the authentication device. For example, the authentication device ID of the fingerprint authentication device A11 is indicated as “A11”.

  “Registered” indicates the location of the registered authenticator. For example, in FIG. 7, when “inside” is indicated, it indicates that such an authenticator is provided inside the terminal device. In addition, when “store terminal 40” or “cloud server 45” is indicated, it indicates that an authenticator is provided in the indicated device.

  “Type” indicates the type of the authenticator. In an embodiment, the authenticator type is indicated by information that the authenticator can verify. For example, when the type of the authentication device is “fingerprint”, this authentication device indicates that personal authentication is performed using fingerprint data.

  “Registered data” indicates information for identifying data registered in advance in the authenticator for personal authentication. In FIG. 7, “registration data” conceptually shows “B11” or the like, but actually, the registration data items include user fingerprint data, iris data, voiceprint data, and the like. Is memorized. A plurality of registration data may be registered in one authenticator. For example, FIG. 7 shows an example in which two data “B13” and “B33” are registered in the fingerprint authenticator A45. This indicates that even when the same user “U01” registers in the fingerprint authentication device A45, the data itself registered in the fingerprint authentication device A45 is different when the registration source terminal is different.

  “Authenticated user” indicates a user authenticated by the authenticator. A plurality of authenticated users may be registered for one authenticator. In this case, the authenticator sets registration data and authenticated users as one pair, and has at least as many registered data as the number of authenticated users.

  “Reliability” indicates the reliability of the authenticator managed by the providing apparatus 50. In the example of FIG. 7, the reliability is indicated by a numerical value in five stages from 1 to 5, and the reliability is higher as the number is larger. The reliability item may be automatically set by the registration unit 56 of the providing device 50 by referring to a list indicating the authenticity of the authenticator, or set by the administrator of the providing device 50, for example. May be. The reliability item may be set by designation from the authentication server 100. Further, the reliability item may be set not for each authenticator but for each registered data.

  The reliability item is set depending on the type of the authenticator, the location where the authenticator is located, and the like. For example, when the information that authenticates the authenticator is biometric information, it is difficult for a third party to authenticate the person using the authenticator illegally, and thus the authenticity of the authenticator is determined to be high. In addition, since the authenticator on the cloud is likely to be illegally accessed by a third party, the authenticity of the authenticator is determined to be low. In addition, the authenticator in the store terminal 40 placed in a store set up by a line provider company or the like is difficult to be used illegally by a third party. Note that such a reliability setting method is an example, and the providing device 50 or the authentication server 100 may set the reliability by various other methods.

  The “secret key” indicates key information issued for authentication of the authenticator registered with the authentication server 100. The terminal device having a means for generating authentication result information attaches a signature using the secret key to generate the authentication result information as authentication result information. The authentication result information is transmitted to the authentication server 100 using a specific protocol, and authentication processing by the authentication server 100 is performed. Note that the authentication server 100 stores a public key corresponding to the secret key. Even when the terminal does not have a generation unit, a secret key may be issued to an authenticator used by the terminal. For example, when the terminal uses an external authenticator provided in the cloud server 45 or the like and the cloud server 45 can generate authentication result information, the authentication by the authenticator A secret key may be issued.

  That is, in FIG. 7, the terminal device identified by the terminal ID “10” does not have a generation unit, but “A11”, “A40”, and “A45” can be used as authenticators. Yes. Among them, the fingerprint authentication device A11 is provided in the user terminal 10 “inside”, the PIN authentication device A40 is provided in the “shop terminal 40”, and the fingerprint authentication device A45 is provided in the “cloud server 45”. It shows that. The respective registration data are “B11”, “B12”, and “B13”, all of which are registration data used to authenticate the user “U01”. The reliability of each authenticator is “3”, “5”, and “2”. Among the authenticators used by the user terminal 10, the authenticators registered in the authentication server 100 are “A40” and “A45”, and the secret keys are “K121” and “K131”, respectively. An example is shown.

(About the user information storage unit 54)
The user information storage unit 54 stores information related to a user who uses the providing device 50. Here, FIG. 8 shows an example of the user information storage unit 54 according to the embodiment. FIG. 8 is a diagram illustrating an example of the user information storage unit 54 according to the embodiment. In the example illustrated in FIG. 8, the user information storage unit 54 includes “user ID”, “owned terminal ID”, “generation unit”, “line provider”, “trusted user”, “service ID”, “authentication history”. It has items such as “information”.

  “User ID” indicates identification information for identifying a user. It is assumed that the user ID matches the reference code of the user. For example, the user ID of the user U01 is indicated as “U01”.

  “Owned terminal ID” indicates a terminal ID owned by the user. “Generation means” indicates whether each terminal has generation means. “Line provider” indicates information for identifying a company that provides a line used by the terminal. For example, a common store terminal 40 can be used as a terminal shared by the line provider.

  “Trusted user” indicates identification information of a user set as a trusted user from a predetermined user. The trusted user is set, for example, when the user makes a setting with respect to the providing device 50, when the user makes an offer to the line providing company, or makes a setting with respect to the authentication server 100. It is assumed that the user set as a trusted user can share the function of the owned terminal with the user set as the trusted user, or provide the other party with a function that is lacking. For example, the trusted user corresponds to the user's family and friends.

  The “service ID” is user identification information used when using a service provided from the web server 200. The service ID is issued for each service. FIG. 8 shows an example in which one service ID is issued for each user, and the service ID is issued from the same service. The service ID is used as one piece of information indicating the identity of the user, for example.

  “Authentication history information” is information indicating a history of processing performed by the providing device 50 for each user. In FIG. 8, the authentication history information is represented by a concept such as “R01”. Actually, the authentication history information relates to a communication log between the user terminal 10 and the providing device 50 and a device searched by the providing device 50. It is configured by information, a communication log between the user terminal 10 and the authentication server 100, and the like. The providing device 50 can quickly perform the providing process assumed to be suitable for the user by referring to the authentication history information during the providing process.

  That is, in FIG. 8, the user U01 identified by the user ID “U01” owns the terminal identified by the terminal IDs “10” and “30”, and “10” has no generation means, “30” has a generation means, and the line provider of each terminal is “C01”. In addition, the user U01 sets the user U02 as a trusted user, the service ID of the user U01 is “Y01”, and the authentication history information is “R01”.

(Regarding the controller 55)
The control unit 55 is realized, for example, by executing various programs (corresponding to an example of a provided program) stored in a storage device inside the providing device 50 using the RAM as a work area by a CPU, an MPU, or the like. The control unit 55 is realized by an integrated circuit such as ASIC or FPGA, for example.

  As shown in FIG. 6, the control unit 55 includes a registration unit 56, a detection unit 57, a search unit 58, and a provision unit 59, and realizes or executes the information processing functions and operations described below. . The internal configuration of the control unit 55 is not limited to the configuration illustrated in FIG. 6, and may be another configuration as long as the information processing described later is performed. Further, the connection relationship between the processing units included in the control unit 55 is not limited to the connection relationship illustrated in FIG. 6, and may be another connection relationship.

(Registration unit 56)
The registration unit 56 registers information regarding a terminal and a user using the providing device 50. For example, the registration unit 56 accepts registration of an authenticator for the user U01 using the user terminal 10 to perform authentication. Note that the registration unit 56 may register information by accepting a registration offer from the user U01, or register information on the terminal acquired as a result of processing performed by the detection unit 57 and the search unit 58. May be. For example, the registration unit 56 registers information related to the user terminal 10 used by the user U01 receiving authentication, information related to the user U01, and the like. In addition, the registration unit 56 receives information on a terminal device other than the user terminal 10 used by the user U01 (for example, the proxy terminal 30) and information on the friend terminal 35 used by the user U02 who is a user trusted by the user U01. sign up. The registration unit 56 stores the registered information in the terminal information storage unit 53 and the user information storage unit 54 as appropriate.

  The registration unit 56 updates the registered information. For example, after registering information related to the authenticity of the authenticator, the registration unit 56 detects an event that decreases the reliability of the authenticator (for example, when unauthorized use by a third party is detected). If this happens, the information is updated so that the authenticator becomes less reliable. Further, the registration unit 56 may update information on the authenticator based on information transmitted from the authentication server 100. For example, the registration unit 56 updates the reliability value set in the authenticator based on the reliability value designated by the authentication server 100. As described above, the registration unit 56 manages information such as an authenticator provided in each terminal and ensures the authenticity of the authenticator, thereby ensuring the appropriateness of user authentication performed locally.

(About the detection unit 57)
The detection unit 57 is information generated by attaching a signature using a predetermined secret key to an authentication result by an authenticator that performs user authentication, and is processed by a specific authentication procedure. By verifying the signature of certain authentication result information, a function that the user terminal 10 used by the user does not have is detected from among the functions used in communication with the authentication server 100 that authenticates the identity of the user.

  Here, the functions detected by the detection unit 57 are organized as follows. In other words, the detection unit 57 performs a function of an authenticator (authentication function) used on the user terminal 10 side that requests authentication or a specific authentication procedure defined by the authentication server 100 in the process of receiving user authentication from the authentication server 100. A function (generation function) for generating authentication result information that is processed by (protocol) and generated based on the authentication result of the authenticator is detected. The detection unit 57 also detects various functions (means) for realizing the authentication function and the generation function. For example, the detection unit 57 may detect an authenticator that can perform the personal authentication using an authentication function different from the authenticator provided on the terminal side among the authenticators.

  That is, the detection unit 57 first detects whether or not the user terminal 10 has a function of performing authentication on the local side as detection of a function that the user terminal 10 does not have. Then, when the user terminal 10 does not have the authentication function itself, the detection unit 57 detects one of the authentication devices so that any one of the authentication devices can be provided to the user terminal 10. The detecting unit 57 may select and detect a suitable authenticator based on the usage status of the user terminal 10 among the detected authenticators. On the other hand, when the user terminal 10 has the authentication function itself, the detection unit 57 detects an authenticator having a further different authentication function (authentication method) so as to enable more convenient authentication for the user. May be.

  For example, when the terminal side is provided with the fingerprint authenticator A11 and has a function of performing user identity authentication, the detector 57 detects an authenticator using another authentication method. Specifically, the detection unit 57 has a function that the user terminal 10 does not have, such as an iris authenticator that has a function of performing authentication by collating user iris data, or authentication by collating user voice data. A voiceprint authenticator having a function to perform can be detected. For example, the detection unit 57 has a function of generating authentication result information corresponding to a certain protocol on the terminal side, but does not have a function of generating authentication result information corresponding to another protocol. Detects a function for generating authentication result information corresponding to the protocol. As described above, the detection unit 57 detects a function used in communication with the authentication server 100 and a function (means) for realizing the function as functions that the terminal side does not have. Thus, the detection unit 57 detects a function used for communication with the authentication server 100 when the user terminal 10 used by the user receives authentication from the authentication server 100. Thereby, even if the user terminal 10 has a certain authenticator, for example, when the user terminal 10 does not have an authenticator that adopts another authentication method, the user device 10 uses the providing device 50. Thus, an authenticator that employs another authentication method can be detected and used.

  In addition, the detection unit 57 detects a function that is insufficient for the user terminal 10 attempting communication among various functions required for communication with the authentication server 100, so that the user terminal 10 side receives authentication from the authentication server 100. Identify the functions that should be provided.

  For example, the detection unit 57 detects a function used for communication with the authentication server 100 according to the situation of the user terminal 10 at the time when communication is requested from the authentication server 100. That is, the detection unit 57 acquires the status of the user terminal 10 when the user terminal 10 is requested to authenticate by the authentication device from the authentication server 100. And the detection part 57 detects the function which the user terminal 10 lacks based on the acquired information, for example. Thus, the detection unit 57 can preferentially detect a function suitable for the situation by performing the detection process based on the situation when the user terminal 10 is requested to authenticate. The detection unit 57 can detect a function used for communication with the authentication server 100 based on the environment in which the user terminal 10 is placed. For example, when the user terminal 10 includes an iris authenticator, and the illuminance is low and the iris cannot be photographed in the environment where the user terminal 10 is placed, the detection unit 57 may Based on the above, it is possible to detect an authenticator that uses an authentication method different from the iris authenticator. In this process, for example, the detection unit 57 may appropriately acquire information on various sensors (such as an illuminance sensor) included in the user terminal 10 and use the acquired information.

  The detection unit 57 may detect a function used to generate authentication result information that satisfies the authentication strength required from the authentication server 100. Here, the authentication strength refers to an index value indicating the certainty that the user is definitely the person in the authentication process. For example, the authentication server 100 may limit the proxying process by the providing device 50 in order to ensure the safety of the service. For example, in the local authentication process, the authentication server 100 authenticates the authentication result information generated on behalf of the proxy process performed by a low-reliability device such as the cloud server 45 on the assumption that the required authentication strength cannot be secured. It may not be possible. In response to such a request from the authentication server 100, the detection unit 57 detects a function that satisfies the authentication strength. For example, when there are a plurality of authenticators in the user terminal 10, the detecting unit 57 detects the most reliable authenticator. In this way, the detection unit 57 can preferentially detect a function assumed to satisfy the request of the authentication server 100.

  Further, the detection unit 57 detects a function that is insufficient for communication with the authentication server 100 when the user terminal 10 transmits the authentication result information to the authentication server 100 based on the information registered by the registration unit 56. It may be. For example, as illustrated in FIG. 7, information that the user terminal 10 does not have a generation unit is stored in the terminal information storage unit 53 by the registration unit 56. In this case, the detection unit 57 can detect that the function of the generation unit is lacking without referring to the terminal information storage unit 53 without acquiring information from the user terminal 10. As described above, the detection unit 57 can reduce the processing load and improve the processing efficiency by using information registered in advance.

(About the search unit 58)
The search unit 58 searches for an external device having a function corresponding to the function detected by the detection unit 57. For example, when the detecting unit 57 detects an insufficient function in the user terminal 10 that communicates with the authentication server 100 by the detecting unit 57, the searching unit 58 acts as a proxy for the detected function. Search for an external device.

  The search unit 58 may search for an external device with reference to information stored in the terminal information storage unit 53 and the user information storage unit 54, or may use an external device using a predetermined crawl function for searching the network. You may search for a device. For example, the search unit 58 is a proxy terminal 30 that is a terminal other than the user terminal 10 owned by the user, or a terminal owned by a person related to the user (for example, a family member or friend) as an external device acting as the proxy for the user terminal 10. A certain friend terminal 35, a store terminal 40 installed in a store operated by a predetermined business operator, a cloud server 45 on a cloud that can be used via a network, and the like are searched. As described above, the search unit 58 may search for various external devices and procure available authenticator functions and generation means.

(Providing unit 59)
The providing unit 59 provides a function corresponding to the function detected by the detecting unit 57 to the user terminal 10 that transmits the authentication result information to the authentication server 100. That is, the providing unit 59 obtains information regarding the functions used in communication with the authentication server 100 detected by the detecting unit 57, and provides these functions to the user terminal 10 side. Specifically, the providing unit 59 provides the user terminal 10 with a function that is detected by the detecting unit 57 and that corresponds to the function that the user terminal 10 lacks.

  The providing unit 59 cooperates with the detecting unit 57 and the searching unit 58 to provide various functions so that the user terminal 10 can communicate with the authentication server 100 without any problem. For example, the providing unit 59 responds to the insufficient function when a function insufficient for communication with the authentication server 100 is detected according to the situation of the user terminal 10 at the time when communication is requested from the authentication server 100. To the user terminal 10 side. Further, when the user terminal 10 side requests the authentication server 100 to transmit authentication result information having a predetermined authentication strength, the providing unit 59 provides a function that satisfies the request to the user terminal 10 side.

  Further, the provision unit 59 appropriately uses information stored in the terminal information storage unit 53 or the user information storage unit 54 when providing the function. For example, if the providing unit 59 obtains information that there are a plurality of terminals owned by the user U01 to be authenticated, and the proxy terminal 30 having a generation unit is included in the terminal owned by the user U01, the proxy terminal 30 Is provided to the user terminal 10 side. As described above, the providing unit 59 may preferentially provide such a function when there is a function that can be used by the user to be authenticated.

  Further, the providing unit 59 provides an authenticator that authenticates the user U01 based on a predetermined condition when the user terminal 10 does not have an authenticator or when the terminal of the user terminal 10 cannot be used. Also good. For example, when the user terminal 10 receives an authentication request from the authentication server 100, the providing unit 59 refers to the required authentication reliability. For example, the authentication server 100 confirms that authentication performed by the user terminal 10 is performed by a highly reliable authenticator when the service to be used by the user terminal 10 requires high reliability for personal authentication. Can be sought. Specifically, the web server 200 that provides a settlement service or the like desires that highly reliable authentication is performed for the user U01 who uses the user terminal 10.

  In this case, the providing unit 59 selects an authenticator serving as a basis for generating authentication result information based on information related to the authenticity of the authenticator. Specifically, the providing unit 59 preferentially provides an authenticator having a reliability of “4” or higher to the user U01. For example, the user terminal 10 may display the fact on the display unit 13 and notify the user to that effect. As an example, the user terminal 10 notifies the user of the selected authenticator by displaying the message “Please authenticate via the store terminal 40” on the display corresponding to the display unit 13. At this time, the providing unit 59 provides a function by a highly reliable authenticator by, for example, establishing a connection between the user terminal 10 and the store terminal 40 and prompting the user terminal 10 to transmit a PIN code.

  The providing unit 59 may provide the user terminal 10 with the function detected by the detecting unit 57 in response to a request received from the user terminal 10. For example, the providing unit 59 receives from the user terminal 10 a request for using an external terminal or an external function that is more convenient than the user terminal 10 that the user is currently using. Then, the providing unit 59 provides the detected function to the user terminal 10 in response to the request received from the user terminal 10. Thus, the user can perform the authentication process by using the providing device 50 while using a desired function.

[5. Authentication server configuration]
Next, the configuration of the authentication server 100 according to the embodiment will be described with reference to FIG. FIG. 9 is a diagram illustrating a configuration example of the authentication server 100 according to the embodiment. As illustrated in FIG. 9, the authentication server 100 includes a communication unit 110, a storage unit 120, and a control unit 130. The authentication server 100 includes an input unit (for example, a keyboard and a mouse) that receives various operations from an administrator who uses the authentication server 100, and a display unit (for example, a liquid crystal display) for displaying various types of information. You may have.

(About the communication unit 110)
The communication unit 110 is realized by a NIC or the like, for example. The communication unit 110 is connected to the network N in a wired or wireless manner, and transmits and receives information to and from the user terminal 10 and the web server 200 via the network N. The communication unit 110 performs communication using a specific protocol with high safety when transmitting / receiving authentication result information to / from the user terminal 10.

(About the storage unit 120)
The storage unit 120 is realized by, for example, a semiconductor memory device such as a RAM or a flash memory, or a storage device such as a hard disk or an optical disk. The storage unit 120 includes a registration information storage unit 121.

(Registered information storage unit 121)
The registration information storage unit 121 stores information related to the authentication device registered in the authentication server 100. Here, FIG. 10 illustrates an example of the registration information storage unit 121 according to the embodiment. FIG. 10 is a diagram illustrating an example of the registration information storage unit 121 according to the embodiment. In the example illustrated in FIG. 10, the registration information storage unit 121 includes “communication destination information”, “authenticator ID”, “type”, “registration data”, “authentication user”, “trust”, and “public key”. It has items such as.

  “Communication destination information” indicates a communication destination where the authenticator is located. The communication destination is, for example, a terminal device or a server device. Specifically, information for identifying the proxy terminal 30 that is a terminal device capable of communicating with the authentication server 100 is stored in the item of communication destination information.

  Each item of “authenticator ID”, “type”, “registration data”, “authenticated user”, and “reliability” corresponds to the item described in FIG. The “public key” is key information transmitted from the authenticator when registering the authenticator, and indicates a key that is paired with a secret key issued simultaneously. Since the public key is issued for each registration data, it is stored in association with the registration data.

  That is, in FIG. 10, in the “proxy terminal 30” that is the communication destination, the registered authenticators are “A31” and “A32”, and the respective authentication types are “iris” and “voiceprint”. The respective registration data are “B31” and “B32”, both of which are for authenticating the user “U01”, and the reliability of each authenticator is “4” and “3”, respectively. The public keys are “K312” and “K322”. In this example, in other words, in the iris authenticator A31, when the user U01 authenticates and collates with the registration data B31, and the authentication result information is generated using the result, the authentication server 100 This indicates that the authentication result information is verified using the public key “K312”.

(About the control unit 130)
The control unit 130 is realized by, for example, a CPU, an MPU, or the like executing various programs (corresponding to an example of a generation program) stored in a storage device inside the authentication server 100 using the RAM as a work area. The control unit 130 is realized by an integrated circuit such as an ASIC or FPGA, for example.

  As illustrated in FIG. 9, the control unit 130 includes a reception unit 131, a registration unit 132, an analysis unit 133, and a transmission unit 134, and realizes or executes information processing functions and operations described below. . Note that the internal configuration of the control unit 130 is not limited to the configuration illustrated in FIG. 9, and may be another configuration as long as information processing described later is performed. Further, the connection relationship between the processing units included in the control unit 130 is not limited to the connection relationship illustrated in FIG. 9, and may be another connection relationship.

(About the receiver 131)
The receiving unit 131 receives various information. For example, the receiving unit 131 receives a request for registration of an authenticator from a device that desires authentication in the authentication server 100. In addition, for example, when the user terminal 10 accesses the web server 200 and the service provided by the access destination web server 200 requests the user terminal 10 to authenticate, the receiving unit 131 sends the authentication request from the web server 200. Receive. In this case, in response to the authentication request received by the reception unit 131, the transmission unit 134, which will be described later, transmits a notification that the user terminal 10 performs authentication. In addition, the receiving unit 131 receives authentication result information that is information generated based on a locally performed authentication result in the authentication process. The receiving unit 131 transmits / receives authentication result information to / from the user terminal 10 using a specific protocol defined by the authentication server 100.

(Registration unit 132)
The registration unit 132 registers information related to the authentication device. For example, the registration unit 132 registers the authenticator included in the terminal device that has requested registration based on the information received by the reception unit 131. The registration unit 132 stores the registered information in the registration information storage unit 121.

  In addition, the registration unit 132 stores the public key in association with the registration data among the public key and the secret key that are paired between the authentication server 100 and the registration data of the authenticator. When analyzing the authentication result information, the analysis unit 133 refers to the public key registered by the registration unit 132 and verifies the authentication result information. The registration unit 132 manages the authenticity of the authenticator. For example, the registration unit 132 is stored in the registration information storage unit 121 by referring to a terminal device that requests authentication from the authentication server 100 or an authentication device used by the providing device 50 and determining the reliability of each authentication device. Update the authenticator's reliability value. For example, the registration unit 132 updates the authenticity of the authenticator according to the setting by the administrator of the authentication server 100. In addition, when the authentication process is repeated, the registration unit 132 may update the authenticity of the authenticator through a learning process. For example, when it is observed that authentication for a specific user by a predetermined authenticator is repeated and authentication is performed without a problem with a certain number or more, the registration unit 132 increases the reliability of the authenticator. Updates may be made.

  Note that the authentication device registered by the registration unit 132 is not limited to a terminal device used by a user who requests authentication processing. For example, the authentication device provided in the store terminal 40 or the cloud server 45 used by a plurality of users. It may be. In this case, for example, the registration unit 132 accepts registration of a public key for each user who has registered registration data in an authenticator provided in the store terminal 40.

(About the analysis unit 133)
The analysis unit 133 analyzes the authentication result information. Specifically, the analysis unit 133 analyzes the authentication result information transmitted from the user terminal 10 and specifies a user to be authenticated based on the authentication result information. At this time, the analysis unit 133 verifies the authentication result information using the public key corresponding to the authenticator that is the generation source of the authentication result information via the registration unit 132.

  And the analysis part 133 recognizes the authentication result information transmitted from the user terminal 10 as regular authentication information, when verification by the public key corresponding to the private key at the time of the authentication result information being generated is confirmed. Then, the analysis unit 133 sends information indicating that the authentication result information has been authenticated to the transmission unit 134 and causes the user terminal 10 (or the web server 200) to transmit the information.

  The analysis unit 133 may not recognize the identity of the user indicated by the authentication result information when the authenticator that generated the authentication result information is a device that is less reliable than a predetermined standard. . For example, when the authentication unit that generated the authentication result information is not stored in the registration information storage unit 121 managed by the registration unit 132 or the reliability value of the generation source authentication unit is particularly low, the analysis unit 133 May not recognize the identity of the user indicated by the authentication result information.

(About the transmitter 134)
The transmission unit 134 transmits various types of information. For example, when it is requested to authenticate the identity of the user who uses the user terminal 10 when using the service, the transmission unit 134 transmits information indicating that authentication is requested to the user terminal 10. In addition, the transmission unit 134 transmits information signed with the public key by the analysis unit 133 that has analyzed the authentication result information to the user terminal 10 or the web server 200.

[6. Processing procedure)
[6-1. Processing procedure of providing device
Next, a processing procedure performed by the providing apparatus 50 according to the embodiment will be described with reference to FIG. FIG. 11 is a flowchart illustrating a providing process procedure according to the embodiment.

  As illustrated in FIG. 11, the providing apparatus 50 determines whether access has been received from a terminal such as the user terminal 10 (step S101). Providing device 50 waits until it accepts access when it has not accepted access (step S101; No).

  On the other hand, when access is accepted (step S101; Yes), the providing apparatus 50 acquires information about the terminal (step S102). In addition, about the information, such as a function structure of a terminal, the provision apparatus 50 may receive registration from a terminal in advance.

  The providing apparatus 50 detects a function that is insufficient in communication with the authentication server 100 with respect to the accessed terminal (step S103). Then, the providing device 50 procures the detected insufficient function (step S104).

  Then, the providing device 50 provides the procured function to the terminal side (step S105). Accordingly, the terminal can communicate with the authentication server 100 and can receive authentication from the authentication server 100.

[6-2. Processing procedure of authentication processing system)
Next, a processing procedure performed by the authentication processing system 1 according to the embodiment will be described with reference to FIG. FIG. 12 is a sequence diagram illustrating an authentication processing procedure according to the embodiment.

  First, the user terminal 10 requests the web server 200 to use a service (step S201). In response to the service use request, the web server 200 requests the authentication server 100 to authenticate the user terminal 10 (step S202).

  In response to the request from the web server 200, the authentication server 100 requests the user terminal 10 for authentication using a specified authentication method (step S203). Therefore, the user terminal 10 that cannot complete the authentication process for the authentication server 100 alone accesses the providing device 50 and provides its own terminal information (step S204).

  The providing device 50 detects a function that is insufficient for communication with the authentication server 100 for the user terminal 10 that has received access. Also, the providing device 50 procures a function corresponding to the detected function (step S205).

  Then, the providing device 50 provides the procured function to the user terminal 10 (Step S206). And the user terminal 10 authenticates locally using the function provided from the provision apparatus 50, and produces | generates the authentication result information based on this result. Then, the user terminal 10 transmits authentication result information in accordance with a method requested from the authentication server 100 (step S207).

  The authentication server 100 analyzes the authentication result information transmitted from the user terminal 10 (step S208). Specifically, the authentication server 100 verifies the authentication result information using the corresponding public key. Then, the authentication server 100 completes the user authentication process when the authentication result information is verified. Then, the authentication server 100 notifies the web server 200 of the result of the personal authentication indicating that the user has been authenticated (step S209).

  Based on the notified information, the web server 200 permits the use of the service for the requested service on the assumption that the user authentication of the user using the user terminal 10 is guaranteed (step S210).

[7. (Modification)
The providing process by the providing device 50 described above may be implemented in various different forms other than the above embodiment. Therefore, in the following, another embodiment of the providing device 50 will be described.

[7-1. Form of providing device]
In the embodiment described above, the providing apparatus 50 has been described as an example in which the providing process is performed as an independent information processing apparatus. However, the providing device 50 may be realized in various forms. For example, the providing device 50 may be realized as an IC chip embedded in the user terminal 10. The providing device 50 may be realized as a program (application) in which the functions of the communication unit 51 and the control unit 55 are integrated. When the providing device 50 is an application, the application is executed by being installed in the user terminal 10 in accordance with a user operation. In this case, the storage unit 52 is realized by using a predetermined storage area of the user terminal 10 or the like.

[7-2. Operation of authentication processing system)
In the above-described embodiment, the providing apparatus 50 searches for a predetermined external apparatus such as the proxy terminal 30 and procures a function used for the authentication process. Here, the providing device 50 may detect and procure the function of each device by using a predetermined application for each device included in the authentication processing system 1.

  That is, a common application provided by an administrator (for example, a provider providing a predetermined service) that manages the providing device 50 is installed in the user terminal 10, the proxy terminal 30, the friend terminal 35, and the like. Shall be. For example, the providing device 50 controls the application so that the proxy terminal 30 and the friend terminal 35 have functions that are insufficient in the user terminal 10 and functions that can supplement the user terminal 10. Get information about. Further, the providing device 50 provides the user terminal 10 with the functions of the proxy terminal 30 and the friend terminal 35 via the application. In this way, by installing a common application in each device included in the authentication processing system 1, the providing device 50 can quickly and accurately realize the processing described in the above embodiment.

[7-3. (Multi-factor authentication)
In the above-described embodiment, it is shown that some functions are represented in the communication to the authentication server 100 performed by the user terminal 10 by providing the function to the user terminal 10 by the providing device 50. Here, the providing device 50 may adopt multi-factor authentication in order to increase the security of the authentication process when the process to be originally performed is represented.

  For example, when the authentication process provided by the cloud server 45 is used as a proxy for the authentication process on the user terminal 10 side, the providing device 50 does not perform authentication using one piece of biometric information, but performs authentication using a combination of other elements. It may be done. For example, it is assumed that fingerprint data is transmitted from the user terminal 10 to the cloud server 45 and authentication is performed based on the fingerprint data. In this case, when the providing device 50 provides the function of the authenticator of the cloud server 45, for example, the condition of the line to the cloud server 45 is set. For example, the providing device 50 employs line authentication such as allowing only a line provided by the line providing company C01 for communication from the user terminal 10 to the cloud server 45 as one element. In this case, even if the fingerprint data is transmitted via a different line, the cloud server 45 cannot regard the data as valid. In this way, by limiting the lines assumed to be used by the user terminal 10, the providing apparatus 50 can prevent misuse of the authentication process due to impersonation of a third party or the like. The example of multi-factor authentication is not limited to the above, and can be performed by combining the authentication means by the authenticator described in the above embodiment, a service ID, and the like (for example, the cloud server 45 includes a service ID together with fingerprint data) May be requested, and the user authentication may be performed based on the information).

[7-4. station〕
The store terminal 40 and the cloud server 45 described in the above embodiment may be realized in different forms. For example, the store terminal 40 and the cloud server 45 may be realized in the form of an authentication station installed at a predetermined location such as in a town. In this case, the providing apparatus 50 notifies the user U01 using the user terminal 10 of the location of the authentication station when the function for the user terminal 10 to receive authentication by the authentication server 100 is insufficient. In the form, a function used for authentication may be provided. The user U01 is authenticated by the authentication server 100 by using the authentication station and proxying the function that the user terminal 10 lacks. For example, when the user terminal 10 is not equipped with an authentication device, the authentication station acts as a function of the authentication device and a process of attaching a signature to the authentication result and transmitting it to the authentication server 100. The providing device 50 may request the user U01 to pre-register the user U01 with the authentication station or input an ID used to use the authentication station, for the user authentication of the user U01.

[7-5. Function detection)
In the above embodiment, the providing apparatus 50 has shown an example in which a function is detected or a function is provided to the user terminal 10 based on reliability corresponding to a function that can be used by the user. Here, the providing device 50 may provide a function based on an index value other than reliability.

  For example, the providing device 50 may select a function to be provided to the user terminal 10 using the cost for providing the function as an index value. The cost for providing a function refers to, for example, the time and effort required for the user to use the function. In other words, the providing device 50 can perform a providing process that is highly convenient for the user by preferentially providing functions that are easy for the user to use.

  For example, the providing device 50 determines which one of the detected external devices having the detected function is convenient for the user. In this case, the providing device 50 provides a function that is more easily used by the user of the user terminal 10 by acquiring the position information of the user terminal 10 and the position information of the external device having the detected function. For example, the providing apparatus 50 may register information related to the store provided with the store terminal 40 in the storage unit 52 and acquire the information. Even if the providing device 50 is an external device or the like that has not been registered by the registration unit 56, the providing device 50 may search the network by using a predetermined crawl function and acquire the position information of the external device. The providing device 50 may specify position information of the user terminal 10 and the external device using a GPS (Global Positioning System) system or the like.

  Thus, the providing device 50 may provide the detected function to the user terminal 10 based on the procurement cost corresponding to the function that can be used by the user. Accordingly, the providing device 50 can present an external device that is assumed to be easier to use to the user and prompt the user to use the external device.

[7-6. Configuration of each device]
In the above embodiment, the configuration examples of the user terminal 10, the providing device 50, and the authentication server 100 have been described with reference to FIGS. However, each device included in the authentication processing system 1 does not necessarily have to be realized by the exemplified configuration. For example, the user terminal 10 does not necessarily include all the processing units illustrated in FIG. That is, the user terminal 10 does not necessarily include the display unit 13 and the authentication unit 14 inside. Further, the user terminal 10 may be separated into two or more devices to realize the configuration illustrated in FIG. For example, the user terminal 10 includes two or more devices having a configuration in which an authentication device having at least the authentication unit 14 and the authentication control unit 17 and a communication device having at least the communication unit 11 and the transmission unit 18 are separated. May be realized.

[8. Hardware configuration)
The user terminal 10, the providing device 50, and the authentication server 100 according to the above-described embodiments are realized by a computer 1000 having a configuration as illustrated in FIG. Hereinafter, the providing apparatus 50 will be described as an example. FIG. 13 is a hardware configuration diagram illustrating an example of a computer 1000 that implements the functions of the providing device 50. The computer 1000 includes a CPU 1100, RAM 1200, ROM 1300, HDD 1400, communication interface (I / F) 1500, input / output interface (I / F) 1600, and media interface (I / F) 1700.

  The CPU 1100 operates based on a program stored in the ROM 1300 or the HDD 1400 and controls each unit. The ROM 1300 stores a boot program executed by the CPU 1100 when the computer 1000 is started up, a program depending on the hardware of the computer 1000, and the like.

  The HDD 1400 stores a program executed by the CPU 1100, data used by the program, and the like. The communication interface 1500 receives data from other devices via the communication network 500 (corresponding to the network N shown in FIG. 4), sends the data to the CPU 1100, and transmits the data generated by the CPU 1100 to the other devices via the communication network 500. Send to device.

  The CPU 1100 controls an output device such as a display and a printer and an input device such as a keyboard and a mouse via the input / output interface 1600. The CPU 1100 acquires data from the input device via the input / output interface 1600. Further, the CPU 1100 outputs the data generated via the input / output interface 1600 to the output device.

  The media interface 1700 reads a program or data stored in the recording medium 1800 and provides it to the CPU 1100 via the RAM 1200. The CPU 1100 loads such a program from the recording medium 1800 onto the RAM 1200 via the media interface 1700, and executes the loaded program. The recording medium 1800 is, for example, an optical recording medium such as a DVD (Digital Versatile Disc) or PD (Phase change rewritable disk), a magneto-optical recording medium such as an MO (Magneto-Optical disk), a tape medium, a magnetic recording medium, or a semiconductor memory. Etc.

  For example, when the computer 1000 functions as the providing device 50 according to the embodiment, the CPU 1100 of the computer 1000 implements the function of the control unit 55 by executing a program loaded on the RAM 1200. The HDD 1400 stores data in the storage unit 52. The CPU 1100 of the computer 1000 reads these programs from the recording medium 1800 and executes them, but as another example, these programs may be acquired from other devices via the communication network 500.

[9. Others]
In addition, among the processes described in the above embodiment, all or part of the processes described as being automatically performed can be performed manually, or the processes described as being performed manually can be performed. All or a part can be automatically performed by a known method. In addition, the processing procedures, specific names, and information including various data and parameters shown in the document and drawings can be arbitrarily changed unless otherwise specified. For example, the various types of information illustrated in each drawing is not limited to the illustrated information.

  Further, each component of each illustrated apparatus is functionally conceptual, and does not necessarily need to be physically configured as illustrated. In other words, the specific form of distribution / integration of each device is not limited to that shown in the figure, and all or a part thereof may be functionally or physically distributed or arbitrarily distributed in arbitrary units according to various loads or usage conditions. Can be integrated and configured. For example, the registration unit 56 and the detection unit 57 illustrated in FIG. 6 may be integrated. Further, for example, information stored in the storage unit 52 may be stored in a storage device provided outside via the network N.

  In addition, the above-described embodiments and modifications can be combined as appropriate within a range that does not contradict processing contents.

[10. effect〕
As described above, the providing device 50 according to the embodiment includes the detection unit 57 and the providing unit 59. The detection unit 57 is information generated by attaching a signature using a predetermined secret key to an authentication result by an authenticator that performs user authentication, and is information processed in a specific authentication procedure. By verifying the signature of the authentication result information, a function that the user terminal 10 used by the user does not have is detected among the functions used in communication with the authentication server that authenticates the identity of the user. The providing unit 59 provides the function detected by the detecting unit 57 to the user terminal 10 used by the user.

  As described above, the providing device 50 according to the embodiment detects a function used for communication with the authentication server 100 and provides the detected function to the user terminal 10. As a result, the providing device 50 can satisfy the functions required by the authentication server 100 without changing the configuration of the user terminal 10 or provide the functions that are highly convenient for the user. Thus, authentication processing can be performed. That is, according to the providing device 50, it is possible to flexibly cope with an authentication request required from the authentication server 100.

  The providing unit 59 provides the user terminal 10 with the function detected by the detecting unit 57 in response to a request received from the user terminal 10.

  That is, the providing device 50 according to the embodiment can provide the detected function to the user terminal 10 in response to a user request. Accordingly, the user can use an external terminal or an external function that is easier to use, for example. As described above, the providing device 50 can improve usability in the authentication process.

  Further, the detection unit 57 detects a function used for communication with the authentication server 100 according to the situation of the user terminal 10 at the time when communication is requested from the authentication server 100.

  That is, the providing device 50 according to the embodiment provides a function required by the user terminal 10 based on a situation where the user terminal 10 is placed. As described above, the providing device 50 can perform dynamic processing according to the situation, and thus can cope with flexible authentication processing.

  Further, the detection unit 57 detects a function that is insufficient for communication with the authentication server 100 when the user terminal 10 used by the user transmits the authentication result information to the authentication server 100. The providing unit 59 provides a function corresponding to the insufficient function detected by the detecting unit 57 to the user terminal 10 side.

  As described above, the providing device 50 according to the embodiment provides a predetermined proxy function even when the user terminal 10 itself cannot generate information corresponding to a specific protocol, thereby providing a connection with the authentication server 100. Information that can be communicated between each other can be generated. As described above, according to the providing device 50, it is possible to cause the user terminal 10 that cannot perform authentication processing with the authentication server 100 alone to perform authentication processing.

  The detection unit 57 detects a function used to generate authentication result information that satisfies the authentication strength required from the authentication server 100. The providing unit 59 provides a function for the user terminal 10 to generate authentication result information that satisfies the authentication strength required from the authentication server 100.

  As described above, the providing device 50 according to the embodiment adjusts the function provided to the user terminal 10 in response to a request from the authentication server 100. In other words, the providing device 50 can provide a function for performing authentication processing with the authentication strength corresponding to each of the various services that require personal authentication when a service corresponding to each authentication strength is provided. .

  The providing device 50 according to the embodiment includes a user terminal 10 used by a user and a registration unit 56 that registers information about the user. The detection unit 57 detects a function used for communication with the authentication server 100 when the user terminal 10 transmits the authentication result information to the authentication server 100 based on the information registered by the registration unit 56. The providing unit 59 provides the function detected by the detecting unit 57 to the user terminal 10 side.

  As described above, the providing device 50 according to the embodiment accepts registration of information related to the user terminal 10 and the like in advance. And the provision apparatus 50 can provide the function which the user terminal 10 requires quickly and correctly by detecting and providing a function based on the registered information.

  The registration unit 56 registers information related to a plurality of terminal devices used by the user or information related to terminal devices used by a user trusted by the user. The providing unit 59 provides the function detected by the detecting unit 57 to the user terminal 10 using any of the terminal devices registered by the registering unit 56.

  As described above, the providing device 50 according to the embodiment includes, among registered information, a user terminal that has a function possessed by a terminal owned by the same user, a terminal owned by a trusted user associated with the user, or the like Provided on the 10th side. Thereby, the user who uses the user terminal 10 can receive provision of an easy-to-use function. That is, the providing device 50 can perform a providing process with excellent usability.

  In addition, the registration unit 56 registers the reliability corresponding to the function that can be used by the user. The providing unit 59 provides the function detected by the detecting unit 57 to the user terminal 10 side based on the reliability registered by the registration unit 56.

  As described above, the providing apparatus 50 according to the embodiment accepts registration of authenticity of the authenticator related to authentication performed locally. Thereby, when providing the function, the providing apparatus 50 can perform adjustment such as providing a more reliable function of the authenticator and performing highly secure authentication.

  The providing device 50 according to the embodiment further includes a search unit 58 that searches for an external device having a function corresponding to the function detected by the detection unit 57. The providing unit 59 provides the function corresponding to the function detected by the detecting unit 57 to the user terminal 10 side by using the external device searched by the searching unit 58.

  As described above, the providing device 50 according to the embodiment can provide a function to the user terminal 10 by searching not only the registered information but also the external device itself. As a result, the providing device 50 can procure a wide range of functions via, for example, a network, and can respond to various authentication processing requests more flexibly.

  Moreover, the search part 58 is a terminal device (For example, the proxy terminal 30) other than the user terminal 10 which a user owns as an external device, and the terminal device (for example, a family and a friend) which a user concerned (for example, a family and a friend) owns. In the embodiment, a friend terminal 35), a terminal device (store terminal 40 in the embodiment) installed in a store operated by a predetermined operator, a predetermined server on the cloud that can be used via the network (implementation) In the example, one of the cloud servers 45) is searched. The providing unit 59 provides the user terminal 10 with the function of any of the external devices searched by the searching unit 58.

  As described above, the providing device 50 according to the embodiment searches for a terminal device used by another person, a server on the cloud, and the like as an example of the external device. In other words, the providing device 50 can provide a function of an external device that is easy for the user to access, and thus can provide a function that is convenient for the user.

  As described above, some of the embodiments of the present application have been described in detail with reference to the drawings. However, these are merely examples, and various modifications, including the aspects described in the disclosure section of the invention, based on the knowledge of those skilled in the art, It is possible to implement the present invention in other forms with improvements.

  In addition, the “section (module, unit)” described above can be read as “means” or “circuit”. For example, the generation unit can be read as generation means or a generation circuit.

DESCRIPTION OF SYMBOLS 1 Authentication processing system 10 User terminal 20 Client 30 Proxy terminal 35 Friend terminal 40 Shop terminal 45 Cloud server 50 Providing device 51 Communication part 52 Storage part 53 Terminal information storage part 54 User information storage part 55 Control part 56 Registration part 57 Detection part 58 Search unit 59 Providing unit 100 Authentication server 200 Web server

Claims (16)

Information generated by attaching a signature using a predetermined key to an authentication result by an authenticator that performs user authentication, and authentication information information that is processed in a specific authentication procedure is signed. Among the functions used in communication with the authentication server that authenticates the identity of the user by verifying, a detection unit that detects a function that the terminal device used by the user does not have,
A search unit for searching for an external device having a function detected by the detection unit or a function corresponding to the function detected by the detection unit;
Among the external devices searched by the search unit, the function detected by the detection unit via one external device determined based on the location information of the terminal device and the location information of the external device, or A providing unit that provides the terminal device with a function corresponding to the function detected by the detecting unit;
A providing device comprising: Information generated by attaching a signature using a predetermined key to an authentication result by an authenticator that performs user authentication, and authentication information information that is processed in a specific authentication procedure is signed. Among the functions used in communication with the authentication server that authenticates the identity of the user by verifying, a detection unit that detects a function that the terminal device used by the user does not have,
A search unit for searching for an external device installed at a predetermined position, which is an external device having a function detected by the detection unit or a function corresponding to the function detected by the detection unit;
The position information indicating the position where the external device searched by the search unit is installed is presented to the terminal device, and the function detected by the detection unit or detected by the detection unit via the external device. A providing unit that provides the terminal device with a function corresponding to the function performed;
A providing device comprising: The providing unit includes:
In response to a request received from the terminal device, the function detected by the detection unit is provided to the terminal device.
The providing apparatus according to claim 1, wherein: The detector is
According to the state of the terminal device at the time when communication is requested from the authentication server, a function that the terminal device does not have is detected.
The providing device according to any one of claims 1 to 3. The detector is
Among the functions imposed in communication between the terminal device and the authentication server, detect a function that is insufficient for the terminal device,
The providing unit includes:
Providing the terminal device with a function corresponding to the deficient function detected by the detection unit;
The providing apparatus according to any one of claims 1 to 4, wherein The detector is
Detecting a function used to generate the authentication result information that satisfies the authentication strength required from the authentication server,
The providing unit includes:
Providing the terminal device with a function for generating the authentication result information that satisfies the authentication strength required by the authentication server from the terminal device;
The providing device according to any one of claims 1 to 5, wherein A terminal unit used by the user, and a registration unit for registering information on the user,
Further comprising
The detector is
Based on the information registered by the registration unit, detect the function that the terminal device does not have,
The providing unit includes:
Providing the terminal device with the function detected by the detection unit;
The providing apparatus according to any one of claims 1 to 6. The registration unit
Register information on a plurality of terminal devices used by the user, or information on terminal devices used by a user trusted by the user,
The providing unit includes:
Using any of the terminal devices registered by the registration unit, the function detected by the detection unit is provided to the terminal device.
The providing device according to claim 7. The registration unit
Register the reliability corresponding to the functions available to the user,
The providing unit includes:
Providing the terminal device with the function detected by the detection unit based on the reliability registered by the registration unit;
The providing device according to claim 7 or 8, wherein The search unit
As the external device, another terminal device used by the user, a terminal device used by a person concerned with the user, a terminal device installed in a store operated by a predetermined operator, a cloud usable via a network Search for at least one of the given servers above,
The providing unit includes:
Providing the terminal device with the function of any of the external devices searched by the search unit;
The providing device according to any one of claims 1 to 9, wherein A providing method executed by a computer,
Information generated by attaching a signature using a predetermined key to an authentication result by an authenticator that performs user authentication, and authentication information information that is processed in a specific authentication procedure is signed. Among the functions used in communication with an authentication server that authenticates the identity of the user by verifying, a detection step of detecting a function that the terminal device used by the user does not have,
A search step for searching for an external device having a function detected by the detection step or a function corresponding to the function detected by the detection step;
Among the external devices searched by the search step, the function detected by the detection step via one external device determined based on the location information of the terminal device and the location information of the external device, or A providing step of providing the terminal device with a function corresponding to the function detected by the detecting step;
The providing method characterized by including. Information generated by attaching a signature using a predetermined key to an authentication result by an authenticator that performs user authentication, and authentication information information that is processed in a specific authentication procedure is signed. Among the functions used in communication with the authentication server that authenticates the identity of the user by verifying, a detection procedure for detecting a function that the terminal device used by the user does not have,
A search procedure for searching for an external device having a function detected by the detection procedure or a function corresponding to the function detected by the detection procedure;
Among the external devices searched for by the search procedure, the function detected by the detection procedure via one external device determined based on the location information of the terminal device and the location information of the external device, or Providing a function corresponding to the function detected by the detection procedure to the terminal device;
A program for causing a computer to execute. An authentication processing system including a providing device, a terminal device, and an authentication server,
The providing device includes:
Information generated by attaching a signature using a predetermined key to an authentication result by an authenticator that performs user authentication, and authentication information information that is processed in a specific authentication procedure is signed. Among the functions used in communication with the authentication server that authenticates the identity of the user by verifying, a detection unit that detects a function that the terminal device used by the user does not have,
A search unit for searching for an external device having a function detected by the detection unit or a function corresponding to the function detected by the detection unit;
Among the external devices searched by the search unit, the function detected by the detection unit via one external device determined based on the location information of the terminal device and the location information of the external device, or A providing unit that provides the terminal device with a function corresponding to the function detected by the detecting unit;
The terminal device
An authentication control unit for controlling an authentication process for the authentication server by using a function provided by the providing device;
An authentication processing system comprising: A providing method executed by a computer,
Information generated by attaching a signature using a predetermined key to an authentication result by an authenticator that performs user authentication, and authentication information information that is processed in a specific authentication procedure is signed. Among the functions used in communication with an authentication server that authenticates the identity of the user by verifying, a detection step of detecting a function that the terminal device used by the user does not have,
A search step for searching for an external device installed at a predetermined position, which is an external device having a function corresponding to the function detected by the detection step or the function detected by the detection step;
The position information indicating the position where the external device searched in the search step is installed is presented to the terminal device, and the function detected by the detection step or detected by the detection step via the external device. Providing the terminal device with a function corresponding to the function performed,
The providing method characterized by including. Information generated by attaching a signature using a predetermined key to an authentication result by an authenticator that performs user authentication, and authentication information information that is processed in a specific authentication procedure is signed. Among the functions used in communication with the authentication server that authenticates the identity of the user by verifying, a detection procedure for detecting a function that the terminal device used by the user does not have,
A search procedure for searching for an external device installed at a predetermined position, which is an external device having a function detected by the detection procedure or a function corresponding to the function detected by the detection procedure,
The position information indicating the position where the external device searched by the search procedure is installed is presented to the terminal device, and the function detected by the detection procedure or the detection procedure is detected via the external device. A provision procedure for providing the terminal device with a function corresponding to the function performed;
A program for causing a computer to execute. An authentication processing system including a providing device, a terminal device, and an authentication server,
The providing device includes:
Information generated by attaching a signature using a predetermined key to an authentication result by an authenticator that performs user authentication, and authentication information information that is processed in a specific authentication procedure is signed. Among the functions used in communication with the authentication server that authenticates the identity of the user by verifying, a detection unit that detects a function that the terminal device used by the user does not have,
A search unit for searching for an external device installed at a predetermined position, which is an external device having a function detected by the detection unit or a function corresponding to the function detected by the detection unit;
The position information indicating the position where the external device searched by the search unit is installed is presented to the terminal device, and the function detected by the detection unit or detected by the detection unit via the external device. A providing unit that provides the terminal device with a function corresponding to the function performed,
The terminal device
An authentication control unit for controlling an authentication process for the authentication server by using a function provided by the providing device;
An authentication processing system comprising:

Images