JP6897977B2 - Authentication system and its method, and its program - Google Patents

Description

The present invention relates to an authentication system and a method thereof, and a program thereof, and particularly relates to authentication of terminals and users connected via a network.

It is common practice to connect terminals such as personal computers, smartphones, and tablets to target sites and servers via networks to acquire content and use applications. Information such as content to be accessed includes highly secure information such as personal information and confidential information. Therefore, security protection is achieved by denying network connection to requests from unauthorized users such as terminals and spoofing that do not have access authority.

As a user authentication technique for confirming a legitimate user, a method of inputting a password from a user's terminal and verifying the match is common. Further, as a user authentication for enhancing security, for example, as disclosed in Patent Document 1, a composite authentication system that authenticates by combining biometric information such as a user's fingerprint, face, handwriting, and iris is known. Further, as disclosed in Patent Document 1, both the terminal and the user are authenticated by the double authentication by the authentication of the terminal and the personal authentication of the user of the terminal, and the communication network of the terminal. Multiple authentication systems to communication networks are known that issue permissions for.

Japanese Unexamined Patent Publication No. 2003-186836 Japanese Unexamined Patent Publication No. 2014-164359

The techniques described in Patent Documents 1 and 2 can certainly enhance the security as compared with the verification of only the password. On the other hand, there are various terminals used by users, such as those having advanced functions and those with vulnerable security measures, and the environments in which these terminals are used are also various. Furthermore, there are various functions of security measures required by the user. In order to meet the demands of these various security measures, it cannot be said that the security measures described in Patent Documents 1 and 2 are sufficient. Furthermore, the authentication function tends to become more complicated in response to the demand for further strengthening of security, and the cost tends to increase accordingly.

An object of the present invention is to provide an authentication system, a method thereof, and a program capable of taking security measures in response to various environments in which terminals are used and various requests of users who have connection requests via a network. To provide.

Another object of the present invention is to keep the cost for authentication as low as possible so that the operation of authentication is not complicated.

Furthermore, an object of the present invention is to improve the convenience of the user by simplifying the authentication procedure as much as possible for the genuine user.

The authentication system according to the present invention is, in a preferred example, an authentication system in which an authentication server authenticates an access request from a plurality of terminals through a network, and the authentication server is an authentication control unit that controls the authentication. And a storage unit that stores an authentication management table that registers a plurality of authentication sets composed of one or a combination of a plurality of different authentication methods, and the authentication control unit receives an access request from the terminal. If there is, it is characterized in that the authentication set related to the access request is selected with reference to the authentication management table, and authentication is performed based on the authentication method included in the selected set. It is configured as an authentication system.
The present invention is also understood as an authentication method and an authentication program performed by the authentication system.

According to the present invention, security measures can be taken according to various environments in which the terminal is used and various requests of the user who have a connection request via the network. In addition, the cost for authentication can be suppressed as much as possible so that the operation of authentication is not complicated. In addition, it is possible to improve the convenience of the user by simplifying the authentication procedure as much as possible for the genuine user.

It is a figure which shows the configuration example of an authentication system. It is a figure which shows the example of the access permission DB. It is a figure which shows the example of the account authentication DB. It is a figure which shows the example of the authentication method adopted for each type of user. It is a figure which shows the example of the initial registration DB. It is a sequence diagram which shows the processing procedure of the processing performed in the authentication system. It is a figure which shows the example of the account ID input screen. It is a figure which shows the example of the session data. It is a figure which shows the example of the authentication error screen. It is a sequence diagram which shows the processing procedure of the terminal authentication processing. It is a sequence diagram which shows the processing procedure of the mobile terminal authentication process. It is a sequence diagram which shows the processing procedure of the device authentication processing. It is a figure which shows the example of the screen displayed on each PC and a terminal.

The authentication system according to the present invention, the method thereof, and the embodiment of the program will be described in detail with reference to the accompanying drawings.

[System configuration]
FIG. 1 is a diagram showing a configuration example of the authentication system 1000.
As shown in FIG. 1, the authentication system 1000 includes a user PC (Personal Computer) 100 for the user to obtain approval for use of the content, and a mobile terminal (for example, a smartphone) 110 for authenticating the user with the mobile terminal. , A device PC 120 for authenticating a user using a device (for example, USB (Universal Serial Bus)) and an authentication server 200 for authenticating a user using an authentication method according to the user are connected to each other via a network N1. Is connected and configured. The content server 300 is also connected to the network N1. The network N1 is, for example, a general communication network such as a WAN (Wide Area Network). Although FIG. 1 shows one user PC 100, one mobile terminal 110, and one device PC 120, a large number of these devices are actually connected.

As shown in FIG. 1, the user PC 100 includes an application unit 101, a display unit 102, a communication I / F (interface) unit 103, and a control unit 104.

When the application unit 101 receives a usage approval request from a user and is authenticated as a genuine user by using an authentication method corresponding to the user, the application unit 101 views or operates the content stored in the content server 300. The application to run.

The input display unit 102 is composed of, for example, an input / output device such as a touch panel, receives input of various information necessary for the authentication system from the user, and processes various information obtained via the network N1 by the application unit 101. Display the information and various screens used for authentication.

The communication unit I / F unit 103 is composed of, for example, a communication device such as a NIC (Network Interface Card), and controls transmission and reception of various information via the network N1.
The control unit 104 is composed of, for example, a processing device such as a CPU (Central Processing Unit), and controls the operation of each unit of the user PC 100.

Each of the above functions is realized by the control unit 104 executing a program. Specifically, the processing shown below is realized by the CPU reading a program stored in a ROM (Read Only Memory) (not shown), loading it into a RAM (Random access memory), and executing the program.

These programs may be downloaded from the network N1 via the communication unit I / F unit 103, loaded on the RAM, and executed by the CPU. Alternatively, it may be directly loaded onto the RAM from a computer-readable storage medium such as a CD (Compact Disk) or DVD (Digital Versatile Disk) and executed by the CPU. The specific operation of each part of the user PC 100 will be described later with reference to a sequence diagram and a flowchart.

As shown in FIG. 1, the mobile terminal 110 includes a mobile terminal authentication unit 111, an input display unit 112, a communication I / F (interface) unit 113, and a control unit 114.
The mobile terminal authentication unit 111 is an application that authenticates when the user authentication method for which usage approval is requested from the user PC 100 includes an authentication method using the mobile terminal 110 (mobile terminal authentication).

The input display unit 112 accepts input of various information for authentication, displays authentication results obtained via the network N1, and other various screens used in the present authentication system.

The communication unit I / F unit 113 controls the transmission and reception of various information via the network N1.

The control unit 114 is a processing device such as a CPU, and controls the operation of each unit of the mobile terminal 110.

Each of the above functions is realized by the control unit 114 executing the program. The specific operation of each part of the mobile terminal 110 will be described later with reference to a sequence diagram and a flowchart.

As shown in FIG. 1, the device PC 120 includes an application unit 121, a device authentication unit 122, an input display unit 123, a communication I / F (interface) unit 124, and a device I / F (interface) unit 125. And a control unit 126.

When the application unit 121 receives a content usage approval request from a user and is authenticated as a genuine user by using the authentication method corresponding to the user, the application unit 121 can view the content stored in the content server 300 or view the content. An application that performs an operation.

The device authentication unit 122 is an application that authenticates the user who has requested the usage approval when the authentication method includes an authentication method (device authentication) using the device PC 120.

The input display unit 123 accepts input of various information for authentication, displays authentication results obtained via the network N1, and other various screens used in the present authentication system.

The communication unit I / F unit 124 controls the transmission and reception of various information via the network N1.

The device unit I / F unit 125 is an interface device such as a USB board, and detects the insertion / removal of various devices such as USB.

The control unit 126 is a processing device such as a CPU, and controls the operation of each unit of the device PC 120.

Each of the above functions is realized by the control unit 126 executing the program. The specific operation of each part of the device PC 120 will be described later with reference to a sequence diagram and a flowchart.

The authentication server 200 is a server that selects a user authentication method according to the user account for which usage approval is requested from the user PC 100 or device PC 120, and authenticates the user by the selected authentication method.

As shown in FIG. 1, the authentication server 200 includes a storage unit 201, a communication unit 202, an authentication control unit 204, and a control unit 205. Further, the authentication control unit 204 includes a password authentication unit 2041 that authenticates by matching passwords, a terminal authentication unit 2042 that authenticates to identify a user by using a registered terminal (browser), and registered terminals. It has a mobile terminal authentication unit 2043 that authenticates to identify a user by possession of a mobile terminal, and a device authentication unit 2044 that authenticates to identify a user by possession of a registered device. There is.

The storage unit 201 is composed of a general storage device such as an HDD or SSD, and stores an account authentication DB (Data Base) 2011. The storage unit 201 has an access permission DB 2011 for confirming the authentication time zone of access by the user and a connection source of the usage approval request, and an account authentication DB 2012 for selecting an authentication method according to the account of the user who is permitted to access. It also has a user PC 100 used by the user for usage approval, a mobile terminal 110 used by the user for authentication, and an initial registration DB 2013 for registering the device PC 120. The specific configurations of the access permission DB 2011 (FIG. 2), the account authentication DB 2012 (FIG. 3), and the initial registration DB 2013 (FIG. 5) will be described later.

The communication unit 202 is, for example, a NIC or a modem, and controls the transmission and reception of various information via the network N1. The access control unit 203 receives an access request (use approval request) from the user PC 100 or the like and executes the process.

The authentication control unit 204 refers to the account authentication DB 2012, and depending on the user's account, a predetermined authentication method is selected from the password authentication unit 2041, the terminal authentication unit 2042, the mobile terminal authentication unit 2043, and the device authentication unit 2044. Select and execute.

The password authentication unit 2041 authenticates the user with the account ID and password.
The terminal authentication unit 2042 authenticates the user by terminal authentication.
The mobile terminal authentication unit 2043 authenticates the user by mobile terminal authentication.
The device authentication unit 2044 authenticates the user by device authentication.

The control unit 205 is a processing device such as a CPU, and controls the operation of each unit of the authentication server 200. The specific operation of each part of the authentication server 200 will be described later with reference to a sequence diagram and a flowchart. Each of the above functions is realized by the control unit 205 executing the program.

This authentication system employs four authentication methods, "password authentication", "terminal authentication", "mobile terminal authentication", and "device authentication", for user and / or terminal authentication.
Here, the password authentication authenticates the user by inputting a predetermined password. In that sense, it can be said to be the user authentication method by the simplest method. Further, the terminal authentication authenticates whether the terminal such as the user PC 100 or the device PC 120 is the same as the one registered in the authentication system in advance.

In the mobile terminal authentication, the user is authenticated by using a predetermined mobile terminal to check whether the usage environment such as the installation location and the usage time zone of the user PC 100 or the like is appropriate. Even when a plurality of users are in an environment where the user PC 100 is shared, the users can be authenticated. In this authentication method, the user is authenticated by using personal information such as biometric information and a password registered in advance in the mobile terminal. Since mobile terminals have a high penetration rate, many users carry out their business in a BYOD (Bring Your Own Device) environment. Therefore, by adopting "mobile terminal authentication", it is possible to easily authenticate the user himself / herself with less risk without registering personal information that only the user can know in the authentication server 200.

The device authentication is an authentication for confirming whether or not a device such as a USB mounted on the device PC 120 has device authentication information registered in advance in the initial registration DB 2013. By changing the device authentication information of the authentication device 130 provided for each user, the authentication device 130 possessed by each of the plurality of users can be attached to the device PC 120 to receive authentication. Therefore, it is possible to authenticate the user by a simple method without incurring a cost, and the device PC 120 can be shared by a plurality of users.

The content server 300 provides the requested content to the user PC 100 and the device PC 120 that the authentication server 200 has authenticated as authentic.

[Authentication management method]
FIG. 2 is a diagram showing an example of the access permission DB 2011. As shown in FIG. 2, in the access permission DB 2011, the connection source condition indicating the condition for permitting access from the IP address of the connection source and the time condition indicating the time zone for permitting access are associated with each other for each account. It is remembered. Since the IP address can be said to represent the location of the terminal having the IP address, the above connection condition can be referred to as a location condition.

In FIG. 2, for a user whose account ID is "E2", for example, when an access is made from a user PC 100 whose IP address is "192.168.0.0/24", it is permitted as a connection source condition. Which indicates that. Further, when the connection is in the working hours zone "9:00 to 17:00", it is shown that the connection is permitted as a time condition. That is, the user whose account ID is "E2" is not subjected to the user authentication process described later unless these connection source conditions and time conditions are permitted.

Further, for example, it is shown that the user whose account ID is "E2" is not permitted to access from the user PC 100 whose IP address is "192.168.20.0/24" regardless of the connection time. ing. Further, when the connection time is "0:00 to 5:00", which is the midnight time zone, it indicates that access is not permitted regardless of the IP address of the connection source. In this way, by confirming "who", "when", and "where" the usage approval request is made, the user who illegally accesses the authentication system 1000 is authenticated before each authentication unit performs the authentication process. In addition, it can be eliminated in advance.

FIG. 3 is a diagram showing an example of the account authentication DB 2012. As shown in FIG. 3, the account authentication DB 2011 includes an account of a user who is permitted to access, an authentication method of the user, an authentication connection source address indicating a location condition for permitting authentication of the account, and an authentication connection source address. The authentication connection time, which indicates the time condition for permitting the authentication of the account that made the authentication request, is stored in association with the authentication connection time.

FIG. 3 shows, for example, that the user of the account "C" needs to be authenticated by two types of authentication methods, "password authentication" and "mobile terminal authentication (smartphone authentication)".

Further, for example, the user of the account "F2" indicates that authentication by two types of authentication methods, "terminal authentication" and "mobile terminal authentication", is required. Further, it is shown that the mobile terminal authentication is performed when the user is accessed from an address other than "192.168.0.0/24" defined as the authentication connection source address.

Further, for example, the user of the account "F3" indicates that authentication by two types of authentication methods, "terminal authentication" and "mobile terminal authentication", is required. Further, it is shown that the mobile terminal authentication is performed for this user when the user is accessed at a time other than "09: 00 to 17:00" (during working hours) defined as the authentication connection time.

Further, for example, the user of the account "G2" indicates that authentication by two types of authentication methods, "terminal authentication" and "device authentication", is required. Further, it is shown that the device authentication is not performed (through) for this user when the user is accessed from the address of "192.168.0.11/32" defined as the authentication connection source address. ..

Further, for example, the user of the account "G3" indicates that authentication by two types of authentication methods, "terminal authentication" and "device authentication", is required. Furthermore, for this user, if the user is accessing "09: 00-17: 00" (during working hours) defined as the authentication connection time, it indicates that device authentication is not performed (through). ..

As described above, in this authentication system, a set of authentication methods suitable for the user can be selected from various authentication methods according to the user's account in response to the usage approval request, and the user can be authenticated. Further, by setting the place condition and the time condition for each account, it is possible to individually authenticate the user of the account and authenticate using the time and place conditions for each user. Moreover, in the authentication using the set of authentication methods, the most convenient authentication method ("password") is selected from the authentication method ("password authentication", "terminal authentication" and "mobile terminal authentication") that guarantees the strongest security. Optimal security can be provided for a wide range of environments, including "authentication" only).

In this authentication system, the access permission DB 2011 shown in FIG. 2 is used to approve the use, and the account authentication DB 2012 shown in FIG. 3 is used to select and authenticate a set of authentication methods. , It is possible to authenticate by the authentication method according to the time condition and the place condition. That is, in this embodiment, the access permission DB 2011 is used to approve whether the time condition and the location condition (referred to as the first condition) are satisfied, and then the account authentication DB 2012 is used to perform the authentication method (second condition). Since the authentication is performed based on the above, the former can be called the first authentication and the latter can be called the second authentication. Furthermore, even in the latter second authentication, since the F2, F3, G2, and G3 accounts perform authentication under locational conditions or temporal conditions, these can be said to be stricter authentications.

FIG. 4 is a diagram showing an example of an authentication method adopted for each type of user. FIG. 4 shows the relationship between the location condition (inside and outside the company) and the time condition for the user types “employee” and “non-employee”. As shown in FIG. 4, when the user's account is an "employee", in the case of access from within the company, the account and password authentication (convenient and light authentication) regardless of whether it is during working hours or after working hours. Method). On the other hand, in the case of access from outside the company, mobile terminal authentication (smartphone authentication) is performed in addition to the above authentication method at any time. This authentication can be said to be a strong authentication method because it uses three authentication methods. In addition, when the user's account is "non-employee", in the case of access from inside the company, the account and password are authenticated during working hours, while in the case of access from outside the company, during working hours. If there is, further terminal authentication and mobile terminal authentication (smartphone authentication) are performed. And, when it is out of working hours, access is prohibited both inside and outside the company.

In this way, by performing authentication using the access permission DB 2011 and the account authentication DB 2012, the authentication method can be changed according to the user type, location condition, and time condition so that the authentication method is simple for a genuine user. Can be changed. That is, it is possible to set 401 that dynamically changes the authentication method according to the type of user, setting 402 that dynamically changes the authentication method depending on the location, and setting 403 that dynamically changes the authentication method depending on the time. Conventionally, when authenticating an account, it was necessary to combine each system such as an authentication infrastructure, VPN, and an authentication authority, but in the authentication system of this embodiment, highly secure authentication is performed for each user on the authentication server 200. It can be realized. In the case of authentication by a combination of systems as in the past, in general, the introduction cost becomes expensive, the operation management becomes complicated, and the settings for authentication such as account definition and linkage become incorrect. Although there is a risk, according to the authentication system of this embodiment, easy and safe operation management is possible at a low introduction cost.

FIG. 5 is a diagram showing an example of the initial registration DB 2013. As shown in FIG. 5, the initial registration DB 2013 stores the account of the user who uses this authentication system and the password information, terminal authentication information, mobile terminal authentication information, and device authentication information of the user in association with each other. .. In FIG. 5, for example, the user of the account "A" has the password "123" registered as the password information, the tally "α (α1, α2)" registered as the terminal authentication information, and the biocode "α1, α2" as the mobile terminal authentication information. “A” is registered, indicating that the USB serial number “X0001” is registered as device authentication information. Note that FIG. 5 illustrates the case where all authentication methods are registered, but at least the authentication methods corresponding to the user's account may be registered.

[Authentication control]
FIG. 6 is a sequence diagram showing a processing procedure of processing performed by the authentication system 1000. As shown in FIG. 6, first, the application unit 101 of the user PC 100 displays an account ID input screen for the user to input an account on the input display unit 102 (S601).

FIG. 7 is a diagram showing an example of an account ID input screen. As shown in FIG. 7, the account ID input screen includes an input field for inputting the account of the user requesting usage approval from the user PC 100, and an OK button for transmitting the input account ID to the authentication server 200. Is displayed.

When the OK button is pressed, the application unit 101 of the user PC 100 transmits the input account ID to the authentication server 200. The authentication control unit 204 of the authentication server 200 registers the account ID received from the user PC 100 in the session (S602). Specifically, the authentication control unit 204 generates session data, which is an example of a session management table to which a session ID corresponding to the account ID is assigned, and holds the session data in the storage unit 201.

FIG. 8 is a diagram showing an example of session data. A session is a series of processes via a network from the time when a user makes a usage approval request until the result for the request is obtained, and the session data is the result of the processes performed in one series of sessions. It is the data to be included. The items retained by the session data change according to the results of the processing shown below. Here, as shown in FIG. 8A, session data in which the session ID and the account ID are associated with each other is held. FIG. 8A shows that the session ID “S0001” has been assigned to the account ID “E”. The authentication control unit 204 refers to the access permission DB 2011 using the account ID associated with the session ID as a key, reads out the connection source condition and the time condition for the user of the account ID to access, and satisfies these conditions. It is determined whether or not it is an access (S603, S604).

When the authentication control unit 204 determines in S603 that the access does not satisfy these conditions (S603; No, or / and S604; No), it transmits that fact to the user PC 100, and the application unit of the user PC 100. 101 displays the authentication error screen on the input display unit 102 (S605).

FIG. 9 is a diagram showing an example of an authentication error screen. As shown in FIG. 9, the authentication error screen indicates that the authentication has failed. By displaying the authentication error screen, the user can recognize that he / she does not satisfy the access permission conditions for this authentication system.

When the authentication control unit 204 determines that the account of the user whose usage approval is requested satisfies both the connection source condition and the time condition (first condition) (S603; Yes, S604; Yes), further. Using the account ID as a key, the account authentication DB 2012 is referred to, and the authentication method (second condition) is read out corresponding to the account ID (S606).

For example, when the account ID is "E", the authentication control unit 204 reads "password authentication" and "device authentication" as the authentication method. At this time, the authentication control unit 204 adds an item indicating the authentication result of each authentication method to the session data generated in S602, and adds information "-" indicating that the item is not used for authentication to the item not adopted as the authentication method. "Written. FIG. 8B is a diagram showing an example of session data to which an item indicating the authentication result of each authentication method is added. In FIG. 8 (b), among the items indicating the authentication results of each authentication method added to the session data shown in FIG. 8 (a), "-" is added to the "terminal authentication" and "mobile terminal authentication" that are not adopted. You can see that it has been written.

Further, the authentication control unit 204 refers to the account authentication DB 2012 using the account ID as a key, and determines whether or not the user of the account ID is a user who satisfies the connection source address and / and the connection time (S607). , S608). Here, the user who satisfies the connection source address and / and the connection time is a user who can not execute (through) the authentication by each authentication method by satisfying these conditions.

When the authentication control unit 204 determines that the user of the account ID is a user who satisfies the authentication source connection address and / and the authentication connection time (S607; Yes, S608; Yes), the process proceeds to S615. On the other hand, when the authentication control unit 204 determines that the user of the account ID does not satisfy at least either the connection source address or the connection time (S607; No, or S608; No), the process proceeds to S609.

When the authentication control unit 204 determines that the user of the account ID does not satisfy at least either the connection source address or the connection time (S607; No or S608; No), the authentication control unit 204 associates that fact and the account ID. An instruction for authenticating the user by the authentication method defined in the above is transmitted to the user PC 100, and the application unit 101 of the user PC 100 redirects to each authentication unit according to the instruction (S609). For example, when the authentication methods corresponding to the account ID are "password authentication" and "device authentication", the application unit 101 first calls the password authentication unit 2041 that executes "password authentication", and the password authentication unit 2041 authenticates. Let the process be executed. The same applies to the case where the terminal authentication unit 2042 authenticates, the mobile terminal authentication unit 2043 authenticates, and the device authentication unit 2044 authenticates.

When each authentication unit receives an execution instruction from the authentication control unit 204 of the authentication server 200, each authentication unit executes authentication by each authentication method (S610). The authentication process by each authentication unit is realized by, for example, a CGI (Common Gateway Interface) program. Each authentication method will be described later using a flowchart.

In S610, when authentication is executed by each authentication unit and the authentication result is written in the session data, each authentication unit transmits to the user PC 100 that the authentication result has been obtained, and the application unit 101 of the user PC 100 , Redirect to the authentication control unit 204 (S611).

Then, the authentication control unit 204 starts a session check (S612), and determines whether or not the authentication result by each authentication unit is authentication OK (permission) (S613). For example, when the authentication method is "password authentication", the authentication control unit 204 can authenticate the item indicating the authentication processing result by the password authentication unit 2041 in the session data as shown in FIG. 8 (c). Confirm that the mark) is written.

When the authentication control unit 204 determines that the authentication result by each authentication unit is not OK (not permitted) (S613; No), the authentication control unit 204 transmits to that effect to the user PC 100, and the application unit 101 of the user PC 100 displays the figure. The authentication error screen shown in 9 is displayed on the input display unit 112 (S614).

On the other hand, when the authentication control unit 204 determines that the authentication result by each authentication unit is OK (S613; Yes), it further determines whether or not there is an unexecuted authentication method added to the session data (S613; Yes). S615). When the authentication control unit 204 determines that there is an authentication method that has not been implemented (S615; Yes), the authentication control unit 204 returns to S607 and repeats the subsequent processing for the other authentication methods.

When the authentication control unit 204 determines that there is no authentication method that has not been implemented (S615; No), that is, as shown in FIG. 8D, an item indicating all the authentication processing results of each authentication unit of the session data. When it is confirmed that the authentication OK is written in, the SSO (single sign-on) process is executed (S616). Although SSO has been illustrated in this example, reverse proxy processing of HTTP (Hypertext Transfer Protocol) may be executed.

The authentication control unit 204 sends an instruction to redirect to the single sign-on destination to the user PC 100 (S617), and the application unit 101 of the user PC 100 sends an authorization request to the site of the content server 300 according to the instruction. Then, the content server 300 executes the login process to the site in accordance with the authorization request (S618). The content server 300 transmits the site screen after the login process to the user PC 100, and the application unit 101 of the user PC 100 displays the site screen on the display unit 102 (S619). When the processing of S619 is completed, all the processing shown in FIG. 6 is completed, and only the user of the account who is approved for use and authenticated by all the authentication methods determined according to the user becomes the content of the content server 300. You will be able to access it. Next, authentication by each authentication method will be described.

[Authentication by each authentication method]
(Password authentication)
The password authentication unit 2041 authenticates the user using a predetermined password. When the password authentication unit 2041 receives an instruction from the authentication control unit 204 in S610 of FIG. 6, the password authentication unit 2041 refers to the initial registration DB 2013 using the account ID as a key, and the password that the password authentication unit 2041 requests to input is entered. It is determined whether or not the password is registered in the initial registration DB 2013. When requesting the input of the password, the password authentication unit 2041 outputs a password input screen as shown in FIG. 13A, and the application unit 101 of the user PC 100 displays the password input screen on the input display unit 102.

When the password authentication unit 2041 determines that the entered password is the password registered in the initial registration DB 2013, it writes the authentication result in the corresponding item of the session data as authentication OK (FIG. 8 (c), FIG. 8 (d)). If the password authentication unit 2041 determines that the entered password is not the password registered in the initial registration DB 2013, it considers the authentication NG (not permitted) and writes the authentication result to that effect in the corresponding item of the session data. ..

In this way, in "password authentication", authentication is performed simply by entering a predetermined password, so that it is possible to authenticate a user who is permitted to access this authentication system by the simplest method. It is possible to reduce the operational burden for authentication for the user.

(Terminal authentication)
FIG. 10 is a sequence diagram showing a processing procedure of the terminal authentication process. In the following, the terminal authentication information used for terminal authentication (in this example, the tally on the server side and the tally on the client side) is registered in advance in the initial registration DB 2013, and the tally on the client side is also registered in the user PC 100. And.

As shown in FIG. 10, when the terminal authentication unit 2042 receives an instruction from the authentication control unit 204 in S610 of FIG. 6, the terminal authentication unit 2042 refers to the initial registration DB 2013 using the account ID as a key, and the terminal authentication information corresponding to the account ID. As a result, the tally on the server side (for example, α1 in FIG. 5) is read and the tally on the PC side is requested (S1001).

The application unit 101 of the user PC 100 reads the client-side tally (for example, α2 in FIG. 5) registered in the memory in advance, and transmits the tally to the authentication server 200 (S1002).

The terminal authentication unit 2042 of the authentication server 200 matches the tally on the client side received from the user PC 100 with the tally on the server side, and determines whether or not both match (S1003). When it is determined that the two match, the terminal authentication unit 2042 writes the authentication result in the corresponding item of the session data as authentication OK (FIGS. 8 (c) and 8 (d)). On the other hand, when it is determined that the two do not match, the terminal authentication unit 2042 writes the authentication result to that effect in the corresponding item of the session data as authentication NG (S1004).

Although the terminal authentication using the tally is illustrated in FIG. 10, the terminal authentication may be performed using the MAC address of the user PC100 or the client certificate. Moreover, it is not always necessary to use a tally.

In this way, in terminal authentication, in order to authenticate a terminal whose usage environment is generally defined, one account is assigned to a plurality of users, and even if the environment is such that a PC is shared, that account is authenticated. Can be done.

(Mobile terminal authentication)
FIG. 11 is a sequence diagram showing a processing procedure of the mobile terminal authentication process. As shown in FIG. 11, when the mobile terminal authentication unit 2043 receives an instruction from the authentication control unit 204 in S610 of FIG. 6, the mobile terminal authentication unit 2043 refers to the initial registration DB 2013 using the account ID as a key, and the mobile terminal corresponding to the account ID. The authentication information (for example, a passcode) is read (S1101), and a push notification for requesting authentication is given to the mobile terminal 110 (S1102). When the authentication control unit 204 gives a push notification, the authentication control unit 204 transmits an authentication screen for performing authentication based on the mobile terminal authentication information to the mobile terminal 110, and the mobile terminal authentication unit 111 of the mobile terminal 100 inputs and displays. The authentication screen is displayed on the unit 112 (S1103). On the other hand, the authentication control unit 204 transmits a mobile terminal authentication notification screen indicating that the user PC 100 is being authenticated by the mobile terminal, and the application unit 101 of the user PC 100 carries the user PC 100 to the input display unit 102. The terminal authentication notification screen is displayed (S1104).

FIG. 13B is a diagram showing an example of a screen displayed on the mobile terminal. The right side of FIG. 13B is an example of the authentication screen in S1103, and the left side of FIG. 13B is an example of the mobile terminal authentication notification screen in S1104.

As shown on the right side of FIG. 13B, an authentication button for executing authentication based on mobile terminal authentication information and a close button for ending processing without executing authentication are displayed on the authentication screen. When the user presses the authentication button, the mobile terminal authentication unit 111 displays a screen for authenticating with the mobile terminal authentication information (for example, a passcode input screen), and transmits the input information to the authentication server 200. In this way, by displaying the authentication screen on the mobile terminal 110 by the push notification, the user can be immediately authenticated.

Further, as shown on the left side of FIG. 13B, the mobile terminal authentication notification screen displays that a push notification has been sent to the mobile terminal 100 and that confirmation is urged in order to authenticate with the mobile terminal 110. There is. By displaying the mobile terminal authentication notification screen on the user PC 100 in this way, the user can grasp the operation necessary for executing the authentication by the mobile terminal 110.

After that, when the mobile terminal authentication unit 111 transmits the mobile terminal authentication information input from the input display unit 112 to the authentication server 200, the mobile terminal authentication unit 2043 of the authentication server 200 is registered in the initial registration DB 2013. The terminal authentication information is compared with the input mobile terminal authentication information, and it is determined whether or not they match (S1105, S1106). When it is determined that the two match, the mobile terminal authentication unit 2043 writes the authentication result in the corresponding item of the session data as authentication OK (S1106; Yes, S1108, FIG. 8C, FIG. 8D). On the other hand, when the terminal authentication unit 2042 determines that the two do not match (S1106; No, as authentication NG, the authentication result to that effect is written in the corresponding item of the session data, and the same as the authentication error screen shown in FIG. Is transmitted to the mobile terminal 110, and the mobile terminal authentication unit 111 of the mobile terminal 110 displays the authentication error screen on the input display unit 112 (S1107).

The mobile terminal authentication unit 2043 reads the authentication result written in the session data and determines whether or not the authentication result is authentication OK (S1109, S1110). When the mobile terminal authentication unit 2043 determines that the authentication result is OK (S1110; Yes), it further determines whether or not the valid time has not elapsed (S1111). The valid time is, for example, the time from the push notification in S1102 to the determination that the authentication is OK in S1110, and is the time (for example, 4 minutes) in which the authentication operation from the mobile terminal 110 times out. If the mobile terminal authentication unit 2043 determines that the authentication result is not OK, that is, the authentication is NG (S1110; No), the mobile terminal authentication unit 2043 proceeds to S1112 and confirms the authentication result.

When the mobile terminal authentication unit 2043 determines that the valid time has not elapsed (S1111; Yes), the mobile terminal authentication unit 2043 determines the authentication result written in S1107 and S1108 (S1112). On the other hand, when the mobile terminal authentication unit 2043 determines that the valid time has not elapsed, that is, the valid time has passed (S1111; No), the mobile terminal authentication unit 2043 returns to S1104 and continues the subsequent processing. In this case, even if the authentication OK is written in the session data as the authentication result in S1108, the mobile terminal authentication unit 2043 determines that the valid time has passed, and in S1112, rewrites the authentication result to NG and confirms the authentication result. Let me.

In this example, the push notification is transmitted in step S1102, but the push notification is not limited to the push notification, and the mobile terminal 110 may perform the pull notification.

In this way, in the mobile terminal authentication, the user is authenticated using the personal information registered by the user of the mobile terminal, so that the user can be easily authenticated with less risk without registering the personal information in the authentication server 200. be able to. In addition, since the authentication is performed by the mobile terminal that the user is accustomed to, the operation for authentication can be performed without any discomfort.

(Device authentication)
FIG. 12 is a sequence diagram showing a processing procedure of the device authentication process. As shown in FIG. 12, when the device authentication unit 2044 receives an instruction from the authentication control unit 204 in S610 of FIG. 6, the device authentication unit 2044 refers to the initial registration DB 2013 using the account ID as a key, and the device authentication information corresponding to the account ID. (For example, the serial number of USB) is read, the read device authentication information is transmitted to the device PC 120 (S1201), a device authentication notification screen prompting the device to authenticate is transmitted to the device PC 120, and the device PC 120. Device authentication unit 121 displays a device authentication notification screen on the input display unit 122 via a browser (S1202).

When the device authentication unit 121 detects that the device has been inserted into the device I / F unit 124 in S1202, the device authentication execution screen for executing the device authentication is displayed on the input display unit 122 (S1203).

FIG. 13C is a diagram showing an example of a screen displayed on the device PC. The left side of FIG. 13C is an example of the device authentication notification screen in S1202, and the left side of FIG. 13C is an example of the device authentication execution screen in S1203.

As shown on the left side of FIG. 13C, the device authentication notification screen indicates that a predetermined device 130 is inserted into the device PC 120 to urge authentication in order to authenticate the device. By displaying the device authentication notification screen on the device PC 120 in this way, the user can grasp the operation required for device authentication by the device PC 120.

Further, as shown on the right side of FIG. 13C, on the device authentication execution screen, a drive selection field for selecting a drive into which the device 130 is inserted, an authentication button for executing authentication based on the device authentication information, and authentication are performed. A cancel button is displayed to end the process without executing it. By displaying the device authentication execution screen on the device PC 120 in this way, the user can perform device authentication after selecting the drive for device authentication by the device PC 120.

In S1203, when the authentication button is pressed by the user, the device authentication unit 121 collates the device authentication information transmitted from the authentication server 200 in S1201 with the device authentication information inserted in S1203, and both match. It is determined whether or not to do so, and the authentication result is transmitted to the authentication server 200. In this example, the device authentication unit 121 of the device PC 120 executes the device authentication, but the device authentication unit 2044 of the authentication server 200 may execute the device authentication.

When the device authentication unit 2044 of the authentication server 200 receives the authentication result from the device PC 120, the device authentication unit 2044 writes the authentication result in the corresponding item of the session data (S1204, FIG. 8C, FIG. 8D).

The device authentication unit 2044 reads the authentication result written in the session data (S1205), and determines whether or not the authentication result is authentication OK (S1206). When the device authentication unit 2044 determines that the authentication result is OK (S1206; Yes), it further determines whether or not the valid time has not elapsed (S1207). Since the valid time is the same as that of the mobile terminal authentication shown in FIG. 11, the description thereof will be omitted here. If the device authentication unit 2044 determines that the authentication result is not OK, that is, the authentication is NG (S1206; No), the device authentication unit 2044 proceeds to S1208 and confirms the authentication result.

When the device authentication unit 2044 determines that the valid time has not elapsed (S1207; Yes), the device authentication unit 2044 determines the authentication result written in S1204 (S1208). On the other hand, when the mobile terminal authentication unit 2043 determines that the valid time has not elapsed, that is, the valid time has passed (S1207; No), the mobile terminal authentication unit 2043 returns to S1202 and continues the subsequent processing. In this case, even if the authentication OK is written in the session data as the authentication result in S1204, the device authentication unit 2044 determines that the valid time has elapsed, and rewrites the authentication result to NG in S1208 to confirm the authentication result. ..

As described above, in the device authentication, the user can be authenticated by a simple method without incurring a cost by authenticating the user using an inexpensive device such as USB. Further, since the device connects to the network as needed via the device PC, the information necessary for authentication can be managed independently of the network.

[Alternative, modified example]
Although the preferred embodiment has been described above, the present invention is not limited to this, and can be appropriately modified or substituted without departing from the gist thereof.

For example, in the above embodiment, the user PC 100 and the device PC 120 are shown separately in FIG. However, in the modified example, if the user PC 100 is provided with a connector for attaching the authentication device 130, the user PC 100 can be used as the device PC. In that case, a plurality of users possessing the authentication device 130 can share the user PC 100.

Further, in the above embodiment, in the control with reference to FIG. 6, both step S603 (determination of the temporal condition) and step S604 (determination of the location condition) are performed. In the alternative example, there may be an example in which the processing of either of these steps S603 or S604 is performed.

Further, in the above embodiment, in step S604 with reference to FIG. 6, the location condition is determined using the IP address which is the connection source address, but the alternative example is not limited to this. For example, the authentication control unit 204 can acquire the location information (GPS information) in which the connection source user PC 100 and device PC 120 are installed to determine the location condition.

Further, in the above embodiment, the authentication control unit 204 of the authentication server 200 generates a session in response to the request from the terminal, and registers the authentication method and the authentication result in the session. According to another example, in a server including an access control unit 203 that controls an access request from the outside, the access control unit 203 may generate a session. In that case, the authentication control unit 204 of the authentication server 200 can register various information related to the authentication for the generated session. As yet another example, the access control unit 203 may perform a part of the control operation of FIG. 6, for example, the operation of steps S602 to S604. In this case, the authentication control unit may be regarded as having a broad meaning including the operations or functions of S602 to S604 performed by the access control unit.

Further, in the above embodiment, the authentication server 200 has a password authentication unit 2041, a terminal authentication unit 2042, a mobile terminal authentication unit 2043, and a device authentication unit 2044. According to the alternative example, one or a plurality of parts of the authentication units 2041 to 2044 may be realized by a server different from the authentication server 200. For example, the terminal authentication unit 2042 and / or other parts can be realized on a cloud computer. Even in that case, the authentication unit realized by another server is controlled under the control of the authentication control unit 204.

Further, in the above embodiment, the access permission DB 2011, the account authentication DB 2012, and the initial registration DB 2013 are referred to, but these may be referred to as an access permission management table, an account authentication management table, and an initial registration management table, respectively.

Further, in the above embodiment, the authentication control unit 204 is realized as a functional unit of the authentication server 200, but this functional unit can also be realized as a proxy server.

Further, in this embodiment, PCs, smartphones, and devices are exemplified as devices used for authentication, but various contents such as media playback devices such as video players and music players are used via a network. The same can be applied to devices and devices for this purpose.

As described above, in the authentication system of this embodiment, a plurality of sets (authentication sets) including a combination of one or a plurality of authentication elements are defined with each of a plurality of different authentication methods as an authentication element. Then, one authentication group is selected according to the user (in one example, the user's account) and executed by the authentication unit corresponding to one or a plurality of authentication elements included in the authentication group to request the user or the connection request. Authenticate the existing terminal. As a result, security measures can be taken according to various environments in which the terminal is used and various requests of the user who have a connection request via the network. In addition, since the authentication server performs authentication control and authentication by each authentication method, the cost for authentication can be suppressed as much as possible and the operation of authentication can be simplified. Further, for a genuine user, as shown in FIG. 4, the authentication procedure can be simplified as much as possible to improve the convenience of the user.

The authentication system according to this embodiment can be called a multi-factor authentication system because it authenticates users and terminals using a plurality of authentication sets (which may be called authentication patterns) composed of a combination of different authentication elements.

1000 Authentication system 100 User PC
101 Application unit 102 Input display unit 103 Communication I / F unit 104 Control unit 110 Mobile terminal 111 Authentication unit for mobile terminal 112 Input display unit 113 Communication I / F unit 114 Control unit 120 PC for device
121 Application unit 122 Device authentication unit 123 Input display unit 124 Communication I / F unit 125 Device I / F unit 126 Control unit 130 Authentication device 200 Authentication server 201 Storage unit 2011 Access permission DB
2012 account authentication DB
2013 initial registration DB
202 Communication unit 203 Access control unit 204 Authentication control unit 2041 Password authentication unit 2042 Terminal authentication unit 2043 Mobile terminal authentication unit 2044 Device authentication unit 205 Control unit 300 Content server N1 network.

Claims (5)

An authentication system in which an authentication server authenticates an access request with a user's account sent from a terminal used by the user via a network.
The authentication server
An authentication control unit that controls the authentication,
It has one or a plurality of authentication sets having different authentication methods, and has a storage unit for storing an authentication management table for registering a plurality of authentication sets so that each authentication set corresponds to the account. ,
In addition, for the plurality of authentication sets in the authentication management table,
There are two different authentication methods , one is the authentication method (first authentication method) in which the location conditions for permitting the authentication of the account associated with the access request are registered in association with one authentication method, and the other one. those wherein locational condition in association with the authentication scheme associated with the access request contains authentication set having the authentication method that is not registered (second authentication method), a (set of predetermined authentication) Yes,
The authentication control unit, when a set of predetermined authentication corresponding to said account access request has from the terminal selected from the authentication management table,
It is determined whether the access request satisfies the location condition registered in association with the first authentication method included in the selected predetermined authentication set.
A result of the determination, the case the access request is the locational conditions are satisfied, without authentication by the first authentication method included in the set of the predetermined authentication is selected, the authentication of the second authentication method Let me do it
As a result of the determination, when the access request does not satisfy the location condition, the authentication by the first authentication method included in the selected predetermined authentication set and the authentication of the second authentication method are performed. Let, let
An authentication system characterized by the fact that. In the set of predetermined authentication registered in the authentication management table,
The first authentication method is a mobile terminal authentication method that authenticates the authenticity of a user by receiving input permission from a second terminal other than the terminal.
The second authentication method, a terminal authentication method authenticating the authenticity of the terminal,
The authentication system according to claim 1. The authentication system according to claim 1, wherein the location condition is a connection source IP address in which the access request is predetermined. This is an authentication method in which the authentication server authenticates an access request with a user's account sent from the terminal used by the user via the network.
The authentication server
An authentication control unit that controls the authentication,
It has one or a plurality of authentication sets having different authentication methods, and has a storage unit for storing an authentication management table for registering a plurality of authentication sets so that each authentication set corresponds to the account. ,
In addition, for the plurality of authentication sets in the authentication management table,
There are two different authentication methods , one is the authentication method (first authentication method) in which the location conditions for permitting the authentication of the account associated with the access request are registered in association with one authentication method, and the other one. those wherein locational condition in association with the authentication scheme associated with the access request contains authentication set having the authentication method that is not registered (second authentication method), a (set of predetermined authentication) Yes,
The authentication control unit, when a set of predetermined authentication corresponding to said account access request has from the terminal selected from the authentication management table,
It is determined whether the access request satisfies the location condition registered in association with the first authentication method included in the selected predetermined authentication set.
A result of the determination, the case the access request is the locational conditions are satisfied, without authentication by the first authentication method included in the set of the predetermined authentication is selected, the authentication of the second authentication method Let me do it
As a result of the determination, when the access request does not satisfy the location condition, the authentication by the first authentication method included in the selected predetermined authentication set and the authentication of the second authentication method are performed. Let, let
An authentication method characterized by the fact that. An authentication program executed by the authentication server in response to an access request with a user's account sent from the terminal used by the user over the network.
The authentication server is an authentication set having one or a plurality of different authentication methods, and stores an authentication management table for registering a plurality of authentication sets in a storage unit so that each authentication set corresponds to the account. And
In addition, for the plurality of authentication sets in the authentication management table,
There are two different authentication methods , one is the authentication method (first authentication method) in which the location conditions for permitting the authentication of the account associated with the access request are registered in association with one authentication method, and the other one. those wherein locational condition in association with the authentication scheme associated with the access request contains authentication set having the authentication method that is not registered (second authentication method), a (set of predetermined authentication) Yes,
The authentication server, if a set of predetermined authentication corresponding to said account access request has from the terminal selected from the authentication management table,
It is determined whether the access request satisfies the location condition registered in association with the first authentication method included in the selected predetermined authentication set.
A result of the determination, the case the access request is the locational conditions are satisfied, without authentication by the first authentication method included in the set of the predetermined authentication is selected, the authentication of the second authentication method Let me do it
As a result of the determination, when the access request does not satisfy the location condition, the authentication by the first authentication method included in the selected predetermined authentication set and the authentication of the second authentication method are performed. Let, let
An authentication program characterized by the fact that.

Images