JP6947529B2 - Judgment device, judgment method and judgment program - Google Patents

Description

The present invention relates to a determination device, a determination method, and a determination program.

In recent years, communication networks have become widespread, and services via networks are being actively provided. For example, a user logs in to a service provided via a network using a communication terminal device and uses the service. The user is required to authenticate the user who uses the service when logging in to the service.

As a technology for personal authentication in a network, there is known a technology that automatically selects an authentication method that uses a sensor suitable for the environment in which the terminal is placed when the terminal is equipped with a plurality of authentication methods (). For example, Patent Document 1).

Japanese Unexamined Patent Publication No. 2015-90589

However, with the above-mentioned conventional technology, it is difficult to perform highly convenient personal authentication. For example, even in an environment where a user can select from a plurality of authentication methods, a complicated procedure such as inputting an answer or inputting biometric information may be required depending on the authentication method. In addition, the user is required to input information each time the authentication is performed, which imposes a burden on the authentication process itself.

The present application has been made in view of the above, and an object of the present application is to provide a determination device, a determination method, and a determination program capable of performing personal authentication with excellent convenience.

The determination device according to the present application includes a receiving unit that receives a request for authentication of the identity of a user who uses the terminal device, an acquisition unit that periodically acquires context information that is information indicating the context of the terminal device, and the above. The determination unit includes a determination unit that makes a determination regarding the authentication requested from the terminal device based on the context information acquired by the acquisition unit, and the determination unit makes a determination regarding the authentication requested from the terminal device in the past. Among the context information periodically acquired during the period from the time when the authentication request is newly received by the receiver, the context information that matches or is similar to any of the previously acquired context information. It is characterized in that it is determined whether or not to perform new authentication based on whether or not is included.

According to one aspect of the embodiment, there is an effect that the person can be authenticated with excellent convenience.

FIG. 1 is a diagram showing an example of a determination process according to the first embodiment. FIG. 2 is a diagram showing a configuration example of the determination processing system according to the first embodiment. FIG. 3 is a diagram showing a configuration example of the determination device according to the first embodiment. FIG. 4 is a diagram showing an example of the registration information storage unit according to the first embodiment. FIG. 5 is a diagram showing an example of the authentication information storage unit according to the first embodiment. FIG. 6 is a diagram showing an example of the authentication log storage unit according to the first embodiment. FIG. 7 is a diagram showing an example of the context log storage unit according to the first embodiment. FIG. 8 is a diagram showing a configuration example of a user terminal according to the first embodiment. FIG. 9 is a flowchart showing a determination processing procedure according to the first embodiment. FIG. 10 is a diagram showing a modified example of the determination process according to the first embodiment. FIG. 11 is a diagram showing an example of the determination process according to the second embodiment. FIG. 12 is a diagram showing a configuration example of the determination device according to the second embodiment. FIG. 13 is a diagram showing a configuration example of the determination device according to the third embodiment. FIG. 14 is a hardware configuration diagram showing an example of a computer that realizes the function of the determination device.

Hereinafter, a determination device, a determination method, and a mode for carrying out the determination program according to the present application (hereinafter, referred to as “the embodiment”) will be described in detail with reference to the drawings. The determination device, determination method, and determination program according to the present application are not limited by this embodiment. In addition, each embodiment can be appropriately combined as long as the processing contents do not contradict each other. Further, in each of the following embodiments, the same parts are designated by the same reference numerals, and duplicate description is omitted.

[1. First Embodiment]
[1-1. Example of judgment processing]
First, an example of the determination process according to the first embodiment will be described with reference to FIG. FIG. 1 is a diagram showing an example of a determination process according to the first embodiment. FIG. 1 shows an example in which a determination device 100 according to the present application performs determination processing related to an authentication request transmitted from a user terminal 10.

The determination device 100 shown in FIG. 1 is a server device that determines the authentication of the user terminal 10. Further, the user terminal 10 is an information processing terminal used by the user U01. In FIG. 1, the user terminal 10 is, for example, a smartphone (Smartphone).

The determination device 100 has a function of receiving a request for authentication of the identity of the user U01 using the user terminal 10 and authenticating the user terminal 10 in response to the request. The authentication of the user terminal 10 indicates the personal authentication of the user U01 through the verification that the user terminal 10 is definitely operated by the user U01. For example, when the user terminal 10 tries to access a service (such as a website with access restrictions) to which a predetermined restriction is applied, the determination device 100 authenticates the user terminal 10 to the site. Access control.

The determination device 100 authenticates the user terminal 10 by a predetermined authentication procedure. In the authentication procedure, for example, information proving that the user U01 is the user U01 is received in advance from the user U01 who uses the user terminal 10, and at the time of authentication, information that is collated with the registered information (hereinafter, "" A series of procedures are performed, such as requesting the user terminal 10 to present (denoted as "authentication information"). For example, the determination device 100 accepts the registration of fingerprint data and password for authentication from the user U01 in advance. Then, at the time of authentication, the determination device 100 requests the user U01 to transmit fingerprint data and a password as authentication information. When the registered fingerprint data or password matches the transmitted authentication information, the determination device 100 authenticates the user terminal 10 assuming that the identity of the user U01 using the user terminal 10 can be confirmed. ..

However, while the security is maintained by the access restriction, the user U01 is required to perform an annoying process in which the authentication process is required every time the service is accessed. Therefore, the determination device 100 according to the present application reduces the time and effort required for the authentication process of the user U01 by performing the determination process described below. Hereinafter, an example of the determination process performed by the determination device 100 will be described along the flow with reference to FIG. In the example of FIG. 1, it is assumed that the determination device 100 has previously received information for confirming the identity of the user U01 (for example, the fingerprint data and password of the user U01).

First, the determination device 100 receives in advance the registration of the context used for the determination process from the user terminal 10 to be authenticated (step S01). The determination device 100 stores the received context in the storage unit 120. In the embodiment, the context means a situation in which the user terminal 10 is used. Further, in the embodiment, the information for specifying the context is referred to as context information. The context information includes, for example, device information of the user terminal 10 itself, environment information in which the user terminal 10 is used by the user U01, information indicating a state in which the user U01 possessing the user terminal 10 is placed, and information. Includes information about user U01 and other users associated with user U01. The context may be registered at the same time as the registration of the information for confirming the identity of the user U01 described above.

In the example shown in FIG. 1, the user terminal 10 has the contexts of "the user terminal 10 is located at the home of the user U01", "the communication state between the user terminal 10 and the determination device 100 is established", and "the user terminal 10". It is assumed that a combination of three contexts, "the communication state between the user and the speaker 20 is established", is registered. Here, it is assumed that the speaker 20 is an audio device installed at the home of the user U01 and has a predetermined communication function. Specifically, the speaker 20 has a function of establishing short-range wireless communication with the user terminal 10 and outputting an audio signal transmitted from the user terminal 10 as sound.

After that, the determination device 100 shall perform a predetermined authentication process on the user terminal 10 (step S02). For example, the user terminal 10 accesses a site having a predetermined authentication process (user login process, etc.), and is authenticated by the determination device 100 at the time of access. In the authentication in step S02, the determination device 100 authenticates the user terminal 10 by receiving the authentication information from the user terminal 10 and verifying the match with the registered information.

After the authentication process, the user terminal 10 periodically transmits the context information of the user terminal 10 to the determination device 100 (step S03). For example, the user terminal 10 transmits the environment information detected by the user terminal 10 and the information regarding the communication state between the user terminal 10 and the speaker 20 and the determination device 100 to the determination device 100 every minute. Specifically, the user terminal 10 includes, as information regarding the context registered in step S01, position information indicating whether or not the user terminal 10 is located at the home of the user U01, the user terminal 10 and the speaker 20. , Communicates communication information indicating whether or not the communication state with the determination device 100 is established. The determination device 100 stores the transmitted context information in the storage unit 120.

After that, the user terminal 10 requests access to the site with authentication restrictions (step S04). For example, the user terminal 10 is assumed to access a site different from the site authorized to be accessed by the authentication in step S02. In other words, the access request indicates an authentication request that requires the determination device 100 to authenticate the user terminal 10.

Here, the determination device 100 refers to the storage unit 120 and verifies the change in the context of the user terminal 10 (step S05). Specifically, the determination device 100 verifies the change between the context information at the time of authentication in step S02, the context information periodically acquired in step S03, and the context information at the time of authentication in step S04. ..

For example, the determination device 100 sets the context of the user terminal 10 as "the user terminal 10 is located at the home of the user U01" and "the user terminal 10 and the determination device 100" based on the context information at the time of authentication in step S02. It is determined that the combination of the three contexts of "the communication state of the user terminal 10 is established" and "the communication state of the user terminal 10 and the speaker 20 is established" is established. Further, the determination device 100 determines that the combination of the above three contexts is established even at the time of step S03 and step S04.

Then, when the determination device 100 determines that there is no difference in any of the context information, that is, when the context for which registration has been accepted in advance is established even at the time of step S04, the user terminal 10 is at the time of step S02. It is determined that the operation is performed by the user U01 without changing from. As a result, the determination device 100 determines that the new authentication in step S04 is not required (step S06). In other words, the determination device 100 authenticates the user terminal 10 by omitting the authentication procedure in the authentication in step S04. Then, the determination device 100 approves the access request made in step S04 (step S07).

Subsequently, it is assumed that the user U01 leaves his / her home and goes out (step S08). Also in this case, the user terminal 10 continues to periodically transmit the context information to the determination device 100 (step S09).

Then, the user terminal 10 requests access to the authentication-restricted site on the go (step S10). When the determination device 100 receives the access request from the user terminal 10, the determination device 100 verifies the change in the context of the user terminal 10 (step S11). Specifically, the determination device 100 verifies the change between the context information at the time of steps S02 to S07, the context information periodically acquired in step S09, and the context information at the time of authentication in step S10. ..

Then, the determination device 100 determines that the context information at the time of steps S02 to S09 and the context information at the time of authentication in step S10 have changed. Specifically, at the time of step S10, the determination device 100 transmits the information indicating the context "the user terminal 10 has established the communication state with the determination device 100" among the contexts registered in step S01. However, since the information indicating the contexts of "the user terminal 10 is located at the home of the user U01" and "the communication state between the user terminal 10 and the speaker 20 is established" is not transmitted, the context of the user terminal 10 Is determined to have changed.

Then, the determination device 100 determines that new authentication is required for the request in step S10 (step S12). That is, since it cannot be confirmed that the user terminal 10 is still operated by the user U01 due to the change in the context of the user terminal 10, the determination device 100 authenticates the user terminal 10 by re-authentication. It is determined that it is necessary to do so, and authentication is requested (step S13).

In this case, the determination device 100 requests a normal authentication procedure for the access request transmitted from the user terminal 10. That is, the determination device 100 requests the user terminal 10 to transmit authentication information, which is information for confirming the identity of the user U01. In response to the request, the user terminal 10 transmits the authentication information (step S14). The determination device 100 determines that the authentication information matches and authenticates the user terminal 10. That is, the determination device 100 approves the access request in step S10 (step S15).

As described above, the determination device 100 according to the first embodiment receives the request for authentication of the identity of the user U01 who uses the user terminal 10, and also acquires the context information which is the information indicating the context of the user terminal 10. do. Then, the determination device 100 determines the authentication requested from the user terminal 10 based on the acquired context information. For example, the determination device 100 determines whether or not to request the user terminal 10 that has been previously authenticated to perform the authentication procedure again.

That is, the determination device 100 determines whether or not to perform the authentication procedure based on the context of the user terminal 10 to be authenticated. For example, the determination device 100 determines that a new authentication procedure is not required when the context received in advance from the user terminal 10 and the context at the time of authentication are the same. As a result, the determination device 100 can authenticate the user terminal 10 without a new authentication procedure. As described above, according to the determination device 100, the user U01 can perform authentication without being required to perform an authentication procedure such as password input when a certain degree of trust can be obtained from the context. Therefore, the user U01 can reduce the time and effort related to authentication by registering in advance a context or the like that is easily realized in daily life. As a result, the determination device 100 can perform highly convenient personal authentication.

[1-2. Judgment processing system configuration]
Next, the configuration of the determination processing system 1 including the determination device 100 according to the first embodiment will be described with reference to FIG. FIG. 2 is a diagram showing a configuration example of the determination processing system 1 according to the first embodiment. As illustrated in FIG. 2, the determination processing system 1 according to the first embodiment includes a user terminal 10, a device used by the user, a determination device 100, and a web server 60. As shown in FIG. 2, the device used by the user includes a speaker 20 and the like. These various devices are connected via network N so as to be communicable by wire or wirelessly.

The user terminal 10 is an information processing terminal such as a desktop PC (Personal Computer), a notebook PC, a tablet terminal, a mobile phone including a smartphone, and a PDA (Personal Digital Assistant). Further, the user terminal 10 also includes a wearable device which is a glasses-type or watch-type information processing terminal. Further, the user terminal 10 may include various smart devices having an information processing function. For example, the user terminal 10 may include smart home appliances such as TVs (Televisions), refrigerators, and vacuum cleaners, smart vehicles such as automobiles, drones, and domestic robots.

The user terminal 10 acquires context information indicating the context of the user terminal 10 according to an operation by the user or a function of the user terminal 10. For example, the user terminal 10 acquires various physical quantities such as position, acceleration, temperature, gravity, rotation (angular velocity), illuminance, geomagnetism, pressure, proximity, humidity, and rotation vector as context information by various built-in sensors. .. In addition, the user terminal 10 uses the built-in communication function to acquire context information such as connection status with various devices.

The device used by the user is a general term for devices used by the user in addition to the user terminal 10. For example, the device used by the user is various smart devices having an information processing function, similar to the user terminal 10 described above. In the first embodiment, the device used by the user is, for example, the speaker 20. These devices are used, for example, to represent the context of the user terminal 10.

As described above, the determination device 100 is a server device that acquires the context information of the user terminal 10 and makes a determination regarding the authentication of the user terminal 10 based on the acquired context information.

The web server 60 is a server device that provides various web pages when accessed from the user terminal 10. The web server 60 is, for example, various web pages and apps related to news sites, weather forecast sites, shopping sites, finance (stock) sites, route search sites, map providing sites, travel sites, restaurant introduction sites, web blogs, and the like. Provide the displayed contents and the like.

The web server 60 may require the user's personal authentication when providing the service. For example, when the web server 60 provides the payment service, when the user using the user terminal 10 cannot be authenticated to be the user U01 himself / herself, the web server 60 executes the payment service by the user terminal 10. Can be restricted. The web server 60 determines whether or not to allow access from the user terminal 10 according to the authentication result by the determination device 100 that authenticates the user terminal 10. For example, when the determination device 100 authenticates the user terminal 10, the web server 60 approves the access to the site with authentication restrictions by the user terminal 10.

That is, when the web server 60 receives the information indicating that the determination device 100 has authenticated the user U01 from the determination device 100, the web server 60 trusts that the user using the user terminal 10 is the user U01. After the authentication of the user terminal 10, the web server 60 can accept operations such as payment processing by the user terminal 10 that are not permitted until after the personal authentication.

[1-3. Judgment device configuration]
Next, the configuration of the determination device 100 according to the first embodiment will be described with reference to FIG. FIG. 3 is a diagram showing a configuration example of the determination device 100 according to the first embodiment. As shown in FIG. 3, the determination device 100 includes a communication unit 110, a storage unit 120, and a control unit 130. The determination device 100 includes an input unit (for example, a keyboard, a mouse, etc.) that receives various operations from an administrator or the like who uses the determination device 100, and a display unit (for example, a liquid crystal display, etc.) for displaying various information. You may have.

(About communication unit 110)
The communication unit 110 is realized by, for example, a NIC (Network Interface Card) or the like. The communication unit 110 is connected to the network N by wire or wirelessly, and transmits / receives information to / from the user terminal 10 or the like via the network N.

(About storage unit 120)
The storage unit 120 is realized by, for example, a semiconductor memory element such as a RAM or a flash memory, or a storage device such as a hard disk or an optical disk. The storage unit 120 includes a registration information storage unit 121, an authentication information storage unit 122, an authentication log storage unit 123, and a context log storage unit 124.

(Regarding the registration information storage unit 121)
The registration information storage unit 121 stores information related to the registration information registered by the user terminal 10. Here, FIG. 4 shows an example of the registration information storage unit 121 according to the first embodiment. FIG. 4 is a diagram showing an example of the registration information storage unit 121 according to the first embodiment. In the example shown in FIG. 4, the registration information storage unit 121 has items such as "user ID", "registration ID", and "context".

The "user ID" is identification information that identifies a user who registers a context. It is assumed that the user ID matches the reference code of the user who operates the user terminal 10. For example, the user identified by the user ID "U01" indicates the user U01. Further, the user ID may be treated as information for identifying the terminal device used by the user identified by the user ID.

The "registration ID" is information that identifies the registered context. The "context" is a context registered in advance by the user, and indicates a context used for the above-mentioned determination process. For example, the context is specified by the position information indicating the position where the user terminal 10 is located and the communication information that the user terminal 10 and the determination device 100 are in a communication state.

That is, in FIG. 4, the user U01 identified by the user ID "U01" has "location information G01", "communication with the user terminal 10", and "user terminal 10" as the context identified by the registration ID "R01". It indicates that the context such as "communication with the speaker 20" is registered.

In the example of FIG. 4, the "position information" indicates the position information of the user terminal 10, and an example in which conceptual information such as "G01" is stored in the value indicated by the "position information" is shown. Actually, as the location information, information indicating "latitude and longitude", "address (for example, prefecture or city, ward, town, or village)" or the like is stored. For example, the location information G01 is assumed to be location information indicating the home of the user U01. The user terminal 10 acquires position information as context information by using, for example, GPS (Global Positioning System) or the like.

Further, "communication" is not limited to a wide area network such as the Internet, but short-range communication (for example, Bluetooth (registered trademark)) that is established only between the user terminal 10 and the speaker 20 without going through an external network device or the like. (Establishment of communication by).

(About the authentication information storage unit 122)
The authentication information storage unit 122 stores information related to authentication performed by the determination device 100. Here, FIG. 5 shows an example of the authentication information storage unit 122 according to the first embodiment. FIG. 5 is a diagram showing an example of the authentication information storage unit 122 according to the first embodiment. In the example shown in FIG. 5, the authentication information storage unit 122 has items such as "user ID", "authentication means", and "correct answer data".

The "user ID" corresponds to the same item shown in FIG. “Authentication means” refers to an authentication means used to authenticate a user. For example, the authentication means is a fingerprint, a password, a voice, an iris, a face recognition, or the like. The "correct answer data" indicates the correct answer data used for authenticating the identity of the user corresponding to the authentication means. In FIG. 5, an example in which conceptual information such as “X01” is stored in the value indicated by the “correct answer data” is shown, but in reality, the correct answer data includes the user's fingerprint data or a character string that serves as a password. And voiceprint information of voice is stored.

That is, in FIG. 5, the user U01, which is the target user to be authenticated by the determination device 100 and is identified by the user ID “U01”, registers “fingerprint”, “password”, and “voice” as the authentication means. The correct answer data shows an example of "X01", "X02", and "X03". Although not shown in FIG. 5, the user U01 may register the authentication means for each site to be used, for example. For example, the user U01 makes settings such as using a "fingerprint" as authentication information when authenticating at a bank site and using a "password" as authentication information when authenticating at another site. You may. In this case, the determination device 100 stores such a setting in the authentication information storage unit 122.

(About authentication log storage unit 123)
The authentication log storage unit 123 stores a log related to the authentication performed by the determination device 100. Here, FIG. 6 shows an example of the authentication log storage unit 123 according to the first embodiment. FIG. 6 is a diagram showing an example of the authentication log storage unit 123 according to the first embodiment. In the example shown in FIG. 6, the authentication log storage unit 123 has items such as "user ID", "authentication date and time", and "authentication means".

The "user ID" corresponds to the same item shown in FIG. "Authentication date and time" indicates the date and time when authentication was performed. “Authentication means” refers to the authentication means used in the authentication.

That is, FIG. 6 shows that the user U01 identified by the user ID “U01” was authenticated using the “fingerprint” as the authentication means at “7:00 on November 1, 2015”. .. In addition, "7:10 on November 1, 2015" indicates that the authentication was performed using the "registration data" as the authentication means. The “registration data” indicates a context registered in the registration information storage unit 121. That is, the user U01 shows an example in which the authentication by the normal authentication procedure is skipped and the authentication is performed by the registered context at the time of the authentication of "7:10 on November 1, 2015".

The authentication log storage unit 123 may store the context information of the user terminal 10 when the authentication is performed in association with the information related to the authentication.

(About the context log storage unit 124)
The context log storage unit 124 stores a log related to the context acquired by the determination device 100. Here, FIG. 7 shows an example of the context log storage unit 124 according to the first embodiment. FIG. 7 is a diagram showing an example of the context log storage unit 124 according to the first embodiment. In the example shown in FIG. 7, the context log storage unit 124 has items such as "user ID", "acquisition date and time", and "context information".

The "user ID" corresponds to the same item shown in FIG. "Acquisition date and time" indicates the date and time when the context information was acquired.

The "context information" indicates various information for indicating the context of the terminal device used by the user. Since the context information is information indicating the usage status of the terminal device, various information is included. In the example shown in FIG. 7, the context log storage unit 124 stores information indicating whether or not the registered context has been acquired with respect to the context registered in advance by the user. Specifically, FIG. 7 shows an example in which a log of context information related to the context indicated by the registration ID “R01” is stored among the registration information shown in FIG.

For example, the context information includes sub-items such as "acquired information" and "correctness". The "acquired information" corresponds to the context information regarding the context indicated by the registration ID "R01". For example, in the example shown in FIG. 7, whether or not the "position information G01" has been acquired is stored as the acquired information. Similarly, as the acquired information, the correctness of whether or not "communication with the user terminal 10 (and the determination device 100)" and "communication with the speaker 20 (and the user terminal 10)" is acquired is stored. ..

For example, in FIG. 7, since the “position information G01” is acquired as the context information at “7:00 on November 1, 2015”, it is memorized that the correctness is “positive (1)”. Similarly, since "with communication" is acquired in the "user terminal 10", it is stored that the correctness is "positive (1)". Similarly, since "with communication" is acquired in the "speaker 20", it is stored that the correctness is "positive (1)".

On the other hand, as the context information in "November 1, 2015 9:00", "location information G03" is acquired, which is different from "location information G01" indicating the registered context. Therefore, "No (0)" is stored in the correctness. Similarly, since "no communication" is acquired in the "speaker 20", "no (0)" is stored as the correctness. This indicates that the user U01 has gone out of his / her home (indicated by the position information G01) and the communication between the user terminal 10 and the speaker 20 has been lost. Since the "user terminal 10" still maintains communication with the determination device 100, "with communication" is acquired, and "positive (1)" is stored as the correctness.

In this way, the context log storage unit 124 stores the context information indicating the context of the user terminal 10, and also stores the information as to whether or not the registered context is satisfied as a log. In one example of FIG. 7, the information about the context indicated by the registration ID “R01” is shown as an example, but the context log storage unit 124 also stores the information about the context indicated by the registration ID “R02” at the same time. And.

(About control unit 130)
In the control unit 130, for example, various programs stored in the storage device inside the determination device 100 are executed by the CPU (Central Processing Unit), the MPU (Micro Processing Unit), or the like with the RAM (Random Access Memory) as the work area. It is realized by. Further, the control unit 130 is realized by, for example, an integrated circuit such as an ASIC (Application Specific Integrated Circuit) or an FPGA (Field Programmable Gate Array).

As shown in FIG. 3, the control unit 130 includes a registration unit 131, a reception unit 132, an authentication unit 133, an acquisition unit 134, a determination unit 135, and a transmission unit 136, and the information described below. Realize or execute the function or action of processing. The internal configuration of the control unit 130 is not limited to the configuration shown in FIG. 3, and may be another configuration as long as it is a configuration for performing information processing described later. Further, the connection relationship of each processing unit included in the control unit 130 is not limited to the connection relationship shown in FIG. 3, and may be another connection relationship.

(Registration unit 131)
The registration unit 131 accepts registration for the context of the user terminal 10 when the user terminal 10 is authenticated. For example, the registration unit 131 accepts registration in advance from the user U01 who uses the user terminal 10 for a context that is frequently observed when performing authentication. The context received by the registration unit 131 is used for the determination process by the determination unit 135, and the authentication procedure required for the user terminal 10 is skipped under predetermined conditions. In this way, the registration unit 131 can improve the convenience in the subsequent authentication process by registering the context in advance.

The registration unit 131 stores the received context in the registration information storage unit 121. In addition, the registration unit 131 may accept changes and updates of the registered context from a user who has already registered the context.

(About receiver 132)
The receiving unit 132 receives various information. For example, the receiving unit 132 receives various requests transmitted from the user terminal 10. Specifically, the receiving unit 132 receives an access request to a predetermined restricted site from the user terminal 10. In addition, the receiving unit 132 receives the request for authentication of the user terminal 10. In addition, the receiving unit 132 receives the authentication information transmitted from the user terminal 10 in the authentication procedure.

In the above process, the receiving unit 132 may receive the access request to the predetermined restricted site and the authentication request of the user terminal 10 via the web server 60. That is, when the user terminal 10 accesses the site managed by the web server 60, the web server 60 determines that the access request has been made and that the user terminal 10 needs to be authenticated in order to approve the access. It is transmitted to the device 100. The receiving unit 132 receives the request transmitted from the web server 60, and appropriately sends the information regarding the received request to each processing unit of the control unit 130.

In addition, the receiving unit 132 receives the authentication means used in the authentication and the correct answer data corresponding to the authentication means. The receiving unit 132 stores the received information in the authentication information storage unit 122.

(About certification unit 133)
The authentication unit 133 authenticates the identity of the user U01 who uses the user terminal 10. Specifically, the authentication unit 133 performs an authentication procedure for the user terminal 10 to be authenticated based on the information stored in the authentication information storage unit 122. That is, the authentication unit 133 receives the authentication information from the user terminal 10 and verifies the match between the received authentication information and the correct answer data. Then, when the match between the received authentication information and the correct answer data is verified, the authentication unit 133 determines that the identity of the user U01 using the user terminal 10 has been confirmed, and authenticates the user terminal 10.

For example, the authentication unit 133 executes an authentication process for the user terminal 10 when the user terminal 10 accesses a restricted site in order to use a predetermined service, or when a login process for using the service is performed. ..

Further, when the determination unit 135, which will be described later, makes a determination, the authentication unit 133 determines whether or not to perform the authentication procedure according to the determination by the determination unit 135. Specifically, when it is determined by the determination unit 135 that the authentication unit 133 needs to perform the authentication procedure for the authentication request, the authentication unit 133 performs the authentication procedure for the user terminal 10. On the other hand, when the determination unit 135 determines that it is not necessary to perform the authentication procedure for the authentication request, the authentication unit 133 omits the authentication procedure and authenticates the user terminal 10. In this case, the authentication unit 133 authenticates the user terminal 10 based on the context of the user terminal 10 instead of the authentication information transmitted from the user terminal 10.

(About acquisition unit 134)
The acquisition unit 134 acquires various types of information. For example, the acquisition unit 134 acquires context information which is information indicating the context of the user terminal 10. Specifically, the acquisition unit 134 communicates with the environment information detected by the user terminal 10, the device information of the user terminal 10 itself, the user information about the user U01 using the user terminal 10, and the user terminal 10 as context information. Acquire information about external devices to be used.

As context information detected by the user terminal 10, the acquisition unit 134 includes, for example, position information indicating the position where the user terminal 10 is located, temperature and humidity information around the user terminal 10, and optical information indicating the intensity of ambient light. , Acquires sound information or the like indicating the ambient noise level of the user terminal 10. Further, the acquisition unit 134 may acquire environmental information around the user terminal 10 based on a photograph or a video taken by a camera included in the user terminal 10. For example, the acquisition unit 134 acquires the environment information around the user terminal 10 based on the image information taken by the camera, the position information included in the image information, the date and time when the image was taken, and the like.

Further, the acquisition unit 134 uses the device information of the user terminal 10 itself as information on the CPU, OS (Operating System), memory, etc. of the user terminal 10, network functions such as antennas, installed software, and browser software to be used. , Acquire information such as the corresponding authentication means (for example, whether or not it has a function of acquiring fingerprint data or a function of acquiring iris).

Further, the acquisition unit 134 may acquire the operating status of the user terminal 10. For example, the acquisition unit 134 determines whether or not the user terminal 10 is in the activated state, and if it is in the activated state, whether the screen is ON / OFF, whether the user terminal 10 is moving / stationary, or the like. Get information. Such information is acquired by, for example, an application having a predetermined sensing function installed in the user terminal 10 and held inside the user terminal 10.

In addition, the acquisition unit 134 includes attribute information, current behavior information, behavior history on the network, interests, etc. of the user who is the target of acquisition of context information or other users who are related to the user. Acquire information about relationships with other users (being physically close, being in the same organization, having a social connection, etc.). Such user information is acquired, for example, by referring to a browser log or the like stored in the user terminal 10.

Further, the acquisition unit 134 acquires information for identifying an external device in a mutual communication state with the user terminal 10, an established communication type, a frequency band, and the like as information regarding an external device that communicates with the user terminal 10. do.

The acquisition unit 134 acquires the above-mentioned information by periodically receiving the context information from the user terminal 10. Further, the acquisition unit 134 performs a predetermined communication with the user terminal 10 or the like at predetermined time intervals regardless of the transmission from the user terminal 10, and crawls the context information held inside the user terminal 10. , You may get the context information. The acquisition unit 134 stores the acquired information in the authentication log storage unit 123 and the context log storage unit 124.

(About judgment unit 135)
The determination unit 135 determines the authentication requested from the user terminal 10 based on the context information acquired by the acquisition unit 134. For example, the determination unit 135 is based on a change between the context information acquired when the authentication request is received by the reception unit 132 and the context information acquired when the authentication request is previously received. It is determined whether or not it is necessary to perform an authentication procedure for the authentication request received by the receiving unit 132. More specifically, the determination unit 135 performs the authentication procedure for the current request based on the change between the context information acquired at the time of the previous authentication request and the context information acquired at the time of the current authentication request. Determine if it is necessary.

The determination unit 135 verifies whether the existence of the context information itself changes or the value indicated by the context information changes as a change in the context information. The fact that the existence of the context information itself changes means that, for example, the context information such as "mutual communication between the user terminal 10 and the speaker 20 has been established" is no longer observed at a certain point in time, that is, the context information. It means that "yes / no" of is changed. Further, when the value indicated by the context information changes, for example, the context information such as "the position information of the user terminal 10 is G01" is said to be "the position information of the user terminal 10 is G02" at a certain point in time. It means changing to context information.

The determination unit 135 sets a predetermined threshold value for the existence or change of the value of the context information, and determines the change of the context information of the user terminal 10. That is, the determination unit 135 determines whether or not it is necessary to perform the authentication procedure for the current authentication request based on the rate of change or the amount of change in the context information.

For example, the determination unit 135 shall determine several types of context information acquired at the time of the previous authentication. In this case, the determination unit 135 determines the amount of change indicating how many pieces of information have changed among several types of context information. Further, when the context information is information indicating a numerical value, the determination unit 135 determines the rate of change indicating how much the numerical value has changed. For example, the determination unit 135 may determine that there is no change in the context of the user terminal 10 when only one of several types of context information to be determined has changed. Alternatively, even if the acquired position information G01 is changed to the position information G02, the determination unit 135 can use the context of the user terminal 10 as long as the information indicates a range in which the position information G01 and the position information G02 are very close to each other. It may be determined that there is no change in. The amount of change and the threshold value of the rate of change for determining that the context information has changed may be appropriately set through, for example, a known learning process by repeating the process, or may be artificially set by the administrator of the determination device 100 or the like. May be set.

Then, when it is determined that the context information has changed beyond a predetermined threshold value, the determination unit 135 determines that a new authentication procedure for the user terminal 10 is required. On the other hand, when the determination unit 135 determines that the context information has not changed beyond a predetermined threshold value, it determines that a new authentication procedure for the user terminal 10 is not required.

Further, whether or not the determination unit 135 is required to perform the authentication procedure for the current authentication request based on the pattern of change of the context information acquired from the time of the previous authentication request to the time of the current authentication request. May be determined. For example, the determination unit 135 periodically refers to the context log acquired by the acquisition unit 134. Then, the determination unit 135 determines whether or not a new authentication procedure is required according to the change pattern of the context log. For example, the determination unit 135 only repeats such a change even when the context information in which the communication between the user terminal 10 and the speaker 20 is established or interrupted is acquired, and the determination unit 135 only repeats such a change, and the previous authentication and the current time. If it is assumed that there is no significant change in the context of the user terminal 10 at the time of authentication, it may be determined that a new authentication procedure is not required. On the other hand, even if the context information acquired at the time of the previous authentication request and the context information acquired at the time of the current authentication request match, the determination unit 135 is normally observed in the context log periodically acquired during that period. When a change pattern different from the change is observed, it may be determined that the user terminal 10 is required to perform a new authentication procedure in this authentication.

Further, the determination unit 135 may make a determination based on the context registered in advance as described above. That is, when the context information acquired when the authentication request is received by the receiving unit 132 indicates the context registered by the registration unit 131, the determination unit 135 authenticates the authentication request. It may be determined that the procedure does not need to be performed.

(About transmitter 136)
The transmission unit 136 transmits various information. For example, the transmission unit 136 transmits the result of the authentication process performed by the authentication unit 133 to the user terminal 10 that has requested the authentication. For example, when the authentication unit 133 authenticates the user terminal 10, the transmission unit 136 transmits information indicating that the authentication is successful and the connection to the predetermined site is permitted to the user terminal 10.

[1-4. User terminal configuration]
Next, the configuration of the user terminal 10 according to the first embodiment will be described with reference to FIG. FIG. 8 is a diagram showing a configuration example of the user terminal 10 according to the first embodiment. As shown in FIG. 8, the user terminal 10 includes a communication unit 11, an input unit 12, a display unit 13, a detection unit 14, a storage unit 15, and a control unit 16.

(About communication unit 11)
The communication unit 11 is connected to the network N by wire or wirelessly, and transmits / receives information to / from the speaker 20, the determination device 100, and the web server 60. For example, the communication unit 11 is realized by a NIC or the like.

(About input unit 12 and display unit 13)
The input unit 12 is an input device that receives various operations from the user. For example, the input unit 12 is realized by an operation key or the like provided on the user terminal 10. The display unit 13 is a display device for displaying various types of information. For example, the display unit 13 is realized by a liquid crystal display or the like. When a touch panel is adopted for the user terminal 10, a part of the input unit 12 and the display unit 13 are integrated.

(About detection unit 14)
The detection unit 14 detects various information about the user terminal 10. Specifically, the detection unit 14 performs the operation of the user U01 on the user terminal 10, the position information where the user terminal 10 is located, the information about the device connected to the user terminal 10, the environment in the user terminal 10, and the like. Detect. In the example shown in FIG. 8, the detection unit 14 includes an operation detection unit 141, a position detection unit 142, an external device detection unit 143, and an environment detection unit 144.

(About operation detection unit 141)
The operation detection unit 141 detects the operation of the user U01 with respect to the user terminal 10. For example, the operation detection unit 141 detects the operation of the user U01 based on the information input to the input unit 12. That is, the operation detection unit 141 detects that the input unit 12 has been input for an operation of touching the screen, that there has been an input of voice, and the like. Further, the operation detection unit 141 may detect that the predetermined application has been started by the user U01. When such an application is an application that operates an imaging device in the user terminal 10, the operation detection unit 141 detects that the imaging function is being used by the user U01. Further, the operation detection unit 141 may detect an operation such that the user terminal 10 itself is moved based on the data detected by the acceleration sensor, the gyro sensor, or the like provided in the user terminal 10.

(About position detector 142)
The position detection unit 142 detects the current position of the user terminal 10. Specifically, the position detection unit 142 receives radio waves transmitted from GPS satellites, and acquires position information (for example, latitude and longitude) indicating the current position of the user terminal 10 based on the received radio waves.

The position detection unit 142 can acquire position information by various methods. For example, when the user terminal 10 has a function equivalent to that of a contactless IC card used at a station ticket gate, a store, etc. (or, the user terminal 10 has a function of reading the history of a contactless IC card. Case), the used position is recorded together with the information that the user terminal 10 has settled the boarding fee at the station. The position detection unit 142 detects such information and acquires it as position information. Further, when the user terminal 10 communicates with a specific access point, the position detection unit 142 may detect the position information that can be acquired from the access point. Further, the position information may be acquired by an optical sensor, an infrared sensor, a magnetic sensor, or the like provided in the user terminal 10.

(About external device detection unit 143)
The external device detection unit 143 detects an external device connected to the user terminal 10. For example, the external device detection unit 143 detects the external device based on the exchange of communication packets with the external device. Then, the external device detection unit 143 recognizes the detected external device as a terminal connected to the user terminal 10. Further, the external device detection unit 143 may detect the type of connection with the external device. For example, the external device detection unit 143 detects whether the external device is connected by wire or by wireless communication. Further, the external device detection unit 143 may detect a communication method or the like used in wireless communication. Further, the external device detection unit 143 may detect the external device based on the information acquired by the radio wave sensor that detects the radio wave emitted by the external device, the electromagnetic wave sensor that detects the electromagnetic wave, or the like.

(About environment detection unit 144)
The environment detection unit 144 detects the environment in the user terminal 10. The environment detection unit 144 detects information about the environment by using various sensors and functions provided in the user terminal 10. For example, the environment detection unit 144 includes a microphone that collects the sound around the user terminal 10, an illuminance sensor that detects the illuminance around the user terminal 10, and an acceleration sensor (or an acceleration sensor) that detects the physical movement of the user terminal 10. , Gyro sensor, etc.), a humidity sensor that detects the ambient humidity of the user terminal 10, a geomagnetic sensor that detects the magnetic field at the location of the user terminal 10, and the like. Then, the environment detection unit 144 detects various information by using various sensors. For example, the environment detection unit 144 detects the noise level around the user terminal 10 and whether the surroundings of the user terminal 10 have an illuminance suitable for capturing the iris of the user U01. Further, the environment detection unit 144 may detect surrounding environment information based on a photograph or a video taken by the camera.

(About storage unit 15)
The storage unit 15 stores various information. The storage unit 15 is realized by, for example, a semiconductor memory element such as a RAM or a flash memory, or a storage device such as a hard disk or an optical disk. For example, the storage unit 15 stores various information detected by the detection unit 14 in association with the detected date and time.

(About control unit 16)
The control unit 16 is realized by, for example, a CPU, an MPU, or the like executing various programs stored in a storage device inside the user terminal 10 with the RAM as a work area. Further, the control unit 16 is realized by, for example, an integrated circuit such as an ASIC or FPGA.

As shown in FIG. 8, the control unit 16 includes an acquisition unit 161, a reception unit 162, an authentication control unit 163, and a transmission unit 164, and realizes or executes an information processing function or operation described below. do. The internal configuration of the control unit 16 is not limited to the configuration shown in FIG. 8, and may be another configuration as long as it is a configuration for performing information processing described later.

(About acquisition unit 161)
The acquisition unit 161 acquires various types of information. For example, the acquisition unit 161 acquires various information detected by the detection unit 14 as context information indicating the context of the user terminal 10 by controlling the detection unit 14. Specifically, the acquisition unit 161 acquires the position information of the user terminal 10 and the time information corresponding to the time when the position information is detected by controlling the position detection unit 142.

The acquisition unit 161 may acquire the context information at predetermined time intervals. For example, the acquisition unit 161 acquires context information by controlling the detection unit 14 described above on a regular basis (every 1 minute, every 3 minutes, every 5 minutes, etc.). The timing at which the acquisition unit 161 acquires the context information may be set by the determination device 100.

(About receiver 162)
The receiving unit 162 receives various information. For example, the receiving unit 162 receives the request for the authentication information transmitted from the determination device 100. The receiving unit 162 sends the received information to each processing unit of the control unit 16.

(About authentication control unit 163)
The authentication control unit 163 controls the authentication process for the determination device 100. For example, when a request for authentication information is transmitted from the determination device 100, the authentication control unit 163 performs a process related to an authentication procedure corresponding to the requested authentication information. For example, the authentication control unit 163 identifies an authentication means corresponding to the requested authentication information. Then, the authentication control unit 163 executes the process according to the authentication means.

For example, when the requested authentication information is the fingerprint data of the user U01, the authentication control unit 163 causes the display unit 13 to display the fingerprint input screen. Then, when the authentication control unit 163 receives the input of the fingerprint data from the user U01, the authentication control unit 163 performs a process for transmitting the received fingerprint data to the determination device 100. Then, the authentication control unit 163 sends the data to be transmitted to the transmission unit 164.

(About transmitter 164)
The transmission unit 164 transmits the context information acquired by the acquisition unit 161 to the determination device 100. Further, the transmission unit 164 transmits the authentication information acquired by the authentication control unit 163 to the determination device 100.

[1-5. Processing procedure]
Next, the procedure of processing by the determination device 100 according to the first embodiment will be described with reference to FIG. FIG. 9 is a flowchart showing a determination processing procedure according to the first embodiment.

As shown in FIG. 9, the authentication unit 133 authenticates the user U01 using the user terminal 10 (step S101). After that, the acquisition unit 134 periodically acquires the context information of the user terminal 10 (step S102).

Then, the receiving unit 132 determines whether or not a new authentication request has been received from the user terminal 10 (step S103). When the new authentication request is not received (step S103; No), the acquisition unit 134 continues the process of acquiring the context information.

On the other hand, when a new authentication request is received (step S103; Yes), the determination unit 135 determines whether or not a change in the context of the user terminal 10 has been detected (step S104). When the change in context is not detected (step S104; No), the determination unit 135 determines that a new authentication procedure for the user terminal 10 is not required (step S105).

On the other hand, when a change in context is detected (step S104; Yes), the determination unit 135 determines that a new authentication procedure for the user terminal 10 is required (step S106). In this case, the authentication unit 133 requests the user terminal 10 for the authentication information (step S107). Then, the receiving unit 132 receives the authentication information transmitted from the user terminal 10 (step S108).

In the case of step S105, the authentication unit 133 authenticates the user terminal 10 with the acquired context information (step S109). That is, the authentication unit 133 can authenticate the user terminal 10 by omitting the authentication procedure of transmitting the authentication information from the user terminal 10. Further, in the case of step S108, the authentication unit 133 authenticates the user terminal 10 by determining a match with the transmitted authentication information (step S109).

The determination regarding the change in the context in step S104 may be made by comparison with the context registered in advance, or may be made by comparison with the context from the time of the previous authentication.

[1-6. Variations in judgment processing]
In the first embodiment, for example, the process performed by the determination device 100 has been described with reference to an example in which the user terminal 10 accesses a predetermined restricted site. Then, when a predetermined determination is made, the context itself becomes the authentication information, and an example of authenticating the user terminal 10 by omitting the authentication procedure is shown. In this way, the process in which the context itself becomes the authentication information may be applied to various situations. This point will be described with reference to FIG.

FIG. 10 is a diagram showing a modified example of the determination process according to the first embodiment. FIG. 10 shows an example in which a plurality of users, a user U01 and a user U02 who uses the terminal device 30, use the shared file 40. In order to ensure safety, the shared file 40 has a predetermined access restriction, and only a limited number of users can view it. Further, it is assumed that the access to the shared file 40 is controlled by the determination device 100.

In the example of FIG. 10, the user U01 registers the context in the determination device 100 in advance (step S21). For example, the user U01 registers as a context that "short-range communication between the user terminal 10 and the terminal device 30 has been established".

The user U01 requests the determination device 100 for authentication and causes the determination device 100 to execute the authentication process (step S22). As a result, the user U01 is in a state of being authenticated by the determination device 100. Further, at this time, it is assumed that the context of "short-range communication between the user terminal 10 and the terminal device 30 is established" is realized.

After that, the user terminal 10 periodically transmits the context information (step S23). After a predetermined time, the user U01 requests the determination device 100 to view the shared file 40 (step S24). The determination device 100 verifies the context based on the transmitted information (step S25). Then, the determination device 100 determines that the context of "short-range communication between the user terminal 10 and the terminal device 30 is established" is maintained unchanged. In this case, the determination device 100 authenticates the user U01 according to the registered context (step S26). As a result, the user U01 is approved for viewing the shared file 40 (step S27).

After that, it is assumed that the user U02 moves (step S28) and the short-range communication between the user terminal 10 and the terminal device 30 is interrupted. The user terminal 10 periodically transmits such context information to the determination device 100 (step S29). After that, the user terminal 10 requests the determination device 100 to view the shared file 40 (step S30).

The determination device 100 detects a change in context based on the transmitted information (step S31). That is, the determination device 100 determines that the context of "short-range communication between the user terminal 10 and the terminal device 30 is established" has changed. In this case, the determination device 100 determines that the authentication in the registered context cannot be performed (step S32). As a result, the user U01 is denied the request to view the shared file 40 (step S33).

As shown in the example of FIG. 10, the determination device 100 can use not only the determination as to whether or not to perform the authentication procedure for the change in the context but also the change in the context as the authentication information. In this case, if the context of "establishing short-range communication between the user terminal 10 and the terminal device 30" registered in the determination device 100 in advance is not realized, the user U01 cannot use the shared file 40. .. In this way, according to the determination device 100, by determining the change in the context from a certain point in time, it is possible to prevent the already granted access right from being granted. As a result, for example, it is possible to prevent the shared file 40 from being tampered with by a specific user, so that the determination device 100 can provide the user with more secure authentication.

[1-7. effect〕
As described above, the determination device 100 according to the first embodiment includes a reception unit 132, an acquisition unit 134, and a determination unit 135. The receiving unit 132 receives a request for authentication of the identity of the user U01 who uses the user terminal 10. The acquisition unit 134 acquires context information which is information indicating the context of the user terminal 10. The determination unit 135 determines the authentication requested from the user terminal 10 based on the context information acquired by the acquisition unit 134.

In this way, the determination device 100 according to the first embodiment determines whether or not to perform the authentication procedure based on the context of the user terminal 10 to be authenticated. For example, the determination device 100 determines that a new authentication procedure is not required when the context received in advance from the user terminal 10 and the context at the time of authentication are the same. That is, since the determination device 100 can authenticate the user terminal 10 by omitting a new authentication procedure, the time and effort required for authentication can be saved, and the convenience of the user is improved.

Further, the determination unit 135 is based on a change between the context information acquired when the authentication request is received by the reception unit 132 and the context information acquired when the authentication request is previously received. It is determined whether or not it is necessary to perform an authentication procedure for the authentication request received by the receiving unit 132.

As described above, the determination device 100 according to the first embodiment determines based on the change in the context information at the time of the authentication performed in the past (for example, at the time of the previous authentication) and the context information at the time of the current authentication. Perform processing. As a result, the determination device 100 can verify the context information at the timing of each authentication opportunity, so that an appropriate determination process can be performed.

Further, the determination unit 135 is based on the rate of change between the context information acquired when the authentication request is received by the reception unit 132 and the context information acquired when the authentication request is previously received. , It is determined whether or not it is necessary to perform the authentication procedure for the authentication request received by the receiving unit 132.

As described above, the determination device 100 according to the first embodiment performs the determination process based on the rate of change of the context information between the time of the current authentication and the request and the time of the previously performed authentication request. As a result, the determination device 100 can perform flexible processing such as determining that the user terminal 10 is still used by the same user if there is a slight change in the context information.

Further, the determination unit 135 is based on the amount of change between the context information acquired when the authentication request is received by the reception unit 132 and the context information acquired when the authentication request is previously received. , Determine if it is necessary to perform the certification procedure.

As described above, the determination device 100 according to the first embodiment may perform the determination process based on the amount of change in the context information. For example, when the context information is indicated by a numerical value, the determination device 100 sets a predetermined threshold value for the amount of change in the numerical value. Then, the determination device 100 can determine whether or not the context of the user terminal 10 (or the user U01) has changed by determining whether or not the threshold value has been exceeded. That is, the determination device 100 can perform flexible determination processing by adjusting the threshold setting or the like.

Further, the determination unit 135 is based on a pattern of change between the context information acquired when the authentication request is received by the reception unit 132 and the context information acquired when the authentication request is previously received. To determine whether or not it is necessary to carry out the authentication procedure.

As described above, the determination device 100 according to the first embodiment may perform the determination process based on the pattern of change in the context information. As a result, the determination device 100 determines that the user terminal 10 may be used by another user even if a similar context is observed at the timing of authentication, and requests the authentication procedure. be able to. Therefore, the determination device 100 can ensure higher safety.

Further, the determination device 100 according to the first embodiment further includes a registration unit 131 that accepts registration regarding the context of the user terminal 10 when the user terminal 10 is authenticated. If the context information acquired when the authentication request is received indicates the context registered by the registration unit 131, the determination unit 135 is required to perform the authentication procedure for the authentication request. Judge not to.

As described above, the determination device 100 according to the first embodiment can accept the registration of the context in advance and perform the determination process based on the comparison with the registered context. By registering a context or the like in which authentication is likely to occur in advance, the user can omit the authentication procedure when the registered context is observed. As a result, the determination device 100 can improve the convenience of authentication.

Further, when the determination device 100 according to the first embodiment determines that it is necessary for the determination unit 135 to perform the authentication procedure for the authentication request, the determination unit 135 performs the authentication procedure for the user terminal 10. If it is determined that it is not necessary to perform the authentication procedure for the authentication request, the authentication unit 133 that authenticates the user terminal 10 by omitting the authentication procedure is further provided.

In this way, the determination device 100 according to the first embodiment can determine whether or not to perform the authentication procedure according to the determination process. Therefore, the determination device 100 can improve the convenience of the user by omitting the authentication procedure when the context information is reliable, and when the context information is unreliable, the determination device 100 authenticates. By performing the procedure, the security of authentication can be enhanced. In this way, the determination device 100 can perform a convenient authentication process while ensuring safety.

[2. Second Embodiment]
In the first embodiment described above, an example of determining whether or not an authentication procedure is required is shown based on a change between the context information at the time of the previous authentication and the context information when a new authentication request is made. In addition, in the determination process, the user accepts the registration of the context used for authentication in advance, and whether or not the authentication procedure is required based on the change between the registered context and the context when a new authentication request is made. An example of judgment is shown. Here, the present invention may perform the determination process by estimating the context used for the determination instead of accepting the registration in advance. This point will be described as a second embodiment. The same matters as those described in the first embodiment will be omitted.

[2-1. Example of judgment processing]
First, an example of the determination process according to the second embodiment will be described with reference to FIG. FIG. 11 is a diagram showing an example of the determination process according to the second embodiment. The determination device 200 shown in FIG. 11 estimates a predetermined context regarding the user terminal 10, and performs determination processing based on the estimated context.

The user U01 shown in FIG. 11 is a user who uses the user terminal 10 and the clock-type terminal 50. For example, the user U01 requests the determination device 200 to authenticate when accessing a predetermined restricted site by using the user terminal 10. The user U01 transmits the context information regarding the user terminal 10 together with the authentication request (step S41). In this case, the context information transmitted from the user terminal 10 is, for example, "short-range communication between the user terminal 10 and the clock-type terminal 50 is established" and the like.

The determination device 200 stores the acquired context log in the storage unit 120 (step S42). Then, the determination device 200 estimates the context used in the authentication according to a predetermined estimation rule (step S43). Although details will be described later, for example, when the user terminal 10 is authenticated, the determination device 200 acquires context information that "short-range communication between the user terminal 10 and the clock-type terminal 50 is established" with a high probability. It shall be. Further, the determination device 200 has a rule that, when the same context information is acquired a certain number of times out of a predetermined number of times of authentication, the context indicated by the context information is estimated as the context used in the authentication. .. In this case, the determination device 200 estimates that "short-range communication between the user terminal 10 and the clock-type terminal 50 is established" as the context used for authentication.

After that, the user terminal 10 periodically transmits the context information to the determination device 200 (step S44). Then, at a certain timing, the user terminal 10 requests access to the site with authentication restrictions (step S45). At this time, the determination device 200 verifies that the context indicated by the periodically transmitted context information and the context indicated by the context information when the access is requested matches the estimated context (step S46). .. This is the same as the process in which the determination device 100 verifies the match between the pre-registered context information and the periodically transmitted content information and the context information when the access is requested in the first embodiment. It can be said that it is a process of.

Then, the determination device 200 determines that the estimated context matches the context when the access is requested. That is, the determination device 200 normally authenticates with the same context information from the user terminal 10 that authenticates with the context information that "short-range communication between the user terminal 10 and the clock-type terminal 50 is established". Since there is a request, it is highly probable that the user terminal 10 is determined to be operated by the user U01 who is normally authenticating.

Then, the determination device 200 determines that a new authentication procedure is not required at the time of the access request in step S45 (step S47). Then, the determination device 200 approves the access request of the user terminal 10 by omitting the new authentication procedure (step S48).

As described above, the determination device 200 according to the second embodiment has a context estimation means. Then, the determination device 200 performs a determination process related to the authentication of the user U01 based on the estimated change in the context. As a result, the determination device 200 can determine the agreement of the contexts without accepting the registration of the context from the user U01 in advance. Therefore, the determination device 200 can perform an appropriate determination process without imposing a complicated process on the user U01.

[2-2. Judgment device configuration]
Next, the configuration of the determination device 200 according to the second embodiment will be described with reference to FIG. FIG. 12 is a diagram showing a configuration example of the determination device 200 according to the second embodiment. As shown in FIG. 12, the determination device 200 has an estimation rule storage unit 225 and an estimation unit 237.

(About the estimation rule storage unit 225)
The estimation rule storage unit 225 stores a rule for estimating the context. For example, the estimation rule storage unit 225 stores rules such as calculation of the similarity of the context used for estimating the context. Further, the estimation rule storage unit 225 may store, for example, a rule of estimating as a context to be used for the determination process when the context log is accumulated more than a predetermined number of times. The estimation rule stored in the estimation rule storage unit 225 is artificially set and stored by, for example, the administrator of the determination device 200 or the like.

(About estimation unit 237)
The estimation unit 237 estimates the context of the user terminal 10 when the user terminal 10 is authenticated, based on the context information acquired by the acquisition unit 134. In this case, if the context information acquired when the authentication request is received indicates the context estimated by the estimation unit 237, the determination unit 135 performs the authentication procedure for the authentication request. It may be determined that this is not necessary.

The estimation unit 237 estimates the context used for the determination process based on the estimation rule stored in the estimation rule storage unit 225. Further, the estimation unit 237 may perform a process of estimating the context when the context of the user terminal 10 cannot be definitively determined from the context information acquired by the acquisition unit 134.

That is, when the context cannot be definitively determined, the estimation unit 237 calculates the similarity of the context using as much context information as is obtained. Specifically, the estimation unit 237 derives a similar context by referring to the context log, the authentication log, and the context information included in the authentication log. Then, the estimation unit 237 estimates the derived similar context as the context indicated by the context information.

As described in the first embodiment, the acquisition unit 134 acquires various information as context information. On the other hand, the acquisition unit 134 cannot always acquire the content information that determines the context of the user terminal 10. In this case, the estimation unit 237 performs a process of estimating the context based on the acquired context information according to a predetermined rule. As a result, the determination device 200 can appropriately perform the determination process even in a situation where relatively little context information is acquired.

[2-3. effect〕
As described above, the determination device 200 according to the second embodiment is an estimation unit that estimates the context of the user terminal 10 when the user terminal 10 is authenticated based on the context information acquired by the acquisition unit 134. 237 is provided. Further, when the context information acquired when the authentication request is received indicates the context estimated by the estimation unit 237, the determination unit 135 performs the authentication procedure for the authentication request. Is not required.

In this way, the determination device 200 according to the second embodiment can estimate the context used in the determination process. For example, according to the determination device 200, a context that is likely to occur at the time of user authentication is estimated without requiring a prior registration process, and a determination process using the estimated context is performed. As a result, the user can omit the authentication procedure when the identity verification is ensured by the context without the trouble of pre-registration or the like. That is, the determination device 200 can improve the convenience of the user.

Further, the estimation unit 237 authenticates the user terminal 10 based on the similarity between the context information log acquired by the acquisition unit 134 and the context information log when the user terminal 10 was previously authenticated. The context of the user terminal 10 is estimated.

In this way, the determination device 200 according to the second embodiment estimates the context of the user terminal 10 based on the context log. As a result, the determination device 200 can improve the estimation accuracy of the context and perform an appropriate determination process.

[3. Third Embodiment]
In the second embodiment, an example is shown in which the determination device 200 includes an estimation unit 237 and an estimation rule storage unit 225. Here, the present invention may be configured to include a learning unit that performs predetermined learning based on the estimation process by the estimation unit 237 and updates the estimation rule by learning. This point will be described as a third embodiment. The same matters as those described in the first and second embodiments will be omitted.

[3-1. Judgment device configuration]
The configuration of the determination device 300 according to the third embodiment will be described with reference to FIG. FIG. 13 is a diagram showing a configuration example of the determination device 300 according to the third embodiment. As shown in FIG. 13, the determination device 300 has a learning unit 338.

(About Learning Department 338)
The learning unit 338 learns about the estimation rule used when the context is estimated by the estimation unit 237. As described in the second embodiment, the estimation unit 237 is based on a predetermined estimation rule, for example, the similarity between the log of the context information and the log of the context information when the user terminal 10 is previously authenticated. Based on, the context when the user terminal 10 is authenticated is estimated. The learning unit 338 improves the accuracy of the estimation process by the estimation unit 237 by updating the estimation rule based on the result of the estimation process by the estimation unit 237.

For example, the learning unit 338 determines the context after the estimation process by the estimation unit 237, or when the context is determined based on the context information newly acquired at the time of authentication. Learn the correctness of the estimation. Then, the learning unit 338 learns the estimation rule of the context according to the accumulation of the result of the estimation process. For example, the learning unit 338 performs learning based on the estimation result of the context regarding the user U01, which is accumulated by repeating the estimation process regarding the user U01 which is a specific user. As a result, the learning unit 338 can accurately update the estimation rule based on the environment, device information, etc. that the user U01 always uses, so that the accuracy of the estimation process can be improved. Further, the learning unit 338 may generate a new rule by using the existing estimation rule in the past when the user terminal 10 is placed in a context without information as a log.

Further, the estimation unit 237 sets the context of the user terminal 10 based on the estimation rule learned by the learning unit 338 and is learned corresponding to the user other than the user U01 who uses the user terminal 10. You may estimate. That is, the learning unit 338 can apply the estimation rule obtained as a result of learning about a user other than the user U01 to the user U01 as a meta rule. That is, the learning unit 338 can apply the estimation rule generated as a result of learning not only to a specific user but also to a general user. As a result, the estimation unit 237 can further improve the estimation accuracy of the context. The learning process by the learning unit 338 as described above may be performed by combining known learning processing methods.

[3-2. effect〕
As described above, the determination device 300 according to the third embodiment includes a learning unit 338 that learns about the estimation rule used when the context is estimated by the estimation unit 237. Further, the estimation unit 237 estimates the context of the user terminal 10 based on the estimation rule learned by the learning unit 338 and is learned corresponding to the user U01 who uses the user terminal 10.

As described above, the determination device 300 according to the third embodiment can obtain the rules used for the estimation process by learning. Therefore, the determination device 300 can estimate the context with high accuracy as the processing progresses. As a result, the determination device 300 can appropriately determine whether or not to allow the user to perform the authentication procedure, so that the convenience of the user can be improved.

Further, the estimation unit 237 sets the context of the user terminal 10 based on the estimation rule learned by the learning unit 338 and is learned corresponding to the user other than the user U01 who uses the user terminal 10. presume.

As described above, the determination device 300 according to the third embodiment can apply the data learned corresponding to a predetermined user to other users as metadata. Therefore, the determination device 300 can estimate the context with high accuracy even when unknown context information is acquired, so that the accuracy of each process executed by the determination device 300 can be improved. ..

[4. Modification example]
The determination device 100 described above may be implemented in various different forms other than the above embodiment. Therefore, in the following, another embodiment of the determination device 100 (including the determination device 200 and the determination device 300) will be described.

[4-1. Authentication in the terminal]
In the above embodiment, the determination device 100 shows an example of authenticating the user terminal 10 based on the authentication information transmitted from the user terminal 10. Here, the user terminal 10 does not transmit the authentication information itself to the determination device 100, but adopts a method of executing the authentication of the user U01 inside the user terminal 10 and transmitting only such a result to the determination device 100. You may.

In this case, the user terminal 10 stores the correct answer data inside the user terminal 10 in order to authenticate the user U01. Then, when the user terminal 10 receives the request for the authentication procedure, the user terminal 10 authenticates the user U01 by a predetermined authentication means. For example, the user terminal 10 holds the correct answer data of the fingerprint data of the user U01 in advance, and requests the user U01 to input the fingerprint data at the time of authentication. Then, the user terminal 10 transmits only the information indicating that the authentication is completed inside the user terminal 10 to the determination device 100. As a result, the user terminal 10 can perform the authentication procedure without transmitting the authentication information itself such as fingerprint data and password on the network. As a result, the processing by the determination device 100 is more secure.

[4-2. Judgment of authentication means]
In the above embodiment, the determination device 100 has been described to determine whether or not to perform a new authentication procedure. Here, as a determination regarding authentication, the determination device 100 may not only determine whether or not to perform a new authentication procedure, but may also perform another determination.

For example, the determination device 100 may determine the authentication means used in the authentication procedure. Specifically, the determination device 100 may infer the context of the user terminal 10 based on the information acquired from various sensors used by the user terminal 10 and determine the authentication means suitable for the context. For example, when the illuminance around the user terminal 10 is insufficient to capture the iris, the determination device 100 determines that the authentication procedure is performed using another authentication means instead of the iris-based authentication means. Alternatively, when the noise level around the user terminal 10 is so high that it is not suitable for the microphone of the user terminal 10 to recognize the voice, the determination device 100 uses another authentication means instead of the voice authentication means. Determine to perform the authentication procedure. Further, based on the authentication log, the context log, and the like, the determination device 100 determines that when the authentication is performed in a context similar to that at the time of the previous authentication, the determination device 100 performs the authentication procedure by the authentication means used at the time of the previous authentication. You may. In this way, the determination device 100 may perform a process of determining the optimum authentication means based on the context information of the user terminal 10.

[4-3. Identification of user terminal]
In the first embodiment, the determination device 100 shows an example of acquiring a user ID in identifying a plurality of user terminals 10. Here, the determination device 100 does not necessarily have to acquire a global identifier that is common to other devices with respect to the identification of the plurality of user terminals 10. That is, the determination device 100 only needs to acquire an identifier capable of uniquely identifying the user terminal 10 in the process to be executed, and does not necessarily have to acquire an identifier that is permanently determined.

Further, when the determination process is performed based on the context information by the one-to-one communication such as the communication between the user terminal 10 and another terminal device as shown in FIGS. 1 and 10, the user ID and the user ID are not necessarily used. It is not necessary to acquire the device ID. Further, even when the determination process is performed by communication between three or more devices, the determination device 100 only needs to acquire an identifier capable of uniquely identifying each terminal, for example, for example. The identifier may be obtained in a format that issues a temporary identifier as appropriate.

[4-4. User terminal configuration]
In the first embodiment, the configuration example of the user terminal 10 has been described with reference to FIG. However, the user terminal 10 does not necessarily have to include all the processing units illustrated in FIG. For example, the user terminal 10 does not necessarily have to include the display unit 13 and the detection unit 14. Further, the user terminal 10 may be separated into two or more devices to realize the configuration shown in FIG. For example, the user terminal 10 may be realized by two or more devices having a configuration in which a detection device having at least the detection unit 14 and a communication device having at least the communication unit 11 are separated.

[4-5. Equipment that provides services]
In the above embodiment, the web server 60 has been illustrated and described as a device that provides a site with authentication restrictions accessed by the user terminal 10. However, the device that provides such a service is not limited to the web server 60. For example, devices that provide services are not limited to web services, but are network services that handle types of protocols other than HTTP (Hypertext Transfer Protocol), and devices that provide communications and applications that handle IoT (Internet of Things). May be good. That is, the device that provides the service is not limited to the web server 60 as long as it can communicate with the determination device 100, the user terminal 10, and the like, and has a function of using the determination process and the authentication process by the determination device 100. It may be realized by any device.

[4-6. Determination process〕
In the above embodiment, the determination device 100 shows an example of determining whether or not to perform the authentication procedure, for example, as shown in FIG. Here, the determination device 100 may make a determination regarding the strength of the authentication procedure.

For example, the determination device 100 determines the strength of the authentication procedure based on the change in the context information. The determination of the authentication strength refers to a process of determining what kind of authentication information is required for identity verification in the authentication process, such as whether or not to carry out multi-factor authentication.

For example, it is assumed that the determination device 100 normally requires the user to perform multi-factor authentication using a password and a fingerprint. Then, when the change of the context information acquired from the user is within a predetermined threshold value, the determination device 100 determines that there is a high possibility that the terminal is operated by the same user without change, and the authentication procedure is performed. The strength can be weakened. Specifically, the determination device 100 can change the strength of the authentication process, such as authenticating the user only by the authentication procedure using a password. Alternatively, the determination device 100 may perform authentication processing such as requesting a voiceprint as authentication information in addition to the password and fingerprint for the user whose authentication itself has been performed for the first time in a year, although the same context as that at the time of the previous authentication is assumed. The strength can be increased.

Further, the determination device 100 may perform a learning process for determining the strength of the authentication process as described above. For example, it is assumed that the determination device 100 may set "registered context" and "triple authentication means (for example, password, fingerprint, and voiceprint)" as conditions for authentication processing for a predetermined user. Then, the determination device 100 acquires a history that the user has performed an authentication process using the "registered context" and the "triple authentication means" for, for example, three months. Based on such a history, the determination device 100 uses the authentication means that was the "triple authentication means" as the "double authentication means", the "single authentication means", or the "authentication" with respect to the authentication of the user. It can be changed to "no means". That is, the determination device 100 appropriately determines that the authentication means is changed by learning that the user whose authentication process is accurately performed in the same context for a predetermined period or longer is highly reliable. Can be done. In other words, the determination device 100 can use the context itself that "authentication is continued in the same context for three months every day" as a determination element.

[4-7. Acquisition process]
In the above embodiment, the determination device 100 shows an example of periodically acquiring the context information from the user terminal 10. However, the determination device 100 does not necessarily have to continuously acquire the context information on a regular basis, and may acquire only the context information used for the determination process.

For example, the determination device 100 may use only the difference in context information between the time of the current authentication and the time of the previous authentication as a determination element. In this case, the determination device 100 may determine the presence or absence of the authentication procedure at the timing of authentication regardless of the user's behavior during the authentication. Further, the determination device 100 may periodically acquire the context information during the authentication as described in the first embodiment. In this case, the determination device 100 may request the authentication procedure even if the same context is observed at the timing at the time of authentication according to the change of the context information during the authentication. A specific example will be described. It is assumed that the determination device 100 authenticates a predetermined user in the conference room. After that, the user leaves the conference room once on the way and tries to authenticate again in the conference room. In this case, the determination device 100 may or may not request the user to perform the authentication procedure. In this way, the determination device 100 can determine whether or not to request authentication even when the same context is observed at the timing when the user tries to authenticate. As a result, the determination device 100 can realize access control at an appropriate level without becoming too complicated for the user.

[5. Hardware configuration]
The determination device according to each of the above-described embodiments is realized by, for example, a computer 1000 having a configuration as shown in FIG. Hereinafter, the determination device 100 will be described as an example. FIG. 14 is a hardware configuration diagram showing an example of the computer 1000 that realizes the function of the determination device. The computer 1000 has a CPU 1100, a RAM 1200, a ROM 1300, an HDD 1400, a communication interface (I / F) 1500, an input / output interface (I / F) 1600, and a media interface (I / F) 1700.

The CPU 1100 operates based on a program stored in the ROM 1300 or the HDD 1400, and controls each part. The ROM 1300 stores a boot program executed by the CPU 1100 when the computer 1000 is started, a program that depends on the hardware of the computer 1000, and the like.

The HDD 1400 stores a program executed by the CPU 1100, data used by such a program, and the like. The communication interface 1500 receives data from another device via the communication network 500 (corresponding to the network N shown in FIG. 2) and sends the data to the CPU 1100, and the data generated by the CPU 1100 is transmitted to the other device via the communication network 500. Send to the device.

The CPU 1100 controls an output device such as a display or a printer, and an input device such as a keyboard or a mouse via the input / output interface 1600. The CPU 1100 acquires data from the input device via the input / output interface 1600. Further, the CPU 1100 outputs the data generated via the input / output interface 1600 to the output device.

The media interface 1700 reads a program or data stored in the recording medium 1800 and provides the program or data to the CPU 1100 via the RAM 1200. The CPU 1100 loads the program from the recording medium 1800 onto the RAM 1200 via the media interface 1700, and executes the loaded program. The recording medium 1800 is, for example, an optical recording medium such as a DVD (Digital Versatile Disc) or PD (Phase change rewritable Disk), a magneto-optical recording medium such as an MO (Magneto-Optical disk), a tape medium, a magnetic recording medium, or a semiconductor memory. And so on.

For example, when the computer 1000 functions as the determination device 100 according to the first embodiment, the CPU 1100 of the computer 1000 realizes the function of the control unit 130 by executing the program loaded on the RAM 1200. Further, the data in the storage unit 120 is stored in the HDD 1400. The CPU 1100 of the computer 1000 reads and executes these programs from the recording medium 1800, but as another example, these programs may be acquired from another device via the communication network 500.

[6. others〕
Further, among the processes described in the above-described embodiment, all or a part of the processes described as being automatically performed can be manually performed, or the processes described as being manually performed can be performed. All or part of it can be done automatically by a known method. In addition, the processing procedure, specific name, and information including various data and parameters shown in the above document and drawings can be arbitrarily changed unless otherwise specified. For example, the various information shown in each figure is not limited to the illustrated information.

Further, each component of each of the illustrated devices is a functional concept, and does not necessarily have to be physically configured as shown in the figure. That is, the specific form of distribution / integration of each device is not limited to the one shown in the figure, and all or part of the device is functionally or physically dispersed / physically distributed in any unit according to various loads and usage conditions. Can be integrated and configured. For example, the authentication unit 133 shown in FIG. 3 and the acquisition unit 134 may be integrated. Further, for example, the information stored in the storage unit 120 may be stored in an externally provided storage device via the network N.

Further, for example, in the above embodiment, an example is shown in which the determination device 100 performs an acquisition process for acquiring the context information of the user terminal 10, a determination process for determining the necessity of authentication, and an authentication process for authenticating the user. rice field. However, the above-mentioned determination device 100 may be separated into an acquisition device that performs acquisition processing, a determination device that performs determination processing, and an authentication device that performs authentication processing. In this case, for example, the processing by the determination device 100 according to the first embodiment is realized by the determination processing system 1 having each device such as an acquisition device, a determination device, and an authentication device.

In addition, the above-described embodiments and modifications can be appropriately combined as long as the processing contents do not contradict each other.

Although some of the embodiments of the present application have been described in detail with reference to the drawings, these are examples, and various modifications are made based on the knowledge of those skilled in the art, including the embodiments described in the disclosure column of the invention. It is possible to practice the present invention in other improved forms.

Further, the above-mentioned "section, module, unit" can be read as "means" or "circuit". For example, the acquisition unit can be read as an acquisition means or an acquisition circuit.

1 Judgment processing system 10 User terminal 20 Speaker 30 Terminal device 40 Shared file 50 Clock type terminal 60 Web server 100 Judgment device 110 Communication unit 120 Storage unit 121 Registration information storage unit 122 Authentication information storage unit 123 Authentication log storage unit 124 Context log storage Unit 130 Control unit 131 Registration unit 132 Reception unit 133 Authentication unit 134 Acquisition unit 135 Judgment unit 136 Transmission unit 200 Judgment device 225 Estimate rule storage unit 237 Estimate unit 300 Judgment device 338 Learning unit

Claims (12)

A receiver that receives a request for authentication of the identity of the user who uses the terminal device,
An acquisition unit that periodically acquires context information, which is information indicating the context of the terminal device,
If the requested authentication, and a determination unit which, based on the obtained context information by the acquisition unit, to determine whether to request to perform an authentication procedure for the request of this authentication,
With
The determination unit
The change between the context indicated by the context information acquired at the time of the previous authentication request and the context indicated by the context information acquired at the time of the current authentication request falls within the predetermined first range, and at the time of the previous authentication request. If the change in context indicated by the context information acquired periodically from the time of the request for this authentication falls within the predetermined second range, it is determined that a new authentication procedure is not required.
If the change in context indicated by the context information acquired periodically from the time of the previous authentication request to the time of the current authentication request does not fall within the second range, the context acquired at the time of the previous authentication request. Even if the change between the context indicated by the information and the context indicated by the context information acquired at the time of requesting this authentication falls within the first range, it is determined that a new authentication procedure is required in this authentication. A judgment device characterized by the fact that. The determination unit
Based on the rate of change of the context indicated by the context information is periodically acquired by the time required for this authentication from the time of request for the previous registration, a new authenticate to the requirements of the received authenticated by the receiving unit It determines whether to request to carry out procedures,
The determination device according to claim 1, wherein the determination device is characterized by the above. The determination unit
Based on the amount of change in the context indicated by the context information is periodically acquired by the time required for this authentication from the previous authentication requests, a new authenticate to the requirements of the received authenticated by the receiving unit It determines whether to request to carry out procedures,
The determination device according to claim 1 or 2. The determination unit
Based on since the last authentication request until the request for this certificate to the pattern of change in the context indicated by the context information is acquired periodically, new and pairs to a request received authentication by said receiving unit determines whether or not to request to carry out an authentication procedure,
The determination device according to any one of claims 1 to 3. A registration unit that accepts registration for the context of the terminal device when the terminal device is authenticated.
With more
The determination unit
The context information request is acquired if it is received authentication, wherein, when the registration unit shows the registered context request in pairs to request a-out new authentication procedure with the the authentication Judge not to
The determination device according to any one of claims 1 to 4, wherein the determination device is characterized by the above. An estimation unit that estimates the context of the terminal device when the terminal device is authenticated, based on the context information acquired by the acquisition unit.
With more
The determination unit
The context information request is acquired if it is received authentication, wherein when estimating section shows the context estimated by the requested paired to seek essential to-out new authentication procedure of the authentication Judge not to
The determination device according to any one of claims 1 to 5, wherein the determination device is characterized. The estimation unit
Wherein the context information obtained by the obtaining unit, based on the similarity between the context information when the terminal device is authenticated previously estimated context of the terminal device when the terminal device is authenticated do,
The determination device according to claim 6, wherein the determination device is characterized by the above. A learning unit that learns about the estimation rules used when the context is estimated by the estimation unit,
With more
The estimation unit
The estimation rule learned by the learning unit, and the context of the terminal device is estimated based on the estimation rule learned corresponding to the user who uses the terminal device.
The determination device according to claim 6 or 7. The estimation unit
The context of the terminal device is estimated based on the estimation rule learned by the learning unit and corresponding to a user other than the user who uses the terminal device.
8. The determination device according to claim 8. Wherein when it is requested result determined-out new authentication procedure in pairs to a request of the authentication by the determining unit performs an authentication procedure for the terminal device, the new and against the request of the authentication by the determination unit do when a-out authentication procedure is determined not to request, the authentication unit by omitting the authentication procedure to authenticate the terminal device,
The determination device according to any one of claims 1 to 9, further comprising. It is a judgment method executed by a computer.
The receiving process that receives the request for authentication of the identity of the user who uses the terminal device,
An acquisition process for acquiring context information, which is information indicating the context of the terminal device,
If the requested authentication, a determination step based on said context information acquired by the acquisition step, determining whether to request to perform an authentication procedure for the request of this authentication,
Including
The determination step is
The change between the context indicated by the context information acquired at the time of the previous authentication request and the context indicated by the context information acquired at the time of the current authentication request falls within the predetermined first range, and at the time of the previous authentication request. If the change in context indicated by the context information acquired periodically from the time of the request for this authentication falls within the predetermined second range, it is determined that a new authentication procedure is not required.
If the change in context indicated by the context information acquired periodically from the time of the previous authentication request to the time of the current authentication request does not fall within the second range, the context acquired at the time of the previous authentication request. Even if the change between the context indicated by the information and the context indicated by the context information acquired at the time of requesting this authentication falls within the first range, it is determined that a new authentication procedure is required in this authentication. Judgment method characterized by that. The receiving procedure for receiving the request for authentication of the identity of the user who uses the terminal device, and
An acquisition procedure for acquiring context information, which is information indicating the context of the terminal device, and
If requested the authentication, a determination procedure for determining based on the obtained context information by the acquisition procedure, whether to request to perform an authentication procedure for the request of this authentication,
Let the computer run
The judgment procedure is
The change between the context indicated by the context information acquired at the time of the previous authentication request and the context indicated by the context information acquired at the time of the current authentication request falls within the predetermined first range, and at the time of the previous authentication request. If the change in context indicated by the context information acquired periodically from the time of the request for this authentication falls within the predetermined second range, it is determined that a new authentication procedure is not required.
If the change in context indicated by the context information acquired periodically from the time of the previous authentication request to the time of the current authentication request does not fall within the second range, the context acquired at the time of the previous authentication request. Even if the change between the context indicated by the information and the context indicated by the context information acquired at the time of requesting this authentication falls within the first range, it is determined that a new authentication procedure is required in this authentication. Judgment program characterized by that.

Images