JP7239795B2 - User authentication system and user authentication method using the same - Google Patents

Description

The present invention relates to user authentication technology, and more particularly to systems and methods using the same.

In order to protect specific services and information on computer systems from unauthorized access by malicious third parties, users who intend to use them are generally required to be "certified". A simple example of user authentication is a scheme using a combination of user ID and password (passcode). Various methods have been proposed for user authentication according to the required security level and user environment. In recent years, various multi-factor and/or multi-path authentication schemes have been proposed to enhance the security level of service systems.

For example, One-Time Password (OTP) authentication is a two-factor user authentication that issues a one-time "throwaway" password, or "one-time password," in addition to a user ID and password combination. method. In OTP authentication, the authenticator's server and the subject's (user's) device share a mutually synchronized OTP. More specifically, the authentication server and user device can each generate the same OTP in time synchronization (eg, 60 seconds) with each other using a common seed (secret key) and random number generation algorithm. In order to realize such time-synchronized OTP, the user is provided with a security token such as a hardware token or a software token in advance by the authenticator.

In addition, due to the advancement of ICT (Information and Communication Technology), mobile intelligent devices such as feature phones and smartphones have become popular, and so-called smartphone authentication using the user's smartphone has become a two-path authentication method. It's being used. Smartphone authentication uses a smartphone, which the user always carries, as a security token, so there is no need to carry a separate hardware token, and users are less likely to shy away from it. In particular, in recent years, in addition to authentication by direct access to the service system (first route), for example, cloud-based push notifications are sent to smartphones (second route), and OTPs are sent from the responding smartphone. Two-factor/two-path user authentication, such as receiving and authenticating, has been put into practical use.

By the way, bar codes and two-dimensional codes (for example, QR code (registered trademark); hereinafter, they are simply referred to as "bar codes" unless there is a particular need to distinguish them) are numbers, letters, and/or symbols. Information based on a digital data string is digital information represented by a geometric pattern converted according to a certain conversion rule so that it can be easily read by an electronic device, and is typically printed on a paper medium or the surface of an article. Due to its ease of use and stability and reliability of reading accuracy, bar codes are widely used as a means of information transmission in various social scenes, such as payment for goods and services, identification, and access to Web spaces. In recent years, barcodes have also been displayed as barcode images (geometric patterns) on smartphone displays. A bar code displayed on such a display is particularly called an electronic bar code. In the present disclosure, "displaying an electronic barcode" is used to include displaying an image or a geometric pattern representing an electronic barcode.

For example, Patent Literature 1 below discloses a technique for improving the reading accuracy of electronic barcodes. Specifically, Patent Document 1 discloses a display for displaying a barcode image, a barcode image information acquisition unit for acquiring barcode image information that is information for generating a barcode image, and a barcode image. The display area acquisition unit that acquires the display area on the display screen to display, and the entire area from the display area to the left and right display edges on the display screen of the acquired display area between the dark color bars of the barcode Disclosed is a barcode display device having a barcode display unit that displays a barcode image using barcode image information obtained as the same color as the filling color or as the same color that is processed when reading the barcode.

Moreover, the following patent document 2 discloses the technique which transmits/receives transaction information by generating a vibration or an ultrasonic wave. Specifically, Patent Document 2 converts transaction information received via a network from the outside into a vibration generation signal based on a predetermined conversion rule, and generates vibration based on the converted vibration generation signal Conversion electronic equipment disclose. The conversion electronics may display the transaction information as a bar code on the information display.

Patent No. 5750744 Patent No. 6362724

Conventionally, as a payment method for electricity, water, gas, etc., the payer (user) has to send a payment slip with a barcode printed on it to a clerk at a point-of-sale information management terminal (POS register) at a convenience store, etc. The method of presenting to the customer and paying the usage fee is widely spread. On the other hand, since electronic barcodes do not require paper media, it is possible to omit the work of printing, packing, and shipping. Attempts are being made to replace it with

However, since electronic barcodes are "electronic information", they have the characteristic of being easily duplicated. For example, a user can copy a document containing an electronic barcode, forward it by e-mail, or use the smartphone's screenshot function to take a screenshot of the smartphone display on which the electronic barcode is displayed. The electronic barcode can be easily duplicated by importing it as a barcode or taking an image with another smartphone.

Therefore, when the user pays the price as in the above settlement method (that is, when the user is the obligor), even if the user duplicates the electronic barcode, at most it is left as a backup, It merely enables others to pay for it, and does no real harm in practical social activities. In other words, in the payment method described above, it is not easy for a malicious user to exploit monetary profits, for example, simply by duplicating the electronic barcode or falsifying the digital information indicated by it. On the other hand, when trying to recognize some value (for example, monetary value) in the electronic barcode itself, if it cannot be determined whether the user who has the electronic barcode is a legitimate user, it will be misused by a malicious user. will allow

For this reason, in actual transactions that require a high level of security, it is not enough to simply use electronic barcodes for convenience, and in the end, some security tokens are used to provide token codes to users. It was troublesome to force the work such as inputting. In particular, assuming a transaction (for example, a withdrawal transaction) at an ATM of a bank used by a large number of people, in addition to displaying the electronic barcode on the display of the smartphone, the user can use the token acquired by the security token. Codes must be entered manually, which slows down ATM operations and increases wait times for those waiting in line.

Therefore, in view of the above circumstances, the present invention provides a technique for realizing practical transactions or information exchange processing using an electronic barcode (that is, a geometric pattern displayed on a display that functions as a barcode). intended to provide

More specifically, one of the objects of the present invention is to provide a system and method that can realize secure transactions only for legitimate users even if electronic barcodes are illegally duplicated. is.

Another object of the present invention is to provide a system and method capable of implementing secure and speedy transactions using an electronic bar code instead of the conventional user ID and password.

Another object of the present invention is to realize secure transactions by realizing multi-factor/multi-path user authentication without requiring high hardware specifications in transactions using electronic barcodes. It is to provide a system and method that can

Another object of the present invention is to ensure a high level of security in transactions using electronic barcodes through multi-factor/multi-path authentication, while eliminating the need for manual input operations by users to ensure a secure and rapid transaction. It is to provide a system and method that can realize a smooth transaction.

Also, one of the objects of the present invention is a system that can realize secure and rapid transactions using electronic barcodes without using conventional security tokens (or without users being aware of security tokens). and methods.

The present invention for solving the above-mentioned problems includes the matters specifying the invention or the technical features described below.

The present invention according to one aspect can be a system that authenticates a user using an information communication terminal device possessed by the user. The system comprises, when a geometric pattern displayed on the display of the information communication terminal device is captured, a user authentication request acquisition unit that acquires a user authentication request based on the captured geometric pattern; a security code generation unit for generating a first security code for the user authentication request in response to the user authentication request; and the information based on a second security code associated with the generated first security code. It may comprise an authenticated security code acquiring unit for acquiring an authenticated security code generated based on a sound wave generated and output by the communication terminal device, and an authentication determination unit for performing an authentication determination for the user. The authentication determination section may perform the authentication determination based on the first security code and the to-be-authenticated security code.

Therefore, by imaging the geometric pattern displayed on the display of the information terminal device, the system transmits the second security code associated with the first security code to the information terminal device, A sound wave is output from the information terminal device based on. Then, since the system can acquire the authenticated security code generated by capturing the sound wave, user authentication can be performed based on the authenticated security code and the first security code. As one aspect of the system, an authentication system can be assumed.

Also, the system may further include a security code storage section that stores the first security code generated by the security code generation section as an original security code.

The authentication determination unit determines the authentication according to whether or not the first security code stored in the security code storage unit matches the authenticated security code acquired by the authenticated security code acquisition unit. can do

Also, the system may further include an authentication database that manages user information including user IDs for identifying users. The authentication determination section may perform the authentication determination based on the user ID in the authentication database and the user ID included in the user authentication request acquired by the user authentication request acquisition section.

When the authentication determination unit determines that the user ID in the authentication database matches the user ID included in the user authentication request acquired by the user authentication request acquisition unit, the security code generation unit A first security code may be generated.

Further, the system transmits the second security code associated with the first security code generated by the security code generation unit to the information communication terminal device in response to obtaining the user authentication request. It may further comprise a security code transmitter.

Also, the system may further include an imaging unit that captures an image of the geometric pattern, and a user authentication request generation unit that generates the user authentication request based on the geometric pattern captured by the imaging unit. As one aspect, the imaging unit and the user authentication request generation unit may be provided in a service terminal device in the system.

Further, the system includes a sound collector for capturing sound waves generated and output by the information communication terminal device, and a security code to be authenticated for generating a security code to be authenticated based on the sound waves captured by the sound collector. and a generator.

The sound collector may start capturing the sound waves when the geometric pattern is imaged. This makes it possible to eliminate the capture of unwanted sound waves and to prevent attacks by malicious third parties, for example. Also, the sound collector can capture a trigger sound wave for starting authentication. Then, the imaging unit can start imaging the geometric pattern when a trigger sound wave for starting the authentication is captured by the sound collecting unit.

The security code generator may generate the first security code as a one-time password each time the geometric pattern is captured. This can increase the security level of the system.

The second security code can be generated inside the information communication terminal without the information communication terminal communicating with the system. That is, the system and the information communication terminal device can hold security tokens synchronized with each other (for example, time synchronization or event synchronization). Then, the information communication terminal device can generate a security code synchronized with the security code generated by the security token of the system by using its own security token. This enables user authentication by the system even in an environment where the information communication terminal device cannot use network communication. Furthermore, instead of an information communication terminal device having a network communication function, it is also possible to use a terminal device that does not have such a function.

The output sound wave may comprise a sound wave pattern of predetermined duration. For example, the sound wave pattern consists of sound waves of inaudible frequencies. Alternatively, the sound wave pattern consists of sound waves of frequencies in the audible range, excluding the frequency band of 100 Hz to 4000 Hz. Alternatively, the sound wave pattern consists of a combination of sound waves of different frequencies.

The to-be-authenticated security code obtaining unit can extract a sound wave pattern of a specific frequency from such a sound wave, and restore the to-be-authenticated security code based on the extracted sound wave pattern of the specific frequency.

Moreover, the present invention according to another aspect can be a system that provides a predetermined service to a user using an information communication terminal device possessed by the user. The system may include an authentication server that authenticates the user, and a service terminal device that accepts a transaction request related to the predetermined service from the user. The authentication server includes an authentication database that manages user information including a user ID for identifying a user, a security code generation unit that generates a first security code for the user, and based on the first security code, an authentication decision unit for making an authentication decision. Further, the service terminal device includes an imaging unit for imaging a geometric pattern displayed on a display of the information communication terminal device, and user authentication for the transaction request based on the geometric pattern imaged by the imaging unit. a user authentication request generator that generates a request; a sound collector that captures sound waves generated and output by the information communication terminal device based on a second security code associated with the first security code; an authenticated security code generating unit that generates an authenticated security code based on the sound waves captured by the sound collector. The authentication determination unit performs a first authentication determination based on the user ID in the authentication database and the user ID included in the user authentication request, and further, determines the first security code and the authenticated security code. A second authentication determination may be made based on.

According to another aspect, there is provided a system for providing a predetermined service to a user, comprising: an information communication terminal device possessed by the user; an authentication server for authenticating the user; a service terminal for accepting transaction requests from the user. The information communication terminal device includes a user interface unit having at least a display and a speaker, a geometric pattern generation unit that generates a geometric pattern based on the user profile of the user, and the generated geometric pattern on the display. A display control unit for controlling display, a sound data generation unit for generating a sound source, and a sound output control unit for controlling output of sound waves based on the generated sound source from the speaker. Further, the authentication server includes an authentication database that manages user information including a user ID for identifying a user, a security code generation unit that generates a first security code for the user, and a security code generator based on the first security code. and an authentication determination unit configured to perform an authentication determination. Further, the service terminal device includes an imaging unit for imaging a geometric pattern displayed on a display of the information communication terminal device, and user authentication for the transaction request based on the geometric pattern imaged by the imaging unit. a user authentication request generator that generates a request; a sound collector that captures sound waves generated and output by the information communication terminal device based on a second security code associated with the first security code; an authenticated security code generating unit that generates an authenticated security code based on the sound waves captured by the sound collector. Here, the sound data generator can generate the sound wave based on a second security code associated with the first security code generated by the security code generator. The authentication determination unit performs a first authentication determination based on the user ID in the authentication database and the user ID included in the user authentication request, and determines the first security code and the authenticated security code. Based on this, a second authentication determination can be made.

Moreover, the present invention according to another aspect can be an information communication terminal device used for user authentication for using a predetermined service provided via a service terminal device. The information terminal device controls a geometric pattern generation unit that generates a geometric pattern based on at least a user profile of a user, and displays the generated geometric pattern on a display of the information communication terminal device. a display control unit, and security code acquisition for acquiring a predetermined security code for user authentication transmitted when the geometric pattern displayed on the display of the information communication terminal device is imaged by the service terminal device. a sound data generation unit that generates sound data based on the obtained predetermined security code; and a sound output control that controls the generated sound data to be output as a sound wave from a speaker of the information communication terminal device. and a part.

Furthermore, the present invention can also be understood as a method invention. That is, the present invention according to one aspect can be a user authentication method for authenticating a user using an information communication terminal device possessed by the user. The user authentication method includes, when a geometric pattern displayed on the display of the information communication terminal device is imaged, obtaining a user authentication request based on the imaged geometric pattern; generating a first security code for the user authentication request in response to an authentication request; and generating by the information communication terminal device based on a second security code associated with the generated first security code. obtaining an authenticated security code that is generated based on the sound wave that is output; and making an authentication determination for the user based on the first security code and the authenticated security code. .

Furthermore, the present invention can be understood as an invention relating to a program and an invention relating to a storage medium storing the program. That is, the present invention according to one aspect can be a program executed in an information communication terminal device used for user authentication for using a predetermined service provided via a service terminal device. The program, when executed by a processor, instructs the information communication terminal device to generate a geometric pattern based on at least a user profile of a user; a display control unit that controls display on a display of a communication terminal device; and the user authentication that is transmitted when the geometric pattern displayed on the display of the information communication terminal device is imaged by the service terminal device. a security code acquisition unit that acquires a predetermined security code for the information communication terminal device; a sound data generation unit that generates sound data based on the acquired predetermined security code; and a sound output control unit that controls the sound to be output from the speaker as a sound wave.

In this specification and the like, "means" does not simply mean physical means, but also includes the case where the functions of the means are realized by software. Also, the function of one means may be realized by two or more physical means, or the functions of two or more means may be realized by one physical means.

Other technical features, objects, effects or advantages of the present invention will be made clear by the following embodiments described with reference to the accompanying drawings.

1 is a block diagram for explaining an example of a computer system according to an embodiment of the invention; FIG. 4 is an example of a sequence chart for explaining a user authentication method in the computer system according to one embodiment of the present invention; It is a block diagram showing an outline of an example of composition of an information-communications terminal device concerning one embodiment of the present invention. 1 is a block diagram for explaining an example of the functional configuration of an information communication terminal device according to one embodiment of the present invention; 4 is a flow chart showing an example of processing in the information communication terminal device according to one embodiment of the present invention; It is a block diagram which shows an example of a structure of the service terminal device which concerns on one Embodiment of this invention. 2 is a block diagram for explaining an example of the functional configuration of a service terminal device according to one embodiment of the present invention; FIG. 4 is a flow chart showing an example of processing in the service terminal device according to one embodiment of the present invention; It is a figure which shows an example of the data structure of the authentication database in the authentication system which concerns on one Embodiment of this invention. It is a block diagram showing an example of functional composition of an authentication system concerning one embodiment of the present invention. 4 is a flow chart showing an example of processing in the authentication system according to one embodiment of the present invention; 1 is a block diagram showing an example configuration of a computer system according to an embodiment of the present invention; FIG. It is a figure which shows an example of the screen of the information-communications terminal device which concerns on one Embodiment of this invention. It is a figure which shows an example of the screen of the service terminal device which concerns on one Embodiment of this invention.

BEST MODE FOR CARRYING OUT THE INVENTION Hereinafter, embodiments of the present invention will be described with reference to the drawings. However, the embodiments described below are merely examples, and are not intended to exclude various modifications and application of techniques not explicitly described below. The present invention can be implemented in various modifications (for example, by combining each embodiment) without departing from the scope of the invention. In addition, in the description of the drawings below, the same or similar parts are denoted by the same or similar reference numerals. The drawings are schematic and do not necessarily correspond to actual dimensions, proportions, and the like. Even between the drawings, there are cases where portions with different dimensional relationships and ratios are included.

(Schematic configuration of the system)
FIG. 1 is a block diagram for explaining an example of a computer system according to one embodiment of the invention. As shown in the figure, the computer system 1 of the present disclosure includes, for example, an information communication terminal device 20, a service terminal device 30, a service host 40, which are communicably connected to each other via a communication network 10, and an authentication system 50.

Communication network 10 may include, for example, an IP-based computer network 12 and a mobile communication network 14 conforming to mobile communication system standards. In the present disclosure, the computer network 12 is used as a broad concept including the Internet constructed by an IP network ("the Internet"), but is not limited to an IP network, and is a network of any protocol that enables communication between nodes. is applicable. For example, although not shown, predetermined nodes such as the service terminal device 30 and the service host 40 and the service host 40 and the authentication system 50 may be connected by a dedicated network. Computer network 12 may also include a wireless network established by wireless base stations (eg, Wi-Fi (registered trademark)) not shown. The computer network 12 and mobile communication network 14 are connected via a gateway 16 or the like, for example.

The information communication terminal device 20 is typically a portable computing device carried by a user, such as a feature phone, smart phone, PDA, handheld computer, tablet computer, and other intelligent devices. obtain. In this disclosure, the information communication terminal device 20 is assumed to be a smart phone.

Typically, the information communication terminal device 20 includes hardware resources such as a CPU (processor), chipset and memory, communication module, user interface (e.g. display or touch panel, speaker and vibrator), and operating system (e.g. kernel, It can be configured including various device drivers, standard libraries, etc.) (hereinafter referred to as "OS"). Regarding the configuration of the information communication terminal device 20, components relevant to the present disclosure will be described with reference to FIG. The information communication terminal device 20 executes various application programs on the OS under the control of the processor to realize desired functions. In the present disclosure, the information communication terminal device 20 is an application program (hereinafter referred to as "user authentication application program") including a user authentication module for causing the information communication terminal device 20 to function as a personal identification card, as one of the application programs. to implement. As will be described later, the information communication terminal device 20 of the present disclosure displays an electronic barcode on the user interface by executing a user authentication client program under the control of the processor, and emits a predetermined sound wave from the built-in speaker. generate

Also, the information communication terminal device 20 can be connected to the computer network 12 for communication via a Wi-Fi (registered trademark) network (not shown), or can be connected to the computer network 12 from the mobile communication network 14 via the gateway 16 . can be connected for communication. As a result, the information communication terminal device 20 can access various nodes (for example, web servers and cloud servers) on the communication network 10 to obtain desired information resources and enjoy desired services. can. In the user authentication method of the present disclosure, as an alternative example, use of the information communication terminal device 20 in a place or area where WiFi radio waves or carrier radio waves do not reach is assumed.

The service terminal device 30 is a computing device that can be operated by a user to use the service host 40 . As an example, the service terminal device 30 may be a teller machine (ATM) installed in a store such as a financial institution, a convenience store, or a station, a kiosk terminal having an ATM function, a multifunctional ticket vending machine, or the like. Alternatively, the service terminal device 30 may be a point-of-sale information management terminal (POS register) operated by, for example, a convenience store clerk instead of the user. The service terminal device 30 typically includes a user interface for providing interactive operations to the user. In addition, the service terminal device 30 can communicate with the service host 40 via the communication network 10 (for example, a dedicated line) to exchange various information in order to provide the service of the service host 40 to the user. The service terminal device 30 of the present disclosure reads an electronic barcode displayed on the display of the user's information communication terminal device 20, and also captures a predetermined sound wave output from the built-in speaker of the information communication terminal device 20. configured to

The service host 40 is a server system for providing predetermined services to users, and can typically be composed of one or more computing devices. The service host 40 may be, for example, a web server that configures a website or a cloud server that provides cloud services. In another example, the service host 40 may be, for example, a deposit/withdrawal system in an accounting system of a financial institution such as a bank. In yet another example, the service host 40 may be a reservation and issuing system for securities and similar tickets, tickets, and the like. A user may, for example, use a particular service provided by a service host 40 via a service terminal device 30 . In the present disclosure, the service host 40 requires user authentication prior to user usage.

The authentication system 50 is a server system that authenticates a user who intends to use a predetermined service provided by the service host 40 . Authentication system 50 may be implemented, for example, by one or more computing devices. The authentication system 50 includes, for example, an authentication server 60 and an authentication database 70 . The authentication server 60 and the authentication database 70 may each be built on individual computing devices, or may each be built on one physical or logical one computing device. The hardware configuration of such a computing device is illustrated in FIG. 12, but since it is known, its detailed description is omitted. The authentication system 50 constructs a secure communication session with the information communication terminal device 20, the service host 40, and the service terminal device 30 via the communication network 10, for example, by using secure communication technology such as SSL.

The authentication server 60 is a server computer for centrally controlling user authentication processing. In this disclosure, authentication server 60 issues a one-time security code in response to a user authentication request. The security code may be a digital data string that cannot be understood by humans, and may have any data length, for example, from several bytes to several thousand bytes. A user authentication request is typically transmitted from the service terminal device 30 that has received an operation by the user who owns the information communication terminal device 20 . Also, the security code is transmitted to the user's information communication terminal device 20 via the communication network 10 .

The authentication database 70 is a database system that stores and manages user-related information (hereinafter referred to as “user information”) required for user authentication for each user who uses the service of the service host 40 . User information may include, for example, a user ID and password, and card information regarding a personal identification card. The card information includes, for example, a serial code for identifying a specific application program installed in the information communication terminal device 20 of the user. The authentication database 70 may hold, for example, user information in the form of encrypted data.

In the above example, the authentication system 50 and the service host 40 are configured as physically separate systems, but they are not limited to this and may be configured as one system. Moreover, those operation management bodies may be the same or may be separate bodies. In this case, service host 40 may be configured to include the functionality of authentication system 50 (or vice versa). Also, the operation management entity of the service terminal device 30 may not be the same as that of the service host 40. For example, a financial institution, a convenience store, a railway company, etc. may be the owner of the service terminal device 30, and their operation management may be outsourced to a third party.

Next, an outline of a user authentication method in the computer system 1 configured as above will be described. FIG. 2 is an example of a sequence chart for explaining the user authentication method in the computer system according to one embodiment of the present invention. In this example, it is assumed that the user has the information communication terminal device 20 connected to the communication network 10 and is in a position where he/she can directly operate the user interface (for example, touch panel) of the service terminal device 30. .

When executing the user authentication method of the present disclosure, it is assumed that the user is registered in advance in the service host 40 and the authentication system 50 . If the user has not yet registered with the service host 40 and/or the authentication system 50, user registration is performed first. That is, a user who can already use the service of the service host 40 (for example, a user who already has a bank account) can perform the user registration of the user authentication application program, so that the service host 40 and the authentication system can access the present disclosure. can perform user registration related to the user authentication service of For example, the user activates the user authentication application program by installing the user authentication application program in the information communication terminal device 20 and inputting predetermined user information. Thereby, the user information of the user is registered in the authentication database of the authentication system 50 . Known techniques can be used for such activation.

Referring to FIG. 2, first, the user operates information communication terminal device 20 to start or execute a user authentication application program, enter information regarding a desired transaction, and information communication terminal device 20 inputs the information. It is accepted as a transaction request (S201). A transaction is, for example, a cash withdrawal from a bank account, and the user specifies the withdrawal amount. As another example, the transaction is the purchase of concert tickets. When the user authentication application program is activated, the user may be requested to provide, for example, a password or fingerprint authentication. Also, in order to enable the push notification of the information communication terminal device 20, for example, a device ID or a device token can be sent to the authentication system 50 when the user authentication application program is activated. The information communication terminal device 20 generates an electronic barcode based on the received transaction request, and displays the electronic barcode together with the transaction information as shown in FIG. 13(a), for example (S202). The electronic barcode may contain the user's user profile.

The user also operates the service terminal device 30 prior to, in parallel with, or after starting the user authentication application program to cause the service terminal device 30 to read the electronic bar code (S203). For example, the user touches the screen of the service terminal device 30 in the standby state to display a menu, selects a button corresponding to a desired transaction, and an electronic bar appears on the screen of the service terminal device 30. A message appears prompting the user to hold the code over the reader. When the user holds the electronic bar code displayed on the information communication terminal device 20 over the reading port, the service terminal device 30 reads it and displays a screen 1400 on which transaction information is input, as shown in FIG. indicate. Subsequently, the service terminal device 30 generates a user authentication request for the authentication system 50 based on the read electronic barcode, and transmits this to the authentication system 50 (S204). The user authentication request includes, for example, a user ID for the service of service host 40 and may also include its password. The service terminal device 30 may, for example, start listening (sensing) to sound waves, which will be described later, upon transmitting a user authentication request.

Upon receiving the user authentication request from the service terminal device 30, the authentication system 50 refers to the authentication database 70 and makes a first authentication determination for the user based on the user ID included in the received user authentication request (S205). The first authentication determination may be made using a combination of user ID and password. When the first authentication is successful, the authentication system 50 generates a security code, temporarily stores it as an original security code or master security code (first security code) and copies it (second security code). to the user's information communication terminal device 20 (S206). The transmission of the security code may be performed by push notification, for example. A security code can be, for example, a one-time password. If the first authentication of the user fails, the authentication system 50 returns the result of the authentication determination to the service terminal device 30 .

When the information communication terminal device 20 receives the security code from the authentication system 50 (S207), it generates a sound signal (sound source) based on the received security code, and causes the speaker to ring based on the sound signal to emit sound waves. is output (S208). In other words, the security code as a one-time password is transmitted to the service terminal device 30 as sound waves without further intervention by the user. The sound wave may be a sound wave with a frequency in the audible range, or a sound wave with a frequency in the non-audible range. The service terminal device 30 listens to the sound wave output from the speaker, and when it is successfully captured (S209), it generates a security code to be authenticated based on the sound wave and transmits it to the authentication system 50 (S210).

Upon receiving the authenticated security code from the service terminal device 30, the authentication system 50 makes a second authentication determination for the user based on the temporarily stored original security code and the received authenticated security code (S211). ). Typically, the authentication system 50 determines that authentication is successful if the security code to be authenticated matches the original security code. Subsequently, the authentication system 50 transmits the result of authentication determination to the service terminal device 30 (S212).

Next, the service terminal device 30 receives the result of the authentication determination from the authentication system 50 (S213), and if this indicates successful authentication, the service terminal device 30 initiates the transaction requested by the user (S214). As a result, the service terminal device 30 requests the service host 40 to process the transaction, and the service host 40 processes the transaction (S215). The service terminal device 30 finishes processing the transaction under the control of the service host 40, and when the service to the user is completed, the service terminal device 30 returns to the standby state. In this case, the service terminal device 30 may be configured to notify the user's information communication terminal device 20 of the completion of transaction processing, and the information communication terminal device 20 may display this. For example, the service terminal device 30 may transmit a transaction completion message to the information communication terminal device 20 by acoustic wave, and the information communication terminal device 20 may interpret and display it. That is, when the information communication terminal device 20 captures the sound wave indicating the transaction completion message, the information communication terminal device 20 displays the transaction completion message as shown in FIG. 13(b), for example.

As described above, in the computer system 1 of the present disclosure, the user simply holds the electronic barcode displayed on the information communication terminal device 20 over the service terminal device 30, and user authentication is performed on the service terminal device 30. Can make transaction requests. Also, when authenticating the user for the transaction request, the authentication system 50 transmits the security code to the information communication terminal device 20, which converts it into a sound wave and transmits it to the service terminal device 30 through the speaker. . Therefore, the user does not need to input the security code into the service terminal device 30 while referring to the received security code, and need not be aware of the existence of the security code. In particular, the sound reproduction function is a function standardly equipped in smartphones that is realized at a relatively low cost, so even if there is a low-priced, low-spec smartphone, the information communication terminal in the computer system 1 of the present disclosure It can be used as device 20 .

(Configuration of information communication terminal device)
FIG. 3 is a block diagram showing an outline of an example configuration of an information communication terminal device according to one embodiment of the present invention. In the figure, among various constituent elements (components) of the information communication terminal device 20, constituent elements related to the present disclosure are shown. That is, as shown in the figure, the information communication terminal device 20 includes a control section 210, a storage section 220, a user interface section 230, and a communication interface section 240, for example. Such components can be implemented by the hardware components themselves, or, for example, by the processor of the information communication terminal device 20 executing a user authentication client program on the OS in cooperation with various hardware resources.

The control unit 210 is a component for comprehensively controlling the information communication terminal device 20 so that the information communication terminal device 20 functions as a personal identification card. and an OS (including various device drivers, for example). In other words, the processor 212 causes the information communication terminal device 20 to function as a personal identification card by executing the user authentication application program. The input/output control unit 214 is a component embodied as a function of the OS, and controls input/output access to each of the storage unit 220, the user interface unit 230, and the communication interface unit 240, for example. A display output control unit 2120 and a sound output control unit 2150, which will be described later, are aspects of the input/output control unit 214 (see FIG. 4)).

The storage unit 220 is a component that stores various programs and data sets, and typically includes a memory device used by the processor 212 of the information communication terminal device 20 . As an example, storage unit 220 stores an operating system, a user authentication application program, and a user profile. A user authentication application program is downloaded from a predetermined site, for example. The user authentication application program may be configured including an application program main body for using the service of the service host 40 and a subprogram or module for realizing the user authentication method of the present disclosure. Alternatively, the user authentication application program may consist only of subprograms or modules for implementing the user authentication method of the present disclosure. Also, the user profile is entered by the user, for example, upon activation of the user authentication application program. A user profile may include, for example, a user ID and password as data related to the user authentication method of the present disclosure. At least part of the user profile may constitute at least part of the electronic barcode, as described below.

The user interface unit 230 is a component that enables the user to interactively operate the information communication terminal device 20. For example, a touch panel 232 integrated with a display and a position input mechanism or an input/output device such as a speaker 234 can be used. can be configured to include Also, other input/output devices such as a microphone 236, a vibrator 238, and a camera may be provided. The user interface unit 230 may be configured to have all or part of the functions instead of the input/output control unit 214, for example. As an example, the user interface unit 230 displays a geometric pattern representing an electronic barcode in response to a predetermined operation on the user interface unit 230 by the user.

In general, the speaker of the information communication terminal device 20 is understood as an example of a user interface from the viewpoint that the user directly makes a voice call or listens to music, etc. In the present disclosure, Although the sound waves output from the speaker 234 are not directly used by the user's sense of hearing, the speaker 234 is treated as one of the user interface units 230 in accordance with such convention. In addition, in the present disclosure, a built-in speaker is described as an example, but an external speaker is not excluded. A configuration including is also one aspect of the present disclosure.

The communication interface unit 240 is a component that transmits and receives various data to and from the authentication system 50 and other external devices via the communication network 10, and typically includes a communication interface circuit or chipset. be done. In this disclosure, communication interface unit 240 is used to receive security tokens sent from authentication system 50 .

FIG. 4 is a block diagram for explaining an example of the functional configuration of the information communication terminal device according to one embodiment of the present invention. Although this diagram can be associated with the configuration example shown in FIG. 3, the configuration of the control unit 210 is mainly described in more detail. That is, as shown in the figure, the control unit 210 includes, for example, an electronic barcode generation unit 2110, a display output control unit 2120, a security code acquisition unit 2130, a sound data generation unit 2140, and a sound output control unit 2150. and.

The electronic barcode generation unit 2110 generates an electronic barcode as a geometric pattern displayed on the user interface unit 230 based on a predetermined digital data string including the user profile stored in the storage unit 220 . Also, the electronic barcode generation unit 2110 can generate an electronic barcode based on a predetermined transaction request input from the user interface unit 230 instead of or in addition to the user profile. As another example, the electronic barcode generator 2110 may include the unique device ID assigned to the information communication terminal device 20 and the serial code of the user authentication application program in the electronic barcode. The electronic barcode generation unit 2110 scrambles (encrypts) the digital data string in order to make unauthorized analysis of the displayed electronic barcode difficult by a third party, and based on the scrambled digital data string, An electronic barcode may be generated. For example, a digital data stream can be scrambled based on a seed using a timestamp or the like. The electronic barcode generation unit 2110 outputs the generated electronic barcode to the display output control unit 2120 . The electronic barcode generator 2110 may be one aspect of the geometric pattern generator. Also, the electronic barcode generation unit 2110 can trigger the security code acquisition unit 2130 when generating the electronic barcode.

The display output control unit 2120 performs control so that the geometric pattern representing the electronic barcode generated by the electronic barcode generation unit 2110 is displayed on the touch panel 232 of the user interface unit 230 . Alternatively, all or part of display output control section 2120 may be configured as part of user interface section 230 .

The security code acquisition unit 2130 acquires the security code transmitted from the authentication system 50 and received by the reception unit 242 of the communication interface unit 240 . As an example, when triggered by the electronic barcode generation unit 2110, the security code acquisition unit 2130 is enabled for a predetermined period of time (eg, 30 seconds, 1 minute, 2 minutes, 3 minutes, etc.). Wait for the security code to arrive.

When the security code acquisition unit 2130 acquires the security code, the sound data generation unit 2140 encodes the security code according to a predetermined conversion rule to generate a sequence of sound data (hereinafter simply referred to as “sound data”). It is a component that The predetermined conversion rule may be defined as a different rule for each service host 40 or service (transaction), for example. From the viewpoint of security, the sound data generation unit 2140 may be configured to scramble the security code to generate sound data, or scramble the encoded sound data to generate the final sound data. It may be configured as follows. All or part of the sound data generation unit 2140 can be configured by a sound generator or sound engine built into the chipset or the like of the information communication terminal device 20, for example.

The sound output control unit 2150 performs control so that sound waves based on the sound data generated by the sound data generation unit 2140 are output from the speaker 234 . For example, the sound output control section 2150 modulates sound data to generate an audio output signal and outputs it to the speaker 234 . As a result, the speaker 234 sounds and emits sound waves according to the audio output signal. For example, a configuration including a standard audio driver in the information communication terminal device 20 can be one aspect of the sound output control section. The output sound waves are collected, captured, and processed by the service terminal device 30 . In this case, the service terminal device 30 may reply to the information communication terminal device 20 by sound waves to the effect that the sound waves have been successfully captured. or vibration may be used to notify the user.

Acoustic data based sound waves comprise a sound wave pattern of a predetermined length of time, which typically depends on the amount of data to be transmitted. As an example, the predetermined length of time can be from a few milliseconds to one second or several seconds. Also, the sound wave may have a frequency in the audible range (approximately 20 Hz to approximately 20,000 Hz), and as an example, the sound of the environment where the service terminal device 30 is installed (for example, noise of automobiles and trains and human conversation). In consideration of the above frequency band, the frequency band from about 100 Hz to about 4000 Hz may be excluded. Alternatively, the sound waves may have frequencies in the non-audible range (eg, approximately 20,000 Hz or higher). Also, the sound wave may be composed of a single frequency, or may be composed of a combination of two or more different frequencies. The sound waves may also contain dummy sound waves that are not processed by the service terminal device 30 .

Also, the control unit 210 of the information communication terminal device 20 may be configured to output a trigger sound wave for starting authentication when displaying the electronic barcode. In response to this, the service terminal device 30 can start imaging the electronic code.

(Processing operation of information communication terminal device)
FIG. 5 is a flow chart showing an example of processing in the information communication terminal device according to one embodiment of the present invention. Such processing is realized by the information communication terminal device 20 executing a user authentication application program under the control of the processor 212, for example. Such processes may be executed sequentially, or may be executed in parallel or in parallel as long as the results of the processes are not inconsistent.

Referring to FIG. 1, a user operates information communication terminal device 20 to start or execute a user authentication application program, and input information about a desired transaction on the screen of touch panel 232 to perform information communication. The terminal device 20 accepts this as a transaction request (S501). Subsequently, the information communication terminal device 20 generates an electronic barcode based on the accepted transaction request and user profile and displays it on the screen (S502). Wait (S503). In this state, the user operates the service terminal device 30 to cause the service terminal device 30 to read the electronic bar code. As a result, a user authentication request is sent from the service terminal device 30 to the authentication system 50 and a security code is sent to the information communication terminal device 20 .

When the information communication terminal device 20 receives the security code (Yes in S503), it generates a sound source based on the received security code (S504), and outputs a sound wave by sounding the speaker based on the sound source ( S505).

As described above, when the user operates the information communication terminal device 20 to input a transaction request, it is converted into an electronic bar code and read by the service terminal device 30 . The electronic barcode read by the service terminal device 30 is sent to the authentication system 50 as a user authentication request, and the security code is sent from the authentication system 50 accordingly. When the information communication terminal device 20 receives the security code, it converts it into a sound wave and transmits it to the service terminal device 30, so the user is not required to perform any further operation for user authentication.

(Configuration of service terminal device)
FIG. 6 is a block diagram showing an example of the configuration of a service terminal device according to one embodiment of the present invention. The figure shows components related to the present disclosure among various components of the service terminal device 30 . That is, as shown in the figure, the service terminal device 30 includes, for example, a control unit 310, a storage unit 320, a user interface unit 330, an imaging unit 340, a sound collecting unit 350, and a communication interface unit 360. Consists of. Also, as described in other examples, the service terminal device 30 may include a sound data generator and a speaker for outputting sound waves. Although not shown, the service terminal device 30 may include components such as a deposit/withdrawal mechanism, a motion sensor, a security camera, etc., depending on its application, for example, in the case of an ATM. Such a component can be implemented by the hardware component itself, or by cooperating with various hardware resources, for example, by the processor 312 of the service terminal device 30 executing a service client program on the OS.

The control unit 310 is a component for comprehensively controlling the service terminal device 30 so that the service terminal device 30 functions as a terminal device that enables the service host 40 to provide services to users. includes the processor 312 of the service terminal device 30, an OS, various device drivers, and the like. The input/output control unit 314 is a component embodied as functions of the OS and various device drivers, and controls input/output access to various components, for example. The transaction processing unit 316 is a component that, under the control of the service host 40, processes transactions related to services requiring the user authentication method according to the present disclosure based on requests from users. In the present disclosure, the control unit 310 may further include, for example, an imaging data processing unit 3110, a user authentication request generation unit 3120, a sound wave decoding unit 3130, and an authenticated security code transmission unit 3140, as described later.

The storage unit 320 is a component that stores various programs and data sets, and typically includes a memory device and the like used by the processor 312 of the service terminal device 30 . As an example, the storage unit 320 stores an OS, various device drivers, and service client programs. The service client program may be installed, for example, when the service terminal device 30 is manufactured or installed, or may be downloaded from the service host 40 by remote control of the service host 40 .

The user interface unit 330 is a component that enables the user to interactively operate the service terminal device 30. For example, various inputs and outputs such as a touch panel 332 that integrates a display and a position input mechanism and a speaker 334 It consists of devices. As an example, when the user taps the touch panel to use the service, the user interface unit 330 displays guidance or a guide menu for using the service on the touch panel 332 and/or outputs guidance voice from the speaker 334.

The imaging unit 340 electronically captures an electronic barcode displayed on the user interface unit 230 of the user's information communication terminal device 20 under the control of the control unit 310, and outputs image data based on the image signal. is a component. The imaging unit 340 may be configured including, for example, a scanner. (Electronically) imaging is typically performed by a light receiving element such as a photodiode or a CCD sensor or CMOS sensor, also known as a solid state image sensor (image sensor), in response to the geometric pattern indicated by the electronic barcode. Means generating an electrical signal and placing it in a state that can be processed by a computer, but should not be construed as limiting. As an example, the imaging unit 340 scans an electronic barcode with light emitted from a light-emitting element (that is, active light), receives the reflected light with a light-receiving element, extracts an electrical signal, and amplifies and analogizes it. - configured to perform digital conversion (AD conversion) and output as imaging data; As another example, the imaging unit 340 is configured to receive light by light-receiving elements arranged in a two-dimensional array and extract electrical signals without using active light.

The sound collector 350 is a component for the service terminal device 30 to capture (sound collect) ambient sounds, particularly sound waves output by the information communication terminal device 20, under the control of the control unit 310. includes a microphone and the like. A directional microphone can be used for the sound collector 350 to efficiently capture sound waves. The sound wave captured by the sound collector 350 is converted into sound data based on an audio signal by, for example, an audio driver (not shown) and sent to the controller 310 .

Note that the control unit 310 starts listening for capturing sound waves triggered by, for example, the transmission of a user authentication request, which will be described later, after the electronic data is captured by the imaging unit 340. It may be configured to Alternatively or in addition to this, the control unit 310 causes the imaging unit 350 to It may be configured to initiate imaging of the barcode.

The communication interface unit 360 is a component that transmits and receives various data to and from the service host 40, the authentication system 50, and other external devices via the communication network 10, and is typically a communication interface circuit or chip. Consists of sets. In the present disclosure, the communication interface unit 360 is used to receive commands from the service host 40 and transmit responses thereto, and transmit security tokens from the user's information communication terminal device 20 to the authentication system 50. be done.

FIG. 7 is a block diagram for explaining an example of the functional configuration of the service terminal device according to one embodiment of the present invention. Although this diagram can be associated with the configuration example shown in FIG. 6, the configuration of the control unit 310 is mainly described in more detail.

The imaging data processing unit 3110 decodes the imaging data output by the imaging unit 340 and generates a predetermined data string related to the electronic barcode. That is, when the electronic barcode adapted to the computer system 1 of the present disclosure is imaged by the imaging unit 340, the data string indicated by the original electronic barcode is correctly decoded or restored (that is, reconstructed ). Thus, the recovered data strings include user profiles and/or transaction requests. Alternatively, if the electronic barcode is based on digital data scrambled based on a seed using a timestamp, the imaging data processor 3110 descrambles the recovered data stream using the timestamp as a seed. In this case, the time from the start of generation of the electronic barcode to a predetermined time (for example, 1 minute, 3 minutes, 5 minutes, etc.) is regarded as the same time stamp. and the restored data string in the service terminal device 30 are guaranteed.

A user authentication request generation unit 3120 generates a user authentication request to the authentication system 50 based on the data string restored by the imaging data processing unit 3110 . A user authentication request may include, for example, a user ID and password combination. User authentication request generating section 3120 passes the generated user authentication request to communication interface section 360 , whereby transmitting section 3610 of communication interface section 360 transmits the user authentication request to authentication system 50 . Also, upon generating the user authentication request, the user authentication request generation unit 3120 can notify the transaction processing unit 316 that there is a transaction request. Note that the user authentication request generator 3120 may trigger the sound collector 350 after the user authentication request is transmitted, for example. Note that at least one of the imaging unit 340, the captured data processing unit 3110, and the user authentication request generation unit 3120 or a combination thereof may be one aspect of the user authentication request acquisition unit.

The sound wave decoding unit 3130 decodes an audio signal based on sound waves output from the user's information communication terminal device 20 and captured by the sound collecting unit 350 according to a predetermined inverse conversion rule, and converts the sound data into sound data. Generate. The predetermined inverse conversion rule is complementary to the predetermined conversion rule in information communication terminal device 20 . In other words, when the sound collecting unit 350 correctly collects the sound waves output by the information communication terminal device 20 , the sound data restored by the sound wave decoding unit 3130 is the same as the sound data in the information communication terminal device 20 . Therefore, when the sound wave output by the information communication terminal device 20 depends on the security code transmitted from the authentication system 50, the service terminal device 30 correctly restores the sound data based on the original security code. Also, if the sound wave relies on scrambled sound data, the sound wave decoding unit 3130 performs descrambling. Sound wave decoding section 3130 delivers the restored sound data as a security code to be authenticated to communication interface section 360 , whereby communication interface section 360 transmits the security code to be authenticated to authentication system 50 .

Although the service terminal device 30 may restore the security code based on the sound wave, the scrambled sound data (that is, the sound data scrambled by the information communication terminal device 20) is transmitted to the authentication system 50, and the authentication system At 50, the security code may be recovered by descrambling the scrambled sound data.

As described above, the transaction processing unit 316 is a component that, under the control of the service host 40, processes transactions related to services requiring the user authentication method according to the present disclosure based on requests from users. For example, when the transaction processing unit 316 receives a notification of a transaction request from the user authentication request generation unit 3120, the transaction processing unit 316 waits for the authentication determination result that will be sent later, and receives the authentication determination result. Then, the processing is performed according to the result of the authentication determination.

(Processing operation of service terminal device)
FIG. 8 is a flow chart showing an example of processing in the service terminal device according to one embodiment of the present invention. Such processing is realized, for example, by having the service terminal device 30 execute a service client program under the control of the processor 312 . Such processes may be executed sequentially, or may be executed in parallel or in parallel as long as the results of the processes are not inconsistent.

Referring to FIG. 3, service terminal device 30 in the standby state, for example, when touch panel 332 of user interface unit 330 is touched by the user, displays a menu screen regarding various transactions (S801). The selection of one transaction is accepted (S802). For example, in the case of an ATM, the menu screen includes deposit processing, cash withdrawal processing, transfer processing, balance inquiry, and the like.

When the service terminal device 30 receives the selection of one transaction from the user (Yes in S802), for example, a message is displayed on the touch panel 332 to prompt the user to hold the electronic barcode over the reading port. When the electronic barcode displayed on the information communication terminal device 20 is held over the reading opening, the electronic barcode is read (S803). Subsequently, the service terminal device 30 generates a user authentication request based on the read electronic barcode and transmits it to the authentication system 50 (S804). As a result, the service terminal device 30 starts listening to acquire a predetermined sound wave (S805).

When the service terminal device 30 captures the predetermined sound wave (Yes in S805), the service terminal device 30 decodes the captured sound wave to restore the sound data and transmits it to the authentication system 50 as the security code to be authenticated (S806). Thereby, the service terminal device 30 waits for the arrival of the result of the authentication determination from the authentication system 50 (S807).

When the service terminal device 30 receives the authentication determination result from the authentication system 50 (Yes in S807), it checks whether the received authentication determination result is authentication success or authentication failure (S808). When the service terminal device 30 determines that the received result of the authentication determination indicates successful authentication (Yes in S808), the service terminal device 30 requests the service host 40 to process the requested transaction, and executes the transaction (S809). . When the transaction processing is completed, the service terminal device 30 terminates the user's service processing. On the other hand, when the service terminal device 30 determines that the received result of the authentication determination is authentication failure (No in S808), for example, an error message is displayed on the touch panel 332 (S810), and the process ends.

As described above, the service terminal device 30 transmits a user authentication request to the authentication system 50 when the electronic barcode is read by the user based on the user's transaction request. When the information communication terminal device 20 outputs a sound wave based on the security code transmitted from the authentication system 50 to the information communication terminal device 20, the service terminal device 30 captures the sound wave and authenticates the user based on the captured sound wave. A security code can be sent to the authentication system 50 . As a result, the service terminal device 30 can perform processing based on the result of authentication determination returned from the authentication system 50 .

(Authentication system configuration)
Next, the authentication system 50 will be explained. As shown in FIG. 1, authentication system 50 may be configured including authentication server 60 and authentication database 70 . FIG. 9 is a diagram showing an example of the data structure of the authentication database in the authentication system according to one embodiment of the present invention. The authentication database 70 manages, for example, user information for each user as one record for each service host 40 .

That is, as shown in the figure, one record in the authentication database 70 can be configured including fields such as service ID, user ID, password, device ID, and serial code. The service ID is an ID for identifying services of the service host 40 that can be used by the user. One service ID may be assigned to the service host 40 , or may be assigned to any one of a plurality of services provided by the service host 40 . A user ID is a system user name assigned to each user. Password is a password data string set by the user. Passwords can be managed, for example, as shadow passwords from the viewpoint of security. The device ID is a unique device ID assigned to the information communication terminal device 20 of the user. Alternatively, the device ID can be a MAC address, for example. The serial code is a unique license authorization number assigned to the user authentication application program installed in the information communication terminal device 20 of the user.

In this example, the user "matsubara" is registered as a user who can use the services of the service host 40 indicated by the service IDs "a1234" and "a5678". Also, as the information communication terminal device 20 used by the user "matsubara" for user authentication, the information communication terminal device indicated by the device ID "77:88:AA:BB:CC" is set, and as the user authentication application program, the serial code "2018-987654-3210" is registered.

FIG. 10 is a block diagram showing an example of the functional configuration of an authentication system according to one embodiment of the invention. This figure shows components related to the present disclosure among various components of the authentication system 50 . That is, as shown in the figure, the authentication server 60 of the authentication system 50 includes, for example, a user authentication request reception unit 610, a first authentication determination unit 620, a security code generation unit 630, a security code storage unit 640, It can be configured including a security code transmission unit 650 , an authenticated security code reception unit 660 , a second authentication determination unit 670 , and an authentication determination result transmission unit 680 .

The user authentication request receiving unit 610 receives or acquires a user authentication request from the service terminal device 30 . The user authentication request receiving unit 610 may be one aspect of the user authentication request acquiring unit. As an example, the user authentication request receiving unit 610 assigns thread IDs to received user authentication requests in order to manage user authentication requests sent from a plurality of users. User authentication request receiving section 610 passes the received user authentication request to first authentication determining section 620 . Note that user authentication request receiving unit 610 temporarily stores the received user authentication request in a storage unit (not shown) instead of directly handing over the received user authentication request to first authentication determining unit 620, and sets the storage address of the storage unit to It may be configured to hand over.

The first authentication determination unit 620 refers to the authentication database 70 and performs first user authentication based on the user profile included in the received user authentication request. As an example, the first authentication determination unit 620 performs first user authentication based on the user ID and/or password. As another example, the first authentication determination unit 620 may use the device ID and serial code for authentication determination in addition to the user ID and/or password. When the first authentication determination unit 620 determines that the authentication is successful as a result of the first authentication determination, the first authentication determination unit 620 notifies the security code generation unit 630 .

Security code generation unit 630 generates a security code according to a predetermined algorithm when notified by first authentication determination unit 620 that authentication has been successful. For example, the security code generator 630 uses a random number function to generate the security code. Alternatively, a security code may be generated using a hash function using a time stamp, user ID, or the like as a seed. The security code may be a digital data string that cannot be understood by humans, and may have any data length, for example, from several bytes to several thousand bytes. The security code generation unit 630 writes the generated security code to the security code storage unit 640 and hands it over to the security code transmission unit 650 .

Security code storage unit 640 temporarily stores a security code generated for each user authentication request as an original security code. The stored original security code is purged, for example, when user authentication is completed by the second authentication determination unit 670 .

The security code transmission unit 650 transmits the security code handed over from the security code generation unit 630 to the information communication terminal device 20 of the user who transmitted the user authentication request. If the push notification function of the information communication terminal device 20 is valid, the security code transmission unit 650 may transmit the security code to the information communication terminal device 20 by push notification.

In addition, in order to measure the time from the generation/transmission of the security code to the reception of the security code, for example, the security code generation unit 630 or the security code transmission unit 650 obtains the time when the security code was transmitted, and It may be associated with the security code stored in the security code storage unit 640 .

The to-be-authenticated security code receiving unit 660 receives or acquires the to-be-authenticated security code transmitted from the service terminal device 30 . The authenticated security code receiving unit 660 may be one aspect of the authenticated security code acquisition unit. As an example, when the sound data restored by the service terminal device 30 is transmitted as it is as the authenticated security code, and the authenticated security code receiving unit 660 receives it, the authenticated security code receiving unit 660 receives the received sound data. Encode or descramble to recover the final authenticated security code. The authenticated security code receiving unit 660 passes the received (or restored) authenticated security code to the second authentication determination unit 670 . Also, for example, the authenticated security code receiving unit 660 can acquire the time when the authenticated security code is received.

Second authentication determination section 670 performs second authentication based on the received security code to be authenticated and the original security code temporarily stored in the security code storage section. Specifically, the second authentication determination unit 670 compares the received security code to be authenticated with the original security code temporarily stored in the security code storage unit, and as a result of the comparison, they are the same. If so, it is determined that the authentication has succeeded, and if they are not the same, it is determined that the authentication has failed. The second authentication determination unit 670 transfers the result of such authentication determination to the authentication determination result transmission unit 680 . Further, the second authentication determination unit 670 determines that the time from the generation/transmission of the security code to the reception of the security code to be authenticated is within a predetermined time (for example, 10 seconds, 20 seconds, 30 seconds, 1 minute, 3 minutes, or 5 minutes or any time therebetween).

Note that the first authentication determination unit 620 and the second authentication determination unit 670 can constitute an authentication determination unit. Also, the authentication determination unit may be configured including the security code storage unit 640 .

The authentication determination result transmitting section 680 transmits the result of authentication determination by the second authentication determining section 670 to the service terminal device 30 . Thereby, the service terminal device 30 starts a predetermined process according to the result of the authentication determination. For example, the service terminal device 30 starts processing according to the transaction request if the result of the authentication determination is authentication success. Further, if the result of the authentication determination is authentication failure, the service terminal device 30 displays, for example, a message on the screen of the user interface unit 330 to the effect that processing according to the transaction request cannot be performed. As another example, the authentication determination result transmitting section 680 may additionally transmit the authentication determination result to the information communication terminal device 20 . As a result, for example, even if a malicious third party makes a transaction request from the service terminal device 30 using another information communication terminal device 20, the result of the authentication determination is not transmitted to the legitimate information communication terminal device 20. Therefore, the user can know such fraudulent acts of the third party and can take prompt countermeasures. As yet another example, the service terminal device 30 may transmit the authentication determination result to the information communication terminal device 20 by sound waves.

Alternatively, the authentication determination result transmission unit 680 may be configured to transmit the result of authentication determination by the second authentication determination unit 670 to the service host 40 . In this case, for example, the service terminal device 30 accepts the transaction request from the user as it is and starts processing it, and the service host 40 refuses to process the transaction when the result of the authentication determination indicates authentication failure, It can return the result to the service terminal.

(Processing operation of authentication system)
FIG. 11 is a flow chart showing an example of processing in the authentication system according to one embodiment of the present invention. Such processing is realized, for example, by the authentication server 60 of the authentication system 50 executing an authentication program under the control of a processor (processor module). Such processes may be executed sequentially, or may be executed in parallel or in parallel as long as the results of the processes are not inconsistent.

That is, as shown in the figure, the authentication server 60 waits until it receives a user authentication request from the service terminal device 30 (S1101). Upon receiving the user authentication request from the service terminal device 30 (Yes in S1101), the authentication server 60 performs first authentication based on the received user authentication request (S1102). For example, the authentication server 60 refers to the authentication database 70 and performs so-called password authentication based on the user ID and password included in the user authentication request. When the authentication server 60 determines that the authentication is successful in the first authentication (Yes in S1103), it generates a security code, temporarily stores it as an original security code (S1104), and sends a copy of it to the user. to the information communication terminal device 20 (S1105). The transmission of the security code may be performed by push notification, for example. If the first authentication for the user fails, the authentication server 60 transmits the result of the authentication determination indicating authentication failure to the service terminal device 30 (S1110).

After transmitting the security code to the information communication terminal device 20, the authentication server 60 waits for the arrival of the authenticated security code transmitted from the service terminal device 30 (S1106). If the authentication server 60 does not receive the security code to be authenticated within a predetermined period of time, the authentication server 60 may terminate the user authentication process for the user authentication request. When the authentication server 60 receives the to-be-authenticated security code (Yes in S1106), the authentication server 60 makes a second authentication determination based on the to-be-authenticated security code (S1107). Specifically, the authentication server 60 makes a second authentication determination for the user based on the temporarily stored original security code and the received authenticated security code. Typically, the authentication server 60 determines that authentication is successful if the security code to be authenticated matches the original security code. When the authentication server 60 determines that the authentication is successful by the second authentication (Yes in S1108), the authentication server 60 transmits the authentication determination result indicating the authentication success to the service terminal device 30 (S1109). On the other hand, when the authentication server 60 determines that the authentication has failed in the second authentication (Yes in S1108), the authentication determination result indicating the authentication failure is transmitted to the service terminal device 30 (S1110).

(effect or advantage)
According to the technology according to the present disclosure (the present technology), in addition to the effects and advantages described above, at least one of the various effects and advantages described below can be obtained.

For example, according to the present technology, practical transactions or information exchange processing using electronic barcodes can be realized.

Moreover, according to the present technology, even if the electronic barcode is illegally duplicated, it is possible to realize secure transactions only for legitimate users.

Moreover, according to the present technology, secure and quick transactions can be realized by using an electronic barcode instead of a conventional user ID and password.

In addition, according to this technology, in transactions using electronic barcodes, multi-factor/multi-path user authentication can be realized without requiring high hardware specifications, thereby realizing secure transactions. .

In addition, in transactions using electronic barcodes, this technology ensures a high level of security through multi-factor/multi-path authentication, while eliminating the need for manual input by users, enabling secure and prompt transactions. can be realized.

Moreover, according to the present technology, secure and rapid transactions using electronic barcodes can be realized without using conventional security tokens (or without the user being aware of security tokens).

Each of the above embodiments is an example for explaining the present invention, and is not intended to limit the present invention only to these embodiments. The present invention can be embodied in various forms without departing from the gist thereof.

For example, in the methods disclosed herein, steps, actions or functions may be performed in parallel or in a different order without conflicting results. The steps, acts and functions described are provided as examples only and some of the steps, acts and functions may be omitted or combined together without departing from the scope of the invention. one, and other steps, operations, or functions may be added.

In addition, although various embodiments are disclosed in this specification, specific features (technical matters) in one embodiment may be added to other embodiments or Certain features in the embodiments can be substituted and such forms are included in the gist of the invention.

As an example, in the present disclosure, the computer system 1 has been described as a configuration in which the authentication system 50 transmits the security code to the information communication terminal device 20 and the information communication terminal device 20 receives it. do not have. For example, the information communication terminal device 20 and the authentication system 50 each hold a security token that is configured to synchronize with each other (for example, time synchronization or event synchronization), and instead of transmitting the security code, the security token User authentication may be performed based on a generated one-time security code (security token code). Such synchronization is done using the same security code generation algorithm and seed as each other. That is, when the information communication terminal device 20 receives from the service terminal device 30 that the imaging of the electronic barcode has been completed, the software security token incorporated in the user authentication application program generates a security code, which is then sent to the service by sound waves. It is transmitted to the terminal device 30 . The authentication system 50 performs the second authentication based on the security code to be authenticated based on the sound wave transmitted from the service terminal device 30 and the security code generated by its own software security token. As a result, the information communication terminal device 20 does not need to directly communicate with the authentication system 50 at the time of user authentication (or at the time of transaction request), and can transmit the authenticated security code to the service terminal device 30 by sound waves. will be able to

As another example, in the present disclosure, the authentication system 50 transmits a security code to the information communication terminal device 20, and when the information communication terminal device 20 receives the security code, the information communication terminal device 20 receives the security code as it is (through the user's operation). Although it has been described as a configuration for outputting as a sound wave, it is not limited to this. For example, at the stage when the information communication terminal device 20 receives the security code, it may be configured to prompt the user for confirmation, receive the operation of the send button, and output sound waves.

As still another example, the information communication terminal device 20 and the service terminal device 30 may be configured to bi-directionally exchange predetermined information using sound waves. That is, the service terminal device 30 also outputs sound waves based on the data, and the information communication terminal device 20 can also be configured to capture and process sound waves using built-in microphones. For example, the service terminal device 30 may transmit the transaction completion message to the information communication terminal device 20 by sound waves, and the information communication terminal device 20 may interpret this and display it on the user interface.

DESCRIPTION OF SYMBOLS 1... Computer system 10... Communication network 12... Computer network 14... Mobile communication network 16... Gateway 20... Information communication terminal device 210... Control part 212... Processor 2110... Electronic barcode generation part 2120... Display output control part 2130... Security code Acquisition unit 2140 Sound data generation unit 2150 Sound output control unit 220 Storage unit 230 User interface unit 240 Communication interface unit 30 Service terminal device 310 Control unit 312 Processor 314 Input/output control unit 316 Transaction processing Part 3110... Imaging data processing part 3120... User authentication request generation part 3130... Sound wave decoding part 3140... Security code transmission part to be authenticated 320... Storage part 330... User interface part 340... Imaging part 330... Sound collecting part 360... Communication interface part 40... Service host 50... Authentication system 60... Authentication server 610... User authentication request receiving unit 620... First authentication determining unit 630... Security code generating unit 640... Security code storage unit 650... Security code transmitting unit 660... Security code to be authenticated Reception unit 670 Second authentication determination unit 680 Authentication determination result transmission unit 70 Authentication database

Claims (22)

A system for authenticating a user using an information communication terminal device possessed by the user,
User authentication for acquiring a user authentication request based on the imaged geometric pattern when a geometric pattern based on a transaction request corresponding to the input content of the user displayed on the display of the information communication terminal device is imaged. a request acquisition unit;
a security code generation unit that generates a first security code for the user authentication request according to the acquired user authentication request;
An authenticated security code for acquiring an authenticated security code generated based on sound waves generated and output by said information communication terminal device based on a second security code associated with said generated first security code an acquisition unit;
an authentication determination unit that determines authentication of the user, wherein the authentication determination unit performs the authentication determination based on the first security code and the authenticated security code;
system. The system further comprises a security code storage unit that stores the first security code generated by the security code generation unit.
The system of claim 1. The authentication determination unit determines the authentication according to whether or not the first security code stored in the security code storage unit matches the authenticated security code acquired by the authenticated security code acquisition unit. I do,
3. The system of claim 2 . The system includes:
Further comprising an authentication database that manages user information including user IDs for identifying users,
The authentication determination unit performs the authentication determination based on the user ID in the authentication database and the user ID included in the user authentication request acquired by the user authentication request acquisition unit.
4. A system according to any one of claims 1-3. When the authentication determination unit determines that the user ID in the authentication database matches the user ID included in the user authentication request acquired by the user authentication request acquisition unit, the security code generation unit generate a first security code;
5. The system of claim 4. The system transmits the second security code associated with the first security code generated by the security code generation unit to the information communication terminal device in response to acquisition of the user authentication request. further comprising a code transmission unit;
6. A system according to any one of claims 1-5. The system includes:
an imaging unit that images the geometric pattern;
a user authentication request generation unit that generates the user authentication request based on the geometric pattern imaged by the imaging unit;
7. A system according to any one of claims 1-6. The system includes:
a sound collecting unit that captures sound waves generated and output by the information communication terminal device;
an authenticated security code generation unit that generates an authenticated security code based on the sound waves captured by the sound collector;
8. The system of claim 7. The sound collector starts capturing the sound waves when the geometric pattern is imaged.
9. System according to claim 8. The sound collector captures a trigger sound wave for starting authentication,
The imaging unit starts imaging the geometric pattern when a trigger sound wave for starting the authentication is captured by the sound collecting unit.
9. System according to claim 8. The system according to any one of claims 1 to 10, wherein said security code generator generates said first security code as a one-time password each time said geometric pattern is imaged. 2. The system according to claim 1, wherein said second security code is generated inside said information communication terminal device without said information communication terminal device communicating with said system. 13. The system of any one of claims 1-12, wherein the output sound wave comprises a sound wave pattern of a predetermined duration. 14. The system of claim 13, wherein the sound wave pattern comprises sound waves at inaudible frequencies. 14. The system of claim 13, wherein the sound wave pattern consists of sound waves of audible frequencies excluding the frequency band of 100 Hz to 4000 Hz. 14. The system of claim 13, wherein the sound wave pattern consists of a combination of sound waves of different frequencies. 17. The system according to claim 16, wherein said to-be-authenticated security code acquisition unit extracts a sound wave pattern of a specific frequency, and restores the to-be-authenticated security code based on the extracted sound wave pattern of the specific frequency. A system for providing a predetermined service to a user using an information communication terminal device possessed by the user,
an authentication server that authenticates the user;
a service terminal device for accepting a transaction request related to the predetermined service from the user;
The authentication server is
an authentication database that manages user information including user IDs to identify users;
a security code generator that generates a first security code for the user;
an authentication determination unit that performs authentication determination based on the first security code;
The service terminal device
an imaging unit that captures a geometric pattern based on a transaction request according to the user's input content displayed on the display of the information communication terminal device;
a user authentication request generating unit that generates a user authentication request for the transaction request based on the geometric pattern captured by the imaging unit;
a sound collector that captures sound waves generated and output by the information communication terminal device based on a second security code associated with the first security code;
an authenticated security code generation unit that generates an authenticated security code based on the sound wave captured by the sound collector;
The authentication determination unit is
making a first authentication determination based on the user ID in the authentication database and the user ID included in the user authentication request;
making a second authentication determination based on the first security code and the authenticated security code;
system. A system that provides a predetermined service to a user,
an information communication terminal device possessed by the user;
an authentication server that authenticates the user;
a service terminal device for accepting a transaction request related to the predetermined service from the user;
The information communication terminal device
a user interface unit having at least a display and a speaker;
a geometric pattern generation unit that generates a geometric pattern based on the user profile of the user and a transaction request according to the input content of the user ;
a display control unit that controls to display the generated geometric pattern on the display;
a sound data generation unit that generates a sound source;
A sound output control unit that controls to output a sound wave based on the generated sound source from the speaker,
The authentication server is
an authentication database that manages user information including user IDs to identify users;
a security code generator that generates a first security code for the user;
an authentication determination unit that performs authentication determination based on the first security code;
The service terminal device
an imaging unit for imaging the geometric pattern displayed on the display of the information communication terminal device;
a user authentication request generating unit that generates a user authentication request for the transaction request based on the geometric pattern captured by the imaging unit;
a sound collector that captures sound waves generated and output by the information communication terminal device based on a second security code associated with the first security code;
an authenticated security code generation unit that generates an authenticated security code based on the sound wave captured by the sound collector;
The sound data generation unit
generating the sound wave based on a second security code associated with the first security code generated by the security code generator;
The authentication determination unit is
making a first authentication determination based on the user ID in the authentication database and the user ID included in the user authentication request;
making a second authentication determination based on the first security code and the authenticated security code;
system. An information communication terminal device used for user authentication for using a predetermined service provided via a service terminal device,
a geometric pattern generation unit that generates a geometric pattern based on a user profile of the user and a transaction request according to the input content of the user ;
a display control unit that controls the generated geometric pattern to be displayed on the display of the information communication terminal device;
a security code acquisition unit for acquiring a predetermined security code for user authentication that is transmitted when the geometric pattern displayed on the display of the information communication terminal device is imaged by the service terminal device;
a sound data generation unit that generates sound data based on the acquired predetermined security code;
a sound output control unit that controls to output the generated sound data from a speaker of the information communication terminal device as a sound wave,
Information communication terminal equipment. A user authentication method by an authentication server for authenticating a user using an information communication terminal device possessed by the user,
Acquiring a user authentication request based on the imaged geometric pattern when a geometric pattern based on the transaction request corresponding to the input content of the user displayed on the display of the information communication terminal device is imaged; ,
generating a first security code for the user authentication request in response to the obtained user authentication request;
obtaining an authenticated security code generated based on sound waves generated and output by the information communication terminal device based on a second security code associated with the generated first security code;
making an authentication determination for the user based on the first security code and the authenticated security code;
User authentication method. A program executed in an information communication terminal device used for user authentication for using a predetermined service provided via a service terminal device,
In the information communication terminal device,
a geometric pattern generation unit that generates a geometric pattern based on a user profile of the user and a transaction request according to the input content of the user ;
a display control unit that controls the generated geometric pattern to be displayed on the display of the information communication terminal device;
a security code acquisition unit for acquiring a predetermined security code for user authentication that is transmitted when the geometric pattern displayed on the display of the information communication terminal device is imaged by the service terminal device;
a sound data generation unit that generates sound data based on the acquired predetermined security code;
a sound output control unit for controlling the generated sound data to be output as a sound wave from a speaker of the information communication terminal device;
program to make it happen.

Images