JP7240104B2 - Authentication device, authentication method, authentication program and authentication system - Google Patents

Description

The present invention relates to an authentication device, an authentication method, an authentication program, and an authentication system.

The spread of communication terminal devices equipped with various sensors is progressing. Sensors mounted on terminals convert physical phenomena into digital signals to obtain data indicating various situations (contexts) surrounding the terminal (hereinafter referred to as "context data"). . The context data is transmitted to a predetermined server via a network and used for various information processing.

For example, there is known a technique of authenticating a user based on a combination of context data (terminal usage status) acquired from a plurality of terminals.

Japanese Patent No. 6181716

However, the above conventional techniques have room for improvement. For example, in the conventional technology described above, when authentication is attempted using a specific terminal installed at a home or office, the user is notified of the usage status of location information, etc. that indicates the transition of the user's movement to the home or office. Personal authentication is performed based on the combination of usage statuses obtained from other owned terminals. That is, in the above-described conventional technology, various information such as information specifying the user's home, company, etc., and location information of each terminal before moving to the installation place of the terminal are used for processing, so the processing is complicated. may become

The present application has been made in view of the above, and an object thereof is to provide an authentication device, an authentication method, an authentication program, and an authentication system capable of easily realizing highly secure authentication processing.

An authentication device according to the present application provides, as context data of a first terminal used by a user, a position indicating a relative positional relationship between the first terminal and a second terminal which is a terminal different from the first terminal. An acquisition unit that acquires relationship information, and a model generation unit that generates an authentication model for authenticating the identity of the user based on the positional relationship information acquired by the acquisition unit.

According to one aspect of the embodiment, it is possible to easily implement highly secure authentication processing.

FIG. 1 is a diagram (1) illustrating an example of authentication processing according to an embodiment. FIG. 2 is a diagram (2) illustrating an example of authentication processing according to the embodiment. FIG. 3 is a diagram for explaining context bag generation processing according to the embodiment. FIG. 4 is a diagram illustrating a configuration example of an authentication system according to the embodiment. FIG. 5 is a diagram illustrating a configuration example of an authentication device according to the embodiment; 6 is a diagram illustrating an example of a terminal information storage unit according to the embodiment; FIG. 7 is a diagram illustrating an example of a context data storage unit according to the embodiment; FIG. 8 is a diagram illustrating an example of an authentication model storage unit according to the embodiment; FIG. FIG. 9 is a diagram illustrating a configuration example of the first terminal according to the embodiment; FIG. 10 is a flowchart (1) showing a processing procedure according to the embodiment. FIG. 11 is a flowchart (2) showing a processing procedure according to the embodiment; FIG. 12 is a flowchart (3) showing a processing procedure according to the embodiment. FIG. 13 is a diagram illustrating a configuration example of an authentication device according to a modification; FIG. 14 is a hardware configuration diagram showing an example of a computer that implements the functions of the authentication device.

Modes for implementing an authentication device, an authentication method, an authentication program, and an authentication system (hereinafter referred to as "embodiments") according to the present application will be described in detail below with reference to the drawings. Note that the authentication device, authentication method, authentication program, and authentication system according to the present application are not limited to this embodiment. Further, each embodiment can be appropriately combined within a range that does not contradict the processing contents. Also, in each of the following embodiments, the same parts are denoted by the same reference numerals, and overlapping descriptions are omitted.

[1. Example of authentication process]
First, an example of authentication processing according to the embodiment will be described with reference to FIGS. 1 to 3. FIG. FIG. 1 is a diagram (1) illustrating an example of authentication processing according to an embodiment. FIG. 1 shows an example in which the authentication device 100 according to the present application executes processing for generating an authentication model used in processing for authenticating the identity of a user.

An authentication device 100 illustrated in FIG. 1 is a server device that executes authentication processing according to the embodiment. For example, in a service provided via a network, the authentication device 100 determines whether or not a user attempting to use the service is the user registered for the service. Authenticate the user who accessed the .

A user U01 illustrated in FIG. 1 is an example of a user who is going to be authenticated by the authentication device 100 . For example, the user U01 is a user who has already registered with the service provided by the authentication device 100 and has been issued a user account or the like from the service. The user U01 can use personalized services by having his identity authenticated by the authentication device 100 through the authentication process described below.

In the example shown in FIG. 1, the user U01 possesses a plurality of information processing terminals (devices). For example, the user U01 is a terminal that is mainly used when accessing a service, and is a terminal that transmits context data required for authentication processing according to the embodiment to the authentication device 100 (hereinafter, for distinction, such a terminal is referred to as " It has a smartphone 20 which is called a "first terminal". In addition to the smartphone 20, the user U01 has a plurality of terminals that do not transmit the context data required for the authentication process according to the embodiment to the authentication device 100 (hereinafter, these terminals will be referred to as "second terminals" for distinction). have. For example, the user U01 possesses a so-called wearable device, such as a wristwatch-type terminal 30 that can be worn on the wrist, or an eyeglass-type terminal 40 that is worn around the eyes for use. Note that hereinafter, when there is no need to distinguish between the smart phone 20, the watch-type terminal 30, the glasses-type terminal 40, and the like, these are collectively referred to as the "user terminal 10". Also, hereinafter, the user may be read as the user terminal 10 or the like. For example, the statement "the user transmits the context data" may actually indicate the situation "the user terminal 10 used by the user transmits the context data".

In general, authentication processing in a service is performed by accepting authentication information from registered users. The authentication information is, for example, a password set by the user or biometric information (fingerprint, etc.) of the user. However, since there are many services via networks, it is a burden for the user to remember passwords corresponding to each service and input information such as fingerprints each time authentication is performed.

Therefore, the authentication device 100 according to the embodiment uses a method described below to perform user authentication processing without accepting input of authentication information such as a password from the user. Specifically, the authentication device 100 acquires positional relationship information indicating the relative positional relationship between the first terminal and the second terminal as the context data of the first terminal used by the user. Authentication device 100 then generates an authentication model for authenticating the identity of the user based on the acquired positional relationship information. As a result, the authentication device 100 can authenticate the identity of the user by using the context data of the first terminal acquired when the user accesses the service, without the user performing any particular operation. can. In addition, authentication device 100 does not necessarily require context data such as location information that is positioned using a GPS (Global Positioning System) function, for example, and uses the relative positional relationship between the first terminal and the second terminal. Authentication processing can be easily performed by performing authentication using the The flow of authentication processing according to the embodiment will be described below with reference to FIGS. 1 to 3. FIG.

With reference to FIG. 1, the flow of processing in which the authentication device 100 generates an authentication model corresponding to the user U01 will be described. In the example shown in FIG. 1, the user U01 presents predetermined authentication information (such as a password) to the authentication device 100 and is in a state of being authenticated by the authentication device 100 . For example, the user U01 is in a state of being successfully authenticated by the authentication information and logged in to the service provided by the authentication device 100 .

In this state, the smartphone 20, which is the first terminal, detects the context of its own device (step S11). Here, the context refers to a situation in which the smartphone 20 is used by the user U01, a situation in which the user U01 is placed, and various situations related to the surrounding environment of the smartphone 20. Then, the smartphone 20 acquires context data based on the detected context.

Context data is data indicating the context detected by the smartphone 20 . For example, the context data is data representing the context detected by various sensors of the smartphone 20 by physical numerical values. Context data corresponds to various data surrounding the smartphone 20 . In the example of FIG. 1, the smartphone 20 acquires, as context data, positional relationship information indicating the relative positional relationship between the smartphone 20 and the watch-type terminal 30 or the glasses-type terminal 40, which are the second terminals.

That is, the positional relationship information is information indicating that the smartphone 20 and the second terminal are within a predetermined spatial range (neighborhood). The smartphone 20 detects nearby second terminals at predetermined time intervals (for example, every five minutes). For example, the smartphone 20 detects a nearby second terminal by detecting radio waves such as Wifi (registered trademark) or Bluetooth (registered trademark) or by detecting terminals using the same access point.

Specifically, the smartphone 20 detects the identification information of the surrounding second terminals and the intensity of the radio waves emitted by each of the second terminals, and determines which second terminals are located nearby. As an example, the smartphone 20 detects the relative positional relationship with the second terminal based on the numerical value of RSSI (Received Signal Strength Indication), and determines the second terminal located nearby. Further, the smartphone 20 may detect the second terminal with which pairing has been completed based on the Bluetooth function regardless of the radio field intensity.

Then, the smartphone 20 extracts the second terminal having the relatively closest relationship among the detected second terminals. For example, the smartphone 20 extracts the closest second terminal. Alternatively, the smartphone 20 may preferentially extract the second terminal for which pairing has been completed. Then, the smartphone 20 detects the second terminals extracted within a predefined maximum number (in the example of FIG. 1, the maximum number is “three” including the own device), the detected time, and the are associated to generate positional relationship information. In the example shown in FIG. 1, the positional relationship information is expressed in a format such as [8:00;20,30]. The positional relationship information indicates that the “smartphone 20 (own device)” and the “watch-type terminal 30” are located close to each other at 8:00. In other words, the positional relationship information indicates that the smartphone 20 detected the watch-type terminal 30 as a second terminal closely related to the smartphone 20 at 8:00. Similarly, the positional relationship information expressed in a format such as [8:05; This indicates that the "watch type terminal 30" and the "glasses type terminal 40" have been detected.

Although the details will be described later, the smartphone 20 uses, as context data, position information of its own device when the positional relationship information is acquired, and terminal information of the detected second terminal (whether the second terminal is a mobile terminal or not). A variety of information such as the type, etc., may be acquired.

Subsequently, the smartphone 20 generates information (hereinafter referred to as a “context bag”) in which the acquired positional relationship information is bundled (step S12). For example, a context bag is a bundle of location information acquired during a predefined length of time (eg, 10 minutes). The reason for generating a context bag is that more features can be extracted by processing using a context bag containing multiple pieces of positional relationship information than by processing only one piece of positional relationship information. This is because there is an advantage that efficient learning (model generation) can be performed for the authentication device 100 because it can be performed.

In the example illustrated in FIG. 1 , the smartphone 20 generates a context bag as a bundle of three pieces of positional relationship information acquired within the last 10 minutes. Specifically, the smartphone 20 has a bundle of positional relationship information such as “[8:00;20,30], [8:05;20,30,40], [8:10; A context bag BG01 is generated. Similarly, the smartphone 20 displays a context in which positional relationship information such as "[8:05;20,30,40],[8:10;20,30,40],[8:15;20]" Generate bag BG02. Similarly, the smartphone 20 generates a context bag BG03 in which positional information such as "[8:10;20,30,40],[8:15;20],[8:20;20]" is bundled. do. It should be noted that the authentication device 100 may define a setting such as how long the context bag contains the positional relationship information.

The smartphone 20 periodically transmits the context bag generated at predetermined time intervals to the authentication device 100 (step S13). For example, the smartphone 20 transmits the generated context bag to the authentication device 100 at predefined time intervals (for example, 5 minutes). Note that the smartphone 20 may store the generated context bags and transmit them collectively at a predetermined timing.

The authentication device 100 acquires the transmitted context bag, associates it with the user U01 logging in to the service, and accumulates the acquired context bag. Then, the authentication device 100 generates an authentication model for the user U01 when a sufficient amount of context bag for model generation (for example, 10 days' worth or one month's worth) is accumulated (step S14).

The context bag transmitted to the authentication device 100 while the smartphone 20 is logged in to the service indicates the positional relationship between the smartphone 20 and the second terminal when the user U01 is authenticated. (hereinafter sometimes referred to as “device context”). For example, the context bag is information indicating that the watch-type terminal 30 or the glasses-type terminal 40 is located nearby in many cases under the condition that the user U01 is authenticated. Then, as a result of accumulating a considerable number of context bags, the authentication device 100 determines that “the user U01 has been authenticated (that the user U01 is the same person)” and “the relative relationship between the first terminal and the second terminal”. Statistical tendency can be obtained for the relationship with the “positional relationship (device context)”. Based on such information, the authentication device 100 generates an authentication model corresponding to the user U01.

For example, the authentication device 100 generates a model that statistically analyzes the feature amount of the accumulated context bag, such as logistic regression or linear regression analysis. Specifically, the authentication device 100 generates a model for calculating the probability that the watch-type terminal 30 and the glasses-type terminal 40 are in the vicinity while the user U01 is being authenticated. In other words, the authentication device 100 uses the fact that the user who is requesting authentication using the smartphone 20 is “the user U01” as an objective variable, and the authentication device 100 determines that “a watch-type terminal 30” or a “glasses-type terminal” is located near the smartphone 20. A regression equation is generated with "the presence of 40" as an explanatory variable. As a result, the authentication device 100 indicates that the user is "user U01" when predetermined information (for example, positional information at the time when user U01 makes a new authentication request) is input to the model. Score can be output. For example, when the authentication model is represented by a regression equation such as logistic regression, based on the input positional relationship information, authentication device 100 sets the score indicating the probability that the user who transmitted the information is “user U01” to 0. to 1.

Although the details will be described later, when generating an authentication model, the authentication device 100 may use position information when the smartphone 20 generated the context bag, time information when the context bag was generated, and the like. .

The authentication device 100 stores the generated authentication model in the authentication model storage unit 123 (step S15). From now on, when the authentication device 100 receives an authentication request from the user U01, the authentication device 100 authenticates the user U01 using the authentication model regardless of authentication information such as a password. Authentication processing according to the embodiment will be described with reference to FIG.

FIG. 2 is a diagram (2) illustrating an example of authentication processing according to the embodiment. FIG. 2 shows an example in which authentication processing for user U01 is executed by authentication device 100 using an authentication model.

In the example of FIG. 2, it is assumed that the user U01 has not been authenticated by the authentication device 100. FIG. For example, the user U01 has once logged out of the service provided by the authentication device 100 and needs to be newly authenticated by the authentication device 100 in order to use the service. In this case, the user U01 transmits an authentication request to the authentication device 100 via the smartphone 20 (step S21). For example, user U01 requests login to the service.

Here, the smartphone 20 transmits the currently detected context data to the authentication device 100 together with the authentication request (step S22). For example, the smartphone 20 transmits the positional relationship information acquired at the time of the authentication request to the authentication device 100 as context data.

In the example of FIG. 2, the smartphone 20 transmits context data in the form of a context bag in which positional relationship information is bundled, as at the time of model generation. For example, the smartphone 20 bundles positional relationship information such as "[12:00; 20,30,40], [12:05; 20,30,40], [12:XX; The new context data DT11 is transmitted. "12:XX" indicates the time when the authentication request was sent.

The authentication device 100 determines the identity of the user U01 based on the context data DT11 at the time of authentication acquired from the smartphone 20 (step S23). For example, the authentication device 100 identifies the authentication model of the user U01 stored in the authentication model storage unit 123 based on the identification information of the user U01 (smartphone 20) that has transmitted the authentication request. Then, the authentication device 100 inputs the context data DT11 to the authentication model, and calculates a score indicating whether the user who sent the context data DT11 is the user U01 himself or not, based on the feature amount of the context data DT11.

Then, when the calculated score exceeds a predetermined threshold (for example, when the score exceeds "0.6" when the score is indicated in the range of 0 to 1), authentication device 100 sets the context data It is determined that the user who sent DT11 is "user U01". Through such processing, the authentication device 100 can authenticate the user U01 without requiring the user U01 to enter a password or the like (step S24). Subsequently, the authentication device 100 notifies the smartphone 20 that the authentication has succeeded (step S25).

If the authentication device 100 cannot confirm the identity of the user U01 in step S23 (for example, if the score is equal to or less than a predetermined threshold value), the authentication device 100 requests authentication information such as a password and fingerprint from the user U01. You may send a notification to

As described with reference to FIGS. 1 and 2, the authentication device 100 according to the embodiment uses the first terminal and the first Acquire positional relationship information indicating a relative positional relationship with two terminals. Then, the authentication device 100 generates an authentication model for authenticating the identity of the user U01 based on the acquired positional relationship information. Further, when receiving a request for authentication from the first terminal, the authentication device 100 authenticates the identity of the user U01 based on the context data of the first terminal acquired together with the request for authentication and the authentication model.

In this way, the authentication device 100 identifies the identity of the user U01 based on the positional relationship between the first terminal, which is the terminal mainly used by the user to be authenticated, and the second terminal located within a predetermined spatial range. process to authenticate. As a result, the authentication device 100 can identify the second terminal located near the first terminal at the time of authentication without specifying absolute location information using a GPS function or the like, or specifying the location of the terminal used for authentication. (For example, the terminal that the user U01 always carries) can be used to authenticate the user U01. That is, the authentication device 100 can authenticate the identity of the user U01 with simple processing without performing complicated processing such as analysis of absolute position information.

1 and 2, the authentication device 100 generates an authentication model based on the context bag generated by the first terminal. Since the context bag includes a plurality of pieces of positional relationship information, the authentication device 100 can extract more feature amounts than a single piece of positional relationship information. Therefore, the accuracy of the model to be generated can be improved.

An example of context bag generation will be described with reference to FIG. FIG. 3 is a diagram for explaining context bag generation processing according to the embodiment. FIG. 3 conceptually illustrates a process in which the first terminal generates a context bag. In the example of FIG. 3, the first terminal is "terminal A (simply denoted as "A" in FIG. 3; the same applies to other terminals)", and the second terminal detected by the first terminal is "terminal B", "terminal C", "terminal D", and "terminal E".

Terminal A detects the second terminal when a preset detection time arrives. For example, terminal A detects the second terminal at "9:00" and detects terminal B as a result of the detection. Also, terminal A detects the relative distance to terminal B. FIG. For example, terminal A measures the distance between itself and terminal B using the strength of radio waves received from terminal B and the like.

Then, terminal A extracts, from the detected second terminals, second terminals detected to be relatively close to the terminal A, and generates positional relationship information. Terminal A may preset the number of terminals to be included in the positional relationship information. For example, as shown in FIGS. 1 and 2, terminal A generates positional relationship information so that up to "three" terminals are included. In the example of FIG. 3, since terminal A detects only terminal B at "9:00", the positional relationship information ( In FIG. 3, [9:00: A, B]) is generated.

Then, terminal A generates a context bag that bundles the positional relationship information at the timing of generating the positional relationship information. At "9:00", terminal A has generated only one piece of positional relationship information, so it generates a context bag BG11 containing one piece of positional relationship information. Note that, if the time range of the positional relationship information included in the context bag is set in advance, the terminal A generates the context bag according to the set time. For example, terminal A generates a context bag in which the time range is set to "10 minutes". In this case, even if the terminal A holds the positional relationship information corresponding to the time of "8:40", the positional relationship information of "8:40" and the positional relationship information of "9:00" are "10:00". Since it is not included in the range of "8:40", the context bag BG11 does not include the positional information of "8:40".

After that, when the timing of the next detection arrives, the terminal A performs the process of detecting the second terminal again. For example, when the detection interval is set to "5 minutes", terminal A detects the surrounding second terminal at "9:05". At this point, if the terminal A does not detect a second terminal other than its own device, it generates positional relationship information that includes only its own device.

Then, at the timing when the positional relationship information of "9:05" is generated, the terminal A creates a context bag that bundles the positional relationship information. For example, terminal A generates a context bag BG12 in which the positional relationship information corresponding to "9:00" and the positional relationship information corresponding to "9:05" are bundled.

After that, terminal A detects the second terminal at "9;10". For example, terminal A detects terminal C and terminal D as second terminals. In this case, terminal A generates positional relationship information indicating only that terminal A, terminal C, and terminal D have a relationship. Then, at the timing when the terminal A generated the positional relation information of "9:10", the positional relational information corresponding to "9:00", the positional relational information corresponding to "9:05", and the positional relation information corresponding to "9:05". A context bag BG13 is generated by bundling together the positional relationship information corresponding to "10".

After that, terminal A detects the second terminal at "9;15". For example, terminal A detects terminal C, terminal D, and terminal E as second terminals. In this case, terminal A compares the relative distances of terminal C, terminal D, and terminal E to itself. Then, terminal A extracts a second terminal that is close to itself. At "9:15", terminal C and terminal D are closer than terminal E, so terminal A extracts terminal C and terminal D as second terminals having a relationship. Then, terminal A generates positional relationship information indicating only that terminal A, terminal C, and terminal D have a relationship.

Then, terminal A generates a context bag BG14 including positional information corresponding to "9:15". At the time "9:15" when the context bag BG14 is generated, the positional information corresponding to "9:00" exceeds the time range "10 minutes" of the context bag, so it is not included in the context bag BG14. . That is, the terminal A corresponds to each of "9:05", "9:10", and "9:15", which are the positional relationship information generated in the time range from "9:15" to "10 minutes". A context bag BG14 is generated by bundling the obtained positional relationship information.

As shown in FIG. 3, terminal A generates a context bag containing a plurality of pieces of positional relationship information according to generation timing. Authentication device 100 then uses a context bag containing a plurality of pieces of positional relationship information to indicate the relationship between the status that the user has been authenticated and the relative positional relationship between the first terminal and the second terminal. Generate an authentication model. In this way, the authentication device 100 can learn efficiently by using a plurality of pieces of positional relationship information, so that the accuracy of the generated authentication model can be improved.

As described above with reference to FIGS. 1 to 3, the authentication device 100 confirms that the user who requested authentication is the user corresponding to the authentication model based on the context data and the authentication model at the time of authentication. User authentication is performed by determining the probability of The authentication device 100 that performs such processing and the authentication system 1 including the authentication device 100 will be described in detail with reference to FIG. 4 and the subsequent figures.

[2. Configuration of authentication system]
The configuration of the authentication system 1 including the authentication device 100 according to the embodiment will be described with reference to FIG. FIG. 4 is a diagram showing a configuration example of the authentication system 1 according to the embodiment. As illustrated in FIG. 4, the authentication system 1 according to the embodiment includes a user terminal 10 and an authentication device 100. As shown in FIG. The user terminal 10 also includes a first terminal such as the smartphone 20 and a second terminal such as the watch-type terminal 30 and the glasses-type terminal 40 . These various devices are communicatively connected via a network N by wire or wirelessly.

The user terminal 10 is, for example, an information processing terminal (device) such as a desktop PC (Personal Computer), a notebook PC, a tablet terminal, a mobile phone including a smart phone, or a PDA (Personal Digital Assistant). The user terminal 10 also includes wearable devices such as the watch-type terminal 30 and the spectacle-type terminal 40 . Furthermore, the user terminal 10 may include various smart devices having information processing capabilities. For example, the user terminal 10 may include smart home appliances such as TVs (Televisions), smart vehicles such as automobiles, drones, home robots, and the like.

Note that the second terminal may be a device that does not have a function of processing an authentication request or the like according to a user's operation, as long as it can communicate with the first terminal using a predetermined communication function. For example, the second terminal includes a router or modem installed at home as a stationary device, or a mobile router.

The authentication device 100 generates an authentication model for authenticating the identity of the user based on the positional relationship information indicating the relative positional relationship between the first terminal and the second terminal, and authenticates the user using the generated authentication model. It is a server device that authenticates. In the embodiment, the authentication device 100 also functions as a service server (for example, a web server) that provides services, but the authentication device 100 and the service server may be separate devices.

[3. Configuration of Authentication Device]
Next, the configuration of the authentication device 100 according to the embodiment will be described using FIG. FIG. 5 is a diagram showing a configuration example of the authentication device 100 according to the embodiment. As shown in FIG. 5 , authentication device 100 has communication unit 110 , storage unit 120 , and control unit 130 . The authentication device 100 includes an input unit (for example, a keyboard, a mouse, etc.) for receiving various operations from an administrator or the like who uses the authentication device 100, and a display unit (for example, a liquid crystal display, etc.) for displaying various information. may have.

(Regarding communication unit 110)
The communication unit 110 is realized by, for example, a NIC (Network Interface Card) or the like. The communication unit 110 is connected to the network N by wire or wirelessly, and transmits/receives information to/from the user terminal 10 or the like via the network N.

(Regarding storage unit 120)
The storage unit 120 is realized by, for example, a semiconductor memory device such as a RAM (Random Access Memory) or flash memory, or a storage device such as a hard disk or an optical disk. Storage unit 120 has terminal information storage unit 121 , context data storage unit 122 , and authentication model storage unit 123 .

(Regarding the terminal information storage unit 121)
The terminal information storage unit 121 stores information regarding the user terminal 10 . Here, FIG. 6 shows an example of the terminal information storage unit 121 according to the embodiment. FIG. 6 is a diagram showing an example of the terminal information storage unit 121 according to the embodiment. In the example shown in FIG. 6, the terminal information storage unit 121 has items such as "terminal ID", "terminal name", "terminal type", and "pairing history".

“Terminal ID” indicates identification information for identifying the user terminal 10 . “Terminal name” indicates the name of the user terminal 10 . "Terminal type" indicates the type of the user terminal 10, such as whether it is a stationary device or a mobile terminal. Note that the authentication device 100 may acquire the terminal type by inquiring an external data server or the like based on the terminal ID or the terminal name, or may acquire the terminal type by input by the administrator of the authentication device 100. . "Pairing history" indicates the terminal ID of the other party paired using the Bluetooth function or the like.

That is, in the example of FIG. 6 , the user terminal 10 identified by the terminal ID “C01” has the terminal name “smartphone 20”, the terminal type “mobile”, and the terminal ID “C02” to “C03”. has a pairing history with the user terminal 10 identified by .

(Regarding the context data storage unit 122)
The context data storage unit 122 stores context data acquired from the first terminal. Here, FIG. 7 shows an example of the context data storage unit 122 according to the embodiment. FIG. 7 is a diagram showing an example of the context data storage unit 122 according to the embodiment. In the example shown in FIG. 7, the context data storage unit 122 has items such as "user ID", "terminal ID", and "context bag". The items of the context bag are "bag ID", "acquisition date and time", "individual data ID", "detection date and time", "pairing information", "peripheral terminal", "location information", and "various sensor data". It has small items such as

“User ID” indicates identification information for identifying the user using the user terminal 10 that has transmitted the context data. "Terminal ID" corresponds to the same item shown in FIG. 6, and in the example of FIG. 7, indicates identification information for identifying the first terminal that has transmitted the context data.

A “context bag” is a bundle of context data transmitted from the first terminal, and is data including any number of pieces of positional relationship information and context data acquired together with the positional relationship information. "Bag ID" indicates identification information for identifying a context bag. “Acquisition date and time” indicates the date and time when the context bag was acquired. "Individual data ID" indicates identification information for identifying individual data (positional relationship information, etc.) included in the context bag.

"Pairing information" is information indicating which terminals are in a pairing state in the positional relationship information. In the example of FIG. 7, the pairing information is indicated by a concept such as "F01", but in reality, the item of the pairing information includes information (terminal ID etc.) are stored.

"Peripheral terminal" indicates a terminal ID determined to be located near (determined to be relatively close to) the first terminal that transmitted the context data in the individual data. "Position information" indicates the position information of the first terminal when the context bag was sent. FIG. 7 shows an example in which conceptual information such as "G01" is stored in the item of location information. Information (for example, the IP address of the smart phone 20, etc.), etc., from which position information can be estimated, is stored.

"Various sensor data" indicates information detected by various sensors of the first terminal that transmitted the context data. In FIG. 7, the sensor data is represented by a concept such as "X01", but in reality, specific information obtained by various sensors such as temperature, humidity, and altitude is stored in the sensor data items. be. Note that the position information and various sensor data may be information detected when each individual data is acquired.

That is, in the example of FIG. 7, the user terminal 10, which is used by the user identified by the user ID "U01", receives the context bag identified by the bag ID "BG01" from the user terminal 10 identified by the terminal ID "C01". has been sent. This context bag was acquired by the authentication device 100 at "08:10 on May 1, 2018", and has individual data IDs "BG01-1", "BG01-2", and "BG01-3 "including. Further, for example, the individual data identified by the individual data ID “BG01-1” was detected by the user terminal 10 at “8:00 on May 1, 2018”, and the pairing information is “F01 , indicating that the terminal identified by the terminal ID “C01” has been detected as a peripheral terminal. Also, it indicates that the position information of the user terminal 10 is "G01" and the various sensor data is "X01" when the context bag identified by the bag ID "BG01" is generated.

(Regarding the authentication model storage unit 123)
The authentication model storage unit 123 stores information regarding the generated authentication model. Here, FIG. 8 shows an example of the authentication model storage unit 123 according to the embodiment. FIG. 8 is a diagram showing an example of the authentication model storage unit 123 according to the embodiment. In the example shown in FIG. 8, the authentication model storage unit 123 has items such as "user ID", "authentication target terminal", "model ID", and "learning data".

"User ID" corresponds to the same item shown in FIG. 7 and indicates identification information for identifying a user to be authenticated by the authentication model. "Terminal to be authenticated" corresponds to the item of "Terminal ID" shown in FIG. 6, and is the target of transmitting an authentication request among the user terminals 10 used by the user to be authenticated by the authentication model. It shows identification information for identifying the user terminal 10 . "Model ID" indicates identification information for identifying an authentication model. “Learning data” indicates learning data used to generate the authentication model. In FIG. 8, learning data is represented by a concept such as "H01", but in reality, the item of learning data contains specific information such as context data (context bag) used for learning the authentication model. is stored.

That is, in the example of FIG. 8, the user identified by the user ID "U01" is authenticated using the context data transmitted from the user terminal 10 whose authentication target terminal (first terminal) is identified by "C01". The model ID of the authentication model corresponding to the user is "M01", and the learning data is "H01".

The authentication model according to the embodiment includes an input layer in which the context data (positional relationship information) of the first terminal is input, an output layer, and one of the layers from the input layer to the output layer. The configuration may include a first element belonging to a layer other than the first element and a second element whose value is calculated based on the first element and the weight of the first element. The authentication model uses each element belonging to each layer other than the output layer as the first element for the information input to the input layer, and performs an operation based on the first element and the weight of the first element. The computer is operated to output a score indicating the probability that the output layer is. Note that, when the model generation unit 132 does not perform multi-layered learning such as deep learning, the above "one of the layers from the input layer to the output layer and other than the output layer" or , "each layer other than the output layer" indicates the input layer.

For example, when the authentication model according to the embodiment is realized by a regression model such as logistic regression, the first element included in the model is input data x _i (i is an arbitrary number)) and the weight of the first element corresponds to the coefficient ω _i corresponding to x _i . In general, a regression model can be regarded as a simple perceptron having an input layer and an output layer. The two elements can be regarded as nodes that the output layer has.

Furthermore, when each model is realized by a neural network having one or more intermediate layers, such as a DNN (Deep Neural Network), the first element included in each model is either the input layer or the intermediate layer. The second element corresponds to a node to which the value is transmitted from the node corresponding to the first element, i.e., the next node, and the weight of the first element is the weight of the first element. It is the weight, ie the connection coefficient, that is taken into account for the value transferred from the corresponding node to the second element and the corresponding node.

The model generation unit 132 generates an authentication model having an arbitrary structure such as the regression model and DNN described above. More specifically, the model generation unit 132 learns the relationship between the context data indicating the second terminal located relatively close to the first terminal and the fact that the user is the person himself/herself, and performs authentication. Generate a model.

(Regarding the control unit 130)
The control unit 130 is, for example, a controller, and various programs (authentication according to the embodiment) stored in a storage device inside the authentication device 100 are executed by a CPU (Central Processing Unit), an MPU (Micro Processing Unit), or the like. (equivalent to an example of a program) is executed using the RAM as a work area. Also, the control unit 130 is a controller, and is implemented by an integrated circuit such as an ASIC (Application Specific Integrated Circuit) or an FPGA (Field Programmable Gate Array).

As shown in FIG. 5, the control unit 130 includes an acquisition unit 131, a model generation unit 132, an authentication unit 133, and a transmission unit 134, and implements or executes information processing functions and actions described below. do. Note that the internal configuration of the control unit 130 is not limited to the configuration shown in FIG. 5, and may be another configuration as long as it performs information processing described later. Further, the connection relationship between the processing units of the control unit 130 is not limited to the connection relationship shown in FIG. 5, and may be another connection relationship.

(Regarding the acquisition unit 131)
Acquisition unit 131 acquires various types of information. When generating an authentication model, the acquisition unit 131 obtains the context of a user who has requested authentication for a service or a user who has already completed authentication and is currently using the service (that is, a user whose identity has been authenticated). Get data. In other words, until the authentication model corresponding to the user is generated, the acquisition unit 131 acquires context data labeled as correct data that "the user is the person himself/herself". In this way, context data obtained from an authenticated user becomes learning data for generating an authentication model for that user.

For example, the acquisition unit 131 obtains positional relationship information indicating the relative positional relationship between the first terminal and a second terminal, which is a terminal different from the first terminal, as the context data of the first terminal used by the user. to get For example, the acquisition unit 131 acquires context data from the first terminal of the user who has completed authentication at predetermined time intervals (for example, every 5 minutes).

In addition to the positional relationship information, the acquisition unit 131 may acquire information indicating the context of the first terminal. For example, the acquisition unit 131 may acquire positional information indicating the position of the first terminal together with the positional relationship information. Specifically, the acquisition unit 131 acquires the location information detected by the first terminal using the GPS function or the like, together with the location relationship information.

Acquisition unit 131 also acquires the time information when the positional relationship information was generated together with the positional relationship information. For example, the acquisition unit 131 acquires positional relationship information including time information indicating the time when the first terminal detected the surrounding second terminal.

Note that the acquisition unit 131 may acquire positional relationship information indicating relative positional relationships between the first terminal and the plurality of second terminals. For example, the acquiring unit 131 selects a second terminal that is closer to the first terminal (for example, a second terminal that is estimated to be located closer to the first terminal based on the radio wave intensity) from among the plurality of second terminals. Acquire location information that includes identifying information. As a result, the acquiring unit 131 obtains not only the information that any second terminal is located near the first terminal, but also the position information indicating which second terminal is located closest to the first terminal. Relevant information can be obtained.

Also, the acquisition unit 131 may acquire information in which a plurality of pieces of positional relationship information are combined. Specifically, the acquisition unit 131 acquires a plurality of pieces of positional relationship information from the first terminal in the form of the context bag shown in FIG. 7 and the like. That is, when acquiring context data at predetermined time intervals, the acquisition unit 131 acquires a plurality of pieces of positional relationship information covering a certain time range, so that generation processing and authentication processing, which will be described later, can be efficiently executed. .

After generating the authentication model, the acquisition unit 131 acquires context data used for authentication from the first terminal when receiving a request for authentication from the first terminal.

The acquisition unit 131 can acquire various information as context data used for authentication, as long as the information indicates the relative positional relationship between the first terminal and the second terminal. For example, the acquisition unit 131 may acquire the positional relationship information from the first terminal in the same manner as when the authentication model is generated.

Alternatively, the acquisition unit 131 may acquire the radio wave intensity between the first terminal and the second terminal as the context data acquired together with the authentication request. In this case, the authentication unit 133, which will be described later, estimates the second terminal located near the first terminal based on the radio wave intensity between the first terminal and the second terminal. Then, the authentication unit 133 authenticates the identity of the user based on the estimated information.

Further, the acquisition unit 131 may acquire the communication status between the first terminal and the second terminal as context data acquired together with the authentication request. For example, the acquisition unit 131 acquires information indicating whether or not the first terminal and the second terminal are paired. Note that the acquisition unit 131 performs not only pairing but also information indicating that the first terminal and the second terminal are mutually transmitting and receiving information, communication connection information between the first terminal and the second terminal ( For example, information indicating that the same access point is used) and information indicating that the first terminal and the second terminal are used by the same user (for example, the same account on the cloud) information indicating that the linked data is being used), etc. may be acquired.

In addition, the acquisition unit 131 acquires the context data together with the authentication request as the context data of the first terminal at the time of the authentication request, the context data of the first terminal and the second Positional relationship information indicating a relative positional relationship with the terminal may be acquired. Specifically, the acquisition unit 131 acquires context data (context data DT11 corresponds to the example shown in FIG. 2) including a plurality of pieces of positional relationship information generated over a plurality of points in time.

Furthermore, the acquisition unit 131 acquires the context data along with the authentication request, in addition to the information indicating the positional relationship between the first terminal and the second terminal, the positional information of the first terminal, and the information detected by various sensors of the first terminal. Information may be obtained that indicates the context in which the call was made. In addition, the acquisition unit 131 acquires the attribute information of the user who uses the first terminal that has transmitted the authentication request (sex, age, residence, etc. of the user registered in the service), or the first terminal and the second terminal. terminal information (for example, type such as whether it is a stationary device, a mobile terminal, or a wearable terminal), etc. may be acquired.

The acquisition unit 131 stores the acquired information in the storage unit 120 as appropriate. Also, the acquisition unit 131 may acquire information from the storage unit 120 as appropriate. Further, when acquiring various types of information such as context data from the first terminal, the acquiring unit 131 acquires various types of information by crawling the first terminal without transmission from the first terminal. good too.

Note that the acquisition unit 131 may acquire not only the context data when the user attempts authentication or when the user is authenticated by the service, but also the context data when the user is not authenticated. For example, the acquisition unit 131 may acquire context data acquired when the user is not authenticated as a negative example in learning. Further, when the user tries to authenticate but the authentication fails, the acquiring unit 131 may acquire the context data acquired at that time as a negative example in learning.

(Regarding the model generator 132)
The model generation unit 132 generates an authentication model for authenticating the identity of the user based on the positional relationship information acquired by the acquisition unit 131 .

For example, the model generation unit 132 generates an authentication model corresponding to the user based on the positional relationship information acquired from the first terminal used by the user whose identity has been authenticated based on existing authentication information such as a password. do.

Model generator 132 may generate an authentication model based on various known techniques. For example, the model generator 132 may generate an authentication model by statistically analyzing location information. As an example, the model generation unit 132 generates a regression equation or the like based on context data (positional relationship information), which is correct data obtained from a user whose identity has been authenticated, and determines a score indicating the identity of the user. You may generate an authentication model for

For example, the model generating unit 132 generates a formula using the event "the user himself/herself" as the objective variable and "the second terminal located near the first terminal" as the explanatory variable. For example, the model generation unit 132 generates a formula corresponding to the number of context data acquired by the acquisition unit 131 . The model generation unit 132 generates an authentication model including the recursively obtained weight values by proceeding with learning (that is, recursively calculating a sufficient number of samples) using a formula corresponding to the context data. can do. More specifically, when the authentication is requested, the model generating unit 132 determines that information such as “which second terminal is located near the first terminal” is an event that “the user is the person himself/herself”. An authentication model is generated by calculating a weight value such as what kind of weight should be given to .

For example, when an authentication model is generated based on context data indicating that the watch-type terminal 30 or the glasses-type terminal 40 was located near the first terminal at the time the user's identity was authenticated, then At the time of authentication, a relatively high weight value is set for the event that the "watch-type terminal 30" or the "glasses-type terminal 40" is located near the first terminal. In other words, if the context data transmitted together with the authentication request includes data indicating that the "watch-type terminal 30" or the "glasses-type terminal 40" is located near the first terminal, the request is accepted. The probability that the user who performed the authentication is determined to be the user corresponding to the authentication model is increased.

Note that the model generation unit 132 can improve the accuracy of determining the person's identity by performing learning using not only the positional relationship information but also various context data. For example, the model generation unit 132 may generate an authentication model based on the positional relationship information and the positional information of the first terminal corresponding to the positional relationship information. As a result, the model generation unit 132 can generate an authentication model that reflects information such as at which location (user's home, place of work, etc.) the user is more likely to request authentication. It is possible to improve the accuracy of authentication for a user who authenticates.

Also, the model generation unit 132 may generate an authentication model based on positional relationship information and time information corresponding to the positional relationship information. As a result, the model generation unit 132 can generate an authentication model that reflects information such as what time zone the user tends to request authentication. Accuracy can be improved. Note that the time information may include information on dates and days of the week.

Note that the model generation unit 132 may generate an authentication model based on information in which a plurality of pieces of positional relationship information are combined. Specifically, the model generating unit 132 generates an authentication model using a context bag, which is information obtained by combining a plurality of pieces of positional relationship information, as learning data. That is, the model generation unit 132 can perform learning efficiently by performing learning using a context bag having more feature amounts as one piece of learning data.

Also, the model generation unit 132 may generate an authentication model using any context data, not limited to the position information and time information described above. For example, the model generation unit 132 generates the name and type of the second terminal (stationary device or mobile, etc.), radio wave intensity, pairing state, temperature, brightness of the second terminal, ambient sound information, humidity, etc. For example, the authentication model may be generated using various information including the surrounding environment of the user.

The model generation unit 132 stores the generated authentication model in the authentication model storage unit 123 in association with the identification information of the user corresponding to the authentication model.

(Regarding the authentication unit 133)
When receiving a request for authentication from the first terminal, the authenticating unit 133, based on the context data of the first terminal acquired together with the request for authentication and the authentication model generated by the model generating unit 132, Authenticate your identity.

For example, as context data used for authentication, the authentication unit 133 uses positional relationship information indicating the relative positional relationship between the first terminal and the second terminal in the same manner as when the authentication model is generated. Authenticate the user's identity. Specifically, when receiving a request for authentication from a first terminal, the authentication unit 133 inputs the existence of a second terminal located near the first terminal into the authentication model, Based on this, the user's identity is authenticated.

Note that the authenticating unit 133 may authenticate the identity of the user based on information indicating the radio wave intensity between the first terminal and the second terminal, instead of the positional relationship information, as the context data acquired together with the authentication request. good. For example, the authentication unit 133 determines a second terminal located near the first terminal based on the radio wave intensity between the first terminal and the second terminal, and inputs the existence of the determined second terminal into the authentication model. By doing so, the identity of the user is authenticated.

Further, the authentication unit 133 may authenticate the identity of the user based on the communication status between the first terminal and the second terminal as context data acquired together with the request for authentication. For example, the authenticating unit 133 authenticates the identity of the user based on the existence of the second terminal that is paired with the first terminal. For example, when the authentication model is generated, it is assumed that relatively many cases of pairing between the first terminal and the predetermined second terminal are observed in the acquired context data. In this case, in the generated authentication model, a relatively high weight value is set for the situation where the first terminal and the predetermined second terminal are paired. For this reason, in the context data at the time of authentication request, when a situation in which the first terminal and the predetermined second terminal are paired is observed, it is estimated that a relatively high score is output from the authentication model. be. The authentication unit 133 can authenticate the identity of the user with high accuracy based on the score output in this way.

In addition, the authenticating unit 133 acquires context data together with the authentication request as context data of the first terminal at the time of the authentication request, and the context data of the first terminal and the second terminal before the authentication request. The identity of the user may be authenticated based on the information combined with the positional relationship information indicating the relative positional relationship with the terminal. Specifically, the authentication unit 133 authenticates the identity of the user based on a context bag containing a plurality of pieces of context data rather than the context data at one point in time when the authentication is requested. That is, the authentication unit 133 can improve the accuracy of user authentication by performing authentication determination based on the context bag including more feature amounts. For example, the authentication unit 133 uses the context bag used to generate the authentication model (for example, the time interval at which the context bag is generated, the time range of information included in the context bag, and the second terminal including one positional relationship information). The user may be authenticated based on a context bag having the same amount of information as the number of

Note that the authentication unit 133 may authenticate the identity of the user based on at least one of the time when the request for authentication was received and the location information of the first terminal that transmitted the request for authentication. As a result, the authentication unit 133 can be used when the authentication is requested at a time when the user normally does not request authentication, or when the authentication is performed at a location extremely far away from the location where the user normally requests authentication. When a request is made in , processing can be performed so that the user who made the request is not authenticated as the user himself/herself. That is, the authentication unit 133 can improve security of authentication.

Also, the authentication unit 133 authenticates the identity of the user based on at least one of the attribute information of the user who uses the first terminal that transmitted the authentication request, or the terminal information of the first terminal and the second terminal. You may As a result, the authenticating unit 133 can usually more accurately determine the identity of the user corresponding to the authentication model and the user to be newly authenticated, thereby improving the accuracy of authentication.

(Regarding the transmission unit 134)
The transmission unit 134 transmits various information. For example, the transmission unit 134 transmits the result of personal authentication by the authentication unit 133 to the first terminal that requested the authentication. In addition, when transmitting that the authentication has not been performed, the transmission unit 134 may also transmit a notification requesting transmission of existing authentication information such as a password, for example.

[4. Configuration of User Terminal]
Next, the configuration of the user terminal 10 according to the embodiment will be described using FIG. FIG. 9 is a diagram showing a configuration example of the user terminal 10 according to the embodiment. As shown in FIG. 9 , the user terminal 10 has a communication section 11 , an input section 12 , a display section 13 , a detection section 14 , a storage section 15 and a control section 16 .

(Regarding communication unit 11)
The communication unit 11 is implemented by, for example, a NIC. The communication unit 11 is connected to the network N by wire or wirelessly, and transmits/receives information to/from the authentication device 100 or any second terminal or the like via the network N.

(Regarding the input unit 12 and the display unit 13)
The input unit 12 is an input device that receives various operations from the user. For example, the input unit 12 is implemented by operation keys or the like provided on the user terminal 10 . The display unit 13 is a display device for displaying various information. For example, the display unit 13 is implemented by a liquid crystal display or the like. Note that when a touch panel is adopted for the user terminal 10, part of the input unit 12 and the display unit 13 are integrated.

(Regarding the detection unit 14)
The detection unit 14 detects various types of information regarding the user terminal 10 . Specifically, the detection unit 14 detects user operations on the user terminal 10, location information where the user terminal 10 is located, information on equipment connected to the user terminal 10, environment in the user terminal 10, and the like. do.

For example, the detection unit 14 detects user operations based on information input to the input unit 12 . That is, the detection unit 14 detects that there is an input of an operation of touching the screen on the input unit 12, that there is an input of voice, and the like. Further, the detection unit 14 may detect that a predetermined application program (hereinafter simply referred to as an “app”) has been activated by the user. When such an application is an application that operates an imaging function (for example, a camera) in the user terminal 10, the detection unit 14 detects that the imaging function is used by the user. Further, the detection unit 14 may detect an operation such as physically moving the user terminal 10 itself based on data detected by an acceleration sensor, a gyro sensor, or the like provided in the user terminal 10 .

Also, the detection unit 14 detects the current position of the user terminal 10 . Specifically, the detection unit 14 receives radio waves transmitted from GPS satellites and acquires position information (for example, latitude and longitude) indicating the current position of the user terminal 10 based on the received radio waves.

Further, the detection unit 14 may acquire position information by various methods. For example, if the user terminal 10 has a function equivalent to that of a contactless IC card used at station ticket gates, shops, etc. (or if the user terminal 10 has a function of reading the history of the contactless IC card) case), the user terminal 10 records the information that the fare is paid at the station and the location of use. The detection unit 14 detects such information and acquires it as position information. Further, when the user terminal 10 communicates with a specific access point, the detection unit 14 may detect location information obtainable from the access point. Also, the position information may be acquired by an optical sensor, an infrared sensor, a magnetic sensor, or the like provided in the user terminal 10 . Further, when the location of the user terminal 10 can be estimated from the IP address or the like, the detection unit 14 may acquire the IP address or the like as an example of the location information.

Also, the detection unit 14 detects an external device connected to the user terminal 10 . Note that the external device is a device other than the target user terminal 10, and may include another user terminal 10 different from the target (that is, the second terminal). For example, when the smartphone 20 is the first terminal, the watch-type terminal 30 and the glasses-type terminal 40 are recognized as external devices (second terminals).

The detection unit 14 detects an external device, for example, based on exchange of communication packets with the external device, signals emitted by the external device, and the like. Specifically, the detection unit 14 detects radio waves such as Wifi and Bluetooth used by the external device. Further, the detection unit 14 may detect the type of connection with the external device when communication with the external device is established. For example, the detection unit 14 detects whether the external device is connected by wire or by wireless communication. Further, the detection unit 14 may detect a communication method or the like used in wireless communication. Further, the detection unit 14 may detect the external device based on information acquired by a radio wave sensor that detects radio waves emitted by the external device, an electromagnetic wave sensor that detects electromagnetic waves, or the like.

Also, the detection unit 14 uses various sensors and functions provided in the user terminal 10 to detect information about the environment. For example, the detection unit 14 may include a microphone that collects sounds around the user terminal 10, an illuminance sensor that detects the illuminance around the user terminal 10, an acceleration sensor that detects physical movement of the user terminal 10 (or gyro sensor, etc.), a humidity sensor that detects the humidity around the user terminal 10, a geomagnetic sensor that detects the magnetic field at the location of the user terminal 10, and the like. And the detection part 14 detects various information using various sensors. For example, the detection unit 14 detects the noise level around the user terminal 10, whether the illuminance around the user terminal 10 is suitable for imaging the user's iris, and the like. Furthermore, the detection unit 14 may detect surrounding environment information based on photographs or images taken by a camera.

The user terminal 10 acquires context data of the user terminal 10 based on information detected by the detection unit 14 . As described above, the user terminal 10 detects various signals such as position, acceleration, temperature, gravity, rotation (angular velocity), illuminance, geomagnetism, pressure, proximity, humidity, and rotation vector by using various built-in sensors (detection unit 14). may be acquired as context data.

(Regarding storage unit 15)
The storage unit 15 stores various information. The storage unit 15 is realized by, for example, a semiconductor memory device such as a RAM or flash memory, or a storage device such as a hard disk or an optical disk.

For example, the storage unit 15 stores the context data detected by the detection unit 14 in association with the detected date and time. The storage unit 15 may also store access information (cookie information, etc.) to services that require authentication, usage history of services, and the like.

(Regarding the control unit 16)
The control unit 16 is a controller, and is implemented, for example, by executing various programs stored in a storage device inside the user terminal 10 using a RAM as a work area by means of a CPU, MPU, or the like. Also, the control unit 16 is a controller, and is realized by an integrated circuit such as ASIC or FPGA, for example.

As shown in FIG. 9, the control unit 16 has an acquisition unit 161, a generation unit 162, and a transmission unit 163, and implements or executes the information processing functions and actions described below. Note that the internal configuration of the control unit 16 is not limited to the configuration shown in FIG. 9, and may be another configuration as long as it performs the information processing described later.

(Regarding the acquisition unit 161)
Acquisition unit 161 acquires various types of information. For example, the acquisition unit 161 acquires various information detected by the detection unit 14 as context data. For example, the acquisition unit 161 detects the context of the device itself at preset time intervals, and acquires the context data based on the detected information. Acquisition unit 161 may acquire context data at intervals set by authentication device 100 , for example, under the control of an application provided by authentication device 100 .

(Regarding the generation unit 162)
The generation unit 162 generates various information based on the context data acquired by the acquisition unit 161 . For example, the generation unit 162 generates positional relationship information indicating second terminals located near the first terminal, based on the radio wave intensity of each second terminal acquired by the acquisition unit 161 . In addition, the generation unit 162 generates a context bag in which a plurality of pieces of context data including positional relationship information are bundled at a preset timing (for example, every 5 minutes or 10 minutes).

(Regarding the transmission unit 163)
The transmission unit 163 transmits various information. For example, the transmission unit 163 transmits the context data and the context bag generated by the generation unit 162 to the authentication device 100 under the control of the authentication device 100 .

Further, when receiving an operation requesting authentication from the user, the transmitting unit 163 transmits a request for authentication to the authentication device 100 . In this case, the transmission unit 163 transmits the authentication request and the context data at the time of the authentication request to the authentication device 100 . Note that the transmitting unit 163 may bundle not only the context data at the time of the authentication request but also the context data acquired within a predetermined time range (for example, the past 10 minutes) and transmit the bundle to the authentication device 100 .

[5. Processing procedure]
Next, a procedure of authentication processing according to the embodiment will be described with reference to FIGS. 10 to 12. FIG. First, with reference to FIG. 10, a procedure of processing regarding the user terminal 10 will be described. FIG. 10 is a flowchart (1) showing a processing procedure according to the embodiment.

As shown in FIG. 10, the user terminal 10 determines whether or not the timing for detecting the context of the user terminal 10 has arrived (step S101). If the timing for detection has not arrived (step S101; No), the user terminal 10 waits until the timing arrives.

On the other hand, when the timing for detection has arrived (step S101; Yes), the user terminal 10 detects context data (step S102).

After that, the user terminal 10 determines whether or not the timing for generating the context bag has arrived (step S103). If the timing to generate the context bag has not arrived (step S103; No), the user terminal 10 returns the process to step S101.

On the other hand, when the timing to generate the context bag has arrived (step S103; Yes), the user terminal 10 generates the context bag (step S104). After that, the user terminal 10 determines whether or not it is time to transmit the context bag (step S105). If the timing to send the context bag has not arrived (step S105; No), the user terminal 10 waits until the timing arrives.

On the other hand, when the timing for transmitting the context bag has arrived (step S105; Yes), the user terminal 10 transmits the context bag to the authentication device 100 (step S106).

Next, the procedure of generation processing by the authentication device 100 will be described with reference to FIG. 11 . FIG. 11 is a flowchart (2) showing a processing procedure according to the embodiment;

As shown in FIG. 11, the authentication device 100 determines whether or not a context bag has been acquired from the user terminal 10 (step S201). If the context bag has not been acquired (step S201; No), the authentication device 100 waits until the context bag is acquired.

On the other hand, when the context bag is acquired (step S201; Yes), the authentication device 100 stores the context bag in the storage unit 120 (step S202).

Subsequently, the authentication device 100 determines whether or not sufficient information (context bag) for model generation has been accumulated (step S203). If sufficient information is not accumulated (step S203; No), the authentication device 100 repeats the process of acquiring the context bag.

On the other hand, when sufficient information is accumulated (step S203; Yes), the authentication device 100 generates an authentication model corresponding to the user who sent the context bag based on the accumulated information (step S204). The authentication device 100 then stores the generated authentication model in the storage unit 120 (step S205).

Next, a procedure of authentication processing by the authentication device 100 will be described with reference to FIG. 12 . FIG. 12 is a flowchart (3) showing a processing procedure according to the embodiment.

As shown in FIG. 12, the authentication device 100 determines whether or not a request for authentication has been received from the user terminal 10 (step S301). If a request for authentication has not been received (step S301; No), the authentication device 100 waits until a request for authentication is received.

On the other hand, when a request for authentication has been received (step S301; Yes), the authentication device 100 acquires context data of the user terminal 10 at the time of authentication (at the time of requesting authentication) (step S302).

Subsequently, the authentication device 100 inputs the acquired context data into the authentication model (step S303). The authentication device 100 then determines whether or not the output of the authentication model exceeds a predetermined threshold (step S304). If the output exceeds the predetermined threshold (step S304; Yes), the authentication device 100 authenticates the user who sent the authentication request as the user (step S305).

On the other hand, if the output does not exceed the predetermined threshold (step S304; No), the authentication device 100 does not authenticate the user who sent the authentication request as the user (step S306). The authentication device 100 then transmits the authentication result to the user (step S307).

[6. Modification]
The authentication processing by the authentication device 100 described above may be implemented in various different forms other than the above embodiment. Therefore, other embodiments relating to the authentication device 100 and authentication processing will be described below.

[6-1. Generation of context bag]
In the above-described embodiment, an example in which the context bag used for authentication model generation processing is generated by the first terminal has been described. However, the context bag may be generated at the device that generates the authentication model. This point will be described with reference to FIG. FIG. 13 is a diagram showing a configuration example of an authentication device 200 according to a modification.

As shown in FIG. 13, the authentication device 200 further has a bag generator 232 as compared with the authentication device 100 shown in FIG. In this case, the acquisition unit 131 sequentially acquires, for example, context data detected by the first terminal at predetermined time intervals. Such context data may be information indicating nearby second terminals like the positional relationship information shown in the embodiment, or simply information covering all the second terminals detected by the first terminal. may If the acquired context data is information that covers all the second terminals detected by the first terminal, the bag generation unit 232, based on the radio wave intensity etc. acquired together with the information, The positional relationship information may be generated by extracting a predetermined number of second terminals located nearby.

Then, the bag generation unit 232 follows the information defined as the context bag (the timing of generating the context bag, the time range of information included in the context bag, the number of second terminals included in one piece of positional relationship information, etc.), Generate a context bag. Model generator 132 generates an authentication model based on the context bag generated by bag generator 232 .

In this way, the process of generating the context bag and the process of generating the positional relationship information may be executed on the authentication device 200 side. As a result, the authentication device 200 can perform authentication-related processing with a flexible configuration.

[6-2. Authentication process]
In the above embodiment, the authentication device 100 authenticates the identity of the user who uses the first terminal. Here, such authentication processing may be performed by the first terminal.

For example, the process of authenticating the identity of the user is not limited to being performed on a server like the authentication device 100, and may be performed on the first terminal side without going through the network. Specifically, the first terminal may authenticate the identity of the user who attempts to log in to its own device.

In this case, the first terminal may acquire the authentication model generated by the authentication device 100 or use the authentication model generated by the first terminal to authenticate the user. That is, the first terminal acquires its own context data at the timing when the user requests authentication (for example, attempts to log in to the first terminal). Specifically, the first terminal detects a second terminal existing in the surroundings. Then, the first terminal generates positional relationship information indicating a relative positional relationship with the second terminal based on the detected context.

Then, the first terminal authenticates the user who requested the authentication based on the generated positional relationship information and the authentication model. For example, if the user wears the watch-type terminal 30 or the glasses-type terminal 40 on a daily basis, these terminals are detected as the second terminal when attempting to log in to the first terminal. is assumed. In this case, the authentication model is that "those terminals are located near the first terminal" and that the user who attempts to log in is the "user" who logs in to the first terminal on a daily basis. It is assumed that the relationship between Therefore, the first terminal, based on the positional information indicating that the watch-type terminal 30 and the glasses-type terminal 40 are located nearby, can access the first terminal without inputting authentication information such as a password from the user. A user attempting to log in can be authenticated as "the user himself."

As described above, the authentication process according to the embodiment is not necessarily performed by the server, but may be performed by the local side (first terminal side). In other words, the authentication device according to the embodiment is not limited to the authentication device 100, which is a server, and may be the first terminal (user terminal 10).

[6-3. Learning process]
In the above embodiment, in the authentication model generation process, the context bag is acquired from the first terminal of the user who has already completed authentication, and the acquired context bag is used as correct data (positive example) for learning. . Here, the authentication device 100 may accept settings from the user regarding what kind of context data is treated as a positive example (or negative example).

For example, assume that the user uses the service while wearing only the watch-type terminal 30 on a daily basis. Under such circumstances, when the learning of the authentication model by the authentication device 100 progresses, a phenomenon occurs in which the user authentication succeeds as long as "only the watch-shaped terminal 30" is located near the first terminal. sell. For this reason, there is a possibility that the security of authentication processing may be lowered.

Therefore, the authentication device 100 may receive from the user in advance what kind of positional relationship information is to be defined as a positive example. For example, the user may make a setting that defines as a positive example that "at least two types of second terminals" are located near the first terminal. In this case, even if the authentication device 100 acquires the positional relationship information in which only one second terminal, the watch-shaped terminal 30, is observed as the context data when the user is successfully authenticated, the authentication device 100 uses this information as a positive example. You can choose not to handle it. On the other hand, when the authentication device 100 acquires the positional relationship information in which the two second terminals, the watch-type terminal 30 and the glasses-type terminal 40, are observed as the context data when the user is successfully authenticated, the information is treated as a positive example.

In this way, authentication device 100 does not use all of the positional relationship information (context data) when authentication is successful as positive examples, but uses positional relationship information assumed to be more secure as positive examples. may be used as As a result, the authentication device 100 can improve security of authentication. Note that the setting of the positive example may be performed by the administrator of the authentication device 100 instead of by the user. Alternatively, the setting of the positive example may be automatically set by the authentication device 100 .

[6-4. first terminal]
The distinction between the first terminal and the second terminal shown in the above embodiments is relative, and a terminal that is the first terminal in one situation may be treated as the second terminal in another situation.

For example, when logging into a certain service is performed not only by the smartphone 20 but also by the watch-type terminal 30, authentication models for the smartphone 20 and by the watch-type terminal 30 are generated for the user. Regarding authentication model generation processing and authentication processing corresponding to the smartphone 20, the smartphone 20 is treated as the first terminal, and the watch-type terminal 30 is treated as the second terminal. On the other hand, regarding authentication model generation processing and authentication processing corresponding to the watch-shaped terminal 30, the watch-shaped terminal 30 is treated as the first terminal, and the smartphone 20 is treated as the second terminal.

[6-5. Acquisition process]
In the process of acquiring the context data from the first terminal, the authentication device 100 may perform the acquisition process at a predetermined timing instead of always continuing the acquisition process. For example, the authentication device 100 may collectively acquire the past context data when a predetermined application is activated on the smartphone 20 as a predetermined timing. In addition, authentication device 100 logs the location information only when specific location information is observed (such as a base location of user U01's home or office, a predetermined spot set in advance, etc.). It may be held.

In this way, the authentication device 100 can appropriately select the timing of acquiring various types of information and the information to be held. As a result, the authentication device 100 can reduce the processing load according to the embodiment, reduce the load on the storage device for holding information, and reduce the cost of power consumption and communication traffic related to processing. .

[6-6. User terminal]
In the above embodiment, the configuration example of the user terminal 10 was shown using FIG. 9, but the user terminal 10 does not necessarily have to have all of the configurations shown in FIG. As described above, the user terminal 10 includes not only smart devices such as the smartphone 20 and the watch-type terminal 30, but also the glasses-type terminal 40 having a communication function, a heart rate measuring device that stores the user's heart rate, and the like. Various wearable devices are included. In this case, the user terminal 10 does not necessarily receive input from the user, but can have functions such as automatically acquiring user information and transmitting such information to the communication network. That is, the user terminal 10 does not necessarily have the configuration shown in FIG. 9 as long as it is a device or information equipment having a function of mutually communicating with the first terminal.

[6-7. Authentication model]
In the above embodiment, an example in which an authentication model is generated by regression analysis such as logistic regression has been described, but the authentication model is not limited to this example. For example, the authentication device 100 may generate an authentication model based on information indicating the presence of a predetermined number of second terminals detected by the first terminal when the user has successfully authenticated. For example, the authentication device 100 expresses the presence of the second terminal as a vector of a predetermined number of dimensions indicating "Yes (1)" or "No (0)", so that the user may generate an authentication model that indicates the context of the second terminal around . In this case, when the user makes a new authentication request, authentication device 100 acquires, as context data, vector information indicating the presence of the surrounding second terminal detected by the first terminal. Then, the authentication device 100 authenticates the identity of the user by determining the degree of similarity (cosine similarity or the like) between the acquired vector information and the authentication model. Note that authentication device 100 may make adjustments such as weighting a second terminal paired with the first terminal or a second terminal located closer to the first terminal. With this technique, the authentication device 100 can also authenticate the identity of the user based on the relationship between the first terminal and the second terminals located around the first terminal. That is, authentication device 100 may generate an authentication model using any method as long as it is an authentication model that can verify the identity of the user based on the positional relationship between the first terminal and the second terminal.

[7. Hardware configuration]
The authentication device 100 and the user terminal 10 according to the embodiments described above are implemented by a computer 1000 configured as shown in FIG. 14, for example. The authentication device 100 will be described below as an example. FIG. 14 is a hardware configuration diagram showing an example of a computer 1000 that implements the functions of the authentication device 100. As shown in FIG. Computer 1000 has CPU 1100 , RAM 1200 , ROM 1300 , HDD 1400 , communication interface (I/F) 1500 , input/output interface (I/F) 1600 and media interface (I/F) 1700 .

The CPU 1100 operates based on programs stored in the ROM 1300 or HDD 1400 and controls each section. The ROM 1300 stores a boot program executed by the CPU 1100 when the computer 1000 is started, programs depending on the hardware of the computer 1000, and the like.

The HDD 1400 stores programs executed by the CPU 1100, data used by the programs, and the like. Communication interface 1500 receives data from other devices via communication network 500 (corresponding to network N shown in FIG. 4), sends data to CPU 1100, and transmits data generated by CPU 1100 to other devices via communication network 500. Send to device.

The CPU 1100 controls output devices such as displays and printers, and input devices such as keyboards and mice, through an input/output interface 1600 . CPU 1100 acquires data from an input device via input/output interface 1600 . Also, CPU 1100 outputs the generated data to an output device via input/output interface 1600 .

Media interface 1700 reads programs or data stored in recording medium 1800 and provides them to CPU 1100 via RAM 1200 . CPU 1100 loads such a program from recording medium 1800 onto RAM 1200 via media interface 1700, and executes the loaded program. The recording medium 1800 is, for example, an optical recording medium such as a DVD (Digital Versatile Disc) or a PD (Phase change rewritable disc), a magneto-optical recording medium such as an MO (Magneto-Optical disk), a tape medium, a magnetic recording medium, or a semiconductor memory. etc.

For example, when the computer 1000 functions as the authentication device 100 according to the embodiment, the CPU 1100 of the computer 1000 executes a program (for example, an authentication program according to the embodiment) loaded on the RAM 1200 to Realize the function. In addition, the data in storage unit 120 is stored in HDD 1400 . CPU 1100 of computer 1000 reads these programs from recording medium 1800 and executes them, but as another example, these programs may be obtained from other devices via communication network 500 .

[8. others〕
Further, among the processes described in the above embodiments, all or part of the processes described as being automatically performed can be manually performed, or the processes described as being performed manually can be performed manually. All or part of this can also be done automatically by known methods. In addition, information including processing procedures, specific names, various data and parameters shown in the above documents and drawings can be arbitrarily changed unless otherwise specified. For example, the various information shown in each drawing is not limited to the illustrated information.

Also, each component of each device illustrated is functionally conceptual, and does not necessarily need to be physically configured as illustrated. In other words, the specific form of distribution and integration of each device is not limited to the one shown in the figure, and all or part of them can be functionally or physically distributed and integrated in arbitrary units according to various loads and usage conditions. Can be integrated and configured. For example, the model generation unit 132 and the authentication unit 133 shown in FIG. 5 may be integrated. Further, for example, the information stored in the storage unit 120 may be stored via the network N in an external storage device.

Further, for example, in the above-described embodiment, the authentication device 100 performs acquisition processing for acquiring context data, generation processing for generating an authentication model, and authentication processing for authenticating the identity of the user. However, the authentication device 100 described above may be separated into an acquisition device that performs acquisition processing, a generation device that performs generation processing, and an authentication device that performs authentication processing. In this case, the processing by the authentication device 100 according to the embodiment is realized by the authentication system 1 having an acquisition device, a generation device, and an authentication device.

Also, the above-described embodiments and modifications can be appropriately combined within a range that does not contradict the processing content.

[9. effect〕
As described above, the authentication device 100 according to the embodiment has the acquisition unit 131 and the model generation unit 132 . The acquisition unit 131 acquires, as context data of the first terminal used by the user, positional relationship information indicating the relative positional relationship between the first terminal and a second terminal that is a terminal different from the first terminal. to get The model generation unit 132 generates an authentication model for authenticating the identity of the user based on the positional relationship information acquired by the acquisition unit 131 .

As described above, the authentication device 100 according to the embodiment uses a method for authenticating the user based on the relationship with the second terminal (for example, the terminal that the user always carries) located near the first terminal. By generating an authentication model, it is possible to easily implement highly secure authentication processing without performing complicated processing such as analysis of position information.

Acquisition section 131 also acquires position information indicating the position of the first terminal together with the positional relationship information. The model generation unit 132 generates an authentication model based on the positional relationship information and the positional information of the first terminal corresponding to the positional relationship information.

As described above, the authentication device 100 according to the embodiment generates an authentication model by adding location information, so that, for example, authentication processing including a location where a user tends to perform authentication can be performed. Authentication can be made more secure.

Acquisition unit 131 also acquires the time information when the positional relationship information was generated together with the positional relationship information. The model generator 132 generates an authentication model based on the positional relationship information and the time information corresponding to the positional relationship information.

As described above, the authentication device 100 according to the embodiment generates an authentication model by adding time information at which authentication is likely to be performed. Therefore, the security of authentication can be further enhanced.

Acquisition section 131 also acquires positional relationship information indicating relative positional relationships between the first terminal and the plurality of second terminals.

As described above, the authentication device 100 according to the embodiment generates an authentication model using information indicating the positional relationship with a plurality of second terminals, so that the situation of the second terminals located near the user can be more accurately understood. Since it can be determined in detail, the accuracy of authentication can be improved.

Also, the acquisition unit 131 acquires information in which a plurality of pieces of positional relationship information are combined. The model generation unit 132 generates an authentication model based on information in which a plurality of pieces of positional relationship information are combined.

In this way, the authentication device 100 according to the embodiment uses information (context bag) in which a plurality of pieces of positional relationship information are combined, so that an authentication model can be generated based on learning data including more feature amounts. , can improve the accuracy of authentication.

Further, when receiving a request for authentication from the first terminal, the authentication device 100 according to the embodiment identifies the identity of the user based on the context data of the first terminal acquired together with the request for authentication and the authentication model. It further has an authentication unit 133 that authenticates the identity.

As described above, the authentication device 100 according to the embodiment can implement authentication processing that does not require authentication information such as a password by using the context data and the authentication model. Specifically, according to the authentication device 100, the user can perform a process of inputting authentication information such as a password, or an explicit process for generating the authentication information (for example, a gesture of holding a fingerprint, a touch on the screen, a screen, etc.). tap operation, etc.). As a result, the authentication device 100 can improve usability regarding authentication.

In addition, the acquiring unit 131 acquires the radio wave intensity between the first terminal and the second terminal as context data acquired together with the authentication request. The authentication unit 133 authenticates the identity of the user based on the radio wave intensity.

As described above, the authentication device 100 according to the embodiment can identify the second terminal located near the first terminal by measuring the positional relationship between the first terminal and the second terminal using the radio wave intensity. can. As a result, since the authentication device 100 can obtain the positional relationship between the first terminal and the second terminal at the time of the authentication request, it is possible to accurately determine whether the user is the person himself/herself.

In addition, the acquisition unit 131 acquires the communication status between the first terminal and the second terminal as context data acquired together with the authentication request. The authentication unit 133 authenticates the identity of the user based on the communication status between the first terminal and the second terminal.

As described above, the authentication device 100 according to the embodiment measures the positional relationship between the first terminal and the second terminal using the communication status (for example, pairing), thereby determining the position of the second terminal located near the first terminal. A terminal can be specified. As a result, since the authentication device 100 can obtain the positional relationship between the first terminal and the second terminal at the time of the authentication request, it is possible to accurately determine whether the user is the person himself/herself.

In addition, the acquisition unit 131 acquires the context data together with the authentication request as the context data of the first terminal at the time when the authentication is requested, and the context data of the first terminal in the past after the authentication request. and the positional relationship information indicating the relative positional relationship with the second terminal. The authentication unit 133 authenticates the identity of the user based on information obtained by combining the context data of the first terminal and the positional relationship information at the time when the authentication is requested.

In this manner, the authentication device 100 according to the embodiment may perform authentication processing including past context data as well as the time of the authentication request. As a result, the authentication device 100 can match information having more feature amounts, thereby improving the accuracy of authentication.

Further, the authentication unit 133 authenticates the identity of the user based on at least one of the time when the request for authentication was received and the location information of the first terminal that transmitted the request for authentication.

As described above, the authentication device 100 according to the embodiment performs authentication processing including time information and location information, so that the context data at the time of the authentication request is the time and location at which the user tends to perform authentication on a daily basis. Since the identity of the user can be determined including whether or not there is a close relationship with the user, the accuracy of authentication can be improved.

Further, the authentication unit 133 identifies the identity of the user based on at least one of the attribute information of the user who uses the first terminal that has transmitted the authentication request and the terminal information of the first terminal and the second terminal. to authenticate.

As described above, the authentication device 100 according to the embodiment performs authentication processing including attribute information and terminal information, so that the context data at the time of authentication request indicates the attributes of the user himself/herself, or the first terminal It is possible to determine in detail whether the second terminal located near is a second terminal that exists on a daily basis. Thereby, the authentication device 100 can improve the accuracy of authentication.

As described above, some of the embodiments of the present application have been described in detail based on the drawings. It is possible to carry out the invention in other forms with modifications.

Also, the above-mentioned "section, module, unit" can be read as "means" or "circuit". For example, the acquisition unit can be read as acquisition means or an acquisition circuit.

1 authentication system 10 user terminal 20 smartphone 30 watch-type terminal 40 glasses-type terminal 100 authentication device 110 communication unit 120 storage unit 121 terminal information storage unit 122 context data storage unit 123 authentication model storage unit 130 control unit 131 acquisition unit 132 model generation unit 133 authentication unit 134 transmission unit

Claims (13)

As the context data of the first terminal used by the user, the relative positional relationship between the first terminal and a plurality of second terminals which are terminals different from the first terminal located in a predetermined spatial range an acquisition unit that acquires positional relationship information indicating
Information that is a bundle of positional relationship information with one or more second terminals extracted as having a close relationship based on the positional relationship information acquired by the acquisition unit, and a situation in which the user is authenticated a model generation unit that generates an authentication model for authenticating the identity of the user based on information indicating the positional relationship below;
with
The model generation unit
generating the authentication model for calculating the probability that the second terminal is located in the vicinity while the user is being authenticated;
An authentication device characterized by: The acquisition unit
Acquiring location information indicating the location of the first terminal together with the location information;
The model generation unit
generating the authentication model based on the positional relationship information and positional information of the first terminal corresponding to the positional relationship information;
The authentication device according to claim 1, characterized by: The acquisition unit
Acquiring time information when the positional relationship information was generated together with the positional relationship information;
The model generation unit
generating the authentication model based on the positional relationship information and time information corresponding to the positional relationship information;
3. The authentication device according to claim 1 or 2, characterized by: The acquisition unit
Acquiring information in which a plurality of the positional relationship information are combined,
The model generation unit
generating the authentication model based on information obtained by combining a plurality of the positional relationship information;
The authentication device according to any one of claims 1 to 3, characterized in that: an authentication unit that, when receiving an authentication request from the first terminal, authenticates the identity of the user based on the context data of the first terminal acquired together with the authentication request and the authentication model;
The authentication device according to any one of claims 1 to 4, further comprising: The acquisition unit
Acquiring the radio field strength between the first terminal and the second terminal as context data acquired together with the authentication request,
The authentication unit
authenticating the identity of the user based on the relative positional relationship between the first terminal and the second terminal based on the radio field intensity;
6. The authentication device according to claim 5, characterized by: The acquisition unit
Acquiring the communication status between the first terminal and the second terminal as context data acquired together with the request for authentication;
The authentication unit
Authenticating the identity of the user based on the relative positional relationship between the first terminal and the second terminal based on the communication status between the first terminal and the second terminal;
7. The authentication device according to claim 5 or 6, characterized by: The acquisition unit
The context data to be acquired together with the request for authentication includes the context data of the first terminal at the time when the request for authentication was made, and the first terminal and the second terminal before the time when the request for authentication was made. Acquire positional relationship information indicating the relative positional relationship of
The authentication unit
authenticating the identity of the user based on information obtained by combining the context data of the first terminal at the time of requesting the authentication and the positional relationship information;
The authentication device according to any one of claims 5 to 7, characterized in that: The authentication unit
The relationship between the time when the request for authentication is received and the time when the user routinely requests authentication, or the location information of the first terminal that transmitted the request for authentication and the time when the user routinely authenticates authenticate the identity of the user based on at least one of the relationship with the location information making the request for
The authentication device according to any one of claims 5 to 8, characterized in that: The authentication unit
A relationship based on attribute information between the user using the first terminal who sent the authentication request and the user to be newly authenticated, or used by the first terminal and the second terminal and the user to be newly authenticated Authenticating the identity of the user based on at least one of the relationships based on the terminal information with the first terminal and the second terminal,
The authentication device according to any one of claims 5 to 9, characterized in that: A computer-implemented authentication method comprising:
As the context data of the first terminal used by the user, the relative positional relationship between the first terminal and a plurality of second terminals which are terminals different from the first terminal located in a predetermined spatial range an acquisition step of acquiring positional relationship information indicating
Information that is a bundle of positional relationship information with one or more second terminals extracted as having a close relationship based on the positional relationship information acquired in the acquisition step, and a situation in which the user is authenticated a model generation step of generating an authentication model for authenticating the identity of the user based on information indicating the positional relationship below;
including
The model generation step includes:
generating the authentication model for calculating the probability that the second terminal is located in the vicinity while the user is being authenticated;
An authentication method characterized by: As the context data of the first terminal used by the user, the relative positional relationship between the first terminal and a plurality of second terminals which are terminals different from the first terminal located in a predetermined spatial range an acquisition procedure for acquiring positional relationship information indicating
Information that is a bundle of positional relationship information with one or more second terminals that are extracted as having a close relationship based on the positional relationship information acquired by the acquisition procedure, and where the user is authenticated a model generation procedure for generating an authentication model for authenticating the identity of the user based on information indicating the positional relationship below;
on the computer , and
The model generation procedure includes:
generating the authentication model for calculating the probability that the second terminal is located in the vicinity while the user is being authenticated;
An authentication program characterized by: An authentication system including a first terminal used by a user and an authentication device for performing personal authentication of the user requested by the first terminal,
The first terminal is
a detection unit that detects a plurality of second terminals, which are terminals different from the first terminal, located within a predetermined spatial range;
a generating unit configured to generate positional relationship information indicating a relative positional relationship between each of the plurality of second terminals detected by the detecting unit and the first terminal at predetermined time intervals;
a transmission unit that transmits the positional relationship information generated by the generation unit to the authentication device;
with
The authentication device
an acquisition unit that acquires the positional relationship information transmitted by the transmission unit;
Information that is a bundle of positional relationship information with one or more second terminals extracted as having a close relationship based on the positional relationship information acquired by the acquisition unit, and a situation in which the user is authenticated a model generation unit that generates an authentication model for authenticating the identity of the user based on information indicating the positional relationship below;
with
The model generation unit
generating the authentication model for calculating the probability that the second terminal is located in the vicinity while the user is being authenticated;
An authentication system characterized by:

Images