JP7434655B1 - Authentication system, terminal device, identity verification method, and program - Google Patents

Abstract

[Problem] To construct a system to ensure that a user who has the right to use a storage medium performs identity verification using the storage medium, and as a result, prevents unauthorized use of the storage medium and authenticates the identity verification. We provide authentication systems that can improve strength. [Solution] When a terminal device 20 or an authentication server device 10 executes an identity verification process using an IC card 60, a key code (PIN) is used to read identity verification information stored in the IC card 60. ), as well as performing authentication using a face image and controlling the timing for capturing the face of the user who wishes to register when entering the key code of the IC card 60, the user can authenticate the user in real space. The configuration is such that a user who wishes to register is always present near the IC card 60. [Selection diagram] Figure 4

Description

The present invention relates to an authentication system, a terminal device, an identity verification method, a program, and the like.

2. Description of the Related Art Network services such as Internet banking or mail order sites have been provided to customers via communication networks.

Additionally, recently, it has become common practice to verify your identity when registering to use such network services. Cards for individual identification of citizens or IC cards such as driver's licenses are often used.

For example, a system for verifying identity using such an IC card may include information on the user who has the legal right to the IC card (including personal identification information), in association with key information such as a PIN; Key code authentication using an IC card that stores the user's face image and various information such as electronic certificates, and a face image generated by capturing the face of the person whose identity is desired to be verified. A system is known that performs identity verification while performing face authentication (for example, Patent Document 1).

JP 2019-050014 Publication

However, systems such as those described in Patent Document 1 do not control the timing of capturing the face image of the person who wishes to verify the identity of the person, and fraudulent authentication such as acquiring the face image of the person in advance may occur. However, it cannot be said that the authentication strength for identity verification is high.

The present invention has been made to solve the above-mentioned problems, and its purpose is to control the timing of capturing the face image of a user who wishes to verify his or her identity, so that the user who has the right to use the storage medium can An authentication system that is capable of building a system that reliably performs identity verification using a storage medium, and as a result, prevents unauthorized use of the storage medium and improves the authentication strength of the identity verification. The aim is to provide such things as

(1) In order to solve the above problems, the present invention:
An authentication system that executes electronic authentication processing related to identity verification using a storage medium in which given information for verifying the identity of a user who has usage rights is stored as identity verification information, ,
The storage medium includes user-related information about the user, including at least unique identification information for identifying the user, and identity verification image information showing an image of the user's physical characteristics. As confirmation information, it is stored in association with key information for authenticating whether the user has legitimate authority.
reception processing means for executing reception processing for accepting key information input by the desired user who wishes to verify his/her identity;
reading control means for controlling a reading means for reading the personal identification information from the storage medium;
Imaging control means for controlling an imaging means for imaging a physical characteristic part of the desired user to generate captured image information;
an identity verification process indicating a process for verifying the identity based on the input key information, the identity verification image information included in the read identity verification information, and the generated captured image information; or an authentication control means that executes processing related to the identity verification processing;
Equipped with
The authentication control means,
When executing the identity verification process, when the key information is accepted and the reading position of the storage medium with respect to the reading means satisfies a given reading condition, the desired user is identified by the imaging means. has a configuration that allows imaging of physical features of the patient.

With this configuration, the present invention is capable of reading a desired user's physical characteristics, such as a facial image, unless a reading condition such as placing a storage medium such as an IC card at a predetermined reading position with respect to the reading means is provided. Since the captured image information cannot be generated in the first place because the user cannot capture the image, when executing the identity verification process, it is possible to request an input operation by a user who has legitimate ownership of the storage medium.

That is, the present invention can ensure that the desired user is present near the storage medium in real space when the user's identity is authenticated by controlling the timing of capturing the facial image of the desired user.

Therefore, the present invention can construct a system in which a user who has the right to use a storage medium reliably performs identity verification using the storage medium, so that, for example, if the storage medium is used by another user, etc. It is possible to prevent unauthorized use of the storage medium and improve the authentication strength of identity verification using the storage medium.

Note that "storage medium" includes, for example, a storage medium such as an IC card or an IC tag in which given information is stored in an IC chip, and a physical storage in which information is stored using light or magnetism. Includes media, etc.

In particular, the storage medium may be stored in a portable information terminal device such as a smartphone.

A "user with usage rights" includes not only a user who owns a storage medium but also a user who is permitted to use the storage medium, such as a loaner, and has the right to use the storage medium. Indicates a user who has.

Furthermore, "electronic authentication processing related to identity verification" may be identity verification processing, or various authentication processes for executing the identity verification processing (guidance to a web page for identity verification procedures, etc.) The process may be temporary registration of an email address, two-step authentication, one-time password authentication, or processing for accessing a corresponding server device when performing various types of authentication.

The term "image of a characteristic body part" refers to an image of a body part that can be distinguished from others, such as a face, a fingerprint, or a retina. However, basically, it is preferable that the image of the body part be a facial image because the storage medium itself serves as identification.

Further, the "user-related information" includes identification information (personal management number) such as my number or social security number, as well as the user's name, address, data file for electronic certificate, and the like.

The "key information" may be a key (information) such as a text or code directly input by the user such as a PIN (Personal Identification Number) or password, or a text or code obtained via a network. Indicates a key (information) such as.

In addition to the above, the "reading means" and the "imaging means" may be provided separately from the authentication system, or may be provided within the authentication system.

Additionally, "identity verification processing" refers to the process of determining whether or not the user who wishes to verify his or her identity is an authorized user (regular user who has already been registered in the identity verification service). This shows the processing of

For example, the "identity verification process" includes:
(A1) The input key information and the key information stored in the storage medium match, and the stored face image for identity verification and the captured face image are the same or are considered to be the same;
(A2) In the case of (A1), read the identity verification information stored in the storage medium, and user-related information (for example, personal management number) included in the read identity verification information, The user-related information that is already stored (personal management number stored in another device such as a server device) is the same, and
(A3) The user-related information stored on the storage medium, such as electronic certificate information, has been authenticated as publicly issued information that indicates the user's identity (for example, public key encryption such as My Number card) (Including method-based authentication).
etc. are included.

Furthermore, "processing related to identity verification processing" includes, for example, input key information, identity verification image information, generated captured image information, or such information when identity verification processing is executed by another device. This includes a process of providing two or more pieces of information to the other device, or a process of receiving a control instruction such as imaging permission.

(2) The present invention also includes:
The authentication control means,
When the key information is accepted and the reading position of the storage medium with respect to the reading means satisfies a given reading condition, only when the reading condition is maintained. It has a configuration that allows the imaging means to take an image of a physical characteristic part of the desired user.

With this configuration, the present invention requires that a user who has the right to use the storage medium be present in the vicinity of the storage medium in real space, in order to successfully authenticate the identity of the user. It is possible to prevent separate use by a user who has the right to use the storage medium.

Note that "permit the imaging means to take images of the desired user's physical features only if the reading conditions are met" means that if the reading conditions are not met, the imaging means Indicates that image capture is not permitted.

(3) Furthermore, the present invention includes:
The reception processing means
The apparatus is configured to accept input of key information from the desired user when the reading conditions are met.

With this configuration, the present invention can avoid pre-input of key information, prevent fraud using the key information, and improve the authentication strength of identity verification using a storage medium. I can do it.

(4) The present invention also includes:
The reception processing means
The apparatus is configured to invalidate the already input key information and accept the desired user to re-enter the key information when the reading condition is no longer met.

With this configuration, the present invention allows the desired user to remain or remain in the real space where the identity verification is performed at least until the imaging of the physical characteristic parts of the desired user is completed, so that the storage medium can be used by others. It is possible to prevent separate use of a storage medium and a user who has the right to use the storage medium.

(5) The present invention also includes:
The personal identification image information indicating an image of a physical characteristic part of the user is a facial image of the user.

With this configuration, the present invention can visually confirm the identity of the person, and thus can be used as an identification card by itself.

(6) Furthermore, in order to solve the above problems, the present invention:
Electronic authentication related to identity verification using a storage medium that is connected to a given server device and stores given information as identity verification information for verifying the identity of a user who has usage rights. A terminal device that executes processing,
The storage medium includes user-related information about the user, including at least unique identification information for identifying the user, and identity verification image information showing an image of the user's physical characteristics. As confirmation information, it is stored in association with key information for authenticating whether the user has legitimate authority.
reception processing means for executing reception processing for accepting key information input by the desired user who wishes to verify his/her identity;
reading means for reading the identification information from the storage medium;
reading control means for controlling the reading means;
an imaging means for imaging a physical characteristic part of the desired user to generate captured image information;
Imaging control means for controlling the imaging means;
an identity verification process indicating a process for verifying the identity based on the input key information, the identity verification image information included in the read identity verification information, and the generated captured image information; or an authentication control means that executes processing related to the identity verification processing;
Equipped with
The authentication control means,
When executing the identity verification process, when the key information is accepted and the reading position of the storage medium with respect to the reading means satisfies a given reading condition, the desired user is identified by the imaging means. has a configuration that allows imaging of physical features of the patient.

With this configuration, the present invention can construct a system that allows a user who has the right to use a storage medium such as an IC card to reliably perform identity verification using the storage medium.

Therefore, the present invention can prevent unauthorized use of the storage medium, such as when the storage medium is used by another user, and improve the authentication strength of identity verification using the storage medium.

(7) The present invention also includes:
The authentication control means,
When executing the process related to the identity verification process, the process related to the identity verification process includes providing information for executing the identity verification process to the server device, and confirming the identity verification process executed by the server device. Perform at least one of the following: receiving and providing the result to the desired user; and performing a process for requesting registration with a given network service if the identity verification is authenticated. It has a configuration.

With this configuration, the present invention works in conjunction with the server device to prevent unauthorized use of the storage medium, such as when the storage medium is used by another user, and improves the authentication strength of identity verification using the storage medium. can be improved.

(8) Furthermore, in order to solve the above problems, the present invention includes:
A program that executes processing related to identity verification using a storage medium in which given information for verifying the identity of a user who has usage rights is stored as identity verification information,
The storage medium includes user-related information about the user, including at least unique identification information for identifying the user, and identity verification image information showing an image of the user's physical characteristics. As confirmation information, it is stored in association with key information for authenticating whether the user has legitimate authority.
reception processing means for executing reception processing for accepting key information input by the desired user who wishes to verify his/her identity;
reading control means for controlling a reading means for reading the personal identification information from the storage medium;
an imaging control means for controlling an imaging means for imaging a physical characteristic part of the desired user to generate captured image information; and
an identity verification process indicating a process for verifying the identity based on the input key information, the identity verification image information included in the read identity verification information, and the generated captured image information; or an authentication control means that executes processing related to the identity verification processing;
function as
The authentication control means,
When the key information is accepted and the reading position of the storage medium with respect to the reading means satisfies a given reading condition, permitting the imaging means to image a physical characteristic part of the desired user; It has a structure.

With this configuration, the present invention can construct a system that allows a user who has the right to use a storage medium such as an IC card to reliably perform identity verification using the storage medium.

Therefore, the present invention can prevent unauthorized use of the storage medium, such as when the storage medium is used by another user, and improve the authentication strength of identity verification using the storage medium.

(9) Furthermore, in order to solve the above problems, the present invention includes:
An identity verification method that uses a storage medium in which the given information for verifying the identity of a user who has usage rights is stored as identity verification information to perform electronic authentication processing related to identity verification. hand,
The storage medium includes user-related information about the user, including at least unique identification information for identifying the user, and identity verification image information showing an image of the user's physical characteristics. As confirmation information, it is stored in association with key information for authenticating whether the user has legitimate authority.
Executing a reception process for accepting key information input by the desired user who wishes to verify his/her identity;
controlling a reading means for reading the identification information from the storage medium;
controlling an imaging means that images a physical characteristic part of the desired user to generate captured image information; and
an identity verification process indicating a process for verifying the identity based on the input key information, the identity verification image information included in the read identity verification information, and the generated captured image information; or Executing processes related to the identity verification process;
including;
When executing the identity verification process, when the key information is accepted and the reading position of the storage medium with respect to the reading means satisfies a given reading condition, the desired user is identified by the imaging means. has a configuration that allows imaging of physical features of the patient.

With this configuration, the present invention can construct a system that allows a user who has the right to use a storage medium such as an IC card to reliably perform identity verification using the storage medium.

Therefore, the present invention can prevent unauthorized use of the storage medium, such as when the storage medium is used by another user, and improve the authentication strength of identity verification using the storage medium.

FIG. 1 is a system configuration diagram showing the configuration of an authentication management communication system in one embodiment. It is an example of the functional block diagram which shows the structure of the authentication server apparatus in one embodiment. FIG. 2 is a functional block diagram showing an example of the configuration of a terminal device in one embodiment. FIG. 2 is a diagram for explaining authentication processing related to user confirmation processing in the authentication management communication system of one embodiment. FIG. 3 is a diagram illustrating an example of personal identification information stored in an IC card according to one embodiment. 2 is a flowchart illustrating operations when performing authentication processing related to identity verification, including identity verification processing, executed in the terminal device of one embodiment. 2 is a flowchart illustrating operations when performing authentication processing related to identity verification, including identity verification processing, executed in the terminal device of one embodiment. 2 is a flowchart illustrating operations when performing authentication processing related to identity verification, including identity verification processing, executed in the terminal device of one embodiment.

Embodiments according to the present invention will be described below with reference to the drawings.

The embodiment described below includes a terminal device used by a user, an authentication server device that controls various authentication processes, a network service server device that provides network services, and an authentication process related to identity verification. This is an embodiment in which the authentication system of the present application is applied to an authentication management communication system using a storage medium such as an IC card, which has an information management server device to manage the information.

Further, in this embodiment, an IC card will be used as the storage medium. However, storage media include, in addition to IC cards, storage media such as IC tags in which given information is stored on an IC chip, and physical storage in which information is stored using light or magnetism. It may be a medium or the like. Further, the storage medium may be one stored in a portable information terminal device such as a smartphone.

Furthermore, in this embodiment, a user who has usage rights includes a user who owns a storage medium such as an IC card, a user who is permitted to use the storage medium (i.e., a user who is lent the storage medium), etc. and indicates the user who has the right to use the storage medium.

[1] Authentication Management Communication System First, an overview of the authentication management communication system 1 of this embodiment will be explained using FIG.

Note that FIG. 1 is a system configuration diagram showing the configuration of an authentication management communication system 1 in this embodiment.

Furthermore, in order to prevent the diagram from becoming complicated, FIG. 30 (also referred to as "server device") is shown.

That is, in the actual authentication management communication system 1, there are a larger number of IC cards 60, terminal devices 20, and service server devices 30 than shown in FIG.

The authentication management communication system 1 of this embodiment executes the authentication process of a user registered in advance, and when the user authentication is successful, provides various network services to the authenticated user via the network. It is a system.

In particular, the authentication management communication system 1 of the present embodiment provides electronic authentication related to identity verification, including processing for verifying identity using an IC card 60 as a storage medium (hereinafter referred to as "identity verification processing"). The configuration includes a mechanism that allows a user who has the right to use the IC card 60 to reliably perform identification using the IC card 60 when executing processing.

In other words, the authentication management communication system 1 of the present embodiment is a user who wishes to verify his/her identity using the IC card 60 (i.e., a user who wishes to use a network service and wishes to register for the service, hereinafter referred to as "registration request"). A configuration that executes processing for determining whether a user (hereinafter referred to as "user") is a legitimate user whose identity can already be verified (for example, a user who has already been registered in an identity verification service). have.

Specifically, as shown in FIG. 1, the authentication management communication system 1 of this embodiment includes an authentication server that manages authentication processing related to identity verification or various authentication processing such as logging into a network service. The device 10 and a terminal device 20 (for example, a terminal device 20A, 20B, 20C).

Further, as shown in FIG. 1, the authentication management communication system 1 of this embodiment confirms that user registration in an identity verification service (a network service different from the network service for which user registration is desired) has been performed in advance. The premise is that a service server device 30 that provides a predetermined network service and identity verification information for identity verification including identification information unique to each user such as a personal management number (for example, My Number) are required by law. an information management server device 40 that provides and manages identity verification services and public authentication management that manages identity verification information used for identity verification including personal management numbers; It has a server device 50.

The authentication server device 10 uses, for example, an API (application programming interface) or a predetermined platform to store information that executes various processes related to identity verification at the time of registration to a network service and authentication processing after the registration. It is a processing device.

Further, the authentication server device 10 may be configured with one (device, processor), or may be configured with a plurality of (devices, processors).

The authentication server device 10 includes various databases (storage devices and memories in a broad sense) in which various types of information used for identity verification processing or authentication processing are stored. However, the authentication server device 10 of this embodiment may access a database (storage device, memory in a broad sense) connected via a network (intranet or Internet).

Furthermore, the authentication server device 10 has a configuration that works in conjunction with each terminal device 20 to manage the identity verification process and authenticate the user who has each terminal device 20.

The terminal device 20 is a communication terminal device configured by an information processing device such as a PC (personal computer), a tablet type information communication terminal device, a smartphone, a mobile phone, a game device, or an HMD used by a user.

The terminal device 20 is a device that can be connected to the authentication server device 10 via a network such as the Internet (WAN) or LAN, and establishes a communication line with the authentication server device 10 by wire or wirelessly to perform various types of communication. It has a configuration for exchanging data.

The terminal device 20 also has a communication control function for communicating with the authentication server device 10 such as input information input by the user, and data received from the authentication server device 10 and the service server device 30. It has a configuration that includes a display function that uses the display function to perform display control.

The service server device 30 provides banking services for financial institutions, reservation services for restaurants, inns, transportation, etc., product sales services, SNS services, content provision services such as games, music, and videos, and email services. This is a server device for providing various network services including cloud services such as various applications, or information providing services such as search and advertising.

In particular, when registering a user for a network service, the service server device 30 verifies the identity of the user who wishes to register (hereinafter referred to as "registration-desiring user") through authentication processing related to identity verification processing. If this is confirmed (that is, if the identity verification is successful), the system has a configuration for registering the user who wishes to register as a user who provides a network service (that is, a user who wants to register).

Further, when the authentication server device 10 successfully authenticates the user who wishes to register, the service server device 30 causes the authenticated terminal device 20 to log into the network service provided, and provides the corresponding service to the user. It has a configuration that executes various types of processing to provide services to users.

Note that the service server device 30 may have various functions related to authentication, such as authentication processing of the authentication server device 10.

The information management server device 40 is an information processing device that allows the corresponding terminal device 20 and the public authentication management server device 50 to cooperate when executing processes related to identity verification including identity verification processing.

Further, the information management server device 40 may be configured with one (device, processor), or may be configured with a plurality of (devices, processors).

Specifically, similar to the authentication server device 10, the information management server device 40 uses, for example, an API (application programming interface) or a predetermined platform to communicate with each terminal device 20 and the public authentication management server device. 50 in cooperation with each other to execute authentication based on personal identification information.

The public authentication management server device 50 stores identity verification information for identity verification, including unique identification information (i.e., personal management number) of each user, such as my number, social security number, or driver's license number. , an information processing device that manages (information management) in accordance with legal requirements.

Further, the public authentication management server device 50 may be composed of one (device, processor) or a plurality of (devices, processors).

The public authentication management server device 50 has various databases (storage devices and memories in a broad sense) in which each user's identity verification information and various information used for authentication processing related to identity verification are stored. There is. However, the public authentication management server device 50 of this embodiment may access a database (storage device, memory in a broad sense) connected via a network (intranet or Internet).

Specifically, similar to the authentication server device 10, the public authentication management server device 50 manages the identity verification information of each user using, for example, an API (application programming interface) or a predetermined platform. In addition, when performing authentication processing related to identity verification, it is configured to work in conjunction with the information management server device 40 to execute inquiries regarding identity verification information and other authentication-related processing.

[2] Authentication Server Device Next, the authentication server device 10 of this embodiment will be described using FIG. 2. Note that FIG. 2 is an example of a functional block diagram showing the configuration of the authentication server device 10 of this embodiment.

The authentication server device 10 of this embodiment includes a processing section 100, a database 140, a storage section 170, an information storage medium 180, and a communication section 196, as illustrated in FIG.

Note that the authentication server device 10 does not need to include all of the parts shown in FIG. 2, and may have a configuration in which some of them are omitted.

The storage unit 170 serves as a work area for the processing unit 100 and the like, and its functions can be realized by hardware such as RAM (VRAM). In particular, the storage unit 170 functions as a work area used when performing various processes.

The information storage medium 180 is readable by a computer, and programs, data, etc. are stored in the information storage medium 180. That is, the information storage medium 180 stores a program for making the computer function as each part of this embodiment (a program for making the computer execute the processing of each part).

Note that the processing unit 100 can perform various processes of this embodiment based on data read from the program (data) stored in the information storage medium 180.

For example, the information storage medium 180 is an optical disk (CD, DVD), a magneto-optical disk (MO), a magnetic disk, a hard disk, a flash memory such as a solid state drive, a magnetic tape, a memory (ROM), a memory card, etc. .

The database 140 is formed by an optical disk (CD, DVD), a magneto-optical disk (MO), a magnetic disk, a hard disk, a flash memory such as a solid state drive, a magnetic tape, a memory (ROM), a memory card, or the like.

Further, the database 140 is a database in which information regarding each user for performing authentication processing when logging into each service server device 30 is registered as user authentication information.

In particular, the database 140 stores, for each user, a user name, password, and user-related information for authentication (for example, name, credit card number, e-mail, and mobile phone number) in association with each user ID. (contact information, etc.) and user authentication information for identifying the user when performing authentication processing such as symbol information are stored.

The communication unit 196 performs various controls for communicating with the outside (for example, the terminal device 20 or the service server device 30), and its functions are performed by hardware such as various processors or communication ASICs. It is composed of programs, etc.

The processing unit 100 performs various processes of this embodiment based on programs (data) stored in the storage unit 170. Note that the processing unit 100 of this embodiment reads programs and data stored in the information storage medium 180, temporarily stores the read programs and data in the storage unit 170, and performs processing based on the programs and data. You may do so.

Further, the processing unit 100 (processor) performs various processes using the main storage unit in the storage unit 170 as a work area. The functions of the processing unit 100 can be realized by hardware such as various processors (CPU, DSP, etc.) and programs.

Specifically, the processing section 100 includes a communication control section 101 , a DB management control section 102 , an authentication processing section 103 , an identity verification processing management section 104 , and a timer management section 107 .

The communication control unit 101 establishes a communication line with the terminal device 20, the service server device 30, etc. via the network, and communicates with each other.

The DB management control unit 102 executes processes such as reading, writing, deleting, and updating each data in the database 140.

The authentication processing unit 103 receives, for each terminal device 20, input information input via each terminal device 20, and stores the received input information (specifically, the user name or user ID and password) and the database. The authentication process for each user is executed based on the authentication information (namely, user name or user ID and password) of the user already registered in step 140 .

The identity verification processing management unit 104 works in conjunction with the terminal device 20 and executes identity verification processing indicating a process for verifying the identity or processing related to the identity verification processing.

The timer management unit 107 has a function of measuring from the current date and time or a predetermined timing, and outputs the current time and measurement results when the predetermined timing arrives.

[3] Terminal Device Next, the functions of the terminal device 20 will be explained using FIG. 3. Note that FIG. 3 is a functional block diagram showing an example of the configuration of the terminal device 20 of this embodiment.

As shown in FIG. 3, the terminal device 20 of this embodiment includes a processing section 200, a card reader/writer 240, an imaging section 250, an operation input section 260 including a touch panel, etc., a storage section 270, and an information storage section. It has a medium 280, a display section 290 constituted by a display element such as a liquid crystal panel, a communication section 296, and a sound output section 292.

The card reader/writer 240 reads and writes information to and from the IC card 60 held by the user.

For example, the card reader/writer 240 of this embodiment reads out identity verification information including a personal management number from the IC card 60.

Note that the card reader/writer 240 can be realized by, for example, a card reader for NFC (Near Field Communication).

The imaging unit 250 includes an imaging camera that has a predetermined angle of view and focal length that allows imaging, and includes a predetermined imaging element such as a CCD, and an image generation unit that converts the output of the imaging camera into an image.

Further, the imaging unit 250 works in conjunction with the processing unit 200, and when executing the identity verification process, for example, the imaging unit 250 collects biometric information such as facial image information obtained by capturing an image of the user's face and converting the facial image into data to the authentication server device. Send to 10.

The operation input unit 260 is a device for inputting input information from the player, and outputs the input information from the player to the processing unit 200.

The operation input unit 260 of this embodiment has a configuration that detects user input information (input signals), and is configured with, for example, a lever, a button, a microphone, a touch panel display, a keyboard, a mouse, and the like.

The storage unit 270 serves as a work area for the processing unit 200 and the like, and its functions can be realized by hardware such as RAM (VRAM).

The storage unit 270 of the present embodiment includes a main storage unit 271 used as a work area, an image buffer 272 in which a display image displayed during identity verification processing, etc. is stored, and part of user-related information for authentication. or a user information storage unit 273 in which user information including all user information is stored. Note that a configuration may be adopted in which some of these are omitted.

The information storage medium 280 is readable by a computer, and in addition to various applications and an OS (operating system), in this embodiment, the information storage medium 280 stores the information of the user corresponding to the terminal device 20. Various data including user IDs are stored.

That is, the information storage medium 280 stores an application for making the computer function as each part of the present embodiment (an application for causing the computer to execute the processing of each part) and a user ID.

For example, the information storage medium 280 is an optical disk (CD, DVD), a magneto-optical disk (MO), a magnetic disk, a hard disk drive, a flash memory, a magnetic tape, a memory (ROM), a memory card, or the like.

The communication unit 296 performs various controls for communicating with the outside (for example, other terminal devices 20, authentication server device 10, and service server device 30), and its functions are performed by various processors. Alternatively, it may be configured by hardware such as a communication ASIC, a program, or the like.

The processing unit 200 can perform various processes of this embodiment by reading and executing the application stored in the information storage medium 280. Note that the type of application stored in the information storage medium 280 is arbitrary.

The processing unit 200 performs various processes of this embodiment based on the application stored in the information storage medium 280. Note that the processing unit 200 of this embodiment reads programs and data stored in the information storage medium 280, temporarily stores the read programs and data in the storage unit 270, and performs processing based on the programs and data. You may do so.

Further, the processing unit 200 (processor) performs various processes using the main storage unit in the storage unit 270 as a work area. The functions of the processing unit 200 can be realized by hardware such as various processors (CPU, DSP, etc.) and programs.

The processing unit 200 includes a communication control unit 210, a web browser 211, an imaging control unit 212, a display control unit 213, an input reception processing unit 214, a reading control unit 215, an identity verification processing unit 216, a drawing unit 220, and a sound processing unit 230. include. Note that a configuration may be adopted in which some of these are omitted.

The communication control unit 210 performs a process of transmitting and receiving data with the authentication server device 10, the service server device 30, or the information management server device 40.

The communication control unit 210 also receives data transmitted from the authentication server device 10, the service server device 30, or the information management server device 40, stores the received data in the storage unit 270, and processes the received data. Performs processing to analyze data and control processing related to transmission and reception of other data.

Note that the communication control unit 210 stores destination information (IP address, port number) of the authentication server device 10, the service server device 30, or the information management server device 40 in the information storage medium 280, and performs a process of managing the destination information. You may also do so.

The communication control unit 210 may communicate with the authentication server device 10, the service server device 30, or the information management server device 40 when receiving input information from the user to start communication.

Further, the communication control unit 210 may communicate with the information management server device 40 via the authentication server device 10.

Note that the communication control unit 210 may transmit and receive data with the authentication server device 10, the service server device 30, or the information management server device 40 at a predetermined period, or when receiving input information from the operation input unit 260. Additionally, data may be transmitted and received with the authentication server device 10, the service server device 30, or the information management server device 40.

The web browser 211 is an application program for viewing web pages (authentication screen, identity verification processing screen, or service enjoyment screen), and is a web server (authentication server device 10, service server device 30, or information server device 10, service server device 30, or information HTML files, image files, etc. are downloaded from the management server device 40), the layout is analyzed, and the display is controlled.

The web browser 211 also transmits data to the web server (authentication server device 10, service server device 30, or information management server device 40) using an input form (link, button, text box, etc.).

Note that the terminal device 20 can display information from a Web server (for example, the service server device 30) specified by a URL via the Internet using the Web browser 211.

For example, the terminal device 20 can display each content (data such as HTML) received from the authentication server device 10, the service server device 30, or the information management server device 40 using the Web browser 211.

When executing the identity verification process in conjunction with the authentication server device 10, the imaging control unit 212 causes the imaging unit 250 to image the user's face and collect facial image information (hereinafter referred to as “captured facial image information”). , "captured image information").

The display control unit 213 performs processing for displaying on the display unit 290. For example, the display control unit 213 may display using the Web browser 211.

The input reception processing unit 214 recognizes input information input by the user from the operation input unit 260, and accepts the recognized information.

The reading control unit 215 controls a card reader/writer 240 that reads personal identification information from the IC card 60.

The identity verification processing unit 216 performs a process for identity verification based on the input key information, the identity verification image information included in the read identity verification information, and the generated captured image information. Executes identity verification processing or processing related to the identity verification processing.

The drawing unit 220 performs drawing processing based on various processes performed by the processing unit 200, thereby generating an image, and outputting the image to the display unit 290 by the display control unit 213.

The sound processing unit 230 performs sound processing based on the results of various processes performed by the processing unit 200, generates BGM, sound effects, audio, etc., and outputs it to the sound output unit 292.

[4] Technique of this embodiment [4.1] Overview Next, the authentication process related to the person confirmation process in the authentication management communication system 1 of this embodiment will be described using FIG.

Note that FIG. 4 is a diagram for explaining the authentication process related to the person confirmation process in the authentication management communication system 1 of this embodiment.

The authentication management communication system 1 of the present embodiment uses an IC card 60 in which given information for verifying the identity of a user who has usage rights is stored as identity verification information, and electronic information related to identity verification. It has a configuration that executes standard authentication processing.

That is, the authentication management communication system 1 of the present embodiment uses the IC card 60 in which personal identification information including unique identification information (i.e., personal management number) for identifying the user is stored, to access the service server device. 30, and performs authentication processing related to identity verification, including user registration for the network service provided by 30 and accompanying identity verification processing.

Further, the IC card 60 includes user-related information regarding the user including at least , and identity verification image information showing an image of the user's physical characteristics such as the face, which are valid as identity verification information. It is stored in association with key information (that is, a key code such as a PIN) for authenticating whether the user is an authorized user.

In particular, the IC card 60 stores personal identification information that cannot be read unless a proper key code is input.

Then, the terminal device 20 reads the identification information stored in the IC card 60 based on the user's instructions and the key code input by the user, and based on the read identification information, the authentication server device 10 or the information management server device 40, or independently, it has a configuration that executes electronic authentication processing related to identity verification.

In addition, when reading identity verification information from the IC card 60, the terminal device 20 not only inputs a key code, but also inputs the face of the user who wishes to register under the instructions of the user who wishes to register for a network service. It has a configuration that captures images of physical features such as.

At this time, in order to ensure that the desired user is present near the IC card 60 in real space, the terminal device 20 of this embodiment is independently linked with the authentication server device 10, the information management server device 40, or both. Accordingly, the configuration is configured to control the timing of capturing a facial image of a user who desires registration.

That is, the terminal device 20, the authentication server device 10, the information management server device 40, or a combination thereof of the present embodiment has reading conditions such as placing the IC card 60 at a predetermined reading position with respect to the terminal device 20. Otherwise, the configuration is such that capturing of physical features of the user desiring registration, such as a facial image, is not permitted.

For example, in order to realize the above configuration, the terminal device 20 of the present embodiment has the following configuration as shown in FIG.
(A1) A reception process that accepts a key code input by a user who wishes to register;
(A2) reading control processing for controlling reading of personal identification information from the IC card 60;
(A3) Imaging control processing that controls imaging of a physical characteristic part of a user who desires registration and generation of captured image information;
(A4) Identity verification processing that performs electronic authentication processing related to identity verification based on the input key code, the identity verification image information included in the read identity verification information, and the generated captured image information. ,
It has a configuration that executes.

Then, as shown in FIG. 4, when the terminal device 20 executes the identity verification process, the key code is accepted, and the location of the storage medium when reading user-related information from the storage medium is set to a given value. It has a configuration that allows imaging of the physical characteristic parts of the user who wishes to be registered when the reading conditions are met.

Note that FIG. 4 shows a case where the authentication process for identity verification is executed by the information management server device 40 under the management of the authentication server device 10, and the IC card 60 meets the reading conditions. An example is shown.

In FIG. 4, as the identity verification process in the terminal device 20,
(B1) Permission to capture the face of user P who wishes to register;
(B2) Determining the identity of the input key code and the stored key code stored in the IC card 60;
(B3) Determining the identity of the captured facial image and the facial image stored in the IC card 60; (B4) determining the identity of the captured facial image and the facial image stored in the IC card 60; (B4) determining the encrypted electronic certificate for authentication processing to the information management server device 40; Sending data files, etc., and
(B5) Receiving authentication results;
An example is shown in which this is executed.

In addition to the terminal device 20, FIG. 4 also includes an authentication server device 10 that manages authentication processing related to the identity verification process, a service server device 30 that provides a given network service, and an identity verification process. When executing processing related to identity verification, an information management server device 40 that links the corresponding terminal device 20 and the public authentication management server device 50, and a public authentication management server device 50 that manages identity verification information. It is shown.

By having such a configuration, the authentication management communication system 1 of the present embodiment can detect the body image of the user who wishes to register, such as a facial image, unless the reading conditions such as placing the IC card 60 at a predetermined reading position are met. Since it is not possible to image a characteristic part (for example, a face), it is impossible to generate captured image information in the first place.

Therefore, the authentication management communication system 1 of this embodiment is capable of requesting an input operation by a user who has legitimate ownership of the storage medium when executing the identity verification process.

That is, the authentication management communication system 1 of the present embodiment controls the timing of capturing the facial image of the desired user, so that the desired user is placed near the IC card 60 in real space when the identity is authenticated. is guaranteed to exist.

As a result, the authentication management communication system 1 of the present embodiment can construct a mechanism that allows a user who has the right to use the IC card 60 to reliably perform identity verification using the IC card 60. It is possible to prevent unauthorized use of the IC card 60, such as when the card 60 is used by another user, and to improve the authentication strength of identity verification using the IC card 60.

Note that in the present embodiment, the authentication server device 10 or the information management server device 40 may execute one or all of the reading control processing, the imaging control processing, and the identity verification processing. However, in this case, it is assumed that each process of inputting a key code, reading from the IC card 60, and capturing an image of a physical characteristic part is executed in the terminal device 20.

In addition, in the following embodiment, a case where the terminal device 20 executes reading control processing, imaging control processing, and identity verification processing will be described as an example, and some of the reading control processing, imaging control processing, and identity verification processing will be described. Alternatively, a case where the entire process is executed by either the authentication server device 10, the information management server device 40, or both will be described in a modified example.

Furthermore, in this embodiment, an image of a physical characteristic part refers to an image of a physical part that can be identified from other people, such as a face, a fingerprint, or a retina. However, basically, it is preferable that the image of the body part be a facial image because the IC card 60 itself serves as identification. Therefore, this embodiment will be explained using a face image.

[4.2] Identity Verification Information Next, the identity verification information of this embodiment will be explained using FIG. 5. Note that FIG. 5 is a diagram showing an example of personal identification information stored in the IC card 60 of this embodiment.

The IC card 60 is a storage medium that stores identification information such as user-related information regarding the user who has the right to use the card, and also functions as an identification card on which the face photo of the user is printed. .

For example, as shown in FIG. 5, each IC card 60 contains information such as a personal management number already assigned to the user (that is, a user with usage rights), the user's name, and a data file of an electronic certificate. Related information and information on a face image of the user (hereinafter referred to as "face image information for identity verification") are stored as identity verification information in association with a key code such as a PIN.

In particular, the personal identification information is stored with the readout locked based on a key code for authenticating whether the user has legitimate authority determined in advance at the time of registration of the personal identification information by the user or the like.

Specifically, a personal management number is a number issued by a public organization such as an administrative agency to a desired user or forcibly to identify an individual, such as My Number, Social Security Number, etc. Or identification information such as a driver's license number.

In addition to the user's name, user-related information includes four basic information such as address, date of birth, and gender, an electronic certificate data file, an irremovable private key, and information encrypted with the private key. A public key for decrypting data is stored.

In addition, if user-related information includes contact information such as a phone number, the user's nickname, or rewritable data, it may be stored as electronic money, digital legal currency, or have monetary value in a specific trade area. It may also include information on points or specific currency, and information on its usage history.

The face image information for identity verification may basically be information on the image of the printed surface (ticket surface) on which the face image of the IC card 60 is printed, or may simply be information on the face image. .

The electronic certificate data file includes, for example, signature private key information, user lighting private key information, public key information, and information on the certificate authority that issued the electronic certificate.

Note that, when the IC card 60 is issued, the personal identification information is stored in the public authentication management server device 50 (specifically, a database (not shown)) in association with the personal management number and the like.

[4.3] Reception Process Next, the reception process executed by the terminal device 20 of this embodiment will be described.

(Reception process regarding key code input)
For example, as shown in FIG. 4, the input reception processing unit 214 inputs a key code input by a registration-desiring user who wishes to perform the identity verification and register for a network service when the identity verification process is executed. Execute the reception process to accept the request.

Specifically, when the identity verification processing unit 216 starts executing the identity verification process under the instruction of the user who wishes to register, the input reception processing unit 214 works in conjunction with the display control unit 213 to display the information on the display unit 290. While displaying a given key button, an image prompting the user to input a key code (hereinafter referred to as "input key code") is displayed.

At this time, the input acceptance processing section 214 works in conjunction with the operation input section 260 to perform an acceptance process of recognizing and accepting the key information input by the user from the operation input section 260 as an input key code.

In particular, when the display unit 290 displays numeric keypad buttons or various QWERTY-arranged key buttons that prompt the input of an input key code such as a PIN, the input reception processing unit 214 uses the operation input unit 260 to perform registration. A reception process is executed in which a plurality of press-down operations (that is, contact operations) on a key button by a desired user are recognized, and the recognized key buttons are recognized and accepted as an input key code.

The input reception processing unit 214 then provides the received input key code to the identity verification processing unit 216.

(Reception process regarding input of imaging instructions)
For example, as shown in FIG. 4, the input acceptance processing unit 214 executes an acceptance process of accepting an imaging instruction input by a user who wishes to register and who wishes to verify his/her identity.

Specifically, when the execution of the identity verification process is started and the input key code is input, and when the imaging control unit 212 allows the imaging unit 250 to take an image, the input reception processing unit 214 performs the following operations. In conjunction with the display control unit 213, the display unit 290 displays a display prompting the user to take an image of the physical characteristics of the user who wishes to register, and performs a reception process for receiving an input of an imaging instruction when the imaging unit 250 performs imaging. Execute.

At this time, the input reception processing unit 214 displays an imaging area image specifying the imaging range on the display unit 290, and detects a pressing operation (i.e., a contact operation) of the imaging button displayed together with the imaging area image. By doing so, input of an imaging instruction is accepted.

The input reception processing unit 214 then provides the received imaging instruction to the identity verification processing unit 216.

[4.4] Reading Control Process Next, the reading control process executed by the terminal device 20 of this embodiment will be described.

The reading control unit 215 controls a card reader/writer 240 that reads the identification information from the IC card 60.

In particular, the reading control section 215 uses a key code such as a PIN (hereinafter referred to as a "stored key code") stored in the IC card 60 by the card reader/writer 240 under instructions from the identity verification processing section 216. read out.

Then, when it is determined that the input key code and the stored key code match under the instruction of the identity verification processing unit 216, the reading control unit 215 reads the identity verification information as shown in FIG. 4, for example. and provides the read identity verification information to the identity verification processing unit 216.

That is, the reading control unit 215 receives the key code, detects that the input key code matches the stored key code, detects proximity placement or contact of the IC card 60 to the card reader/writer 240, and registers the key code. When an image of a physical characteristic part such as the face of the desired user is captured, an instruction to read the identification information is received from the identification processing unit 216.

When the read control unit 215 receives the instruction to read the personal identification information, the read control unit 215 causes the card reader/writer 240 to read the identification information if the IC card 60 is placed close to or in contact with the card reader/writer 240. The personal identification information stored in the IC card 60 is read out, and the read personal identification information is provided to the personal identification processing section 216.

Note that even if the reading control unit 215 receives an instruction to read the identification information, if the IC card 60 is not placed close to or in contact with the card reader/writer 240, the reading control unit 215 detects the identification information. The identification information processing unit 216 is notified of the error in reading the confirmation information.

[4.5] Image Capture Control Process Next, the image capture control process executed by the terminal device 20 of this embodiment will be described.

For example, as shown in FIG. 4, the imaging control unit 212 is an imaging unit that generates captured image information by imaging a physical characteristic part such as the face of a user desiring registration based on an imaging instruction from the user desiring registration. 250 is executed.

Specifically, the imaging control unit 212 works in conjunction with the display control unit 213 under instructions from the identity verification processing unit 216 to display an imaging area image for specifying the imaging range on the display unit 290 and in conjunction with the operation input unit 260. An image capture button for capturing an image is displayed.

Then, when the imaging control unit 212 recognizes a pressing operation (i.e., a contact operation) on the imaging button by the user who wishes to register using the operation input unit 260, the imaging control unit 212 uses the imaging area imaged by the imaging unit 250 (for example, (face area) to generate captured image information, and provide the generated captured image information to the identity verification processing unit 216.

Note that the imaging control unit 212 may control the imaging unit 250 to change the imaging range, to control the imaging direction, etc., based on the operation input via the operation input unit 260 by the user who wishes to register. good.

[4.6] Identity Verification Processing Including Imaging Permission When Executing Authentication Processing Related to Identity Verification Next, the identity verification processing of this embodiment will be described.

(Basic principle of identity verification processing)
The identity verification processing unit 216 processes the input key code (that is, the input key code), the identity verification image information included in the read identity verification information, and the captured image information captured and generated by the imaging unit 250. The identity verification process is executed based on the following.

In particular, the identity verification processing unit 216 executes the identity verification process when an input key code is accepted and the reading position of the IC card 60 with respect to the card reader/writer 240 satisfies a given reading condition. , has a configuration that allows the image capturing unit 250 to capture an image of a physical characteristic part (i.e., face) of a user desiring registration.

That is, the identity verification processing unit 216 places the IC card 60 at a predetermined reading position of the card reader/writer 240 in order to ensure that the user who has the right to use the IC card 60 executes the identity verification process using the IC card 60. The system is configured to not allow imaging of the physical characteristic parts of the user wishing to be registered, such as a facial image, unless reading conditions such as presence of the user's face are met, thereby improving the strength of authentication for identity verification.

Specifically, the identity verification processing unit 216 performs the identity verification process, for example, as shown in FIG.
(A1) A reading condition determination process that determines whether the reading conditions are met when the input key code is accepted;
(A2) If the reading conditions are satisfied by the reading condition determination process and this state is maintained, the image capturing unit 250 is allowed to capture an image of the face of the user who wishes to register, in conjunction with the imaging control unit 212. Imaging permission processing,
(A3) Execute key code identity determination processing to determine the identity of the input key code and the stored key code stored in the IC card 60, and if the input key code and the stored key code are the same, Authentication processing for acquiring identity verification information from the IC card 60 and verifying the identity of the user who wishes to register based on the acquired identity verification information;
Execute.

(Reading condition judgment processing)
The identity verification processing unit 216 performs a reading condition determination process to determine whether or not proximity placement or contact of the IC card 60 to the card reader/writer 240 is detected when the input key code is accepted in the reception process. Execute.

In particular, the identity verification processing unit 216 determines that the reading conditions are met when the IC card 60 is placed close to or in contact with the card reader/writer 240, or when this state is maintained.

On the other hand, if the IC card 60 is not placed close to or in contact with the card reader/writer 240, or if the IC card 60 is placed close to the card reader/writer 240 after reading conditions are met, If the state of placement or contact is canceled, it is determined that the reading conditions are not met.

That is, in order to determine whether the IC card 60 and the user wishing to register are used separately, the identity verification processing unit 216 accepts the input key code and determines the reading position of the IC card 60 relative to the card reader/writer 240. It is determined whether or not a given reading condition is satisfied.

(Image capture permission processing)
If the proximity placement or contact of the IC card 60 to the card reader/writer 240 is detected and reading conditions are met, the identity verification processing unit 216 determines that image capture is permitted and allows the user to press down the image capture button (contact). (possible).

Then, if the IC card 60 remains in close proximity to or in contact with the card reader/writer 240, the identity verification processing unit 216 determines that permission for imaging continues and presses the imaging button. Continue to display as possible (touchable).

On the other hand, when the IC card 60 is placed close to the card reader/writer 240 or the contact is canceled, the identity verification processing unit 216 determines that the image capturing button has been changed to unauthorized and makes it impossible to press the touchable image capture button. Change the display to (unreachable).

At this time, if the IC card 60 is disposed close to or in contact with the card reader/writer 240 (that is, the state where the reading conditions are met is discontinued), the identity verification processing unit 216 performs the following operations: The input key code accepted by the reception process may be invalidated to prompt the user to re-enter the input key code, or when the IC card 60 is placed close to or in contact with the card reader/writer 240 again. , display the image capture button so that it can be pressed down (touchable).

Additionally, in this case, the input reception processing unit 214 invalidates the already input key code when the condition in which the above reading conditions are met is canceled, and the input reception processing unit 214 disables the key code that has already been input and asks the user who wishes to register to re-enter the key code. It may also accept input.

Note that when the imaging control unit 212 detects that the imaging button displayed in a depressable manner is pressed, the imaging control unit 212 converts the imaging area (for example, a face area) imaged by the imaging unit 250 into an image and displays the captured image. Generate information.

(Identity verification process including key code identity determination process)
The personal identification processing section 216 controls the reading control section 215 to read out the stored key code stored in the IC card 60 when the image capturing section 250 generates facial image information after being permitted to capture the image.

The identity verification processing unit 216 then uses a key code to determine whether or not the input key code (PIN) input through the reception process matches the stored key code stored in the read IC card 60. Execute identity determination processing.

Further, the identity verification processing unit 216 executes identity verification information acquisition processing to acquire identity verification information from the IC card 60 when the input key code and the stored key code are the same.

In particular, the identity verification processing unit 216 collects, as identity verification information, user-related information such as a personal management number, the name of the user, and an electronic certificate data file, and facial image information for identity verification of the user who wishes to register. get.

Then, as an identity verification process, the identity verification processing unit 216 determines the identity between the stored face image for identity verification and the captured face image, and compares the stored face image for identity verification with the captured face image. If the registered face image is the same or is deemed to be the same, the user who desires registration is authenticated as the user himself/herself.

The identity verification processing unit 216 determines the facial skeleton and skin based on the stored face image for identity verification, the captured face image, and the feature amount of each pixel in the facial region of each face image. The feature quantities of each facial image extracted from the color and the position and shape of the eyes, nose, mouth, and other facial parts are digitized.

Then, the identity verification processing unit 216 determines that the stored face image for identity verification and the captured face image are the same when they have the same feature amount based on the feature amount of each face image. do.

In particular, the identity verification processing unit 216 determines that the facial images are considered to be the same not only when the feature amounts of each facial image completely match, but also when they match more than a certain percentage (for example, 90% or more). .

On the other hand, the identity verification processing unit 216 may perform identity verification processing for verifying the identity of the user who wishes to register, in conjunction with the information management server device 40 under the management of the authentication server device 10.

For example, the identity verification processing unit 216
(A1) Determine the identity of the face image for identity verification and the captured face image,
(A2) When the stored face image for identity verification and the captured face image are the same or are deemed to be the same, the read control unit 215 works with the user-related information (for example, personal management number and name ),
(A3) Determine the identity of the read user-related information and the user-related information registered in the public authentication management server device 50,
(A4) If the read user-related information and the user-related information already registered in the public authentication management server device 50 are the same, the user who wishes to be registered may be authenticated as the user himself/herself.

In this case, the identity verification processing unit 216 may acquire the registered user-related information from the public authentication management server device 50 via the information management server device 40, or the information management server device 40 The user-related information read out may be provided to the user, a determination of identity may be requested, and based on the result, the user may be authenticated as the user who wishes to register.

On the other hand, for example, the identity verification processing unit 216 may, instead of the above,
(B1) Determine the identity of the face image for identity verification and the captured face image,
(B2) When the stored face image for identity verification and the captured face image are the same or are deemed to be the same, the data of the electronic certificate is selected from among the user related information in conjunction with the reading control unit 215. Read the file, private key information and public key information,
(B3) Generate an encrypted electronic certificate by encrypting the read electronic certificate data file with a private key,
(B4) Send the data file of the encrypted electronic certificate and public key information to the information management server device 40, request identity verification,
(B5) When the information management server device 40 authenticates the identity based on the data file of the encrypted electronic certificate and the public key information, the user who wishes to register may be authenticated as the individual.

In this case, if the data file of the encrypted electronic certificate can be decrypted using the public key information, the information management server device 40 determines that the identity verification has been authenticated and notifies the identity verification processing unit 216 to that effect. do.

[4.7] Registration and Login to Network Service Next, registration to the network service provided by the service server device 30 of this embodiment will be described.

When the identity verification process of the user who wishes to register is completed and the identity verification of the user who wishes to register is authenticated, the service server device 30 interlocks with the corresponding terminal device 20 under the management of the authentication server device 10. The registered user is registered as a registered user who will enjoy the corresponding network service.

Specifically, the service server device 30 works in conjunction with the authentication server device 10 to register desired user information such as a user name or user ID and password in the database 140.

Then, when a user who wishes to register logs in, the service server device 30 works in conjunction with the authentication server device 10 to provide information input via the terminal device 20 (specifically, the user name or Based on the information stored in the database 140 (user ID and password) and the information stored in the database 140, authentication processing is performed for the user who wishes to register.

Then, if the authentication of the user desiring registration is successful, the authentication processing unit 103 causes the user to log in to the network service provided by the service server device 30.

[4.8] Modification Next, a modification of this embodiment will be described.

(Identity verification processing using authentication server equipment, etc.)
In this embodiment, the identity verification process may be executed in the authentication server device 10.

That is, the authentication server device 10 may operate in conjunction with the terminal device 20 of the user who wishes to register who wishes to verify his/her identity, and may execute each process of the authentication process related to the identity verification process.

In this case, the authentication server device 10 includes an identity verification processing management section 104 that has some or all of the functions of the identity verification processing section 216 of the terminal device 20 .

The authentication server device 10 executes each process of the authentication process related to the identity verification process in conjunction with the card reader/writer 240 and the imaging unit 250 of the terminal device 20.

Specifically, the identity verification processing management unit 104 performs the following as the identity verification processing:
(A1) A reading condition determination process that determines whether the reading conditions are met when the input key code is accepted in the terminal device 20;
(A2) When the reading condition is satisfied by the reading condition determination process and the condition is maintained, the face of the user who wishes to be registered is detected by the imaging unit 250 of the terminal device 20 in conjunction with the terminal device 20. Imaging permission processing to permit imaging;
(A3) Execute key code identity determination processing to determine the identity of the input key code and the stored key code stored in the IC card 60, and if the input key code and the stored key code are the same, an identity verification process of transmitting an acquisition instruction to acquire identity verification information from the IC card 60 to the terminal device 20 and verifying the identity of the user who wishes to register based on the acquired identity verification information;
Execute.

Note that the identity verification processing management unit 104 may execute each process of the authentication process related to the identity verification process in conjunction with the information management server device 40.

Further, in this case, the terminal device 20 executes various processes related to transmission and reception of various information, instructions, control data, etc. as processes related to the identity verification process.

That is, in this case, the terminal device 20 (identity verification processing unit 216) provides information for executing the identity verification process to the authentication server device 10 or the information management server device 40 as a process related to the identity verification process. , receiving the result of the identity verification process executed by the authentication server device 10 or the information management server device 40 and providing it to the user who wishes to register; and, if the identity verification is authenticated, to a given network service. executing at least one process of requesting registration of the user;

On the other hand, the authentication server device 10 executes only the above-mentioned (A3) identity verification process, and the terminal device 20 executes the above-mentioned (A1) condition determination process and the above-mentioned (A2) imaging permission process. The authentication server device 10 (including interlocking with the information management server device 40) and the terminal device 20 may execute each process of the authentication process related to the identity verification process.

Further, in this modification, each process of the authentication process related to the identity verification process may be executed by the information management server device 40 instead of the authentication server device 10.

(Other examples of authentication server device and service server device)
In this embodiment, the authentication server device 10 may have the function of the information management server device 40.

Further, in this embodiment, the service server device 30 may have the function of the authentication server device 10.

(Key information obtained via network etc.)
In this embodiment, the key code is explained using an example in which the key code is directly input by the user who wishes to register via the operation input unit 260, but the key code may also be obtained via a network, or may be entered in advance in the terminal device 20. It may also be acquired by being stored and read out in response to an instruction from a user who wishes to register.

(Key code reception timing)
In this embodiment, after the key code is input, in order to determine whether or not to permit the imaging unit 250 to take an image, a reading condition determination process is performed to determine whether the IC card 60 is present at a predetermined reading position of the card reader/writer 240. However, if the imaging unit 250 is permitted to take an image by the reading condition determination process, the user who wishes to register may be requested to input a key code.

That is, the input acceptance processing unit 214 may accept the input of a key code from a user who wishes to register if the reading conditions are met in the reading condition determination process.

[5] Operations in this Embodiment Next, operations when performing authentication processing related to identity verification including identity verification processing executed in the terminal device 20 of this embodiment will be described using FIGS. 6 to 8.

Note that FIGS. 6 to 8 are flowcharts showing operations when executing authentication processing related to identity verification, including identity verification processing, executed in the terminal device 20 of this embodiment.

In this operation, it is assumed that a personal management number has already been issued and an IC card 60 has been issued.

Further, this operation will be explained using authentication processing related to identity verification, including identity verification processing when initially registering for a given network service.

First, when the Web browser 211 detects the start of authentication processing related to identity verification including identity verification processing in user registration for a given network service (step S101), the identity verification processing unit 216 controls the communication control unit 210 and A request is made to the service server device 30 via the communication unit 296 to perform authentication processing related to identity verification (step S102).

In addition, at this time, the service server device 30 accesses the authentication server device 10 and performs the issuance of a session ID and the accompanying authentication, etc., to obtain information about the principal of the authentication server device 10, the corresponding terminal device 20, and the service server device 30. Processing for establishing cooperation accompanying execution of confirmation processing (hereinafter referred to as "cooperation establishment processing") is executed.

Next, when the cooperation between the authentication server device 10, the corresponding terminal device 20, and the service server device 30 is established (step S103), the identity verification processing unit 216 works in conjunction with the service server device 30 to complete user registration. Execute processes related to preparations for identity verification, such as confirming the intention of the user wishing to register, registering the email address of the user wishing to register, and agreeing to the terms of use (hereinafter referred to as "identity verification preparation process"). (Step S104).

Next, when the identity verification processing unit 216 detects completion of the identity verification preparation process (step S105), the identity verification processing unit 216 controls the display control unit 213 to prompt the user who wishes to register to read the identity verification information from the IC card 60. Guidance processing (hereinafter referred to as "key code input guidance processing") for prompting the input of an input key code such as a PIN is executed (step S106).

For example, the display control unit 213 uses the operation input unit 260 to display a screen prompting the user who wishes to register to input a PIN, and when the PIN is input, displays a display indicating that the PIN has been input.

Next, when the input acceptance processing unit 214 accepts the input key code (step S107), the identity verification processing unit 216 controls the display control unit 213 to prompt the user who wishes to register to enter the card reader/writer 240. Guidance processing (hereinafter referred to as "IC card contact guidance processing") for prompting contact or proximity of the IC card 60 is executed (step S108).

For example, the display control unit 213 displays a screen on the display unit 290 that displays the position where the IC card 60 is to be contacted and prompts the IC card 60 to be contacted or placed close to the card reader/writer 240 .

Next, when the reading control unit 215 detects contact or proximity placement of the IC card 60 by the card reader/writer 240 (step S111), the identity verification processing unit 216 determines that the reading conditions are met and controls the display control unit 213. Then, guidance processing (hereinafter referred to as "imaging guidance processing") for prompting the imaging unit 250 to take an image of the face of the user desiring registration is executed (step S112).

Note that at this time, the display control unit 213 causes the display unit 290 to display an imaging area image for specifying the imaging range and an imaging button for performing imaging in conjunction with the operation input unit 260.

Next, the identity verification processing unit 216 determines whether or not the input reception processing unit 214 detects an imaging instruction (pressing down the imaging button) and cancels the reading condition (whether the IC card 60 contacts or approaches the card reader/writer 240). It is repeatedly determined whether or not the state (hereinafter also referred to as "contact state") is released (step S113 and step S114).

At this time, if the identity verification processing unit 216 determines that the IC card 60 is no longer in contact with or in close proximity to the card reader/writer 240, the process returns to step S108.

At this time, the identity verification processing unit 216 receives an imaging instruction based on the imaging button through the input reception processing unit 214 while the IC card 60 is in contact with or in close proximity to the card reader/writer 240. (Step S115), the imaging control unit 212 causes the imaging unit 250 to image the imaging range under the instruction of the identity verification processing unit 216, and generates image information of the captured image (i.e., captured face image information). (Step S115).

Next, the identity verification processing unit 216 determines whether the input key code (PIN) matches the stored key code stored in the IC card 60 (step S116), and determines whether the key code matches. If it is determined not to do so, the process moves to step S108.

On the other hand, if the identity verification processing unit 216 determines that the input key code (PIN) matches the stored key code, the identity verification processing unit 216 causes the reading control unit 215 to read the identity verification information stored in the IC card 60. (Step S121).

Next, the identity verification processing unit 216 determines whether the identity verification image information included in the read identity verification information and the captured facial image information are the same or within a range that is considered to be the same (step S122). .

At this time, if the identity verification processing unit 216 determines that the identity verification image information and the captured face image information are the same or not in the range that is considered to be the same, the process proceeds to step S108, and the identity verification image information and the captured face image information are not in the same range. , and the captured face image information are determined to be the same or within a range that is considered to be the same, the process moves to step S123.

Next, the identity verification processing unit 216 transmits the read identity verification information to the information management server device 40 via the authentication server device 10, and waits to receive an authentication result based on the identity verification information (step S123). .

At this time, the information management server device 40 determines whether the received identity verification information matches the identity verification information already stored in the database, and if the identity verification information matches, If the identity verification is successful, a notification to that effect is provided to the terminal device 20 via the authentication server device 10, and if the identity verification information does not match, a notification to that effect is provided to the terminal device 20 as the identity verification has failed. do.

Next, upon receiving the authentication result (step S124), the identity verification processing unit 216 determines whether the received authentication result is successful (step S125).

At this time, if the identity verification processing unit 216 determines that the authentication result is successful, it starts executing processing related to new user registration in conjunction with the authentication server device 10 and the service server device 30. (Step S126), this operation is ended.

On the other hand, if the identity verification processing unit 216 determines that the authentication result is not successful (that is, failure), it controls the display control unit 213 to display that on the display unit 290 (step S127). This operation ends.

[6] Others The present invention is not limited to what has been described in the above embodiments, and various modifications can be made. For example, terms cited as broad or synonymous terms in the description or drawings can be replaced with broad or synonymous terms in other descriptions in the specification or drawings.

The present invention includes configurations that are substantially the same as those described in the embodiments (for example, configurations that have the same functions, methods, and results, or configurations that have the same objectives and effects). Further, the present invention includes a configuration in which non-essential parts of the configuration described in the embodiments are replaced. Further, the present invention includes a configuration that has the same effects or a configuration that can achieve the same purpose as the configuration described in the embodiment. Further, the present invention includes a configuration in which a known technique is added to the configuration described in the embodiment.

As mentioned above, the embodiments of the present invention have been described in detail, but those skilled in the art will easily understand that many modifications can be made without substantially departing from the novelty and effects of the present invention. . Therefore, all such modifications are included within the scope of the present invention.

1: Authentication management communication system 10: Authentication server device 20: Terminal device 30: Service server device 40: Information management server device 50: Public authentication management server device 60: IC card 100: Processing unit 101: Communication control unit 102 :DB management control section 103:Authentication processing section 104:Personal verification processing management section 107:Timer management section 140:Database 170:Storage section 180:Information storage medium 196:Communication section 200:Processing section 210:Communication control section 211:Web Browser 212: Imaging control unit 213: Display control unit 214: Input reception processing unit 215: Reading control unit 216: Identity verification processing unit 220: Drawing unit 230: Sound processing unit 240: Reader/writer 250: Imaging unit 260: Operation Input section 270: Storage section 271: Main storage section 272: Image buffer 273: User information storage section 280: Information storage medium 290: Display section 292: Sound output section 296: Communication section

Claims (9)

An authentication system that executes electronic authentication processing related to identity verification using a storage medium in which given information for verifying the identity of a user who has usage rights is stored as identity verification information, ,
The storage medium includes user-related information about the user, including at least unique identification information for identifying the user, and identity verification image information showing an image of the user's physical characteristics. As confirmation information, it is stored in association with key information for authenticating whether the user has legitimate authority.
reception processing means for executing reception processing for accepting key information input by the desired user who wishes to verify his/her identity;
reading control means for controlling a reading means for reading the personal identification information from the storage medium;
Imaging control means for controlling an imaging means for imaging a physical characteristic part of the desired user to generate captured image information;
an identity verification process indicating a process for verifying the identity based on the input key information, the identity verification image information included in the read identity verification information, and the generated captured image information; or an authentication control means that executes processing related to the identity verification processing;
Equipped with
The authentication control means,
When executing the identity verification process, when the key information is accepted and the reading position of the storage medium with respect to the reading means satisfies a given reading condition, the desired user is identified by the imaging means. An authentication system characterized by allowing imaging of a physical characteristic part of a person. The authentication system according to claim 1,
The authentication control means,
When the key information is accepted and the reading position of the storage medium with respect to the reading means satisfies a given reading condition, only when the reading condition is maintained. An authentication system that permits imaging of a physical characteristic part of the desired user by an imaging means. The authentication system according to claim 1 or 2,
The reception processing means
An authentication system that accepts input of key information from the desired user when the reading conditions are met. The authentication system according to claim 1 or 2,
The reception processing means
An authentication system that invalidates the already input key information and accepts the desired user to re-enter the key information when the state in which the reading condition is satisfied is canceled. The authentication system according to claim 1 or 2,
An authentication system, wherein the identity verification image information indicating an image of a physical characteristic part of the user is a face image of the user. Electronic authentication related to identity verification using a storage medium that is connected to a given server device and stores given information as identity verification information for verifying the identity of a user who has usage rights. A terminal device that executes processing,
The storage medium includes user-related information about the user, including at least unique identification information for identifying the user, and identity verification image information showing an image of the user's physical characteristics. As confirmation information, it is stored in association with key information for authenticating whether the user has legitimate authority.
reception processing means for executing reception processing for accepting key information input by the desired user who wishes to verify his/her identity;
reading means for reading the identification information from the storage medium;
reading control means for controlling the reading means;
an imaging means for imaging a physical characteristic part of the desired user to generate captured image information;
Imaging control means for controlling the imaging means;
an identity verification process indicating a process for verifying the identity based on the input key information, the identity verification image information included in the read identity verification information, and the generated captured image information; or an authentication control means that executes processing related to the identity verification processing;
Equipped with
The authentication control means,
When executing the identity verification process, when the key information is accepted and the reading position of the storage medium with respect to the reading means satisfies a given reading condition, the desired user is identified by the imaging means. A terminal device that allows imaging of a physical characteristic part of a person. The terminal device according to claim 6,
The authentication control means,
When executing the process related to the identity verification process, the process related to the identity verification process includes providing information for executing the identity verification process to the server device, and confirming the identity verification process executed by the server device. Perform at least one of the following: receiving and providing the result to the desired user; and performing a process for requesting registration with a given network service if the identity verification is authenticated. terminal device. A program that executes processing related to identity verification using a storage medium in which given information for verifying the identity of a user who has usage rights is stored as identity verification information,
The storage medium includes user-related information about the user, including at least unique identification information for identifying the user, and identity verification image information showing an image of the user's physical characteristics. As confirmation information, it is stored in association with key information for authenticating whether the user has legitimate authority.
reception processing means for executing reception processing for accepting key information input by the desired user who wishes to verify his/her identity;
reading control means for controlling a reading means for reading the personal identification information from the storage medium;
an imaging control means for controlling an imaging means for imaging a physical characteristic part of the desired user to generate captured image information; and
an identity verification process indicating a process for verifying the identity based on the input key information, the identity verification image information included in the read identity verification information, and the generated captured image information; or an authentication control means that executes processing related to the identity verification processing;
function as
The authentication control means,
When the key information is accepted and the reading position of the storage medium with respect to the reading means satisfies a given reading condition, permitting the imaging means to take an image of a physical characteristic part of the desired user. A program featuring. By controlling a computer to perform electronic authentication processing related to identity verification using a storage medium in which given information for verifying the identity of a user who has usage rights is stored as identity verification information. , an identity verification method to perform,
The storage medium includes user-related information about the user, including at least unique identification information for identifying the user, and identity verification image information showing an image of the user's physical characteristics. As confirmation information, it is stored in association with key information for authenticating whether the user has legitimate authority.
Executing a reception process for accepting key information input by the desired user who wishes to verify his/her identity;
controlling a reading means for reading the identification information from the storage medium;
controlling an imaging means that images a physical characteristic part of the desired user to generate captured image information; and
an identity verification process indicating a process for verifying the identity based on the input key information, the identity verification image information included in the read identity verification information, and the generated captured image information; or Executing processes related to the identity verification process;
cause the computer to execute
When executing the identity verification process, when the key information is accepted and the reading position of the storage medium with respect to the reading means satisfies a given reading condition, the computer causes the image capturing means to An identity verification method characterized by executing control for permitting imaging of a physical characteristic part of the desired user.

Images