TW201236432A - Automatically-triggered one time password authentication system with remote authentication dial-in user service - Google Patents

Info

Publication number
TW201236432A
Authority
TW
Taiwan
Application number
TW100106134A
Other languages
Chinese (zh)
Inventor
Shi-Jun Xu
Ming-Xiu Qiu
Zhu-Chuan Li
Chao-Jun Yan
Original Assignee
Chunghwa Telecom Co Ltd


Abstract

An automatically-triggered one-time password (OTP) authentication system with Remote Authentication Dial-In User Service (RADIUS) comprises: a client device, which requests a service from a service server and supplies identity authentication information; a service server, which receives the service request from the client device, inserts the client's authentication information into the RADIUS protocol, sends it to an authentication server for authentication, and provides or refuses the service to the client device according to the authentication result returned by the authentication server; an authentication server, which performs a two-stage identity authentication and exchanges authentication information with the service server over the RADIUS protocol: when the first-stage authentication information sent by the service server is authenticated successfully, it generates a time-limited second-stage OTP, uses the SMS server of the mobile network to deliver the OTP to the user's mobile communication device, and notifies the service server to proceed with the second-stage authentication; after the second stage is passed, it sends the authenticated result to the service server; an SMS server, which receives the SMS sending request from the authentication server and delivers the OTP SMS to the user's mobile communication device; and a mobile communication device, which receives from the SMS server an SMS containing the OTP and its validity period.

Description

VI. Description of the Invention

[Technical Field]

The present invention relates to an automatically-triggered one-time password (OTP) authentication system combined with Remote Authentication Dial-In User Service (RADIUS) authentication, and in particular to an authentication system that adds two-stage authentication on top of the standard RADIUS protocol.

[Prior Art]

In general, a user on a network must pass identity authentication before using the network application services offered by an enterprise or service provider, such as a virtual private network (VPN) or a wireless local area network (WLAN). Among the authentication technologies used by service servers, RADIUS is one of the most widely deployed. Its full name is "Remote Authentication Dial-in User Service", and RFC 2865 specifies how RADIUS provides the authentication service. A RADIUS client (for example a VPN server or a wireless access point) sends the user's authentication information to the RADIUS server in the form of a RADIUS message; the RADIUS server validates the client's request and returns a RADIUS response message. Conventional RADIUS authentication uses either a fixed account password or a one-time password. A fixed password is convenient, but it can be cracked by an attacker or obtained by social engineering, so it raises security concerns. One-time password authentication, also called a dynamic password, produces a password that is time-limited and single-use: it changes continuously and must be used within its validity period. Although one-time passwords are highly secure, they require additional OTP hardware (tokens) and software, involve more complex management, and the issuance and revocation of tokens carry considerable financial and labour cost, including token procurement and day-to-day administration and deployment. The conventional approaches therefore still have many shortcomings, are not a satisfactory design, and are in urgent need of improvement.

In view of the disadvantages of the conventional approaches described above, the inventors sought to improve and innovate and, after years of dedicated research, completed the present automatically-triggered one-time password authentication system combined with RADIUS authentication.

[Summary of the Invention]

The object of the present invention is to provide an automatically-triggered one-time password authentication system combined with RADIUS authentication, so that a service that currently authenticates users over the RADIUS protocol can gain a stronger two-stage identity authentication function without changing its existing network architecture or replacing network equipment: only the existing RADIUS authentication server needs to be updated to the present invention.

To achieve this object, the present invention provides an automatically-triggered one-time password authentication system combined with RADIUS authentication, comprising the following steps:

(1) The client device requests a service from the service server and supplies an account and password for identity authentication.

(2) The service server and the authentication server run the RADIUS protocol between them. The service server encapsulates the account and password received from the client device in a RADIUS message and sends it to the authentication server for first-stage identity authentication.

(3) The authentication server performs the first-stage identity authentication. On success it generates a time-limited OTP, sends it to the user's mobile communication device through the SMS server of the mobile communication network, and at the same time uses the RADIUS protocol to notify the service server to proceed with the second-stage authentication.

(4) After the user's mobile communication device receives the SMS containing the OTP, the user enters the account and the OTP within the validity period for second-stage authentication.

(5) The service server encapsulates the account and OTP received from the client device in a RADIUS message and sends it to the authentication server for second-stage identity authentication.

(6) The authentication server performs the second-stage identity authentication and, on success, uses the RADIUS protocol to notify the service server that the client is allowed to use the service.

[Detailed Description]

The foregoing and other technical content, features and effects of the present invention will become clear from the following detailed description of an example embodiment with reference to the drawings.

The present invention provides an automatically-triggered one-time password authentication system combined with RADIUS authentication; in particular, it builds on the existing standard RADIUS authentication protocol to give RADIUS authentication both two-stage authentication and one-time password authentication. Without affecting the existing RADIUS authentication architecture, it gives RADIUS authentication a safer and more convenient two-stage authentication with one-time password support, at a comparatively low introduction cost.

Figure 1 is a schematic diagram of the architecture of the automatically-triggered one-time password authentication system combined with RADIUS authentication according to the present invention. In the network architecture of Figure 1, the client device 107 and the service server 106 are connected by a wired network or a wireless local area network 109. The service server 106 and the authentication server 105 are connected through the wired network 104 and perform identity authentication between them using the RADIUS protocol 108. The authentication server 105 connects to the SMS server 102 through the wired network 104.

The SMS containing the OTP is then delivered to the user's mobile communication device 103 through the mobile communication network 101.

In this embodiment the client device 107 may be any device with network connectivity, such as a desktop computer, a notebook computer, a PDA, a smartphone or a thin client. The network environment 109 between the client device 107 and the service server may be a wired network, such as the Internet or an enterprise's private network, or a wireless network such as WiFi, WiMAX or 3G. The services provided by the service server 106 may include VPN service, wireless local area network service or e-commerce service. The service server 106 is the RADIUS client and the authentication server 105 is the RADIUS server; they perform identity authentication between them using the standard RADIUS protocol 108.

Figure 2 is the two-stage authentication flowchart of the automatically-triggered one-time password authentication system combined with RADIUS authentication according to the present invention. The authentication method comprises the following steps:

Step 201: The client device 107 connects to the service server 106 and requests the service.

Step 202: The service server 106 requires the client device 107 to perform identity authentication.

Step 203: The user enters an account and a password on the client device 107. The password entered in this step is either the first-stage password or the second-stage OTP; the authentication server 105 determines automatically from the account's current authentication state which one applies. If the account has already passed the first stage, the authentication server 105 performs the second-stage OTP authentication; if not, it performs the first-stage authentication.

Step 204: The service server 106 and the authentication server 105 perform identity authentication over RADIUS 108. The service server 106 encapsulates the authentication data entered on the client device 107 in a RADIUS packet and sends it to the authentication server 105 for RADIUS authentication.

Step 205: The authentication server 105 checks the account's authentication stage, that is, whether the account has already passed the first-stage identity authentication. If it has, the authentication server 105 performs the second-stage OTP authentication (step 209); if it has not, it performs the first-stage authentication (step 206).

Step 206: The first-stage identity authentication is performed. On success, proceed to step 207. On failure, the authentication server 105 sends a RADIUS Access-Reject message to the service server 106, and the service server 106 returns to step 202 and asks the client device 107 to enter the account and password again.

Step 207: The authentication server 105 generates an OTP, writes the OTP and its expiry time to the database, sets the OTP failure count to 0, and marks the account as having passed the first-stage identity authentication.

Step 208: The authentication server 105 sends the OTP and its validity period to the user's mobile communication device 103 through the SMS server 102 of the mobile network 101. The user reads the SMS, returns to step 202, and enters the account and the OTP within the OTP's validity period.

Step 209: The second-stage identity authentication begins by checking whether the OTP is still valid.

Step 210: If the OTP has passed its expiry time, the account's state is reset to "first stage not passed". The authentication server 105 sends a RADIUS Access-Reject message to the service server 106, and the service server 106 returns to step 202 and asks the client device 107 to enter the account and password again.

Step 211: OTP authentication is performed. On success, proceed to step 215; on failure, proceed to step 212.

Step 212: On OTP authentication failure, read the account's OTP failure count from the database and increment it by 1.

Step 213: If the OTP failure count from step 212 has reached a preset limit (for example, only 3 OTP errors are allowed), proceed as in step 210: reset the account's state to "first stage not passed", send a RADIUS Access-Reject message from the authentication server 105 to the service server 106, and have the service server 106 return to step 202 and ask the client device 107 to enter the account and password again for first-stage identity authentication. If the limit has not been reached, proceed to step 214.

Step 214: Update the OTP failure count in the database. The authentication server 105 sends a RADIUS Access-Reject message to the service server 106, the service server 106 returns to step 202 and asks the client device 107 to enter the account and password again, and this time the user enters the account and the OTP from step 208 for second-stage identity authentication.

Step 215: If the OTP authentication in step 211 succeeded, the authentication server 105 sends a RADIUS Access-Accept message to the service server 106, notifying it that the account has been authenticated, and resets the account's authentication state in the database to "first stage not passed". Consequently, if the user logs out of the service and wants to use it again, the first-stage identity authentication of step 202 must be repeated.

Step 216: After receiving the RADIUS Access-Accept message from the authentication server 105, the service server 106 allows the client device 107 to use the service.

Figure 3 is a functional block diagram of the authentication server 105 of the automatically-triggered one-time password authentication system combined with RADIUS authentication according to the present invention. It comprises a RADIUS module 310, a first-stage authentication module 320, a second-stage authentication module 330, an SMS sending module 340 and a database module 350. The RADIUS module 310 has a RADIUS protocol control unit 311 and an authentication state confirmation unit 312. The RADIUS protocol control unit 311 receives RADIUS authentication requests from the service server 106 and replies with the authentication result. The authentication state confirmation unit 312 reads the account's authentication state from the database module 350: if the account has not passed the first stage, it calls the first-stage authentication module 320 to perform the first-stage identity authentication; if it has, it calls the second-stage authentication module 330 to perform the second-stage OTP identity authentication.

The main function of the first-stage authentication module 320 is to perform the first-stage authentication. On failure, it notifies the RADIUS module 310 to reply with an authentication failure message (RADIUS Access-Reject) to the service server 106. On success, it generates an OTP, calls the SMS sending module 340 to deliver the OTP to the user's mobile communication device 103, writes the OTP and its expiry time to the database module 350, sets the OTP failure count to 0, and marks the account as having passed the first-stage identity authentication. It also notifies the RADIUS module 310 to reply with an authentication failure message (RADIUS Access-Reject) to the service server 106, because the client device 107 cannot use the service yet and must still complete the second-stage authentication.

The second-stage authentication module 330 has an OTP state checking unit 331 and an OTP authentication unit 332. The main function of the OTP state checking unit 331 is to confirm whether the OTP is still valid. If it is, the unit calls the OTP authentication unit 332 to perform the second-stage authentication; if it is not, the unit resets the account's state in the database module 350 to "first stage not passed" and notifies the RADIUS module 310 to reply with an authentication failure message (RADIUS Access-Reject) to the service server 106, and the user must repeat the first-stage authentication to continue using the service. The main function of the OTP authentication unit 332 is to perform the OTP authentication. On success, it notifies the RADIUS module 310 to reply with an authentication success message (RADIUS Access-Accept) to the service server 106, and the service server 106 provides the service to the client device 107. On failure, it checks whether the failure count has reached the preset limit (for example, if the limit is 3 and the OTP has failed 3 times, the OTP is invalidated). If the limit has been reached, the second-stage authentication is treated as failed: the account's state in the database module 350 is reset to "first stage not passed", the RADIUS module 310 is notified to reply with an authentication failure message (RADIUS Access-Reject) to the service server 106, and the user must repeat the first-stage authentication to continue using the service. If the failure count is still below the limit, the RADIUS module 310 is notified to reply with an authentication failure message (RADIUS Access-Reject) to the service server 106, and the user repeats the second-stage authentication.

The main function of the SMS sending module 340 is to provide the SMS sending service of the mobile communication network 101 and deliver the OTP to the user's mobile communication device 103. The database module 350 stores the user account, the first-stage authentication password, the second-stage OTP, the OTP expiry time, the authentication state and the authentication failure count.

Compared with other conventional techniques, the automatically-triggered one-time password authentication system combined with RADIUS authentication according to the present invention has the following advantages:

1. The present invention works with the RADIUS protocol to provide a two-stage identity authentication function that remedies the security weaknesses of fixed account passwords. It applies to every service that currently uses RADIUS authentication: no network equipment of the existing service needs to be replaced, and only the RADIUS authentication server needs to be updated to the present invention.

2. In the two-stage identity authentication provided by the present invention, the second stage uses one-time password (OTP) authentication, and the OTP is both time-limited and single-use. The OTP must be used within a fixed period, after which it expires; once the second-stage authentication succeeds, the OTP is invalidated and cannot be used again. This greatly increases the security of the identity authentication.

3. The client device of the present invention completes both stages through the service server: success in the first stage directly triggers delivery of the one-time OTP, and both stages are carried out through the same authentication screen, which greatly simplifies the complexity of other current two-stage authentication methods.

4. The present invention uses the now ubiquitous mobile phone as the OTP carrier, so no ordinary hardware token is needed, which greatly reduces the token procurement and day-to-day administration and deployment costs of introducing dynamic passwords.

5. The present invention gives the first-stage RADIUS identity authentication an account-disabling function: when the number of first-stage authentication failures exceeds a preset limit, the authentication server immediately disables the account, preventing the account password from being cracked by brute force.

The detailed description above sets out one feasible embodiment of the present invention; this embodiment is not intended to limit the patent scope of the present invention, and any equivalent implementation or modification that does not depart from the technical spirit of the present invention shall be included within the patent scope of this application.

In summary, the present application is genuinely innovative in its technical concept and has the several effects described above that conventional methods lack; it fully meets the statutory requirements of novelty and inventive step for an invention patent, and the application is filed in accordance with the law. The Office is respectfully requested to grant this invention patent application so as to encourage invention.

[Brief Description of the Drawings]

The technical content of the present invention and its objects and effects can be further understood from the detailed description and the accompanying drawings, which are:

Figure 1 is a schematic diagram of the architecture of the automatically-triggered one-time password authentication system combined with RADIUS authentication according to the present invention;

Figure 2 is the two-stage authentication flowchart of the automatically-triggered one-time password authentication system combined with RADIUS authentication according to the present invention; and

Figure 3 is a functional block diagram of the authentication server of the automatically-triggered one-time password authentication system combined with RADIUS authentication according to the present invention.

[Description of Reference Numerals]

101 mobile communication network
102 SMS server
103 mobile communication device
104 wired network
105 authentication server
106 service server
107 client device
108 RADIUS protocol
109 wired network / wireless local area network
201 to 216 steps
310 RADIUS module
311 RADIUS protocol control unit
312 authentication state confirmation unit
320 first-stage authentication module
330 second-stage authentication module
331 OTP state checking unit
332 OTP authentication unit
340 SMS sending module
350 database module

Claims (1)

VII. Claims:

1. An automatically triggered one-time password authentication system combined with remote authentication dial-in user service authentication, comprising: a client device, which requests a service from a service server and provides identity authentication information; a service server, which accepts the service request of the client device, encapsulates the client's authentication information within the remote authentication dial-in user service communication protocol, sends it to an authentication server for authentication, and, according to the authentication result returned by the authentication server, provides the service to the client or refuses to provide the service; an authentication server, which performs two-stage identity authentication, wherein the authentication server and the service server exchange authentication information using the remote authentication dial-in user service communication protocol; when the first-stage authentication information sent by the authentication server is successfully authenticated, a time-limited second-stage one-time password is generated, the one-time password is transmitted to the user's mobile communication device through a short message server of the mobile network, and the service server is notified to proceed with the second-stage authentication; after the second-stage authentication is passed, the authentication-passed result is transmitted to the service server; a short message server, which accepts the short message sending request of the authentication server and transmits the one-time password short message to the user's mobile communication device; and a mobile communication device, which receives from the short message server a short message whose content includes the one-time password and its validity period.

2. The automatically triggered one-time password authentication system combined with remote authentication dial-in user service authentication of claim 1, wherein the client device includes devices with network connectivity such as desktop computers, notebook computers, PDAs, smartphones and thin clients.

3. The automatically triggered one-time password authentication system combined with remote authentication dial-in user service authentication of claim 1, wherein the service provided by the service server may include services that use the remote authentication dial-in user service communication protocol for user identity authentication, such as virtual private network services, wireless local area network services or e-commerce services.

4. The automatically triggered one-time password authentication system combined with remote authentication dial-in user service authentication of claim 1, wherein the authentication server executes the remote authentication dial-in user service communication protocol with the service server, accepts the identity authentication requests raised by the service server, and provides two-stage identity authentication.

5. The automatically triggered one-time password authentication system combined with remote authentication dial-in user service authentication of claim 4, wherein, in the first-stage identity authentication of the two-stage identity authentication, after successful authentication the authentication server updates the authentication status of the account to having passed the first-stage identity authentication, the authentication server transmits a remote authentication dial-in user service authentication failure message to the service server, and the service server requests the client device to re-enter the account and the one-time password.

6. The automatically triggered one-time password authentication system combined with remote authentication dial-in user service authentication of claim 4, wherein the two-stage identity authentication uses a fixed account password as the first-stage authentication; after successful authentication the short message function is automatically triggered, the one-time password required for the second-stage authentication is transmitted to the mobile communication device the user personally carries, and this one-time password is used within its validity period to perform the second-stage authentication.

7. The automatically triggered one-time password authentication system combined with remote authentication dial-in user service authentication of claim 6, wherein the one-time password can be successfully authenticated only once; after successful authentication the password becomes invalid and cannot be used.

8. The automatically triggered one-time password authentication system combined with remote authentication dial-in user service authentication of claim 6, wherein the one-time password is time-limited and must be used within its validity period; once expired, the one-time password cannot be used.

9. The automatically triggered one-time password authentication system combined with remote authentication dial-in user service authentication of claim 6, wherein the one-time password has a limit on the maximum number of input errors; for security considerations, a maximum one-time password input error count may be preset, and when the number of failed second-stage one-time password authentications by the user reaches the set value, the authentication server sets the authentication status of this account to not having passed the first-stage identity authentication, and if the user wishes to continue using the service, the first-stage identity authentication must be performed again.
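A minimal simulation of the authentication server's two-stage state machine described in claims 5 to 9 and in items 2 and 5 of the description, added here as an illustration; it is not code from the patent or from Chunghwa Telecom. The class and field names, the thresholds and the 300-second validity period are assumptions; the RADIUS exchange is reduced to the strings "Access-Accept" and "Access-Reject", `sms_out` stands in for the short message server, and the current time is passed in as `now` so that expiry can be exercised deterministically.

```python
import hmac
import secrets
from dataclasses import dataclass
OTP_TTL_SECONDS = 300    # assumed validity period of the SMS OTP (claim 8)
MAX_STAGE1_FAILURES = 5  # assumed failure count that disables the account (description item 5)
MAX_OTP_FAILURES = 3     # assumed OTP error count that returns the user to stage one (claim 9)

@dataclass
class Account:
    password: str                # fixed first-stage credential (claim 6)
    stage1_passed: bool = False  # per-account authentication status kept by the server (claim 5)
    otp: str = ""
    otp_expires: float = 0.0
    stage1_failures: int = 0
    otp_failures: int = 0
    disabled: bool = False

class AuthServer:
    def __init__(self, accounts):
        self.accounts, self.sms_out = accounts, []  # sms_out stands in for the short message server
    def access_request(self, user, secret, now):
        acct = self.accounts.get(user)
        if acct is None or acct.disabled:
            return "Access-Reject"
        if not acct.stage1_passed:
            return self._stage_one(user, acct, secret, now)
        return self._stage_two(acct, secret, now)
    def _stage_one(self, user, acct, secret, now):
        if not hmac.compare_digest(acct.password.encode(), secret.encode()):
            acct.stage1_failures += 1
            if acct.stage1_failures >= MAX_STAGE1_FAILURES:
                acct.disabled = True  # account deactivation against password guessing
            return "Access-Reject"
        acct.stage1_failures, acct.stage1_passed = 0, True
        acct.otp = f"{secrets.randbelow(10**6):06d}"
        acct.otp_expires = now + OTP_TTL_SECONDS
        self.sms_out.append((user, f"OTP {acct.otp}, valid for {OTP_TTL_SECONDS}s"))
        # Claim 5: reply with a RADIUS failure so the service server re-prompts for account and OTP
        return "Access-Reject"
    def _stage_two(self, acct, secret, now):
        expired = now > acct.otp_expires
        if not expired and hmac.compare_digest(acct.otp.encode(), secret.encode()):
            self._reset(acct)  # the OTP is consumed and cannot be replayed (claim 7)
            return "Access-Accept"
        acct.otp_failures += 1
        if expired or acct.otp_failures >= MAX_OTP_FAILURES:
            self._reset(acct)  # expired (claim 8) or too many wrong OTPs (claim 9): back to stage one
        return "Access-Reject"
    def _reset(self, acct):
        acct.stage1_passed, acct.otp, acct.otp_failures = False, "", 0
```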
TW100106134A 2011-02-24 2011-02-24 Automatically-triggered one time password authentication system with remote authentication dial-in user service TW201236432A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
TW100106134A TW201236432A (en) 2011-02-24 2011-02-24 Automatically-triggered one time password authentication system with remote authentication dial-in user service

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
TW100106134A TW201236432A (en) 2011-02-24 2011-02-24 Automatically-triggered one time password authentication system with remote authentication dial-in user service

Publications (1)

Publication Number Publication Date
TW201236432A true TW201236432A (en) 2012-09-01

Family

ID=47222828

Family Applications (1)

Application Number Title Priority Date Filing Date
TW100106134A TW201236432A (en) 2011-02-24 2011-02-24 Automatically-triggered one time password authentication system with remote authentication dial-in user service

Country Status (1)

Country Link
TW (1) TW201236432A (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103905401A (en) * 2012-12-27 2014-07-02 中国移动通信集团公司 Identity authentication method and device
CN108810084A (en) * 2017-04-27 2018-11-13 奥的斯电梯公司 Using encrypted code unloading based on mobile device service system
TWI652595B (en) 2017-06-30 2019-03-01 兆豐國際商業銀行股份有限公司 System and method for one-time password delivering

Similar Documents

Publication Publication Date Title
US10489789B1 (en) Systems and methods for providing notifications to devices
RU2718237C2 (en) Systems and methods for authenticating online user using secure authorization server
JP5719871B2 (en) Method and apparatus for preventing phishing attacks
WO2018041078A1 (en) Method, system, proxy server, and computer storage medium for authentication
US10136315B2 (en) Password-less authentication system, method and device
US20190050551A1 (en) Systems and methods for authenticating users
US20130019295A1 (en) Method and system for open authentication
US20160086158A1 (en) Payment verification method, apparatus and system
US20090300745A1 (en) Enhanced multi factor authentication
JP5739008B2 (en) Method, apparatus, and system for verifying a communication session
US11563740B2 (en) Methods and systems for blocking malware attacks
US9397999B2 (en) Methods, devices, and computer readable storage devices for sharing sensitive content securely
US11228580B2 (en) Two-factor device authentication
US10601809B2 (en) System and method for providing a certificate by way of a browser extension
CN109815684A (en) A kind of identity identifying method, system and server and storage medium
US20150067772A1 (en) Apparatus, method and computer-readable storage medium for providing notification of login from new device
WO2016188224A1 (en) Service authorization method, apparatus, system and router
US20170104748A1 (en) System and method for managing network access with a certificate having soft expiration
US12047777B2 (en) Method and system for generating a secure one-time passcode using strong authentication
US20220353081A1 (en) User authentication techniques across applications on a user device
JP6378870B2 (en) Authentication system, authentication method, and authentication program
Wang et al. A new secure OpenID authentication mechanism using one-time password (OTP)
CN102255904A (en) Communication network and terminal authentication method thereof
JP2008146363A (en) Authentication method in computer network
TW201236432A (en) Automatically-triggered one time password authentication system with remote authentication dial-in user service