TWI353156B - Certification message generation device and networ - Google Patents

Publication number
TWI353156B
Authority
TW
Taiwan
Prior art keywords
authentication
message generating
authentication message
account
generating device
Application number
TW97114765A
Other languages
Chinese (zh)
Other versions
TW200945849A (en
Inventor
Chu Fa Huang
Nien Hua Cheng
Jui Wen Chang
Chen Chung Yeh
Chun Chi Chiu
Original Assignee
Chunghwa Telecom Co Ltd
Application filed by Chunghwa Telecom Co Ltd
Priority to TW97114765A
Publication of TW200945849A
Application granted
Publication of TWI353156B

Landscapes

  • Information Transfer Between Computers (AREA)

Description

IX. Description of the Invention

[Technical Field of the Invention]

The present invention relates to a network account authentication system and method that use an authentication message generating device and, more specifically, to a network account authentication system and method for an account shared by several people.

[Prior Art]

Network use is becoming ever more widespread. With the rapid growth of the Internet, its construction and expansion have gradually changed patterns of human behavior. For example, because the Internet is so widely available, most people now use it to gather information, browse knowledge, buy goods, work, discuss issues and make friends. As a result, all kinds of online communities have appeared, and interacting with them makes human activity more convenient, faster and more technological.

In general, to recognize each person's identity on the network, a network user must be given some identifier. When that identifier appears on a given network, other network users know that a particular person is online and can interact with that person. Community websites usually require users to register and to set an account name and password that establish the user's identity. A user may of course register several accounts on a website.
This is similar to how one person may have a name, an alias, a pet name or a nickname.

However, this way of establishing a user's identity is very insecure in the current network environment. When a user logs in to a website, the account is easily stolen by hackers, or the user's personal data is stolen by fraudulent websites. If the account name and password are leaked, an unauthorized user can log in with that account, impersonate the user, and conduct business, make friends or post statements on the network, causing great harm to the real user.

When several people share one account, as in e-commerce, auction or online game communities, network security risks also arise easily. For example, much of human commercial activity rests on credit and mutual trust. Once a person (or legal entity) has built a reputation in the marketplace, most people trust them and transactions are naturally easier to conclude. Likewise, on an e-commerce or auction website, if an account has built a good reputation on the trading platform and several people want to use that account to trade, the account may end up being shared.

A network platform decides whether a user may log in by checking the account name and password. Sharing an account therefore means that the same account name and password must be told to every user who needs to log in. When the account is misused, or the shared account name and password are intercepted by hackers or leaked to unauthorized persons, the account manager cannot manage the account effectively, and an information security risk results.

In summary, how to provide a highly secure network account authentication system and method that resolves the information security risks created by account sharing has become a problem in urgent need of a solution.
[Summary of the Invention]

To remedy the deficiencies of the prior art described above, the present invention provides an authentication message generating device comprising: a message storage module for storing specific message data; a message generating module for generating authentication information from the specific message data stored in the message storage module by means of a preset algorithm; and a message output module for outputting the authentication information generated by the message generating module.

The present invention further provides a network account authentication system using the authentication message generating device, for use in a network system. The network account authentication system comprises a server device and a client device connected to the server device over a network. The client device includes an authentication message generating device that provides authentication information to the server device, and the server device includes a confirmation unit that checks whether the authentication information provided by the authentication message generating device is correct. If it is correct, the server device allows the client device to log in; if it is not, the server device rejects the client device's login.

In a preferred aspect, the confirmation unit of the network account authentication system further comprises a data storage unit for storing the authentication information of the authentication message generating device, and a login management unit that uses the authentication information in the data storage unit to verify the authentication information of the client device that is logging in.
The present invention further provides a shared network account authentication system using authentication message generating devices, for use in a network system. The system comprises a server device and a client device connected to the server device over a network. The client device includes a primary authentication message generating device, which provides primary authentication information to the server device, and a secondary authentication message generating device, which provides secondary authentication information to the server device. The server device includes a confirmation unit that checks whether the primary and secondary authentication information corresponding respectively to the primary and secondary authentication message generating devices is correct.

In a preferred aspect, the confirmation unit of the shared network account authentication system further comprises a data storage unit for storing the primary and secondary authentication information of the primary and secondary authentication message generating devices, and a login management unit that uses the authentication information in the data storage unit to confirm the identity of the client device that is logging in.

In another preferred aspect, the client device consists of one client unit having the primary authentication message generating device and a plurality of client units having secondary authentication message generating devices.

In yet another preferred aspect, the client device logs in to one or more accounts of the server device using the primary authentication information provided by the primary authentication message generating device.
In one example, the client device that logs in to the server device with the primary authentication message generating device has the function of setting the login permissions of other client devices. In another example, that function consists of setting which accounts can be logged in to with the secondary authentication information provided by a specific secondary authentication message generating device.

The present invention also provides a network account authentication method using an authentication message generating device, for use in a network system that includes a client device having an authentication message generating device and a server device having a confirmation unit. The method comprises:

(1) having the client device submit the account name, the password and the authentication information provided by the authentication message generating device to the server device, then proceeding to step (2);
(2) having the confirmation unit check whether the submitted account name and password are correct and whether the authentication information corresponds correctly to the authentication message generating device; if not, proceeding to step (3); if so, proceeding to step (4);
(3) having the server device reject the client device's login; and
(4) having the server device allow the client device to log in.

In a preferred aspect of this method, step (1) comprises: having the client device enter the account name and password to log in to the server device; confirming that the account of the client device must use the authentication message generating device to log in; having the client device enter the authentication information generated by the authentication message generating device currently in use; confirming that a correspondence exists between the account of the client device and the authentication message generating device; and confirming that the authentication message generating device is in a usable state.

The present invention further provides a shared network account setting method using authentication message generating devices, for use in a network system that includes a server device and a client device having a primary authentication message generating device. The method comprises:

(1) having the client device register with the server device, the client device storing its data and account and obtaining the primary authentication message generating device, then proceeding to step (2);
(2) having the client device submit the account name, the password and the authentication information provided by the primary authentication message generating device to the server device, then proceeding to step (3);
(3) having the server device check whether the account name and password are correct and whether the authentication information corresponds correctly to the primary authentication message generating device; if not, proceeding to step (4); if so, proceeding to step (5);
(4) the server device rejecting the client device's login; and
(5) the client device setting the permissions and/or identity data of other client devices that log in to the server device using the secondary authentication message generating device.
In a preferred aspect of the shared network account setting method, step (1) comprises: having the client device register with the server device; having the client device store its data and the account it uses; having the client device request the issuing of authentication equipment; and having the server device, according to the client device's registration data, issue a primary authentication message generating device to the client device and issue secondary authentication message generating devices to other client devices.

Compared with the prior art, the authentication message generating device of the present invention, and the network account authentication system and method that use it, equip the client device with an authentication message generating device. When logging in to the server device, the client device must enter not only the specific account name and password but also the authentication information provided by the authentication message generating device, which the confirmation unit of the server device uses to verify the client device's identity. A client device that does not have this authentication unit therefore cannot log in, which gives ordinary network platforms a more secure environment for account authentication. When several client devices share one account name and password, each client device must be equipped with its own authentication message generating device, so the account manager of the website platform can determine the identity of the client device that logs in. The present invention thus provides the most secure and convenient identity authentication mechanism to protect the security of the client device's network account.
[Embodiments]

The following specific embodiments illustrate how the present invention may be implemented; those skilled in the art can readily understand its other advantages and effects from the content disclosed in this specification. The invention may also be implemented or applied through other, different embodiments.

Referring to FIG. 1, a schematic diagram of the architecture of the authentication message generating device 1 of the present invention, the device includes a message storage module 10, a message generating module 11 and a message output module 12.

The message storage module 10 stores specific identifiable information, such as the device's production serial number or the user's identity data. That is, different users hold different authentication message generating devices 1, and the information stored in each device's message storage module 10 is different and therefore identifiable.

The message generating module 11 generates authentication information from the specific message data stored in the message storage module 10 using a preset algorithm. In other words, the message generating module 11 applies algorithms such as permutation, encryption and/or recombination to the information stored in the message storage module 10 to produce authentication information in a password-like form.

The message output module 12 outputs the authentication information generated by the message generating module 11. For example, the message output module 12 may be a display screen that shows the authentication information, a speaker unit that renders the authentication information as sound, or both a display screen and a speaker unit.

In actual use, each authentication message generating device stores different, identifiable information internally, so the authentication information produced by each message generating module 11 also differs, and the differing authentication information distinguishes the identities of different users.

In one embodiment, the message data stored in the message storage module 10 may be a device production serial number, user identity data and/or specific identification information.
In another embodiment, the message generating module 11 may be a cyclic password generator, a combined password generator, a dynamic password generator and/or a random password generator. In yet another embodiment, the message output module 12 may be a speaker unit and/or a display screen.

Referring to FIG. 2, a schematic diagram of the architecture of the network account authentication system 2 using an authentication message generating device according to the present invention, the system includes a client device 20, an authentication message generating device 201, a network 21, a server device 22 and a confirmation unit 221. The client device 20 includes the authentication message generating device 201, which provides authentication information to the server device 22. The server device 22 includes the confirmation unit 221, which checks whether the authentication information provided by the authentication message generating device 201 is correct. If it is correct, the server device 22 allows the client device 20 to log in; if it is not, the server device 22 rejects the login of the client device 20.

The client device 20 may be, for example but not limited to, any general data processing equipment capable of network connection, such as a desktop computer, a notebook computer, a personal digital assistant and/or a mobile phone. Any equipment that can log in to the network platform (the server device 22) over a network connection can serve as the client device 20 here.

The authentication message generating device 201 is equipment that can provide authentication information, which is the basis on which the server device 22 authenticates the identity of the person logging in. For example, the authentication message generating device 201 may provide a password or other similar information.

The network 21 may be a connection network of any form, and the connection may be, for example, a wired network link and/or a wireless network link.

The server device 22 may be, for example but not limited to, a server or web platform that provides network services, offering various network services to users who log in to the server device 22.

The confirmation unit 221 is equipment that provides registration settings, identity authentication and/or authentication equipment management for users logging in, for example an application server. The confirmation unit 221 of the present invention checks whether the authentication message generating device 201 and its corresponding authentication information are correct.

In a specific implementation, the account name, password and authentication information are entered at the client device 20 for identity authentication, and the server device 22 determines whether the authentication message generating device 201 corresponding to the account is correct. More specifically, the confirmation unit 221 checks the authentication message generating device 201 against its corresponding authentication information. If the check passes, login to the system is allowed, and the account manager can confirm the identity of the person actually logging in from the authentication message generating device 201 used for authentication.

In one embodiment, the server device 22 provides a web service so that users can connect and operate through the client device 20. In another embodiment, the network 21 may be, for example but not limited to, the Internet, an intra-organization network system, an inter-organization network system, a local area network system, a wide area network system and/or a virtual private network system. The authentication message generating device 201 may be a cyclic password device, a combined password device, a dynamic password device and/or a random password device. The client device 20 may be a desktop computer, a notebook computer, a personal digital assistant and/or a mobile phone.

FIG. 3 is a schematic diagram of the architecture of the shared network account authentication system using authentication message generating devices according to the present invention.
As shown in the figure, the shared network account authentication system using authentication message generating devices includes a client device 30 and a server device 32 connected to the client device 30 through a network 31. The client device 30 includes a primary authentication message generating device 301, which provides primary authentication information to the server device 32, and a secondary authentication message generating device 302, which provides secondary authentication information to the server device 32.

The server device 32 includes a confirmation unit 321, which checks whether the primary and secondary authentication information corresponding to the primary authentication message generating device 301 and the secondary authentication message generating device 302 is correct.

The confirmation unit 321 includes a data storage unit 3211 and a login management unit 3212. The data storage unit 3211 stores the primary and secondary authentication information of the primary authentication message generating device 301 and the secondary authentication message generating device 302. The login management unit 3212 uses the authentication information in the data storage unit 3211 to verify the authentication information of the client device 30 that is logging in.

In a specific implementation, the specific user who holds the primary authentication message generating device 301 logs in to the server device 32 with the primary authentication information that the device generates. After the login management unit 3212 has confirmed that user's identity, the user data and information of the users who hold secondary authentication message generating devices 302 are stored in the data storage unit 3211, and the accounts that those users can log in to are set.
Then, when a user who holds a secondary authentication message generating device 302 logs in to the server device 32, the login management unit 3212 uses the information in the data storage unit 3211 to confirm the identity of the client device 30 that is logging in, and so determines whether the user may log in to the system.

In one embodiment, the server device 32 provides a web service so that users can connect and operate through the client device. The network 31 may be, for example but not limited to, the Internet, an intra-organization network system, an inter-organization network system, a local area network system, a wide area network system and/or a virtual private network system. The primary authentication message generating device 301 and/or the secondary authentication message generating device 302 may be, for example, a cyclic password device, a combined password device, a dynamic password device and/or a random password device. The client device 30 may be, for example, a desktop computer, a notebook computer, a personal digital assistant and/or a mobile phone.

In another embodiment, the client device 30 may consist of one client unit having the primary authentication message generating device 301 and a plurality of client units having secondary authentication message generating devices 302.

In a further embodiment, the client device 30 can log in to one or more accounts of the server device 32 using the primary authentication information provided by the primary authentication message generating device 301, and that client device 30 has the function of setting the login permissions of other client devices, including setting which accounts can be logged in to with the secondary authentication information provided by a specific secondary authentication message generating device 302.
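The checks the confirmation unit performs for a shared account (password, a token bound to the account, token in a usable state, and the primary holder deciding what secondary tokens may log in to) can be sketched as follows. This is an added example, not code from the patent: RFC 6238 TOTP stands in for the unspecified "preset algorithm", and the account name, token serials, keys, the replay check and all class and method names are constructed for illustration.

```python
import hashlib
import hmac
import struct
from collections import namedtuple

STEP = 30  # seconds per code window (assumption; the page names no interval)

def token_code(secret: bytes, now: int, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1), an assumed stand-in for the 'preset algorithm'."""
    mac = hmac.new(secret, struct.pack(">Q", now // STEP), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def _pw_hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

Result = namedtuple("Result", "ok account holder role reason")

class ConfirmationUnit:
    """Data storage unit (the dicts) plus login management unit (login)."""

    def __init__(self):
        self.accounts = {}  # account -> (salt, password hash)
        self.tokens = {}    # serial -> token record
        self.audit = []     # (time, account, holder, reason): who used the account

    def add_account(self, account, password, salt):
        self.accounts[account] = (salt, _pw_hash(password, salt))

    def issue_token(self, serial, secret, holder, role, accounts=()):
        self.tokens[serial] = {"secret": secret, "holder": holder, "role": role,
                               "accounts": set(accounts), "enabled": True,
                               "last_window": -1}

    def login(self, account, password, code, now):
        result = self._check(account, password, code, now)
        self.audit.append((now, account, result.holder, result.reason))
        return result

    def _check(self, account, password, code, now):
        def deny(why, tok=None):
            return Result(False, account, tok and tok["holder"],
                          tok and tok["role"], why)
        salt, stored = self.accounts.get(account, (b"", b""))
        if not hmac.compare_digest(_pw_hash(password, salt), stored):
            return deny("bad account or password")
        bound = [t for t in self.tokens.values() if account in t["accounts"]]
        if not bound:  # fail closed: a shared account must have a token bound
            return deny("no token bound to account")
        for tok in bound:  # the token whose code matches names the person
            expected = token_code(tok["secret"], now).encode()
            if hmac.compare_digest(expected, code.encode()):
                if not tok["enabled"]:
                    return deny("token disabled", tok)
                if now // STEP <= tok["last_window"]:
                    return deny("code replayed", tok)
                tok["last_window"] = now // STEP
                return Result(True, account, tok["holder"], tok["role"], "ok")
        return deny("code matches no bound token")

    def _require_primary(self, actor, account):
        if not (actor.ok and actor.role == "primary" and actor.account == account):
            raise PermissionError("primary-token login to this account required")

    def set_access(self, actor, account, serial, allowed):
        """Primary holder binds or unbinds a secondary token for the account."""
        self._require_primary(actor, account)
        if allowed:
            self.tokens[serial]["accounts"].add(account)
        else:
            self.tokens[serial]["accounts"].discard(account)

    def disable_token(self, actor, account, serial):
        """Primary holder marks a lost token unusable; its codes stop working."""
        self._require_primary(actor, account)
        self.tokens[serial]["enabled"] = False

def demo():
    """Constructed scenario: owner, two staff tokens and a stolen password."""
    pw, t = "s3cret-pw", 1_700_000_000
    keys = {"P-001": b"constructed-key-primary", "S-001": b"constructed-key-alice",
            "S-002": b"constructed-key-bob"}
    cu = ConfirmationUnit()
    cu.add_account("shop01", pw, b"constructed-salt")
    cu.issue_token("P-001", keys["P-001"], "owner", "primary", ["shop01"])
    cu.issue_token("S-001", keys["S-001"], "alice", "secondary")
    cu.issue_token("S-002", keys["S-002"], "bob", "secondary")
    out = {}
    out["owner"] = cu.login("shop01", pw, token_code(keys["P-001"], t), t)
    cu.set_access(out["owner"], "shop01", "S-001", True)
    out["alice"] = cu.login("shop01", pw, token_code(keys["S-001"], t), t)
    out["replay"] = cu.login("shop01", pw, token_code(keys["S-001"], t), t)
    out["bob"] = cu.login("shop01", pw, token_code(keys["S-002"], t), t)  # not granted
    out["thief"] = cu.login("shop01", pw, "", t)  # password known, no token
    cu.disable_token(out["owner"], "shop01", "S-001")  # token reported lost
    later = t + STEP
    out["lost"] = cu.login("shop01", pw, token_code(keys["S-001"], later), later)
    return out, cu

if __name__ == "__main__":
    for name, result in demo()[0].items():
        print(name, result)
```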
In this architecture, when a plurality of users share a network account, the specific user having the primary authentication message generating device 301 can be the owner of the network account, and that user decides the login authority of the other users, who hold a secondary authentication message generating device 302. In this way, when another user logs in to the server device 32 with the authentication information of the secondary authentication message generating device 302, the account administrator and the network account owner can grasp the identity of the logged-in user, so that multiple users can enjoy the benefits of sharing the network account while also avoiding information security risks.

FIG. 4 is a schematic diagram of a specific embodiment of the shared network account authentication system of the application authentication message generating device of the present invention. As shown in the figure, the shared network account authentication system includes a client 40 and a server 42 connected to the client 40 via the network 41. The client 40 contains the first computer 401, the second computer 402 and the third computer 403; the first computer 401 has the master password lock 4011, and the second computer 402 and the third computer 403 have the first password lock 4021 and the second password lock 4031 respectively. The server 42 includes a web connection server 420 and a confirmation unit 421, wherein the confirmation unit 421 includes a data storage server 4211 and a login management server 4212.

In this example, the user of the first computer 401 in the client 40 logs in to the web connection server 420 of the server 42 according to the master password lock 4011. After the login management server 4212 performs identity verification, the data of the users having the first password lock 4021 and the second password lock 4031 can be stored in the data storage server 4211, and the accounts they can log in to can be set.
For example, when the user of the second computer 402 logs in to the web connection server 420, the login management server 4212 confirms the identity of that user against the data in the data storage server 4211. Thus, even if the shared network account is leaked or intercepted by a hacker, an illegal user cannot log in to the web connection server 420 without the password lock. Conversely, a user who is allowed to log in must be a user who has a password lock and whose data can be found in the data storage server 4211 or who has the login authority, so the account administrator and the network account owner can grasp the identity of the logged-in user and avoid information security risks.

Referring to FIG. 5, which is a flowchart of the network account authentication method 5 of the application authentication message generating device of the present invention. As shown in the figure, in step S1, the client device inputs the account, the password, and the authentication information provided by the authentication message generating device to the server device, and the method then proceeds to step S2. In step S2, the confirmation unit compares whether the input account and password, and the correspondence between the authentication information and the authentication message generating device, are correct; if not, the method proceeds to step S3, and if so, to step S4. In step S3, the server device rejects the login of the client device. In step S4, the server device allows the client device to log in.

Referring to FIG. 6, in a preferred embodiment, the network account authentication method 5 of the application authentication message generating device includes the following steps. In step S10, the client device inputs the account and password to log in to the server device, and the method then proceeds to step S11.
In step S11, it is confirmed that the account of the client device is required to log in using the authentication message generating device, and the method then proceeds to step S12. In step S12, the client device inputs the authentication information generated by the authentication message generating device currently in use, and the method then proceeds to step S13. In step S13, it is confirmed that a correspondence exists between the account of the client device and the authentication message generating device, and the method then proceeds to step S14. In step S14, it is confirmed that the authentication message generating device is in a usable state, and the method then proceeds to step S2. In step S2, the confirmation unit compares whether the account and password, and the correspondence between the authentication information and the authentication message generating device, are correct. If so, the method proceeds to step S4; if not, to step S3. In step S3, the server device rejects the login of the client device. In step S4, the server device allows the client device to log in.

In another embodiment of the present invention, the server device in the above steps can provide a webpage service so that the user can perform connection operations through the client device. The client device is connected to the server device through the Internet, an intranet system, an inter-organizational network system, a regional network system, a WAN system, and/or a virtual private network system, and the authentication message generating device is a cryptographic device, a combined cryptographic device, a dynamic cryptographic device, and/or a random cryptographic device. The client device is a desktop computer, a personal digital assistant, and/or a mobile phone.

Referring to FIG. 7, which is a flowchart of the shared network account setting method of the application authentication message generating device of the present invention, applied to a network system. The network system includes the server device and a client device having the primary and secondary authentication message generating devices.

As shown in the figure, in step S'1, the client device registers with the server device, the client device stores its data and account, and the client device obtains the primary authentication message generating device; the method then proceeds to step S'2. In step S'2, the client device inputs the account, the password, and the authentication information provided by the primary authentication message generating device to the server device, and the method proceeds to step S'3. In step S'3, the server device compares whether the account and password, and the correspondence between the authentication information and the primary authentication message generating device, are correct; if not, the method proceeds to step S'4, and if so, to step S'5. In step S'4, the server device rejects the login of the client device. In step S'5, the client device sets the permissions and/or identity data of the other client devices that log in to the server device according to the secondary authentication message generating device.

Referring to FIG. 8, in a preferred embodiment, the shared network account setting method of the application authentication message generating device of the present invention includes the following steps. As shown in the figure, in step S'10, the client device registers with the server device, and the method proceeds to step S'11. In step S'11, the client device stores its data and the account it uses, and the method proceeds to step S'12. In step S'12, the client device issues a request for allocation of the authentication device, and the method proceeds to step S'13.
In step S'13, the server device allocates the primary authentication message generating device to the client device according to the registration data of the client device, and allocates the secondary authentication message generating devices to the other client devices; the method then proceeds to step S'2. In step S'2, the client device inputs the account, the password, and the authentication information provided by the authentication message generating device to the server device, and the method then proceeds to step S'3. In step S'3, the confirmation unit compares whether the account and password, and the correspondence between the authentication information and the authentication message generating device, are correct. If so, the method proceeds to step S'5; if not, to step S'4. In step S'4, the server device rejects the login of the client device. In step S'5, the client device sets the permissions and/or identity data of the other client devices that log in to the server device according to the secondary authentication message generating device.

Compared with the prior art, the network account authentication method of the application authentication message generating device of the present invention and the shared network account setting method of the application authentication message generating device have at least the following effects:

(1) Even if the account and password are stolen or leaked, an illegal user cannot log in to the server device because they do not have the authentication message generating device.

(2) In the case of a shared account, the information of the authentication message generating device must be available in the confirmation unit so that the data can be compared. Therefore, when the authentication message generating devices are allotted to the plurality of users, the identity data of those users can be obtained at the same time.
Thus, when a user logs in to the system with the authentication data of a specific authentication message generating device, the account administrator can grasp the identity of the logged-in user to avoid information security risks.

(3) In the case of a shared account, the account owner can set the login rights of other users, so when a user loses the authentication message generating device, access can still be controlled to prevent unknown users from logging into the system.

In summary, the authentication message generating device of the present invention and the network account authentication system and method using the device not only effectively improve the security of network account identity authentication, but can also be applied to a network account shared by a plurality of users, so that the account administrator and the network account owner can grasp the identity of the logged-in user to avoid information security risks.

The above embodiments are merely illustrative of the principles and effects of the invention and are not intended to limit the invention. Modifications and variations of the above-described embodiments can be made by those skilled in the art without departing from the spirit and scope of the invention.

BRIEF DESCRIPTION OF THE DRAWINGS
FIG. 1 is a schematic diagram of the authentication message generating device of the present invention;
FIG. 2 is a schematic diagram of the architecture of the network account authentication system of the application authentication message generating device of the present invention;
FIG. 3 is a schematic diagram of the architecture of the shared network account authentication system of the application authentication message generating device of the present invention;
FIG. 4 is a schematic diagram of a specific embodiment of the shared network account authentication system of the application authentication message generating device of the present invention;
FIG. 5 is a flowchart of the network account authentication method of the application authentication message generating device of the present invention;
FIG. 6 is a flowchart of a preferred embodiment of the network account authentication method of the application authentication message generating device of the present invention;
FIG. 7 is a flowchart of the shared network account setting method of the application authentication message generating device of the present invention; and
FIG. 8 is a flowchart of a preferred embodiment of the shared network account setting method of the application authentication message generating device of the present invention.

[Description of main component symbols]
1 Authentication message generating device
10 Message storage module
11 Message generating module
12 Message output module
2 Network account authentication system of the application authentication message generating device of the present invention
20 Message generating device
21 Network
22 Server device
221 Confirmation unit
30 Client device
301 Primary authentication message generating device
302 Secondary authentication message generating device
31 Network
32 Server device
321 Confirmation unit
3211 Data storage unit
3212 Login management unit
40 Client
401 First computer
4011 Master password lock
402 Second computer
4021 First password lock
403 Third computer
4031 Second password lock
41 Network
42 Server
420 Web connection server
421 Confirmation unit
4211 Data storage server
4212 Login management server
5 Network account authentication method of the application authentication message generating device of the present invention
6 Shared network account setting method of the application authentication message generating device of the present invention
S1 to S4 Steps
S10 to S14 Steps
S'1 to S'4 Steps
S'10 to S'13 Steps
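
The login check of FIG. 6 and the owner-controlled sharing of FIG. 7 can be modelled as follows. This is an added example, not code from the patent: RFC 4226 HOTP stands in for the unspecified "dynamic password device", and the class, device IDs, account name and secrets are constructed for illustration.

```python
import hashlib, hmac, os, struct

def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP, an assumed stand-in for the 'dynamic password device'."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    val = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return str(val % 10 ** digits).zfill(digits)

class Server:
    """Confirmation unit: data storage (the dicts) plus login management."""
    WINDOW = 3  # tolerate codes that were generated but never submitted

    def __init__(self):
        self.accounts, self.devices, self.audit = {}, {}, []

    @staticmethod
    def _pw(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def register_account(self, account, password):
        salt = os.urandom(16)
        self.accounts[account] = (salt, self._pw(password, salt))

    def enroll(self, device_id, holder, role, secret, accounts=()):
        self.devices[device_id] = {"secret": secret, "counter": 0, "holder": holder,
                                   "role": role, "active": True, "accounts": set(accounts)}

    def _code_ok(self, dev, code):
        for c in range(dev["counter"], dev["counter"] + self.WINDOW):
            if hmac.compare_digest(hotp(dev["secret"], c), code):
                dev["counter"] = c + 1  # each code is accepted once only
                return True
        return False

    def _decide(self, account, password, dev, code):
        rec = self.accounts.get(account)
        if rec is None or not hmac.compare_digest(self._pw(password, rec[0]), rec[1]):
            return "reject: account or password"            # S10
        if dev is None or account not in dev["accounts"]:
            return "reject: device not bound to account"    # S11, S13
        if not dev["active"]:
            return "reject: device not usable"              # S14
        if not self._code_ok(dev, code):
            return "reject: authentication information"     # S2 -> S3
        return "allow"                                      # S2 -> S4

    def login(self, account, password, device_id, code):
        dev = self.devices.get(device_id)
        outcome = self._decide(account, password, dev, code)
        # The reason is for the audit trail; show the client only allow/deny.
        self.audit.append((account, dev["holder"] if dev else None, outcome))
        return outcome

    def set_permission(self, account, password, primary_id, code, target_id, allowed):
        """Only a login with a primary device may change who shares the account."""
        primary, target = self.devices.get(primary_id), self.devices.get(target_id)
        if primary is None or target is None or primary["role"] != "primary":
            return False
        if self.login(account, password, primary_id, code) != "allow":
            return False
        if allowed:
            target["accounts"].add(account)
        else:
            target["accounts"].discard(account)
        return True

def demo():
    """Constructed scenario: owner 'alice' shares account 'shop' with 'bob'."""
    own, bob = b"constructed-owner-secret", b"12345678901234567890"  # bob: RFC 4226 test key
    srv = Server()
    srv.register_account("shop", "s3cret")
    srv.enroll("P-1", "alice", "primary", own, accounts={"shop"})
    srv.enroll("S-1", "bob", "secondary", bob)
    out = [srv.login("shop", "s3cret", "S-1", hotp(bob, 0))]       # not granted yet
    srv.set_permission("shop", "s3cret", "P-1", hotp(own, 0), "S-1", True)
    out.append(srv.login("shop", "s3cret", "S-1", hotp(bob, 1)))   # granted
    out.append(srv.login("shop", "s3cret", "S-1", hotp(bob, 1)))   # replayed code
    out.append(srv.login("shop", "s3cret", "X-9", "000000"))       # leaked password, no device
    srv.set_permission("shop", "s3cret", "P-1", hotp(own, 1), "S-1", False)
    out.append(srv.login("shop", "s3cret", "S-1", hotp(bob, 2)))   # revoked by the owner
    return out, srv.audit
```

The audit list records which device holder was behind each attempt on the shared account, which is the identity-tracking effect the description claims for shared accounts.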


Claims (1)

Patent Application No. 97114765, replacement page amended September 7, 100

10. Scope of the patent application:

1. A shared network account authentication system of the application authentication message generating device, applied to a network system, the network account identity authentication system comprising:
a server device; and
a client device connected to the server device through a network;
wherein the client device includes:
a primary authentication message generating device that provides primary authentication information to the server device;
a secondary authentication message generating device that provides secondary authentication information to the server device; and
the server device includes a confirmation unit for comparing whether the primary and secondary authentication information respectively corresponding to the primary authentication message generating device and the secondary authentication message generating device are correct.

2. The shared network account authentication system of the application authentication message generating device according to claim 1, wherein the confirmation unit further comprises:
a data storage unit for storing the primary and secondary authentication information of the primary authentication message generating device and the secondary authentication message generating device; and
a login management unit that confirms the authentication message of the logged-in client device by means of the authentication information in the data storage unit.

3. The shared network account authentication system of the application authentication message generating device according to claim 1, wherein the server device provides a webpage service so that a user can perform connection operations through the client device.

4. The shared network account authentication system of the application authentication message generating device according to claim 1, wherein the network system is the Internet, an intranet system, an inter-organizational network system, a regional network system, a WAN system and/or a virtual private network system.

5. The shared network account authentication system of the application authentication message generating device according to claim 1, wherein the primary application authentication message generating device and/or the secondary application authentication message generating device is a cyclic cryptographic device, a combined cryptographic device, a dynamic cryptographic device and/or a random cryptographic device.

6. The shared network account authentication system of the application authentication message generating device according to claim 1, wherein the client device is a desktop computer, a notebook computer, a personal digital assistant and/or a mobile phone.

7. The shared network account authentication system of the application authentication message generating device according to claim 1, wherein the client device is composed of one client unit having the primary authentication message generating device and a plurality of client units having the secondary authentication message generating device.

8. The shared network account authentication system of the application authentication message generating device according to claim 1, wherein the client device logs in to one or more accounts of the server device according to the primary authentication information provided by the primary authentication message generating device.

9. The shared network account authentication system of the application authentication message generating device according to claim 8, wherein the client device has the function of setting the login permissions of other client devices.

10. The shared network account authentication system of the application authentication message generating device according to claim 9, wherein the function of the client device for setting the login permissions of other client devices is to set the accounts to which the secondary authentication information provided by a specific secondary authentication message generating device can log in.

11. A shared network account setting method of the application authentication message generating device, applied to a network system, the network system comprising a server device and a client device having primary and secondary authentication message generating devices, the shared network account setting method of the application authentication message generating device comprising:
(1) causing the client device to register with the server device, the client device storing its data and account and obtaining the primary authentication message generating device;
(2) causing the client device to input the account, the password and the authentication information provided by the primary authentication message generating device to the server device;
(3) causing the server device to compare whether the account and password, and the correspondence between the authentication information and the primary authentication message generating device, are correct; if not, proceeding to step (4); if so, proceeding to step (5);
(4) the server device rejecting the login of the client device; and
(5) the client device setting the permissions and/or identity data of the other client devices that log in to the server device according to the secondary authentication message generating device.

12. The shared network account setting method of the application authentication message generating device according to claim 11, wherein step (1) comprises:
(1-1) causing the client device to register with the server device;
(1-2) causing the client device to store its data and the account it uses;
(1-3) causing the client device to issue a request for allocation of the authentication device; and
(1-4) causing the server device, according to the registration data of the client device, to allocate the primary authentication message generating device to the client device and to allocate the secondary authentication message generating devices to the other client devices.
TW97114765A 2008-04-23 2008-04-23 Certification message generation device and networ TWI353156B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
TW97114765A TWI353156B (en) 2008-04-23 2008-04-23 Certification message generation device and networ

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
TW97114765A TWI353156B (en) 2008-04-23 2008-04-23 Certification message generation device and networ

Publications (2)

Publication Number Publication Date
TW200945849A TW200945849A (en) 2009-11-01
TWI353156B true TWI353156B (en) 2011-11-21

Family

ID=44869864

Family Applications (1)

Application Number Title Priority Date Filing Date
TW97114765A TWI353156B (en) 2008-04-23 2008-04-23 Certification message generation device and networ

Country Status (1)

Country Link
TW (1) TWI353156B (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
TWI655589B (en) * 2017-08-22 2019-04-01 崑山科技大學 Information service payment system of two stage role authorization and passive heterogeneous integration method of single token thereof

Also Published As

Publication number Publication date
TW200945849A (en) 2009-11-01
