TWI604330B - Methods for dynamic user identity authentication - Google Patents

Methods for dynamic user identity authentication Download PDF

Info

Publication number
TWI604330B
TWI604330B TW105136336A TW105136336A TWI604330B TW I604330 B TWI604330 B TW I604330B TW 105136336 A TW105136336 A TW 105136336A TW 105136336 A TW105136336 A TW 105136336A TW I604330 B TWI604330 B TW I604330B
Authority
TW
Taiwan
Prior art keywords
signature
verification
user
web server
login
Prior art date
Application number
TW105136336A
Other languages
Chinese (zh)
Other versions
TW201727526A (en
Inventor
陳柏愷
Original Assignee
艾爾希格科技股份有限公司
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Priority to US15/007,268 priority Critical patent/US20160226865A1/en
Application filed by 艾爾希格科技股份有限公司 filed Critical 艾爾希格科技股份有限公司
Publication of TW201727526A publication Critical patent/TW201727526A/en
Priority claimed from CN201710750381.9A external-priority patent/CN108063750A/en
Application granted granted Critical
Publication of TWI604330B publication Critical patent/TWI604330B/en

Links

Description

動態使用者身分驗證方法Dynamic user identity verification method

本發明是有關於一種驗證使用者身分的方法,且特別是有關於一種動態的使用者身分驗證方法。The present invention relates to a method of verifying user identity, and more particularly to a dynamic user identity verification method.

隨著網際網路技術的發展,使用者經常會透過電子裝置來使用網路服務或存取網路內容。為了維護使用者帳戶隱私與保障交易或服務的安全性,許多此類服務或內容的存取是受到限制的,亦即,使用者必須透過驗證程序表明其身分,方可使用或存取這些受限的服務或內容。With the development of Internet technology, users often use network services or access network content through electronic devices. In order to maintain the privacy of user accounts and to secure the security of transactions or services, access to many such services or content is restricted, that is, users must indicate their identity through a verification process before they can use or access them. Limited service or content.

傳統上,常會要求使用者輸入使用者帳號與密碼,以驗證使用者身分;然而,若是密碼被他人竊取或破解,則使用者身分就會遭他人冒用。換句話說,傳統的使用者身分驗證無法確認輸入相關帳號、密碼資料的人,是否為真正的使用者本人。Traditionally, users are often required to enter a user account and password to verify the user's identity; however, if the password is stolen or cracked by others, the user's identity will be fraudulently exploited by others. In other words, the traditional user identity verification cannot confirm whether the person who entered the relevant account number and password information is the real user himself.

另一方面,不同的網站對於建立使用者帳號與密碼可能有不同的要求,導致使用者必須管理多種帳號密碼的組合,徒增使用上的困擾。On the other hand, different websites may have different requirements for establishing user accounts and passwords, resulting in users having to manage a combination of multiple account passwords.

為了改善安全性的問題,目前已有一些驗證機制採用生物資訊識別,譬如比對使用者指紋、聲音、五官等特徵。舉例來說,電子裝置可以擷取使用者的影響並使用臉部特徵識別軟體來辨識使用者身分。然而,此類驗證方式僅能提供一定程度的額外保障,無法完全防堵他人冒用使用者身分。以臉部特徵識別為例,他人可能利用使用者的照片來通過驗證。再者,也並非所有的電子裝置都配置了能夠擷取一或多種生物資訊的設備,所以其運用場域也較為受限。In order to improve the security problem, some verification mechanisms have been used to identify biometric information, such as comparing fingerprints, sounds, and facial features of users. For example, the electronic device can capture the influence of the user and use the facial feature recognition software to identify the user identity. However, such verification methods can only provide a certain degree of additional protection, and cannot completely prevent others from using the user identity. Taking facial feature recognition as an example, others may use the user's photo to pass the verification. Furthermore, not all electronic devices are equipped with devices capable of capturing one or more biological information, so the field of use is also limited.

有鑑於上述問題,本領域亟需提出一種更簡便、更安全的使用者身分驗證方法。In view of the above problems, there is a need in the art to provide a simpler and more secure method for user identity verification.

發明內容旨在提供本揭示內容的簡化摘要,以使閱讀者對本揭示內容具備基本的理解。此發明內容並非本揭示內容的完整概述,且其用意並非在指出本發明實施例的重要/關鍵元件或界定本發明的範圍。SUMMARY OF THE INVENTION The Summary of the Disclosure is intended to provide a basic understanding of the present disclosure. This Summary is not an extensive overview of the disclosure, and is not intended to be an

本發明的一態樣是關於一種動態使用者身分驗證方法,此方法的特徵之一在於運用空中簽名驗證技術,以強化使用者帳戶安全之保障。此外,在某些實施方式中,可以利用空中簽名驗證程序來取代傳統的使用者帳號及/或密碼驗證步驟,可進一步簡化使用者身分驗證程序。再者,於可任選的實施方式中,所述的動態使用者身分驗證方法可進一步比對用以進行空中簽名的簽名裝置是否為已登錄的簽名裝置,以進一步提升使用者的帳戶安全性。One aspect of the present invention relates to a dynamic user identity verification method. One of the features of the method is the use of air signature verification technology to enhance the security of user accounts. Moreover, in some embodiments, the air signature verification procedure can be used to replace the traditional user account and/or password verification steps, which further simplifies the user identity verification procedure. Moreover, in an optional implementation manner, the dynamic user identity verification method may further compare whether the signature device used for air signature is a signed signature device to further improve user account security. .

根據本發明某些實施方式,利用所述動態使用者身分驗證方法來驗證登入裝置的使用者身分時,包含下述步驟。首先,利用網頁伺服器接收來自登入裝置的存取請求。接著,利用網頁伺服器基於所接收到的存取請求產生資源位址資訊與工作階段識別碼(session identifier;session ID),並將上述資源位址資訊與工作階段識別碼傳送至登入裝置。其後,利用登入裝置產生啟動信號,並將其傳送至簽名裝置,其中啟動信號包含上述資源位址資訊與工作階段識別碼。接著,利用簽名裝置基於所接收到的啟動信號而啟動空中簽名程序;所述簽名裝置包含移動感測器,可用以感測使用者移動簽名裝置的移動特徵,以產生目標簽名。接著,利用判斷模組來判斷目標簽名是否與基礎簽名相符、基於該判斷結果產生驗證訊息,並將驗證訊息依據資源位址資訊傳送至網頁伺服器;所述的驗證訊息包含簽名相符度資訊與工作階段識別碼。接著,利用網頁伺服器基於所接收到的驗證訊息,決定是否接受存取請求。According to some embodiments of the present invention, when the user identity of the login device is verified by the dynamic user identity verification method, the following steps are included. First, an access request from the login device is received using a web server. Then, the web server generates the resource address information and the session identifier (session identifier) based on the received access request, and transmits the resource address information and the work phase identification code to the login device. Thereafter, the activation signal is generated by the login device and transmitted to the signature device, wherein the activation signal includes the resource address information and the work phase identification code. Next, the signature program is used to initiate an air signature program based on the received activation signal; the signature device includes a motion sensor that can be used to sense a mobile feature of the user's mobile signature device to generate a target signature. Then, the determining module determines whether the target signature matches the basic signature, generates a verification message based on the determination result, and transmits the verification message to the web server according to the resource address information; the verification message includes signature matching degree information and Work phase identification code. Next, the web server determines whether to accept the access request based on the received verification message.

根據可任選的具體實施例,來自登入裝置的存取請求還可以包括輸入於登入裝置中的使用者帳號。同樣可任選地,來自登入裝置的存取請求還可以包括輸入於登入裝置中的使用者帳號與密碼。According to an optional embodiment, the access request from the login device may also include a user account entered in the login device. Also optionally, the access request from the login device may also include a user account and password entered in the login device.

於本發明不同的實施例中,由登入裝置產生並傳送至簽名裝置的啟動信號可編碼為以下任一種型式:光學可識別資料、音調資料與可透過通訊裝置傳輸的資料。In various embodiments of the present invention, the activation signal generated by the login device and transmitted to the signature device can be encoded into any of the following types: optically identifiable data, tone data, and data that can be transmitted through the communication device.

根據本發明多種實施例,簽名裝置中的移動感測器至少可感測使用者於移動簽名裝置時的一或多種以下移動特徵:移動方向、加速度與角速度。According to various embodiments of the present invention, the motion sensor in the signature device can sense at least one or more of the following mobile features of the user when moving the signature device: direction of movement, acceleration, and angular velocity.

在本發明可任選的實施例中,判斷模組內預先儲存有一或多基礎簽名,判斷模組可比對目標簽名和基礎簽名之間至少在移動方向、加速度及/或角速度的相似度,且當所述相似度高於門檻值時,判斷模組判斷目標簽名與基礎簽名相符。In an optional embodiment of the present invention, the determining module pre-stores one or more basic signatures, and the determining module can compare the similarity between the target signature and the basic signature at least in the moving direction, the acceleration, and/or the angular velocity, and When the similarity is higher than the threshold, the determining module determines that the target signature matches the basic signature.

於某些實施例中,所述判斷模組設於簽名裝置內;或者是,所述判斷模組設於空中簽名驗證伺服器內。In some embodiments, the determining module is disposed in the signature device; or the determining module is disposed in the air signature verification server.

根據某些可任選的實施例,所述的驗證訊息更包含簽名裝置的裝置識別碼。在這些實施例中,所述動態驗證方法還包含以下步驟:利用網頁伺服器比對裝置識別碼以及與使用者相關的關聯裝置識別碼,以得到比對結果;以及利用網頁伺服器基於簽名相符度資訊與比對結果,決定是否接受存取請求。According to some optional embodiments, the verification message further includes a device identification code of the signature device. In these embodiments, the dynamic verification method further includes the steps of: using a web server to compare the device identification code and the associated device identification code associated with the user to obtain a comparison result; and using the web server to match the signature based Information and comparison results, decide whether to accept access requests.

本發明之又一態樣係關於一種動態使用者身分驗證方法,此方法的特徵之一在於運用空中簽名驗證技術,並搭配裝置識別碼,以強化使用者帳戶安全之保障。Another aspect of the present invention relates to a dynamic user identity verification method. One of the features of the method is to use an air signature verification technology and a device identification code to enhance user account security.

根據本發明多種的實施方式,上述動態使用者身分驗證方法包含下數步驟。首先,利用網頁伺服器接收來自登入裝置的存取請求。接著,利用網頁伺服器基於所述存取請求產生資源位址資訊與工作階段識別碼,並將其傳送至登入裝置。其後,利用登入裝置產生包含資源位址資訊與工作階段識別碼的啟動信號,並將此啟動信號傳送至簽名裝置。接著,利用簽名裝置基於啟動信號啟動空中簽名程序,其中所述的簽名裝置包含移動感測器,可用以感測使用者移動簽名裝置的移動特徵,以產生目標簽名。之後,利用位於簽名裝置中的判斷模組判斷目標簽名是否與基礎簽名相符,且當目標簽名與基礎簽名相符時,利用判斷模組產生包含工作階段識別碼與裝置識別碼之驗證訊息,並將此驗證訊息傳送至網頁伺服器。接著,利用網頁伺服器比對裝置識別碼以及與使用者相關的關聯裝置識別碼,以得到比對結果。之後,利用網頁伺服器基於比對結果,決定是否接受存取請求。According to various embodiments of the present invention, the dynamic user identity verification method includes the following steps. First, an access request from the login device is received using a web server. Then, the resource address information and the work phase identification code are generated by the web server based on the access request and transmitted to the login device. Thereafter, the activation signal including the resource address information and the work phase identification code is generated by the login device, and the activation signal is transmitted to the signature device. Next, the signature process is initiated by the signature device based on the activation signal, wherein the signature device includes a motion sensor that can be used to sense the mobile feature of the user's mobile signature device to generate a target signature. Then, using the determining module located in the signature device to determine whether the target signature matches the basic signature, and when the target signature matches the basic signature, the determining module generates a verification message including the work phase identification code and the device identification code, and This verification message is sent to the web server. Next, the web server is used to compare the device identification code with the associated device identification code associated with the user to obtain a comparison result. Thereafter, the web server determines whether to accept the access request based on the comparison result.

當可想見,本發明前一態樣所述的各種實施例,在可允許的範圍下,亦適用於此一態樣。As can be appreciated, the various embodiments described in the previous aspect of the invention, as per the allowable range, are also applicable to this aspect.

本發明之又一態樣係關於一種動態使用者身分驗證方法,此方法的特徵之一在於運用空中簽名驗證技術,以強化使用者帳戶安全之保障。此外,此方法使簽名裝置不需與網頁伺服器互動,提供了較為便捷的驗證流程。Another aspect of the present invention relates to a dynamic user identity verification method. One of the features of the method is to use an air signature verification technology to enhance the security of user accounts. In addition, this method allows the signature device to interact with the web server without providing a more convenient verification process.

根據本發明多種的實施方式,所述方法包含以下步驟:首先,利用包含移動感測器並儲存有空中簽名程序的簽名裝置來感測使用者移動簽名裝置的移動特徵,以產生一目標簽名。接著,利用判斷模組判斷目標簽名是否與基礎簽名相符。當目標簽名與基礎簽名相符時,本方法接著利用判斷模組或簽名裝置產生驗證通過訊息,並將此驗證通過訊息傳送至登入裝置。In accordance with various embodiments of the present invention, the method includes the steps of first sensing a mobile signature of a user's mobile signature device using a signature device that includes a motion sensor and stored with an air signature program to generate a target signature. Next, the determining module determines whether the target signature matches the basic signature. When the target signature matches the base signature, the method then generates a verification pass message using the decision module or the signature device and transmits the verification message to the login device.

在某些可任選的實施方式中,所述驗證通過訊息包含使用者帳號與密碼,但不含資源位址資訊。此時,本方法包含利用登入裝置接收一資源位址資訊之輸入,並利用登入裝置帶入驗證通過訊息中的使用者帳號與密碼,以完成登入。In some optional implementations, the verification pass message includes a user account and password, but does not include resource address information. At this time, the method includes receiving an input of resource address information by using the login device, and using the login device to bring in the user account and password in the verification pass message to complete the login.

在另一些可任選的實施例中,所述驗證通過訊息同時包含資源位址資訊以及使用者帳號與密碼。在這種情形中,本方法包含利用登入裝置帶入資源位址資訊以及使用者帳號與密碼,以完成登入。In still other optional embodiments, the verification pass message includes both resource address information and a user account and password. In this case, the method includes using the login device to bring in the resource address information and the user account and password to complete the login.

根據另一些可任選的實施方式,所述驗證通過訊息包含資源位址資訊,但不含使用者帳號與密碼。在這類實施方式中,所述的登入裝置可設有外掛模組,於外掛模組中存有使用者帳號與密碼;此時本方法可利用外掛模組先帶入驗證通過訊息中的資源位址資訊,再帶入儲存於外掛模組內的使用者帳號與密碼,以完成登入。According to other optional embodiments, the verification pass message includes resource address information, but does not include a user account and password. In this embodiment, the login device may be provided with an external module, and the user account and password are stored in the plug-in module; in this case, the method may first use the plug-in module to bring in the resources in the verification pass message. Address information, and then bring in the user account and password stored in the plug-in module to complete the login.

當可想見,本發明另一種態樣乃是關於一種電腦可儲存媒體。所述的電腦可儲存媒體其上存有電腦可讀取指令,所述指令經執行時,可用以進行本發明上述各態樣/實施例所述的動態使用者身分驗證方法。As can be appreciated, another aspect of the present invention is directed to a computer storable medium. The computer storable medium has computer readable instructions stored thereon, and when executed, the instructions can be used to perform the dynamic user identity verification method described in the above aspects/embodiments of the present invention.

另一方面,本發明的一態樣是關於一種用以執行上述動態使用者身分驗證方法的系統。舉例來說,所述系統可包含一登入裝置以及一簽名裝置。在某些實施方式中,所述系統還可包含一網頁伺服器及/或一空中簽名驗證伺服器。In another aspect, an aspect of the invention is directed to a system for performing the dynamic user identity verification method described above. For example, the system can include a login device and a signature device. In some embodiments, the system can also include a web server and/or an air signature verification server.

在參閱下文實施方式後,本發明所屬技術領域中具有通常知識者當可輕易瞭解本發明之基本精神及其他發明目的,以及本發明所採用之技術手段與實施態樣。The basic spirit and other objects of the present invention, as well as the technical means and implementations of the present invention, will be readily apparent to those skilled in the art of the invention.

為了使本揭示內容的敘述更加詳盡與完備,下文針對本發明的實施態樣與具體實施例提出了說明性的描述;但這並非實施或運用本發明具體實施例的唯一形式。實施方式中涵蓋多個具體實施例的特徵以及用以建構與操作這些具體實施例的方法步驟及其順序。然而,亦可利用其他具體實施例來達成相同或均等的功能以及步驟順序。The description of the embodiments of the present invention is intended to be illustrative and not restrictive. The features of the various embodiments, as well as the method steps and sequences thereof, are constructed and manipulated in the embodiments. However, other specific embodiments may be utilized to achieve the same or equivalent functions and sequence of steps.

除非本說明書另有定義,此處所用的科學與技術詞彙的含義與本發明所屬技術領域中具有通常知識者所理解與慣用的意義相同。在不和上下文衝突的情形下,本說明書所用的單數名詞涵蓋該名詞的複數型;而所用的複數名詞時亦涵蓋該名詞的單數型。此外,在本說明書與申請專利範圍中,「至少一」與「一或更多」等表述方式的意義相同,兩者都代表包含了一、二、三或更多。更有甚者,在本說明書與申請專利範圍中,「A、B及C其中至少一者」、「A、B或C其中至少一者」以及「A、B和/或C其中至少一者」係指涵蓋了僅有A、僅有B、僅有C、A與B兩者、B與C兩者、A與C兩者、以及A、B與C三者。The scientific and technical terms used herein have the same meaning as commonly understood by those of ordinary skill in the art to which the invention pertains, unless otherwise defined herein. In the absence of conflict with context, the singular noun used in this specification covers the plural of the noun, and the plural noun used also covers the singular of the noun. In addition, in the scope of the present specification and the patent application, the expressions "at least one" and "one or more" have the same meaning, and both represent one, two, three or more. What is more, in the scope of this specification and the patent application, "at least one of A, B and C", "at least one of A, B or C" and at least one of "A, B and / or C" It refers to only A, only B, only C, A and B, B and C, A and C, and A, B and C.

本發明的一態樣是關於一種動態使用者身分驗證方法。當一使用者試圖透過登入裝置存取受到限制的網路服務或內容時,可啟動此處提出的動態使用者身分驗證方法,透過空中簽名程序來驗證該名使用者是否為真正的使用者,以確保帳戶安全。One aspect of the present invention is directed to a dynamic user identity verification method. When a user attempts to access a restricted network service or content through the login device, the dynamic user identity verification method proposed herein can be activated to verify whether the user is a real user through an air signature program. To ensure account security.

第1圖的流程圖繪示一種例示性的動態使用者身分驗證方法100;如圖所示,本實施例之方法步驟以實線表示(步驟S101-S115);而涉及使用者互動的步驟則以點虛線表示(步驟S201、S203);此外,根據替代性實施例之步驟則以虛線表示(步驟S113’)。第2、3圖分別繪示了根據本發明不同實施方式,用以實施動態使用者身分驗證方法(如,方法100)的例示性系統,及系統內各裝置/元件於實作本發明之方法時的互動關係。The flowchart of FIG. 1 illustrates an exemplary dynamic user identity verification method 100; as shown, the method steps of the embodiment are indicated by solid lines (steps S101-S115); and the steps involving user interaction are It is indicated by a dotted line (steps S201, S203); further, the steps according to an alternative embodiment are indicated by broken lines (step S113'). 2 and 3 respectively illustrate an exemplary system for implementing a dynamic user identity verification method (eg, method 100) according to various embodiments of the present invention, and methods and components of the system for implementing the present invention. The interaction of time.

在詳細說明本發明之方法前,先簡要說明用以實作本發明的系統所包含的基本裝置。以第2圖所示的系統200為例,其包括網頁伺服器(web server)210、登入裝置220與簽名裝置230。Before explaining the method of the present invention in detail, the basic apparatus included in the system for carrying out the invention will be briefly described. Taking the system 200 shown in FIG. 2 as an example, it includes a web server 210, a login device 220, and a signature device 230.

一般而言,要在網際網路(World Wide Web)上傳輸資料,需要透過超文字傳輸協定(Hypertext Transfer Protocol,HTTP);而網頁伺服器210就是能夠處理HTTP請求的電腦系統或用來處理HTTP請求的電腦軟體。網頁伺服器210的主要功用是儲存、處理以及傳遞網頁內容(如:文字、圖像、格式、程式碼(scripts)等)。此處所述的網頁伺服器210可設於單一系統或裝置內,或可設於分散式運算環境中。In general, to transfer data over the Internet (World Wide Web), Hypertext Transfer Protocol (HTTP) is required; and web server 210 is a computer system capable of processing HTTP requests or used to process HTTP. Requested computer software. The main function of web server 210 is to store, process, and deliver web content (eg, text, images, formats, scripts, etc.). The web server 210 described herein may be provided in a single system or device, or may be provided in a distributed computing environment.

登入裝置220是一種具處理器的電子裝置;為了能夠實施本案所提出的方法,登入裝置220還可設有適當的輸入、輸出元件以及通訊元件,以利使用者存取網路內容,並使登入裝置220可和網頁伺服器210、簽名裝置230互動。當可理解,所述的登入裝置220通常具備至少某種形式的儲存媒體;所述的儲存媒體包含依電性、及非依電性、可移除及不可移除媒體,可運用適當的方法或技術,使上述媒體能用於儲存所欲資訊(如:電腦可讀取指令、資料結構、應用程式模組、及其他資料)。儲存媒體包含但不限於:RAM、ROM、EEPROM、快閃記憶體、或其他記憶體技術、CD-ROM、數位多功能影音光碟(DVD)、或其他光學儲存器、磁匣、磁帶、磁碟片儲存器、以及其他磁性儲存裝置、或任何能夠用以儲存所需資訊且可供處理器存取之其他媒體。一般而言,通訊元件可將電腦可讀取指令、資料、結構、應用程式模組及其他資料具體實作成各種資料訊號,且可透過任何通訊媒體傳遞之。作為例示而非限制,通訊媒體包含有線媒體(如有線網路或直接有線連線)及無線媒體(如音波、紅外線、無線電、微波、展頻技術、及其他無線媒體技術)。此外,本文所述的電腦可讀取媒體係指可供所述處理器執行存取的任何可用媒體,譬如上述之儲存媒體、通訊元件,或兩者之組合。作為例示而非限制,所述的登入裝置220可以是桌上型電腦、伺服器電腦、手持式或膝上型裝置、個人數位助理、多處理器系統、基於微處理器之系統、機上盒、可程式化消費性電子產品、行動電話(特別是智慧型手機)、網路電腦、迷你電腦、主機電腦、包含任何上述系統或裝置之分散式運算環境及與其相似者。The login device 220 is an electronic device with a processor; in order to implement the method proposed in the present application, the login device 220 can also be provided with appropriate input and output components and communication components for the user to access the network content and The login device 220 can interact with the web server 210 and the signature device 230. As can be understood, the login device 220 generally has at least some form of storage medium; the storage medium includes an electrical, non-electrical, removable, and non-removable media, and an appropriate method can be applied. Or technology that enables the above media to be used to store the desired information (eg, computer readable instructions, data structures, application modules, and other materials). Storage media includes but is not limited to: RAM, ROM, EEPROM, flash memory, or other memory technology, CD-ROM, digital versatile audio and video (DVD), or other optical storage, magnetic tape, tape, disk A slice memory, as well as other magnetic storage devices, or any other medium that can be used to store the required information and be accessible to the processor. In general, communication components can be used to implement computer readable instructions, data, structures, application modules and other data into various data signals and can be transmitted through any communication medium. By way of illustration and not limitation, communication media includes wired media (such as a wired network or direct wired connection) and wireless media (such as sonic, infrared, radio, microwave, spread spectrum, and other wireless media technologies). Furthermore, computer readable media as used herein refers to any available media that can be accessed by the processor, such as the storage media described above, communication components, or a combination of both. By way of illustration and not limitation, the login device 220 can be a desktop computer, a server computer, a handheld or laptop device, a personal digital assistant, a multi-processor system, a microprocessor-based system, a set-top box , programmable consumer electronics, mobile phones (especially smart phones), network computers, mini computers, host computers, distributed computing environments containing any of the above systems or devices, and the like.

簽名裝置230係指能夠執行空中簽名程序,並可感測使用者移動簽名裝置230的過程中所產生的一或多種移動特徵,以產生目標簽名的裝置。為了實踐前述功能,簽名裝置230至少包含處理器、儲存媒體、輸入裝置、輸出裝置、通訊元件,以執行空中簽名程序,並和系統中的其他裝置(如:網頁伺服器210、登入裝置220)互動;上文針對登入裝置220所述的各元件,亦適用於簽名裝置230,此處不再贅述。另外,簽名裝置230還可包含加速度計及/或陀螺儀感測器,以便感測移動特徵。加速度計可用以測量線性加速度;舉例來說,加速度計可以是單軸或多軸的加速度計。加速度計感測到簽名裝置230在各軸向的加速度讀數後,可將其傳送給執行空中簽名程序的應用程式,以供其記錄簽名裝置230在各軸向上的移動速度。在較佳的實施例中,加速度計可提供即時的三維加速度數據。此外,還可利用加速度計讀數來測量地球引力對於簽名裝置230的加速度效應,通過在X、Y及Z軸向上的加速度計讀數,來計算簽名裝置230相對於地球重力方向的傾斜程度。另一方面,陀螺儀感測器則可用以測量簽名裝置230在各種軸向的角速度。所述的簽名裝置230可以是任何可供使用者進行空中簽名動作的電子裝置;當可想見,簽名裝置230應便於移動,以利使用者進行空中簽名。作為例示而非限制,可將簽名裝置230實作為行動電話(特別是智慧型手機)、個人數位助理及其他可程式化消費性電子產品等各種型式。所述的可程式化消費性電子產品可以是平板裝置、穿戴型智慧裝置(如,智慧型手環、智慧型手錶、智慧型戒指)或手持式輸入裝置(如,電子筆、搖桿、遙控器);然本發明不限於此。Signature device 230 is a device that is capable of executing an air signature program and can sense one or more mobile features generated during the user's movement of the signature device 230 to generate a target signature. In order to carry out the aforementioned functions, the signature device 230 includes at least a processor, a storage medium, an input device, an output device, a communication component to execute an air signature program, and other devices in the system (eg, web server 210, login device 220) The components described above for the login device 220 are also applicable to the signature device 230, and are not described herein again. Additionally, the signature device 230 can also include an accelerometer and/or a gyro sensor to sense the moving features. An accelerometer can be used to measure linear acceleration; for example, the accelerometer can be a single or multi-axis accelerometer. After the accelerometer senses the acceleration readings of the various axes in the axial direction, the accelerometer can transmit it to the application executing the air signature program for recording the speed of movement of the signature device 230 in each axial direction. In a preferred embodiment, the accelerometer provides instant three-dimensional acceleration data. In addition, accelerometer readings can be utilized to measure the acceleration effects of the Earth's gravitational force on the signature device 230, and the degree of tilt of the signature device 230 relative to the direction of gravity of the Earth is calculated by accelerometer readings in the X, Y, and Z axes. Gyro sensors, on the other hand, can be used to measure the angular velocity of the signature device 230 at various axial directions. The signature device 230 can be any electronic device that can be used by the user to perform an air signature action; when it is conceivable, the signature device 230 should be easily moved to facilitate the user to perform an air signature. By way of illustration and not limitation, the signature device 230 can be implemented as a variety of types of mobile phones (especially smart phones), personal digital assistants, and other programmable consumer electronics. The programmable consumer electronic product may be a tablet device, a wearable smart device (eg, a smart bracelet, a smart watch, a smart ring) or a handheld input device (eg, an electronic pen, a joystick, a remote control) The invention is not limited thereto.

根據本發明某些實施方式,簽名裝置230內還設有判斷模組240。判斷模組240可用以比對簽名裝置230所接收的目標簽名是否與預先儲存的一基礎簽名相符。According to some embodiments of the present invention, a determination module 240 is further disposed in the signature device 230. The determining module 240 can be used to compare whether the target signature received by the signature device 230 matches a pre-stored basic signature.

接著同時參見第1圖與第2圖,來描述例示的動態使用者認證方法100。根據本發明某些實施方式,使用者欲透過網頁伺服器210存取特定網路服務或內容時,可在使用者互動步驟S201中,利用登入裝置220向網頁伺服器210傳送存取請求(Access request,AR)。Next, referring to FIG. 1 and FIG. 2, the illustrated dynamic user authentication method 100 will be described. According to some embodiments of the present invention, when the user wants to access a specific web service or content through the web server 210, the user may transmit an access request to the web server 210 by using the login device 220 in the user interaction step S201. Request, AR).

根據本發明的原理與精神,所述的特定網路服務或內容屬於限制存取資源;譬如帳號資料、付款授權、客製化頁面(customized page)、印刷特權(printing privilege)、付費內容等。一般來說,欲存取的特定網路服務或內容所在的位址,即為本文所述的資源位址;此種位址通常是以網路位址(uniform resource locator,URL)的型式來表示。In accordance with the principles and spirit of the present invention, the particular network service or content is restricted access resources; such as account data, payment authorization, customized pages, printing privilege, paid content, and the like. In general, the address of the specific network service or content to be accessed is the resource address described in this article; such address is usually in the form of a uniform resource locator (URL). Said.

一般來說,使用者在發出存取請求AR時,可透過儲存於登入裝置220的使用者代理(user agent;如網頁瀏覽器)來啟動登入裝置220與網頁伺服器210之間的通訊。舉例來說,使用者可在網頁瀏覽器輸入一登入位址資訊,此時瀏覽器會呈現一登入頁面,以供使用者進行後續身分驗證步驟。在本實施例中,由登入裝置220發出的存取請求AR會帶有包含登入位址資訊的資訊。Generally, when the user issues the access request AR, the user can initiate communication between the login device 220 and the web server 210 through a user agent (such as a web browser) stored in the login device 220. For example, the user can enter a login address information in the web browser, and the browser will present a login page for the user to perform the subsequent identity verification step. In this embodiment, the access request AR sent by the login device 220 will carry information containing the login address information.

根據本發明某些實施方式,利用下文所述的空中簽名程序來驗證使用者身分,故在使用者發出存取請求AR時,可以不需要輸入使用者帳號及/或密碼。然而,在有需要的情形下,亦可要求使用者先在登入頁面中輸入使用者帳號或使用者帳號與密碼,並將此一帳號及/或密碼資訊作為存取請求AR的一部分,一起傳送至網頁伺服器210。According to some embodiments of the present invention, the user identity is verified using the air signature program described below, so that when the user issues an access request AR, the user account and/or password may not be entered. However, if necessary, the user may be required to first enter the user account or the user account and password in the login page, and transmit the account and/or password information as part of the access request AR. To web server 210.

在本發明步驟S101中,網頁伺服器210接收來自登入裝置220的存取請求AR。之後,網頁伺服器210可基於存取請求AR產生資源位址資訊(URL)與工作階段識別碼(session ID,SID),並將所產生的資源位址資訊URL與工作階段識別碼SID傳送至登入裝置220(本發明步驟S103)。舉例來說,網頁伺服器210可對上述資源位址資訊URL與工作階段識別碼SID兩種資訊進行封包處理(packet processing),並轉換為可供登入裝置220接收與識別的信號。在本發明步驟S103中,網頁伺服器210還會將所產生的信號(即,含有資源位址資訊URL與工作階段識別碼SID的信號)傳送至登入裝置220。In step S101 of the present invention, the web server 210 receives the access request AR from the login device 220. Thereafter, the web server 210 may generate a resource address information (URL) and a session ID (SID) based on the access request AR, and transmit the generated resource address information URL and the work phase identification code SID to The device 220 is logged in (step S103 of the present invention). For example, the web server 210 may perform packet processing on the resource address information URL and the work phase identification code SID, and convert the signal into a signal that can be received and recognized by the login device 220. In step S103 of the present invention, the web server 210 also transmits the generated signal (i.e., the signal including the resource address information URL and the work phase identification code SID) to the login device 220.

當可想見,在某些實施方式中,本發明步驟S101中輸入的登入位址即為欲存取之服務或內容所在的資源位址。在其他方式中,登入位址與資源位址為不同的位址;亦即,使用者透過瀏覽器輸入登入位址並完成身分驗證後,瀏覽器可基於本發明步驟S103中網頁伺服器210所產生的資源位址資訊,而導向欲存取的特定網路服務或內容所在的位址,並呈現相關內容。It is conceivable that in some embodiments, the login address entered in step S101 of the present invention is the resource address where the service or content to be accessed is located. In other modes, the login address and the resource address are different addresses; that is, after the user inputs the login address through the browser and completes the identity verification, the browser may be based on the web server 210 in step S103 of the present invention. The generated resource address information is directed to the address of the specific network service or content to be accessed, and the related content is presented.

於本發明步驟S105,登入裝置220接收到含有資源位址資訊URL與工作階段識別碼SID的信號之後會產生一啟動信號(initiation signal,I)。所述的啟動信號I包含上述資源位址資訊URL與該工作階段識別碼SID。此外,可將啟動信號I編碼為可供簽名裝置230接收與識別的編碼型式;譬如以下任一種編碼型式:光學可識別資料、音調資料或可透過通訊裝置傳輸的資料。舉例來說,光學可識別資料可以是快速反應碼(quick response code,通稱QR碼)、條碼、圖片、文字串、或光線閃爍頻率組合,或上述信號的組合。在音調資料方面,可將啟動信號I編碼為:雙音多頻(dual tone multi frequency,簡稱DTFM)信號、樂曲、語音或人耳無法聽覺的頻率信號,或上述信號的組合。此外,亦可將啟動信號I編碼為可透過以下通訊裝置而傳輸的資料:近場通信(near field communication,簡稱NFC)、特定網路(ad-hoc)、WiFi無線網路(WiFi)、藍牙裝置(Bluetooth)、Z軸向波(Z-Wave)、XBee無線網路或其他區域無線射頻(local radiofrequency)等。In step S105 of the present invention, the login device 220 generates an initiation signal (I) after receiving the signal including the resource address information URL and the work phase identification code SID. The activation signal I includes the resource address information URL and the work phase identification code SID. In addition, the enable signal I can be encoded as an encoded version that can be received and recognized by the signature device 230; for example, any of the following types of encoding: optically identifiable data, tonal data, or data that can be transmitted through a communication device. For example, the optically identifiable data may be a quick response code (commonly known as a QR code), a bar code, a picture, a text string, or a combination of light flicker frequencies, or a combination of the above signals. In terms of tone data, the enable signal I can be encoded as: a dual tone multi-frequency (DTFM) signal, a music, a voice, or a frequency signal that is inaudible to the human ear, or a combination of the above signals. In addition, the enable signal I can also be encoded as data that can be transmitted through the following communication devices: near field communication (NFC), specific network (ad-hoc), WiFi wireless network (WiFi), Bluetooth Bluetooth, Z-Wave, XBee wireless network or other local radio frequency.

當可理解,當登入裝置220利用所欲的編碼型式將資源位址資訊URL與該工作階段識別碼SID等資訊轉換為啟動信號I時,登入裝置220具備能夠發送此種特定編碼型式信號的輸出元件,而簽名裝置230也需設有可接收此種信號的輸入元件。舉例來說,登入裝置220可將資源位址資訊URL與工作階段識別碼SID打包並轉換為QR碼,此時登入裝置220可配備有一螢幕以呈現此QR碼,而簽名裝置230則可配有影像擷取設備(如,相機),以接收QR碼之輸入。以上所舉的編碼方式與傳送、接受設備僅為例示,本發明不限於此;本發明所屬技術領域具有通常知識者當可利用本領域已知或與其均等的技術與設備來實現登入裝置220與簽名裝置230間的信號傳輸。It can be understood that when the login device 220 converts the resource address information URL and the session identification code SID into the activation signal I by using the desired coding pattern, the login device 220 is provided with an output capable of transmitting such a specific coding type signal. The component, and the signature device 230 also needs to be provided with an input element that can receive such a signal. For example, the login device 220 may package and convert the resource address information URL and the work phase identification code SID into a QR code. At this time, the login device 220 may be equipped with a screen to present the QR code, and the signature device 230 may be equipped with An image capture device (eg, a camera) to receive input of a QR code. The above-mentioned coding modes and transmission and reception devices are merely exemplary, and the present invention is not limited thereto; those skilled in the art having the knowledge of the present invention can implement the login device 220 by using techniques and devices known or equivalent in the art. Signal transmission between signature devices 230.

接著,在本發明步驟S107,當簽名裝置230接收到啟動信號I時,會啟動空中簽名程序(air signature procedure,AS)。空中簽名程序為本案發明人所提出的一種基於動作的身分識別方法。空中簽名程序的特徵在於透過訓練階段來擷取基礎簽名組,並計算與簽名相關聯的嚴謹度;以及透過驗證階段,以比較目標簽名與基礎簽名組,並在目標簽名已到達相對於基礎簽名的相似度臨界值時,視為通過驗證程序而授予使用者相關權限。在一些實施例中,此種空中簽名程序可在少於0.1秒的時間內識別空中簽名特徵,且其準確率高於99%。Next, in step S107 of the present invention, when the signature device 230 receives the activation signal I, an air signature procedure (AS) is started. The air signature procedure is an action-based identity recognition method proposed by the inventor of the present invention. The air signature program is characterized by a basic signature group obtained through the training phase and calculating the rigor associated with the signature; and a comparison phase to compare the target signature with the base signature group, and the target signature has arrived relative to the base signature When the similarity threshold is used, it is considered to grant the user relevant authority through the verification program. In some embodiments, such an air signature program can identify air signature features in less than 0.1 seconds with an accuracy of greater than 99%.

簽名裝置230於啟動空中簽名程序AS時,可透過適當方式向使用者發出一提示(譬如訊息、聲音、震動、閃光等),提醒使用者開始進行空中簽名(使用者互動步驟S203)。此時,使用者可移動簽名裝置230,而簽名裝置230內的移動感測器會感測使用者移動簽名裝置230的過程中所產生的一或多種移動特徵,並產生目標簽名(target signature,TS)。When the signature device 230 is activated, the signature device 230 can issue a prompt (such as message, sound, vibration, flash, etc.) to the user in an appropriate manner to remind the user to start the air signature (user interaction step S203). At this time, the user can move the signature device 230, and the motion sensor in the signature device 230 senses one or more moving features generated by the user during the process of moving the signature device 230, and generates a target signature (target signature, TS).

根據本發明不同的實施例,簽名裝置230的移動感測器可感測至少一種一下參數:簽名裝置230的移動方向、加速度與角速度;以產生目標簽名TS。According to various embodiments of the present invention, the motion sensor of the signature device 230 may sense at least one of the following parameters: the direction of movement of the signature device 230, the acceleration and the angular velocity; to generate the target signature TS.

接著,在本發明步驟S109中,由設於簽名裝置230內的判斷模組240來判斷簽名裝置230產生的目標簽名TS和基礎簽名(reference signature,RS)是否相符。此處所述的基礎簽名RS是透過空中簽名程序AS在先前的訓練階段所擷取並儲存的基礎簽名RS。在不同的實施方式中,判斷模組240可比對目標簽名TS和基礎簽名RS兩者在移動方向、加速度與角速度等特徵中一或多種特徵的相似度,並做成判斷結果。根據本發明的原理與精神,當判斷模組240認定上述相似度高於預先決定的門檻值時,判斷模組240判斷目標簽名TS與基礎簽名RS相符。Next, in step S109 of the present invention, it is determined by the determination module 240 provided in the signature device 230 whether the target signature TS generated by the signature device 230 and the reference signature (RS) match. The base signature RS described herein is the base signature RS captured and stored by the air signature program AS during the previous training phase. In different embodiments, the determining module 240 can compare the similarity of one or more features of the target signature TS and the base signature RS in the moving direction, the acceleration and the angular velocity, and make a determination result. According to the principle and spirit of the present invention, when the determining module 240 determines that the similarity is higher than a predetermined threshold, the determining module 240 determines that the target signature TS matches the basic signature RS.

根據本發明可任選的實施例,空中簽名程序AS可針對單一種簽名方式(譬如,John Smith)儲存一或多個基礎簽名RS。另外,空中簽名程序AS可儲存多種不同簽名方式(如:John Smith、John、Smith、J Smith、JS1或JS2等)各自的一或多種基礎簽名RS。更有甚者,在視需要而採用的實施方式中,可將存取單一種受限制網路資源的權限和上述多種簽名方式中的一或多種簽名方式相關聯;或是可將存取數種受限制網路資源的權限分別和上述多種簽名方式中的一或多種簽名方式相關聯。作為例示而非限制,使用者可預先透過空中簽名程序AS設定以下關聯:將簽名方式「John Smith」、「J Smith」及「JS1」和存取第一網站的權限建立關聯;將簽名方式「John」及「Smith」分別和存取第二、第三網站的權限建立關聯;將簽名方式「JS1」和第一信用卡的網路付款權限建立關聯;以及將簽名方式「JS2」和第二信用卡的網路付款權限建立關聯等。In accordance with an optional embodiment of the present invention, the air signature program AS may store one or more base signature RSs for a single signature scheme (e.g., John Smith). In addition, the air signature program AS can store one or more base signature RSs of a plurality of different signature methods (eg, John Smith, John, Smith, J Smith, JS1, or JS2, etc.). What is more, in the embodiment adopted as needed, the access permission of a restricted network resource may be associated with one or more of the plurality of signature manners; or the number of accesses may be The permissions of the restricted network resources are respectively associated with one or more of the plurality of signature methods described above. By way of illustration and not limitation, the user may pre-set the following associations through the air signature program AS: associate the signatures "John Smith", "J Smith", and "JS1" with the rights to access the first website; "John" and "Smith" respectively associate with the access rights of the second and third websites; associate the signature method "JS1" with the online payment authority of the first credit card; and sign the "JS2" and the second credit card Network payment permissions are associated, etc.

一般來說,可將空中簽名程序實作為一或多種電腦可執行指令(例如程式模組),此種電腦可執行指令可供電腦或具有相當處理能力之各種裝置(如,簽名裝置230)所執行。一般而言,程式模組包含但不限於:常式、程式、物件、元件及資料結構等可執行特定任務或實作特定抽象資料類型者。在採用第2圖所示的系統來實作動態使用者身分驗證方法100時,空中簽名程序實作於單一裝置(如,簽名裝置230)內。然而,亦可將空中簽名程序實作於分散式運算環境中,並由透過通訊網路連接之多個遠端處理裝置協力完成整個空中簽名程序。在分散式運算環境中,各協力裝置可分別包含記憶裝置,以儲存用以實作空中簽名程序AS的程式模組之一部或全部(詳見下文參照第3圖的相關說明)。In general, the air signature program can be implemented as one or more computer executable instructions (eg, a program module) that can be used by a computer or various devices having comparable processing capabilities (eg, signature device 230). carried out. In general, program modules include, but are not limited to, routines, programs, objects, components, and data structures that perform specific tasks or implement specific abstract data types. When the dynamic user identity verification method 100 is implemented using the system shown in FIG. 2, the air signature program is implemented in a single device (e.g., signature device 230). However, the air signature program can also be implemented in a decentralized computing environment, and the entire air signature program can be completed by a plurality of remote processing devices connected through a communication network. In a distributed computing environment, each of the cooperating devices may include a memory device to store one or all of the program modules for implementing the air signature program AS (see the related description of FIG. 3 below).

在判斷模組240完成判斷後,於本發明步驟S111中,由判斷模組240基於所述的判斷結果產生驗證訊息(authentication information,AI),並將驗證訊息AI傳送至網頁伺服器210(譬如,判斷模組240可透過簽名裝置230的通訊元件將驗證訊息AI傳送至網頁伺服器210)。詳言之,驗證訊息AI包含一簽名相符度資訊與工作階段識別碼SID。簽名相符度資訊可用以表示目標簽名TS與基礎簽名RS間的相似度。在一實施例中,簽名相符度資訊僅呈現經判斷模組240判定的相似度。在替代性的實施例中,簽名相符度資訊除了上述相似度之外,還包含預先決定的相似度門檻值。又或者是,簽名相符度資訊可用以表示目標簽名TS與基礎簽名RS間的相似度是否高於預先決定的相似度門檻值。After the determination module 240 completes the determination, in the step S111 of the present invention, the determination module 240 generates an authentication information (AI) based on the determination result, and transmits the verification message AI to the web server 210 (for example, The determining module 240 can transmit the verification message AI to the web server 210 via the communication component of the signature device 230. In detail, the verification message AI includes a signature matching degree information and a work phase identification code SID. The signature match information can be used to indicate the similarity between the target signature TS and the base signature RS. In an embodiment, the signature match information only presents the similarity determined by the determination module 240. In an alternative embodiment, the signature match information includes a predetermined similarity threshold in addition to the similarity described above. Alternatively, the signature match information may be used to indicate whether the similarity between the target signature TS and the base signature RS is higher than a predetermined similarity threshold.

其後,網頁伺服器210至少基於所收到的驗證訊息AI,決定是否接受存取請求AR。Thereafter, the web server 210 determines whether to accept the access request AR based on at least the received verification message AI.

根據某些實施例,在本發明步驟S113中,網頁伺服器210基於驗證訊息AI中的簽名相符度資訊進行判斷;當簽名相符度資訊指出目標簽名TS通過空中簽名程序AS的驗證時,在本發明步驟S115中,網頁伺服器210接受存取請求AR,進而允許使用者存取受到限制的網路資源。According to some embodiments, in step S113 of the present invention, the web server 210 determines based on the signature matching information in the verification message AI; when the signature matching information indicates that the target signature TS is verified by the air signature program AS, In the inventive step S115, the web server 210 accepts the access request AR, thereby allowing the user to access the restricted network resources.

在某些實施例中,驗證訊息AI更包含簽名裝置230的裝置識別碼。另一方面,可預先將簽名裝置230的關聯裝置識別碼儲存於網頁伺服器210中。此時,在本發明步驟S111之後,可進行本發明步驟S113’,由網頁伺服器210比對用以進行空中簽名程序AS之簽名裝置230的裝置識別碼和預先儲存的關聯裝置識別碼是否相同;且網頁伺服器210可基於驗證訊息AI中的簽名相符度資訊以及裝置識別碼的比對結果,決定是否接受存取請求AR。當簽名相符度資訊指出目標簽名TS通過空中簽名程序AS的驗證且網頁伺服器的比對結果顯示簽名裝置230的裝置識別碼與關聯裝置識別碼相同時,在本發明步驟S115中,網頁伺服器210接受存取請求AR,進而允許使用者存取受到限制的網路資源。透過空中簽名程序AS與比對裝置識別碼的雙重機制,可進一步提升使用者帳戶安全。In some embodiments, the verification message AI further includes the device identification code of the signature device 230. On the other hand, the associated device identification code of the signature device 230 can be stored in the web server 210 in advance. At this time, after the step S111 of the present invention, the step S113' of the present invention can be performed, and the web server 210 compares the device identification code of the signature device 230 for performing the air signature program AS with the pre-stored associated device identification code. And the web server 210 can decide whether to accept the access request AR based on the signature matching degree information in the verification message AI and the comparison result of the device identification code. When the signature matching degree information indicates that the target signature TS is verified by the air signature program AS and the comparison result of the web server shows that the device identification code of the signature device 230 is the same as the associated device identification code, in step S115 of the present invention, the web server is used. 210 accepts the access request AR, thereby allowing the user to access restricted network resources. The user account security can be further enhanced by the dual mechanism of the air signature program AS and the comparison device identifier.

或者是,驗證訊息AI亦可不帶有簽名相符度資訊。舉例來說,簽名裝置230於判斷模組340判斷簽名相似度超過門檻值後,始發送驗證訊息AI;此一驗證訊息AI包含工作階段識別碼SID與裝置識別碼,以供網頁伺服器比對。在此種情形中,網頁伺服器210會比對用以進行空中簽名程序AS之簽名裝置230的裝置識別碼和預先儲存的關聯裝置識別碼是否相同,並基於此一比對結果以決定是否接受存取請求AR。Alternatively, the verification message AI may also have no signature match information. For example, after the determining module 340 determines that the signature similarity exceeds the threshold, the signature device 230 sends the verification message AI; the verification message AI includes the work phase identification code SID and the device identification code for comparison by the web server. . In this case, the web server 210 compares the device identification code of the signature device 230 for performing the air signature program AS with the pre-stored associated device identification code, and determines whether to accept based on the comparison result. Access request AR.

除了上文所述的系統200之外,亦可利用第3圖所示的系統300來實作本發明提出的動態使用者身分驗證方法100。第3圖所示的系統300與第2圖所示的系統200相同,兩者的主要差異在於判斷模組340並非設於簽名裝置330內;反之,判斷模組340可設於一空中簽名伺服器350內,並與簽名裝置330通訊連接,以接收來自簽名裝置330的目標簽名TS,並在進行判斷後產生驗證訊息AI。而後,再由空中簽名伺服器350將驗證訊息AI傳送至網頁伺服器310。根據本發明替代性的實施例,簽名裝置330在傳送目標簽名TS給判斷模組340時,亦可同時傳送其裝置識別碼;而判斷模組340在產生驗證訊息AI時,亦可視需要納入裝置識別碼資訊。In addition to the system 200 described above, the system 300 shown in FIG. 3 can also be utilized to implement the dynamic user identity verification method 100 of the present invention. The system 300 shown in FIG. 3 is the same as the system 200 shown in FIG. 2, and the main difference between the two is that the determination module 340 is not disposed in the signature device 330; otherwise, the determination module 340 can be set in an air signature servo. In the device 350, and in communication with the signature device 330, the target signature TS from the signature device 330 is received, and the verification message AI is generated after the determination. The verification message AI is then transmitted by the air signature server 350 to the web server 310. According to an alternative embodiment of the present invention, the signature device 330 can also transmit the device identification code when transmitting the target signature TS to the determination module 340; and the determination module 340 can also be included in the device when the verification message AI is generated. Identification code information.

本發明還提出了另一種動態使用者身分驗證方法,此方法的特徵之一在於運用空中簽名驗證技術,以強化使用者帳戶安全之保障。此外,此方法得使簽名裝置不需與網頁伺服器互動,於簽名裝置與網頁伺服器之間的連線能力受限時,能夠提供較為便捷的驗證流程。The invention also proposes another dynamic user identity verification method. One of the features of the method is to use the air signature verification technology to strengthen the security of the user account. In addition, the method can make the signature device do not need to interact with the web server, and can provide a more convenient verification process when the connection capability between the signature device and the web server is limited.

第4圖的流程圖繪示一種例示性的動態使用者身分驗證方法400;如圖所示,本實施例之方法步驟以實線表示(步驟S401-S409);而涉及使用者互動的步驟則以點虛線表示(步驟S501)。第5、6圖分別繪示了根據本發明不同實施方式,用以實施動態使用者身分驗證方法(如,方法400)的例示性系統,及系統內各裝置/元件於實作本發明之方法時的互動關係。第5圖及第6圖所示系統所含的裝置、元件分別與第2圖及第3圖相似,主要的差異在於裝置/元件於實作動態使用者身分驗證方法時的互動關係不同;下文僅針對差異部分予以說明,至於各裝置/元件的結構以及其可執行的功能,可參見上文針對第1-3圖的相關敘述。The flowchart of FIG. 4 illustrates an exemplary dynamic user identity verification method 400; as shown, the method steps of the embodiment are indicated by solid lines (steps S401-S409); and the steps involving user interaction are It is indicated by a dotted line (step S501). 5 and 6 respectively illustrate an exemplary system for implementing a dynamic user identity verification method (eg, method 400) in accordance with various embodiments of the present invention, and methods of implementing the present invention in various devices/elements within the system The interaction of time. The devices and components included in the systems shown in Figures 5 and 6 are similar to those in Figures 2 and 3, respectively. The main difference is that the interactions of the devices/components in implementing the dynamic user identity verification method are different; Only the differences are explained. For the structure of each device/element and the functions that it can perform, refer to the related description above for Figures 1-3.

根據本發明實施方式,使用動態使用者身分驗證方法400與系統200來進行使用者身分驗證的流程如下。使用者在簽名裝置230中啟動空中簽名程序。舉例來說,使用者可透過空中簽名程序的使用者介面選擇或輸入欲存取的受限制資源的名稱或位址,而後在使用者互動步驟S501進行空中簽名。According to an embodiment of the present invention, the flow of user identity verification using the dynamic user identity verification method 400 and the system 200 is as follows. The user initiates an air signature program in the signature device 230. For example, the user can select or input the name or address of the restricted resource to be accessed through the user interface of the air signature program, and then perform an air signature in the user interaction step S501.

當使用者進行空中簽名時,簽名裝置230會感測使用者移動簽名裝置230的移動特徵,並產生目標簽名TS(本發明步驟S401)。When the user performs an air signature, the signature device 230 senses the movement characteristics of the user's mobile signature device 230 and generates a target signature TS (step S401 of the present invention).

其後,在S403由位於簽名裝置230內的判斷模組240判斷目標簽名TS是否與基礎簽名RS相符,並做出判斷結果。Thereafter, at S403, the determination module 240 located in the signature device 230 determines whether the target signature TS matches the basic signature RS, and makes a determination result.

在本發明步驟S405中,當判斷模組240認定目標簽名TS是否與基礎簽名RS之間的相似度高於門檻值時,判斷模組240判斷目標簽名與基礎簽名相符,並產生驗證通過訊息(PASS)。同樣在本發明步驟S405中,簽名裝置230將驗證通過訊息PASS編碼為適當的型式並傳送至登入裝置220。舉例來說,簽名裝置230將驗證通過訊息PASS編碼為QR碼之型式,再由登入裝置220的影像擷取設備擷取QR碼。In the step S405 of the present invention, when the determining module 240 determines whether the similarity between the target signature TS and the basic signature RS is higher than the threshold, the determining module 240 determines that the target signature matches the basic signature, and generates a verification pass message ( PASS). Also in step S405 of the present invention, the signature device 230 encodes the verification pass message PASS into an appropriate format and transmits it to the login device 220. For example, the signature device 230 encodes the verification message PASS into a QR code, and the image capture device of the login device 220 retrieves the QR code.

在某些可任選的實施方式中,驗證通過訊息PASS包含使用者帳號與密碼,但不含資源位址資訊URL。此時,方法400包含利用登入裝置220接收資源位址資訊URL之輸入,並利用登入裝置220帶入驗證通過訊息PASS中的使用者帳號與密碼。舉例來說,登入裝置220可呈現一瀏覽器介面供使用者輸入資源位址資訊URL,之後從登入裝置220接收到QR碼後,自動帶入編碼於QR碼中該資源位址資訊URL指向之網頁伺服器210所需的使用者帳號與密碼(本發明步驟407)。In some optional implementations, the verification pass message PASS includes the user account and password, but does not include the resource address information URL. At this time, the method 400 includes receiving the input of the resource address information URL by using the login device 220, and using the login device 220 to bring in the user account and password in the verification pass message PASS. For example, the login device 220 can present a browser interface for the user to input the resource address information URL. After receiving the QR code from the login device 220, the login device 220 automatically brings in the QR code to point to the resource address information URL. User account and password required by web server 210 (step 407 of the present invention).

或者是,驗證通過訊息PASS同時包含資源位址資訊URL以及使用者帳號與密碼。在這種情形中,方法400包含利用登入裝置220帶入資源位址資訊URL以及使用者帳號與密碼。換句話說,登入裝置220接收到QR碼後會呈現一瀏覽器介面,且該瀏覽器介面已自動帶入編碼於QR碼中的資源位址資訊URL、使用者帳號與密碼(本發明步驟407)。Alternatively, the verification pass message PASS includes both the resource address information URL and the user account and password. In this case, method 400 includes utilizing login device 220 to bring in a resource address information URL and a user account and password. In other words, after receiving the QR code, the login device 220 presents a browser interface, and the browser interface has automatically brought in the resource address information URL, user account and password encoded in the QR code (step 407 of the present invention). ).

根據另一些可任選的實施方式,驗證通過訊息PASS包含資源位址資訊URL,但不含使用者帳號與密碼。在這類實施方式中,所述的登入裝置220可設有外掛模組,於外掛模組中存有使用者帳號與密碼;此時本方法400可利用外掛模組先帶入驗證通過訊息中的資源位址資訊URL,再帶入儲存於外掛模組內的使用者帳號與密碼。在此類實施例中,登入裝置220接收到QR碼後會呈現啟用上述外掛模組之瀏覽器介面,且該瀏覽器介面已自動帶入編碼於QR碼中的資源位址資訊URL以及預先儲存於外掛模組中的使用者帳號與密碼(本發明步驟407)。According to other optional embodiments, the verification pass message PASS includes the resource address information URL, but does not include the user account and password. In this embodiment, the login device 220 can be provided with a plug-in module, and the user account and password are stored in the plug-in module; in this case, the method 400 can be brought into the verification pass message by using the plug-in module. The resource address information URL is then brought into the user account and password stored in the plug-in module. In such an embodiment, after receiving the QR code, the login device 220 presents a browser interface that enables the plug-in module, and the browser interface automatically brings in the resource address information URL encoded in the QR code and pre-stored. User account and password in the plug-in module (step 407 of the present invention).

之後,在本發明步驟S409,登入裝置220向網頁伺服器210傳送存取請求AR。根據本發明的原理與精神,此一存取請求AR包含資源位址資訊URL、使用者帳號與密碼等資訊,網頁伺服器210即可基於此一存取請求AR決定接受或拒絕使用者使用受限制的資源。Thereafter, in step S409 of the present invention, the login device 220 transmits an access request AR to the web server 210. According to the principle and spirit of the present invention, the access request AR includes information such as a resource address information URL, a user account and a password, and the web server 210 can decide to accept or reject the user's use based on the access request AR. Restricted resources.

此外,根據本發明某些實施方式,動態使用者身分驗證方法400亦可運用於系統300中。第5圖所示之系統200與第6圖所示之系統300間的差異如上文所述,下文參照第4圖與第6圖,並針對其與運用系統200實作動態使用者身分驗證方法400的差異加以說明。Moreover, dynamic user identity verification method 400 can also be utilized in system 300 in accordance with certain embodiments of the present invention. The difference between the system 200 shown in FIG. 5 and the system 300 shown in FIG. 6 is as described above, and reference is made to FIGS. 4 and 6 below, and a dynamic user identity verification method is implemented for the same with the operating system 200. The difference of 400 is explained.

於本實施例中,使用者在簽名裝置330中啟動空中簽名程序,並藉由移動簽名裝置330進行空中簽名(使用者互動步驟S501)。簽名裝置330產生目標簽名TS後(本發明步驟S401),透過通訊元件將目標簽名TS傳送至判斷模組340(譬如,設於空中簽名伺服器350內的判斷模組340),再由判斷模組340判斷目標簽名TS與基礎簽名RS的相似度(本發明步驟S403)。判斷模組340基於上述判斷結果產生驗證訊息AI,並將透過空中簽名伺服器350之通訊元件將其傳送至簽名裝置330。在本發明步驟S405中,當驗證訊息AI指出TS與基礎簽名RS間的相似度高於門檻值時,簽名裝置330判斷目標簽名與基礎簽名相符,並產生驗證通過訊息(PASS)。同樣在本發明步驟S405中,簽名裝置330將驗證通過訊息PASS編碼為適當的型式並傳送至登入裝置320。之後,在本發明步驟407中,登入裝置320於接收到驗證通過訊息PASS後,可利用上文所述的任一種方法,在瀏覽器介面中帶入編碼於驗證通過訊息PASS中或使用者透過登入裝置220之輸入裝置輸入的資源位址資訊URL,以及帶入編碼於驗證通過訊息PASS中或由外掛模組帶入的使用者帳號與密碼。最後,於本發明步驟S409中,登入裝置320向網頁伺服器310傳送存取請求AR,而網頁伺服器210基於存取請求AR中的資源位址資訊URL與使用者帳號與密碼,決定是否接受使用者使用受限制的資源。In the present embodiment, the user activates the air signature program in the signature device 330 and performs an air signature by the mobile signature device 330 (user interaction step S501). After the signature device 330 generates the target signature TS (step S401 of the present invention), the target signature TS is transmitted to the determination module 340 via the communication component (for example, the determination module 340 disposed in the air signature server 350), and then the determination module The group 340 judges the similarity between the target signature TS and the base signature RS (step S403 of the present invention). The determination module 340 generates a verification message AI based on the above determination result, and transmits it to the signature device 330 through the communication component of the air signature server 350. In step S405 of the present invention, when the verification message AI indicates that the similarity between the TS and the base signature RS is higher than the threshold value, the signature device 330 determines that the target signature matches the base signature and generates a verification pass message (PASS). Also in step S405 of the present invention, the signature device 330 encodes the verification pass message PASS into an appropriate format and transmits it to the login device 320. Then, in step 407 of the present invention, after receiving the verification pass message PASS, the login device 320 can use any of the methods described above to bring the code into the verification pass message PASS or the user through the browser interface. The resource address information URL input by the input device of the login device 220, and the user account and password encoded in the verification pass message PASS or brought by the plug-in module. Finally, in step S409 of the present invention, the login device 320 transmits an access request AR to the web server 310, and the web server 210 determines whether to accept based on the resource address information URL and the user account and password in the access request AR. Users use restricted resources.

上文所述的動態使用者身分驗證方法100、400都是從完成整個動態使用者身分驗證流程的角度出發。當可想見,本發明之範圍亦涵蓋從網頁伺服器端、登入裝置端、簽名裝置端或判斷模組端任一者之角度所完成的方法流程。The dynamic user identity verification methods 100, 400 described above are all from the perspective of completing the entire dynamic user identity verification process. As can be imagined, the scope of the present invention also covers the flow of methods performed from the perspective of any of the web server, the login device, the signature device, or the judging module.

從網頁伺服器執行的動作出發,根據發明某些實施方式所述的動態使用者身分驗證方法包含以下步驟:(1)利用一網頁伺服器接收來自該登入裝置的一存取請求;(2)利用該網頁伺服器基於該存取請求產生一資源位址資訊與一工作階段識別碼,並將其傳送至該登入裝置,其中該登入裝置產生包含該資源位址資訊與該工作階段識別碼的一啟動信號並將其傳送至一簽名裝置,藉使該簽名裝置基於該啟動信號啟動一空中簽名程序,透過利用一移動感測器來感測使用者移動該簽名裝置的移動特徵,以產生一目標簽名,當一判斷模組判斷該目標簽名是否與一基礎簽名相符後,產生一驗證訊息,並將該驗證訊息傳送至該網頁伺服器,該驗證訊息包含一簽名相符度資訊與該工作階段識別碼;以及(3)利用該網頁伺服器基於該驗證訊息,決定是否接受該存取請求。Starting from the action performed by the web server, the dynamic user identity verification method according to some embodiments of the present invention includes the following steps: (1) receiving an access request from the login device by using a web server; (2) Generating, by the web server, a resource address information and a work phase identification code based on the access request, and transmitting the same to the login device, wherein the login device generates the resource address information and the work phase identification code. Transmitting a signal and transmitting it to a signature device, wherein the signature device activates an air signature program based on the activation signal, by using a motion sensor to sense a movement feature of the user moving the signature device to generate a a target signature, when a determining module determines whether the target signature matches a basic signature, generates a verification message, and transmits the verification message to the web server, the verification message includes a signature matching degree information and the working stage An identification code; and (3) using the web server to determine whether to accept the access request based on the verification message

從登入裝置執行的動作出發,根據發明某些實施方式所述的動態使用者身分驗證方法包含以下步驟:(1)利用登入裝置發送存取請求至網頁伺服器,其中網頁伺服器基於該存取請求產生一資源位址資訊與一工作階段識別碼,並將其傳送至該登入裝置時;以及(2)利用該登入裝置產生包含該資源位址資訊與該工作階段識別碼的一啟動信號並將其傳送至一簽名裝置,藉使該簽名裝置基於該啟動信號啟動一空中簽名程序,以透過一移動感測器來以感測使用者移動該簽名裝置的移動特徵,並產生一目標簽名,當一判斷模組判斷該目標簽名是否與一基礎簽名相符時,產生一驗證訊息,並將該驗證訊息傳送至該網頁伺服器,該驗證訊息包含一簽名相符度資訊與該工作階段識別碼,以及利用該網頁伺服器基於該驗證訊息,決定是否接受該存取請求。Starting from the action performed by the login device, the dynamic user identity verification method according to some embodiments of the present invention includes the following steps: (1) sending an access request to the web server by using the login device, wherein the web server is based on the access Requesting to generate a resource address information and a work phase identifier and transmitting the same to the login device; and (2) using the login device to generate a start signal including the resource address information and the session identifier Transmitting it to a signature device, such that the signature device activates an air signature program based on the activation signal to sense a user moving the signature feature of the signature device through a motion sensor and generate a target signature. When the determining module determines whether the target signature matches a basic signature, generating a verification message, and transmitting the verification message to the webpage server, the verification message includes a signature matching degree information and the session identifier. And using the web server to determine whether to accept the access request based on the verification message.

從簽名裝置執行的動作出發,根據發明某些實施方式所述的動態使用者身分驗證方法包含以下步驟:(1)當一網頁伺服器接收來自登入裝置的一存取請求,網頁伺服器基於該存取請求產生一資源位址資訊與一工作階段識別碼並將其傳送至該登入裝置,該登入裝置產生包含該資源位址資訊與該工作階段識別碼的一啟動信號時,利用一簽名裝置接收一啟動信號並基於該啟動信號啟動一空中簽名程序,其中該簽名裝置包含一移動感測器,用以感測使用者移動該簽名裝置的移動特徵,以產生一目標簽名;以及(2)利用該簽名裝置的一判斷模組判斷該目標簽名是否與一基礎簽名相符,以產生一驗證訊息,並將該驗證訊息傳送至該網頁伺服器,該驗證訊息包含一簽名相符度資訊與該工作階段識別碼,藉使該網頁伺服器基於該驗證訊息,決定是否接受該存取請求。Starting from the action performed by the signature device, the dynamic user identity verification method according to some embodiments of the present invention includes the following steps: (1) when a web server receives an access request from the login device, the web server is based on the The access request generates a resource address information and a work phase identification code and transmits the same to the login device, and the login device generates a start signal including the resource address information and the work phase identification code, and uses a signature device Receiving an activation signal and initiating an air signature program based on the activation signal, wherein the signature device includes a motion sensor for sensing a movement feature of the user to move the signature device to generate a target signature; and (2) Determining whether the target signature matches a basic signature by using a determining module of the signature device to generate a verification message, and transmitting the verification message to the web server, the verification message including a signature matching degree information and the work The stage identification code, if the web server determines whether to accept the access based on the verification message .

從簽名裝置執行的動作出發,根據發明某些實施方式所述的動態使用者身分驗證方法包含以下步驟:(1)當一網頁伺服器接收來自登入裝置的一存取請求,網頁伺服器基於該存取請求產生一資源位址資訊與一工作階段識別碼並將其傳送至該登入裝置,該登入裝置產生包含該資源位址資訊與該工作階段識別碼的一啟動信號時,利用一簽名裝置接收一啟動信號並基於該啟動信號啟動一空中簽名程序,其中該簽名裝置包含一移動感測器,用以感測使用者移動該簽名裝置的移動特徵,以產生一目標簽名;以及(2)利用該簽名裝置將目標簽名傳送至一判斷模組,藉使該判斷模組判斷該目標簽名是否與一基礎簽名相符,以產生一驗證訊息,並將該驗證訊息傳送至該網頁伺服器,該驗證訊息包含一簽名相符度資訊與該工作階段識別碼,以及該網頁伺服器基於該驗證訊息,決定是否接受該存取請求。Starting from the action performed by the signature device, the dynamic user identity verification method according to some embodiments of the present invention includes the following steps: (1) when a web server receives an access request from the login device, the web server is based on the The access request generates a resource address information and a work phase identification code and transmits the same to the login device, and the login device generates a start signal including the resource address information and the work phase identification code, and uses a signature device Receiving an activation signal and initiating an air signature program based on the activation signal, wherein the signature device includes a motion sensor for sensing a movement feature of the user to move the signature device to generate a target signature; and (2) Using the signature device to transmit the target signature to a determination module, if the determination module determines whether the target signature matches a basic signature, to generate a verification message, and transmit the verification message to the web server, The verification message includes a signature match information and the session ID, and the web server is based on the Card message, decide whether to accept the access request.

當可想見,本發明另一種態樣乃是關於一種電腦可儲存媒體(例如程式模組)。所述的電腦可儲存媒體其上存有電腦可讀取指令,所述指令經執行時,可用以進行本發明上述各態樣/實施例所述的動態使用者身分驗證方法。以程式模組為例,用以執行所述方法的網頁伺服器、登入裝置、簽名裝置及/或判斷模組各別儲存有此一程式模組的一部或全部,以便協同作動而完成所述動態使用者身分驗證方法。或者是,上述程式模組之一部或全部可儲存於網頁伺服器、登入裝置、簽名裝置與判斷模組其中一或多者以外的裝置或位置,並於有需要時透過適當傳輸機制(如通訊元件)傳輸至該些裝置/元件。As can be appreciated, another aspect of the present invention is directed to a computer storable medium (e.g., a program module). The computer storable medium has computer readable instructions stored thereon, and when executed, the instructions can be used to perform the dynamic user identity verification method described in the above aspects/embodiments of the present invention. Taking a program module as an example, the web server, the login device, the signature device and/or the determination module for executing the method respectively store one or all of the program modules in order to cooperate with each other to complete the operation. The dynamic user identity verification method. Alternatively, one or all of the program modules may be stored in a device or location other than one or more of the web server, the login device, the signature device, and the determination module, and may be transmitted through an appropriate transmission mechanism (eg, The communication component is transmitted to the devices/components.

另一方面,本發明的一態樣是關於一種用以執行上述動態使用者身分驗證方法的系統。舉例來說,所述系統可包含一登入裝置以及一簽名裝置。在某些實施方式中,所述系統還可包含一網頁伺服器及/或一空中簽名驗證伺服器。所述系統所包含的各種裝置/元件之結構與功能,如上文所述。In another aspect, an aspect of the invention is directed to a system for performing the dynamic user identity verification method described above. For example, the system can include a login device and a signature device. In some embodiments, the system can also include a web server and/or an air signature verification server. The structure and function of the various devices/elements included in the system are as described above.

雖然上文實施方式中揭露了本發明的具體實施例,然其並非用以限定本發明,本發明所屬技術領域中具有通常知識者,在不悖離本發明之原理與精神的情形下,當可對其進行各種更動與修飾,因此本發明之保護範圍當以附隨申請專利範圍所界定者為準。Although the embodiments of the present invention are disclosed in the above embodiments, the present invention is not intended to limit the invention, and the present invention may be practiced without departing from the spirit and scope of the invention. Various changes and modifications may be made thereto, and the scope of the invention is defined by the scope of the appended claims.

符號說明如下:
100、400‧‧‧方法
S101~S115、S201~S203、S401~S409、S501‧‧‧步驟
200、300‧‧‧系統
210、310‧‧‧網頁伺服器
220、320‧‧‧登入裝置
230、330‧‧‧簽名裝置
240、340‧‧‧判斷模組
350‧‧‧空中簽名伺服器
AI‧‧‧驗證訊息
AR‧‧‧存取請求
I‧‧‧啟動信號
PASS‧‧‧驗證通過訊息
SID‧‧‧工作階段識別碼
TS‧‧‧目標簽名
URL‧‧‧資源位址資訊
The symbols are as follows:
100, 400‧‧‧ method
S101~S115, S201~S203, S401~S409, S501‧‧‧ steps
200, 300‧‧‧ system
210, 310‧‧‧Web server
220, 320‧‧‧ Login device
230, 330‧‧‧ Signature device
240, 340‧‧‧ judgment module
350‧‧‧Air signature server
AI‧‧‧ verification message
AR‧‧‧ access request
I‧‧‧ start signal
PASS‧‧‧Verification pass message
SID‧‧‧Working Stage ID
TS‧‧‧Target Signature
URL‧‧‧Resource Address Information

為讓本發明的上述與其他目的、特徵、優點與實施例能更明顯易懂,所附圖式之說明如下: 第1圖為流程圖,其繪示根據本發明一實施例之動態使用者身分驗證方法; 第2圖為示意圖,其繪示根據本發明一實施例,用以執行動態使用者身分驗證方法100的系統及裝置/元件間的互動; 第3圖為示意圖,其繪示根據本發明另一實施例,用以執行動態使用者身分驗證方法100的系統及裝置/元件間的互動; 第4圖為流程圖,其繪示根據本發明另一實施例之動態使用者身分驗證方法; 第5圖為示意圖,其繪示根據本發明又一實施例,用以執行動態使用者身分驗證方法400的系統及裝置/元件間的互動;以及 第6圖為示意圖,其繪示根據本發明另一實施例,用以執行動態使用者身分驗證方法400的系統及裝置/元件間的互動。The above and other objects, features, advantages and embodiments of the present invention will become more apparent and understood. The description of the drawings is as follows: FIG. 1 is a flow chart illustrating a dynamic user in accordance with an embodiment of the present invention. FIG. 2 is a schematic diagram showing the interaction between the system and the device/component for performing the dynamic user identity verification method 100 according to an embodiment of the invention; FIG. 3 is a schematic diagram showing Another embodiment of the present invention is a system and apparatus/component interaction for performing the dynamic user identity verification method 100. FIG. 4 is a flow chart illustrating dynamic user identity verification according to another embodiment of the present invention. FIG. 5 is a schematic diagram showing a system and apparatus/component interaction for performing a dynamic user identity verification method 400 according to still another embodiment of the present invention; and FIG. 6 is a schematic diagram showing Another embodiment of the present invention is used to perform the interaction between the system and device/components of the dynamic user identity verification method 400.

根據慣常的作業方式,圖中各種特徵與元件並未依比例繪製,其繪製方式是為了以最佳的方式呈現與本發明相關的具體特徵與元件。此外,在不同圖式間,以相同或相似的元件符號來指稱相似的元件/部件。The various features and elements in the figures are not drawn to scale, and are in the In addition, similar elements/components are referred to by the same or similar element symbols throughout the different drawings.

100‧‧‧方法 100‧‧‧ method

S101~S203‧‧‧步驟 S101~S203‧‧‧Steps

Claims (16)

一種動態使用者身分驗證方法,其係用以驗證一登入裝置的使用者身分,包含以下步驟:利用一網頁伺服器接收來自該登入裝置的一存取請求;利用該網頁伺服器基於該存取請求產生一資源位址資訊與一工作階段識別碼,並將其傳送至該登入裝置;利用該登入裝置產生包含該資源位址資訊與該工作階段識別碼的一啟動信號並將其傳送至與該登入裝置不同的一簽名裝置;利用該簽名裝置基於該啟動信號啟動一空中簽名程序,其中該簽名裝置包含一移動感測器,用以感測使用者移動該簽名裝置的移動特徵,以產生一目標簽名;利用一判斷模組判斷該目標簽名是否與一基礎簽名相符,以產生一驗證訊息,並將該驗證訊息依據該資源位址資訊傳送至該網頁伺服器,該驗證訊息包含一簽名相符度資訊與該工作階段識別碼;以及利用該網頁伺服器基於該驗證訊息,決定是否接受該存取請求。 A dynamic user identity verification method for verifying a user identity of a login device includes the steps of: receiving an access request from the login device using a web server; and utilizing the web server based on the access Requesting to generate a resource address information and a work phase identification code, and transmitting the same to the login device; using the login device to generate an activation signal including the resource address information and the work phase identification code and transmitting the same to the The signing device is different from a signature device; the signature device is used to activate an air signature program based on the activation signal, wherein the signature device includes a motion sensor for sensing a movement feature of the user to move the signature device to generate a target signature; determining whether the target signature matches a basic signature by using a determining module to generate a verification message, and transmitting the verification message to the web server according to the resource address information, the verification message including a signature Conformity information and the work phase identification code; and using the web server based on the verification message Decide whether to accept the access request. 如請求項1所述的方法,其中該存取請求包含:輸入於該登入裝置中的使用者帳號或輸入使用者帳號與密碼。 The method of claim 1, wherein the access request comprises: a user account entered in the login device or inputting a user account and password. 如請求項1所述的方法,其中該啟動信號係編碼為一光學可識別資料、音調資料或可透過通訊裝置傳輸的資料。 The method of claim 1, wherein the activation signal is encoded as an optically identifiable material, tonal data, or data transmittable by the communication device. 如請求項3所述的方法,其中該光學可識別資料為一快速回應(QR)碼、條碼、圖片、文字串、或光線閃爍頻率組合。 The method of claim 3, wherein the optically identifiable material is a quick response (QR) code, a bar code, a picture, a text string, or a combination of light flicker frequencies. 如請求項1所述的方法,其中該移動特徵包括以下至少一者:移動方向、加速度與角速度。 The method of claim 1, wherein the moving feature comprises at least one of: a moving direction, an acceleration, and an angular velocity. 如請求項5所述的方法,其中該判斷模組比對該目標簽名的移動方向、加速度及/或角速度與該基礎簽名的移動方向、加速度及/或角速度之間的相似度,且當該相似度高於一門檻值時,該判斷模組判斷該目標簽名與該基礎簽名相符。 The method of claim 5, wherein the determining module compares a moving direction, an acceleration, and/or an angular velocity of the target signature with a moving direction, an acceleration, and/or an angular velocity of the base signature, and when When the similarity is higher than a threshold, the determining module determines that the target signature matches the basic signature. 如請求項1所述的方法,其中該驗證訊息更包含該簽名裝置的一裝置識別碼,且該方法更包含:利用該網頁伺服器比對該裝置識別碼以及與該使用者相關的一關聯裝置識別碼,以得到一比對結果;以及利用該網頁伺服器基於該簽名相符度資訊與該比對結果,決定是否接受該存取請求。 The method of claim 1, wherein the verification message further comprises a device identification code of the signature device, and the method further comprises: utilizing the web server to associate the device identification code with an associated with the user The device identification code is used to obtain a comparison result; and the web server is used to determine whether to accept the access request based on the signature matching degree information and the comparison result. 如請求項1所述的方法,其中該判斷模組設於該簽名裝置內。 The method of claim 1, wherein the determining module is disposed in the signature device. 如請求項1所述的方法,其中該判斷模組設於一空中簽名驗證伺服器內。 The method of claim 1, wherein the determining module is disposed in an air signature verification server. 一種動態使用者身分驗證方法,其係用以驗證一登入裝置的使用者身分,包含以下步驟:利用一網頁伺服器接收來自該登入裝置的一存取請求;利用該網頁伺服器基於該存取請求產生一資源位址資訊與一工作階段識別碼,並將其傳送至該登入裝置;利用該登入裝置產生包含該資源位址資訊與該工作階段識別碼的一啟動信號並將其傳送至與該登入裝置不同的一簽名裝置; 利用該簽名裝置基於該啟動信號啟動一空中簽名程序,其中該簽名裝置包含一移動感測器,用以感測使用者移動該簽名裝置的移動特徵,以產生一目標簽名;利用一判斷模組判斷該目標簽名是否與一基礎簽名相符,其中該判斷模組位於該簽名裝置中,且當該目標簽名與該基礎簽名相符時,利用判斷模組產生一驗證訊息,並將該驗證訊息依據該資源位址資訊傳送至該網頁伺服器,該驗證訊息包含該工作階段識別碼與一裝置識別碼;利用該網頁伺服器比對該裝置識別碼以及與該使用者相關的一關聯裝置識別碼,以得到一比對結果;以及利用該網頁伺服器基於該比對結果,決定是否接受該存取請求。 A dynamic user identity verification method for verifying a user identity of a login device includes the steps of: receiving an access request from the login device using a web server; and utilizing the web server based on the access Requesting to generate a resource address information and a work phase identification code, and transmitting the same to the login device; using the login device to generate an activation signal including the resource address information and the work phase identification code and transmitting the same to the a different signature device of the login device; Using the signature device to initiate an air signature program based on the activation signal, wherein the signature device includes a motion sensor for sensing a movement feature of the user to move the signature device to generate a target signature; using a determination module Determining whether the target signature is consistent with a basic signature, wherein the determining module is located in the signature device, and when the target signature matches the basic signature, the determining module generates a verification message, and the verification message is The resource address information is transmitted to the webpage server, and the verification message includes the work phase identification code and a device identification code; the server identifier is used to compare the device identification code with an associated device identification code associated with the user, To obtain a comparison result; and using the web server to determine whether to accept the access request based on the comparison result. 如請求項10所述的方法,其中該存取請求包含:輸入於該登入裝置中的使用者帳號或輸入使用者帳號與密碼。 The method of claim 10, wherein the access request comprises: a user account entered in the login device or a user account and password. 如請求項10所述的方法,其中該啟動信號係編碼為一光學可識別資料、音調資料或可透過通訊裝置傳輸的資料。 The method of claim 10, wherein the activation signal is encoded as an optically identifiable material, tonal data, or data transmittable by the communication device. 如請求項12所述的方法,其中該光學可識別資料為一快速回應(QR)碼、條碼、圖片、文字串、或光線閃爍頻率組合。 The method of claim 12, wherein the optically identifiable material is a quick response (QR) code, a bar code, a picture, a text string, or a combination of light flicker frequencies. 如請求項10所述的方法,其中該移動特徵包括以下至少一者:移動方向、加速度與角速度。 The method of claim 10, wherein the moving feature comprises at least one of: a moving direction, an acceleration, and an angular velocity. 如請求項14所述的方法,其中該判斷模組比對該目標簽名的移動方向、加速度及/或角速度與該基礎簽名的移動方向、加速度及/或角速度之間的相似度,且當該相似度高於一門檻值時,該判斷模組判斷該目標簽名與該基礎簽名相符。 The method of claim 14, wherein the determining module compares a moving direction, an acceleration, and/or an angular velocity of the target signature with a moving direction, an acceleration, and/or an angular velocity of the base signature, and when When the similarity is higher than a threshold, the determining module determines that the target signature matches the basic signature. 一種動態使用者身分驗證方法,其係用以驗證一登入裝置的使用者身分,包含以下步驟:利用與該登入裝置不同的一簽名裝置感測使用者移動該簽名裝置的移動特徵,以產生一目標簽名,其中該簽名裝置包含一移動感測器並儲存有一空中簽名程序;利用一判斷模組判斷該目標簽名是否與一基礎簽名相符;當該目標簽名與該基礎簽名相符時,利用該判斷模組或簽名裝置產生一驗證通過訊息並將其傳送至該登入裝置,該驗證通過訊息可包含資源位址資訊及/或使用者帳號與密碼;其中:(1)當該驗證通過訊息僅包含該使用者帳號與密碼時,利用該登入裝置接收一資源位址資訊之輸入,並帶入該驗證通過訊息中的使用者帳號與密碼;(2)當該驗證通過訊息包含該資源位址資訊及該使用者帳號與密碼時,利用該登入裝置帶入該資源位址資訊以及該使用者帳號與密碼;或(3)當該驗證通過訊息僅含該資源位址資訊時,該登入裝置包含一外掛模組,該外掛模組中存有該使用者帳號與密碼,其中利用該外掛模組先帶入該驗證通過訊息中的該資源位址資訊再帶入該使用者帳號與密碼;利用登入裝置向一網頁伺服器傳送一存取請求,其中該存取請求包括一資源位址資訊以及該使用者帳號與密碼;以及 利用該網頁伺服器基於該存取請求,決定是否接受使用者使用受限制的資源。A dynamic user identity verification method for verifying a user identity of a login device includes the steps of: sensing, by a signature device different from the login device, a user moving a mobile feature of the signature device to generate a a target signature, wherein the signature device includes a mobile sensor and stores an air signature program; determining, by a determining module, whether the target signature matches a basic signature; and when the target signature matches the basic signature, using the determination The module or signature device generates a verification pass message and transmits it to the login device, the verification pass message may include resource address information and/or a user account and password; wherein: (1) when the verification pass message only contains When the user account and the password are used, the login device receives the input of the resource address information and brings in the user account and password in the verification pass message; (2) when the verification pass message includes the resource address information And the user account and password, using the login device to bring in the resource address information and the user account and password Or (3) when the verification pass message contains only the resource address information, the login device includes an external module, and the user account and password are stored in the plug-in module, wherein the plug-in module is used first Bringing the resource address information in the verification pass message to the user account and password; using the login device to transmit an access request to a web server, wherein the access request includes a resource address information and the User account and password; and Based on the access request, the web server determines whether to accept the user's use of the restricted resource.
TW105136336A 2015-01-29 2016-11-08 Methods for dynamic user identity authentication TWI604330B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
US15/007,268 US20160226865A1 (en) 2015-01-29 2016-01-27 Motion based authentication systems and methods

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201710750381.9A CN108063750A (en) 2015-01-29 2017-08-28 dynamic user identity verification method

Publications (2)

Publication Number Publication Date
TW201727526A TW201727526A (en) 2017-08-01
TWI604330B true TWI604330B (en) 2017-11-01

Family

ID=60190966

Family Applications (1)

Application Number Title Priority Date Filing Date
TW105136336A TWI604330B (en) 2015-01-29 2016-11-08 Methods for dynamic user identity authentication

Country Status (1)

Country Link
TW (1) TWI604330B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
TWI638307B (en) * 2017-08-04 2018-10-11 台灣資服科技股份有限公司 Multi-factor login system and login method

Also Published As

Publication number Publication date
TW201727526A (en) 2017-08-01

Similar Documents

Publication Publication Date Title
US10708257B2 (en) Systems and methods for using imaging to authenticate online users
EP3108397B1 (en) Trust broker authentication method for mobile devices
US9032498B1 (en) Method for changing authentication for a legacy access interface
CN108063750A (en) dynamic user identity verification method
KR100992573B1 (en) Authentication method and system using mobile terminal
US10440019B2 (en) Method, computer program, and system for identifying multiple users based on their behavior
JP2020509475A (en) Reliable login methods, servers, and systems
US10015171B1 (en) Authentication using metadata from posts made to social networking websites
KR20170126444A (en) Face detection
JP4960738B2 (en) Authentication system, authentication method, and authentication program
EP3673398B1 (en) Secure authorization for access to private data in virtual reality
CN105656850B (en) Data processing method, related device and system
TWI548249B (en) Method for verifying secruity data, system, and a computer-readable storage device
US11057372B1 (en) System and method for authenticating a user to provide a web service
US10936705B2 (en) Authentication method, electronic device, and computer-readable program medium
TWI604330B (en) Methods for dynamic user identity authentication
KR102284876B1 (en) System and method for federated authentication based on biometrics
US10367805B2 (en) Methods for dynamic user identity authentication
KR101768318B1 (en) Method, apparatus, and computer program for user authentication
CN112154636A (en) Deep link authentication
KR20140127669A (en) Method and apparatus for authentication based on image
US11405380B2 (en) Systems and methods for using imaging to authenticate online users
US10848309B2 (en) Fido authentication with behavior report to maintain secure data connection
WO2019001566A1 (en) Authentication method and device

Legal Events

Date Code Title Description
MM4A Annulment or lapse of patent due to non-payment of fees