TWI744698B - Authentication system, terminal, authentication method, and program product - Google Patents

Abstract

The identification information obtaining means (102) of the authentication system (1) is for obtaining identification information about the first terminal (20). The first receiving means (104) is to receive the predetermined inquiry repeatedly sent by the first terminal (20). The second receiving means (105) receives the identification information from the second terminal (30) when the identification information of the first terminal (20) is read by the authenticated second terminal (30). The state control means (106) is based on the query received from the first terminal (20) and the identification information received from the second terminal (30), and the first terminal (20) is turned into an authenticated state .

Description

Authentication system, terminal, authentication method, and program product

The invention relates to an authentication system, a terminal, an authentication method, and a program product.

Previously, the technology needed to save the trouble of entering the user ID or password during authentication was studied. For example, Patent Document 1 describes that when a terminal device (such as a personal computer) receives a service from a service providing server device, by using a two-dimensional code containing terminal identification information, the terminal device can be accessed without inputting authentication information. The technology that makes it into a certified state to provide services.

In the technology of Patent Document 1, once the terminal device accesses the service providing server device, the service providing server device sends the terminal identification information together with the issuance request of the QR code to the authentication server. The authentication server device generates a QR code containing terminal identification information and sends it to the service provider server device. Once the service providing server device receives the two-dimensional code, it causes the two-dimensional code to be displayed on the authentication screen of the terminal device.

After that, the user operates a portable communication device (such as a mobile phone) and reads the QR code displayed on the terminal device. The portable communication device will contain the user ID and password that it has memorized. The authentication information of and the information stored in the QR code are sent to the authentication server device. The authentication server device confirms the legitimacy of the authentication information and sends the authentication result to the service providing server device. The service providing server device switches the display of the terminal device from the authentication screen to the service content screen once it receives the indication of successful authentication. In this way, the terminal device becomes an authenticated state, and the user can use the service. [Prior Technical Literature] [Patent Literature]

[Patent Document 1] Japanese Patent No. 4660398

[The problem to be solved by the invention]

However, in the technique of Patent Document 1, since the service providing server device spontaneously turns the terminal device into an authenticated state and switches the display, if there is a temporary communication failure at that moment, the terminal device The display will not be switched, and the user will not be able to use the service content. In this regard, although it is also considered that the service providing server device repeatedly sends the display switching instruction until the communication is restored, as long as the number of terminal devices increases, the processing load of the service providing server device will also become higher. high.

The purpose of the present invention is to reduce the processing load of the computer that turns the terminal into an authenticated state. [Means to solve the problem]

In order to solve the above-mentioned problem, the authentication system of the present invention is characterized in that it includes: identification information obtaining means for obtaining identification information about the first terminal; and a first receiving means for receiving 1 The predetermined query sent repeatedly by the terminal; and the second receiving means is used to read the previous identification information of the first terminal by the authenticated second terminal, and the second terminal from the previous Receiving the preface identification information; and the state control means are used to turn the preface first terminal into authenticated based on the preface query received from the preface first terminal and the preface identification information received from the preface second terminal state.

[1. The overall structure of the authentication system]

Hereinafter, an example of the embodiment related to the present invention will be described in detail based on the drawings. Fig. 1 is a diagram showing an example of the authentication system described in the embodiment. As shown in FIG. 1, for example, the authentication system 1 includes: a server 10, a first terminal 20, and a second terminal 30, which can be connected to a network N such as the Internet. In addition, in FIG. 1, although each of the server 10, the first terminal 20, and the second terminal 30 is shown in the figure, there may be a plurality of these.

The server 10 is a server computer managed by a service provider, and includes, for example, a control unit 11, a memory unit 12, and a communication unit 13. The provider is a financial institution or company, etc., which can provide any kind of service. For example, the service system provided by the provider may be: financial services, e-commerce transaction services, travel reservation services, or insurance services. In addition, in this embodiment, in order to simplify the description, the case of authentication or service provision at the time of login by the server 10 is explained, but the authentication server and the service provision server may be separated.

The control unit 11 includes, for example, at least one microprocessor. The storage unit 12 includes, for example, a main storage unit such as RAM or an auxiliary storage unit such as a hard disk. The control unit 11 executes processing in accordance with the program or data stored in the memory unit 12. The communication part 13 includes a communication interface for wired communication or wireless communication. The communication unit 13 can transmit and receive data to and from external devices through a network N such as the Internet or LAN.

The first terminal 20 is a computer operated by a user, such as a personal computer, a mobile phone (including a smart phone), or a portable information terminal (including a tablet terminal). The first terminal 20 may be the property of the user or may not be the property of the user. In the present embodiment, it is explained that the first terminal 20 is not the user's property, but is installed in a restaurant or public facility, and is a personal computer that can be used by an unspecified number of people.

The first terminal 20 includes a control unit 21, a storage unit 22, a communication unit 23, an operation unit 24, and a display unit 25. The hardware configuration of the control unit 21, the storage unit 22, and the communication unit 23 may be the same as the control unit 11, the storage unit 12, and the communication unit 13, respectively. The operating portion 24 is an input device, such as a pointing device such as a touch panel or a mouse, or a keyboard. The display unit 25 is, for example, a liquid crystal display or an organic EL display.

The second terminal 30 is a computer operated by a user, such as a personal computer, a mobile phone (including a smart phone), or a portable information terminal (including a tablet terminal). The second terminal 30 is the same as the first terminal 20, and may be the property of the user or not the property of the user, but it is assumed that the security level is higher than that of the first terminal 20. In the present embodiment, it is explained that the second terminal 30 is a user's belongings and is a smartphone whose security is ensured by biometric authentication, a passcode, or the like.

The second terminal 30 includes a control unit 31, a storage unit 32, a communication unit 33, an operation unit 34, a display unit 35, and an imaging unit 36. The hardware configuration of the control unit 31, the memory unit 32, the communication unit 33, the operation unit 34, and the display unit 35 can be the same as the control unit 11, the memory unit 12, the communication unit 13, the operation unit 24, and the display unit 25, respectively. . The imaging unit 36 includes at least one camera, and generates an image by an imaging element such as a CCD sensor or a CMOS sensor. The photographing unit 36 may also perform continuous photographing based on a predetermined frame rate, or may perform photographing based on a user's operation.

In addition, the programs or data described as being stored in the memory sections 12, 22, 32 can also be stored in a computer-readable information storage medium (such as a USB memory or SD card) and be supplied to each Computers can also be supplied to each computer via the network. Moreover, the hardware configuration of each computer described in the above note is not limited to the above example, it may also be equipped with, for example, a reading unit (such as an SD card slot) for reading information storage media, or required for direct communication with external devices The input/output part (such as a USB terminal) can also be equipped with a code reader that can read code information.

[2. Overview of the authentication system] In this embodiment, it is explained that the server 10 is managed by a bank and provides financial services to users. It is assumed that the user has opened an account in a bank and has completed the use of Internet banking registration. Therefore, the user must have the user ID and password required to use Internet banking services. In addition, the user can be an individual or a legal person.

An application provided by the bank (hereinafter referred to as a bank application) is installed in the second terminal 30. Once the banking application is activated in the second terminal 30, the user enters the user ID and password to log in, and uses Internet banking services. Although the bank application may require the input of the user ID and password every time it is activated, in this embodiment, in order to save the trouble of input, an authentication method called quick login is prepared.

For example, once the user ID and password are entered and the authentication is successful, the server 10 issues quick login information, and then uses the quick login information for authentication. The quick login information is information indicating that this is an authenticated user, for example, a random token row generated by the server 10. The server 10 memorizes the issued quick login information, and sends the quick login information to the second terminal 30. The second terminal 30 memorizes the quick login information, and once the time sequence that must be authenticated is reached (for example, when the banking application is started, when a meeting with the server 10 is established, when the deposit and withdrawal process is executed, or when the remittance is executed, etc.), By using the quick login information, the trouble of inputting during authentication is saved.

For example, in quick login, even if the user does not enter a user ID, he still only needs to enter a password to complete the login. In this case, the password entered by the user and the quick login information memorized in the second terminal 30 are sent to the server 10, and the server 10 performs authentication. For another example, in quick login, biometric authentication (such as fingerprint authentication or face authentication) can also be used. In the case of performing biometric authentication on the second terminal 30, the user ID and password do not need to be input to complete the login. In this case, the information indicating that the biometric authentication has been completed and the quick login information memorized in the second terminal 30 are sent to the server 10, and the server 10 performs authentication.

On the other hand, in this embodiment, the first terminal 20 does not have a banking application installed and does not memorize quick login information. The first terminal 20 can display any website on a web browser. For example, in the first terminal 20, once the URL of the bank website is input, the first terminal 20 sends an access request to the server 10, and a conversation is established between the first terminal 20 and the server 10. The establishment of the meeting is carried out by following the procedures established by any communication protocol such as HTTP. The server 10 generates and memorizes the meeting information, and sends the meeting information to the first terminal 20.

The meeting information is information also called meeting ID or meeting key, which is used to uniquely identify the meeting. The meeting information is generated by the method established by the communication protocol, and is composed of, for example, random strings. The meeting information is available until the meeting is disconnected, and the first terminal 20 communicates with the server 10 by using the meeting information. Once the meeting is established, the login screen of the bank website is displayed on the first terminal 20.

FIG. 2 is a diagram showing an example of a login screen displayed on the first terminal 20. As shown in FIG. As shown in FIG. 2, the login screen G1 is displayed with an input form F10 for inputting a user ID and an input form F11 for inputting a password. Once the user selects the button B12, the user ID that has been entered into the input form F10 and the password that has been entered into the input form F11 are encrypted by HTTPS and the like and sent to the server 10. Thereafter, once the authentication by the server 10 is successful, the user becomes logged in, and the Internet banking service can be used on the web browser of the first terminal 20.

For example, if the user usually uses the quick login of the banking application, since there is no need to enter the user ID or password, they will be forgotten. In this case, since the user cannot log in on the first terminal 20, it is necessary to check with a customer service center or the like every time. Even if the user remembers the user ID and password, he still needs to input the user ID and password to the first terminal 20, which is troublesome. Also, like this embodiment, the first terminal 20 is a terminal that can be used by an unspecified number of people. Therefore, if the security level is low, the user ID and password entered by the user are recorded by the keyboard. It may also be stolen. In addition, this type of terminal may be connected to a free wireless LAN that does not guarantee security, etc., and there is a possibility that the user ID and password may be stolen in the communication.

Therefore, the authentication system 1 provides a mechanism that allows the user to log in on the first terminal 20 without inputting the user ID and password to the first terminal 20. In this embodiment, as an example of this mechanism, an authentication method of two-dimensional code login using a two-dimensional code is described. The two-dimensional code contains information necessary for the two-dimensional code to log in, such as the URL of the server 10 or the identification information about the first terminal 20. The details will be described later, but at the time when the QR code is generated, since it is not known which user will use it, the information inherent to the user, such as user ID or account information, is not included in the QR code. middle.

Regarding the identification information of the first terminal 20, any information that can identify the first terminal 20 or the information assigned to the first terminal 20 may be, for example, a string of randomly generated marks. In this embodiment, the identification information is not long-term constant information such as line number or address information, but is temporarily assigned one-time information. The identification information is issued after a meeting between the first terminal 20 and the server 10 is established, and the first terminal 20 sends a predetermined issuance request to the server 10. The issuance request only needs to be sent to the server 10 at any timing. The issuance request can also be sent when the login screen G1 is displayed. However, in this embodiment, it is assumed that the corresponding button B13 has already been sent. Choose, and send the release request.

In addition, the identification information may not be random, but a string of tokens generated based on a predetermined rule. In addition, for one first terminal 20, only one piece of identification information may be issued, or plural pieces of identification information may be issued. When multiple pieces of identification information are issued to one first terminal 20, different identification information may be issued for each page or window of the web browser. That is, when the user opens multiple tabs or multiple windows, and multiple login screens G1 are displayed, identification information can also be issued according to each login screen G1.

In this embodiment, the identification information is information that is different from the conference information. The identification information and the conference information are different from each other, and the identification information is not used for the maintenance of the conference. That is, even if the identification information is retained, the meeting cannot be maintained. During the period that the meeting is maintained, the meeting information system is not changed in principle, but the identification information is issued in response to each issuance request. Although the server 10 associates and memorizes the identification information and the meeting information, the two-dimensional code displayed on the first terminal 20 does not contain the meeting information. For example, once the user selects the button B13 of the login screen G1, a two-dimensional code containing identification information will be displayed in the login screen G1.

FIG. 3 is an illustration of a two-dimensional code displayed on the login screen G1. As shown in Figure 3, once the user selects the button B13, the button B13 disappears and the two-dimensional code C14 is displayed. In this embodiment, a command code is embedded in the display data (such as HTML data) of the login screen G1. Once the two-dimensional code C14 is displayed, the first terminal 20 queries the server 10 for the first terminal 20 The state.

The status indicates whether it is the status before authentication when the QR code is logged in, or the status after authentication. In other words, the status indicates whether the login caused by the QR code login is in a permitted state or not in a permitted state. In the two-dimensional code login, if the second terminal 30 that has quickly logged in reads the two-dimensional code C14, the first terminal 20 where the two-dimensional code C14 should be displayed becomes the login. The current status is "before authentication", and the subsequent status becomes "authenticated".

The two-dimensional code C14 does not need to specifically set the effective period, but in this embodiment, it is assumed that the effective period is set. The length of the valid period may be arbitrary, and in this embodiment, it is a fixed value (for example, about 10 seconds to 5 minutes), and may be a variable value like the modification described later. The first terminal 20 performs state inquiries during the effective period, and stops state inquiries after the effective period.

FIG. 4 is a diagram showing an example of the login screen G1 after the valid period. As shown in FIG. 4, once the validity period has passed, the two-dimensional code C14 disappears from the login screen G1, and the button B15 required to retrieve the two-dimensional code C14 is displayed on the login screen G1. Once it becomes this state, the aforementioned query is stopped. Once the user selects the button B15 and obtains the two-dimensional code C14 again, the login screen G1 will return to the state of FIG. 3.

Once the two-dimensional code C14 is displayed on the login screen G1, the user uses the imaging unit 36 of the second terminal 30 to read the two-dimensional code C14. In this embodiment, the bank application has a code reader function, and the user activates the bank application of the second terminal 30, and uses the code reader function of the bank application to read the QR code C14.

Figure 5 is a diagram showing how the two-dimensional code C14 is read. As shown in FIG. 5, once the bank application is activated in the second terminal 30, the menu screen G2 is displayed on the display unit 35. In the menu screen G2, information such as the balance of the user’s account will be displayed, such as the display of deposit and withdrawal details, account information display, deposit and withdrawal procedures, remittance procedures, display of services provided, or display of ATM information. , Will be provided.

The button B20 required for QR code login will be displayed in the menu screen G2. Once the user selects the button B20, the confirmation screen G3 representing the procedure of the QR code login is displayed. On the confirmation screen G3, a button B30 required to activate the imaging unit 36 of the second terminal 30 is displayed. The banking application is pre-authorized to access the photographing unit 36. Once the user selects the button B30, the photographing unit 36 will be activated.

Once the photographing unit 36 is activated, the photographing screen G4 showing the image being photographed is displayed on the display unit 35. For example, in the shooting screen G4, the frame F40 required to guide the shooting position of the two-dimensional code C14 is displayed near the center, and the user aligns the frame F40 to capture the two-dimensional image of the login screen G1. Code C14. Once the two-dimensional code C14 is photographed, the bank application program obtains and sends the URL and identification information of the server 10 contained in the two-dimensional code C14 to the server 10 based on a well-known code analysis algorithm. In addition, here, the quick login information memorized in the second terminal 30 can also be sent, but the second terminal 30 has already completed the authentication by quick login etc. at the time when the menu screen G2 is displayed, so It is also unnecessary to send quick login information at this timing.

Once the server 10 confirms the legitimacy of the quick login information of the second terminal 30, it changes the state in which the identification information received from the second terminal 30 is linked to "authenticated". Thereafter, in the second terminal 30, a completion screen G5 indicating that the two-dimensional code login has been completed is displayed, urging to confirm the display unit 25 of the first terminal 20. In addition, once the button B50 of the completion screen G5 is selected, it returns to the menu screen G2.

The first terminal 20 will always inquire the server 10 during the period when the QR code C14 is displayed on the login screen G1 (during the validity period of the QR code C14). Therefore, once the status of the server 10 becomes " After receiving the query after authentication, the user is permitted to log in to the first terminal 20 (that is, to log in using the account of the authenticated user on the second terminal 30), so that it can be used to use Internet banking services. The necessary use screen is displayed on the display unit 35.

FIG. 6 is a diagram showing an example of a utilization screen displayed on the first terminal 20. As shown in FIG. As shown in Figure 6, the user's account balance and other information will be displayed on the use screen G6, deposit and withdrawal details display, account information display, deposit and withdrawal procedures, remittance procedures, service provision display, or ATM information Show these various services and become available. That is, even if the user does not input the user ID and password, the first terminal 20 will be in the logged-in state. After that, the same service will be provided as if the user entered the user ID and password and logged in.

As described above, the authentication system 1 of this embodiment has a command code embedded in the display data of the login screen G1, the first terminal 20 sends queries repeatedly based on the command code, and the server 10 logs in with a QR code If the authentication of is successful, the use screen G6 is displayed in response to the inquiry from the first terminal 20. Therefore, when the authentication of the two-dimensional code login is successful, even if a temporary communication failure occurs, the server 10 does not need to repeatedly send instructions to the first terminal 20 (the server 10 only needs to wait for the query from the first terminal 20) ), therefore, the load on the server 10 can be reduced. Hereinafter, the details of the configuration of the authentication system 1 will be described.

[3. Functions realized in this embodiment] Fig. 7 is a functional block diagram of the function implemented in this embodiment. Here, the functions implemented in each of the server 10, the first terminal 20, and the second terminal 30 are explained.

[3-1. Functions implemented in the server] As shown in FIG. 7, the server 10 includes: a data storage unit 100, a second terminal authentication unit 101, an identification information acquisition unit 102, a transmission unit 103, a first reception unit 104, and a second reception unit 105 , And the status control unit 106 is realized. The data storage unit 100 is realized mainly by the storage unit 12, and the other functions are realized mainly by the control unit 11.

[Data Memory Department] The data storage unit 100 stores data necessary for realizing two-dimensional code login or quick login. Here, as an example of the data stored in the data storage unit 100, the user database DB1 and the two-dimensional code database DB2 will be described.

FIG. 8 is a diagram showing an example of data storage in the user database DB1. As shown in Figure 8, the user database DB1 is a database where information about the user is stored. For example, user ID, password, quick login information, and user account information are stored in the user database DB1.

In this embodiment, as the information that uniquely identifies the user, although the user ID is described, the information can also be information called a user account, and can also use mail addresses or phone numbers. The password, as long as it is an arbitrary symbol row designated by the user. The quick log-in information may be any token row. In this embodiment, although the case of a token row generated randomly is described, it may not be random but a token row generated based on a predetermined rule. Account information, as long as it is the information needed to identify the bank account, such as: branch name, account number, account nominee, balance information, personal authentication number, and deposit and withdrawal details.

Figure 9 is an illustration of a data storage example of the two-dimensional code database DB2. As shown in Figure 9, the two-dimensional code database DB2 is a database where information about the two-dimensional code login is stored. The two-dimensional code database DB2 is stored with: meeting information, identification information, validity period information, user's account branch name, account number, and status.

Once the identification information is issued, a new record will be created in the two-dimensional code database DB2 to establish a connection with the meeting information indicating the meeting between the first terminal 20 and the server 10, and the identification information and validity period information will be stored . In addition, before the QR code C14 is read, since it is unknown which user is using it, the branch name and account number are not stored, and the status is one of the initial values "before authentication".

The valid period information is only information that can specify the valid period, for example, it indicates at least one of the start time and the end time of the valid period. The start time is the time when the identification information is issued or within a certain period of time from that time. The end time is also called the validity period, which is after a predetermined time from the start time.

The branch name/account number of the user’s account is the branch name/account number stored in the account information of the user who has read the QR code C14 using the banking application. In this embodiment, once the QR code C14 is read, the quick login information will be sent together with the identification information contained in the QR code C14. Therefore, in the user database DB1, the quick login information is created The branch name and account number indicated by the related account information will be stored in the QR code database DB2. Thereby, login using the user ID of the user who has the appropriate quick login information becomes possible in the first terminal 20.

In addition, in this embodiment, although the state is stored in the two-dimensional code database DB2, it can also be regarded as a case where the branch name and account number are already stored in the two-dimensional code database DB2 The first terminal 20 is in an authenticated state. In other words, the status of the QR code login can also be confirmed with the presence or absence of the branch name and account number.

[Second Terminal Authentication Section] The second terminal authentication unit 101 authenticates the second terminal 30 based on the user ID and password input in the second terminal 30. The second terminal authentication unit 101 determines that the authentication is successful when the combination of the user ID and password input in the second terminal 30 already exists in the user database DB1.

In addition, in this embodiment, although the case where the user ID and password are used as authentication information is described, the authentication information may be information that can authenticate the user, and it may be, for example, personal authentication of the account. Number, password, biometric authentication information, or IC card information, etc. The method of inputting the authentication information may be arbitrary, for example, it may be inputted from the communication unit 33, the operation unit 34, or the photographing unit 36.

The second terminal authentication unit 101 issues quick login information indicating that it has been authenticated and sends it to the second terminal 30 when the second terminal 30 has been authenticated. In this embodiment, although it is explained that the quick login information is used as authenticated information, the authenticated information may be information issued to authenticated users, for example, Information such as electronic certificates.

[Identification Information Acquisition Department] The identification information acquisition unit 102 acquires identification information about the first terminal 20. In the present embodiment, the identification information is not inherent information such as the serial number of the first terminal 20, but is dynamically assigned information. Therefore, the identification information acquisition unit 102 issues identification information. As mentioned above, the identification information only needs to be issued based on the predetermined issuance rules, and the identification information acquisition unit 102 issues the identification information in a manner that does not overlap with other identification information.

In the present embodiment, the identification information acquisition unit 102 associates the identification information with the interview information and records the identification information in the data storage unit 100 when a meeting has been established with the first terminal 20. In addition, the identification information acquisition unit 102 may also create new identification information after establishing a conversation with the first terminal 20, or may create identification information in advance and store it in the list, and add the identification information stored in the list to the identification information. It is acquired and distributed to the first terminal 20, whereby identification information is issued to the first terminal 20. In addition, when the first terminal 20 and the server 10 have not specifically established a meeting, the identification information acquisition unit 102 may issue identification information when the access from the first terminal 20 is accepted. .

In this embodiment, since the identification information has a valid period that will be set, the identification information acquisition unit 102 sets the valid period for the issued identification information. For example, the identification information acquisition unit 102 establishes a connection with the identification information and stores the effective period information in the two-dimensional code database DB2, thereby setting the effective period for the identification information. In this embodiment, the expiration date information is sent to the second terminal 30.

The identification information acquisition unit 102 acquires the identification information again when the first terminal 20 has been subjected to an operation of reacquiring identification information after the valid period. The reacquisition operation may be an arbitrary operation performed on the first terminal 20, and in this embodiment, it is an operation to select the button B15. The method of reacquiring the identification information only needs to use the same method as the first time, but the reacquired identification information is different from the content (symbol row) of the first time. The valid period of the reacquired identification information may be the same or different from the valid period of the first identification information.

[Communication Department] The transmitting unit 103 transmits identification information to the first terminal 20. In this embodiment, a command code is executed on the first terminal 20, so the sending unit 103 sends the identification information and the command code required to make it repeatedly perform a predetermined query. Inquiries can be made only by sending information in a predetermined form. The query may contain identification information, but since the identification information can be specified based on the interview information, the identification information may not be included in the query.

The instruction code can be any type of instruction code, for example, it can be a Java instruction code (registered trademark). The script is described as a command that repeatedly executes the sending command of the query to the server 10. In this embodiment, the query is performed periodically, and the cycle (time interval) of the query is specified in the instruction code, but the query may be performed irregularly.

In this embodiment, the first terminal 20 stops inquiring once the valid period has elapsed. Therefore, the command code is to make it repeat the inquiry during the valid period, and to stop the inquiry of the required instruction code after the valid period. There is a command described in the instruction code to determine whether the valid period has passed. In addition, in the instruction code, in order to execute the sending instruction of the inquiry during the valid period, the sending instruction of the inquiry is not executed after the valid period, and the divergence is described by using the if syntax and so on.

In this embodiment, the first terminal 20 and the server 10 maintain the meeting based on the meeting information. Therefore, the sending unit 103 transmits identification information to the first terminal 20 based on the meeting information. In this embodiment, the identification information is displayed in the form of a two-dimensional code C14, so the transmitting unit 103 sends the image data of the two-dimensional code C14 containing the identification information to the first terminal 20.

In this embodiment, the identification information is included in the two-dimensional code C14, so the command code is to make the first terminal 20 display the two-dimensional code C14 containing the identification information during the valid period. Then, the instruction code required to stop the display of the two-dimensional code C14. As for the order to determine whether the validity period has passed, it is the same as described above. In the instruction code, in order to execute the command to display the two-dimensional code C14 within the valid period, the appropriate command or the command to stop the display is not executed after the valid period, and the divergence is described using if syntax.

In addition, in this embodiment, although the case where the two-dimensional code C14 is equivalent to an image containing identification information, the image is not limited to a two-dimensional code, and may be a barcode or information other than the code. For example, if the second terminal 30 is capable of using optical character recognition, the image of the symbol row indicating the recognition information may be directly displayed on the first terminal 20.

In this embodiment, the identification information will be acquired again after the expiration date, so the sending unit 103 sends the identification information that has been acquired again. The transmission method of the newly acquired identification information is the same as the first transmission method of the identification information, and the validity period information of the newly acquired identification information is also sent to the first terminal 20.

[First Receiving Department] The first receiving unit 104 receives the predetermined inquiry repeatedly transmitted by the first terminal 20. In this embodiment, since the query is performed using the command code, the first receiving unit 104 receives the query from the first terminal 20 when the command code is executed by the first terminal 20. The first terminal 20 repeatedly sends inquiries based on the command code, so the first receiving unit 104 repeatedly receives the inquiries from the first terminal 20. Once the first terminal 20 stops polling, the first receiving unit 104 will not receive the polling from the first terminal 20.

[Second Receiving Department] The second receiving unit 105 receives the identification information from the second terminal 30 when the identification information about the first terminal 20 is read by the authenticated second terminal 30. In this embodiment, since the two-dimensional code C14 is used, the second receiving unit 105 is used when the two-dimensional code C14 displayed on the first terminal 20 has been read by the second terminal 30 , Then from the second terminal 30, the identification information contained in the two-dimensional code C14 is received. In this embodiment, although it is described that after the second terminal 30 reads the two-dimensional code C14, the identification information is sent to the server 10 without the user's operation, but it can also be based on the touch The identification information will be sent to the server 10 for operations such as the confirmation message displayed on the screen.

[Status Control Department] The state control unit 106 turns the first terminal 20 into an authenticated state based on the query received from the first terminal 20 and the identification information received from the second terminal 30. The so-called authenticated state is the login of the user ID of the user who is permitted to use the second terminal 30, and is the state in which the user is set to use the service. In this embodiment, since the status of the first terminal 20 is stored in the two-dimensional code database DB2, the status is changed to "authenticated", and it is logged in to the first terminal with the conference information that is related to the identification information. This matter of the terminal 20 is equivalent to turning the first terminal 20 into an authenticated state.

The state control unit 106 changes the first terminal 20 to an authenticated state when receiving an inquiry from the first terminal 20 after the state of the first terminal 20 has changed to "authenticated". That is, the status control unit 106 does not receive the query from the first terminal 20 even if the status of the first terminal 20 becomes "authenticated" after receiving the query from the first terminal 20. The first terminal 20 is turned into an authenticated state. The state control unit 106 does not spontaneously change the first terminal 20 into an authenticated state, but only receives an inquiry from the first terminal 20 as a condition (that is, it is in a passive state), and sets the first terminal 20 to an authenticated state. The terminal 20 becomes an authenticated state.

In this embodiment, the first terminal 20 and the server 10 maintain the meeting based on the meeting information, so the state control unit 106 is based on the meeting information that is related to the identification information received from the second terminal 30. And turn the first terminal into an authenticated state. The first terminal 20 performs inquiries along with the meeting information. Therefore, when the status control unit 106 receives an inquiry from the first terminal 20 with legitimate meeting information, if the status of the first terminal 20 is "authenticated" ", the first terminal 20 is turned into a logged-in state.

In addition, even if the identification information of the first terminal 20 is stolen by another terminal, the other terminal does not hold the meeting information of the first terminal 20. Therefore, even if the other terminal performs an inquiry along with the identification information, it cannot log in. Therefore, the state control unit 106 can specify the first terminal 20 to be in an authenticated state based on the meeting information that is related to the identification information. In other words, the status control unit 106 is based on the interview information received from the first terminal 20 and the status of "authenticated" when the status control unit 106 receives an inquiry from the first terminal 20. Establish the related meeting information, and decide whether to turn the first terminal 20 into an authenticated state.

[3-2. Functions implemented in the first terminal] As shown in FIG. 7, in the first terminal 20, the data storage unit 200, the determination unit 201, the query unit 202, and the display control unit 203 are realized. The data storage unit 200 is realized mainly by the storage unit 22, and the other functions are realized by the control unit 21 mainly.

[Data Memory Department] The data storage unit 200 stores data necessary for realizing two-dimensional code login and the like. For example, the data storage unit 200 memorizes the image data of the two-dimensional code C13 containing identification information received from the server 10, the interview information, and the instruction code. For another example, the data storage unit 200 stores the display data of the login screen G1 or the use screen G6.

[Judgment Department] The determining unit 201 determines whether the valid period of the identification information has passed. The determining unit 201 obtains the current date and time by using real-time clock or GPS information, etc., to determine whether the valid period has passed. In this embodiment, the judging unit 201 executes the judging process based on the instruction code.

[Inquiry Department] The query unit 202 is to query the authentication system 1 repeatedly. For example, if there is a cycle indicating a transmission command and a query in the command code, the first terminal 20 executes the transmission command and sends the query every time the period comes. In addition, as mentioned above, the query unit 202 can also query regularly or irregularly. In this embodiment, the query unit 202 performs the query based on the instruction code.

In the present embodiment, the query unit 202 repeatedly performs the query during the valid period, and stops the query after the valid period. The query unit 202 continues the query when it is determined by the determination unit 201 to be in the valid period, and when it is determined by the determination unit 201 to be after the valid period, it stops the query so that No enquiries will be made afterwards.

[Display Control Unit] The display control unit 203 performs display control of various screens. For example, the display control unit 203 causes the login screen G1 or the utilization screen G6 to be displayed on the display unit 25. For another example, the display control unit 203 causes the two-dimensional code C14 to be displayed during the valid period, and stops the display of the two-dimensional code C14 after the valid period. The display control unit 203 causes the two-dimensional code C14 to be displayed when it is determined to be in the valid period by the determining unit 201; when it is determined to be after the valid period by the determining unit 201, then Make the two-dimensional code C14 disappear and not be displayed afterwards. In this embodiment, the display control unit 203 executes display control based on the instruction code.

[3-3. Functions implemented in the second terminal] As shown in FIG. 7, in the second terminal 30, a data storage unit 300, a reading unit 301, and a transmission unit 302 are realized. The data storage unit 300 is realized mainly by the storage unit 32, and the other functions are realized by the control unit 31 mainly.

[Data Memory Department] The data storage unit 300 stores the data necessary for realizing two-dimensional code login or quick login. For example, the data storage unit 300 stores the quick login information. For another example, in this embodiment, although the data storage unit 300 is designed to not memorize the user ID and password, the data storage unit 300 can also memorize the user ID and password. In addition to this, for example, the data storage unit 300 can also store biometric authentication information such as the user's fingerprint or face.

[Reading Department] The reading unit 301 reads the identification information of the first terminal 20. In this embodiment, the reading unit 301 reads the identification information contained in the two-dimensional code C13 based on the photographed image captured by the photographing unit 36. The reading unit 301 analyzes the two-dimensional code C13 contained in the photographed image based on a well-known code analysis algorithm, and reads the identification information or the URL of the server 10, etc.

In addition, the method of reading the identification information is not limited to the method using images. As long as the second terminal 30 is located near the first terminal 20 and can recognize that the identification information has been read, for example, the short-range wireless communication by the communication unit 23 and the communication unit 33 can also be used to read the identification information. When the first terminal 20 has a speaker and the second terminal has a microphone, it is also possible to read the identification information using sound waves.

In addition, in this embodiment, it is explained that when the identification information is read, the second terminal 30 is authenticated by quick login, but the authentication method of the second terminal 30 is not limited to quick login. Any authentication method is applicable. For example, it is also possible to read the identification information by the second terminal 30 that has been authenticated by the usual authentication using user ID and password, or the second terminal that has been authenticated by other authentication methods such as biometric authentication or passphrase. 30 to read the identification information.

[Communication Department] The sending unit 302 sends the identification information of the first terminal 20 that has been read by the reading unit 301 to the server 10. In this embodiment, because the data storage unit 300 stores the quick login information, the sending unit 302 does not require the input of the user ID and password when the identification information is read. Based on the quick login information, The identification information is sent to the authentication system 1.

The so-called "no input" means that the screen for prompting the input of the user ID and password is not displayed. As explained with reference to FIG. 5, after the two-dimensional code C14 is read on the photographing screen G4, the user does not need to input the user ID and password to complete the two-dimensional code login. In addition, although it is described here that neither the user ID nor the password need to be input, the input of either one of them can be omitted.

In addition, the sending unit 302 may also send information other than the identification information to the server 10. For example, the sending unit 302 may also send the user ID and password that have been input by the user. For another example, the sending part 302 can also send the fast login information memorized in the data storage part 300 during fast login.

[4. Processing executed in this embodiment] Figures 10 and 11 are flowcharts of the processing executed in this embodiment. The processing shown in FIGS. 10 and 11 is executed by each of the control units 11, 21, and 31 in accordance with the programs stored in the storage units 12, 22, and 32. These processes are an example of the processes executed by each functional block. In addition, when the processing of FIG. 10 and FIG. 11 is executed, it is assumed that the second terminal 30 has been quickly logged in.

As shown in FIG. 10, first, on the first terminal 20, once the user specifies the URL of the bank’s website, the first terminal 20 accesses the server 10, and the first terminal 20 and the server 10 A meeting will be established in time (S1). In S1, a conversation is established between the first terminal 20 and the server 10 in accordance with the procedure defined by the communication protocol. In the server 10, the control unit 11 generates the meeting information, stores it in the memory unit 12, and sends the meeting information to the first terminal 20. In the first terminal 20, the control unit 21 records the meeting information in the storage unit 22 once it receives the meeting information. In the future, if the first terminal 20 sends any information to the server 10, the conference information will also be sent. The server 10 maintains the meeting based on the meeting information.

Once the meeting between the first terminal 20 and the server 10 is established, in the server 10, the control unit 21 sends the display data of the login screen G1 to the first terminal 20 (S2). In the first terminal 20, once Upon receiving the display data, the control unit 21 causes the login screen G1 to be displayed on the display unit 25 (S3). In addition, the display data can be in any format, such as HTML format or XML format. In S3, since the button B13 has not yet been selected, the two-dimensional code C14 is not displayed in the login screen G1, and it is in the state of FIG. 2. In this state, once the user ID and password are input to the input forms F10 and F11 and the button B12 is selected, normal login processing is executed. The following describes the processing when the button B13 is selected.

Once the button B13 of the login screen G1 is selected, the control unit 21 sends a request for issuance of the two-dimensional code C14 to the server 10 (S4). The issuance request only needs to be made by sending information in a predetermined format.

When the server 10 receives the issuance request, the control unit 11 issues the identification information (S5). In S5, the control unit 11 generates a random mark string and obtains it as identification information.

The control unit 11 establishes a connection with the meeting information of the first terminal 20, and stores the identification information in the two-dimensional code database DB2 (S6). In S6, the control unit 11 generates a new record in the two-dimensional code database DB2, and stores the meeting information issued in S1 and the identification information issued in S5 in the corresponding record. In addition, the control unit 11 stores the current date and time as valid period information and stores it in the appropriate record, and the status is set to the initial value "before authentication".

The control unit 11 transmits the display data of the login screen G1 including the two-dimensional code C14 to the first terminal 20 (S7). In S7, the control unit 11 generates a two-dimensional code C14 containing the URL of the server 10 and the identification information issued in S5. This URL is required for the second terminal 30 to access the server 10, so it is not the URL of the login screen G1, as long as it is any URL assigned to the server 10. It is assumed that the URL is stored in the storage unit 12 in advance.

In addition, assuming that it will make repeated queries during the valid period, the command code required to stop the query after the valid period, and the QR code C14 will be displayed during the valid period, and the display will stop after the valid period. The required instruction code is stored in the memory 12 in advance. These instruction codes can be integrated or independent of each other. The control unit 11 generates and sends display data containing the instruction code, the image data of the two-dimensional code C14, and the validity period information of the two-dimensional code C14.

In the first terminal 20, upon receiving the display data, the control unit 21 causes the login screen G1 containing the two-dimensional code C14 to be displayed (S8). In S8, the two-dimensional code C14 will be displayed in the login screen G1, and it becomes the state of FIG. 3. From now on, the control unit 21 executes the instruction code contained in the display data, and executes the processing of S9 to S12 described below. In addition, the script system can also be independent of the display data and be executed by external calls.

The control unit 21 determines whether the valid period has passed (S9). In S9, the control unit 21 obtains the current date and time based on the real-time clock, GPS information, etc., and determines whether the valid period indicated by the valid period information has passed. Here, since the valid period information indicates the start time of the valid period, the control unit 21 determines whether the time after the predetermined time has passed since the start of the valid period.

When it is not determined that the valid period has passed (S9; N), since it is in the valid period, the control unit 21 sends a status inquiry to the server 10 (S10), returns to the processing of S9, and repeats the inquiry. Send the message until the validity period has passed.

On the other hand, in S9, when it is determined that the valid period has passed (S9; Y), the control unit 21 causes the two-dimensional code C14 to disappear from the login screen G1 (S11), and stops the inquiry of the state (S12). In S12, the button B15 is displayed on the login screen G1, and it becomes the state of FIG. 4. In this state, once the user ID and password are input to the input forms F10 and F11 and the button B12 is selected, normal login processing is executed. Once the button B15 is selected, it returns to the processing of S4 and obtains the two-dimensional code C14 again.

Entering FIG. 11, once the bank application is activated in the second terminal 30, the menu screen G2 and the confirmation screen G3 are displayed. When the button B30 is selected, the control unit 31 activates the imaging unit 36 to display the imaging screen G4 (S13). In S13, the control unit 31 analyzes the photographed image of the photographing unit 36 to determine whether the two-dimensional code C14 is detected.

Once the control unit 31 detects the two-dimensional code C14, it refers to the URL of the server 10 contained in the two-dimensional code C14, and sends the quick login information memorized in the memory unit 12 to the server 10, and two The identification information contained in the dimension code C14 (S14).

In the server 10, once the quick login information and identification information are received, the control unit 11 confirms the legitimacy of the received quick login information based on the user database DB1 (S15). In S15, the control unit 11 determines whether the quick login information received from the first terminal 20 exists in the user database DB1. The control unit 11 determines that it is legitimate if the quick login information exists in the user database DB1, and does not determine it as legitimate if the quick login information does not exist in the user database DB1.

In the case where the legitimacy of the quick login information has been confirmed (S15; Y), the control unit 11 based on the two-dimensional code database DB2, changes the status of establishing a connection with the identification information received in S15 to "Authenticated" (S16). In S16, the control unit 11 changes the status of the record stored in the identification information received in S15 from "before authentication" to "authenticated" in the two-dimensional code database DB2, and also saves it for use Account information of the person. In addition, the user's account information can also be obtained from the user database DB1, or the account information can be stored in the second terminal 30 first and then obtained from the second terminal 30. After that, when an inquiry from the first terminal 20 is received, the use screen G6 can be displayed on the first terminal 20.

The control unit 11 determines whether or not an inquiry from the first terminal 20 is received (S17). The first terminal 20 continues to send queries during the valid period through the processing of S10, but until the status becomes "authenticated", the server 10 ignores it even if it receives the appropriate query and does not permit the first terminal 20 Of login.

When a query is received (S17; Y), the control unit 11 generates display data using the screen G6 based on the user database DB1, and sends it to the first terminal 20 (S18). In S18, the control unit 11 permits the user who has the quick login information received in S15 to log in on the first terminal 20, and generates the display data using the screen G6 based on the account information of the user.

In the first terminal 20, upon receiving the display data, the control unit 21 causes the use screen G6 to be displayed on the display unit 25 (S19), and this processing system ends. From now on, the user can use the online banking service by operating the first terminal 20.

According to the authentication system 1, the server 10 does not spontaneously change the first terminal 20 into an authenticated state when the authentication of the two-dimensional code login is successful, but responds to the query from the first terminal 20 It becomes an authenticated state, so the load on the server 10 can be reduced. For example, even if there is a temporary communication failure in the network N, the server 10 does not need to repeatedly send the display data using the screen G6 to the first terminal 20, and respond to the query from the first terminal 20 (that is, the network The restoration of N is confirmed by query), and the display data using the screen G6 is sent, so the load on the server 10 can be reduced.

In addition, if the number of connected units of the first terminal 20 increases, the load on the server 10 may increase if the server 10 continues to receive inquiries, but the first terminal 20 will be repeated during the valid period of the identification information. The query is stopped after the valid period, thereby reducing the load on the server 10. In addition, a malicious third party puts the QR code C14 in a disturbing email and sends it to the user as an attachment. Once the user is cheated and reads it with a banking application, it will be sent to the user by the third party. The terminal may be logged in, but by setting a valid period for the identification information, no time will be given to carry out such illegal acts, which can effectively improve security. In addition, by making the first terminal 20 execute the process of determining the valid period, the server 10 does not need to determine the valid period for all the first terminals 20 in the connection, and the load on the server 10 can be reduced.

In addition, since the meeting information is not used as the identification information, the chance of sending the meeting information on the network N can be reduced, and the security can be improved. In addition, even if a third party only steals the identification information, if the meeting information is not kept, the login is still not allowed, so the security can be improved. In addition, the identification information is dynamically generated information, and is not a fixed line number assigned to the first terminal 20. Therefore, the service can be used regardless of the terminal, and the user's degree of freedom can also be increased.

In addition, by using the quick login information memorized in the second terminal 30, after the QR code C14 has been read, no authentication information such as a password is required, and the identification information contained in the QR code C14 will be Send to the server 10, thereby reducing the user's trouble. In addition, if a valid period is set for the identification information, the period of time for the user to input a password, etc. causes the valid period to elapse. If the QR code C14 is retrieved again, the password must be entered again, but By omitting the input of passwords and the like and quickly sending identification information, such troubles will not occur.

In addition, when the valid period has passed, the two-dimensional code C14 is disappeared from the login screen G1, thereby allowing the user to perceive that the valid period has passed. In addition, if the two-dimensional code C14 is photographed without noticing that the validity period has passed, it will cause unnecessary trouble, but it can prevent such trouble from happening.

In addition, once the valid period has passed, the button B15 is displayed on the login screen G1, and the two-dimensional code C14 can be retrieved. Therefore, it is possible to reduce the trouble of the user who does not pass the valid period. Even when the talk information is used as identification information as in the prior art, every time the validity period has passed, it is necessary to connect to the talk again in order to issue new identification information. However, in the authentication system 1, the talk can be maintained. Re-obtaining the identification information directly can alleviate the user's troubles.

[5. Modifications] In addition, the present invention is not limited to the embodiment described above. Appropriate changes can be made without departing from the scope of the present invention.

(1) For example, when a large number of first terminals 20 are connected to the server 10, since each first terminal 20 will make an inquiry, the load on the server 10 will increase. Therefore, the length of the valid period may be adjusted according to the number of connected first terminals 20, etc., to reduce the load on the server 10.

Fig. 12 is a functional block diagram of a modified example. As shown in FIG. 12, in the modified example, the load information acquisition unit 107 and the determination unit 108 are realized. These systems are realized mainly by the control unit 11. The load information acquisition unit 107 acquires load information about the load of the authentication system 1. The load information is only information about the load of the authentication system 1. It can be, for example, the number of connected units of the first terminal 20, the CPU usage rate of the server 10, or the communication volume of the server 10 (network usage rate). ). For example, the load information acquisition unit 107 can acquire the number of meetings as the number of connected units of the first terminal 20. For another example, the load information obtaining unit 107 executes a predetermined command to obtain the CPU usage rate or communication volume. The load information acquisition unit 107 acquires the acquired information as load information.

The determination unit 108 determines the length of the valid period based on the load information. The determining unit 108 sets a shorter effective period as the load indicated by the load information is higher, and sets a longer effective period as the load indicated by the load information is lower. The relationship between the load and the length of the valid period only needs to be stored in the data storage unit 100 in advance. The identification information acquisition unit 102 only needs to set a valid period of the length determined by the determination unit 108 for the issued identification information.

For example, the determining unit 108 sets a shorter effective period as the number of connected first terminals 20 is greater, and sets a longer effective period as the number of connected first terminals 20 is smaller. For example, the determining unit 108 sets a shorter effective period as the CPU usage rate of the server 10 is higher, and sets a longer effective period as the CPU usage rate of the server 10 lowers. For example, the determining unit 108 sets a shorter effective period as the amount of communication of the server 10 increases, and sets a longer effective period as the amount of communication of the server 10 decreases.

According to the modified example (1), by setting the effective period corresponding to the length of the load, the load of the server 10 can be effectively reduced.

(2) For another example, the number of connected units of the first terminal 20 varies with time. Therefore, the determination unit 108 determines the length of the valid period based on the time zone. The time zone is the current time zone, such as the time zone when the length of the valid period is determined, the time zone when the identification information is issued, or the time zone when logging in with a QR code. The relationship between the time zone and the length of the valid period only needs to be stored in the data storage unit 100 in advance. For example, from late night to morning (for example, 0 o'clock to 6 o'clock), since the number of connected units of the first terminal 20 is small, it is also possible to set an effective period longer than other time zones. For another example, from evening to night, since the number of connected units of the first terminal 20 is large, it is also possible to set an effective period shorter than other time zones.

According to the modified example (2), by setting the effective period corresponding to the length of the time zone used by the user, the load on the server 10 can be effectively reduced.

(3) For another example, in the embodiment, although it is described that the user uses the banking application to read the QR code C14, the second terminal 30 can still read the QR code even if the banking application is not installed. Code C14. In this case, since the bank application is not activated and quick login cannot be used, the first terminal 20 will not become an authenticated state. Therefore, the second terminal 30 can also be redirected to the designated website and urge it to use the banking application.

As described in the embodiment, the second terminal 30 stores the bank application. The bank application is an example of the application required to use the predetermined service, and the second terminal 30 only needs to memorize the application corresponding to the provided service. For example: applications used in e-commerce transaction services to purchase goods, applications used in travel reservation services to book hotels or air tickets, or applications used in insurance services to complete various insurance procedures The program can also be memorized by the second terminal 30.

The state control unit 106 changes the first terminal 20 to an authenticated state when the identification information about the first terminal 20 is read by the bank application of the second terminal 30. That is, the state control unit 106 changes the first terminal 20 into an authenticated state on the condition that the second terminal 30 activates the banking application and reads the identification information. For example, the status control unit 106 determines that the bank application has been used when the quick login information is received, and does not determine that the bank application has been used if the quick login information is not received.

In addition, whether the bank application is used or not can be determined by any information other than the quick login information. For example, if the user ID or account information is stored in the second terminal 30 in advance, the status control unit 106 It can also determine whether the user ID or account information is received. In addition to this, for example, the information inherent to the banking application is stored in the second terminal 30 in advance, and the state control unit 106 determines whether or not the appropriate information is received.

The state control unit 106 does not turn the first terminal 20 into an authenticated state and makes the second terminal 30 connect when the application program of the second terminal 30 is used but the identification information of the first terminal 20 is not read. To the designated website. The website can be any website, for example, a website used to urge the use or download of a bank application, or a website used to urge the opening of an account. The URL of the website is previously memorized in the data storage unit 100, and the state control unit 106 redirects the second terminal 30 to the corresponding URL through a well-known redirection process. The web browser of the second terminal 30 will display the redirected website.

According to the modified example (3), by connecting the second terminal 30 to a predetermined website, the user can easily grasp the fact that the first terminal 20 has not become an authenticated state.

(4) For another example, the above-mentioned modification examples can also be combined.

For another example, in the embodiment, although it has been described that a command code is sent from the server 10 to the first terminal 20, and when the command code is executed by the first terminal 20, the transmission of the query will be executed, but it is also It may be that the first terminal 20 stores the native application program, and the first terminal 20 executes the native application program to perform query sending and so on. That is, instead of displaying the two-dimensional code C13 or sending an inquiry on the web browser, it is also possible to display the two-dimensional code C13 or sending an inquiry on the native application. The native application may be the same as the banking application of the second terminal 30, and is created for the first terminal 20.

For example, the determination unit 201 of the first terminal 20 may also determine whether the valid period of the identification information has passed based on the native application. For another example, the query unit 202 of the first terminal 20 can also perform queries based on a native application. For another example, the display control unit 203 of the first terminal 20 can also perform display control of the two-dimensional code C13 based on a native application. These processes are only the difference between being executed by the script code or being executed by the native application program. The details of the processing content are as described in the embodiment. In addition to this, for example, although the case where the identification information is issued in the server 10 is explained, the identification information may also be issued by the native application of the first terminal 20. In this case, the native application program assigns a randomly generated token row to inherent information such as the serial number or IP address of the first terminal 20, so that the identification information does not overlap with other terminals. When the identification information is issued by the native application, the first terminal 20 sends the identification information to the server 10, and the identification information is shared between the first terminal 20 and the server 10.

For another example, in the embodiment, although it is explained that the identification information is different from the meeting information, the meeting information can also be used as the identification information. In addition to this, for example, the identification information is not information assigned to the first terminal 20 on the spot, but information such as a serial number or an IP address possessed by the first terminal 20 in advance. In this case, the identification information acquisition unit 102 of the server 10 acquires identification information from the first terminal 20. For another example, in the embodiment, although it has been described that a meeting is established between the first terminal 20 and the server 10, the meeting may not be established specifically, and communication between the first terminal 20 and the server 10 may be performed. For another example, although it has been described that the processing for determining whether the valid period has passed is executed on the side of the first terminal 20, the processing system may also be executed on the side of the server 10. For another example, the valid period of the identification information may not be specially set. For another example, in the first terminal 20, the login screen G1 may also be displayed in each of the plural tabs or windows, and identification information may also be issued according to each login screen G1. For another example, instead of inquiring the status from the first terminal 20 to the server 10, the server 10 may spontaneously display the status of the first terminal 20 when the status of the first terminal 20 becomes "authenticated" Use screen G6 to exit.

For another example, in the embodiment, it is explained that the first feature of the query executed by the first terminal 20, the identification information is the second feature different from the interview information, and the quick login information is used to save the data after reading the two-dimensional code C14. The third feature that is troublesome to input, the fourth feature that controls the display stop of the two-dimensional code C14 by the first terminal 20, and the fifth feature of the two-dimensional code C14 that is re-acquired following the reacquisition operation after the valid period. The authentication system 1 only needs to have at least one of the first to fifth features, and it is not necessary to have all of these features. For example, in the embodiment, the description is based on the premise that the authentication system 1 has the first feature, but the authentication system 1 may not have the first feature, but at least one of the second to fifth features. In this case, the server 10 spontaneously turns the first terminal 20 into an authenticated state when the authentication of the two-dimensional code login is successful.

For another example, although it has been described that the functions shown in FIG. 7 are implemented in the server 10, the functions may also be implemented by other computers. For example, the data storage unit 100 can also be implemented by a database server different from the server 10. In addition to this, it can also be, for example, that each function is shared by a plurality of computers. For example, each function may be shared by each of the server 10, the native application of the first terminal 20, and the banking application of the second terminal 30.

1: Authentication system N: Network 10: Server 11, 21, 31: Control Department 12, 22, 32: Memory Department 13,23,33: Ministry of Communications 24, 34: Operation Department 25, 35: Display 36: Photography Department G1: Login screen G2: Menu screen G3: Confirmation screen G4: Photography screen G5: Complete screen G6: Use the screen 100: Data Memory Department 101: The second terminal authentication department 102: Identification Information Acquisition Department 103: Communication Department 104: First reception department 105: The second receiving part 106: State Control Department 107: Load Information Acquisition Department 108: Decision Department F10, F11: input form B12, B13, B15, B20, B30, B50: buttons C14: QR code F40: Box DB1: user database DB2: QR code database 20: Terminal 1 200: Data Memory Department 201: Judgment Department 202: Inquiry Department 203: Display Control Unit 30: 2nd terminal 300: Data Memory Department 301: Reading Department 302: Communication Department

[Fig. 1] An illustration of an example of the authentication system described in the embodiment. [Figure 2] An illustration of an example of the login screen displayed on the first terminal. [Figure 3] An icon that looks like a QR code is displayed on the login screen. [Figure 4] An illustration of an example of the login screen after the valid period. [Figure 5] An illustration of how the QR code is read. [Fig. 6] An illustration of an example of the use screen displayed on the first terminal. [Figure 7] A functional block diagram of the functions implemented in this embodiment. [Figure 8] The icon of the data storage example of the user database. [Figure 9] The icon of the data storage example of the QR code database. [Fig. 10] A flowchart of the processing executed in this embodiment. [Fig. 11] A flowchart of the processing executed in this embodiment. [Figure 12] Functional block diagram of the modified example.

10: Server

20: Terminal 1

30: 2nd terminal

100: Data Memory Department

101: The second terminal authentication department

102: Identification Information Acquisition Department

103: Communication Department

104: First reception department

105: The second receiving part

106: State Control Department

200: Data Memory Department

201: Judgment Department

202: Inquiry Department

203: Display Control Unit

300: Data Memory Department

301: Reading Department

302: Communication Department

DB1: user database

DB2: QR code database

Claims (11)

An authentication system, which is characterized by including: identification information acquisition means for acquiring identification information about the first terminal that has been set with a valid time; and first receiving means for receiving the first terminal described in the preceding paragraph The predetermined query sent repeatedly; and the second receiving means is used to receive the prescript from the prescript second terminal when the prescript identification information of the prescript first terminal is read by the authenticated second terminal Identification information; and state control means, which are used to turn the first terminal into an authenticated state based on the previous query received from the first terminal of the previous note and the previous identification information received from the second terminal of the previous note; The sum determination method is used to determine the length of the valid period of the pre-record based on the status in the authentication system. For example, the authentication system described in claim 1, in which the prescript authentication system also contains: load information acquisition means to obtain load information about the load of the prescript authentication system; prescript determination means are determined based on the prescript load information Note the length of the valid period. For example, the authentication system described in claim 1 or 2, wherein the pre-determined means determines the length of the pre-determined valid period based on the time zone. For example, the authentication system described in claim 1 or 2, in which, the pre-identification information is set with a valid period; the first terminal of the pre-script is repeated inquiries during the validity period of the pre-record, and it stops after the valid period of the pre-record Pre-recorded query. For example, the authentication system described in claim 1 or 2, wherein the pre-identification information acquisition means is to establish a connection between the pre-identification information and the interview information and record it in the memory when the meeting with the first terminal of the preceding paragraph has been established. Among the means; the prescriptive state control means is based on the prescriptive interview information that is related to the prescriptive identification information received by the prescript second terminal, and the prescriptive first terminal becomes the authenticated state. For example, the authentication system described in claim 1 or 2, wherein the preceding authentication system further includes: a second terminal authentication means, which is used to provide the second terminal of the preceding description based on the authentication information entered in the second terminal of the preceding description Authentication; the second terminal authentication method mentioned above is to issue the authenticated information indicating that the second terminal has been authenticated and send it to the second terminal mentioned above; the second terminal mentioned above is to write the authenticated information before the second terminal. To remember, in the case of reading the previous identification information of the first terminal of the previous note, the input of the previous authentication information is not required, and the previous authentication information is based on the previous authentication information. The system sends pre-recorded identification information. For example, the authentication system described in claim 1 or 2, in which the first terminal of the preamble is to display the image containing the identification information of the preamble during the validity period of the preamble, and the display of the preamble image is stopped after the validity period of the preamble; The second receiving means of the previous note is to receive the previous identification information contained in the second terminal of the previous note when the previous note image displayed in the first terminal of the previous note has been read by the second terminal of the previous note . For example, in the authentication system described in claim 1 or 2, the pre-identification information will be re-acquired if the pre-identification information is re-acquired on the first terminal after the validity period of the pre-indication. For example, the authentication system described in claim 1 or 2, in which the second terminal of the preceding note is an application program that is memorized to use the predetermined service; 2 If the terminal’s preface application program reads the preface identification information of the preface first terminal, the preface first terminal is turned into an authenticated state; if it is not received from the preface second terminal, it means to use the preface second terminal Before you can read the pre-recognition information of the first terminal In the case of recording information, the first terminal in the preceding paragraph will not be turned into an authenticated state, and the second terminal in the preceding paragraph will be connected to the specified website. An authentication method, which is characterized by comprising: an identification information obtaining step, which is used to obtain identification information about a first terminal that has been set with a valid time; and a first receiving step, which is used to receive the first terminal described above The predetermined query sent repeatedly; and the second receiving step is used to receive the prescript from the second terminal of the preamble when the prescript identification information of the first terminal is read by the authenticated second terminal Identification information; and a state control step, which is used to turn the first terminal into an authenticated state based on the previous query received from the first terminal of the previous note and the previous identification information received from the second terminal of the previous note; And the decision step is used to determine the length of the valid period of the previous note based on the conditions in the authentication system. A program product that is used to make the computer perform its functions: the identification information acquisition means is used to obtain the identification information about the first terminal that has been set with a valid time; the first receiving means is used to receive the pre-recorded A predetermined query sent repeatedly by the first terminal; the second receiving means is used to read the previous identification information of the first terminal by the authenticated second terminal, and the second terminal from the previous Receive pre-identification information; The state control means is used to change the first terminal of the previous note into an authenticated state based on the previous query received from the first terminal of the previous note and the previous identification information received from the second terminal of the previous note; It is used to determine the length of the valid period of the previous note based on the status in the authentication system.

Images