TWI772225B - An attendance punch system and method based on FIDO, and computer-readable medium thereof - Google Patents


Info

Publication number
TWI772225B
Authority
TW
Taiwan
Prior art keywords
fido
authentication
punch
terminal device
barcode
Prior art date
Application number
TW110142036A
Other languages
Chinese (zh)
Other versions
TW202320509A (en)
Inventor
陳婉宜
賴弘文
Original Assignee
中華電信股份有限公司
Priority date
Filing date
Publication date
Application filed by 中華電信股份有限公司
Priority to TW110142036A
Application granted
Publication of TWI772225B
Publication of TW202320509A

Landscapes

  • Ticket-Dispensing Machines (AREA)
  • Electrical Discharge Machining, Electrochemical Machining, And Combined Machining (AREA)
  • Time Recorders, Drive Recorders, Access Control (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)

Abstract

The present invention provides an attendance punch system and method based on FIDO (Fast IDentity Online), and a computer-readable medium thereof. The system includes an attendance management device, a FIDO device, a card punch device and at least one mobile device. The mobile device scans a punch barcode on the card punch device and sends a punch authentication request carrying that barcode to the attendance management device, which returns a punch authentication initiation packet to the mobile device; the mobile device then triggers the FIDO authentication process, performs biometric authentication and produces a FIDO authentication packet. The mobile device provides the FIDO authentication packet to the FIDO device for analysis, and when the analysis succeeds the FIDO attendance punch operation is completed. In this way, the present invention combines a FIDO key with biometric authentication to perform the punch operation, preventing others from fraudulently using an employee's identity and thereby improving the company's personnel management efficiency and the security of the attendance punch system.

Description

FIDO-based punch-in system and method, and computer-readable medium thereof

The present invention relates to attendance punch-in technology, and in particular to a FIDO (Fast IDentity Online)-based punch-in system and method, and a computer-readable medium thereof.

In the prior art, companies manage employee attendance with traditional punch clocks or proximity cards. With these methods, however, anyone who obtains another person's punch card or proximity card can punch in under that person's identity.

Other attendance punch-in technologies in the prior art can prevent punching in under a false identity, but they usually raise concerns about infringing on employees' personal data.

Consequently, with the prior art a company cannot effectively determine whether the employee in person is punching in without infringing on employees' personal data, so it cannot effectively manage employee attendance and absence, and many unforeseeable risks arise.

Therefore, how to provide an attendance punch-in mechanism that, without infringing on employees' personal data, confirms that the person punching in is actually the employee, thereby effectively preventing others from punching in under a borrowed identity and improving the company's personnel management efficiency and the security of the punch-in system, has become a pressing problem for the industry.

To solve the above technical problems of the prior art or to provide related effects, the present invention provides a FIDO (Fast IDentity Online)-based punch-in system comprising: a punch device, which displays a first punch barcode; at least one terminal device, which scans the first punch barcode displayed by the punch device and, after scanning it, sends a first punch authentication request carrying the first punch barcode and identification data; a management device, communicatively connected to the terminal device, which on receiving the first punch authentication request confirms whether the first punch barcode in that request is within its validity period and has not been used; and a FIDO device, communicatively connected to the management device, such that when the management device confirms that the first punch barcode is within its validity period and unused, the management device obtains from the FIDO device the credential ID list corresponding to the identification data in the first punch authentication request. The management device generates a punch authentication initiation packet from the credential ID list and transmits it to the terminal device; on receiving the initiation packet, the terminal device triggers the FIDO authentication process and produces a FIDO authentication packet, which it provides via the management device to the FIDO device for parsing. If, after parsing by the FIDO device, the FIDO authentication packet is legitimate, valid and/or correct, the FIDO device notifies the management device and the terminal device to complete the punch-in operation.

The present invention further provides a FIDO-based punch-in method comprising: scanning, by at least one terminal device, a first punch barcode displayed by a punch device, so that after scanning the first punch barcode the terminal device sends a first punch authentication request carrying the first punch barcode and identification data; receiving, by a management device, the first punch authentication request carrying the first punch barcode and the identification data from the terminal device, so that when the management device confirms that the first punch barcode in the request is within its validity period and has not been used, the management device obtains from a FIDO device the credential ID list corresponding to the identification data in the request; and generating, by the management device, a punch authentication initiation packet from the credential ID list and transmitting it to the terminal device, so that on receiving the initiation packet the terminal device triggers the FIDO authentication process and produces a FIDO authentication packet, which the terminal device provides via the management device to the FIDO device for parsing, such that when the FIDO device confirms after parsing that the FIDO authentication packet is legitimate, valid and/or correct, the FIDO device notifies the management device and the terminal device to complete the punch-in operation.

In one embodiment, when the terminal device receives the punch authentication initiation packet and triggers the FIDO authentication process, the terminal device performs biometric authentication; if the biometric authentication succeeds, the terminal device compares the credential ID list in the initiation packet with the bound credential ID of a FIDO private key held in the terminal device, and when the bound credential ID of that FIDO private key does appear in the credential ID list, the terminal device uses that FIDO private key to produce the FIDO authentication packet.

In one embodiment, after the management device receives the FIDO authentication packet from the terminal device, it forwards the packet to the FIDO device, which uses the bound credential ID of the FIDO private key carried in the packet to find the corresponding FIDO public key in its public key store, and then parses the FIDO authentication packet with that FIDO public key via an asymmetric cryptographic algorithm.

In one embodiment, after the management device receives the FIDO authentication packet from the terminal device, it produces an authentication barcode from the packet and returns the authentication barcode to the terminal device, which displays it so that the punch device can scan it.

In one embodiment, after the punch device scans the authentication barcode, it parses the barcode to produce a second punch authentication request carrying the authentication barcode and transmits that request to the management device; once the management device confirms that the authentication barcode in the second punch authentication request is within its validity period and has not been used, the management device restores the authentication barcode into the FIDO authentication packet and transmits it to the FIDO device for parsing.

In one embodiment, the FIDO authentication packet produced by the terminal device further includes the terminal device's location information, so that when the FIDO device notifies the management device that the packet is legitimate, valid and/or correct, the management device uses that location information to determine whether the terminal device is within a permitted area for punching in, and completes the punch-in operation only when it confirms that the terminal device is within the permitted area.

The present invention further provides a computer-readable medium for use in a computer or computing device having a processor and/or memory; the computer or computing device executes a target program and the computer-readable medium through the processor and/or memory, and executing the computer-readable medium performs the FIDO-based punch-in method described above.

As can be seen from the above, the FIDO-based punch-in system, method and computer-readable medium of the present invention rely on a FIDO authentication packet produced by the terminal device with a FIDO key, and on triggering the FIDO authentication process so that the terminal device performs biometric authentication on the user, which explicitly binds and verifies the relationship between the terminal device and the user. Whereas the prior art suffers from the problem of punching in on someone else's behalf, the present invention combines the FIDO key with biometric authentication to perform the punch-in operation and strengthens the security of the authentication flow through the FIDO protocol, achieving identity verification and making the credential non-transferable (it cannot be lent to others), thereby improving the company's personnel management efficiency and the security of the punch-in system.

Reference numerals:
1: FIDO-based punch-in system
10: management device
101: real-name verification module
102: terminal binding module
103: punch authentication module
104: barcode generation module
20: FIDO device
201: FIDO verification module
202: public key store
30: punch device
301: barcode display module
302: barcode scanning module
40: terminal device
S21 to S24: steps
S31 to S37: steps
S41 to S44: steps

FIG. 1 is a schematic diagram of the architecture of the FIDO-based punch-in system of the present invention;

FIG. 2 is a schematic flowchart of the method of binding a terminal device according to the present invention;

FIG. 3 is a schematic flowchart of the punch-in method according to the first embodiment of the present invention; and

FIG. 4 is a schematic flowchart of the punch-in method according to the second embodiment of the present invention.

The following specific embodiments illustrate how the present invention is implemented; those skilled in the art can readily understand other advantages and effects of the present invention from the content disclosed in this specification.

It should be noted that the structures, proportions and sizes shown in the accompanying drawings are provided only to accompany the content disclosed in the specification, for the understanding and reading of those skilled in the art, and are not intended to limit the conditions under which the present invention may be implemented; they therefore carry no substantive technical meaning, and any modification of structure, change of proportion or adjustment of size that does not affect the effects the present invention can produce or the objectives it can achieve still falls within the scope covered by the technical content disclosed herein. Likewise, terms such as "a", "first", "second", "upper" and "lower" used in this specification are only for clarity of description and are not intended to limit the scope in which the present invention may be implemented; changes or adjustments of their relative relationships, without substantive change to the technical content, are regarded as within the scope in which the present invention may be implemented.

FIG. 1 is a schematic diagram of the architecture of the FIDO (Fast IDentity Online)-based punch-in system 1 of the present invention. As shown in FIG. 1, the FIDO-based punch-in system 1 comprises a management device 10, a FIDO device 20, a punch device 30 and at least one terminal device 40. The management device 10 comprises a real-name verification module 101, a terminal binding module 102, a punch authentication module 103 and a barcode generation module 104; the FIDO device 20 comprises a FIDO verification module 201 and a public key store 202; and the punch device 30 comprises a barcode display module 301 and a barcode scanning module 302. The management device 10 is communicatively connected to the FIDO device 20, the punch device 30 and the terminal device 40 over various networks (such as the Internet).

Specifically, the management device 10 and the FIDO device 20 may each be built on electronic equipment with suitable computing capability such as a server (e.g. a general-purpose server, file server or storage server) or a computer, while the punch device 30 may be built on electronic equipment with suitable computing capability such as a single-chip microcontroller, tablet or computer. Each module of the management device 10, the FIDO device 20 and the punch device 30 may be software, hardware or firmware: if hardware, it may be a processing unit, processor, computer or server with data processing and computing capability; if software or firmware, it may comprise instructions executable by a processing unit, processor, computer or server, and the modules may be installed on the same hardware device or distributed across several hardware devices. The terminal device 40 is user A's smartphone, tablet, personal computer or other portable electronic device, but is not limited to these.

FIG. 2 is a schematic flowchart of the method of binding a terminal device according to the present invention, described together with FIG. 1; the method comprises the following steps S21 to S24:

In step S21, the terminal binding module 102 of the management device 10 receives a binding request carrying identification data from a user's terminal device 40. Taking a company employee as the example, the identification data includes, without limitation, the employee's name, employee number or mobile phone number.

In step S22, the real-name verification module 101 of the management device 10 performs real-name verification on the identification data in the binding request sent by the terminal device 40; once the terminal device 40 passes real-name verification, the terminal binding module 102 generates a binding-permitted packet and returns it to the terminal device 40.

In step S23, after receiving the binding-permitted packet from the management device 10, the terminal device 40 triggers the FIDO authentication process and performs biometric authentication on the employee. When biometric authentication succeeds, that is, when it is confirmed that the employee punching in is the person in question, the terminal device 40 generates a FIDO public key and the corresponding FIDO private key and produces a FIDO registration packet.

In one embodiment, the FIDO authentication process may use the FIDO1 or FIDO2 protocol; the FIDO public key and FIDO private key share the same unique bound credential ID (also called the binding credential ID), and the FIDO registration packet contains the identification data encrypted by the terminal device 40 with the FIDO private key, together with the FIDO public key.

In one embodiment, the terminal device 40 performs biometric authentication on the employee using a biometric technology such as fingerprint recognition or face recognition to confirm whether the employee punching in is the person in question; the present invention does not limit the manner in which biometric authentication is performed.

In step S24, the FIDO verification module 201 of the FIDO device 20 receives the FIDO registration packet from the terminal device 40 via the management device 10 and uses the FIDO public key in the packet to parse the encrypted identification data in the packet via an asymmetric cryptographic algorithm. If the FIDO registration packet is legitimate, valid and/or correct, the FIDO verification module 201 stores the FIDO public key, its bound credential ID, the identification data and related information in the public key store 202 of the FIDO device 20, completing the binding of the terminal device 40.

In one embodiment, the public key store 202 records the bound credential ID of the FIDO public key and FIDO private key in a credential ID list for that employee. In other words, an employee may submit binding requests from different terminal devices, and the public key store 202 uses the employee's credential ID list to record the bound credential IDs of the FIDO key pairs generated when the employee binds each different terminal device 40.

In one embodiment, the FIDO verification module 201 parses the FIDO registration packet with an asymmetric cryptographic algorithm based on Elliptic Curve Cryptography (ECC).

FIG. 3 is a schematic flowchart of the punch-in method according to the first embodiment of the present invention, described together with FIG. 1 and FIG. 2; the method comprises the following steps S31 to S37:

In step S31, an employee scans, with a bound terminal device 40, a first punch barcode (such as a one-dimensional or two-dimensional barcode) displayed by the barcode display module 301 of a punch device 30 in order to punch in; this launches an attendance punch-in web page or attendance punch-in application (app) on the terminal device 40, through which a first punch authentication request carrying the first punch barcode and the identification data is sent to the management device 10. The first punch barcode may be, without limitation, a QR code or a PDF417 code.

In step S32, the punch authentication module 103 of the management device 10 receives the first punch authentication request from the terminal device 40 and confirms whether the first punch barcode in the request is within its validity period and has not been used.

In step S33, when the punch authentication module 103 confirms that the first punch barcode in the first punch authentication request is within its validity period and unused, it notifies the barcode generation module 104 of the management device 10 to generate a second punch barcode (such as a one-dimensional or two-dimensional barcode); the second punch barcode may be, without limitation, a QR code or a PDF417 code.

In step S34, the management device 10 transmits the second punch barcode generated by the barcode generation module 104 to the punch device 30, and the barcode display module 301 replaces the first punch barcode with the second one, so that the second punch barcode is now displayed on the punch device 30.

In step S35, the punch authentication module 103 obtains from the public key store 202 of the FIDO device 20 the credential ID list corresponding to the identification data in the first punch authentication request.

In step S36, the punch authentication module 103 generates a punch authentication initiation packet from the credential ID list and transmits it to the terminal device 40; on receiving the initiation packet, the terminal device 40 triggers the FIDO authentication process and performs biometric authentication on the employee. If biometric authentication succeeds, the terminal device 40 compares the credential ID list in the initiation packet against the bound credential ID of the FIDO private key held in the terminal device 40; when the bound credential ID of its FIDO private key appears in the credential ID list, the terminal device 40 uses that FIDO private key to produce a FIDO authentication packet.

In step S37, after the FIDO verification module 201 of the FIDO device 20 receives the FIDO authentication packet from the terminal device 40 via the management device 10, it uses the bound credential ID of the FIDO private key carried in the packet to find the corresponding FIDO public key in the public key store 202, and parses the FIDO authentication packet with that FIDO public key via an asymmetric cryptographic algorithm. If, after parsing, the FIDO authentication packet is legitimate, valid and/or correct, the FIDO verification module 201 notifies the management device 10 to complete the punch-in operation and, through the management device 10, notifies the terminal device 40 that the punch-in operation is complete.

In one embodiment, the FIDO verification module 201 parses the FIDO authentication packet with an asymmetric cryptographic algorithm based on Elliptic Curve Cryptography (ECC).
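The binding flow of steps S21 to S24 and the first-embodiment punch flow of steps S31 to S37 come down to three checks: a punch barcode is accepted only while it is valid and only once, the terminal signs only if its bound credential ID is in the employee's credential ID list, and the FIDO device verifies the signature with the public key stored under that credential ID. The Go program below is an added illustration, not code from the patent or from the assignee; it merges the management device and the FIDO device into one `Backend` struct for brevity, uses ECDSA over P-256 as the ECC algorithm, and assumes the credential ID format and the challenge contents, neither of which the patent specifies, with the real-name check (S22) and the biometric prompt (S23, S36) taken as already passed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"slices"
	"time"
)

// Backend holds what the patent splits across management device 10 and FIDO device 20: the public-key
// store 202 keyed by credential ID, each employee's credential ID list, and the expiry of issued barcodes.
type Backend struct {
	pubKeys    map[string]*ecdsa.PublicKey
	byEmployee map[string][]string
	expiry     map[string]time.Time // barcode payload -> expiry; the entry is deleted once consumed
}

func NewBackend() *Backend {
	return &Backend{map[string]*ecdsa.PublicKey{}, map[string][]string{}, map[string]time.Time{}}
}

// Terminal is device 40 after its biometric check passed: the FIDO private key and its credential ID.
type Terminal struct {
	credID string
	priv   *ecdsa.PrivateKey
}

func randHex(n int) string {
	b := make([]byte, n)
	_, _ = rand.Read(b) // crypto/rand.Read is documented never to fail on Go 1.24+
	return hex.EncodeToString(b)
}

// Register is the binding of S23/S24: generate a P-256 key pair and store the public key under a
// fresh credential ID in the employee's list. A random 16-byte ID is an assumption (patent: unique).
func (t *Terminal) Register(b *Backend, employeeID string) error {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return err
	}
	t.priv, t.credID = priv, randHex(16)
	b.pubKeys[t.credID] = &priv.PublicKey
	b.byEmployee[employeeID] = append(b.byEmployee[employeeID], t.credID)
	return nil
}

// IssueBarcode returns the payload of a fresh punch barcode (device 30 renders it as QR/PDF417).
func (b *Backend) IssueBarcode(expiresAt time.Time) string {
	code := randHex(16)
	b.expiry[code] = expiresAt
	return code
}

// consumeBarcode is the S32/S43 check: a barcode is accepted once, and only before it expires.
func (b *Backend) consumeBarcode(code string, now time.Time) error {
	exp, ok := b.expiry[code]
	if !ok {
		return errors.New("barcode unknown or already used")
	}
	delete(b.expiry, code) // mark it used before anything else happens
	if now.After(exp) {
		return errors.New("barcode expired")
	}
	return nil
}

// Sign is the terminal side of S36: it signs the challenge only if its bound credential ID appears
// in the credential ID list carried by the punch authentication initiation packet.
func (t *Terminal) Sign(credList []string, challenge []byte) (credID string, sig []byte, err error) {
	if !slices.Contains(credList, t.credID) {
		return "", nil, errors.New("terminal credential not in employee's credential list")
	}
	h := sha256.Sum256(challenge)
	sig, err = ecdsa.SignASN1(rand.Reader, t.priv, h[:])
	return t.credID, sig, err
}

// Punch runs the first embodiment (S31-S37) for one scanned barcode at time now. Using the barcode
// plus a random nonce as the signed challenge is an assumption; the patent leaves packet contents open.
func Punch(b *Backend, t *Terminal, employeeID, barcode string, now time.Time) error {
	if err := b.consumeBarcode(barcode, now); err != nil { // S32: within validity and never used
		return err
	}
	challenge := []byte(barcode + randHex(32))
	credID, sig, err := t.Sign(b.byEmployee[employeeID], challenge) // S35 list lookup, S36 signing
	if err != nil {
		return err
	}
	pub, ok := b.pubKeys[credID] // S37: public key by credential ID, then ECC signature check
	h := sha256.Sum256(challenge)
	if !ok || !ecdsa.VerifyASN1(pub, h[:], sig) {
		return errors.New("FIDO authentication packet rejected")
	}
	return nil
}
```

A replayed or expired barcode fails at `consumeBarcode`, and a terminal bound to a different employee fails at `Sign` even though its key is in the store, which is the property the credential ID list exists to enforce.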

FIG. 4 is a schematic flowchart of the punch-in method according to the second embodiment of the present invention, described together with FIGS. 1 to 3. Aspects of the second embodiment that are the same as in the first embodiment are not repeated here.

In this embodiment, steps S31 to S36 are performed in the same way as in the first embodiment; after the terminal device 40 has produced a FIDO authentication packet with its FIDO private key, the second embodiment carries out the punch-in operation with the following method flow, which comprises steps S41 to S44:

In step S41, the punch authentication module 103 of the management device 10 receives the FIDO authentication packet from the terminal device 40, and the barcode generation module 104 of the management device 10 produces an authentication barcode (such as a one-dimensional or two-dimensional barcode) from the FIDO authentication packet; the management device 10 returns the authentication barcode to the terminal device 40 through an attendance punch-in web page or attendance punch-in application, and the authentication barcode is then displayed on the terminal device 40. The authentication barcode may be, without limitation, a QR code or a PDF417 code.

In step S42, the barcode scanning module 302 of the punch-in device 30 scans the authentication barcode shown on the terminal device 40, parses it to produce a second punch-in authentication request carrying the authentication barcode, and transmits the second punch-in authentication request to the punch-in authentication module 103 of the management device 10.

In step S43, the punch-in authentication module 103 checks whether the authentication barcode in the second punch-in authentication request is still within its validity period and has not been used before. Only when both conditions hold does the punch-in authentication module 103 restore the authentication barcode to the FIDO authentication packet and forward the FIDO authentication packet to the FIDO device 20.

In step S44, the FIDO verification module 201 uses the binding credential identifier of the FIDO private key carried in the FIDO authentication packet to look up the corresponding FIDO public key in the public key store 202, and verifies (parses) the FIDO authentication packet with that FIDO public key through the asymmetric cryptographic algorithm. If the FIDO authentication packet proves legitimate, valid and/or correct, the FIDO verification module 201 notifies the management device 10 to complete the punch-in operation, and the management device 10 in turn notifies the terminal device 40 that the punch-in operation is complete.

In another embodiment, the FIDO authentication packet generated by the terminal device 40 further includes positioning information of the terminal device 40, such as the latitude and longitude of its geographic coordinates. When the FIDO verification module 201 of the FIDO device 20 notifies the punch-in authentication module 103 of the management device 10 that the FIDO authentication packet is legitimate, valid and/or correct, the punch-in authentication module 103 uses the positioning information in the packet to determine whether the terminal device 40 is performing the punch-in within a permitted area. The punch-in operation is completed only when the punch-in authentication module 103 confirms that the terminal device 40 is within a permitted area.
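The geofence decision described above, as an added Go example that is not part of the patent or of any product of the applicant: the management device takes the latitude and longitude from an already verified FIDO authentication packet and checks it against a list of permitted areas. The `Site`, `Location` and `CheckLocation` names, the radius-based area model and the sample coordinates are all assumptions made for this example; the patent only says the device judges whether the terminal is within a permitted area.

```go
package main

import (
	"errors"
	"math"
)

// Site is one permitted punch-in area: a centre in WGS-84 degrees and a radius
// in metres. The area model (centre + radius) is an assumption of this example.
type Site struct {
	Name     string
	Lat, Lon float64
	RadiusM  float64
}

// Location is the positioning information carried in the FIDO authentication
// packet (latitude and longitude of the terminal device).
type Location struct{ Lat, Lon float64 }

var (
	ErrInvalidCoordinate = errors.New("latitude or longitude out of range")
	ErrOutsideAllowed    = errors.New("terminal device is outside every permitted area")
)

// haversineM returns the great-circle distance in metres between two points.
func haversineM(a, b Location) float64 {
	const earthRadiusM = 6371000.0
	rad := func(deg float64) float64 { return deg * math.Pi / 180 }
	dLat, dLon := rad(b.Lat-a.Lat), rad(b.Lon-a.Lon)
	h := math.Sin(dLat/2)*math.Sin(dLat/2) +
		math.Cos(rad(a.Lat))*math.Cos(rad(b.Lat))*math.Sin(dLon/2)*math.Sin(dLon/2)
	return 2 * earthRadiusM * math.Asin(math.Sqrt(h))
}

// CheckLocation is the management device's decision after the FIDO device has
// reported the packet valid: it returns the name of the permitted area that
// contains the terminal, or an error. NaN and out-of-range values are rejected
// up front rather than relying on how they happen to compare in the distance test.
func CheckLocation(loc Location, sites []Site) (string, error) {
	if math.IsNaN(loc.Lat) || math.IsNaN(loc.Lon) ||
		loc.Lat < -90 || loc.Lat > 90 || loc.Lon < -180 || loc.Lon > 180 {
		return "", ErrInvalidCoordinate
	}
	for _, s := range sites {
		if haversineM(loc, Location{s.Lat, s.Lon}) <= s.RadiusM {
			return s.Name, nil
		}
	}
	return "", ErrOutsideAllowed
}

// SampleSites are constructed example areas, not real office locations.
var SampleSites = []Site{
	{Name: "head-office", Lat: 25.0478, Lon: 121.5170, RadiusM: 150},
	{Name: "branch-a", Lat: 24.1477, Lon: 120.6736, RadiusM: 100},
}
```

Because the location travels inside the packet the FIDO device has just verified, the management device can trust that it was produced by the bound terminal; the check here only decides whether that trusted position is acceptable, and fails closed on anything it cannot interpret.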

The present invention further discloses a computer-readable medium for use in a computing device or computer having a processor (for example a CPU or GPU) and/or memory. The medium stores instructions, and when the computing device or computer executes them through its processor and/or memory, the methods and steps described above are carried out.

The following example describes an embodiment in which the present invention actually performs a FIDO attendance punch-in operation, with reference to FIGS. 1 to 4.

In this embodiment, an employee scans the QR code (the first punch-in barcode) displayed on the punch-in device 30 with an already bound smartphone (the terminal device 40) to perform the FIDO attendance punch-in. After scanning the QR code, the employee's smartphone launches a browser app (such as Google Chrome or Safari) to display an attendance punch-in web page, or launches an attendance punch-in application already installed on the smartphone. Through that web page or application, the smartphone sends the management device 10 a first punch-in authentication request containing the QR code and the employee's identification data.

After receiving the first punch-in authentication request from the employee's smartphone, the management device 10 checks whether the QR code in the request is within its validity period and has not been used. If so, the management device 10 uses the employee's identification data in the first punch-in authentication request to obtain, from the public key store 202 of the FIDO device 20, the list of credential identifiers that corresponds to that identification data.

The management device 10 then generates an initiating punch-in authentication packet from the employee's credential identifier list and sends it to the employee's smartphone, which triggers the FIDO authentication flow: the smartphone performs biometric authentication of the employee, such as fingerprint or face recognition. If the biometric authentication succeeds, the smartphone compares the credential identifier list in the initiating punch-in authentication packet against the binding credential identifier of the FIDO private key held on the smartphone, and when that binding credential identifier appears in the list, the smartphone uses the FIDO private key to generate a FIDO authentication packet.

In one embodiment, after the FIDO device 20 receives the FIDO authentication packet from the employee's smartphone, it uses the binding credential identifier of the FIDO private key in the packet to look up the corresponding FIDO public key in the public key store 202, and then verifies the FIDO authentication packet with that public key through an asymmetric cryptographic algorithm based on Elliptic Curve Cryptography (ECC). If the packet proves legitimate, valid and/or correct, the FIDO device 20 notifies the management device 10 and the employee's smartphone that the FIDO attendance punch-in operation is complete.

In another embodiment, the management device 10 generates an authentication QR code (the authentication barcode) from the FIDO authentication packet and returns it through the attendance punch-in web page or application on the employee's smartphone, so that the authentication QR code is displayed on the smartphone. The employee holds the smartphone up to the punch-in device 30, which scans and parses the authentication QR code, generates a second punch-in authentication request carrying it, and transmits the second punch-in authentication request to the management device 10.

Next, once the management device 10 has confirmed that the authentication QR code in the second punch-in authentication request is within its validity period and has not been used, it restores the authentication QR code to the FIDO authentication packet and forwards the packet to the FIDO device 20, which verifies it.

In summary, the FIDO-based punch-in system, method and computer-readable medium of the present invention use a FIDO authentication packet generated by the terminal device with its FIDO key, and trigger the FIDO authentication flow so that the terminal device performs biometric authentication of the user. The relationship between the terminal device and the user is thereby explicitly bound and verified. Whereas conventional techniques allow punching in on another person's behalf, the present invention effectively prevents a user from punching in under someone else's identity, and further improves the company's personnel management efficiency and the security of the punch-in system.

The FIDO-based punch-in system, method and computer-readable medium of the present invention further offer the following advantages or technical effects.

1. The present invention solves the proxy-punching problem of traditional time clocks and proximity-card punch-in by combining a FIDO key with biometric authentication on a mobile device (such as a smartphone) to perform the FIDO attendance punch-in. This strengthens the security of the authentication flow, achieving identity verification and non-transferability: the credential cannot be lent to or misused by others.

2. With the EU General Data Protection Regulation (GDPR) in mind, the present invention takes users' personal data into account: as described above, it does not store the user's private biometric features on any third-party system. This reduces users' concerns about using it, and the company need not expend effort guarding employees' biometric information against leakage, which avoids added operating costs and personal data problems.

3. The present invention lets employees perform the FIDO attendance punch-in directly on their own mobile device (such as a smartphone) without installing additional applications or purchasing special hardware. Moreover, the punch-in device itself can be built from a smart device (a smartphone or tablet), so the company avoids extra cost in deploying the punch-in system and is more willing to deploy one.

4. Without violating the principles of the FIDO protocol, the present invention splits the FIDO protocol's network communication flow into stages, presents barcodes on the punch-in device and the mobile device (such as a smartphone), and continues the flow by scanning those barcodes, thereby preventing others from punching in under a false identity. The present invention can also be applied to online login, physical access control, and fast real-name identity verification for clearance.

The embodiments above merely illustrate the principles and effects of the present invention and are not intended to limit it. Any person skilled in the art may modify and change the embodiments above without departing from the spirit and scope of the present invention. The scope of protection of the present invention shall therefore be as set out in the claims.

1: FIDO-based punch-in system

10: management device

101: real-name verification module

102: terminal binding module

103: punch-in authentication module

104: barcode generation module

20: FIDO device

201: FIDO verification module

202: public key store

30: punch-in device

301: barcode display module

302: barcode scanning module

40: terminal device

Claims (13)

1. A FIDO (Fast IDentity Online)-based punch-in system, comprising: a punch-in device that displays a first punch-in barcode; at least one terminal device that scans the first punch-in barcode displayed by the punch-in device and, after scanning it, issues a first punch-in authentication request carrying the first punch-in barcode and identification data; a management device communicatively connected to the terminal device, which, on receiving the first punch-in authentication request, confirms whether the first punch-in barcode in that request is within its validity period and has not been used; and a FIDO device communicatively connected to the management device, such that when the management device confirms that the first punch-in barcode is within its validity period and has not been used, the management device obtains from the FIDO device, according to the identification data in the first punch-in authentication request, a list of credential identifiers corresponding to that identification data; wherein the management device generates an initiating punch-in authentication packet according to the list of credential identifiers and transmits it to the terminal device, so that when the terminal device receives the initiating punch-in authentication packet a FIDO authentication flow is triggered and the terminal device generates a FIDO authentication packet, which the terminal device provides to the FIDO device through the management device for verification; and if, after verification by the FIDO device, the FIDO authentication packet is legitimate, valid and/or correct, the FIDO device notifies the management device and the terminal device to complete the punch-in operation.

2. The FIDO-based punch-in system of claim 1, wherein, when the terminal device receives the initiating punch-in authentication packet and the FIDO authentication flow is triggered, the terminal device performs biometric authentication; if the biometric authentication succeeds, the terminal device compares the list of credential identifiers in the initiating punch-in authentication packet with the binding credential identifier of a FIDO private key held in the terminal device, and when the binding credential identifier of the FIDO private key is found to appear in the list of credential identifiers, the terminal device generates the FIDO authentication packet with the FIDO private key.

3. The FIDO-based punch-in system of claim 1, wherein, after the management device receives the FIDO authentication packet from the terminal device, the management device transmits the FIDO authentication packet to the FIDO device, the FIDO device looks up the corresponding FIDO public key in its public key store according to the binding credential identifier of the FIDO private key in the FIDO authentication packet, and the FIDO device then verifies the FIDO authentication packet with the FIDO public key through an asymmetric cryptographic algorithm.

4. The FIDO-based punch-in system of claim 1, wherein, after the management device receives the FIDO authentication packet from the terminal device, the management device generates an authentication barcode according to the FIDO authentication packet and returns the authentication barcode to the terminal device for display on the terminal device, so that the punch-in device can scan the authentication barcode.

5. The FIDO-based punch-in system of claim 4, wherein, after the punch-in device scans the authentication barcode, the punch-in device parses the authentication barcode to generate a second punch-in authentication request carrying the authentication barcode and transmits the second punch-in authentication request to the management device; and after the management device confirms that the authentication barcode in the second punch-in authentication request is within its validity period and has not been used, the management device restores the authentication barcode to the FIDO authentication packet and transmits the FIDO authentication packet to the FIDO device for verification.

6. The FIDO-based punch-in system of claim 1, wherein the FIDO authentication packet generated by the terminal device further includes positioning information of the terminal device, so that when the FIDO device notifies the management device that the FIDO authentication packet is legitimate, valid and/or correct, the management device determines from the positioning information of the terminal device in the FIDO authentication packet whether the terminal device is within a permitted area and, if so, carries out the punch-in operation.

7. A FIDO (Fast IDentity Online)-based punch-in method, comprising: scanning, by at least one terminal device, a first punch-in barcode displayed by a punch-in device, so that after the terminal device scans the first punch-in barcode, the terminal device issues a first punch-in authentication request carrying the first punch-in barcode and identification data; receiving the first punch-in authentication request by a management device, so that when the management device confirms that the first punch-in barcode in the first punch-in authentication request is within its validity period and has not been used, the management device obtains from a FIDO device, according to the identification data in the first punch-in authentication request, a list of credential identifiers corresponding to that identification data; and generating, by the management device, an initiating punch-in authentication packet according to the list of credential identifiers, and transmitting the initiating punch-in authentication packet from the management device to the terminal device, so that when the terminal device receives the initiating punch-in authentication packet a FIDO authentication flow is triggered and the terminal device generates a FIDO authentication packet, which the terminal device provides to the FIDO device through the management device for verification; and when the FIDO device confirms after verification that the FIDO authentication packet is legitimate, valid and/or correct, the FIDO device notifies the management device and the terminal device to complete the punch-in operation.

8. The FIDO-based punch-in method of claim 7, further comprising: when the terminal device receives the initiating punch-in authentication packet and the FIDO authentication flow is triggered, performing biometric authentication by the terminal device, wherein if the biometric authentication succeeds, the terminal device compares the list of credential identifiers in the initiating punch-in authentication packet with the binding credential identifier of a FIDO private key held in the terminal device, and when the binding credential identifier of the FIDO private key is found to appear in the list of credential identifiers, the terminal device generates the FIDO authentication packet with the FIDO private key.

9. The FIDO-based punch-in method of claim 7, further comprising: after the management device receives the FIDO authentication packet from the terminal device, transmitting the FIDO authentication packet from the management device to the FIDO device, so that the FIDO device looks up the corresponding FIDO public key in its public key store according to the binding credential identifier of the FIDO private key in the FIDO authentication packet and verifies the FIDO authentication packet with the FIDO public key through an asymmetric cryptographic algorithm.

10. The FIDO-based punch-in method of claim 7, further comprising: after the management device receives the FIDO authentication packet from the terminal device, generating, by the management device, an authentication barcode according to the FIDO authentication packet and returning the authentication barcode to the terminal device for display on the terminal device, so that the punch-in device can scan the authentication barcode.

11. The FIDO-based punch-in method of claim 10, further comprising: after the punch-in device scans the authentication barcode, parsing the authentication barcode by the punch-in device to generate a second punch-in authentication request carrying the authentication barcode and transmitting the second punch-in authentication request to the management device; and after the management device confirms that the authentication barcode in the second punch-in authentication request is within its validity period and has not been used, restoring, by the management device, the authentication barcode to the FIDO authentication packet and transmitting the FIDO authentication packet to the FIDO device for verification.

12. The FIDO-based punch-in method of claim 7, wherein the FIDO authentication packet generated by the terminal device further includes positioning information of the terminal device, so that when the FIDO device notifies the management device that the FIDO authentication packet is legitimate, valid and/or correct, the management device determines from the positioning information of the terminal device in the FIDO authentication packet whether the terminal device is within a permitted area and, if so, carries out the punch-in operation.

13. A computer-readable medium for use in a computing device or computer, storing instructions for performing the FIDO-based punch-in method of any one of claims 7 to 12.
TW110142036A 2021-11-11 2021-11-11 An attendance punch system and method based on fido, and computer-readable medium thereof TWI772225B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
TW110142036A TWI772225B (en) 2021-11-11 2021-11-11 An attendance punch system and method based on fido, and computer-readable medium thereof

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
TW110142036A TWI772225B (en) 2021-11-11 2021-11-11 An attendance punch system and method based on fido, and computer-readable medium thereof

Publications (2)

Publication Number Publication Date
TWI772225B true TWI772225B (en) 2022-07-21
TW202320509A TW202320509A (en) 2023-05-16

Family

ID=83439827

Family Applications (1)

Application Number Title Priority Date Filing Date
TW110142036A TWI772225B (en) 2021-11-11 2021-11-11 An attendance punch system and method based on fido, and computer-readable medium thereof

Country Status (1)

Country Link
TW (1) TWI772225B (en)

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
TWI495321B (en) * 2012-06-28 2015-08-01 Chunghwa Telecom Co Ltd Qr code authentication system combining dynamic passwords and method thereof
TWM547146U (en) * 2017-06-07 2017-08-11 Dong Ya International Beauty Business Co Ltd Punch-in system for chain franchise
TW201743248A (en) * 2016-06-08 2017-12-16 xin feng Li Attendance system and method using two-dimensional bar codes and a computer program product thereof timely provides the attendance of employees and provides convenient processing at the end of each month for calculation
CN110070636A (en) * 2019-04-23 2019-07-30 安徽致远慧联电子科技有限公司 Work attendance management system and management method based on all-purpose card two dimensional code
US20190273607A1 (en) * 2017-11-15 2019-09-05 Alexander J.M. VAN DER VELDEN System for digital identity authentication and methods of use
TWM592121U (en) * 2019-11-27 2020-03-11 臺灣銀行股份有限公司 Online smart phone check-in confirmation device
TWM606867U (en) * 2020-09-26 2021-01-21 臺灣網路認證股份有限公司 System for enabling digital certificate with certificate mechanism of online fast authentication

Patent Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
TWI495321B (en) * 2012-06-28 2015-08-01 Chunghwa Telecom Co Ltd Qr code authentication system combining dynamic passwords and method thereof
TW201743248A (en) * 2016-06-08 2017-12-16 xin feng Li Attendance system and method using two-dimensional bar codes and a computer program product thereof timely provides the attendance of employees and provides convenient processing at the end of each month for calculation
TWM547146U (en) * 2017-06-07 2017-08-11 Dong Ya International Beauty Business Co Ltd Punch-in system for chain franchise
US20190273607A1 (en) * 2017-11-15 2019-09-05 Alexander J.M. VAN DER VELDEN System for digital identity authentication and methods of use
CN110070636A (en) * 2019-04-23 2019-07-30 安徽致远慧联电子科技有限公司 Work attendance management system and management method based on all-purpose card two dimensional code
TWM592121U (en) * 2019-11-27 2020-03-11 臺灣銀行股份有限公司 Online smart phone check-in confirmation device
TWM606867U (en) * 2020-09-26 2021-01-21 臺灣網路認證股份有限公司 System for enabling digital certificate with certificate mechanism of online fast authentication

Also Published As

Publication number Publication date
TW202320509A (en) 2023-05-16

Similar Documents

Publication Publication Date Title
JP6768960B2 (en) 2D barcode processing methods, devices, and systems
US20210314174A1 (en) System and method for verifying an identity of a user using a cryptographic challenge based on a cryptographic operation
CN106688004B (en) Transaction authentication method and device, mobile terminal, POS terminal and server
CN110462658A (en) For providing system and method for the digital identity record to verify the identity of user
TW201741922A (en) Biological feature based safety certification method and device
JP2007108973A (en) Authentication server device, authentication system and authentication method
KR20120070079A (en) User authenication system by using personal identification number, user terminal device, inquiry apparatus, authenication server, and user authenication method therefor
KR20070084801A (en) Creating and authenticating one time password using smartcard and the smartcard therefor
AU2020329197A1 (en) Systems and methods for use in provisioning tokens associated with digital identities
CN108512660B (en) Virtual card verification method
TWI666565B (en) Identity authentication system and method thereof
WO2017076202A1 (en) Smart card, mobile terminal, and method for using smart card to implement network identity authentication
TWM589842U (en) Mobile trading desk with real-name phone
KR102336416B1 (en) A system and method for logging in to a website through identification of the mobile phone by combining the website ID and password with a mobile phone number and entering the mobile phone number on the website
US20230394179A1 (en) Information processing apparatus, information processing method, and non-transitory computer-readable storage medium
JP2006155547A (en) Individual authentication system, terminal device and server
CN102938116A (en) Full-link protection and management method for ensuring safety of transaction
TWI772225B (en) An attendance punch system and method based on fido, and computer-readable medium thereof
US20160342996A1 (en) Two-factor authentication method
CN105429986B (en) A kind of system of genuine cyber identification verifying and secret protection
KR20140063256A (en) Payment method and system
Jacob et al. QR based Card-less ATM Transactions
CN111489211A (en) Billing processing method, billing processing device and billing processing medium
TWM595276U (en) Paying system using quick response code to verify user identity
JP2005275923A (en) Individual authentication method at the time of card settlement, individual authentication system at the time of card settlement, shop information processing system, credit-card company information processing system, portable terminal, and program therefor