TWM642404U - System for identity verification applied to financial system - Google Patents

System for identity verification applied to financial system Download PDF

Info

Publication number
TWM642404U
TWM642404U TW112200425U TW112200425U TWM642404U TW M642404 U TWM642404 U TW M642404U TW 112200425 U TW112200425 U TW 112200425U TW 112200425 U TW112200425 U TW 112200425U TW M642404 U TWM642404 U TW M642404U
Authority
TW
Taiwan
Prior art keywords
verification
financial
user device
background
information
Prior art date
Application number
TW112200425U
Other languages
Chinese (zh)
Inventor
楊吉閔
蔡佳縈
林昭君
劉明昀
徐忠瑜
李志鴻
陳怡君
賴冠廷
許素雯
林恒茂
徐琡雅
袁育婷
Original Assignee
玉山商業銀行股份有限公司
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 玉山商業銀行股份有限公司 filed Critical 玉山商業銀行股份有限公司
Priority to TW112200425U priority Critical patent/TWM642404U/en
Publication of TWM642404U publication Critical patent/TWM642404U/en

Links

Images

Abstract

A system for identity verification applied to a financial system is provided. The system provides a financial machine back-end server and a user device back-end server that provides verification service for a user device. A verification process is initiated by a financial machine for verifying a permission that allows the user device to perform a financial service. The financial machine generates a verification service request. The financial machine back-end server asks the user device back-end server to generate a verification data after receiving the request. The user device back-end server generates the verification data and forwards the verification data to the financial machine via the financial machine back-end server. The user device obtains the verification data from the financial machine, and then transmits to the user device back-end server for verification. The user device is allowed to perform the financial service if the verification is successful.

Description

應用於金融系統的身份驗證系統Identity verification system applied to financial system

說明書公開一種使用不同裝置進行特定金融服務驗證的技術,特別是一種利用金融資訊機進行跨裝置驗證的身份驗證系統。The description discloses a technology for using different devices to verify specific financial services, especially an identity verification system for cross-device verification using a financial information machine.

在金融科技推波助瀾下,讓民眾更方便地執行各種金融服務,隨之而來的就是加入各種資訊安全的技術,包括各種身份驗證的技術也發展出來。常見的是當使用者要進行特定金融服務時,除了傳統的密碼帳號外,還會要求進行使用者裝置的二次驗證服務,例如存取金融服務的銀行網站會要求使用者註冊時的手機號碼電信服務商進行一次式密碼(OTP)的驗證,讓使用者可以此具有時間限制的一次式密碼驗證自己的身份後,取得金融服務。Fueled by financial technology, it is easier for the public to perform various financial services, followed by the addition of various information security technologies, including the development of various identity verification technologies. It is common that when a user wants to perform a specific financial service, in addition to the traditional password account, a second verification service of the user's device is also required. For example, the bank website for accessing financial services will require the user's mobile phone number when registering Telecom service providers conduct one-time password (OTP) verification, allowing users to obtain financial services after verifying their identity with this time-limited one-time password.

為了要通過一跨裝置驗證以提供更安全的金融服務,揭露書提出一種身份驗證系統,身份驗證系統提出一金融資訊機後台,為以一電腦系統實現針對設於各處的金融資訊機的後台管理伺服器,設於金融系統中,以提供金融資訊機的信息往來的服務,以及一使用者裝置後台,為使用者裝置的後台,連接服務使用者裝置的資料庫,用於提供使用者裝置取得金融服務的驗證服務。In order to provide more secure financial services through a cross-device verification, the disclosure document proposes an identity verification system. The identity verification system proposes a financial information machine background, which is to realize the background of financial information machines located in various places with a computer system. The management server is installed in the financial system to provide the information exchange service of the financial information machine, and a user device background, which is the background of the user device, connected to the database serving the user device, and used to provide the user device Get authentication services for financial services.

在身份驗證系統執行的身份驗證方法中,主要流程包括通過金融資訊機啟動一驗證流程,用於驗證是否允許使用者裝置執行特定金融服務,金融資訊機即產生一請求驗證服務的信息至金融資訊機後台。接著,金融資訊機後台向使用者裝置後台要求產生一驗證資訊,即由使用者裝置後台產生驗證資訊,再將驗證資訊回傳至金融資訊機後台,再轉送至金融資訊機。In the identity verification method implemented by the identity verification system, the main process includes starting a verification process through the financial information machine to verify whether the user device is allowed to perform a specific financial service, and the financial information machine generates a message requesting the verification service to the financial information machine background. Then, the background of the financial information machine requests the background of the user device to generate verification information, that is, the background of the user device generates verification information, and then sends the verification information back to the background of the financial information machine, and then forwards it to the financial information machine.

之後,使用者操作使用者裝置自金融資訊機取得驗證資訊,再傳送至使用者裝置後台,由使用者裝置後台比對接收的驗證資訊以及根據金融資訊機後台要求所產生的驗證資訊,產生一驗證結果,當驗證結果為驗證成功,通知使用者裝置執行金融服務。Afterwards, the user operates the user device to obtain verification information from the financial information machine, and then sends it to the background of the user device, and the background of the user device compares the received verification information with the verification information generated according to the background requirements of the financial information machine to generate a The verification result, when the verification result is successful, the user device is notified to execute the financial service.

優選地,使用者使用可識別身份的金融卡片插入至金融資訊機,以啟動驗證流程。Preferably, the user inserts an identifiable financial card into the financial information machine to start the verification process.

進一步地,金融資訊機通過金融卡片取得使用者識別資料,使用者識別資料即隨同請求驗證服務的信息傳送至金融資訊機後台,再傳遞至使用者裝置後台,使得使用者裝置後台能根據使用者識別資料驗證所接收的驗證資訊。Furthermore, the financial information machine obtains the user identification data through the financial card, and the user identification data is sent to the background of the financial information machine along with the information requesting the verification service, and then to the background of the user device, so that the background of the user device can The verification information received by the identification data verification.

優選地,金融資訊機可自金融卡片或使用者裝置的無線訊號接收使用者識別資料,使用者識別資料隨同請求驗證服務的信息傳送至金融資訊機後台,並傳遞至使用者裝置後台,使得使用者裝置後台能根據使用者識別資料驗證所接收的驗證資訊。Preferably, the financial information machine can receive user identification data from the financial card or the wireless signal of the user device, and the user identification data is sent to the background of the financial information machine along with the information requesting the verification service, and then transmitted to the background of the user device, so that the user can use Or the background of the device can verify the received verification information according to the user identification data.

優選地,使用者裝置可通過二維條碼、推播信息、近場通訊信息或簡訊取得驗證資訊。進一步地,可於金融資訊機的螢幕上顯示二維條碼,或以一射頻信號傳遞近場通訊信息,使執行於使用者裝置中的應用程式接收驗證資訊。Preferably, the user device can obtain the verification information through a two-dimensional barcode, push information, near field communication information or short message. Furthermore, a two-dimensional barcode can be displayed on the screen of the financial information machine, or a radio frequency signal can be used to transmit near field communication information, so that the application program running in the user device can receive the verification information.

進一步地,所述應用程式可為安裝於使用者裝置中的網路銀行或行動銀行應用程式,提供選擇要執行的金融服務,金融服務包括需要通過特定交易安全設計的身份驗證的服務。Further, the application program can be an online banking or mobile banking application program installed in the user's device, providing financial services to be selected for execution, and the financial services include services that require authentication through a specific transaction security design.

進一步地,使用者裝置後台產生驗證資訊的方法包括,先以一亂數產生器產生具有時效性的第一亂數與第二亂數,以儲存裝置儲存第二亂數以及自金融資訊機後台取得的使用者識別資料,接著基於第一亂數與一固定字串,以一雜湊演算法演算一雜湊值,再基於使用者識別資料、雜湊值以及第二亂數,以一密碼演算法演算一次式密碼,此一次式密碼與第一亂數即形成驗證資訊。Further, the method for generating verification information in the background of the user device includes firstly generating a time-sensitive first random number and a second random number with a random number generator, storing the second random number with a storage device, and generating the second random number from the background of the financial information machine. The obtained user identification data, then based on the first random number and a fixed word string, a hash value is calculated by a hash algorithm, and then based on the user identification data, the hash value and the second random number, a cryptographic calculation is performed One-time password, the one-time password and the first random number form verification information.

進一步地,當使用者裝置後台自使用者裝置接收驗證資訊時,將從此驗證資訊取得一次式密碼與第一亂數,再從儲存裝置中取得對應本次驗證程序的第二亂數與使用者識別資料,再次演算用於驗證的另一雜湊值,可稱第二雜湊值,並再次基於使用者識別資料、第二雜湊值與第二亂數,以密碼演算法再次演算用於驗證的一次式密碼,可稱第二一次式密碼,用於驗證自使用者裝置接收的一次式密碼。Further, when the background of the user device receives the verification information from the user device, it will obtain the one-time password and the first random number from the verification information, and then obtain the second random number corresponding to the verification procedure and the user password from the storage device. The identification data, another hash value used for verification is calculated again, which can be called the second hash value, and based on the user identification data, the second hash value and the second random number, the first hash value used for verification is calculated again with a cryptographic algorithm A one-time password, which may be called a second one-time password, is used to verify the one-time password received from the user device.

為使能更進一步瞭解本新型的特徵及技術內容,請參閱以下有關本新型的詳細說明與圖式,然而所提供的圖式僅用於提供參考與說明,並非用來對本新型加以限制。In order to further understand the features and technical content of the present invention, please refer to the following detailed description and drawings related to the present invention. However, the provided drawings are only for reference and description, and are not intended to limit the present invention.

以下是通過特定的具體實施例來說明本創作的實施方式,本領域技術人員可由本說明書所公開的內容瞭解本創作的優點與效果。本創作可通過其他不同的具體實施例加以施行或應用,本說明書中的各項細節也可基於不同觀點與應用,在不悖離本創作的構思下進行各種修改與變更。另外,本創作的附圖僅為簡單示意說明,並非依實際尺寸的描繪,事先聲明。以下的實施方式將進一步詳細說明本創作的相關技術內容,但所公開的內容並非用以限制本創作的保護範圍。The implementation of the invention is described below through specific specific examples, and those skilled in the art can understand the advantages and effects of the invention from the content disclosed in this specification. This creation can be implemented or applied through other different specific embodiments, and the details in this specification can also be modified and changed based on different viewpoints and applications without departing from the idea of this creation. In addition, the drawings of this creation are only for simple illustration, not according to the actual size of the depiction, prior statement. The following embodiments will further describe the relevant technical content of this creation in detail, but the disclosed content is not intended to limit the protection scope of this creation.

應當可以理解的是,雖然本文中可能會使用到“第一”、“第二”、“第三”等術語來描述各種元件或者信號,但這些元件或者信號不應受這些術語的限制。這些術語主要是用以區分一元件與另一元件,或者一信號與另一信號。另外,本文中所使用的術語“或”,應視實際情況可能包括相關聯的列出項目中的任一個或者多個的組合。It should be understood that although terms such as "first", "second", and "third" may be used herein to describe various elements or signals, these elements or signals should not be limited by these terms. These terms are mainly used to distinguish one element from another element, or one signal from another signal. In addition, the term "or" used herein may include any one or a combination of more of the associated listed items depending on the actual situation.

揭露書公開一種應用於金融系統的身份驗證系統,其中主要技術概念使通過使用者裝置與金融資訊機以及各自的後台伺服器相互傳遞的驗證資訊確認使用者可以執行一特定金融服務,實現身份驗證的目標,提供更為安全的金融環境。The disclosure document discloses an identity verification system applied to the financial system, in which the main technical concept is to confirm that the user can perform a specific financial service through the verification information transmitted between the user device, the financial information machine, and the respective background servers, and realize identity verification The goal is to provide a safer financial environment.

先參考圖1顯示執行所述身份驗證方法的系統的架構實施例圖,圖示之系統架構包括通過網路10相互串接的各端裝置,其中主要裝置包括設於客戶端的金融資訊機101(如:ATM機台,或是金融卡等金融卡片的讀卡機)以及設於金融系統伺服器端的金融資訊機後台103,金融資訊機後台103為以電腦系統與資料庫等軟體元件與硬體架構實現針對設於各處的金融資訊機101的後台管理伺服器,可通過網路10提供金融資訊機101的信息往來的服務;使用者則持有執行對應金融系統的特定應用程式(如行動網銀APP)的使用者裝置105,伺服器端則設有對應的使用者裝置後台107,使用者裝置後台107為以電腦系統與資料庫等軟體元件與硬體架構實現針對使用者裝置105中執行的應用程式的管理伺服器,使用者裝置後台107應用上如行動裝置的後台,提供使用者裝置取得金融服務的驗證服務,連接服務使用者裝置105的對應資料庫109,資料庫109內容主要是記錄註冊驗證服務的使用者資料,包括綁定的使用者裝置105的相關資訊。Referring first to FIG. 1 , it shows a diagram of an embodiment of the system architecture for executing the identity verification method. The system architecture shown in the figure includes various terminal devices connected in series through the network 10, wherein the main device includes a financial information machine 101 ( Such as: ATM machines, or card readers for financial cards such as financial cards) and the background 103 of the financial information machine located on the server side of the financial system. The background 103 of the financial information machine is composed of software components and hardware such as computer systems and databases. The architecture realizes that the background management server of the financial information machine 101 located in various places can provide the information exchange service of the financial information machine 101 through the network 10; the user holds a specific application program (such as mobile Internet Banking APP) user device 105, the server side is equipped with a corresponding user device background 107, the user device background 107 is implemented for the user device 105 with software components and hardware architecture such as computer systems and databases The management server of the application program, the background 107 of the user device, such as the background of the mobile device, provides the verification service for the user device to obtain financial services, and connects to the corresponding database 109 of the service user device 105. The content of the database 109 is mainly Record the user data of the registration verification service, including the related information of the bound user device 105 .

根據身份驗證方法的實施方式,主要可分為產生驗證資訊的流程以及執行特定金融服務的流程,其中使用者裝置105取得驗證資訊的方式包含但不限於二維條碼(如QR Code)、推播信息、近場通訊信息(NFC)與簡訊等,並可以直接呈現文字由使用者輸入至使用者裝置105的方式。以下實施例列舉裝置綁定、非約定轉帳以及手機號碼收款設定等的流程,其中驗證資訊的流程主要是通過金融資訊機101機驗證使用者手持的使用者裝置105與使用者身份,藉此安全驗證確認可執行通過使用者裝置105中執行的應用程式提出的金融服務。According to the implementation of the identity verification method, it can be mainly divided into the process of generating verification information and the process of executing specific financial services. The ways for the user device 105 to obtain verification information include but are not limited to two-dimensional barcodes (such as QR Code), push broadcast Information, Near Field Communication (NFC) and short messages, etc., and can directly present the way in which text is input by the user to the user device 105 . The following embodiments list the processes of device binding, non-agreed transfer, and mobile phone number collection setting, etc., wherein the process of verifying information is mainly to verify the user device 105 and user identity held by the user through the financial information machine 101, thereby The security verification confirms that the financial service proposed by the application program executed in the user device 105 can be performed.

運行於身份驗證系統的方法可參考圖1中描述的流程,一開始金融資訊機101經觸發後啟動一驗證流程,用於驗證是否允許執行金融系統提供的一金融服務(步驟S101),其中觸發啟動驗證流程的方式可以是,由使用者插入一金融卡片啟動,或是以使用者裝置105接近金融服務機101,通過其中交換的無線訊號啟動。The method running on the identity verification system can refer to the process described in FIG. 1. At the beginning, the financial information machine 101 starts a verification process after being triggered to verify whether it is allowed to execute a financial service provided by the financial system (step S101), wherein the trigger The verification procedure can be started by inserting a financial card by the user, or by approaching the financial service machine 101 with the user device 105 to start by exchanging wireless signals therein.

在上述啟動驗證的流程中,金融資訊機101即接收了使用者識別資料,接著金融資訊機101產生一請求驗證服務的信息至金融系統中的金融資訊機後台103,請求驗證服務將包括使用者識別資料(步驟S103)。In the above-mentioned process of starting verification, the financial information machine 101 has received the user identification data, and then the financial information machine 101 generates a message requesting verification service to the financial information machine background 103 in the financial system, and the requesting verification service will include the user Identification data (step S103).

在上述流程中,金融資訊機101可自金融卡片或使用者裝置105的無線訊號接收使用者識別資料(如user ID),使用者識別資料將隨同請求驗證服務的信息傳送至金融資訊機後台103,請求使用者裝置後台107產生一驗證資訊(步驟S105)。當使用者裝置後台107產生驗證資訊,即將驗證資訊回傳至金融資訊機後台103(步驟S107),再轉送至金融資訊機101(步驟S109)。In the above process, the financial information machine 101 can receive user identification data (such as user ID) from the financial card or the wireless signal of the user device 105, and the user identification data will be sent to the financial information machine background 103 along with the information requesting verification service , requesting the user device background 107 to generate a verification information (step S105). When the user device background 107 generates verification information, the verification information is sent back to the financial information machine background 103 (step S107 ), and then forwarded to the financial information machine 101 (step S109 ).

金融資訊機101接收到驗證資訊後,可以驗證圖形或是驗證碼的形式提供給使用者裝置105(步驟S111),經使用者裝置105自金融資訊機101取得驗證資訊,再傳送至使用者裝置後台107,使用者裝置後台107將根據取得的使用者識別資料,比對接收的驗證資訊以及在此驗證流程中根據金融資訊機後台103要求所產生的驗證資訊,產生一驗證結果(步驟S113)。之後將驗證結果傳送至使用者裝置105,當驗證結果為驗證成功,即通知使用者裝置105可以繼續執行金融服務(步驟S115)。After the financial information machine 101 receives the verification information, it can provide it to the user device 105 in the form of a verification pattern or a verification code (step S111), and the user device 105 obtains the verification information from the financial information machine 101, and then sends it to the user device The background 107, the user device background 107 will compare the received verification information with the verification information generated according to the requirements of the financial information machine background 103 according to the obtained user identification data, and generate a verification result (step S113) . Afterwards, the verification result is sent to the user device 105, and when the verification result is successful, the user device 105 is notified that the financial service can be continued (step S115).

根據實施方式,相關細節流程可參考圖2顯示運行於使用者裝置105、金融資訊機101、使用者裝置後台107以及金融資訊機後台103之間的身份驗證方法實施例流程圖,以及參考圖3的流程文字說明。According to the embodiment, the relevant detailed process can refer to FIG. 2, which shows the flow chart of an embodiment of the identity verification method running between the user device 105, the financial information machine 101, the user device background 107, and the financial information machine background 103, and refer to FIG. 3 text description of the process.

一開始,使用者操作金融資訊機101,例如插入金融卡、信用卡等相關可識別身份的金融卡片,即可通過金融資訊機101執行驗證,其中金融資訊機101可通過金融卡片取得的信息包括使用者識別資料(步驟S301)。另有實施例是由使用者裝置105發出無線訊號,如一種射頻識別訊號(RFID),讓金融資訊機101接收到無線訊號後取得其中識別碼。At the beginning, the user operates the financial information machine 101, such as inserting a financial card, a credit card, and other relevant financial cards with identifiable identities, and can perform verification through the financial information machine 101, wherein the information that the financial information machine 101 can obtain through the financial card includes the use of identification data of the user (step S301). In another embodiment, the user device 105 sends out a wireless signal, such as a radio frequency identification signal (RFID), so that the financial information machine 101 can obtain the identification code after receiving the wireless signal.

在此一提的是,驗證流程的主要目的是要驗證使用者操作使用者裝置105所要執行的金融服務,使用者可以通過應用程式選擇要執行的金融服務,特別的是,金融服務可指需要通過特定交易安全設計的身份驗證的服務,如(但不限制)使用者裝置105綁定、轉帳、提款、存款或借貸等,主要是達成客戶可確認各筆交易內容且防止身份確認資料與交易內容被竄改的目標。而此執行金融服務的時機可以在啟動驗證流程之前、之中,或是得到驗證資訊之後。What is mentioned here is that the main purpose of the verification process is to verify the financial service to be executed by the user operating the user device 105. The user can select the financial service to be executed through the application program. In particular, the financial service can refer to the required The service of identity verification through specific transaction security design, such as (but not limited to) user device 105 binding, transfer, withdrawal, deposit or loan, etc., is mainly to enable customers to confirm the content of each transaction and prevent identity confirmation data from being associated with Targets whose transaction contents have been falsified. The timing for executing the financial service can be before, during, or after the verification process is started, or after the verification information is obtained.

接著,金融資訊機101啟動驗證流程,通過網路連線並通知金融資訊機後台103,請求驗證服務(步驟S303),先經金融資訊機後台103回應信息,可以通過金融資訊機101以顯示的信息要求使用者確認開始驗證服務,例如顯示一個開始驗證的按鈕,使用者可以按下確認開始驗證流程(步驟S305)。Then, the financial information machine 101 starts the verification process, connects through the network and notifies the financial information machine background 103, requests verification service (step S303), and first responds to the information through the financial information machine background 103, which can be displayed by the financial information machine 101. The message requires the user to confirm to start the verification service, for example, a button to start the verification is displayed, and the user can press the confirmation button to start the verification process (step S305 ).

經使用者確認開始驗證流程,相關信息傳送到金融資訊機後台103(步驟S307),再由金融資訊機後台103通知使用者裝置後台107,要求產生驗證資訊,使用者裝置後台107可從接收的信息中取得使用者識別資料(如user ID)(步驟S309)。After the user confirms to start the verification process, the relevant information is sent to the financial information machine background 103 (step S307), and then the financial information machine background 103 notifies the user device background 107, requesting to generate verification information, and the user device background 107 can receive it from Obtain user identification information (such as user ID) from the information (step S309).

在產生驗證資訊的實施例中,使用者裝置後台107將先產生驗證用的數值,舉例來說,可通過亂數產生器產生亂數,根據其中之一實施方式,可提出具有時效性的第一亂數(random1)與第二亂數(random2),可由使用者裝置後台設定一有效時間,過了有效時間即失效,驗證也就失敗。使用者裝置後台107通過其中儲存裝置儲存當下取得的使用者識別資料以及第二亂數,作為之後驗證使用者裝置105傳送的驗證資訊之用(步驟S311)。In the embodiment of generating verification information, the user device background 107 will first generate a value for verification. For example, a random number can be generated by a random number generator. According to one of the implementation methods, a time-sensitive first The first random number (random1) and the second random number (random2) can set a valid time in the background of the user's device. After the valid time expires, they will become invalid and the verification will fail. The user device background 107 stores the currently obtained user identification data and the second random number through the storage device therein, for later verification of the verification information sent by the user device 105 (step S311 ).

使用者裝置後台107接著通過一密碼演算法根據取得的資訊(例如使用者識別資料與特定值)演算出一次式密碼(one-time password,OTP),所述特定值可以是通過雜湊演算法(hash algorithm)基於第一亂數與特定數值(如一系統提供的固定字串(fixedstring))演算得出的雜湊值(hash value)(步驟S313)。舉例來說,使用者裝置後台107執行的密碼演算法使用了使用者識別資料(如後台取得的user ID)、基於第一亂數與特定數值演算得出的雜湊值以及第二亂數演算產生提供使用者裝置取得一次式密碼(OTP),並可以是一種基於雜湊信息驗證碼的一次式密碼(HOTP,HMAC-based One-Time Password,HMAC: hashed message authentication code)。The user device background 107 then calculates a one-time password (one-time password, OTP) through a cryptographic algorithm based on the obtained information (such as user identification data and a specific value), and the specific value can be obtained through a hash algorithm ( hash algorithm) based on the first random number and a specific value (such as a fixed string (fixed string) provided by a system) to calculate a hash value (hash value) (step S313 ). For example, the cryptographic algorithm executed by the background 107 of the user device uses user identification information (such as the user ID obtained from the background), a hash value calculated based on the first random number and a specific value, and a hash value generated by the second random number calculation. The user device is provided to obtain a one-time password (OTP), which may be a hashed message authentication code-based one-time password (HOTP, HMAC-based One-Time Password, HMAC: hashed message authentication code).

在此一提的是,上述實施例所描述的亂數與一次式密碼等的描述並非用於限制揭露書提出的身份驗證方法的實施範圍,而是可以應用以密碼學方式傳遞隨機產生的一組隨機值或者是經過演算的任何參數值。What should be mentioned here is that the descriptions of random numbers and one-time passwords described in the above embodiments are not used to limit the scope of implementation of the identity verification method proposed in the disclosure document, but can be used to transfer a randomly generated password in a cryptographic manner. Set random values or any parameter values that have been calculated.

上述一次式密碼與基於本案驗證流程產生的第一亂數將形成驗證資訊,使用者裝置後台107即將此驗證資訊傳送至金融資訊機後台103(步驟S315),再由金融資訊機後台103將驗證資訊轉送至金融資訊機101(步驟S317)。The above-mentioned one-time password and the first random number generated based on the verification process of this case will form verification information, and the user device background 107 will send the verification information to the financial information machine background 103 (step S315), and then the financial information machine background 103 will verify The information is forwarded to the financial information machine 101 (step S317).

在金融資訊機101中,可以通過轉換程式將一次式密碼(或加上第一亂數)轉換為驗證圖形,此例如QR碼(還可為其他形式的驗證資訊),再將QR碼顯示在螢幕上,作為提供使用者的驗證資料(步驟S319)。另有方法可以使用一種無線驗證碼,如以近場通信(NFC)格式編碼的射頻信號傳遞近場通訊信息,可以通過無線通訊方式傳送至使用者裝置105。In the financial information machine 101, the one-time password (or adding the first random number) can be converted into a verification graphic through a conversion program, such as a QR code (also other forms of verification information), and then the QR code is displayed on the On the screen, as the user's verification information (step S319). Another method can use a wireless verification code, such as transmitting NFC information in a near field communication (NFC) format encoded radio frequency signal, which can be transmitted to the user device 105 through wireless communication.

當使用者看到驗證圖形或是特定要求驗證的信息時,使用者可在其使用者裝置105上操作應用程式(如網路銀行應用程式(APP)),選擇要執行的金融服務(步驟S321),例如使用者裝置105綁定、轉帳、提款、存款或借貸等。此步驟可以是在上述流程之前、之中或之後進行,接著使用者操作應用程式讀取金融資訊機101上顯示的驗證資訊,或是以無線方式接收到驗證資訊,也就是得到上述使用者裝置後台107為了本次驗證需求產生的一次式密碼(步驟S323)。When the user sees the verification graphic or the information that specifically requires verification, the user can operate an application program (such as an online banking application program (APP)) on the user device 105 to select the financial service to be executed (step S321 ), such as user device 105 binding, transfer, withdrawal, deposit or loan, etc. This step can be performed before, during or after the above process, and then the user operates the application program to read the verification information displayed on the financial information machine 101, or receives the verification information wirelessly, that is, obtains the above user device The background 107 generates a one-time password for this verification requirement (step S323).

使用者繼續操作應用程式,將得到的驗證資訊傳送至使用者裝置後台107(步驟S325),由使用者裝置後台107中的驗證程式轉碼為密碼字串後,比對在此流程中產生的一次式密碼,進行驗證(步驟S327),經驗證成功後,將同意使用者繼續執行使用者裝置105上所選擇要進行的金融服務。(步驟S329)。The user continues to operate the application program, and sends the obtained verification information to the user device background 107 (step S325). The one-time password is verified (step S327 ). After the verification is successful, the user is allowed to continue executing the financial service selected on the user device 105 . (step S329).

進一步地,上述身份驗證方法流程中,其中 特別的是由使用者裝置後台107產生驗證資訊,其中的方法主要可以軟體方法搭配硬體運算的方式,先以一亂數產生器產生具有時效性的第一亂數(random1)與第二亂數(random2),並以一儲存裝置儲存第二亂數以及自金融資訊機後台取得的使用者識別資料,用於之後驗證使用者裝置回傳的驗證資訊之用。Further, in the process of the above-mentioned identity verification method, especially the verification information is generated by the user device background 107, the method can mainly be a software method combined with a hardware operation method, and first a random number generator is used to generate a time-sensitive The first random number (random1) and the second random number (random2), and use a storage device to store the second random number and the user identification data obtained from the background of the financial information machine, which will be used to verify the verification returned by the user device Informational Purposes.

接著,在使用者裝置後台中,基於第一亂數與一固定字串(fixedstring),以一雜湊演算法演算雜湊值,再基於所述使用者識別資料、雜湊值以及第二亂數,以一密碼演算法演算一次式密碼,此一次式密碼與第一亂數可形成傳送至使用者裝置的驗證資訊。Then, in the background of the user device, based on the first random number and a fixed string (fixed string), a hash value is calculated by a hash algorithm, and then based on the user identification data, the hash value and the second random number, to A cryptographic algorithm calculates a one-time password, and the one-time password and the first random number can form verification information sent to the user device.

在驗證程序中,當使用者裝置從金融資訊機讀取到驗證資訊後,傳送至使用者裝置後台,使用者裝置後台中的軟體程序可以從驗證資訊取得其中的一次式密碼與第一亂數,這時,再從儲存裝置中取得之前儲存的第二亂數與使用者識別資料,再次以相同演算法演算用於驗證的第二雜湊值,並再次基於使用者識別資料、第二雜湊值與第二亂數,以密碼演算法(如方程式一)再次演算出第二一次式密碼,用於比對之前為了本次驗證流程產生的一次式密碼,即驗證自使用者裝置接收的一次式密碼,產生驗證結果。In the verification procedure, after the user device reads the verification information from the financial information machine, it is sent to the background of the user device, and the software program in the background of the user device can obtain the one-time password and the first random number from the verification information , at this time, obtain the previously stored second random number and user identification data from the storage device, calculate the second hash value used for verification with the same algorithm again, and again based on the user identification data, the second hash value and The second random number is to calculate the second one-time password again with a cryptographic algorithm (such as Equation 1), which is used to compare the one-time password generated for this verification process before, that is, to verify the one-time password received from the user device password to generate the verification result.

在此一提的是,身份驗證方法所運用的一次式密碼可以具備時效性,並且其中時間會以使用者裝置後台進行控管;另一實施方式是可採用基於時間的一次性密碼演算法(TOTP algorithm)產生具有時效性的一次式密碼。What is mentioned here is that the one-time password used in the identity verification method can be time-sensitive, and the time will be controlled by the background of the user device; another implementation method can use a time-based one-time password algorithm ( TOTP algorithm) to generate time-sensitive one-time passwords.

在一實施例中,使用者裝置105執行相關金融服務的應用程式,於應用程式執行某特定金融服務時,將等待通過金融資訊機101執行身份驗證的驗證結果,最後,當自使用者裝置105後台取得驗證成功的信息,即繼續執行最初所要進行的金融服務,例如以下實施例所描述的裝置綁定、非約定轉帳與手機號碼收款等服務。In one embodiment, the user device 105 executes an application program related to financial services. When the application program executes a specific financial service, it will wait for the verification result of the identity verification performed by the financial information machine 101. Finally, when the user device 105 The background obtains the information of successful verification, that is, continues to execute the financial services to be performed initially, such as device binding, non-agreed transfer and mobile phone number collection services described in the following embodiments.

身份驗證方法應用於特定交易程序驗證的流程之一可參考圖4所示執行使用者裝置綁定的實施範例流程圖,其中流程可配合圖5A至圖5E。One of the processes of applying the identity verification method to the verification of a specific transaction program can refer to the flow chart of an implementation example of performing user device binding shown in FIG. 4 , wherein the process can cooperate with FIGS. 5A to 5E .

使用者操作一使用者裝置進入一綁定流程(步驟S401),可以運用使用者裝置安裝的一應用程式,如圖5A所示應用程式啟始的一裝置綁定頁面501的實施例示意圖,使用者可以點擊其中按鈕開始綁定流程。The user operates a user device to enter a binding process (step S401), and can use an application program installed on the user device, as shown in Figure 5A, a schematic diagram of an embodiment of a device binding page 501 initiated by the application program, using Users can click the button to start the binding process.

接著應用程式引導使用者進入如圖5B示意顯示的驗證方法選擇頁面50,所示範例包括有語音OTP503、SIM卡認證504與ATM驗證505等選項,在所述身份驗證方法中主要是通過金融資訊機進行驗證(選項505)(步驟S403)。Then the application program guides the user to enter the authentication method selection page 50 shown schematically in Figure 5B. The example shown includes options such as voice OTP 503, SIM card authentication 504, and ATM authentication 505. Among the identity authentication methods, financial information is mainly used. machine for authentication (option 505) (step S403).

根據上述身份驗證方法流程實施例中,通過金融資訊機啟動驗證流程,由金融資訊機向其後台請求驗證服務,再由金融資訊機後台向使用者裝置後台要求產生驗證資訊,經使用者裝置後台產生本次驗證流程中的驗證資訊後,將通過金融資訊機後台轉送至使用者面前的金融資訊機。According to the embodiment of the above-mentioned identity verification method flow, the verification process is started by the financial information machine, the financial information machine requests verification services from its background, and then the financial information machine background requests the user device background to generate verification information, and the user device background After the verification information in this verification process is generated, it will be transferred to the financial information machine in front of the user through the background of the financial information machine.

當金融資訊機自金融資訊機後台接收驗證資訊時,通過一轉換程式轉換驗證資訊為驗證圖形(如QR碼)、驗證碼字串或一無線驗證碼,使得使用者裝置可以讀取驗證資訊(步驟S405)。實施例之一可參考圖5C所示的ATM驗證掃描頁面506,應用程式啟始一掃描視窗507,用於掃描顯示在金融資訊機上的驗證圖形,實施範例可參考圖5D顯示以使用者裝置50,利用其中應用程式掃描顯示在金融資訊機500上的驗證圖形510,能讀取其中驗證資訊,之後再傳送驗證資訊至使用者裝置後台(步驟S407)。When the financial information machine receives verification information from the background of the financial information machine, a conversion program converts the verification information into a verification pattern (such as a QR code), a verification code string or a wireless verification code, so that the user device can read the verification information ( Step S405). One of the embodiments can refer to the ATM verification scanning page 506 shown in FIG. 5C. The application program starts a scanning window 507 for scanning the verification graphics displayed on the financial information machine. The implementation example can refer to FIG. 5D shown in the user device 50, using the application to scan the verification graphic 510 displayed on the financial information machine 500 to read the verification information, and then send the verification information to the background of the user device (step S407).

接著在伺服器端,由使用者裝置後台驗證自使用者裝置傳送的驗證資訊,產生驗證結果,再由使用者裝置接收驗證結果(步驟S409),判斷是否驗證成功(步驟S411)。如果驗證不成功,將終止此裝置綁定流程,顯示驗證錯誤信息(步驟S413);若驗證成功,使用者裝置可接收到相關信息後,如圖5E所示之綁定成功頁面508,讓使用者確認後可點擊其中按鈕後繼續綁定流程(步驟S415)。Next, on the server side, the user device background verifies the verification information sent from the user device to generate a verification result, and then the user device receives the verification result (step S409 ), and determines whether the verification is successful (step S411 ). If the verification is unsuccessful, the device binding process will be terminated, and a verification error message will be displayed (step S413); if the verification is successful, the user device will display the binding success page 508 shown in Figure 5E after receiving the relevant information, allowing the user to use After confirmation, the user can click one of the buttons to continue the binding process (step S415).

綜上所述,根據上述實施例所描述應用於金融系統的身份驗證系統,因應金融服務愈來愈重視的資安需求,身份驗證的技術概念即以設於各處的金融資訊機(如金融櫃員機ATM或是讀卡機)驗證使用者操作使用者裝置(如手機等行動裝置)所要進行的金融服務,實作即採用兩階段驗證,第一階段驗證即為使用者登入金融機構提供的應用程式,第二階段即通過金融資訊機取得驗證資訊,再由使用者裝置後台進行驗證,如此可有效提升使用者交易安全。To sum up, according to the identity verification system applied to the financial system described in the above-mentioned embodiments, in response to the information security requirements that financial services pay more and more attention to, the technical concept of identity verification is based on the financial information machines (such as financial Teller machine (ATM or card reader) to verify the financial services that users want to perform when operating user devices (such as mobile phones and other mobile devices). The implementation adopts two-stage verification. The first-stage verification is for the user to log in to the application provided by the financial institution In the second stage, the verification information is obtained through the financial information machine, and then verified by the background of the user's device, which can effectively improve the user's transaction security.

以上所公開的內容僅為本新型的優選可行實施例,並非因此侷限本新型的申請專利範圍,所以凡是運用本新型說明書及圖式內容所做的等效技術變化,均包含於本新型的申請專利範圍內。The content disclosed above is only the preferred feasible embodiment of the new model, and does not limit the scope of the patent application of the new model, so all equivalent technical changes made by using the description and drawings of the new model are included in the application of the new model within the scope of the patent.

10:網路 101:金融資訊機 103:金融資訊機後台 105:使用者裝置 107:使用者裝置後台 109:資料庫 50:使用者裝置 500:金融資訊機 510:驗證圖形 501:裝置綁定頁面 502:驗證方法選擇頁面 503:語音OTP 504:SIM卡認證 505:ATM驗證 506:ATM驗證掃描頁面 507:掃描視窗 508:綁定成功頁面 步驟S101~S115身份驗證流程 步驟S301~S329身份驗證流程 步驟S401~S415使用者裝置綁定流程10: Internet 101: Financial information machine 103: Financial information machine background 105: User device 107: User device background 109: Database 50: User device 500: Financial information machine 510: verify graphics 501: Device binding page 502: Verification method selection page 503: Voice OTP 504: SIM card authentication 505: ATM verification 506: ATM verification scan page 507: Scan window 508: binding success page Steps S101-S115 identity verification process Steps S301-S329 identity verification process Steps S401-S415 User Device Binding Process

圖1顯示執行身份驗證方法的系統架構實施例示意圖;Fig. 1 shows the schematic diagram of the embodiment of the system framework of carrying out identity verification method;

圖2顯示運行於使用者裝置、金融資訊機、使用者裝置後台以及金融資訊機後台之間的身份驗證方法實施例流程圖;Figure 2 shows a flow chart of an embodiment of an identity verification method running between the user device, the financial information machine, the background of the user device, and the background of the financial information machine;

圖3顯示為身份驗證方法實施例流程圖;Fig. 3 is shown as the flowchart of identity verification method embodiment;

圖4顯示利用身份驗證方法執行使用者裝置綁定的實施範例流程圖;以及FIG. 4 shows a flow chart of an implementation example of binding a user device using an identity verification method; and

圖5A至圖5E顯示使用者裝置執行裝置綁定的實施例圖。FIG. 5A to FIG. 5E are diagrams showing embodiments of device binding performed by a user device.

101:金融資訊機 101: Financial information machine

103:金融資訊機後台 103: Financial information machine background

105:使用者裝置 105: User device

107:使用者裝置後台 107: User device background

步驟S301~S329:身份驗證流程 Steps S301~S329: identity verification process

Claims (10)

一種身份驗證系統,包括: 一金融資訊機後台,為以一電腦系統實現針對設於各處的一金融資訊機的一後台管理伺服器,設於一金融系統中,連線該金融資訊機,提供該金融資訊機的信息往來的服務;以及 一使用者裝置後台,為一使用者裝置的後台,連接服務該使用者裝置的一資料庫,該使用者裝置後台提供該使用者裝置取得一金融服務的驗證服務,以及該使用者裝置執行對應該金融系統的一應用程式; 其中,於該身份驗證系統中,藉由一使用者的操作,該金融資訊機啟動一驗證流程,用於驗證是否允許該使用者裝置執行該金融服務,於該驗證流程中,該金融資訊機產生一請求驗證服務的信息至該金融資訊機後台,該請求驗證服務包括一使用者識別資料; 該金融資訊機後台向該使用者裝置後台要求產生一驗證資訊,由該使用者裝置後台產生該驗證資訊,並將該驗證資訊經該金融資訊機後台轉送至該金融資訊機,以使該使用者裝置自該金融資訊機取得該驗證資訊,再傳送至該使用者裝置後台,由該使用者裝置後台根據該驗證資訊產生一驗證結果;其中,當該驗證結果為驗證成功,通知該使用者裝置執行該金融服務。 An identity verification system comprising: A financial information machine backend is a background management server for a financial information machine installed in various places by means of a computer system, which is installed in a financial system, connected to the financial information machine, and provides information on the financial information machine services to and from; and A background of a user device is a background of a user device connected to a database serving the user device, the background of the user device provides a verification service for the user device to obtain a financial service, and the user device executes the verification service An application for the financial system; Wherein, in the identity verification system, through a user's operation, the financial information machine starts a verification process for verifying whether the user's device is allowed to execute the financial service, and in the verification process, the financial information machine generating a message requesting a verification service to the background of the financial information machine, the requesting verification service including a user identification data; The background of the financial information machine requests the background of the user device to generate verification information, and the background of the user device generates the verification information, and transmits the verification information to the financial information machine through the background of the financial information machine, so that the user The or device obtains the verification information from the financial information machine, and then sends it to the background of the user device, and the background of the user device generates a verification result based on the verification information; wherein, when the verification result is a successful verification, the user is notified The device performs the financial service. 如請求項1所述的身份驗證系統,其中該使用者使用一可識別身份的一金融卡片插入至該金融資訊機,以啟動該驗證流程。The identity verification system as claimed in claim 1, wherein the user inserts an identifiable financial card into the financial information machine to start the verification process. 如請求項2所述的身份驗證系統,其中該金融資訊機通過該金融卡片取得該使用者識別資料,該使用者識別資料隨同該請求驗證服務的信息傳送至該金融資訊機後台,並傳遞至該使用者裝置後台,使得該使用者裝置後台能根據該使用者識別資料驗證所接收的該驗證資訊。The identity verification system as described in claim 2, wherein the financial information machine obtains the user identification data through the financial card, and the user identification data is sent to the background of the financial information machine along with the information requesting the verification service, and then transmitted to The user device background enables the user device background to verify the received verification information according to the user identification data. 如請求項1所述的身份驗證系統,其中該金融資訊機自該使用者裝置的無線訊號接收該使用者識別資料,該使用者識別資料隨同該請求驗證服務的信息傳送至該金融資訊機後台,並傳遞至該使用者裝置後台,使得該使用者裝置後台能根據該使用者識別資料驗證所接收的該驗證資訊。The identity verification system as described in Claim 1, wherein the financial information machine receives the user identification data from the wireless signal of the user device, and the user identification data is sent to the background of the financial information machine along with the information requesting the verification service , and transmitted to the user device background, so that the user device background can verify the received verification information according to the user identification data. 如請求項4所述的身份驗證系統,其中該使用者裝置通過一二維條碼、一推播信息、一近場通訊信息或一簡訊取得該驗證資訊。The identity verification system as described in claim 4, wherein the user device obtains the verification information through a two-dimensional barcode, a push message, a near field communication message or a short message. 如請求項5所述的身份驗證系統,其中,於該金融資訊機的一螢幕上顯示該二維條碼,或以一射頻信號傳遞該近場通訊信息,使執行於該使用者裝置中的該應用程式接收該驗證資訊。The identity verification system as described in claim 5, wherein the two-dimensional barcode is displayed on a screen of the financial information machine, or the near field communication information is transmitted by a radio frequency signal, so that the The application receives the authentication information. 如請求項6所述的身份驗證系統,其中,於該金融資訊機自該金融資訊機後台接收該驗證資訊時,在該金融資訊機中,通過一轉換程式轉換該驗證資訊為該二維條碼或該射頻信號,再由該使用者裝置讀取後取得該驗證資訊。The identity verification system as described in Claim 6, wherein, when the financial information machine receives the verification information from the background of the financial information machine, in the financial information machine, the verification information is converted into the two-dimensional barcode by a conversion program Or the radio frequency signal is read by the user device to obtain the verification information. 如請求項1所述的身份驗證系統,其中該應用程式為安裝於該使用者裝置中的一網路銀行應用程式,提供選擇要執行的該金融服務,該金融服務包括需要通過特定交易安全設計的身份驗證的服務。The identity verification system as described in Claim 1, wherein the application program is an online banking application program installed in the user device, providing the financial service to be selected for execution, and the financial service includes the need to pass a specific transaction security design authentication service. 如請求項1至8中任一項所述的身份驗證系統,其中該使用者裝置後台產生該驗證資訊的方法包括: 以一亂數產生器產生具有時效性的一第一亂數與一第二亂數,其中以一儲存裝置儲存該第二亂數以及自該金融資訊機後台取得的該使用者識別資料; 基於該第一亂數與一固定字串,以一雜湊演算法演算一雜湊值;以及 基於該使用者識別資料、該雜湊值以及該第二亂數,以一密碼演算法演算一一次式密碼,該一次式密碼與該第一亂數形成該驗證資訊。 The identity verification system as described in any one of claims 1 to 8, wherein the method for generating the verification information in the background of the user device includes: A random number generator is used to generate a time-sensitive first random number and a second random number, wherein a storage device is used to store the second random number and the user identification data obtained from the backend of the financial information machine; calculating a hash value with a hash algorithm based on the first random number and a fixed string; and Based on the user identification data, the hash value and the second random number, a cryptographic algorithm is used to calculate a one-time password, and the one-time password and the first random number form the verification information. 如請求項9所述的身份驗證系統,其中,於該使用者裝置後台自該使用者裝置接收該驗證資訊時,從該驗證資訊取得該一次式密碼與該第一亂數,再從該儲存裝置中取得該第二亂數與該使用者識別資料,再次演算用於驗證的一第二雜湊值,並再次基於該使用者識別資料、該第二雜湊值與該第二亂數,以該密碼演算法再次演算一第二一次式密碼,用於驗證自該使用者裝置接收的該一次式密碼。The identity verification system as described in Claim 9, wherein, when receiving the verification information from the user device in the background of the user device, the one-time password and the first random number are obtained from the verification information, and then stored Obtaining the second random number and the user identification data in the device, recalculating a second hash value for verification, and again based on the user identification data, the second hash value and the second random number, the The cryptographic algorithm recalculates a second one-time password for verifying the one-time password received from the user device.
TW112200425U 2023-01-13 2023-01-13 System for identity verification applied to financial system TWM642404U (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
TW112200425U TWM642404U (en) 2023-01-13 2023-01-13 System for identity verification applied to financial system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
TW112200425U TWM642404U (en) 2023-01-13 2023-01-13 System for identity verification applied to financial system

Publications (1)

Publication Number Publication Date
TWM642404U true TWM642404U (en) 2023-06-11

Family

ID=87804590

Family Applications (1)

Application Number Title Priority Date Filing Date
TW112200425U TWM642404U (en) 2023-01-13 2023-01-13 System for identity verification applied to financial system

Country Status (1)

Country Link
TW (1) TWM642404U (en)

Similar Documents

Publication Publication Date Title
US11405380B2 (en) Systems and methods for using imaging to authenticate online users
US10475015B2 (en) Token-based security processing
EP2693687B1 (en) Method for generating a code, authorization method and authorization system for authorizing an operation
US8555355B2 (en) Mobile pin pad
RU2698767C2 (en) Remote variable authentication processing
US8869255B2 (en) Method and system for abstracted and randomized one-time use passwords for transactional authentication
US10439813B2 (en) Authentication and fraud prevention architecture
US20120054046A1 (en) Mobile Payment Using Picture Messaging
US20090172402A1 (en) Multi-factor authentication and certification system for electronic transactions
US20150046330A1 (en) Transaction processing system and method
CA3142324A1 (en) Method, device and system for transferring data
EP1807966A1 (en) Authentication method
WO2016022058A1 (en) Method and system for authenticating a user
US20120303527A1 (en) Process and host and computer system for card-free authentication
WO2016022057A1 (en) Method and system for authenticating a user
CN112889046A (en) System and method for password authentication of contactless cards
CN101699892A (en) Method and device for generating dynamic passwords and network system
US20130046689A1 (en) System and Method for Facilitating Transactions
CN103942897A (en) Method for money withdrawing without card on ATM
KR20210039920A (en) Mobile communication terminal for personal authentification, personal authentification system and personal authentification method using the mobile communication terminal
KR20070084801A (en) Creating and authenticating one time password using smartcard and the smartcard therefor
CN101958024B (en) Financial transaction system, automated teller machine and method for operating automated teller machine
CN113169873A (en) System and method for password authentication of contactless cards
TWM642404U (en) System for identity verification applied to financial system
KR20120007434A (en) Settlement process sever and the driving method