WO2010050192A1 - Procédé de réémission de mot de passe - Google Patents

Procédé de réémission de mot de passe Download PDF

Info

Publication number
WO2010050192A1
WO2010050192A1 PCT/JP2009/005683 JP2009005683W WO2010050192A1 WO 2010050192 A1 WO2010050192 A1 WO 2010050192A1 JP 2009005683 W JP2009005683 W JP 2009005683W WO 2010050192 A1 WO2010050192 A1 WO 2010050192A1
Authority
WO
WIPO (PCT)
Prior art keywords
password
user
authentication server
temporary
reissue
Prior art date
Application number
PCT/JP2009/005683
Other languages
English (en)
Japanese (ja)
Inventor
木戸啓介
Original Assignee
Gmoグローバルサイン株式会社
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Gmoグローバルサイン株式会社 filed Critical Gmoグローバルサイン株式会社
Priority to JP2010535666A priority Critical patent/JPWO2010050192A1/ja
Publication of WO2010050192A1 publication Critical patent/WO2010050192A1/fr

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/083Network architectures or network communication protocols for network security for authentication of entities using passwords
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31User authentication
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2131Lost password, e.g. recovery of lost or forgotten passwords

Definitions

  • the present invention relates to a password reissue method in an online service system.
  • electronic mail is a convenient communication means, and is extremely suitable for transmitting various information and data.
  • information is transmitted / received via the Internet
  • eavesdropping on the network.
  • information leakage on the mail server that relays e-mail.
  • It is extremely dangerous for security to send confidential information such as passwords by e-mail. is there.
  • a malicious third party impersonates a legitimate member and makes a password reissue request, there is a risk of serious damage.
  • An object of the present invention is to realize a password reissue method for reissuing a password in an online procedure and in a high security environment for a user who has forgotten the password.
  • the password reissue method is a password reissue method implemented in an online service system in which identity authentication is performed based on a user ID and password
  • the online service system includes an authentication server that performs personal authentication, one or more message transmission units that transmit a message to a user via the Internet, at least a user ID, a password, and a user of the message transmission unit A user information database storing addresses as a pair; A process of requesting reissue of the password by presenting the user ID to the authentication server from the user terminal; A temporary password generated by the user is transmitted from the user terminal to the authentication server, or a temporary password generated by the authentication server is transmitted from the authentication server to the user terminal; and The authentication server receives the temporary password from the user terminal or transmits the temporary password to the user terminal, and then executes the following processes (a) to (d): (A) generating an initialization password, which is data used for authentication processing, storing the generated initialization password and user ID in a temporary storage means; (B) encrypting the initialization
  • Another password reissue method is a password reissue method implemented in an online service system in which personal authentication is performed based on a user ID and password
  • the online service system includes an authentication server that performs personal authentication, one or more message transmission units that transmit a message to a user via the Internet, at least a user ID, a password, and a user of the message transmission unit
  • a user information database storing addresses as a pair
  • a temporary password generated by the user is transmitted from the user terminal to the authentication server, or a temporary password generated by the authentication server is transmitted from the authentication server to the user terminal; and
  • the authentication server receives the temporary password from the user terminal or transmits the temporary password to the user terminal, and then executes the following processes (a) to (d): (A) storing the temporary password received from the user terminal or the temporary password transmitted to the user terminal and the user ID in the temporary storage means; (B) generating a message including
  • a secret password is stored in a user information database at the time of user registration, and when a user issues a password issuance request, the secret password is input to the user. The identity between the entered password and the password stored in the database is verified. However, since the password is reissued after a considerable period of time has elapsed since the user registration, the user information stored in the user information database is likely to be forgotten in the same manner as the password.
  • the date of birth or company name that is easy for the user to remember can be used as a keyword for personal authentication. However, since the date of birth and company name are easily known to a third party, there is a problem that the level of security is lowered.
  • the user information database As authentication information for confirming the relationship between the reissue applicant and the user information stored in the user information database.
  • the user address of the message sending means for example, an e-mail address is used.
  • the user who has applied for the e-mail is asked to input the e-mail address, and the entered e-mail address and the database are registered.
  • a malicious third party may know the e-mail address along with the user ID. Therefore, there is a security problem in the method of verifying the identity by directly inputting the e-mail address to the user.
  • an e-mail or instant messenger as a message transmitting means is used as a tool for authenticating the person.
  • the temporary password generated by the user or the authentication server at the time of reissuance application or the information related to the temporary password (the initialization password in the first embodiment) is used.
  • the authentication server sends an e-mail to a user who has issued a reissue request via e-mail, and is generated by a temporary password created by the user or an authentication server and sent from the authentication server to the user terminal.
  • the user is requested to perform a predetermined process using the temporary password, and the personal authentication is performed based on whether or not an appropriate response is made to the request from the authentication server.
  • the temporary password is information that is created by the user who applied for reissue or the authentication server and is known only to the user
  • the person who can respond to the processing request from the authentication server is the person who received the e-mail.
  • the person who knows the temporary password cannot respond to the eavesdropper. Therefore, it can be determined that the response to the request from the authentication server is an applicant having an e-mail address stored in the user information database, that is, an authorized user.
  • the personal authentication method using message transmission by e-mail is a simple authentication method, there is a risk that the e-mail may be easily eavesdropped, and protection measures against impersonation due to eavesdropping are necessary.
  • the content of the e-mail transmitted from the authentication server is to execute processing using a temporary password that is known only to the user who made the reissue request. Therefore, even if an e-mail transmitted from the authentication server to the user terminal is intercepted by a malicious person, the malicious person cannot know the temporary password, and thus cannot respond to the request from the authentication server.
  • the reissue request is processed as an error. Therefore, a high security effect and effective protective measures against eavesdropping by a malicious third party are exhibited.
  • protection measures against eavesdropping of electronic mail are taken, and a password can be reissued in a high security environment. *
  • Message sending means used as a tool for personal authentication can use not only e-mail but also instant messenger and short message service that send and receive messages in real time, or both e-mail and instant messenger It is also possible to use.
  • instant messengers include Windowos Live Messenger, AOL Instant Messenger, Yahoo Messenger, Google Talk, and Internet Phone Skype. These message transmission systems are open to general users, and the user can freely use the user ID by acquiring the user ID from the service provider of the instant messenger. The acquired user ID is used as address information. Used. Accordingly, the instant messenger user address (user ID) can be registered together with the electronic mail address at the time of user registration.
  • the authentication server can send a message via an instant messenger server connected to the Internet and request a predetermined process from the user.
  • the password reissue method according to the present invention can appropriately cope with not only forgetting a password but also forgetting both a password and a user ID.
  • the user authentication is performed using the address information of the message transmission means instead of the user ID. That is, an e-mail address is used for e-mail, an instant messenger user ID is used for instant messenger, and a telephone number is used for short message service.
  • This password reissue method is a password reissue method implemented in an online service system in which personal authentication is performed based on a user ID and password
  • the online service system includes an authentication server that performs personal authentication, one or more message transmission units that transmit a message to a user via the Internet, at least a user ID, a password, and a user of the message transmission unit
  • a user information database storing addresses as a pair; Presenting the user address of the message transmission means from the user terminal to the authentication server and requesting reissue of the password;
  • the authentication server accesses a user information database, verifies whether or not the user address presented by the user is registered in the user information database, and if not registered, processes as an error;
  • a temporary password generated by the user is transmitted from the user terminal to the authentication server, or a temporary password generated by the authentication server is transmitted from the authentication server to the user terminal; and
  • the authentication server receives the temporary password from the user terminal or transmits the temporary password to the user terminal, and then executes the following processes (a)
  • the password reissue method according to the present invention is a password reissue method implemented in an online service system in which personal authentication is performed based on a user ID and a password
  • the online service system includes an authentication server that performs personal authentication, one or more message transmission units that transmit a message to a user via the Internet, at least a user ID, a password, and a user of the message transmission unit
  • a user information database storing addresses as a pair; Presenting the user address of the message transmission means from the user terminal to the authentication server and requesting reissue of the password;
  • the authentication server accesses the user information database, verifies whether or not the user address presented by the user is registered in the user information database, and if not registered, processes as an error;
  • a temporary password generated by the user is transmitted from the user terminal to the authentication server, or a temporary password generated by the authentication server is transmitted from the authentication server to the user terminal; and
  • the authentication server receives the temporary password from the user terminal or transmits the temporary password to the user terminal, and then executes
  • the user address such as an e-mail address is input when confirming the identity, and whether the input user address is registered in the user information database. Verify that.
  • the password reissue request is regarded as a request from an authorized member, and the password reissue process is performed. As a result, even for a user who forgets both the password and the user ID, the password can be reissued in a high security environment.
  • identification information unique to the user terminal is stored together with a user ID in the user information database, and the authentication server stores the unique identification information stored in the user terminal.
  • Cookie information or a communication MAC address can be used as identification information unique to the user terminal.
  • a message is transmitted to a user who has issued a reissue request via a message transmission means such as an e-mail or an instant messenger, and the user is temporarily created by the user or an authentication server and only known by the user himself / herself.
  • the user is requested to perform a predetermined process using a password, and personal authentication is performed based on whether or not an appropriate response has been made by the user. Therefore, it is strongly protected from eavesdropping, and the password is reissued in a high security environment.
  • 1 is a diagram showing an overall configuration of an online service system in which a password reissue method according to the present invention is implemented. It is a diagram which shows the structure of an example of the authentication server by this invention. It is a diagram which shows an example of an authentication screen. It is a diagram which shows a temporary password input screen and a password change screen. It is a flowchart which shows a series of operation
  • FIG. 1 is a diagram showing an overall configuration of an online service system in which a password reissue method according to the present invention is implemented.
  • electronic mail is used as means for transmitting a message from the authentication server of the online service system to the user terminal.
  • the network (Internet) 1 Connected to the network (Internet) 1 is an online service system 2 that provides online services related to various operations such as online securities services, online shopping, and online banking, and a plurality of user terminals 3a to 3n. Yes.
  • the online service system 2 performs a communication session protected with SSL encryption with a user terminal via the network 1.
  • the online service system 2 includes an authentication server 4 that performs personal authentication using a user ID and a password, a business application server 5 that provides an online service related to a predetermined business, and a user information database 6 that stores information about users.
  • the user information database 6 stores various information such as a user ID, password, e-mail address, name, telephone number, address, organization information, authority information, and electronic certificate when performing user registration.
  • the user information database can store cookie information and communication MAC address, which are identification information unique to the user terminal used by each member, together with the user ID.
  • the online service system 2 is connected to an e-mail server 7 for sending various information to the user terminal, and various messages are transmitted using an e-mail address registered in advance when the account is issued.
  • the authentication server 4 and the business application server 5 can be configured as individual Web servers.
  • FIG. 2 is a diagram showing an example of the authentication server according to the present invention
  • FIGS. 3 and 4 show screen information displayed on the monitor of the user terminal when the password reissue process is performed.
  • the authentication server includes a communication unit 10 and a session management unit 11, and performs a communication session protected with SSL encryption with the user terminals 3a to 3n.
  • the authentication screen transmission unit 12 is activated and transmits an authentication screen to the user terminal.
  • An example of the authentication screen is shown in FIG. 3A.
  • the authentication screen displays an input field 12a for inputting a user ID, an input field 12b for inputting a password, and a click button 12c for making a password reissue request. Therefore, a user who has forgotten the password can perform the password reissue request procedure simply by looking at the authentication screen and pressing the password reissue click button 12c.
  • the authentication unit 13 is activated to perform personal authentication.
  • the personal authentication first, it is examined whether or not the input user ID is a user ID of an official member of the online service system. When it is confirmed that the user ID is an official member ID, the user information database 6 is checked using the input user ID as a key, and it is determined whether or not the user ID and password match, and the password matches. If it is, the person is determined to be the person.
  • the authentication unit 13 terminates the personal authentication, establishes login, and shifts to the initial screen of the business application 5.
  • the authentication server accesses the user information database and examines whether or not the input user ID is an official user ID. If it is determined that the user ID is an official member ID, it is determined that a password reissue request procedure from the official member has been performed, and the process proceeds to password reissue processing.
  • the authentication server requests the reissue requester to input information pre-registered in the user information database.
  • the name and e-mail address that cannot be forgotten by the person are essential items.
  • the authentication server searches the user information database 6 using the input e-mail address as a key, and checks whether the same e-mail address as the input e-mail address exists in the user information database. When the same e-mail address as the input e-mail address is searched, the process proceeds to the password reissue process.
  • the temporary password input screen transmission means 14 When the password reissue request button 12c is clicked by the user, the temporary password input screen transmission means 14 is activated, transmits the temporary password input screen information shown in FIG. 4A to the user terminal, and requests the input of the temporary password.
  • the user views the temporary password input screen displayed on the monitor and inputs an arbitrary temporary password.
  • the temporary password is a password that is temporarily used for an encryption process to be described later and is known only to a person who has made a reissue request. For example, a 4-digit or 8-digit sequence can be used as the temporary password.
  • the authentication server When the authentication server confirms that the temporary password has been input from the user, the authentication server operates the initialization password generation means 15 to generate an initialization password with a random number.
  • This initialization password is a password used to log in temporarily.
  • the generated initialization password and user ID are stored in the update temporary database 16 together with the reissue request date / time information.
  • the authentication server activates the encryption means 17 and encrypts the generated initialization password with the temporary password input by the user.
  • the user information database 6 is accessed using the user ID, and an e-mail address corresponding to the user ID is acquired. Then, the encrypted file is transmitted to the user terminal of the mail address via the e-mail server 7, and it is requested to decrypt the encrypted file using the temporary password.
  • a zip format file or a Lha format file in which compression and encryption are integrated can be used.
  • the decryption program is generally installed in the user terminal, and can be downloaded from an appropriate site if it is not installed.
  • the specified URL is written as text and the encrypted initialization password is sent as an attached file. Therefore, the user decrypts the encrypted initialization password with the temporary password set by the user according to the guide described in the text, logs in from the specified URL, and inputs the decrypted initialization password.
  • the verification unit 18 verifies whether the initialization password input by the user matches the initialization password stored in the temporary update database. Depending on whether or not this encrypted initialization password can be decrypted, identity verification between the user ID and identity verification between the person who performed the reissue procedure and the person who issued the password reissue request Verification operations are performed simultaneously.
  • the person who presented the user ID and made the password reissue request is a legitimate owner of the user ID is confirmed depending on whether or not the electronic mail transmitted from the authentication server can be received. Furthermore, the identity between the person who performed the reissue procedure and the person who made the password reissue request is confirmed. That is, the initialization password set by the user and encrypted with the temporary password known only to the user himself / herself is transmitted to an e-mail address having a pair relationship with the user ID. Therefore, only the official owner of the user ID can receive the e-mail, and only the person who knows the temporary password can decrypt it. Therefore, by confirming that the initialization password sent from the user terminal matches the initialization password stored in the temporary update database, the person and password who performed the reissue procedure together with the identity verification for the user ID The identity is confirmed with the person who has issued the reissue request.
  • the authentication server has time confirmation means 19 for confirming whether or not the initialization password has been input within a predetermined time period after sending the e-mail to the user terminal, and the e-mail is sent from the authentication server to the user terminal. If a temporary password is not input from the user terminal within a predetermined time period after being transmitted, the password reissue request is rejected. In other words, since the email sent from the authentication server to the user terminal is sent to the official email address of the user ID registered in the user information data, the email is sent within a predetermined time period. If there is no response from the user terminal, it is recognized that the person who made the reissue request does not have the proper authority to reissue the password, and rejects the reissue request. This prevents impersonation.
  • the password change screen transmission means 20 is operated to transmit the password change screen information to the user terminal.
  • the user inputs the initialization password decrypted with the temporary password in the input field of the initialization password shown in FIG. 4B and logs in, and inputs the changed new password in the input field. Enter the change password.
  • the input changed password is supplied to the password update means 21, the password of the user in the user information database is updated to a new password, and the password reissue process is completed. It is also possible to use a temporary password transmitted from the user terminal to the authentication server as a new password. In this case, the temporary password input screen shown in FIG. 4A displays that the temporary password is used as a new changed password. Alternatively, a temporary password may be input as a change password together with the initialization password on the password change screen shown in FIG.
  • FIG. 5 is a flowchart showing a series of operations of password reissue processing executed in the online service system according to the present invention.
  • authentication screen information is transmitted to the user terminal (step 1).
  • the user information database is checked and the user ID and password are verified.
  • the screen shifts to the initial screen of the business application server.
  • the password reissue request button is clicked, the password is reissued, and the process proceeds to a reissue process (step 2).
  • Authentication server sends temporary password input screen information to user terminal.
  • the user arbitrarily generates a temporary password and inputs the created temporary password in the input field (step 3).
  • the authentication server When a temporary password is input from the user terminal, the authentication server generates an initialization password using a random number (step 4).
  • the generated initialization password is stored in the temporary storage database together with the user ID (step 5).
  • Authentication server creates an encrypted file by encrypting the generated initialization password using a temporary password.
  • a message requesting to decrypt the attached encrypted file using a temporary password is created.
  • the user information database is accessed, the e-mail address paired with the user ID is extracted, and a message with the encrypted file attached is transmitted to the user terminal of the searched e-mail address (step 6).
  • the user receives the email and decrypts the received encrypted file using the temporary password set by the user (Step 7). Further, the user inputs the decrypted initialization password on the input screen (step 8).
  • the entered initialization password is confirmed by the time confirmation means whether it is entered within a predetermined time period after the e-mail is transmitted (step 9). If the password is not entered within a predetermined time period, the password reissue request is processed as an error. On the other hand, if it is entered within the specified time period, it is verified whether the entered initialization password matches the initialization password stored in the update temporary database, and if it does not match, the password reissue request is an error. Process as. If they match, it is determined that the reissue request is a reissue request from a user having a legitimate authority (step 10).
  • a password change screen is sent and a new password is entered by the user.
  • the password changing means rewrites the password of the user ID in the user information database with the new password that has been changed, and the password reissue process ends.
  • FIG. 6 is a diagram showing the configuration of the authentication server.
  • identity verification is performed using a message in which a URL and URL parameters are embedded.
  • the temporary password input screen transmission means 14 is activated, and the temporary password input screen information is transmitted to the user terminal.
  • the user creates a temporary password and inputs it on the input screen.
  • the temporary password is input, the user ID and the temporary password are stored in the updated temporary database 16 as a set.
  • the initialization URL creating means 30 operates, and encrypts information including at least the user ID and the date / time information (time information) of the change request with the encryption key of the authentication server to generate a URL parameter.
  • An e-mail including the generated URL parameter and a URL for guiding to the password change screen is created and transmitted to the user terminal via the e-mail server 7.
  • the electronic mail address of the user ID is extracted by collating with the user information database, and the electronic mail address is transmitted to the electronic mail address corresponding to the user ID.
  • An example of the created e-mail is shown in FIG. 7A.
  • the password change screen transmission means 31 When the user accesses the specified URL, the password change screen transmission means 31 operates to display the password change screen information.
  • An example of the password change screen is shown in FIG. 7B.
  • the password change screen includes an input field 31a for inputting a temporary password, an input field 31b for inputting a changed new password, and an input field 31c for inputting a changed password for confirmation.
  • the user inputs the temporary password and the changed new password in the input field on the password change screen.
  • the input temporary password is read, and verified by the verification means 18 against the temporary password stored in the update temporary database, and verified whether or not it matches the stored temporary password.
  • the e-mail address is an address that only the owner of the user ID knows, and the temporary password is a password that only the set user knows, so the entered temporary password and the temporary password stored in the temporary database are By collating, identity verification is performed, and identity verification between the person who made the reissue request and the person who performed the reissue procedure is performed at the same time.
  • a temporary password has been input from the user terminal within a predetermined time period after the e-mail is transmitted from the authentication server to the user terminal is confirmed by the time confirmation means 19, and If a temporary password is not entered from the user terminal within a specified period of time after the e-mail is sent, it will be regarded as a password reissue request by a person without legitimate authority, and the password reissue request will be processed as an error .
  • the input new password is supplied to the password update means 21 and the password of the user ID stored in the user information database. Is replaced with a new password, and the password reissue process ends. It is also possible to use a temporary password transmitted from the user terminal to the authentication server as a new password.
  • the temporary password may be input as a change password together with the temporary password on the password change screen shown in FIG.
  • the change password field can be deleted and a description can be made that the temporary password is used as a new password.
  • the password updating unit 21 can rewrite the corresponding password in the user information database with the temporary password using the temporary password stored in the updated temporary database.
  • FIG. 8 is a flowchart showing a series of operations in the authentication server reissue process described above.
  • authentication screen information is transmitted from the authentication server to the user terminal (step 20).
  • the user presents the user ID and makes a password reissue request (step 21).
  • the authentication server transmits the temporary password input screen information to the user terminal (step 22).
  • the input temporary password is stored in the update temporary database together with the user ID (step 23).
  • the URL parameter is created by encrypting information including the user ID and the date and time information of the reissue request with the encryption key of the authentication server (step 24). Then, an e-mail including the created URL parameter and the URL for guiding to the password change screen is created, and the e-mail is transmitted to the e-mail address of the user ID (step 25).
  • the user receives the e-mail including the URL, accesses the specified URL, and re-enters the temporary password (step 26).
  • the authentication server confirms whether or not the user has entered a temporary password within a predetermined time period after sending the e-mail (step 27).
  • the authentication server processes the reissue request as an error when the temporary password is not input within a predetermined time period.
  • a temporary password is input within a predetermined time period, it is verified whether or not the input temporary password matches the temporary password stored in the updated temporary database (step 28).
  • the password of the user ID stored in the user information database is rewritten with a new password (step 28), and the reissue process ends. .
  • the temporary password is generated by the user, and the temporary password generated by the user is transmitted from the user terminal to the authentication server.
  • the temporary password is generated by the authentication server, and the temporary password generated by the authentication server can be transmitted from the authentication server to the user terminal.
  • the temporary password is transmitted from the authentication server to the user terminal, the user can know the temporary password, and the temporary password is shared between the authentication server and the user. Therefore, the user can execute the subsequent processing using the temporary password sent from the authentication server.
  • the temporary password input screen transmission unit 14 of the authentication server shown in FIG. 6 is used to generate the temporary password and transmit the generated temporary password to the user terminal. Change to Further, Step 22 and Step 23 shown in FIG.
  • step 8 are changed as follows.
  • a password reissue request is made from the user terminal to the authentication server.
  • the authentication server generates a temporary password instead of transmitting the temporary password input screen information to the user terminal, and transmits the generated temporary password to the user terminal.
  • the authentication server stores the generated temporary password as a pair with the user ID in the temporary database. Thereafter, the processing after step 24 is executed using the temporary password generated by the authentication server.
  • step 3 the authentication server generates a temporary password instead of transmitting the temporary password input screen information to the user terminal, and transmits the generated temporary password to the user terminal.
  • step 6 the authentication server encrypts the initialization password using the generated temporary password.
  • step 7 the user decrypts the received encrypted file using the temporary password received from the authentication server.
  • the authentication server encrypts identification information unique to the user terminal and stores it as cookie information at the time of user registration or password update. Means for storing the cookie information together with the user ID in a user information database. Further, when a password change request is made by the user, the authentication server compares the cookie information stored in the user terminal 33 with the cookie information stored in the user information database. Means 34.
  • the authentication server detects the cookie information stored in the user terminal, and compares the detected cookie information with the cookie information stored in the user information database 6. Then, it is confirmed whether or not the detected cookie information matches the cookie information of the user ID stored in the database. If they match, it is determined that this is a password reissue request from a legitimate user, and the process proceeds to password reissue processing.
  • the function of the cookie is inactivated on the user terminal side or when the cookie does not match, the password change request from the user terminal is rejected. If the cookie function is deactivated on the user terminal side, it is also possible to confirm whether the request is a password change request from a legitimate user by performing an offline confirmation operation such as a telephone call.
  • the terminal When registering a user or updating a password, it is possible to use unique information of the terminal such as a communication MAC address of the terminal and a CPU-ID as identification information unique to the user terminal.
  • the local information reading module of the terminal by ActiveX or JavaAplet is downloaded from the authentication server side to the terminal side, and the terminal-specific information such as the communication MAC address is read.
  • the read terminal unique information is stored in the user information database of the corresponding user ID, and can be collated with the unique information stored in the user terminal when a password reissue request is made.
  • These local information reading modules are preferably signed using a signature electronic certificate issued by an appropriate certificate authority.
  • FIG. 9 shows an online service system that uses an instant messenger as message transmission means for transmitting a message from the authentication server of the online service system to the user terminal.
  • symbol is attached
  • Instant messengers have been put into practical use together with electronic mail as means for transmitting and receiving messages via the Internet.
  • Instant messenger is a means to send messages in real time, and Yahoo messenger, Google Talk, Windows Live messenger, AOL instant messenger and Skype messenger are put into practical use. These instant messengers are open to third parties, and the user can use them freely by receiving interface software from an instant messenger service provider and given a user ID.
  • the authentication server can transmit a message to each user terminal by implementing an API (program interface) provided by the service provider of the instant messenger. It is also possible to send a message from the authentication server to the user terminal using both electronic mail and instant messenger. In this case, the user responds to the message from the electronic mail as well as the message from the instant messenger. The authentication server verifies the two response results, and can certify that the request is a password reissue request from a user having a legitimate authority only when the two response results are both proper. Note that a message is transmitted by e-mail to a user who has registered only an e-mail address.
  • API program interface
  • the instant messenger type and user address are registered as a pair together with the user ID, password, and e-mail address.
  • the authentication server creates a message including the encrypted file or a message including a predetermined URL in response to a temporary password input from the user.
  • the user information database 6 is accessed, and the user ID (user address) of the instant messenger paired with the input user ID is searched. Send a message to the instant messenger user ID found.
  • the message is transmitted to the user terminal of the corresponding address via the network 1 and the instant messenger server 8 connected to the network 1.
  • the user responds to the received message using the temporary password.
  • the password reissue request is processed as an error if the user terminal is not activated when the message is transmitted.
  • FIG. 10 is an example of an online service system that uses a short message service of a mobile phone as a message transmission means for transmitting a message from an authentication server of the online service system to a user terminal.
  • symbol is attached
  • mobile phone short message services have also become widespread. Short messages are sent as short messages of about 140 characters via the short message service center operated by each mobile phone company.
  • a short message is transmitted to the mobile phone via SKYPE.
  • SKYPE provides free telephone and message services between SKYPE users via the Internet.
  • SKYPE provides an inexpensive pay service that allows users to call landlines and mobile phones all over the world, and a service for sending short messages to mobile phones around the world.
  • the API is released to third parties for free download, and the user can use it by receiving software and being given a user ID.
  • the authentication server that implements the SKYPE API creates a message including a predetermined URL in response to a temporary password input from the user.
  • the user information database 6 is accessed to search for the user ID of the short message telephone number that is paired with the input telephone number.
  • a short message is sent to the retrieved user ID via SKYPE.
  • the message is transmitted to the user's mobile phone via the network 1 and the short message service server 10 of the mobile phone company corresponding to the SKYPE server 9 connected to the network 1.
  • the user accesses the URL described in the message received by the mobile phone from the terminal that applied for the password reissue, and inputs the temporary password.
  • Security can be further improved by authenticating each person using an electronic mail and either an instant messenger or a short message. For example, confirmation of identity by e-mail and temporary password followed by identity confirmation by instant messenger and temporary password enables confirmation of message delivery via two different routes, realizing a password reissue method with higher security strength. it can.
  • the present invention is not only used for confirming the identity based on the user ID, but also for address information registered in advance by the user, such as an e-mail address, a user ID of an instant messenger, or a short message mobile phone. You can authenticate yourself using the number.
  • the user address of the message transmission means such as an e-mail address is first input.
  • the authentication server accesses the user information database and verifies whether the user address input by the user is registered in the user information database. If the input user address is not registered, the password reissue request is processed as an error.
  • the password reissue request is regarded as a request from a legitimate member, and the process proceeds to the password reissue process. . That is, when the reissue process shown in FIG.
  • the initialization password may be stored in the temporary storage means as a pair with the input e-mail address, or as a pair with the user ID corresponding to the input e-mail address. It is also possible to memorize.
  • the temporary password input by the user is stored in the temporary storage unit in a pair with the e-mail address or the corresponding user ID.
  • the user can be authenticated using a temporary password generated by the authentication server and transmitted from the authentication server to the user terminal.
  • the authentication server searches the user information database, the user ID forgotten by the user is searched for the user ID corresponding to the user address. Therefore, the searched user ID is transmitted to the user terminal together with the temporary password input screen information. Also good.
  • the retrieved user ID may be attached to a message transmitted from the authentication server to the user terminal.
  • the password reissue method according to the present invention can reissue a password in a high security environment even for a user who has forgotten both the password and the user ID.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Computing Systems (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Information Transfer Between Computers (AREA)

Abstract

L’invention concerne un procédé de réémission de mot de passe pour réémettre un nouveau mot de passe pour l'utilisateur qui a oublié le mot de passe par une procédure en ligne dans un environnement à sécurité élevée. Pour qu'un mot de passe soit réémis, l'utilisateur (demandeur) envoie un mot de passe temporaire créé par l'utilisateur à un serveur d'authentification. Lors de la réception du mot de passe temporaire, le serveur d'authentification mémorise le mot de passe temporaire ou un mot de passe d'initialisation dans un moyen de mémorisation temporaire. Le serveur d'authentification crée un message demandant à l'utilisateur d'effectuer un traitement prédéterminé en utilisant le mot de passe temporaire, accède à une base de données d'informations d'utilisateur, recherche l'adresse de courrier électronique ou l’adresse de messagerie instantanée correspondant à l'identification d'utilisateur, et envoie un message au terminal d'utilisateur ayant l'adresse récupérée au moyen d'un courrier électronique ou d'une messagerie instantanée. Lors de la réception du message, l'utilisateur effectue le traitement prédéterminé et envoie le mot de passe temporaire ou le mot de passe d'initialisation au serveur d'authentification. Le serveur d'authentification vérifie si le mot de passe temporaire ou le mot de passe d'initialisation reçu du terminal d'utilisateur est en accord avec le mot de passe temporaire ou le mot de passe d'initialisation mémorisé dans le moyen de mémorisation temporaire.
PCT/JP2009/005683 2008-10-29 2009-10-28 Procédé de réémission de mot de passe WO2010050192A1 (fr)

Priority Applications (1)

Application Number Priority Date Filing Date Title
JP2010535666A JPWO2010050192A1 (ja) 2008-10-29 2009-10-28 パスワード再発行方法

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
JP2008278026 2008-10-29
JP2008-278026 2008-10-29

Publications (1)

Publication Number Publication Date
WO2010050192A1 true WO2010050192A1 (fr) 2010-05-06

Family

ID=42128563

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/JP2009/005683 WO2010050192A1 (fr) 2008-10-29 2009-10-28 Procédé de réémission de mot de passe

Country Status (2)

Country Link
JP (1) JPWO2010050192A1 (fr)
WO (1) WO2010050192A1 (fr)

Cited By (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103246841A (zh) * 2012-02-09 2013-08-14 富泰华工业(深圳)有限公司 电子装置的解锁密码重置系统及方法
WO2017110709A1 (fr) * 2015-12-24 2017-06-29 日本電気株式会社 Dispositif et procédé de contrôle de courriel et support d'enregistrement de programme
CN108170482A (zh) * 2018-01-17 2018-06-15 联想(北京)有限公司 信息处理方法及计算机设备
JP2019518285A (ja) * 2016-06-07 2019-06-27 華為技術有限公司Huawei Technologies Co.,Ltd. 情報セキュリティを強化する方法及び端末
US10498710B2 (en) 2016-04-13 2019-12-03 Canon Kabushiki Kaisha System, relay client, control method, and storage medium having password reset for authentication
JP2020071620A (ja) * 2018-10-30 2020-05-07 ウイングアーク1st株式会社 認証システム、認証サーバおよび認証方法
US20230396617A1 (en) * 2021-02-03 2023-12-07 Capital One Services, Llc Url-based authentication for payment cards

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2005216085A (ja) * 2004-01-30 2005-08-11 All Nippon Airways Co Ltd パスワード提供システムおよびその方法
JP2006311529A (ja) * 2005-03-30 2006-11-09 Seiko Epson Corp 認証システムおよびその認証方法、認証サーバおよびその認証方法、記録媒体、プログラム
JP2008217814A (ja) * 2006-01-13 2008-09-18 Keytel:Kk 暗号化ファイル受渡システム、電子ファイル暗号化プログラム及び暗号化ファイル受渡方法

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2005216085A (ja) * 2004-01-30 2005-08-11 All Nippon Airways Co Ltd パスワード提供システムおよびその方法
JP2006311529A (ja) * 2005-03-30 2006-11-09 Seiko Epson Corp 認証システムおよびその認証方法、認証サーバおよびその認証方法、記録媒体、プログラム
JP2008217814A (ja) * 2006-01-13 2008-09-18 Keytel:Kk 暗号化ファイル受渡システム、電子ファイル暗号化プログラム及び暗号化ファイル受渡方法

Cited By (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103246841A (zh) * 2012-02-09 2013-08-14 富泰华工业(深圳)有限公司 电子装置的解锁密码重置系统及方法
WO2017110709A1 (fr) * 2015-12-24 2017-06-29 日本電気株式会社 Dispositif et procédé de contrôle de courriel et support d'enregistrement de programme
US10498710B2 (en) 2016-04-13 2019-12-03 Canon Kabushiki Kaisha System, relay client, control method, and storage medium having password reset for authentication
JP2019518285A (ja) * 2016-06-07 2019-06-27 華為技術有限公司Huawei Technologies Co.,Ltd. 情報セキュリティを強化する方法及び端末
US10831881B2 (en) 2016-06-07 2020-11-10 Huawei Technologies Co., Ltd. Method and terminal for enhancing information security
CN108170482A (zh) * 2018-01-17 2018-06-15 联想(北京)有限公司 信息处理方法及计算机设备
JP2020071620A (ja) * 2018-10-30 2020-05-07 ウイングアーク1st株式会社 認証システム、認証サーバおよび認証方法
JP7100561B2 (ja) 2018-10-30 2022-07-13 ウイングアーク1st株式会社 認証システム、認証サーバおよび認証方法
US20230396617A1 (en) * 2021-02-03 2023-12-07 Capital One Services, Llc Url-based authentication for payment cards

Also Published As

Publication number Publication date
JPWO2010050192A1 (ja) 2012-03-29

Similar Documents

Publication Publication Date Title
CN107690788B (zh) 识别和/或认证系统和方法
US9741033B2 (en) System and method for point of sale payment data credentials management using out-of-band authentication
JP5066827B2 (ja) 移動装置を用いる認証サービスのための方法及び装置
US8656180B2 (en) Token activation
US8555079B2 (en) Token management
US7730321B2 (en) System and method for authentication of users and communications received from computer systems
KR101019458B1 (ko) 확장된 일회용 암호 방법 및 장치
US8751801B2 (en) System and method for authenticating users using two or more factors
JP4350769B2 (ja) 認証サーバ及びオンラインサービスシステム
JP5619007B2 (ja) サーバ・オペレーションの認可を行うための装置、システムおよびコンピュータ・プログラム
JP4755866B2 (ja) 認証システム、認証サーバ、認証方法および認証プログラム
US7366904B2 (en) Method for modifying validity of a certificate using biometric information in public key infrastructure-based authentication system
EP1719283B1 (fr) Procede et appareil d'authentification d'utilisateurs et de communications recues de systemes informatiques
US20130145148A1 (en) Passcode restoration
WO2009101549A2 (fr) Procédé et dispositif mobile permettant d'enregistrer et d'authentifier un utilisateur auprès d'un fournisseur de services
JP2017507549A (ja) ブルートゥースインタフェースを備える認証装置
WO2010050192A1 (fr) Procédé de réémission de mot de passe
JP2002215582A (ja) 認証方法及び装置
CA2525121A1 (fr) Procede et appareil d'authentification d'utilisateurs et de sites web
CN106416336B (zh) 识别和/或认证系统和方法
CN101517562A (zh) 通过多个模式对一次性密码的用户进行注册和验证的方法以及记录有执行该方法的程序的计算机可读记录介质
EP3824592A1 (fr) Gestionnaire de mots de passe protégé par une paire de clés publique-privée
KR101025807B1 (ko) 인증방법 및 인증서버
KR101001400B1 (ko) 온라인 상호 인증 방법 및 그 시스템
JP5919497B2 (ja) ユーザ認証システム

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 09823305

Country of ref document: EP

Kind code of ref document: A1

ENP Entry into the national phase

Ref document number: 2010535666

Country of ref document: JP

Kind code of ref document: A

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 09823305

Country of ref document: EP

Kind code of ref document: A1