WO2011074500A1 - Mobile proxy authentication system and mobile proxy authentication method - Google Patents


Publication number
WO2011074500A1
Authority
WO
WIPO (PCT)
Prior art keywords
authentication
unit
mobile terminal
user
information
Application number
PCT/JP2010/072285
Inventor
淳 松村
利幸 尾間
Original Assignee
BizMobile株式会社
Application filed by BizMobile株式会社
Priority to JP2011546094A (patent JP5655246B2)
Publication of WO2011074500A1


Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L12/00: Data switching networks
    • H04L12/66: Arrangements for connecting between networks having differing types of switching systems, e.g. gateways
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04W: WIRELESS COMMUNICATION NETWORKS
    • H04W12/00: Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/06: Authentication
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2209/00: Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
    • H04L2209/76: Proxy, i.e. using intermediary entity to perform cryptographic operations
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2209/00: Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
    • H04L2209/80: Wireless

Definitions

  • the present invention relates to a mobile authentication agent system and a mobile authentication agent method for authenticating an information processing terminal connected to a communication network using a mobile terminal.
  • there has been proposed an authentication system that allows a user to use a network resource from a terminal after confirming the legitimacy of the user (for example, Patent Document 1).
  • a mobile terminal identifier and ID of a mobile terminal registered in advance are used as authentication targets, and a user performs an authentication procedure from the mobile terminal, whereby a temporary password (one-time password) is obtained; the user then connects to the server using the temporary password from another communication terminal such as a PC.
  • using a mobile terminal different from the communication terminal that uses the service, it is possible to provide a user with a secure service.
  • the one-time password is not transmitted on the user's own mobile terminal side, so that the person who owns the mobile terminal that receives the one-time password and the person who logs in from a PC or other communication terminal must be the same person.
  • Patent Document 1 cannot be applied to a service system in which the owner of the mobile terminal and the person receiving the service are different.
  • a victim of a crime such as a bank transfer fraud tries to perform a transfer operation from an ATM
  • the victim himself can proceed with the transfer operation because the one-time password is obtained on the mobile terminal of the elderly person who performs the transfer operation.
  • the guardian cannot monitor the transfer process remotely, and such a crime cannot be prevented.
  • an object of the present invention is to provide a mobile authentication agent system and a mobile authentication agent method that can achieve a variety of services.
  • the present invention is a mobile authentication agency system that authenticates a user at an arbitrary information processing terminal connected to a communication network using a mobile terminal carried by the user.
  • an authentication interface unit that accepts input of authentication information on the processing terminal, and a confirmation request unit that is arranged on the communication network, acquires the authentication information input in the interface unit, and makes a confirmation request to the mobile terminal based on the authentication information
  • a mobile terminal arranged on a communication network, a confirmation operation unit that requests a confirmation operation from a user in response to a confirmation request, and returns approval data to the confirmation request unit in response to the confirmation operation by the user.
  • an authentication processing unit that obtains the approval data and executes the authentication process based on the approval data, and an authentication result transmitting unit that transmits the authentication result of the authentication processing unit on the communication network.
  • the present invention is a mobile authentication agent method for authenticating a user in an arbitrary information processing terminal connected to a communication network using a mobile terminal carried by the user, comprising:
      (1) an authentication information input step of inputting authentication information through the authentication interface unit on the information processing terminal;
      (2) a confirmation requesting step of obtaining, in a confirmation requesting unit installed on the communication network, the authentication information input in the interface unit and making a confirmation request to the mobile terminal based on the authentication information;
      (3) a confirmation operation step of, in the mobile terminal, requesting a confirmation operation from the user in response to the confirmation request and returning approval data to the confirmation request unit in response to the confirmation operation by the user;
      (4) an authentication processing step of, in an authentication processing unit arranged on the communication network, acquiring the approval data and executing authentication processing based on the approval data;
      (5) an authentication result transmission step of transmitting the authentication result of the authentication processing step on the communication network.
  • the confirmation request unit on the communication network can request a confirmation operation on the mobile terminal owned by the user himself/herself and obtain the approval of the user himself/herself (or the user's guardian, etc.) for the authentication processing, so that authentication can be performed with improved security and ensured safety.
  • an input operation on the information processing terminal and a confirmation operation on the mobile terminal are performed.
  • This input operation is an operation for inputting the telephone number of the mobile terminal that requests confirmation for receiving the service.
  • the confirmation operation is an operation for returning whether the confirmation request is accepted or not; once the user has performed the input operation described above, the next operation is authenticated by a confirmation operation alone, so that the user input procedure can be simplified and the service can be received.
  • the confirmation request can be transmitted to the authentication target user who is operating the information processing terminal as well as to the mobile terminal possessed by another user, and the authentication result of the confirmation operation at that time can be sent to an authentication server on the service provider side.
  • even when an attempt is made to use the remittance service from an information processing terminal such as an ATM, the confirmation request is notified to the user's guardian, so the guardian can determine whether or not the transfer process may be performed, and a procedure for transfer fraud or the like can be prevented.
  • the present invention can be applied to a service system that prevents wire fraud and the like, and can provide a variety of services.
  • an authentication information type determination unit that determines whether a mobile terminal identifier that identifies a predetermined mobile terminal is included in the authentication information that is arranged on the communication network and is input to the authentication interface unit
  • the confirmation request unit preferably makes a confirmation request to the mobile terminal when the authentication information type determination unit determines that the mobile terminal identifier is included.
  • the authentication information type determination unit on the information processing terminal side determines whether the input authentication information is a mobile phone number or a normal ID and password, and the destination to which the authentication information is notified can be changed according to the determination result, so the system according to the present invention can be introduced in combination with a security system in which an ID and password are input as in the prior art. In addition, according to the present invention as described above, an authentication process having an identity verification phase based on a confirmation request can be added to an existing authentication system simply by adding a function of determining a mobile terminal identifier to its interface. Thus, the present invention can be introduced with a small capital investment.
  • the mobile terminal has a position information acquisition unit that measures the current position of the own device, and the confirmation operation unit includes the current position of the own device measured by the position information acquisition unit in the approval data.
  • the approval data is sent back to the confirmation request unit, and the authentication processing unit has map information that describes the range for which authentication is permitted and preferably determines whether the position belongs to a predetermined range.
  • in addition to the user authentication information and approval data, authentication can refer to the map information for the location information of the mobile terminal that the user has, so that, based on the location of the mobile terminal that performs the confirmation process, more reliable approval data can be acquired and the security of the authentication system using the mobile terminal can be increased.
  • the authentication interface unit has a form identifier for identifying the authentication interface unit, the authentication interface unit has a function of adding its own form identifier to the authentication information, and the authentication result transmission unit
  • a database that stores the identifier and a destination address that identifies the authentication processing unit that performs normal authentication processing through the authentication interface unit; the authentication result transmission unit preferably acquires the form identifier of the authentication interface unit and transmits the authentication result toward the destination address obtained by collating the database based on the form identifier.
  • since the form identifier of the authentication interface unit is associated with the destination address that specifies the authentication processing unit, the authentication processing unit that is the transmission destination of the authentication result can be specified. By transmitting the authentication result to the authentication processing unit using this as the key, the authentication processing unit can perform an authentication procedure using the authentication result. Therefore, once the input operation is performed in the information processing terminal, the authentication information associated with the authentication process can be used, the operation for inputting the authentication information again can be omitted, and the security can be further strengthened.
  • the service providing unit that performs the user authentication as the normal authentication process based on the authentication information input through the authentication interface unit, and provides the service when the authentication of the normal authentication process is successful
  • on the service providing unit side, an external confirmation request unit that transmits the confirmation request to the mobile terminal as an external confirmation request based on the authentication information input in the normal authentication process.
  • the authentication result transmission unit transmits an authentication result based on the approval data as an external authentication result to the service providing unit
  • the service providing unit preferably determines whether to provide the service based on the external authentication result transmitted from the authentication result transmitting unit and the authentication result of the normal authentication process.
  • the service providing unit has an approval function for executing an approval process by a financial institution
  • the external confirmation requesting unit has an external confirmation list of a user who requires an external confirmation request
  • the approval function is an approval function.
  • a service for switching the limit amount can be introduced, so that the convenience and safety of the user can be improved, and the approval process for the financial institution can be made smooth.
  • an information processing terminal connected to a communication network is used for electronic commerce by a personal computer on the Internet, financial approval by an ATM, a dedicated device equipped with a card reader, or the like.
  • FIG. 1 is a conceptual diagram showing the overall configuration of the authentication proxy system according to the present embodiment
  • FIG. 2 is an explanatory diagram showing an overview of the authentication proxy service according to the present embodiment.
  • the authentication agent system is a system that performs or supports user authentication at an arbitrary information processing terminal 1 (1a to 1f) connected to a communication network 5, by performing identity verification and procedure approval using a mobile terminal 2 carried by a user who receives a service.
  • the communication network 5 is an IP network using the communication protocol TCP/IP, such as the Internet, and is a distributed communication network constructed by connecting various communication lines (public lines such as telephone lines, ISDN lines, ADSL lines, and optical lines, private lines, and wireless communication networks) to each other.
  • This communication network 5 includes a LAN such as an intranet (in-house network) or a home network based on 10BASE-T, 100BASE-TX, or the like.
  • the information processing terminal 1 (1a to 1f) is a user terminal having an arithmetic processing function by a CPU and a communication processing function by a communication interface.
  • the information processing terminal 1 (1a to 1f) can be realized by a general-purpose computer such as a personal computer, or by a dedicated device specialized for functions such as an ATM or a card reader, and includes a mobile computer, a PDA (Personal Digital Assistant), a mobile phone, and the like.
  • 1a is a general-purpose computer such as a personal computer
  • 1b is a portable information terminal such as a mobile phone or PDA
  • 1c is an ATM terminal connected to the dedicated line 51
  • 1d to 1f are, for example, dedicated devices that are installed in a store such as a restaurant or a convenience store and have a card reader function, connected to the dedicated line 51.
  • the dedicated line 51 is a dedicated communication line that directly connects the server 4 and terminals 1c to 1f such as an ATM, and includes lines, such as an ATM (Asynchronous Transfer Mode) line, that send and receive fixed-length data by asynchronous transfer mode or frame relay.
  • an ATM terminal is an automatic teller machine that can be used for depositing, depositing, and transferring money using a card or bankbook.
  • a card reader is a contact-type or non-contact type device that reads information from a card such as a credit card or cash card.
  • the contact-type device includes a card or a magnetic card mounted with an IC chip or the like.
  • the information processing terminals 1a to 1f are provided with a browser function for accessing the Internet, which is the communication network 5, and transmitting / receiving data, or an interactive operation function using a dedicated program.
  • the browser function is application software that can be executed on a general-purpose computer or PDA to view web pages; it downloads HTML (HyperText Markup Language) files, image files, music files, etc. from the Internet, analyzes the layout, and displays or plays them.
  • a user transmits data to the service providing server 4 using a form which is a GUI, or operates application software described in JavaScript, Flash, Java (registered trademark), or the like.
  • the interactive operation function is a dedicated program executed in a dedicated device such as an ATM; it performs screen display to the user and accepts input operations through a touch panel or the like, and transmits and receives data to and from a device (for example, the service providing server 4).
  • these browser function and interactive operation function display the login form 111a on the information processing terminals 1a to 1f when the user receives a service, and accept the input of authentication information by the user operation.
  • the authentication information includes a mobile phone number as a mobile terminal identifier in addition to an ID and a password.
  • the information processing terminal 1 determines whether or not the authentication information input through the browser function or the interactive operation function includes a mobile terminal identifier that identifies the mobile terminal 2.
  • when the input authentication information includes the mobile terminal identifier, the mobile terminal identifier is transmitted as authentication information data D1 to the authentication agent server 3, while when the input authentication information does not include the mobile terminal identifier, the authentication information is transmitted to the service providing server 4 as normal authentication information data D2.
  • the mobile terminal 2 is a portable telephone that communicates wirelessly; the portable telephone communicates wirelessly with a relay point such as a base station, so that communication services such as telephone calls and data communications can be received while moving.
  • Examples of the communication system of the mobile terminal 2 include an FDMA system, a TDMA system, a CDMA system, a W-CDMA system, a PHS (Personal Handyphone System) system, and the like.
  • the mobile terminal 2 is equipped with functions such as a digital camera function, an application software execution function, or a GPS function, and also functions as a personal digital assistant (PDA).
  • the mobile terminal 2 has a function of receiving the confirmation request data D3 from the authentication proxy server 3, requesting a confirmation operation from the user, and returning the approval data D4 to the authentication proxy server 3 according to the confirmation operation by the user.
  • the user who uses the mobile terminal 2 may be the person who is to be authenticated who performs the authentication process in the information processing terminal 1, or may be a guardian of the person to be authenticated.
  • the reception of the confirmation request data D3, the input of the confirmation operation, and the transmission of the approval data D4 can be performed by a dedicated module or operation button provided in the mobile terminal 2; alternatively, the above browser function may be provided in the mobile terminal 2, and information may be displayed and user operations input through a GUI configured with the browser function.
  • the information processing terminal 1b and the mobile terminal 2 perform transmission and reception of radio signals through the radio base station 6 to perform a call and data communication.
  • the radio base station 6 is connected to the communication network 5 through the gateway device 8, establishes a radio communication connection between the mobile terminal 2 and the radio base station 6, and enables calls and data communication by the mobile terminal 2.
  • the radio base station 6 may be, for example, a small-scale base station called a femtocell that covers a narrow area with a radius of about 10 m.
  • the wireless base station 6 is connected to an HSS (Home Subscriber Server) on the network through a communication network 5 such as an optical network as a backbone, a public network such as ADSL, or an IP network (not shown).
  • the HSS is a server that manages in which cell each mobile terminal is located, and functions as a location information acquisition unit.
  • the HSS receives the location registration request transmitted from the mobile terminal 2 together with the base station identification information assigned to the femtocell base station, and specifies the location of the mobile terminal 2.
  • this location registration request is transmitted from the mobile terminal 2 to the femtocell base station that manages the newly entered cell when the cell in which the terminal is located switches due to the user's movement; the base station identification information assigned to the femtocell base station is transmitted to the HSS together with the location registration request, and the location of the user can be grasped in real time in the HSS.
  • the service providing server 4 is a general communication server arranged on the communication network 5; it is a server computer, or software having that function, that transmits information such as HTML (HyperText Markup Language) files, image files, and music files in a document system such as the WWW (World Wide Web), stores information such as HTML documents and images, and distributes that information (Web pages) in response to requests from applications such as a Web browser executed on the information processing terminal 1.
  • the service providing server 4 is an organization that executes processing related to a service in response to an instruction from the authentication proxy server 3. Specifically, the service providing server 4 receives the normal authentication information data D2 transmitted from the information processing terminal 1 or the authentication result data D5 transmitted from the authentication proxy server 3, performs its own authentication process, and starts providing services to users.
  • when the service providing server is a server that distributes digital contents such as e-mail and images/videos, the service is distribution of e-mail with the digital contents attached, presentation of a web page, etc.
  • when the service providing server 4 is a server that performs financial approval, the service is presentation of a web page for the financial approval, acceptance of payment processing, or the like.
  • the authentication proxy server 3 is a server device that is arranged on the communication network 5 and manages the authentication proxy for the user.
  • the authentication proxy server 3 is connected to the service providing server 4 via the communication network 5. In cooperation with the service providing server 4, or in addition to the normal authentication process in the service providing server 4, processing related to the authentication proxy is executed.
  • the way of cooperation with the authentication proxy server 3 differs depending on the business condition of the service provided by the service providing server 4 and the level of security in the service providing server 4, and for example, the following patterns can be supported.
  • the service providing server 4 itself does not have an authentication system and entrusts the entire authentication process to the authentication agent server 3; the service providing server 4 itself only manages access from users based on the authentication result received from the authentication agent server 3.
  • the service providing server 4 itself has a normal authentication system; when normal authentication information such as an ID and a password is input, the service providing server 4 executes the normal authentication process, and when the input authentication information is the phone number of the mobile terminal, the authentication processing in the authentication proxy server 3 is performed in advance, the service providing server 4 itself executes the normal authentication process using the authentication result from the authentication proxy server 3, and access from users is managed based on the double authentication result.
  • the service providing server 4 itself also has a normal authentication system. Usually, the service providing server 4 itself performs normal authentication processing using an ID and a password; if the input authentication information is that of a specific user, the authentication proxy server 3 is requested to perform authentication processing, and access from the user is managed based on the authentication result of the service providing server 4 itself and the authentication result of the authentication proxy server 3.
  • the authentication proxy server 3 has a function of making a confirmation request to the mobile terminal 2 for confirmation of the authentication operation, based on the authentication information data D1 transmitted from the information processing terminal 1 or the external confirmation request data D6 transmitted from the service providing server 4, and of executing an approval process based on the approval data D4 returned from the mobile terminal 2.
  • FIG. 3 is a block diagram showing the internal configuration of the information processing terminal 1, the authentication proxy server 3, the mobile terminal 2, and the service providing server 4 constituting the authentication proxy system according to the present embodiment, and FIG. It is explanatory drawing which shows an example of the confirmation request
  • the “module” used in the description refers to a functional unit that is configured by hardware such as an apparatus or a device, software having the function, or a combination thereof, and achieves a predetermined operation.
  • the information processing terminal 1 includes a communication interface 101 as a communication module, an authentication interface unit 110 as a user interface module, and a control unit 120 as a service execution module that provides a service.
  • the communication interface 101 is a communication interface that transmits various data such as authentication information and receives various data such as authentication permission data and content data. Each data received by the communication interface 101 is input to the control unit 120.
  • the authentication interface unit 110 is a module that accepts input of authentication information based on a user operation on the information processing terminal 1, and includes an output interface 115, a display screen 111, an operation device interface 113, and an operation signal detection unit 112.
  • the output interface 115 is a module that outputs video and audio output signals from the display screen 111 and speakers.
  • the display screen 111 is a display device such as a liquid crystal display, for example, and can display Web information and the like through a login form 111a generated by a Web application or the like.
  • the operation device interface 113 is a module to which an operation / input device such as a mouse, a keyboard, or a reader / writer is connected, and receives an input signal based on a user operation such as an operation button or a touch panel, and information read by the reader / writer.
  • the user can input a keyword for displaying a Web page, input authentication information such as an ID, password, and telephone number, or authentication information such as a credit card.
  • the operation signal detection unit 112 is a module that acquires an operation signal from an operation device based on a user operation.
  • the operation signal detection unit 112 detects authentication information input by a user operation as data, and transmits this authentication information data to the form identifier addition unit 114.
  • the form identifier adding unit 114 is a module that acquires a form identifier set to specify the authentication interface unit that is the target of user operation, and adds the acquired form identifier to the authentication information input through the operation device interface 113.
  • the form identifier is a URL of a Web page displayed on the browser or an identifier given to an input form in the Web page, and is extracted from the Web page when the Web page is read by the browser function.
  • when the information processing terminal 1 is an ATM-like device, for example, the form identifier is an identifier for identifying a series of transaction operations (transactions) by the user, and a reference number such as a transaction number may be used.
  • the authentication interface unit 110 can output video and audio through the output interface 115, and an operation signal from an operation device such as a mouse or a keyboard is input as a user operation through the operation device interface 113.
  • the display screen 111 displays a Web page and allows user operations such as clicking on the Web page and inputting characters, and accepts input of authentication information.
  • the control unit 120 is an arithmetic processing unit such as a CPU, and each function module is virtually constructed by executing various programs on the control unit 120.
  • an application execution unit 123, a content acquisition unit 121, and an execution process determination unit 122 are constructed in the control unit 120 by executing a predetermined program.
  • the content acquisition unit 121 is a module that receives content data such as HTML from the service providing server 4 through the communication network 5.
  • the content data downloaded by the content acquisition unit 121 is video / audio by the application execution unit 123.
  • the signal is converted into a signal and output from the display screen 111 or the speaker through the output interface 115.
  • the execution process determination unit 122 is a module that determines whether or not a condition related to the execution of content data is satisfied and restricts execution of the application by the application execution unit 123.
  • the condition determined by the execution process determination unit 122 is an authentication result transmitted from the service providing server 4, and the execution of the application is regulated based on the authentication result.
  • the application execution unit 123 is a module that executes applications such as a general OS, browser software, and media viewing application, and includes an output signal generation unit 126, an authentication information type determination unit 125, and a connection destination selection unit 124. Yes.
  • the output signal generation unit 126 converts the application execution result by the application execution unit 123 and the content data acquired by the content acquisition unit 121 into a video signal and an audio signal, and generates the signal that can be output by the display screen 111 or the speaker. It is a module to do. Further, since the application execution unit 123 also controls the GUI, the output signal generation unit 126 generates graphics necessary for displaying the GUI, and the generated graphics are displayed on the display screen 111 through the output I / F 115. Is displayed.
  • The authentication information type determination unit 125 is configured with a script embedded in the HTML describing a Web page, a module of a dedicated program, or the like. It is a module that determines whether or not the authentication information input to the authentication interface unit 110 includes a mobile terminal identifier that specifies a predetermined mobile terminal 2.
  • The mobile terminal identifier in the present embodiment is a telephone number that identifies the mobile terminal that performs the confirmation operation.
  • The authentication information type determination unit 125 examines the number of characters, the type, and the format of the character string that the user inputs with the operation device. When the input authentication information is a character string consisting only of 11 digits and beginning with “090” or “080”, the input authentication information is treated as a mobile terminal identifier. A character string of any other format is determined to be a normal authentication ID or password.
  • The determination result by the authentication information type determination unit 125 is input to the connection destination selection unit 124.
  • The connection destination selection unit 124 is a module that determines a connection destination via the communication network 5 in accordance with the type of authentication information input to the authentication interface unit 110. In this embodiment, the connection destination selection unit 124 acquires the determination result of the authentication information type determination unit 125. When the determination result indicates that the mobile terminal identifier is included in the authentication information input by the user, the connection destination is the authentication proxy server 3; when the determination result indicates that the mobile terminal identifier is not included in the authentication information, the connection destination is the service providing server 4.
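The type determination and destination selection described above can be sketched as a browser-side script. This is an added example, not code from the patent: the endpoint URL, field names, the acceptance of a hyphenated number, and the `isReservedUserId` check are assumptions made for illustration.

```javascript
// Added example modelled on units 125 (type determination) and 124
// (connection destination selection). URLs and field names are hypothetical.
const AUTH_PROXY_SERVER = "https://auth-proxy.example/confirm"; // hypothetical

// Constructed sample of what the form identifier adding unit 114 supplies.
const SAMPLE_FORM = {
  formId: "login-form-111a",
  destinationAddress: "https://shop.example/login", // service providing server 4
};

// Rule from the text: only digits, exactly 11 of them, starting "090" or "080".
const MOBILE_ID_RULE = /^0[89]0\d{8}$/;

// Assumption of this example: a number typed with hyphens is also accepted.
// Hyphens are stripped only when the input is nothing but digits and hyphens,
// so an ID such as "090-abc" is left untouched and stays a normal ID.
function normalize(input) {
  const trimmed = String(input).trim();
  return /^[\d-]+$/.test(trimmed) ? trimmed.replace(/-/g, "") : trimmed;
}

function classifyAuthInput(input) {
  return MOBILE_ID_RULE.test(normalize(input))
    ? "mobile_terminal_identifier"
    : "normal";
}

// Because the decision is made purely on format, a user ID that looks like a
// phone number would always be routed to the proxy. A service can reject such
// IDs at registration time with this check.
function isReservedUserId(userId) {
  return classifyAuthInput(userId) === "mobile_terminal_identifier";
}

// Build the request the terminal would send, without sending it.
function selectDestination(fields, form) {
  if (classifyAuthInput(fields.id) === "mobile_terminal_identifier") {
    // To the authentication proxy server 3: phone number, form identifier and
    // destination address. No password is collected or forwarded.
    return {
      url: AUTH_PROXY_SERVER,
      body: {
        mobileTerminalId: normalize(fields.id),
        formId: form.formId,
        destinationAddress: form.destinationAddress,
      },
    };
  }
  // Normal authentication: user ID and password go to the service directly.
  return {
    url: form.destinationAddress,
    body: { userId: fields.id, password: fields.password, formId: form.formId },
  };
}
```

Since this check runs on the terminal, the receiving servers still have to validate the format themselves; the script only chooses where the request goes.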
  • The control unit 120 includes a memory (not shown), a cache memory, and the like.
  • The cache memory is, for example, a volatile memory device, and temporarily stores downloaded content data.
  • The memory is a storage device in which content data is written and stored (main storage) when the user downloads the content data and obtains authentication permission, and can be realized by a non-volatile memory device, a hard disk, or the like.
  • The memory may be fixedly incorporated in the information processing terminal, or may be a removable device such as a memory card, or a storage device connected by a USB cable or the like.
  • (2) Authentication proxy server 3
  • The authentication proxy server 3 can be composed of a single server device or of a group of several types of servers such as a Web server and a database server.
  • The communication interface 302 is a module that transmits and receives various data as packet data through an IP network such as the communication network 5.
  • Through the communication interface 302, the authentication proxy server 3 is connected to the information processing terminal 1 or the service providing server 4, receives authentication information data, and transmits authentication permission data to the service providing server 4.
  • The communication interface 302 is also connected to the radio base station 6 through the communication network 5 and the public network, and can transmit and receive various data to and from the mobile terminal 2 through the radio base station 6. Confirmation request data is transmitted to the mobile terminal 2, and approval data is received from the mobile terminal 2.
  • The external authentication database 301 is a database device that stores table data T1 and the like in which a telephone number that is a mobile terminal identifier is associated with a form identifier of the information processing terminal 1, an ID that is user information, a password, and a destination address. It retrieves and outputs predetermined data in accordance with an instruction from the external authentication unit 304.
  • The table data T1 is a relational database made up of a plurality of tables and the relations between them, as shown in FIG. 4. The customer master table T10 concerning registered users, the registration service data T11 holding information on the services the user plans to use, and the card information table T12 concerning the credit cards used by the user are linked by relations.
  • A registration ID unique to each registered member is assigned as the member registration ID for the authentication agency service. Using this registration ID as an index, customer information and a mobile phone number for identity verification, or alternatively the mobile phone number of a manager (such as the guardian of a minor or of an elderly person) used when a procedure is approved, are recorded.
  • The URL of the server that is the access destination is registered in advance as a destination address for each service used by the user. For each destination address, the form ID that is recognized as the access source, and the user ID, password, and other authentication information necessary at login are recorded.
  • The destination address is data such as a URL that identifies the service providing server 4 (main authentication processing unit) that performs normal authentication processing.
  • The card information table T12 is data for providing a card folder service. A plurality of credit cards that can be used by each user are registered in it, and the user can set the credit card to be used for each service or select any credit card for each payment procedure.
  • A mobile phone number is linked to one registered user ID (the member registration ID for the authentication agency service), and the user ID, password, destination address, and form identifier necessary for login are further linked for each service that the user plans to use. As a result, in the present embodiment, a plurality of services can be associated with the telephone number of one mobile phone, and by specifying the destination address unique to each service in the information processing terminal 1 and searching the external authentication database 301, the authentication proxy server 3 side can identify which service providing server the authentication process is for.
  • The log history storage unit 307 is a storage device that accumulates approval data transmitted from the mobile terminal 2 as log data together with authentication information. Specifically, when the authentication result is output to the authentication result transmission unit 303 by the external authentication unit 304, the same information as the authentication result output to the authentication result transmission unit 303 is also duplicated and output to the log history storage unit 307, and stored in chronological order as a history (log) of authentication results.
  • The external authentication unit 304 is a module that confirms with the user, through the mobile terminal 2, whether or not to approve the authentication process, based on the authentication information received by the communication interface 302. The external authentication unit 304 includes a confirmation request unit 305 and an external authentication processing unit 306.
  • The confirmation request unit 305 is a module that obtains authentication information from the information processing terminal 1, makes a confirmation request to the mobile terminal 2 based on the authentication information, and obtains approval data produced by a user confirmation operation in response to the confirmation request.
  • The authentication information received by the confirmation request unit 305 includes the telephone number of the mobile terminal 2 transmitted from the information processing terminal 1 and the external confirmation request (user ID, etc.) transmitted from the service providing server 4.
  • When the mobile terminal identifier (telephone number) is included in the authentication information input in the authentication interface unit 110 of the information processing terminal 1, the confirmation request unit 305 refers to the external authentication database 301 based on the mobile terminal identifier included in the authentication information, acquires the name of the customer who owns the mobile terminal and the service content of the confirmation request, and generates confirmation request data.
  • The confirmation request unit 305 transmits the confirmation request data to the mobile terminal 2 having a destination address corresponding to the mobile terminal identifier, and receives the approval data transmitted from the mobile terminal 2.
  • The external authentication processing unit 306 is a module that acquires the approval data transmitted from the mobile terminal 2 and determines, based on the approval data, whether or not to perform proxy processing (external authentication).
  • The external authentication processing unit 306 has a map database 308 storing map information that describes the range in which authentication is permitted. During the authentication process, it refers to the map information in the map database 308 and collates it with the position information data acquired from the mobile terminal 2 to determine whether or not the current position of the mobile terminal 2 is within the predetermined range.
  • The external authentication processing unit 306 generates authentication result data by collating the external authentication database 301.
  • The authentication result data is data including the acquired approval data, the user ID and password that are information necessary for normal authentication, and the form identifier included in the acquired authentication information. This authentication result data is transmitted to the service providing server 4 according to the destination address.
  • The authentication result transmission unit 303 is a module that transmits the authentication result data from the external authentication processing unit 306 to the service providing server 4 via the communication network 5. Specifically, the authentication result transmission unit 303 acquires the form identifier or the destination address of the authentication interface unit 110, collates the external authentication database 301 based on the form identifier or the destination address, and sends the user ID or password that is the authentication result to the destination address as authentication result data. In the present embodiment, the authentication result transmission unit 303 also has a function of transmitting an authentication result based on the approval data to the service providing server 4 as external authentication result data.
  • The mobile terminal 2 is an information processing terminal having a communication function, such as a mobile telephone or a PDA, and includes, together with the modules necessary for general wireless communication, an input interface 201, an output interface 202, a position information acquisition unit 203, a control unit 204, and a wireless interface 206.
  • The wireless interface 206 has a function of executing wireless communication using a mobile communication protocol for performing a call and wireless communication using a data communication protocol such as a wireless LAN.
  • The data communication function of the wireless interface 206 can be realized by a wireless LAN adapter or the like when the mobile terminal 2 is a mobile computer or a PDA.
  • The input interface 201 is a device that inputs user operations, such as operation buttons, a touch panel, and a jog dial.
  • The output interface 202 is a device that outputs video and sound, such as a display and a speaker.
  • The input interface 201 and the output interface 202 display a GUI based on the confirmation request data on the display screen 202a, and through this GUI confirm whether or not the user approves, using an operation button or the like.
  • The position information acquisition unit 203 is a module that measures the current position of the own device. For example, the position information acquisition unit 203 calculates the coordinates of the current position based on the GPS signal from the communication satellite 7, or the mobile terminal 2 itself can acquire the location information of the own device from the base station identifier of the radio base station 6 and radio wave conditions such as the signal strength from the base station. In addition, the position information acquisition unit 203 may be provided with a function that detects access points installed in the vicinity, inquires the location of the access points from an AP database installed on the communication network, and estimates the current location of the own device.
  • The connection processing unit 205 is a module for connecting to the radio base station 6 via wireless communication, and transmits an identifier (telephone number, IP address, user ID) for identifying the own device to the radio base station 6 to be connected, for authentication.
  • The control unit 204 is an arithmetic processing unit such as a CPU, and is a module that virtually constructs each functional module by executing various programs on the control unit 204.
  • The confirmation operation unit 207 is constructed in the control unit 204.
  • The confirmation operation unit 207 is a module that requests a confirmation operation from the user in response to the confirmation request, and returns approval data to the authentication proxy server 3 in accordance with the confirmation operation by the user. Specifically, the confirmation operation unit 207 displays a confirmation request screen on the display of the output interface 202 according to the confirmation request data transmitted from the confirmation request unit 305. Then, a confirmation operation signal from the input interface 201 is acquired, approval data is generated based on the signal, and the approval data is returned to the confirmation request unit 305.
  • The confirmation operation unit 207 also has a function of adding the current position of the own device measured by the position information acquisition unit 203 to the approval data and returning the approval data to the confirmation request unit 305.
  • The service providing server 4 is a server device for performing various services, and may be a single device or a plurality of server device groups.
  • The service providing server 4 needs to perform an authentication process when providing the service. Various forms can be employed for this authentication process: it may be performed by the server's own original authentication system, it may be entirely delegated to the authentication proxy server 3, or normal authentication (main authentication process) by the server's own authentication system and a temporary authentication process by the authentication proxy server 3 may be used in combination.
  • The normal authentication using an original authentication system and the external authentication processing by the authentication proxy server 3 are used in combination.
  • The service providing server 4 includes a communication interface 402, a content transmission unit 404, a main authentication unit 403, a main authentication database 401, and an approval unit 408.
  • The communication interface 402 is a module that transmits and receives various data as packets via the communication network 5.
  • Via the communication interface 402, authentication information is received from the information processing terminal 1, the authentication result is received from the authentication proxy server 3, and an external confirmation request is transmitted to the authentication proxy server 3.
  • The communication interface 402 is not limited to communication via the IP network. For example, it also supports data communication by transmission and reception of fixed-length frame data through the dedicated line 51 to the ATM 1c and the dedicated devices 1d to 1f to which a reader/writer is connected.
  • The authentication database 401 is a database device that stores table data T2 for storing personal information, authentication information, and settlement information regarding each user.
  • The authentication database 401 also stores an external confirmation list in which a mobile terminal identifier (mobile phone number) for making an external confirmation request in the external authentication process is associated with each user.
  • The authentication unit 403 is a module that performs authentication processing based on normal authentication information from the information processing terminal 1 and external authentication processing by the authentication proxy server 3, and provides services when these authentication processes are successful. It includes an external confirmation request unit 406 and a main authentication processing unit 407.
  • The external confirmation request unit 406 is a module that transmits external confirmation request data to the confirmation request unit 305 of the authentication proxy server 3 based on the authentication information input in the normal authentication process.
  • The normal authentication process is a general authentication process in which the user ID and password input by the user to the authentication interface unit 110 are directly acquired by the service providing server 4 and, based on this user ID and password, it is authenticated whether or not the accessor is the principal.
  • The external confirmation request data is data for requesting execution of a confirmation request to the mobile terminal 2 in the authentication proxy server 3.
  • When acquiring the authentication information input in the normal authentication process, the external confirmation request unit 406 identifies the user from the user ID included in the acquired authentication information, and collates the external confirmation list in the authentication database 401 to determine whether or not the user is a user requiring an external confirmation request. When the user requires one, external confirmation request data in which the mobile terminal identifier is associated with the form identifier is generated based on the external confirmation list, and this confirmation request data is transmitted to the authentication proxy server 3.
  • The authentication processing unit 407 is a computer, or software having the function thereof, that verifies the legitimacy of an accessor. It is a module that acquires authentication information or an authentication result through the communication network 5 and collates the authentication database 401 to confirm whether the accessor has the right and whether the accessor is the principal.
  • The authentication processing unit 407 has three functions: a normal authentication process for authenticating a user based on an ID and a password, which are authentication information data input through the authentication interface unit 110; an authentication process for authenticating the user based on the authentication result data, including the approval data, transmitted from the authentication result transmission unit 303; and an external authentication process for determining whether or not to provide a service based on the external authentication result data, including the approval data, transmitted from the authentication result transmission unit 303 and on the authentication result of the normal authentication process.
  • The approval unit 408 is a module that executes an approval process by a financial institution.
  • The approval unit 408 collates a user's external confirmation list from the authentication database 401 during the approval process, and is provided with a limit changing unit 409 that switches the limit of the amount related to the approval process based on the external confirmation list.
  • The limit changing unit 409 has an external confirmation list, which is a list of users who require an external confirmation request, and when performing approval, collates the external confirmation list and switches the limit of the amount related to the approval process.
  • This limit setting is effective in minimizing the damage caused by crime, but it has also been pointed out that it does not allow a high-value transfer even for legitimate purposes, and hinders smooth financial procedures.
  • With the authentication agency service according to the present embodiment, it is possible to provide a service for preventing transfer fraud at ATMs and the like. Since users of the service are unlikely to suffer damage from fraud and the like, the limit of the approval process is switched to a high amount only for users of the service, giving priority to the smoothness of financial procedures.
  • The content transmission unit 404 is a module that distributes display information (Web data) that is content information, moving image data, music data, and the like to the information processing terminal 1. It stores information such as HTML documents and images, and transmits predetermined data in accordance with the authentication process from the authentication unit 403.
  • The content transmission unit 404 refers to the form identifier included in the authentication information, and transmits the content information to the target information processing terminal 1.
  • FIG. 5 is a flowchart showing the operation of the mobile authentication proxy system according to the present embodiment.
  • Login authentication at a website
  • The following describes, as an example, the case where the present invention is applied to user authentication when a user logs in to a membership website for online shopping using a general-purpose computer such as a personal computer.
  • The user accesses the service providing server 4 on the Internet using browser software or the like that is activated and executed on the information processing terminal 1 such as a personal computer, and accesses, on the browser, a Web site provided by the service providing server 4.
  • A login form 111a as shown in FIG. 6 is displayed on the display screen 111 of the information processing terminal 1.
  • The user inputs authentication information to the login form 111a through the authentication interface unit 110 (S101).
  • The authentication information input by the user is a user ID and password that are normal authentication information, or a mobile phone number that is a mobile terminal identifier.
  • The user has already registered as a member of the Web site, and the user ID and password for the Web site are set. In the database 301 of the authentication proxy server 3 as well, the user ID and password are registered in association with the user's mobile phone number, with the URL of the service providing server 4 as the destination address.
  • The authentication information type determination unit 125 of the information processing terminal 1 determines whether or not the information input to the authentication interface unit 110 includes the mobile phone number that identifies the mobile terminal 2 (S102). Specifically, the authentication information type determination unit 125 analyzes the input character string; if the character string is of a form such as [090-xxx-xxx-xxx], it determines that the mobile terminal identifier is included, and if the character string is another combination of characters and numbers, it determines that the mobile terminal identifier is not included. The data input to the authentication interface unit 110 is input to the connection destination selection unit 124.
  • When the connection destination selection unit 124 determines that the telephone number is not included in the authentication information (“N” in S102), the connection destination selection unit 124 sets the transmission destination to the service providing server 4 and transmits the authentication information.
  • The authentication unit 403 on the service providing server 4 side receives the authentication information (S103), and performs a normal authentication process based on the authentication information (S112). If the authentication process in step S112 is valid, authentication is permitted (S113), and the authentication permission data is input to the execution process determination unit 122 of the information processing terminal 1 through the communication network 5 to complete the authentication procedure (S114).
  • The user can then receive services from the service providing server 4 on the Web site.
  • When the telephone number is included in the authentication information, the connection destination selection unit 124 sets the transmission destination to the authentication proxy server 3 and sends the input mobile phone number as authentication information. At this time, the connection destination selection unit 124 transmits, as authentication information, the form identifier of the login form 111a and the URL (destination address) of the service providing server 4 that is the login destination, together with the input mobile phone number.
  • The external authentication unit 304 on the authentication proxy server 3 side acquires the authentication information (including the mobile phone number, form identifier, and destination address) (S104), and collates the external authentication database 301 based on the authentication information (S105). Specifically, after identifying the user based on the mobile phone number, a confirmation request is made to the mobile terminal 2 corresponding to the mobile terminal identifier included in the authentication information (S106).
  • The mobile terminal 2 receives the confirmation request data from the authentication proxy server 3 (S107), displays the GUI according to the confirmation request on the output interface 202, and requests a confirmation operation from the user.
  • The user performs a confirmation operation through the input interface 201 (S108).
  • The user performs an operation of approving the procedure if the confirmation request is valid, and performs an operation of rejecting the approval if the user does not recognize the confirmation request.
  • Information on the confirmation operation input in response to the confirmation operation by the user is input to the confirmation operation unit 207.
  • The confirmation operation unit 207 generates approval data from this information and returns the approval data to the confirmation request unit 305 of the authentication proxy server 3 (S109).
  • The confirmation operation unit 207 adds the current position and the current time of the own device measured by the position information acquisition unit 203 to the approval data regardless of whether approval is given.
  • The confirmation request unit 305 of the authentication proxy server 3 acquires the approval data from the mobile terminal 2 (S110), and the external authentication processing unit 306 executes an authentication process based on the approval data. Specifically, when the user approves the confirmation request, authentication result data including a user ID and password registered in advance in the database is generated, and this authentication result data is transmitted from the authentication result transmission unit 303 to the authentication processing unit 407 of the service providing server 4 through the communication network 5 (S111).
  • When the approval is rejected, the ID and password are not transmitted, and a notification that the approval was rejected is transmitted to the service providing server 4.
  • Various measures are conceivable in this case, such as forcibly terminating the procedure in the information processing terminal 1, provisionally carrying out the procedure operation in the information processing terminal 1, or executing emergency processing for unauthorized access on the service providing server 4 side.
  • The authentication processing unit 407 receives the authentication result data and performs the authentication process for determining whether or not to provide the service from the user ID and password included in the authentication result data (S112). If the authentication information is valid, access permission is given to the user (S113), the authentication permission data is input to the execution process determination unit 122 of the information processing terminal 1 through the communication network 5, and the authentication procedure is completed (S114).
  • In this way, the authentication proxy server 3 performs identity verification of the person having the mobile terminal, and the security of the authentication process when accessing the service can be improved.
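The proxy-side steps S104 to S111, including the position check against the permitted range, can be sketched as follows. This is an added example, not code from the patent: the record layout, the bounding-box form of the map data, and all sample values are constructed. Treating an out-of-range position as a rejection and leaving the password out of the log entry are choices of this example.

```javascript
// Constructed stand-in for the external authentication database 301 (table T1).
const EXTERNAL_AUTH_DB = {
  "09012345678": {
    customerName: "Constructed User",
    services: [{
      destinationAddress: "https://shop.example/login",
      formId: "login-form-111a",
      serviceName: "Example shop login",
      userId: "alice01",
      password: "constructed-password",
    }],
  },
};

// Constructed stand-in for the map database 308: one permitted bounding box.
const PERMITTED_RANGE = { minLat: 35.0, maxLat: 36.0, minLon: 139.0, maxLon: 140.0 };

// Constructed authentication information as sent by the terminal (S104).
const SAMPLE_AUTH_INFO = {
  mobileTerminalId: "09012345678",
  formId: "login-form-111a",
  destinationAddress: "https://shop.example/login",
};

// The phone number alone is not enough: the destination address and form
// identifier must also match a service registered for that number.
function findRegistration(db, authInfo) {
  const customer = db[authInfo.mobileTerminalId];
  if (!customer) return null;
  const service = customer.services.find(
    (s) => s.destinationAddress === authInfo.destinationAddress &&
           s.formId === authInfo.formId);
  return service ? { customer, service } : null;
}

// S105-S106: build the confirmation request shown on the handset.
// Returns null for an unregistered combination, so nothing is sent.
function buildConfirmationRequest(db, authInfo) {
  const reg = findRegistration(db, authInfo);
  if (!reg) return null;
  return {
    to: authInfo.mobileTerminalId,
    customerName: reg.customer.customerName,
    serviceName: reg.service.serviceName,
  };
}

function withinPermittedRange(pos, range) {
  return Boolean(pos) && Number.isFinite(pos.lat) && Number.isFinite(pos.lon) &&
    pos.lat >= range.minLat && pos.lat <= range.maxLat &&
    pos.lon >= range.minLon && pos.lon <= range.maxLon;
}

// S110-S111: turn approval data into authentication result data.
// Credentials are attached only when every check passes; any other outcome
// yields a rejection notice without user ID or password.
function processApproval(db, range, authInfo, approval, log) {
  const reg = findRegistration(db, authInfo);
  const inRange = withinPermittedRange(approval.position, range);
  const approved = Boolean(reg) && approval.approved === true &&
    approval.mobileTerminalId === authInfo.mobileTerminalId && inRange;
  const result = {
    destinationAddress: authInfo.destinationAddress,
    formId: authInfo.formId,
    approved,
  };
  if (approved) {
    result.userId = reg.service.userId;
    result.password = reg.service.password;
  }
  // Chronological log entry (log history storage unit 307), written for
  // approvals and rejections alike. The password is deliberately left out.
  log.push({
    time: approval.time,
    mobileTerminalId: authInfo.mobileTerminalId,
    formId: authInfo.formId,
    approved,
    inRange,
    position: approval.position,
  });
  return result;
}
```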
  • FIG. 7 is a flowchart illustrating the case where the mobile authentication agency system and method of the present invention is applied to a financial approval service.
  • In this financial approval service, when a user (purchaser) who purchases a product from a salesperson uses a credit card, the approval is carried out with the mobile information processing terminal 1 used by the salesperson.
  • The sales representative inputs the purchaser's mobile phone number as authentication information, a purchase operation is requested on the purchaser's mobile terminal, and the service is completed after the identity is confirmed.
  • The mobile phone number and credit card authentication information (card number, user name, expiration date, other security information) of the user who is the purchaser are registered in the authentication proxy server 3 in advance.
  • A user purchases a car as a product from a sales person in charge of car sales (S201).
  • The sales representative uses his/her information processing terminal 1 to access the service providing server 4, which is an approval server, and visits the approval page for customers.
  • The authentication interface unit 110 displays an approval input screen for the approval page (S202), and the purchaser is requested to input the mobile phone number on the settlement screen (S203).
  • The sales representative requests the purchaser to input the mobile phone number.
  • The sales representative may input the mobile phone number after hearing it from the purchaser.
  • The information processing terminal 1 of the sales staff may be provided with a camera function having a barcode reader or an image analysis function so as to read a pre-coded telephone number.
  • The purchaser inputs his/her own telephone number on the input screen for approval (S204).
  • The authentication information, that is, the input mobile phone number, is transmitted to the authentication proxy server 3, and the confirmation request unit 305 queries the external authentication database 301 based on the authentication information (S205) and searches for the card information of the purchaser.
  • Confirmation request data is generated and a confirmation request is transmitted to the purchaser's mobile terminal 2 (S206).
  • The mobile terminal 2 owned by the purchaser receives the confirmation request data from the authentication proxy server 3 (S207), displays the confirmation request information on the display screen 202a of the mobile terminal 2 in response to the confirmation request, and requests confirmation.
  • The confirmation request information is display information for confirming whether or not the product price may be paid or transferred to a specific credit card company or a financial institution such as a bank. Then, the purchaser performs a confirmation operation on the confirmation request in the mobile terminal 2 through the input interface 201 (S208).
  • A card folder screen as shown in FIG. 8B may be displayed so that an arbitrary card can be selected.
  • The authentication information of the selected credit card is read from the table data T12 and transmitted to the service providing server 4.
  • When the mobile terminal 2 is operated in response to the confirmation request, the user (purchaser) may be requested to input the minimum necessary security information (for example, the last four digits of the credit card number or the security code on the back of the card).
  • The confirmation operation unit 207 generates this information as approval data and returns the approval data to the confirmation request unit 305 of the authentication proxy server 3 (S209).
  • As the approval data, a message indicating approval is transmitted when the user confirms that the confirmation request is valid, and a message indicating rejection is transmitted when the approval is rejected.
  • The confirmation operation unit 207 adds the current position of the own device measured by the position information acquisition unit 203 and the current time to the approval data, regardless of whether approval is given.
  • The confirmation request unit 305 of the authentication proxy server 3 acquires the approval data from the mobile terminal 2 (S210), and the external authentication processing unit 306 executes an authentication process based on the approval data (S211). Specifically, when the user approves the confirmation request, authentication result data including the card information and bank account information selected by the user is generated, and the authentication result data is transmitted from the authentication result transmission unit 303 through the communication network 5 to the authentication processing unit 407 of the service providing server 4 (S212). On the other hand, when the user rejects the approval, the card information is not transmitted, and a notification that the approval is rejected is transmitted to the service providing server 4.
  • The authentication processing unit 407 receives the authentication result data and performs the authentication process for determining whether or not to provide the service from the user ID and password included in the authentication result data (S213). If the authentication information is valid, access permission is given to the user (S214), the authentication permission data is input to the financial institution through the communication network 5, and the approval process is completed (S214).
  • The user can complete the approval only by inputting the telephone number of the mobile terminal 2 when inputting the authentication information. Therefore, the approval can be completed without the bank card ID and password or the credit card number becoming known to others.
  • FIG. 9 is a flowchart illustrating the case where the mobile authentication proxy system and method of the present invention are applied to a delivery receiving service.
  • In this delivery receipt service, when a user who purchases a product through mail order or the like asks the delivery company to deliver the product, the delivery company confirms the identity of the user when delivering the product and requests confirmation from the user.
  • It is assumed that the user who is the purchaser has registered his/her mobile phone number, transaction number and credit card authentication information (card number, user name, expiration date and other security information) in the authentication proxy server 3 in advance.
  • The seller side ships the product through a delivery company (S303).
  • The delivery company that has received the request delivers the product to the user's home, which is the delivery destination (S304, S305).
  • As identity verification processing, input of a mobile phone number for identity verification is requested on the information processing terminal 1 owned by the delivery company (S306).
  • The delivery company requests the recipient to input the mobile phone number.
  • The delivery company itself may input it after hearing it from the recipient.
  • The information processing terminal 1 of the delivery company may be provided with a camera function including a barcode reader and an image analysis function, a barcode or QR code in which the telephone number is encoded may be printed on the delivery slip of the delivery item, and the encoded telephone number or the like may be read with the barcode reader.
  • The user who is the recipient inputs his/her own telephone number on the input screen displayed on the information processing terminal 1 (S307).
  • The authentication information, that is, the input mobile phone number, is transmitted to the authentication proxy server 3, and the confirmation request unit 305 queries the external authentication database 301 based on the authentication information (S308) and searches for the card information of the purchaser.
  • Confirmation request data is generated and a confirmation request is transmitted to the recipient's mobile terminal 2 (S309).
  • When the mobile terminal 2 owned by the recipient user receives the confirmation request data (S310), the confirmation request information as shown in FIG. 10 is displayed on the display screen 202a, and a confirmation operation is requested from the user.
  • The user confirms the content of the confirmation request displayed on the display screen 202a of the mobile terminal 2 and performs a confirmation operation on the confirmation request through the input interface 201 (S311).
  • The card folder screen may be accessed, an arbitrary card may be selected, and the payment procedure may be performed simultaneously.
  • The authentication information of the selected credit card is read out and transmitted to the service providing server 4.
  • When the user purchases in response to the confirmation request, the user (purchaser) may be requested to input the minimum necessary security information (for example, the last four digits of the credit card number or the security code on the back of the card).
  • The confirmation operation unit 207 generates approval data based on the information on the confirmation operation and returns the approval data to the confirmation request unit 305 of the authentication proxy server 3 (S312). As the approval data, a message indicating approval is transmitted when the user confirms that the confirmation request is valid, and a message indicating rejection is transmitted when the approval is rejected. At this time, the confirmation operation unit 207 adds the current position of the own device measured by the position information acquisition unit 203 and the current time to the approval data, regardless of whether approval is given.
  • The confirmation request unit 305 of the authentication proxy server 3 acquires the approval data from the mobile terminal 2 (S313), and the external authentication processing unit 306 executes an authentication process based on the approval data (S314). Specifically, when the user approves the confirmation request, authentication result data including a user ID and password is generated, and this authentication result data is transmitted from the authentication result transmission unit 303 via the communication network 5 to the main authentication processing unit 407 of the service providing server 4 (S315). The authentication processing unit 407 receives the authentication result data and presents to the delivery person that the recipient has approved. On the other hand, when the user rejects the approval, a notification that the approval is rejected is transmitted to the service providing server 4. The approval may be rejected, for example, when the entered mobile phone number is incorrect or false and the confirmation request is sent to the mobile terminal of a third party who is not present. The information indicating that the approval has been rejected is presented on the information processing terminal 1 of the delivery person.
  • The authentication processing unit 407 receives the authentication result data and determines whether or not to deliver the product according to the service availability notification included in the authentication result data (S316). Specifically, if the authentication information is valid, the authentication permission data is input to the information processing terminal 1 of the delivery company through the communication network 5, the identity verification by the delivery company is completed (S317), and the user can receive the product.
  • By applying the mobile authentication agency system and method to the delivery receipt service, it is possible to confirm at the time of receipt that the person receiving the product is the same person as the recipient.
  • the delivery of the product is prevented, and the delivery agent can deliver the product to the user himself/herself even without being acquainted with the user.
  • FIG. 11 is a flowchart illustrating a case where the mobile authentication agent system and method of the present invention is applied to an unauthorized operation prevention service in ATM.
  • This unauthorized operation prevention service for ATMs is used when the user who owns a cash card of a financial institution such as a bank is an elderly person or a child. When the user makes a money transfer at the ATM, a confirmation request is made to the guardian of the user in order to prevent so-called wire fraud.
  • The user is an elderly person and is listed on the external confirmation list as a user requiring external authentication.
  • A user reads a cash card and inputs a password, which is authentication information, in accordance with the normal operation in order to perform a transfer process or the like at an ATM of a bank or the like (S401).
  • The connection destination selection unit 124 transmits the authentication information to the bank's own service providing server 4, and the external confirmation request unit 406 of the authentication unit 403 acquires the input authentication information as normal authentication information (S402).
  • The external confirmation request unit 406 checks the external confirmation list of users who require an external confirmation request in the authentication database 401 (S403), and searches for the mobile phone number of the mobile terminal 2 owned by the guardian associated with the normal authentication information (S404). Then, the mobile terminal identifier (guardian's mobile phone number) associated with the normal authentication information in the external confirmation list and the form identifier are generated as external confirmation request data, and the external confirmation request data is transmitted to the authentication proxy server 3 (S405).
  • The confirmation request unit 305 of the authentication proxy server 3 receives the external confirmation request data (S407), generates confirmation request data, and transmits the confirmation request data to the guardian's mobile terminal 2 (S407).
  • The confirmation request data is received, a confirmation screen as shown in FIG. 12 is displayed, and the guardian performs a confirmation operation indicating whether or not to approve the confirmation request information (S408).
  • The position information of the ATM can be displayed in the confirmation information, and the guardian can decide on the confirmation operation with this information taken into account.
  • When the guardian performs a confirmation operation, the confirmation operation unit 207 generates approval data based on the confirmation operation and returns the approval data to the confirmation request unit 305 of the authentication proxy server 3 (S409). As the approval data, a message indicating approval is transmitted when the user confirms that the confirmation request is valid, and a message indicating rejection is transmitted when the approval is rejected. At this time, the confirmation operation unit 207 adds the current position of the own device measured by the position information acquisition unit 203 and the current time to the approval data, regardless of whether approval is given.
  • The confirmation request unit 305 of the authentication proxy server 3 acquires the approval data from the mobile terminal 2 (S410), and the external authentication processing unit 306 executes the authentication process based on the approval data (S411). Specifically, when the guardian approves the confirmation request, external authentication result data notifying of the approval is generated. Then, the external authentication result data is transmitted from the authentication result transmission unit 303 to the main authentication processing unit 407 of the service providing server 4 through the communication network 5 (S412). On the other hand, when the guardian rejects the approval, a notification that the approval is rejected is transmitted to the service providing server 4.
  • The authentication processing unit 407 receives the authentication result data (S413) and performs the authentication process for determining whether to provide the service based on the external authentication result including the approval data and the authentication result of the normal authentication process. If the authentication information is valid, authentication is permitted (S414), and the authentication permission data is input to the ATM via the communication network 5 to enable the ATM procedure (S415). On the other hand, if the data of the administrator's confirmation operation indicates that approval was not given, the ATM transaction ends.
  • The user's administrator can confirm the execution of the ATM processing and can prevent transfer fraud and the like.
  • FIG. 13 is a flowchart for the case where the authentication agency system according to the present embodiment is applied to a credit approval service in a store.
  • FIG. 14 is an explanatory diagram showing a display screen (payment confirmation screen) of the mobile terminal according to the present embodiment.
  • This credit approval service is a service in which, when a user who purchases a product makes a payment with a credit card at a store that sells the product or provides the service, a dedicated device with a reader/writer installed in the store is used, a confirmation operation is requested on the purchaser's mobile terminal, and the approval is completed without an input process such as a password or signature.
  • A user purchases a product or receives a service at a store (S501).
  • The user selects credit card payment as the purchase method.
  • The user presents the credit card (S502).
  • The store salesperson reads the information on the credit card using a dedicated reading device (S503).
  • The read credit card authentication information is transmitted to the financial institution, which is the service providing server 4 (S504).
  • On acquiring the authentication information read from the credit card (S505), the external confirmation request unit 406 identifies the user from the credit card number included in the acquired authentication information, checks the external confirmation list in the authentication database 401 (S506), and determines whether or not the user is a user who requires an external confirmation request (S507).
  • A password input request message is displayed on the display screen 111 of the store-side reading device, and the user is requested to input the password (S508).
  • The user inputs his/her password, and this password is transmitted to the authentication processing unit 407.
  • The authentication processing unit 407 receives the password and performs the authentication process for determining whether to provide the service from the credit card number and the password (S519). If the authentication information is valid, access permission is given to the user (S520), and the approval process is completed (S521).
  • The confirmation request unit 305 receives the confirmation request data (S510), queries the external authentication database 301 based on the authentication information, searches for the purchaser's card information, generates confirmation request data, and transmits a confirmation request to the purchaser's mobile terminal 2 (S511).
  • The mobile terminal 2 owned by the purchaser receives the confirmation request data from the authentication proxy server 3 (S512), displays confirmation request information on the display screen 202a of the mobile terminal 2 in response to the confirmation request, and requests confirmation.
  • The confirmation request information is display information for confirming whether or not the payment process for the product price may be executed with respect to a financial institution of a specific credit card company, for example. Then, the purchaser performs a confirmation operation on the confirmation request in the mobile terminal 2 through the input interface 201 (S513).
  • The confirmation operation unit 207 generates this information as approval data and returns the approval data to the confirmation request unit 305 of the authentication proxy server 3 (S514).
  • As the approval data, a message indicating approval is transmitted when the user confirms that the confirmation request is valid, and a message indicating rejection is transmitted when the approval is rejected.
  • The confirmation operation unit 207 adds the current position of the own device measured by the position information acquisition unit 203 and the current time to the approval data, regardless of whether approval is given.
  • The confirmation request unit 305 of the authentication proxy server 3 acquires the approval data from the mobile terminal 2 (S515), and the external authentication processing unit 306 executes the authentication process based on the approval data (S516). Specifically, when the user approves the confirmation request, authentication result data including a credit card ID and password is generated, and this authentication result data is transmitted from the authentication result transmission unit 303 through the communication network 5 to the authentication processing unit 407 of the service providing server 4 (S517). On the other hand, when the user rejects the approval, the card information is not transmitted, and a notification that the approval is rejected is transmitted to the service providing server 4.
  • The authentication processing unit 407 receives the authentication result data and performs the authentication process for determining whether or not to provide the service from the user ID and password included in the authentication result data (S519). If the authentication information is valid, access permission is given to the user (S520), the authentication permission data is input to the financial institution through the communication network 5, and the approval process is completed (S521).
  • The result of the payment process is transmitted to the information processing terminal 1, and the information processing terminal 1 receives the result of the payment process (S522) and displays the result of the settlement process on its display screen 111 (S523).
  • a message input by the user is valid and the approval is completed.
  • the password is invalid.
  • The user receives a product (S524).
  • The user does not need to input a password, and the approval can be completed only by the confirmation operation on the mobile terminal 2.
  • The approval can be completed without any other person learning the password of the credit card.
  • The confirmation request unit 305 notifies the mobile terminal 2 owned by the user himself/herself of the request asking whether authentication is permitted or not. Since the user himself/herself can determine whether or not authentication is to be permitted, security can be improved and safe authentication can be performed.
  • the next operation is authenticated only by a confirmation operation. It is possible to receive services by simplifying.
  • The confirmation request can be transmitted from the authentication result transmission unit 303 to any mobile terminal, so the present invention can be used even when, for example, the user who inputs authentication information on the information processing terminal 1 and the user who performs the confirmation operation on the mobile terminal 2 are not the same person. For example, even if a child or elderly person who is a user makes a transfer at an ATM as in the above-described embodiment, a confirmation request is notified to the guardian of the user, so the guardian side can decide whether or not the withdrawal process is permitted and excessive deductions can be prevented. This allows a wider variety of services, such as supporting a service scheme that prevents transfer fraud and the like.
  • A confirmation request is made to the mobile terminal 2 when the authentication information type determination unit 125 determines that the mobile terminal identifier is included. Since the notification destination of the authentication information can be changed according to the determination result of the authentication information type determination unit 125, the system according to the present invention can be used in combination with a conventional security system in which an ID and password are input.
  • The mobile terminal 2 has a position information acquisition unit 203 that measures the current position of the own device, and the confirmation operation unit 207 adds the current position of the own device measured by the position information acquisition unit 203 to the approval data and returns the approval data to the confirmation request unit 305.
  • The external authentication processing unit 306 has map information describing the range in which authentication is permitted and determines whether or not the current location of the mobile terminal falls within that predetermined range. Whether authentication for service provision is permitted can therefore be controlled by linking the location information of the mobile terminal held by the user to the user authentication information and approval data, which increases the security of the authentication system using the mobile terminal.
  • The authentication interface unit 110 of the information processing terminal 1 has a function of adding its own form identifier to the authentication information. The authentication proxy server 3 can therefore acquire the form identifier of the authentication interface unit 110 and transmit the authentication result to the destination address obtained by checking the external authentication database 301 based on the form identifier.
  • The authentication processing unit 407 that is the transmission destination of the authentication result can be specified. Once authentication processing has been performed on the information processing terminal 1, the authentication information associated with that authentication processing can be used to omit the authentication procedure for other Web services, so the user can authenticate easily.
  • The user authentication is performed as a normal authentication process by the ATM's own authentication system, and when the normal authentication process succeeds, a confirmation request to the mobile terminal 2 is further transmitted to the authentication proxy server 3 as an external confirmation request, so that an approval procedure through the mobile terminal 2 can be requested.
  • Whether the service can be provided is determined based on the external authentication result transmitted from the authentication proxy server 3 and the authentication result of the original normal authentication process. Even if the operator of the information processing terminal 1 is, for example, a child or an elderly person, the external confirmation request is notified to the guardian who is the external confirmation request destination, so unintentional transfers can be prevented. This allows a wider variety of services, such as supporting a service scheme that prevents transfer fraud and the like.
  • the service providing server 4 has an approval unit 408 that executes an approval process by a financial institution
  • an external confirmation list of a user who requires an external confirmation request is provided, and the limit change unit 409
  • the approval unit 408 collates the user's external confirmation list, and switches the limit amount for the approval process based on the external confirmation list. Since the rate of incidents and accidents can be reduced by introducing the authentication agency service according to this embodiment, users of this service are listed on the external confirmation list.
  • the change unit 409 can switch the limit amount, for example, by increasing the limit amount of the approval process, thereby improving the convenience and safety of the user and smoothing the approval process for the financial institution.
  • In a normal credit settlement process using a credit card at a store as well, a confirmation request is made to the mobile terminal 2 as an external confirmation request, whereby an input process such as a password or signature can be omitted and the approval can be completed without the credit card password becoming known to others.
  • FIG. 15 is a conceptual diagram showing the overall configuration of the authentication agent system according to the present embodiment.
  • The same components as those in the first embodiment described above are denoted by the same reference numerals; their functions and the like are the same unless otherwise specified, and their description is omitted.
  • the authentication proxy server 3 that performs the authentication proxy process and the main authentication process, the radio base station 6,
  • the mobile terminal 2 capable of wireless communication through the wireless base station 6 or the communication satellite 7 is provided.
  • An approval unit 500 that executes a settlement process is connected to the authentication proxy server 3.
  • The information processing terminal 1 (1a to 1f) is a user terminal having a calculation processing function by a CPU and a communication processing function by a communication interface.
  • a general-purpose computer such as a personal computer, an ATM
  • This is a dedicated device that specializes functions such as a reader / writer.
  • The ATM (1c) and the dedicated devices 1d to 1f provided with a reader/writer are connected to the communication network 5.
  • The authentication proxy server 3 is a server device that is arranged on the communication network 5 and centrally manages the authentication proxy for the user, and executes processing related to normal authentication and authentication proxy. Also in this embodiment, the authentication proxy server 3 can be composed of a plurality of types of server groups such as a Web server and a database server in addition to a single server device.
  • FIG. 16 is a block diagram illustrating an internal configuration of an information processing terminal, a mobile terminal, an approval unit, and an authentication server that constitute an authentication proxy service according to the present embodiment.
  • The information processing terminal 1 includes a form identifier adding unit 114, an application execution unit 123, a content acquisition unit 121, and an execution process determination unit 122.
  • The form identifier adding unit 114 acquires the form identifier set to specify the authentication interface unit that is the target of the user operation, and adds the acquired form identifier to the authentication information input through the operation device interface 113. The authentication information to which the form identifier is added is transmitted to the application execution unit 123.
  • The application execution unit 123 is a module that executes an application such as a general OS, browser software, or a media viewing application.
  • the application execution unit 123 is transmitted from the authentication interface 110 as shown in FIG.
  • the authentication information is distributed to the authentication proxy server 3 via the communication interface 101 without determining the type of the authentication information.
  • The content acquisition unit 121 is a module that receives content data such as HTML from the authentication proxy server 3 through the communication network 5. The content data downloaded by the content acquisition unit 121 is converted into video/audio signals by the application execution unit 123 and output from the display screen 111 or the speaker through the output interface 115.
  • The execution process determination unit 122 is a module that determines whether or not a condition related to the execution of content data is satisfied and restricts execution of the application by the application execution unit 123.
  • The condition determined by the execution process determination unit 122 is the authentication result transmitted from the authentication proxy server 3, and the execution of the application is restricted based on the authentication result.
  • The authentication proxy server 3 includes an authentication unit 312, an authentication database 310, an authentication information type determination unit 315, a connection destination selection unit 316, a content transmission unit 309, and a log history storage unit 307.
  • The authentication information type determination unit 315 is a module that determines whether or not the authentication information transmitted from the information processing terminal 1 includes a mobile terminal identifier that identifies a predetermined mobile terminal 2.
  • The mobile terminal identifier in the present embodiment is a telephone number that identifies the mobile terminal that performs the confirmation operation.
  • The authentication information type determination unit 315 examines the number of characters, the type, and the format of the character string input by the user on the operation device.
  • When the input authentication information is a character string consisting only of 11 digits and beginning with "090" or "080", the input authentication information is determined to be a mobile terminal identifier.
  • A character string in any other format is determined to be a normal authentication ID or password.
  • The determination result of the authentication information type determination unit 315 is input to the connection destination selection unit 316.
  • The connection destination selection unit 316 is a module that determines a connection destination according to the type of the received authentication information.
  • The connection destination selection unit 316 acquires the determination result of the authentication information type determination unit 315. When the determination result indicates that the mobile terminal identifier is included in the authentication information, the connection destination is the confirmation request unit 313, and when the determination result indicates that the mobile terminal identifier is not included in the authentication information, the connection destination is the authentication processing unit 314.
  • The authentication unit 312 performs an authentication process based on normal authentication information from the information processing terminal 1, a confirmation request to the mobile terminal 2, and an authentication process based on the approval data produced by the user's confirmation operation in response to that confirmation request.
  • The confirmation request unit 313 is a module that obtains authentication information from the information processing terminal 1, makes a confirmation request to the mobile terminal 2 based on the authentication information, and obtains the approval data produced by the user's confirmation operation in response to the confirmation request.
  • The confirmation request unit 313 refers to the authentication database 310 based on the mobile terminal identifier included in the authentication information transmitted from the connection destination selection unit 316, acquires the name of the customer who owns the mobile terminal and the service content of the confirmation request, and generates confirmation request data. It then transmits the confirmation request data to the mobile terminal 2 having the destination address corresponding to the mobile terminal identifier. The confirmation request unit 313 also generates confirmation request data in response to a confirmation request transmitted from the authentication processing unit 314 and sends it to the mobile terminal 2 having the destination address corresponding to the mobile terminal identifier.
  • The authentication processing unit 314 is a computer that verifies the legitimacy of an accessor, or software having that function.
  • The authentication processing unit 314 is a module that acquires authentication information or approval data through the communication network 5 and, by checking it against the authentication database 310, confirms whether the accessor has the right to access and whether the accessor is the person himself or herself.
  • The authentication unit 312 has functions for executing three processes: a normal authentication process that authenticates the user based on the ID and password input as authentication information through the authentication interface unit 110; an authentication process that requests approval data from the mobile terminal 2 and authenticates the user based on that approval data; and a double authentication process that determines whether or not to provide a service based on the approval data transmitted from the mobile terminal 2 and the authentication result of the normal authentication process.
  • The normal authentication process acquires the user ID and password input by the user to the authentication interface unit 110, checks the authentication database 310 based on this user ID and password, and authenticates whether or not the accessor is the principal.
  • The authentication process based on the approval data acquires the approval data generated by the confirmation operation performed in response to the confirmation request data, and authenticates whether or not the accessor is the principal based on that approval data.
  • The double authentication process executes both the normal authentication process and the authentication process based on the approval data.
  • In the double authentication process, when the authentication processing unit 314 acquires the authentication information input in the normal authentication process, it identifies the user from the user ID included in the acquired authentication information and collates the confirmation list in the authentication database 310 to determine whether or not the user is one who requires a confirmation request.
  • Confirmation request data in which the mobile terminal identifier is associated with the form identifier is generated based on the confirmation list, and the confirmation request data is transmitted to the confirmation request unit 313.
  • The confirmation request unit 313 makes a confirmation request to the mobile terminal 2 based on the confirmation request data, and the authentication processing unit 314 receives the approval data for the confirmation request.
  • The confirmation request unit 313 executes authentication processing based on the approval data transmitted from the mobile terminal 2 and also performs normal authentication processing based on the user ID and password.
  • The authentication database 310 is a database device that stores table data T1, in which the form identifier of the information processing terminal 1, the user information ID, the password, and the destination address are associated with a telephone number that is a mobile terminal identifier, and table data T2 and the like, which store personal information about each user, authentication information, and settlement information. It searches for and outputs predetermined data in accordance with an instruction from the authentication unit 312.
  • The table data T1 is a relational database in which a plurality of tables are related to one another, as shown in FIG. 4. The customer master table T10 related to registered users, the registration service data T11, which is information on the service scheduled to be used by the user, and the card information table T12 related to the credit card used by the user are linked by relations.
  • The content transmission unit 309 is a module that distributes content information such as display information (Web data), moving image data, and music data to the information processing terminal 1. It accumulates information such as HTML documents and images, and transmits predetermined data according to the authentication process of the authentication unit 312.
  • The content transmission unit 309 refers to the form identifier included in the authentication information and transmits the content information to the target information processing terminal 1.
  • The log history storage unit 307 is a storage device that accumulates the approval data transmitted from the mobile terminal 2 as log data together with the authentication information. Specifically, when the authentication process is executed by the authentication unit 312, the same information as the authentication result output to the content transmission unit 309 is copied and output to the log history storage unit 307, and the authentication result history (log) is stored in chronological order.
  • The approval unit 500 is a general server device that can be accessed from the authentication unit 312 of the authentication proxy server 3, and has a function of executing an approval process by a financial institution.
  • During the approval process performed by the authentication unit 312, the approval unit 500 collates the user confirmation list from the authentication database 310 and switches the limit amount for the approval process based on the confirmation list.
  • The limit amount changing unit 501 has a confirmation list, which is a list of users requiring a confirmation request. During the approval process, the limit amount changing unit 501 checks the confirmation list and switches the limit amount for the approval process.
  • The authentication information type is determined on the authentication proxy server 3 side: the information processing terminal 1 transmits the authentication information to the authentication proxy server 3 without determining the type of the input authentication information, and the authentication result is returned to it. Processing in the information processing terminal 1 can therefore be reduced, and the apparatus can be made smaller and lighter.
  • Since the authentication proxy server 3 executes both the confirmation request process and the main authentication process, the apparatuses that execute the authentication process can be unified, reducing the number of parts and consolidating information.
  • Control unit; 121 ... Content acquisition unit; 122 ... Execution process determination unit; 123 ... Application execution unit; 124 ... Connection destination selection unit; 12 ... Authentication information type determination unit; 126 ... Output signal generation unit; 201 ... Input interface; 202 ... Output interface; 202a ... Display screen; 203 ... Position information acquisition unit; 204 ... Control unit; 205 ... Connection processing unit; 206 ... Wireless interface; 207 ... Confirmation operation unit; 301 ... External authentication database; 302 ... Communication interface; 303 ... Authentication result transmission unit; 304 ... External authentication unit; 305 ... Confirmation request unit; 306 ... External authentication processing unit; 307 ... Log history storage unit; 308 ... Map database; 309 ... Content transmission unit; 310 ... Authentication database
  • 312 ... Authentication unit; 313 ... Confirmation request unit; 314 ... Authentication processing unit; 315 ... Authentication information type determination unit; 316 ... Connection destination selection unit; 401 ... Real authentication database; 402 ... Communication interface; 403 ... Real authentication unit; 404 ... Content transmission unit; 406 ... External confirmation request unit; 407 ... Real authentication processing unit; 408 ... Approval unit; 409 ... Limit amount changing unit; 500 ... Approval unit; 501 ... Limit amount changing unit

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Telephonic Communication Services (AREA)

Abstract

In order to authenticate an information processing terminal (1) connected to a communication network (5) using a mobile terminal (2), provided is a mobile proxy authentication system which authenticates a user in the information processing terminal (1) connected to the communication network (5) using the mobile terminal (2) which the user carries. Said mobile proxy authentication system comprises an authentication interface unit (110) which accepts an input of authentication information in the information processing terminal (1), a confirmation request unit (305) which acquires the authentication information inputted in the authentication interface unit (110) and makes a confirmation request to the mobile terminal (2) on the basis of the authentication information, a confirmation operation unit (207) which requests the user to perform a confirmation operation in response to the confirmation request and sends approval data to the confirmation request unit (305) in response to the confirmation operation by the user in the mobile terminal (2), an external authentication processing unit (306) which performs authentication processing on the basis of the approval data, and an authentication result sending unit (303) which sends the result of authentication by the external authentication processing unit (306) to the communication network.

Description

Mobile authentication agent system and mobile authentication agent method
The present invention relates to a mobile authentication agent system and a mobile authentication agent method for authenticating an information processing terminal connected to a communication network using a mobile terminal.
Recently, the use of electronic payments and electronic money over networks has been increasing rapidly. In such network transactions, how to ensure security is an important issue, and strict identity authentication is necessary so that no one other than the person authorized to connect can make an unauthorized connection.
Conventionally, authentication systems have been proposed that confirm a user's legitimacy before permitting the user to use network resources from a terminal (for example, Patent Document 1). In the authentication system disclosed in Patent Document 1, the mobile terminal identifier and ID of a mobile terminal registered in advance are used as the authentication targets. The user performs an authentication procedure from the mobile terminal to obtain a temporary password (one-time password), and then uses that temporary password to connect to the server from another communication terminal such as a PC. By using a mobile terminal separate from the communication terminal that uses the service, a service with security ensured can be provided to the user.
Japanese Patent Laid-Open No. 2004-240637
However, in the method described above, the user first enters an ID on the mobile terminal to obtain a one-time password, and authentication is then completed by entering the ID and the one-time password on another communication terminal. The user is therefore required to perform the input operation twice, which makes the operation cumbersome.
In addition, in the authentication system disclosed in Patent Document 1, the one-time password must be sent to the user's own mobile terminal, so the person who owns the mobile terminal that receives the one-time password and the person who performs the login operation from another communication terminal such as a PC had to be the same person.
For this reason, the invention disclosed in Patent Document 1 cannot be applied to a service system in which the owner of the mobile terminal and the person receiving the service are different. For example, when the victim of a crime such as bank transfer fraud tries to perform a transfer operation at an ATM, the one-time password goes to the mobile terminal of the elderly person performing the transfer, so the victim can proceed with the transfer operation alone. When the victim is an elderly person, for instance, the guardian cannot remotely monitor the transfer process, and such a crime cannot be prevented in advance.
The present invention solves the problems described above. Its object is to provide a mobile authentication agent system and a mobile authentication agent method that, when authenticating an information processing terminal connected to a communication network, use a mobile terminal to perform authentication simply and safely and allow a variety of services.
To solve the above problems, the present invention is a mobile authentication agent system that uses a mobile terminal carried by a user to authenticate that user at an arbitrary information processing terminal connected to a communication network. The system has: an authentication interface unit that accepts input of authentication information on the information processing terminal; a confirmation request unit that is arranged on the communication network, acquires the authentication information input in the interface unit, and makes a confirmation request to the mobile terminal based on the authentication information; a confirmation operation unit that, on the mobile terminal, requests a confirmation operation from the user in response to the confirmation request and returns approval data to the confirmation request unit in response to the user's confirmation operation; an authentication processing unit that is arranged on the communication network, acquires the approval data, and executes an authentication process based on the approval data; and an authentication result transmission unit that transmits the authentication result of the authentication processing unit over the communication network.
Further, the present invention is a mobile authentication agent method that uses a mobile terminal carried by a user to authenticate the user at an arbitrary information processing terminal connected to a communication network, the method having:
(1) an authentication information input step of inputting authentication information through the authentication interface unit on the information processing terminal;
(2) a confirmation request step of acquiring the authentication information input in the interface unit at a confirmation request unit installed on the communication network and making a confirmation request to the mobile terminal based on the authentication information;
(3) a confirmation operation step of, on the mobile terminal, requesting a confirmation operation from the user in response to the confirmation request and returning approval data to the confirmation request unit in response to the user's confirmation operation;
(4) an authentication processing step of acquiring the approval data at an authentication processing unit arranged on the communication network and executing an authentication process based on the approval data; and
(5) an authentication result transmission step of transmitting the authentication result of the authentication processing step over the communication network.
According to the present invention, when authentication information is entered into an information processing terminal used to receive a service, such as a PC, an ATM, or a dedicated device equipped with a card reader, the confirmation request unit on the communication network requests a confirmation operation on the mobile terminal owned by the user, and the authentication process is performed only after the approval of the user (or the user's guardian or the like) has been obtained. This improves security and allows safe authentication.
In the present invention, when the user receives a service via the communication network, the user performs an input operation on the information processing terminal and a confirmation operation on the mobile terminal. The input operation enters the telephone number of the mobile terminal to which the confirmation request for receiving the service is sent, while the confirmation operation returns whether the confirmation request is accepted or refused. Once the user has performed the input operation on the information processing terminal, the only remaining operation before authentication is the confirmation operation, so the user's input procedure is simplified.
According to the present invention, the confirmation request can be sent not only to the user being authenticated, who is operating the information processing terminal, but also to a mobile terminal carried by another user, and the authentication result of that confirmation operation can be sent to, for example, an authentication server on the service provider side. Therefore, even when the user being authenticated is a child or an elderly person who tries to use a remittance service from an information processing terminal such as an ATM, the confirmation request is sent to the user's guardian, who can decide whether to allow the transfer, and procedures that would complete a bank transfer fraud or the like can be prevented. The present invention can thus be applied to a service system that prevents bank transfer fraud and the like, and allows a variety of services.
In the above invention, it is preferable that an authentication information type determination unit is provided, arranged on the communication network, that determines whether the authentication information input to the authentication interface unit includes a mobile terminal identifier identifying a predetermined mobile terminal, and that the confirmation request unit makes the confirmation request to the mobile terminal when the authentication information type determination unit determines that a mobile terminal identifier is included.
In this case, the authentication information type determination unit on the information processing terminal side determines whether the input authentication information is a mobile phone number or a normal ID and password, and the destination to which the authentication information is sent can be changed according to the result. The system according to the present invention can therefore be introduced alongside a conventional security system in which an ID and password are entered. Moreover, simply by adding a function that recognizes a mobile terminal identifier to the interface of an existing authentication system, an authentication process with an identity confirmation phase based on a confirmation request can easily be added, so the present invention can be introduced with a small capital investment.
In the above invention, it is preferable that the mobile terminal has a position information acquisition unit that measures its own current position, that the confirmation operation unit adds the current position measured by the position information acquisition unit to the approval data before returning the approval data to the confirmation request unit, and that the authentication processing unit holds map information describing the range in which authentication is permitted and, during the authentication process, refers to the map information to determine whether the current position of the mobile terminal falls within the predetermined range. In this case, in addition to the user's authentication information and approval data, the position information of the user's mobile terminal can be checked against the map information, so more reliable approval data can be obtained based on the position of the mobile terminal that performs the confirmation, and the security of an authentication system that uses a mobile terminal is increased.
In the above invention, it is preferable that a form identifier identifying the authentication interface unit is set in the authentication interface unit, that the authentication interface unit has a function of adding its own form identifier to the authentication information, that the authentication result transmission unit has a database that stores the form identifier in association with a destination address identifying the real authentication processing unit that performs normal authentication processing through the authentication interface unit, and that the authentication result transmission unit acquires the form identifier of the authentication interface unit and transmits the authentication result to the destination address obtained by collating the database based on the form identifier.
In this case, because the form identifier of the authentication interface unit is associated with the destination address identifying the real authentication processing unit, the real authentication processing unit to which the authentication result is to be sent can be identified. By transmitting the result of the authentication that used the mobile telephone to the real authentication processing unit, the real authentication processing unit can carry out its authentication procedure using that result. Therefore, once the input operation has been performed on the information processing terminal, the authentication information tied to that authentication process can be used, the operation of entering the authentication information again can be omitted, and security can be further strengthened.
In the above invention, it is preferable to further have a service providing unit that authenticates the user, as a normal authentication process, based on the authentication information input through the authentication interface unit and provides a service when the normal authentication process succeeds, and an external confirmation request unit, provided on the service providing unit side, that sends to the confirmation request unit, as an external confirmation request, a request to execute a confirmation request to the mobile terminal based on the authentication information input in the normal authentication process. The authentication result transmission unit transmits the authentication result based on the approval data to the service providing unit as an external authentication result, and the service providing unit decides whether to provide the service based on the external authentication result transmitted from the authentication result transmission unit and the authentication result of the normal authentication process.
In this case, even when the normal authentication procedure of entering an ID and password on the information processing terminal has been performed, a confirmation operation can be requested on the mobile terminal through the confirmation request unit to decide whether the authentication is allowed, so a variety of services can be offered and security is improved. Specifically, even when a user who is a child or an elderly person makes a transfer at an ATM, for example, the external confirmation request is sent to the user's guardian, who is the external confirmation request destination, so the guardian can decide whether to allow the transfer operation and crime can be prevented.
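The routing and combined decision described above, as an added Python sketch that is not part of the patent or of any BizMobile code: it applies the first embodiment's rule that a string of exactly 11 digits beginning with "090" or "080" is a mobile terminal identifier, and provides the service only when both the normal authentication and the confirmation succeed. The `confirm` callback, the record layout, and every sample value are assumptions constructed for illustration.

```python
import hmac
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set, Tuple

# Rule stated in the embodiment: exactly 11 digits beginning with "090" or
# "080". [0-9] with fullmatch() keeps full-width digits and a trailing
# newline from passing, which \d and a "$" anchor would let through.
MOBILE_ID = re.compile(r"(?:090|080)[0-9]{8}")


def is_mobile_terminal_identifier(value: str) -> bool:
    """Role of the authentication information type determination unit 315."""
    return MOBILE_ID.fullmatch(value) is not None


@dataclass
class UserRecord:                      # hypothetical layout, not table T1 itself
    user_id: str
    password: str                      # constructed sample; keep a salted hash in practice
    confirm_phone: Optional[str]       # confirmation-list entry, e.g. a guardian's phone


# Hypothetical transport to the mobile terminal: returns True (approved),
# False (refused) or None (no answer before the timeout).
Confirm = Callable[[str, str], Optional[bool]]


@dataclass
class AuthProxy:
    users: Dict[str, UserRecord]
    registered_phones: Set[str]
    confirm: Confirm
    log: List[Tuple[str, str, bool]] = field(default_factory=list)

    def authenticate(self, form_id: str, credential: str, password: str = "") -> bool:
        """Role of the connection destination selection unit 316."""
        if is_mobile_terminal_identifier(credential):
            route, ok = "confirmation", self._by_confirmation(form_id, credential)
        else:
            route, ok = "normal", self._by_id_and_password(form_id, credential, password)
        self.log.append((form_id, route, ok))   # result history, in order of arrival
        return ok

    def _by_confirmation(self, form_id: str, phone: str) -> bool:
        if phone not in self.registered_phones:
            return False                        # unknown number: no request is sent
        return self.confirm(phone, form_id) is True   # a timeout (None) is a denial

    def _by_id_and_password(self, form_id: str, user_id: str, password: str) -> bool:
        user = self.users.get(user_id)
        expected = user.password if user else ""
        same = hmac.compare_digest(password.encode(), expected.encode())
        if user is None or not same:
            return False                        # normal authentication failed
        if user.confirm_phone is None:
            return True                         # user is not on the confirmation list
        # Double authentication: the listed phone must also approve.
        return self.confirm(user.confirm_phone, form_id) is True


if __name__ == "__main__":
    # Constructed sample data: the listed phone approves every request.
    users = {"taro": UserRecord("taro", "pw-taro", "09000000001")}
    proxy = AuthProxy(users, {"09000000001"}, lambda phone, form_id: True)
    print(proxy.authenticate("form-A", "09000000001"))      # confirmation route
    print(proxy.authenticate("form-A", "taro", "pw-taro"))  # normal route plus approval
    print(proxy.log)
```

Because the route is chosen from the format of the input alone, a user ID that happens to be 11 digits starting with 090 or 080 would never reach the password check, so ID allocation has to exclude that pattern.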
 上記発明において、サービス提供部は、金融機関による決裁処理を実行する決裁機能を有し、外部確認要求部は、外部確認要求を必要とするユーザーの外部確認リストを有し、決裁機能は、決裁処理に際し、ユーザーの外部確認リストを照合し、外部確認リストに基づいて、決裁処理に係る金額の限度額を切り換える限度額変更機能を有することが好ましい。この場合には、本発明を導入することにより事件や事故の発生率を低減することができるため、本発明の利用者をリスト化し、リストアップされたユーザーについては決裁処理の限度額を増加させるなど、限度額を切り換えるサービスを導入することができ、ユーザーの利便性及び安全性を向上させつつ、金融機関に対する決裁処理を円滑なものとすることができる。 In the above invention, the service providing unit has an approval function for executing an approval process by a financial institution, the external confirmation requesting unit has an external confirmation list of a user who requires an external confirmation request, and the approval function is an approval function. In the process, it is preferable to have a limit change function for checking the external confirmation list of the user and switching the limit of the amount related to the approval process based on the external confirmation list. In this case, by introducing the present invention, it is possible to reduce the incidence of incidents and accidents, so list the users of the present invention and increase the limit of the approval process for the listed users For example, a service for switching the limit amount can be introduced, so that the convenience and safety of the user can be improved, and the approval process for the financial institution can be made smooth.
As described above, according to the present invention, when electronic commerce from a personal computer on the Internet, or financial approval through an ATM or a dedicated device equipped with a card reader, is used and an information processing terminal connected to a communication network is to be authenticated, identity verification or approval by a guardian or the like is carried out using the mobile terminal used by the user or by the user's guardian. Authentication can thus be performed simply and safely, and the flexibility of security services is increased so that services can be diversified.
A conceptual diagram showing the overall configuration of the authentication proxy system according to the first embodiment.
An explanatory diagram showing an outline of the authentication proxy service according to the first embodiment.
A block diagram showing the internal configuration of the information processing terminal, the authentication proxy server, the mobile terminal and the main authentication server that constitute the authentication proxy system according to the first embodiment.
An explanatory diagram showing the data structure of the table data T1 according to the first embodiment.
A flowchart for the case where the authentication proxy system according to the first embodiment is applied to an online shopping login service.
An explanatory diagram showing the display screen (login screen) of the mobile terminal according to the first embodiment.
A flowchart for the case where the authentication proxy system according to the first embodiment is applied to a merchandise sales service.
An explanatory diagram showing the display screen (payment confirmation screen) of the mobile terminal according to the first embodiment.
A flowchart for the case where the authentication proxy system according to the first embodiment is applied to a home-delivery receipt service.
An explanatory diagram showing the display screen (receipt confirmation screen) of the mobile terminal according to the first embodiment.
A flowchart for the case where the authentication proxy system according to the first embodiment is applied to an ATM service.
An explanatory diagram showing the display screen (fraudulent payment prevention screen) of the mobile terminal according to the first embodiment.
A flowchart for the case where the authentication proxy system according to the first embodiment is applied to a credit approval service at a store.
An explanatory diagram showing the display screen (payment confirmation screen) of the mobile terminal according to the first embodiment.
A conceptual diagram showing the overall configuration of the authentication proxy system according to the second embodiment.
A block diagram showing the internal configuration of the information processing terminal, the mobile terminal, the approval unit and the authentication server that constitute the authentication proxy service according to the second embodiment.
[First Embodiment]
(Overall configuration of the authentication proxy system)
A first embodiment of the authentication proxy system according to the present invention is described in detail below with reference to the accompanying drawings. FIG. 1 is a conceptual diagram showing the overall configuration of the authentication proxy system according to this embodiment, and FIG. 2 is an explanatory diagram showing an outline of the authentication proxy service according to this embodiment.
As shown in FIG. 1, the authentication proxy system is a system that performs, or assists, user authentication at any information processing terminal 1 (1a to 1f) connected to the communication network 5 by carrying out identity verification and procedure approval using the mobile terminal 2 carried by the user who receives the service. In this embodiment, the system comprises, on the communication network 5, the information processing terminals 1 (1a to 1f), the service providing server 4, the authentication proxy server 3, the wireless base station 6, and the mobile terminal 2, which is capable of wireless communication through the wireless base station 6 or the communication satellite 7.
The communication network 5 is an IP network, such as the Internet, that uses the TCP/IP communication protocol. It is a distributed communication network built by interconnecting various communication lines (public lines such as telephone, ISDN, ADSL and optical lines; dedicated lines; and wireless communication networks). The communication network 5 also includes LANs such as intranets (corporate networks) and home networks based on 10BASE-T, 100BASE-TX and the like.
The information processing terminal 1 (1a to 1f) is a user terminal with an arithmetic processing function provided by a CPU and a communication processing function provided by a communication interface. It can be realized, for example, by a general-purpose computer such as a personal computer or by a dedicated device with specialized functions such as an ATM or a card reader, and it also includes mobile computers, PDAs (Personal Digital Assistance), mobile phones and the like. In this embodiment, 1a is a general-purpose computer such as a personal computer, 1b is a portable information terminal such as a mobile phone or PDA, 1c is an ATM terminal connected to the dedicated line 51, and 1d to 1f are dedicated devices with a card reader function that are installed in stores such as restaurants and convenience stores and connected to the dedicated line 51.
The dedicated line 51 is a dedicated communication line that directly connects the server 4 to the terminals 1c to 1f, such as the ATM. It includes lines, such as ATM (Asynchronous Transfer Mode) lines, that send and receive fixed-length data by asynchronous transfer mode or frame relay.
An ATM terminal is an automated teller machine, a device with which withdrawals, deposits and transfers can be made using a card or passbook. A card reader is a contact or contactless device that reads information from a card such as a credit card or cash card. Contact devices include the insertion-type device 1d, into whose slot a card carrying an IC chip or a magnetic card is inserted, and the cash register device 1e, which reads the magnetic portion of a card as the card is swiped. Contactless devices include the reader/writer device 1f, which exchanges data by weak radio waves with an IC-chip card that has an internal antenna for short-range communication.
The information processing terminals 1a to 1f have either a browser function, which accesses the Internet (the communication network 5) to send and receive data, or an interactive operation function implemented by a dedicated program. The browser function is application software, run on a general-purpose computer, PDA or the like, for viewing Web pages: it downloads HTML (HyperText Markup Language) files, image files, music files and so on from the Internet, analyzes their layout, and displays or plays them. With the browser function, the user can also send data to the service providing server 4 through a form, which is a GUI, and run application software written in JavaScript, Flash, Java (registered trademark) and the like. The interactive operation function is a dedicated program executed in a dedicated device such as an ATM. It displays screens to the user and accepts input operations through a touch panel or the like, and uses its communication function to exchange data with a device on the service provider side (for example, the service providing server 4).
As shown in FIG. 2, when the user receives a service, the browser function and the interactive operation function display the login form 111a on the information processing terminals 1a to 1f and accept authentication information entered by the user. Here, the authentication information includes, in addition to an ID and password, a mobile phone number, which is the mobile terminal identifier.
In this embodiment, the information processing terminal 1 also determines whether the authentication information entered through the browser function or the interactive operation function contains a mobile terminal identifier that identifies the mobile terminal 2. If a mobile terminal identifier is contained, the terminal sends that identifier to the authentication proxy server 3 as authentication information data D1. If the entered authentication information does not contain a mobile terminal identifier, the terminal sends the authentication information to the service providing server 4 as normal authentication information data D2.
The mobile terminal 2 is a portable telephone capable of communicating by wireless. The mobile phone communicates wirelessly with a relay point such as a base station, so that communication services such as calls and data communication can be received while on the move. Communication systems for the mobile terminal 2 include, for example, FDMA, TDMA, CDMA and W-CDMA, as well as PHS (Personal Handyphone System). The mobile terminal 2 is also equipped with functions such as a digital camera function, an application software execution function and a GPS function, and also serves as a personal digital assistant (PDA).
In this embodiment, the mobile terminal 2 receives the confirmation request data D3 from the authentication proxy server 3, asks the user to perform a confirmation operation, and, in response to the user's confirmation operation, returns the approval data D4 to the authentication proxy server 3. The user of the mobile terminal 2 may be the person being authenticated, who performs the authentication processing at the information processing terminal 1, or may be that person's guardian or the like. Reception of the confirmation request data D3, input of the confirmation operation and transmission of the approval data D4 can be performed with a dedicated module or operation buttons provided on the mobile terminal 2. Alternatively, the browser function described above may be provided on the mobile terminal 2, with information displayed and user operations entered through a GUI built with the browser function.
The information processing terminal 1b and the mobile terminal 2 send and receive radio signals through the wireless base station 6 to carry out calls and data communication. The wireless base station 6 is connected to the communication network 5 through the gateway device 8. It establishes a wireless communication connection between the mobile terminal 2 and the wireless base station 6 and provides calls and data communication for the mobile terminal 2. The wireless base station 6 may be, for example, a small-scale base station called a femtocell, which covers a narrow area with a radius of about 10 m. In this case, the wireless base station 6 is connected to an HSS (Home Subscriber Server) on the network (not shown) through the communication network 5, such as a public line network of optical fiber or ADSL serving as the backbone, or an IP network. The HSS is a server that manages which cell each mobile terminal is located in, and serves as a location information acquisition unit.
Specifically, the HSS receives the location registration request sent from the mobile terminal 2, together with the base station identification information assigned to the femtocell base station, and identifies the location of the mobile terminal 2. When the cell in which the terminal is located changes, for example because the user moves, the mobile terminal 2 sends this location registration request to the femtocell base station that manages the new cell. The base station identification information assigned to that femtocell base station is sent to the HSS together with the location registration request, so the HSS can track the user's location in real time.
The service providing server 4 is a general communication server distributed on the communication network 5. It is a server computer, or software with that function, that sends information such as HTML (HyperText Markup Language) files, image files and music files in a document system such as the WWW (World Wide Web). It stores information such as HTML documents and images and delivers content (Web pages) in response to requests from applications, such as a Web browser, running on the information processing terminal 1.
In particular, in this embodiment, the service providing server 4 is an entity that executes service-related processing on instruction from the authentication proxy server 3. Specifically, on receiving the normal authentication information data D2 sent from the information processing terminal 1, or the authentication result data D5 sent from the authentication proxy server 3, the service providing server 4 performs the main authentication processing and starts providing the service to the user. If the service provider is a server that distributes digital content such as e-mail, images and video, the service may be, for example, delivery of e-mail with the digital content attached or presentation of a Web page. If the service providing server 4 is a server that handles financial approval, the service may be presentation of a Web page for the financial approval, acceptance of payment processing, and so on.
The authentication proxy server 3 is a server device that is placed on the communication network 5 and manages proxy authentication of users. It is connected to the service providing server 4 via the communication network 5 and, in cooperation with the service providing server 4, executes proxy authentication processing either in place of the service providing server 4 or in addition to the normal authentication processing in the service providing server 4.
That is, the way the service providing server 4 cooperates with the authentication proxy server 3 differs according to the type of business of the service it provides and the level of security at the service providing server 4. For example, the following patterns can be supported.
(a) The service providing server 4 has no authentication system of its own and delegates the entire authentication process to the authentication proxy server 3. The service providing server 4 manages access from users based solely on the authentication result received from the authentication proxy server 3.
(b) The service providing server 4 also has its own normal authentication system. When normal authentication information such as an ID and password is entered, the service providing server 4 itself executes the normal authentication processing. When the entered authentication information is the telephone number of a mobile terminal, the authentication processing in the authentication proxy server 3 is performed first, the service providing server 4 then executes its normal authentication processing using the authentication result from the authentication proxy server 3, and access from users is managed based on the double authentication result.
(c) The service providing server 4 also has its own normal authentication system and normally executes the normal authentication processing itself, using an ID and password or the like. When the entered authentication information belongs to a specific user, the service providing server 4 requests authentication processing from the authentication proxy server 3 and manages access from users based on both its own authentication result and the authentication result from the authentication proxy server 3.
In this embodiment, the authentication proxy server 3 also, based on the authentication information data D1 sent from the information processing terminal 1 or the external confirmation request data D6 sent from the service providing server 4, issues a confirmation request to the mobile terminal 2 asking for confirmation of the authentication operation, and executes approval processing based on the approval data D4 returned from the mobile terminal 2.
(Internal structure of each device)
Next, the internal structure of each device constituting the authentication proxy system described above is explained. FIG. 3 is a block diagram showing the internal configuration of the information processing terminal 1, the authentication proxy server 3, the mobile terminal 2 and the service providing server 4 that constitute the authentication proxy system according to this embodiment, and FIG. 4 is an explanatory diagram showing an example of a confirmation request displayed on the display of the mobile terminal 2 according to this embodiment. A "module" in this description is a functional unit for achieving a given operation, made up of hardware such as an apparatus or device, software having that function, or a combination of these.
(1) Information processing terminal 1
As shown in FIG. 3, the information processing terminal 1 includes a communication interface 101 as its communication module, an authentication interface unit 110 as its user interface module, and a control unit 120 as the service execution module that provides the service.
The communication interface 101 is a communication interface that sends various data such as authentication information and receives various data such as authentication permission data and content data. Each item of data received by the communication interface 101 is input to the control unit 120.
The authentication interface unit 110 is the module on the information processing terminal 1 that accepts authentication information entered by user operation. It includes an output interface 115, a display screen 111, an operation device interface 113, and an operation signal detection unit 112.
The output interface 115 is a module that outputs video and audio output signals from the display screen 111 and from speakers or the like, respectively. The display screen 111 is a display device such as a liquid crystal display and can display Web information and the like through the login form 111a generated by a Web application or the like.
The operation device interface 113 is a module to which operation and input devices such as a mouse, a keyboard or a reader/writer are connected. It accepts input signals based on user operation of operation buttons, a touch panel and the like, and information read by the reader/writer. With these operation devices, the user can enter a keyword for displaying a Web page, authentication information such as an ID, password or telephone number, and authentication information such as a credit card.
The operation signal detection unit 112 is a module that acquires operation signals from the operation devices based on user operation. In particular, in this embodiment, the operation signal detection unit 112 detects the authentication information entered by user operation as data and sends this authentication information data to the form identifier addition unit 114.
The form identifier addition unit 114 is a module that acquires a form identifier, which is set so as to identify the authentication interface unit that is the target of the user operation, and attaches the acquired form identifier to the authentication information entered through the operation device interface 113. The form identifier is the URL of the Web page displayed in the browser, or an identifier assigned to an input form within that Web page, and it is extracted from the Web page when the browser function loads the page. When the information processing terminal 1 is a device such as an ATM, for example, the form identifier is an identifier that identifies the series of transaction operations (the transaction) by the user, and a reference number such as a transaction number may be used.
The authentication interface unit 110 can output video and audio through the output interface 115, and operation signals from operation devices such as a mouse or keyboard are input as user operations through the operation device interface 113. The display screen 111 displays a Web page, user operations such as clicks and character input on the Web page become possible, and input of authentication information is accepted.
The control unit 120 is an arithmetic processing unit such as a CPU, and each functional module is constructed virtually by executing various programs on the control unit 120. In this embodiment, executing a given program constructs an application execution unit 123, a content acquisition unit 121, and an execution process determination unit 122 in the control unit 120.
The content acquisition unit 121 is a module that receives content data such as HTML from the service providing server 4 through the communication network 5. The content data downloaded by the content acquisition unit 121 is converted into video and audio signals by the application execution unit 123 and output from the display screen 111 and speakers through the output interface 115.
The execution process determination unit 122 is a module that determines whether the conditions for executing content data have been satisfied and restricts execution of applications by the application execution unit 123. In this embodiment, the condition determined by the execution process determination unit 122 is the authentication result sent from the service providing server 4, and execution of the application is restricted based on this authentication result.
The application execution unit 123 is a module that executes applications such as a general OS, browser software and media viewing applications. It includes an output signal generation unit 126, an authentication information type determination unit 125, and a connection destination selection unit 124.
The output signal generation unit 126 is a module that converts the results of application execution by the application execution unit 123, and the content data acquired by the content acquisition unit 121, into video and audio signals in a form that can be output by the display screen 111 and speakers. Because the application execution unit 123 also controls the GUI, the output signal generation unit 126 also generates the graphics needed to display the GUI, and the generated graphics are displayed on the display screen 111 through the output I/F 115.
The authentication information type determination unit 125 consists of a script embedded in the HTML describing the Web page, a module of the dedicated program, or the like. It is a module that determines whether the authentication information entered into the authentication interface unit 110 contains a mobile terminal identifier that identifies a given mobile terminal 2. Specifically, the mobile terminal identifier in this embodiment is the telephone number identifying the mobile terminal that performs the confirmation operation. The authentication information type determination unit 125 analyzes the number of characters, the character type and the format of the string the user entered with the operation device. When the entered authentication information is a string consisting only of 11 digits and beginning with "090" or "080", the unit judges the entered authentication information to be a mobile terminal identifier, and it judges a string in any other format to be an ID or password for normal authentication. The determination result of the authentication information type determination unit 125 is input to the connection destination selection unit 124.
The connection destination selection unit 124 is a module that decides the connection destination on the communication network 5 according to the type of authentication information entered into the authentication interface unit 110. In this embodiment it obtains the determination result from the authentication information type determination unit 125. If the result is that the authentication information entered by the user contains a mobile terminal identifier, the connection destination is the authentication proxy server 3; if the result is that the authentication information does not contain a mobile terminal identifier, the connection destination is the service providing server 4.
The control unit 120 also includes a memory (not shown), a cache memory, and the like. The cache memory is, for example, a volatile memory device that temporarily holds downloaded content data. The memory is a storage device in which content data is written and permanently saved when the user has downloaded the content data and authentication permission has been obtained; it can be realized by a non-volatile memory device, a hard disk, or the like. This memory may be built into the information processing terminal, may be removable like a memory card, or may be a storage device connected by a USB cable or the like.
(2) Authentication proxy server 3
The authentication proxy server 3 can be a single server device or a group of several kinds of servers such as a Web server and a database server. In this embodiment it includes a communication interface 302, an external authentication unit 304, a confirmation request unit 305, an external authentication database 301, a log history storage unit 307, and an authentication result transmission unit 303.
The communication interface 302 is a module that sends and receives various data as packet data over an IP network such as the communication network 5. In this embodiment, authentication information data is received from the information processing terminal 1 or the service providing server 4 through the communication interface 302, and authentication permission data is sent to the service providing server 4. The communication interface 302 is also connected to the wireless base station 6 through the communication network 5 and the public line network, and can exchange various data with the mobile terminal 2 through the wireless base station 6. In this embodiment, confirmation request data is sent to the mobile terminal 2 and approval data is received from the mobile terminal 2.
The external authentication database 301 is a database device that stores table data T1 and the like, in which a telephone number (the mobile terminal identifier) is associated with the form identifier of the information processing terminal 1 and with user information, namely an ID, a password and a destination address. It searches for and outputs the required data according to instructions from the external authentication unit 304. In this embodiment, as shown in FIG. 4, the table data T1 is a relational database in which several tables are linked by relations: the customer master table T10 for registered users is related to the registered service data T11, which holds information on the services the user plans to use, and to the card information table T12, which holds the credit cards the user uses.
In the customer master table T10, each registered member is given a unique registration ID as the member registration ID for the authentication proxy service. Indexed by this registration ID, the table records customer information and the mobile phone number used for identity confirmation, or the mobile phone number of the supervisor who approves the procedure (for example the guardian of a minor or an elderly person). In the registered service data T11, the URL of the server to be accessed is registered in advance as the destination address for each service the user uses. For each destination address, the table records the form ID accepted as the access source, the user ID and password needed at login, and any other authentication information required. The destination address is data such as a URL that identifies the service providing server 4 (main authentication processing unit) that performs normal authentication processing. The card information table T12 is data for providing a card folder service: several credit cards available to each user are registered, and the user can set the credit card to use for each service or choose any credit card at each payment.
With this relational structure, the table data T1 links a mobile phone number to one registered user ID (the member registration ID for the authentication proxy service) and, for each service that user plans to use, to the user ID, password, destination address and form identifier needed for login. As a result, in this embodiment several services can be associated with the telephone number of a single mobile phone. When the information processing terminal 1 specifies the destination address unique to a service, the external authentication database 301 is searched with it, which lets the authentication proxy server 3 identify which service providing server's service the authentication process concerns.
The log history storage unit 307 is a storage device that accumulates the approval data sent from the mobile terminal 2, together with the authentication information, as log data. Specifically, when the external authentication unit 304 outputs an authentication result to the authentication result transmission unit 303, the same information is also copied to the log history storage unit 307 and stored in chronological order as a history (log) of authentication results.
The external authentication unit 304 is a module that, based on the authentication information received by the communication interface 302, asks the user through the mobile terminal 2 whether to approve the authentication process. In this embodiment it includes the confirmation request unit 305 and an external authentication processing unit 306.
The confirmation request unit 305 is a module that obtains authentication information from the information processing terminal 1, sends a confirmation request to the mobile terminal 2 based on that authentication information, and obtains the approval data produced by the user's confirmation operation in response to the request. The authentication information received by the confirmation request unit 305 includes the telephone number of the mobile terminal 2 sent from the information processing terminal 1 and the external confirmation request (user ID and so on) sent from the service providing server 4.
Specifically, when the authentication information entered in the authentication interface unit 110 of the information processing terminal 1 contains a mobile terminal identifier (telephone number), the confirmation request unit 305 looks up the external authentication database 301 with that identifier, obtains the name of the customer who owns the mobile terminal and the service content of the confirmation request, and generates confirmation request data. It then sends the confirmation request data to the mobile terminal 2 whose destination address corresponds to the mobile terminal identifier, and receives the approval data sent back from that mobile terminal 2.
The external authentication processing unit 306 is a module that obtains the approval data sent from the mobile terminal 2 and performs the authentication process on the service's behalf (external authentication) based on that data. It decides whether to authenticate according to whether the user approved.
The external authentication processing unit 306 also has a map database 308 that stores map information describing the range in which authentication is permitted. During authentication it refers to the map information in the map database 308, compares it with the position information data obtained from the mobile terminal 2, and determines whether the current position of the mobile terminal 2 is within the prescribed range.
The external authentication processing unit 306 also generates authentication result data by consulting the external authentication database 301. The authentication result data contains the approval data that was obtained, the user ID and password needed for normal authentication, and the form identifier contained in the authentication information that was obtained. This authentication result data is sent to the service providing server 4 according to the destination address.
The authentication result transmission unit 303 is a module that sends the authentication result data from the external authentication processing unit 306 to the service providing server 4 over the communication network 5. Specifically, it obtains the form identifier or destination address of the authentication interface unit 110, looks up the external authentication database 301 with the form identifier or destination address, and sends the user ID and password that form the authentication result to the destination address as authentication result data. In this embodiment the authentication result transmission unit 303 also has a function of sending the authentication result based on the approval data to the service providing server 4 as external authentication result data.
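The lookup and result assembly described for the external authentication database 301 and the external authentication processing unit 306, as an added JavaScript example that is not code from the patent. The table layout, field names, URLs, sample rows and the bounding-box model of the permitted range are assumptions, and the stored password is left out of the log entry as a choice of this example.

```javascript
// Constructed sample data standing in for table data T1 (all values are placeholders).
const sampleDb = {
  customers: [ // customer master table T10
    { registrationId: "R001", name: "Sample User", phone: "09012345678" },
  ],
  services: [ // registered service data T11: one row per registered service
    { registrationId: "R001", destinationAddress: "https://shop.example/login",
      allowedFormIds: ["form-login-1"], userId: "sample_user", password: "stored-secret" },
    { registrationId: "R001", destinationAddress: "https://bank.example/login",
      allowedFormIds: ["form-atm-7"], userId: "sample_user_bank", password: "other-secret" },
  ],
  log: [], // log history storage unit 307
};

// Resolve (telephone number, destination address, form identifier) to one T11 row.
// All three must match what was registered; the terminal only supplies lookup keys.
function findRegisteredService(db, authInfo) {
  const customer = db.customers.find((c) => c.phone === authInfo.mobileTerminalId);
  if (!customer) return null;
  const service = db.services.find((s) =>
    s.registrationId === customer.registrationId &&
    s.destinationAddress === authInfo.destinationAddress &&
    s.allowedFormIds.includes(authInfo.formId));
  return service ? { customer, service } : null;
}

// Confirmation request data for the mobile terminal: customer name and service content.
function buildConfirmationRequest(db, authInfo) {
  const match = findRegisteredService(db, authInfo);
  if (!match) return null;
  return { to: match.customer.phone, customerName: match.customer.name,
           service: match.service.destinationAddress };
}

// Assumption: the permitted range from the map database is a lat/lon bounding box.
function withinArea(position, area) {
  return Boolean(position) &&
    position.lat >= area.south && position.lat <= area.north &&
    position.lon >= area.west && position.lon <= area.east;
}

// External authentication: registered service, explicit user approval and (when an
// area is configured) a reported position inside it are all required.
function externalAuthenticate(db, authInfo, approval, area) {
  const match = findRegisteredService(db, authInfo);
  let outcome;
  if (!match) {
    outcome = { ok: false, reason: "not-registered" };
  } else if (!approval || approval.approved !== true) {
    outcome = { ok: false, reason: "not-approved" };
  } else if (area && !withinArea(approval.position, area)) {
    outcome = { ok: false, reason: "out-of-area" };
  } else {
    // Authentication result data: approval, stored credentials and form identifier,
    // addressed to the registered destination rather than to a client-chosen one.
    outcome = { ok: true, approved: true, formId: authInfo.formId,
                destinationAddress: match.service.destinationAddress,
                userId: match.service.userId, password: match.service.password };
  }
  // Chronological log of every decision, without the stored password.
  db.log.push({ at: new Date().toISOString(), phone: authInfo.mobileTerminalId,
                destinationAddress: authInfo.destinationAddress,
                ok: outcome.ok, reason: outcome.reason || null });
  return outcome;
}
```

Because the stored user ID and password are released on approval, the match on registered destination address and form ID is what keeps a request from an unregistered form or site from obtaining them.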
(3) Mobile terminal 2
The mobile terminal 2 is an information processing terminal with a communication function, such as a mobile telephone or a PDA. In addition to the modules needed for ordinary wireless calls, it includes an input interface 201, an output interface 202, a position information acquisition unit 203, a control unit 204, and a wireless interface 206.
The wireless interface 206 has a function for wireless communication using a mobile communication protocol for calls and for wireless communication using a data communication protocol such as wireless LAN. For data communication it has a transceiver conforming to IEEE 802.11b for wireless LAN connection, and it is assigned an ESSID that matches the wireless base station 6 so that it can be authenticated by this system. When the mobile terminal 2 is a mobile computer or a PDA, the data communication function of the wireless interface 206 can be realized by a wireless LAN adapter or the like.
The input interface 201 is a device for entering user operations, such as operation buttons, a touch panel or a jog dial, and the output interface 202 is a device that outputs video and sound, such as a display or a speaker. In this embodiment, as shown in FIG. 6 and elsewhere, the input interface 201 and the output interface 202 display a GUI based on the confirmation request data on the display screen 202a, and the user performs the confirmation operation through this GUI, using the operation buttons or the like to approve or not.
The position information acquisition unit 203 is a module that measures the current position of the terminal. For example, it computes the coordinates of the current position from the GPS signal from the communication satellite 7, or the mobile terminal 2 obtains its own position from radio conditions such as the base station identifier of the wireless base station 6 and the signal strength from that base station. The position information acquisition unit 203 may also have a function that detects access points installed nearby, queries an AP database on the communication network for the positions of those access points, and estimates the terminal's current position.
The connection processing unit 205 is a module for connecting to the wireless base station 6 by wireless communication. It sends an identifier that specifies the terminal (telephone number, IP address or user ID) to the wireless base station 6 to be connected to, and is authenticated.
The control unit 204 is an arithmetic processing device such as a CPU. By executing various programs on the control unit 204, each functional module is constructed virtually; in this embodiment a confirmation operation unit 207 is constructed on the control unit 204.
The confirmation operation unit 207 is a module that asks the user to perform a confirmation operation in response to a confirmation request and returns approval data to the authentication proxy server 3 according to the user's confirmation operation. Specifically, the confirmation operation unit 207 displays a confirmation request screen on the display of the output interface 202 in response to the confirmation request data sent from the confirmation request unit 305. It then obtains the confirmation operation signal from the input interface 201, generates approval data from that signal, and returns the approval data to the confirmation request unit 305.
The confirmation operation unit 207 also has a function of attaching the terminal's current position, as measured by the position information acquisition unit 203, to the approval data before returning the approval data to the confirmation request unit 305.
(4) Service providing server 4
The service providing server 4 is a server device for running various services; it may be a single device or a group of server devices. The service providing server 4 needs to perform authentication when providing a service, and this can take various forms: authentication by its own authentication system, full delegation to the authentication proxy server 3, or a combination of normal authentication (main authentication processing) by its own authentication system with provisional authentication processing by the authentication proxy server 3. This embodiment combines normal authentication by the server's own authentication system with external authentication processing by the authentication proxy server 3. Specifically, the service providing server 4 includes a communication interface 402, a content transmission unit 404, a main authentication unit 403, a main authentication database 401, and an approval unit 408.
The communication interface 402 is a module that sends and receives various data as packets over the communication network 5. In this embodiment, authentication information is received from the information processing terminal 1 and authentication results are received from the authentication proxy server 3 through the communication interface 402, and external confirmation requests are sent to the authentication proxy server 3. The communication interface 402 is not limited to communication over the IP network: for the ATM 1c and for the dedicated devices 1d to 1f to which a reader/writer is connected, for example, it also supports data communication by sending and receiving fixed-length frame data over the dedicated line 51.
The main authentication database 401 is a database device that stores table data T2 holding personal information, authentication information and settlement information for each user. The main authentication database 401 also stores an external confirmation list that associates, for each user, the mobile terminal identifier (mobile phone number) to which the external confirmation request in external authentication processing is made.
The main authentication unit 403 is a module that performs authentication based on normal authentication information from the information processing terminal 1 and external authentication processing through the authentication proxy server 3, and provides the service when these authentication processes succeed. It includes an external confirmation request unit 406 and a main authentication processing unit 407.
The external confirmation request unit 406 is a module that sends external confirmation request data to the confirmation request unit 305 of the authentication proxy server 3, based on the authentication information entered in normal authentication processing. Normal authentication processing here means ordinary authentication: the service providing server 4 directly obtains the user ID and password that the user entered into the authentication interface unit 110 and, based on them, authenticates whether the person accessing is the account holder. External confirmation request data is data that asks the authentication proxy server 3 to carry out a confirmation request to the mobile terminal 2.
Specifically, when the external confirmation request unit 406 obtains the authentication information entered in normal authentication processing, it identifies the user from the user ID contained in that information, checks the external confirmation list in the main authentication database 401 for that user, and determines whether the user is one who requires an external confirmation request. If the user requires external authentication, it generates external confirmation request data that associates the mobile terminal identifier with the form identifier based on the external confirmation list, and sends this confirmation request data to the authentication proxy server 3.
The main authentication processing unit 407 is a computer, or software with the same function, that verifies the legitimacy of the person accessing. It obtains authentication information or an authentication result through the communication network 5 and, by checking it against the main authentication database 401, confirms whether the person accessing has the right to do so and whether that person is the account holder.
In this embodiment in particular, the main authentication processing unit 407 has three functions: normal authentication processing, which authenticates the user based on the ID and password entered as authentication information data through the authentication interface unit 110; authentication processing, which authenticates the user based on the authentication result data, including the approval data, sent from the authentication result transmission unit 303; and external authentication processing, which decides whether to provide the service based on the external authentication result data, including the approval data, sent from the authentication result transmission unit 303 together with the result of normal authentication processing.
The approval unit 408 is a module that executes approval processing by a financial institution. In this embodiment, the approval unit 408 has a limit changing unit 409 that, during approval processing, checks the user's external confirmation list from the main authentication database 401 and switches the monetary limit applied to the approval processing based on that list.
The limit changing unit 409 holds the external confirmation list, a list of the users who require an external confirmation request. At approval time it checks this list and switches the monetary limit applied to the approval processing. In recent years, limits have often been set on transfers made at ATMs in order to minimize losses from transfers made unwillingly, such as in bank transfer fraud. Such limits are effective in minimizing the damage from crime, but it has also been pointed out that they prevent large transfers even for legitimate purposes and so get in the way of smooth financial procedures. As described later, the authentication proxy service of this embodiment can provide a service that prevents bank transfer fraud at ATMs and the like. Since damage from fraud is unlikely for users of this service, the limit changing unit 409 raises the approval limit for users of the service only, giving priority to smooth financial procedures.
The content transmission unit 404 is a module that delivers content information, such as display information (Web data), video data and music data, to the information processing terminal 1. It stores information such as HTML documents and images and sends the required data according to the authentication processing of the main authentication unit 403. The content transmission unit 404 refers to the form identifier contained in the authentication information and sends the content information to the intended information processing terminal 1.
(Authentication proxy method)
The mobile authentication proxy method of the present invention can be carried out by operating the mobile authentication proxy system configured as described above. FIG. 5 is a flowchart showing the operation of the mobile authentication proxy system according to this embodiment.
(1) Login authentication at a Web site
Here, the case where the present invention is applied to user authentication when a user logs in to a members-only Web site, for example in online shopping using a general-purpose computer such as a personal computer, is described as an example.
As shown in FIG. 5, the user first uses browser software or the like running on the information processing terminal 1, such as a personal computer, to reach the service providing server 4 on the Internet and opens the Web site provided by that service providing server 4 in the browser. A login form 111a, as shown in FIG. 6, is then displayed on the display screen 111 of the information processing terminal 1.
The user enters authentication information into the login form 111a through the authentication interface unit 110 (S101). The authentication information the user enters is either the user ID and password, which are normal authentication information, or the mobile phone number, which is the mobile terminal identifier. In this embodiment it is assumed that the user has already registered as a member of the Web site and that a user ID and password for the Web site have been set. It is also assumed that, on the authentication proxy server 3, the service provided by the service providing server 4 has been specified and that the user ID and password have been registered in the database 301 in association with the user's mobile phone number, with the URL of the service providing server 4 as the destination address.
In response to this input, the authentication information type determination unit 125 of the information processing terminal 1 determines whether the information entered into the authentication interface unit 110 contains a mobile phone number that specifies the mobile terminal 2 (S102). Specifically, the authentication information type determination unit 125 analyzes the entered string: if the string is of the form [090-××××-××××] or the like, it judges that a mobile terminal identifier is included; if the string is any other combination of letters and digits, it judges that no mobile terminal identifier is included. The data entered into the authentication interface unit 110 is then passed to the connection destination selection unit 124.
When the connection destination selection unit 124 determines that the authentication information does not contain a telephone number ("N" in S102), it sets the service providing server 4 as the destination and transmits the authentication information. The main authentication unit 403 on the service providing server 4 side receives the authentication information (S103) and performs normal authentication processing based on it (S112). If the authentication in step S112 is valid, authentication is granted (S113), the authentication permission data is input to the execution process determination unit 122 of the information processing terminal 1 through the communication network 5, and the authentication procedure is complete (S114). Once the authentication procedure succeeds, the user can receive the service provided by the service providing server 4 on the Web site.
If, on the other hand, the authentication information contains a telephone number in step S102 ("Y" in S102), the connection destination selection unit 124 sets the authentication proxy server 3 as the destination and transmits the entered mobile phone number as authentication information. Together with the entered mobile phone number, the connection destination selection unit 124 also transmits, as authentication information, the form identifier of the login form 111a and the URL (destination address) of the service providing server 4 that is the login destination.
The external authentication unit 304 on the authentication proxy server 3 side then acquires this authentication information (including the mobile phone number, form identifier and destination address) (S104) and checks it against the external authentication database 301 (S105). Specifically, after identifying the user from the mobile phone number, it sends a confirmation request to the mobile terminal 2 corresponding to the mobile identifier contained in the authentication information (S106).
The mobile terminal 2 receives the confirmation request data from the authentication proxy server 3 (S107), displays a GUI corresponding to the confirmation request on the output interface 202, and asks the user to perform a confirmation operation. The user performs the confirmation operation through the input interface 201 (S108): if the confirmation request is legitimate, the user approves the procedure; if the user does not recognize the request, the user refuses approval. The information entered by this confirmation operation is input to the confirmation operation unit 207, which generates approval data from it and returns the approval data to the confirmation request unit 305 of the authentication proxy server 3 (S109). The approval data states that the user approved the confirmation request as legitimate, or that the user refused approval, as the case may be. Regardless of whether approval was given, the confirmation operation unit 207 also attaches to the approval data the terminal's current position, as measured by the position information acquisition unit 203, and the current time.
The confirmation request unit 305 of the authentication proxy server 3 acquires the approval data from the mobile terminal 2 (S110), and the external authentication processing unit 306 executes authentication processing based on the approval data. Specifically, when the user has approved the confirmation request, it generates authentication result data containing the user ID and password registered in the database in advance, and the authentication result transmission unit 303 transmits this authentication result data through the communication network 5 to the main authentication processing unit 407 of the service providing server 4 (S111).
If, on the other hand, the user refuses approval, the ID and password are not transmitted, and a notification that approval was refused is sent to the service providing server 4. Besides notifying the service providing server 4, various responses to a refusal are conceivable, such as forcibly terminating the procedure on the information processing terminal 1, or provisionally letting the procedure on the information processing terminal 1 proceed while the service providing server 4 executes emergency processing for unauthorized access.
Next, the main authentication processing unit 407 receives the authentication result data and performs main authentication processing, which decides from the user ID and password contained in the authentication result data whether the service may be provided (S112). If the authentication information is valid, access is granted to the user (S113), the authentication permission data is input to the execution process determination unit 122 of the information processing terminal 1 through the communication network 5, and the authentication procedure is complete (S114).
When the present invention is applied to login authentication on a Web site in this way, the authentication proxy server 3 can verify the identity of the person holding the mobile terminal in addition to the normal authentication processing that the Web site performs on its own, which improves the security of authentication when the service is accessed.
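The routing decision in S102 and the proxy's conditional release of the stored credentials (S104 to S111), as an added Python example that is not part of the patent. The phone-number pattern, all class and function names, the rejection of unregistered numbers and the sample registrations are assumptions constructed for illustration.

```python
import hmac
import re
from dataclasses import dataclass
from datetime import datetime, timezone

SERVICE_URL = "https://service.example/login"   # constructed destination address
# Assumption: mobile numbers look like 090-xxxx-xxxx (hyphens optional).
PHONE_RE = re.compile(r"0[789]0-?\d{4}-?\d{4}")


def contains_mobile_identifier(text):
    """S102: decide whether the entered string is a mobile phone number."""
    return PHONE_RE.fullmatch(text.strip()) is not None


def normalize(phone):
    """Strip hyphens so lookups use one canonical form (hypothetical helper)."""
    return phone.strip().replace("-", "")


@dataclass
class Approval:
    """Approval data returned by the mobile terminal (S109)."""
    approved: bool
    position: tuple      # attached whether or not the user approved
    timestamp: datetime


class MobileTerminal:
    """Mobile terminal 2; `decide` stands in for the user's action on the GUI."""
    def __init__(self, decide, position):
        self.decide = decide
        self.position = position

    def confirm(self, request):                      # S107-S109
        return Approval(bool(self.decide(request)), self.position,
                        datetime.now(timezone.utc))


class ServiceServer:
    """Service providing server 4: normal authentication (S112-S113)."""
    def __init__(self, accounts):
        self.accounts = accounts                     # user ID -> password
        self.attempts = []                           # user IDs presented to this server
        self.rejections = 0                          # rejection notices received

    def authenticate(self, user_id, password):
        self.attempts.append(user_id)
        expected = self.accounts.get(user_id)
        return expected is not None and hmac.compare_digest(
            expected.encode(), (password or "").encode())

    def notify_rejected(self):
        self.rejections += 1


class AuthProxy:
    """Authentication proxy server 3 (S104-S111)."""
    def __init__(self, database, terminals, service):
        self.database = database     # (phone, destination URL) -> (user ID, password)
        self.terminals = terminals   # phone -> MobileTerminal
        self.service = service
        self.audit = []              # approval data kept for every answer

    def handle(self, phone, form_id, destination):
        record = self.database.get((phone, destination))          # S105
        terminal = self.terminals.get(phone)
        if record is None or terminal is None:
            return "rejected"        # assumption: unregistered numbers fail closed
        approval = terminal.confirm({"form": form_id, "destination": destination})  # S106
        self.audit.append((phone, approval))                      # S110
        if not approval.approved:
            self.service.notify_rejected()   # notice only, no ID or password sent
            return "rejected"
        user_id, password = record                                # S111
        return "granted" if self.service.authenticate(user_id, password) else "denied"


def login(entered, password, proxy, service, form_id="111a"):
    """Information processing terminal 1: S101, S102 and destination selection."""
    if contains_mobile_identifier(entered):
        return proxy.handle(normalize(entered), form_id, SERVICE_URL)
    return "granted" if service.authenticate(entered, password) else "denied"


def build_demo(user_approves):
    """Constructed sample registrations; all values are made up."""
    service = ServiceServer({"alice": "correct horse"})
    phone = "09012345678"
    proxy = AuthProxy({(phone, SERVICE_URL): ("alice", "correct horse")},
                      {phone: MobileTerminal(lambda req: user_approves, (35.68, 139.77))},
                      service)
    return proxy, service


if __name__ == "__main__":
    proxy, service = build_demo(user_approves=True)
    print(login("090-1234-5678", None, proxy, service))
```

Keying the stored record on both the phone number and the destination address means an approval can release the credentials only to the service they were registered for.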
(2) Mobile financial approval service
Next, a case in which the present invention is applied to financial approval on a mobile device is described. Here, for example, when a salesperson such as a car salesperson sells a product, the present invention can support processing such as entering authentication information, for example credit card details, when the customer pays, and verifying the customer's identity. FIG. 7 is a flowchart illustrating the mobile proxy authentication system and method of the present invention applied to a financial approval service.
In this financial approval service, when a user (purchaser) who has bought a product from a salesperson pays by credit card, the salesperson uses his or her mobile information processing terminal 1 to enter the purchaser's mobile phone number as authentication information; a confirmation operation is then requested on the purchaser's mobile terminal, and the approval is completed once the purchaser's identity has been confirmed. In this embodiment too, it is assumed that the user who is the purchaser has registered in advance, on the authentication proxy server 3, his or her mobile phone number and credit card authentication information (card number, user name, expiration date and other security information).
As shown in FIG. 7, the user first purchases a car, the product, from a car salesperson (S201). When the user (purchaser) chooses bank transfer or credit card payment as the purchase method, the salesperson uses his or her information processing terminal 1 to access the service providing server 4, which is the approval server, and opens the company's approval page for customers. The salesperson then has the authentication interface unit 110 display the approval input screen of the approval page (S202) and asks the purchaser to enter a mobile phone number on that settlement screen (S203). Here the salesperson asks the purchaser to enter the mobile phone number, but the salesperson may instead ask the purchaser for the number and enter it. Alternatively, the salesperson's information processing terminal 1 may be equipped with a barcode reader or a camera with an image analysis function so that a telephone number encoded in advance can be read in.
The purchaser enters his or her own telephone number on the approval input screen (S204). The authentication information, namely the entered mobile phone number, is transmitted to the authentication proxy server 3, and the confirmation request unit 305 queries the external authentication database 301 based on it (S205), retrieves the purchaser's card information, generates confirmation request data, and sends a confirmation request to the purchaser's mobile terminal 2 (S206).
The purchaser's mobile terminal 2 receives the confirmation request data from the authentication proxy server 3 (S207), displays confirmation request information on its display screen 202a in response, and asks the user to perform a confirmation operation. As shown in FIG. 8(a), the confirmation request information is display information asking, for example, whether payment of the purchase price, or a transfer, to a particular credit card company or financial institution such as a bank may be executed. The purchaser then performs a confirmation operation in response to this request through the input interface 201 of his or her mobile terminal 2 (S208).
If the purchaser has registered several credit cards, a card folder screen such as the one shown in FIG. 8(b) may be displayed so that any card can be selected. In that case, the authentication information of the selected credit card is read from the table data T12 and transmitted to the service providing server 4. When the user responds to the confirmation request on the mobile terminal 2, the user (purchaser) may also be asked to enter a minimum of security information (for example, the last four digits of the credit card number or the security code on the back of the card).
The information entered by the user's confirmation operation is input to the confirmation operation unit 207, which generates approval data from it and returns the approval data to the confirmation request unit 305 of the authentication proxy server 3 (S209). The approval data states that the user approved the confirmation request as legitimate, or that the user refused approval, as the case may be. Regardless of whether approval was given, the confirmation operation unit 207 also attaches to the approval data the terminal's current position, as measured by the position information acquisition unit 203, and the current time.
The confirmation request unit 305 of the authentication proxy server 3 acquires the approval data from the mobile terminal 2 (S210), and the external authentication processing unit 306 executes authentication processing based on the approval data (S211). Specifically, when the user has approved the confirmation request, it generates authentication result data containing the card information and bank account information selected by the user, and the authentication result transmission unit 303 transmits this authentication result data through the communication network 5 to the main authentication processing unit 407 of the service providing server 4 (S212). If, on the other hand, the user refuses approval, the card information is not transmitted, and a notification that approval was refused is sent to the service providing server 4.
Next, the main authentication processing unit 407 receives the authentication result data and performs main authentication processing, which decides from the user ID and password contained in the authentication result data whether the service may be provided (S213). If the authentication information is valid, access is granted to the user (S214), the authentication permission data is input to the financial institution through the communication network 5, and the approval processing is complete (S214).
By applying the mobile proxy authentication system and method to a financial approval service in this way, the user can complete the approval simply by entering the telephone number of the mobile terminal 2 when authentication information is required, and so can complete it without anyone else learning the bank card ID and password or the credit card number.
(3) Delivery receipt service
Furthermore, a delivery receipt service applying the mobile proxy authentication system and method of the present invention described above is explained below. FIG. 9 is a flowchart illustrating the mobile proxy authentication system and method of the present invention applied to a delivery receipt service. In this delivery receipt service, when a user who has bought a product by mail order or the like has asked a delivery company to deliver it, a confirmation request is made to the user in person when the user receives the product, so that the delivery company hands over the product only after confirming the recipient's identity. In this embodiment too, it is assumed that the user who is the purchaser has registered in advance, on the authentication proxy server 3, his or her mobile phone number together with the transaction number of the mail-order purchase and credit card authentication information (card number, user name, expiration date and other security information).
As shown in FIG. 9, the user first purchases a product on an Internet Web site or the like (S301, S302); when the user has chosen home delivery as the way to receive it, the seller ships the product through a delivery company (S303). The delivery company that received the request delivers the product to the user's home, the delivery destination (S304, S305). When handing the product over to the recipient, the delivery company asks, as identity verification processing, for a mobile phone number for identity verification to be entered into the information processing terminal 1 that the delivery company carries (S306). Here the delivery company asks the recipient to enter the mobile phone number, but the delivery company may instead ask the recipient for the number and enter it. Alternatively, the delivery company's information processing terminal 1 may be equipped with a barcode reader or a camera with an image analysis function, and a barcode or QR code encoding the telephone number may be printed on the delivery slip, so that the encoded telephone number can be read with the barcode reader.
The user who is the recipient then enters his or her own telephone number on the input screen displayed on the information processing terminal 1 (S307). The authentication information, namely the entered mobile phone number, is transmitted to the authentication proxy server 3, and the confirmation request unit 305 queries the external authentication database 301 based on it (S308), retrieves the purchaser's card information, generates confirmation request data, and sends a confirmation request to the recipient's mobile terminal 2 (S309).
The mobile terminal 2 owned by the recipient receives the confirmation request data (S310), displays confirmation request information such as that shown in FIG. 10 on its display screen 202a, and asks the user to perform a confirmation operation. The user checks the content of the confirmation request displayed on the display screen 202a of the mobile terminal 2 and performs a confirmation operation in response through the input interface 201 (S311). If a payment procedure is needed when the delivery is received, as with cash on delivery, the user may open the card folder screen, select any card and carry out the payment procedure at the same time. In that case, the authentication information of the selected credit card is read out and transmitted to the service providing server 4. When the user responds to the confirmation request on the mobile terminal 2, the user (purchaser) may also be asked to enter a minimum of security information (for example, the last four digits of the credit card number or the security code on the back of the card).
The information entered by the user's confirmation operation is input to the confirmation operation unit 207, which generates approval data based on it and returns the approval data to the confirmation request unit 305 of the authentication proxy server 3 (S312). The approval data states that the user approved the confirmation request as legitimate, or that the user refused approval, as the case may be. Regardless of whether approval was given, the confirmation operation unit 207 also attaches to the approval data the terminal's current position, as measured by the position information acquisition unit 203, and the current time.
The confirmation request unit 305 of the authentication proxy server 3 acquires the approval data from the mobile terminal 2 (S313), and the external authentication processing unit 306 executes authentication processing based on the approval data (S314). Specifically, when the user has approved the confirmation request, it generates authentication result data containing the user ID and password, and the authentication result transmission unit 303 transmits this authentication result data through the communication network 5 to the main authentication processing unit 407 of the service providing server 4 (S315). On receiving this authentication result data, the main authentication processing unit 407 shows the delivery person that the recipient has approved. If, on the other hand, the user refuses approval, a notification that approval was refused is sent to the service providing server 4. A refusal may occur, for example, when the entered mobile phone number is mistaken or false and the confirmation request has been sent to the mobile terminal of a third party who is not present; in that case the delivery person's information processing terminal 1 shows that approval was refused.
Next, the main authentication processing unit 407 receives the authentication result data and decides whether to hand over the product according to the notification, contained in the authentication result data, of whether the service may be provided (S316). Specifically, if the authentication information is valid, the authentication permission data is input to the delivery company's information processing terminal 1 through the communication network 5, identity verification by the delivery company is complete (S317), and the user can receive the product.
By applying the mobile proxy authentication system and method to a delivery receipt service in this way, it can be confirmed at handover that the recipient is the same person as the addressee. For the user, this prevents the product from being handed to anyone other than the user; for the delivery company, it makes it possible to hand the product to the user in person even when the user is a stranger.
(Unauthorized operation prevention service at ATMs)
Next, an unauthorized operation prevention service applying the mobile proxy authentication system and method of the present invention is described below. FIG. 11 is a flowchart illustrating the mobile proxy authentication system and method of the present invention applied to an unauthorized operation prevention service at ATMs. In this service, when the user who holds a cash card from a financial institution such as a bank is an elderly person or a child, a confirmation request is made to the user's guardian when the user makes a money transfer or the like at an ATM, so that so-called bank transfer fraud and similar schemes are prevented before they happen. Here it is assumed that the user is an elderly person and is listed in the external confirmation list as a user who requires external authentication.
As shown in FIG. 11, the user first has the cash card read at an ATM of a bank or the like and enters the password, which is the authentication information, following the normal operation in order to make a transfer or the like (S401). Here the connection destination selection unit 124 transmits the authentication information to the bank's own service providing server 4, and the external confirmation request unit 406 of the main authentication unit 403 acquires the entered authentication information as information for normal authentication (S402).
The external confirmation request unit 406 checks the external confirmation list of users who require an external confirmation request, held in the main authentication database 401 (S403), and looks up the mobile phone number of the mobile terminal 2 owned by the guardian linked to the normal authentication information (S404). It then generates, as external confirmation request data, the mobile terminal identifier (the guardian's mobile phone number) associated with the normal authentication information in the external confirmation list together with the form identifier, and transmits this external confirmation request data to the authentication proxy server 3 (S405).
The confirmation request unit 305 of the authentication proxy server 3 receives this external confirmation request data (S407), generates confirmation request data, and transmits the confirmation request data to the guardian's mobile terminal 2 (S407). The guardian's mobile terminal 2 receives the confirmation request data and displays a confirmation screen such as that shown in FIG. 12, and the guardian performs a confirmation operation to approve or refuse this confirmation request information (S408). In addition to the amount to be withdrawn or transferred, the confirmation information can show the location of the ATM, so the guardian can take this information into account when deciding how to respond.
When the guardian performs the confirmation operation, the confirmation operation unit 207 generates approval data based on it and returns the approval data to the confirmation request unit 305 of the authentication proxy server 3 (S409). The approval data states that the user approved the confirmation request as legitimate, or that the user refused approval, as the case may be. Regardless of whether approval was given, the confirmation operation unit 207 also attaches to the approval data the terminal's current position, as measured by the position information acquisition unit 203, and the current time.
The confirmation request unit 305 of the authentication proxy server 3 acquires the approval data from the mobile terminal 2 (S410), and the external authentication processing unit 306 executes authentication processing based on the approval data (S411). Specifically, when the guardian has approved the confirmation request, it generates external authentication result data reporting that approval. The authentication result transmission unit 303 then transmits this external authentication result data through the communication network 5 to the main authentication processing unit 407 of the service providing server 4 (S412). If, on the other hand, the guardian refuses approval, a notification that approval was refused is sent to the service providing server 4.
Next, the main authentication processing unit 407 receives the authentication result data (S413) and performs the main authentication process, which decides whether to provide the service based on the external authentication result, including the approval data, and the result of the normal authentication process. If the authentication information is valid, authentication is granted (S414), the authentication permission data is input to the ATM over the communication network 5, and the ATM procedure can proceed (S415). If, on the other hand, the data shows that the administrator's confirmation operation did not approve the request, the ATM transaction is terminated.
By applying the mobile proxy authentication system and method to an ATM service in this way, the user's administrator can perform a confirmation operation on the execution of ATM processing, which makes it possible to prevent bank-transfer fraud and similar crimes.
(4) Credit financial settlement service
Next, a case in which the mobile proxy authentication system and method of the present invention is applied to credit financial settlement is described. Here, for example, when a user receives a service or purchases goods at a store such as a restaurant or shop and pays by credit card, the present invention can support processing such as password entry and identity verification. FIG. 13 is a flowchart of the proxy authentication system according to this embodiment applied to a credit settlement service in a store, and FIG. 14 is an explanatory diagram showing the display screen (payment confirmation screen) of the mobile terminal according to this embodiment.
In this credit settlement service, when a user who has purchased goods or the like at a store that sells goods or provides services pays by credit card, the credit card information is read by the dedicated devices 1d to 1f, equipped with reader/writers, that are installed in the store. A confirmation operation is then requested on the purchaser's mobile terminal, and once the purchaser's identity has been confirmed there, settlement completes without any input such as a password or signature.
In detail, as shown in FIG. 13, the user first purchases goods or receives a service at a store (S501). When the user (purchaser) chooses to pay by credit card, the user presents the credit card (S502), and the store's salesperson reads the card's information with a dedicated reader (S503). The authentication information read from the credit card is transmitted to the financial institution, which is the service providing server 4 (S504).
Here, when the external confirmation request unit 406 acquires the authentication information read from the credit card (S505), it identifies the user from the credit card number contained in that information, checks the user against the external confirmation list in the main authentication database 401 (S506), and determines whether the user is one who requires an external confirmation request (S507). If the user does not require external authentication ("N" in S507), a message requesting password entry is shown on the display screen 111 of the store's reader, and the user is asked to enter a password (S508). The user enters his or her password, which is transmitted to the main authentication processing unit 407. The main authentication processing unit 407 then receives the password and performs the main authentication process, which decides from the credit card number and password whether to provide the service (S519). If the authentication information is valid, the user is granted access (S520) and settlement processing completes (S521).
If, on the other hand, the user requires external authentication ("Y" in S507), external confirmation request data associating the mobile terminal identifier with the form identifier is generated based on the external confirmation list, and this confirmation request data is transmitted to the authentication proxy server 3 (S509).
The confirmation request unit 305 receives the confirmation request data (S510), queries the external authentication database 301 based on the authentication information to look up the purchaser's card information, generates confirmation request data, and transmits a confirmation request to the purchaser's mobile terminal 2 (S511).
The purchaser's mobile terminal 2 receives the confirmation request data from the authentication proxy server 3 (S512), displays the confirmation request information on its display screen 202a in response, and asks the user to perform a confirmation operation. As shown in FIG. 14, the confirmation request information is display information asking, for example, whether payment of the purchase price to the financial institution of a particular credit card company may be executed. The purchaser then performs the confirmation operation for this request through the input interface 201 of his or her own mobile terminal 2 (S513).
The information entered through the user's confirmation operation is input to the confirmation operation unit 207, which generates approval data from it and returns the approval data to the confirmation request unit 305 of the authentication proxy server 3 (S514). The approval data states that the request was approved when the user's operation approves the confirmation request as legitimate, and states that it was rejected when the user refuses approval. In either case, the confirmation operation unit 207 appends to the approval data the device's current position, as measured by the position information acquisition unit 203, and the current time.
The confirmation request unit 305 of the authentication proxy server 3 acquires the approval data from the mobile terminal 2 (S515), and the external authentication processing unit 306 executes authentication processing based on the approval data (S516). Specifically, when the user has approved the confirmation request, authentication result data containing the credit card ID and password is generated, and the authentication result transmission unit 303 transmits it over the communication network 5 to the main authentication processing unit 407 of the service providing server 4 (S517). If the user has refused approval, the card information is not transmitted, and a notification that approval was refused is transmitted to the service providing server 4.
Next, the main authentication processing unit 407 receives the authentication result data and performs the main authentication process, which decides from the user ID and password contained in the authentication result data whether to provide the service (S519). If the authentication information is valid, the user is granted access (S520), the authentication permission data is input to the financial institution over the communication network 5, and settlement processing completes (S521).
At this point the result of the settlement processing is transmitted to the information processing terminal 1, which receives it (S522) and displays it on its display screen 111 (S523). The result states that settlement is complete when the password entered by the user is valid, and states that settlement was refused when the password is found to be invalid. When settlement is complete, the user receives the goods (S524).
By applying the mobile proxy authentication system and method to a credit settlement service in this way, the user does not need to enter a password and can complete settlement with only a confirmation operation on the mobile terminal 2, so settlement can be completed without anyone else learning the credit card password during the process.
(Function and effect)
According to this embodiment, when an authentication operation is performed on the information processing terminal 1, the confirmation request unit 305 sends the mobile terminal 2 owned by the user a notification asking whether to permit authentication, and the user personally decides whether to permit it. This raises security and enables safe authentication.
Also, according to this embodiment, once the user has entered a mobile phone number or the like on the information processing terminal 1 in order to receive a service, the next operation is authenticated by a confirmation operation alone, so the user can receive the service through a simplified input procedure.
Furthermore, according to this embodiment, the confirmation request can be transmitted from the authentication result transmission unit 303 to any mobile terminal, so the present invention can be used even when the user who enters authentication information at the information processing terminal 1 and the user who performs the confirmation operation on the mobile terminal 2 are not the same person. For example, as in the embodiment described above, even when a user who is a child or an elderly person makes a transfer at an ATM, the confirmation request is sent to the user's guardian, so the guardian can decide whether to allow the withdrawal, and excessive withdrawals and the like can be prevented. This allows a wider variety of services, such as support for a service system that prevents bank-transfer fraud.
Furthermore, this embodiment includes an authentication information type determination unit 125, arranged on the communication network 5, that determines whether the authentication information entered into the authentication interface unit 110 contains a mobile terminal identifier identifying a given mobile terminal 2. The confirmation request unit 305 sends a confirmation request to the mobile terminal 2 when the authentication information type determination unit 125 determines that a mobile terminal identifier is included. Because the destination of the authentication information can be changed according to that determination, the system according to the present invention can be used alongside a conventional security system in which an ID and password are entered.
Furthermore, in this embodiment, the mobile terminal 2 has a position information acquisition unit 203 that measures the device's current position, and the confirmation operation unit 207 appends that position to the approval data before returning the approval data to the confirmation request unit 305. The external authentication processing unit 306 holds map information describing the range within which authentication is permitted and, during authentication processing, refers to the map information to determine whether the mobile terminal's current position falls within the prescribed range. Authentication can therefore take into account the position of the user's mobile terminal in addition to the user's authentication information and approval data, giving finer control over whether authentication for service provision is granted and raising the security of an authentication system that uses mobile terminals.
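The position check described above, as an added Python sketch rather than code from the patent: the circular shape of each permitted area, the field names and the result strings are assumptions of this example, and the coordinates are constructed sample data.

```python
import math
from dataclasses import dataclass
from typing import Optional, Sequence, Tuple

EARTH_RADIUS_M = 6_371_000.0


@dataclass(frozen=True)
class Zone:
    """One permitted area of the map information (circular shape is an assumption)."""
    lat: float
    lon: float
    radius_m: float


@dataclass(frozen=True)
class ApprovalData:
    """Approval data returned by the mobile terminal (field names are assumptions)."""
    approved: bool
    position: Optional[Tuple[float, float]]  # (lat, lon) in degrees, None if absent


def distance_m(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in metres (haversine formula)."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    # Clamp against rounding so asin() never sees a value above 1.
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(min(1.0, a)))


def valid_position(position: Optional[Tuple[float, float]]) -> bool:
    """Reject missing, non-finite or out-of-range coordinates."""
    if position is None or len(position) != 2:
        return False
    lat, lon = position
    return (math.isfinite(lat) and math.isfinite(lon)
            and -90.0 <= lat <= 90.0 and -180.0 <= lon <= 180.0)


def in_permitted_range(position: Optional[Tuple[float, float]],
                       zones: Sequence[Zone]) -> bool:
    """True only if the position is usable and lies inside at least one zone."""
    if not valid_position(position):
        return False  # fail closed: no usable position means no match
    lat, lon = position
    return any(distance_m(lat, lon, z.lat, z.lon) <= z.radius_m for z in zones)


def external_auth(data: ApprovalData, zones: Sequence[Zone]) -> str:
    """Combine the user's decision with the position check.

    A rejection stays a rejection wherever the terminal is; an approval
    counts only when the terminal is inside the permitted range.
    """
    if not data.approved:
        return "rejected"
    if not in_permitted_range(data.position, zones):
        return "out_of_range"
    return "approved"


# Constructed sample map information: 500 m around one point in central Tokyo.
SAMPLE_ZONES = [Zone(35.681236, 139.767125, 500.0)]
```

The position is reported by the terminal itself, so this check narrows where an approval is accepted but is only as trustworthy as the device that reports it.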
Furthermore, in this embodiment, the authentication interface unit 110 of the information processing terminal 1 has a function that appends its own form identifier to the authentication information. The authentication proxy server 3 can therefore acquire the form identifier of the authentication interface unit 110 and transmit the authentication result to the destination address obtained by looking up the form identifier in the external authentication database 301. As a result, the main authentication processing unit 407 to which the authentication result is to be sent can be identified, and once authentication has been performed on the information processing terminal 1, the authentication information linked to that authentication can be used to skip the authentication procedures of other Web services, so the user can authenticate easily.
Furthermore, in this embodiment, as with the bank ATM described above, the user is authenticated by the ATM's own authentication system as the normal authentication process, and when normal authentication succeeds, a request to issue a confirmation request to the mobile terminal 2 can additionally be sent to the authentication proxy server 3 as an external confirmation request, asking for an approval procedure through the mobile terminal 2.
As a result, according to this embodiment, a bank ATM or similar system can decide whether to provide a service based on both the external authentication result sent from the authentication proxy server 3 and the result of its own normal authentication process. Even if the operator of the information processing terminal 1 is, for example, a child or an elderly person, the external confirmation request is sent to the guardian who is the external confirmation destination, so the guardian can decide whether to allow the transfer, and unintended transfers and the like can be prevented. This allows a wider variety of services, such as support for a service system that prevents bank-transfer fraud.
Furthermore, in this embodiment, when the service providing server 4 has a settlement unit 408 that executes settlement processing by a financial institution, an external confirmation list of users who require an external confirmation request is provided. During settlement processing, the settlement unit 408, by means of the limit change unit 409, checks the user against the external confirmation list and switches the monetary limit for the settlement processing based on that list. Because introducing the proxy authentication service according to this embodiment can reduce the incidence of incidents and accidents, users of the service are listed in the external confirmation list, and for listed users the limit change unit 409 can switch the limit, for example by raising the limit for settlement processing. This improves convenience and safety for users while making settlement processing with the financial institution smoother.
Also, in this embodiment, as with the credit settlement described above, even for ordinary credit settlement using a credit card at a store, sending a confirmation request to the mobile terminal 2 as an external confirmation request makes it possible to omit input such as a password or signature, so settlement can be completed without anyone else learning the credit card password during the process.
[Second Embodiment]
Next, a second embodiment of the present invention is described. In the first embodiment, confirmation request processing was executed by the authentication proxy server and the main authentication process by the service providing server; this embodiment describes an example in which the authentication proxy server executes both confirmation request processing and the main authentication process. FIG. 15 is a conceptual diagram showing the overall configuration of the proxy authentication system according to this embodiment. In this embodiment, components identical to those of the first embodiment described above carry the same reference numerals; unless otherwise noted their functions are the same, and their description is omitted.
(Overall configuration of the proxy authentication system)
As shown in FIG. 15, this embodiment comprises, on the communication network 5, the information processing terminals 1 (1a to 1f), the authentication proxy server 3, which performs both proxy authentication processing and the main authentication process, a wireless base station 6, and the mobile terminal 2, which can communicate wirelessly through the wireless base station 6 or a communication satellite 7. In particular, in this embodiment a settlement unit 500 that executes settlement processing is connected to the authentication proxy server 3.
In this embodiment too, the information processing terminals 1 (1a to 1f) are user terminals with arithmetic processing provided by a CPU and communication processing provided by a communication interface: for example, general-purpose computers such as personal computers, or dedicated devices with specialized functions such as ATMs and reader/writers. In this embodiment, the ATM (1c) and the dedicated devices 1d to 1f equipped with reader/writers are connected to the communication network 5.
The authentication proxy server 3 is a server device arranged on the communication network 5 that centrally manages proxy authentication for users and executes processing related to normal authentication and proxy authentication. In this embodiment too, the authentication proxy server 3 may consist of a single server device or of a group of servers of several kinds, such as Web servers and database servers.
(Internal structure of each device)
Next, the internal structure of each device making up the proxy authentication system described above is described. FIG. 16 is a block diagram showing the internal configuration of the information processing terminal, mobile terminal, settlement unit, and authentication server that make up the proxy authentication service according to this embodiment.
(1) Information processing terminal 1
The information processing terminal 1 includes a form identifier adding unit 114, an application execution unit 123, a content acquisition unit 121, and an execution process determination unit 122.
The form identifier adding unit 114 is a module that acquires the form identifier set to identify the authentication interface unit the user is operating and appends it to the authentication information entered through the operation device interface 113. It sends the authentication information, with the form identifier appended, to the application execution unit 123.
The application execution unit 123 is a module that executes applications such as a general OS, browser software, and media viewing applications. In this embodiment, as shown in FIG. 16, the application execution unit 123 forwards the authentication information sent from the authentication interface 110 to the authentication proxy server 3 via the communication interface 101 without determining its type.
The content acquisition unit 121 is a module that receives content data such as HTML from the authentication proxy server 3 over the communication network 5. The content data downloaded by the content acquisition unit 121 is converted into video and audio signals by the application execution unit 123 and output from the display screen 111 and the speaker through the output interface 115.
The execution process determination unit 122 is a module that determines whether the conditions for executing content data have been met and restricts execution of applications by the application execution unit 123. In this embodiment, the condition it evaluates is the authentication result sent from the authentication proxy server 3, and it restricts application execution based on that result.
(2) Authentication proxy server 3
The authentication proxy server 3 includes an authentication unit 312, an authentication database 310, an authentication information type determination unit 315, a connection destination selection unit 316, a content transmission unit 309, and a log history storage unit 307.
The authentication information type determination unit 315 is a module that determines whether the authentication information sent from the information processing terminal 1 contains a mobile terminal identifier identifying a given mobile terminal 2. Specifically, the mobile terminal identifier in this embodiment is the telephone number that identifies the mobile terminal performing the confirmation operation. The authentication information type determination unit 315 analyzes the number of characters, type, and format of the string the user entered on the operation device; if the entered authentication information is an 11-character string consisting only of digits and beginning with "090" or "080", it is judged to be a mobile terminal identifier, and a string in any other format is judged to be an ID or password for normal authentication. The determination result is input to the connection destination selection unit 316.
The connection destination selection unit 316 is a module that decides the connection destination according to the type of the received authentication information. In this embodiment, it obtains the determination result from the authentication information type determination unit 315: if the result indicates that the authentication information entered by the user contains a mobile terminal identifier, the connection destination is the confirmation request unit 313; if it indicates that no mobile terminal identifier is included, the connection destination is the authentication processing unit 314.
The authentication unit 312 is a module that performs authentication processing based on normal authentication information from the information processing terminal 1, sends confirmation requests to the mobile terminal 2 and performs authentication processing based on the approval data produced by the user's confirmation operation in response, and provides the service when these authentication processes succeed. It includes a confirmation request unit 313 and an authentication processing unit 314.
The confirmation request unit 313 is a module that acquires authentication information from the information processing terminal 1, sends a confirmation request to the mobile terminal 2 based on it, and acquires the approval data produced by the user's confirmation operation in response to that request.
Specifically, the confirmation request unit 313 looks up the authentication database 310 using the mobile terminal identifier contained in the authentication information sent from the connection destination selection unit 316, obtains the name of the customer who owns the mobile terminal and the service details of the confirmation request, and generates confirmation request data. It then transmits the confirmation request data to the mobile terminal 2 whose destination address corresponds to the mobile terminal identifier. The confirmation request unit 313 also generates confirmation request data when the authentication processing unit 314 asks it to issue a confirmation request, and transmits that data to the mobile terminal 2 whose destination address corresponds to the mobile terminal identifier.
The authentication processing unit 314 is a computer, or software with that function, that verifies the legitimacy of an accessor. It is a module that acquires authentication information or approval data through the communication network 5 and, by checking it against the authentication database 310, confirms whether the accessor holds the relevant right and whether the accessor is the genuine person.
In particular, in this embodiment the authentication unit 312 has three functions: a normal authentication process that authenticates the user based on the ID and password, which are authentication information data input through the authentication interface unit 110; an authentication process that requests approval data from the mobile terminal 2 based on the mobile terminal identifier, which is authentication information data input through the authentication interface unit 110, and authenticates the user based on this approval data; and a double authentication process that determines whether the service may be provided based on the approval data sent from the mobile terminal 2 and the result of the normal authentication process.
Here, the normal authentication process acquires the user ID and password that the user entered in the authentication interface unit 110, checks them against the authentication database 310, and authenticates whether the accessor is the genuine person. The authentication process based on approval data acquires the approval data generated by the confirmation operation made in response to the confirmation request data and, based on this approval data, authenticates whether the access is by the genuine person.
Furthermore, the double authentication process executes both the normal authentication process and the authentication process based on approval data. Specifically, when the authentication processing unit 314 acquires the authentication information input for the normal authentication process, it identifies the user from the user ID contained in that information, checks that user against the confirmation list in the authentication database 310, and determines whether the user is one who requires a confirmation request. If so, it generates confirmation request data that associates the mobile terminal identifier with the form identifier based on the confirmation list, and sends this confirmation request data to the confirmation request unit 313. The confirmation request unit 313 issues a confirmation request to the mobile terminal 2 based on this data, and the authentication processing unit 314 receives the approval data returned for the request. The confirmation request unit 313 then executes the authentication process based on the approval data sent from the mobile terminal 2 and also executes the normal authentication process based on the user ID and password.
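The double authentication flow described above, as an added Python example that is not code from the patent. The class and function names, the one-time request ID, the 60-second expiry, the per-device HMAC key and the rule that the phone is prompted only after the password check passes are assumptions of this example; the patent does not specify how approval data is protected.

```python
import hashlib
import hmac
import secrets
import time


def pw_hash(password, salt):
    # Salted, slow password hash for the normal authentication process.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


def approval_tag(device_key, request_id, form_id):
    # Assumption: approval data (D4) carries an HMAC binding it to one request and form.
    msg = f"approve|{request_id}|{form_id}".encode()
    return hmac.new(device_key, msg, hashlib.sha256).hexdigest()


class AuthProxy:
    """Stand-in for authentication unit 312 (units 313 and 314 in one class)."""

    def __init__(self, ttl_seconds=60):
        self.users = {}                 # user ID -> constructed row of table T1
        self.confirmation_list = set()  # user IDs that require a confirmation request
        self.pending = {}               # request ID -> outstanding confirmation request (D3)
        self.log = []                   # plays the role of log history storage unit 307
        self.ttl = ttl_seconds          # assumption: confirmation requests expire

    def register(self, user_id, password, phone, device_key, needs_confirmation):
        salt = secrets.token_bytes(16)
        self.users[user_id] = {"salt": salt, "pw": pw_hash(password, salt),
                               "phone": phone, "device_key": device_key}
        if needs_confirmation:
            self.confirmation_list.add(user_id)

    def normal_auth(self, user_id, password):
        rec = self.users.get(user_id)
        if rec is None:
            return False
        return hmac.compare_digest(rec["pw"], pw_hash(password, rec["salt"]))

    def confirmation_request(self, user_id, form_id, now):
        # Confirmation request data: mobile terminal identifier tied to the form identifier.
        req = {"request_id": secrets.token_hex(16), "user_id": user_id,
               "phone": self.users[user_id]["phone"], "form_id": form_id,
               "expires": now + self.ttl}
        self.pending[req["request_id"]] = req
        return req

    def verify_approval(self, approval, now):
        # Pop first so each request can be answered once (a replayed D4 fails).
        req = self.pending.pop(approval.get("request_id"), None)
        if req is None or now > req["expires"] or approval.get("approved") is not True:
            return False
        key = self.users[req["user_id"]]["device_key"]
        expected = approval_tag(key, req["request_id"], req["form_id"])
        return hmac.compare_digest(expected.encode(),
                                   str(approval.get("tag", "")).encode())

    def double_auth(self, user_id, password, form_id, mobile, now=None):
        now = time.time() if now is None else now
        password_ok = self.normal_auth(user_id, password)
        approval_ok = True
        # Assumption: the phone is prompted only after the password check passes.
        if password_ok and user_id in self.confirmation_list:
            req = self.confirmation_request(user_id, form_id, now)
            approval = mobile(req)  # D3 out, D4 back; None means no answer
            approval_ok = approval is not None and self.verify_approval(approval, now)
        result = {"user_id": user_id, "form_id": form_id,
                  "granted": password_ok and approval_ok}
        self.log.append(dict(result, time=now))  # authentication result history
        return result


def mobile_terminal(device_key, user_approves):
    """Confirmation operation unit 207: answers confirmation request data with approval data."""
    def answer(req):
        if not user_approves:
            return {"request_id": req["request_id"], "approved": False, "tag": ""}
        return {"request_id": req["request_id"], "approved": True,
                "tag": approval_tag(device_key, req["request_id"], req["form_id"])}
    return answer


if __name__ == "__main__":
    key = secrets.token_bytes(32)
    proxy = AuthProxy()
    # Constructed sample user; the phone number is a placeholder.
    proxy.register("alice", "correct horse", "000-0000-0000", key, True)
    for approves in (True, False):
        print(proxy.double_auth("alice", "correct horse", "form-1a",
                                mobile_terminal(key, approves)))
```

Access is granted only when both checks succeed; a denied, missing, expired, replayed or wrongly keyed approval fails closed, and every decision is appended to the log.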
The authentication database 310 is a database device that stores, among other data, table data T1, which associates a telephone number (the mobile terminal identifier) with the form identifier of the information processing terminal 1 and with user information (ID, password, and destination address), and table data T2, which stores personal information, authentication information, and settlement information for each user. It searches for and outputs the specified data according to instructions from the authentication unit 312. In this embodiment as well, table data T1 is, as shown in FIG. 4, a relational database in which multiple tables are linked to one another by relations: the customer master table T10 for registered users is related to the registered service data T11, which holds information on the services the user plans to use, and to the card information table T12 for the credit cards the user uses.
The content transmission unit 309 is a module that delivers content information, such as display information (Web data), video data, and music data, to the information processing terminal 1. It stores information such as HTML documents and images and transmits the specified data in accordance with the authentication processing by the authentication unit 312. The content transmission unit 309 refers to the form identifier contained in the authentication information and transmits the content information to the intended information processing terminal 1.
The log history storage unit 307 is a storage device that accumulates the approval data sent from the mobile terminal 2, together with the authentication information, as log data. Specifically, when the authentication unit 312 executes authentication processing, the same information as the authentication result output to the content transmission unit 309 is duplicated and output to the log history storage unit 307, where it is stored in chronological order as a history (log) of authentication results.
(3) Approval unit
The approval unit 500 is a general server device accessible from the authentication unit 312 of the authentication proxy server 3 and has a function for executing approval processing by a financial institution. In this embodiment, the approval unit 500 has a limit amount changing unit 501 that, during the approval processing performed by the authentication unit 312, checks the user's confirmation list from the authentication database 310 and switches the limit on the amount involved in the approval processing based on that list. The limit amount changing unit 501 holds a confirmation list, which is a list of the users who require a confirmation request; at approval time it checks this list and switches the limit on the amount involved in the approval processing.
(Operation and effects)
According to this embodiment, the authentication proxy server 3 determines the authentication information type; the information processing terminal 1 sends the input authentication information to the authentication proxy server 3 without determining its type and receives the authentication result in reply. This reduces the processing on the information processing terminal 1 and allows the device to be made smaller and lighter.
In addition, because the authentication proxy server 3 executes both the confirmation request process and the main authentication process, the devices that execute authentication processing can be unified, which reduces the number of parts and consolidates information.
D1 … Authentication information data
D2 … Normal authentication information data
D3 … Confirmation request data
D4 … Approval data
D5 … Authentication result data
D6 … External confirmation request data
T1, T2 … Table data
1 (1a to 1f) … Information processing terminal
2 … Mobile terminal
3 … Authentication proxy server
4 … Service providing server
5 … Communication network
6 … Wireless base station
7 … Communication satellite
8 … Gateway device
51 … Dedicated line
101 … Communication interface
110 … Authentication interface unit
111 … Display screen
111a … Login form
112 … Operation signal detection unit
113 … Operation device interface
114 … Form identifier adding unit
115 … Output interface
120 … Control unit
121 … Content acquisition unit
122 … Execution process determination unit
123 … Application execution unit
124 … Connection destination selection unit
125 … Authentication information type determination unit
126 … Output signal generation unit
201 … Input interface
202 … Output interface
202a … Display screen
203 … Position information acquisition unit
204 … Control unit
205 … Connection processing unit
206 … Wireless interface
207 … Confirmation operation unit
301 … External authentication database
302 … Communication interface
303 … Authentication result transmission unit
304 … External authentication unit
305 … Confirmation request unit
306 … External authentication processing unit
307 … Log history storage unit
308 … Map database
309 … Content transmission unit
310 … Authentication database
312 … Authentication unit
313 … Confirmation request unit
314 … Authentication processing unit
315 … Authentication information type determination unit
316 … Connection destination selection unit
401 … Main authentication database
402 … Communication interface
403 … Main authentication unit
404 … Content transmission unit
406 … External confirmation request unit
407 … Main authentication processing unit
408 … Approval unit
409 … Limit amount changing unit
500 … Approval unit
501 … Limit amount changing unit

Claims (12)

  1. A mobile authentication proxy system that uses a mobile terminal carried by a user to authenticate that user at an arbitrary information processing terminal connected to a communication network, comprising:
     an authentication interface unit that accepts input of authentication information on the information processing terminal;
     a confirmation request unit that is arranged on the communication network, acquires the authentication information input at the interface unit, and issues a confirmation request to the mobile terminal based on that authentication information;
     a confirmation operation unit that, on the mobile terminal, requests a confirmation operation from the user in response to the confirmation request and returns approval data to the confirmation request unit in response to the user's confirmation operation;
     an authentication processing unit that is arranged on the communication network, acquires the approval data, and executes authentication processing based on the approval data; and
     an authentication result transmission unit that transmits the authentication result of the authentication processing unit onto the communication network.
  2. (Identifying the telephone number)
     The mobile authentication proxy system according to claim 1, further comprising:
     an authentication information type determination unit that is arranged on the communication network and determines whether the authentication information input to the authentication interface unit contains a mobile terminal identifier that identifies a given mobile terminal,
     wherein the confirmation request unit issues the confirmation request to the mobile terminal when the authentication information type determination unit determines that a mobile terminal identifier is contained.
  3. (Adding location information)
     The mobile authentication proxy system according to claim 1 or 2, wherein:
     the mobile terminal has a position information acquisition unit that measures its own current position;
     the confirmation operation unit appends the current position measured by the position information acquisition unit to the approval data and returns the approval data to the confirmation request unit; and
     the authentication processing unit holds map information describing the range in which authentication is permitted and, during the authentication processing, refers to the map information to determine whether the current position of the mobile terminal falls within a predetermined range.
  4. (Notification destination of the authentication result)
     The mobile authentication proxy system according to any one of claims 1 to 3, wherein:
     a form identifier that identifies the authentication interface unit is set in the authentication interface unit, and the authentication interface unit has a function of appending its own form identifier to the authentication information;
     the authentication result transmission unit includes a database that stores the form identifier in association with a destination address identifying the main authentication processing unit that performs normal authentication processing through the authentication interface unit; and
     the authentication result transmission unit acquires the form identifier of the authentication interface unit and transmits the authentication result to the destination address obtained by checking the database using that form identifier.
  5. (Ore-ore stopper: external confirmation request from an ATM)
     The mobile authentication proxy system according to any one of claims 1 to 4, further comprising:
     a service providing unit that authenticates the user, as normal authentication processing, based on the authentication information input through the authentication interface unit and provides a service when the normal authentication processing succeeds; and
     an external confirmation request unit that is provided on the service providing unit side and, based on the authentication information input in the normal authentication processing, sends the confirmation request unit an external confirmation request asking it to issue a confirmation request to the mobile terminal,
     wherein the authentication result transmission unit transmits the authentication result based on the approval data to the service providing unit as an external authentication result, and
     the service providing unit determines whether to provide the service based on the external authentication result transmitted from the authentication result transmission unit and the authentication result of the normal authentication processing.
  6. (Ore-ore stopper benefit)
     The mobile authentication proxy system according to claim 5, wherein:
     the service providing unit has an approval function that executes approval processing by a financial institution;
     the external confirmation request unit holds an external confirmation list of users who require the external confirmation request; and
     the approval function has a limit amount changing function that, during approval processing, checks the user's external confirmation list and switches the limit on the amount involved in the approval processing based on that list.
  7. A mobile authentication proxy method that uses a mobile terminal carried by a user to authenticate that user at an arbitrary information processing terminal connected to a communication network, comprising:
     an authentication information input step of inputting authentication information through an authentication interface unit on the information processing terminal;
     a confirmation request step in which a confirmation request unit installed on the communication network acquires the authentication information input at the interface unit and issues a confirmation request to the mobile terminal based on that authentication information;
     a confirmation operation step in which the mobile terminal requests a confirmation operation from the user in response to the confirmation request and returns approval data to the confirmation request unit in response to the user's confirmation operation;
     an authentication processing step in which an authentication processing unit arranged on the communication network acquires the approval data and executes authentication processing based on the approval data; and
     an authentication result transmission step of transmitting the authentication result of the authentication processing step onto the communication network.
  8. The mobile authentication proxy method according to claim 7, wherein:
     in the authentication information input step, it is determined whether the authentication information input to the authentication interface unit contains a mobile terminal identifier that identifies a given mobile terminal; and
     in the confirmation request step, the confirmation request is issued to the mobile terminal when it is determined that the authentication information contains a mobile terminal identifier.
  9. The mobile authentication proxy method according to claim 7 or 8, wherein:
     the mobile terminal has a position information acquisition unit that measures its own current position;
     in the confirmation operation step, the current position measured by the position information acquisition unit is appended to the approval data, and the approval data is returned to the confirmation request unit; and
     in the authentication processing step, during the authentication processing, map information describing the range in which authentication is permitted is referred to in order to determine whether the current position of the mobile terminal falls within a predetermined range.
  10. The mobile authentication proxy method according to any one of claims 7 to 9, wherein:
     a form identifier that identifies the authentication interface unit is set in the authentication interface unit, and the authentication interface unit has a function of appending its own form identifier to the authentication information; and
     in the authentication result transmission step,
     a database that stores the form identifier in association with a destination address identifying the main authentication processing unit that performs normal authentication processing through the authentication interface unit is checked, and
     the form identifier of the authentication interface unit is acquired, and the authentication result is transmitted to the destination address obtained by checking the database using that form identifier.
  11. (Ore-ore stopper: external confirmation request from an ATM)
     The mobile authentication proxy method according to any one of claims 7 to 10, further comprising, in place of the confirmation request step:
     a normal authentication step of authenticating the user, as normal authentication processing, based on the authentication information input through the authentication interface unit; and
     an external confirmation request step of sending the confirmation request unit, based on the authentication information input in the normal authentication processing, an external confirmation request asking it to issue a confirmation request to the mobile terminal,
     wherein, in the authentication result transmission step, the authentication result based on the approval data is transmitted as an external authentication result to a service providing unit that provides a service when the normal authentication processing succeeds, and the service providing unit determines whether to provide the service based on the external authentication result transmitted from the authentication result transmission unit and the authentication result of the normal authentication processing.
  12. (Ore-ore stopper benefit)
     The mobile authentication proxy method according to claim 11, wherein:
     the service providing unit has an approval function that executes approval processing by a financial institution; and
     the approval function has a limit amount changing function that, during the approval processing, checks an external confirmation list of users who require the external confirmation request and switches the limit on the amount involved in the approval processing based on that list.
PCT/JP2010/072285 2009-12-15 2010-12-10 Mobile proxy authentication system and mobile proxy authentication method WO2011074500A1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
JP2011546094A JP5655246B2 (en) 2009-12-15 2010-12-10 Mobile authentication agent system and mobile authentication agent method

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
JP2009-283753 2009-12-15
JP2009283753 2009-12-15

Publications (1)

Publication Number Publication Date
WO2011074500A1 true WO2011074500A1 (en) 2011-06-23

Family

ID=44167256

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/JP2010/072285 WO2011074500A1 (en) 2009-12-15 2010-12-10 Mobile proxy authentication system and mobile proxy authentication method

Country Status (2)

Country Link
JP (1) JP5655246B2 (en)
WO (1) WO2011074500A1 (en)

Cited By (23)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2014039158A (en) * 2012-08-16 2014-02-27 Nec Biglobe Ltd Use control device, use control system, and use control method program
WO2014184771A1 (en) * 2013-05-15 2014-11-20 Visa International Service Association Methods and systems for provisioning payment credentials
JP2015503135A (en) * 2011-09-29 2015-01-29 アップル インコーポレイテッド Authentication by secondary approver
JP2015519637A (en) * 2012-04-10 2015-07-09 アクセルズ テクノロジーズ (2009) リミテッド System and method for secure transaction processing by a mobile device
JP2016529590A (en) * 2013-06-17 2016-09-23 シンクエーティー カンパニー リミテッドThinkat Co., Ltd. Information authentication method and system for telephone authentication infrastructure
JP6072954B1 (en) * 2016-03-02 2017-02-01 株式会社リクルートホールディングス Authentication processing apparatus and authentication processing method
US9781105B2 (en) 2015-05-04 2017-10-03 Ping Identity Corporation Fallback identity authentication techniques
US9830594B2 (en) 2011-05-17 2017-11-28 Ping Identity Corporation System and method for performing a secure transaction
JP2017220260A (en) * 2013-03-12 2017-12-14 ユナイテッド パーセル サービス オブ アメリカ インコーポレイテッドUnited Parcel Service of America, Inc. Systems and methods of managing item pickup at attended delivery/pickup locations
EP3285456A1 (en) 2016-08-17 2018-02-21 Fujitsu Limited Information processing apparatus, non-transitory computer-readable storage medium, information processing method, and information processing system
JP2018036790A (en) * 2016-08-30 2018-03-08 エヌ・ティ・ティ・コミュニケーションズ株式会社 Authentication device, identity confirmation method, and program
JP6355797B1 (en) * 2017-05-16 2018-07-11 ヤフー株式会社 Determination apparatus, determination method, and determination program
JP2018533131A (en) * 2015-09-17 2018-11-08 マスターカード インターナシヨナル インコーポレーテツド Authentication service customer data management method and system
US10210474B2 (en) 2013-10-14 2019-02-19 United Parcel Service Of America, Inc. Systems and methods for confirming an identity of an individual, for example, at a locker bank
US10395128B2 (en) 2017-09-09 2019-08-27 Apple Inc. Implementation of biometric authentication
US10410165B2 (en) 2014-11-14 2019-09-10 United Parcel Service Of America, Inc. Systems and methods for facilitating shipping of parcels for returning items
US10410164B2 (en) 2014-11-14 2019-09-10 United Parcel Service Of America, Inc Systems and methods for facilitating shipping of parcels
US10445682B2 (en) 2013-02-01 2019-10-15 United Parcel Service Of America, Inc. Systems and methods for parcel delivery to alternate delivery locations
US10521579B2 (en) 2017-09-09 2019-12-31 Apple Inc. Implementation of biometric authentication
US10600022B2 (en) 2016-08-31 2020-03-24 United Parcel Service Of America, Inc. Systems and methods for synchronizing delivery of related parcels via a computerized locker bank
US11170085B2 (en) 2018-06-03 2021-11-09 Apple Inc. Implementation of biometric authentication
JP6994595B1 (en) 2020-09-29 2022-01-14 PayPay株式会社 Information processing equipment, information processing methods and information processing programs
KR102448625B1 (en) * 2021-12-30 2022-09-28 주식회사 디사일로 Method and system for detecting fraudulent transaction using homomorphic encrypted data

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP6728574B2 (en) * 2015-05-01 2020-07-22 株式会社リコー Communication system, communication method, communication device, and program
JP6390064B2 (en) * 2016-07-05 2018-09-19 株式会社日本総合研究所 Product purchasing system using pictorial symbols, product purchasing method and program thereof
JP6890202B1 (en) * 2020-09-29 2021-06-18 PayPay株式会社 Information processing equipment, information processing methods and information processing programs
JP7455898B2 (en) * 2022-06-03 2024-03-26 デジタルアーツ株式会社 Information processing device, authentication system, information processing method, and information processing program

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JPH04353972A (en) * 1991-05-31 1992-12-08 Nec Corp User certifying system
JPH10198636A (en) * 1997-01-13 1998-07-31 Nri & Ncc Co Ltd System and method for personal authentication
JP2002109436A (en) * 2000-09-29 2002-04-12 Casio Comput Co Ltd Credit card certification method, card certification equipment, and recording medium in which card certification program is recorded
JP2002298054A (en) * 2001-03-29 2002-10-11 J-Phone East Co Ltd User authentication method, settlement method, information processing method for user authentication, information processing method for settlement, information processing system for user authentication, information processing system for settlement, and program
JP2006033780A (en) * 2004-07-16 2006-02-02 Third Networks Kk Network authentication system using identification by calling-back

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2002091917A (en) * 2000-09-12 2002-03-29 Fuji Xerox Co Ltd Network security system and connection managing method utilizing the same
KR100412510B1 (en) * 2002-03-30 2004-01-07 한민규 An instant log-in method for authentificating a user and settling bills by using two different communication channels and a system thereof
JPWO2006018892A1 (en) * 2004-08-20 2008-05-01 禎亮 高坂 Telephone authentication system that prevents spoofing even if personal information is leaked
JP2008287321A (en) * 2007-05-15 2008-11-27 Mitsubishi Heavy Ind Ltd User authentication system, authentication server and network user authentication method

Cited By (54)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9830594B2 (en) 2011-05-17 2017-11-28 Ping Identity Corporation System and method for performing a secure transaction
US11200309B2 (en) 2011-09-29 2021-12-14 Apple Inc. Authentication with secondary approver
US10142835B2 (en) 2011-09-29 2018-11-27 Apple Inc. Authentication with secondary approver
JP2015503135A (en) * 2011-09-29 2015-01-29 アップル インコーポレイテッド Authentication by secondary approver
US10419933B2 (en) 2011-09-29 2019-09-17 Apple Inc. Authentication with secondary approver
US11755712B2 (en) 2011-09-29 2023-09-12 Apple Inc. Authentication with secondary approver
US10516997B2 (en) 2011-09-29 2019-12-24 Apple Inc. Authentication with secondary approver
JP2015519637A (en) * 2012-04-10 2015-07-09 アクセルズ テクノロジーズ (2009) リミテッド System and method for secure transaction processing by a mobile device
US10108963B2 (en) 2012-04-10 2018-10-23 Ping Identity Corporation System and method for secure transaction process via mobile device
JP2014039158A (en) * 2012-08-16 2014-02-27 Nec Biglobe Ltd Use control device, use control system, and use control method program
US10445682B2 (en) 2013-02-01 2019-10-15 United Parcel Service Of America, Inc. Systems and methods for parcel delivery to alternate delivery locations
JP2017220260A (en) * 2013-03-12 2017-12-14 ユナイテッド パーセル サービス オブ アメリカ インコーポレイテッドUnited Parcel Service of America, Inc. Systems and methods of managing item pickup at attended delivery/pickup locations
US10558942B2 (en) 2013-03-12 2020-02-11 United Parcel Service Of America, Inc. Systems and methods for returning one or more items via an attended delivery/pickup location
US10929806B2 (en) 2013-03-12 2021-02-23 United Parcel Service Of America, Inc. Systems and methods of managing item pickup at attended delivery/pickup locations
US11620611B2 (en) 2013-03-12 2023-04-04 United Parcel Service Of America, Inc. Systems and methods of locating and selling items at attended delivery/pickup locations
US10909497B2 (en) 2013-03-12 2021-02-02 United Parcel Service Of America, Inc. Systems and methods of reserving space attended delivery/pickup locations
US10783488B2 (en) 2013-03-12 2020-09-22 United Parcel Service Of America, Inc. Systems and methods of locating and selling items at attended delivery/pickup locations
US10521761B2 (en) 2013-03-12 2019-12-31 United Parcel Service Of America, Inc. Systems and methods of delivering parcels using attended delivery/pickup locations
US10402775B2 (en) 2013-03-12 2019-09-03 United Parcel Services Of America, Inc. Systems and methods of re-routing parcels intended for delivery to attended delivery/pickup locations
WO2014184771A1 (en) * 2013-05-15 2014-11-20 Visa International Service Association Methods and systems for provisioning payment credentials
US10198728B2 (en) 2013-05-15 2019-02-05 Visa International Service Association Methods and systems for provisioning payment credentials
US9736161B2 (en) 2013-06-17 2017-08-15 Thinkat Co., Ltd. Method and system for preventing information leakage based on telephone
JP2016529590A (en) * 2013-06-17 2016-09-23 シンクエーティー カンパニー リミテッドThinkat Co., Ltd. Information authentication method and system for telephone authentication infrastructure
US10217079B2 (en) 2013-10-14 2019-02-26 United Parcel Service Of America, Inc. Systems and methods for confirming an identity of an individual, for example, at a locker bank
US10210474B2 (en) 2013-10-14 2019-02-19 United Parcel Service Of America, Inc. Systems and methods for confirming an identity of an individual, for example, at a locker bank
US11182733B2 (en) 2013-10-14 2021-11-23 United Parcel Service Of America, Inc. Systems and methods for confirming an identity of an individual, for example, at a locker bank
US11562318B2 (en) 2013-10-14 2023-01-24 United Parcel Service Of America, Inc. Systems and methods for conveying a parcel to a consignee, for example, after an unsuccessful delivery attempt
US10410164B2 (en) 2014-11-14 2019-09-10 United Parcel Service Of America, Inc Systems and methods for facilitating shipping of parcels
US10410165B2 (en) 2014-11-14 2019-09-10 United Parcel Service Of America, Inc. Systems and methods for facilitating shipping of parcels for returning items
US9781105B2 (en) 2015-05-04 2017-10-03 Ping Identity Corporation Fallback identity authentication techniques
JP2018533131A (en) * 2015-09-17 2018-11-08 マスターカード インターナシヨナル インコーポレーテツド Authentication service customer data management method and system
JP6072954B1 (en) * 2016-03-02 2017-02-01 株式会社リクルートホールディングス Authentication processing apparatus and authentication processing method
WO2017150083A1 (en) * 2016-03-02 2017-09-08 株式会社リクルートホールディングス Authentication processing device and authentication processing method
US10425400B2 (en) 2016-08-17 2019-09-24 Fujitsu Limited Information processing apparatus, non-transitory computer-readable storage medium, and information processing method
EP3285456A1 (en) 2016-08-17 2018-02-21 Fujitsu Limited Information processing apparatus, non-transitory computer-readable storage medium, information processing method, and information processing system
JP2018036790A (en) * 2016-08-30 2018-03-08 エヌ・ティ・ティ・コミュニケーションズ株式会社 Authentication device, identity confirmation method, and program
US11587020B2 (en) 2016-08-31 2023-02-21 United Parcel Service Of America, Inc. Systems and methods for synchronizing delivery of related parcels via computerized locker bank
US10600022B2 (en) 2016-08-31 2020-03-24 United Parcel Service Of America, Inc. Systems and methods for synchronizing delivery of related parcels via a computerized locker bank
JP2018195023A (en) * 2017-05-16 2018-12-06 ヤフー株式会社 Determination device, determination method, and determination program
JP6355797B1 (en) * 2017-05-16 2018-07-11 ヤフー株式会社 Determination apparatus, determination method, and determination program
US10783227B2 (en) 2017-09-09 2020-09-22 Apple Inc. Implementation of biometric authentication
US10872256B2 (en) 2017-09-09 2020-12-22 Apple Inc. Implementation of biometric authentication
US11765163B2 (en) 2017-09-09 2023-09-19 Apple Inc. Implementation of biometric authentication
US10410076B2 (en) 2017-09-09 2019-09-10 Apple Inc. Implementation of biometric authentication
US11386189B2 (en) 2017-09-09 2022-07-12 Apple Inc. Implementation of biometric authentication
US11393258B2 (en) 2017-09-09 2022-07-19 Apple Inc. Implementation of biometric authentication
US10521579B2 (en) 2017-09-09 2019-12-31 Apple Inc. Implementation of biometric authentication
US10395128B2 (en) 2017-09-09 2019-08-27 Apple Inc. Implementation of biometric authentication
US11170085B2 (en) 2018-06-03 2021-11-09 Apple Inc. Implementation of biometric authentication
US11928200B2 (en) 2018-06-03 2024-03-12 Apple Inc. Implementation of biometric authentication
JP2022056329A (en) * 2020-09-29 2022-04-08 PayPay株式会社 Information processing apparatus, information processing method and information processing program
JP6994595B1 (en) 2020-09-29 2022-01-14 PayPay株式会社 Information processing equipment, information processing methods and information processing programs
KR102448625B1 (en) * 2021-12-30 2022-09-28 주식회사 디사일로 Method and system for detecting fraudulent transaction using homomorphic encrypted data
WO2023128341A1 (en) * 2021-12-30 2023-07-06 주식회사 디사일로 Method and system for fraudulent transaction detection using homomorphically encrypted data

Also Published As

Publication number Publication date
JP5655246B2 (en) 2015-01-21
JPWO2011074500A1 (en) 2013-04-25

Similar Documents

Publication Publication Date Title
JP5655246B2 (en) Mobile authentication agent system and mobile authentication agent method
RU2608002C2 (en) Handling encoded information
KR101078173B1 (en) Assured payment system using mobile phones and the payment system, payment methods using
KR100858144B1 (en) User authentication method in internet site using mobile and device thereof
JP2002074188A (en) Method and device for registering member information, method and device for certifying member and server computer
US10810820B2 (en) Payment system using biometric data having security secured, and biometric data registration system
EP1852816A1 (en) Network settling card, network settling program, authentication server, and shopping system and settling method
JP4278404B2 (en) Mobile information terminal payment method and mobile information terminal payment system
JP4588529B2 (en) Service system and optimum service providing method
JP2001338251A (en) Card-authenticating method, settlement method using the card, settlement method for electronic commercial transaction, provider for the electronic commercial transaction, communication terminal equipment and storage medium
KR101139407B1 (en) Security authentication method and system
KR20020021853A (en) Method for shopping, settlement, and delivery of gift by internet service
JP2008059356A (en) System for settling by credit card
JP4071445B2 (en) Transaction mediation system, transaction mediation apparatus and program
JP4463497B2 (en) Point management system
KR20000037267A (en) System and method for internet certificating client using finger pattern
WO2018164243A1 (en) Transaction support program and system
JP2004102875A (en) Settlement processing device, system, method and program, and recording medium recorded with the program
JP2008046717A (en) Settlement system utilizing mobile terminal
JP2002229956A (en) Biometrics certification system, biometrics certification autority, service provision server, biometrics certification method and program, and service provision method and program
KR101169181B1 (en) Payment processing system and control method thereof, and payment processing agency server comprised in the system and control method thereof
JP2005275923A (en) Individual authentication method at the time of card settlement, individual authentication system at the time of card settlement, shop information processing system, credit-card company information processing system, portable terminal, and program therefor
JP2003187170A (en) Authentication processing system and authentication processing method using cellular phone
KR102300754B1 (en) Living related method management method according to offile transaction, information transmitting apparauts for managing the same living related method, justification verificartion method regarding the offilne transaction, and infortmation transmitting apparatus for proceeding the justification verificartion
JP3689071B2 (en) Recipient authentication method for bank transfer

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 10837527; Country of ref document: EP; Kind code of ref document: A1)
WWE Wipo information: entry into national phase (Ref document number: 2011546094; Country of ref document: JP)
NENP Non-entry into the national phase (Ref country code: DE)
122 Ep: pct application non-entry in european phase (Ref document number: 10837527; Country of ref document: EP; Kind code of ref document: A1)