WO2012130035A1 - Method for user authentication and authorization, and system for implementing it - Google Patents


Info

Publication number
WO2012130035A1
Authority
WO
WIPO (PCT)
Prior art keywords
user
authentication
service server
identity
password
Prior art date
Application number
PCT/CN2012/072224
Other languages
English (en)
Chinese (zh)
Inventor
王冬梅
Original Assignee
Wang Dongmei
Application filed by Wang Dongmei

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/321 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving a third party or a trusted authority
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/102 Entity profiles

Definitions

  • The present invention relates to the field of communications technologies, and in particular to a method for user authentication and authorization and a system for implementing it.
  • A service provider generally has its own authentication and authorization center, which manages the subscription information of the users in its network. After a user signs a contract, the authentication and authorization center stores the user's subscription information.
  • The service server performs user authentication through the authentication and authorization center and authorizes the user according to the subscription information.
  • When providing an online business hall service, a telecom operator generally authenticates a user as legitimate by mobile phone number + random mobile phone password, by mobile phone number + service password, or by mobile phone number + random mobile phone password + service password.
  • The most common of these is the login mode of mobile phone number + random mobile phone password.
  • Step 1: After the user enters the URL of the service provider at the client terminal 10, the client obtains the login interface from the service server 20. The interface asks for the user's mobile phone number and a random SMS password, and carries a button for requesting the random SMS password.
  • Step 2: The user enters his mobile phone number on the login interface of the client terminal 10 and clicks the button for requesting the random SMS password.
  • Step 3: The client 10 then sends a random password request message to the service server of the service provider in the network.
  • The message contains the user's own mobile phone number.
  • Step 4: The service provider's service server 20 randomly generates a random password for the user's mobile phone number, saves it, and sends it to the user's mobile phone in a short message.
  • Step 5: The user reads the short message on his mobile phone, enters the received random password into the login interface, and clicks the login button, which sends a login request to the service server.
  • The login request contains the mobile phone number and the random password.
  • Step 6: The service server 20, through its subscription database and certification authority 30, compares the received random password with the saved random password. If they are the same, the user identity is considered legal; otherwise it is considered illegal. If the user identity is legal, the service server 20 sends a service access response to the user's client 10.
  • With the above network user authentication method, anyone holding the user's mobile phone can use the services provided by the network service provider. If the user's mobile phone is lost, stolen or not carried, the person using the mobile phone may not be the user himself, so the user's services and information cannot be effectively protected.
  • The technical problem to be solved by the present invention is to provide a method for user authentication and authorization, and a system for implementing it, that overcome the defects described in the background art and can effectively protect the security of user information and network services.
  • The present invention provides a method of user authentication and authorization, the method comprising:
  • the client initiates a service access request that includes user identity information, for example a username, an account name or a user ID;
  • the service server determines, according to the user identity information, whether the user is a subscription user, and if so selects from the user's subscription information the communication mode of at least one social relationship user, such as the social relationship user's mobile phone number, e-mail address, landline telephone or instant messaging address;
  • this communication mode is used as the authentication end;
  • the service server determines the legality of the user identity according to the information provided by the authentication end;
  • if the identity is legal, the service server authorizes the user and performs the corresponding service access response.
  • In a first form, the service server determines the legality of the identity of the user end according to the information provided by the authentication end as follows:
  • the service server sends a user identity authentication and authorization query to the authentication end;
  • the authentication end replies to the service server with the result of the inquiry;
  • the service server processes the query result replied by the authentication end and determines whether the identity of the client is legal.
  • In a second form, the service server determines the legality of the identity of the user end according to the information provided by the authentication end as follows:
  • the service server examines the received service access request; if the request includes a password or feature string of the user end, the service server waits for the authentication end to send an authentication message;
  • the authentication end submits to the service server the authentication command word or feature string negotiated in advance with the client;
  • the service server compares the password or feature string sent by the user end with the authentication command word or feature string submitted by the authentication end; if they match, the user end is considered legal, otherwise illegal.
  • In a third form, the service server determines the legality of the identity of the user end according to the information provided by the authentication end as follows:
  • the service server selects a feature string or generates a random password, sends it to the client, and sends a user identity authentication and authorization query to the authentication end;
  • the user end sends the received feature string or random password to the authentication end;
  • the service server examines the query result replied by the authentication end; if the query result includes the feature string or random password that the service server sent to the client, the identity of the client is considered legal, otherwise illegal.
  • In a fourth form, the service server determines the legality of the identity of the user end according to the information provided by the authentication end as follows:
  • the service server selects a feature string or generates a random password and sends it to the authentication end;
  • the authentication end sends the feature string or random password to the user end;
  • the user end sends the feature string or random password to the service server; if the feature string or random password that the service server receives from the user end matches the information the service server sent to the authentication end, the user identity is considered legal, otherwise illegal.
  • The present invention also provides a system for implementing user authentication and authorization, the system comprising: the client, the service server, and, as the authentication end, the communication mode of at least one social relationship user (such as the social relationship user's mobile phone number, e-mail address, fixed telephone or instant messaging address) left by the user when signing up for the service.
  • When the user initiates a service access request, the service server judges according to the user's information whether the user is a contracted user, and if so selects from the user's subscription information the communication mode of at least one social relationship user as the authentication end and determines the legality of the user identity according to the information provided by the authentication end.
  • If the identity is legal, the service server authorizes the client and performs the corresponding service access response.
  • In the system, the service server may determine the legality of the identity of the user end according to the information provided by the authentication end as follows:
  • the service server sends a user identity authentication and authorization query to the authentication end;
  • the authentication end replies to the service server with the result of the inquiry, for example by IVR: the service server prompts the user of the authentication terminal by voice to press a key and confirm (for example, pressing '1' confirms the authorization and pressing '2' rejects it);
  • the service server processes the query result replied by the authentication end and determines whether the identity of the client is legal.
  • The communication address of at least one social relationship user, taken from the information left by the user when signing up for the service, is selected as the authentication end, and the service server judges the user end according to the information provided by the authentication end.
  • FIG. 1 is a schematic flowchart of a user authentication and authorization method in the prior art.
  • FIG. 2 is a schematic structural diagram of a user authentication and authorization system in the prior art.
  • FIG. 3 is a schematic flowchart of a method for user authentication and authorization according to the present invention.
  • FIG. 4 is a schematic diagram of a system structure for implementing user authentication and authorization according to the present invention.
  • FIG. 5 is a schematic diagram of the process according to a first embodiment of the present invention.
  • FIG. 6 is a schematic diagram of the process according to Embodiment 2 of the present invention.
  • FIG. 7 is a schematic diagram of the process according to a third embodiment of the present invention.
  • FIG. 8 is a schematic diagram of the process according to a fourth embodiment of the present invention.
  • This embodiment provides a method for user authentication and authorization and a system for implementing it.
  • The system includes a client terminal 40, a service server 50, and, as the authentication end 60, the communication address of at least one social relationship user selected from the social relationship information (friends, relatives and the like) left by the user when signing up for the service, such as the social relationship user's mobile phone number, e-mail address, fixed telephone or instant messaging address.
  • The authentication end 60 may be a single communication mode of one social relationship user left by the user at sign-up, or several communication modes of several social relationship users, for example a mobile phone number and an e-mail address at the same time. FIG. 4 therefore shows a first social-relationship authentication end, ..., up to an n-th social-relationship authentication end.
  • Authentication of different strengths can thus be used for different levels of user authorization.
  • Step 1: The user sends a service access request from the client terminal 40 to the service server 50, indicating that he wants to use the services and applications provided by the service server; the request includes the user identity information.
  • Step 2: The service server 50 checks, according to the user identity information, whether the user is a contracted user.
  • Step 3: If the user is a subscription user, the service server selects from the subscription information the communication mode of at least one social relationship user as the authentication end and performs authentication.
  • Step 4: The service server 50 determines the legality of the identity of the client 40 according to the information provided by each authentication end 60.
  • Step 5: If the identity of the client is legal, the service server 50 authorizes the client 40 and performs the corresponding service access response; that is, the client 40 is allowed to access the service server and use the services and applications it provides. Otherwise the client is not allowed to access the service server.
  • Each authentication end 60 may also provide authorization information to the service server 50; after integrating the authentication and authorization information provided by the authentication ends, the service server 50 determines the authorization level granted to the client 40.
  • The service server 50 may also update the user's social relationship information, such as friends and relatives, from third-party business application information such as a network address book.
  • The service server 50 may give different authentication ends different weights; for example, some authentication ends may be given a one-vote veto.
  • The client may also specify in the service access request which social relationships are to be used for this authentication.
  • The user identity information in the service access request may be a username, an account name, a user ID or similar.
  • After the final authentication and authorization conclusion is reached, a notification may be sent to the authentication end informing it of the result.
  • How the service server 50 determines the validity of the client's identity from the information provided by the authentication end is described in the following four embodiments.
  • In Embodiment 1, the service server directly sends a user identity authentication and authorization query to the selected authentication end of the user's social relationship, for example the mobile phone of a relative or friend, and the authentication end directly returns the result of the inquiry to the service server.
  • The service server processes the query results to reach a user authentication conclusion. For example, if more than half of the authentication ends reply that they confirm the user, the service server passes the user's authentication and authorization; otherwise the authentication and authorization fails.
  • The service server may also take the authentication end's feedback as passing the authentication and authorization by default; in that case it only sends the authentication end a notification that the user has initiated a service request. After the service server obtains the authentication and authorization conclusion, it sends a service access response to the client.
  • Take an existing bank card user as an example. When the bank card account password needs to be reset for a reason of the user's, the existing bank card user generally operates at an automated teller machine with the password, or performs user authentication on the network with a token card + username / password.
  • If the user has forgotten his or her password, the user must go to the bank counter in person, present the original ID card, and submit the ID card and other information to change the password; the bank must verify the user's identity, and only after one week can the user confirm whether the password change succeeded.
  • With the present method, the bank's server directly sends a user identity authentication and authorization query to the selected authentication end of the user's social relationship, for example the mobile phone of a relative or friend; that is, the bank automatically notifies the user's relatives and friends, who verify and confirm the legality of the identity of the user submitting the operation request.
  • If confirmed, the bank allows the user to reset the password, eliminating the need for the user to go to the business hall in person, submit personal data and wait a week for confirmation, so the bank password reset service becomes fast and secure.
  • When a user opens an account with a bank and obtains a bank account number, he or she leaves not only his or her own contact number but also the contact mobile number or e-mail address of at least one friend or relative.
  • When the user forgets the account password and needs to reset it, the user sends a mobile phone message to the bank's service server containing: user name, the user's bank account number, the operation instruction (request to reset the password), the new password, and a remarks description (e.g. "I am Wang Er, I forgot my password and need to reset it").
  • The bank's service server sends an SMS and/or e-mail to the two friends or relatives registered by the user, asking them to check whether the password reset request was made by Wang Er.
  • The message includes the user name, bank account number, requested operation and remarks, for example: "User 'Wang Er' has applied to reset the password of bank account 'XXXX'. Please check. Reply 1 to confirm a legitimate user, reply 2 to confirm an illegal operation. Remarks: 'I am Wang Er, I forgot my password and need to reset it.'"
  • The two friends or relatives each verify Wang Er's business operation request and reply to the bank's inquiry by SMS and/or e-mail, confirming whether the user who initiated the request is the user himself.
  • The bank's service server confirms whether the user is legitimate based on the replies of the two friends or relatives. If the user is legitimate, the password reset is performed; otherwise the user's business operation request is rejected.
  • In Embodiment 2, the service server checks, according to the user identity information, whether the user is a subscription user, and if so selects from the subscription information the communication mode of at least one social relationship user as the authentication end. The service server then examines the received service access request: if the request includes the user's own password or feature string, the service server waits for the authentication end to send an authentication message. The authentication end submits to the service server the authentication command word or feature string negotiated in advance with the user end. The service server compares the password or feature string sent by the client with the authentication command word or feature string submitted by the authentication end; if they match, the client's identity is considered legal, otherwise illegal.
  • The password or feature string submitted by the authentication end and by the user may be the same or different.
  • The authentication end may submit its password or feature string before the user sends the service access request, so that the server can authenticate the user quickly.
  • In Embodiment 3, the service server checks, according to the user identity information, whether the user is a subscription user, and if so selects from the subscription information the communication mode of at least one social relationship user as the authentication end. The service server then selects a feature string or generates a random password, sends it to the client, and sends a user identity authentication and authorization query to the authentication end. The client sends the received feature string or random password to the authentication end. The server examines the query result replied by the authentication end: if it includes the feature string or random password that the service server sent to the client, the user identity is considered legal, otherwise illegal.
  • The feature strings or random passwords used for different authentication ends may be the same or different.
  • In Embodiment 4, the service server checks, according to the user identity information, whether the user is a subscription user, and if so selects from the subscription information the communication mode of at least one social relationship user as the authentication end. The service server then selects a feature string or generates a random password and sends it to the authentication end; the authentication end sends the feature string or random password to the user end; the user end sends the feature string or random password to the service server. If the feature string or random password that the service server receives from the user end matches the information the service server sent to the authentication end, the user identity is considered legal, otherwise illegal.
  • The feature strings or random passwords used for different authentication ends may be the same or different.
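The following Python is added here as an illustration and is not part of the patent: it models the service server side of Embodiments 1, 3 and 4 above, with authentication ends selected from a constructed subscription record, the weighted majority and one-vote veto described for Embodiment 1, and the one-time random password relayed through the client (Embodiment 3) or through the authentication end (Embodiment 4). The user name, addresses, message wording and data layout are assumptions.

```python
import secrets
import hmac

# Constructed subscription database (not from the patent): each subscriber's
# record holds the communication addresses of social-relationship users left
# at sign-up. These addresses are the "authentication ends"; weight and veto
# model the different weights and the one-vote veto the description allows.
SUBSCRIPTIONS = {
    "wang_er": [
        {"addr": "sms:+86-139-0000-0001", "weight": 1, "veto": False},
        {"addr": "mailto:friend@example.com", "weight": 1, "veto": False},
        {"addr": "sms:+86-139-0000-0002", "weight": 1, "veto": True},
    ],
}


def select_auth_ends(user_id, requested=None):
    """Steps 2-3: check that the user is a subscriber and pick authentication
    ends. `requested` lets the client name which social relations to use."""
    ends = SUBSCRIPTIONS.get(user_id)
    if ends is None:
        return None
    if requested:
        ends = [e for e in ends if e["addr"] in requested]
    return ends


def build_query_text(user_id, operation, supplementary):
    """Embodiment 1 query text, carrying the supplementary fields the
    description mentions (time, IP address, terminal type) so the relative
    or friend can judge whether the request is plausible."""
    extra = ", ".join(f"{k}={v}" for k, v in sorted(supplementary.items()))
    return (f"User '{user_id}' requests: {operation} [{extra}]. "
            "Please check. Reply 1 to confirm the legitimate user, "
            "reply 2 to reject as an illegal operation.")


def decide_by_query(ends, replies):
    """Embodiment 1: each end replies '1' (confirm) or '2' (reject).
    A veto end replying '2' fails the request outright; otherwise the
    request passes when more than half of the total weight confirms.
    Missing or malformed replies count as non-confirmation."""
    total = sum(e["weight"] for e in ends)
    confirmed = 0
    for e in ends:
        reply = replies.get(e["addr"])
        if reply == "2" and e["veto"]:
            return False
        if reply == "1":
            confirmed += e["weight"]
    return confirmed * 2 > total


def issue_random_password(pending, user_id, mode, requested=None):
    """Server side of Embodiments 3 and 4: generate a one-time random password
    for this request and remember which party is expected to return it.
    mode 3: password goes to the client, who relays it to an authentication
            end; that end returns it to the server.
    mode 4: password goes to the authentication end, who relays it to the
            client; the client returns it to the server.
    Returns (request_id, password, ends) for out-of-band delivery, or None
    when the user is not a subscriber."""
    ends = select_auth_ends(user_id, requested)
    if not ends:
        return None
    request_id = secrets.token_hex(8)
    password = f"{secrets.randbelow(10 ** 6):06d}"   # 6-digit SMS-style code
    pending[request_id] = {"user": user_id, "ends": ends, "mode": mode,
                           "password": password, "used": False}
    return request_id, password, ends


def verify_relayed(pending, request_id, sender, password):
    """Check a returned password: known request, the returning party that the
    mode expects, constant-time comparison, and single use."""
    rec = pending.get(request_id)
    if rec is None or rec["used"]:
        return False
    if rec["mode"] == 3:
        allowed = sender in {e["addr"] for e in rec["ends"]}
    else:
        allowed = sender == rec["user"]
    if not allowed:
        return False
    if not hmac.compare_digest(rec["password"], password):
        return False
    rec["used"] = True
    return True
```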
  • The message sent by the service server to the authentication end may also carry supplementary information, such as the time and location of the service access request, the IP address, the terminal type and a descriptive text, to help each authentication end verify the user's identity.
  • The supplementary information may be taken directly from the service access request message sent by the client to the service server, or may be compiled by the service server from the service access request message and network information.
  • The supplementary information sent to different people may be the same or different.
  • The authentication-end-based method can also be combined with passwords, multi-factor authentication and the like. For example, after the user submits username / password information and that authentication passes, the service server can further select the communication mode of other social relationship users of the user as the authentication end for a further authentication.
  • After the service server reaches the final authentication and authorization conclusion, it can also send a notification to the authentication end informing it of the final result.
  • When a telecom operator provides an online business hall service and signs a contract with a user, the user leaves not only his or her own mobile phone number and/or e-mail address, but also the mobile phone number, e-mail address, instant messaging address or fixed telephone of at least one relative or friend.
  • This embodiment is described taking the mobile phone number as an example.
  • When the user logs in to the online business hall, the user must enter his mobile phone number and a random password, and must also enter the mobile phone number of a relative or friend in order to obtain the random SMS password and the relative-or-friend authentication password.
  • The mobile phone number of at least one relative or friend is registered in the contract.
  • After the client enters the service provider's web address, it obtains the login interface from the server, which asks for the user's mobile phone number, the random SMS password and the relative-or-friend authentication password, and carries a button for requesting the random SMS password. The user enters his mobile phone number on the client login interface and clicks that button. The client then sends a random password request message containing the user's own mobile phone number to the service provider's server in the network. The service provider's service server randomly generates a random password for the user's mobile phone number, saves it, and sends it to the user's mobile phone in a short message.
  • The service server also retrieves the mobile phone number of the relative or friend registered by the user, randomly generates a random password for that number, saves it, and sends it as the relative-or-friend authentication password to the relative or friend's mobile phone in a short message.
  • The user reads the short message to obtain the random password, contacts the relative or friend to obtain the relative-or-friend authentication password, enters both into the login interface, and clicks the login button to send the login request to the service server.
  • The login request contains the mobile phone number, the random password and the relative-or-friend authentication password.
  • The service server checks the received login request against the random password and the relative-or-friend authentication password it has stored. If the user is legitimate, the login succeeds; otherwise the user authentication fails and the login request is rejected.
  • E-commerce operations generally use a mobile phone short message password to verify the legitimacy of the user.
  • The e-commerce service provider sends a random message to the user's mobile phone by text message, and the user submits it over the network to confirm that he is a legitimate user.
  • If the phone is unavailable, the account cannot be accessed and no transactions can be made.
  • If the user's mobile phone is stolen or the SIM card is cloned, all of the user's account information can be changed, including the contact mobile number used for authentication. In this way, even if the user recovers his mobile phone, he has completely lost his online account.
  • A stolen phone or cloned SIM card thus leads to the leakage of critical information.
  • In this embodiment the user's legitimacy is still verified by the random password delivered through the existing mobile phone short message.
  • When the user needs to query or modify key sensitive information such as account information, transaction limit controls or the mobile phone number used for transaction confirmation, the e-commerce service provider automatically informs the user's relatives and friends by SMS, MMS or the like, and the relatives and friends verify and confirm that the user making the request is legitimate. After confirmation, the e-commerce service provider allows the user to query and modify the key sensitive information of the account.
  • The specific implementation process is as follows. When the user opens the e-commerce service, in addition to his own mobile phone number the user registers two relatives or friends and leaves their mobile phone numbers. When operating from his own client, the user logs in to the account and obtains daily transaction rights by means of a random password; this permission does not allow the user's account profile information to be queried or modified.
  • After the user clicks the 'acquire relative-and-friend authentication passwords' button on the client, the client sends a request message for the relative-and-friend authentication password to the service server of the e-commerce service provider.
  • The service server queries the user's account information, obtains the information of the user's relatives and friends, generates for each relative or friend a random password for querying the account data and a random password for modifying the account data, and sends them by short message to the mobile phones of the user's relatives and friends.
  • The user obtains from the two relatives or friends a random password that permits querying the account information, or one that permits modifying it, as the relative-and-friend authentication password, enters it in the client login interface, and clicks the login button; the client then sends the account login request to the server.
  • The request message contains the relative-and-friend authentication password.
  • The service server confirms that the received relative-and-friend authentication password is correct and accordingly upgrades the user's access authority, allowing the user to query the account profile information, or to query and modify it.
  • the above embodiment can also be applied in the process of authenticating a mobile phone card.
  • a mobile phone card For example, when a user's mobile phone is stolen or lost, the user generally needs to carry his/her ID card and personally add a SIM to the telecom operator's business hall. Card. The telecom operator must devote sufficient resources to review the identity of the user and serve the user's replenishment application. The user has spent a lot of time and effort because he has to go to the telecom business hall in person. At the same time, because users need to carry their own identity documents and copy copies at the telecom operators, the risk of personal identity data leakage is objectively increased.
  • SIM card When the method and system provided by the embodiment are used, it is only necessary to fill in a list of key social relationships such as contact numbers of friends and relatives in the account opening application of the telecommunication service when the user opens an account.
  • telecom operators can issue temporary payments like prepaid recharge cards.
  • SIM card to the retail store.
  • the temporary SIM card is only allowed to dial the special service number of the telecommunications carrier. After the user’s mobile phone is stolen or lost, he only needs to purchase a temporary SIM card at any retail store.
  • SIM calls the special service number, requests the temporary SIM card as the replacement card of the original phone number, and leaves a message 'I am XXX If the mobile phone is lost, you need to reissue the card.
  • the telecom operator notifies the user's relatives and friends through SMS, MMS, voicemail, etc., and verifies that the user confirms the legitimate user number of the original phone number, and confirms that the user has successfully completed the card.
  • the temporary SIM thus becomes the replacement card for the original telephone number.
  • the above embodiments can also be applied in the process of key information access control.
  • a company's key information assets are generally strictly protected to limit access by unrelated people.
  • the usual practice is for a company to establish a dedicated approval electronic stream and user group, to approve who has access to key information assets through electronic flow auditing, and to add people who have access and no access to different user groups. Only employees belonging to a specific user group can pass the enterprise IT The system accesses these key information assets.
  • the workload of managing these key information assets is very high because of the loss or replenishment of corporate personnel, the changing role of the participants, the mistakes of the staff responsible for deleting the members of the user group, and the fact that the enterprise does not allow access anytime, anywhere.
  • the enterprise employee can pass the enterprise at any time.
  • IT The network applies to read key information assets without the electronic flow approval process.
  • the management personnel are used as the authentication end, and the request for accessing the key information assets is sent to the management personnel of the information assets through SMS, mail, instant message, etc., because the management personnel knows whether the user is a legitimate user, and therefore, the authentication end of the management personnel is confirmed. If the authentication of the user is passed, the key information asset will allow the employee's reading request. It can be seen that the solution does not require electronic flow approval, and does not need to manage various user groups, so that the management of key information assets of the enterprise can timely match the changes of the enterprise.
  • the UE can also specify the scope of the authentication client in the service access request. For example, in the service access request initiated by the user to the service server, the user specifies the authenticator as 'father' and 'wife'. When the service server selects the authentication client for authentication, only the 'father' and 'wife' are selected, and both of them are required to be authenticated at the same time, indicating that the user authentication is passed.
  • the service server can update the social relationship information of the user's relatives and friends according to the third party's business application information such as a network address book.
  • the embodiment of the present invention select at least one social relationship mobile phone user and/or user information left by the user when signing the business service Or the e-mail user is used as the authentication end, and the service server judges the legality of the identity of the user end according to the information provided by the authentication end, overcomes the defects described in the background art, and effectively protects the security of the user information and the network service.
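As an added example (not code from the patent or its applicant), the following Python model of the service server carries the e-commerce embodiment and the 'father'/'wife' scope rule through in code: per-relative random codes at two privilege levels sent over a simulated SMS channel, single-use and time-limited, with an upgrade that succeeds only when every relative in scope has confirmed. The 6-digit code format, the 300 s validity window, the SMS text layout and all names are assumptions.

```python
import secrets
import time
from dataclasses import dataclass
# Added example, not the patent's code: e-commerce embodiment, names/format assumed.
DAILY, QUERY, MODIFY = "daily", "query", "modify"   # ordered privilege levels
RANK = {DAILY: 0, QUERY: 1, MODIFY: 2}

@dataclass
class Account:
    login_password: str
    relatives: dict          # relation label -> phone, e.g. {"father": "+86-138..."}
    level: str = DAILY       # current access authority
    scope: tuple = ()        # relatives that must all confirm the pending upgrade

class ServiceServer:
    def __init__(self, clock=time.time, ttl=300):
        self.accounts = {}
        self.pending = {}    # (user, relative, level) -> (code, expiry)
        self.sms_outbox = [] # simulated SMS channel: (phone, text)
        self.clock, self.ttl = clock, ttl

    def register(self, user, login_password, relatives):
        # account opening: the user leaves the phone numbers of relatives/friends
        self.accounts[user] = Account(login_password, dict(relatives))

    def login(self, user, password):
        acct = self.accounts.get(user)
        if acct is None or not secrets.compare_digest(acct.login_password, password):
            return False
        acct.level = DAILY   # normal login grants daily transaction rights only
        return True

    def request_relative_codes(self, user, scope=None):
        """One random query code and one modify code per relative in scope, by SMS."""
        acct = self.accounts[user]
        acct.scope = tuple(scope or acct.relatives)   # default: all registered relatives
        for name in acct.scope:
            for level in (QUERY, MODIFY):
                code = f"{secrets.randbelow(10**6):06d}"
                self.pending[(user, name, level)] = (code, self.clock() + self.ttl)
                self.sms_outbox.append((acct.relatives[name], f"{user} {level} code {code}"))

    def upgrade(self, user, level, codes):
        """codes: relation label -> code collected from that relative; all in scope must match."""
        acct = self.accounts[user]
        keys = [(user, name, level) for name in acct.scope]
        ok = bool(keys) and all(
            k in self.pending and self.clock() <= self.pending[k][1]
            and secrets.compare_digest(self.pending[k][0], codes.get(k[1], ""))
            for k in keys)
        for k in keys:                       # codes are single-use, even on failure
            self.pending.pop(k, None)
        if ok and RANK[level] > RANK[acct.level]:
            acct.level = level
        return ok
```

A failed or partial confirmation (one of the two relatives missing) burns the outstanding codes and leaves the access level unchanged, which is the behaviour a practitioner would want when the request itself may have come from a stolen phone.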

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Telephonic Communication Services (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)

Abstract

The present invention relates to a user authentication and authorization method and a system for implementing it. When the user end initiates a service access request, a service server checks, on the basis of the user's identity data, whether the user is a subscriber. If the user is a subscriber, the communication mode of at least one social-relationship user taken from the user's subscription data is selected as an authentication end; the service server determines, on the basis of the information provided by the authentication end, whether the user's identity is legitimate; if the user's identity is legitimate, the service server authorizes the user end and carries out the corresponding service access response. According to the method and the system for implementing it described in the present invention, by selecting the communication mode of at least one social-relationship user from the subscription data left by the user when subscribing to a service as the authentication end, and by having the service server determine, on the basis of the data provided by the authentication end, whether the identity of the user end is legitimate and authorize that end, the drawbacks encountered in the prior art are solved, and the security of user data and the network service are effectively guaranteed.
PCT/CN2012/072224 2011-04-01 2012-03-13 Procédé d'authentification et d'autorisation d'utilisateur, et système pour sa mise en œuvre WO2012130035A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201110081289.0 2011-04-01
CN201110081289.0A CN102111275B (zh) 2011-04-01 2011-04-01 一种用户认证授权的方法及其实现系统

Publications (1)

Publication Number Publication Date
WO2012130035A1 true WO2012130035A1 (fr) 2012-10-04

Family

ID=44175310

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2012/072224 WO2012130035A1 (fr) 2011-04-01 2012-03-13 Procédé d'authentification et d'autorisation d'utilisateur, et système pour sa mise en œuvre

Country Status (2)

Country Link
CN (1) CN102111275B (fr)
WO (1) WO2012130035A1 (fr)

Also Published As

Publication number Publication date
CN102111275A (zh) 2011-06-29
CN102111275B (zh) 2014-12-03

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 12763055

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 12763055

Country of ref document: EP

Kind code of ref document: A1