WO2016129454A1 - Système de plateforme d'authentification biométrique, dispositif de gestion d'informations d'authentification biométrique, procédé de gestion d'informations d'authentification et programme de gestion d'informations d'authentification biométrique - Google Patents

Système de plateforme d'authentification biométrique, dispositif de gestion d'informations d'authentification biométrique, procédé de gestion d'informations d'authentification et programme de gestion d'informations d'authentification biométrique Download PDF

Info

Publication number
WO2016129454A1
WO2016129454A1 PCT/JP2016/053037 JP2016053037W WO2016129454A1 WO 2016129454 A1 WO2016129454 A1 WO 2016129454A1 JP 2016053037 W JP2016053037 W JP 2016053037W WO 2016129454 A1 WO2016129454 A1 WO 2016129454A1
Authority
WO
WIPO (PCT)
Prior art keywords
information
biometric
authentication
original
user
Prior art date
Application number
PCT/JP2016/053037
Other languages
English (en)
Japanese (ja)
Inventor
愼一郎 須田
Original Assignee
エヌ・ティ・ティ・インターネット株式会社
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by エヌ・ティ・ティ・インターネット株式会社 filed Critical エヌ・ティ・ティ・インターネット株式会社
Publication of WO2016129454A1 publication Critical patent/WO2016129454A1/fr

Links

Images

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31User authentication
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31User authentication
    • G06F21/32User authentication using biometric data, e.g. fingerprints, iris scans or voiceprints
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/45Structures or tools for the administration of authentication

Definitions

  • the present invention relates to a biometric authentication platform system, a biometric authentication information management apparatus, a biometric authentication information management method, and a biometric authentication information management program.
  • This application claims priority based on Japanese Patent Application No. 2015-026665 for which it applied to Japan on February 13, 2015, and uses the content here.
  • biometric authentication systems have been improved in recognition accuracy due to technological advances, and there are many cases of commercial introduction in ATM terminals of banks.
  • This biometric authentication system has the advantage that it is not forgotten like an IC card or a password, and forgery is difficult.
  • Japanese Patent Application Laid-Open No. 2011-154415 discloses a technique related to a biometric authentication system.
  • the present invention has been made in view of the circumstances described above, and provides a biometric authentication platform system, a biometric authentication information management apparatus, a biometric authentication information management method, which provides a biometric authentication service that is economical, popular, and safe. Another object is to provide a biometric information management program.
  • One aspect of the present invention is based on a management unit that manages original correspondence information corresponding to an original of biometric information used when performing biometric authentication of a user with a plurality of services, and the user's biometric information received from the plurality of services.
  • a registration unit that registers the original correspondence information managed by the management unit, the registration unit corresponding to the original based on the biometric information of the user based on a time stamp of the received biometric information of the user. It is a biometric authentication platform system that determines whether or not to register information.
  • the time stamp includes at least information indicating an acquisition date and time when the received biometric information of the user is acquired by a terminal equipped with a sensor function. .
  • the registration unit includes the acquisition date and time of the received user biometric information and the transmission date and time when the biometric information is transmitted from any of the plurality of services. Alternatively, it is determined whether or not to register the original correspondence information based on the biometric information based on a difference from the reception date and time received from any of the plurality of services.
  • the registration unit is configured such that a difference between the acquired date / time of the received user's biometric information and the transmission date / time or the reception date / time is less than a predetermined time.
  • the original correspondence information based on the biometric information is registered, and if it is a predetermined time or more, the original correspondence information based on the biometric information is not registered.
  • the registration unit is capable of identifying the terminal that has acquired the received biometric information of the user, credit information of the user, or contract information of the user Based on the above, it is determined whether or not to register the original correspondence information based on the biometric information of the user.
  • the registration unit registers the original correspondence information for specific biometric information regardless of a time stamp of the biometric information.
  • the registration unit accepts an input of a user's biometric information for registration as the original correspondence information at each input device of the plurality of services. Based on the biometric information of the person, it is determined whether or not to register the original correspondence information based on the biometric information of the user.
  • the registration unit includes the original correspondence information corresponding to the reception person who is managed by the management unit.
  • the original correspondence information based on the biometric information of the user received by the reception staff is registered, and when it is determined that there is no identity, the user received by the reception staff The original correspondence information based on the biometric information is not registered.
  • a management unit that manages original correspondence information corresponding to an original of biometric information used when performing biometric authentication of a user with a plurality of services, and user biometric information received from the plurality of services
  • a registration unit for registering the original correspondence information managed by the management unit, the registration unit based on the biometric information of the user based on a time stamp of the received biometric information of the user.
  • the biometric authentication information management apparatus determines whether or not to register original correspondence information.
  • Another aspect of the present invention is a biometric information management method in a biometric information management apparatus, in which a management unit supports original data corresponding to an original biometric information used when performing biometric authentication of a user with a plurality of services.
  • the biometric authentication information management method determines whether or not to register the original correspondence information based on the biometric information of the user based on the received time stamp of the biometric information of the user.
  • a management procedure for managing original correspondence information corresponding to an original of biometric information used when performing biometric authentication of a user with a plurality of services in a computer as a biometric authentication information management device Biometric authentication information management for executing a registration procedure for determining whether or not to register the original correspondence information based on the biometric information of the user based on time stamps of the biometric information of the user received from a plurality of services It is a program.
  • the figure which shows an example of a biometrics authentication function table The operation
  • the flowchart which shows an example of the process which controls whether execution of an authentication process is permitted according to a utilization purpose.
  • the flowchart which shows an example of the double registration prohibition process of biometrics original information.
  • the 2nd explanatory view explaining the outline of the use scene of a biometrics PF system.
  • the biometric authentication platform system is not a system that is completed for each service provided by a company or the like, but is provided as a social platform system that can be shared by a plurality of services.
  • the platform system is a shared use type system having a basic function.
  • the platform system can share and use various types of information and functions within the system, but it is affected by being able to guarantee independence from others other than those registered with the system and other systems that are not compatible with the system. Can not be.
  • the platform system can receive a connection access for use from a front system or a host system corresponding to the system, and can stably provide a predetermined function or service.
  • the platform system may be constructed as one of ICT (Information and Communication Technology) systems.
  • the social platform system is a platform system having a basic function that enables multiple organizations, companies, individuals, organizations, communities, local governments, etc. to share information and use services. For example, “Social IT-PF System ( Social information technology platform system) ”.
  • the biometric authentication platform system provides a biometric authentication service by sharing and using biometric information in a plurality of services as a social platform system.
  • the biometric authentication platform system according to the present embodiment has the following characteristics. (1) Since it can be shared by a plurality of companies, etc., the biometric authentication function can be changed from individual optimization to centralization, and from single-purpose to multi-purpose. And multipurpose use). (2) It is not necessary to have original correspondence information corresponding to the original biometric information for authentication for each use system, and originality can be guaranteed. In other words, the biometric authentication function can be unified and multi-purpose oriented, and guarantee of original unity can be realized (original unity guarantee).
  • the original correspondence information may be bare information (for example, uncoded image information) of biometric information that is the original, or may be information in which the biometric information that is the original is encoded. Alternatively, it may be information converted into other information associated with the biometric information as the original.
  • this original correspondence information is also referred to as “biometric authentication original information”, or simply “original” or “original information”.
  • biometric authentication original information or simply “original” or “original information”.
  • biometric authentication platform system is also abbreviated as “biometric authentication PF system”.
  • FIG. 1 is an explanatory diagram for explaining the positioning of the biometric authentication PF system according to the present embodiment.
  • the individual service is a service (hereinafter also referred to as “individual service”) provided by each of a plurality of organizations, companies, individuals, groups, communities, local governments, and the like used by the user.
  • individual services are divided into individual services provided by government agencies (countries, local governments, etc.), industry (private companies, etc.), schools (education, research institutions, etc.), and others (individuals, communities, etc.). It is done.
  • the biometric authentication PF system is a part of the social platform system, and the individual services can be regarded as the same or the same.
  • the biometric authentication service is provided from each individual service so that the biometric authentication service can be similarly provided to any of the individual services belonging to government agencies, industry, schools, and others. It has functions necessary for shared use (through function).
  • the social platform system is widely used by harmonizing the social IT-PF system, the social behavior system, and the social system.
  • the social platform system is a social IT-PF system.
  • a function is provided in which a user performs pre-registration of biometric authentication original information to a social IT-PF system (biometric authentication PF system) via an individual service.
  • biometric authentication PF system biometric authentication PF system
  • a function is provided for notifying the user of an authentication result from the social IT-PF system (biometric authentication PF system) via the individual service.
  • it is a platform system, it is a business model in which individual services exist with users. In other words, there are both a case where an end user uses an intermediate service between a platform system and an end user, and a case where an end user directly uses the platform system (details will be described later).
  • FIG. 2 is an explanatory diagram showing more specifically the positioning of the biometric authentication PF system according to the present embodiment.
  • the user layer the individual service layer, the platform layer, the network layer, and the terminal layer are shown separately.
  • the network layer shows a communication network NW that is a base (infrastructure) of information transmission in this configuration.
  • the terminal layer shows the terminal 50 used by the user.
  • the platform layer includes a business platform layer including a business platform system 200 for each business area (an example of a first platform system; hereinafter, abbreviated as “business PF system 200”), and the present embodiment.
  • the biometric authentication PF system 300 is further divided into two layers: a biometric authentication platform layer including the biometric authentication PF system 300.
  • the business PF system 200 is equipped with a necessary business service function specialized for a target market or a target individual service.
  • the biometric PF system 300 does not specialize in the market and individual services, and is equipped with general-purpose functions, so-called subordinate functions.
  • the biometric authentication PF system 300 is configured as one logical server device (an example of a biometric authentication information management device) by combining a plurality of computer devices using cloud computing.
  • the biometric authentication PF system 300 may be configured as a single logical server device (an example of a biometric authentication information management device) by a single computer device.
  • the individual service layer indicates each individual service provided by the individual application system 100 (hereinafter also abbreviated as “individual AP system 100”) from each individual service provider.
  • the individual AP system 100 includes “medical care, nursing care, and health care (for elderly and late elderly)”, “for theme parks”, “for educational institutions”, “for electronic administration”, “IT operator authentication”, Provide individual services by government agencies, industry, schools, and others, such as “for robots”, “identification”, “shopping for daily necessities and foods (for elderly and late elderly)”, etc.
  • the user layer shows users who use the above-mentioned individual services. For example, those who receive administrative services, those who receive care, those who receive medical care, those who receive medical care, those who receive health care, those who are healthy, There are various people, such as those who study, those who are unidentified.
  • biometrics PF system 300 since a user needs user registration with respect to biometrics PF system 300 in order to use the biometric authentication service which concerns on this embodiment, below, the user who uses biometrics PF system 300 is "registered.” Sometimes referred to as "person".
  • the biometric authentication PF system 300 handles various types of biometric authentication information in an integrated manner and performs operations related to biometric authentication information.
  • FIG. 3 is a diagram showing a use case of the biometric PF system according to the present embodiment.
  • biometric authentication PF system 300 There are various individual services that can use the biometric authentication PF system 300.
  • the horizontal axis indicates “public use (use by government offices)” or “private use (use by private companies)”, and the vertical axis shows “pursuit of a safe society” or “pursuit of a convenient and friendly society”.
  • 11 use cases and respective use cases are shown at positions corresponding to the horizontal axis and the vertical axis, respectively.
  • the biometric authentication PF system 300 can be used for many other individual services due to the market trend, the progress of services, the interaction of technological progress, and the like.
  • FIG. 4 is an explanatory diagram for explaining the characteristics of the connection configuration of the biometric PF system according to the present embodiment.
  • A-1 system, A-2 system,... An system “B-1 system, B-2 system,... Bn system”, “Z-1 system, Z- system” 2 systems, ... Zn system "(where n is a positive integer. N may vary depending on the system) is a plurality of individual services.
  • biometric authentication is performed for each individual service, For each individual service, it is necessary to register each biometric authentication original information and provide each biometric authentication function (face authentication function, palm vein authentication function, etc.).
  • the biometric PF system 300 includes biometric authentication original information and each biometric authentication function in a unified manner, and provides a biometric authentication service in common to each individual service.
  • the biometric authentication PF system 300 is configured so that each biometric authentication original information and each biometric authentication original information and each of the individual biometric authentication original information of a specific person, even when there are a plurality of individual services (systems to be used) to be used.
  • the biometric authentication function can be integrated and managed without duplication.
  • since the biometric authentication PF system 300 provides biometric authentication as a platform system, there is no difference between public use and private use, and convenience and pursuit of safety. It can be used for multiple purposes.
  • FIG. 5 is an explanatory diagram illustrating a connection configuration example of the biometric PF system according to the present embodiment.
  • the biometric PF system 300 since the biometric PF system 300 is a platform system, it has a powerful position under the edge and cooperates with the business PF system 200.
  • the business PF system 200 has a business function to be shared in a certain business area and a certain market.
  • the individual AP system 100 has a function for a specific company to execute the business purpose of the company on the business PF system 200.
  • three examples of form 1, form 2, and form 3 will be described as connection configuration examples.
  • the biometric authentication PF system 300 is connected to the business PF system 200 via the communication network NW, and further connected to the individual AP system 100 via the communication network NW.
  • the biometric authentication PF system 300 is connected to the individual AP system 100 via the communication network NW.
  • the individual service provided from the individual AP system 100 is used by the user in the terminal 50 connected to the individual AP system 100 via the communication network NW (for example, Registration of biometric original information, notification of biometric authentication results, etc.).
  • the biometric authentication PF system 300 is directly connected to the user terminal 50 via the communication network NW. In this case, it is assumed that the terminal 50 is loaded with an application program for providing an individual service.
  • the terminal 50 may be a device owned by an individual user, or may be a device installed in a facility of the individual AP system 100.
  • the terminal 50 includes an input device that can input biometric information at the time of authentication, a registration device that can register biometric authentication original information, and a display device that displays an authentication result.
  • the terminal 50 may be a single device in which the input device, the registration device, and the display device are integrated, or may be a device in which each device is configured separately. .
  • FIG. 6 is an explanatory diagram for explaining the characteristics of the configuration of the biometric authentication PF system according to the present embodiment.
  • the biometric authentication PF system 300 includes an authentication service management function unit 310, a user management function unit 320, an authentication data management function unit 330, and an authentication function library function unit 340.
  • the authentication service management function unit 310 is positioned to manage the biometric authentication PF system 300 as a whole, and controls and manages operations of the user management function unit 320, the authentication data management function unit 330, and the authentication function library function unit 340.
  • the authentication service management function unit 310 has a function of a communication interface that connects to the business PF system 200, the individual AP system 100, or the terminal 50 via the communication network NW. Receive biometric information and send biometric authentication results.
  • an API application interface
  • DI data interface
  • direct communication with the end user terminal 50 are performed.
  • a minimum necessary interface is defined for a UI (user interface) used when performing the process.
  • the interface of the installed biometric authentication function should not be changed. In other words, either one that is not subject to regulation or one that takes encapsulation means is employed.
  • the user management function unit 320 includes personal information (address, name, age, gender, company name, etc.), communication connection ID, as registrant information of a user (ie, registrant) registered in the biometric PF system 300. (IP address etc.), contract information, service information, etc. are managed.
  • the authentication data management function unit 330 safely manages the registered biometric original information by a plurality of mechanisms.
  • the authentication function library function unit 340 includes various biometric authentication function vendor products as a library, and selects a corresponding authentication function in the library according to the content of the authentication request. These various biometric authentication functions may be prepared and installed independently in the biometric PF system 300, but there are a plurality of the latest functions of each vendor of development and provision of the biometric authentication function. By installing various types, it is possible to improve the general versatility, convenience, economy, social spread, and authentication accuracy of the system.
  • FIG. 7 is a block diagram illustrating an example of a configuration of the biometric PF system 300 according to the present embodiment.
  • the biometric authentication PF system 300 includes an authentication service management function unit 310, a user management function unit 320, an authentication data management function unit 330, and an authentication function library function unit 340. .
  • the authentication service management function unit 310 includes a communication processing unit 311, a registration unit 314, an authentication permission unit 315, an authentication result acquisition unit 316, and a control information storage unit 318.
  • the communication processing unit 311 includes a reception unit 312 and a transmission unit 313, and transmits and receives information to and from the terminal 50, the individual AP system 100, and the business PF system 200 according to a prescribed communication interface.
  • the receiving unit 312 receives user registration information for using the biometric PF system 300 from any of a plurality of individual services.
  • the user registration information includes user identification information, user personal information (address, name, age, gender, etc.) and other information related to the user.
  • the receiving unit 312 receives the biometric information of the user and the identification information of the user transmitted from each of the plurality of individual services when registering the biometric authentication original information and performing biometric authentication.
  • the receiving unit 312 also includes information indicating the individual AP system 100 that provides the individual service (hereinafter also referred to as “individual APsysID”), and information indicating the business PF system 200 to which the plurality of individual AP systems 100 are connected (hereinafter referred to as “individual AP system ID”). , Also referred to as “business PFsysID”).
  • the receiving unit 312 receives these pieces of information from the terminal 50, the individual AP system 100, or the business PF system 200.
  • the transmission unit 313 transmits the authentication result for the user biometric information received by the reception unit 312. For example, the transmission unit 313 transmits the authentication result to the terminal 50, the individual AP system 100, or the business PF system 200 that has received the biometric information of the user who performed the authentication process.
  • the registration unit 314 acquires the user registration information and passes it to the user management function unit 320. For example, the registration unit 314 performs registration permission determination based on whether or not the acquired user registration information is incomplete, and passes the registered user registration information to the user management function unit 320.
  • This user registration information is stored and managed in the user management function unit 320.
  • the user registration information includes user identification information, personal information, and the like.
  • the registration unit 314 acquires the biometric information for original registration and passes it to the authentication data management function unit 330.
  • the biometric information of the user for original registration is also referred to as “original information biometric information”.
  • the biometric information input when performing biometric authentication in each individual service is also referred to as “authentication biometric information”.
  • authentication biometric information is associated with user identification information and type information indicating the type of biometric information.
  • the authentication permission unit 315 controls whether or not to permit execution of biometric authentication processing for each of the plurality of individual services.
  • the purpose of use of biometric authentication processing in other words, the purpose of use of biometric authentication original information
  • the authentication permission unit 315 permits the biometric authentication process to be executed if the request for the authentication process from the individual service is used within the intended purpose, and prohibits the execution of the biometric authentication process if the request is not intended. The process for prohibiting the use outside the purpose will be described in detail later.
  • the authentication permission unit 315 determines that the use is within the purpose
  • the authentication permission unit 315 permits the biometric authentication process to be executed, and the authentication biometric information received by the receiving unit 312 is received together with the biometric authentication process execution request.
  • the control information storage unit 318 stores information necessary for processing of each unit included in the authentication service management function unit 310.
  • the control information storage unit 318 stores information related to the communication interface, management information related to the purpose of use of biometric authentication for each user, and the like.
  • the user management function unit 320 includes a user information management unit 321 and a user information storage unit 322.
  • the user information management unit 321 acquires user registration information transferred from the authentication service management function unit 310 to the user management function unit 320. Then, the user information management unit 321 stores and manages the acquired user registration information in the user information storage unit 322 as user information of a user (registrant) registered in the biometric authentication PF system 300.
  • FIG. 8 is a diagram illustrating an example of the user information table TBL 321 stored in the user information storage unit 322.
  • a user ID (external) is user identification information included in the user registration information.
  • the user ID (internal) is obtained by converting the user ID (external) into an ID different from the user ID (external), or issued in association with the user ID (external).
  • the user ID (internal) converted from the user ID (external) and the user ID (internal) paid out in association with the user ID (external) are referred to as the user corresponding to the user ID (external). Also called ID (inside).
  • the user ID (internal) corresponding to the user ID (external) of “U1” is “X1”.
  • the biometric authentication PF system 300 safety is enhanced by performing management of biometric authentication original information and authentication processing using a user ID (internal).
  • the personal information is information such as the user's address, name, age, and sex.
  • the original information pointer is information indicating a storage location of the biometric original information of the user.
  • the contract information pointer is information indicating a storage location of contract information in the communication contract of the user.
  • the credit information pointer is information indicating the storage location of the credit information of the user.
  • the authentication data management function unit 330 includes an original information management unit 331 (an example of a management unit), an authentication management unit 332, and an original information storage unit 333.
  • the original information management unit 331 acquires the biometric information for original registration transferred from the authentication service management function unit 310 to the authentication data management function unit 330.
  • the original information management unit 331 stores the acquired original registration biometric information as biometric authentication original information in the original information storage unit 333 so as to be distinguishable for each type of biometric information and for each user.
  • the original information storage unit 333 stores and manages biometric authentication original information for each type of biometric information and for each user as original information.
  • FIG. 9 is a diagram illustrating an example of the original information table TBL 331 stored in the original information storage unit 333.
  • the original information table TBL331 biometric original information is managed for each authentication type (for each type of biometric information).
  • the original information table TBL331 includes an original master pointer table TBL3311, and a biometric original table for each authentication type (face authentication original table TBL3312A, fingerprint authentication original table TBL3312B,).
  • a biometric information type ID, an authentication type, and a table pointer are stored in association with each other.
  • the biometric information type ID is type information indicating the type of biometric information.
  • the authentication type is information indicating the type of authentication processing.
  • S1, S2, S3 are biometric information type IDs of face authentication, fingerprint authentication, finger vein authentication, palm vein authentication, iris authentication, tooth type authentication, voiceprint authentication, and DNA (deoxyribonucleic acid) authentication.
  • S4, S5, S6, S7, and S8 are predetermined.
  • the table pointer is information indicating a biometric authentication original table used in authentication processing of each authentication type (type of biometric information).
  • the face authentication table pointer “Pointer-1” includes information indicating the face authentication original table TBL3312A
  • the fingerprint authentication table pointer “Pointer-2” includes information indicating the fingerprint authentication original table TBL3312B.
  • biometric original table face authentication original table TBL3312A, fingerprint authentication original table TBL3312B, etc.
  • a user ID internal
  • the original number is a management number uniquely assigned to each biometric original information.
  • Biometric authentication original information of each user for each authentication type is stored in the biometric authentication original information.
  • the face authentication original information indicated by the user ID (internal) “X1” is stored with the original number “S1ORG101” in the face authentication original table TBL3312A.
  • the biometric authentication original information of this table stores the file name of each biometric authentication original information, and the actual data of each biometric authentication original information is stored in the original information storage unit 333 with each file name attached. ing.
  • the sequence ID is information that can distinguish the plurality of different biometric authentication original information when the authentication process is performed using the plurality of different biometric authentication original information.
  • the fingerprint authentication original table TBL3312B shows an example in the case where three fingers are registered in the fingerprint authentication, and the sequence ID “1” for each biometric original information of the three fingers of each user. , “2”, “3” are stored in association with each other. Note that all types of biometric original information described above may not be stored. That is, only registered biometric authentication original information is stored, and unregistered biometric authentication original information is not stored.
  • the authentication management unit 332 when the authentication management unit 332 acquires the biometric authentication processing execution request and the authentication biometric information passed from the authentication service management function unit 310 to the authentication data management function unit 330, the authentication function library function unit Instruct 340 to execute biometric authentication processing. Specifically, when the authentication management unit 332 acquires the biometric authentication processing execution request and the authentication biometric information, the authentication management unit 332 obtains a user ID (internal) corresponding to the user ID (external) associated with the authentication biometric information. Obtained from the user management function unit 320.
  • the authentication management part 332 extracts the biometric information for original registration linked
  • the information and the biometric information for authentication are transferred to the authentication function library function unit 340.
  • the authentication management unit 332 acquires the authentication result from the authentication function library function unit 340, the authentication management unit 332 passes the acquired authentication result to the authentication result acquisition unit 316 of the authentication service management function unit 310.
  • the authentication function library function unit 340 includes an authentication unit 341 and an authentication function storage unit 342.
  • the authentication unit 341 acquires the biometric information for original registration and the biometric information for authentication passed from the authentication data management function unit 330 to the authentication function library function unit 340
  • the authentication unit 341 executes authentication processing. Specifically, the authentication unit 341 selects one of the biometric authentication functions from the library of biometric authentication functions stored in the authentication function storage unit 342, and uses the selected biometric authentication function to acquire the original
  • the biometric information for registration and the biometric information for authentication are compared and verified.
  • the authentication function storage unit 342 stores a library of biometric authentication functions provided by each vendor.
  • a biometric authentication function program capable of executing a biometric authentication function is provided from each vendor to the biometric authentication PF system 300, and each provided biometric authentication function program is stored in the authentication function storage unit 342.
  • the provided biometric authentication function program may be registered in the authentication function library function unit 340 from each vendor, or registered in the authentication function library function unit 340 from each vendor via the authentication service management function unit 310. May be.
  • Each biometric function program provided by each vendor is a program created based on an algorithm that realizes each biometric function of each vendor.
  • the biometric authentication function storage unit 342 stores each biometric authentication function program provided by each vendor (in other words, for each biometric authentication function algorithm), and further each version of each biometric authentication function program (in other words, biometric authentication). For each functional algorithm).
  • FIG. 10 is a diagram illustrating an example of the biometric authentication function table TBL 341 stored in the authentication function storage unit 342.
  • a biometric information type ID is type information indicating the type of biometric information for which each authentication function program performs biometric authentication.
  • the vendor ID is identification information of a vendor who has developed and provided an authentication function program.
  • the library ID is a management ID assigned to each authentication function program. For example, this library ID is a number uniquely assigned to each authentication function program, for example, “product number + product version number”. Each library function ID can be identified by this library ID.
  • the authentication function program stores the file name of each authentication function program. Note that the actual data of each authentication function program is stored separately in the authentication function storage unit 342 with each file name.
  • a biometric authentication function to be applied for each individual service is determined in advance, and the authentication unit 341 selects a biometric authentication function according to which individual service the biometric authentication is from and the type of biometric authentication.
  • Execute authentication process For example, which vendor's biometric authentication function is used can be specified by associating the biometric information for authentication received by the authentication service management function unit 310 with the library ID or the vendor ID and biometric information type ID.
  • vendor information to be applied to each individual service may be stored in the authentication function library function unit 340. In that case, which vendor's biometric authentication function is used can be specified by associating the individual APsysID and the biometric information for authentication with the biometric information for authentication received by the authentication service management function unit 310.
  • the authentication unit 341 returns an authentication result to the authentication management unit 332 of the authentication data management function unit 330.
  • FIG. 11 is an operation diagram illustrating an example of biometric authentication original information registration processing.
  • an example of processing in the case of performing user registration processing and biometric authentication original information registration processing at the same time will be described, but user registration processing is performed first, and then biometric authentication original information registration processing is performed. Also good.
  • a case where the individual AP system 100 or the business PF system 200 mediates information between the terminal 50 and the biometric authentication PF system 300 is shown as an example.
  • step S100 when the user inputs user registration information (for example, user ID (external), password, personal information, etc.) and biometric information for original registration in the terminal 50, the terminal 50 receives the input user registration information. And the biometric information for original registration is transmitted to the individual AP system 100 or the business PF system 200.
  • user registration information for example, user ID (external), password, personal information, etc.
  • biometric information for original registration is transmitted to the individual AP system 100 or the business PF system 200.
  • step S102 the individual AP system 100 or the business PF system 200 receives the user registration information and the biometric information for original registration transmitted from the terminal 50, and the biometric authentication PF system receives the received user registration information and the biometric information for original registration. To 300.
  • step S104 the authentication service management function unit 310 of the biometric authentication PF system 300 receives the user registration information and the biometric information for original registration transmitted from the individual AP system 100 or the business PF system 200.
  • the authentication service management function unit 310 confirms the validity of the server or terminal 50 of the connected individual AP system 100 or business PF system 200 and the communication line (communication network NW).
  • the authentication service management function unit 310 confirms the identity and validity of the received user registration information and original registration biometric information.
  • the authentication service management function unit 310 confirms the identity and validity based on the difference between the shooting date and time and the transmission date and time of biometric information, user credit information, contract information, and the like. The confirmation of the identity and validity will be described in detail later.
  • the authentication service management function unit 310 passes the user registration information whose identity and validity have been confirmed to the user management function unit 320.
  • the authentication service management function unit 310 passes the biometric information for original registration whose identity and validity are confirmed to the authentication data management function unit 330.
  • step S ⁇ b> 106 when the user management function unit 320 acquires user registration information from the authentication service management function unit 310, the acquired user registration information is used as user information of a user (registrant) registered in the biometric PF system 300. Store and manage (see FIG. 8).
  • the user management function unit 320 converts the user ID (external) included in the acquired user registration information into a user ID (internal) (converts from the external ID to the internal ID), encapsulates the converted user ID, and the like The safety process is performed and stored.
  • step S108 when the authentication data management function unit 330 acquires the biometric information for original registration from the authentication service management function unit 310, the acquired biometric information for original registration is used as biometric authentication original information for each type of biometric information and for each user. Are stored and managed in a distinguishable manner (see FIG. 9).
  • the authentication data management function unit 330 performs encoding, encryption, encapsulation, etc. on the acquired biometric information for original registration, and stores and manages it as biometric original information.
  • the authentication data management function unit 330 may perform double encryption, or here, it may be single without being encrypted. .
  • the authentication data management function unit 330 may not perform the double encoding.
  • the coding here includes so-called vectorization.
  • the authentication data management function unit 330 may store and manage biometric original information by dividing and fragmenting.
  • the authentication data management function unit 330 may multiplex (for example, triple) and store and manage biometric authentication original information. Details of the management method of the biometric original information will be described later.
  • FIG. 12 is an operation diagram illustrating an example of the first half of the biometric authentication process (the process before the authentication biometric information is transmitted from the terminal 50 to the biometric PF system 300 and the authentication process is performed).
  • step S200 when the user inputs the user ID (external) and the biometric information for authentication to the user authentication screen for performing user authentication in terminal 50, terminal 50 receives the input user ID (external ) And biometric information for authentication are transmitted to the individual AP system 100 or the business PF system 200.
  • step S202 the individual AP system 100 or the business PF system 200 receives the user ID (external) and authentication biometric information transmitted from the terminal 50, and biometrically authenticates the received user ID (external) and authentication biometric information. Transmit to the PF system 300.
  • the authentication service management function unit 310 of the biometric authentication PF system 300 receives the user ID (external) and authentication biometric information transmitted from the individual AP system 100 or the business PF system 200, and the individual AP system 100 individually. APsysID or business PFsysID of business PF system 200 is received. The authentication service management function unit 310 determines whether or not the authentication process is used for the purpose, and if it is determined that the use is not intended, the authentication process is prohibited and the authentication is prohibited. Information is transmitted to the terminal 50 via the individual AP system 100 or the business PF system 200. On the other hand, if the authentication service management function unit 310 determines that the use is within the purpose, it passes the received user ID (external) and biometric information for authentication to the authentication data management function unit 330.
  • step S206 when the authentication data management function unit 330 acquires the user ID (external) and the biometric information for authentication from the authentication service management function unit 310, the authentication data management function unit 330 passes the acquired user ID to the user management function unit 320, and the user ID (external ) Is acquired from the user management function unit 320. At this time, the authentication data management function unit 330 cancels the security process such as encapsulation and acquires the original user ID (internal). Note that the conversion from the user ID (external) to the user ID (internal) may be performed by the authentication service management function unit 310 passing the user ID (external) to the user management function unit 320.
  • the authentication data management function unit 330 acquires a user ID (internal) and biometric information for authentication from the authentication service management function unit 310. And the authentication data management function part 330 specifies the biometrics original information used for an authentication process from the biometrics original information registered based on user ID (internal).
  • the authentication data management function unit 330 when managing multiple types of biometric authentication original information for biometric authentication, includes a biometric information type ID associated with the biometric information for authentication and a user ID (internal). Based on the above, the biometric authentication original information used for the authentication process is specified from the registered biometric authentication original information.
  • the authentication data management function unit 330 restores the identified biometric authentication original information from a state in which it has been encoded, encapsulated, encrypted, fragmented, or the like. And the authentication data management function part 330 performs the authentication process with the acquired biometric information for authentication using the authentication function of the authentication function library function part 340. Specifically, the authentication data management function unit 330 delivers the specified biometric authentication original information and the acquired biometric information for authentication to the authentication function library function unit 340.
  • FIG. 13 is an operation diagram illustrating an example of the latter half of the biometric authentication process (a process in which the authentication process is performed in the biometric PF system 300 and the authentication result is transmitted to the terminal 50).
  • the authentication function library function unit 340 uses the biometric authentication function in the biometric authentication function library to compare and collate the acquired original registration biometric information and authentication biometric information.
  • the biometric authentication PF system 300 supports a one-to-one comparison authentication method and a one-to-N comparison (N is a positive integer) authentication method as a biometric authentication function.
  • the one-to-one comparison authentication method is an authentication method in which one authentication biometric information and one biometric authentication original information are compared and checked for matching.
  • the one-to-N comparison authentication method compares one authentication biometric information with N pieces of biometric authentication original information, and determines whether or not there is biometric authentication original information that matches among the N pieces of biometric authentication original information. This is an authentication method to be verified. Any one of these authentication methods is used depending on the provided authentication function.
  • the authentication function library function unit 340 then passes the authentication result to the authentication data management function unit 330.
  • FIG. 14 is an image diagram of authentication processing.
  • the biometric authentication original information is registered, added, and deleted from the biometric authentication PF system 300 from a plurality of individual services, and the biometric authentication PF system 300 manages the biometric authentication original information. Then, the biometric PF system 300 verifies the probability of identity between the authentication biometric information of the user received from any one of the plurality of individual services and the managed biometric original information, and the authentication result Information is transmitted to the service at the location.
  • the verification of the probability of identity may be verification of one type of biological information or verification by a combination of a plurality of types of biological information.
  • verification using a combination of a plurality of types of biometric information for example, a combination of face authentication and palm vein authentication, etc.
  • authentication accuracy can be increased and authentication safety can be increased.
  • the probability of identity may be, for example, percentage, M level in L level (for example, 9th level in 10 levels), high, medium or low, etc. Depends on request.
  • the authentication data management function unit 330 acquires the authentication result from the authentication function library function unit 340. Further, the authentication data management function unit 330 performs multiple comparison (for example, triple comparison) with biometric authentication original information managed by multiplexing (for example, triple), and each authentication result is an authentication function library function. Acquired from the unit 340. The authentication data management function unit 330 passes the authentication result to the authentication service management function unit 310.
  • step S304 the user management function unit 320 extracts user information of the user who has been subjected to the authentication process, and passes it to the authentication service management function unit 310.
  • This user information is user information of a user ID (external) associated with the authentication biometric information subjected to the authentication process, and is, for example, a user name.
  • step S ⁇ b> 306 the authentication service management function unit 310 authenticates the terminal 50 with the authentication result acquired from the authentication data management function unit 330 and the user information acquired from the user management function unit 320. Authentication result information for notifying is generated. Then, the authentication service management function unit 310 transmits the generated authentication result information to the individual AP system 100 or the business PF system 200.
  • step S308 the individual AP system 100 or the business PF system 200 receives the authentication result information transmitted from the authentication service management function unit 310, and transmits the received authentication result information to the terminal 50.
  • step S310 the terminal 50 receives the authentication result information transmitted from the individual AP system 100 or the business PF system 200, displays the authentication result based on the received authentication result information, and performs processing according to the authentication result. Do. For example, when the authentication result is authentication OK, information indicating the authentication OK and the user name are displayed, and the individual service is started. On the other hand, when the authentication result is authentication NG, information indicating authentication NG is displayed, and the user authentication screen is displayed again without starting the individual service.
  • the biometric authentication PF system 300 receives user biometric information transmitted from each of a plurality of individual services, and transmits authentication processing result information for the received biometric information to each individual service.
  • Each functional configuration (authentication service management function unit 310, user management function unit 320, authentication data management function unit 330, and authentication function library function unit 340) included in the biometric authentication PF system 300 includes a plurality of individual service terminals 50. Or the individual AP system 100 and the business PF system 200.
  • FIG. 15 is an explanatory diagram illustrating independence and safety of the biometric PF system 300.
  • the biometric PF system 300 is not dependent on the individual service but is independent.
  • interface specifications API, DI, and UI specifications
  • API, DI, and UI specifications related to communication between the biometric authentication PF system 300 and the terminal 50, the individual AP system 100, and the business PF system 200 are defined.
  • the user ID is divided into two different IDs for the outside and inside of the biometric authentication PF system 300. Therefore, the biometric PF system 300 is configured to be unaffected by changes in individual services (terminal 10, individual AP system 100) that use the biometric authentication service. Therefore, the biometric authentication PF system 300 is almost unaffected because it is independent even when a change, malfunction, or failure occurs in the terminal 50, the individual AP system 100, or the business PF system 200. high.
  • the biometric authentication PF system 300 is separated and independent from the individual service (terminal 10 and individual AP system 100) used by the user and the biometric authentication PF system 300 that relays the individual service. It is independent and unaffected by data formats, operations, investments, and management of users. Therefore, the biometric authentication PF system 300 can provide a biometric authentication service having both independence and safety by the platform system.
  • FIG. 16 is an explanatory diagram for explaining an outline of a usage scene of the biometric authentication PF system 300.
  • biometric authentication original information is registered in the biometric PF system 300 based on the voluntary intention of the user. This principle is important because biometric information is immutable personal information and personal identification information.
  • biometric original information is registered in the biometric PF system 300 based on the voluntary intention of the user. This principle is important because biometric information is immutable personal information and personal identification information.
  • social customs such as confirmation of an unidentified person such as a deceased person due to dementia
  • the case of registering biometric original information at the discretion of a family member or an administrative institution is exceptionally permitted.
  • the biometric authentication PF system 300 When using a biometric authentication service When a biometric authentication reason (such as commercial transaction, medical care healthcare, confirmation of unidentified person, issuance of a certificate in electronic administration) occurs, the biometric authentication PF system 300 is registered in advance.
  • the biometric authentication original information and the biometric information for authentication (user's own biometric information) sent from the authentication request source at the time of the occurrence of the event are collated, and the probability of identity or inconsistency is obtained. (Evaluation result information) is notified to the authentication request source. How the received probability value is handled depends on the contents (contents determined by business model, contract, law, etc.) defined in the received business PF system 200, individual AP system 100, or terminal 50.
  • biometric original information is registered based on the user's own intention.
  • the purpose of use of the authentication process based on the registered biometric authentication original information can be limited by the desire of the user himself / herself.
  • authentication processing using registered biometric authentication original information can be made available to a plurality of individual services at the request of the user himself / herself.
  • the biometric authentication PF system 300 manages the purpose of use of authentication processing for each user and for each type of biometric information, and prohibits unintended use.
  • the authentication permission unit 315 of the authentication service management function unit 310 controls whether or not to permit execution of authentication processing for each of a plurality of individual services.
  • management information related to the purpose of use of biometric authentication processing for each user is stored in the control information storage unit 318.
  • the authentication permission unit 315 permits execution of the authentication processing. Control whether to do. For example, in this management information, it is registered in advance that the authentication process within the purpose of use is permitted to be executed.
  • a user registers an individual service that permits execution of an authentication process using the biometric authentication original information when registering his or her biometric authentication original information or as a purpose of use after registration.
  • the registration unit 314 of the authentication service management function unit 310 stores control information for associating biometric authentication original information with information (permitted service information) indicating an individual service that permits execution of authentication processing based on the biometric authentication original information. Store in the unit 318.
  • the authentication permission unit 315 refers to the control information storage unit 318 and permits the execution of the authentication process when permission to execute the authentication process is registered in advance. On the other hand, the authentication permission unit 315 does not permit the execution of the authentication process when permission to execute the authentication process is not registered in advance.
  • an individual AP sysID indicating the individual AP system 100 that permits the execution of the authentication process and a business PF sys ID indicating the business PF system 200 are registered in advance.
  • the authentication permission unit 315 controls whether or not to permit the execution of the authentication process for each individual APsysID indicating the individual AP system 100 that transmits the biometric information for authentication and for each business PFsysID that indicates the business PF system 200.
  • the type of biometric original information that permits the execution of the authentication process is registered in advance.
  • the authentication permission part 315 permits execution of an authentication process for every kind of individual APsysID which shows the individual AP system 100 which transmits biometric information for authentication, business PFsysID which shows the business PF system 200, and biometrics original information. It may be controlled whether or not.
  • it may be registered in advance that the execution of the authentication process is not permitted. In this case, the authentication permission unit 315 does not permit the execution of the authentication process when it is registered in advance that the execution of the authentication process is not permitted.
  • FIG. 17 is an explanatory diagram for explaining an example of prohibiting use other than the purpose of the authentication process.
  • the use information setting table TBL 318A is stored in the control information storage unit 318 of the authentication service management function unit 310.
  • the usage purpose setting table TBL 318A includes a user ID (internal) for identifying a user, an individual AP sysID indicating the individual AP system 100 that permits the execution of the authentication process, and a business that indicates the business PF system 200 that permits the execution of the authentication process.
  • the PFsysID and the biometric information type ID indicating the type of biometric authentication original information that permits the execution of the authentication process are stored in association with each other.
  • the information stored in the use purpose setting table TBL 318A is management information related to the use purpose of the above-described biometric authentication process for each user, and is set at the time of registration of biometric authentication original information according to an instruction from the user himself, for example. After that, changes such as addition and deletion can be made.
  • biometric authentication processing based on face authentication original information (biometric information type ID “S1”) of a user whose user ID (internal) is “X1” (hereinafter also referred to as “user X1”)
  • user X1 user ID
  • E2 user ID
  • biometric authentication PF system 300 permits the individual AP system E2 to execute the face authentication process of the user X1 (authentication execution) and prohibits the other individual AP system 100 (authentication rejection).
  • FIG. 18 is an explanatory diagram for explaining another example of prohibiting use other than the purpose of the authentication process.
  • a use purpose setting table TBL 318B is stored in the control information storage unit 318 of the authentication service management function unit 310.
  • the usage purpose setting table TBL318B as in the usage purpose setting table TBL318A of FIG. 17, it is indicated that the face authentication process based on the face authentication original information of the user X1 is permitted to be executed by the individual AP system E2.
  • the face authentication process based on the face authentication original information of the user X1 is performed by using the individual AP system 100 whose individual APsys ID is “E3” (hereinafter also referred to as “individual AP system E3”) and the business PFsysID.
  • E3 individual AP system
  • business PF system F3 business PF system 200 of “F3”
  • the face authentication process for the user X1 is permitted to be used by both the individual AP system E2 and the individual AP system E3 via the business PF system F3 (a contract relationship is established), and other individual Use of services is restricted.
  • the biometric authentication PF system 300 permits the individual AP system E2 and the individual AP system E3 to execute the face authentication process of the user X1 (authentication execution), and does not perform any other individual AP system 100. Prohibited (authentication denied).
  • FIG. 19 is a flowchart illustrating an example of processing in which the authentication permission unit 315 controls whether to permit execution of authentication processing according to the purpose of use.
  • the process shown in this figure is a part of the process performed in step S204 shown in FIG.
  • the authentication permission unit 315 acquires the biometric information for authentication received by the receiving unit 312 as a biometric authentication request from the individual service.
  • the biometric information for authentication is associated with a user ID (external), a biometric information type ID, an individual AP sysID, and a business PFsys ID.
  • the business PF system 200 is not passed, the business PFsysID is not associated with the authentication biometric information.
  • the receiving unit 312 directly receives from the terminal 50, the individual APsysID corresponding to the individual service using the biometric authentication service in the terminal 50 is associated with the authentication biometric information.
  • step S1012 the authentication permission unit 315 refers to the original information table TBL331, and whether biometric authentication original information is registered based on the user ID and biometric information type ID associated with the authentication biometric information. Determine whether or not.
  • step S1012: NO the process proceeds to step S1018, and the authentication permission unit 315 prohibits the execution of the authentication process.
  • step S1014 the authentication permission unit 315 determines whether or not the execution of the authentication process for the authentication biometric information is permitted (that is, Whether it is within the purpose of use) or not.
  • the authentication permission unit 315 refers to management information (for example, usage purpose setting tables TBL318A and TBL318B) that is stored in the control information storage unit 318 and related to the usage purpose of biometric authentication processing for each user. Authentication processing for the authentication biometric information based on the user ID (external) (corresponding user ID (internal)), biometric information type ID, individual APsysID, business PFsysID, etc. associated with the biometric information for authentication It is determined whether or not execution is permitted.
  • management information for example, usage purpose setting tables TBL318A and TBL318B
  • step S1014 determines that the execution of the authentication process is permitted (step S1014: YES)
  • the authentication permission unit 315 determines that the use is within the purpose, and proceeds to step S1016 to permit the execution of the authentication process.
  • step S1014: NO determines that the execution of the authentication process is not permitted
  • step S1018 determines that the use is not intended, and proceeds to step S1018. Prohibit execution of processing.
  • the authentication permission unit 315 transmits information indicating the prohibition of authentication to the individual service of the biometric authentication request source via the transmission unit 313 and notifies it.
  • the biometric authentication PF system 300 restricts the authentication processing using the biometric original information registered by the user to the use within the purpose by prohibiting the use for the purpose other than the purpose. Can do. For example, since only individual services contracted in advance with the biometric PF system 300 accept biometric authentication, it is safe without reference to one's own biometric information during non-notification, unknowingness, or disapproval. . Further, the biometric authentication PF system 300 can use one piece of biometric authentication original information for biometric authentication in a plurality of individual services based on the desire of the user.
  • the biometric authentication PF system 300 associates one piece of biometric authentication original information with the individual AP system 100 or the business PF system 200 used for biometric authentication even if the user does not register a plurality of pieces of biometric authentication original information. Since one piece of biometric authentication original information can be used for biometric authentication in a plurality of individual services, multiple registration of biometric authentication original information can be avoided.
  • the biometric authentication PF system 300 can register one piece of biometric authentication original information and use the one piece of biometric authentication original information for biometric authentication in a plurality of individual services. It is. Therefore, the biometric authentication PF system 300 performs control so that the same type of biometric information of the same user is not registered twice as biometric authentication original information.
  • FIG. 20 is an explanatory diagram for explaining double registration prohibition processing of biometric authentication original information.
  • the biometric authentication PF system 300 includes biometric information for original registration and biometric authentication original information of the same type among biometric authentication original information already registered (biometric authentication original information-1, biometric authentication original information-2, ..., the process of verifying the probability of identity with biometric authentication original information -m) (identity check) is performed using the biometric authentication function of the authentication function library function unit 340. If it is determined that the same biometric original information exists with high probability, the biometric authentication PF system 300 does not register the biometric information for original registration as biometric original information (cannot register original).
  • the biometric authentication PF system 300 determines that the same biometric original information does not exist with high probability, the biometric authentication PF system 300 permits registration of the original biometric information for biometric authentication as biometric original information (possible to register original data).
  • a first threshold for example, 95%)
  • the biometric authentication PF system 300 determines that the biometric authentication original information is the same with high probability.
  • a second threshold for example, 10%
  • the biometric authentication PF system 300 determines that the biometric authentication original information is not the same with high probability.
  • the biometric authentication PF system 300 can avoid the same biometric authentication original information of the same user being registered twice.
  • FIG. 21 is a flowchart illustrating an example of a double registration prohibition process for biometric authentication original information.
  • the process shown in this figure is a part of the process performed in step S104 and step S108 shown in FIG.
  • step S2010 when the receiving unit 312 receives the biometric information for original registration, the registration unit 314 of the authentication service management function unit 310 acquires the received biometric information for original registration.
  • a user ID (external) and a biometric information type ID are associated with the biometric information for original registration.
  • the registration unit 314 passes the acquired biometric information for original registration, the user ID (external), and the biometric information type ID to the authentication data management function unit 330.
  • the authentication data management function unit 330 uses the biometric authentication function of the authentication function library function unit 340 to correspond to the biometric information for original registration and the user ID (external) among the registered biometric original information managed. The identity is verified by comparing the user ID (internal) and the biometric authentication original information associated with the biometric information type ID (one-to-one comparison).
  • the authentication data management function unit 330 compares the biometric information for original registration with the biometric authentication original information of all the users associated with the biometric information type ID among the registered biometric authentication original information managed. Then, the identity may be verified (1 to N comparison). For example, the authentication data management function unit 330 passes information indicating the probability of identity to the registration unit 314 of the authentication service management function unit 310 as the identity verification result.
  • step S2014 the registration unit 314, based on the verification result of the identity from the authentication data management function unit 330, registers the biometric information for original registration registered in the authentication data management function unit 330.
  • step S2014: YES the process proceeds to step S2016 and biometric authentication original information based on the original registration biometric information is not registered (original registration). Impossible).
  • step S2018 the registration unit 314 proceeds to step S2018.
  • the biometric authentication original information based on the biometric information for original registration is registered (original registration is possible).
  • the authentication service management function unit 310 receives the received original registration biometric information and the authentication. To provide a highly secure authentication system because the same biometric information of the same user is not registered twice as biometric original information based on the registered biometric original information managed by the data management function unit 330. Can do.
  • the registration unit 314 obtains user's original registration biometric information received from a plurality of individual services. For example, it is assumed that the registration unit 314 registers the biometric information for original registration acquired from a certain individual service as the biometric authentication original information. In this case, the registration unit 314 acquires the same original registration biometric information for the same user (information for registering as biometric authentication original information) from another individual service even if it is acquired from another individual service. The biometric information for original registration is not registered as biometric original information. Thereby, the biometric authentication PF system 300 can avoid the biometric authentication original information already registered from a certain individual service being double-registered by registration from another individual service.
  • the registration unit 314 registers the same original registration biometric information (biometric authentication original) of the same user after elapse of a predetermined period or more after registering the original registration biometric information acquired from an individual service as biometric authentication original information.
  • Information for registration as information is acquired from any individual service.
  • the registration unit 314 may re-register the acquired biometric information for original registration as biometric authentication original information.
  • the biometric authentication PF system 300 allows the user to re-register biometric authentication original information when a change occurs in the user's biometric information after a long time (for example, 20 years) has elapsed since registration.
  • the authentication process can be appropriately executed.
  • the registration unit 314 registers biometric information for original registration acquired from an individual service as biometric authentication original information, and registers the same original biometric information for original registration (biometric authentication original information for the same user). ) Is obtained from any individual service. In this case, the registration unit 314 re-registers the acquired original registration biometric information as biometric authentication original information. Accordingly, the biometric authentication PF system 300 can limit the type of biometric authentication that can re-register biometric authentication original information to a specific biometric authentication (for example, face authentication) when a long time has elapsed since registration. Can increase the sex.
  • biometric authentication PF system 300 can limit the type of biometric authentication that can re-register biometric authentication original information to a specific biometric authentication (for example, face authentication) when a long time has elapsed since registration. Can increase the sex.
  • the biometric authentication PF system 300 performs double registration of biometric information for original registration through one or more duplication checks such as a user ID (internal), biometric information type ID, vendor ID, library ID, version information, sequence ID, and the like. Processing to prohibit may be added. In this case, the biometric authentication PF system 300 may omit the process of verifying the probability of identity between the biometric information for original registration and the registered biometric original information.
  • the biometric authentication PF system 300 manages biometric authentication original information that has been encoded, encrypted, encapsulated, and divided and fragmented. Note that some of coding, encryption, encapsulation, and fragmentation may be applied.
  • FIG. 22 is an explanatory diagram for explaining a management method of biometric authentication original information.
  • Encoded and encrypted biometric original information (code information) is encapsulated and divided into fragments.
  • Divided and fragmented biometric original information (code information that has been fragmented and fragmented) is stored and managed in the original information storage unit 333.
  • the following forms 1, 2 and Any form 3 may be used, and any form can be adopted depending on the design conditions of a specific project.
  • the original information storage unit 333 is composed of one storage device, and the original information management unit 331 stores and manages each piece of information obtained by dividing biometric authentication original information into the same storage device. To do.
  • the original information storage unit 333 may be configured by a plurality of storage devices, and the original information management unit 331 distributes each piece of information obtained by dividing the biometric original information into a plurality of storage devices. It may be stored and managed.
  • the original information storage unit 333 may be configured by a plurality of storage devices, and the plurality of storage devices may be distributed and installed in a plurality of data centers. Then, the original information management unit 331 may distribute and store each piece of information obtained by dividing the biometric original information into multiple data centers for management.
  • a data center is a facility that installs and operates various computer devices (such as servers) and communication devices such as the Internet and telephone lines.
  • the biometric authentication PF system 300 performs encoding when registering as biometric original information.
  • the biometric authentication PF system 300 does not perform double encoding when the received biometric information for original registration is encoded code information.
  • the biometric authentication PF system 300 does not perform double encoding even when the received biometric information for original registration is encoded and encrypted information.
  • a recoverable coding is adopted according to the specification. Specifically, it is determined according to design requirements.
  • a coding method a known technique (for example, a stable method) can be used.
  • the encoding function is often provided with an authentication function provided by a vendor, and in that case, the function may be used.
  • the biometric authentication PF system 300 appropriately determines a known technique and applies it to all biometric information for original registration in principle. For example, if the received biometric information for original registration is bare information, the biometric authentication PF system 300 encrypts the biometric authentication original information when registering it as biometric original information. The biometric authentication PF system 300 is also encrypted when the received biometric information for original registration is encoded code information (unencrypted code information or unencrypted code information). Turn into. Further, the biometric authentication PF system 300 also performs double encryption even when the received biometric information for original registration is encoded and encrypted code information.
  • the biometric authentication PF system 300 determines whether or not to permit double encryption depending on which biometric authentication biometric information to be registered as biometric authentication original information is used for the biometric authentication function. Thus, it may be controlled whether or not to perform double encryption.
  • the biometric PF system 300 includes a double encryption permission table in which a library ID is associated with information indicating whether or not double encryption is permitted. For example, in general, information indicating that double encryption is permitted is generally set, but when the security is sufficiently secured and the performance target (for example, the authentication speed target) is desired to be cleared, Information indicating that encryption is not permitted is set.
  • the biometric authentication PF system 300 When the biometric authentication PF system 300 receives the biometric information for original registration, the biometric authentication PF system 300 refers to the double encryption permission table to determine whether or not to permit double encryption, and according to the determination result. Controls whether or not to perform double encryption.
  • the biometric authentication PF system 300 refers to the biometric authentication function table TBL 341 and associates the biometric information type ID with the biometric information type ID and the vendor ID when the received biometric information for original registration is associated with the vendor ID.
  • a library ID is specified based on the vendor ID. Further, a library ID may be associated with the received biometric information for original registration. In this case, the biometric authentication PF system 300 is based on the library ID associated with the received biometric information for original registration. It is determined whether or not double encryption is permitted. Accordingly, the biometric authentication PF system 300 can improve performance (for example, authentication speed) by allowing the double encryption not to be performed, for example, when safety is sufficiently ensured. it can.
  • Known encryption methods include a common key method (secret key method), a public key method, a hybrid encryption method, and the like.
  • the common key method (secret key method) includes a block encryption method and a stream encryption (sequential encryption) method.
  • block ciphers include DES (Data Encryption Standard), FEAL (Fast Data Encryption Algorithm), and MULTI2.
  • stream encryption (sequential encryption) methods include RC4, A5, MULTI-S01, and the like.
  • the public key method examples include an RSA method, a DSA (Digital Signature Algorithm) method, and an ECDSA (elliptic curve DSA) method.
  • the hybrid encryption method is a method in which the public key method and the common key method are combined, and is a method that complements the disadvantages of both the processing overhead of the public key method and the key transfer difficulty of the common key method. This is a method in which plaintext is encrypted by a common key method, and the “common key itself” used for the encryption is encrypted by a public key method.
  • Encapsulation will be described.
  • the above encoded and encrypted information is further encapsulated.
  • the authentication function provided by the vendor has a coding function, it is effective to perform encapsulation in order to increase safety in view of the possibility that the specification is specified.
  • Encapsulation may be specified information and fixed length method, or TLV format (Tag + Length + Value), and any of specific character & specific capsule length method (tag length 2 bytes for character A, tag length 3 bytes for character B, etc.), etc. This method may be used.
  • the specific implementation is determined by the design requirements. Note that encapsulation may be further performed after the fragmentation.
  • split fragmentation does not take an overly complex scheme.
  • a simple recombination process in which the first fixed length (128 bytes, 256 bytes, etc.) is the first file and the remaining variable length part is the second file.
  • a method that allows easy recombination processing such as a fixed length for the first file, a fixed length for the second file, and a variable length for the third file is adopted.
  • Each divided fragmented file is also encapsulated.
  • FIG. FIG. 23 is an explanatory diagram for explaining an example of division fragmentation in the two-division method.
  • biometric authentication PF system 300 receives encoded and encrypted biometric information (hereinafter also referred to as “encoded / encrypted biometric information”) as biometric information for original registration (first step), capsule information (header) And the footer) are added to encapsulate the entire “encoded / encrypted biometric information” (second step).
  • the capsule information (header) is information added to the head of “encoded / encrypted biometric information”, and includes information such as a tag (TAG) and a data length (Length).
  • the tag includes identification information for identifying the capsule (here, “A1”), biometric information type ID (here, “S1”), vendor ID (here, “B1”), and the like.
  • the data length is information indicating the data length of “encoded / encrypted biometric information” (here, “L1”).
  • capsule information (footer) is information added to the end of “encoded / encrypted biometric information” and includes information such as check bits and tags.
  • the check bit is a bit error detection bit.
  • the tag of capsule information (footer) includes frame end identification information (here, “FE”) indicating the end of data.
  • the biometric authentication PF system 300 performs “capsule information (header)” and “previous stage of encoded / encrypted biometric information” that have a predetermined fixed length for the encapsulated data generated in the second step.
  • the combined data is used as the first file, and the remaining variable-length "following stage of encoded / encrypted biometric information" and "capsule information (footer)" are used as the second file, divided into two pieces and re-encapsulated. (3rd step).
  • each capsule information (header and footer) is added to the first file and the second file.
  • the capsule information (footer) added to each file includes information such as check bits and tags (here, “FE”).
  • the capsule information (header) of each of the first file and the second file includes information such as a tag and a data length.
  • the tag of each file indicates information that uniquely indicates both of the divided fragments (here, “Y1”), the number of divided fragments (here, “2”), and whether it is a start frame or an end frame.
  • Information here, “S” as information indicating a start frame in the first file and “E” as information indicating an end frame in the second file
  • the data length of the first file (here, “L2-1”) is the sum of the “capsule information (header)” added in the second step and the “previous stage of encoded / encrypted biometric information”. This is information indicating the data length (fixed length).
  • the data length of the second file (here, “L2-2”) is the total data length (variable length) of “encoded / encrypted biometric information” and “capsule information (footer)” It is information which shows.
  • FIG. 24 is an explanatory diagram for explaining an example of division fragmentation in the three-division method.
  • the biometric authentication PF system 300 combines the encapsulated data generated in the second step with “capsule information (header)” and “previous stage of encoded / encrypted biometric information” having a predetermined fixed length. Is the first file, “middle level of encoded / encrypted biometric information” having a predetermined fixed length among the remaining data is set as the second file, and the last “encoded / encrypted biometric” having a variable length is left.
  • the “second stage of information” and “capsule information (footer)” are divided into three pieces as a third file and re-encapsulated (third step). Each capsule information (header and footer) is added to the first file, the second file, and the third file.
  • the capsule information (footer) added to each file includes information such as check bits and tags (here, “FE”).
  • the capsule information (header) of each of the first file, the second file, and the third file includes information such as a tag and a data length.
  • the tag of each file includes information indicating uniquely both of the divided fragments (here, “Y1”), the number of divided fragments (here, “3”), start frame, intermediate frame, or end frame. (In this case, “S” as information indicating the start frame in the first file, “M” as information indicating the intermediate frame in the second file, and “E” as information indicating the end frame in the third file) ]) And the like.
  • the data length of the first file (here, “L2-1”) is the total data of “capsule information (header)” added in the second step and “previous stage of encoded / encrypted biometric information”.
  • the data length of the second file (here, “L2-2”) is information indicating the data length (fixed length) of “middle of the encoded / encrypted biometric information”.
  • the data length of the third file (here, “L2-3”) is the total data length (variable length) of “encoded / encrypted biometric information” and “capsule information (footer)”. It is information which shows.
  • the method of division fragmentation is not limited to the above-described method, and if there is a specific method with a high recombination processing speed established, that method may be adopted. In a specific implementation, it is determined by a request (the size of biometric authentication original information, the processing time allowed for authentication processing, the hardware to be installed, the performance of software, etc.). For example, in the above-described example, the example in which the capsule information of the header and footer is added at the time of encapsulation has been described, but only the capsule information of the header may be added at the time of encapsulation. In addition, the biometric PF system 300 may perform only one or both of the encapsulation and the fragmentation.
  • the original information management unit 331 of the authentication data management function unit 330 further encodes and encrypts a plurality of types of biometric authentication original information for each type of biometric information and for each user. Manage by performing either or both of encapsulation and split fragmentation. For example, when biometric authentication function programs are provided from a plurality of vendors, biometric authentication function programs with different algorithms may be used as a library. Therefore, the original information management unit 331 further encodes and encrypts multiple types of biometric authentication original information for each algorithm of the biometric authentication function, and further performs either or both of encapsulation and division fragmentation. May be managed.
  • the original information management unit 331 further encapsulates or divides a plurality of types of biometric authentication original information by further encoding and encrypting each version of the biometric authentication function algorithm (each program version). Either one or both may be managed.
  • the original information management unit 331 may manage a plurality of types of biometric authentication original information encoded and encrypted for each vendor by further performing either or both of encapsulation and divided fragmentation. .
  • the biometric authentication PF system 300 does not hold the biometric authentication original information as bare information, but encodes and encrypts an irreversible one, and further encapsulates or divides and / or divides the fragmented information. Therefore, it is possible to construct a database of original biometric information with high safety and reliability. In order to construct a database of original biometric authentication information with higher safety and reliability, for example, all of the above encoding, encryption, encapsulation, and division fragmentation are applied.
  • the original information management unit 331 encodes, encrypts, and encapsulates the biometric authentication original information, further divides the encapsulated information into fragments, and encapsulates and manages each piece of divided information. The safety and reliability of biometric original information can be further increased.
  • the original information management unit 331 acquires a plurality of types of user biometric information received from a plurality of individual services, and compares the acquired biometric information with the biometric authentication original information for at least one type of biometric information, Based on the collation result, the biometric authentication original information obtained by adding other types of acquired biometric information to the biometric authentication original information is encoded and encrypted, and either encapsulated or divided fragmented or You may manage by doing both. Accordingly, for example, when the user has already registered biometric authentication original information for fingerprint authentication, and the user subsequently requests registration of biometric authentication original information for fingerprint authentication and palm vein authentication, the biometric authentication PF system 300 The biometric authentication original information for palm vein authentication can be additionally registered on condition that the identity is confirmed by fingerprint authentication. In this case, to confirm the identity in fingerprint authentication, the original information management unit 331 may cause the authentication function library function unit 340 to perform authentication processing.
  • biometric authentication original information for example, data destruction, falsification, etc.
  • a defect in biometric authentication original information occurs probabilistically by hardware, software, operation, etc., and it is difficult to make it zero.
  • the biometric authentication PF system 300 Biometric original information may be multiplexed and held.
  • the original information management unit 331 of the authentication data management function unit 330 generates a plurality of pieces of the same biometric original information based on the user's original registration biometric information received from a plurality of individual services. to manage.
  • the plurality of identical biometric authentication original information is a plurality of pieces of biometric authentication original information obtained by multiplexing the same user and the same type of biometric information. Multiplexed identical biometric authentication original information may be generated by duplicating from one authentication biometric information or one biometric authentication original information, or obtaining a plurality of authentication biometric information of the same type from the same user May be generated.
  • the authentication unit 341 of the authentication function library function unit 340 uses majority logic based on user authentication biometric information received from a plurality of individual services and a plurality of the same biometric original information managed by the original information management unit 331. Thus, the authentication result of the authentication process between the biometric information for authentication and the biometric authentication original information is determined. For example, the authentication unit 341 performs an authentication process based on biometric information for user authentication received from a plurality of individual services and each of a plurality of identical biometric authentication original information managed by the original information management unit 331. An authentication result is determined using majority logic for each authentication result.
  • biometric authentication original information is tripled will be described as an example.
  • determining the authentication result using majority logic means adopting the majority authentication result. For example, in the case of triple, when the three authentication results comparing the biometric information for authentication with each of the three pieces of biometric authentication original information are three-party match, the authentication result is selected, and in the case of two-to-one Selects the authentication result of the second.
  • FIG. 25 is an explanatory diagram for explaining the high safety due to the triple of the biometric authentication original information.
  • an example of triple of biometric original information stored in the original information storage unit 333 and an example of duplex for comparison are shown.
  • three pieces of biometric authentication original information “A”, “B”, and “C” are managed as a plurality of pieces of the same biometric authentication original information, and authentication results with each of the three pieces of biometric authentication original information are displayed. Show. If the managed biometric original information is normal, the identity authentication is accepted (correct authentication result), and if the managed biometric original information is defective, the identity is rejected false (incorrect authentication result). Then, either a correct authentication result or an incorrect authentication result is selected using majority logic.
  • the multiplexing is not limited to triple, and more multiplexing is also possible. Increasing the number of multiplexes reduces the likelihood of inducing incorrect selections and increases the effect. In the case of not multiplexing, if a defect occurs in one piece of biometric authentication original information, the selection is incorrect by 100%.
  • the multiplexing process increases the overhead of authentication processing.
  • hardware and software systems and specifications for executing authentication processing are selected with emphasis on processing speed.
  • hardware for executing the authentication process employs a high-speed CPU and a large capacity memory
  • a data storage method is basically an in-memory database.
  • the storage device (storage) is basically SSD / flash storage. Specifically, depending on the number of multiplexing, the required processing speed, and the like, it is selected as appropriate so as to satisfy the required specifications, and if low specifications are acceptable, it is acceptable.
  • the biometric authentication PF system 300 executes authentication processing by multiplexing for each transaction in principle, but even if it is executed at regular intervals (every hour, every 12 hours, every 24 hours (nighttime), etc.). Good.
  • the biometric authentication PF system 300 may execute the authentication process at regular intervals depending on the purpose of the authentication process, required specifications, and the like.
  • the biometric authentication PF system 300 multiplexes (for example, triples) the biometric authentication original information and determines the authentication result using the majority logic. And the validity of the authentication result can be improved, and a highly secure and reliable biometric authentication service can be provided.
  • the number of multiplexing can be any number of 3 or more depending on the required specifications, hardware specifications, etc. as described above, but is preferably an odd number in order to use majority logic. However, for example, if the number of authentication results is “correct” and “incorrect” and the number is the same, by predetermining a rule such as “correct”, the majority logic is used with an even number of multiplexing. Is also possible.
  • the biometric authentication PF system 300 may manage a plurality of identical biometric authentication original information or one biometric authentication original information that is multiplexed according to the type of biometric authentication. Then, the biometric PF system 300 may execute an authentication process based on a plurality of the same biometric original information or one piece of biometric original information multiplexed according to the type of biometric authentication.
  • the type of biometric authentication may be based on the authentication accuracy for each type of biometric authentication.
  • the biometric PF system 300 can execute the authentication process based on a plurality of identical biometric original information or one biometric original information multiplexed according to the accuracy of each type of biometric authentication. Good.
  • the biometric authentication PF system 300 can provide an authentication service of an authentication method suitable for each type of biometric authentication.
  • the biometric authentication PF system 300 may manage a plurality of identical biometric authentication original information or a single biometric authentication original information in response to requests from a plurality of individual services. Then, the biometric authentication PF system 300 can execute authentication processing based on a plurality of identical biometric original information or one biometric original information in response to requests from a plurality of individual services. Good. Thereby, the biometric authentication PF system 300 can provide an authentication service of an authentication method suitable for each individual service.
  • the biometric authentication PF system 300 when the biometric authentication PF system 300 multiplexes and holds the biometric authentication original information, the biometric authentication PF system 300 performs a matching process between the multiplexed biometric authentication original information, thereby obtaining a plurality of multiplexed biometric authentication original information.
  • An original check of whether or not each is normal (that is, whether or not there is identity) may be performed.
  • the original information management unit 331 executes a matching process for matching each of a plurality of identical biometric authentication original information at a predetermined opportunity, and whether or not each biometric authentication original information is identical. Determine.
  • the original information management unit 331 performs the matching process using an authentication function by the authentication unit 341.
  • the original information management unit 331 uses majority logic for the determination result to determine that the majority biometric authentication original information is normal and to determine that the minority biometric original information is abnormal.
  • the predetermined trigger for executing the matching process between the multiplexed biometric authentication original information is, for example, every hour, every 12 hours, every 24 hours (nighttime), every transaction, or the like.
  • the trigger for performing the matching process is set in consideration of the balance of the transaction amount, transaction frequency, ICT device performance, software performance, and the like.
  • the biometric PF system 300 can construct a database of biometric original information with high safety and reliability by performing an original check on the multiplexed biometric original information.
  • the original information management unit 331 uses the biometric authentication original information determined to be abnormal in the matching process or the plurality of identical biometric original information including the biometric original information determined to be abnormal for the authentication process. Use is prohibited. Thereby, the biometric authentication PF system 300 can increase the validity of the original and the validity of the authentication result, and provide a biometric authentication service with high safety and reliability.
  • the original information management unit 331 may replace the minority biometric original information with the majority biometric original information based on the determination result of the matching process. Thereby, the biometric authentication PF system 300 can restore the biometric authentication original information database by replacing the biometric authentication original information determined to be abnormal in the matching process with the biometric authentication original information determined to be normal.
  • the original information management unit 331 manages biometric authentication original information by converting it into a predetermined code that can be compared, and whether or not each of the plurality of identical biometric original information is identical at a predetermined opportunity. Is compared with a predetermined code that can be compared, and majority determination logic is used for the determination result to determine that the majority biometric authentication original information is normal, and that the minority biometric authentication original information is abnormal. You may judge.
  • the original information management unit 331 may have a function of performing comparison using a predetermined code that can be compared. When comparing with a predetermined code that can be compared, for example, comparison of binary data may be performed, or comparison of data by an algorithm unique to each vendor may be performed. As a result, the biometric PF system 300 can increase the processing speed of the original check rather than using the authentication function by the authentication unit 341.
  • the index information The biometric authentication original information to be determined may be specified using.
  • the original information table TBL331 shown in FIG. 9 when biometric authentication original information is multiplexed and stored, an original number is assigned to each of the plurality of multiplexed and stored biometric authentication original information.
  • the biometric PF system 300 can perform index search of each biometric original information, and can increase the processing speed.
  • the biometric authentication PF system 300 performs the original check by the matching process between the biometric authentication original information, at least one biometric authentication original information determined to be normal among a plurality of the same biometric original information, You may perform the authentication process with the biometric information for authentication. In this case, the processing speed can be increased and the processing load can be reduced as compared with the case where authentication processing is performed for each piece of multiplexed biometric authentication original information.
  • the biometric authentication PF system 300 holds the biometric authentication original information multiplexed (for example, triple) and determines the authentication result using the majority logic directly or indirectly. Therefore, it is possible to increase the validity of the original and the validity of the authentication result, and provide a biometric authentication service with high safety and reliability.
  • FIG. 26 is a second explanatory diagram for explaining the outline of the usage scene of the biometric authentication PF system 300.
  • biometric information for original registration is acquired in principle at stores and offices of telecommunications carriers nationwide. For example, the user himself / herself visits a telecommunications carrier's store, government office, etc., and the biometric information is registered on the terminal 50 in accordance with the instructions of the reception staff (operator, witness, etc.) Perform (form 1).
  • biometric information is acquired in principle at stores and offices of telecommunications carriers nationwide. For example, the user himself / herself visits a telecommunications carrier's store, government office, etc., and the biometric information is registered on the terminal 50 in accordance with the instructions of the reception staff (operator, witness, etc.) Perform (form 1).
  • the reception staff an operator, witness, etc.
  • a sensor for acquiring the biological information
  • a sensor sensor function for acquiring the biological information
  • this sensor may be provided in an input device different from the terminal 50, and biological information acquired by the input device may be sent to the terminal 50.
  • Photographic data such as a certificate (form 2) and student card (form 3) may be used as biometric information for original registration. In the case of form 2 and form 3, it is not necessary to take another user's photograph.
  • the biometric authentication PF system 300 can identify the terminal 50 that acquired the user's original registration biometric information in order to determine whether or not the terminal 50 that acquired the biometric information for original registration is a trusted place. Whether or not to register biometric original information based on the biometric information for original registration of the user may be determined based on such identification information.
  • the identification information that can identify the terminal 50 includes a terminal physical ID, a terminal logical ID, and the like (hereinafter also referred to as “terminal ID”). This terminal ID is transmitted from the terminal 50 in association with the biometric information for original registration.
  • the function of this determination processing is a function provided in the registration unit 314, for example.
  • the biometric authentication PF system 300 can ensure the strictness (identity and validity) of original registration, and can provide an authentication system with high spread and safety.
  • the terminal 50 is a mobility terminal such as a smartphone
  • it is determined whether biometric authentication original information is to be registered by confirming the coincidence of the physical line ID and the logical line ID (Internet address, etc.). May be.
  • the biometric authentication PF system 300 may perform biometric authentication of the person in charge of reception when acquiring biometric information for original registration with the terminal 50.
  • the registration unit 314 determines the user's original registration biometric information based on the biometric information of the person in charge who receives the input of each of the terminals 50 (an example of input devices) of the individual services. Whether or not to register biometric original information based on the biometric information for original registration may be determined. For example, if the registration unit 314 determines that the biometric information for authentication of the receptionist is identical to the biometric original information corresponding to the receptionist managed by the original information management unit 331, the registration unit 314 Biometric authentication original information based on the user's original registration biometric information received by the person is registered.
  • the registration unit 314 does not register the biometric authentication original information based on the user's original registration biometric information received by the reception staff.
  • the biometric authentication PF system 300 registers the biometric original information after confirming the credibility of the person in charge of reception, so that a highly secure authentication system can be provided.
  • the identity verification presentation of photo identification such as a driver's license, passport, etc.
  • financial institutions is also conducted in principle.
  • the biometric PF system 300 executes the conversion function from the external ID to convert the user ID into the internal ID. Further, when considering strictness, the biometric authentication PF system 300 performs encryption. Note that if the conversion function implementation is considered to have substantially the same effect as the encryption, the encryption may be omitted again. For the conversion function and encryption, a known and stable method (such as a method using a hash function) can be applied.
  • C Personal information (address, name, age (date of birth), gender, etc.) of the original registered user shall be provided on the assumption that the original registration will not be violated in order to ensure the strictness of the original registration. It collates with credit information used at financial institutions, etc., and communication contract information at communication carriers, etc., and confirms that it is not impersonation and that it is a person who exists.
  • the registration unit 314 acquires biometric information for user's original registration
  • the biometric information based on the user's original registration biometric information is obtained based on the user's credit information or the user's communication contract information. It is determined whether or not authentication original information is registered.
  • the registration unit 314 collates the user information of the user with the credit information of the user or the communication contract information of the user, and the identity of the user, When the validity or the like is confirmed, biometric authentication original information based on the user's original registration biometric information is registered.
  • the biometric authentication PF system 300 can ensure the strictness (personality and validity) of original registration and provide a highly secure authentication system.
  • the registration unit 314 manages the management information related to the purpose of use of the biometric authentication process for each user described above (for example, the purpose of use setting table TBL318A in FIG. 17 and the purpose of use setting table TBL318B in FIG. 18). ). Specifically, when the registration unit 314 acquires the user information of the user, the biometric information for original registration, and the permission service information, the user information (personal information) and the credit information of the user or the communication contract information of the user And biometric authentication original information is registered based on the user's original registration biometric information. The registration unit 314 associates the biometric original information with the permitted service information.
  • the biometric authentication PF system 300 obtains the biometric information for original registration from the terminal 50 of the biometric information for original registration and the acquisition date of the biometric information for original registration from the terminal 50. Check that the difference between the date and time of transmission is within the reasonable time required for the transmission procedure. If the difference is not a reasonable time, the biometric authentication PF system 300 determines that there is a possibility that the biometric information for original registration has been replaced, and rejects the original registration.
  • FIG. 27 is an explanatory diagram for explaining the flow of processing for preventing spoofing and replacement of biometric information during original registration.
  • a process for preventing spoofing and replacement of biometric information will be described with reference to FIG. (1)
  • the terminal 50 acquires biometric information for original registration using a sensor function. For example, when performing original registration for face authentication, the terminal 50 captures the face of the user for original registration and acquires it as biometric information for original registration.
  • the terminal 50 transmits the acquired original registration biometric information to the biometric authentication PF system 300.
  • the biometric authentication PF system 300 receives the biometric information for original registration transmitted from the terminal 50.
  • the biometric authentication PF system 300 Upon receipt of the biometric information for original registration, the biometric authentication PF system 300 performs impersonation determination and replacement determination. As described above, the impersonation determination is performed based on the terminal ID from which the user's original registration biometric information is acquired, the user's credit information, the user's communication contract information, and the like. In addition, the biometric information replacement determination is performed based on the difference between the acquisition date and time (for example, the shooting date and time) of the biometric information for original registration and the transmission date and time when the biometric information for original registration is transmitted from the terminal 50.
  • the acquisition date and time for example, the shooting date and time
  • the biometric authentication PF system 300 determines whether or not replacement is performed based on whether or not the difference between the acquisition date and the transmission date and time of the biometric information for original registration is equal to or greater than a preset threshold (predetermined time).
  • a preset threshold predetermined time
  • this preset threshold value will be referred to as a “GAP limit value”.
  • the biometric authentication PF system 300 permits the original registration when the difference between the acquisition date and the transmission date and time of the biometric information for original registration is less than the GAP limit value (for example, less than 1 minute).
  • the biometric authentication PF system 300 rejects the original registration when the difference between the acquisition date and the transmission date and time of the biometric information for original registration is equal to or greater than the GAP limit value (for example, 1 minute or more).
  • the transmission date and time here, transmission date and time T1
  • the transmission date and time T1 is less than the GAP limit value with respect to the acquisition date and time (for example, the photographing date and time T0) of the biometric information for original registration
  • the original registration is not permitted (registration refusal).
  • the transmission date / time here, transmission date / time T2
  • the reception date / time when the biometric authentication PF system 300 received the biometric information for original registration may be used.
  • the registration unit 314 registers biometric original information based on the received biometric information for original registration of the user based on the received time stamp of the biometric information for original registration of the user. It is determined whether or not.
  • the time stamp includes at least information indicating the acquisition date and time when the received biometric information for original registration of the user is acquired by the terminal 50 equipped with the sensor function.
  • the registration unit 314 obtains the received date and time (for example, photographing date and time) of the biometric information for original registration of the user and the transmission date and time (for example, the terminal 50) that transmits the biometric information for original registration from any of a plurality of individual services. Whether or not biometric authentication original information based on the biometric information for original registration is to be registered based on the difference from the reception date and time received by the receiving unit 312 from any one of the plurality of individual services. judge.
  • the registration unit 314 determines that the difference between the acquisition date (for example, photographing date) of the received user's original registration biometric information and the transmission date / time or the reception date / time is less than the GAP limit value (less than a predetermined time). In some cases, biometric authentication original information based on the biometric information for original registration is registered. (5) On the other hand, the registration unit 314 determines that the difference between the acquisition date and time (for example, the shooting date and time) of the biometric information for original registration and the transmission date and time or the reception date and time is greater than or equal to the GAP limit value (a predetermined time or more). Does not register biometric original information based on the biometric information for original registration. In this case, the biometric authentication PF system 300 transmits notification information (original registration rejection notification) indicating that original registration is not permitted to the terminal 50.
  • notification information original registration rejection notification
  • the biometric authentication PF system 300 determines the strictness (identity and validity) of biometric information original registration by determining whether or not impersonation and biometric information are replaced at the time of original registration. And a database of original biometric information with high safety and reliability can be constructed.
  • the registration unit 314 may register biometric authentication original information for specific biometric information regardless of the time stamp of the original registration biometric information.
  • the specific biological information is, for example, highly reliable biological information.
  • the biometric authentication PF system 300 can provide a biometric authentication service that is economical, popular, and safe.
  • biometric authentication PF system 300 authentication services using a plurality of biometric information such as face authentication, fingerprint authentication, finger vein authentication, palm vein authentication, iris authentication, tooth type authentication, voiceprint authentication, and DNA authentication.
  • biometric authentication PF system 300 may be applied to biometric authentication other than face authentication, fingerprint authentication, finger vein authentication, palm vein authentication, iris authentication, tooth type authentication, voiceprint authentication, and DNA authentication.
  • a program for realizing the above-described function is recorded on a computer-readable recording medium, and the program recorded on the recording medium is read into a computer system and executed to realize the above-described function.
  • the “computer system” is a computer system built in the terminal device, and includes an OS and hardware such as peripheral devices.
  • the “computer-readable recording medium” refers to a storage device such as a flexible medium, a magneto-optical disk, a portable medium such as a ROM or a CD-ROM, and a hard disk incorporated in a computer system.
  • the “computer-readable recording medium” is a medium that dynamically holds a program for a short time, such as a communication line when transmitting a program via a network such as the Internet or a communication line such as a telephone line,
  • a volatile memory inside a computer system that serves as a server or a client may be included that holds a program for a certain period of time.
  • the program may be a program for realizing a part of the functions described above, and may be a program capable of realizing the functions described above in combination with a program already recorded in a computer system.
  • a part or all of the biometric authentication PF system 300 in the above-described embodiment may be realized as an integrated circuit such as an LSI (Large Scale Integration).
  • LSI Large Scale Integration
  • Each functional block of the biometric authentication PF system 300 may be individually made into a processor, or a part or all of them may be integrated into a processor.
  • the method of circuit integration is not limited to LSI, and may be realized by a dedicated circuit or a general-purpose processor.
  • an integrated circuit based on the technology may be used.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)
  • Collating Specific Patterns (AREA)

Abstract

La présente invention concerne un système de plate-forme d'authentification biométrique qui est pourvu : d'une unité de gestion permettant de gérer des informations de correspondance d'enregistrement d'origine correspondant à un enregistrement d'origine d'informations biométriques utilisées lorsque l'authentification biométrique d'un utilisateur est effectuée par une pluralité de services; et d'une unité d'inscription pour inscrire les informations de correspondance d'enregistrement d'origine gérées par l'unité de gestion sur la base des informations biométriques pour un utilisateur reçu en provenance de n'importe quel service d'une pluralité de services. L'unité d'inscription détermine s'il faut inscrire les informations de correspondance d'enregistrement d'origine sur la base des informations biométriques pour un utilisateur sur la base de l'estampille temporelle des informations biométriques reçues pour l'utilisateur.
PCT/JP2016/053037 2015-02-13 2016-02-02 Système de plateforme d'authentification biométrique, dispositif de gestion d'informations d'authentification biométrique, procédé de gestion d'informations d'authentification et programme de gestion d'informations d'authentification biométrique WO2016129454A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
JP2015026665A JP5951057B1 (ja) 2015-02-13 2015-02-13 生体認証プラットフォームシステム、生体認証情報管理装置、生体認証情報管理方法、及び生体認証情報管理プログラム
JP2015-026665 2015-02-13

Publications (1)

Publication Number Publication Date
WO2016129454A1 true WO2016129454A1 (fr) 2016-08-18

Family

ID=56375197

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/JP2016/053037 WO2016129454A1 (fr) 2015-02-13 2016-02-02 Système de plateforme d'authentification biométrique, dispositif de gestion d'informations d'authentification biométrique, procédé de gestion d'informations d'authentification et programme de gestion d'informations d'authentification biométrique

Country Status (2)

Country Link
JP (1) JP5951057B1 (fr)
WO (1) WO2016129454A1 (fr)

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2019168910A (ja) * 2018-03-23 2019-10-03 富士通株式会社 生体認証装置、生体認証方法及びプログラム
JP2020087461A (ja) * 2018-11-14 2020-06-04 大日本印刷株式会社 本人認証システム、認証器、プログラム及び本人認証方法
JP2021002084A (ja) * 2019-06-19 2021-01-07 株式会社セブン銀行 認証システム、認証方法、および認証プログラム
JP2022521880A (ja) * 2020-01-30 2022-04-13 アルチェラ インコーポレイテッド 生体情報分散管理システム及びこれを用いた生体認証方法

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2024053488A (ja) * 2022-10-03 2024-04-15 株式会社日立システムズ サービス管理装置、サービス管理システム、サービス管理プログラム及びサービス管理方法

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2001117876A (ja) * 1999-10-15 2001-04-27 Fujitsu Ltd 生体情報を用いた認証装置及びその方法
WO2004012383A1 (fr) * 2002-07-25 2004-02-05 Bio-Key International, Inc. Dispositif biometrique fiable
JP2011134030A (ja) * 2009-12-24 2011-07-07 Hitachi Ltd 生体認証システム
JP2014026482A (ja) * 2012-07-27 2014-02-06 Hitachi Ltd 生体情報登録方法

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2006227747A (ja) * 2005-02-15 2006-08-31 Nec Corp 認証システム及び方法並びに認証用プログラム

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2001117876A (ja) * 1999-10-15 2001-04-27 Fujitsu Ltd 生体情報を用いた認証装置及びその方法
WO2004012383A1 (fr) * 2002-07-25 2004-02-05 Bio-Key International, Inc. Dispositif biometrique fiable
JP2011134030A (ja) * 2009-12-24 2011-07-07 Hitachi Ltd 生体認証システム
JP2014026482A (ja) * 2012-07-27 2014-02-06 Hitachi Ltd 生体情報登録方法

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2019168910A (ja) * 2018-03-23 2019-10-03 富士通株式会社 生体認証装置、生体認証方法及びプログラム
JP2020087461A (ja) * 2018-11-14 2020-06-04 大日本印刷株式会社 本人認証システム、認証器、プログラム及び本人認証方法
JP2021002084A (ja) * 2019-06-19 2021-01-07 株式会社セブン銀行 認証システム、認証方法、および認証プログラム
JP2022521880A (ja) * 2020-01-30 2022-04-13 アルチェラ インコーポレイテッド 生体情報分散管理システム及びこれを用いた生体認証方法
JP7274183B2 (ja) 2020-01-30 2023-05-16 アルチェラ インコーポレイテッド 生体情報分散管理システム及びこれを用いた生体認証方法
US11977555B2 (en) 2020-01-30 2024-05-07 Alchera Inc. Biometric data distributed management system, and biometric recognition method using same

Also Published As

Publication number Publication date
JP5951057B1 (ja) 2016-07-13
JP2016149087A (ja) 2016-08-18

Similar Documents

Publication Publication Date Title
US11200340B2 (en) Method and system for managing personal information within independent computer systems and digital networks
US11108546B2 (en) Biometric verification of a blockchain database transaction contributor
US20220417739A1 (en) Secure data communication
US8347101B2 (en) System and method for anonymously indexing electronic record systems
US11669605B1 (en) Dynamic enrollment using biometric tokenization
US20130318361A1 (en) Encrypting and storing biometric information on a storage device
WO2016129454A1 (fr) Système de plateforme d'authentification biométrique, dispositif de gestion d'informations d'authentification biométrique, procédé de gestion d'informations d'authentification et programme de gestion d'informations d'authentification biométrique
WO2016129453A1 (fr) Système de plate-forme d'authentification biométrique, dispositif, procédé et programme de gestion d'informations d'authentification biométrique
US10291611B2 (en) Confidential information storing method, information processing terminal, and computer-readable recording medium
US20210327547A1 (en) Systems, methods, and non-transitory computer-readable media for secure biometrically-enhanced data exchanges and data storage
TW202022666A (zh) 健康資訊之存取系統、存取裝置及存取方法
CN112804218A (zh) 基于区块链的数据处理方法、装置、设备及储存介质
JP5977846B2 (ja) 生体認証プラットフォームシステム、生体認証情報管理装置、生体認証情報管理方法、及び生体認証情報管理プログラム
WO2016129445A1 (fr) Système de plateforme d'authentification biométrique, dispositif de gestion d'informations d'authentification biométrique, procédé de gestion d'informations d'authentification biométrique et programme de gestion d'informations d'authentification biométrique
CN104038509A (zh) 指纹认证云系统
JP5940186B1 (ja) 生体認証プラットフォームシステム、生体認証情報管理装置、生体認証情報管理方法、及び生体認証情報管理プログラム
Choosang et al. Using fingerprints to identify personal health record users in an emergency situation
CN110914821B (zh) 用于身份原子化的系统和方法以及用途
US11514144B1 (en) Universal identification device
Gerdes Jr et al. Incorporating biometrics into veiled certificates: preventing unauthorized use of anonymous certificates
KR100788429B1 (ko) 거래내역 검증방법
AU2005220988B2 (en) System and method for anonymously indexing electronic record systems
Meinel et al. Identity Management in Telemedicine
KR20200114687A (ko) 블록체인을 기반으로 하는 전자 처방 정보 기록 시스템

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 16749098

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 16749098

Country of ref document: EP

Kind code of ref document: A1