WO2018019243A1 - Verification method, apparatus and device, and storage medium - Google Patents

Verification method, apparatus and device, and storage medium

Info

Publication number
WO2018019243A1
Authority
WO (WIPO, PCT)
Prior art keywords
login
verification
instance
user
terminal
Application number
PCT/CN2017/094399
Other languages
French (fr)
Chinese (zh)
Inventor
梁焯佳
龙强
张东何
邓锦福
李素宁
孙骁
古开元
卢洪权
Original Assignee
腾讯科技(深圳)有限公司

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F 21/45 Structures or tools for the administration of authentication
    • G06F 21/31 User authentication

Definitions

  • the present invention relates to security technologies in the field of communications, and in particular, to a verification method, apparatus, device, and storage medium.
  • After verification succeeds, login is performed for the corresponding account: the status of the account in the terminal's application is updated, the account is displayed in the terminal as logged in, and the user can use the services of the account.
  • The related technology often uses one or two fixed verification methods to verify a user logging in to an application; once the verification information is leaked, the account is at risk of being stolen.
  • Embodiments of the present invention provide a verification method, apparatus, device, and storage medium that avoid the potential risk of attacks exploiting a fixed combination of verification methods, and so ensure the security of the account.
  • An embodiment of the present invention provides a verification method, where the method includes:
  • Verifying the login object based on the first verification information for the login instance and the first verification method
  • An embodiment of the present invention provides a verification apparatus, where the apparatus includes:
  • the authentication management part is configured to verify the login object based on the first verification information used for the login instance and the first verification manner;
  • the login abnormality analysis part is configured to perform login abnormality analysis on the login object's login of the instance according to the verification result;
  • a decision part configured to determine a candidate verification mode based on the analysis result to obtain a second verification mode; wherein the second verification mode is different from the first verification mode;
  • the identity verification management part is further configured to verify the login object based on the second verification information for the login instance and the second verification mode.
  • An embodiment of the present invention provides a verification device, including:
  • a processor, and a storage medium storing executable instructions that cause the processor to perform the following operations:
  • Verifying the login object based on the first verification information for the login instance and the first verification method
  • Embodiments of the present invention provide a computer readable storage medium, wherein the computer readable storage medium stores a machine instruction, and when the machine instruction is executed by one or more processors, the processor performs the following steps:
  • Verifying the login object based on the first verification information for the login instance and the first verification method
  • performing login abnormality analysis on the login object's login of the instance according to the verification result;
  • determining a candidate verification mode based on the analysis result to obtain a second verification mode, the second verification mode being different from the first verification mode; and
  • verifying the login object based on the second verification information for the login instance and the second verification mode.
  • The verification method, apparatus, device, and storage medium provided by the embodiments of the present invention verify the login object based on the first verification information used for the login instance and the first verification mode, and perform login abnormality analysis on the login object's login of the instance according to the verification result.
  • The second verification mode is obtained by deciding among candidate verification modes based on the analysis result, the second verification mode being different from the first verification mode, and the login object is then verified based on the second verification information used for the login instance and the second verification mode.
  • The above technical scheme verifies the user of the login instance with a secondary verification, avoiding the high risk of verifying an account only once; when the first login of the login object is abnormal, the second verification mode is decided intelligently and dynamically.
  • Such a second verification avoids the potential risk of attacks that exploit a fixed combination of verification methods: a hacker would have to break dynamically chosen verification methods of different types, which raises the difficulty of the attack and makes the account more secure.
  • Conversely, even if the legitimate login object of the account fails the first verification for some reason (such as forgetting the verification information), it can still pass the verification mode decided subsequently and log in successfully.
  • FIG. 1 is an optional schematic flowchart of a verification method in an embodiment of the present invention.
  • FIG. 2 is a schematic diagram of an optional scenario of a verification method according to an embodiment of the present invention.
  • FIG. 3 is a schematic diagram of an implementation interface of a scenario of a verification method according to an embodiment of the present invention.
  • FIG. 4 is a schematic diagram of a scenario of a verification method according to an embodiment of the present invention.
  • FIG. 5-1 is a schematic diagram of an implementation interface of a scenario of a verification method according to an embodiment of the present invention.
  • FIG. 5-2 is a schematic diagram of an implementation interface of a scenario of a verification method according to an embodiment of the present invention.
  • FIG. 6 is a schematic flowchart of a verification method in an embodiment of the present invention.
  • FIG. 7 is a schematic diagram of a hardware structure of a verification apparatus in an embodiment of the present invention.
  • FIG. 8-1 is a schematic diagram of a functional structure of a verification apparatus in an embodiment of the present invention.
  • FIG. 8-2 is a schematic diagram of the distribution of the functional structure of a verification apparatus in an embodiment of the present invention.
  • FIG. 8-3 is a schematic diagram of the distribution of the functional structure of a verification apparatus in an embodiment of the present invention.
  • FIG. 9 is a schematic diagram of a framework of dual verification based on intelligent decision in an embodiment of the present invention.
  • FIG. 10 is a schematic diagram of a scenario of dual identity verification in an embodiment of the present invention.
  • FIG. 11 is a schematic diagram of a functional structure of a verification device in an embodiment of the present invention.
  • The terms "first" and "second" merely distinguish similar objects and do not denote a particular order; where permitted, the objects distinguished by "first/second" may be interchanged so that the embodiments described herein can be carried out in a sequence other than that illustrated or described.
  • Some applications verify the user only once, for example with a one-time verification such as account + password, so the risk of the account being stolen is high.
  • For example, a social application without a device lock (which verifies the login terminal) can be logged in to with only an account and a password, and some third-party payment applications require no secondary verification when logging in with an SMS verification code.
  • Some applications adopt double verification to reduce the risk of account theft.
  • However, the strategy for choosing verification methods in the related technology is relatively fixed: no intelligent decision is made according to the login environment, which results in low security strength.
  • For example, when the device lock is enabled, SMS verification is the fixed policy; when a third-party payment application logs in with an SMS verification code, using no other verification is the fixed policy. Such fixed verification strategies carry the following risks:
  • SMS may be hijacked, so logging in on the strength of an SMS verification code alone still carries risk. Although third-party payment applications offer other verification methods, such as security verification and face recognition, these are presented as options for the user to choose from, so once any one of them is broken the attacker can log in.
  • The embodiments of the present invention provide a verification method and a verification apparatus for verifying a user's login of an instance, such as an application.
  • The embodiments are not limited to being provided as a method and an apparatus; they may take various forms, for example a computer readable storage medium storing instructions for performing the verification method provided by the embodiments.
  • The embodiments may be provided as application software written in a programming language such as C/C++ or Java, or as a dedicated software module in a large software system, running on a server (stored as executable instructions in the server's storage medium and run by the server's processor). The server verifies the user when the end user submits verification information to log in to the instance, and performs login initialization for the user when the verification passes.
  • The instance can run at the terminal (for example, a social application), with the server acting as the instance's back-end server that implements verification and login control for the user.
  • The instance can also run on the server (for example, a cloud operating system); the terminal then only provides an interface for interacting with the instance run by the server, and submits the verification information entered by the user at the terminal to the server for verification.
  • The embodiments can also be provided on a distributed, parallel computing platform composed of multiple servers, equipped with a customized, easy-to-use web interface or other user interface (UI) for the end user to submit verification information.
  • The embodiments can also be provided as an application or a module written in a programming language such as C/C++ or Java, embedded in terminals running an operating system such as Android or iOS (for example, a social application stored as executable instructions in the terminal's storage medium and executed by the terminal's processor). The terminal then verifies the user directly with its own computing resources and performs login initialization for the user when the verification passes.
  • The verification result can also be transmitted to the server over various network communication methods, regularly or irregularly, or saved locally at the terminal.
  • Terminals include mobile terminals such as smart phones, tablet computers, and vehicle terminals, and can also be desktop computers or similar computing terminals.
  • The executable code of the instance can run entirely on the server, which provides at the terminal a graphical interface for logging in to and managing the instance, such as a cloud operating system.
  • The executable code of the instance can also run at the terminal, as with the various applications that can be installed from an installation package, such as social applications and third-party payment applications.
  • Verification mode: a technical means of verifying whether the current login of the instance is the behavior of the user himself. Verification modes include:
  • Verification of biological characteristics (such as fingerprints, voiceprints, irises, etc.);
  • Trusted terminal verification, for example confirming that the user's current login is legitimate through scan-code authorization by a trusted terminal; a trusted terminal is, for example, a terminal that has logged in to the instance with the current login account, or a recently active login terminal of the user's friend;
  • Relationship chain verification, in which other legitimate users confirm that the user's current login is legitimate, for example by friend-assisted confirmation.
  • Verification information: the credential used together with a verification mode to verify whether the user's login of the instance is legitimate, such as account + password, account + SMS verification code, a biometric, login confirmation by a trusted terminal, or login confirmation by a relationship chain user.
  • FIG. 1 shows an optional flow diagram of the verification method, including the following steps:
  • Step 101: The terminal submits to the server the first verification information used by the user to log in to the instance.
  • The instance may be of the following types:
  • An application running in the terminal. The server is the application's back-end server and stores the user's verification information (or can read it from a database server); when the user logs in to the application at the terminal, the user must submit verification information to the server via the terminal. The server verifies the user, activates login initialization of the application in the terminal after successful verification, and provides the relevant business support for the application.
  • An operating system (such as a cloud operating system) running in the server (or in a distributed computing platform formed by servers). When the user logs in to the operating system, the user must submit verification information to the server via the terminal; the server verifies the user and, after successful verification, activates login initialization of the cloud operating system in the server for the user.
  • An application (such as a cloud computing service) running in the server (or in a distributed computing platform formed by servers). The server verifies the user and, after successful verification, activates login initialization of the application in the server for the user.
  • The first verification information is the information the user must submit when logging in to the target instance via the terminal; its type depends on the verification mode adopted by the instance (the first verification mode).
  • For example, when the first verification mode is the account + password mode, the first verification information is the account and the password submitted by the user for the login instance; when the first verification mode is the account + SMS verification code mode, the first verification information is the account and the SMS verification code submitted by the user for the login instance.
  • Step 102: The server verifies the user based on the first verification information used by the user for logging in to the instance and the first verification mode.
  • The first verification information submitted by the user via the terminal is compared with the legitimate verification information for the first verification mode (stored locally by the server, or read by the server from the verification information database server), and a verification result is formed according to whether the comparison succeeds.
  • When the comparison between the first verification information and the legitimate verification information of the first verification mode succeeds, the verification result is success; when it fails, the verification result is failure.
  • Step 103: The server detects, according to the verification result, whether the user's login of the instance is abnormal. If no abnormality exists, step 104 is performed; otherwise, step 105 is performed.
  • If no abnormality exists, login initialization can be performed for the user (step 104). The following describes how the abnormality of the login instance is detected.
  • Method 1): the server determines that an abnormality exists when verifying the user based on the first verification information used for the login instance and the first verification mode fails.
  • Taking the account + password mode as an example, when the account and password submitted by the user do not match the password of the corresponding account queried by the server, it is determined that the user's login of the instance is abnormal.
  • Method 2): the server determines that an abnormality exists when the user is successfully verified based on the first verification information used for the login instance and the first verification mode, but the login terminal used for the login instance is different from the historical login terminal.
  • Taking the account number (such as a mobile phone number) + SMS verification code mode as an example, when the mobile phone number submitted by the user for the login instance and the SMS verification code sent to that number match, the verification succeeds; but if the mobile phone used is detected to differ from the mobile phone the user used to log in before, it is determined that the user's login of the instance is abnormal.
  • Method 3): the server determines that an abnormality exists when the user is successfully verified based on the first verification information used for the login instance and the first verification mode, but the login terminal is detected to be running malicious code that acquires terminal information.
  • Once malicious code in the form of malware, a malicious plug-in, or the like is detected in the terminal, it is determined that the user's login of the instance is abnormal even if the login terminal has not changed.
  • Step 104: The server performs login initialization for the user.
  • After the server performs login initialization for the user, the user's account is in the logged-in state in the instance, and the user is allowed to obtain the various services of the instance.
  • Step 105: The server performs login abnormality analysis on the user's login of the instance.
  • The login abnormality analysis is described below in combination with the aforementioned methods of detecting an abnormality.
  • For method 1), the server analyses whether the number of times the user has attempted to log in to the instance based on the first verification information within a preset duration (for example, 1 day or 1 hour, according to the instance's security policy) is below the maximum number of incorrect logins, and forms a corresponding analysis result that records the number of attempts the user has made to log in to the instance based on the first verification information.
  • When the number of login attempts exceeds the maximum number of incorrect logins, the account is locked because of the potential security threat and temporarily cannot log in until the security threat is ruled out.
  • For methods 2) and 3), the server compares the login features of the user's login of the instance with the historical login features of the user's logins of the instance, and determines from the differences the abnormal login features of the current login (called abnormal points) and the degree of abnormality of each abnormal point. For example, a login feature in any dimension of the current login that differs from the historical login feature (or differs by more than the corresponding difference threshold) is recognized as an abnormal point.
  • The login features can take the following dimensions:
  • Login method: such as login time, login location, type of login account (such as social application account, mobile phone number, email address, etc.), and password type (such as social application password, SMS verification code, etc.).
  • Login environment: mainly the networking mode of the login terminal.
  • Abnormality of the login terminal: for example, the terminal is an emulator, other suspicious (possibly stolen) accounts have attempted to log in from it, the version of the terminal's operating system is too low, or the operating system of the terminal differs from that of the user's historical terminals. For example, if a user of an iOS terminal has always used the iOS system and the operating system of the login terminal changes to Android, the terminal is abnormal; the degree of abnormality is a quantitative representation of how abnormal the terminal is.
  • Credibility of the login terminal: whether the terminal has a record of suspicious account logins. A terminal with no suspicious account logins is more credible than one with suspicious account logins, and the credibility of a terminal is negatively correlated with the number of suspicious account logins on it.
  • Login status of the account: whether the account is already in the logged-in state before the user logs in to the instance based on it. If the account is already logged in, the user's current login of the instance is abnormal.
  • For example, the user's current login time is 12 o'clock at night, the type of login account is a social application account, and the password is the social application password, whereas the account's historical logins are concentrated in the daytime, use a different type of login account, and use the SMS verification code as the password. Because the current login differs greatly from the user's historical login mode, there is a potential abnormality in the login method dimension.
  • As another example, if the account is already in the logged-in state when the user logs in based on it, the risk that the account is being logged in by a malicious user is high, and there is an abnormality in the login status dimension.
  • Step 106: The server decides among candidate verification modes based on the analysis result to obtain a second verification mode.
  • In one embodiment, the foregoing method 1) applies to the scenario in which the user repeatedly submits wrong verification information for the login instance. When the analysis shows that the number of times the user has attempted to log in to the instance based on the first verification information within the preset duration is not higher than the maximum number of incorrect logins, the account of the login instance does not yet need to be locked, and it is determined that the user may have forgotten the verification information corresponding to the first verification mode. Therefore the first verification mode is excluded from the verification modes supported by the instance account the user is logging in to, giving the candidate verification modes, and the candidate verification mode supported by the terminal is taken as the second verification mode.
  • In one embodiment, the server performs verification feature analysis on the different verification modes, determines the types of login attack each candidate verification mode can withstand, and records, for each candidate verification mode, the login features that the corresponding types of login attack cannot involve.
  • For example, verification feature analysis of the account + SMS verification code mode shows that this mode can withstand attacks against the login feature of account + password verification (because a malicious user attempting to log in to the instance may not be able to obtain the SMS verification code).
  • As another example, verification feature analysis of the fingerprint verification mode shows that this mode can withstand attacks against the login features of account + password verification and of account + SMS verification code verification (because a malicious user attempting to log in to the instance cannot obtain the fingerprint of the legitimate user of the account).
  • Based on the abnormal points of the user's login of the instance and the login features protected by each candidate verification mode, the server selects a candidate verification mode whose login feature does not involve the abnormal point as the mode for verifying the user again (the second verification mode).
  • For example, when the login terminal is abnormal, such as when the terminal has a login record of a suspicious account, a verification mode that does not involve this abnormal point, such as the account + SMS verification code mode or the fingerprint verification mode, is selected as the second verification mode.
  • The server may determine two or more second verification modes; for example, when the degree of abnormality of the abnormal point of the user's login of the instance exceeds an abnormality threshold, two different candidate verification modes are selected as second verification modes.
  • That is, two candidate verification modes different from the first verification mode are selected to verify the user in turn, to ensure account security.
  • The following illustrates the selection of two or more modes.
  • When the server detects that verifying the user based on the first verification information for the login instance and the first verification mode has failed, for the scenario in which the submitted verification information is wrong, the server selects two candidate verification modes different from the first verification mode (as second verification modes) and verifies the user with them in turn; it performs login initialization for the user when the verification succeeds and blocks the user's login of the instance when the verification fails.
  • The foregoing methods 2) and 3) apply to the scenarios in which the verification based on the first verification mode succeeds but the terminal used for the login is a new terminal (used for the login instance for the first time) or has been implanted with malicious code. Based on the abnormal points of the user's login of the instance and the login features protected by the candidate verification modes, the server selects two candidate verification modes different from the first verification mode (as second verification modes) and verifies the user with them in turn; it performs login initialization for the user when the verification succeeds and blocks the user's login of the instance when the verification fails.
  • The login features include dimensions such as the login terminal, historical login habits, and the login environment. The selection of a candidate verification mode different from the first verification mode and not involving the abnormal point (as the second verification mode) is described below with specific cases.
  • When the abnormal point is that the login terminal (the terminal used for the user's current login of the instance) differs from the historical login terminal, for example when the user attempts to log in to the instance from a new terminal that has a record of suspicious account logins: if it is detected that the login terminal has never logged in using SMS verification, it is determined that the login terminal does not have the ability to steal SMS messages, and the SMS verification login mode, which does not involve the current abnormal point, is selected as the second verification mode.
  • When the abnormal point is that the user logs in to the instance with a new type of account name at a new location (for example, the user has never logged in to the instance by email/password at that location), indicating that the login terminal is an abnormal login terminal: if it is detected that the abnormal login terminal has no login record using voiceprint data, it is determined that the login terminal does not have the ability to steal voiceprint data, and the voiceprint verification login mode, which does not involve the current abnormal point, is selected as the second verification mode.
  • When the abnormal point is that both the login location and the network connection used for the login have records of suspicious account logins, the current login terminal is in a highly abnormal situation; if it is determined that the current login user has not compromised the friends' accounts, the contact (friend) assisted verification mode, which does not involve the current abnormal point, is selected, and login initialization is performed once confirmations from a predetermined number of friends that the current user's login is legitimate are received.
  • Step 107: The server verifies the user based on the second verification information used by the user for the login instance and the second verification mode.
  • Step 108: The server detects, according to the second verification result, whether the user's login of the instance is still abnormal. If no abnormality exists, step 104 is performed; otherwise, step 109 is performed.
  • Step 109: The server blocks the user's login of the instance.
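The decision logic of Steps 103 to 106 (abnormality detection, abnormality analysis with lockout, and selection of a second verification mode whose login feature does not involve the abnormal point) can be expressed compactly. The following Python is an added worked example, not code from the patent or from Tencent; the thresholds, the feature dimension names, the set of verification modes, the preference order and the map of which dimension each mode relies on are all assumptions chosen to illustrate the scheme, and the account history used is constructed:

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Assumed policy values (the text only gives "e.g. 1 day or 1 hour" and a
# "maximum number of incorrect logins"); tune per instance.
MAX_FAILED_LOGINS = 5       # failures allowed inside the window before lockout
WINDOW_SECONDS = 3600       # lockout counting window
HIGH_ANOMALY_DEGREE = 2     # this many abnormal points -> require two second modes

# Assumed map of the login-feature dimension each verification mode relies on.
# A mode is eligible as a second mode only if it relies on no abnormal dimension.
MODE_RELIES_ON: Dict[str, Set[str]] = {
    "password": {"credential"},
    "sms_code": {"sms_channel"},
    "fingerprint": {"biometric"},
    "voiceprint": {"biometric"},
    "trusted_device": {"other_device"},   # scan-code authorisation by a trusted terminal
    "friend_confirm": {"relationship"},   # relationship-chain (friend assisted) confirmation
}
# Assumed order of preference when several modes are eligible.
PREFERENCE = ["sms_code", "fingerprint", "voiceprint", "trusted_device", "friend_confirm", "password"]


@dataclass
class Attempt:
    """One login of the instance, plus the result of the Step 102 comparison."""
    mode: str              # first verification mode
    verified: bool         # did the first verification information match?
    terminal: str
    os: str
    hour: int
    location: str
    network: str
    malware: bool = False  # terminal found running malicious code
    ts: float = 0.0        # seconds; used only for the lockout window


@dataclass
class History:
    """Historical login features of the account (constructed for the example)."""
    terminals: Set[str]
    os_names: Set[str]
    active_hours: Set[int]
    locations: Set[str]
    sms_terminals: Set[str] = field(default_factory=set)         # terminals that logged in by SMS code
    suspicious_terminals: Set[str] = field(default_factory=set)  # terminals with suspicious account logins
    suspicious_networks: Set[str] = field(default_factory=set)
    failed_at: List[float] = field(default_factory=list)
    logged_in: bool = False
    supported: Set[str] = field(default_factory=lambda: set(MODE_RELIES_ON))


def lockout(a: Attempt, h: History) -> bool:
    """Step 105, method 1): count wrong attempts inside the window; lock when over the maximum."""
    if a.verified:
        return False
    h.failed_at.append(a.ts)
    recent = [t for t in h.failed_at if a.ts - t < WINDOW_SECONDS]
    return len(recent) > MAX_FAILED_LOGINS


def abnormal_points(a: Attempt, h: History) -> Set[str]:
    """Steps 103/105, methods 2) and 3): dimensions in which the login differs from history."""
    pts: Set[str] = set()
    if not a.verified:
        pts.add("credential")
    if a.terminal not in h.terminals or a.terminal in h.suspicious_terminals or a.os not in h.os_names:
        pts.add("terminal")
        if a.terminal in h.sms_terminals:      # this terminal has handled SMS codes before
            pts.add("sms_channel")
    if a.malware:                              # malware can capture codes and sensor data
        pts |= {"terminal", "sms_channel", "biometric"}
    if a.hour not in h.active_hours:
        pts.add("time")
    if a.location not in h.locations:
        pts.add("location")
    if a.network in h.suspicious_networks:
        pts.add("network")
    if h.logged_in:
        pts.add("session")
    return pts


def choose_second_modes(first_mode: str, pts: Set[str], h: History) -> List[str]:
    """Step 106: modes other than the first that rely on no abnormal dimension; two when highly abnormal."""
    wanted = 2 if len(pts) >= HIGH_ANOMALY_DEGREE else 1
    chosen: List[str] = []
    for m in PREFERENCE:
        if m == first_mode or m not in h.supported or MODE_RELIES_ON[m] & pts:
            continue
        if any(MODE_RELIES_ON[m] == MODE_RELIES_ON[c] for c in chosen):
            continue  # a second mode on the same dimension adds no independence
        chosen.append(m)
        if len(chosen) == wanted:
            break
    return chosen


def decide(a: Attempt, h: History) -> Dict[str, object]:
    """Steps 103-106 end to end: the action the server takes for this login."""
    if lockout(a, h):
        return {"action": "lock", "modes": []}
    pts = abnormal_points(a, h)
    if not pts:
        return {"action": "login", "modes": []}                               # Step 104
    modes = choose_second_modes(a.mode, pts, h)
    if not modes:
        return {"action": "block", "modes": [], "abnormal": sorted(pts)}      # nothing safe to ask for
    return {"action": "second_verification", "modes": modes, "abnormal": sorted(pts)}
```

Calling `decide(Attempt("password", True, "phone-1", "iOS", 10, "SZ", "home-wifi", malware=True), hist)` for an account whose constructed history is one iOS phone with daytime logins from one city returns a second-verification action with `["trusted_device", "friend_confirm"]`: the SMS and biometric modes are excluded because the infected terminal could have captured both, which is exactly the "login feature does not involve the abnormal point" rule. The intersection test in `choose_second_modes` is what makes the choice dynamic, and requiring two modes with distinct reliance sets once the number of abnormal points reaches the threshold is the two-mode case described above.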
  • The beneficial effects of manners 2) and 3) above are described for the scenario where the user logs in to the instance from a new terminal and the first verification succeeds, and for the scenario where the first verification succeeds but the login terminal has been implanted with malicious code. The verification mode used for the second verification is determined dynamically from the login features that the attack on the login instance cannot have involved: because the login feature used by the second verification mode is independent of the abnormal point, a malicious user finds it harder to attack the login than under a fixed secondary verification method. Since the second verification mode is unpredictable to the malicious user, the attack on the second verification is cut off at its root, so malicious logins are identified accurately and blocked effectively when the user logs in to the instance from a new terminal.
  • FIG. 2 is a schematic diagram of an optional scenario, provided by an embodiment of the present invention, for verifying a user's identity when the user logs in to WeChat. It is described taking as an example a first verification mode of account/password verification and a second verification mode whose login feature does not involve the abnormal point.
  • The user attempts to log in to WeChat with the WeChat account and WeChat password, and the server performs the first verification against the stored WeChat password corresponding to that account. In the actual login, as shown in diagram a of FIG. 3, the user first opens the WeChat application on the terminal to enter the login interface, and the terminal displays the login verification interface for the first verification (that is, entering the WeChat account and WeChat password). The user enters the WeChat account in input box 1a, enters the WeChat password in input box 1b and clicks the login button 1c. Here it is assumed that the user has forgotten the WeChat password and submits a wrong one, so the first verification fails.
  • The server then analyzes the login for abnormality to determine its abnormal point. From the failed verification the server determines that the abnormal point of the first login is the WeChat password. It then analyzes the account settings of the WeChat account to find the verification modes bound to the account and decides on a verification mode (other than WeChat account + WeChat password) on the basis of the abnormal point, for example as follows: the first verification was not SMS verification and the user's login terminal carries no SMS-stealing Trojan, so the WeChat account + mobile phone SMS verification mode is selected for the second verification.
  • At the same time, as shown in diagram b of FIG. 3, the terminal displays the login verification interface for the second verification (that is, entering the WeChat account and a mobile phone SMS verification code). The user enters the WeChat account in input box 2a, fills in input box 2b, clicks the button 2c to have the verification code sent, enters in input box 2d the verification code received on the mobile phone, and clicks the login button 2e. The server then performs the second verification by comparing the submitted code with the verification code in the short message that the operator sent for the WeChat account.
  • If the mobile phone SMS verification code entered by the user is the same as the verification code in the short message sent by the operator, the second verification succeeds; the server performs login initialization for the WeChat account, and the terminal displays the WeChat interface shown in diagram c of FIG. 3, with the currently received WeChat messages shown at positions 3a and 3b. If the entered code differs from the one sent by the operator, the second verification fails.
  • The server then determines a third verification mode, again on the basis of the abnormal point of the login (now the SMS verification code), and selects the voiceprint verification mode. As shown in diagram d of FIG. 3, when the second verification fails the terminal displays the login verification interface for the third verification (that is, collecting voiceprint information): the user enters the WeChat account in input box 4a and speaks a phrase such as "Please perform authentication" into a voice collecting device such as the microphone 4b.
  • If the third verification succeeds, login initialization is performed for the WeChat account and the WeChat interface shown in FIG. 3 is displayed on the terminal. If the third verification fails, the WeChat account is blocked for a period of time, because the login indicates that the WeChat account is abnormal and there is a risk that it is not being used by its legitimate user.
  • Deciding the subsequent verification modes (the second and third) intelligently, from the abnormal point, defends against login attacks: on the one hand it avoids the account risk that arises when the user is left to choose the authentication mode, and on the other hand it lets the legitimate owner of the account log in successfully.
  • FIG. 4 is a schematic diagram of another optional scenario, provided by an embodiment of the present invention, for verifying a user's identity when the user logs in to WeChat. It is described taking as an example a first verification mode of account + password + mobile phone SMS verification code and a second verification mode whose login feature does not involve the abnormal point.
  • The user attempts to log in to WeChat from a new terminal with the WeChat account + WeChat password + mobile phone SMS verification code, and the server performs the first verification based on the stored WeChat password corresponding to the account and the verification code that the operator sent for the account. In the actual login, as shown in diagram a of FIG. 5-1, the user opens the WeChat application on the terminal to enter the login interface, and the terminal displays the login verification interface for the first verification (that is, entering the WeChat account + WeChat password + mobile phone SMS verification code).
  • Assume that the first verification succeeds, but the terminal currently logging in to the WeChat account differs from the terminals the user has previously used for that account, or is a terminal the user has used before that has since been implanted with malicious code. The server performs abnormality analysis on the login and determines that the abnormal point is the login terminal (not a commonly used terminal, or a terminal with an abnormality). It then analyzes the account settings of the WeChat account to determine the verification modes bound to the account and selects two verification modes (for the second and the third verification); these may include trusted-terminal scan-code authorization, user voiceprint verification or friend-assisted verification.
  • To ensure the security of the account, the second and third verification modes are different. For example, the second verification mode may be trusted-terminal scan-code authorization, applicable when a trusted terminal that has previously logged in to the WeChat account is online; the third may be friend-assisted verification, applicable when the user can contact friends offline while they are online.
  • The terminal displays the login verification interface for the second verification (that is, trusted-terminal scan authorization) shown in diagram b of FIG. 5-1. The user scans the two-dimensional code 6a with the scan function of WeChat on the trusted terminal, and the server checks that the WeChat account authorizing the scan has logged in from the scanning terminal within the most recent period; if so, the second verification succeeds. The terminal then displays the interface for the third verification (that is, friend-assisted verification) shown in diagram c of FIG. 5-1; after the user clicks the button 7a requesting friend authentication, the terminal jumps to the friend list, the user clicks a friend's avatar to perform the third verification, and the terminal displays diagram d of FIG. 5-1.
  • The verification method above is described as implemented on the server side, that is, the server completes the verification of the user logging in to the instance. The method provided by the embodiment may also be implemented on the terminal side, with the terminal completing the verification.
  • When the method is implemented on the server side, the verification processing logic cannot be cracked on the terminal and used to forge authentication information that spoofs the server into logging in the instance: the terminal only submits verification information to the server and cannot modify the verification logic (which resides on the server), so the reliability of the verification result is assured.
  • When the method is implemented on the terminal side, the user only needs to submit verification information to the terminal, and the terminal verifies the user's login without any network communication. This suits user authentication where no network is available, login verification in a highly secure closed system (physically isolated, with no Internet connection), or login verification for a specific application running in such a system; the tamper resistance that server-side logic enjoys is traded away in exchange.
  • The following describes the method as implemented on the terminal side. Unlike the method of FIG. 1, the steps shown in FIG. 6 are all executed on the terminal and apply to a terminal running an offline instance that needs to authenticate its user. FIG. 6 shows an alternative flow of the verification method, including the following steps:
  • Step 201: The terminal receives the first verification information submitted by the user for the login instance.
  • The first verification information is the information the user must submit when logging in to the target instance through the terminal; its type depends on the verification mode adopted by the instance (the first verification mode). For example, when the first verification mode is account + password, the first verification information is the account and the password submitted by the user for the login instance; when the first verification mode is account + SMS verification code, the first verification information is the account and the SMS verification code submitted by the user for the login instance.
  • Step 202: The terminal verifies the user based on the first verification information submitted by the user for the login instance and the first verification mode. The terminal compares the first verification information submitted to it with the legal verification information of the first verification mode and forms a verification result according to whether the comparison succeeds.
  • Step 203: The terminal detects, according to the verification result, whether the user login instance has an abnormality. If there is no abnormality, login initialization is performed for the user (step 204); otherwise login abnormality analysis is performed (step 205). The following describes the manners in which an abnormality of the login instance is detected.
  • Manner 1): When the terminal detects that verifying the user with the first verification information and the first verification mode has failed, it determines that there is an abnormality. Taking the account + password mode as an example, if the password submitted by the user is inconsistent with the password stored on the terminal for that account, the user login instance is determined to be abnormal.
  • Manner 2): When the terminal detects that the user is verified successfully with the first verification information and the first verification mode, but the login terminal of the login instance differs from the historical login terminal, it determines that the user login instance is abnormal. For example, the first verification mode is account number (such as a mobile phone number) + SMS verification code: the verification code submitted for the mobile phone number is the same as the one sent to that number, so the verification succeeds, but the mobile phone is detected to differ from the one the user logged in from before, so the user login instance is determined to be abnormal.
  • Manner 3): When the terminal detects that the user is verified successfully with the first verification information and the first verification mode, but the login terminal runs malicious code that acquires terminal information (for example, malicious software or a malicious plug-in has been injected into the terminal), the user login instance is determined to be abnormal even though the login terminal has not changed.
  • Step 204: The terminal performs login initialization for the user. After login initialization, the user's account is in the logged-in state in the instance, and the user is allowed to obtain the various services of the instance.
  • Step 205: The terminal performs login abnormality analysis on the user login instance. The analysis is described together with the manners of detecting an abnormality above.
  • Manner 1): The terminal counts how many times the user has attempted to log in to the instance with the first verification information within a preset duration (for example, 1 day or 1 hour, depending on the security policy of the instance) and compares the count with the maximum number of erroneous logins allowed; the analysis result records this count. If the count exceeds the maximum, the account is locked because of a potential security threat and temporarily cannot log in until the threat has been excluded.
  • Manners 2) and 3): The terminal compares the login features of the current login with the historical login features of the user, and from the differences determines the abnormal login features of the user login instance (called abnormal points) and the degree of abnormality of each. For example, any dimension of the current login features that differs from the historical features (or differs by more than the difference threshold set for that dimension) is recognized as an abnormal point.
  • The login features may take the following dimensions:
  • Login mode, such as login time, login location, type of login account (social application account, mobile phone number, email address, etc.) and password type (social application password, SMS verification code, etc.).
  • Login environment, mainly the networking mode of the login terminal.
  • Login status of the account, that is, whether the account was already in the logged-in state before the user logged in to the instance with it. If it was, the current login of the user is abnormal.
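  • As an added example (not code from the patent), the login abnormality analysis of step 205 in Python: the failed-attempt count within the preset duration and the lockout decision for manner 1), and the per-dimension comparison of the current login's features with the user's history that yields the abnormal points and their degree for manners 2) and 3). The dataclass fields, the thresholds, the sample history and the way the degree is computed (one minus the share of past successful logins that share the value) are assumptions made for this example; it also goes one step beyond the text by grading a failed credential by how many failures have accumulated in the window, so the same degree scale serves both manners.

```python
from dataclasses import dataclass
from typing import Dict, List

# Policy values are assumptions for this example, not figures from the patent.
MAX_FAILED_LOGINS = 5        # maximum number of erroneous logins allowed in the window
FAIL_WINDOW_SECONDS = 3600   # the preset duration (one hour here)
DIFFERENCE_THRESHOLD = 0.2   # degree of difference above which a feature is an abnormal point

# Login-feature dimensions compared with history: the page's login-mode and
# login-environment dimensions (location, terminal, account-name type,
# credential type, networking mode).
FEATURE_DIMENSIONS = ("location", "terminal", "account_type", "credential_type", "network")


@dataclass(frozen=True)
class LoginAttempt:
    ts: int               # unix seconds
    location: str
    terminal: str         # terminal identifier
    account_type: str     # e.g. "app_account", "phone", "email"
    credential_type: str  # e.g. "password", "sms_code", "voiceprint"
    network: str          # networking mode / access point
    success: bool         # outcome of the first verification


@dataclass
class AnalysisResult:
    lock_account: bool
    failed_in_window: int
    abnormal_points: Dict[str, float]   # feature -> degree of abnormality in [0, 1]

    @property
    def abnormality(self) -> float:
        """Overall degree of abnormality: the highest per-feature degree."""
        return max(self.abnormal_points.values(), default=0.0)


def failed_attempts_in_window(attempts: List[LoginAttempt], now: int) -> int:
    return sum(1 for a in attempts
               if not a.success and 0 <= now - a.ts <= FAIL_WINDOW_SECONDS)


def abnormal_points(current: LoginAttempt, history: List[LoginAttempt],
                    failed_in_window: int, already_logged_in: bool = False,
                    terminal_compromised: bool = False) -> Dict[str, float]:
    """Compare each feature of the current login with the user's past successful logins.

    Degree = 1 - share of past successful logins that had the same value; a feature
    whose degree exceeds DIFFERENCE_THRESHOLD is recorded as an abnormal point.
    """
    past = [a for a in history if a.success]
    points: Dict[str, float] = {}
    for dim in FEATURE_DIMENSIONS:
        value = getattr(current, dim)
        if past:
            same = sum(1 for a in past if getattr(a, dim) == value)
            degree = 1.0 - same / len(past)
        else:
            degree = 1.0   # no history at all: every feature is new
        if degree > DIFFERENCE_THRESHOLD:
            points[dim] = round(degree, 2)
    if not current.success:
        # Manner 1): the credential that just failed is itself the abnormal point,
        # graded by how many failures have accumulated inside the window.
        points[current.credential_type] = min(1.0, failed_in_window / MAX_FAILED_LOGINS)
    if already_logged_in:
        points["login_status"] = 1.0    # account was already in the logged-in state
    if terminal_compromised:
        points["terminal"] = 1.0        # manner 3): terminal runs info-harvesting code
    return points


def analyze_login(current: LoginAttempt, history: List[LoginAttempt],
                  already_logged_in: bool = False,
                  terminal_compromised: bool = False) -> AnalysisResult:
    failed = failed_attempts_in_window(history + [current], current.ts)
    return AnalysisResult(
        lock_account=failed > MAX_FAILED_LOGINS,
        failed_in_window=failed,
        abnormal_points=abnormal_points(current, history, failed,
                                        already_logged_in, terminal_compromised),
    )


# Constructed sample history: four successful logins from one terminal and network.
USUAL = dict(location="Shenzhen", terminal="T1", account_type="app_account",
             credential_type="password", network="home-wifi")
HISTORY = [LoginAttempt(ts, success=True, **USUAL) for ts in (1000, 2000, 3000, 4000)]


def example_new_terminal() -> AnalysisResult:
    """Manner 2): first verification passed, but from a new terminal, account-name type and network."""
    current = LoginAttempt(5000, "Shenzhen", "T2", "email", "password", "cafe-wifi", True)
    return analyze_login(current, HISTORY)


def example_forgotten_password() -> AnalysisResult:
    """Three wrong passwords inside the window: abnormal, but below the lockout limit."""
    failed = [LoginAttempt(ts, success=False, **USUAL) for ts in (4100, 4200)]
    return analyze_login(LoginAttempt(4300, success=False, **USUAL), HISTORY + failed)


def example_brute_force() -> AnalysisResult:
    """Seven failures inside the window exceed MAX_FAILED_LOGINS: lock the account."""
    failed = [LoginAttempt(4000 + 100 * i, success=False, **USUAL) for i in range(1, 7)]
    return analyze_login(LoginAttempt(4700, success=False, **USUAL), HISTORY + failed)


if __name__ == "__main__":
    for fn in (example_new_terminal, example_forgotten_password, example_brute_force):
        print(fn.__name__, fn())
```

  • The result of `analyze_login` is what step 206 consumes: `lock_account` short-circuits the flow, and `abnormal_points` names the login features a second verification mode must not rely on.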
  • Step 206: The terminal determines the second verification mode by deciding among the candidate verification modes on the basis of the analysis result.
  • For manner 1), in one embodiment, applicable to the scenario where the user keeps submitting wrong verification information for the login instance: when the analysis shows that the number of attempts with the first verification information within the preset duration is not above the maximum number of erroneous logins, the account does not yet need to be locked, and it is judged that the user may have forgotten the verification information of the first verification mode. The first verification mode is therefore excluded from the verification modes supported by the user's instance account to obtain the candidate verification modes, and the candidate mode supported by the terminal is taken as the second verification mode.
  • For manners 2) and 3), in one embodiment, the terminal performs an authentication feature analysis of the different verification modes: it determines which types of login attack each candidate mode withstands and parses out the login features that the corresponding type of attack cannot exploit. For example, the analysis of the account + SMS verification code mode shows that it withstands an attack that has compromised the login feature of account + password verification (because a malicious user attempting the login may be unable to obtain the SMS verification code); the analysis of the fingerprint verification mode shows that it withstands attacks that have compromised both account + password and account + SMS verification code (because the malicious user cannot obtain the fingerprint of the account's legitimate user).
  • Based on the abnormal points of the user login instance and the login features protected by the candidate verification modes, the terminal selects a candidate mode whose login feature does not involve the abnormal point as the mode for re-verifying the user (the second verification mode). For example, if the abnormal point is the login terminal (say, the terminal carries login records of a suspicious account), the verification modes that do not involve the terminal, such as account + SMS verification code and fingerprint verification, are selected, and account + SMS verification code is used as the second verification mode.
  • The terminal may determine two or more second verification modes. For example, when the degree of abnormality of the abnormal point exceeds the abnormality threshold, two different candidate modes are selected as the second verification mode; for a highly abnormal login, two candidate modes different from the first verification mode are selected and used to verify the user in turn, to ensure the account's security. Examples of selecting two or more modes:
  • For manner 1), when the terminal detects that verifying the user with the first verification information and the first verification mode has failed, it selects two candidate modes different from the first verification mode (as the second verification mode) and verifies the user with them in turn, performing login initialization when the verification succeeds and blocking the user login instance when it fails.
  • For manners 2) and 3), applicable when the first verification succeeds but the terminal of the user login instance is a new terminal or has been implanted with malicious code, the terminal likewise selects two candidate modes different from the first verification mode (as the second verification mode) and verifies the user with them in turn, performing login initialization when the verification succeeds and blocking the user login instance when it fails.
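  • As an added example (not code from the patent), the decision of step 206 in Python, also covering the multi-round flow of the FIG. 2/3 and FIG. 4/5-1 scenarios described earlier: each candidate mode is tagged with the login features its credential relies on; modes already used and modes the account does not support are dropped; any remaining mode that relies on an abnormal point is excluded; one mode is chosen normally, two when the degree of abnormality exceeds the threshold. The mode table, the feature names, the friction ranks, the high-assurance flag, the threshold and the outcome oracle are assumptions made for this example. It goes beyond the text in one respect: after a failed round, the failed mode's own features are added to the abnormal points, so the second and third verifications of the WeChat scenario are two iterations of the same selection.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set, Tuple


@dataclass(frozen=True)
class VerificationMode:
    key: str
    relies_on: FrozenSet[str]     # login features the mode's credential depends on
    friction: int                 # relative user effort; lower is preferred
    high_assurance: bool = False  # reserved for highly abnormal logins


# Candidate modes. The feature names, friction ranks and high-assurance flags
# are assumptions made for this example, not values given in the patent.
MODES: Dict[str, VerificationMode] = {
    "password":      VerificationMode("password", frozenset({"password"}), 1),
    "sms_code":      VerificationMode("sms_code", frozenset({"sms_code", "sms_channel"}), 2),
    "fingerprint":   VerificationMode("fingerprint", frozenset({"fingerprint"}), 2),
    "voiceprint":    VerificationMode("voiceprint", frozenset({"voiceprint"}), 3),
    "trusted_scan":  VerificationMode("trusted_scan", frozenset({"trusted_terminal"}), 3, True),
    "friend_assist": VerificationMode("friend_assist", frozenset({"friends"}), 4, True),
}

ABNORMALITY_THRESHOLD = 0.8   # above this degree, two second-verification modes are used
MAX_EXTRA_ROUNDS = 2          # a second and a third verification, then block


def candidate_modes(supported: Set[str], exclude: Set[str]) -> List[VerificationMode]:
    """Account-setting analysis: modes the account supports, minus modes already used."""
    return [m for k, m in MODES.items() if k in supported and k not in exclude]


def select_second_modes(abnormal_points: Dict[str, float], supported: Set[str],
                        exclude: Set[str]) -> List[VerificationMode]:
    """Decision part: pick mode(s) whose login features do not involve any abnormal point."""
    feasible = [m for m in candidate_modes(supported, exclude)
                if not (m.relies_on & set(abnormal_points))]
    degree = max(abnormal_points.values(), default=0.0)
    if degree > ABNORMALITY_THRESHOLD:
        # Highly abnormal login: two different modes, high-assurance ones first.
        feasible.sort(key=lambda m: (not m.high_assurance, m.friction))
        return feasible[:2]
    feasible.sort(key=lambda m: m.friction)
    return feasible[:1]


def run_verification(first_modes: Set[str], abnormal_points: Dict[str, float],
                     supported: Set[str], outcomes: Dict[str, bool]) -> Tuple[List[str], str]:
    """Steps 205-209 as a loop.

    `outcomes` is a constructed oracle saying whether the user would pass each mode.
    After a failed round the failed mode's features join the abnormal points, so the
    next round can only choose modes that avoid them; when nothing is left, or the
    round budget is exhausted, the login is blocked.
    """
    points = dict(abnormal_points)
    used = set(first_modes)
    tried: List[str] = []
    if not points:
        return tried, "login_initialized"
    for _ in range(MAX_EXTRA_ROUNDS):
        modes = select_second_modes(points, supported, used)
        if not modes:
            return tried, "blocked"
        failed = None
        for m in modes:
            tried.append(m.key)
            used.add(m.key)
            if not outcomes.get(m.key, False):
                failed = m
                break
        if failed is None:
            return tried, "login_initialized"
        worst = max(points.values())
        for feature in failed.relies_on:
            points[feature] = max(points.get(feature, 0.0), worst)
    return tried, "blocked"


# Constructed account settings: phone number bound, voiceprint set, no fingerprint.
WECHAT_LIKE_ACCOUNT = {"password", "sms_code", "voiceprint"}


def example_forgotten_password_chain() -> Tuple[List[str], str]:
    """FIG. 2/3 scenario: wrong password, then a wrong SMS code, then a failed voiceprint."""
    return run_verification({"password"}, {"password": 0.6}, WECHAT_LIKE_ACCOUNT,
                            {"sms_code": False, "voiceprint": False})


def example_new_terminal_chain() -> Tuple[List[str], str]:
    """FIG. 4/5-1 scenario: password + SMS passed on a new terminal; scan code, then friend assist."""
    supported = {"password", "sms_code", "trusted_scan", "friend_assist"}
    return run_verification({"password", "sms_code"}, {"terminal": 1.0, "network": 1.0},
                            supported, {"trusted_scan": True, "friend_assist": True})


def example_sms_trojan() -> List[VerificationMode]:
    """Terminal flagged as carrying an SMS-stealing Trojan: the SMS mode is never offered."""
    return select_second_modes({"terminal": 1.0, "sms_channel": 1.0},
                               WECHAT_LIKE_ACCOUNT, {"password"})


if __name__ == "__main__":
    print(example_forgotten_password_chain())
    print(example_new_terminal_chain())
    print([m.key for m in example_sms_trojan()])
```

  • Note that `example_sms_trojan` returns a single mode even though the degree of abnormality calls for two: the page does not say what happens when fewer than two feasible modes remain, and this example simply uses what is left rather than blocking outright.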
  • Step 207: The terminal verifies the user based on the second verification information submitted by the user for the login instance and the second verification mode.
  • Step 208: The terminal detects, according to the verification result, whether the user login instance has an abnormality. If there is no abnormality, step 204 is performed; otherwise step 209 is performed.
  • Step 209: The terminal blocks the user login instance.
  • The beneficial effects of manners 2) and 3) above are described for the scenario where the user logs in to the instance from a new terminal and the first verification succeeds, and for the scenario where the first verification succeeds but the login terminal has been implanted with malicious code. The verification mode used for the second verification is determined dynamically from the login features that the attack on the login instance cannot have involved: because the login feature used by the second verification mode is independent of the abnormal point, a malicious user finds it harder to attack the login than under a fixed secondary verification method. Since the second verification mode is unpredictable to the malicious user, the malicious user cannot pass the second verification, and the login is effectively blocked, which ensures the security of the account when the user logs in to the instance from a new terminal.
  • In terms of hardware, the verification apparatus 10 includes a processor 11, a network interface 12, an input/output interface 13 and a storage medium 14; these components communicate over a system bus.
  • The processor 11 may be implemented by a central processing unit (CPU), a microcontroller unit (MCU), an application-specific integrated circuit (ASIC) or a field-programmable gate array (FPGA).
  • The input/output interface 13 may be implemented with input/output devices such as a display screen, a touch screen and a speaker.
  • The storage medium 14 may be implemented with a non-volatile storage medium such as flash memory, a hard disk or an optical disc, or with a volatile storage medium such as Double Data Rate (DDR) dynamic memory. It may be located on the same device as the other components of the hardware structure or remotely from them.
  • The network interface 12 provides the processor 11 with access to external data, such as a remotely located storage medium 14. It may be based on short-range technologies such as near field communication (NFC), Bluetooth or ZigBee, or on cellular systems such as Code Division Multiple Access (CDMA), Wideband Code Division Multiple Access (WCDMA) and their evolved systems.
  • In terms of function, the verification apparatus 10 includes:
  • an authentication management part 15, configured to verify the user based on the first verification information submitted by the user for the login instance and the first verification mode;
  • a login abnormality analysis part 16, configured to detect, from the verification result, that the user login instance is abnormal and to perform login abnormality analysis on the user login instance;
  • a decision part 17, configured to determine the second verification mode by deciding among the candidate verification modes on the basis of the analysis result, the second verification mode being different from the first verification mode;
  • the authentication management part 15 being further configured to verify the user based on the second verification information submitted by the user for the login instance and the second verification mode.
  • In one embodiment, the login abnormality analysis part 16 is further configured to detect that verifying the user with the first verification information submitted for the login instance and the first verification mode has failed;
  • or to detect that the user has been verified successfully with the first verification information and the first verification mode, but the terminal of the user login instance differs from the historical login terminal;
  • or to detect that the user has been verified successfully with the first verification information and the first verification mode, but the login terminal of the user login instance runs malicious code that acquires terminal information.
  • The login abnormality analysis part 16 is further configured to compare the login features of the user login instance with its historical login features and to determine the abnormal point of the user login instance from the differences between them.
  • The decision part 17 is further configured to select, on the basis of the abnormal point of the user login instance and the login features protected by the candidate verification modes, a candidate verification mode whose login feature does not involve the abnormal point as the second verification mode.
  • In one embodiment, the verification apparatus 10 further includes an authentication feature management part 18, configured to parse the verification feature of each candidate verification mode to obtain the types of login attack that the mode withstands, and to parse the login features that the corresponding type of attack cannot exploit as the features protected by that mode.
  • In one embodiment, the verification apparatus 10 further includes an account setting analysis part 19, configured to analyze the verification modes supported by the user's instance account; the decision part 17 is further configured to exclude the first verification mode from the verification modes supported by the user's instance account to obtain the candidate verification modes, and to take the candidate mode supported by the terminal as the second verification mode.
  • The decision part 17 is further configured to select two candidate verification modes different from the first verification mode as the second verification mode when the degree of abnormality of the abnormal point of the user login instance exceeds the abnormality threshold.
  • The identity verification method provided by the embodiment may be implemented on the server side or on the terminal side. On the server side, the verification apparatus 10 is implemented with the server's hardware resources (the processor, network interface and so on described above) and verifies, in the form of a server, the users who log in through terminals. On the terminal side, it is implemented with the terminal's hardware resources and verifies the user of the login instance without requiring network communication.
  • The following takes the verification apparatus 10 implemented on the server side, with two-factor authentication, as an example.
  • The identity verification function comprises five parts: an account setting analysis part, a login abnormality analysis part, an authentication feature management part, a decision part and an authentication management part. The password or mobile phone verification code is first checked by the authentication management part; the relevant parts of the framework then analyze the login, and a secondary identity verification mode is decided on the basis of domain knowledge. The result of every passed verification is recorded in the terminal information kept by the server; once a terminal has completed sufficient verifications it can be treated as a trusted terminal.
  • The account setting analysis part determines which verification modes the user's account supports, for example whether the account supports SMS verification (whether a mobile phone number is bound), whether a voiceprint has been set, whether the account's relationship chain is suitable for selecting friends for friend-assisted verification (for example, whether there are fixed frequent contacts), and whether the current status of the account supports scan-code authorization login.
  • The login abnormality analysis part analyzes the abnormality of the user's current login. It considers the user's historical login habits (common login locations, common login terminals, login times) and the current login mode (login time, location, account-name type (WeChat ID, mobile phone number, QQ number, email) and password type (WeChat password, QQ password, SMS verification code)), compares the current login behavior with the user's historical habits and login modes, and derives the abnormal points, for example that the user has never logged in from a certain location, the login status of the account in use, the abnormality and credibility of the current login terminal and the abnormality of the current login environment, together with the degree of abnormality of the login.
  • Terminal abnormality refers, for example, to the terminal being an emulator, other suspicious stolen accounts having attempted to log in on it, the terminal's system version being too low, or the terminal's system differing from that of the user's previous terminal (for example, the previously used terminal ran iOS while the current one runs Android); the degree of abnormality quantifies these terminal abnormalities. Terminal abnormality may also refer to whether a suspicious user has logged in on the terminal; if so, the degree of abnormality is higher than for a terminal on which no suspicious user has logged in.
  • Terminal trust means that the terminal of the login instance has no abnormal point and additionally has trusted features, such as long-term use of frequently contacted friends' accounts on the terminal or a match between the terminal's name information and the real-name information of the account; terminal credibility quantifies this trust.
  • The login environment mainly refers to the login terminal, the networking mode and the type of client used. If other suspicious users have already been seen on the current login terminal and networking mode (such as the wireless LAN in use), the login is highly suspicious.
  • The authentication feature management part manages which verification modes are available against which attacks. For example, the SMS verification code mode is applicable when the first verification was not SMS verification and the user's historical terminals carry no SMS-stealing Trojan; trusted-terminal scan-code authorization is applicable when a trusted terminal is online and has recently been active; friend assistance suits highly suspicious logins, because it requires contacting friends offline for help, has a certain operating threshold and is highly secure.
  • the decision part is a comprehensive analysis of the result of the account setting analysis part, the login abnormality analysis part and the authentication part.
  • The decision selects an appropriate verification mode, and the selected mode does not depend on the anomalous point of the current login, which avoids the situation of a malicious attack.
  • In practice, the specific decision rules can be summarized from analysis of historical cases and the characteristics of the identity verification modes, and continuously tuned online through A/B testing.
  • the Authentication Management section is part of the implementation of various authentication methods, including the technical implementation of identity data provisioning and authentication.
  • the authentication method may be mobile phone short message verification, trusted terminal authorization, relationship chain verification, biometric verification, and the like.
  • the abnormal login analysis is triggered to perform the decision of the secondary verification mode.
  • The account setting analysis part finds that the account meets the conditions for SMS verification (a mobile phone number is bound) and for friend avatar selection (relationship chain confirmation).
  • The login anomaly analysis part finds that the login terminal is a malicious terminal with a large number of remote account logins, and that the terminal has no record of SMS verification.
  • The decision part then starts working.
  • Secondary verification by SMS is chosen on the basis that the attacker is logging in with the account name.
  • The attacker probably does not know the mobile phone number bound to the account, and it is presumed difficult for the attacker to steal the user's SMS messages; the absence of any SMS record on the terminal also supports this. Therefore, although the attacker passed the password check, on encountering SMS verification code verification the attacker cannot obtain the SMS verification code, and the login cannot succeed.
  • Intelligent or dynamic decision of the secondary or further verification avoids the potential risk of attack brought by a fixed combination of verification modes.
  • The decided verification mode avoids the anomalous point of the current login.
  • An account thief has to break through dynamically chosen verification modes of different types, so theft becomes harder and the account is better protected.
  • The subsequently decided verification mode is one the account supports (is bound to), so the user can pass verification and log in smoothly.
  • The server further includes a storage medium 22. All preset contents and software code proposed in the embodiments of the present invention may be stored in the storage medium 22, which may be connected to the processor 21 through the system bus 23. The storage medium 22 is configured to store executable program code, including computer operating instructions; it may include high-speed RAM and may also include non-volatile memory, such as at least one disk memory.
  • If the above information pushing method is implemented in the form of a software function module and sold or used as an independent product, it may also be stored in a computer-readable storage medium.
  • the technical solution of the embodiments of the present invention may be embodied in the form of a software product in essence or in the form of a software product stored in a storage medium, including a plurality of instructions.
  • a computer device (which may be a personal computer, server, or network device, etc.) is caused to perform all or part of the methods described in various embodiments of the present invention.
  • the foregoing storage medium includes various media that can store program codes, such as a USB flash drive, a mobile hard disk, a read only memory (ROM), a magnetic disk, or an optical disk.
  • An embodiment of the present invention provides a verification device, including: a storage medium, configured to store executable instructions;
  • a processor configured to execute the stored executable instructions, the executable instructions configured to perform the information push method described above.
  • Embodiments of the present invention provide a computer storage medium in which computer executable instructions are stored, the computer executable instructions being configured to perform the above information pushing method.
  • the disclosed apparatus and method may be implemented in other manners.
  • the device embodiments described above are merely illustrative.
  • the division of the unit is only a logical function division.
  • There may be other division manners; for example, multiple units or components may be combined or integrated into another system, or some features may be ignored or not executed.
  • The coupling, direct coupling or communication connection between the components shown or discussed may be indirect coupling or communication connection through some interfaces, devices or units, and may be electrical, mechanical or of other forms.
  • the units described above as separate components may or may not be physically separated, and the components displayed as the unit may or may not be physical units; they may be located in one place or distributed on multiple network units; Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of the embodiment.
  • each functional unit in each embodiment of the present invention may be integrated into one processing unit, or each unit may be separately used as one unit, or two or more units may be integrated into one unit;
  • the unit can be implemented in the form of hardware or in the form of hardware plus software functional units.
  • The foregoing program may be stored in a computer-readable storage medium, and the program performs the steps of the method when executed.
  • the foregoing storage medium includes: a mobile storage device, a random access memory (RAM), a read-only memory (ROM), a magnetic disk, or an optical disk.
  • the above-described integrated unit of the present invention may be stored in a computer readable storage medium if it is implemented in the form of a software function module and sold or used as a standalone product.
  • the foregoing storage medium includes various media that can store program codes, such as a mobile storage device, a ROM, a magnetic disk, or an optical disk.
  • The user of the login instance is verified by secondary verification, which avoids the high risk of verifying the account only once; when the first verification of the login object's login to the instance finds an anomaly, the verification mode is chosen by intelligent dynamic decision.
  • The secondary verification removes the potential risk of attack brought by a fixed combination of verification modes. An account thief has to break through dynamically chosen verification modes of different types, so theft becomes harder and the account is better protected; and a legitimate login object that cannot log in at the first verification for whatever reason (such as a forgotten password) can still pass the subsequently decided verification mode and log in successfully.
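The framework described in the items above (account setting analysis, login anomaly analysis, authentication feature management and the decision part), as an added worked example in Python that is not part of the patent or of any code from the applicant; the method table, anomaly tags and weights, thresholds, field names and the sample login history and login attempts are all assumptions constructed for illustration. It reproduces the worked case from the text: the password check passes on a malicious terminal with many remote account logins and no SMS record, the account has a bound phone and a frequent contact, and the decision selects SMS. It also shows the outcome when the terminal's history indicates an SMS Trojan (SMS is ruled out and friend assistance is chosen) and the case where a login that matches the user's habits needs no second verification.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Method:
    # Authentication feature management entry (assumed table modelled on the modes
    # named in the text): the account setting the mode needs, the anomaly tags that
    # make it unsafe to rely on, its friction for the user, and the anomaly score
    # from which a high-friction mode is offered.
    name: str
    requires: str            # AccountSettings attribute that must be True
    defeated_by: frozenset   # anomaly tags that undermine this mode
    friction: int            # lower = easier for the legitimate user
    min_score: int = 0

METHODS = [
    Method("sms", "phone_bound", frozenset({"sms_trojan_on_terminal"}), friction=1),
    Method("trusted_terminal_scan", "trusted_terminal_online", frozenset(), friction=2),
    # Friend assistance needs offline contact, so it is reserved for highly suspicious logins.
    Method("friend_assist", "has_frequent_friend", frozenset(), friction=3, min_score=6),
]

@dataclass
class AccountSettings:           # account setting analysis: what the account can use
    phone_bound: bool = False
    trusted_terminal_online: bool = False
    has_frequent_friend: bool = False

@dataclass
class LoginHistory:              # the user's login habits as recorded by the server
    locations: frozenset
    terminals: frozenset
    usual_hours: range
    last_os: str

@dataclass
class LoginAttempt:              # what is known about the current login
    location: str
    terminal_id: str
    os: str
    hour: int
    is_emulator: bool = False
    other_suspicious_accounts: int = 0  # suspected stolen accounts seen on this terminal
    sms_trojan_seen: bool = False       # terminal history shows an SMS-stealing Trojan

# Assumed weights that quantify each anomaly tag into a degree of anomaly.
WEIGHTS = {"unfamiliar_location": 2, "unfamiliar_terminal": 2, "unusual_time": 1,
           "os_changed": 1, "emulator_terminal": 3, "suspicious_terminal": 3,
           "sms_trojan_on_terminal": 2}

def analyze_login(history: LoginHistory, attempt: LoginAttempt):
    """Login anomaly analysis: compare the attempt with the user's habits and
    return (anomaly tags, quantified anomaly score)."""
    checks = {
        "unfamiliar_location": attempt.location not in history.locations,
        "unfamiliar_terminal": attempt.terminal_id not in history.terminals,
        "unusual_time": attempt.hour not in history.usual_hours,
        "os_changed": attempt.os != history.last_os,
        "emulator_terminal": attempt.is_emulator,
        "suspicious_terminal": attempt.other_suspicious_accounts > 0,
        "sms_trojan_on_terminal": attempt.sms_trojan_seen,
    }
    tags = {tag for tag, hit in checks.items() if hit}
    return tags, sum(WEIGHTS[t] for t in tags)

def decide_second_mode(settings: AccountSettings, tags: set, score: int,
                       first_mode: str, threshold: int = 3) -> Optional[str]:
    """Decision part: None when the login is not anomalous enough to need a second
    verification; otherwise a mode the account supports, different from the first
    mode and not undermined by any anomaly found. LookupError if none exists."""
    if score < threshold:
        return None
    usable = [m for m in METHODS if m.name != first_mode
              and getattr(settings, m.requires) and not (m.defeated_by & tags)]
    if not usable:
        raise LookupError("no verification mode is both supported and safe here")
    # Prefer modes suited to this level of suspicion, but never leave a legitimate
    # user without a way in: fall back to any usable mode.
    eligible = [m for m in usable if m.min_score <= score] or usable
    return min(eligible, key=lambda m: m.friction).name

# Constructed habits: one home city, one known phone, daytime logins, iOS.
HISTORY = LoginHistory(frozenset({"home-city"}), frozenset({"known-phone"}), range(7, 24), "iOS")

def worked_case(sms_trojan_seen: bool = False) -> Optional[str]:
    """The case from the text: password verified on a malicious terminal with many
    remote account logins; the account has a bound phone and a frequent friend."""
    settings = AccountSettings(phone_bound=True, has_frequent_friend=True)
    attempt = LoginAttempt("elsewhere", "unknown-device", "Android", hour=3,
                           other_suspicious_accounts=40, sms_trojan_seen=sms_trojan_seen)
    tags, score = analyze_login(HISTORY, attempt)
    return decide_second_mode(settings, tags, score, first_mode="password")

def familiar_case() -> Optional[str]:
    """A login matching the user's habits needs no second verification."""
    attempt = LoginAttempt("home-city", "known-phone", "iOS", hour=9)
    tags, score = analyze_login(HISTORY, attempt)
    return decide_second_mode(AccountSettings(phone_bound=True), tags, score, "password")
```

Calling `worked_case()` returns `"sms"`, `worked_case(sms_trojan_seen=True)` returns `"friend_assist"`, and `familiar_case()` returns `None`. The two filters in `decide_second_mode` are the ones the text insists on: candidates are restricted to what the account actually supports, so a legitimate user always has a usable path, and to modes not undermined by the anomalies found, so the chosen mode never relies on the element that made the login suspicious.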

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Telephonic Communication Services (AREA)
  • Information Transfer Between Computers (AREA)

Abstract

Disclosed in embodiments of the present invention are a verification method, apparatus and device, and a storage medium. The method comprises: verifying a login object according to first verification information and a first verification mode used for logging in to an instance; performing login anomaly analysis on login of the login object to the instance according to the verification result; making a decision on candidate verification modes according to the analysis result so as to obtain a second verification mode, the second verification mode being different from the first verification mode; and verifying the login object according to the second verification information and the second verification mode used for logging in to the instance.

Description

Verification method, apparatus, device and storage medium
Cross-reference to related applications
This application is based on and claims priority to Chinese patent application No. 201610613071.8, filed on July 28, 2016, the entire contents of which are incorporated herein by reference.
Technical field
The present invention relates to security technologies in the field of communications, and in particular to a verification method, apparatus, device and storage medium.
Background
In the Internet era there are ever more kinds of applications, such as social, multimedia and online shopping applications. A common feature of these applications is that they identify users by accounts the users have registered in advance and provide services accordingly. Before using a service, the user must submit the verification information of the registered account, such as a password or an SMS verification code, to the application (client) running on the terminal; the application submits the verification information to the corresponding back-end server. After the server has verified the user on the basis of that information, it performs the login for the account and updates the account's status in the terminal's application; the account is then shown on the terminal as logged in, and the user can use the account's services.
At present, the related art usually verifies a user's login to an application with one fixed verification mode or a fixed combination of two, so once the verification information leaks, the account is at risk of being compromised.
Summary of the invention
To solve the above technical problem, embodiments of the present invention provide a verification method, apparatus, device and storage medium that avoid the potential risk of attack brought by a fixed combination of verification modes and so safeguard account security.
The technical solution of the embodiments of the present invention may be implemented as follows:
An embodiment of the present invention provides a verification method, the method including:
verifying a login object on the basis of first verification information used for logging in to an instance and a first verification mode;
performing login anomaly analysis on the login object's login to the instance on the basis of the verification result;
making a decision among candidate verification modes on the basis of the analysis result to obtain a second verification mode, the second verification mode being different from the first verification mode;
verifying the login object on the basis of second verification information used for logging in to the instance and the second verification mode.
An embodiment of the present invention provides a verification apparatus, the apparatus including:
an identity verification management part configured to verify a login object on the basis of first verification information used for logging in to an instance and a first verification mode;
a login anomaly analysis part configured to perform login anomaly analysis on the login object's login to the instance on the basis of the verification result;
a decision part configured to make a decision among candidate verification modes on the basis of the analysis result to obtain a second verification mode, the second verification mode being different from the first verification mode;
the identity verification management part being further configured to verify the login object on the basis of second verification information used for logging in to the instance and the second verification mode.
An embodiment of the present invention provides a verification device, including:
a processor and a storage medium, the storage medium storing executable instructions for causing the processor to perform the following operations:
verifying a login object on the basis of first verification information used for logging in to an instance and a first verification mode;
performing login anomaly analysis on the login object's login to the instance on the basis of the verification result;
making a decision among candidate verification modes on the basis of the analysis result to obtain a second verification mode, the second verification mode being different from the first verification mode;
verifying the login object on the basis of second verification information used for logging in to the instance and the second verification mode.
Embodiments of the present invention provide a computer-readable storage medium storing machine instructions which, when executed by one or more processors, cause the processor(s) to perform the following steps:
verifying a login object on the basis of first verification information used for logging in to an instance and a first verification mode;
performing login anomaly analysis on the login object's login to the instance on the basis of the verification result;
making a decision among candidate verification modes on the basis of the analysis result to obtain a second verification mode, the second verification mode being different from the first verification mode;
verifying the login object on the basis of second verification information used for logging in to the instance and the second verification mode.
The verification method, apparatus, device and storage medium provided by the embodiments of the present invention verify the login object on the basis of the first verification information used for logging in to the instance and the first verification mode, perform login anomaly analysis on the login object's login to the instance on the basis of the verification result, make a decision among candidate verification modes on the basis of the analysis result to obtain a second verification mode that differs from the first, and verify the login object on the basis of the second verification information used for logging in to the instance and the second verification mode. With this technical solution, the user logging in to the instance is verified by a secondary verification, which avoids the high risk of verifying an account only once. When the first verification of the login object's login to the instance finds an anomaly, the secondary verification uses a verification mode chosen by intelligent, dynamic decision, which avoids the potential risk of attack brought by a fixed combination of verification modes: an account thief has to break through dynamically chosen verification modes of different types, so theft becomes harder and the account is better protected; and a legitimate login object that cannot log in at the first verification for whatever reason (such as a forgotten password) can still pass the subsequently decided verification mode and log in smoothly.
Brief description of the drawings
FIG. 1 is an optional schematic flowchart of a verification method in an embodiment of the present invention;
FIG. 2 is a schematic diagram of an optional scenario of the verification method provided by an embodiment of the present invention;
FIG. 3 is a schematic diagram of an implementation interface for one scenario of the verification method provided by an embodiment of the present invention;
FIG. 4 is a schematic diagram of one scenario of the verification method provided by an embodiment of the present invention;
FIG. 5-1 is a schematic diagram of an implementation interface for one scenario of the verification method provided by an embodiment of the present invention;
FIG. 5-2 is a schematic diagram of an implementation interface for one scenario of the verification method provided by an embodiment of the present invention;
FIG. 6 is a schematic flowchart of a verification method in an embodiment of the present invention;
FIG. 7 is a schematic diagram of a hardware structure of a verification apparatus in an embodiment of the present invention;
FIG. 8-1 is a schematic diagram of a functional structure of a verification apparatus in an embodiment of the present invention;
FIG. 8-2 is a schematic diagram of one distribution of the functional structure of the verification apparatus in an embodiment of the present invention;
FIG. 8-3 is a schematic diagram of one distribution of the functional structure of the verification apparatus in an embodiment of the present invention;
FIG. 9 is a schematic diagram of a framework for dual identity verification based on intelligent decision in an embodiment of the present invention;
FIG. 10 is a schematic diagram of a scenario of dual identity verification in an embodiment of the present invention;
FIG. 11 is a schematic diagram of a functional structure of a verification device in an embodiment of the present invention.
Detailed description
The present invention is described in further detail below with reference to the accompanying drawings and embodiments. It should be understood that the embodiments provided here serve only to explain the invention and do not limit it. In addition, the embodiments provided below are some, not all, of the embodiments for implementing the present invention; where no conflict arises, the technical solutions described in the embodiments may be combined in any way.
It should be noted that the terms "first" and "second" in the embodiments of the present invention merely distinguish similar objects and do not denote a particular ordering; where permitted, "first" and "second" may exchange their particular order or sequence. It should be understood that objects distinguished as "first" and "second" may be interchanged where appropriate, so that the embodiments described here can be carried out in an order other than that illustrated or described.
In the course of implementing the present invention, the inventors found that the ways of logging in to applications provided by the related art have at least the following problems:
1) Some applications verify the user only once, for example with a one-time verification mode such as account + password, so the risk of account theft is high.
For example, in some cases there is no multi-factor verification for suspicious logins, leading to a high risk of account theft. A social application without device lock enabled (device lock verifies the login terminal) can be logged in to with only an account and password; some third-party payment applications require no secondary verification when logging in with an SMS verification code.
2) Some applications use dual verification to reduce the risk of account theft, but the related art's policy for choosing verification modes is fairly fixed: no intelligent decision is made, according to the login environment, on which verification mode to use, so the protection against theft is weak.
For example, for a social application, verifying an SMS code only when device lock is enabled is a fixed policy; for a third-party payment application, performing no other verification when logging in with an SMS verification code is a fixed policy. Such fixed-policy verification carries risks, in the following respects:
The SMS function may be hijacked, so logging in with only an SMS verification code still carries the risk of trusting SMS. Third-party payment applications do offer other verification modes, such as security questions and face recognition, but these are listed as options for the user to choose from, so an attacker who breaks through any one of them can log in.
3) In some applications the verification mode is fixed, and when the user cannot pass the fixed verification mode there is no alternative mode that would let the user log in.
For example, when a social application verifies with account and password, a user who has forgotten the password and keeps trying will lock the account and be unable to log in; when a third-party payment application uses an SMS verification code for the second verification, a user whose phone is not at hand cannot pass verification and log in.
In view of the above problems, embodiments of the present invention provide a verification method for verifying a user's login to an instance, and a verification apparatus and terminal applying the method. Of course, the embodiments are not limited to being provided as a method and an apparatus; other implementations are possible, for example a computer-readable storage medium storing instructions for performing the verification method provided by the embodiments.
Different implementations of the verification method are illustrated below.
1. Implementation on the server side, as a server application or platform
Embodiments of the present invention may be provided as application software, or as a dedicated software module within a large software system, designed in a programming language such as C/C++ or Java and running on a server (stored as executable instructions in the server's storage medium and run by the server's processor). The user is verified when the terminal user submits verification information to log in to the instance, and login initialization is performed for the user when verification passes.
The instance may run on the terminal (for example, the instance may be a social application), with the server acting as the instance's back-end server to verify users and control login. Of course, the instance may also run on the server (for example, a cloud operating system), in which case the terminal only provides an interface for interacting with the instance running on the server and submits the verification information entered by the user to the server for verification.
Embodiments of the present invention may also be provided as a customized, easy-to-use web interface or other user interface (UI) on a distributed, parallel computing platform made up of multiple servers, to verify the user when the terminal user submits verification information to log in to the instance and to perform login initialization for the user when verification passes.
2. Implementation on the terminal side, provided as an application or module
Embodiments of the present invention may be provided as an application or module designed in a programming language such as C/C++ or Java. The module may be embedded in applications on various terminals running operating systems such as Android or iOS (for example a social application; it is stored as executable instructions in the terminal's storage medium and executed by the terminal's processor), so that the user is verified directly with the terminal's own computing resources and login initialization is performed for the user when verification passes. The verification results may also be sent to the server, regularly or irregularly, over any network communication channel, or kept locally on the terminal.
Before the present invention is described in further detail, the nouns and terms used in the embodiments are explained; they are to be read as follows.
1) Terminal: includes mobile terminals such as smartphones, tablets and in-vehicle terminals, and may also be a desktop computer or similar computing terminal.
2) Instance: an operating system, application or the like that has a verification mechanism.
For example, the executable code of the instance may run entirely on the server, with the terminal providing a graphical interface for logging in to and managing the instance, as with a cloud operating system.
As another example, the executable code of the instance may run on the terminal, provided as any application that can be installed from an installation package, such as a social application or a third-party payment application.
3) Verification mode: the technical means of verifying whether the current login to the instance is really being performed by the user.
By way of example, verification modes include:
account + password;
account + SMS verification code;
biometric verification (such as fingerprint, voiceprint or iris);
trusted-terminal verification, for example confirming that the user's current login is legitimate through scan-code authorization by a trusted terminal; a trusted terminal is, for example, a terminal that has previously logged in to the instance with the current login account, or a login terminal of one of the user's friends that has recently been active;
relationship-chain verification, in which other legitimate users confirm that the user's current login is legitimate, for example logging in by friend-assisted confirmation.
4) Verification information: used together with a verification mode, it is the credential for verifying whether the user's login to the instance is legitimate, such as account + password, account + SMS verification code, biometric data, a trusted terminal's login confirmation, or a relationship-chain user's login confirmation.
The verification method provided by the embodiment of the present invention is described below taking implementation on the server side, with the user as the login object, as an example. Referring to FIG. 1, which shows an optional flow diagram of the verification method, the method includes the following steps:
Step 101: the terminal submits to the server the first verification information used by the user to log in to the instance.
In one embodiment, as described above, instances include the following types:
1) An operating system running on the terminal. When the user logs in to this operating system, verification information must be submitted to the server via the terminal; the server verifies the user and, after verification succeeds, activates login initialization of the operating system on the terminal.
2) An application running on the terminal. The server is the application's backend server and stores the user's verification information, or is able to read verification information stored on a database server. When the user logs in to the application on the terminal, verification information must be submitted to the server via the terminal; the server verifies the user, activates login initialization of the application on the terminal after verification succeeds, and provides the related business support to the application.
3) An operating system (such as a cloud operating system) running on a server (or on a distributed computing platform formed by servers). When the user logs in to this operating system, verification information must be submitted to the server via the terminal; the server verifies the user and, after verification succeeds, activates login initialization of the cloud operating system on the server for the user.
4) An application (such as a cloud computing service) running on a server (or on a distributed computing platform formed by servers). When the user logs in to the application, verification information must be submitted to the server via the terminal; the server verifies the user and, after verification succeeds, activates login initialization of the application on the server for the user.
In one embodiment, illustratively, the first verification information is the information the user must submit in order to log in to the target instance via the terminal; the type of verification information depends on the verification method adopted by the instance (also referred to as the first verification method).
For example, when the verification method is account + password verification, the first verification information is the account and password submitted by the user to log in to the instance; when the verification method is account + SMS verification code, the first verification information is the account submitted by the user to log in to the instance together with the SMS verification code received via the terminal; when the verification method is fingerprint verification, the first verification information is the fingerprint data entered by the user on the terminal.
Step 102: the server verifies the user based on the first verification information used by the user to log in to the instance and the first verification method.
In one embodiment, the first verification information submitted by the user via the terminal is compared with the legitimate verification information of the first verification method (stored locally on the server, or read by the server from a verification information database server), and the verification result is formed according to whether the comparison succeeds. When the first verification information matches the legitimate verification information of the first verification method, the verification result is success; when it does not match, the verification result is failure.
Step 103: based on the verification result, the server detects whether the user's login to the instance is abnormal; if no abnormality exists, step 104 is performed; otherwise step 105 is performed.
When no abnormality exists in the user's login to the instance, the account used by the user to log in to the instance is not under a security threat, so login initialization can be performed for the user (step 104). The ways of detecting a login abnormality are described below.
Method 1)
In one embodiment, for the scenario in which the submitted verification information is wrong, when the server detects that verification of the user based on the first verification information used by the user to log in to the instance and the first verification method has failed, it determines that an abnormality exists.
For example, taking account + password verification as the first verification method, when the account and password submitted by the user via the terminal do not match the password of the corresponding account looked up by the server, it is determined that the user's login to the instance is abnormal.
Method 2)
In another embodiment, for the scenario in which the user changes the terminal used to log in to the instance, when the server detects that verification of the user based on the first verification information and the first verification method has succeeded, but also detects that the terminal from which the user logs in to the instance differs from the historical login terminals, it determines that the user's login to the instance is abnormal.
For example, suppose the user logs in to the instance from a new mobile phone and the first verification method is account (e.g. mobile phone number) + SMS verification code. When the mobile phone number submitted for the login matches the SMS verification code sent to that number, verification succeeds; but if the phone is detected to differ from the phone the user previously logged in from, the user's login to the instance is determined to be abnormal.
Method 3)
In another embodiment, for the scenario in which malicious code has been injected into the terminal, the server detects that verification of the user based on the first verification information and the first verification method has succeeded, and also detects that the terminal from which the user logs in to the instance is running malicious code that harvests terminal information; the login is then determined to be abnormal.
For example, when the server detects that verification based on the first verification information and the first verification method has succeeded, but detects that malicious code in the form of malware, a malicious plug-in or the like has been injected into the terminal, the user's login to the instance is determined to be abnormal even if the login terminal has not changed.
Step 104: the server performs login initialization for the user.
After the server completes login initialization for the user, the user's account is in the logged-in state in the instance, which allows the user to obtain various services in the instance.
Step 105: the server performs login abnormality analysis on the user's login to the instance.
The login abnormality analysis is described in connection with the abnormality detection methods above.
Continuing Method 1): in one embodiment, the server analyzes whether the number of times the user has attempted to log in to the instance based on the first verification information is below the maximum number of failed logins allowed within a preset duration (e.g. 1 day or 1 hour, depending on the instance's security policy), and forms a corresponding analysis result that records the number of times the user has attempted to log in to the instance based on the first verification information. Typically, when the number of login attempts exceeds the maximum number of failed logins, an account lockout is applied because of the potential security threat, and the account temporarily cannot log in until the security threat has been cleared.
Continuing Methods 2) and 3): in one embodiment, the server compares the login features of the user's login to the instance with the historical login features of the user's logins to the instance and, based on the differences between them, determines the abnormal login features of the user's login (referred to as abnormal points) and the degree of abnormality of each abnormal point. For example, in each dimension of the login features, a login feature that differs from the historical login feature (or that differs by more than the corresponding difference threshold) is identified as an abnormal point.
Illustratively, the login features may use the following dimensions:
Dimension 1) Login method, such as login time, login location, type of login account (e.g. social application account, mobile phone number, e-mail address) and password type (e.g. social application password, SMS verification code).
Dimension 2) Historical login habits, such as the usual login locations, usual login terminals and usual login times.
Dimension 3) Login environment, which mainly refers to the way the login terminal is connected to the network.
Dimension 4) Degree of abnormality of the login terminal. A terminal abnormality is, for example, that the terminal is an emulator, that other suspicious stolen accounts have attempted to log in from it, that the version of the terminal's operating system is too low, or that the terminal's operating system differs from that of the terminals the user has historically used to log in to the instance (for example, a user of an iOS terminal who has always used iOS: if the login terminal's operating system changes to Android, a terminal abnormality exists). The degree of abnormality is a quantitative characterization of these terminal abnormalities.
Dimension 5) Credibility of the login terminal. Terminal credibility refers to whether suspicious accounts have logged in from the terminal: a terminal with no suspicious account logins is more credible than one with suspicious account logins, and the credibility of a terminal is negatively correlated with the number of suspicious account logins on it.
Dimension 6) Login status of the account, which refers to whether the account was already in the logged-in state before the user logged in to the instance with it; if the account was already logged in, the user's current login to the instance is abnormal.
For example, the user's current login with the account occurs at 12 o'clock at night, the login account type is a social application account and the login password is the social application password, whereas the account's historical logins have always been concentrated in the daytime, with the login account type being a mobile phone number and the login password being an SMS verification code. Because the current login differs considerably from the user's historical login method, there is a potential abnormal point in the login method.
As another example, if it is detected that a large number of suspicious accounts have previously logged in from the terminal the user is currently logging in from, there is an abnormal point in the dimension of login terminal credibility.
As a further example, if the account used for the user's current login has already undergone login initialization on the server side and is in the logged-in state, there is a high risk that the current login with this account is a malicious user's login, so there is an abnormal point in the login status dimension.
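The per-dimension comparison of step 105 can be made concrete with a small scorer. The following is an added example, not code from the patent or its applicant: the feature names, the scoring rules (a dimension becomes an abnormal point when the fraction of historical logins that differ from the current value exceeds a difference threshold; terminal credibility falls with the number of suspicious account logins; an emulator or an already logged-in account scores the maximum), and the sample login history are all assumptions chosen to illustrate the six dimensions and the three worked cases above.

```python
"""Abnormal-point detection by comparing login features with login history.

Added example, not code from the patent: the feature names, the scoring
rules and the sample logins below are assumptions chosen to illustrate the
per-dimension comparison described in step 105.
"""
from dataclasses import dataclass
from typing import Callable, List


@dataclass
class LoginFeatures:
    """Features of one login, grouped by the dimensions listed in the text."""
    hour: int                        # dimension 1: login time, 0-23
    location: str                    # dimension 1: login location
    account_type: str                # dimension 1: e.g. "social", "phone", "email"
    credential_type: str             # dimension 1: e.g. "password", "sms_code"
    terminal_id: str                 # dimension 2: login terminal
    network: str                     # dimension 3: networking mode of the terminal
    os_name: str                     # dimension 4: terminal operating system
    is_emulator: bool = False        # dimension 4: terminal abnormality
    suspicious_logins: int = 0       # dimension 5: suspicious accounts seen on terminal
    already_logged_in: bool = False  # dimension 6: account login status


@dataclass
class AbnormalPoint:
    dimension: str
    degree: float   # 0.0 = consistent with history, 1.0 = maximal deviation
    detail: str


def _time_bucket(hour: int) -> str:
    return "day" if 6 <= hour < 22 else "night"


def _novelty(history: List[LoginFeatures], key: Callable[[LoginFeatures], object],
             current_value: object) -> float:
    """Fraction of historical logins whose feature differs from the current value.

    0.0 means the value is the user's habit; 1.0 means it was never seen before.
    With no history at all everything counts as new.
    """
    if not history:
        return 1.0
    same = sum(1 for h in history if key(h) == current_value)
    return 1.0 - same / len(history)


def find_abnormal_points(current: LoginFeatures, history: List[LoginFeatures],
                         threshold: float = 0.5) -> List[AbnormalPoint]:
    """Compare a login against the user's history dimension by dimension.

    A dimension is reported as an abnormal point when its degree of difference
    exceeds `threshold` (the "difference degree threshold" of the text).
    Dimensions 4 to 6 are also scored from the current login alone, as the
    text describes them.
    """
    points: List[AbnormalPoint] = []

    def report(dimension: str, degree: float, detail: str) -> None:
        if degree > threshold:
            points.append(AbnormalPoint(dimension, round(degree, 2), detail))

    # Dimensions 1 and 2: login method against historical login habits.
    report("login_time", _novelty(history, lambda h: _time_bucket(h.hour),
                                  _time_bucket(current.hour)), f"login at {current.hour:02d}:00")
    report("login_location", _novelty(history, lambda h: h.location, current.location),
           current.location)
    report("account_type", _novelty(history, lambda h: h.account_type, current.account_type),
           current.account_type)
    report("credential_type", _novelty(history, lambda h: h.credential_type,
                                       current.credential_type), current.credential_type)
    report("login_terminal", _novelty(history, lambda h: h.terminal_id, current.terminal_id),
           current.terminal_id)
    # Dimension 3: login environment (networking mode).
    report("login_environment", _novelty(history, lambda h: h.network, current.network),
           current.network)
    # Dimension 4: terminal abnormality (operating system change, emulator).
    os_degree = _novelty(history, lambda h: h.os_name, current.os_name)
    report("terminal_abnormality", 1.0 if current.is_emulator else os_degree,
           "emulator" if current.is_emulator else current.os_name)
    # Dimension 5: credibility falls with the number of suspicious account logins.
    report("terminal_credibility", 1.0 - 1.0 / (1 + current.suspicious_logins),
           f"{current.suspicious_logins} suspicious account logins")
    # Dimension 6: the account was already logged in before this attempt.
    report("login_status", 1.0 if current.already_logged_in else 0.0,
           "account already logged in")
    return points


def abnormal_dimensions(current: LoginFeatures, history: List[LoginFeatures],
                        threshold: float = 0.5) -> List[str]:
    """Sorted names of the dimensions that carry an abnormal point."""
    return sorted(p.dimension for p in find_abnormal_points(current, history, threshold))


# Constructed sample history: four habitual daytime logins by SMS code from one iPhone.
HISTORY = [LoginFeatures(h, "Shenzhen", "phone", "sms_code", "T1", "wifi", "iOS")
           for h in (9, 10, 14, 11)]

if __name__ == "__main__":
    # The first worked case of the text: a night-time social-account + password login.
    night_login = LoginFeatures(0, "Shenzhen", "social", "password", "T1", "wifi", "iOS")
    for point in find_abnormal_points(night_login, HISTORY):
        print(point)
```

With the constructed history, the night-time social-account login yields abnormal points in the login-time, account-type and credential-type dimensions only (the first worked case); a login from an unseen terminal that has seen three suspicious account logins yields abnormal points in login terminal and terminal credibility (the second case); and a login from an emulator with the account already logged in yields terminal abnormality and login status (the third case). The degrees returned are what step 106 compares against an abnormality threshold.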
Step 106: based on the analysis result, the server makes a decision among the candidate verification methods to obtain a second verification method.
Continuing Method 1): in one embodiment, applicable to the scenario in which the user repeatedly submits wrong verification information for logging in to the instance, when the analysis shows that the number of times the user has attempted to log in to the instance based on the first verification information does not exceed the maximum number of failed logins within the preset duration, this indicates that account lockout does not yet need to be applied to the account used to log in to the instance, and it is judged that the user may have forgotten the verification information for the first verification method. Therefore the first verification method is excluded from the verification methods supported by the instance account the user is logging in to, which gives the candidate verification methods, and a verification method supported by the terminal is selected from the candidates as the second verification method.
Continuing Methods 2) and 3): applicable to the scenario in which verification based on the first verification method succeeds but the terminal from which the user logs in to the instance is a new terminal, or the terminal has been implanted with malicious code.
In one embodiment, the server performs an identity verification characteristics analysis on the different verification methods, determines which types of login attack each candidate verification method is able to counter, and derives the login features not used by the corresponding type of login attack as the login features protected by that verification method.
For example, an identity verification characteristics analysis of the account + SMS verification code method yields that this method can be used to counter attacks on the account + password login feature (because a malicious user attempting to log in to the instance may be unable to obtain the SMS verification code).
As another example, an identity verification characteristics analysis of the fingerprint verification method determines that this method can be used to counter attacks on account + password verification as well as attacks on the account + SMS verification code login feature (because a malicious user attempting to log in to the instance cannot obtain the fingerprint of the account's legitimate user).
Continuing Methods 2) and 3): based on the abnormal points of the user's login to the instance and the login features protected by each candidate verification method, the server selects a candidate verification method whose login features do not involve the abnormal points as the method for verifying the user again (the second verification method).
For example, when the user has been successfully verified by account + password but the login terminal is abnormal, such as when the terminal has login records of suspicious accounts, a login method that does not involve the abnormal point, such as account + SMS verification code verification or fingerprint verification, is selected as the second verification method.
In one embodiment, the server may decide on two or more second verification methods; for example, when the degree of abnormality of an abnormal point of the user's login exceeds an abnormality threshold, two different candidate verification methods are selected as second verification methods. For instance, for a login with a high degree of abnormality, two candidate verification methods differing from the first verification method are selected (as second verification methods) to verify the user in turn, which ensures account security. Selecting two or more methods is illustrated below.
Illustratively, continuing Method 1), for the scenario in which the submitted verification information is wrong: when the server detects that verification based on the first verification information and the first verification method has failed, it selects two candidate verification methods differing from the first verification method (as second verification methods) to verify the user in turn; login initialization is performed for the user when verification succeeds, and the user's login to the instance is blocked when verification fails.
Illustratively, continuing Methods 2) and 3), applicable to the scenario in which verification based on the first verification method succeeds but the terminal from which the user logs in is a new terminal (used for the first time to log in to the instance) or has been implanted with malicious code: based on the abnormal points of the user's login and the login features protected by the candidate verification methods, the server selects two candidate verification methods differing from the first verification method whose login features do not involve the abnormal points (as second verification methods) to verify the user in turn; login initialization is performed for the user when verification succeeds, and the user's login to the instance is blocked when verification fails.
As described above, the login features include dimensions such as the login terminal, historical login habits and the login environment. The selection of a candidate verification method differing from the first verification method and not involving the abnormal points (as the second verification method) is described below in connection with specific cases.
For example, when the abnormal point is that the login terminal (the terminal the user currently uses to log in to the instance) differs from the historical login terminals, e.g. the user is attempting to log in to the instance with a new terminal and the terminal has records of suspicious account logins, then if it is detected that the login terminal has not been involved in logins using SMS verification, it is determined that the login terminal does not have the ability to steal SMS messages, and SMS verification, which does not involve the current abnormal point, is selected as the second verification method.
As another example, when the abnormal point is that the user is logging in to the instance from a new location with a new type of account name (for example, the user has never before logged in to the instance from that location with e-mail address + password), indicating that the login terminal is an abnormal login terminal, then if it is detected that the abnormal login terminal has no record of logins using voiceprint data, it is determined that the login terminal does not have the ability to steal voiceprint data, and voiceprint verification, which does not involve the current abnormal point, is selected as the second verification method.
As a further example, when the abnormal point is that suspicious accounts have already logged in from the user's login location and from the network connection used for the login, the current login terminal is highly abnormal; it is determined that the current login user does not have the ability to compromise the accounts of the user's friends, so an assisted verification method via offline contacts (friends) unconnected with the current abnormal point is selected, and login initialization is performed when a predetermined number of friends confirm that the current user's login is legitimate.
Step 107: the server verifies the user based on the second verification information used by the user to log in to the instance and the second verification method.
Step 108: based on the verification result, the server detects whether the user's login to the instance is abnormal; if no abnormality exists, step 104 is performed; otherwise step 109 is performed.
Step 109: the server blocks the user's login to the instance.
Continuing with the beneficial effects of Method 1): when verification of the user by one verification method (the first verification method) fails, an alternative verification method (the second verification method) is provided to verify the user's login to the instance. This avoids the situation in which the user cannot log in at all after forgetting the verification information for the first verification method, and achieves the technical effect of helping the user log in smoothly even after forgetting the verification information for one verification method.
Continuing with the beneficial effects of Methods 2) and 3): in the scenario in which the user logs in to the instance from a new terminal and the first verification succeeds, and in the scenario in which the first verification succeeds but the login terminal has been implanted with malicious code, the verification method used for the second verification of the user is decided dynamically based on the login features that the abnormal points of the login cannot reach (attack). Because the login features involved in the second verification method are unrelated to the abnormal points, this makes it harder for a malicious user to attack the login than a fixed secondary verification method would: since the second verification method is unpredictable to the malicious user, the malicious user has no way to attack the second verification. This achieves the technical effect of accurately identifying and effectively blocking malicious user logins, and effectively ensures account security when the user logs in to the instance from a new terminal.
The verification processing implemented on the server side in the above embodiment is described below with reference to examples.
参见图2示出的本发明实施例提供的用户登录微信时验证用户身份的一个可选的场景示意图,以第一验证方式为账号+密码的验证方式,第二验证方式为登录特征不涉及异常点的两种验证方式为例进行说明:在图2中,用户在终端进行微信登录时可以使用微信账号+微信密码的方式尝试登录微信,服务器基于存储的对应该微信账号的微信密码对用户进行第一次验 证;实际登录时如图3中的a图所示用户首先打开终端上的微信应用进入登录界面,此时终端上会显示出需要进行第一次验证(即输入微信账号和微信密码)的登录验证界面;用户在图3中的a图所示的登录验证界面的输入框1a中输入相应的微信账号并在输入框1b中输入微信密码,之后点击登录按钮1c,这里假设用户忘记微信密码而提交错误的微信密码导致第一次验证失败,服务器对登录进行异常分析确定登录的异常点;此次,服务器可以确定第一登录的异常点是微信密码,之后对微信账号进行账号设置分析,确定用户的微信账号绑定的验证方式,基于异常点(即微信密码)对验证方式(除微信账号+微信密码验证方式)进行决策,例如包括如下决策:第一次验证为非短信验证而且用户的登录终端没有中短信木马病毒的情况,因此选取微信账号+手机短信的验证方式进行二次验证。同时,如图3中的b图所示当第一次验证失败后终端会显示需要进行第二次验证(即输入微信账号和手机短信验证码)的登录验证界面;用户在图3中的b图所示的登录验证界面的输入框2a中输入相应的微信账号,在输入框2b中输入手机短信验证码,并点击的发送验证码的按钮2c后,在输入框2d中将手机上接收到的运营商发送的验证码输入并点击登录按钮2e,之后服务器基于运营商发送的对应该微信账号的短信息中的验证码对用户进行第二次验证,如果用户输入的手机短信验证码与运营商发送的短信息中的验证码相同,表明第二次验证成功;此时服务器为微信账号执行登录初始化,终端上会呈现如图3中的c图所示进入微信的界面,即可以在图3中的c图的界面上的位置3a和3b上显示当前接收到的微信信息;如果用户输入的手机短信验证码与运营商发送的短信息中的验证码不相同,表明第二次验证失败,此时服务器基于登录的异常点(即短信验证码)再次决策出第三次验证方式,设为声纹验证方式;同时,如图3中的d图所示当第二次验证失败后终端会显示需要进行第三次验证(即采集声纹信息)的登录验证界 面;用户在图3中的d图所示的登录验证界面的输入框4a中输入微信账号,并通过语音采集设备如话筒4b等输入自己的声音信息,例如可以输入“请进行身份验证”的语音信息,如果第三次验证成功则为微信账号执行登录初始化,终端上会呈现如图3中的c图所示的微信界面,如果第三次验证失败则在一段时间内屏蔽该微信账号的登录,表明该微信账号存在异常,可能存在该微信账号并非用户本人使用有被他人盗取的风险。FIG. 2 is a schematic diagram of an optional scenario for verifying a user identity when a user logs in to a WeChat provided by the embodiment of the present invention, where the first verification mode is an account/password verification mode, and the second verification mode is that the login feature does not involve an abnormality. The two verification methods of the point are described as an example: In FIG. 2, when the terminal performs the WeChat login, the WeChat account + WeChat password can be used to try to log in to WeChat, and the server performs the WeChat password corresponding to the WeChat account to the user. First test In the actual login, as shown in a in Figure 3, the user first opens the WeChat application on the terminal to enter the login interface. 
At this time, the terminal will display the login that needs to be verified for the first time (ie, input WeChat account and WeChat password). Verification interface; the user inputs the corresponding WeChat account in the input box 1a of the login verification interface shown in FIG. 3 in FIG. 3 and inputs the WeChat password in the input box 1b, and then clicks the login button 1c, which assumes that the user forgets the WeChat password. Submitting the wrong WeChat password causes the first verification to fail. The server analyzes the abnormality of the login to determine the abnormal point of the login. This time, the server can determine that the abnormality of the first login is the WeChat password, and then analyze the account settings of the WeChat account to determine The verification mode of the user's WeChat account binding is based on the abnormal point (ie, WeChat password) to make a decision on the verification mode (except WeChat account + WeChat password verification mode), for example, including the following decision: the first verification is non-text message verification and the user's The login terminal does not have the medium message Trojan virus, so select the WeChat account + mobile phone SMS verification method. Underwent secondary verification. At the same time, as shown in the figure b in FIG. 3, after the first verification fails, the terminal displays a login verification interface that requires a second verification (ie, inputting a WeChat account and a mobile phone SMS verification code); the user is in FIG. Enter the corresponding WeChat account in the input box 2a of the login verification interface shown in the figure, enter the SMS verification code in the input box 2b, and click the button 2c to send the verification code, and then receive it on the mobile phone in the input box 2d. Enter the verification code sent by the operator and click the login button 2e. 
After that, the server performs the second verification on the user based on the verification code in the short message corresponding to the WeChat account sent by the operator. If the user enters the mobile phone SMS verification code and operation The verification code in the short message sent by the quotient is the same, indicating that the second verification is successful; at this time, the server performs login initialization for the WeChat account, and the terminal will display the interface of entering WeChat as shown in c in FIG. 3, that is, the figure can be The currently received WeChat information is displayed on the positions 3a and 3b on the interface of the c picture in 3; if the mobile phone short message verification code input by the user is in the short message sent by the operator The verification code is different, indicating that the second verification fails. At this time, the server determines the third verification mode again based on the abnormal point of the login (ie, the SMS verification code), and sets the voiceprint verification mode; meanwhile, as shown in FIG. The figure shows that when the second verification fails, the terminal will display the login verification community that needs to perform the third verification (that is, collect voiceprint information). The user inputs the WeChat account in the input box 4a of the login verification interface shown in the figure d in FIG. 3, and inputs his own voice information through a voice collecting device such as the microphone 4b, for example, "Please perform authentication". Voice information, if the third verification is successful, the login initialization is performed for the WeChat account, and the WeChat interface shown in Figure 3 is displayed on the terminal. If the third verification fails, the WeChat account is blocked for a period of time. The login indicates that the WeChat account is abnormal. There may be a risk that the WeChat account is not used by the user.
When the first verification fails, the subsequent verification modes (the second verification mode and the third verification mode) are decided intelligently, and the decided verification mode is one selected on the basis of the abnormal point and able to resist login attacks. On the one hand this avoids the account risk that arises when the user chooses the verification mode; on the other hand it ensures that the legitimate user of the account can still log in successfully.
FIG. 4 is a schematic diagram of an optional scenario, provided by an embodiment of the present invention, of verifying the identity of a user logging in to WeChat. It is described by taking as an example that the first verification mode is account + password + mobile phone SMS verification code, and that the second verification mode consists of two verification modes whose login features do not involve the abnormal point. In FIG. 4, when logging in to WeChat on a terminal the user may attempt to log in on a new terminal with WeChat account + WeChat password + mobile phone SMS; the server performs the first verification on the user based on the stored WeChat password corresponding to the WeChat account and the verification code in the short message that the operator sent for the WeChat account. In the actual login, as shown in diagram a of FIG. 5-1, the user first opens the WeChat application on the terminal to enter the login interface; the terminal then displays the login verification interface for the first verification (i.e. entering WeChat account + WeChat password + mobile phone SMS verification code).
The user enters the corresponding WeChat account in input box 5a of the login verification interface shown in diagram a of FIG. 5-1, the WeChat password in input box 5b and the mobile phone number in input box 5c, clicks button 5d to send the verification code, enters the mobile phone SMS verification code received from the operator in the corresponding input box 5e, and finally clicks the login button 5f. Here it is assumed that the WeChat password entered by the user matches the account and the verification code is correct, so the first verification succeeds; however, an abnormality of the WeChat account is detected, for example the terminal currently logging in to the WeChat account differs from the terminals the user has previously used to log in to the account, or the terminal is one the user has used to log in to the WeChat account but malicious code has been implanted in it.
The server performs abnormality analysis on the login to determine the abnormal point of the login; the server may determine that the abnormal point is the usual login terminal or the abnormality degree of the login terminal. It then performs account-setting analysis on the WeChat account to determine the verification modes bound to the user's WeChat account, and makes a decision on the verification mode (excluding the WeChat account + WeChat password + mobile phone SMS verification code mode) based on the abnormal point (i.e. the login terminal or the abnormality degree of the login terminal) and the abnormality degree. For example, when the abnormality degree exceeds the abnormality degree threshold, two verification modes are decided (for the second verification and the third verification). The second and third verification modes may include trusted-terminal QR code scanning authorization, user voiceprint verification or friend-assisted verification; naturally, within one complete login verification the second and third verification modes selected are different from each other, in order to ensure the security of the account. For example, the second verification mode may be trusted-terminal QR code scanning authorization, which is suitable when a trusted terminal is online and has logged in to the WeChat account in the recent period; the third verification mode may be friend-assisted verification, which is suitable when a friend the user can contact offline is online. At the same time, as shown in diagram b of FIG. 5-1, when the abnormality degree exceeds the abnormality degree threshold the terminal displays the login verification interface for the second verification (i.e. terminal scanning authorization). On the login verification interface shown in diagram b of FIG. 5-1 the user scans the QR code 6a using the QR code scanning function of WeChat on a trusted terminal; the server then determines whether the WeChat account that authorizes by scanning the QR code has logged in from the scanning terminal in the recent period, and if so the second verification succeeds. The terminal then displays the login interface for the third verification (i.e. friend-assisted verification) shown in diagram c of FIG. 5-1. After the user clicks the button 7a for requesting a friend's help with verification in the interface of diagram c of FIG. 5-1, the terminal may jump to the friend interface, where the user selects a friend's avatar for the third verification, and displays the interface shown in diagram d of FIG. 5-1. After selecting the WeChat avatar of the corresponding WeChat friend, the user clicks the confirm button 8a. If the third verification succeeds, login initialization is performed for the WeChat account and the terminal presents the WeChat interface shown in FIG. 5-2, in which the currently received WeChat messages are displayed at positions 6a, 6b and 6c.
It should be noted that when the first verification fails, the subsequent verification modes (the second verification mode and the third verification mode) are decided intelligently, and the decided verification mode is one selected on the basis of the abnormal point and able to resist login attacks. On the one hand this avoids the account risk that arises when the user chooses the verification mode; on the other hand the secondary verification safeguards the security of the account.
The foregoing description takes as an example that the verification method provided by the embodiment of the present invention is implemented on the server side, i.e. the server completes the verification of the user of the login instance. The verification method provided by the embodiment of the present invention may also be implemented on the terminal side, i.e. the terminal completes the verification of the user of the login instance.
Implementing the verification method on the server side, compared with implementing it on the terminal side, avoids the situation in which the verification processing logic on the terminal side is maliciously cracked and verification information is forged to deceive the server into allowing login to the instance. The terminal can only submit verification information to the server and cannot modify the verification logic (because the verification logic resides on the server side), which guarantees the reliability of the verification result.
Implementing the verification method on the terminal side, compared with implementing it on the server side, requires only that the user submit verification information to the terminal during the verification process; the verification processing that verifies the user's login to the instance is carried out on the terminal side, so no network communication is needed during verification, i.e. the user can be verified without relying on network communication. This is suitable for verifying users where network communication capability is lacking, for login verification in high-security closed systems (physically disconnected from the Internet), or for login verification of specific applications running in such high-security closed systems.
The following takes as an example that the verification method provided by the embodiment of the present invention is implemented on the terminal side. Unlike the verification method shown in FIG. 1, the verification method shown in FIG. 6 is implemented entirely on the terminal side and is applicable to scenarios in which the terminal runs an offline instance and needs to verify the user. FIG. 6 shows an optional flow diagram of the verification method, which includes the following steps:
Step 201: The terminal obtains the first verification information submitted by the user for logging in to the instance.
In one embodiment, as described above, the instance includes the following types:
1) An operating system running in the terminal. When the user logs in to the operating system, the user needs to be verified via the terminal, and after successful verification the login initialization of the operating system in the terminal is activated.
2) An application running in the terminal that stores the user's verification information. When the user logs in to the application on the terminal, the user needs to submit verification information to the terminal, which verifies the terminal user and, after successful verification, activates the login initialization of the application in the terminal and provides the application with the related service support.
In one embodiment, by way of example, the first verification information is the information the user needs to submit when logging in to the target instance via the terminal; the type of verification information depends on the verification mode adopted by the instance (also called the first verification mode).
For example, when the verification mode is account + password, the first verification information is the account and password submitted by the user for logging in to the instance; when the verification mode is account + SMS verification code, the first verification information is the account submitted by the user for logging in to the instance together with the SMS verification code received via the terminal; when the verification mode is fingerprint verification, the first verification information is the fingerprint data entered by the user on the terminal.
Step 202: The terminal verifies the user based on the first verification information used by the user to log in to the instance and the first verification mode.
In one embodiment, the terminal compares the first verification information the user submitted to the terminal with the legitimate verification information of the first verification mode, and forms a verification result according to whether the comparison succeeds.
Step 203: The terminal detects, based on the verification result, whether there is an abnormality in the user's login to the instance; if there is no abnormality, step 204 is performed; otherwise step 205 is performed.
When there is no abnormality in the user's login to the instance, the account used for the login poses no security threat, so login initialization may be performed for the user (step 205). The ways of detecting an abnormality in the login to the instance are described below.
Mode 1)
In one embodiment, for the scenario in which the submitted verification information is wrong, the terminal determines that there is an abnormality when it detects that verification of the user based on the first verification information used for logging in to the instance and the first verification mode has failed.
For example, taking account + password as the first verification mode, when the account and password submitted by the user via the terminal do not match the password of the corresponding account looked up by the terminal, the terminal determines that there is an abnormality in the user's login to the instance.
Mode 2)
In another embodiment, for the scenario in which the user has changed the terminal used for logging in to the instance, the terminal determines that there is an abnormality in the user's login to the instance when it detects that verification of the user based on the first verification information and the first verification mode has succeeded, and that the login terminal of the user's login instance differs from the historical login terminals.
For example, taking the case where the user logs in to the instance from a new mobile phone and the first verification mode is account (e.g. mobile phone number) + SMS verification code: when the mobile phone number submitted for the login and the SMS verification code issued for that number match, verification succeeds, but the terminal detects that this mobile phone differs from the mobile phone the user previously used to log in, and therefore determines that there is an abnormality in the user's login to the instance.
Mode 3)
In another embodiment, for the scenario in which malicious code has been injected into the terminal, the terminal determines that there is an abnormality when it detects that verification of the user based on the first verification information and the first verification mode has succeeded, and that the login terminal of the user's login instance is running malicious code that collects terminal information.
For example, for the scenario in which the user has changed the terminal used for logging in to the instance, the terminal detects that verification of the user based on the first verification information and the first verification mode has succeeded, and, once it detects malicious code injected into the terminal in the form of malware, malicious plug-ins or the like, it determines that the user's login to the instance is abnormal even if the login terminal has not changed.
Step 204: The terminal performs login initialization for the user.
After the terminal completes login initialization for the user, the user's account is in the logged-in state in the instance, and the user can obtain various services in the instance.
Step 205: The terminal performs login abnormality analysis on the user's login to the instance.
The login abnormality analysis is described in connection with the abnormality detection modes above.
Continuing from mode 1), in one embodiment the terminal analyzes whether the number of times the user has attempted to log in to the instance based on the first verification information is lower than the maximum number of wrong logins within a preset duration (e.g. 1 day or 1 hour, depending on the security policy of the instance), and forms a corresponding analysis result in which the number of times the user has attempted to log in to the instance based on the first verification information is recorded. Normally, when the number of login attempts exceeds the maximum number of wrong logins, an account lock is applied because of the potential security threat, and the account temporarily cannot be logged in to until the security threat is ruled out.
Continuing from modes 2) and 3), in one embodiment the terminal compares the login features of the user's login to the instance with the historical login features of the user's logins to the instance, and based on the differences in login features determines the abnormal login features of the user's login (called abnormal points) and the abnormality degree of each abnormal point. For example, a login feature in any dimension of the login that differs from the historical login feature (or differs by more than the corresponding difference threshold) is identified as an abnormal point.
By way of example, the login features may take the following dimensions:
Dimension 1) Login mode, such as login time, login location, type of login account (e.g. social application account, mobile phone number, e-mail address) and password type (e.g. social application password, SMS verification code).
Dimension 2) Historical login habits, such as usual login locations and usual login times.
Dimension 3) Login environment, which mainly refers to the networking mode of the login terminal.
Dimension 4) Login state of the account, i.e. whether the account was already in the logged-in state before the user logged in to the instance with it; if it was already logged in, the user's current login to the instance is abnormal.
Step 206: The terminal makes a decision on the candidate verification modes based on the analysis result to obtain a second verification mode.
Continuing from mode 1), in one embodiment, for the scenario in which the user repeatedly submits wrong verification information for logging in to the instance: when the analysis shows that the number of times the user has attempted to log in based on the first verification information is not higher than the maximum number of wrong logins within the preset duration, this indicates that the account of the login instance does not yet need to be locked, and it is decided that the user may have forgotten the verification information of the first verification mode. Therefore the candidate verification modes are obtained by excluding the first verification mode from the verification modes supported by the instance account the user is logging in to, and a verification mode supported by the terminal is selected from the candidate verification modes as the second verification mode.
Continuing from modes 2) and 3), the following applies to scenarios in which verification based on the first verification mode succeeds but the terminal used for the login is a new terminal, or malicious code has been implanted in the terminal used for the login.
In one embodiment, the terminal performs identity-verification characteristic analysis on the different verification modes, determines the types of login attack that each candidate verification mode is able to resist, and derives the login features that the corresponding type of login attack does not use as the login features protected by that verification mode.
For example, identity-verification characteristic analysis of the account + SMS verification code mode shows that this mode can be used to resist attacks on the account + password login feature (because a malicious user attempting to log in to the instance may be unable to obtain the SMS verification code).
As another example, identity-verification characteristic analysis of the fingerprint verification mode shows that it can be used to resist attacks on account + password verification as well as attacks on the account + SMS verification code login feature (because a malicious user attempting to log in to the instance cannot obtain the fingerprint of the account's legitimate user).
Continuing from modes 2) and 3), the terminal selects, based on the abnormal points of the user's login to the instance and the login features protected by the candidate verification modes, a candidate verification mode whose login features do not involve the abnormal points as the mode for re-verifying the user (the second verification mode).
For example, when the user is verified successfully with account + password but the login terminal is abnormal, e.g. the terminal holds login records of a suspicious account, a login mode that does not involve the abnormal point, such as account + SMS verification code or fingerprint verification, is selected as the second verification mode.
In one embodiment, the terminal may decide on two or more second verification modes; for example, when the abnormality degree of the abnormal point of the user's login exceeds the abnormality degree threshold, two different candidate verification modes are selected as second verification modes. For instance, for a login with a high abnormality degree, two candidate verification modes different from the first verification mode are selected (as second verification modes) to verify the user in turn, ensuring account security. Selecting two or more modes is illustrated below.
By way of example, continuing from mode 1), for the scenario in which the submitted verification information is wrong: when the terminal detects that verification of the user based on the first verification information and the first verification mode has failed, it selects two candidate verification modes different from the first verification mode (as second verification modes) and verifies the user with them in turn; it performs login initialization for the user when verification succeeds and blocks the user's login to the instance when verification fails.
By way of example, continuing from modes 2) and 3), for the scenario in which verification based on the first verification mode succeeds but the terminal used for the login is a new terminal or has been implanted with malicious code: based on the abnormal points of the user's login to the instance and the login features protected by the candidate verification modes, the terminal selects two candidate verification modes different from the first verification mode whose login features do not involve the abnormal points (as second verification modes) and verifies the user with them in turn; it performs login initialization for the user when verification succeeds and blocks the user's login to the instance when verification fails.
Step 207: The terminal verifies the user based on the second verification information used by the user to log in to the instance and the second verification mode.
Step 208: The terminal detects, based on the verification result, whether there is an abnormality in the user's login to the instance; if there is no abnormality, step 204 is performed; otherwise step 209 is performed.
Step 209: The terminal blocks the user's login to the instance.
Regarding the beneficial effect of mode 1): when verification of the user with one verification mode (the first verification mode) fails, an alternative verification mode (the second verification mode) is provided for verifying the user's login to the instance. This avoids the situation in which the user cannot log in at all after forgetting the verification information of the first verification mode, achieving the technical effect of helping the user log in smoothly even after forgetting the verification information of one verification mode.
Regarding the beneficial effects of modes 2) and 3): in the scenario where the user logs in to the instance from a new terminal and the first verification succeeds, and in the scenario where the first verification succeeds but the terminal used for the login has been implanted with malicious code, the verification mode used for the second verification of the user is decided dynamically based on login features that the abnormal point of the login cannot involve (attack). Because the login features involved in the second verification mode are unrelated to the abnormal point, this makes it harder for a malicious user to attack the login than a fixed secondary verification mode would: the second verification mode is unpredictable for the malicious user, who therefore cannot pass the second verification. This achieves the technical effect of accurately identifying and effectively blocking malicious user logins, and effectively safeguards account security when the user logs in to the instance from a new terminal.
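The terminal-side flow of steps 203 to 209, modelled as an added example that is not code from the patent or from its assignee. The mode names, the mapping from each mode to the login features it relies on, the anomaly weights, the threshold and the sample account are all assumptions; the one generalisation beyond the text is that a candidate mode relying only on features the first mode already used is also excluded, since an attacker who passed the first verification already controls those features.

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Login feature(s) each verification mode relies on (assumed mapping). "terminal"
# stands for the integrity of the login terminal: an SMS code, fingerprint or voice
# sample is entered or collected on that terminal, so malicious code running there
# could capture it; trusted-terminal scanning and friend assistance do not rely on it.
METHOD_FEATURES: Dict[str, Set[str]] = {
    "account+password": {"password"},
    "account+password+sms": {"password", "sms", "terminal"},
    "account+sms": {"sms", "terminal"},
    "fingerprint": {"biometric", "terminal"},
    "voiceprint": {"biometric", "terminal"},
    "trusted_terminal_scan": {"trusted_terminal"},
    "friend_assist": {"friend"},
}
METHOD_ORDER: List[str] = list(METHOD_FEATURES)  # preference when several remain
ANOMALY_THRESHOLD = 2  # above this degree two second-verification modes are chained


@dataclass
class LoginInstance:
    account: str
    method: str               # first verification mode
    verified: bool            # result of step 202
    terminal: str
    terminal_has_malware: bool
    location: str
    network: str              # dimension 3: networking mode of the terminal
    already_logged_in: bool   # dimension 4: account was logged in before this attempt


@dataclass
class AccountHistory:
    bound_methods: Set[str]   # verification modes bound to the account
    terminals: Set[str]       # historical login terminals
    locations: Set[str]       # usual login locations (dimension 2)
    networks: Set[str]        # usual networking modes
    failed_attempts: int = 0  # wrong first-mode submissions inside the preset duration
    max_failed: int = 5       # maximum number of wrong logins in that duration


def analyze_login(login: LoginInstance, hist: AccountHistory) -> Tuple[Set[str], int]:
    """Step 205: return (abnormal points, abnormality degree); (set(), 0) means normal."""
    if not login.verified:
        # Mode 1: wrong verification information; the abnormal point is whatever
        # the first mode relied on (the password in the FIG. 3 scenario).
        return set(METHOD_FEATURES[login.method]), 1
    points: Set[str] = set()
    degree = 0
    if login.terminal not in hist.terminals:       # mode 2: new terminal
        points.add("terminal_history")
        degree += 1
    if login.terminal_has_malware:                  # mode 3: malicious code present
        points.add("terminal")
        degree += 2
    if login.location not in hist.locations:        # dimension 2: unusual location
        degree += 1
    if login.network not in hist.networks:          # dimension 3: unusual environment
        degree += 1
    if login.already_logged_in:                     # dimension 4: already logged in
        points.add("session")
        degree += 1
    return points, degree


def decide_second_modes(login: LoginInstance, hist: AccountHistory, points: Set[str],
                        degree: int, terminal_supports: Set[str]) -> List[str]:
    """Step 206: bound modes the terminal supports, minus modes relying only on features
    the first mode already used, minus modes whose features touch an abnormal point."""
    used = METHOD_FEATURES[login.method]
    candidates = [m for m in METHOD_ORDER
                  if m in hist.bound_methods and m in terminal_supports
                  and not METHOD_FEATURES[m] <= used
                  and not METHOD_FEATURES[m] & points]
    return candidates[:2 if degree > ANOMALY_THRESHOLD else 1]


def handle_login(login: LoginInstance, hist: AccountHistory,
                 terminal_supports: Set[str]) -> Dict[str, object]:
    """Steps 203-206 and 209: initialise, lock, block, or re-verify with decided modes."""
    points, degree = analyze_login(login, hist)
    if not points and degree == 0:
        return {"action": "initialize"}                  # step 204
    if not login.verified and hist.failed_attempts >= hist.max_failed:
        return {"action": "lock"}                        # account lock (mode 1)
    modes = decide_second_modes(login, hist, points, degree, terminal_supports)
    if not modes:
        return {"action": "block"}                       # step 209: no safe mode left
    return {"action": "reverify", "modes": modes}        # step 207 with these modes


if __name__ == "__main__":
    # Constructed sample account: all modes bound, one known phone, one usual location.
    hist = AccountHistory(set(METHOD_FEATURES), {"phone-1"}, {"Shenzhen"}, {"wifi-home"})
    wrong_pw = LoginInstance("alice", "account+password", False, "phone-1", False,
                             "Shenzhen", "wifi-home", False)
    infected = LoginInstance("alice", "account+password+sms", True, "phone-2", True,
                             "Shenzhen", "wifi-home", False)
    print(handle_login(wrong_pw, hist, set(METHOD_FEATURES)))  # FIG. 3 scenario
    print(handle_login(infected, hist, set(METHOD_FEATURES)))  # FIG. 5-1 scenario
```

With the sample account, the wrong-password login is sent to account + SMS (one mode, low degree), while the new infected terminal is sent to trusted-terminal scanning followed by friend assistance (two modes, degree above the threshold), matching the two figure scenarios.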
The hardware structure and logical functional structure of the verification apparatus described above are now described. Referring to the optional hardware structure diagram of the verification apparatus 10 shown in FIG. 7, the verification apparatus 10 includes:
a processor 11, an input/output interface 13, a storage medium 14 and a network interface 12; the components may be connected and communicate via a system bus.
The processor 11 may be implemented by a central processing unit (CPU), a microcontroller unit (MCU), an application-specific integrated circuit (ASIC) or a field-programmable gate array (FPGA).
The input/output interface 13 may be implemented by input/output devices such as a display screen, a touch screen and a speaker.
The storage medium 14 may be implemented by a non-volatile storage medium such as flash memory, a hard disk or an optical disc, or by a volatile storage medium such as a double data rate (DDR) dynamic cache. By way of example, the storage medium 14 may be located in the same device as the other components of the hardware structure, or may be located remotely from the other components of the hardware structure.
The network interface 12 provides the processor 11 with the ability to access external data, such as a remotely located storage medium 14. By way of example, the network interface 12 may perform short-range communication based on near field communication (NFC), Bluetooth or ZigBee technology, and may also implement communication in systems such as code division multiple access (CDMA) and wideband code division multiple access (WCDMA) and their evolved systems.
Referring to FIG. 8-1, an optional functional structure of the verification apparatus 10, the verification apparatus 10 includes:
an authentication management part 15, configured to verify the user based on the first verification information used by the user to log in to the instance and the first verification method;
a login anomaly analysis part 16, configured to detect, based on the verification result, that the user's login to the instance is anomalous, and to perform login anomaly analysis on the user's login to the instance;
a decision part 17, configured to decide among candidate verification methods based on the analysis result to obtain a second verification method, where the second verification method differs from the first verification method;
the authentication management part 15 is further configured to verify the user based on the second verification information used by the user to log in to the instance and the second verification method.
In one embodiment, the login anomaly analysis part 16 is further configured to detect that verification of the user based on the first verification information and the first verification method has failed, and
to analyze whether the number of times the user has attempted to log in to the instance with the first verification information exceeds the maximum number of failed logins allowed within a preset period.
In one embodiment, the login anomaly analysis part 16 is further configured to detect that verification of the user based on the first verification information and the first verification method has succeeded, and that the terminal from which the user logs in to the instance differs from the historical login terminals.
In one embodiment, the login anomaly analysis part 16 is further configured to detect that verification of the user based on the first verification information and the first verification method has succeeded, and that the login terminal from which the user logs in to the instance is running malicious code that harvests terminal information.
In one embodiment, the login anomaly analysis part 16 is further configured to compare the login features of the user's login to the instance with the historical login features of the user's logins to the instance, and to determine the anomaly points of the login based on the differences in login features.
In one embodiment, the decision part 17 is further configured to select, based on the anomaly points of the user's login to the instance and the login features protected by each candidate verification method, a candidate verification method whose protected login feature does not involve an anomaly point as the second verification method.
In one embodiment, the verification apparatus 10 further includes:
an authentication feature management part 18, configured to parse the verification features of the candidate verification methods to obtain the type of login attack each candidate verification method counters, and to identify the login features not used by that type of login attack as the login features protected by the corresponding verification method.
In one embodiment, the verification apparatus 10 further includes:
an account settings analysis part 19, configured to determine the verification methods supported by the user's instance account;
the decision part 17 is further configured to exclude the first verification method from the verification methods supported by the user's instance account to obtain the candidate verification methods, and to select from the candidate verification methods a method supported by the terminal as the second verification method.
In one embodiment, the decision part 17 is further configured to select, when the anomaly degree of the anomaly points of the user's login to the instance exceeds an anomaly threshold, two candidate verification methods different from the first verification method as the second verification method.
As described above, the identity verification method provided by the embodiments of the present invention may be implemented on the server side or on the terminal side. Accordingly, as shown in FIG. 8-2, the verification apparatus 10 may be implemented with server-side hardware resources (such as the processor and network interface described above) so that, in the form of a server, it verifies users who log in to the instance through a terminal. Alternatively, as shown in FIG. 8-3, the verification apparatus 10 may be implemented with terminal-side hardware resources, so that it verifies the user logging in to the instance without requiring network communication.
The following description takes the verification apparatus 10 implemented on the server side and performing two-factor authentication as an example.
Refer to FIG. 9, an optional framework for two-factor authentication based on intelligent decision-making, and FIG. 10, an optional scenario for two-factor authentication. In FIG. 9, the identity verification function is implemented by five parts: an account settings analysis part, a login anomaly analysis part, an authentication feature management part, a decision part, and an authentication management part.
When a user attempts to log in from a new terminal and passes the authentication management part's verification with a password or a mobile phone verification code, the relevant parts of the framework analyze the login and, based on domain knowledge, decide which authentication method to use for the second verification. The result of each passed verification is recorded in the terminal information kept by the server; once a terminal has completed sufficient verification, it can subsequently serve as a trusted terminal.
The account settings analysis part determines which authentication methods the account can support from the terminal, for example whether the account supports SMS verification (whether a mobile phone number is bound), whether a voiceprint has been enrolled, whether the account's relationship chain can be used for friend selection and friend-assisted verification (for example, whether there are friends the user contacts regularly), and whether the current account state supports authorization by QR-code scan.
The login anomaly analysis part determines the anomaly degree of the user's current login. It analyzes the user's historical login habits (usual login locations, usual login terminals, login times) and the current login method (login time, location, account-name type (WeChat ID, phone number, QQ number, email) and credential type (WeChat password, QQ password, SMS verification code)), and compares the current login behaviour with the user's historical login habits and login methods to find anomaly points (for example, the user has never logged in from this place, has never logged in with email, and so on). Together with the current online status of the account being used, the anomaly degree and trustworthiness of the current login terminal, and the anomaly degree of the current login environment, this yields the anomaly points and the anomaly degree of the login.
Terminal anomalies include, for example: the terminal is an emulator; other suspicious, possibly stolen accounts have attempted to log in from it; its system version is too old; or its operating system differs from that of the user's previous terminals (for example, the previous login terminal ran iOS but the current one runs Android). The anomaly degree quantifies these terminal anomalies. A terminal anomaly may also be that suspicious users have logged in from the terminal; if so, its anomaly degree is higher than that of a terminal with no such logins.
Terminal trustworthiness means that the login terminal has no anomaly points and also shows trusted characteristics, for example the accounts of regularly contacted friends have been in long-term use on it, or the terminal's name information matches the account's real-name information. The trust degree quantifies this trustworthiness.
The login environment mainly refers to the login terminal, the network connection, and the client type. If other suspicious, possibly stolen accounts have already appeared on the current login terminal and network connection (such as the wireless LAN in use), the current login is highly suspicious.
The authentication feature management part manages which attacks each authentication method is suited to counter. For example, SMS verification codes are suitable when the user's first verification was not SMS-based and the user's historical terminals show no SMS-stealing trojan. Trusted-terminal scan authorization is suitable when a trusted terminal is online and has recently been active. Friend assistance requires contacting friends offline, which raises the operational bar and offers high assurance, so it is suitable for highly suspicious logins.
The decision part jointly analyzes the results of the account settings analysis part, the login anomaly analysis part and the authentication feature management part and decides on a suitable authentication method. The chosen verification method is unrelated to the anomaly points of the current login, which prevents it from being defeated by the attack in progress. The specific decision rules used in practice can be derived from historical case analysis and the properties of the authentication methods, and refined continuously through online A/B testing.
The authentication management part implements the various authentication methods, including the technical means of providing and verifying identity data. The authentication methods may include SMS verification, trusted-terminal authorization, relationship-chain verification, biometric verification, and so on.
As an example: when a user logs in from a new terminal with account name and password, the anomalous-login analysis is triggered to decide on the second verification method. The account settings analysis part finds that the account qualifies for SMS verification (a phone number is bound) and for friend-avatar selection (relationship-chain confirmation). The login anomaly analysis part finds that the login terminal is malicious: a large number of accounts from other regions have logged in from it, and it has no record of SMS verification. The decision part then chooses, based on domain knowledge, SMS as the second verification. The reasoning is that the attacker logged in with the account name, so very probably does not know the phone number bound to the account and is unlikely to be able to steal the user's SMS messages; the absence of SMS verification records on the terminal supports this. So although the attacker passed password verification, they are confronted with SMS code verification, cannot obtain the verification code, and cannot log in.
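The decision flow described in this section and in the apparatus embodiment (account settings analysis, login anomaly analysis, feature management, and decision), as an added example that is not the patent's own code. The method names, feature labels, weights, threshold and sample accounts are all assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Candidate second-factor methods and the login feature each one relies on.
# A method is excluded when the feature it relies on is itself an anomaly point
# (the "protected login feature must not involve the anomaly point" rule).
METHOD_DEPENDS_ON = {
    "sms": "sms_channel",                # needs the bound phone to receive a code
    "trusted_scan": "trusted_terminal",  # needs an online trusted terminal to approve
    "friend_assist": "relationship_chain",
    "voiceprint": "biometric",
}
# Assumed preference orders for low- and high-suspicion logins.
LOW_RISK_ORDER = ["sms", "trusted_scan", "voiceprint", "friend_assist"]
HIGH_RISK_ORDER = ["friend_assist", "trusted_scan", "voiceprint", "sms"]
MAX_FAILED_LOGINS = 5   # assumed: max wrong logins allowed in the preset period
ANOMALY_THRESHOLD = 3   # assumed: above this degree, two methods are required


@dataclass
class LoginAttempt:
    first_method: str               # method used for the first verification
    first_ok: bool                  # did the first verification pass?
    failed_in_window: int           # failed attempts in the preset period
    terminal_id: str
    location: str
    emulator: bool
    other_suspicious_accounts: int  # suspicious accounts seen on this terminal
    sms_trojan: bool                # terminal runs code that harvests SMS
    terminal_methods: frozenset     # methods the login terminal can perform


@dataclass
class AccountProfile:
    bound_methods: frozenset        # methods the instance account supports
    known_terminals: frozenset
    usual_locations: frozenset
    trusted_terminal_online: bool


def analyze_login(attempt, profile):
    """Login-anomaly analysis: compare the attempt with the account's history
    and return {anomaly_point: degree}. An empty dict means nothing abnormal."""
    points = {}
    if not attempt.first_ok:
        # a failed first verification is an anomaly; far more so past the limit
        points["credential"] = 4 if attempt.failed_in_window > MAX_FAILED_LOGINS else 1
        return points
    if attempt.terminal_id not in profile.known_terminals:
        points["terminal"] = 1
    if attempt.emulator or attempt.other_suspicious_accounts > 0:
        points["terminal"] = points.get("terminal", 0) + 2
    if attempt.location not in profile.usual_locations:
        points["location"] = 1
    if attempt.sms_trojan:
        points["sms_channel"] = 2
    return points


def decide_second_methods(attempt, profile, points):
    """Decision part: return the second verification method(s); [] means the
    first verification was sufficient."""
    if not points:
        return []
    # account-settings analysis: methods bound to the account, minus the first one
    candidates = set(profile.bound_methods) - {attempt.first_method}
    # keep only what the login terminal supports
    candidates &= set(attempt.terminal_methods)
    # feature management: drop methods whose feature is itself an anomaly point
    candidates = {m for m in candidates if METHOD_DEPENDS_ON.get(m) not in points}
    if not profile.trusted_terminal_online:
        candidates.discard("trusted_scan")
    degree = sum(points.values())
    high_risk = degree > ANOMALY_THRESHOLD
    order = HIGH_RISK_ORDER if high_risk else LOW_RISK_ORDER
    ranked = [m for m in order if m in candidates]
    return ranked[:2] if high_risk else ranked[:1]


def scenario_from_description():
    """The walk-through above: password login from an unknown terminal that many
    other accounts have used and that has no SMS history (constructed data)."""
    profile = AccountProfile(
        bound_methods=frozenset({"password", "sms", "friend_assist"}),
        known_terminals=frozenset({"phone-A"}),
        usual_locations=frozenset({"Shenzhen"}),
        trusted_terminal_online=False,
    )
    attempt = LoginAttempt(
        first_method="password", first_ok=True, failed_in_window=0,
        terminal_id="unknown-1", location="Shenzhen", emulator=False,
        other_suspicious_accounts=12, sms_trojan=False,
        terminal_methods=frozenset({"password", "sms", "friend_assist"}),
    )
    points = analyze_login(attempt, profile)
    return points, decide_second_methods(attempt, profile, points)  # ({'terminal': 3}, ['sms'])
```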
In summary, the embodiments of the present invention achieve the following beneficial effects:
Intelligent, dynamic decision on the second or subsequent verification method avoids the potential risk of attack inherent in a fixed combination of verification methods;
The chosen verification method avoids the anomaly points of the current login, so an account thief must defeat dynamically selected verification methods of different types, which makes account theft harder and account security stronger;
For a legitimate user of the account, even if the first verification fails for various reasons (such as a forgotten password), the subsequently chosen verification method is one the account supports (is bound to), so the user can pass verification and log in.
As shown in FIG. 11, in practice the authentication management part 15, login anomaly analysis part 16, decision part 17, authentication feature management part 18 and account settings analysis part 19 may all be implemented by a processor 21 located on the verification device. The server further includes a storage medium 22; all preset content and software code proposed in the embodiments of the present invention may be stored in the storage medium 22, which may be connected to the processor 21 through a system bus 23. The storage medium 22 is configured to store executable program code including computer operation instructions; it may include high-speed RAM and may also include non-volatile memory, for example at least one disk memory.
In the embodiments of the present invention, if the above information push method is implemented in the form of a software function module and sold or used as an independent product, it may also be stored in a computer-readable storage medium. Based on this understanding, the technical solution of the embodiments of the present invention, in essence or in the part that contributes to the prior art, may be embodied in the form of a software product stored in a storage medium and including several instructions that cause a computer device (which may be a personal computer, a server, a network device, or the like) to perform all or part of the methods described in the embodiments of the present invention. The aforementioned storage medium includes any medium that can store program code, such as a USB flash drive, a removable hard disk, a read-only memory (ROM), a magnetic disk, or an optical disc. Thus, the embodiments of the present invention are not limited to any particular combination of hardware and software.
An embodiment of the present invention provides a verification device, including: a storage medium configured to store executable instructions;
a processor configured to execute the stored executable instructions, the executable instructions being configured to perform the information push method described above.
An embodiment of the present invention provides a computer storage medium storing computer-executable instructions configured to perform the information push method described above.
It should be understood that "one embodiment" or "an embodiment" mentioned throughout the specification means that a particular feature, structure or characteristic related to the embodiment is included in at least one embodiment of the present invention. Thus, "in one embodiment" or "in an embodiment" appearing throughout the specification does not necessarily refer to the same embodiment. Furthermore, these particular features, structures or characteristics may be combined in any suitable manner in one or more embodiments. It should be understood that, in the various embodiments of the present invention, the sequence numbers of the above processes do not imply an order of execution; the order of execution of each process should be determined by its function and internal logic, and does not constitute any limitation on the implementation of the embodiments of the present invention. The sequence numbers of the above embodiments are for description only and do not represent the relative merits of the embodiments.
It should be noted that in this document the terms "comprise", "include" or any other variant thereof are intended to cover a non-exclusive inclusion, so that a process, method, article or apparatus that includes a series of elements includes not only those elements but also other elements not explicitly listed, or elements inherent to such a process, method, article or apparatus. Without further limitation, an element defined by the phrase "comprising a ..." does not exclude the presence of additional identical elements in the process, method, article or apparatus that comprises the element.
In the several embodiments provided by the present application, it should be understood that the disclosed device and method may be implemented in other ways. The device embodiments described above are merely illustrative; for example, the division into units is only a logical functional division, and there may be other divisions in actual implementation, such as combining multiple units or components, integrating them into another system, or omitting or not executing some features. In addition, the coupling, direct coupling or communication connection between the components shown or discussed may be an indirect coupling or communication connection through some interfaces, devices or units, and may be electrical, mechanical or of other forms.
The units described above as separate components may or may not be physically separate, and components shown as units may or may not be physical units; they may be located in one place or distributed over multiple network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, the functional units in the embodiments of the present invention may all be integrated into one processing unit, or each unit may serve as a unit on its own, or two or more units may be integrated into one unit; the integrated unit may be implemented in the form of hardware or in the form of hardware plus software functional units.
A person of ordinary skill in the art will understand that all or part of the steps of the above method embodiments may be performed by hardware related to program instructions. The program may be stored in a computer-readable storage medium and, when executed, performs the steps of the above method embodiments. The storage medium includes any medium that can store program code, such as a removable storage device, a random access memory (RAM), a read-only memory (ROM), a magnetic disk, or an optical disc.
Alternatively, if the above integrated unit of the present invention is implemented in the form of a software function module and sold or used as an independent product, it may also be stored in a computer-readable storage medium. Based on this understanding, the technical solution of the embodiments of the present invention, in essence or in the part that contributes to the prior art, may be embodied in the form of a software product stored in a storage medium and including several instructions that cause a computer device (which may be a personal computer, a server, a network device, or the like) to perform all or part of the methods described in the embodiments of the present invention. The storage medium includes any medium that can store program code, such as a removable storage device, a ROM, a magnetic disk, or an optical disc.
The above is only a specific implementation of the present invention, but the scope of protection of the present invention is not limited thereto; any change or substitution that a person skilled in the art could readily conceive within the technical scope disclosed by the present invention shall fall within the scope of protection of the present invention. Therefore, the scope of protection of the present invention shall be defined by the scope of protection of the claims.
Industrial applicability
In this embodiment, the user logging in to the instance is verified by a second verification, avoiding the high account risk of a single verification. When the login object's first verification of the login to the instance is anomalous, the second verification is decided intelligently and dynamically, which avoids the potential risk of attack inherent in a fixed combination of verification methods; an account thief must defeat dynamically selected verification methods of different types, which makes account theft harder and account security stronger. For a legitimate login object of the account, even if the first verification fails for various reasons (such as a forgotten password), the login object can still pass the subsequently decided verification method and log in.

Claims (23)

  1. A verification method, comprising:
    verifying a login object based on first verification information for logging in to an instance and a first verification method;
    performing, based on the verification result, login anomaly analysis on the login object's login to the instance;
    deciding among candidate verification methods based on the analysis result to obtain a second verification method, wherein the second verification method differs from the first verification method;
    verifying the login object based on second verification information for logging in to the instance and the second verification method.
  2. The method according to claim 1, wherein performing login anomaly analysis on the user's login to the instance based on the verification result comprises:
    detecting, based on the verification result, whether the login object's login to the instance is anomalous, and performing login anomaly analysis on the login object's login to the instance when an anomaly exists.
  3. The method according to claim 1, wherein performing login anomaly analysis on the login object's login to the instance based on the verification result comprises:
    when it is detected that verification of the login object based on the first verification information and the first verification method has failed, determining that the login to the instance is anomalous;
    analyzing whether the number of times the login object has attempted to log in to the instance with the first verification information exceeds the maximum number of failed logins within a preset period.
  4. The method according to claim 1, wherein performing login anomaly analysis on the login object's login to the instance based on the verification result comprises:
    when it is detected that verification of the login object based on the first verification information and the first verification method has succeeded, and that the terminal from which the login object logs in to the instance differs from the historical login terminals, determining that the login object's login to the instance is anomalous.
  5. The method according to claim 1, wherein performing login anomaly analysis on the login object's login to the instance based on the verification result comprises:
    when it is detected that verification of the login object based on the first verification information and the first verification method has succeeded, and that the terminal from which the login object logs in to the instance is running malicious code that harvests terminal information, determining that the login object's login to the instance is anomalous.
  6. The method according to claim 1, wherein performing login anomaly analysis on the login object's login to the instance comprises:
    comparing the login features of the login object's login to the instance with the historical login features of the login object's logins to the instance, and determining anomaly points of the login object's login to the instance based on the differences in login features.
  7. The method according to claim 6, wherein the login features of the login object's login to the instance include one of the following dimensions:
    login method; historical login habits; login environment; anomaly degree of the login terminal; trustworthiness of the login terminal; login status of the account used to log in to the instance.
  8. The method according to claim 1, wherein deciding among candidate verification methods based on the analysis result to obtain a second verification method comprises:
    selecting, based on the anomaly points of the login object's login to the instance and the login features protected by the candidate verification methods, a candidate verification method whose protected login feature does not involve the anomaly points as the second verification method.
  9. The method according to claim 1, further comprising:
    parsing the verification features of the candidate verification methods to obtain the type of login attack each candidate verification method counters, and identifying the login features not attacked by that type of login attack as the login features protected by the corresponding verification method.
  10. The method according to claim 1, wherein deciding among candidate verification methods based on the analysis result to obtain a second verification method comprises:
    excluding the first verification method from the verification methods bound to the instance account of the login object to obtain the candidate verification methods;
    selecting, from the candidate verification methods, a verification method supported by the login terminal from which the login object logs in to the instance as the second verification method.
  11. The method according to claim 1, wherein deciding among candidate verification methods based on the analysis result to obtain a second verification method comprises:
    when the anomaly degree of the anomaly points of the login object's login to the instance exceeds an anomaly threshold, selecting two candidate verification methods different from the first verification method as the second verification method.
  12. A verification apparatus, comprising:
    an authentication management part, configured to verify a login object based on first verification information for logging in to an instance and a first verification method;
    a login anomaly analysis part, configured to perform, based on the verification result, login anomaly analysis on the login object's login to the instance;
    a decision part, configured to decide among candidate verification methods based on the analysis result to obtain a second verification method, wherein the second verification method differs from the first verification method;
    the authentication management part being further configured to verify the login object based on second verification information for logging in to the instance and the second verification method.
  13. The apparatus according to claim 12, wherein the login anomaly analysis part is further configured to detect, based on the verification result, whether the login of the login object to the instance is anomalous, and, when an anomaly exists, to perform login anomaly analysis on the login of the login object to the instance.
  14. The apparatus according to claim 12, wherein the login anomaly analysis part is further configured to determine that the login of the login object to the instance is anomalous when verification of the login object based on the first verification information and the first verification mode is detected to have failed, and to analyze whether the number of times the login object has attempted to log in to the instance based on the first verification information exceeds the maximum number of incorrect logins within a preset duration.
  15. The apparatus according to claim 12, wherein the login anomaly analysis part is further configured to determine that the login of the login object to the instance is anomalous when verification of the login object based on the first verification information and the first verification mode is detected to have succeeded and the terminal through which the login object logs in to the instance is detected to differ from the historical login terminals.
  16. The apparatus according to claim 12, wherein the login anomaly analysis part is further configured to determine that the login of the login object to the instance is anomalous when verification of the login object based on the first verification information and the first verification mode is detected to have succeeded and the login terminal through which the login object logs in to the instance is detected to be running malicious code that obtains terminal information.
  17. The apparatus according to claim 12, wherein the login anomaly analysis part is further configured to compare the login features of the login object's login to the instance with the historical login features of the login object's logins to the instance, and to determine the anomaly points of the login object's login to the instance based on the differences between the login features.
  18. The apparatus according to claim 12, wherein the decision part is further configured to select, based on the anomaly points of the login object's login to the instance and on the login features protected by the candidate verification modes, a candidate verification mode whose protected login features do not involve the anomaly points as the second verification mode.
  19. The apparatus according to claim 12, further comprising:
    an identity verification characteristic management part, configured to parse the verification characteristics of the candidate verification modes to obtain the types of login attack each candidate verification mode is able to counter, and to determine the login features not used by a login attack of the corresponding type as the login features protected by the corresponding verification mode.
  20. The apparatus according to claim 12, further comprising:
    an account setting analysis part, configured to determine the verification modes supported by the instance account of the user;
    the decision part being further configured to exclude the first verification mode from the verification modes supported by the instance account of the login object to obtain the candidate verification modes, and to select, from the candidate verification modes, a verification mode supported by the login terminal through which the login object logs in to the instance as the second verification mode.
  21. The apparatus according to claim 12, wherein the decision part is further configured to select two candidate verification modes different from the first verification mode as the second verification mode when the anomaly degree of the anomaly points of the login object's login to the instance exceeds an anomaly-degree threshold.
  22. A verification device, comprising:
    a storage medium, configured to store executable instructions;
    a processor, configured to execute the stored executable instructions, the executable instructions being configured to perform the following operations:
    verifying a login object based on first verification information for logging in to an instance and a first verification mode;
    performing login anomaly analysis on the login object's login to the instance based on the verification result;
    deciding on candidate verification modes based on the analysis result to obtain a second verification mode, wherein the second verification mode is different from the first verification mode;
    verifying the login object based on second verification information for logging in to the instance and the second verification mode.
  23. A computer-readable storage medium storing machine instructions which, when executed by one or more processors, cause the processors to perform the following steps:
    verifying a login object based on first verification information for logging in to an instance and a first verification mode;
    performing login anomaly analysis on the login object's login to the instance based on the verification result;
    deciding on candidate verification modes based on the analysis result to obtain a second verification mode, wherein the second verification mode is different from the first verification mode;
    verifying the login object based on second verification information for logging in to the instance and the second verification mode.
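The decision flow the claims describe (first verification, login anomaly analysis, filtering of the candidate modes by the account's bound modes and the terminal's supported modes, exclusion of modes whose protected features touch an anomaly point, and two modes when the anomaly degree exceeds the threshold) written out as an added Python example. This is constructed illustration code, not the patent's or the applicant's implementation; the mode-to-feature table, the thresholds and window, the preference order, the anomaly-degree weights and the sample account are all assumptions made for the example.

```python
"""Step-up verification decision modelled on the claims above (constructed example)."""
import hashlib
import hmac
from dataclasses import dataclass, field

# Assumed parameters: claim 11 threshold, claim 14 max incorrect logins / preset duration.
ANOMALY_DEGREE_THRESHOLD = 2.0
MAX_FAILED_LOGINS = 3
WINDOW_SECONDS = 300

# Assumed verification modes and the login feature each relies on. In the claims'
# terms (claims 9 and 19) a mode "protects" the features its countered attacks do
# not touch; here that is simply the feature the mode is bound to.
MODE_FEATURES = {
    "password": {"secret"},
    "sms_code": {"phone"},
    "email_code": {"email"},
    "device_token": {"terminal"},
}
MODE_PREFERENCE = ("device_token", "sms_code", "email_code", "password")  # assumed order


@dataclass
class Account:
    name: str
    password_hash: str          # hex SHA-256 for illustration; use a real password hash in practice
    bound_modes: set            # verification modes bound to the instance account (claim 10)
    history_terminals: set      # terminals seen in earlier logins (claim 15)
    history_regions: set        # another historical login feature (claim 17)
    failed_at: list = field(default_factory=list)   # timestamps of failed first checks


@dataclass
class Attempt:
    terminal: str
    region: str
    supported_modes: set        # modes the login terminal can perform (claim 10)
    timestamp: float
    malware_detected: bool = False   # terminal runs code that obtains terminal info (claim 16)


@dataclass
class Analysis:
    anomalous: bool
    anomaly_points: set = field(default_factory=set)
    degree: float = 0.0


def first_verification(account, password):
    """First verification mode: password check with a constant-time comparison."""
    digest = hashlib.sha256(password.encode()).hexdigest()
    return hmac.compare_digest(digest, account.password_hash)


def analyze_login(account, attempt, verified):
    """Login anomaly analysis (claims 13 to 17); weights are assumed."""
    points, degree = set(), 0.0
    if not verified:
        # Claim 14: a failed first verification is anomalous; count failures in the window.
        account.failed_at.append(attempt.timestamp)
        account.failed_at = [t for t in account.failed_at
                             if attempt.timestamp - t <= WINDOW_SECONDS]
        points.add("secret")
        degree += 1.0
        if len(account.failed_at) > MAX_FAILED_LOGINS:
            degree += 2.0
        return Analysis(True, points, degree)
    # Claims 15 and 17: diff the current login features against the account's history.
    if attempt.terminal not in account.history_terminals:
        points.add("terminal")
        degree += 1.0
    if attempt.region not in account.history_regions:
        points.add("region")
        degree += 1.0
    if attempt.malware_detected:          # claim 16: the terminal itself is untrustworthy
        points.add("terminal")
        degree += 2.0
    return Analysis(bool(points), points, degree)


def decide_second_modes(account, attempt, first_mode, analysis):
    """Claims 8, 10 and 11: pick the second verification mode(s); None if none is usable."""
    candidates = account.bound_modes - {first_mode}           # claim 10: drop the first mode
    candidates &= attempt.supported_modes                       # claim 10: terminal must support it
    candidates = {m for m in candidates                         # claim 8: protected features must
                  if not MODE_FEATURES[m] & analysis.anomaly_points}  # not involve an anomaly point
    ordered = [m for m in MODE_PREFERENCE if m in candidates]
    needed = 2 if analysis.degree > ANOMALY_DEGREE_THRESHOLD else 1   # claim 11
    return ordered[:needed] if len(ordered) >= needed else None


def handle_login(account, attempt, password, first_mode="password"):
    """Whole flow: first verification, anomaly analysis, decision on the second mode."""
    verified = first_verification(account, password)
    analysis = analyze_login(account, attempt, verified)
    result = {"anomaly_points": sorted(analysis.anomaly_points), "degree": analysis.degree}
    if verified and not analysis.anomalous:
        return {"decision": "allow", "second_modes": [], **result}
    second = decide_second_modes(account, attempt, first_mode, analysis)
    if second is None:   # no candidate mode untouched by the anomaly: refuse the login
        return {"decision": "deny", "second_modes": [], **result}
    return {"decision": "step_up", "second_modes": second, **result}


def make_sample_account():
    """Constructed sample account used by the usage below."""
    return Account("alice", hashlib.sha256(b"correct horse battery staple").hexdigest(),
                   {"password", "sms_code", "email_code", "device_token"},
                   {"phone-A"}, {"CN-GD"})


if __name__ == "__main__":
    acct = make_sample_account()
    mods = {"sms_code", "email_code", "device_token"}
    print(handle_login(acct, Attempt("phone-A", "CN-GD", mods, 1000.0), "correct horse battery staple"))
    print(handle_login(acct, Attempt("laptop-B", "CN-GD", mods, 1010.0), "correct horse battery staple"))
```

A login from a known terminal with the right password is allowed outright; a login from a new terminal is stepped up to a mode that does not depend on the terminal (so `device_token` is skipped even though the terminal supports it); a terminal flagged as running information-harvesting code pushes the degree over the threshold and requires two modes; and when every remaining candidate relies on the anomalous feature the login is denied rather than stepped up into a mode the anomaly already undermines.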
PCT/CN2017/094399 2016-07-28 2017-07-25 Verification method, apparatus and device, and storage medium WO2018019243A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201610613071.8 2016-07-28
CN201610613071.8A CN107665301B (en) 2016-07-28 2016-07-28 Verification method and device

Publications (1)

Publication Number Publication Date
WO2018019243A1 true WO2018019243A1 (en) 2018-02-01

Family

ID=61016381

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2017/094399 WO2018019243A1 (en) 2016-07-28 2017-07-25 Verification method, apparatus and device, and storage medium

Country Status (2)

Country Link
CN (1) CN107665301B (en)
WO (1) WO2018019243A1 (en)

Cited By (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109639724A (en) * 2019-01-14 2019-04-16 平安科技(深圳)有限公司 Password method for retrieving, password device for retrieving, computer equipment and storage medium
CN110334559A (en) * 2019-05-31 2019-10-15 努比亚技术有限公司 A kind of barcode scanning recognition methods, terminal and computer readable storage medium
CN111835765A (en) * 2020-07-13 2020-10-27 中国联合网络通信集团有限公司 Verification method and device
CN112309008A (en) * 2020-10-29 2021-02-02 一汽奔腾轿车有限公司 Safety management platform of automobile digital key
CN112613020A (en) * 2020-12-31 2021-04-06 中国农业银行股份有限公司 Identity verification method and device
CN113627208A (en) * 2021-08-17 2021-11-09 上海源慧信息科技股份有限公司 Code scanning login early warning method and device, computer equipment and storage medium
CN114172717A (en) * 2021-12-03 2022-03-11 武汉极意网络科技有限公司 Account risk evaluation method based on event tracking
CN114449519A (en) * 2022-01-12 2022-05-06 中车唐山机车车辆有限公司 Method, device and system for accessing wireless network
CN115022002A (en) * 2022-05-27 2022-09-06 中国电信股份有限公司 Verification mode determination method and device, storage medium and electronic equipment
CN115080941A (en) * 2022-08-19 2022-09-20 荣耀终端有限公司 Account login method and electronic equipment

Families Citing this family (25)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110232270B (en) * 2018-03-06 2022-06-10 中移动信息技术有限公司 Security authentication method, equipment, device and storage medium
CN108418829B (en) * 2018-03-22 2020-10-27 平安科技(深圳)有限公司 Account login verification method and device, computer equipment and storage medium
CN108650226B (en) * 2018-03-30 2019-10-29 平安科技(深圳)有限公司 A kind of login validation method, device, terminal device and storage medium
CN108833258A (en) * 2018-06-12 2018-11-16 广东睿江云计算股份有限公司 A kind of mail service actively discovers abnormal method
CN108960839B (en) * 2018-06-20 2021-04-23 创新先进技术有限公司 Payment method and device
CN109218170A (en) * 2018-10-18 2019-01-15 杭州安恒信息技术股份有限公司 A kind of IP address-based mail abnormal login detecting method and system
CN109493089A (en) * 2018-11-02 2019-03-19 南方电网调峰调频发电有限公司 A kind of Subscriber Management System for more renting family based on database
CN109753772A (en) * 2018-11-29 2019-05-14 武汉极意网络科技有限公司 A kind of account safety verification method and system
CN109753778A (en) * 2018-12-30 2019-05-14 北京城市网邻信息技术有限公司 Checking method, device, equipment and the storage medium of user
CN109889507B (en) * 2019-01-24 2021-08-06 印象(山东)大数据有限公司 Monitoring method and system for monitoring mailbox operation safety
CN110224992B (en) * 2019-05-14 2022-11-29 北京百度网讯科技有限公司 Method, apparatus, system and computer readable medium for shared resource restriction reuse
CN110321688A (en) * 2019-06-10 2019-10-11 许超贤 A kind of financial terminal and method for processing business preventing information leakage
CN112183167B (en) * 2019-07-04 2023-09-22 钉钉控股(开曼)有限公司 Attendance checking method, authentication method, living body detection method, device and equipment
CN110414198A (en) * 2019-08-07 2019-11-05 Oppo(重庆)智能科技有限公司 A kind of privacy application guard method, device and computer readable storage medium
CN110535850B (en) * 2019-08-26 2022-07-29 腾讯科技(武汉)有限公司 Processing method and device for account login, storage medium and electronic device
CN110874460A (en) * 2019-11-14 2020-03-10 江苏税软软件科技有限公司 App security verification method
CN117436051A (en) * 2020-04-29 2024-01-23 支付宝(杭州)信息技术有限公司 Account login verification method and system
CN113709082B (en) * 2020-05-20 2023-07-21 腾讯科技(深圳)有限公司 Application login method and device and account login mode setting method
CN113849786A (en) * 2021-08-13 2021-12-28 广州酷狗计算机科技有限公司 Abnormal user detection method and device, electronic equipment and storage medium
CN113674085A (en) * 2021-08-19 2021-11-19 支付宝(杭州)信息技术有限公司 Account limitation-removing method, device and equipment
CN114205119B (en) * 2021-11-17 2023-11-21 南方电网数字电网研究院有限公司 Data security protection abnormal login corresponding method for power grid control platform
CN114237144B (en) * 2021-11-22 2024-04-02 上海交通大学宁波人工智能研究院 System and method for PLC security and credibility based on embedded type
CN114186209B (en) * 2022-02-15 2022-06-28 北京安帝科技有限公司 Identity verification method and system
CN116244684A (en) * 2023-05-11 2023-06-09 深圳奥联信息安全技术有限公司 Password management method, password management system, computer equipment and storage medium
CN116881890B (en) * 2023-09-08 2023-12-26 深圳市普惠智助医疗设备有限公司 User identity identification management method and system for self-service list printer

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20120123920A1 (en) * 2010-11-10 2012-05-17 Fraser Norman M User Authentication System and Method Thereof
CN104125062A (en) * 2013-04-26 2014-10-29 腾讯科技(深圳)有限公司 Login method, device, login authentication device, server, terminals and system
CN104144419A (en) * 2014-01-24 2014-11-12 腾讯科技(深圳)有限公司 Identity authentication method, device and system

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102325062A (en) * 2011-09-20 2012-01-18 北京神州绿盟信息安全科技股份有限公司 Abnormal login detecting method and device
CN102664877A (en) * 2012-03-30 2012-09-12 北京千橡网景科技发展有限公司 Method and device for exception handling in login process
CN103532797B (en) * 2013-11-06 2017-07-04 网之易信息技术(北京)有限公司 A kind of User logs in method for monitoring abnormality and device
CN105516138B (en) * 2015-12-09 2019-02-15 广州密码科技有限公司 A kind of verification method and device based on login log analysis

Cited By (16)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109639724A (en) * 2019-01-14 2019-04-16 平安科技(深圳)有限公司 Password method for retrieving, password device for retrieving, computer equipment and storage medium
CN110334559B (en) * 2019-05-31 2024-03-15 努比亚技术有限公司 Code scanning identification method, terminal and computer readable storage medium
CN110334559A (en) * 2019-05-31 2019-10-15 努比亚技术有限公司 A kind of barcode scanning recognition methods, terminal and computer readable storage medium
CN111835765A (en) * 2020-07-13 2020-10-27 中国联合网络通信集团有限公司 Verification method and device
CN111835765B (en) * 2020-07-13 2022-09-23 中国联合网络通信集团有限公司 Verification method and device
CN112309008A (en) * 2020-10-29 2021-02-02 一汽奔腾轿车有限公司 Safety management platform of automobile digital key
CN112613020A (en) * 2020-12-31 2021-04-06 中国农业银行股份有限公司 Identity verification method and device
CN112613020B (en) * 2020-12-31 2024-05-28 中国农业银行股份有限公司 Identity verification method and device
CN113627208A (en) * 2021-08-17 2021-11-09 上海源慧信息科技股份有限公司 Code scanning login early warning method and device, computer equipment and storage medium
CN113627208B (en) * 2021-08-17 2024-04-05 上海源慧信息科技股份有限公司 Code scanning login early warning method and device, computer equipment and storage medium
CN114172717A (en) * 2021-12-03 2022-03-11 武汉极意网络科技有限公司 Account risk evaluation method based on event tracking
CN114449519A (en) * 2022-01-12 2022-05-06 中车唐山机车车辆有限公司 Method, device and system for accessing wireless network
CN115022002A (en) * 2022-05-27 2022-09-06 中国电信股份有限公司 Verification mode determination method and device, storage medium and electronic equipment
CN115022002B (en) * 2022-05-27 2024-02-06 中国电信股份有限公司 Verification mode determining method and device, storage medium and electronic equipment
CN115080941B (en) * 2022-08-19 2023-04-28 荣耀终端有限公司 Account login method and electronic equipment
CN115080941A (en) * 2022-08-19 2022-09-20 荣耀终端有限公司 Account login method and electronic equipment

Also Published As

Publication number Publication date
CN107665301A (en) 2018-02-06
CN107665301B (en) 2021-03-19

Similar Documents

Publication Publication Date Title
WO2018019243A1 (en) Verification method, apparatus and device, and storage medium
US11716324B2 (en) Systems and methods for location-based authentication
US10791126B2 (en) System and methods for protecting users from malicious content
US11341475B2 (en) System and method of notifying mobile devices to complete transactions after additional agent verification
US10693880B2 (en) Multi-stage authentication of an electronic communication
KR102457683B1 (en) System and method for performing authentication using data analytics
US10462665B2 (en) Multifactor network authentication
KR102035312B1 (en) User centric authentication mehtod and system
US11714886B2 (en) Modifying application function based on login attempt confidence score
WO2019015516A1 (en) Methods and apparatus for authentication of joint account login
US10462126B2 (en) Self-adjusting multifactor network authentication
CN116583861A (en) Defensive multi-factor authentication for phishing
US11909746B2 (en) Multi-path user authentication and threat detection system and related methods
KR102284876B1 (en) System and method for federated authentication based on biometrics
SHAKIR User authentication in public cloud computing through adoption of electronic personal synthesis behavior
US20240250942A1 (en) Risk-Based Factor Selection
Aljohani Authentication Based on Disposable Password and Touch Pattern Data

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 17833546; Country of ref document: EP; Kind code of ref document: A1)
NENP Non-entry into the national phase (Ref country code: DE)
122 Ep: pct application non-entry in european phase (Ref document number: 17833546; Country of ref document: EP; Kind code of ref document: A1)