WO2018030421A1 - Système d'authentification, procédé, programme et support d'enregistrement sur lequel un programme est enregistré - Google Patents

Système d'authentification, procédé, programme et support d'enregistrement sur lequel un programme est enregistré Download PDF

Info

Publication number
WO2018030421A1
WO2018030421A1 PCT/JP2017/028806 JP2017028806W WO2018030421A1 WO 2018030421 A1 WO2018030421 A1 WO 2018030421A1 JP 2017028806 W JP2017028806 W JP 2017028806W WO 2018030421 A1 WO2018030421 A1 WO 2018030421A1
Authority
WO
WIPO (PCT)
Prior art keywords
terminal
push
authentication
identification information
unique
Prior art date
Application number
PCT/JP2017/028806
Other languages
English (en)
Japanese (ja)
Inventor
俊樹 前澤
昂弘 西田
宏幸 菊池
Original Assignee
株式会社Isao
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Priority claimed from JP2016155997A external-priority patent/JP6104439B1/ja
Application filed by 株式会社Isao filed Critical 株式会社Isao
Publication of WO2018030421A1 publication Critical patent/WO2018030421A1/fr
Priority to US16/270,347 priority Critical patent/US10659461B2/en

Links

Images

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31User authentication
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31User authentication
    • G06F21/33User authentication using certificates
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04MTELEPHONIC COMMUNICATION
    • H04M11/00Telephonic communication systems specially adapted for combination with other electrical systems

Definitions

  • the present invention relates to an authentication system, method, program, and recording medium on which the program is recorded.
  • an authentication method there is a method of performing authentication in two stages using two terminals, and it is necessary to input a password, biometric authentication information, etc. in both stages.
  • an ID and a password are input on a PC ([0019]), and then biometric authentication information such as a user's voice, face, and fingerprint is input from an information portable terminal. There is a need to.
  • the present invention records an authentication system, method, program, and program that do not require input of knowledge authentication information other than identification information such as user ID and card ID, property authentication information, and biometric authentication information at the time of authentication.
  • knowledge authentication information other than identification information such as user ID and card ID, property authentication information, and biometric authentication information at the time of authentication.
  • One of the purposes is to provide a recording medium.
  • One aspect of the present invention includes a first terminal, a second terminal, and an authentication subsystem, wherein the first terminal includes identification information and a first push input to the first terminal.
  • An authentication request is transmitted to the authentication subsystem, and the authentication subsystem collates the identification information received from the first terminal with the identification information stored in association with the unique ID of the second terminal.
  • the second terminal When there is identification information that matches the identification information received from the first terminal, based on the unique ID of the second terminal stored in association with the identification information, the second terminal When the push authentication operation start request is received, the second terminal receives knowledge authentication information, property authentication information, and biometric authentication information for the push authentication. Without a given Encourage work only to users, by the user, when the predetermined operation is performed, there is provided an authentication system for transmitting push authentication operation completion notice to the authentication subsystem.
  • the second terminal Before the first terminal transmits the identification information input to the first terminal and the first push authentication request to the authentication subsystem, the second terminal The unique ID of the second terminal is transmitted to the authentication subsystem, and the authentication subsystem is stored in association with the unique ID of the second terminal received from the second terminal and the identification information. A unique ID of the second terminal that matches the unique ID of the second terminal received from the second terminal, the push authentication permission flag is set to The identification information stored in association with the unique ID of the second terminal is stored, and the first terminal receives the identification information and the first push authentication request input to the first terminal. To the authentication subsystem Later, the authentication subsystem collates the identification information received from the first terminal with the identification information stored in association with the unique ID of the second terminal, and receives it from the first terminal.
  • the push authentication operation start request is not transmitted to the second terminal, or another authentication failure process is performed.
  • One aspect of the present invention includes a first terminal, a second terminal, and an authentication subsystem, wherein the authentication subsystem includes a storage unit, identification information received from the first terminal, An identification information matching unit that matches the identification information stored in the storage unit in association with the unique ID of the second terminal, and the identification information that matches the identification information received from the first terminal.
  • the push ID generation unit that generates the push ID and transmits the push ID to the first terminal, and the identification information that matches the identification information received from the first terminal.
  • the push ID generated by the push ID generation unit on the second terminal based on the unique ID of the second terminal acquired by the cache ID reception unit and the second terminal unique ID acquisition unit;
  • a push authentication operation start request unit that transmits a push authentication operation start request, a push authentication operation completion notification reception unit that receives a push authentication operation completion notification transmitted from the second terminal, and a reception from the second terminal
  • the push ID collation unit that collates the push ID from the first terminal stored in the storage unit, and the first terminal includes the identification information and the first push authentication request.
  • the push ID received from the push ID generation unit is stored, and the push ID is stored in the push ID reception unit.
  • the second terminal receives the push authentication operation start request, the user performs only a predetermined operation without input of knowledge authentication information, property authentication information, and biometric information for the push authentication.
  • An authentication system that transmits the push ID and the push authentication operation completion notification received from the push authentication operation start request unit to the push authentication operation completion notification reception unit when the user performs the predetermined operation. It is to provide.
  • the authentication subsystem includes a token ID generation unit that generates a token ID, a token ID transmission unit that transmits the token ID and push authentication completion notification to the first terminal, and a push ID and token from the first terminal.
  • the push ID / token ID receiving unit that receives the ID, the combination of the push ID and the token ID received from the first terminal, and the combination of the push ID and the token ID stored in the storage unit are collated.
  • a push ID / token ID collation unit wherein the push ID collation unit, when there is a push ID that matches the push ID received from the second terminal,
  • the first ID is stored in the storage unit in association with the push ID received from the first terminal.
  • Upon receiving the completion notification can be made to transmit and the push ID stored in the first terminal, the token ID received from the token ID transmitting section to the push ID ⁇ token ID receiving unit.
  • the input of the identification information to the first terminal prompts the user to input the identification information and information necessary for authentication including selection of an authentication method of push authentication or non-push authentication.
  • the identification information and the push authentication selection may be input by the user.
  • the input of the identification information to the first terminal may be performed by receiving the identification information from a portable information processing apparatus in which the identification information is stored.
  • the first terminal effectively stores the push ID received from the push ID generation unit for a predetermined short time, and / or the push ID collation unit receives the push ID received from the second terminal.
  • the push ID matches the push ID received from the second terminal by comparing the push ID stored in the storage unit with the push ID from the first terminal, the token ID Is associated with the push ID received from the second terminal, and is effectively stored in the storage unit for a predetermined short period of time.
  • the authentication subsystem further includes a second terminal unique ID registration unit that associates the identification information received from the second terminal with the unique ID of the second terminal and stores the second terminal unique ID registration unit in the storage unit, May transmit the identification information input to the second terminal and the unique ID of the second terminal to the second terminal unique ID registration unit.
  • the authentication subsystem collates the unique ID of the second terminal received from the second terminal with the unique ID of the second terminal stored in the storage unit in association with identification information, If there is a unique ID of the second terminal that matches the unique ID of the second terminal received from the second terminal, the push authentication permission flag is associated with the unique ID of the second terminal, and A second terminal unique ID collating unit that stores the identification information stored in the storage unit in association with the identification information stored in the storage unit, wherein the first terminal receives the identification information input to the first terminal and the first terminal; Before transmitting the first push authentication request to the identification information matching unit, the second terminal transmits a third push authentication request and the unique ID of the second terminal to the authentication subsystem, and 1 terminal inputs to the first terminal The identification information and the first push authentication request transmitted to the identification information verification unit, the identification information verification unit receives the identification information received from the first terminal, the unique ID of the second terminal, and When the identification information matched with the identification information stored in the storage unit is matched with the identification information received from the first terminal, the push authentication permission flag
  • the identification information matching unit displays a push authentication permission flag of the second terminal.
  • the storage unit can be stored for a predetermined short time in association with the identification information stored in the storage unit in association with a unique ID.
  • identification information and a user agent of the first terminal are stored in association with each other, and the first terminal transmits the user agent of the first terminal to the identification information matching unit,
  • the identification information matching unit includes a combination of the identification information received from the first terminal and the user agent of the first terminal, identification information stored in the storage unit, and a user agent of the first terminal. Combinations can be verified.
  • One aspect of the present invention is the means for receiving the identification information and the first push authentication request transmitted from the first terminal, the identification information received from the first terminal, and the uniqueness of the second terminal.
  • the identification information stored in association with the ID is collated, and when there is identification information that matches the identification information received from the first terminal, the second information stored in association with the identification information.
  • an authentication subsystem comprising means for receiving a Mesh authentication operation completion notification.
  • the third push authentication request and the unique ID of the second terminal transmitted from the second terminal are received.
  • the unique ID of the second terminal received from the second terminal is compared with the unique ID of the second terminal stored in association with the identification information, and the received unique ID of the second terminal is received from the first terminal.
  • the push authentication permission flag is associated with the identification information stored in association with the second terminal unique ID.
  • the storage unit receives the identification information and the first push authentication request transmitted from the first terminal, and associates the identification information with the unique ID of the second terminal.
  • an identification information collation unit that collates the identification information stored in the storage unit and identification information that matches the identification information received from the first terminal
  • a push ID is generated and the push ID is Based on the identification information that matches the identification information received from the first terminal and the identification information received from the first terminal, the push ID generation unit that is transmitted to the first terminal is stored in the storage unit in association with the identification information.
  • the push ID generating unit Based on the push ID receiving unit to be stored and the unique ID of the second terminal acquired by the second terminal unique ID acquiring unit, the push ID generating unit generates the push ID generating unit on the second terminal.
  • the push ID, the push authentication operation start request unit that transmits a push authentication operation start request, the push ID received from the second terminal, and the push from the first terminal stored in the storage unit
  • An authentication subsystem including a push ID verification unit for verifying an ID is provided.
  • a token ID generation unit that generates a token ID, a token ID transmission unit that transmits the token ID and a push authentication completion notification to the first terminal, and a transmission from the first terminal when the push authentication completion notification is received
  • a combination of ID and token ID, and a push ID / token ID collation unit that is stored in the storage unit and that collates the combination of the push ID and token ID received by the first application server,
  • the push ID collation unit is stored in the storage unit and the push ID received from the second terminal.
  • the push ID received from the second terminal is checked if the push ID that matches the push ID received from the second terminal is present, and the push ID that matches the push ID received from the second terminal exists. It can be stored in the storage unit in association with the ID.
  • the first terminal effectively stores the push ID received from the push ID generation unit for a predetermined short time, and / or the push ID collation unit receives the push ID received from the second terminal.
  • the push ID matches the push ID received from the second terminal by comparing the push ID stored in the storage unit with the push ID from the first terminal, the token ID Is associated with the push ID received from the second terminal, and is effectively stored in the storage unit for a predetermined short period of time.
  • It may further include a second terminal unique ID registration unit that stores the identification information received from the second terminal and the unique ID of the second terminal in association with each other.
  • the authentication subsystem collates the unique ID of the second terminal received from the second terminal with the unique ID of the second terminal stored in the storage unit in association with identification information, If there is a unique ID of the second terminal that matches the unique ID of the second terminal received from the second terminal, the push authentication permission flag is associated with the unique ID of the second terminal, and A second terminal unique ID collating unit that stores the identification information stored in the storage unit in association with the identification information stored in the storage unit, wherein the first terminal receives the identification information input to the first terminal and the first terminal; Before transmitting the first push authentication request to the identification information matching unit, the second terminal transmits a third push authentication request and the unique ID of the second terminal to the authentication subsystem, and 1 terminal inputs to the first terminal After the identification information and the first push authentication request transmitted to the identification information verification unit, the identification information verification unit receives the identification information received from the first terminal, the unique ID of the second terminal, When the identification information matched with the identification information stored in the storage unit is matched with the identification information received from the first terminal, the push authentication permission flag
  • the identification information matching unit displays a push authentication permission flag of the second terminal.
  • the storage unit can be stored for a predetermined short time in association with the identification information stored in the storage unit in association with a unique ID.
  • identification information and a user agent of the first terminal are stored in association with each other, and the first terminal transmits the user agent of the first terminal to the identification information matching unit,
  • the identification information matching unit includes a combination of the identification information received from the first terminal and a user agent of the first terminal, identification information stored in the storage unit, and a user agent of the first terminal. Combinations can be verified.
  • One aspect of the present invention is a second terminal, the identification information received from the first terminal by the authentication subsystem, and the unique ID of the second terminal.
  • the identification information stored in association with the identification information matches the identification information received from the first terminal
  • the second information stored in association with the identification information is stored.
  • Means for receiving a push authentication operation start request transmitted based on the unique ID of the terminal; and for the push authentication in response to the push authentication operation start request, knowledge authentication information, property authentication information, and biometrics Means for prompting the user to perform only a predetermined operation without inputting authentication information; and means for transmitting a push authentication operation completion notification to the authentication subsystem when the user performs the predetermined operation.
  • One aspect of the present invention is a second terminal, the identification information received from the first terminal by the authentication subsystem including a storage unit, and input to the first terminal, and the second terminal
  • a push ID is generated and , Means for receiving the push ID and a push authentication operation start request transmitted based on the unique ID of the second terminal stored in the storage unit in association with the identification information, and the push authentication operation start
  • Means for receiving the push ID and a push authentication operation start request transmitted based on the unique ID of the second terminal stored in the storage unit in association with the identification information, and the push authentication operation start In response to the request, for the push authentication, means for prompting the user only for a predetermined operation without input of knowledge authentication information, property authentication information, and biometric authentication information;
  • One aspect of the present invention includes a step in which a first terminal transmits identification information and a first push authentication request input to the first terminal to an authentication subsystem; and The identification information received from the first terminal is matched with the identification information stored in association with the unique ID of the second terminal, and there is identification information that matches the identification information received from the first terminal.
  • the second terminal is intended to provide an authentication method and sending a push authentication operation completion notice to the authentication subsystem.
  • the second terminal Before the step of the first terminal transmitting the identification information input to the first terminal and the first push authentication request to the authentication subsystem, the second terminal performs a third push authentication. Transmitting the request and the unique ID of the second terminal to the authentication subsystem; and the authentication subsystem associates the unique ID of the second terminal received from the second terminal with the identification information. If the unique ID of the second terminal that matches the unique ID of the second terminal received from the second terminal exists, the push authentication permission is granted.
  • the authentication subsystem stores the identification information received from the first terminal and the identification information stored in association with the unique ID of the second terminal.
  • the authentication subsystem does not transmit the push authentication operation start request to the second terminal or performs other authentication failure processing Can be.
  • One aspect of the present invention is an authentication method performed between a first terminal, a second terminal, and an authentication subsystem, the authentication subsystem including a storage unit, an identification information matching unit, a push ID
  • the generation unit, the second terminal unique ID acquisition unit, and the push ID reception unit include a push authentication operation start request unit, a push authentication operation completion notification reception unit, and a push ID collation unit, and the first terminal inputs identification information. And transmitting the identification information and the first push authentication request to the identification information matching unit, the identification information received from the first terminal by the identification information matching unit, and a second terminal.
  • the operation start request unit sends the push signal to the second terminal based on the unique ID of the second terminal acquired by the second terminal unique ID acquisition unit.
  • the authentication subsystem further includes a token ID transmission unit, a push ID / token ID reception unit, and a push ID / token ID verification unit, wherein the token ID generation unit generates a token ID; and the push ID verification And the push ID received from the second terminal by comparing the push ID received from the second terminal with the push ID stored in the storage unit from the first terminal. If there is a matching push ID, the step of storing the token ID in the storage unit in association with the push ID received from the second terminal, and the token ID transmission unit pushes the token ID and the push ID.
  • the terminal transmits the push ID stored in the first terminal and the token ID received from the token ID transmission unit to the push ID / token ID reception unit, and the push ID / token ID reception.
  • the input of the identification information to the first terminal prompts the user to input the identification information and information necessary for authentication including selection of an authentication method of push authentication or non-push authentication.
  • the identification information and the push authentication selection may be input by the user.
  • the input of the identification information to the first terminal may be performed by receiving the identification information from a portable information processing apparatus in which the identification information is stored.
  • the first terminal effectively stores the push ID received from the push ID generation unit for a predetermined short time, and / or the push ID collation unit receives the push ID received from the second terminal.
  • the push ID matches the push ID received from the second terminal by comparing the push ID stored in the storage unit with the push ID from the first terminal, the token ID Is associated with the push ID received from the second terminal, and is effectively stored in the storage unit for a predetermined short period of time.
  • the authentication subsystem further includes a second terminal unique ID registration unit, and the second terminal receives the identification information input to the second terminal and the unique ID of the second terminal as the second terminal unique ID.
  • the authentication subsystem further includes a second terminal unique ID verification unit, and the first terminal transmits the identification information input to the first terminal and the first push authentication request to the identification information verification unit.
  • the second terminal transmits a third push authentication request and a unique ID of the second terminal to the authentication subsystem
  • a second terminal unique ID verification unit includes the first terminal The unique ID of the second terminal received from the second terminal and the unique ID of the second terminal stored in the storage unit in association with the identification information, and received from the second terminal
  • the push authentication permission flag is associated with the unique ID of the second terminal and stored in the storage unit
  • the storage unit in association with information
  • the identification information verification unit includes: The identification information received from the first terminal is matched with the identification information stored in the storage unit in association with the unique ID of the second terminal, and matches the identification information received from
  • the identification information matching unit displays a push authentication permission flag of the second terminal.
  • the storage unit can be stored for a predetermined short time in association with the identification information stored in the storage unit in association with a unique ID.
  • the storage unit stores identification information and a user agent of the first terminal in association with each other, and the first terminal transmits the user agent of the first terminal to the authentication subsystem; A combination of the identification information received from the first terminal and the user agent of the first terminal, an identification information stored in the storage unit, and a user agent of the first terminal And a step of collating the combinations.
  • One aspect of the present invention is the step of receiving the identification information and the first push authentication request transmitted from the first terminal, the identification information received from the first terminal, and the uniqueness of the second terminal.
  • the identification information stored in association with the ID is collated, and when there is identification information that matches the identification information received from the first terminal, the second information stored in association with the identification information.
  • Authentication method comprising receiving a push authentication operation completion notification is there is provided a.
  • the third push authentication request and the unique ID of the second terminal transmitted from the second terminal Before the step of receiving the identification information and the first push authentication request transmitted from the first terminal, the third push authentication request and the unique ID of the second terminal transmitted from the second terminal. , The unique ID of the second terminal received from the second terminal, and the unique ID of the second terminal stored in association with the identification information, and the second terminal The identification stored in association with the unique ID of the second terminal when the unique ID of the second terminal that matches the unique ID of the second terminal received from the second terminal exists. Storing the identification information received from the first terminal after receiving the identification information and the first push authentication request transmitted from the first terminal; The terminal The identification information stored in association with the ID is collated, and when there is identification information that matches the identification information received from the first terminal, a push authentication permission flag is stored for the identification information. A step of checking whether the push authentication permission flag is not stored for the identification information, the push authentication operation start request is not transmitted to the second terminal, or other Authentication failure processing can be performed.
  • One aspect of the present invention includes an authentication sub that includes a storage unit, an identification information verification unit, a push ID generation unit, a second terminal unique ID acquisition unit, a push ID reception unit, a push authentication operation start request unit, and a push ID verification unit.
  • the identification information matching unit receives the identification information and the first push authentication request transmitted from the first terminal, and receives the identification information and the unique ID of the second terminal. Collating the identification information stored in the storage unit in association with the ID, and when the identification information matching the identification information received from the first terminal exists by the push ID generation unit, Generating and transmitting the push ID to the first terminal, and the second terminal unique ID acquisition unit matches the identification information received from the first terminal.
  • the step of receiving the push ID from the first terminal storing the push ID and storing the push ID in the storage unit, and the push authentication operation start request unit are acquired by the second terminal unique ID acquisition unit.
  • a step of transmitting the push ID generated by the push ID generation unit and a push authentication operation start request to the second terminal based on the unique ID of the second terminal; Verifying the push ID received from the second terminal and the push ID from the first terminal stored in the storage unit Authentication method comprising is intended to provide.
  • the authentication subsystem further includes a token ID generation unit, a token ID transmission unit, a push ID / token ID reception unit, and a push ID / token ID verification unit, wherein the token ID generation unit generates a token ID;
  • the push ID collation unit collates the push ID received from the second terminal with the push ID from the first terminal stored in the storage unit, and receives the push ID from the second terminal.
  • the D reception unit receives the push authentication completion notification
  • the push ID stored in the first terminal and the token ID received from the token ID transmission unit are transmitted from the first terminal.
  • the first terminal effectively stores the push ID received from the push ID generation unit for a predetermined short time, and / or the push ID collation unit receives the push ID received from the second terminal.
  • the push ID matches the push ID received from the second terminal by comparing the push ID stored in the storage unit with the push ID from the first terminal, the token ID Is associated with the push ID received from the second terminal, and is effectively stored in the storage unit for a predetermined short period of time.
  • the authentication subsystem further includes a second terminal unique ID verification unit, which is transmitted from the second terminal before the step of receiving the identification information and the first push authentication request transmitted from the first terminal.
  • the received third push authentication request and the unique ID of the second terminal, and the second terminal unique ID collation unit receives the unique ID of the second terminal received from the second terminal, The unique ID of the second terminal that matches the identification information and matches the unique ID of the second terminal stored in the storage unit and matches the unique ID of the second terminal received from the second terminal.
  • a push authentication permission flag is stored in the storage unit in association with the identification information stored in the storage unit in association with the unique ID of the second terminal; Send from 1 terminal
  • the identification information collating unit stores the identification information received from the first terminal in association with the unique ID of the second terminal.
  • the identification information stored in the unit is collated, and when there is identification information that matches the identification information received from the first terminal, a push authentication permission flag is stored in the storage unit for the identification information
  • the authentication subsystem sends the push to the second terminal.
  • the authentication operation start request may not be transmitted, or other authentication failure processing may be performed.
  • the identification information matching unit displays a push authentication permission flag of the second terminal.
  • the storage unit can be stored for a predetermined short time in association with the identification information stored in the storage unit in association with a unique ID.
  • the storage unit stores the identification information and the user agent of the first terminal in association with each other, and the first terminal transmits the user agent of the first terminal to the authentication subsystem,
  • the identification information collation unit collates the user agent of the first terminal received from the first terminal and the user agent of the first terminal stored in the storage unit in association with the identification information.
  • a step may be further included.
  • the authentication subsystem stores the identification information received from the first terminal and stored in association with the identification information input to the first terminal and the unique ID of the second terminal.
  • the information is collated and transmitted based on the unique ID of the second terminal stored in association with the identification information.
  • An authentication method comprising: prompting the user to perform only an operation; and transmitting a push authentication operation completion notification to the authentication subsystem when the predetermined operation is performed by the user. It is intended to provide.
  • the authentication subsystem including a storage unit associates the identification information input to the first terminal received from the first terminal with the unique ID of the second terminal.
  • a push ID is generated and associated with the identification information.
  • An authentication method is provided that is collated with the push ID stored in the section.
  • One aspect of the present invention provides a program for causing a computer to execute the authentication method.
  • One aspect of the present invention provides a computer-readable recording medium in which the program is recorded.
  • server means one or more servers, and includes a plurality of servers.
  • push authentication means that the second terminal that has received the push notification for authentication is the knowledge authentication information in response to the identification information being input to the first terminal. This means authentication that is performed based on the user performing only the predetermined operation that does not involve the input of property authentication information and biometric authentication information, and the user performs the predetermined operation.
  • an authentication system for example, an authentication system, a method, and a program that do not require input of knowledge authentication information other than identification information such as user ID and card ID, property authentication information, and biometric authentication information
  • a recording medium on which the program is recorded can be provided.
  • FIG. 1 is a diagram showing an overall configuration of an authentication system according to the first embodiment of the present invention.
  • FIG. 2 is a diagram showing a functional configuration of the authentication subsystem according to the first embodiment of the present invention.
  • FIG. 3 is a diagram showing a hardware configuration of the authentication subsystem according to the first embodiment of the present invention.
  • the authentication system 1 includes a first terminal 3, a second terminal 4, a web server 5, a first application server 6, a second application server 7 capable of asynchronous communication, and a push notification server 8, each of which Are connected via the network 20.
  • the web server 5, the first application server 6, the second application server 7, and the push notification server 8 constitute an authentication subsystem 2.
  • Each of the authentication subsystem 2, the first terminal 3, the second terminal 4, the web server 5, the first application server 6, the second application server 7, and the push notification server 8 is a single physical device. It does not need to be configured, and may be configured from a plurality of physical devices.
  • any appropriate terminal such as a PC, a smartphone, a tablet terminal, a terminal provided with an IC card reader / writer, a terminal capable of communicating with a portable terminal, or the like can be used.
  • the second terminal 4 is typically a mobile terminal such as a smartphone, a tablet terminal, or a mobile phone, but any appropriate terminal such as a PC can also be used.
  • the authentication subsystem 2 includes a second terminal unique ID registration unit 201, an identification information matching unit 203, a push ID generation unit 205, a second terminal unique ID acquisition unit 207, a push ID reception unit 209, a push authentication operation start request unit 211, Push authentication operation completion notification reception unit 212, token ID generation unit 213, push ID verification unit 214, token ID transmission unit 215, push ID / token ID reception unit 217, push ID / token ID verification unit 219, post-verification processing unit 221 And a storage unit 223.
  • the second terminal unique ID registration unit 201 stores the identification information received from the second terminal 4 and the unique ID of the second terminal in the storage unit 223 in association with each other.
  • the identification information and the unique ID of the second terminal may be directly associated with each other and stored in the storage unit 223, or a table in which the identification information and other types of identification information are associated with each other. With the table in which the other types of identification information and the unique ID of the second terminal are associated, the identification information and the unique ID of the second terminal are indirectly associated with each other and stored in the storage unit 223. Also good.
  • the identification information collation unit 203 collates the identification information received from the first terminal 3 with the identification information stored in the storage unit 9.
  • the push ID generation unit 205 When the identification information that matches the identification information received from the first terminal 3 is stored in the storage unit 223, the push ID generation unit 205 generates a push ID and transmits the push ID to the first terminal 3. Send to.
  • the second terminal unique ID acquisition unit 207 is associated with the identification information and stored in the storage unit 223. To get.
  • the push ID reception unit 209 causes the storage unit 223 to store the push ID received from the first terminal 3.
  • the push authentication operation start request unit 211 sends the push ID generated by the push ID generation unit 205 to the second terminal 4 based on the unique ID of the second terminal acquired by the second terminal unique ID acquisition unit 207. Then, a push authentication operation start request is transmitted.
  • the push authentication operation completion notification reception unit 212 receives the push authentication operation completion notification transmitted from the second terminal 4.
  • the token ID generation unit 213 generates a token ID when the push authentication operation completion notification reception unit 212 receives the push authentication operation completion notification.
  • the push ID collation unit 214 collates the push ID received from the second terminal 4 with the push ID from the first terminal 3 stored in the storage unit 223 and receives the push ID received from the second terminal 4. If there is a push ID that matches, the token ID is associated with the push ID received from the second terminal 4 and is effectively stored in the storage unit 223 for a predetermined short time.
  • the “effectively storing” configuration may be a configuration in which the stored token ID is deleted after a predetermined short time, or a configuration in which the valid period of the token ID is a predetermined short time.
  • the token ID transmission unit 215 transmits the token ID generated by the token ID generation unit 213 and the push authentication completion notification to the first terminal 3.
  • the push ID / token ID reception unit 217 receives the push ID and the token ID from the first terminal 3.
  • the push ID / token ID collation unit 219 collates the combination of the push ID and the token ID received from the first terminal 3 and the combination of the push ID and the token ID stored in the storage unit 223.
  • the post-collation processing unit 221 performs processing according to the collation result by the push ID / token ID collation unit 219.
  • the storage unit 223 stores various information such as identification information, a unique ID of the second terminal, a push ID, a token ID, a session key in an unlogged state, a session key in a logged in state, and corresponds to them as necessary. Add and remember.
  • the storage unit 223 may be configured as one physical device, or may be distributed and arranged in a plurality of physical devices.
  • the first terminal 3 transmits the input identification information and the first push authentication request to the identification information matching unit 203. Further, the push ID received from the push ID generation unit 205 is effectively stored for a predetermined short time, and the push ID is transmitted to the push ID reception unit 209. When the push authentication completion notification is received, the push ID stored in the first terminal 3 and the token ID received from the token ID transmission unit 215 are transmitted to the push ID / token ID reception unit 217.
  • the configuration of “effectively storing” may be a configuration in which the stored push ID is erased after a predetermined short time as described above, or a configuration in which the valid period of the token ID is a predetermined short time. Also good.
  • the second terminal 4 transmits the identification information input to the second terminal 4 and the unique ID of the second terminal 4 to the second terminal unique ID registration unit 201.
  • the user is prompted only for a predetermined operation without input of knowledge authentication information, property authentication information, and biometric information for push authentication.
  • the push ID received from the push authentication operation start request unit 211 and the push authentication operation completion notification are transmitted to the push authentication operation completion notification reception unit 212.
  • the web server 5 includes a second terminal unique ID registration unit 201, a user ID verification unit 203, a push ID generation unit 205, a push ID / token ID reception unit 217, and a post-verification processing unit 221 in the authentication subsystem 2. .
  • the first application server 6 includes the second terminal unique ID acquisition unit 207, the push authentication operation completion notification reception unit 212, the token ID generation unit 213, the push ID collation unit 214, the push ID / token in the authentication subsystem 2.
  • An ID verification unit 219 is provided.
  • the second application server 7 includes a push ID reception unit 209 and a token ID transmission unit 215 in the authentication subsystem 2.
  • the push notification server 8 includes a push authentication operation start request unit 211 in the authentication subsystem 2.
  • the database 9 includes a storage unit 223 in the authentication subsystem 2.
  • FIG. 3 is a diagram illustrating an example of a hardware configuration of the first terminal 3 according to the present embodiment.
  • the first terminal 3 includes a CPU 30a, a RAM 30b, a ROM 30c, an external memory 30d, an input unit 30e, an output unit 30f, and a communication unit 30g.
  • the RAM 30b, ROM 30c, external memory 30d, input unit 30e, output unit 30f, and communication unit 30g are connected to the CPU 30a via a system bus 30h.
  • the CPU 30a comprehensively controls each device connected to the system bus 30h.
  • the ROM 30c and the external memory 30d store various programs and data necessary for realizing the functions executed by the computer and the BIOS and OS that are control programs of the CPU 30a.
  • the RAM 30b functions as a main memory and work area of the CPU.
  • the CPU 30a implements various operations by loading a program or the like necessary for executing the processing from the ROM 30c or the external memory 30d to the RAM 30b and executing the loaded program.
  • the external memory 30d includes, for example, a flash memory, a hard disk, a DVD-RAM, a USB memory, and the like.
  • the input unit 30e receives an operation instruction from a user or the like.
  • the input unit 30e includes input devices such as an input button, a keyboard, a pointing device, a wireless remote controller, a microphone, and a camera, for example.
  • the output unit 30f outputs data processed by the CPU 30a and data stored in the RAM 30b, the ROM 30c, and the external memory 30d.
  • the output unit 30f includes an output device such as a CRT display, an LCD, an organic EL panel, a printer, and a speaker.
  • the communication unit 30g is an interface for connecting / communication with an external device via a network or directly.
  • the communication unit 30g includes an interface such as a serial interface or a LAN interface.
  • the hardware configurations of the second terminal 4, the web server 5, the first application server 6, the second application server 7, and the push notification server 8 are the same.
  • Each part of the authentication subsystem 2 shown in FIG. 2 allows various programs stored in the ROM or external memory to use the CPU, RAM, ROM, external memory, input unit, output unit, communication unit, etc. as resources. Realized.
  • FIG. 4 is a sequence diagram of an example of registration processing of information necessary for using push authentication which is the authentication method of the present invention.
  • the user accesses the web server 5 from the second terminal 4 (S101). Then, an input screen for a user ID and a password as identification information is transmitted from the web server 5 to the second terminal 4 (S102). When the user inputs the user ID and password, they are transmitted to the web server 52 (S103). When the verification of the user ID and the password (S105) is successful, a push authentication registration screen is transmitted from the web server 5 to the second terminal 4 (S106). When the user inputs the user ID (S107), the second terminal 4 generates a unique ID of the second terminal 4, and transmits the user ID and the unique ID of the second terminal 4 to the web server 5 ( S107). The web server 5 associates the received user ID with the unique ID of the second terminal 4 and stores it in the database 9 (storage unit 223) (S109). The web server 5 may generate the unique ID of the second terminal 4.
  • ⁇ Push authentication> 5A to 5E are sequence diagrams illustrating an example of the push authentication process.
  • FIG. 6 is a diagram illustrating an example of a login screen.
  • FIG. 7 is a diagram illustrating an example of the push authentication operation screen.
  • the user accesses the web server 5 from the first terminal 3 (S201). Then, the login screen 30 is transmitted from the web server 5 to the first terminal 3 (S203), and the first terminal 3 displays the login screen.
  • the web server 5 generates an unlogged session key (S204) and stores it in the database 9 (storage unit 223) (S205).
  • the login screen 30 displays a user ID input field 301, a password input field 303, a login button 305, and a push authentication button 307, and the user is a user ID and an authentication method of whether password authentication is push authentication or non-push authentication (S207).
  • the first terminal 3 receives the user ID and the first push authentication.
  • the request is transmitted to the web server 5 (S211).
  • only the push authentication may be performed such as displaying only the user ID input field and the push authentication button.
  • the web server 5 (identification information collation unit 203) collates the user ID received from the first terminal with the user ID stored in the database 9 (storage unit 223) in step S105 (S213). If there is a user ID that matches the user ID received from the first terminal 3, the web server 5 (push ID generation unit 205) generates a push ID (S215). Then, the web server 5 stores the generated push ID in the database 9 (storage unit 223) in association with the unlogged session key stored in the database 9 (storage unit 223) (S217). Further, the web server 5 (push ID generation unit 205) transmits the push ID, the user ID, and the second push authentication request to the first application server 6 (S219).
  • the web server 5 (push ID generation unit 205) transmits a screen indicating the push ID and the authentication process to the first terminal 3 (S221).
  • the push ID may be embedded in a screen indicating that the authentication process is being performed.
  • the push ID may be generated by another server at another appropriate timing.
  • the first application server 6 (second terminal unique ID acquisition unit 207) receives the second push authentication request from the web server 5
  • the first application server 6 second terminal unique ID acquisition unit 207
  • the unique ID of the second terminal 4 stored in the database 9 (storage unit 223) in association is acquired (S223) and transmitted to the push notification server 8 together with the push ID received together with the second push authentication request (S225). ).
  • the first terminal 3 stores the push ID received from the web server 5 effectively for a predetermined short time, for example, 30 seconds (S227), and asynchronously receives the received push ID to the second application server 7. It transmits by communication (S229).
  • asynchronous communication method any appropriate method such as Websocket can be used. By using asynchronous communication, the waiting load of the web server 5 can be reduced.
  • the second application server 7 stores the push ID received from the first terminal 3 in the storage unit 9 (S231).
  • the push notification server 8 (push authentication operation start request unit 211) sends the second terminal 4 to the second application server 6 from the first application server 6.
  • the received push ID and a push authentication operation start request are transmitted (S233).
  • the push notification compatible application software stored in the second terminal 4 is activated by using the received push authentication operation start request as a trigger.
  • a push authentication selection pop-up 401 is displayed on the display screen 40 to select whether or not to log in by push authentication by tapping the “Yes” button or the “No” button.
  • Knowledge authentication information The user is prompted only for a tap that is a predetermined operation that does not involve the input of property authentication information and biometric authentication information (S235).
  • the push notification to the second terminal may be a push notification that is not a conventional push-type email method.
  • GCM Google Cloud Messaging for Android
  • APNS Apple Push Notification Service
  • the second terminal 4 When the user taps the “Yes” button on the push authentication selection pop-up 401 (S237), the second terminal 4 sends the push ID received from the push notification server 8 and the push authentication operation completion notification to the first application. It transmits to the server 6 (S239).
  • the first application server 6 When receiving the push authentication operation completion notification, the first application server 6 (push authentication operation completion notification reception unit 212, token ID generation unit 213) generates a token ID (S241). Then, the first application server 6 (push ID collation unit 214) receives the push ID received from the second terminal 4 together with the push authentication operation completion notification and the first database stored in the database 9 (storage unit 223). The push ID from the terminal 3 is collated (S243). Note that the token ID may be generated after collating the push ID. If the verification is successful, the token ID is effectively stored in the database 9 (storage unit 223) in association with the push ID received from the second terminal 4 together with the push authentication operation completion notification for a predetermined short time, for example, 1 minute. (S245). Further, the first application server 6 (token ID transmission unit 215) transmits the generated token ID to the second application server 7 (S247). Here, the token ID may be generated by another server at another appropriate timing.
  • the second application server 7 transmits the received token ID and push authentication completion notification to the first terminal 3 (S249).
  • the first terminal 3 When the first terminal 3 receives the push authentication completion notification, the re-authentication process is started.
  • the first terminal 3 transmits the push ID stored in the first terminal 3 and the token ID received from the second application server 7 to the web server 5 (S251).
  • the stored push ID is erased after the predetermined short time.
  • the push ID is not transmitted from the first terminal 3 after a predetermined short time has elapsed after storage in the first terminal 3.
  • the web server 5 receives the push ID and token ID from the first terminal 3, and transmits the received push ID and token ID to the first application server 6 (S253). .
  • the first application server 6 (push ID / token ID collation unit 219) is effectively stored for a predetermined short time in the combination of the push ID and token ID received from the web server 5 and the database 9 (storage unit 223).
  • the combination of the push ID and token ID received by the first application server 7 is collated (S255), and the collation result is transmitted to the web server 5 (S228).
  • the token ID stored in the database 9 (storage unit 223) is effectively stored for a predetermined short period of time
  • the token ID stored in the database 9 (storage unit 223) is 1 After a minute, the verification is unsuccessful. If the verification is successful, the push ID is transmitted to the web server 5 in addition to the verification result.
  • the web server 5 performs processing according to the collation result received from the first application server 6. That is, if the collation result is “success”, the web server 5 acquires the session key in the unlogged state corresponding to the received push ID from the database 9 (storage unit 223) (S259) A session key in the login state is generated (S261), the session key in the unlogged state is replaced with a new session key in the login state, and stored in the database 9 (storage unit 223) (S263). Then, the first terminal 3 is redirected to the screen after login (S265). If the collation result is “unsuccessful”, information for displaying a screen indicating that authentication is unsuccessful is transmitted to the first terminal 3.
  • the identification information input to the first terminal is the user ID input by the user.
  • the identification information is not limited to this, and any appropriate identification information is used. be able to.
  • identification information received from a portable information processing device such as an IC card or a portable terminal can be used. That is, for example, considering a case where an IC card is used as a portable information processing apparatus and a card ID is used as identification information, a first terminal equipped with an IC card reader / writer receives the card ID from the IC card and receives the received card.
  • the ID may be transmitted to the web server, and the web server may collate the card ID with reference to a table in which the card ID and the unique ID of the second terminal are associated with each other.
  • the card ID and the unique ID of the second terminal are associated with each other by the table in which the card ID and the user ID are associated with each other and the table in which the user ID and the unique ID of the second terminal are associated with each other.
  • the card ID may be collated by referring to a database stored not by direct association but by indirect association.
  • the authentication at the time of login has been described as an example.
  • the present invention is not limited to this, and it is needless to say that the authentication can be applied to a wide range of authentication such as entrance / exit management.
  • the combination of the push ID and the token ID is verified.
  • only the push ID may be verified.
  • a push ID is generated and transmitted to the first terminal and the second terminal, and the push ID via the first terminal and the second terminal are passed.
  • a token ID is generated in addition to the push ID, and the combination of the push ID and the token ID is also verified, so that a more secure authentication method can be realized.
  • the valid time is provided for the push ID and the token ID, it is possible to realize a more secure authentication method.
  • This embodiment requires not only the push authentication request from the first terminal but also the push authentication request from the second terminal in addition to the first embodiment, and the push authentication request from the second terminal. If the push authentication permission flag is stored, the push authentication permission flag is stored, and it is determined whether the push authentication request flag from the first terminal is stored in consideration of whether the push authentication permission flag is stored. To do.
  • FIG. 8 is a diagram showing a functional configuration of the authentication subsystem according to the second embodiment of the present invention.
  • 9A to 9C are a part of a sequence diagram of an example of the push authentication process according to the second embodiment of the present invention.
  • An example of an authentication system and an authentication process of the authentication system according to the second embodiment of the present invention will be described with reference to FIGS. 8 and 9A to 9C.
  • 9A to 9C parts corresponding to those in FIGS. 2, 5A to 5B are denoted by the same reference numerals, and the description overlapping with the first embodiment is omitted.
  • the overall configuration and hardware configuration of the authentication system according to the second embodiment are the same as those in the first embodiment, and a description thereof will be omitted.
  • the authentication subsystem 2 includes a second terminal unique ID verification unit 202 in addition to the configuration of the first embodiment.
  • the second terminal unique ID matching unit 202 uses the unique ID of the second terminal 4 received from the second terminal 4 and the unique ID of the second terminal stored in the storage unit 223 in association with the identification information.
  • the push authentication permission flag corresponds to the unique ID of the second terminal 4.
  • the storage unit 223 is associated with the identification information attached and stored in the storage unit 223 and is effectively stored for a predetermined short time.
  • the configuration of “effectively storing” may be a configuration in which the stored push authentication permission flag is erased after a predetermined short time in the same manner as described above, or the valid period of the push authentication permission flag is a predetermined short time. It is good also as composition which is.
  • the identification information matching unit 203 receives the first terminal 3 from the first terminal 3 after transmitting the identification information input to the first terminal 3 and the first push authentication request to the identification information matching unit 203.
  • the identification information associated with the unique ID of the second terminal and the identification information stored in the storage unit 223 is collated, and there is identification information that matches the identification information received from the first terminal 3. Then, it is checked whether or not the push authentication permission flag is effectively stored in the storage unit 223 for the identification information.
  • the second terminal 4 transmits the identification information input to the second terminal 4 and the unique ID of the second terminal 4 to the second terminal unique ID registration unit 201. Further, before the first terminal 3 transmits the identification information input to the first terminal 3 and the first push authentication request to the identification information matching unit 203, the third push authentication request and the second terminal 4 is sent to the authentication subsystem 2. In addition, when a push authentication operation start request is received, the user is prompted only for a predetermined operation without input of knowledge authentication information, property authentication information, and biometric information for push authentication. When the user performs the predetermined operation, the push ID received from the push authentication operation start request unit 211 and the push authentication operation completion notification are transmitted to the push authentication operation completion notification reception unit 212.
  • the first application server 6 includes the second terminal unique ID verification unit 202, the second terminal unique ID acquisition unit 207, the push authentication operation completion notification reception unit 212, the token ID generation unit 213, the push of the authentication subsystem 2.
  • An ID verification unit 214 and a push ID / token ID verification unit 219 are provided.
  • the user accesses the first application server 6 from the second terminal 4 (S151). Then, a push authentication start desired input screen is transmitted from the first application server 6 to the second terminal 4 (S153), and the second terminal 4 displays the push authentication start desired input screen.
  • the second terminal 4 transmits the third push authentication request and the unique ID of the second terminal 4 to the first application server 6. (S155).
  • the first application server 6 (second terminal unique ID matching unit 202) stores the unique ID of the second terminal 4 received from the second terminal 4 and the database 9 (storage unit 223) in step S105.
  • the unique ID of the second terminal is collated (S157).
  • the first application server 6 (second terminal unique ID collation unit 202) pushes
  • the authentication permission flag is associated with the unique ID of the second terminal 4 and is effectively stored in the database 9 (storage unit 223) for a predetermined short time, for example, 30 seconds (S159).
  • the first application server 6 (second terminal unique ID collation unit) displays a second guidance screen indicating that it is necessary to make a push authentication request from the first terminal 3 within the predetermined short time. (S161).
  • the user accesses the web server 5 from the first terminal 3 (S201). Then, the login screen 30 is transmitted from the web server 5 to the first terminal 3 (S203), and the first terminal 3 displays the login screen.
  • the web server 5 generates an unlogged session key (S204) and stores it in the database 9 (storage unit 223) (S205).
  • the login screen 30 displays a user ID input field 301, a password input field 303, a login button 305, and a push authentication button 307, and the user is a user ID and an authentication method of whether password authentication is push authentication or non-push authentication (S207).
  • the first terminal 3 When the user inputs the user ID into the user ID input field 301 (S209) and push authentication is selected by pressing the push authentication button 307, the first terminal 3 receives the user ID and the first push authentication. The request is transmitted to the web server 5 (S211).
  • the web server 5 (identification information collation unit 203) collates the user ID received from the first terminal with the user ID stored in the database 9 (storage unit 223) in step S105, and receives it from the first terminal 3. If there is a user ID that matches the user ID, it is checked whether a push authentication permission flag is effectively stored in the database 9 (storage unit 223) for the user ID (S213 ′). When a user ID that matches the user ID received from the first terminal 3 exists and the push authentication permission flag is effectively stored for the user ID, the web server 5 (push ID generation unit 205) A push ID is generated (S215).
  • the web server 5 stores the generated push ID in the database 9 (storage unit 223) in association with the unlogged session key stored in the database 9 (storage unit 223) (S217). Further, the web server 5 (push ID generation unit 205) transmits the push ID, the user ID, and the second push authentication request to the first application server 6 (S219). At the same time, the web server 5 (push ID generation unit 205) transmits a screen indicating the push ID and the authentication process to the first terminal 3 (S221 '). At this time, the push ID may be embedded in a screen indicating that the authentication process is being performed.
  • step S213 there is no user ID that matches the user ID received from the first terminal 3, or the push authentication permission flag is valid for the user ID that matches the user ID received from the first terminal 3. If not stored, the web server 5 (identification information collation unit 203) transmits a screen indicating authentication failure to the first terminal 3 (S221 ′). Instead of the configuration in which the screen indicating the authentication failure is transmitted to the first terminal 3, the authentication process is terminated at a later appropriate time, or the authentication process is terminated in consideration of other conditions. The authentication failure process may be performed.
  • the push authentication request from the second terminal is required, and the push authentication request from the second terminal is valid
  • the push authentication request from the second terminal is valid
  • FIG. 10 is a diagram showing a functional configuration of the authentication subsystem according to the third embodiment of the present invention.
  • 11A to 11C are a part of a sequence diagram illustrating an example of push authentication processing according to the third embodiment of the present invention.
  • An example of the authentication system and the authentication process of the authentication system according to the third embodiment of the present invention will be described with reference to FIGS. 10 and 11A to 11C.
  • 9A to 9C parts corresponding to those in FIGS. 5A to 5C and FIGS. 8A to 8C are denoted by the same reference numerals, and the description overlapping with the first and second embodiments is omitted.
  • the overall configuration and hardware configuration of the authentication system according to the third embodiment are the same as those in the first and second embodiments, and a description thereof will be omitted.
  • the authentication subsystem 2 includes a user agent reception unit 210 in addition to the configuration of the second embodiment.
  • the identification information matching unit 203 receives the first terminal 3 from the first terminal 3 after transmitting the identification information input to the first terminal 3 and the first push authentication request to the identification information matching unit 203.
  • the identification information associated with the unique ID of the second terminal and the identification information stored in the storage unit 223 is collated, and there is identification information that matches the identification information received from the first terminal 3. Then, it is checked whether or not the push authentication permission flag is effectively stored in the storage unit 223 for the identification information.
  • the identification information matching unit 203 also includes a combination of the identification information received from the first terminal 3 and the user agent of the first terminal 3, the identification information stored in the storage unit 223, and the user agent of the first terminal. Match combinations of.
  • the user agent reception unit 210 Upon receiving the user agent from the second terminal 4, the user agent reception unit 210 stores the user agent in association with the user ID received from the push ID generation unit 205 and stores the storage unit 223 and starts a push authentication operation. A user agent registration completion notification is transmitted to the request unit.
  • the first terminal 3 transmits the input identification information and the first push authentication request to the identification information matching unit 203. Further, the push ID received from the push ID generation unit 205 is effectively stored for a predetermined short time, and the push ID is transmitted to the push ID reception unit 209. When the push authentication completion notification is received, the push ID stored in the first terminal 3 and the token ID received from the token ID transmission unit 215 are transmitted to the push ID / token ID reception unit 217. In addition, the user agent of the first terminal 3 is transmitted to the identification information matching unit 203.
  • the first application server 6 includes, in the authentication subsystem 2, a second terminal unique ID collation unit 202, a second terminal unique ID acquisition unit 207, a push authentication operation completion notification reception unit 212, a user agent reception unit 210, a token ID A generation unit 213, a push ID verification unit 214, and a push ID / token ID verification unit 219 are provided.
  • Steps S151 to S159 are the same as those in the second embodiment, and a description thereof will be omitted.
  • the user accesses the web server 5 from the first terminal 3 (S201).
  • the web server 5 since the user agent of the first terminal 3 is transmitted from the first terminal 3 to the web server 5, the web server 5 stores the received user agent of the first terminal 3 in the database 9. (Storage unit 223).
  • the web server 5 transmits the login screen 30 to the first terminal 3 (S203), and the first terminal 3 displays the login screen.
  • the web server 5 generates an unlogged session key (S204) and stores it in the database 9 (storage unit 223) (S205).
  • the login screen 30 displays a user ID input field 301, a password input field 303, a login button 305, and a push authentication button 307, and the user is a user ID and an authentication method of whether password authentication is push authentication or non-push authentication (S207).
  • the first terminal 3 When the user inputs the user ID into the user ID input field 301 (S209) and push authentication is selected by pressing the push authentication button 307, the first terminal 3 receives the user ID and the first push authentication. The request is transmitted to the web server 5 (S211).
  • the web server 5 (identification information collation unit 203) collates the user ID received from the first terminal with the user ID stored in the database 9 (storage unit 223) in step S105, and receives it from the first terminal 3. If there is a user ID that matches the selected user ID, it is checked whether a push authentication permission flag is effectively stored in the database 9 (storage unit 223) for the user ID, and the first terminal 3 is compared with the user agent stored in the database 9 (storage unit 223) and the user agent stored in the database 9 (storage unit 223) in step S233c described later (S213 ′′).
  • the web server 5 When a user ID that matches the user ID received from the first terminal 3 exists and the push authentication permission flag is effectively stored for the user ID, the web server 5 (push ID generation unit 205) A push ID is generated (S215). Then, the web server 5 stores the generated push ID in the database 9 (storage unit 223) in association with the unlogged session key stored in the database 9 (storage unit 223) (S217). Further, the web server 5 (push ID generation unit 205) transmits the push ID, the user ID, and the second push authentication request to the first application server 6 (S219 ′′).
  • the user agent received from the first terminal 3 and matched with the user agent stored in the database 9 (storage unit 223) is associated with the user ID corresponding to the user agent in step S233c described later.
  • the web server 5 push ID generation unit 205) determines the first ID in addition to the push ID, the user ID, and the second push authentication request.
  • the user agent received and stored from the terminal 3 is transmitted to the first application server 6.
  • the web server 5 push ID generation unit 205) transmits a screen indicating the push ID and the authentication process to the first terminal 3 (S221 ').
  • the push ID may be embedded in a screen indicating that the authentication process is being performed.
  • step 213 ′′ there is no user ID that matches the user ID received from the first terminal 3, or the push authentication permission flag is set for the user ID that matches the user ID received from the first terminal 3. If not stored effectively, the web server 5 (identification information collation unit 203) transmits a screen indicating authentication failure to the first terminal 3 (S221 ′).
  • the first application server 6 (second terminal unique ID acquisition unit 207) receives the second push authentication request from the web server 5
  • the first application server 6 second terminal unique ID acquisition unit 207
  • the unique ID of the second terminal 4 stored in the database 9 storage unit 223)
  • the push ID and user agent received together with the second push authentication request are received It is transmitted to the push notification server 8 together with the user agent (S225 ′′).
  • the first terminal 3 stores the push ID received from the web server 5 effectively for a predetermined short time, for example, 30 seconds (S227), and asynchronously receives the received push ID to the second application server 7. It transmits by communication (S229).
  • asynchronous communication method any appropriate method such as Websocket can be used. By using asynchronous communication, the waiting load of the web server 5 can be reduced.
  • the second application server 7 stores the push ID received from the first terminal 3 in the storage unit 9 (S231).
  • the push notification server 8 (push authentication operation start request unit 211) does not receive the user agent
  • the push notification server 8 (the push authentication operation start request unit 211), based on the unique ID of the second terminal 4 received from the first application server 6, 4, the push ID received from the first application server 6 and the push authentication operation start request are transmitted (S233).
  • the push notification server 8 (the push authentication operation start request unit 211) receives the user agent
  • the push notification server 8 (the push authentication operation start request unit 211), based on the unique ID of the second terminal 4 received from the first application server 6, 4 indicates that a push authentication request has been received from a terminal (browser) without registration, and transmits a user agent registration permission / prohibition screen for inputting whether to permit registration of the terminal (browser) (S233a).
  • the second terminal 4 transmits the user agent to the first application server 6 (user agent reception unit 210) ( S233b).
  • the first application server 6 user agent receiving unit 210) stores the user agent in the database 9 (storage unit 223) in association with the user ID received in step 219 ′′ (step 219 ′′).
  • a user agent registration completion notification is transmitted to the push notification server 8 (push authentication operation start request unit 211) (S233d).
  • the push notification server 8 push authentication operation start request unit 211) sends the push ID received from the first application server 6 and the push authentication operation start request to the second terminal 4. Transmit (S233).
  • the registration of the user agent is performed by allowing the user to register when the user agent is determined to be unregistered.
  • the use of push authentication in the first embodiment is used. It can be performed at any appropriate timing, for example, in the registration process of information necessary for the above.
  • a verification method with higher security can be realized by collating the user agent of the first terminal.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Signal Processing (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Lock And Its Accessories (AREA)

Abstract

L'invention concerne un système d'authentification, comportant un premier terminal, un deuxième terminal et un sous-système d'authentification. Le premier terminal envoie au sous-système d'authentification des informations d'authentification et une première demande d'authentification de distribution sélective qui ont été introduites dans le premier terminal. Le sous-système d'authentification compare les informations d'identification qui ont été reçues en provenance du premier terminal avec des informations d'identification qui sont stockées en association avec un identifiant unique du deuxième terminal, et si des informations d'identification qui sont présentes concordent avec les informations d'identification qui ont été reçues en provenance du premier terminal, envoie une demande de commencement d'opération d'authentification de distribution sélective au deuxième terminal sur la base de l'identifiant unique du deuxième terminal qui est stocké en association avec les informations d'identification. À réception de la demande de commencement d'opération d'authentification de distribution sélective, le deuxième terminal sollicite un utilisateur de l'authentification de distribution sélective uniquement pour une opération prescrite qui n'est pas associée à une saisie d'informations d'authentification de ce que l'utilisateur connaît, d'informations d'authentification de ce que l'utilisateur possède, ou d'informations d'authentification biométrique de l'utilisateur. Lorsque l'opération prescrite est réalisée par l'utilisateur, le deuxième terminal envoie une notification d'achèvement d'opération d'authentification de distribution sélective au sous-système d'authentification.
PCT/JP2017/028806 2016-08-08 2017-08-08 Système d'authentification, procédé, programme et support d'enregistrement sur lequel un programme est enregistré WO2018030421A1 (fr)

Priority Applications (1)

Application Number Priority Date Filing Date Title
US16/270,347 US10659461B2 (en) 2016-08-08 2019-02-07 System, method, and recording medium storing program for authentication

Applications Claiming Priority (4)

Application Number Priority Date Filing Date Title
JP2016155997A JP6104439B1 (ja) 2016-08-08 2016-08-08 認証のためのシステム、方法、プログラム、及びプログラムを記録した記録媒体
JP2016-155997 2016-08-08
JP2017-004428 2017-01-13
JP2017004428A JP6321834B2 (ja) 2016-08-08 2017-01-13 認証のためのシステム、方法、プログラム、及びプログラムを記録した記録媒体

Related Child Applications (1)

Application Number Title Priority Date Filing Date
US16/270,347 Continuation US10659461B2 (en) 2016-08-08 2019-02-07 System, method, and recording medium storing program for authentication

Publications (1)

Publication Number Publication Date
WO2018030421A1 true WO2018030421A1 (fr) 2018-02-15

Family

ID=61162310

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/JP2017/028806 WO2018030421A1 (fr) 2016-08-08 2017-08-08 Système d'authentification, procédé, programme et support d'enregistrement sur lequel un programme est enregistré

Country Status (1)

Country Link
WO (1) WO2018030421A1 (fr)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2006018892A1 (fr) * 2004-08-20 2006-02-23 Yoshiaki Kosaka Systeme d’authentification telephonique empechant la mystification meme lorsque des informations personnelles sont divulguees
JP2014215620A (ja) * 2013-04-22 2014-11-17 株式会社日立システムズ 認証システムおよび認証方法
JP2015111329A (ja) * 2013-11-06 2015-06-18 株式会社あいびし ネットワークサービス提供システム、ネットワークサービス提供方法、及びプログラム

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2006018892A1 (fr) * 2004-08-20 2006-02-23 Yoshiaki Kosaka Systeme d’authentification telephonique empechant la mystification meme lorsque des informations personnelles sont divulguees
JP2014215620A (ja) * 2013-04-22 2014-11-17 株式会社日立システムズ 認証システムおよび認証方法
JP2015111329A (ja) * 2013-11-06 2015-06-18 株式会社あいびし ネットワークサービス提供システム、ネットワークサービス提供方法、及びプログラム

Similar Documents

Publication Publication Date Title
JP6321834B2 (ja) 認証のためのシステム、方法、プログラム、及びプログラムを記録した記録媒体
US11847199B2 (en) Remote usage of locally stored biometric authentication data
CN107430654B (zh) 切换生物特征认证的方法和系统
CN111241517B (zh) 一种生物特征验证问答库的构建方法和装置
US9762573B2 (en) Biometric framework allowing independent application control
US11128634B1 (en) System and method for providing a web service using a mobile device capturing dual images
CN105100108B (zh) 一种基于人脸识别的登录认证方法、装置及系统
US9830445B1 (en) Personal identification number (PIN) replacement in a one-time passcode based two factor authentication system
CN110781468A (zh) 一种身份认证的处理方法、装置、电子设备及存储介质
US11245695B2 (en) Secure two-way authentication using encoded mobile image
KR20180096457A (ko) 인증 관리 방법 및 시스템
CN103795716A (zh) 登录网络账户的方法、登录网络账户的装置及终端
US10936705B2 (en) Authentication method, electronic device, and computer-readable program medium
EP3118760B1 (fr) Système de gestion d'informations d'authentification, dispositif de gestion d'informations d'authentification, programme, support d'enregistrement et procédé de gestion d'informations d'authentification
US20180373861A1 (en) Time-Based Digit Entry Method to Verify Identification Constructs
CN112292845A (zh) 信息处理设备、信息处理方法和程序
CN110709783A (zh) 使用生物计量签名来对用户进行认证的方法、系统和介质
CN111756703A (zh) 调试接口管理方法、装置和电子设备
WO2018030421A1 (fr) Système d'authentification, procédé, programme et support d'enregistrement sur lequel un programme est enregistré
US10778434B2 (en) Smart login method using messenger service and apparatus thereof
JP4698502B2 (ja) 携帯電話を利用した端末装置認証システム、認証方法およびそのプログラム
CN108418829B (zh) 账号登陆验证方法、装置、计算机设备及存储介质
US12021860B2 (en) Systems and methods for multi-stage, identity-based, digital authentication
KR101699167B1 (ko) Otp 인증 시스템, 단말 및 이를 이용한 인증 방법
US20230379324A1 (en) Systems and methods for multi-stage, biometric-based, digital authentication

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 17839491

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 17839491

Country of ref document: EP

Kind code of ref document: A1