WO2018090839A1 - Identity authentication system, method, and apparatus, and account authentication method - Google Patents


Publication number
WO2018090839A1
Authority
WO
WIPO (PCT)
Prior art keywords
information
evaluation
account
user
user equipment
Application number
PCT/CN2017/109215
Inventor
王珊珊
陆琴
叶鹏
林晶晶
余莲斌
王盛
朱凯
王炎
薛晖
李东
Original Assignee
阿里巴巴集团控股有限公司
Application filed by 阿里巴巴集团控股有限公司

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/44 Program or device authentication
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31 User authentication
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0876 Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/102 Entity profiles
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2113 Multi-level security, e.g. mandatory access control

Definitions

  • The present invention relates to the field of the Internet, and in particular to an identity authentication system, method, device, and account authentication method.
  • The identity authentication process of personal online business has also undergone rapid changes.
  • An authentication method based on the individual user's hand-held passport photo was proposed; later, it was gradually upgraded to require the individual user to upload or submit a specified dynamic gesture image; nowadays, adding a big data risk management model to real person authentication makes it possible to diversify the technical means of identity authentication.
  • The mainstream identity authentication method adopted in the related art can generally only verify the user's identity in the authentication phase, based on several pieces of information such as a user name, the user's personal identification document, and the user's face image.
  • The embodiments of the present invention provide an identity authentication system, method, device, and account authentication method, so as to at least solve the technical problem that the identity authentication method used in the related technology is relatively simple and that it is difficult to prevent forgery or alteration of false identity information.
  • An identity authentication system, including a user equipment and an authentication server. The user equipment is configured to run an application and to request the authentication server to perform authentication status detection on the user account corresponding to the application;
  • the authentication server is configured to, after determining that the user account is an account to be authenticated, perform an evaluation using the acquired historical association data of the user account to obtain an evaluation result, determine the corresponding identity authentication mode according to the evaluation result, and perform identity authentication, where the historical association data is information associated with the user account acquired during the preset service period.
  • The historical association data includes at least one of the following: user equipment information, user identity information, user network behavior information, and user service information.
  • The authentication server is further configured to send the authorization authentication information to the user equipment.
  • The authentication server is further configured to analyze the historical association data, construct an evaluation model, and tally the level or score corresponding to each feature indicator in the evaluation model to obtain the evaluation result.
  • The user equipment information includes at least: the Internet Protocol (IP) address information used by the user equipment, the operating system type used by the user equipment, and the usage record of the user equipment. The authentication server is further configured to build an evaluation model according to the user equipment information and to obtain the evaluation result by tallying the level or score corresponding to each feature indicator in the evaluation model, where the feature indicators in the evaluation model include: determining from the IP address information whether the user equipment has performed an illegal operation, determining from the operating system type whether the operating system used by the user equipment has a security vulnerability, and determining from the usage record whether the user equipment has installed a high-risk application.
  • The preset service period includes a first evaluation period and a second evaluation period.
  • The authentication server is further configured to analyze the change trend of the historical association data in the first evaluation period and the second evaluation period to obtain the evaluation result.
  • The authentication server is further configured to determine, according to the evaluation result, the verification steps to be performed and the identity authentication association information to be collected in each verification step, and to perform identity authentication according to the verification steps to be performed and the identity authentication association information to be collected in each verification step.
  • An identity authentication method for selecting an identity authentication mode, including:
  • acquiring historical association data of the user account corresponding to the application, where the historical association data is information associated with the user account acquired in the preset service period; performing an evaluation using the historical association data to obtain an evaluation result; and determining the corresponding identity authentication mode according to the evaluation result and performing identity authentication.
  • The historical association data includes at least one of the following: user equipment information, user identity information, user network behavior information, and user service information.
  • Before acquiring the historical association data, the method further includes: receiving a first request message from the user equipment, where the user equipment is used to run the application; and performing authentication status detection on the user account according to the first request message and returning a first response message to the user equipment, where the first response message is used to confirm that the user account is an account to be authenticated.
  • The method further includes: receiving a second request message from the user equipment; determining, according to the second request message, the authorization authentication information to be delivered; and returning a second response message to the user equipment, where the second response message carries the authorization authentication information.
  • Performing the evaluation using the historical association data to obtain the evaluation result includes: analyzing the historical association data and constructing the evaluation model, where the evaluation model includes a level or score corresponding to each feature indicator in the historical association data; and tallying the level or score corresponding to each feature indicator in the evaluation model to obtain the evaluation result.
  • The user equipment information includes at least the following feature indicators: the Internet Protocol (IP) address information used by the user equipment, the operating system type used by the user equipment, and the usage record of the user equipment. Analyzing the historical association data and constructing the evaluation model includes: obtaining the IP address information, the operating system type, and the usage record included in the user equipment information, and constructing the evaluation model. Tallying the level or score corresponding to each feature indicator in the evaluation model to obtain the evaluation result includes: determining from the IP address information whether the user equipment has performed an illegal operation and tallying the corresponding level or score; determining from the operating system type whether the operating system used by the user equipment has a security vulnerability and tallying the corresponding level or score; determining from the usage record whether the user equipment has installed a high-risk application and tallying the corresponding level or score; and obtaining the evaluation result by tallying the level or score corresponding to each feature indicator.
  • The IP address information, the operating system type, and the usage record are used as input information, and the evaluation model is constructed by using a random forest algorithm.
  • The preset service period includes a first evaluation period and a second evaluation period, and performing the evaluation using the historical association data to obtain the evaluation result includes: obtaining the change trend of the historical association data in the first evaluation period and the second evaluation period; and analyzing the change trend to obtain the evaluation result.
  • Determining the corresponding identity authentication mode according to the evaluation result and performing identity authentication includes: determining, according to the evaluation result, the verification steps to be performed and the identity authentication association information to be collected in each verification step; and performing identity authentication according to the verification steps to be performed and the identity authentication association information to be collected in each verification step.
  • Another identity authentication method for selecting an identity authentication mode, including:
  • running the application; and triggering the authentication server to perform authentication status detection on the user account corresponding to the application, where the authentication status detection is used to perform an evaluation using the acquired historical association data of the user account to obtain an evaluation result and to determine the corresponding identity authentication mode according to the evaluation result, and
  • the historical association data is information associated with the user account acquired in the preset service period.
  • An account authentication method for determining whether an account operator has changed, including:
  • acquiring first period association data and second period association data of the account to be authenticated, where the first period association data is data associated with the account to be authenticated in the first time period, the second period association data is data associated with the account to be authenticated in the second time period, and the first time period is not exactly the same as the second time period;
  • performing a similarity calculation on the first period association data and the second period association data to obtain a similarity result; and determining, based on the similarity result, whether the operator of the account to be authenticated has changed.
  • The data associated with the account to be authenticated in the first time period is a first operation information set, and the data associated with the account to be authenticated in the second time period is a second operation information set.
  • Performing the similarity calculation on the first period association data and the second period association data includes: calculating the difference set of the first operation information set and the second operation information set. Determining whether the operator of the account to be authenticated has changed according to the similarity result includes: if the difference set exceeds a predetermined threshold, determining that the operator of the account to be authenticated has changed.
  • The data associated with the account to be authenticated in the first time period is a first device information set, and the data associated with the account to be authenticated in the second time period is a second device information set.
  • Performing the similarity calculation on the first period association data and the second period association data includes: calculating the difference set of the first device information set and the second device information set. Determining whether the operator of the account to be authenticated has changed according to the similarity result includes: if the difference set exceeds a predetermined threshold, determining that the operator of the account to be authenticated has changed.
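
The device-information variant of this check, as an added example that is not code from the patent: it builds the two device information sets from login events and compares the size of their difference set with a threshold. The event fields, the ten-day adjacent periods, the use of the symmetric difference, and the threshold value are assumptions, and all sample events are constructed.

```python
from datetime import datetime, timedelta


def device_sets(events, now, days=10):
    """Split (timestamp, os, model, ip_location) events into two adjacent periods.

    The first period is the `days` closest to `now`; the second period is the
    `days` immediately before it. Each set holds distinct device-info tuples.
    """
    first_start = now - timedelta(days=days)
    second_start = now - timedelta(days=2 * days)
    first, second = set(), set()
    for ts, os_type, model, ip_location in events:
        item = (os_type.lower(), model.lower(), ip_location)
        if first_start < ts <= now:
            first.add(item)
        elif second_start < ts <= first_start:
            second.add(item)
        # Events outside both periods are ignored.
    return first, second


def operator_changed(first, second, threshold=1):
    """Return (decision, difference_set).

    decision is True when the difference set is larger than `threshold`,
    False when it is not, and None when either period has no data, because
    an empty period says nothing about who operated the account.
    """
    if not first or not second:
        return None, set()
    difference = first ^ second  # symmetric difference (assumption)
    return len(difference) > threshold, difference


# Constructed sample data: an account whose device, OS and IP location all
# change between the two periods, and one that stays on the same device.
NOW = datetime(2017, 11, 3, 12, 0)
CHANGED_EVENTS = [
    (NOW - timedelta(days=40), "iOS", "iPhone", "C"),       # too old, ignored
    (NOW - timedelta(days=18), "iOS", "iPhone", "C"),
    (NOW - timedelta(days=14), "iOS", "iPhone", "C"),
    (NOW - timedelta(days=6), "Android", "model-x", "D"),
    (NOW - timedelta(days=2), "Android", "model-x", "E"),
]
STABLE_EVENTS = [
    (NOW - timedelta(days=15), "iOS", "iPhone", "C"),
    (NOW - timedelta(days=4), "iOS", "iPhone", "C"),
    (NOW - timedelta(days=1), "ios", "iphone", "C"),        # same device, other casing
]


def check(events, now=NOW, threshold=1):
    """Run both steps and return only the decision."""
    first, second = device_sets(events, now)
    decision, _ = operator_changed(first, second, threshold)
    return decision


if __name__ == "__main__":
    print("changed account:", check(CHANGED_EVENTS))
    print("stable account:", check(STABLE_EVENTS))
```

With a threshold of 1, a single new IP location on an otherwise unchanged device does not trip the check, while a simultaneous change of device and location does.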
  • An identity authentication apparatus for selecting an identity authentication mode, including:
  • an obtaining module, configured to acquire historical association data of the user account corresponding to the application, where the historical association data is information associated with the user account acquired in the preset service period; an evaluation module, configured to perform an evaluation using the historical association data to obtain an evaluation result; and an authentication module, configured to determine the corresponding identity authentication mode according to the evaluation result and perform identity authentication.
  • Another identity authentication apparatus for selecting an identity authentication mode, including:
  • a running module, configured to run the application; and a triggering module, configured to trigger the authentication server to perform authentication status detection on the user account corresponding to the application, where the authentication status detection is used to perform an evaluation using the acquired historical association data of the user account to obtain an evaluation result and to determine the corresponding identity authentication mode according to the evaluation result, and the historical association data is information associated with the user account acquired in the preset service period.
  • The historical association data of the user account corresponding to the application (that is, the information associated with the user account acquired in the preset service period) is acquired, the historical association data is used for evaluation to obtain an evaluation result, and the corresponding identity authentication mode is determined from the evaluation result before identity authentication is performed. This achieves the purpose of identifying each user account separately by the historical association data the account has accumulated, thereby achieving the technical effect of monitoring the authenticity and reliability of the user's identity in real time over the long term and improving the identity security level, and solving the technical problem that the identity authentication method used in the related technology is relatively simple and that it is difficult to prevent forgery or alteration of false identity information.
  • An objective operational basis can also be provided by matching the similarity between the account association information and/or the related operation records in different periods.
  • FIG. 1 is a block diagram showing the hardware structure of an identity authentication system according to an embodiment of the present invention.
  • FIG. 2 is a schematic diagram of an application interface operation of triggering an authentication process according to a preferred embodiment of the present invention
  • FIG. 3 is a flow chart of an identity authentication method according to an embodiment of the present invention.
  • FIG. 4 is a flowchart of another identity authentication method according to an embodiment of the present invention.
  • FIG. 5 is a flowchart of an account authentication method according to an embodiment of the present invention.
  • FIG. 6 is a structural block diagram of an identity authentication apparatus according to an embodiment of the present invention.
  • FIG. 7 is a structural block diagram of an identity authentication apparatus according to a preferred embodiment of the present invention.
  • FIG. 8 is a structural block diagram of another identity authentication apparatus according to an embodiment of the present invention.
  • Intelligent terminal application: a client installed in the intelligent terminal that extends the functions of the intelligent terminal itself and implements user-specific business needs, such as an online shopping APP, an online payment APP, or a second-hand trading APP.
  • Historical association data: information associated with the user account that can be obtained in a preset service period, where the preset service period can be either the period from successful registration of the user account to the triggering of the authentication process, or a specific time period after the user account is successfully registered;
  • the information associated with the user account may include, but is not limited to, at least one of the following: user identity information, user network behavior information, user equipment information used by the user, and user service information, where
  • the user identity information may include, but is not limited to, at least one of: a user account registered by the user for using a function provided by the specific application, information presented by the user in the identity document provided at the time of registration, the user's contact information, and the user's family.
  • User equipment information may include, but is not limited to, at least one of: the operating system used by the user equipment, the model of the user equipment, the International Mobile Subscriber Identity (IMSI) or International Mobile Equipment Identity (IMEI) of the user equipment, and the Internet Protocol (IP) address and/or media access control (MAC) address used by the user equipment.
  • User network behavior information may include, but is not limited to, at least one of: the current authentication operation behavior, and past behavior associated with the user account before performing identity authentication (e.g., as embodied in shopping records).
  • The user service information may include, but is not limited to, at least one of the following: a shopping record, a user operation track.
  • The user equipment 10 can be connected, or electronically connected, to one or more authentication servers 20 via a data network.
  • The user equipment 10 may be a personal computer (PC), a smart phone, or a tablet computer.
  • The data network connection can be a local area network connection, a wide area network connection, an internet connection, or another type of data network connection.
  • The user equipment 10 can connect to a network service run by a server or a group of servers.
  • A network service is a web-based user service such as a social network, cloud resources, email, online payment, or another online application.
  • The user equipment 10 is configured to run an application and to request the authentication server to perform authentication status detection on the user account corresponding to the application.
  • The authentication server 20 is configured to, after determining that the user account is an account to be authenticated, perform an evaluation using the acquired historical association data of the user account to obtain an evaluation result, determine the corresponding identity authentication mode according to the evaluation result, and perform identity authentication, where the historical association data is information associated with the user account acquired in the preset service period.
  • FIG. 2 is a schematic diagram of an application interface operation for triggering an authentication process in accordance with a preferred embodiment of the present invention.
  • the user for example, the user's second-hand sale
  • the user device can log in to the pre-registered user account after running.
  • the user equipment needs to detect whether the user account is opened through the online store account. If it is not yet enabled, the user equipment needs to be triggered to check the user authentication status.
  • The user equipment invokes the real authentication server (i.e., the authentication server 20) to determine the current user authentication status, and then determines whether the authentication process needs to be performed on the user.
  • The judgment basis of the real authentication server may include, but is not limited to, at least one of the following: user identity information (e.g., user name, user's ID number), the operating system used by the user equipment (e.g., Android, iOS), and the performance of the user equipment itself (e.g., hardware configuration, whether a jailbreak operation has been performed).
  • The authentication server 20 is further configured to send the authorization authentication information to the user equipment.
  • The user equipment needs to request the authorization authentication information, such as a Token, from the real authentication server and obtain the authorization authentication information returned by the real authentication server.
  • The authorization authentication information is used for authentication authority verification, generating an authentication task, and transmission between different authentication execution entities.
  • Taking a Token as an example, its format can include the following three parts:
  • claims set used to represent stored data, which may include: user authorization information;
  • The authentication server 20 is further configured to analyze the historical association data, construct an evaluation model, and tally the level or score corresponding to each feature indicator in the evaluation model to obtain the evaluation result.
  • After obtaining the Token issued by the real authentication server, the user equipment requests the real authentication server to start the identity authentication process.
  • The real authentication server selects a corresponding authentication channel for the user according to the service type of the application used by the user. During identity authentication over the selected authentication channel, the real authentication server can obtain historical association data such as the user identity information uploaded by the user through the user equipment, the network behavior information of the user, the user equipment information used by the user, and the user's biometric information that has already been collected, and use it to establish an evaluation model for comprehensive judgment, so as to determine the user's degree of risk and provide differentiated authentication methods for users of different risk levels.
  • The user identity information may include, but is not limited to, at least one of the following: the user account registered for the function provided by the specific application, the information presented by the user in the identity document provided at the time of registration, the user's contact information, and the user's home address and/or work unit address. The user equipment information may include, but is not limited to, at least one of the following: the operating system used by the user equipment, the model of the user equipment, and the International Mobile Subscriber Identity (IMSI)/International of the user equipment.
  • User network behavior information may include, but is not limited to, at least one of: the current authentication operation behavior, and past behavior associated with the user account prior to performing identity authentication (e.g., shopping records). Biometric information may include, but is not limited to, at least one of: voiceprint, fingerprint, eye, iris, static user image, and dynamic liveness-detection user image.
  • Liveness detection instructs the user to complete one or more specified actions in a specific scenario, for example shaking the head, nodding, or saying a sentence; its purpose is to determine that the user currently undergoing identity authentication is a real live person and not a photo.
  • The user equipment information includes at least: the Internet Protocol (IP) address information used by the user equipment, the operating system type used by the user equipment, and the usage record of the user equipment. The authentication server is further configured to build an evaluation model according to the user equipment information and to obtain the evaluation result by tallying the level or score corresponding to each feature indicator in the evaluation model, where the feature indicators in the evaluation model include: determining from the IP address information whether the user equipment has performed an illegal operation, determining from the operating system type whether the operating system used by the user equipment has a security vulnerability, and determining from the usage record whether the user equipment has installed a high-risk application.
  • An algorithm such as a random forest algorithm may be employed to construct the above evaluation model, and the evaluation model is adopted as a main judgment factor for risk prevention and control.
  • The input information of the evaluation model may include, but is not limited to, the user equipment information, the user identity information, the user network behavior information, and the user service information.
  • The output information obtained by the random forest algorithm is the model score, and finally the corresponding authentication method is determined according to the model score.
  • Feature construction is required, that is, the authenticity of the available data obtained is determined;
  • feature analysis is carried out, that is, feature quality analysis, feature monotonicity analysis, feature importance analysis, and feature synthesis are performed on the constructed features.
  • The random forest algorithm is used for model selection, and finally the evaluation result is obtained.
  • Take the case where the historical association data is user equipment information as an example.
  • The comprehensive determination of the user's risk level by constructing the evaluation model may include: if the IP address belongs to a place where a telecom fraud case has occurred before, the security level of the user equipment using the IP address may be reduced (for example, the security level is lowered by 1 level) or its security score may be reduced (for example, the security score is deducted by 1 point).
  • Other information contained in the historical association data can also be used in turn to construct an evaluation model for security assessment. For example, if there are multiple malicious network behaviors (for example, swipe) under the user account on a specific user equipment, the credit level can be reduced before the user equipment runs the application to perform a shopping operation, thereby raising the identity authentication threshold. If the personal information uploaded after logging in to the user account does not match the related information previously stored by the real authentication server, the credit level can be reduced before the user account runs the application to perform a shopping operation or a transfer operation, thereby raising the identity authentication threshold. If the user places an order for a large number of items in the shopping cart but does not pay on time, the credit level can likewise be reduced before the user account runs the application to perform a shopping operation or a transfer operation, thereby raising the identity authentication threshold.
  • Depending on the business type of the application, the evaluation can be based on only one of the judgment factors, or multiple judgment factors can be combined and scored to determine whether the identity authentication threshold needs to be raised.
  • The above examples of historical association data are merely illustrative and are not intended to unduly limit the content contained in the historical association data.
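
The device-based evaluation and the choice of verification steps described above, as an added example that is not code from the patent: it uses a plain additive score instead of a random forest, and it applies the one-point deduction the description gives for a flagged IP address to the other two feature indicators as well, which is an assumption. The reference lists, the base score, and the score-to-steps mapping are hypothetical, and the sample devices are constructed.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed reference data for the three feature indicators (assumptions).
FLAGGED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]  # documentation range
VULNERABLE_OS = {("android", "4.4")}          # hypothetical vulnerable OS list
HIGH_RISK_APPS = {"com.example.autoclicker"}  # hypothetical high-risk package

BASE_SCORE = 3  # one point per feature indicator (assumption)

# Hypothetical mapping from the evaluation result to the verification steps
# and the identity authentication information collected in each step.
STEPS_BY_SCORE = {
    3: ["identity_document"],
    2: ["identity_document", "static_face_image"],
    1: ["identity_document", "static_face_image", "liveness_detection"],
    0: ["identity_document", "static_face_image", "liveness_detection",
        "voiceprint"],
}


@dataclass
class DeviceInfo:
    ip: str
    os_type: str
    os_version: str
    usage_record: set = field(default_factory=set)  # package names seen on the device


def ip_is_flagged(ip):
    """True if the address is in a flagged network; unparsable input counts as flagged."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return True  # fail closed: a malformed address must not earn a clean score
    return any(addr in net for net in FLAGGED_NETWORKS)


def evaluate(device):
    """Deduct one point per feature indicator that fires; return (score, findings)."""
    score = BASE_SCORE
    findings = []
    if ip_is_flagged(device.ip):
        score -= 1
        findings.append("ip")
    if (device.os_type.lower(), device.os_version) in VULNERABLE_OS:
        score -= 1
        findings.append("os")
    if device.usage_record & HIGH_RISK_APPS:
        score -= 1
        findings.append("app")
    return score, findings


def select_authentication(device):
    """Map the evaluation result to the verification steps to perform."""
    score, findings = evaluate(device)
    return {"score": score, "findings": findings, "steps": STEPS_BY_SCORE[score]}


if __name__ == "__main__":
    clean = DeviceInfo("198.51.100.7", "iOS", "11.0", {"com.example.shop"})
    risky = DeviceInfo("203.0.113.9", "Android", "4.4", {"com.example.autoclicker"})
    for device in (clean, risky):
        print(device.ip, select_authentication(device))
```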
  • the foregoing preset service period includes at least: a first evaluation period and a second evaluation period
  • the authentication server 20 is further configured to analyze the change trend of the historical association data between the first evaluation period and the second evaluation period to obtain the evaluation result.
  • The first evaluation period and the second evaluation period may be two pre-selected adjacent time periods. Assuming that the first evaluation period is the ten days closest to the current time and the second evaluation period is the ten days adjacent to those last ten days, the evaluation result is determined by comparing the change trend of the historical association data in the first evaluation period and the second evaluation period, that is, by comparing the similarity between the historical association data in the two periods.
  • For example, the sales behavior or shopping behavior of account A in the first evaluation period is always in a normal state (that is, goods are delivered normally according to the order and are of good quality, or payment is made promptly after an order is placed). However, in the second evaluation period account A shows abnormal sales behavior due to account theft or similar causes (for example, switching from selling good-quality goods at fair prices to selling inferior goods at high prices, or not shipping for a long time after buyers have paid on the basis of long-term trust) or abnormal shopping behavior (for example, frequently placing orders without paying, or frequently complaining to the seller that intact goods have quality problems and asking the seller for a return or replacement). It can then be determined that account A may have an exception such as being stolen, and the user of account A needs to be re-authenticated.
  • In the first evaluation period, account A uses an Apple mobile phone running iOS, the IP address used is located in place C, and the sales behavior during this period is always in a normal state. In the second evaluation period, because of account transfer or similar causes, account A switches from the Apple mobile phone running iOS to a Huawei mobile phone running Android, the IP address used changes from place C to place D, and abnormal sales behavior occurs during this period (for example, switching from selling good-quality goods at fair prices to selling inferior goods at high prices, or not shipping for a long time after buyers have paid on the basis of long-term trust). It can then be determined that the usage of account A may be abnormal, and the user of account A needs to be re-authenticated.
  • the authentication server 20 is further configured to determine, according to the evaluation result, the verification steps to be performed and the identity authentication association information to be collected in each verification step, and to perform identity authentication according to those verification steps and that information.
  • The software development kit (SDK) integrated in the application for performing the identity authentication function collects information according to the sequence of steps that the authentication process needs to perform and the identity authentication association information that needs to be collected in each step, and interacts with the real-person authentication server in real time.
  • Based on the evaluation result obtained from the above evaluation model, the user account can be classified as a normal account or a risk account. For a normal account, the automatic authentication process can be set up in the conventional way, including collecting a static ID image, a dynamic live-detection user image, and the like; for a risk account, a supplementary data collection process needs to be added on top of the conventionally configured automatic authentication process, for example, adding a dynamic gesture verification step to collect more user information for further checking.
  • After completing the above identity authentication process, the real-person authentication server feeds back the final identity authentication result to the user equipment.
  • the present application provides an identity authentication method as shown in FIG. 3. It should be noted that the steps shown in the flowchart of the accompanying drawings may be executed in a computer system such as a set of computer executable instructions. Also, although logical sequences are shown in the flowcharts, in some cases the steps shown or described may be performed in a different order than the ones described herein.
  • FIG. 3 is a flow chart of an identity authentication method in accordance with an embodiment of the present invention. As shown in FIG. 3, the method may include the following processing steps:
  • Step S32 Obtain historical association data of a user account corresponding to the application, where the historical association data is the information associated with the user account acquired in the preset service period;
  • Step S34 using historical correlation data to perform an evaluation, and obtaining an evaluation result
  • Step S36 Determine a corresponding identity authentication mode according to the evaluation result, and perform identity authentication.
  • the foregoing historical association data may include, but is not limited to, at least one of the following: user equipment information, user identity information, user network behavior information, and user service information.
  • Before the historical association data is obtained in step S32, the following steps may also be performed:
  • Step S30 Receive a first request message from a user equipment, where the user equipment is used to run an application;
  • Step S31 Perform authentication status detection on the user account according to the first request message, and return a first response message to the user equipment, where the first response message is used to confirm that the user account is an account to be authenticated.
  • After the first response message is returned to the user equipment in step S31, the following steps may further be performed:
  • Step S37 Receive a second request message from the user equipment;
  • Step S38 Determine the authorization authentication information to be delivered according to the second request message;
  • Step S39 Return a second response message to the user equipment, where the second response message carries the authorization authentication information.
  • In step S34, performing the evaluation using the historical association data to obtain the evaluation result may include the following steps:
  • Step S340 Analyze the historical association data and construct an evaluation model, where the evaluation model includes a level or score corresponding to each feature indicator in the historical association data;
  • Step S342 Tally the level or score corresponding to each feature indicator in the evaluation model to obtain the evaluation result.
  • the foregoing user equipment information includes at least the following feature indicators: Internet Protocol IP address information used by the user equipment, an operating system type used by the user equipment, and a usage record of the user equipment;
  • In step S340, analyzing the historical association data and constructing the evaluation model may include the following steps:
  • Step S3400 Obtain the IP address information, operating system type, and usage record included in the user equipment information, and build the evaluation model;
  • In step S342, tallying the level or score corresponding to each feature indicator in the evaluation model to obtain the evaluation result may include the following steps:
  • Step S3420 Determine, according to the IP address information, whether the user equipment has performed an illegal operation and record the corresponding level or score; determine, according to the operating system type used by the user equipment, whether that operating system has a security vulnerability and record the corresponding level or score; determine, according to the usage record of the user equipment, whether the user equipment has installed a high-risk application and record the corresponding level or score; and obtain the evaluation result by tallying the level or score corresponding to each feature indicator.
  • the preset service period includes: a first evaluation period and a second evaluation period.
  • Performing the evaluation using the historical association data to obtain the evaluation result may include the following steps:
  • Step S344 Obtain the change trend of the historical association data between the first evaluation period and the second evaluation period;
  • Step S346 Analyze the change trend to obtain the evaluation result.
  • In step S36, determining the identity authentication mode according to the evaluation result and performing identity authentication may include the following steps:
  • Step S360 determining, according to the evaluation result, the verification step to be performed and the identity authentication association information to be collected in each verification step;
  • Step S362 Perform identity authentication according to the verification step to be performed and the identity authentication association information to be collected in each verification step.
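The following Python sketch walks through steps S3400, S3420 and S360 for the user equipment indicators described above. It is an added example, not code from the patent: the reference lists, the one-point deduction per indicator, the `max_deduction` threshold and all function and step names are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Constructed reference data (assumptions for this example only).
FLAGGED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]  # IPs tied to illegal operations
VULNERABLE_OS = {("Android", "4.4")}                          # OS builds with known vulnerabilities
HIGH_RISK_APPS = {"com.example.highrisk"}                     # high-risk applications

# Verification steps named after the normal / risk account flows in the text.
BASELINE_STEPS = ["static_id_image", "live_detection_image"]
SUPPLEMENTARY_STEPS = ["dynamic_gesture_verification"]


@dataclass
class DeviceInfo:
    ip_addresses: list   # IP address information used by the user equipment
    os_type: str
    os_version: str
    usage_record: list   # applications seen installed on the device


def ip_is_flagged(ip_text):
    """True when the address parses and falls inside a flagged network."""
    try:
        addr = ipaddress.ip_address(ip_text)
    except ValueError:
        return False  # malformed log entry: ignored here, worth alerting on in practice
    return any(addr in net for net in FLAGGED_NETWORKS)


def build_evaluation_model(device):
    """S340/S3400: one score per feature indicator (0 = clean, -1 = one point deducted)."""
    ip_hit = any(ip_is_flagged(ip) for ip in device.ip_addresses)
    os_hit = (device.os_type, device.os_version) in VULNERABLE_OS
    app_hit = any(app in HIGH_RISK_APPS for app in device.usage_record)
    return {
        "ip_illegal_operation": -1 if ip_hit else 0,
        "os_security_vulnerability": -1 if os_hit else 0,
        "high_risk_app_installed": -1 if app_hit else 0,
    }


def evaluate(model, indicators=None, max_deduction=0):
    """S342/S3420: tally the scores; optionally judge on a subset of indicators."""
    chosen = model if indicators is None else {k: model[k] for k in indicators}
    total = sum(chosen.values())
    fired = sorted(k for k, v in chosen.items() if v < 0)
    account = "risk" if -total > max_deduction else "normal"
    return {"score": total, "fired": fired, "account": account}


def select_verification_steps(result):
    """S360: a risk account gets the supplementary collection step on top of the baseline."""
    if result["account"] == "risk":
        return BASELINE_STEPS + SUPPLEMENTARY_STEPS
    return list(BASELINE_STEPS)


# Constructed sample devices.
CLEAN_DEVICE = DeviceInfo(["198.51.100.7"], "iOS", "10.1", ["com.example.shop"])
RISKY_DEVICE = DeviceInfo(["203.0.113.9", "not-an-ip"], "Android", "4.4",
                          ["com.example.shop", "com.example.highrisk"])

if __name__ == "__main__":
    for name, dev in (("clean", CLEAN_DEVICE), ("risky", RISKY_DEVICE)):
        result = evaluate(build_evaluation_model(dev))
        print(name, result, select_verification_steps(result))
```

Passing `indicators=[...]` to `evaluate` corresponds to judging on a single decision factor, and raising `max_deduction` tolerates that many deducted points before the account is treated as a risk account.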
  • the present application provides another identity authentication method as shown in FIG. 4.
  • It should be noted that the steps shown in the flowchart of the accompanying drawings may be executed in a computer system such as a set of computer executable instructions, and although a logical order is shown in the flowcharts, in some cases the steps shown or described may be performed in a different order than the ones described herein.
  • FIG. 4 is a flow chart of another method of identity authentication in accordance with an embodiment of the present invention. As shown in FIG. 4, the method may include the following processing steps:
  • Step S42 running an application
  • the authentication server is configured to perform authentication status detection on the user account corresponding to the application, where the authentication status detection is used to perform the evaluation using the obtained historical association data of the user account to obtain an evaluation result, and to determine the corresponding identity authentication mode according to the evaluation result; the historical association data is information associated with the user account acquired in the preset service period.
  • the present application provides an account authentication method as shown in FIG. 5. It should be noted that the steps shown in the flowchart of the accompanying drawings may be executed in a computer system such as a set of computer executable instructions. Also, although logical sequences are shown in the flowcharts, in some cases the steps shown or described may be performed in a different order than the ones described herein.
  • FIG. 5 is a flowchart of an account authentication method according to an embodiment of the present invention. As shown in FIG. 5, the method may include the following processing steps:
  • Step S52 acquiring first period association data and second period association data of the account to be authenticated, wherein the first period association data is data associated with the account to be authenticated in the first time period, the second period association data is data associated with the account to be authenticated in the second time period, and the first time period is not exactly the same as the second time period;
  • Step S54 performing similarity calculation on the first period correlation data and the second period association data to obtain a similarity result
  • Step S56 determining whether the operator of the account to be authenticated changes according to the similarity result.
  • The first time period and the second time period may be two pre-selected adjacent time periods, that is, the first time period and the second time period do not overlap in time range; for example, the first time period is the last ten days before the current time, and the second time period is the ten days adjacent to those last ten days. The first time period and the second time period may also be two pre-selected overlapping periods; for example, the first time period is from the first to the tenth of the current month, and the second time period is from the fifth to the fifteenth of the current month. Whether the operator of the account to be authenticated has changed is determined by comparing the similarity between the first period association data and the second period association data.
  • the data associated with the account to be authenticated in the first time period may be a first operational information set; and the data associated with the account to be authenticated in the second time period may be a second operational information set;
  • In step S54, performing similarity calculation on the first period association data and the second period association data may include the following steps:
  • Step S540 calculating a difference set of the first operation information set and the second operation information set
  • In step S56, determining whether the operator of the account to be authenticated has changed according to the similarity result may include the following steps:
  • Step S560 if the difference set exceeds a predetermined threshold, it is determined that the operator of the account to be authenticated has changed.
  • For example, the sales behavior or shopping behavior of account A in the first time period is always in a normal state (that is, goods are delivered normally according to the order and are of good quality, or payment is made promptly after an order is placed), but in the second time period account A shows abnormal sales behavior due to account theft or similar causes, or abnormal shopping behavior (for example, frequently placing orders without paying, or frequently complaining to the seller that intact goods have quality problems and asking the seller for a return or exchange). By comparing the similarity between the first period association data (that is, the log of account A's sales or shopping behavior in the first time period) and the second period association data (that is, the log of account A's sales or shopping behavior in the second time period), it can be determined that the operator of account A is likely to have changed, and the operator using account A needs to be re-authenticated.
  • the data associated with the account to be authenticated in the first time period is a first device information set; and the data associated with the account to be authenticated in the second time period is a second device information set;
  • In step S54, performing similarity calculation on the first period association data and the second period association data may include the following steps:
  • Step S542 calculating a difference set of the first device information set and the second device information set
  • In step S56, determining whether the operator of the account to be authenticated has changed according to the similarity result may include the following steps:
  • Step S562 if the difference set exceeds a predetermined threshold, it is determined that the operator of the account to be authenticated has changed.
  • For example, in the first time period account A uses an Apple mobile phone running iOS, the IP address used is located in place C, and the MNC shown in the IMSI used is China Mobile. In the second time period, account A switches from the Apple mobile phone running iOS to a Huawei mobile phone running Android, the IP address used changes from place C to place D, and the MNC shown in the IMSI used changes from China Mobile to China. By comparing the similarity between the first period association data (that is, the log records related to the user equipment information used by account A in the first time period) and the second period association data (that is, the log records related to the user equipment information used by account A in the second time period), it can be determined that the operator of account A is likely to have changed, and the operator using account A needs to be re-authenticated.
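The comparison in steps S52 to S56 can be sketched as follows, using the account A device example and both the adjacent and the overlapping period layouts described above. This is an added example, not code from the patent: the log format, the use of the symmetric difference as the "difference set", the ratio-based threshold of 0.5 and the carrier placeholder `CARRIER-B` are assumptions.

```python
from datetime import date

# Constructed log records: (day, attribute, value). "CARRIER-B" is a placeholder
# for the second carrier; the dates are invented for the example.
ACCOUNT_A_LOG = [
    (date(2017, 1, 2), "os", "iOS"),
    (date(2017, 1, 2), "ip_region", "C"),
    (date(2017, 1, 5), "imsi_mnc", "China Mobile"),
    (date(2017, 1, 9), "os", "iOS"),
    (date(2017, 1, 12), "os", "Android"),
    (date(2017, 1, 12), "ip_region", "D"),
    (date(2017, 1, 15), "imsi_mnc", "CARRIER-B"),
    (date(2017, 1, 18), "os", "Android"),
]

# Same device and carrier throughout; only the IP region moves (e.g. travel).
TRAVEL_LOG = [
    (date(2017, 1, 3), "os", "iOS"),
    (date(2017, 1, 3), "ip_region", "C"),
    (date(2017, 1, 4), "imsi_mnc", "China Mobile"),
    (date(2017, 1, 13), "os", "iOS"),
    (date(2017, 1, 13), "ip_region", "D"),
    (date(2017, 1, 14), "imsi_mnc", "China Mobile"),
]

# Adjacent periods (no overlap) and the overlapping layout from the text
# (first to tenth, fifth to fifteenth of the month).
ADJACENT = ((date(2017, 1, 1), date(2017, 1, 10)),
            (date(2017, 1, 11), date(2017, 1, 20)))
OVERLAPPING = ((date(2017, 1, 1), date(2017, 1, 10)),
               (date(2017, 1, 5), date(2017, 1, 15)))


def info_set(log, period):
    """S52: collect the distinct (attribute, value) pairs seen inside one period."""
    start, end = period
    return {(attr, value) for day, attr, value in log if start <= day <= end}


def compare_periods(log, first_period, second_period, threshold=0.5):
    """S54/S56: difference set of the two information sets, judged against a threshold.

    The difference is normalised by the union so that periods with many records
    are not penalised for size alone. "changed" is None when either period has
    no data, because there is nothing to compare.
    """
    first = info_set(log, first_period)
    second = info_set(log, second_period)
    if not first or not second:
        return {"difference": set(), "ratio": None, "changed": None}
    difference = first ^ second  # items present in exactly one period
    ratio = len(difference) / len(first | second)
    return {"difference": difference, "ratio": ratio, "changed": ratio > threshold}


if __name__ == "__main__":
    for label, log in (("account A", ACCOUNT_A_LOG), ("travel only", TRAVEL_LOG)):
        for layout, (p1, p2) in (("adjacent", ADJACENT), ("overlapping", OVERLAPPING)):
            result = compare_periods(log, p1, p2)
            print(label, layout, result["ratio"], result["changed"])
```

With overlapping periods the shared days contribute identical items to both sets, so the ratio for the same log is lower than with adjacent periods; the threshold has to be chosen with the period layout in mind.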
  • An evaluation model is established from historical association data such as the user identity information that the individual user has uploaded through the user device, the network behavior information of operations the user has performed, the user device information of devices the user has used, and the user biometric information that the user device has collected, and a comprehensive analysis is conducted to monitor the risk level/degree of the user's account in real time and to further upgrade the authentication method to live detection. In addition, the real-person authentication service can also be extended to other online businesses that require personal identification.
  • The identity authentication method according to the above embodiment can be implemented by means of software plus a necessary general-purpose hardware platform, and of course can also be implemented in hardware, but in many cases the former is the better implementation.
  • The technical solution of the present invention, in essence or in the part that contributes to the prior art, can be embodied in the form of a software product stored in a storage medium (such as a ROM/RAM, a magnetic disk, or an optical disk), including a number of instructions for causing a terminal device (which may be a cell phone, computer, server, or network device, etc.) to perform the methods described in the various embodiments of the present invention.
  • FIG. 6 is a structural block diagram of an identity authentication apparatus according to an embodiment of the present invention.
  • the device includes: an obtaining module 10, configured to acquire historical association data of a user account corresponding to an application, where the historical association data is information associated with a user account acquired in a preset service period.
  • the evaluation module 20 is configured to perform evaluation by using historical correlation data to obtain an evaluation result
  • the authentication module 30 is configured to determine a corresponding identity authentication mode according to the evaluation result, and perform identity authentication.
  • FIG. 7 is a structural block diagram of an identity authentication apparatus according to a preferred embodiment of the present invention.
  • the foregoing apparatus may further include: a first receiving module 40, configured to receive a first request message from a user equipment, where the user equipment is used to run an application; and a first response module 50, configured to perform authentication status detection on the user account according to the first request message and to return a first response message to the user equipment, where the first response message is used to confirm that the user account is an account to be authenticated.
  • the foregoing historical association data may include, but is not limited to, at least one of the following: user equipment information, user identity information, user network behavior information, and user service information.
  • the foregoing apparatus may further include: a second receiving module 60, configured to receive a second request message from the user equipment; and a second response module 70, configured to determine, according to the second request message, the authorization authentication information to be delivered, and to return a second response message to the user equipment, where the second response message carries the authorization authentication information.
  • the evaluation module 20 may include: an analysis unit (not shown in the figure), configured to analyze the historical association data and construct an evaluation model, where the evaluation model includes a level or score corresponding to each feature indicator in the historical association data; and a first statistical unit (not shown in the figure), configured to tally the level or score corresponding to each feature indicator in the evaluation model to obtain the evaluation result.
  • the user equipment information includes at least the following feature indicators: Internet Protocol IP address information used by the user equipment, an operating system type used by the user equipment, and a usage record of the user equipment. The analysis unit (not shown in the figure) is configured to obtain the IP address information, operating system type, and usage record included in the user equipment information and to construct the evaluation model; and the statistical unit (not shown in the figure) is configured to determine, according to the IP address information, whether the user equipment has performed an illegal operation and record the corresponding level or score, to determine, according to the operating system type used by the user equipment, whether that operating system has a security vulnerability and record the corresponding level or score, to determine, according to the usage record of the user equipment, whether the user equipment has installed a high-risk application and record the corresponding level or score, and to obtain the evaluation result by tallying the level or score corresponding to each feature indicator.
  • the foregoing preset service period includes at least: a first evaluation period and a second evaluation period
  • the evaluation module 20 may include: an acquiring unit (not shown in the figure), configured to acquire the change trend of the historical association data between the first evaluation period and the second evaluation period; and a second statistical unit (not shown in the figure), configured to analyze the change trend and obtain the evaluation result.
  • the authentication module 30 may include: a determining unit (not shown in the figure), configured to determine, according to the evaluation result, the verification steps to be performed and the identity authentication association information to be collected in each verification step; and an authentication unit (not shown in the figure), configured to perform identity authentication according to the verification steps to be performed and the identity authentication association information to be collected in each verification step.
  • FIG. 8 is a structural block diagram of another identity authentication apparatus according to an embodiment of the present invention.
  • the device includes: an operation module 80, configured to run an application; and a triggering module 90, configured to trigger an authentication server to perform authentication status detection on a user account corresponding to the application, where the authentication status detection is used to perform the evaluation using the obtained historical association data of the user account to obtain an evaluation result and to determine the corresponding identity authentication mode according to the evaluation result, and the historical association data is information associated with the user account acquired in the preset service period.
  • Embodiments of the present invention also provide a storage medium.
  • a person of ordinary skill in the art may understand that all or part of the steps of the foregoing embodiments may be completed by a program to instruct terminal device/server device related hardware, and the program may be stored in a computer readable storage medium.
  • the storage medium may include a flash disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk or an optical disk, and the like.
  • the foregoing storage medium may be used to save the program code executed by the identity authentication method provided in Embodiment 1 above.
  • the foregoing storage medium may be located in any one server of a server group in the computer network.
  • the storage medium is arranged to store program code for performing the following steps:
  • S1 Obtain historical association data of a user account corresponding to the application, where the historical association data is information associated with the user account acquired in the preset service period;
  • the storage medium is further configured to store program code for performing the following steps: receiving a first request message from the user equipment, where the user equipment is configured to run the application; and performing authentication status detection on the user account according to the first request message and returning a first response message to the user equipment, where the first response message is used to confirm that the user account is an account to be authenticated.
  • the storage medium is further configured to store program code for performing the following steps: receiving a second request message from the user equipment; determining, according to the second request message, the authorization authentication information to be delivered; and returning a second response message to the user equipment, where the second response message carries the authorization authentication information.
  • the storage medium is further configured to store program code for performing the following steps: analyzing the historical association data and constructing an evaluation model, where the evaluation model includes a level or score corresponding to each feature indicator in the historical association data; and tallying the level or score corresponding to each feature indicator in the evaluation model to obtain the evaluation result.
  • the user equipment information includes at least the following feature indicators: Internet Protocol IP address information used by the user equipment, an operating system type used by the user equipment, and a usage record of the user equipment.
  • the storage medium is further configured to store program code for performing the following steps: obtaining the IP address information, operating system type, and usage record included in the user equipment information and constructing an evaluation model; determining, according to the IP address information, whether the user equipment has performed an illegal operation and recording the corresponding level or score; determining, according to the operating system type used by the user equipment, whether that operating system has a security vulnerability and recording the corresponding level or score; determining, according to the usage record of the user equipment, whether the user equipment has installed a high-risk application and recording the corresponding level or score; and obtaining the evaluation result by tallying the level or score corresponding to each feature indicator.
  • the preset service period includes: a first evaluation period and a second evaluation period.
  • the storage medium is further configured to store program code for performing the following steps: acquiring the change trend of the historical association data between the first evaluation period and the second evaluation period; and analyzing the change trend to obtain the evaluation result.
  • the storage medium is further configured to store program code for performing the following steps: determining, according to the evaluation result, the verification steps to be performed and the identity authentication association information to be collected in each verification step; and performing identity authentication according to the verification steps to be performed and the identity authentication association information to be collected in each verification step.
  • the disclosed technical contents may be implemented in other manners.
  • the device embodiments described above are merely illustrative.
  • the division of the unit is only a logical function division.
  • multiple units or components may be combined or may be integrated into another system, or some features can be ignored or not executed.
  • the mutual coupling or direct coupling or communication connection shown or discussed may be an indirect coupling or communication connection through some interface, unit or module, and may be electrical or otherwise.
  • the units described as separate components may or may not be physically separated, and the components displayed as units may or may not be physical units, that is, may be located in one place, or may be distributed to multiple network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of the embodiment.
  • each functional unit in each embodiment of the present invention may be integrated into one processing unit, or each unit may exist physically separately, or two or more units may be integrated into one unit.
  • the above integrated unit can be implemented in the form of hardware or in the form of a software functional unit.
  • the integrated unit if implemented in the form of a software functional unit and sold or used as a standalone product, may be stored in a computer readable storage medium.
  • the technical solution of the present invention which is essential or contributes to the prior art, or all or part of the technical solution, may be embodied in the form of a software product stored in a storage medium.
  • a number of instructions are included to cause a computer device (which may be a personal computer, server or network device, etc.) to perform all or part of the steps of the methods described in various embodiments of the present invention.
  • the foregoing storage medium includes: a U disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a removable hard disk, a magnetic disk, or an optical disk, and the like.

Abstract

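The present invention discloses an identity authentication system, method and apparatus, and an account authentication method. The method includes: acquiring historical associated data of a user account corresponding to an application, where the historical associated data is information associated with the user account acquired within a preset service period; performing an evaluation using the historical associated data to obtain an evaluation result; and determining a corresponding identity authentication mode according to the evaluation result and performing identity authentication. The present invention solves the technical problem that the identity authentication modes used in the related art are relatively limited and make it difficult to prevent forged or altered false identity information.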

Description

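Identity Authentication System, Method and Apparatus, and Account Authentication Method
This application claims priority to Chinese patent application No. 201611010182.6, filed on November 16, 2016 and entitled "Identity Authentication System, Method and Apparatus, and Account Authentication Method", the entire contents of which are incorporated herein by reference.
Technical Field
The present invention relates to the Internet field, and in particular to an identity authentication system, method and apparatus, and an account authentication method.
Background
At present, with continuous innovation in science and technology, the identity authentication process for conducting personal online business (for example, opening a personal online store on a shopping platform website) has also changed rapidly. In the earliest identity authentication, to ensure that the person matches the ID document, an authentication mode was proposed in which an individual user is photographed holding his or her ID document; later, this was gradually upgraded to require the individual user to upload/submit a specified dynamic gesture image; and today, the incorporation of real-person authentication into the big-data risk management model opens up the possibility of richer and more diverse technical means of identity authentication.
However, the mainstream identity authentication modes used in the related art can usually only verify the user's identity at the authentication stage, based on several items of information such as the user's name, the user's personal ID document and the user's facial image. They cannot monitor the authenticity of the user's identity in real time over the long term, which results in low security and reliability.
No effective solution to the above problem has yet been proposed.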
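Summary of the Invention
Embodiments of the present invention provide an identity authentication system, method and apparatus, and an account authentication method, to at least solve the technical problem that the identity authentication modes used in the related art are relatively limited and make it difficult to prevent forged or altered false identity information.
According to one aspect of the embodiments of the present invention, an identity authentication system is provided, including user equipment and an authentication server. The user equipment is configured to run an application and to request the authentication server to perform authentication status detection on the user account corresponding to the application. The authentication server is configured to, after determining that the user account is an account to be authenticated, perform an evaluation using the acquired historical associated data of the user account to obtain an evaluation result, determine a corresponding identity authentication mode according to the evaluation result, and perform identity authentication, where the historical associated data is information associated with the user account acquired within a preset service period.
Optionally, the historical associated data includes at least one of the following: user equipment information, user identity information, user network behavior information, and user service information.
Optionally, the authentication server is further configured to deliver authorization authentication information to the user equipment.
Optionally, the authentication server is further configured to analyze the historical associated data, construct an evaluation model, and tally the level or score corresponding to each feature indicator in the evaluation model to obtain the evaluation result.
Optionally, the user equipment information includes at least: the Internet Protocol (IP) address information used by the user equipment, the type of operating system used by the user equipment, and the usage record of the user equipment. The authentication server is further configured to construct the evaluation model according to the user equipment information and tally the level or score corresponding to each feature indicator in the evaluation model to obtain the evaluation result, where the feature indicators in the evaluation model include: determining, according to the IP address information, whether the user equipment has performed illegal operations; determining, according to the type of operating system used by the user equipment, whether that operating system has security vulnerabilities; and determining, according to the usage record of the user equipment, whether high-risk applications have been installed on the user equipment.
Optionally, the preset service period includes a first evaluation period and a second evaluation period, and the authentication server is further configured to analyze the trend of change of the historical associated data between the first evaluation period and the second evaluation period to obtain the evaluation result.
Optionally, the authentication server is further configured to determine, according to the evaluation result, the verification steps to be performed and the identity authentication associated information to be collected in each verification step, and to perform identity authentication according to the verification steps to be performed and the identity authentication associated information to be collected in each verification step.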
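According to another aspect of the embodiments of the present invention, an identity authentication method for selecting an identity authentication mode is further provided, including:
acquiring historical associated data of a user account corresponding to an application, where the historical associated data is information associated with the user account acquired within a preset service period; performing an evaluation using the historical associated data to obtain an evaluation result; and determining a corresponding identity authentication mode according to the evaluation result and performing identity authentication.
Optionally, the historical associated data includes at least one of the following: user equipment information, user identity information, user network behavior information, and user service information.
Optionally, before the historical associated data is acquired, the method further includes: receiving a first request message from user equipment, where the user equipment is configured to run the application; and performing authentication status detection on the user account according to the first request message and returning a first response message to the user equipment, where the first response message is used to confirm that the user account is an account to be authenticated.
Optionally, after the first response message is returned to the user equipment, the method further includes: receiving a second request message from the user equipment; determining, according to the second request message, the authorization authentication information to be delivered; and returning a second response message to the user equipment, where the second response message carries the authorization authentication information.
Optionally, performing an evaluation using the historical associated data to obtain the evaluation result includes: analyzing the historical associated data and constructing an evaluation model, where the evaluation model includes a level or score corresponding to each feature indicator in the historical associated data; and tallying the level or score corresponding to each feature indicator in the evaluation model to obtain the evaluation result.
Optionally, the user equipment information includes at least the following feature indicators: the Internet Protocol (IP) address information used by the user equipment, the type of operating system used by the user equipment, and the usage record of the user equipment. Analyzing the historical associated data and constructing the evaluation model includes: acquiring the IP address information, the operating system type and the usage record contained in the user equipment information, and constructing the evaluation model. Tallying the level or score corresponding to each feature indicator in the evaluation model to obtain the evaluation result includes: determining, according to the IP address information, whether the user equipment has performed illegal operations and tallying the corresponding level or score; determining, according to the type of operating system used by the user equipment, whether that operating system has security vulnerabilities and tallying the corresponding level or score; determining, according to the usage record of the user equipment, whether high-risk applications have been installed on the user equipment and tallying the corresponding level or score; and obtaining the evaluation result by tallying the level or score corresponding to each feature indicator.
Optionally, the IP address information, the operating system type and the usage record are used as input information, and the evaluation model is constructed using a random forest algorithm.
Optionally, the preset service period includes a first evaluation period and a second evaluation period, and performing an evaluation using the historical associated data to obtain the evaluation result includes: acquiring the trend of change of the historical associated data between the first evaluation period and the second evaluation period; and analyzing the trend of change to obtain the evaluation result.
Optionally, determining the identity authentication mode according to the evaluation result and performing identity authentication includes: determining, according to the evaluation result, the verification steps to be performed and the identity authentication associated information to be collected in each verification step; and performing identity authentication according to the verification steps to be performed and the identity authentication associated information to be collected in each verification step.
According to yet another aspect of the embodiments of the present invention, another identity authentication method for selecting an identity authentication mode is further provided, including:
running an application; and triggering an authentication server to perform authentication status detection on the user account corresponding to the application, where the authentication status detection is used to perform an evaluation using the acquired historical associated data of the user account to obtain an evaluation result and to determine a corresponding identity authentication mode according to the evaluation result, and the historical associated data is information associated with the user account acquired within a preset service period.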
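According to still another aspect of the embodiments of the present invention, an account authentication method for determining whether the operator of an account has changed is further provided, including:
acquiring first-period associated data and second-period associated data of an account to be authenticated, where the first-period associated data is data associated with the account to be authenticated within a first time period, the second-period associated data is data associated with the account to be authenticated within a second time period, and the first time period and the second time period are not completely the same; performing a similarity calculation on the first-period associated data and the second-period associated data to obtain a similarity result; and determining, according to the similarity result, whether the operator of the account to be authenticated has changed.
Optionally, the data associated with the account to be authenticated within the first time period is a first operation information set, and the data associated with the account to be authenticated within the second time period is a second operation information set. Performing the similarity calculation on the first-period associated data and the second-period associated data includes: calculating the difference set of the first operation information set and the second operation information set. Determining, according to the similarity result, whether the operator of the account to be authenticated has changed includes: if the difference set exceeds a predetermined threshold, determining that the operator of the account to be authenticated has changed.
Optionally, the data associated with the account to be authenticated within the first time period is a first device information set, and the data associated with the account to be authenticated within the second time period is a second device information set. Performing the similarity calculation on the first-period associated data and the second-period associated data includes: calculating the difference set of the first device information set and the second device information set. Determining, according to the similarity result, whether the operator of the account to be authenticated has changed includes: if the difference set exceeds a predetermined threshold, determining that the operator of the account to be authenticated has changed.
According to still another aspect of the embodiments of the present invention, an identity authentication apparatus for selecting an identity authentication mode is further provided, including:
an acquisition module, configured to acquire historical associated data of a user account corresponding to an application, where the historical associated data is information associated with the user account acquired within a preset service period; an evaluation module, configured to perform an evaluation using the historical associated data to obtain an evaluation result; and an authentication module, configured to determine a corresponding identity authentication mode according to the evaluation result and perform identity authentication.
According to still another aspect of the embodiments of the present invention, another identity authentication apparatus for selecting an identity authentication mode is further provided, including:
a running module, configured to run an application; and a triggering module, configured to trigger an authentication server to perform authentication status detection on the user account corresponding to the application, where the authentication status detection is used to perform an evaluation using the acquired historical associated data of the user account to obtain an evaluation result and to determine a corresponding identity authentication mode according to the evaluation result, and the historical associated data is information associated with the user account acquired within a preset service period.
In the embodiments of the present invention, historical associated data of the user account corresponding to the application (that is, information associated with the user account acquired within a preset service period) is acquired and used for an evaluation to obtain an evaluation result; the corresponding identity authentication mode is determined from the evaluation result, and the identity authentication flow is then performed. This achieves the purpose of identifying whether a user account is at risk by examining the historical associated data accumulated for the user account, thereby achieving the technical effects of monitoring the authenticity and reliability of the user's identity in real time over the long term and raising the security level of identity authentication, and in turn solving the technical problem that the identity authentication modes used in the related art are relatively limited and make it difficult to prevent forged or altered false identity information. In addition, for a change of account operator caused by account trading, matching the similarity between the account associated information and/or related operation records of different periods can also provide an objective basis for action.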
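Brief Description of the Drawings
The drawings described here are provided for a further understanding of the present invention and form part of this application. The illustrative embodiments of the present invention and their descriptions are used to explain the present invention and do not unduly limit it. In the drawings:
FIG. 1 is a hardware structure block diagram of an identity authentication system according to an embodiment of the present invention;
FIG. 2 is a schematic diagram of application interface operations for triggering the authentication flow according to a preferred embodiment of the present invention;
FIG. 3 is a flowchart of an identity authentication method according to an embodiment of the present invention;
FIG. 4 is a flowchart of another identity authentication method according to an embodiment of the present invention;
FIG. 5 is a flowchart of an account authentication method according to an embodiment of the present invention;
FIG. 6 is a structural block diagram of an identity authentication apparatus according to an embodiment of the present invention;
FIG. 7 is a structural block diagram of an identity authentication apparatus according to a preferred embodiment of the present invention;
FIG. 8 is a structural block diagram of another identity authentication apparatus according to an embodiment of the present invention.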
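Detailed Description
To enable those skilled in the art to better understand the solutions of the present invention, the technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the drawings in the embodiments. Obviously, the described embodiments are only some, not all, of the embodiments of the present invention. All other embodiments obtained by a person of ordinary skill in the art based on the embodiments of the present invention without creative effort shall fall within the scope of protection of the present invention.
It should be noted that the terms "first", "second" and the like in the specification, claims and drawings of the present invention are used to distinguish similar objects and are not necessarily used to describe a specific order or sequence. It should be understood that data so used are interchangeable where appropriate, so that the embodiments of the present invention described here can be implemented in orders other than those illustrated or described here. In addition, the terms "include" and "have" and any variants of them are intended to cover non-exclusive inclusion; for example, a process, method, system, product or device that includes a series of steps or units is not necessarily limited to the steps or units expressly listed, but may include other steps or units that are not expressly listed or that are inherent to such a process, method, product or device.
First, some of the nouns or terms that appear in the description of the embodiments of this application are explained as follows:
(1) Smart terminal application (APP): a client installed on a smart terminal that extends the functions of the smart terminal itself and is used to meet the user's personalized service needs, for example: an online shopping APP, an online payment APP, or a second-hand goods trading APP.
(2) User account: an independent information storage area generated by filling in the user's personal information on a registration page in order to use the complete functional services provided by an application.
(3) Historical associated data: information associated with the user account that can be acquired within a preset service period. The preset service period may run from successful registration of the user account until the moment the authentication flow is triggered, or may be a specific time span after successful registration of the user account. The information associated with the user account may include, but is not limited to, at least one of the following: user identity information, user network behavior information, information on the user equipment used by the user, and user service information. The user identity information may include, but is not limited to, at least one of the following: the user account registered by the user in order to use the functions provided by a specific application, the information shown on the identity document provided by the user at registration, the user's contact details, and the user's home address and/or work address. The user equipment information may include, but is not limited to, at least one of the following: the operating system used by the user equipment, the model of the user equipment, the International Mobile Subscriber Identity (IMSI)/International Mobile Equipment Identity (IMEI) of the user equipment, and the Internet Protocol (IP) address and/or Media Access Control (MAC) address used by the user equipment. The user network behavior information may include, but is not limited to, at least one of the following: the current authentication operation behavior, and past behavior associated with the user account before identity authentication is performed (for example, shopping behavior reflected in shopping records). The user service information may include, but is not limited to, at least one of the following: shopping records and the user's operation trail.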
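Embodiment 1
FIG. 1 is a hardware structure block diagram of an identity authentication system according to an embodiment of the present invention. As shown in FIG. 1, user equipment 10 may be connected to one or more authentication servers 20 via a data network connection or electronically. In an optional embodiment, the user equipment 10 may be a personal computer (PC), a smartphone or a tablet. The data network connection may be a local area network connection, a wide area network connection, an Internet connection, or another type of data network connection. The user equipment 10 may connect to a network service executed by one server or a group of servers. The network service is a network-based user service, such as a social network, cloud resources, e-mail, online payment or another online application.
In this embodiment, the user equipment 10 is configured to run an application and to request the authentication server to perform authentication status detection on the user account corresponding to the application. The authentication server 20 is configured to, after determining that the user account is an account to be authenticated, perform an evaluation using the acquired historical associated data of the user account to obtain an evaluation result, determine a corresponding identity authentication mode according to the evaluation result, and perform identity authentication, where the historical associated data is information associated with the user account acquired within a preset service period.
FIG. 2 is a schematic diagram of application interface operations for triggering the authentication flow according to a preferred embodiment of the present invention. As shown in FIG. 2, if a user needs to carry out second-hand goods transactions online, then once the application installed on the user equipment (for example, a second-hand goods trading application) is running, the user can log in to a pre-registered user account. The user equipment needs to detect whether the user account has opened an online store account; if not, the user equipment must be triggered to check the user's authentication status. The user equipment then calls the real-person authentication server (that is, the authentication server 20 described above) to determine the current user authentication status and thereby whether the authentication flow needs to be performed for the user. The basis for the real-person authentication server's determination may include, but is not limited to, at least one of the following: user identity information (for example, the user's name and ID card number), the operating system used by the user equipment (for example, Android or iOS), and the properties of the user equipment itself (for example, its hardware configuration and whether a jailbreak operation has been performed).
Optionally, the authentication server 20 is further configured to deliver authorization authentication information to the user equipment.
If the real-person authentication server determines that the authentication flow needs to be performed for the user, the user equipment needs to request the real-person authentication server to deliver authorization authentication information, for example a token (Token), and obtain the authorization authentication information returned by the real-person authentication server. The authorization authentication information is used for authentication permission checks, for generating authentication tasks, and for being passed between different authentication executors.
Taking the Token as an example, its format may include the following three parts:
(1) header, which indicates the type of the Token;
(2) claims set, which holds the stored data and may include user authorization information;
(3) signature, which is used to verify the authenticity of the Token.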
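The three-part Token described above can be issued and checked as in the following added example, which is not code from the patent. It assumes JSON parts, unpadded URL-safe base64 and an HMAC-SHA256 signature; the claim names `sub`, `scope` and `exp` and the header values are hypothetical.

```python
import base64
import hashlib
import hmac
import json

# Assumed header: the patent only says the header indicates the Token type.
TOKEN_HEADER = {"typ": "auth-task", "alg": "HS256"}


def b64e(raw: bytes) -> str:
    """URL-safe base64 without padding."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64d(text: str) -> bytes:
    """Inverse of b64e; raises ValueError on malformed input."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(key: bytes, account: str, scope: str, now: int, ttl: int) -> str:
    """Server side: build header.claims.signature for one authentication task."""
    claims = {"sub": account, "scope": scope, "exp": now + ttl}  # claims set
    body = b64e(json.dumps(TOKEN_HEADER).encode()) + "." + b64e(json.dumps(claims).encode())
    signature = hmac.new(key, body.encode(), hashlib.sha256).digest()
    return body + "." + b64e(signature)


def verify_token(key: bytes, token: str, now: int, required_scope: str):
    """Return the claims if the Token is authentic, unexpired and in scope, else None."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, claims_b64, sig_b64 = parts
    try:
        expected = hmac.new(key, f"{header_b64}.{claims_b64}".encode(),
                            hashlib.sha256).digest()
        # Check the signature first, in constant time, before trusting any field.
        if not hmac.compare_digest(expected, b64d(sig_b64)):
            return None
        header = json.loads(b64d(header_b64))
        claims = json.loads(b64d(claims_b64))
    except ValueError:  # bad base64, bad UTF-8 or bad JSON
        return None
    if header != TOKEN_HEADER or not isinstance(claims, dict):
        return None  # pin the type and algorithm instead of trusting the header
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        return None  # expired authentication task
    if claims.get("scope") != required_scope:
        return None  # Token was issued for a different permission
    return claims
```

Because the signature covers both the header and the claims set, a Token whose claims are rewritten in transit between authentication executors fails verification.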
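Optionally, the authentication server 20 is further configured to analyze the historical associated data, construct an evaluation model, and tally the level or score corresponding to each feature indicator in the evaluation model to obtain the evaluation result.
After obtaining the Token issued by the real-person authentication server, the user equipment requests the real-person authentication server to start the identity authentication flow. The real-person authentication server selects a corresponding authentication channel for the user according to the service type of the application the user is using. During identity authentication through the selected authentication channel, the real-person authentication server can build an evaluation model from historical associated data, such as user identity information the user has uploaded through the user equipment, network behavior information on actions the user has performed, information on the user equipment used by the user, and previously collected user biometric information, and make a comprehensive judgment to determine the user's degree of risk and provide differentiated authentication modes for users with different degrees of risk. The user identity information may include, but is not limited to, at least one of the following: the user account registered by the user in order to use the functions provided by a specific application, the information shown on the identity document provided by the user at registration, the user's contact details, and the user's home address and/or work address. The user equipment information may include, but is not limited to, at least one of the following: the operating system used by the user equipment, the model of the user equipment, the International Mobile Subscriber Identity (IMSI)/International Mobile Equipment Identity (IMEI) of the user equipment, and the Internet Protocol (IP) address and/or Media Access Control (MAC) address used by the user equipment. The user network behavior information may include, but is not limited to, at least one of the following: the current authentication operation behavior, and past behavior associated with the user account before identity authentication is performed (for example, shopping records). The biometric information may include, but is not limited to, at least one of the following: voiceprint, fingerprint, eye print, iris, static user image, and dynamic liveness-detection user image.
Liveness detection instructs the user, in a specific scenario, to complete one or more specified actions, for example shaking the head, nodding, or saying a sentence. Its purpose is to determine that the user currently undergoing identity authentication is a real living person and not a photograph.
Optionally, the user equipment information includes at least: the Internet Protocol (IP) address information used by the user equipment, the type of operating system used by the user equipment, and the usage record of the user equipment. The authentication server is further configured to construct the evaluation model according to the user equipment information and tally the level or score corresponding to each feature indicator in the evaluation model to obtain the evaluation result, where the feature indicators in the evaluation model include: determining, according to the IP address information, whether the user equipment has performed illegal operations; determining, according to the type of operating system used by the user equipment, whether that operating system has security vulnerabilities; and determining, according to the usage record of the user equipment, whether high-risk applications have been installed on the user equipment.
As a preferred embodiment of the present invention, an algorithm such as random forest may be used to construct the evaluation model, and the evaluation model is used as the main decision factor for risk prevention and control. The input information of the evaluation model may include, but is not limited to, the user equipment information, user identity information, user network behavior information and user service information described above; the output obtained after computation by the random forest algorithm is the model score, and the corresponding identity authentication mode is finally determined according to the model score. Specifically: first, the available data (for example, user equipment information, user identity information, user network behavior information and user service information) needs to be acquired; second, feature construction needs to be performed, that is, judging the degree of authenticity of the acquired available data; third, feature analysis needs to be performed, that is, performing feature quality analysis, feature monotonicity analysis, feature importance analysis and feature synthesis on the constructed features; then the random forest algorithm is selected for model training, and the evaluation result is finally obtained.
In a preferred implementation, taking user equipment information as the historical associated data as an example, comprehensively judging the user's degree of risk by constructing an evaluation model may include the following. If a telecom fraud case has previously occurred at the location to which the IP address belongs, the security level of the user equipment using that IP address may be lowered (for example, by 1 level) or its security score reduced (for example, by 1 point), which lowers the credit assigned before the application is run to perform a shopping or transfer operation and in turn raises the identity authentication threshold. If the user equipment uses the Android system or an iOS system on which a jailbreak operation has been performed, then because security vulnerabilities exist, the security level of the user equipment using that IP address may be lowered (for example, by 1 level) or its security score reduced (for example, by 1 point), which lowers the credit assigned before the application is run to perform a shopping or transfer operation and in turn raises the identity authentication threshold. If cheating software has been installed on the user equipment or illegal (for example, pornography or gambling) websites have been browsed, the security level of the user equipment using that IP address may be lowered (for example, by 1 level) or its security score reduced (for example, by 1 point), which lowers the credit assigned before the application is run to perform a shopping or transfer operation and in turn raises the identity authentication threshold.
In addition, evaluation models can likewise be constructed in turn for the other information contained in the historical associated data, for security evaluation. For example: if there have been multiple malicious network behaviors (for example, fake-order brushing) under the user account on a specific user equipment, the credit assigned before that user equipment is used to run the application to perform a shopping operation may be lowered, which raises the identity authentication threshold. If the personal information uploaded by the user after logging in to the user account does not match the relevant information previously stored by the real-person authentication server, the credit assigned before that user account is used to run the application to perform a shopping or transfer operation may be lowered, which raises the identity authentication threshold. If the contact details, home address and/or work address registered by the user contain false information, the credit assigned before that user account is used to run the application to perform a shopping or transfer operation may be lowered, which raises the identity authentication threshold. If the user places orders for a large number of goods in the shopping cart but does not pay on time, the credit assigned before that user account is used to run the application to perform a shopping or transfer operation may be lowered, which raises the identity authentication threshold.
It should be noted that the evaluation may, depending on the service type of the application, score only one of the decision factors, or may score several decision factors together, to finally determine whether the identity authentication threshold needs to be raised. The above examples of historical associated data are illustrative only and do not unduly limit what the historical associated data contains.
Optionally, the preset service period includes at least a first evaluation period and a second evaluation period, and the authentication server 20 is further configured to analyze the trend of change of the historical associated data between the first evaluation period and the second evaluation period to obtain the evaluation result.
The first evaluation period and the second evaluation period may be two adjacent time spans selected in advance. Suppose the first evaluation period is the ten days closest to the current time and the second evaluation period is the preceding ten days adjacent to those most recent ten days; then the evaluation result is determined by comparing the trend of change of the historical associated data between the first evaluation period and the second evaluation period, that is, by comparing the similarity of the historical associated data in the first evaluation period with that in the second evaluation period.
Taking user network behavior information as an example, suppose the selling or shopping behavior of account A remains normal throughout the first evaluation period (that is, goods are shipped according to orders as normal and are of good quality, or payment is made promptly after an order is placed), but in the second evaluation period, for reasons such as the account being stolen, account A shows abnormal selling behavior (for example, switching from selling good-quality, inexpensive goods to selling high-priced inferior goods, or failing to ship for a long time after buyers have paid on the basis of long-standing trust) or abnormal shopping behavior (for example, frequently placing orders without paying, or frequently complaining to sellers that intact goods have quality problems and demanding a refund/exchange). It can then be determined on this basis that account A may have an anomaly such as account theft, and real-person authentication needs to be performed again for the user of account A.
Taking user equipment information and user network behavior information as an example, suppose that in the first evaluation period account A uses an Apple phone running iOS, the IP address used shows location C, and selling behavior during this period remains normal; but in the second evaluation period, for reasons such as the account being transferred, account A changes from an Apple phone running iOS to a Huawei phone running Android, the IP address used shows a change from location C to location D, and abnormal selling behavior appears during this period (for example, switching from selling good-quality, inexpensive goods to selling high-priced inferior goods, or failing to ship for a long time after buyers have paid on the basis of long-standing trust). It can then be determined on this basis that the purpose for which account A is used may have become abnormal, and real-person authentication needs to be performed again for the user of account A.
Optionally, the authentication server 20 is further configured to determine, according to the evaluation result, the verification steps to be performed and the identity authentication associated information to be collected in each verification step, and to perform identity authentication according to the verification steps to be performed and the identity authentication associated information to be collected in each verification step.
During identity authentication, the software development kit (SDK) integrated in the application for performing the identity authentication function collects data according to the sequence of steps the authentication flow requires and the identity authentication related information to be collected in each step, and interacts with the real-person authentication server in real time. The evaluation result obtained from the evaluation model can classify a user account as a normal account or a risky account. For a normal account, the conventionally configured automated authentication flow can be followed, which includes collecting information such as a static ID document image and a dynamic liveness-detection user image. For a risky account, a supplementary data collection process needs to be added on top of the conventionally configured automated authentication flow, for example adding a dynamic gesture verification stage, so as to collect more user information for further checking.
After the above identity authentication flow is completed, the real-person authentication server feeds the final identity authentication result back to the user equipment.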
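The device scoring and step-up flow described above, as an added example that is not code from the patent: it uses the additive one-point deductions from the text rather than the random forest model. The base score, the risk threshold, the reference lists and all field and step names are assumptions.

```python
from dataclasses import dataclass

# Constructed reference data (assumptions, not from the patent).
FRAUD_IP_REGIONS = frozenset({"region-X"})        # regions with earlier telecom fraud cases
HIGH_RISK_APPS = frozenset({"cheat-tool"})        # cheating software
ILLEGAL_SITE_CATEGORIES = frozenset({"pornography", "gambling"})

BASE_SCORE = 3        # assumed starting security score
RISK_THRESHOLD = 2    # assumed: a score below this marks the account as risky

# Conventional automated flow, and the supplementary step for risky accounts.
BASELINE_STEPS = ("static_id_document_image", "liveness_detection_image")
STEP_UP_STEPS = ("dynamic_gesture_image",)


@dataclass(frozen=True)
class DeviceInfo:
    ip_region: str
    os_type: str
    jailbroken: bool = False
    installed_apps: frozenset = frozenset()
    visited_categories: frozenset = frozenset()


def evaluate_device(info: DeviceInfo):
    """Tally one deduction per feature indicator; return (score, reasons)."""
    reasons = []
    if info.ip_region in FRAUD_IP_REGIONS:
        reasons.append("ip_region_fraud_history")
    os_name = info.os_type.strip().lower()
    if os_name == "android" or (os_name == "ios" and info.jailbroken):
        reasons.append("os_security_vulnerability")
    if (info.installed_apps & HIGH_RISK_APPS
            or info.visited_categories & ILLEGAL_SITE_CATEGORIES):
        reasons.append("high_risk_usage_record")
    return BASE_SCORE - len(reasons), reasons


def select_steps(score: int):
    """Map the evaluation result to the verification steps to perform."""
    if score < RISK_THRESHOLD:
        return BASELINE_STEPS + STEP_UP_STEPS
    return BASELINE_STEPS


def authenticate(info: DeviceInfo, collected: dict):
    """Run evaluation and step selection, then check every required item was collected.

    'passed' only means nothing required is missing; validating the images
    themselves is outside this sketch.
    """
    score, reasons = evaluate_device(info)
    required = select_steps(score)
    missing = [step for step in required if not collected.get(step)]
    return {"score": score, "reasons": reasons, "required": required,
            "missing": missing, "passed": not missing}
```

Keeping the list of reasons next to the score lets a reviewer see which indicator raised the authentication threshold for a given account.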
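In the above operating environment, this application provides the identity authentication method shown in FIG. 3. It should be noted that the steps shown in the flowcharts of the drawings may be executed in a computer system, such as one running a set of computer-executable instructions, and that although a logical order is shown in the flowcharts, in some cases the steps shown or described may be executed in an order different from the one here.
FIG. 3 is a flowchart of an identity authentication method according to an embodiment of the present invention. As shown in FIG. 3, the method may include the following processing steps:
Step S32: acquire historical associated data of the user account corresponding to the application, where the historical associated data is information associated with the user account acquired within a preset service period;
Step S34: perform an evaluation using the historical associated data to obtain an evaluation result;
Step S36: determine a corresponding identity authentication mode according to the evaluation result, and perform identity authentication.
In a preferred implementation, the historical associated data may include, but is not limited to, at least one of the following: user equipment information, user identity information, user network behavior information, and user service information.
Optionally, before the historical associated data is acquired in step S32, the following steps may also be performed:
Step S30: receive a first request message from user equipment, where the user equipment is configured to run the application;
Step S31: perform authentication status detection on the user account according to the first request message, and return a first response message to the user equipment, where the first response message is used to confirm that the user account is an account to be authenticated.
Optionally, after the first response message is returned to the user equipment in step S31, the following steps may also be performed:
Step S37: receive a second request message from the user equipment;
Step S38: determine, according to the second request message, the authorization authentication information to be delivered;
Step S39: return a second response message to the user equipment, where the second response message carries the authorization authentication information.
Optionally, in step S34, performing an evaluation using the historical associated data to obtain the evaluation result may include the following steps:
Step S340: analyze the historical associated data and construct an evaluation model, where the evaluation model includes a level or score corresponding to each feature indicator in the historical associated data;
Step S342: tally the level or score corresponding to each feature indicator in the evaluation model to obtain the evaluation result.
Optionally, the user equipment information includes at least the following feature indicators: the Internet Protocol (IP) address information used by the user equipment, the type of operating system used by the user equipment, and the usage record of the user equipment;
In step S340, analyzing the historical associated data and constructing the evaluation model may include the following step:
Step S3400: acquire the IP address information, the operating system type and the usage record contained in the user equipment information, and construct the evaluation model;
In step S342, tallying the level or score corresponding to each feature indicator in the evaluation model to obtain the evaluation result may include the following step:
Step S3420: determine, according to the IP address information, whether the user equipment has performed illegal operations and tally the corresponding level or score; determine, according to the type of operating system used by the user equipment, whether that operating system has security vulnerabilities and tally the corresponding level or score; determine, according to the usage record of the user equipment, whether high-risk applications have been installed on the user equipment and tally the corresponding level or score; and obtain the evaluation result by tallying the level or score corresponding to each feature indicator.
Optionally, the preset service period includes a first evaluation period and a second evaluation period, and in step S34, performing an evaluation using the historical associated data to obtain the evaluation result may include the following steps:
Step S344: acquire the trend of change of the historical associated data between the first evaluation period and the second evaluation period;
Step S346: analyze the trend of change to obtain the evaluation result.
Optionally, in step S36, determining the identity authentication mode according to the evaluation result and performing identity authentication may include the following steps:
Step S360: determine, according to the evaluation result, the verification steps to be performed and the identity authentication associated information to be collected in each verification step;
Step S362: perform identity authentication according to the verification steps to be performed and the identity authentication associated information to be collected in each verification step.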
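In the above operating environment, this application provides another identity authentication method, shown in FIG. 4. It should be noted that the steps shown in the flowcharts of the drawings may be executed in a computer system, such as one running a set of computer-executable instructions, and that although a logical order is shown in the flowcharts, in some cases the steps shown or described may be executed in an order different from the one here.
FIG. 4 is a flowchart of another identity authentication method according to an embodiment of the present invention. As shown in FIG. 4, the method may include the following processing steps:
Step S42: run an application;
Step S44: trigger an authentication server to perform authentication status detection on the user account corresponding to the application, where the authentication status detection is used to perform an evaluation using the acquired historical associated data of the user account to obtain an evaluation result and to determine a corresponding identity authentication mode according to the evaluation result, and the historical associated data is information associated with the user account acquired within a preset service period.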
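In the above operating environment, this application provides the account authentication method shown in FIG. 5. It should be noted that the steps shown in the flowcharts of the drawings may be executed in a computer system, such as one running a set of computer-executable instructions, and that although a logical order is shown in the flowcharts, in some cases the steps shown or described may be executed in an order different from the one here.
FIG. 5 is a flowchart of an account authentication method according to an embodiment of the present invention. As shown in FIG. 5, the method may include the following processing steps:
Step S52: acquire first-period associated data and second-period associated data of an account to be authenticated, where the first-period associated data is data associated with the account to be authenticated within a first time period, the second-period associated data is data associated with the account to be authenticated within a second time period, and the first time period and the second time period are not completely the same;
Step S54: perform a similarity calculation on the first-period associated data and the second-period associated data to obtain a similarity result;
Step S56: determine, according to the similarity result, whether the operator of the account to be authenticated has changed.
The first time period and the second time period may be two adjacent time spans selected in advance, that is, the first time period and the second time period do not overlap in time; suppose the first time period is the ten days closest to the current time and the second time period is the preceding ten days adjacent to those most recent ten days. The first time period and the second time period may also be two partially overlapping time spans selected in advance; suppose the first time period is the 1st to the 10th of the current month and the second time period is the 5th to the 15th of the current month. Whether the operator of the account to be authenticated has changed is determined by comparing the similarity of the first-period associated data and the second-period associated data.
In a preferred implementation, the data associated with the account to be authenticated within the first time period may be a first operation information set, and the data associated with the account to be authenticated within the second time period may be a second operation information set;
In step S54, performing the similarity calculation on the first-period associated data and the second-period associated data may include the following step:
Step S540: calculate the difference set of the first operation information set and the second operation information set;
In step S56, determining, according to the similarity result, whether the operator of the account to be authenticated has changed may include the following step:
Step S560: if the difference set exceeds a predetermined threshold, determine that the operator of the account to be authenticated has changed.
Suppose the selling or shopping behavior of account A remains normal throughout the first time period (that is, goods are shipped according to orders as normal and are of good quality, or payment is made promptly after an order is placed), but in the second time period, for reasons such as the account being stolen, account A shows abnormal selling behavior (for example, switching from selling good-quality, inexpensive goods to selling high-priced inferior goods, or failing to ship for a long time after buyers have paid on the basis of long-standing trust) or abnormal shopping behavior (for example, frequently placing orders without paying, or frequently complaining to sellers that intact goods have quality problems and demanding a refund/exchange). Then, by comparing the similarity between the first-period associated data (that is, the log records of account A's selling or shopping behavior in the first time period) and the second-period associated data (that is, the log records of account A's selling or shopping behavior in the second time period), it can be determined that the operator of account A has very probably changed, and real-person authentication needs to be performed again for the operator using account A.
In a preferred implementation, the data associated with the account to be authenticated within the first time period is a first device information set, and the data associated with the account to be authenticated within the second time period is a second device information set;
In step S54, performing the similarity calculation on the first-period associated data and the second-period associated data may include the following step:
Step S542: calculate the difference set of the first device information set and the second device information set;
In step S56, determining, according to the similarity result, whether the operator of the account to be authenticated has changed may include the following step:
Step S562: if the difference set exceeds a predetermined threshold, determine that the operator of the account to be authenticated has changed.
Suppose that in the first time period account A uses an Apple phone running iOS, the IP address used shows location C, and the carrier indicated by the MNC in the IMSI used is China Mobile; but in the second time period account A changes from an Apple phone running iOS to a Huawei phone running Android, the IP address used shows a change from location C to location D, and during this period the carrier indicated by the MNC in the IMSI used is also found to have changed from China Mobile to China Unicom. Then, by comparing the similarity between the first-period associated data (that is, the log records related to the user equipment information used by account A in the first time period) and the second-period associated data (that is, the log records related to the user equipment information used by account A in the second time period), it can be determined that the operator of account A has very probably changed, and real-person authentication needs to be performed again for the operator using account A.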
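Steps S52 to S56 applied to the device example above, as an added example that is not code from the patent. It assumes the difference set is the second-period items absent from the first period and that "exceeds" compares its size with the threshold; the log records and dates are constructed.

```python
from datetime import date

# Constructed device log for account A: (day, attribute, value).
DEVICE_LOG = [
    (date(2017, 11, 1), "os", "iOS"),
    (date(2017, 11, 1), "model", "Apple"),
    (date(2017, 11, 2), "ip_region", "C"),
    (date(2017, 11, 3), "carrier", "China Mobile"),
    (date(2017, 11, 7), "ip_region", "D"),   # falls inside both overlapping windows
    (date(2017, 11, 12), "os", "Android"),
    (date(2017, 11, 12), "model", "Huawei"),
    (date(2017, 11, 13), "ip_region", "D"),
    (date(2017, 11, 14), "carrier", "China Unicom"),
]


def period_set(records, start, end):
    """S52: the set of (attribute, value) pairs seen in [start, end], inclusive."""
    return {(attr, value) for day, attr, value in records if start <= day <= end}


def operator_changed(records, first, second, threshold):
    """S54/S56: compare two periods; return (verdict, difference_set).

    The verdict is True or False, or None when either period has no data,
    so an empty period is never read as "nothing changed".
    """
    if first == second:
        raise ValueError("the two time periods must not be completely the same")
    first_set = period_set(records, *first)
    second_set = period_set(records, *second)
    if not first_set or not second_set:
        return None, set()
    # Assumed direction: values that appear in the second period only.
    difference = second_set - first_set
    return len(difference) > threshold, difference


def demo():
    """Partially overlapping windows from the text: 1st-10th and 5th-15th."""
    return operator_changed(
        DEVICE_LOG,
        (date(2017, 11, 1), date(2017, 11, 10)),
        (date(2017, 11, 5), date(2017, 11, 15)),
        threshold=2,
    )
```

With overlapping windows, a value recorded in the overlap (location D on the 7th) belongs to both sets and drops out of the difference, so overlap makes the check less sensitive than adjacent windows.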
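An evaluation model is built for comprehensive analysis from historical associated data such as user identity information an individual user has uploaded through the user equipment, network behavior information on actions the user has performed, information on user equipment the user has used, and user biometric information the user equipment has collected, so that the risk level of the user account is monitored in real time; at the same time, the means of authentication is further upgraded to liveness detection. Moreover, the real-person authentication service can also be extended to other online businesses that can only be conducted after personal identity authentication.
It should be noted that, for simplicity of description, each of the foregoing method embodiments is expressed as a series of combined actions, but those skilled in the art should understand that the present invention is not limited by the described order of actions, because according to the present invention some steps may be performed in other orders or simultaneously. Those skilled in the art should also understand that the embodiments described in the specification are all preferred embodiments, and the actions and modules involved are not necessarily required by the present invention.
From the description of the above implementations, those skilled in the art can clearly understand that the identity authentication method according to the above embodiments can be implemented by software plus the necessary general-purpose hardware platform, and of course also by hardware, but in many cases the former is the better implementation. Based on this understanding, the technical solution of the present invention in essence, or the part that contributes to the prior art, can be embodied in the form of a software product. The computer software product is stored in a storage medium (such as ROM/RAM, a magnetic disk or an optical disc) and includes several instructions for causing a terminal device (which may be a mobile phone, a computer, a server, a network device or the like) to execute the methods described in the embodiments of the present invention.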
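Embodiment 2
According to an embodiment of the present invention, an apparatus embodiment for implementing the above identity authentication method is further provided. FIG. 6 is a structural block diagram of an identity authentication apparatus according to an embodiment of the present invention. As shown in FIG. 6, the apparatus includes: an acquisition module 10, configured to acquire historical associated data of a user account corresponding to an application, where the historical associated data is information associated with the user account acquired within a preset service period; an evaluation module 20, configured to perform an evaluation using the historical associated data to obtain an evaluation result; and an authentication module 30, configured to determine a corresponding identity authentication mode according to the evaluation result and perform identity authentication.
Optionally, FIG. 7 is a structural block diagram of an identity authentication apparatus according to a preferred embodiment of the present invention. As shown in FIG. 7, the apparatus may further include: a first receiving module 40, configured to receive a first request message from user equipment, where the user equipment is configured to run the application; and a first response module 50, configured to perform authentication status detection on the user account according to the first request message and return a first response message to the user equipment, where the first response message is used to confirm that the user account is an account to be authenticated.
In a preferred implementation, the historical associated data may include, but is not limited to, at least one of the following: user equipment information, user identity information, user network behavior information, and user service information.
Optionally, as shown in FIG. 7, the apparatus may further include: a second receiving module 60, configured to receive a second request message from the user equipment; and a second response module 70, configured to determine, according to the second request message, the authorization authentication information to be delivered and return a second response message to the user equipment, where the second response message carries the authorization authentication information.
Optionally, the evaluation module 20 may include: an analysis unit (not shown in the figure), configured to analyze the historical associated data and construct an evaluation model, where the evaluation model includes a level or score corresponding to each feature indicator in the historical associated data; and a first statistics unit (not shown in the figure), configured to tally the level or score corresponding to each feature indicator in the evaluation model to obtain the evaluation result.
Optionally, the user equipment information includes at least the following feature indicators: the Internet Protocol (IP) address information used by the user equipment, the type of operating system used by the user equipment, and the usage record of the user equipment. The analysis unit (not shown in the figure) is configured to acquire the IP address information, the operating system type and the usage record contained in the user equipment information, and construct the evaluation model. The statistics unit (not shown in the figure) is configured to determine, according to the IP address information, whether the user equipment has performed illegal operations and tally the corresponding level or score; determine, according to the type of operating system used by the user equipment, whether that operating system has security vulnerabilities and tally the corresponding level or score; determine, according to the usage record of the user equipment, whether high-risk applications have been installed on the user equipment and tally the corresponding level or score; and obtain the evaluation result by tallying the level or score corresponding to each feature indicator.
Optionally, the preset service period includes at least a first evaluation period and a second evaluation period, and the evaluation module 20 may include: an acquisition unit (not shown in the figure), configured to acquire the trend of change of the historical associated data between the first evaluation period and the second evaluation period; and a second statistics unit (not shown in the figure), configured to analyze the trend of change to obtain the evaluation result.
Optionally, the authentication module 30 may include: a determination unit (not shown in the figure), configured to determine, according to the evaluation result, the verification steps to be performed and the identity authentication associated information to be collected in each verification step; and an authentication unit (not shown in the figure), configured to perform identity authentication according to the verification steps to be performed and the identity authentication associated information to be collected in each verification step.
According to an embodiment of the present invention, another apparatus embodiment for implementing the above identity authentication method is further provided. FIG. 8 is a structural block diagram of another identity authentication apparatus according to an embodiment of the present invention. As shown in FIG. 8, the apparatus includes: a running module 80, configured to run an application; and a triggering module 90, configured to trigger an authentication server to perform authentication status detection on the user account corresponding to the application, where the authentication status detection is used to perform an evaluation using the acquired historical associated data of the user account to obtain an evaluation result and to determine a corresponding identity authentication mode according to the evaluation result, and the historical associated data is information associated with the user account acquired within a preset service period.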
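Embodiment 3
An embodiment of the present invention further provides a storage medium. A person of ordinary skill in the art can understand that all or some of the steps in the methods of the above embodiments can be completed by a program instructing hardware related to a terminal device/server device. The program may be stored in a computer-readable storage medium, and the storage medium may include: a flash drive, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk, an optical disc, or the like.
Optionally, in this embodiment, the storage medium may be used to store the program code executed by the identity authentication method provided in Embodiment 1 above.
Optionally, in this embodiment, the storage medium may be located in any server of a server group in a computer network, or in any server of a server group.
Optionally, in this embodiment, the storage medium is configured to store program code for performing the following steps:
S1: acquire historical associated data of the user account corresponding to the application, where the historical associated data is information associated with the user account acquired within a preset service period;
S2: perform an evaluation using the historical associated data to obtain an evaluation result;
S3: determine a corresponding identity authentication mode according to the evaluation result, and perform identity authentication.
Optionally, in this embodiment, the storage medium is further configured to store program code for performing the following steps: receiving a first request message from user equipment, where the user equipment is configured to run the application; and performing authentication status detection on the user account according to the first request message and returning a first response message to the user equipment, where the first response message is used to confirm that the user account is an account to be authenticated.
Optionally, in this embodiment, the storage medium is further configured to store program code for performing the following steps: receiving a second request message from the user equipment; determining, according to the second request message, the authorization authentication information to be delivered; and returning a second response message to the user equipment, where the second response message carries the authorization authentication information.
Optionally, in this embodiment, the storage medium is further configured to store program code for performing the following steps: analyzing the historical associated data and constructing an evaluation model, where the evaluation model includes a level or score corresponding to each feature indicator in the historical associated data; and tallying the level or score corresponding to each feature indicator in the evaluation model to obtain the evaluation result.
Optionally, the user equipment information includes at least the following feature indicators: the Internet Protocol (IP) address information used by the user equipment, the type of operating system used by the user equipment, and the usage record of the user equipment. In this embodiment, the storage medium is further configured to store program code for performing the following steps: acquiring the IP address information, the operating system type and the usage record contained in the user equipment information, and constructing the evaluation model; determining, according to the IP address information, whether the user equipment has performed illegal operations and tallying the corresponding level or score; determining, according to the type of operating system used by the user equipment, whether that operating system has security vulnerabilities and tallying the corresponding level or score; determining, according to the usage record of the user equipment, whether high-risk applications have been installed on the user equipment and tallying the corresponding level or score; and obtaining the evaluation result by tallying the level or score corresponding to each feature indicator.
Optionally, the preset service period includes a first evaluation period and a second evaluation period. In this embodiment, the storage medium is further configured to store program code for performing the following steps: acquiring the trend of change of the historical associated data between the first evaluation period and the second evaluation period; and analyzing the trend of change to obtain the evaluation result.
Optionally, in this embodiment, the storage medium is further configured to store program code for performing the following steps: determining, according to the evaluation result, the verification steps to be performed and the identity authentication associated information to be collected in each verification step; and performing identity authentication according to the verification steps to be performed and the identity authentication associated information to be collected in each verification step.
The serial numbers of the above embodiments of the present invention are for description only and do not indicate the relative merits of the embodiments.
In the above embodiments of the present invention, the description of each embodiment has its own emphasis; for a part not described in detail in one embodiment, refer to the related descriptions of other embodiments.
In the several embodiments provided in this application, it should be understood that the disclosed technical content may be implemented in other ways. The apparatus embodiments described above are merely illustrative. For example, the division into units is only a division by logical function, and there may be other ways of dividing in actual implementation; for example, multiple units or components may be combined or integrated into another system, or some features may be ignored or not executed. In addition, the mutual couplings, direct couplings or communication connections shown or discussed may be indirect couplings or communication connections through some interfaces, units or modules, and may be electrical or take other forms.
The units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units; that is, they may be located in one place or distributed across multiple network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, the functional units in the embodiments of the present invention may be integrated into one processing unit, or each unit may exist physically on its own, or two or more units may be integrated into one unit. The integrated unit may be implemented in the form of hardware or in the form of a software functional unit.
If the integrated unit is implemented in the form of a software functional unit and sold or used as an independent product, it may be stored in a computer-readable storage medium. Based on this understanding, the technical solution of the present invention in essence, or the part that contributes to the prior art, or all or part of the technical solution, may be embodied in the form of a software product. The computer software product is stored in a storage medium and includes several instructions for causing a computer device (which may be a personal computer, a server, a network device or the like) to execute all or some of the steps of the methods described in the embodiments of the present invention. The aforementioned storage medium includes various media that can store program code, such as a USB flash drive, a Read-Only Memory (ROM), a Random Access Memory (RAM), a removable hard disk, a magnetic disk or an optical disc.
The above are only preferred implementations of the present invention. It should be pointed out that a person of ordinary skill in the art may make several improvements and refinements without departing from the principles of the present invention, and these improvements and refinements shall also be regarded as falling within the scope of protection of the present invention.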

Claims (22)

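  1. An identity authentication system, characterized by comprising: user equipment and an authentication server;
    the user equipment is configured to run an application and to request the authentication server to perform authentication status detection on the user account corresponding to the application;
    the authentication server is configured to, after determining that the user account is an account to be authenticated, perform an evaluation using the acquired historical associated data of the user account to obtain an evaluation result, determine a corresponding identity authentication mode according to the evaluation result, and perform identity authentication, wherein the historical associated data is information associated with the user account acquired within a preset service period.
  2. The system according to claim 1, characterized in that the historical associated data includes at least one of the following:
    user equipment information, user identity information, user network behavior information, and user service information.
  3. The system according to claim 1, characterized in that the authentication server is further configured to deliver authorization authentication information to the user equipment.
  4. The system according to claim 2, characterized in that the authentication server is further configured to analyze the historical associated data, construct an evaluation model, and tally the level or score corresponding to each feature indicator in the evaluation model to obtain the evaluation result.
  5. The system according to claim 4, characterized in that the user equipment information includes at least: the Internet Protocol (IP) address information used by the user equipment, the type of operating system used by the user equipment, and the usage record of the user equipment; the authentication server is further configured to construct the evaluation model according to the user equipment information and tally the level or score corresponding to each feature indicator in the evaluation model to obtain the evaluation result, wherein the feature indicators in the evaluation model include: determining, according to the IP address information, whether the user equipment has performed illegal operations; determining, according to the type of operating system used by the user equipment, whether the operating system used by the user equipment has security vulnerabilities; and determining, according to the usage record of the user equipment, whether high-risk applications have been installed on the user equipment.
  6. The system according to claim 2, characterized in that the preset service period includes a first evaluation period and a second evaluation period, and the authentication server is further configured to analyze the trend of change of the historical associated data between the first evaluation period and the second evaluation period to obtain the evaluation result.
  7. The system according to claim 5 or 6, characterized in that the authentication server is further configured to determine, according to the evaluation result, the verification steps to be performed and the identity authentication associated information to be collected in each verification step, and to perform the identity authentication according to the verification steps to be performed and the identity authentication associated information to be collected in each verification step.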
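  8. An identity authentication method for selecting an identity authentication mode, characterized by comprising:
    acquiring historical associated data of a user account corresponding to an application, wherein the historical associated data is information associated with the user account acquired within a preset service period;
    performing an evaluation using the historical associated data to obtain an evaluation result;
    determining a corresponding identity authentication mode according to the evaluation result, and performing identity authentication.
  9. The method according to claim 8, characterized in that the historical associated data includes at least one of the following:
    user equipment information, user identity information, user network behavior information, and user service information.
  10. The method according to claim 8, characterized in that, before the historical associated data is acquired, the method further comprises:
    receiving a first request message from user equipment, wherein the user equipment is configured to run the application;
    performing authentication status detection on the user account according to the first request message, and returning a first response message to the user equipment, wherein the first response message is used to confirm that the user account is an account to be authenticated.
  11. The method according to claim 10, characterized in that, after the first response message is returned to the user equipment, the method further comprises:
    receiving a second request message from the user equipment;
    determining, according to the second request message, the authorization authentication information to be delivered;
    returning a second response message to the user equipment, wherein the second response message carries the authorization authentication information.
  12. The method according to claim 9, characterized in that performing the evaluation using the historical associated data to obtain the evaluation result comprises:
    analyzing the historical associated data and constructing an evaluation model, wherein the evaluation model includes a level or score corresponding to each feature indicator in the historical associated data;
    tallying the level or score corresponding to each feature indicator in the evaluation model to obtain the evaluation result.
  13. The method according to claim 12, characterized in that the user equipment information includes at least the following feature indicators: the Internet Protocol (IP) address information used by the user equipment, the type of operating system used by the user equipment, and the usage record of the user equipment;
    analyzing the historical associated data and constructing the evaluation model comprises:
    acquiring the IP address information, the operating system type and the usage record contained in the user equipment information, and constructing the evaluation model;
    tallying the level or score corresponding to each feature indicator in the evaluation model to obtain the evaluation result comprises:
    determining, according to the IP address information, whether the user equipment has performed illegal operations and tallying the corresponding level or score; determining, according to the type of operating system used by the user equipment, whether the operating system used by the user equipment has security vulnerabilities and tallying the corresponding level or score; determining, according to the usage record of the user equipment, whether high-risk applications have been installed on the user equipment and tallying the corresponding level or score; and obtaining the evaluation result by tallying the level or score corresponding to each feature indicator.
  14. The method according to claim 13, characterized in that the IP address information, the operating system type and the usage record are used as input information, and the evaluation model is constructed using a random forest algorithm.
  15. The method according to claim 9, characterized in that the preset service period includes a first evaluation period and a second evaluation period, and performing the evaluation using the historical associated data to obtain the evaluation result comprises:
    acquiring the trend of change of the historical associated data between the first evaluation period and the second evaluation period;
    analyzing the trend of change to obtain the evaluation result.
  16. The method according to claim 13 or 15, characterized in that determining the identity authentication mode according to the evaluation result and performing the identity authentication comprises:
    determining, according to the evaluation result, the verification steps to be performed and the identity authentication associated information to be collected in each verification step;
    performing the identity authentication according to the verification steps to be performed and the identity authentication associated information to be collected in each verification step.
  17. An identity authentication method for selecting an identity authentication mode, characterized by comprising:
    running an application;
    triggering an authentication server to perform authentication status detection on the user account corresponding to the application, wherein the authentication status detection is used to perform an evaluation using the acquired historical associated data of the user account to obtain an evaluation result and to determine a corresponding identity authentication mode according to the evaluation result, and the historical associated data is information associated with the user account acquired within a preset service period.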
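  18. An account authentication method for determining whether the operator of an account has changed, characterized by comprising:
    acquiring first-period associated data and second-period associated data of an account to be authenticated, wherein the first-period associated data is data associated with the account to be authenticated within a first time period, the second-period associated data is data associated with the account to be authenticated within a second time period, and the first time period and the second time period are not completely the same;
    performing a similarity calculation on the first-period associated data and the second-period associated data to obtain a similarity result;
    determining, according to the similarity result, whether the operator of the account to be authenticated has changed.
  19. The method according to claim 18, characterized in that the data associated with the account to be authenticated within the first time period is a first operation information set, and the data associated with the account to be authenticated within the second time period is a second operation information set;
    performing the similarity calculation on the first-period associated data and the second-period associated data comprises:
    calculating the difference set of the first operation information set and the second operation information set;
    determining, according to the similarity result, whether the operator of the account to be authenticated has changed comprises:
    if the difference set exceeds a predetermined threshold, determining that the operator of the account to be authenticated has changed.
  20. The method according to claim 18, characterized in that the data associated with the account to be authenticated within the first time period is a first device information set, and the data associated with the account to be authenticated within the second time period is a second device information set;
    performing the similarity calculation on the first-period associated data and the second-period associated data comprises:
    calculating the difference set of the first device information set and the second device information set;
    determining, according to the similarity result, whether the operator of the account to be authenticated has changed comprises:
    if the difference set exceeds a predetermined threshold, determining that the operator of the account to be authenticated has changed.
  21. An identity authentication apparatus for selecting an identity authentication mode, characterized by comprising:
    an acquisition module, configured to acquire historical associated data of a user account corresponding to an application, wherein the historical associated data is information associated with the user account acquired within a preset service period;
    an evaluation module, configured to perform an evaluation using the historical associated data to obtain an evaluation result;
    an authentication module, configured to determine a corresponding identity authentication mode according to the evaluation result and perform identity authentication.
  22. An identity authentication apparatus for selecting an identity authentication mode, characterized by comprising:
    a running module, configured to run an application;
    a triggering module, configured to trigger an authentication server to perform authentication status detection on the user account corresponding to the application, wherein the authentication status detection is used to perform an evaluation using the acquired historical associated data of the user account to obtain an evaluation result and to determine a corresponding identity authentication mode according to the evaluation result, and the historical associated data is information associated with the user account acquired within a preset service period.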
PCT/CN2017/109215 2016-11-16 2017-11-03 Identity authentication system, method and apparatus, and account authentication method WO2018090839A1 (zh)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201611010182.6A CN108076018A (zh) 2016-11-16 2016-11-16 Identity authentication system, method and apparatus, and account authentication method
CN201611010182.6 2016-11-16

Publications (1)

Publication Number Publication Date
WO2018090839A1 true WO2018090839A1 (zh) 2018-05-24

Family

ID=62146141

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2017/109215 WO2018090839A1 (zh) 2016-11-16 2017-11-03 Identity authentication system, method and apparatus, and account authentication method

Country Status (3)

Country Link
CN (1) CN108076018A (zh)
TW (1) TW201820194A (zh)
WO (1) WO2018090839A1 (zh)

Also Published As

Publication number Publication date
CN108076018A (zh) 2018-05-25
TW201820194A (zh) 2018-06-01

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 17872278; Country of ref document: EP; Kind code of ref document: A1)
NENP Non-entry into the national phase (Ref country code: DE)
122 Ep: pct application non-entry in european phase (Ref document number: 17872278; Country of ref document: EP; Kind code of ref document: A1)