WO2018108123A1 - Identity authentication method, device and system - Google Patents


Info

Publication number
WO2018108123A1
Authority
WO
WIPO (PCT)
Prior art keywords
verification
seed
token
terminal
server
Application number
PCT/CN2017/116140
Other languages
French (fr)
Chinese (zh)
Inventor
袁丽娜
郝允允
李轶峰
陈云云
Original Assignee
腾讯科技(深圳)有限公司

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/32 (under H04L 9/00) including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L 9/321 (under H04L 9/32) involving a third party or a trusted authority
    • H04L 9/3213 (under H04L 9/321) using tickets or tokens, e.g. Kerberos
    • H04L 9/3234 (under H04L 9/32) involving additional secure or trusted devices, e.g. TPM, smartcard, USB or software token

Definitions

  • the present invention relates to the field of identity verification, and in particular, to an identity verification method, apparatus and system.
  • in order to protect account security, users need to set password-protection measures in multiple account systems, such as binding the Taobao security center for a Taobao account and the QQ security center for a QQ account, which requires users to use multiple applications at the same time. Binding multiple security centers is cumbersome.
  • the embodiments of the present invention provide an identity verification method, apparatus, and system, and a storage medium.
  • the embodiment of the present invention is specifically implemented by the following technical solutions:
  • an authentication method comprising:
  • the first terminal obtains an account in response to the identity verification instruction, queries a first verification seed corresponding to the account according to the account, generates a verification message, and sends the first verification seed and the verification message to the verification server;
  • the verification server obtains the message number;
  • the second terminal obtains the message number from the first terminal, acquires the verification message corresponding to the message number from the verification server according to the message number, and, in response to a confirmation instruction for the verification message, generates a token according to the second verification seed and transmits the token and the message number to the verification server;
  • the verification server queries the first verification seed according to the message number obtained from the second terminal; obtains a verification result by verifying whether the first verification seed has a legal correspondence with the token, and sends the verification result to the first terminal;
  • the first terminal acquires a verification result from the verification server.
  • an authentication method is applied to a first terminal, where the method includes:
  • the verification result is obtained by the verification server by verifying whether the first verification seed has a legal correspondence with the token; the token is generated by the second terminal according to the second verification seed.
  • an authentication method is applied to a second terminal, where the method includes:
  • a fourth aspect is an authentication device, the device comprising one or more processors and one or more non-volatile storage media, the one or more non-volatile storage media storing one or more computer-readable instructions configured to be executed by the one or more processors to implement the following steps:
  • the verification result is obtained by the verification server by verifying whether the first verification seed has a legal correspondence with the token; the token is generated by the second terminal according to the second verification seed.
  • an authentication device comprising one or more processors and one or more non-volatile storage media, the one or more non-volatile storage media storing one or more computer-readable instructions configured to be executed by the one or more processors to implement the following steps:
  • detecting a user instruction, the user instruction including a confirmation instruction;
  • a sixth aspect is an identity verification system, where the system includes a first client, a second client, and an authentication server;
  • the first client includes the above device
  • the second client includes the above described device.
  • a non-transitory computer readable storage medium storing computer readable instructions, the computer readable instructions being executable by at least one processor.
  • FIG. 1 is a schematic diagram of an implementation environment provided by an embodiment of the present invention.
  • FIG. 2 is a schematic diagram of a verification server cluster according to an embodiment of the present invention.
  • FIG. 3 is a flowchart of an identity binding method according to an embodiment of the present invention.
  • FIG. 5 is a flowchart of a method for obtaining a first verification seed according to an embodiment of the present invention
  • FIG. 6 is a schematic diagram of naming a seed obtained by a user according to an embodiment of the present invention.
  • FIG. 7 is a flowchart of a token generation algorithm according to an embodiment of the present invention.
  • FIG. 8 is a flowchart of a token verification algorithm according to an embodiment of the present invention.
  • FIG. 9 is a flowchart of another token verification algorithm according to an embodiment of the present invention.
  • FIG. 10 is a flowchart of a time correction method according to an embodiment of the present invention.
  • FIG. 11 is a flowchart of an identity verification method according to an embodiment of the present invention.
  • FIG. 12 is a schematic diagram of an interface for inputting a token according to an embodiment of the present invention.
  • FIG. 13 is a schematic diagram of an interface of a user selection token according to an embodiment of the present invention.
  • FIG. 14 is a flowchart of another identity verification method according to an embodiment of the present invention.
  • FIG. 15 is a schematic diagram of a page for generating a second verification barcode according to an embodiment of the present invention.
  • FIG. 16 is a schematic diagram of an interface for displaying a verification message according to an embodiment of the present invention.
  • FIG. 17 is a flowchart of another identity verification method according to an embodiment of the present invention.
  • FIG. 18 is a block diagram of an identity verification apparatus according to an embodiment of the present invention.
  • FIG. 19 is a block diagram of related modules for performing a binding process according to an embodiment of the present invention.
  • FIG. 20 is a block diagram of another identity verification apparatus according to an embodiment of the present invention.
  • FIG. 21 is a block diagram of a token generating module according to an embodiment of the present invention.
  • FIG. 22 is a block diagram of a module related to time correction according to an embodiment of the present invention.
  • FIG. 23 is a schematic diagram of a terminal according to an embodiment of the present invention.
  • FIG. 24 is a schematic structural diagram of a server according to an embodiment of the present invention.
  • FIG. 25 is a schematic diagram of an identity verification system according to an embodiment of the present invention.
  • security questions consist of questions selected by the user and their corresponding answers.
  • security questions are not very convenient and are often used as a secondary authentication method, for example to retrieve a password or to set other security measures.
  • security questions are a static password, which easily introduces security risks.
  • the security card can be regarded as a two-dimensional matrix containing a series of numbers; each security card has a unique identifier, and there is a correspondence between the matrix values and each user's identifier.
  • the user looks up the security card information as prompted by the server and manually enters the requested values to complete the verification process.
  • the security card is a static password, so there is a risk of screenshots and files being stolen, and it is not easy to carry.
  • Security mailbox: similar to security questions, the security mailbox is not very convenient and is often used as a secondary authentication method, for example to retrieve a password or to set other security measures; a mailbox can be cracked, which creates security risks.
  • Security mobile phone: a bound mobile phone offers better security. It mainly verifies identity by checking an SMS verification code sent to the phone, and is widely used for sensitive operations such as registration, payment, transfer and security settings. However, it relies on SMS downlink verification, which incurs operating costs paid to the carrier, and the phone can be lost or replaced.
  • Digital certificate: a digitally signed document containing the public key and its owner's information; it is mainly used for website authentication and is not universal across a large user group.
  • Face verification: a biometric technology that verifies identity from facial feature information. Face verification involves sensitive private information of the user, so its use environment is limited.
  • Fingerprint verification: a fingerprint is the pattern of ridges formed by the uneven skin on the pad of the fingertip; the ridges are regularly arranged into distinct patterns, and identification compares the minutiae of different fingerprints. It is widely used to unlock phones, open apps, pay and so on. Like face verification, fingerprint verification involves sensitive private information of users, so its use environment is limited.
  • Iris verification: the iris is the annular region between the black pupil and the white sclera and contains many interlaced spots, filaments, crowns, stripes, crypts and the like. Once formed during fetal development it remains unchanged throughout life. Iris verification has high hardware requirements and is generally used where a high degree of confidentiality is required; it also involves sensitive private information of users, so its use environment is limited.
  • security questions, the security card and the security mailbox are static passwords, which easily introduce security risks.
  • the digital certificate, face verification, fingerprint verification and iris verification have limited use environments and are not easy to promote and apply.
  • the security mobile phone has the problem of operating cost and the risk of loss. Therefore, the embodiment of the present invention provides, based on a token mode, an authentication method and corresponding device that are low-risk, suitable for wide deployment, low-cost and free from the risk of losing the mobile phone.
  • the token used in the embodiment of the present invention is a software token, and the software token can be obtained according to a seed for authenticating a user identity and a preset token generation algorithm.
  • the embodiment of the present invention may provide one or more authentication methods for the user, including but not limited to dynamic password verification, scan code verification, and one-click login.
  • FIG. 1 shows a schematic diagram of an implementation environment provided by an embodiment of the present invention.
  • the implementation environment includes a first terminal 120, an authentication server 140, and a second terminal 160.
  • the first terminal 120 runs a first client.
  • the first terminal 120 can be a mobile phone, a tablet computer, a television set, a laptop portable computer or a desktop computer. It can also be a server, a server cluster composed of several servers, or a cloud computing service center.
  • the verification server 140 can be an authentication server, a server cluster composed of several servers, or a cloud computing service center.
  • a second client is running in the second terminal 160.
  • the second terminal 160 can be a cell phone, a tablet, a laptop portable computer, a desktop computer, and the like.
  • the verification server 140 can establish a communication connection with the first terminal 120 and the second terminal 160 through the communication network, respectively.
  • the network can be either a wireless network or a wired network.
  • the first client may be any client that has a user interface (UI) interface, needs to verify the identity of the user who uses the first client, and can communicate with the authentication server 140.
  • the first client can be a video service server or client, a cable television server or client, a security service server or client, an instant messaging server or client, a mail service server or client, a game service server or client, a payment service server or client, an e-commerce service server or client, and so on.
  • the second client may be any client that has a user interface (UI) interface, needs to log in to the first client, and can communicate with the authentication server 140.
  • the second client can be a mobile client, a tablet client, a multimedia client, and the like.
  • when a client running in a terminal device implements the functions of the first client side in the method examples of the present invention, that terminal device acts as the first terminal; when the client running in a terminal device implements the functions of the second client side, that terminal device acts as the second terminal.
  • the verification server 140 when the verification server 140 is a cluster architecture, the verification server 140 may include a communication server 142, a seed management server 144, an authentication server 146, and a verification message management server 148.
  • the communication server 142 is configured to provide communication services with the first client and the second client, and to provide communication services among the seed management server 144, the authentication server 146 and the verification message management server 148.
  • the seed management server 144, the authentication server 146, and the verification message management server 148 can also communicate freely through the intranet.
  • the seed management server 144 is configured to issue a seed to the first client and perform management of the seed of the authentication server.
  • the authentication server 146 is configured to verify the identity of the second client that needs to log in to the first client.
  • the verification message management server 148 is configured to manage the verification message sent by the first client.
  • a communication connection can be established between the above various servers through a communication network.
  • the network can be either a wireless network or a wired network.
  • FIG. 3 is a flowchart of an identity binding method provided by an embodiment of the present invention. This method can be applied to the implementation environment shown in FIG. 1.
  • the method ie, the identity binding process
  • the method can include the following steps.
  • Step 301 The second client issues a binding instruction to the first client in response to the user operation.
  • FIG. 4 shows the user interface of the second client in the identity binding process.
  • the second client may issue a binding instruction to the first client by acquiring a uniform resource locator of the first client.
  • Step 302 The first client acquires an account of the user in response to the binding instruction.
  • the user may apply for an account with the first client in advance; in step 302 the user inputs the pre-applied account into the first client, from which the first client obtains the user's account.
  • before the identity binding process starts, the user is asked to apply for an account with the first client and to set a corresponding password; the first client performs legality checks on the account and the password; after these checks pass, the first client records the correspondence between the account and the password, prompts the user (by interface display or voice prompt) to enter the identity binding process, and directly obtains the user's account in step 302.
  • step 303 the first client obtains the first verification seed.
  • FIG. 5 shows a flow chart of a method for obtaining a first verification seed.
  • the method includes:
  • Step 3031: acquire an unused seed set; all unused seeds come from the verification server.
  • the first client obtains a batch of seeds from the verification server in advance and manages the acquired seeds. Specifically, the verification server sends the seeds to the first client through a secure channel.
  • if a seed has formed a binding relationship (correspondence) with another user's account after being acquired, it is a used seed; if it has not formed a binding relationship with any account after being acquired, it is an unused seed. All unused seeds constitute the unused seed set.
  • Step 3032 Select one seed in the unused seed set as the first verification seed.
  • the first client may select one of the unused seeds as the first verification seed according to a preset seed selection algorithm, or randomly select one of the unused seed sets as the first verification seed.
  • Step 304 The first client generates a verification seed, where the verification seed is a seed corresponding to the first verification seed and obtainable by the second client.
  • the first client generates the same seed as the first verification seed and uses the seed as a verification seed.
  • the methods by which the second client can obtain the verification seed include, but are not limited to, the following:
  • (1) the first client directly sends the verification seed to the second client;
  • (2) the first client generates a first verification barcode according to the verification seed. The first verification barcode is a two-dimensional code or barcode that can be scanned by the second client; the second client obtains the verification seed from it, and the token it then obtains in step 305 is a dynamic password;
  • (3) the first client generates a first verification barcode according to the verification seed and other optional information. The first verification barcode is a two-dimensional code or barcode that can be scanned by the second client. The optional information may be the user account and/or the generation time of the verification seed. The first verification barcode may be generated in encrypted form according to a preset encryption algorithm, and correspondingly the second client decrypts the first verification barcode using the preset decryption algorithm.
  • Step 305 The second client obtains a verification seed, generates a token according to the verification seed, and enables the token to be acquired by the first client.
  • the seed obtained by the second client is the verification seed, and generates a token according to a preset token generation algorithm and the seed.
  • the methods by which the first client can obtain the token include, but are not limited to, the following:
  • (1) the second client directly sends the token to the first client;
  • (2) the second client generates a binding verification code according to the token. The binding verification code is a two-dimensional code or barcode that can be scanned by the first client.
  • Step 306 The first client sends the first verification seed and the token to the verification server.
  • step 307 the verification server obtains the verification result.
  • the verification server may verify, according to a preset token verification algorithm, whether the first verification seed has a legal correspondence with the token, thereby obtaining a verification result.
  • the token verification algorithm and the token generation algorithm are related algorithms, and can be obtained by the verification server and the second client through negotiation.
  • Step 308 the verification server sends the verification result to the first client.
  • Step 309 The first client determines whether the verification is passed. If the verification succeeds, the first client stores the first verification seed, and the corresponding relationship between the first verification seed and the second client.
  • the seed obtained by the second client in step 305 is the verification seed generated by the first client. Specifically, the seed obtained by the second client is the same as the first verification seed.
  • the second client stores the obtained seed corresponding to the first verification seed; this obtained seed is the second verification seed. Further, for cases (2) and (3) of step 304, to help the second client store the obtained seed, the second client may check whether the acquired first verification barcode contains a user account. If it does, after the identity binding succeeds the second client stores the correspondence between the user account and the obtained seed (that is, the correspondence between the first client and the seed); if it does not, the user is allowed to name the obtained seed, and the correspondence between the name and the obtained seed is stored. FIG. 6 shows the user naming the obtained seed; the binding number shown is the obtained seed.
  • the first client may also notify the user that the identity binding process is successfully executed by using an interface display or a voice output.
  • the embodiment of the invention provides a method for performing identity binding before the identity verification, and the method enables the first client to obtain the binding relationship between the legal user and the seed, which is a prerequisite for subsequent use of the token for identity verification.
  • the identity binding method has no limitation on the first client, and therefore can be adapted to provide an identity binding service for multiple first clients.
  • the seed provided by the embodiment of the present invention may be any positive integer.
  • FIG. 7 illustrates the token generation algorithm executed on the second client side according to an embodiment of the present invention.
  • the token generation algorithm can include:
  • step S1 a seed for generating a token is obtained.
  • step S2 the local current system time is obtained.
  • step S3 the token is obtained according to a preset hash algorithm.
  • the time parameter corresponding to the current system time may be obtained from the current system time. For example, if there is one time parameter per 60 s, the current system time only needs to be accurate to 60 s to obtain the time parameter, and the dynamic password corresponding to the same seed changes every 60 s;
  • the seed and the time parameter are actual parameters of the hash algorithm.
  • the token in the embodiment of the present invention is composed of six digits.
  • FIG. 8 illustrates a token verification algorithm.
  • the server side token verification algorithm provided by the embodiment of the present invention may include:
  • Step S110 Acquire a seed to be verified and a token to be verified.
  • Step S120 Acquire a local current system time.
  • Step S130 obtaining a target token according to a preset hash algorithm.
  • the time parameter corresponding to the current system time may be obtained from the current system time. For example, if there is one time parameter per 60 s, the current system time only needs to be accurate to 60 s to obtain the time parameter, and the dynamic password corresponding to the same seed changes every 60 s;
  • the seed and the time parameter are actual parameters of the hash algorithm.
  • the hash algorithm is the same as the hash algorithm in step S3.
  • Step S140 determining whether the target token is the same as the token to be verified.
  • step S150 if yes, the verification is passed.
  • if the target token is the same as the token to be verified, the seed to be verified is the same as the seed that generated the token to be verified, that is, the seed to be verified has a legal correspondence with the token to be verified; therefore the verification passes.
  • Step S160 if no, the verification fails.
  • both the token generation algorithm and the token verification algorithm above depend on the current system time of the hardware executing them; therefore the token verification algorithm has a small probability of producing an unreliable verification result.
  • taking the time parameter as an example: if the seconds value of the second client's current system time in step S3 is 59 when the token is generated, and transmitting the token to the verification server takes 2 seconds, then when the verification server verifies the token the seconds value of its current system time is 01, and the time parameter obtained in step S130 differs from the one the second client used in step S3, which inevitably causes the verification to fail.
  • this verification failure is caused only by the time problem and has nothing to do with the seed, so the verification result is unreliable. In this case the verification can only be repeated, which wastes processing resources of the client and the server.
  • FIG. 9 illustrates another token verification algorithm.
  • Another server-side token verification algorithm provided by the embodiment of the present invention includes:
  • Step S210 Acquire a seed to be verified and a token to be verified.
  • Step S220 Acquire a local current system time.
  • Step S230 obtaining a first target token and a second target token according to a preset hash algorithm.
  • the time parameter corresponding to the current system time may be obtained from the current system time. For example, if there is one time parameter per 60 s, the current system time only needs to be accurate to 60 s to obtain the time parameter, and the dynamic password corresponding to the same seed changes every 60 s;
  • the first target token is obtained by using the seed and the time parameter as the actual parameters of the hash algorithm, and the second target token is obtained by using the seed and the previous time parameter as the actual parameters of the hash algorithm.
  • the hash algorithm is the same as the hash algorithm in step S3.
  • Step S240 determining whether the first target token is the same as the token to be verified.
  • step S250 if yes, the verification is passed.
  • Step S260 if no, determining whether the second target token is the same as the token to be verified.
  • step S270 if yes, the verification is passed.
  • Step S280 if no, the verification fails.
  • This token verification algorithm can largely avoid the situation where the verification result is unreliable, thereby avoiding waste of processing resources of the client and the server caused by re-authentication.
  • time correction may also be performed on the second client according to the current system time of the verification server, to avoid unreliable verification results caused by the current system time of the verification server and the current system time of the second client not being synchronized.
  • correction methods there are four types of correction methods:
  • The verification server actively pushes a first time to the second client, periodically or irregularly; the first time is the verification server's current system time at the moment of the push.
  • The verification server actively pushes the first time to the first client, periodically or irregularly; the first time is the verification server's current system time at the moment of the push. The first client then actively pushes the first time to the second client.
  • The verification server sends the first time to the first client, where the first time is the verification server's current system time at the moment of sending; the first client then actively sends the first time to the second client during its interaction with the second client.
  • The verification server sends the first time to the second client, where the first time is the verification server's current system time at the moment of sending.
  • FIG. 10 illustrates a time correction method of the second client, including:
  • Step T1 acquiring a first time from the verification server; the first time is a current system time of the verification server;
  • Step T2 acquiring a local second time; the second time is a current local system time at the moment of acquiring the first time;
  • Step T3 calculating a difference between the first time and the second time
  • step T4 the difference is stored.
  • In step S3, a corrected time is first obtained from the current system time acquired in step S2 and the difference stored in step T4, and the time parameter is then derived from the corrected time.
  • This time correction method prevents the verification result from being unreliable because the verification server's current system time and the second client's current system time are not synchronized, which further improves the reliability of the verification result and avoids the client and server processing wasted on re-verification.
  • The token generation algorithm and the token verification algorithm used in the embodiments may take other forms, as long as they allow the verification server to check whether a seed and a token legitimately correspond; these are not described here.
  • Based on a token generation algorithm and a token verification algorithm that correspond to each other, the embodiment provides an identity verification method that assumes the identity binding process has completed successfully.
  • The authentication method may be implemented by entering a token, by scanning a code, or by one-click login.
  • The authentication method places no restrictions on the first client and the second client and can therefore be used in many scenarios: verifying the user's identity before a sensitive operation such as a payment, before a password change, or when the user reports to the first client that user information has been lost. It can also be applied to one or more first clients.
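The token generation, the two-window verification of steps S210 to S280 and the clock correction of steps T1 to T4, as an added Python example; this is not code from the patent. The patent fixes neither the hash nor the token length, so HMAC-SHA256 over the seed and a 64-bit time parameter, reduced to six digits, is an assumption, and the seed, the fixed Unix time and the clock offsets in `demo_skew` are constructed.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 60  # one time parameter every 60 s, as in the description above
TOKEN_DIGITS = 6   # six-digit tokens, like the 787246 / 896332 examples later on this page


def time_parameter(system_time: int, step: int = STEP_SECONDS) -> int:
    """Truncate a Unix time in seconds to its 60 s step; that step is the time parameter."""
    return system_time // step


def generate_token(seed: bytes, time_param: int, digits: int = TOKEN_DIGITS) -> str:
    """Token = hash(seed, time parameter). The page fixes no hash; HMAC-SHA256 is an assumption."""
    mac = hmac.new(seed, struct.pack(">Q", time_param), hashlib.sha256).digest()
    value = int.from_bytes(mac[:4], "big")  # 32 bits of the MAC, reduced to the wanted digits
    return str(value % (10 ** digits)).zfill(digits)


def verify_token(seed: bytes, token: str, server_time: int) -> bool:
    """Steps S210-S280: accept the token for the current time parameter or the one before it."""
    current = time_parameter(server_time)                          # S220
    first_target = generate_token(seed, current)                   # S230, current window
    second_target = generate_token(seed, current - 1)              # S230, previous window
    if hmac.compare_digest(first_target, token):                   # S240 -> S250
        return True
    return hmac.compare_digest(second_target, token)               # S260 -> S270 / S280


class SecondClient:
    """Generates tokens from a seed, using the stored clock difference from steps T1-T4."""

    def __init__(self, seed: bytes) -> None:
        self.seed = seed
        self.difference = 0  # T4: stored difference between server time and local time

    def correct_time(self, first_time: int, second_time: int) -> None:
        # T1: first_time is the server's current system time; T2: second_time is the local
        # time at the moment first_time was received; T3/T4: compute and store the difference.
        self.difference = first_time - second_time

    def current_token(self, local_time: int) -> str:
        # Step S3 with correction: corrected time = local time + stored difference, and the
        # time parameter is derived from the corrected time rather than the raw local clock.
        return generate_token(self.seed, time_parameter(local_time + self.difference))


def demo_skew(skew_seconds: int, correct_clock: bool) -> bool:
    """Constructed scenario: the client clock runs skew_seconds ahead (+) or behind (-) the server."""
    seed = b"constructed-seed-not-from-the-patent"  # constructed sample seed
    server_time = 1_700_000_000                     # fixed Unix time, 20 s into its 60 s window
    client = SecondClient(seed)
    if correct_clock:  # the client has received the server time by one of the four delivery methods
        client.correct_time(first_time=server_time, second_time=server_time + skew_seconds)
    token = client.current_token(server_time + skew_seconds)
    return verify_token(seed, token, server_time)
```

Without correction, a client 30 s behind the server lands in the previous window and is still accepted, but a client 90 s behind, or 60 s ahead, is rejected: the algorithm as described checks only the current and the previous time parameter, never the next one, so a fast client clock is not tolerated at all. That asymmetry is what the T1 to T4 correction removes.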
  • FIG. 11 illustrates an authentication method, including:
  • Step 401 The first client acquires an account in response to the identity verification instruction.
  • the account number may be input by the user, or may be obtained by the first client by relying on the record of the browser cookie.
  • the first client also shows the user an interface for inputting a token.
  • For example, if the first client is a security center, this interface is used to enter the token generated from the second verification seed that corresponds to the security center.
  • The first client may also verify the user's identity against the user data it stores itself, that is, perform account verification to check the validity of the account.
  • the first client may require the user to input a password corresponding to the account. If the password is correct, the account verification is passed before the following authentication step can be performed. It can be seen that the identity verification mode provided by the embodiment of the present invention can be used in combination with other identity verification methods.
  • Step 402 The first client queries, according to the account, a first verification seed corresponding to the account.
  • the first client stores the corresponding relationship between the account and the first verification seed, and accordingly, the corresponding first verification seed can be obtained according to the account.
  • Step 403 The second client generates a token according to the second verification seed and enables the token to be obtained by the first client.
  • The second client generates a token according to the locally stored second verification seed and the token generation algorithm. If the second client stores only one seed, that seed is the second verification seed and the token is generated from it; if the second client stores multiple seeds, the user selects one as the second verification seed and a token is generated from it.
  • The user enters the token into the first client; FIG. 12 shows the input page.
  • In another embodiment, a token may be generated for every stored seed, and the user selects the token that corresponds to the chosen second verification seed.
  • FIG. 13 shows an interface on which the user selects a token.
  • During the binding process the second client may store multiple correspondences, each between a seed and the first client that the seed belongs to. For example, the first seed corresponds to a web mailbox and generates the token 787246, while the second seed corresponds to the security center and generates the token 896332. After the user selects a token and presses OK, the token is sent to the first client.
  • Step 404 The first client obtains the token and transmits the first verification seed and the token to an authentication server.
  • step 405 the verification server obtains the verification result.
  • the verification server may verify, according to the token verification algorithm, whether the first verification seed has a legal correspondence with the token, thereby obtaining a verification result.
  • The server's token verification algorithm and the second client's token generation algorithm correspond to each other, and may be agreed upon through negotiation between the verification server and the second client.
  • Step 406 The verification server sends the verification result to the first client.
  • Step 407 The first client determines whether the verification is passed, and if the verification passes, the identity verification passes.
  • Verification passes when the second verification seed stored by the second client in step 403 is the same as the first verification seed that the first client associates with the user's account.
  • step 408 if the verification fails, the identity verification fails.
  • The identity verification method provided by this embodiment can be applied to multiple applications, and the applications (first clients) do not affect each other. This solves the problem in the prior art that a user who uses several applications at the same time must bind several security centers, which is cumbersome.
  • The verification server does not store the correspondence between accounts in the first client and first verification seeds; it is responsible only for generating seeds and for verifying whether a seed and a token correspond. The sensitive data of the first client is therefore never involved, which protects the first client's data.
  • the authentication server provides an authentication service for the first client without requiring the first client to disclose its data privacy to the authentication server.
  • FIG. 14 illustrates another authentication method, including:
  • Step 501 The first client acquires an account in response to the identity verification instruction.
  • the account number may be input by the user, or may be obtained by the first client by relying on the record of the browser cookie.
  • the first client may also verify the identity of the user according to the stored user data, that is, perform account verification to verify the validity of the account. For example, the first client may require the user to input a password corresponding to the account. If the password is correct, the account verification is passed before the following authentication step can be performed. It can be seen that the identity verification mode provided by the embodiment of the present invention can be used in combination with other identity verification methods.
  • Step 502 The first client queries, according to the account, a first verification seed corresponding to the account.
  • the first client stores the corresponding relationship between the account and the first verification seed, and accordingly, the corresponding first verification seed can be obtained according to the account.
  • Step 503 The first client generates a verification message according to the account.
  • the verification message may include a verification message generation time and the account number.
  • For example, the content of the verification message may be "At XXX time, account XXX performed operation XXX; please confirm that this was you."
  • Step 504 The first client sends the first verification seed and the verification message to the verification server.
  • Step 505 The verification server acquires the first verification seed and the verification message, and generates a corresponding message number.
  • the server also needs to maintain the verification message, such as adding, inserting, and deleting the verification message.
  • The verification server stores the first verification seed and the verification message, and generates a message number according to a preset message number generation algorithm. The message number corresponds to the verification message and also has a one-to-one correspondence with the first verification seed.
  • The message number may be generated in the order in which verification messages are received, from the time at which the verification message is received, or from that time together with the sender identifier of the verification message (the identifier of the first client, which the first client carries in its communication with the verification server).
  • Step 506 The verification server sends the message number to the first client.
  • Step 507 The first client acquires the message number and enables the second client to obtain the message number.
  • FIG. 15 shows a generation page of the second verification barcode.
  • The first client generates a second verification barcode according to the message number.
  • The second client obtains the message number by scanning and parsing the second verification barcode.
  • the second verification barcode may be a two-dimensional code or a barcode.
  • the message number may also be directly sent by the first client to the second client.
  • Step 508 The second client acquires the verification message corresponding to the message number from the verification server according to the message number.
  • The verification message is displayed by the second client; FIG. 16 shows the second client's interface for displaying the verification message. If the user is the account holder and wants to continue the authentication, the user taps "I am operating", which sends a confirmation instruction to the second client; otherwise the user taps "reject", and the second client directly informs the verification server that the authentication process has ended. The verification server correspondingly notifies the first client that the authentication failed, and the authentication process ends.
  • Step 509 The second client generates a token according to the second verification seed in response to the confirmation instruction, and transmits the token and the message number to the verification server.
  • The second client generates a token according to the locally stored second verification seed and the token generation algorithm. If the second client stores only one seed, that seed is the second verification seed and the token is generated from it; if the second client stores multiple seeds, the user selects one as the second verification seed and a token is generated from it. In another embodiment, a token may be generated for every stored seed, and the user selects the token that corresponds to the chosen second verification seed.
  • step 510 the verification server obtains the verification result.
  • the verification server queries the first verification seed according to the message number obtained from the second client, and verifies whether the first verification seed has a legal correspondence relationship with the token according to the token verification algorithm, thereby obtaining a verification result.
  • The server's token verification algorithm and the second client's token generation algorithm correspond to each other, and may be agreed upon through negotiation between the verification server and the second client.
  • Step 511 The verification server sends the verification result to the first client.
  • step 512 the first client determines whether the verification is passed, and if the verification passes, the identity verification passes.
  • Verification passes when the second verification seed stored by the second client in step 509 is the same as the first verification seed that the first client associates with the user's account.
  • step 513 if the verification fails, the identity verification fails.
  • This embodiment provides another authentication method different from the method of inputting a token, which enriches the authentication method and avoids the user manually inputting the token, which makes the identity verification more convenient.
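The verification flows of FIG. 11 (the user types the token into the first client) and FIG. 14 (the second client obtains a message number, shows the verification message and confirms), as an added Python simulation with all three parties in one process; this is not code from the patent. The token function is a compact restatement of the hash-of-seed-and-time-parameter algorithm described earlier on this page with HMAC-SHA256 assumed; the message number layout (receive time plus sender identifier plus a random suffix), single-use message numbers, the first client named "webmail" and the account "alice" are assumptions added here. The push flow of FIG. 17 differs only in how the message number reaches the second client, so it is not modelled separately.

```python
import hashlib
import hmac
import secrets
import struct

STEP = 60  # one time parameter per 60 s, as in the token algorithm above


def generate_token(seed: bytes, time_param: int) -> str:
    """hash(seed, time parameter) reduced to six digits; HMAC-SHA256 is an assumption."""
    mac = hmac.new(seed, struct.pack(">Q", time_param), hashlib.sha256).digest()
    return str(int.from_bytes(mac[:4], "big") % 1_000_000).zfill(6)


class VerificationServer:
    """Keeps only pending messages keyed by message number; no account data (FIG. 11 discussion)."""

    def __init__(self) -> None:
        self._pending = {}  # message number -> (first verification seed, verification message)

    def verify(self, seed: bytes, token: str, now: int) -> bool:
        # Step 405 / step 510: accept the token for the current or the previous time parameter.
        step = now // STEP
        return any(hmac.compare_digest(generate_token(seed, t), token) for t in (step, step - 1))

    def create_message(self, seed: bytes, message: str, sender_id: str, now: int) -> str:
        # Step 505: store (seed, message) under a new number built from receive time and sender
        # identifier (one of the page's options); the random suffix is added so numbers cannot be guessed.
        number = f"{now}-{sender_id}-{secrets.token_hex(4)}"
        self._pending[number] = (seed, message)
        return number

    def get_message(self, number: str) -> "str | None":
        entry = self._pending.get(number)  # step 508: text for the second client to display
        return entry[1] if entry else None

    def reject(self, number: str) -> None:
        self._pending.pop(number, None)  # "reject" pressed: the authentication simply ends

    def confirm(self, number: str, token: str, now: int) -> bool:
        # Steps 509-510: look the seed up by message number and verify. The number is consumed;
        # single use is an addition here so a captured number/token pair cannot be replayed.
        entry = self._pending.pop(number, None)
        return entry is not None and self.verify(entry[0], token, now)


class FirstClient:
    """The protected application; holds account -> first verification seed (steps 402/502)."""

    def __init__(self, client_id: str, server: VerificationServer) -> None:
        self.client_id, self.server, self.seeds = client_id, server, {}

    def verify_typed_token(self, account: str, token: str, now: int) -> bool:
        # FIG. 11 steps 404-407: the seed and the token the user typed go to the server.
        return self.server.verify(self.seeds[account], token, now)

    def start_message_verification(self, account: str, operation: str, now: int) -> str:
        # FIG. 14 steps 502-506: look up the seed, build the message, receive a message number.
        msg = f"At {now}, account {account} performed {operation}; please confirm that this was you."
        return self.server.create_message(self.seeds[account], msg, self.client_id, now)


class SecondClient:
    """The authenticator; holds second verification seeds keyed by the first client they belong to."""

    def __init__(self, server: VerificationServer) -> None:
        self.server, self.seeds = server, {}

    def current_token(self, client_id: str, now: int) -> str:
        return generate_token(self.seeds[client_id], now // STEP)

    def handle_message_number(self, client_id: str, number: str, user_confirms: bool, now: int) -> bool:
        # Steps 507-509: number arrives (barcode parsing elided), the message is fetched and shown,
        # and the user's choice selects confirm (token sent with the number) or reject.
        if self.server.get_message(number) is None:
            return False
        if not user_confirms:
            self.server.reject(number)
            return False
        return self.server.confirm(number, self.current_token(client_id, now), now)


def run_flows(now: int = 1_700_000_000) -> dict:
    """Constructed walk-through: first client "webmail", account "alice", a fixed Unix time."""
    server, results = VerificationServer(), {}
    webmail, app = FirstClient("webmail", server), SecondClient(server)
    webmail.seeds["alice"] = app.seeds["webmail"] = secrets.token_bytes(20)  # binding outcome
    results["typed_token"] = webmail.verify_typed_token("alice", app.current_token("webmail", now), now)
    number = webmail.start_message_verification("alice", "a password change", now)
    results["scan_confirm"] = app.handle_message_number("webmail", number, True, now)
    results["replayed_number"] = app.handle_message_number("webmail", number, True, now)
    number = webmail.start_message_verification("alice", "a payment", now)
    results["scan_reject"] = app.handle_message_number("webmail", number, False, now)
    app.seeds["other"] = secrets.token_bytes(20)  # a seed bound to some other first client
    number = webmail.start_message_verification("alice", "a payment", now)
    results["wrong_seed"] = app.handle_message_number("other", number, True, now)
    return results
```

The point the page makes in the FIG. 11 discussion is visible in `VerificationServer`: it never sees the account name, only a seed, a message and a number. Note that the first client sends the seed itself to the server on every verification, so the first-client-to-server channel carries the shared secret and must be protected in transit; the patent text does not elaborate on that channel.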
  • FIG. 17, illustrates another authentication method, including:
  • Step 601 The first client acquires an account in response to the identity verification instruction.
  • the account number may be input by the user, or may be obtained by the first client by relying on the record of the browser cookie.
  • the first client may also verify the identity of the user according to the stored user data, that is, perform account verification to verify the validity of the account. For example, the first client may require the user to input a password corresponding to the account. If the password is correct, the account verification is passed before the following authentication step can be performed. It can be seen that the identity verification mode provided by the embodiment of the present invention can be used in combination with other identity verification methods.
  • Step 602 The first client queries, according to the account, a first verification seed corresponding to the account.
  • the first client stores the corresponding relationship between the account and the first verification seed, and accordingly, the corresponding first verification seed can be obtained according to the account.
  • Step 603 The first client generates a verification message according to the account.
  • the verification message may include a verification message generation time and the account number.
  • the content of the verification message may be “XXX time, XXX account performs XXX operation, please confirm whether it is operated by itself”.
  • Step 604 The first client sends the first verification seed and the verification message to the verification server, and requests a server push operation from the verification server.
  • Step 605 The verification server acquires the first verification seed and the verification message, and generates a corresponding message number.
  • the server also needs to maintain the verification message, such as adding, inserting, and deleting the verification message.
  • the verification server stores the first verification seed and the verification message, and generates a message number according to a preset message number generation algorithm, where the message number corresponds to the verification message, and the message number There is also a one-to-one correspondence with the first verification seed.
  • The message number may be generated in the order in which verification messages are received, from the time at which the verification message is received, or from that time together with the sender identifier of the verification message (the identifier of the first client, which the first client carries in its communication with the verification server).
  • Step 606 The verification server pushes the message number and the verification message to the second client in response to the request of the server push operation.
  • The push may be delivered over HTTP (Hypertext Transfer Protocol), for example.
  • Step 607 The second client acquires the message number and the verification message.
  • The verification message is displayed by the second client; FIG. 16 shows the second client's interface for displaying the verification message. If the user is the account holder and wants to continue the authentication, the user taps "I am operating", which sends a confirmation instruction to the second client; otherwise the user taps "reject", and the second client directly informs the verification server that the authentication process has ended. The verification server correspondingly notifies the first client that the authentication failed, and the authentication process ends.
  • Step 608 The second client generates a token according to the second verification seed in response to the confirmation instruction, and transmits the token and the message number to the verification server.
  • The second client generates a token according to the locally stored second verification seed and the token generation algorithm. If the second client stores only one seed, that seed is the second verification seed and the token is generated from it; if the second client stores multiple seeds, the user selects one as the second verification seed and a token is generated from it. In another embodiment, a token may be generated for every stored seed, and the user selects the token that corresponds to the chosen second verification seed.
  • step 609 the verification server obtains the verification result.
  • the verification server queries the first verification seed according to the message number obtained from the second client, and verifies whether the first verification seed has a legal correspondence relationship with the token according to the token verification algorithm, thereby obtaining a verification result.
  • The server's token verification algorithm and the second client's token generation algorithm correspond to each other, and may be agreed upon through negotiation between the verification server and the second client.
  • Step 610 The verification server sends the verification result to the first client.
  • step 611 the first client determines whether the verification is passed, and if the verification passes, the identity verification passes.
  • Verification passes when the second verification seed stored by the second client in step 608 is the same as the first verification seed that the first client associates with the user's account.
  • step 612 if the verification fails, the identity verification fails.
  • The identity verification method in this embodiment is a one-key login verification method: the user only needs to send a confirmation instruction to the second client and performs no other operation, which makes the method more convenient.
  • In the identity verification method, if the user's mobile phone performs the function of the second client and that phone is lost, the user may apply to the first client to perform identity binding or verification with a new phone, as long as the new phone can perform the functions of the second client. The identity binding and identity verification methods provided by the embodiments are therefore not affected by the loss of the phone and have a low operating cost compared with the currently used bound security phone authentication; compared with other common authentication methods they have the advantages of a high security factor, low cost and a wide range of application.
  • FIG. 18 shows a block diagram of an identity verification apparatus, which can implement the functions of the first client in the above method examples; the functions can be implemented by hardware, or by hardware executing corresponding software.
  • the device can include:
  • The account obtaining module 701 is configured to obtain an account. It can be used to perform steps 302, 401, 501 and 601 of the method embodiments.
  • the first verification seed query module 702 is configured to query, according to the account, a first verification seed corresponding to the account. It can be used to perform steps 402, 502, and 602 of the method embodiments.
  • the verification message generating module 703 is configured to generate an authentication message according to the account. It can be used to perform steps 503 and 603 of the method embodiment.
  • the verification message sending module 704 is configured to send the first verification seed and the verification message to the verification server. It can be used to perform steps 504 and 604 of the method embodiment.
  • the verification result obtaining module 705 is configured to obtain the verification result. It can be used to perform steps 308, 406, 511, and 610 of the method embodiments.
  • FIG. 19 shows a block diagram of related modules included in the apparatus for performing a binding process:
  • the first verification seed obtaining module 706 is configured to obtain a first verification seed. It can be used to perform step 303 of the method embodiment.
  • the seed generation module 707 is configured to generate a seed corresponding to the first verification seed. It can be used to perform step 304 of the method embodiment.
  • The token obtaining module 708 is configured to acquire a token generated by the second client. It can be used to perform steps 305 and 403 of the method embodiments.
  • the combination sending module 709 is configured to send the first verification seed and the token to the verification server. It can be used to perform steps 306 and 404 of the method embodiment.
  • the first verification seed storage module 710 is configured to: after the verification result obtaining module 705 obtains the verification result, if the verification is passed, storing the first verification seed, and the corresponding relationship between the first verification seed and the second client. It can be used to perform step 309 of the method embodiment.
  • the token acquisition module 708 and the combined transmission module 709 can also be used in the identity verification process.
  • the device may further include:
  • a seed sending module configured to send the seed to the second client. It can be used to perform step 305 of the method embodiment.
  • the device may further include:
  • the first verification barcode generating module is configured to generate a first verification barcode according to the seed. It can be used to perform step 305 of the method embodiment.
  • the device may further include:
  • the message number obtaining module is configured to obtain a message number corresponding to the verification message sent by the verification server. It can be used to perform step 506 of the method embodiment.
  • the device may further include:
  • a message number sending module configured to send the message number. It can be used to perform step 507 of the method embodiment.
  • the device may further include:
  • the second verification barcode generating module is configured to generate a second verification barcode according to the message number. It can be used to perform step 507 of the method embodiment.
  • the device may further include:
  • a request module configured to request a server push operation from the verification server. It can be used to perform step 604 of the method embodiment.
  • the first verification seed obtaining module 706 includes:
  • a set obtaining unit configured to acquire a set of unused seeds, all of which come from the verification server;
  • a selecting unit configured to randomly select one seed in the unused seed set as the first verification seed.
  • FIG. 20 illustrates an identity verification apparatus, which may be used to implement the functions of the second client in the above method examples; the functions may be implemented by hardware, or by hardware executing corresponding software.
  • the device can include:
  • the message obtaining module 801 is configured to obtain a message number and a verification message. It can be used to perform steps 507, 508, and 607 of the method embodiments.
  • the display module 802 is configured to display a verification message.
  • the user instruction monitoring module 803 is configured to detect a user instruction, and the user instruction includes a confirmation instruction.
  • the second verification seed obtaining module 804 is configured to obtain a second verification seed. It can be used to perform steps 403, 509 and 608 of the method embodiment.
  • the token generation module 805 is configured to generate a token. It can be used to perform steps 305, 403, 509 and 608 of the method embodiment.
  • the transmission module 806 is configured to transmit the message number and the token to the verification server. It can be used to perform steps 509 and 608 of the method embodiment.
  • the device may further include:
  • a verification seed obtaining module configured to obtain the verification seed. It can be used to perform step 305 of the method embodiment.
  • a second verification seed storage module configured to store the second verification seed. It can be used to perform step 309 of the method embodiment.
  • the device may further include:
  • a combined storage module configured to store a correspondence between the second verification seed and the first client. It can be used to perform step 309 of the method embodiment.
  • FIG. 21 shows a block diagram of a token generation module, which includes:
  • the time parameter obtaining unit 8051 is configured to obtain a time parameter according to the current system time. It can be used to perform steps S2 and S3 of the method embodiment.
  • the token calculation unit 8052 is configured to calculate a token according to a preset hash algorithm. It can be used to perform step S3 of the method embodiment.
  • FIG. 22 shows a block diagram of a module related to time correction, including:
  • the first time obtaining module 811 is configured to acquire the first time from the verification server. It can be used to perform step T1 of the method embodiment.
  • the second time acquisition module 812 is configured to acquire the local second time. It can be used to perform step T2 of the method embodiment.
  • the difference calculation module 813 is configured to calculate a difference between the first time and the second time. It can be used to perform step T3 of the method embodiment.
  • the difference storage module 814 is configured to store the difference. It can be used to perform step T4 of the method embodiment.
  • the time parameter obtaining unit 8051 includes:
  • the time correction value calculation module is configured to calculate a time correction value according to the current system time and the difference.
  • the time parameter acquisition module is configured to obtain a time parameter according to the time correction value.
  • the message obtaining module 801 may further include:
  • a message number obtaining unit configured to obtain a message number from the first client
  • a verification message obtaining unit configured to acquire the verification message from the verification server according to the message number.
  • the message number obtaining unit may further include:
  • a second verification barcode acquisition module configured to acquire a second verification barcode
  • a parsing module configured to parse the second verification barcode to obtain a message number.
  • the message obtaining module 801 may further include:
  • a direct acquisition unit for directly acquiring a message number and a verification message pushed by the verification server.
  • An exemplary embodiment of the present invention further provides an identity verification system. As shown in FIG. 25, the system includes a first client 901, a second client 902, and an authentication server 903.
  • The first client 901 obtains an account in response to the identity verification instruction, queries a first verification seed corresponding to the account according to the account, generates a verification message, sends the first verification seed and the verification message to the verification server 903, and obtains a message number from the verification server 903;
  • the second client 902 obtains the message number from the first client 901; acquires a verification message corresponding to the message number from the verification server 903 according to the message number; in response to the confirmation instruction to the verification message, Generating a token according to the second verification seed, and transmitting the token and the message number to the verification server 903;
  • The verification server 903 queries the first verification seed according to the message number obtained from the second client 902, obtains a verification result by verifying whether the first verification seed has a legal correspondence relationship with the token, and sends the verification result to the first client 901;
  • the first client 901 acquires a verification result from the verification server 903.
  • the first client 901 and the second client 902 may be the identity verification device described above.
  • an exemplary embodiment of the present invention further provides an identity verification system, where the system includes a first client 901, a second client 902, and an authentication server 903;
  • the first client 901 obtains an account in response to the identity verification instruction; queries the first verification seed corresponding to the account according to the account; obtains a token generated by the second client 902; and the first verification seed and the The token is transmitted to the verification server 903 and the verification result is obtained;
  • the second client 902 generates a token according to the second verification seed and enables the token to be obtained by the first client 901;
  • the verification server 903 obtains the verification result by verifying whether the first verification seed has a legal correspondence with the token, and sends the verification result to the first client 901.
  • the first client 901 and the second client 902 may be the identity verification device described above.
  • an exemplary embodiment of the present invention further provides an identity verification system, where the system includes a first client 901, a second client 902, and an authentication server 903;
  • the first client 901 obtains an account in response to the identity verification instruction, queries a first verification seed corresponding to the account according to the account, generates a verification message, sends the first verification seed and the verification message to the verification server 903, and requests a server push operation from the verification server 903;
  • the verification server 903 generates a message number corresponding to the first verification seed and the verification message, and pushes the message number and the verification message to the second client 902;
  • the second client 902 generates a token according to the second verification seed in response to the confirmation instruction of the verification message, and transmits the token and the message number to the verification server 903;
  • the verification server 903 queries the first verification seed according to the message number obtained from the second client 902; obtains a verification result by verifying whether the first verification seed has a legal correspondence relationship with the token, and sends the verification result to the first client 901;
  • the first client 901 acquires a verification result from the verification server 903.
  • the first client 901 and the second client 902 may be the identity verification device described above.
  • FIG. 23 is a schematic structural diagram of a terminal according to an embodiment of the present invention.
  • the terminal is configured to implement the functions of the first client or the second client in the identity verification method provided in the foregoing embodiment.
  • the terminal may include an RF (Radio Frequency) circuit 110, a memory 121 including one or more computer readable storage media, an input unit 130, a display unit 142, a sensor 150, an audio circuit 163, a WiFi (Wireless Fidelity) module 170, a processor 180 having one or more processing cores, a power supply 190, and the like. It will be understood by those skilled in the art that the terminal structure shown in FIG. 23 does not constitute a limitation on the terminal, which may include more or fewer components than those illustrated, combine some components, or use a different arrangement of components. Among them:
  • the RF circuit 110 can be used for receiving and transmitting signals while transmitting and receiving information or during a call. Specifically, after downlink information from the base station is received, it is handed to one or more processors 180 for processing; in addition, uplink data is sent to the base station.
  • the RF circuit 110 includes, but is not limited to, an antenna, at least one amplifier, a tuner, one or more oscillators, a Subscriber Identity Module (SIM) card, a transceiver, a coupler, an LNA (Low Noise Amplifier), a duplexer, and the like.
  • the RF circuit 110 can also communicate with the network and other devices via wireless communication.
  • the wireless communication may use any communication standard or protocol, including but not limited to GSM (Global System of Mobile communication), GPRS (General Packet Radio Service), CDMA (Code Division Multiple Access), WCDMA (Wideband Code Division Multiple Access), LTE (Long Term Evolution), e-mail, SMS (Short Messaging Service), and the like.
  • the memory 121 can be used to store software programs and modules, and the processor 180 executes various functional applications and data processing by running software programs and modules stored in the memory 121.
  • the memory 121 may mainly include a program storage area and a data storage area, wherein the program storage area may store an operating system, an application required for the function, and the like; the data storage area may store data created according to the use of the terminal, and the like.
  • the memory 121 may include a high speed random access memory, and may also include a nonvolatile memory such as at least one magnetic disk storage device, flash memory device, or other volatile solid state storage device. Accordingly, the memory 121 may also include a memory controller to provide access to the memory 121 by the processor 180 and the input unit 130.
  • the input unit 130 can be configured to receive input numeric or character information and to generate keyboard, mouse, joystick, optical or trackball signal inputs related to user settings and function controls.
  • input unit 130 can include touch-sensitive surface 131 as well as other input devices 132.
  • the touch-sensitive surface 131, also referred to as a touch screen or trackpad, can collect touch operations by the user on or near it (such as operations by the user with a finger, a stylus or any other suitable object or accessory on or near the touch-sensitive surface 131) and drive the corresponding connected device according to a preset program.
  • the touch-sensitive surface 131 can include two parts, a touch detection device and a touch controller.
  • the touch detection device detects the touch position of the user and the signal brought by the touch operation, and transmits the signal to the touch controller; the touch controller receives the touch information from the touch detection device, converts it into contact coordinates, sends them to the processor 180, and can receive commands from the processor 180 and execute them.
  • the touch-sensitive surface 131 may be implemented in various types such as resistive, capacitive, infrared, and surface acoustic wave.
  • the input unit 130 can also include other input devices 132.
  • other input devices 132 may include, but are not limited to, one or more of a physical keyboard, function keys (such as volume control buttons, switch buttons, etc.), trackballs, mice, joysticks, and the like.
  • Display unit 142 can be used to display information entered by the user or information provided to the user as well as various graphical user interfaces of the terminal, which can be composed of graphics, text, icons, video, and any combination thereof.
  • the display unit 142 may include a display panel 141.
  • the display panel 141 may be configured in the form of an LCD (Liquid Crystal Display), an OLED (Organic Light-Emitting Diode), or the like.
  • the touch-sensitive surface 131 may cover the display panel 141; when the touch-sensitive surface 131 detects a touch operation on or near it, it transmits the operation to the processor 180 to determine the type of the touch event, and the processor 180 then provides a corresponding visual output on the display panel 141 according to the type of the touch event.
  • although the touch-sensitive surface 131 and the display panel 141 are implemented as two separate components for the input and output functions, in some embodiments the touch-sensitive surface 131 can be integrated with the display panel 141 to implement the input and output functions.
  • the terminal may also include at least one type of sensor 150, such as a light sensor, a motion sensor, and other sensors.
  • the light sensor may include an ambient light sensor and a proximity sensor, wherein the ambient light sensor may adjust the brightness of the display panel 141 according to the brightness of the ambient light, and the proximity sensor may turn off the display panel 141 and/or the backlight when the terminal is moved to the ear.
  • the gravity acceleration sensor can detect the magnitude of acceleration in each direction (usually three axes), and when stationary can detect the magnitude and direction of gravity; it can be used for applications that recognize the attitude of the terminal (such as switching between landscape and portrait, related games, magnetometer attitude calibration), vibration recognition related functions (such as a pedometer, tapping), and so on; the terminal can also be configured with a gyroscope, barometer, hygrometer, thermometer, infrared sensor and other sensors, which are not described here again.
  • An audio circuit 163, a speaker 161, and a microphone 162 can provide an audio interface between the user and the terminal.
  • on the one hand, the audio circuit 163 can convert received audio data into an electrical signal and transmit it to the speaker 161, which converts it into a sound signal for output; on the other hand, the microphone 162 converts a collected sound signal into an electrical signal, which the audio circuit 163 receives and converts into audio data; the audio data is then output to the processor 180 for processing and, for example, transmitted via the RF circuit 110, or output to the memory 121 for further processing.
  • the audio circuit 163 may also include an earbud jack to provide communication of the peripheral earphones with the terminal.
  • WiFi is a short-range wireless transmission technology
  • the terminal can help users to send and receive emails, browse web pages, and access streaming media through the WiFi module 170, which provides wireless broadband Internet access for users.
  • although FIG. 23 shows the WiFi module 170, it can be understood that it is not an essential part of the terminal and may be omitted as needed without changing the essence of the invention.
  • the processor 180 is the control center of the terminal; it connects the various parts of the entire terminal using various interfaces and lines, and performs the various functions of the terminal and processes data by running or executing the software programs and/or modules stored in the memory 121 and calling the data stored in the memory 121, thereby monitoring the terminal as a whole.
  • the processor 180 may include one or more processing cores; preferably, the processor 180 may integrate an application processor and a modem processor, where the application processor mainly processes an operating system, a user interface, an application, and the like.
  • the modem processor primarily handles wireless communications. It can be understood that the above modem processor may not be integrated into the processor 180.
  • the terminal further includes a power source 190 (such as a battery) for supplying power to each component.
  • the power source can be logically connected to the processor 180 through the power management system to manage functions such as charging, discharging, and power management through the power management system.
  • Power supply 190 may also include any one or more of a DC or AC power source, a recharging system, a power failure detection circuit, a power converter or inverter, a power status indicator, and the like.
  • the terminal may further include a camera, a Bluetooth module, and the like, and details are not described herein again.
  • the display unit of the terminal is a touch screen display; the terminal further includes a memory and one or more programs, wherein the one or more programs are stored in the memory and configured to be executed by one or more processors, the one or more programs including instructions for executing the identity verification method of the first client or the second client described above.
  • FIG. 24 is a schematic structural diagram of a server according to an embodiment of the present invention.
  • the server is used to implement the authentication method of the server provided in the above embodiment. Specifically:
  • the server 1200 includes a central processing unit (CPU) 1201, a system memory 1204 including a random access memory (RAM) 1202 and a read only memory (ROM) 1203, and a system bus 1205 that connects the system memory 1204 and the central processing unit 1201.
  • the server 1200 also includes a basic input/output system (I/O system) 1206 that facilitates transfer of information between various devices within the computer, and mass storage for storing the operating system 1213, applications 1214, and other program modules 1215.
  • the basic input/output system 1206 includes a display 1208 for displaying information and an input device 1209 such as a mouse, keyboard, etc. for user input of information.
  • the display 1208 and the input device 1209 are both connected to the central processing unit 1201 via an input-output controller 1210 that is coupled to the system bus 1205.
  • the basic input/output system 1206 can also include an input output controller 1210 for receiving and processing input from a plurality of other devices, such as a keyboard, mouse, or electronic stylus.
  • input-output controller 1210 also provides output to a display screen, printer, or other type of output device.
  • the mass storage device 1207 is connected to the central processing unit 1201 by a mass storage controller (not shown) connected to the system bus 1205.
  • the mass storage device 1207 and its associated computer readable medium provide non-volatile storage for the server 1200. That is, the mass storage device 1207 can include a computer readable medium (not shown) such as a hard disk or a CD-ROM drive.
  • the computer readable medium can include computer storage media and communication media.
  • Computer storage media includes volatile and nonvolatile, removable and non-removable media implemented in any method or technology for storage of information such as computer readable instructions, data structures, program modules or other data.
  • Computer storage media include RAM, ROM, EPROM, EEPROM, flash memory or other solid state storage technologies, CD-ROM, DVD or other optical storage, tape cartridges, magnetic tape, magnetic disk storage or other magnetic storage devices.
  • the server 1200 may also be operated via a remote computer connected through a network such as the Internet. That is, the server 1200 can be connected to the network 1212 through the network interface unit 1211 connected to the system bus 1205, or can be connected to other types of network or remote computer systems (not shown) using the network interface unit 1211.
  • the memory also includes one or more programs, the one or more programs being stored in a memory and configured to be executed by one or more processors.
  • the one or more programs described above include instructions for executing the method of the server described above.
  • a non-transitory computer readable storage medium comprising instructions may also be provided, such as a memory comprising instructions executable by a processor of a terminal to perform the steps in the above method embodiments, or instructions executed by the processor of the server to complete the steps on the background server side in the above method embodiments.
  • the non-transitory computer readable storage medium may be a ROM, a random access memory (RAM), a CD-ROM, a magnetic tape, a floppy disk, and an optical data storage device.
  • the identity verification method, apparatus, and system provided by the embodiments of the present invention can be used in combination with existing identity verification methods.
  • the user can first pass the identity verification of the first client and then generate a token using the second client held by the user; only after the token has been verified by the verification server is the identity verification formally passed, which offers higher security than ordinary identity verification.
  • the verification server can provide a token verification service for multiple first clients, its function being equivalent to a security center; if the user uses multiple applications, it is no longer necessary to bind multiple security centers, thereby simplifying the user's operations.
  • a plurality as referred to herein means two or more.
  • "and/or" describes an association relationship between associated objects and indicates that three relationships may exist; for example, "A and/or B" may indicate three cases: A exists alone, A and B exist at the same time, and B exists alone.
  • the character "/" generally indicates that the contextual object is an "or" relationship.
  • a person skilled in the art may understand that all or part of the steps of implementing the above embodiments may be completed by hardware, or may be instructed by a program to execute related hardware, and the program may be stored in a computer readable storage medium.
  • the storage medium mentioned may be a read only memory, a magnetic disk or an optical disk or the like.

Abstract

Provided in the embodiments of the present invention are an identity authentication method, device and system, the method comprising: a first client obtaining an account number in response to an identity authentication instruction; querying a first authentication seed corresponding to the account number; generating an authentication message; sending the first authentication seed and the authentication message to an authentication server; and acquiring a message number from the authentication server. A second terminal obtaining the message number from the first terminal; acquiring an authentication message corresponding to the message number from the verification server according to the message number; and generating a token according to a second authentication seed in response to an acknowledgement instruction for the authentication message, and transmitting the token and the message number to the authentication server. The authentication server querying the first authentication seed according to the message number obtained from the second terminal; acquiring a verification result by means of verifying whether the first authentication seed and the token have a legal correspondence relationship, and sending the verification result to the first terminal. The first terminal acquiring the authentication result from the authentication server.
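The three-party flow of the system embodiment and the abstract above, simulated end to end as an added example (not code from the patent or from its assignee): the first client registers the first seed and a verification message and receives a message number, the second client confirms the message and sends a token with that number, and the server checks the token against the first seed it looks up by message number. Assumptions, since the page does not give them: token generation is an HMAC-SHA1 time-step scheme, the "legal correspondence" is that both seeds are the same secret bound at enrolment, the message number is single-use, and all class, function and sample names are hypothetical.

```python
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional, Tuple

# Assumed time step; this page does not give the patent's token generation algorithm (FIG. 7).
TOKEN_STEP_SECONDS = 30


def generate_token(seed: bytes, unix_time: float) -> str:
    """Derive a six-digit token from a verification seed and a time window."""
    # Assumption: an HMAC-SHA1 time-step construction stands in for the patent's own algorithm.
    window = int(unix_time // TOKEN_STEP_SECONDS).to_bytes(8, "big")
    digest = hmac.new(seed, window, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{code % 10**6:06d}"


class VerificationServer:
    """Keeps pending verifications keyed by message number, plus the results."""

    def __init__(self) -> None:
        self._pending: Dict[str, Tuple[bytes, str]] = {}
        self._results: Dict[str, bool] = {}

    def register(self, first_seed: bytes, verification_message: str) -> str:
        """Store the first seed with its message and return a fresh message number."""
        message_number = secrets.token_hex(8)
        self._pending[message_number] = (first_seed, verification_message)
        return message_number

    def verification_message(self, message_number: str) -> Optional[str]:
        entry = self._pending.get(message_number)
        return None if entry is None else entry[1]

    def verify(self, message_number: str, token: str, now: float) -> bool:
        """Look up the first seed by message number and check the token against it."""
        # The number is consumed on first use, so a replayed token under the same number fails.
        entry = self._pending.pop(message_number, None)
        if entry is None:
            self._results[message_number] = False
            return False
        first_seed, _ = entry
        # One adjacent time window each way is tolerated for clock drift between the parties.
        ok = any(
            hmac.compare_digest(generate_token(first_seed, now + d * TOKEN_STEP_SECONDS), token)
            for d in (-1, 0, 1)
        )
        self._results[message_number] = ok
        return ok

    def result(self, message_number: str) -> Optional[bool]:
        """The verification result the first client reads back; None while still pending."""
        return self._results.get(message_number)


class FirstClient:
    """The client on which the user triggers verification (e.g. a web sign-in)."""

    def __init__(self, server: VerificationServer, seeds_by_account: Dict[str, bytes]) -> None:
        self.server = server
        self.seeds_by_account = seeds_by_account

    def request_verification(self, account: str) -> str:
        """Query the first seed for the account, build the message, obtain a message number."""
        first_seed = self.seeds_by_account[account]
        message = f"Confirm sign-in for account {account}"
        return self.server.register(first_seed, message)  # the user passes this number on


class SecondClient:
    """The user's own device, holding the second verification seed."""

    def __init__(self, server: VerificationServer, second_seed: bytes) -> None:
        self.server = server
        self.second_seed = second_seed

    def confirm(self, message_number: str, now: float) -> bool:
        """Fetch the message for the number; on user confirmation send token and number."""
        if self.server.verification_message(message_number) is None:
            return False  # unknown or already consumed message number: nothing to confirm
        token = generate_token(self.second_seed, now)
        return self.server.verify(message_number, token, now)


def run_flow(shared_seed: bool, now: Optional[float] = None) -> Optional[bool]:
    """Run one end-to-end verification and return what the first client reads back."""
    # Assumption: "legal correspondence" means both seeds are the same secret bound at
    # enrolment, so the server can re-derive the second client's token from the first seed.
    now = time.time() if now is None else now
    seed = b"constructed-seed-bound-at-enrolment"  # constructed sample value
    server = VerificationServer()
    first = FirstClient(server, {"alice": seed})
    second = SecondClient(server, seed if shared_seed else b"constructed-other-device-seed")
    message_number = first.request_verification("alice")
    second.confirm(message_number, now)
    return server.result(message_number)
```

A device whose seed was never bound to the account fails, and a second submission under an already consumed message number fails even with a correct token.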

Description

Identity authentication method, device and system
This application claims priority to Chinese Patent Application No. 201611160732.2, entitled "Identity authentication method, device and system", filed with the Chinese Patent Office on December 15, 2016, the entire contents of which are incorporated herein by reference.
Technical field
The present invention relates to the field of identity authentication, and in particular to an identity authentication method, device and system.
Background of the invention
With the rapid development of the Internet, Internet services such as mobile social networking, online shopping and gaming have penetrated every aspect of life, and the value of personal accounts on the Internet keeps rising. At the same time, personal password leakage, phishing, account-stealing Trojans, social engineering and similar situations make the risk of network accounts being stolen ever higher. The traditional approach of having the user set a login password is easily broken by brute-force attempts, keystroke interception, screen capture and the like, so verifying a password alone is not sufficient to prove that a user is legitimate.
To protect account security, users have to set up password protection measures in multiple account systems, for example binding a Taobao account to the Taobao security center and a QQ account to the QQ security center. As a result, a user who uses several applications at the same time needs to bind several security centers, which is cumbersome to operate.
Summary of the invention
Embodiments of the present invention provide an identity authentication method, device and system, and a storage medium. The embodiments of the present invention are implemented specifically by the following technical solutions:
In a first aspect, an identity authentication method, the method comprising:
a first terminal obtaining an account in response to an identity authentication instruction; querying a first verification seed corresponding to the account according to the account; generating a verification message; sending the first verification seed and the verification message to a verification server; and obtaining a message number from the verification server;
a second terminal obtaining the message number from the first terminal; obtaining a verification message corresponding to the message number from the verification server according to the message number; and, in response to a confirmation instruction for the verification message, generating a token according to a second verification seed and transmitting the token and the message number to the verification server;
the verification server querying the first verification seed according to the message number obtained from the second terminal; obtaining a verification result by verifying whether the first verification seed and the token have a legal correspondence relationship, and sending the verification result to the first terminal;
the first terminal obtaining the verification result from the verification server.
In a second aspect, an identity authentication method applied to a first terminal, the method comprising:
obtaining an account in response to an identity authentication instruction;
querying, according to the account, a first verification seed corresponding to the account;
generating a verification message according to the account;
sending the first verification seed and the verification message to a verification server;
obtaining a message number from the verification server and enabling a second terminal to obtain the message number;
obtaining a verification result from the verification server, the verification result being obtained by the verification server by verifying whether the first verification seed and a token have a legal correspondence relationship, the token being generated by the second terminal according to a second verification seed.
In a third aspect, an identity authentication method applied to a second terminal, the method comprising:
obtaining a message number from a first client;
obtaining a message number from a first terminal;
obtaining, according to the message number, a verification message corresponding to the message number from the verification server;
displaying the verification message and monitoring user instructions, the user instructions including a confirmation instruction;
in response to the confirmation instruction, obtaining a second verification seed and generating a token according to the second verification seed;
transmitting the message number and the token to the verification server, so that the first terminal is able to obtain a verification result from the verification server.
In a fourth aspect, an identity authentication device, the device comprising one or more processors and one or more non-volatile storage media, the one or more non-volatile storage media storing one or more computer readable instructions configured to be executed by the one or more processors to implement the following steps:
obtaining an account in response to an identity authentication instruction;
querying, according to the account, a first verification seed corresponding to the account;
generating a verification message according to the account;
sending the first verification seed and the verification message to a verification server;
obtaining a message number from the verification server and enabling a second terminal to obtain the message number;
obtaining a verification result from the verification server, the verification result being obtained by the verification server by verifying whether the first verification seed and a token have a legal correspondence relationship, the token being generated by the second terminal according to a second verification seed.
In a fifth aspect, an identity authentication device, the device comprising one or more processors and one or more non-volatile storage media, the one or more non-volatile storage media storing one or more computer readable instructions configured to be executed by the one or more processors to implement the following steps:
obtaining a message number from a first terminal;
obtaining, according to the message number, a verification message corresponding to the message number from the verification server;
displaying the verification message;
detecting user instructions, the user instructions including a confirmation instruction;
obtaining a second verification seed in response to the confirmation instruction;
generating a token according to the second verification seed;
transmitting the message number and the token to the verification server, so that the first terminal is able to obtain a verification result from the verification server.
In a sixth aspect, an identity authentication system, the system comprising a first client, a second client and a verification server;
the first client comprising the above device;
the second client comprising the above device.
In a seventh aspect, a non-volatile computer readable storage medium storing computer readable instructions, the computer readable instructions being capable of causing at least one processor to perform the above method.
Brief description of the drawings
To illustrate the technical solutions in the embodiments of the present invention or in the prior art more clearly, the drawings required in the description of the embodiments or of the prior art are briefly introduced below. Obviously, the drawings in the following description are only some embodiments of the present invention, and a person of ordinary skill in the art can obtain other drawings from them without creative effort.
FIG. 1 is a schematic diagram of an implementation environment according to an embodiment of the present invention;
FIG. 2 is a schematic diagram of a verification server cluster according to an embodiment of the present invention;
FIG. 3 is a flowchart of an identity binding method according to an embodiment of the present invention;
FIG. 4 is a user interface of an identity binding process according to an embodiment of the present invention;
FIG. 5 is a flowchart of a method for obtaining a first verification seed according to an embodiment of the present invention;
FIG. 6 is a schematic diagram of a user naming an obtained seed according to an embodiment of the present invention;
FIG. 7 is a flowchart of a token generation algorithm according to an embodiment of the present invention;
FIG. 8 is a flowchart of a token verification algorithm according to an embodiment of the present invention;
FIG. 9 is a flowchart of another token verification algorithm according to an embodiment of the present invention;
FIG. 10 is a flowchart of a time correction method according to an embodiment of the present invention;
FIG. 11 is a flowchart of an identity authentication method according to an embodiment of the present invention;
FIG. 12 is a schematic diagram of an interface for entering a token according to an embodiment of the present invention;
FIG. 13 is a schematic diagram of an interface for a user to select a token according to an embodiment of the present invention;
FIG. 14 is a flowchart of another identity authentication method according to an embodiment of the present invention;
FIG. 15 is a schematic diagram of a page for generating a second verification barcode according to an embodiment of the present invention;
FIG. 16 is a schematic diagram of an interface for displaying a verification message according to an embodiment of the present invention;
FIG. 17 is a flowchart of another identity authentication method according to an embodiment of the present invention;
FIG. 18 is a block diagram of an identity authentication device according to an embodiment of the present invention;
FIG. 19 is a block diagram of the modules involved in the binding process according to an embodiment of the present invention;
FIG. 20 is a block diagram of another identity authentication device according to an embodiment of the present invention;
FIG. 21 is a block diagram of a token generation module according to an embodiment of the present invention;
FIG. 22 is a block diagram of the modules related to time correction according to an embodiment of the present invention;
FIG. 23 is a schematic diagram of a terminal according to an embodiment of the present invention;
FIG. 24 is a schematic structural diagram of a server according to an embodiment of the present invention;
FIG. 25 is a schematic diagram of an identity authentication system according to an embodiment of the present invention.
实施本发明的方式Mode for carrying out the invention
下面将结合本发明实施例中的附图,对本发明实施例中的技术方案进行清楚、完整地描述,显然,所描述的实施例仅仅是本发明一部分实施例,而不是全部的实施例。基于本发明中的实施例,本领域普通技术人员在没有作出创造性劳动的前提下所获得的所有其他实施例,都属于本发明保护的范围。The technical solutions in the embodiments of the present invention are clearly and completely described in the following with reference to the accompanying drawings in the embodiments of the present invention. It is obvious that the described embodiments are only a part of the embodiments of the present invention, but not all embodiments. All other embodiments obtained by a person of ordinary skill in the art based on the embodiments of the present invention without creative efforts are within the scope of the present invention.
The main identity verification methods in use are security questions, security cards, secure email, security mobile phones, digital certificates, face verification, fingerprint verification and iris verification. They are briefly analysed as follows:
Security questions: a security question consists of a question chosen by the user and its corresponding answer. Security questions are not very convenient and usually serve as an auxiliary verification method, for example for recovering a password or setting up other security measures. A security question is a static secret and therefore easily gives rise to security risks.
Security card: a security card can be regarded as a two-dimensional matrix whose cells contain numbers. Each card also has a unique identifier, and there is a correspondence between that identifier, the values in the matrix and the identifier of each user. To verify the user's identity, the user looks up the card entries that the server prompts for and enters them manually, as the server requires, to complete the verification. A security card is a static secret, so it can be stolen by a screenshot or by copying its file, and it is not easy to carry.
Secure email: like security questions, a secure email address is not very convenient and usually serves as an auxiliary verification method, for example for recovering a password or setting up other security measures. Email accounts are easy to break into, which easily gives rise to security risks.
Security mobile phone: a security mobile phone offers comparatively good security. It verifies identity mainly through an SMS verification code sent to the phone, and is widely used before sensitive operations such as registration, payment, transfers and password changes. However, downlink SMS verification incurs operating costs paid to the carrier, and the phone itself may be lost or replaced.
Digital certificate: a file, digitally signed by a certificate authority, that contains information about the owner of a public key together with the public key. It is mainly used for authenticating websites and is not generally applicable to the broad user population.
Face verification: a biometric technique that verifies identity from the features of a person's face. Identity is established by verifying the face, but face verification involves sensitive private information of the user, so the environments in which it can be used are limited.
Fingerprint verification: a fingerprint is the pattern of ridges formed by the raised and recessed skin on the front of a fingertip; the ridges are arranged regularly into distinct pattern types, and identification is performed by comparing the minutiae of different fingerprints. Fingerprint verification is widely used for unlocking phones, opening apps, payment and similar purposes. Like face verification, it involves sensitive private information of the user, so the environments in which it can be used are limited.
Iris verification: the iris is the ring-shaped region between the black pupil and the white sclera, and contains many interlaced details such as spots, filaments, crypts, furrows and stripes. Once the iris forms during fetal development it remains unchanged for life. Iris verification places high demands on hardware and is generally used only in places requiring a high degree of secrecy. It also involves sensitive private information of the user, so the environments in which it can be used are limited.
In summary, security questions, security cards and secure email are all static secrets that easily give rise to security risks; digital certificates, face verification, fingerprint verification and iris verification are limited in where they can be used and are not easy to deploy widely; and security mobile phones carry operating costs and the risk of a lost phone. The embodiments of the present invention therefore provide, on the basis of tokens, an identity verification method that is low-risk, widely applicable and low-cost, that does not depend on a phone that could be lost, and a corresponding apparatus.
The token used in the embodiments of the present invention is a software token, which is obtained from a seed used to authenticate the user's identity and a preset token generation algorithm. Specifically, the embodiments may provide one or more verification modes to the user, including but not limited to dynamic password verification, scan-code verification and one-tap login.
Refer to FIG. 1, which is a schematic diagram of an implementation environment provided by an embodiment of the present invention. The environment comprises a first terminal 120, a verification server 140 and a second terminal 160.
A first client runs on the first terminal 120. The first terminal 120 may be a mobile phone, a tablet computer, a television set, a laptop computer or a desktop computer; it may also be a server, a server cluster composed of several servers, or a cloud computing service centre.
The verification server 140 may be a single verification server, a server cluster composed of several servers, or a cloud computing service centre.
A second client runs on the second terminal 160. The second terminal 160 may be a mobile phone, a tablet computer, a laptop computer, a desktop computer or the like.
The verification server 140 may establish communication connections with the first terminal 120 and the second terminal 160 respectively over a communication network. The network may be wireless or wired.
In the embodiments of the present invention, the first client may be any client that has a user interface (UI), needs to verify the identity of the user who uses it, and is able to communicate with the verification server 140. For example, the first client may be the server or client of a video service, a cable television service, a security service, an instant messaging service, an email service, a game service, a payment service, an e-commerce service, and so on.
In the embodiments of the present invention, the second client may be any client that has a user interface (UI), needs to log in to the first client, and is able to communicate with the verification server 140. For example, the second client may be a mobile phone client, a tablet client, a multimedia client, and so on.
In practice, when the client running on a terminal device implements the functions of the first-client side in the method examples of the present invention, that terminal device acts as the first terminal; when the client running on a terminal device implements the functions of the second-client side, that terminal device acts as the second terminal.
In one example, shown in FIG. 2, when the verification server 140 has a cluster architecture it may comprise a communication server 142, a seed management server 144, an identity verification server 146 and a verification message management server 148.
The communication server 142 provides the communication service with the first client and with the second client, and provides the communication service among the seed management server 144, the identity verification server 146 and the verification message management server 148. In other embodiments, those three servers may instead communicate freely with one another over an internal network.
The seed management server 144 issues seeds to the first client and manages the seeds on the verification server side.
The identity verification server 146 verifies the identity of a second client that needs to log in to the first client.
The verification message management server 148 manages the verification messages sent by the first client.
Communication connections among the servers above may be established over a communication network, which may be wireless or wired.
Refer to FIG. 3, which is a flowchart of an identity binding method provided by an embodiment of the present invention. The method can be applied in the implementation environment shown in FIG. 1, and the method (that is, the identity binding process) may comprise the following steps.
Step 301: in response to a user operation, the second client issues a binding instruction to the first client.
Specifically, FIG. 4 shows the user interface of the second client during the identity binding process: when the user taps the "Add now" button, the second client issues the binding instruction to the first client. The second client may do so by obtaining the uniform resource locator of the first client.
Step 302: in response to the binding instruction, the first client obtains the user's account.
Specifically, in one implementation the user applies for the account from the first client in advance; in step 302 the user enters the previously obtained account into the first client, and the first client thereby obtains the user's account.
In another implementation, before the identity binding process begins, the user applies to the first client for an account and sets a corresponding password; the first client checks the validity of the account and password; if the check passes, the first client records the correspondence between the account and the password, prompts the user (through the interface or by voice) to enter the identity binding process, and obtains the user's account directly in step 302.
Step 303: the first client obtains a first verification seed.
Refer to FIG. 5, which is a flowchart of the method for obtaining the first verification seed. The method comprises:
Step 3031: obtain the set of unused seeds, all of which originate from the verification server.
The first client obtains a batch of seeds from the verification server in advance and manages them. Specifically, the verification server delivers the seeds to the first client over a secure channel.
If, after being obtained, a seed has formed a binding (correspondence) with some user's account, it is a used seed; if it has not formed a binding with any account, it is an unused seed. All unused seeds together form the unused seed set.
Step 3032: select one seed from the unused seed set as the first verification seed.
The first client may select the first verification seed from the unused seeds according to a preset seed selection algorithm, or may select one from the unused seed set at random.
Step 304: the first client generates a verification seed, which is a seed corresponding to the first verification seed and obtainable by the second client.
Specifically, the first client generates a seed identical to the first verification seed and uses it as the verification seed.
The ways of making the verification seed obtainable by the second client include, but are not limited to, the following:
(1) the first client sends the verification seed directly to the second client;
(2) the first client generates a first verification barcode from the verification seed. The first verification barcode is a two-dimensional code or a one-dimensional barcode that the second client can scan. In FIG. 4, scanning the two-dimensional code (the first verification barcode) yields the verification seed, from which the token, that is, the dynamic password, is obtained in step 305;
(3) the first client generates a first verification barcode from the verification seed together with other optional information. The first verification barcode is a two-dimensional code or a one-dimensional barcode that the second client can scan.
The optional information may be the user's account and/or the time at which the verification seed was generated.
Further, in cases (2) and (3) the first verification barcode may also be generated in encrypted form according to a preset encryption algorithm; correspondingly, the second client decrypts the first verification barcode with the matching preset decryption algorithm.
Step 305: the second client obtains the verification seed, generates a token from it, and makes the token obtainable by the first client.
The seed obtained by the second client is the verification seed; the second client generates the token from that seed according to a preset token generation algorithm.
The ways of making the token obtainable by the first client include, but are not limited to, the following:
(1) the second client sends the token directly to the first client;
(2) the second client generates a binding verification code from the token. The binding verification code is a two-dimensional code or a one-dimensional barcode that the first client can scan;
(3) the user holding the second client enters the content of the token into the first client.
Step 306: the first client sends the first verification seed and the token to the verification server.
Step 307: the verification server obtains a verification result.
Specifically, the verification server may verify, according to a preset token verification algorithm, whether the first verification seed and the token have a legitimate correspondence, and thereby obtain the verification result. The token verification algorithm and the token generation algorithm are a matched pair of algorithms, which may be agreed between the verification server and the second client.
Step 308: the verification server sends the verification result to the first client.
Step 309: the first client determines whether the verification passed; if it did, the first client stores the first verification seed and the correspondence between the first verification seed and the second client.
Specifically, if the verification passed, the seed obtained by the second client in step 305 is the verification seed generated by the first client, that is, the seed obtained by the second client is identical to the first verification seed.
The second client stores the seed it obtained; by analogy with the first verification seed, that stored seed is the second verification seed. Further, in cases (2) and (3) of step 304, to make it easier for the second client to store the seed, the second client may also check whether the first verification barcode it obtained contains a user account: if it does, then once the identity binding succeeds the second client stores the correspondence between that user account and the obtained seed (that is, the correspondence between the first client and the seed); if it does not, the user is allowed to name the obtained seed, and the correspondence between that name and the seed is stored. FIG. 6 shows the user naming an obtained seed; the "binding number" there is the obtained seed.
Specifically, if the verification passed, the first client may also inform the user through the interface or by voice output that the identity binding process has succeeded.
This embodiment provides a method of identity binding performed before identity verification. It lets the first client obtain the binding between a legitimate user and a seed, which is the precondition for the subsequent token-based identity verification. Moreover, the identity binding method places no restriction on the first client, so it can provide the identity binding service to many different first clients.
Further, the seed provided by the embodiments of the present invention may be any positive integer. Correspondingly, refer to FIG. 7, which shows a token generation algorithm. The token generation algorithm on the second-client side provided by an embodiment of the present invention may comprise:
Step S1: obtain the seed from which the token is to be generated.
Step S2: obtain the local current system time.
Step S3: obtain the token according to a preset hash algorithm.
Specifically, a time parameter corresponding to the current system time is derived from it. For example, with one time parameter every 60 s, the current system time only needs to be taken to the minute to obtain the time parameter, and the dynamic password corresponding to a given seed then changes every 60 s.
As another example, with one time parameter every 30 s, it is first determined whether the seconds field of the current system time has reached 30, and the time parameter is then assigned according to that result; the dynamic password corresponding to a given seed then changes every 30 s.
Specifically, the seed and the time parameter are the actual arguments of the hash algorithm. In the embodiments of the present invention the token consists of six digits.
Correspondingly, refer to FIG. 8, which shows a token verification algorithm. The token verification algorithm on the server side provided by an embodiment of the present invention may comprise:
Step S110: obtain the seed to be verified and the token to be verified.
Step S120: obtain the local current system time.
Step S130: obtain a target token according to a preset hash algorithm.
Specifically, a time parameter corresponding to the current system time is derived from it. For example, with one time parameter every 60 s, the current system time only needs to be taken to the minute to obtain the time parameter, and the dynamic password corresponding to a given seed then changes every 60 s.
As another example, with one time parameter every 30 s, it is first determined whether the seconds field of the current system time has reached 30, and the time parameter is then assigned according to that result; the dynamic password corresponding to a given seed then changes every 30 s.
Specifically, the seed and the time parameter are the actual arguments of the hash algorithm, which is the same hash algorithm as in step S3.
Step S140: determine whether the target token is identical to the token to be verified.
Step S150: if so, the verification passes.
If the target token is identical to the token to be verified, the seed to be verified is the same seed from which the token to be verified was generated, that is, the seed to be verified and the token to be verified have a legitimate correspondence, so the verification passes.
Step S160: if not, the verification fails.
Both the token generation algorithm and the token verification algorithm above depend on the current system time of the hardware that executes them, so the verification algorithm above has a small probability of producing an unreliable result. Take a 60 s time parameter as an example: if the seconds field of the second client's current system time when it obtains the token in step S3 reads 59, and transmitting the token to the verification server takes 2 seconds, then when the verification server verifies the token its own seconds field may read 01, so the time parameter it obtains in step S130 differs from the one the second client obtained in step S3, and verification necessarily fails. This failure is caused purely by timing and has nothing to do with the seed, so the verification result is unreliable; the only remedy is to verify again, which wastes processing resources on both the client and the server.
To improve the reliability of the verification result, refer to FIG. 9, which shows another token verification algorithm. This server-side token verification algorithm provided by an embodiment of the present invention comprises:
Step S210: obtain the seed to be verified and the token to be verified.
Step S220: obtain the local current system time.
Step S230: obtain a first target token and a second target token according to a preset hash algorithm.
Specifically, a time parameter corresponding to the current system time is derived from it. For example, with one time parameter every 60 s, the current system time only needs to be taken to the minute to obtain the time parameter, and the dynamic password corresponding to a given seed then changes every 60 s.
As another example, with one time parameter every 30 s, it is first determined whether the seconds field of the current system time has reached 30, and the time parameter is then assigned according to that result; the dynamic password corresponding to a given seed then changes every 30 s.
Specifically, the first target token is obtained by using the seed and the time parameter as the actual arguments of the hash algorithm, and the second target token is obtained by using the seed and the time parameter immediately preceding the current one as the actual arguments. The hash algorithm is the same as in step S3.
Step S240: determine whether the first target token is identical to the token to be verified.
Step S250: if so, the verification passes.
Step S260: if not, determine whether the second target token is identical to the token to be verified.
Step S270: if so, the verification passes.
Step S280: if not, the verification fails.
This token verification algorithm avoids unreliable verification results to a large extent, and so avoids the waste of client and server processing resources caused by re-verification.
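The following Python model is an added example, not the patent's own code, and it serves three passages at once: the binding process of FIG. 3 (steps 303 to 309), the token generation algorithm of FIG. 7 and the token verification algorithms of FIGS. 8 and 9. The patent fixes neither the hash of steps S3/S130 nor the encoding of the barcode, so the following are assumptions of this example: the hash is HMAC-SHA1 keyed with the seed over the 8-byte big-endian time parameter, truncated HOTP-style to six digits; the first verification barcode of step 304 is modelled as a plain dict payload carrying the seed in clear, as in case (2), so whatever carries that payload must be protected as the optional encryption of step 304 allows; the class and function names are illustrative. The default times in `run_binding` reproduce the boundary case discussed above (token generated at second 59, verified at second 01), which the FIG. 8 algorithm (`window=0`) rejects and the FIG. 9 algorithm (`window=1`) accepts.

```python
# Added example (not from the patent): seed/token model for FIGS. 3, 7, 8 and 9.
# Assumed (not fixed by the text): HMAC-SHA1 over the time parameter with the
# seed as key, HOTP-style truncation to 6 digits, barcode modelled as a dict.
import hashlib
import hmac
import random
import struct

TIME_STEP = 60   # seconds per time parameter (the text discusses 60 s and 30 s)
DIGITS = 6       # the token consists of six digits


def time_parameter(now, step=TIME_STEP):
    """Time parameter for a system time `now` (seconds): floor(now / step).
    With step=60 only the minute matters; with step=30 the minute is halved."""
    return int(now) // step


def generate_token(seed, now, step=TIME_STEP):
    """Second-client algorithm (FIG. 7, steps S1-S3): hash(seed, time parameter)."""
    key = struct.pack(">Q", int(seed))            # seed: any positive integer
    msg = struct.pack(">Q", time_parameter(now, step))
    digest = hmac.new(key, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                    # dynamic truncation (assumed)
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return "%0*d" % (DIGITS, code % 10 ** DIGITS)


def verify_token(seed, token, now, step=TIME_STEP, window=1):
    """Server algorithm of FIG. 9: accept the current time parameter or any of
    the `window` preceding ones.  window=0 is the stricter FIG. 8 algorithm."""
    current = time_parameter(now, step)
    for back in range(window + 1):
        expected = generate_token(seed, (current - back) * step, step)
        if hmac.compare_digest(expected, token):  # constant-time comparison
            return True
    return False


class VerificationServer:
    """Seed management (issues seeds) plus identity verification (step 307)."""
    def __init__(self, rng):
        self.rng = rng
    def issue_seeds(self, count):
        return [self.rng.randrange(1, 2 ** 63) for _ in range(count)]
    def verify(self, seed, token, now):
        return verify_token(seed, token, now)


class FirstClient:
    """Holds the unused seed set (step 3031) and the account -> seed bindings."""
    def __init__(self, server):
        self.server = server
        self.unused = server.issue_seeds(8)   # batch fetched in advance over a secure channel
        self.bindings = {}                    # account -> first verification seed (step 309)
    def start_binding(self, account, now):
        seed = self.unused[-1]                # step 3032: any selection rule will do
        # step 304 case (3): payload = verification seed + optional account and time
        return {"seed": seed, "account": account, "generated_at": now}
    def finish_binding(self, account, seed, token, now):
        if not self.server.verify(seed, token, now):   # steps 306-308
            return False
        self.unused.remove(seed)              # the seed is now a used seed
        self.bindings[account] = seed
        return True


class SecondClient:
    """Stores second verification seeds under the account name or a user label."""
    def __init__(self):
        self.seeds = {}
    def scan(self, barcode, now):
        seed = barcode["seed"]
        label = barcode.get("account") or "binding-%d" % (len(self.seeds) + 1)
        self.seeds[label] = seed
        return generate_token(seed, now)      # step 305


def run_binding(account="alice", scan_time=119, verify_time=121, rng_seed=7):
    """Whole FIG. 3 flow with constructed times: the token is generated at
    second 59 of one minute and verified at second 01 of the next."""
    server = VerificationServer(random.Random(rng_seed))  # deterministic seeds, example only
    first, second = FirstClient(server), SecondClient()
    barcode = first.start_binding(account, scan_time)
    token = second.scan(barcode, scan_time)
    return first.finish_binding(account, barcode["seed"], token, verify_time), first, second
```

Note that in this model the first client submits the seed itself to the server (step 306), so the verification only proves that seed and token correspond; which account that seed is bound to is recorded by the first client in step 309, not by the server.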
Further, because the token generation algorithm on the second-client side and the token verification algorithm on the verification-server side both depend on the current system time of the hardware executing them, the reliability of the verification result can be improved still further by correcting the second client's time according to the verification server's current system time, so that a mismatch between the two current system times does not make the result unreliable. Specifically, there are four correction methods:
(1) the verification server actively pushes a first time to the second client at regular or irregular intervals, the first time being the verification server's current system time at the moment of pushing;
(2) the verification server actively pushes a first time to the first client at regular or irregular intervals, the first time being the verification server's current system time at the moment of pushing, and the first client immediately pushes the first time on to the second client;
(3) during an interaction between the first client and the verification server, the verification server sends a first time to the first client, the first time being the verification server's current system time at the moment of sending, and during a subsequent interaction between the first client and the second client the first client sends the first time on to the second client;
(4) during an interaction between the second client and the verification server, the verification server sends a first time to the second client, the first time being the verification server's current system time at the moment of sending.
Specifically, refer to FIG. 10, which shows the time correction method of the second client, comprising:
Step T1: obtain the first time from the verification server, the first time being the verification server's current system time;
Step T2: obtain a local second time, the second time being the local current system time at the moment the first time is obtained;
Step T3: compute the difference between the first time and the second time;
Step T4: store the difference.
Correspondingly, in step S3 a time correction value is first obtained from the current system time acquired in step S2 and the difference stored in step T4, and the time parameter is then derived from the time correction value.
This embodiment provides a time correction method that prevents the verification result from becoming unreliable because the verification server's current system time and the second client's current system time are out of step, which further improves the reliability of the verification result and avoids the waste of client and server processing resources caused by re-verification.
Of course, the token generation algorithm and the token verification algorithm used in the embodiments of the present invention can take other forms as well. Any pair of algorithms with a fixed correspondence between generation and verification, such that the legitimacy of the relationship between a seed and a token can be checked, will serve; this is not elaborated further here.
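The time correction of steps T1 to T4, the derivation of the time parameter in step S3 and the seed-and-token check of the token verification algorithm, as an added worked example in Python that is not code from the patent. It assumes a TOTP-style generator (HMAC-SHA1 over a 30-second step, six digits) and a server tolerance of one step either side, none of which the patent specifies; the class names, the seed value and the clock values are constructed for the example. The demo function shows a second client whose clock is ten minutes off failing verification until it stores the difference, and passing afterwards.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 30   # length of one time step (assumed; the patent fixes no value)
DIGITS = 6          # token length (assumed)


def token_from_time_param(seed: bytes, time_param: int) -> str:
    """Token generation algorithm used in this example: HMAC-SHA1 over the time
    parameter, dynamically truncated to DIGITS decimal digits (TOTP-style)."""
    mac = hmac.new(seed, struct.pack(">Q", time_param), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** DIGITS)).zfill(DIGITS)


class SecondClient:
    """Holds the second verification seed and the clock difference stored in step T4."""

    def __init__(self, seed: bytes, local_clock):
        self.seed = seed
        self.local_clock = local_clock   # callable returning the local system time in seconds
        self.clock_diff = 0              # first time minus second time (step T3)

    def correct_time(self, first_time: int) -> int:
        """Steps T1 to T4: receive the server's first time, sample the local second
        time at that moment, store the difference."""
        second_time = self.local_clock()
        self.clock_diff = first_time - second_time
        return self.clock_diff

    def time_param(self) -> int:
        """Step S3: the time correction value is the local time plus the stored
        difference; the time parameter is that value counted in steps."""
        corrected = self.local_clock() + self.clock_diff
        return corrected // STEP_SECONDS

    def generate_token(self) -> str:
        return token_from_time_param(self.seed, self.time_param())


class VerificationServer:
    def __init__(self, clock, window: int = 1):
        self.clock = clock
        self.window = window   # steps of residual drift tolerated either side

    def current_time(self) -> int:
        """The first time that the server sends or pushes."""
        return self.clock()

    def verify(self, seed: bytes, token: str) -> bool:
        """Token verification algorithm: regenerate the token for every step in the
        window and compare in constant time."""
        now_param = self.clock() // STEP_SECONDS
        return any(
            hmac.compare_digest(token_from_time_param(seed, now_param + d), token)
            for d in range(-self.window, self.window + 1))


def demo(skew_seconds: int):
    """Returns (verified before correction, verified after correction) for a second
    client whose clock is skew_seconds ahead of the server's."""
    base = 1_700_000_000                              # fixed server time (constructed)
    seed = b"constructed-seed-0123456789abcdef"       # seed issued at binding (constructed)
    server = VerificationServer(clock=lambda: base)
    client = SecondClient(seed, local_clock=lambda: base + skew_seconds)
    before = server.verify(seed, client.generate_token())
    client.correct_time(server.current_time())        # the server pushes its first time
    after = server.verify(seed, client.generate_token())
    return before, after
```

The server keeps only the seed it was handed and the token; it needs no per-account state to run the check. The one-step window covers network delay and residual drift after correction, but it does not rescue a client that is minutes off, which is why the stored difference matters.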
Based on a token generation algorithm and a token verification algorithm that correspond to each other, and on the successful completion of the identity binding process, this embodiment provides an identity verification method.
Specifically, the identity verification method can be carried out in several ways, including token entry, scan-to-verify and one-click login. The method places no restriction on the first client or the second client and can therefore be used in many application scenarios, for instance to verify the user's identity before a sensitive operation such as a payment, before a password change, or when the user has lost account information and applies to the first client to have the account frozen. Further, the identity verification method can be applied to one or more first clients.
For identity verification by token entry, refer to FIG. 11, which shows an identity verification method including:
Step 401: In response to an identity verification instruction, the first client obtains the account.
Specifically, the account may be entered by the user or obtained by the first client itself from browser cookie records. Referring to FIG. 12, the first client also shows the user an interface for entering the token. FIG. 12 takes a security center as the example first client; the interface accepts a token generated from the second verification seed that corresponds to the security center.
Further, to improve the security of identity verification, before the account is obtained the first client may also verify the user's identity against the user data it stores itself, that is, perform account verification to check the legitimacy of the account. For example, the first client may require the user to enter the password corresponding to the account; only if the password is correct does account verification pass and the following identity verification steps proceed. The identity verification method provided by the embodiments of the present invention can thus be combined with other identity verification methods.
Step 402: The first client looks up the first verification seed corresponding to the account.
Specifically, during the identity binding process the first client stored the correspondence between the account and the first verification seed, so the corresponding first verification seed can be obtained from the account.
Step 403: The second client generates a token from the second verification seed and makes the token available to the first client.
Specifically, the second client generates the token from the locally stored second verification seed and the token generation algorithm. If the second client stores only one seed, that seed is the second verification seed and the token is derived from it; if the second client stores several seeds, the user selects one as the second verification seed and the token is generated from it.
In this embodiment the generated token is made available to the first client by having the user enter it into the first client; the entry page is the one shown in FIG. 12.
In another implementation, a token may be generated for every seed and the user picks the token that matches the chosen second verification seed. Refer to FIG. 13, which shows the interface on which the user selects a token. As FIG. 13 shows, the second client may have stored several correspondences during the binding process, each mapping a seed to the first client it belongs to. Taking the first seed as an example, it corresponds to the web mail client and its generated token is 787246; the second seed corresponds to the security center and its generated token is 896332. After the user selects a token and presses the confirm button, the token can be sent to the first client.
Step 404: The first client obtains the token and transmits the first verification seed and the token to the verification server.
Step 405: The verification server obtains the verification result.
Specifically, the verification server can use the token verification algorithm to check whether the first verification seed and the token have a legitimate correspondence, which yields the verification result. The server's token verification algorithm and the second client's token generation algorithm are a corresponding pair and may be agreed between the verification server and the second client by negotiation.
Step 406: The verification server sends the verification result to the first client.
Step 407: The first client determines whether verification passed; if it passed, identity verification passes.
Specifically, if verification passed, the second verification seed stored by the second client in step 403 is the same as the first verification seed that the first client associates with the user's account.
Step 408: If verification did not pass, identity verification fails.
The identity verification method provided by the embodiments of the present invention can serve multiple applications, and the applications (first clients) do not affect one another. This resolves the problem in the prior art that a user who uses several applications at once must bind several security centers, which is cumbersome. In addition, the verification server does not store the correspondence between the account at the first client and the first verification seed; it is responsible only for generating seeds and for verifying the correspondence between a seed and a token, so the sensitive data of each application (first client) is never involved, which fully protects the first client's data. The verification server provides identity verification for the first client without requiring the first client to disclose its private data to the verification server.
Refer to FIG. 14, which shows another identity verification method including:
Step 501: In response to an identity verification instruction, the first client obtains the account.
Specifically, the account may be entered by the user or obtained by the first client itself from browser cookie records.
Further, to improve the security of identity verification, before the account is obtained the first client may also verify the user's identity against the user data it stores itself, that is, perform account verification to check the legitimacy of the account. For example, the first client may require the user to enter the password corresponding to the account; only if the password is correct does account verification pass and the following identity verification steps proceed. The identity verification method provided by the embodiments of the present invention can thus be combined with other identity verification methods.
Step 502: The first client looks up the first verification seed corresponding to the account.
Specifically, during the identity binding process the first client stored the correspondence between the account and the first verification seed, so the corresponding first verification seed can be obtained from the account.
Step 503: The first client generates a verification message from the account.
Specifically, the verification message may include the time at which the verification message was generated and the account. For example, the content of the verification message may be "At time XXX, account XXX is performing operation XXX; please confirm that this is you."
Step 504: The first client sends the first verification seed and the verification message to the verification server.
Step 505: The verification server obtains the first verification seed and the verification message and generates a corresponding message number.
Specifically, in this embodiment the server also has to maintain the verification messages, for example by adding, inserting and deleting them.
Specifically, the verification server stores the first verification seed and the verification message and generates a message number according to a preset message number generation algorithm. The message number corresponds one-to-one to the verification message, and it also corresponds one-to-one to the first verification seed. The message number generation algorithm may number the verification messages in the order in which they are received, by the time at which they are received, or by the time of receipt together with the identifier of the message sender (the first client's identifier, which is carried in its communication with the verification server).
Step 506: The verification server sends the message number to the first client.
Step 507: The first client obtains the message number and makes it available to the second client.
Specifically, for the scan-to-verify method, refer to FIG. 15, which shows the page on which the second verification barcode is generated. The first client generates a second verification barcode from the message number, and the second client obtains the message number by scanning and decoding the second verification barcode; the second verification barcode may be a QR code or a one-dimensional barcode.
In other embodiments the first client may instead send the message number directly to the second client.
Step 508: The second client retrieves the verification message corresponding to the message number from the verification server.
Specifically, the second client displays the verification message; refer to FIG. 16, which shows the interface on which the second client displays the verification message. If the user is the account holder and wishes to continue with identity verification, the user taps "It's me", which sends a confirmation instruction to the second client; otherwise the user taps "Reject", whereupon the second client directly notifies the verification server that the identity verification process has ended, the verification server in turn notifies the first client that identity verification failed, and the identity verification process ends.
Step 509: In response to the confirmation instruction, the second client generates a token from the second verification seed and transmits the token together with the message number to the verification server.
Specifically, the second client generates the token from the locally stored second verification seed and the token generation algorithm. If the second client stores only one seed, that seed is the second verification seed and the token is derived from it; if the second client stores several seeds, the user selects one as the second verification seed and the token is generated from it. In another implementation, a token may be generated for every seed and the user picks the token that matches the chosen second verification seed.
Step 510: The verification server obtains the verification result.
Specifically, the verification server looks up the first verification seed by the message number received from the second client and uses the token verification algorithm to check whether the first verification seed and the token have a legitimate correspondence, which yields the verification result. The server's token verification algorithm and the second client's token generation algorithm are a corresponding pair and may be agreed between the verification server and the second client by negotiation.
Step 511: The verification server sends the verification result to the first client.
Step 512: The first client determines whether verification passed; if it passed, identity verification passes.
Specifically, if verification passed, the second verification seed stored by the second client in step 509 is the same as the first verification seed that the first client associates with the user's account.
Step 513: If verification did not pass, identity verification fails.
Unlike token entry, this embodiment provides a further identity verification method, which broadens the range of verification methods and spares the user from typing the token manually, making identity verification more convenient.
Refer to FIG. 17, which shows another identity verification method including:
Step 601: In response to an identity verification instruction, the first client obtains the account.
Specifically, the account may be entered by the user or obtained by the first client itself from browser cookie records.
Further, to improve the security of identity verification, before the account is obtained the first client may also verify the user's identity against the user data it stores itself, that is, perform account verification to check the legitimacy of the account. For example, the first client may require the user to enter the password corresponding to the account; only if the password is correct does account verification pass and the following identity verification steps proceed. The identity verification method provided by the embodiments of the present invention can thus be combined with other identity verification methods.
Step 602: The first client looks up the first verification seed corresponding to the account.
Specifically, during the identity binding process the first client stored the correspondence between the account and the first verification seed, so the corresponding first verification seed can be obtained from the account.
Step 603: The first client generates a verification message from the account.
Specifically, the verification message may include the time at which the verification message was generated and the account. For example, the content of the verification message may be "At time XXX, account XXX is performing operation XXX; please confirm that this is you."
Step 604: The first client sends the first verification seed and the verification message to the verification server and requests a server push operation from the verification server.
Step 605: The verification server obtains the first verification seed and the verification message and generates a corresponding message number.
Specifically, in this embodiment the server also has to maintain the verification messages, for example by adding, inserting and deleting them.
Specifically, the verification server stores the first verification seed and the verification message and generates a message number according to a preset message number generation algorithm. The message number corresponds one-to-one to the verification message, and it also corresponds one-to-one to the first verification seed. The message number generation algorithm may number the verification messages in the order in which they are received, by the time at which they are received, or by the time of receipt together with the identifier of the message sender (the first client's identifier, which is carried in its communication with the verification server).
Step 606: In response to the request for a server push operation, the verification server pushes the message number and the verification message to the second client.
Specifically, a long-lived HTTP (HyperText Transfer Protocol) connection is established between the verification server and the second client as a secure channel, and server push is used to deliver the message number and the verification message to the second client proactively. (A persistent HTTP connection on its own provides neither confidentiality nor integrity; in a deployment the channel would be carried over TLS.)
Step 607: The second client obtains the message number and the verification message.
Specifically, the second client displays the verification message; refer to FIG. 16, which shows the interface on which the second client displays the verification message. If the user is the account holder and wishes to continue with identity verification, the user taps "It's me", which sends a confirmation instruction to the second client; otherwise the user taps "Reject", whereupon the second client directly notifies the verification server that the identity verification process has ended, the verification server in turn notifies the first client that identity verification failed, and the identity verification process ends.
Step 608: In response to the confirmation instruction, the second client generates a token from the second verification seed and transmits the token together with the message number to the verification server.
Specifically, the second client generates the token from the locally stored second verification seed and the token generation algorithm. If the second client stores only one seed, that seed is the second verification seed and the token is derived from it; if the second client stores several seeds, the user selects one as the second verification seed and the token is generated from it. In another implementation, a token may be generated for every seed and the user picks the token that matches the chosen second verification seed.
Step 609: The verification server obtains the verification result.
Specifically, the verification server looks up the first verification seed by the message number received from the second client and uses the token verification algorithm to check whether the first verification seed and the token have a legitimate correspondence, which yields the verification result. The server's token verification algorithm and the second client's token generation algorithm are a corresponding pair and may be agreed between the verification server and the second client by negotiation.
Step 610: The verification server sends the verification result to the first client.
Step 611: The first client determines whether verification passed; if it passed, identity verification passes.
Specifically, if verification passed, the second verification seed stored by the second client in step 608 is the same as the first verification seed that the first client associates with the user's account.
Step 612: If verification did not pass, identity verification fails.
This embodiment provides yet another identity verification method, specifically a one-click login verification method: the user need only send a confirmation instruction to the second client, no other action is required, and the method of this embodiment is therefore even more convenient.
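The message-number flow of steps 505 to 513 and 605 to 612 played through by all three parties, as an added example in Python that is not the patent's code. The token generator is a short keyed-hash stand-in for the patent's unspecified algorithm; the message lifetime, the random message number and the names VerificationServer, run_flow and ACCOUNT_TO_SEED are assumptions made for the example, and the seed and the message text are constructed values.

```python
import hashlib
import hmac
import secrets
import time

STEP = 30            # time step of the token algorithm (assumed)
MESSAGE_TTL = 120    # seconds a pending verification message stays valid (assumed)


def make_token(seed: bytes, now: int) -> str:
    """Stand-in token generation algorithm: keyed hash of the current time step.
    Any generator with a matching verification routine would do, as the text says."""
    return hmac.new(seed, str(now // STEP).encode(), hashlib.sha256).hexdigest()[:8]


class VerificationServer:
    """Keeps pending verification messages keyed by message number (steps 505/605).
    No account-to-seed table is kept: the first seed arrives with each request and
    is dropped once the message is consumed."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.pending = {}    # message_no -> {"seed", "message", "created"}
        self.results = {}    # message_no -> "passed" | "failed"

    def new_message(self, first_seed: bytes, message: str) -> str:
        # A random message number is used here (assumption) so that a pending
        # message cannot be guessed or enumerated by a third party.
        message_no = secrets.token_urlsafe(16)
        self.pending[message_no] = {"seed": first_seed, "message": message,
                                    "created": int(self.clock())}
        return message_no

    def fetch_message(self, message_no: str):
        """Step 508: the second client retrieves the message text for display."""
        entry = self.pending.get(message_no)
        return None if entry is None else entry["message"]

    def reject(self, message_no: str) -> None:
        """'Reject' on the second client: the flow ends and the first client sees failure."""
        if self.pending.pop(message_no, None) is not None:
            self.results[message_no] = "failed"

    def verify(self, message_no: str, token: str) -> bool:
        """Steps 510/609: find the first seed by message number and check the token.
        The entry is consumed whatever the outcome, so the pair cannot be replayed."""
        entry = self.pending.pop(message_no, None)
        if entry is None:
            return False
        now = int(self.clock())
        fresh = now - entry["created"] <= MESSAGE_TTL
        ok = fresh and any(
            hmac.compare_digest(make_token(entry["seed"], now + d * STEP), token)
            for d in (-1, 0, 1))                 # tolerate one step of residual skew
        self.results[message_no] = "passed" if ok else "failed"
        return ok

    def result(self, message_no: str) -> str:
        """Steps 511/610: what the first client is told."""
        if message_no in self.pending:
            return "pending"
        return self.results.get(message_no, "unknown")


SHARED_SEED = b"constructed-seed-0123456789abcdef"   # issued at binding (constructed value)
ACCOUNT_TO_SEED = {"alice": SHARED_SEED}             # the first client's own table


def run_flow(confirm: bool, second_seed: bytes = SHARED_SEED, clock=lambda: 1_700_000_000):
    """Plays the message-number flow end to end; returns (result, server, message_no)."""
    server = VerificationServer(clock=clock)
    # Steps 501-504: the first client looks up the seed for the account and sends
    # the seed together with the verification message.
    first_seed = ACCOUNT_TO_SEED["alice"]
    message = f"{clock()}: account alice is changing its password; confirm that this is you"
    message_no = server.new_message(first_seed, message)
    # Steps 507-508 (QR code) or 606-607 (server push): the message number reaches
    # the second client, which retrieves and displays the message text.
    if server.fetch_message(message_no) != message:
        raise RuntimeError("message lookup failed")
    if confirm:
        # Step 509/608: the user tapped confirm; the second client derives a token
        # from its own seed and returns it with the message number.
        server.verify(message_no, make_token(second_seed, int(clock())))
    else:
        server.reject(message_no)
    return server.result(message_no), server, message_no
```

The server holds the first seed only for the lifetime of a pending message and finds it by message number, which is what lets it verify without any account table. Because the message number is both what the second client uses to fetch the message text and what ties the token to the seed, the example draws it from a CSPRNG rather than numbering messages sequentially or by arrival time, which would make pending messages guessable; each entry is consumed on the first verify or reject, so a captured message number and token cannot be replayed, and a message older than MESSAGE_TTL fails even with a correct token.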
In the identity verification method provided by the embodiments of the present invention, if the user runs the second client on a mobile phone and the phone is lost, the user can apply to the first client to perform identity binding or verification with a new phone, provided the new phone can run the second client. The identity binding method and the identity verification method provided by the embodiments of the present invention therefore have, compared with the currently common verification by a bound "security phone" number, the significant advantages of being unaffected by loss of the phone and of low operating cost; compared with other common identity verification methods, they further offer a high level of security, low cost and broad applicability.
下述为本发明装置实施例,可以用于执行本发明方法实施例。对于本发明装置实施例中未披露的细节,请参照本发明方法实施例。The following is an embodiment of the apparatus of the present invention, which can be used to carry out the method embodiments of the present invention. For details not disclosed in the embodiment of the device of the present invention, please refer to the method embodiment of the present invention.
请参考图18,其示出了一种身份验证装置的框图,该装置能够实现上述方法示例中第一客户端的功能,所述功能可以由硬件实现,也可以由硬件执行相应的软件实现。该装置可以包括:Please refer to FIG. 18, which shows a block diagram of an identity verification apparatus, which can implement the functions of the first client in the above method example, and the functions can be implemented by hardware or by corresponding software implementation by hardware. The device can include:
账号获取模块701,用于获取账号。可用于执行方法实施例的步骤302、401、501和601。The account obtaining module 701 is configured to obtain an account. Steps 302, 401, 501, and 601 can be performed to perform the method embodiments.
第一验证种子查询模块702,用于根据所述账号查询与所述账号对应的第一验证种子。可用于执行方法实施例的步骤402、502和602。The first verification seed query module 702 is configured to query, according to the account, a first verification seed corresponding to the account. It can be used to perform steps 402, 502, and 602 of the method embodiments.
验证消息生成模块703,用于根据账号生成验证消息。可用于执行方法实施例的步骤503和603。The verification message generating module 703 is configured to generate an authentication message according to the account. It can be used to perform steps 503 and 603 of the method embodiment.
验证消息发送模块704,用于向验证服务器发送第一验证种子和验证消息。可用于执行方法实施例的步骤504和604。The verification message sending module 704 is configured to send the first verification seed and the verification message to the verification server. It can be used to perform steps 504 and 604 of the method embodiment.
验证结果获取模块705,用于获取验证结果。可用于执行方法实施例的步骤308、406、511和610。The verification result obtaining module 705 is configured to obtain the verification result. It can be used to perform steps 308, 406, 511, and 610 of the method embodiments.
进一步地,请参考图19,其示出了所述装置包括的用于进行绑定流程的相关模块的框图:Further, please refer to FIG. 19, which shows a block diagram of related modules included in the apparatus for performing a binding process:
第一验证种子获取模块706,用于得到第一验证种子。可用于执行方法实施例的步骤303。The first verification seed obtaining module 706 is configured to obtain a first verification seed. It can be used to perform step 303 of the method embodiment.
种子生成模块707,用于生成与第一验证种子相对应的种子。可用于执行方法实施例的步骤304。The seed generation module 707 is configured to generate a seed corresponding to the first verification seed. It can be used to perform step 304 of the method embodiment.
令牌获取模块708,用于获取由第二客户端生成的令牌。可用于执行方法实施例的步 骤305和403。The token obtaining module 708 is configured to acquire a token generated by the second client. Steps that can be used to perform method embodiments Steps 305 and 403.
组合发送模块709,用于将第一验证种子和令牌发送至验证服务器。可用于执行方法实施例的步骤306和404。The combination sending module 709 is configured to send the first verification seed and the token to the verification server. It can be used to perform steps 306 and 404 of the method embodiment.
第一验证种子存储模块710,用于在验证结果获取模块705获取验证结果后,若验证通过,存储第一验证种子,以及所述第一验证种子与第二客户端的对应关系。可用于执行方法实施例的步骤309。The first verification seed storage module 710 is configured to: after the verification result obtaining module 705 obtains the verification result, if the verification is passed, storing the first verification seed, and the corresponding relationship between the first verification seed and the second client. It can be used to perform step 309 of the method embodiment.
The token obtaining module 708 and the combination sending module 709 may also be used in the identity verification process.
Further, the apparatus may also include:
a seed sending module, configured to send the seed to the second client; it may be used to perform step 305 of the method embodiments.
Further, the apparatus may also include:
a first verification barcode generating module, configured to generate a first verification barcode according to the seed; it may be used to perform step 305 of the method embodiments.
Further, the apparatus may also include:
a message number obtaining module, configured to obtain the message number, sent by the verification server, that corresponds to the verification message; it may be used to perform step 506 of the method embodiments.
Further, the apparatus may also include:
a message number sending module, configured to send the message number; it may be used to perform step 507 of the method embodiments.
Further, the apparatus may also include:
a second verification barcode generating module, configured to generate a second verification barcode according to the message number; it may be used to perform step 507 of the method embodiments.
Further, the apparatus may also include:
a request module, configured to request a server push operation from the verification server; it may be used to perform step 604 of the method embodiments.
Further, the first verification seed obtaining module 706 includes:
a set obtaining unit, configured to obtain a set of unused seeds, all of which come from the verification server;
a selecting unit, configured to randomly select one seed from the set of unused seeds as the first verification seed.
Please refer to FIG. 20, which shows an identity verification apparatus that may be used to implement the functions of the second client in the above method examples; the functions may be implemented by hardware, or by hardware executing corresponding software. The apparatus may include:
a message obtaining module 801, configured to obtain the message number and the verification message; it may be used to perform steps 507, 508 and 607 of the method embodiments.
a display module 802, configured to display the verification message.
a user instruction monitoring module 803, configured to detect user instructions, which include a confirmation instruction.
a second verification seed obtaining module 804, configured to obtain the second verification seed; it may be used to perform steps 403, 509 and 608 of the method embodiments.
a token generation module 805, configured to generate the token; it may be used to perform steps 305, 403, 509 and 608 of the method embodiments.
a transmission module 806, configured to transmit the message number and the token to the verification server; it may be used to perform steps 509 and 608 of the method embodiments.
Further, the apparatus may also include:
a verification seed obtaining module, configured to obtain the verification seed; it may be used to perform step 305 of the method embodiments.
a second verification seed storage module, configured to store the second verification seed; it may be used to perform step 309 of the method embodiments.
Further, the apparatus may also include:
a combination storage module, configured to store the correspondence between the second verification seed and the first client; it may be used to perform step 309 of the method embodiments.
Please refer to FIG. 21, which shows a block diagram of the token generation module; the token generation module 805 includes:
a time parameter obtaining unit 8051, configured to obtain a time parameter according to the current system time; it may be used to perform steps S2 and S3 of the method embodiments.
a token calculation unit 8052, configured to calculate the token according to a preset hash algorithm; it may be used to perform step S3 of the method embodiments.
Further, please refer to FIG. 22, which shows a block diagram of the modules related to time correction, including:
a first time obtaining module 811, configured to obtain a first time from the verification server; it may be used to perform step T1 of the method embodiments.
a second time obtaining module 812, configured to obtain a local second time; it may be used to perform step T2 of the method embodiments.
a difference calculation module 813, configured to calculate the difference between the first time and the second time; it may be used to perform step T3 of the method embodiments.
a difference storage module 814, configured to store the difference; it may be used to perform step T4 of the method embodiments.
Correspondingly, the time parameter obtaining unit 8051 includes:
a time correction value calculation module, configured to calculate a time correction value according to the current system time and the stored difference;
a time parameter obtaining module, configured to obtain the time parameter according to the time correction value.
Further, the message obtaining module 801 may also include:
a message number obtaining unit, configured to obtain the message number from the first client;
a verification message obtaining unit, configured to obtain the verification message from the verification server according to the message number.
Further, the message number obtaining unit may also include:
a second verification barcode obtaining module, configured to obtain the second verification barcode;
a parsing module, configured to parse the second verification barcode to obtain the message number.
Further, the message obtaining module 801 may also include:
a direct obtaining unit, configured to directly obtain the message number and the verification message pushed by the verification server.
An exemplary embodiment of the present invention also provides an identity verification system. As shown in FIG. 25, the system includes a first client 901, a second client 902 and a verification server 903;
In response to an identity verification instruction, the first client 901 obtains an account; queries the first verification seed corresponding to the account; generates a verification message; sends the first verification seed and the verification message to the verification server 903; and obtains a message number from the verification server 903;
The second client 902 obtains the message number from the first client 901; obtains from the verification server 903 the verification message corresponding to the message number; and, in response to a confirmation instruction for the verification message, generates a token from the second verification seed and transmits the token and the message number to the verification server 903;
The verification server 903 looks up the first verification seed by the message number obtained from the second client 902; obtains a verification result by checking whether the first verification seed and the token have a legitimate correspondence; and sends the verification result to the first client 901;
The first client 901 obtains the verification result from the verification server 903.
Specifically, the first client 901 and the second client 902 may be the identity verification apparatus described above.
Based on FIG. 25, an exemplary embodiment of the present invention also provides an identity verification system including a first client 901, a second client 902 and a verification server 903;
In response to an identity verification instruction, the first client 901 obtains an account; queries the first verification seed corresponding to the account; obtains a token generated by the second client 902; transmits the first verification seed and the token to the verification server 903; and obtains a verification result;
The second client 902 generates a token from the second verification seed and makes the token obtainable by the first client 901;
The verification server 903 obtains the verification result by checking whether the first verification seed and the token have a legitimate correspondence, and sends the verification result to the first client 901.
Specifically, the first client 901 and the second client 902 may be the identity verification apparatus described above.
Based on FIG. 25, an exemplary embodiment of the present invention also provides an identity verification system including a first client 901, a second client 902 and a verification server 903;
In response to an identity verification instruction, the first client 901 obtains an account; queries the first verification seed corresponding to the account; generates a verification message; sends the first verification seed and the verification message to the verification server 903; and requests a server push operation from the verification server 903;
The verification server 903 generates a message number corresponding to the first verification seed and the verification message, and pushes the message number and the verification message to the second client 902;
In response to a confirmation instruction for the verification message, the second client 902 generates a token from the second verification seed and transmits the token and the message number to the verification server 903;
The verification server 903 looks up the first verification seed by the message number obtained from the second client 902; obtains a verification result by checking whether the first verification seed and the token have a legitimate correspondence; and sends the verification result to the first client 901;
The first client 901 obtains the verification result from the verification server 903.
Specifically, the first client 901 and the second client 902 may be the identity verification apparatus described above.
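The following is an added example, not code from the patent or its assignee, that models the three-party exchange of FIG. 25 together with the token generation module of FIG. 21 and the time correction modules of FIG. 22. The patent does not fix the hash algorithm, the time step, the tolerance window or the message number format, so these are assumptions here: HMAC-SHA256 over a 30-second step counter with 6-digit HOTP-style truncation, a window of plus or minus one step on the server, and a constructed `MSG-nnnnnn` message number. It also goes slightly beyond the text in two ways the lead-in makes explicit: a message number is consumed on first use, and the server only accepts tokens that fall inside its own time window, which is what makes the stored time difference matter. All seeds, clocks and messages are constructed sample values.

```python
import hashlib
import hmac
import struct

# Assumed parameters (the patent leaves them unspecified): 30-second time step,
# HMAC-SHA256 as the "preset hash algorithm", 6-digit HOTP-style truncation,
# and a tolerance of +/- 1 step when the server checks a token.
TIME_STEP = 30
DIGITS = 6
WINDOW = 1


def time_parameter(local_time, stored_difference, step=TIME_STEP):
    """Time correction value = current system time + stored difference
    (first time minus second time, steps T1-T4), quantised to a step counter (S2)."""
    return int((local_time + stored_difference) // step)


def generate_token(seed, time_param, digits=DIGITS):
    """Step S3: derive the token from the seed and the time parameter."""
    mac = hmac.new(seed, struct.pack(">Q", time_param), hashlib.sha256).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


class VerificationServer:
    """Keeps pending verifications keyed by message number and checks tokens."""

    def __init__(self):
        self._pending = {}  # message number -> (first verification seed, verification message)
        self._counter = 0

    def current_time(self, true_now):
        return true_now  # the server clock is the reference "first time" (T1)

    def register(self, first_seed, verification_message):
        # Bind a fresh message number to the seed and the message (step 506).
        self._counter += 1
        message_number = f"MSG-{self._counter:06d}"  # constructed format
        self._pending[message_number] = (first_seed, verification_message)
        return message_number

    def verification_message(self, message_number):
        return self._pending[message_number][1]

    def verify(self, message_number, token, true_now, window=WINDOW):
        # Look up the first seed by message number; a number is consumed on first use,
        # so a token seen once cannot be presented again for the same message number.
        entry = self._pending.pop(message_number, None)
        if entry is None or token is None:
            return False
        first_seed, _ = entry
        base = time_parameter(self.current_time(true_now), 0)
        for drift in range(-window, window + 1):
            if hmac.compare_digest(generate_token(first_seed, base + drift), token):
                return True
        return False


class SecondClient:
    """The handheld client that holds the second verification seed."""

    def __init__(self, second_seed, clock_skew):
        self._seed = second_seed
        self._skew = clock_skew   # constructed: how far the local clock is off, in seconds
        self._difference = 0      # step T4 store; zero until correct_time() runs

    def local_time(self, true_now):
        return true_now + self._skew  # "second time" (T2)

    def correct_time(self, server, true_now):
        # T1-T4: obtain the first time, read the second time, store the difference.
        self._difference = server.current_time(true_now) - self.local_time(true_now)

    def confirm(self, server, message_number, true_now, user_accepts=True):
        # Steps 507-509: fetch the verification message by message number, display it,
        # and only on the user's confirmation generate the token.
        message = server.verification_message(message_number)
        if not user_accepts:
            return None, message
        tp = time_parameter(self.local_time(true_now), self._difference)
        return generate_token(self._seed, tp), message


class FirstClient:
    """The client where the user is logging in; maps accounts to first verification seeds."""

    def __init__(self, seeds_by_account):
        self._seeds = seeds_by_account

    def start_verification(self, server, account, verification_message):
        return server.register(self._seeds[account], verification_message)


def run_flow(true_now, clock_skew, correct_clock=True, second_seed=None):
    """Run the three-party exchange of FIG. 25 once; returns the server's verification result."""
    seed = b"constructed-seed-for-alice-0123456789"  # shared at enrollment (step 305)
    server = VerificationServer()
    first = FirstClient({"alice": seed})
    second = SecondClient(second_seed or seed, clock_skew)
    if correct_clock:
        second.correct_time(server, true_now)
    message_number = first.start_verification(server, "alice", "Login to app A from a new device")
    token, _shown = second.confirm(server, message_number, true_now)
    return server.verify(message_number, token, true_now)


if __name__ == "__main__":
    print("corrected clock, 10 min skew:", run_flow(1_700_000_000, 600))
    print("uncorrected clock, 10 min skew:", run_flow(1_700_000_000, 600, correct_clock=False))
```

With a ten-minute clock skew on the handheld client, the flow succeeds only after the stored difference from steps T1 to T4 is applied; without it the token lands twenty steps away from the server's window and is rejected, which is the failure the time correction modules exist to prevent. The pop-on-lookup in `verify` is the server-side counterpart of the patent's message number: once a number has been checked it cannot be checked again, even with a token that would otherwise still be inside the window.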
It should be noted that the apparatus and system provided by the above embodiments are illustrated, when implementing their functions, only by the division into the functional modules described above; in practical applications, the above functions may be assigned to different functional modules as needed, that is, the internal structure of the device may be divided into different functional modules to complete all or part of the functions described above. In addition, the apparatus embodiments and the method embodiments provided above belong to the same concept; their specific implementation is described in detail in the method embodiments and is not repeated here.
Please refer to FIG. 23, which is a schematic structural diagram of a terminal provided by an embodiment of the present invention. The terminal is used to implement the functions of the first client or the second client in the identity verification method provided in the above embodiments.
The terminal may include an RF (Radio Frequency) circuit 110, a memory 121 comprising one or more computer-readable storage media, an input unit 130, a display unit 142, a sensor 150, an audio circuit 163, a WiFi (wireless fidelity) module 170, a processor 180 comprising one or more processing cores, a power supply 190, and other components. Those skilled in the art will understand that the terminal structure shown in FIG. 23 does not limit the terminal, which may include more or fewer components than illustrated, combine certain components, or arrange components differently. In particular:
The RF circuit 110 may be used to receive and send signals while receiving or sending information or during a call; in particular, after receiving downlink information from a base station, it hands the information to one or more processors 180 for processing, and it sends uplink data to the base station. Typically, the RF circuit 110 includes, but is not limited to, an antenna, at least one amplifier, a tuner, one or more oscillators, a Subscriber Identity Module (SIM) card, a transceiver, a coupler, an LNA (Low Noise Amplifier), a duplexer, and so on. In addition, the RF circuit 110 may communicate with networks and other devices through wireless communication, using any communication standard or protocol, including but not limited to GSM (Global System for Mobile communication), GPRS (General Packet Radio Service), CDMA (Code Division Multiple Access), WCDMA (Wideband Code Division Multiple Access), LTE (Long Term Evolution), e-mail, SMS (Short Messaging Service), and the like.
The memory 121 may store software programs and modules; the processor 180 runs the software programs and modules stored in the memory 121 to perform various functional applications and data processing. The memory 121 may mainly include a program storage area and a data storage area, where the program storage area may store an operating system, application programs required for functions, and so on, and the data storage area may store data created through use of the terminal. In addition, the memory 121 may include high-speed random access memory and may also include non-volatile memory, such as at least one magnetic disk storage device, flash memory device, or other volatile solid-state storage device. Accordingly, the memory 121 may further include a memory controller to provide the processor 180 and the input unit 130 with access to the memory 121.
The input unit 130 may receive input numeric or character information and generate keyboard, mouse, joystick, optical or trackball signal inputs related to user settings and function control. Specifically, the input unit 130 may include a touch-sensitive surface 131 and other input devices 132. The touch-sensitive surface 131, also called a touch display screen or touch pad, can collect touch operations by the user on or near it (for example, operations by the user with a finger, stylus or any other suitable object or accessory on or near the touch-sensitive surface 131) and drive the corresponding connected apparatus according to a preset program. Optionally, the touch-sensitive surface 131 may include two parts: a touch detection apparatus and a touch controller. The touch detection apparatus detects the touch position of the user, detects the signal produced by the touch operation, and passes the signal to the touch controller; the touch controller receives touch information from the touch detection apparatus, converts it into contact coordinates, sends them to the processor 180, and can receive and execute commands sent by the processor 180. The touch-sensitive surface 131 may be implemented in various types, such as resistive, capacitive, infrared and surface acoustic wave. Besides the touch-sensitive surface 131, the input unit 130 may also include other input devices 132. Specifically, the other input devices 132 may include, but are not limited to, one or more of a physical keyboard, function keys (such as volume control keys and on/off keys), a trackball, a mouse, a joystick, and the like.
The display unit 142 may display information input by the user or provided to the user, as well as the various graphical user interfaces of the terminal, which may be composed of graphics, text, icons, video and any combination thereof. The display unit 142 may include a display panel 141, which may optionally be configured in the form of an LCD (Liquid Crystal Display), an OLED (Organic Light-Emitting Diode), or the like. Further, the touch-sensitive surface 131 may cover the display panel 141; when the touch-sensitive surface 131 detects a touch operation on or near it, it passes the operation to the processor 180 to determine the type of touch event, and the processor 180 then provides corresponding visual output on the display panel 141 according to the type of touch event. Although in FIG. 23 the touch-sensitive surface 131 and the display panel 141 are two separate components implementing the input and output functions, in some embodiments the touch-sensitive surface 131 and the display panel 141 may be integrated to implement the input and output functions.
The terminal may also include at least one sensor 150, such as a light sensor, a motion sensor and other sensors. Specifically, the light sensor may include an ambient light sensor and a proximity sensor; the ambient light sensor may adjust the brightness of the display panel 141 according to the ambient light, and the proximity sensor may turn off the display panel 141 and/or the backlight when the terminal is moved to the ear. As one kind of motion sensor, a gravity acceleration sensor can detect the magnitude of acceleration in each direction (generally three axes) and, when stationary, the magnitude and direction of gravity; it can be used for applications that recognise the posture of the terminal (such as switching between landscape and portrait, related games, and magnetometer posture calibration) and for vibration-recognition functions (such as a pedometer or tapping). Other sensors that may be configured on the terminal, such as a gyroscope, barometer, hygrometer, thermometer and infrared sensor, are not described here.
The audio circuit 163, speaker 161 and microphone 162 may provide an audio interface between the user and the terminal. The audio circuit 163 may convert received audio data into an electrical signal and transmit it to the speaker 161, which converts it into a sound signal for output; conversely, the microphone 162 converts collected sound signals into electrical signals, which the audio circuit 163 receives and converts into audio data. The audio data is output to the processor 180 for processing and then sent, for example, to another terminal via the RF circuit 110, or output to the memory 121 for further processing. The audio circuit 163 may also include an earphone jack to provide communication between peripheral earphones and the terminal.
WiFi is a short-range wireless transmission technology; through the WiFi module 170 the terminal can help the user send and receive e-mail, browse web pages and access streaming media, providing the user with wireless broadband Internet access. Although FIG. 23 shows the WiFi module 170, it is understood that it is not an essential part of the terminal and may be omitted as needed without changing the essence of the invention.
The processor 180 is the control center of the terminal. It connects the various parts of the whole terminal through various interfaces and lines, and performs the various functions of the terminal and processes data by running or executing the software programs and/or modules stored in the memory 121 and calling the data stored in the memory 121, thereby monitoring the terminal as a whole. Optionally, the processor 180 may include one or more processing cores; preferably, the processor 180 may integrate an application processor and a modem processor, where the application processor mainly handles the operating system, user interface and application programs, and the modem processor mainly handles wireless communication. It is understood that the modem processor may also not be integrated into the processor 180.
The terminal also includes a power supply 190 (such as a battery) that supplies power to the components. Preferably, the power supply may be logically connected to the processor 180 through a power management system, so that charging, discharging and power consumption management are handled through the power management system. The power supply 190 may also include any components such as one or more DC or AC power sources, a recharging system, a power failure detection circuit, a power converter or inverter, and a power status indicator.
Although not shown, the terminal may also include a camera, a Bluetooth module, and so on, which are not described here. Specifically, in this embodiment, the display unit of the terminal is a touch-screen display; the terminal also includes a memory and one or more programs, which are stored in the memory and configured to be executed by one or more processors; the one or more programs contain instructions for performing the identity verification method of the first client or the second client described above.
Please refer to FIG. 24, which is a schematic structural diagram of a server provided by an embodiment of the present invention. The server is used to implement the server-side identity verification method provided in the above embodiments. Specifically:
The server 1200 includes a central processing unit (CPU) 1201, a system memory 1204 including a random access memory (RAM) 1202 and a read-only memory (ROM) 1203, and a system bus 1205 connecting the system memory 1204 and the central processing unit 1201. The server 1200 also includes a basic input/output system (I/O system) 1206 that helps transfer information between the devices within the computer, and a mass storage device 1207 for storing an operating system 1213, application programs 1214 and other program modules 1215.
The basic input/output system 1206 includes a display 1208 for displaying information and an input device 1209, such as a mouse or keyboard, for the user to input information. The display 1208 and the input device 1209 are both connected to the central processing unit 1201 through an input/output controller 1210 connected to the system bus 1205. The basic input/output system 1206 may also include the input/output controller 1210 for receiving and processing input from many other devices, such as a keyboard, mouse or electronic stylus. Similarly, the input/output controller 1210 also provides output to a display screen, printer or other type of output device.
The mass storage device 1207 is connected to the central processing unit 1201 through a mass storage controller (not shown) connected to the system bus 1205. The mass storage device 1207 and its associated computer-readable media provide non-volatile storage for the server 1200. That is, the mass storage device 1207 may include a computer-readable medium (not shown) such as a hard disk or a CD-ROM drive.
Without loss of generality, the computer-readable media may include computer storage media and communication media. Computer storage media include volatile and non-volatile, removable and non-removable media implemented in any method or technology for storing information such as computer-readable instructions, data structures, program modules or other data. Computer storage media include RAM, ROM, EPROM, EEPROM, flash memory or other solid-state storage technologies, CD-ROM, DVD or other optical storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices. Of course, those skilled in the art will know that computer storage media are not limited to the above. The system memory 1204 and the mass storage device 1207 above may be collectively referred to as memory.
According to various embodiments of the present invention, the server 1200 may also run on a remote computer connected through a network such as the Internet. That is, the server 1200 may connect to the network 1212 through the network interface unit 1211 connected to the system bus 1205, or may use the network interface unit 1211 to connect to other types of networks or remote computer systems (not shown).
The memory also includes one or more programs, which are stored in the memory and configured to be executed by one or more processors. The one or more programs contain instructions for performing the server-side method described above.
In an exemplary embodiment, a non-transitory computer-readable storage medium containing instructions is also provided, such as a memory containing instructions, which may be executed by the processor of a terminal to complete the steps of the above method embodiments, or executed by the processor of a server to complete the steps on the background server side of the above method embodiments. For example, the non-transitory computer-readable storage medium may be a ROM, a random access memory (RAM), a CD-ROM, a magnetic tape, a floppy disk, an optical data storage device, and so on.
The identity verification method, apparatus and system provided by the embodiments of the present invention can be combined with existing identity verification methods. The user first passes identity verification on the first client and uses the handheld second client to generate a token; only after the token passes the verification server's token check is identity verification formally passed, which gives higher security than ordinary identity verification. The verification server can provide token verification for multiple first clients, acting as a security center; a user of multiple applications no longer needs to bind multiple security centers, which simplifies operation for the user.
It should be understood that "a plurality" as referred to herein means two or more. "And/or" describes the association relationship between associated objects and indicates that three relationships may exist; for example, A and/or B may mean: A alone, A and B together, or B alone. The character "/" generally indicates an "or" relationship between the objects before and after it.
The serial numbers of the above embodiments of the present invention are for description only and do not represent the merits of the embodiments.
A person of ordinary skill in the art can understand that all or part of the steps for implementing the above embodiments may be completed by hardware, or by a program instructing the relevant hardware; the program may be stored in a computer-readable storage medium, which may be a read-only memory, a magnetic disk, an optical disk, or the like.
The above are only preferred embodiments of the present invention and are not intended to limit it. Any modification, equivalent replacement, improvement, etc. made within the spirit and principles of the present invention shall be included within the protection scope of the present invention.

Claims (21)

  1. An identity verification method, the method comprising:
    a first terminal, in response to an identity verification instruction, obtaining an account; querying, according to the account, a first verification seed corresponding to the account; generating a verification message; sending the first verification seed and the verification message to a verification server; and obtaining a message number from the verification server;
    a second terminal obtaining the message number from the first terminal; obtaining, according to the message number, the verification message corresponding to the message number from the verification server; and, in response to a confirmation instruction for the verification message, generating a token according to a second verification seed and transmitting the token and the message number to the verification server;
    the verification server querying the first verification seed according to the message number obtained from the second terminal; obtaining a verification result by verifying whether the first verification seed and the token have a legitimate correspondence; and sending the verification result to the first terminal; and
    the first terminal obtaining the verification result from the verification server.
  2. The method according to claim 1, wherein, before the first terminal responds to the identity verification instruction, the method further comprises:
    the first terminal, in response to a binding instruction, obtaining an account; obtaining a first verification seed; generating a verification seed corresponding to the first verification seed and making the verification seed obtainable by the second terminal; obtaining a token generated by the second terminal; transmitting the first verification seed and the token to the verification server and obtaining a verification result; and, if the verification passes, storing the correspondence between the account and the first verification seed;
    the second terminal generating a token according to the obtained seed and making the token obtainable by the first terminal; and
    the verification server obtaining a verification result by verifying whether the first verification seed and the token have a legitimate correspondence, and sending the verification result to the first terminal.
  3. The method according to claim 1, wherein, at the second terminal, the method further comprises:
    if the verification passes, storing the verification seed and the correspondence between the verification seed and the first terminal.
  4. The method according to claim 3, wherein the verification server obtaining a verification result by verifying whether the first verification seed and the token have a legitimate correspondence comprises:
    generating a target token according to a token generation method and the first verification seed;
    determining whether the target token and the token are the same token; and
    if so, the verification result is that the verification passes; otherwise, the verification result is that the verification fails.
  5. The method according to claim 3, wherein the verification server obtaining a verification result by verifying whether the first verification seed and the token have a legitimate correspondence comprises:
    generating a first target token and a second target token according to a token generation method and the first verification seed;
    determining whether the first target token and the token are the same token;
    if so, the verification result is that the verification passes; otherwise, determining whether the second target token and the token are the same token; and
    if so, the verification result is that the verification passes; otherwise, the verification result is that the verification fails.
  6. An identity verification method, applied to a first terminal, the method comprising:
    in response to an identity verification instruction, obtaining an account;
    querying, according to the account, a first verification seed corresponding to the account;
    generating a verification message according to the account;
    sending the first verification seed and the verification message to a verification server;
    obtaining a message number from the verification server and making the message number obtainable by a second terminal; and
    obtaining a verification result from the verification server, the verification result being obtained by the verification server by verifying whether the first verification seed and a token have a legitimate correspondence, the token being generated by the second terminal according to a second verification seed.
  7. The method according to claim 6, wherein, before responding to the identity verification instruction, the method further comprises:
    in response to a binding instruction, obtaining an account;
    obtaining a first verification seed;
    generating a verification seed corresponding to the first verification seed and making the verification seed obtainable by the second terminal;
    obtaining a token generated by the second terminal;
    sending the first verification seed and the token to the verification server;
    obtaining a verification result, the verification result being obtained by the verification server by verifying whether the first verification seed and the token have a legitimate correspondence; and
    if the verification passes, storing the first verification seed and the correspondence between the first verification seed and the second terminal.
  8. The method according to claim 6, wherein the verification message comprises the generation time of the verification message and the account.
  9. The method according to claim 6, wherein, after obtaining the message number from the verification server, the method further comprises:
    generating a second verification barcode according to the message number.
  10. An identity verification method, applied to a second terminal, the method comprising:
    obtaining a message number from a first terminal;
    obtaining, according to the message number, a verification message corresponding to the message number from a verification server;
    displaying the verification message and monitoring for a user instruction, the user instruction comprising a confirmation instruction;
    in response to the confirmation instruction, obtaining a second verification seed and generating a token according to the second verification seed; and
    transmitting the message number and the token to the verification server, so that the first terminal can obtain a verification result from the verification server.
  11. The method according to claim 10, wherein, before obtaining the message number and the verification message, the method further comprises:
    obtaining a verification seed; and
    generating a token according to the verification seed and making the token obtainable by the first terminal.
  12. The method according to claim 11, wherein,
    if the verification passes, the verification seed and the correspondence between the verification seed and the first terminal are stored.
  13. The method according to claim 10, wherein obtaining the message number from the first terminal comprises:
    obtaining a second verification barcode generated by the first terminal according to the message number; and
    parsing the second verification barcode to obtain the message number.
  14. An identity verification apparatus, the apparatus comprising one or more processors and one or more non-volatile storage media, the one or more non-volatile storage media storing one or more computer-readable instructions configured to be executed by the one or more processors to implement the following steps:
    in response to an identity verification instruction, obtaining an account;
    querying, according to the account, a first verification seed corresponding to the account;
    generating a verification message according to the account;
    sending the first verification seed and the verification message to a verification server;
    obtaining a message number from the verification server and making the message number obtainable by a second terminal; and
    obtaining a verification result from the verification server, the verification result being obtained by the verification server by verifying whether the first verification seed and a token have a legitimate correspondence, the token being generated by the second terminal according to a second verification seed.
  15. The apparatus according to claim 14, wherein the one or more processors execute the one or more computer-readable instructions to further implement the following steps:
    in response to a binding instruction, obtaining an account;
    obtaining a first verification seed;
    generating a verification seed corresponding to the first verification seed and making the verification seed obtainable by the second terminal;
    obtaining a token generated by the second terminal;
    sending the first verification seed and the token to the verification server;
    obtaining a verification result, the verification result being obtained by the verification server by verifying whether the first verification seed and the token have a legitimate correspondence; and
    if the verification passes, storing the first verification seed and the correspondence between the first verification seed and the second terminal.
  16. The apparatus according to claim 14, wherein the one or more processors execute the one or more computer-readable instructions to further implement the following step:
    generating a second verification barcode according to the message number.
  17. An identity verification apparatus, the apparatus comprising one or more processors and one or more non-volatile storage media, the one or more non-volatile storage media storing one or more computer-readable instructions configured to be executed by the one or more processors to implement the following steps:
    obtaining a message number from a first terminal;
    obtaining, according to the message number, a verification message corresponding to the message number from a verification server;
    displaying the verification message;
    detecting a user instruction, the user instruction comprising a confirmation instruction;
    in response to the confirmation instruction, obtaining a second verification seed;
    generating a token according to the second verification seed; and
    transmitting the message number and the token to the verification server, so that the first terminal can obtain a verification result from the verification server.
  18. The apparatus according to claim 17, wherein the one or more processors execute the one or more computer-readable instructions to further implement the following steps:
    obtaining a verification seed; and
    storing the second verification seed.
  19. The apparatus according to claim 17, wherein the one or more processors execute the one or more computer-readable instructions to further implement the following steps:
    obtaining a second verification barcode generated by the first terminal according to the message number; and
    parsing the second verification barcode to obtain the message number.
  20. An identity verification system, characterized in that the system comprises a first terminal, a second terminal and a verification server;
    the first terminal comprising the apparatus according to any one of claims 14 to 16; and
    the second terminal comprising the apparatus according to any one of claims 17 to 19.
  21. A non-volatile computer-readable storage medium storing computer-readable instructions that enable at least one processor to perform the method according to any one of claims 1 to 13.
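The three-party flow of claims 1 to 5, with the binding phase of claims 2 and 7 and the server-side token check of claims 4 and 5, as an added simulation in Python. This is example code added here; it is not code from the patent or from 腾讯科技(深圳)有限公司. The claims fix neither a token generation method, nor a message-number format, nor a barcode encoding, so the example assumes an HOTP-style HMAC-SHA1 truncation over 30-second time steps as the "token generation method", a random hex message number that the server consumes after one use, a `VERIFY:<number>` barcode payload, and that the verification seed made obtainable to the second terminal at binding is the first verification seed itself. All class, function and account names are the example's own, and the clock value is constructed.

```python
import hashlib
import hmac
import secrets
import struct

TIME_STEP = 30  # assumed time step in seconds; the claims do not fix a token algorithm


def generate_token(seed: bytes, counter: int, digits: int = 6) -> str:
    """Assumed 'token generation method': HOTP-style HMAC-SHA1 dynamic truncation (RFC 4226)."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def tokens_match(seed: bytes, token: str, now: int) -> bool:
    """Claim 5: compare with the target token of the current step, then with the previous
    step's (one step of clock skew tolerated). Claim 4 is the same check with one target only."""
    step = now // TIME_STEP
    return any(hmac.compare_digest(generate_token(seed, c), token) for c in (step, step - 1))


class VerificationServer:
    def __init__(self, now: int):
        self.now = now       # the server's own clock; terminal clocks may drift from it
        self.pending = {}    # message number -> (first verification seed, verification message)
        self.results = {}    # message number -> verification result

    def register_message(self, first_seed: bytes, message: dict) -> str:
        msg_no = secrets.token_hex(8)  # assumed: unguessable message number
        self.pending[msg_no] = (first_seed, message)
        return msg_no

    def get_message(self, msg_no: str):
        return self.pending.get(msg_no, (None, None))[1]

    def verify_binding(self, first_seed: bytes, token: str) -> bool:
        return tokens_match(first_seed, token, self.now)

    def verify_token(self, msg_no: str, token: str) -> bool:
        # Claim 1: look up the first verification seed by message number. The entry is
        # consumed, so a message number captured from the barcode cannot be replayed.
        entry = self.pending.pop(msg_no, None)
        if entry is None:
            return False
        self.results[msg_no] = ok = tokens_match(entry[0], token, self.now)
        return ok

    def get_result(self, msg_no: str) -> bool:
        return self.results.get(msg_no, False)


class SecondTerminal:
    def __init__(self, server: VerificationServer):
        self.server = server
        self.seeds = {}  # first-terminal id -> second verification seed (claim 12)

    def receive_seed(self, terminal_id: str, seed: bytes) -> None:
        self.seeds[terminal_id] = seed

    def token_for(self, terminal_id: str, now: int) -> str:
        return generate_token(self.seeds[terminal_id], now // TIME_STEP)

    def confirm(self, barcode: str, terminal_id: str, now: int, user_confirms: bool = True):
        # Claim 13: parse the barcode for the message number; claim 10: fetch and display the
        # message, and send a token only after the user confirms it.
        prefix, msg_no = barcode.split(":", 1)
        message = self.server.get_message(msg_no) if prefix == "VERIFY" else None
        if message is not None and user_confirms:
            self.server.verify_token(msg_no, self.token_for(terminal_id, now))
        return message


class FirstTerminal:
    def __init__(self, server: VerificationServer, terminal_id: str):
        self.server, self.terminal_id = server, terminal_id
        self.bindings = {}  # account -> first verification seed (claims 2 and 7)

    def bind(self, account: str, second: SecondTerminal, now: int) -> bool:
        first_seed = secrets.token_bytes(20)
        second.receive_seed(self.terminal_id, first_seed)  # the verification seed made obtainable
        token = second.token_for(self.terminal_id, now)
        ok = self.server.verify_binding(first_seed, token)
        if ok:
            self.bindings[account] = first_seed
        return ok

    def start_verification(self, account: str, now: int) -> str:
        message = {"account": account, "time": now}  # claim 8
        msg_no = self.server.register_message(self.bindings[account], message)
        return f"VERIFY:{msg_no}"  # claim 9: second verification barcode (assumed payload)

    def result(self, barcode: str) -> bool:
        return self.server.get_result(barcode.split(":", 1)[1])


def run_flow(skew: int = 0, user_confirms: bool = True) -> bool:
    """One complete login; `skew` is the second terminal's clock offset from the server's."""
    now = 1_700_000_000  # constructed clock value
    server = VerificationServer(now)
    first = FirstTerminal(server, "app-client-1")
    second = SecondTerminal(server)
    assert first.bind("alice", second, now)
    barcode = first.start_verification("alice", now)
    second.confirm(barcode, "app-client-1", now + skew, user_confirms)
    return first.result(barcode)
```

`run_flow()` passes; `run_flow(skew=-TIME_STEP)` also passes because the server compares against both the current and the previous step's target token, as in claim 5, while a terminal two steps behind, an unbound seed, a declined confirmation or a re-used message number all fail. Two points the claims leave open are worth fixing in any implementation: the token comparison is done with `hmac.compare_digest` rather than `==`, so that "the same token" is decided in constant time, and the server deletes the message-number entry on first use, since the number is shown in a barcode and anyone who can read the screen can obtain it.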
PCT/CN2017/116140 2016-12-15 2017-12-14 Identity authentication method, device and system WO2018108123A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201611160732.2A CN108234124B (en) 2016-12-15 2016-12-15 Identity verification method, device and system
CN201611160732.2 2016-12-15

Publications (1)

Publication Number Publication Date
WO2018108123A1 true WO2018108123A1 (en) 2018-06-21

Family

ID=62558031

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2017/116140 WO2018108123A1 (en) 2016-12-15 2017-12-14 Identity authentication method, device and system

Country Status (2)

Country Link
CN (1) CN108234124B (en)
WO (1) WO2018108123A1 (en)

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108920917A (en) * 2018-06-27 2018-11-30 努比亚技术有限公司 Log in end switching method, mobile terminal and computer readable storage medium
CN110751129A (en) * 2019-10-30 2020-02-04 深圳市丰巢科技有限公司 Express delivery service identity verification method, device, equipment and storage medium
CN111105207A (en) * 2019-12-11 2020-05-05 深圳供电局有限公司 Random transmission line field operation method and system
US11677555B2 (en) 2018-10-25 2023-06-13 Advanced New Technologies Co., Ltd. Identity authentication, number saving and sending, and number binding method, apparatus and device

Families Citing this family (3)

Publication number Priority date Publication date Assignee Title
CN109376818A (en) * 2018-10-09 2019-02-22 杭州收盈科技有限公司 A kind of encryption time synchronization method based on offline dynamic two-dimension code
CN111126533B (en) * 2020-01-08 2023-06-23 牛津(海南)区块链研究院有限公司 Identity authentication method and device based on dynamic password and dynamic token
CN114553445A (en) * 2020-11-10 2022-05-27 腾讯科技(深圳)有限公司 Equipment method, device, electronic equipment and readable storage medium

Citations (5)

Publication number Priority date Publication date Assignee Title
CN101582886A (en) * 2009-04-02 2009-11-18 北京飞天诚信科技有限公司 Method and system for identity authentication based on dynamic password
US20140006775A1 (en) * 2012-06-28 2014-01-02 International Business Machines Corporation Message originator token verification
CN103546430A (en) * 2012-07-11 2014-01-29 网易(杭州)网络有限公司 Mobile terminal, and method, server and system for authenticating identities on basis of mobile terminal
WO2015179681A1 (en) * 2014-05-21 2015-11-26 Square, Inc. Verified purchasing by email
CN105119722A (en) * 2015-08-07 2015-12-02 杭州朗和科技有限公司 Identity verification method, equipment and system

Family Cites Families (4)

Publication number Priority date Publication date Assignee Title
CN101345620A (en) * 2007-07-10 2009-01-14 吕秀娥 Internet user account cipher protection method of on-line token
CN103297403B (en) * 2012-03-01 2018-11-30 盛趣信息技术(上海)有限公司 A kind of method and system for realizing dynamic cipher verification
US9130753B1 (en) * 2013-03-14 2015-09-08 Emc Corporation Authentication using security device with electronic interface
CN112134708A (en) * 2014-04-15 2020-12-25 创新先进技术有限公司 Authorization method, authorization request method and device

Also Published As

Publication number Publication date
CN108234124A (en) 2018-06-29
CN108234124B (en) 2020-10-16

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 17880850; Country of ref document: EP; Kind code of ref document: A1)
NENP Non-entry into the national phase (Ref country code: DE)
122 Ep: pct application non-entry in european phase (Ref document number: 17880850; Country of ref document: EP; Kind code of ref document: A1)