WO2019194170A1 - Server implementing authentication using a two-step URL, program recording medium and method - Google Patents


Info

Publication number
WO2019194170A1
Authority
WO
WIPO (PCT)
Prior art keywords
user
url
authentication
terminal
message
Prior art date
Application number
PCT/JP2019/014604
Other languages
English (en)
Japanese (ja)
Inventor
暁子 中曽根
敏春 加藤
正之 横井
誠 金井
Original Assignee
株式会社Special Medico
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 株式会社Special Medico filed Critical 株式会社Special Medico
Publication of WO2019194170A1 publication Critical patent/WO2019194170A1/fr

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F13/00 Interconnection of, or transfer of information or other signals between, memories, input/output devices or central processing units
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31 User authentication

Definitions

  • the present invention relates to a technique in which an authentication server authenticates a user who operates a terminal.
  • a technique for authenticating a user in two stages is applied. According to this technique, the following sequence is executed.
  • the user inputs “wallet ID (Identifier)” and “password” on the login screen of the terminal.
  • the site server authenticates the user from the input wallet ID and password, and transmits a mail describing the login state (time, IP address, browser, OS, etc.) to the user's mailbox.
  • the user confirms the login state described in the mail, and clicks a URL (Uniform Resource Locator) button for login permission.
  • the site server assumes that the first authentication has succeeded for the user operating the terminal.
  • the site server temporarily generates a 5-digit passcode and sends an SMS (Short Messaging Service) message describing the passcode to the user's smartphone (portable terminal).
  • the user confirms the SMS message with the smartphone, and inputs the passcode described in the SMS message on the login screen of the terminal.
  • the site server assumes that the second authentication is successful for the user operating the terminal.
  • the two-step authentication process as described above is intended to ensure high security and eliminate access from malicious third parties.
  • Patent Document 1 discloses a technique that allows a user to transmit a message simply by tapping a URL displayed on a terminal.
  • the URL can identify the transmission source user and the destination user.
  • when the server receives a page request for that URL, it sends a message using the address of the transmission source user identified by the URL as the source address and the address of the destination user identified by the URL as the destination address.
  • Patent Document 2 discloses a technique for temporarily notifying the destination terminal of map information displaying the position of the transmission source terminal.
  • the server stores a first page for a first URL that can identify a transmission source terminal and a destination terminal.
  • the server receives a page request directed to the first URL from the transmission source terminal, the server returns the first page to the transmission source terminal.
  • the transmission source terminal that has reproduced the first page transmits its position information to the server.
  • the server generates a second page on which a map with the position of the transmission source terminal plotted is drawn, and sends a message including the second URL of that second page to the destination terminal identified by the first URL.
  • in Non-Patent Document 1, the user inputs the login ID and password on the terminal screen during the first authentication, and inputs the passcode received on the smartphone on the terminal screen during the second authentication. That is, with such two-step authentication, the user has to input a code three times on the terminal screen.
  • the inventors of the present application considered that the need to input the codes required for user authentication (user ID, password, passcode) a plurality of times arises because all users access the same login screen URL.
  • an object of the present invention is to provide an authentication server, a program recording medium, and a method capable of executing two-step user authentication without causing the user to input any code.
  • an authentication server for authenticating a user who operates a terminal, comprising: a registration table that stores, for each user ID, an address and a first URL that can identify the user of the user ID; second URL generation means that, when a first page request directed to the first URL is received from the terminal, identifies the user ID of the first page request and generates a second URL that can identify the user ID; second message transmitting means for transmitting a second message in which the second URL is described, with the address of the user ID as the destination; and authentication means that determines that the user ID has been successfully authenticated when a second page request directed to the second URL is received from the terminal.
  • the authentication server preferably further includes first message transmitting means for transmitting a first message describing the first URL, with the address of the user ID identified by the first URL as the destination.
  • the second URL generation means preferably generates a different second URL, as a one-time URL, each time the first page request is received for the same user ID.
  • the authenticating means preferably determines that authentication of the user ID has succeeded only when the time from transmission of the second message by the second message transmitting means until receipt of the second page request is less than a predetermined time.
  • the second URL generating means, when receiving the first page request from the terminal, preferably generates a cookie value according to the HTTP (HyperText Transfer Protocol) cookie mechanism, returns the cookie value to the terminal in the response, and registers it in the registration table in association with the user ID identified by the first URL; the authentication means then determines that the user ID has been successfully authenticated for the terminal when the cookie value included in the second page request matches the cookie value registered in the registration table for that user.
  • the device address is an email address, phone number or account
  • the second message is also preferably an e-mail based on the e-mail address, an SMS (Short Message Service) push message based on the telephone number, or an SNS (Social Networking Service) message based on the account.
  • the user ID is preferably a user ID of a commercial transaction site or a block chain site, or a wallet ID of a virtual currency, and the user ID is preferably authenticated without using a password.
  • a non-transitory computer-readable recording medium that records a program executed by a computer installed in an authentication server that authenticates a user who operates a terminal, the program causing the computer to function as: a registration table that stores, for each user ID, an address and a first URL that can identify the user of the user ID; second URL generation means that, when a first page request directed to the first URL is received from the terminal, identifies the user ID of the first page request and generates a second URL that can identify the user ID; second message transmitting means for transmitting a second message in which the second URL is described, with the address of the user ID as the destination; and authentication means that determines that the user ID has been successfully authenticated when a second page request directed to the second URL is received from the terminal.
  • a two-step authentication method is executed by an authentication server that authenticates a user who operates a terminal.
  • the authentication server stores, for each user ID, an address and a first URL that can identify the user of the user ID, and the two-step authentication method comprises: a step of, when a first page request directed to the first URL is received from the terminal, identifying the user ID of the first page request and generating a second URL capable of identifying the user ID; a step of transmitting a second message in which the second URL is described, with the address of the user ID as the destination; and a step of determining that authentication of the user ID has succeeded when a second page request directed to the second URL is received from the terminal.
  • two-step user authentication can be executed without requiring the user to input any code (for example, user ID, password, or passcode).
  • FIG. 5 is a sequence diagram showing a second sequence executed following the first sequence in FIG. 4. FIG. 6 is a functional block diagram showing the functional configuration of an embodiment of the authentication server according to the present invention.
  • FIG. 1 is a sequence diagram showing an embodiment of an authentication method according to the present invention.
  • the user A performs self-authentication from the terminal 2 with respect to the authentication server 1 in order to receive a predetermined service.
  • the access destination for receiving the predetermined service may be, for example, a commercial transaction site or a block chain site, or a virtual currency wallet that requires high security.
  • the authentication server 1 functions as a Web site as well as a message or mail transmission source device for the terminal 2. Further, the authentication server 1 can receive a page request based on the URL by publishing the URL of the Web site.
  • the authentication server 1 of the present invention has a registration table 100.
  • the registration table 100 records, for each user ID, an address and a first URL that can identify the user of the user ID.
  • the address can be a mail address, a telephone number, or an account corresponding to the message or mail described above.
  • the following items are registered in the registration table 100.
  • [User ID] -> [Address], [First URL]
      A  A@aaa.com  http://www.SM.co.jp/A
      B  B@bbb.com  http://www.SM.co.jp/B
      C  C@ccc.com  http://www.SM.co.jp/C
  • (S0) the authentication server 1 sends a first message describing the first URL (http://www.SM.co.jp/A) to the address (A@aaa.com) of the user A identified by that first URL as the destination.
  • the first URL is dedicated to user A and need only be known to user A; transmission of the first message is therefore not essential.
  • FIG. 2A and FIG. 2B are schematic diagrams showing examples of a tap operation screen at the time of first authentication in the present invention.
  • in one example, the user taps the first URL (http://www.SM.co.jp/A) described in the message received in step S0.
  • in this URL, an identifier “A” that identifies the user is appended after the domain name, so the terminal 2 recognises the URL as the page dedicated to user A.
  • in another example, the user taps an operation button rendered from HTML (HyperText Markup Language) code in the browser.
  • this operation button simply displays the first URL (http://www.SM.co.jp/A) of user A in a visible form.
  • the authentication server 1 receives a page request (HTTP GET request) for the first URL (http://www.SM.co.jp/A) from the terminal 2.
  • (S12) the authentication server 1 determines whether or not the first URL is registered in the registration table 100. If it is determined to be false, that is, unregistered, the page request is ignored; if registered, the user ID (A) associated with the first URL in the registration table 100 is identified.
  • (S13) on the other hand, if it is determined to be true in step S12, that is, registered, a second URL capable of identifying the user ID (of user A) is generated. For example, the following first URL and second URL correspond to the same user ID but differ from each other.
  • First URL http://www.SM.co.jp/A
  • Second URL http://www.SM.co.jp/Axx
  • the authentication server 1 transmits a second message in which the second URL is described with the address of the user ID as a destination. According to FIG. 1, the destination address of the second message is set to the address (A@aaa.com) of the user identified by the first URL.
  • when the message is, for example, an e-mail based on a mail address, the authentication server 1 has a mail client function and transmits the mail to an external SMTP server. When the message is, for example, an SMS push message based on a telephone number, the authentication server 1 has a telephone call function, executes the call connection sequence of the mobile telephone network, and transmits a short message; in this case, the terminal 2 needs to be a smartphone or portable terminal that can be reached by call. When the message is, for example, an SNS message based on an account, the authentication server 1 has a login function for the SNS site and delivers the message via that site.
  • FIG. 3 is a schematic diagram showing an example of a tap operation screen at the time of second authentication in the present invention.
  • the text described in the received second message is displayed on the display of the terminal 2.
  • This message describes the following second URL, and the displayed text prompts the user to perform an activation operation (tap or click).
  • (Second URL) http://www.SM.co.jp/Axx. The authentication server 1 recognises this second URL as a page dedicated to user A.
  • the authentication server 1 may start a timer when the second message is transmitted in step S2. Then, only when the time until the second page request is received from the terminal 2 is equal to or shorter than the predetermined time, the user ID can be successfully authenticated. This predetermined time is set as the effective period of the one-time URL.
  • the terminal 2 transmits a page request to the authentication server 1 and receives a page response from the authentication server 1 using both the first URL and the second URL. That is, the first page is displayed on the browser activated at the time of the first authentication, and the second page is also displayed on the same browser at the time of the second authentication.
  • the authentication server 1 may store a cookie value unique to the user in the browser displayed by the first page response at the time of the first authentication.
  • the terminal 2 transmits a second page request including the cookie value to the authentication server 1 during the second authentication.
  • the authentication server 1 determines whether or not the cookie value included in the second page request is the one stored in the registration table 100 at the time of the first authentication. If true, that is, the cookie value is stored, authentication can be determined to have succeeded; if the cookie value is not stored in the registration table 100, authentication can be determined to have failed.
  • FIG. 4 is a sequence diagram showing a first sequence that is the first half of the process of determining authentication based on the cookie value of the terminal.
  • the first sequence shown in FIG. 4 differs from the sequence in FIG. 1 in that step S12 is replaced by steps S121, S122 and S123 below.
  • (S121) the authentication server 1 determines whether or not the URL is registered in the registration table 100.
  • (S122) if it is determined to be true in S121, the authentication server 1 generates a cookie value (A1B2C3D4) for the user A and registers it in the registration table 100 in association with the user A.
  • the cookie value is determined by the authentication server 1 as a value unique to the user.
  • (S123) the authentication server 1 returns a first page response including the “cookie value” generated in S122 to the terminal 2. As a result, the terminal 2 activates the browser and stores the received “cookie value” in the browser.
  • FIG. 5 is a sequence diagram showing a second sequence executed subsequent to the first sequence in FIG.
  • the second sequence shown in FIG. 5 differs from the sequence in FIG. 1 in that steps S31 and S32 are replaced by the steps S31 and S32 below.
  • (S31) the terminal 2 transmits an HTTP GET request directed to http://www.SM.co.jp/Axx. The cookie value (A1B2C3D4) stored in the browser activated in S123 is included in this HTTP GET request.
  • (S32) when the authentication server 1 receives the HTTP GET request, it determines whether or not the URL (http://www.SM.co.jp/Axx) and the cookie value (A1B2C3D4) are registered in the registration table 100. If it is determined to be true, that is, registered, authentication is successful; if false, that is, the cookie value is not stored in the registration table 100, authentication is determined to have failed.
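The sequences of FIG. 1, FIG. 4 and FIG. 5 above, modelled as an added Python example (this is illustrative code written for this page, not code from the patent or its assignee). It assumes a single in-memory registration table, an `outbox` list standing in for the e-mail/SMS/SNS transport, a host `https://www.SM.co.jp` taken from the page's example URLs, and an injectable clock for the validity timer. Where the page shows the second URL as the placeholder `Axx`, the example derives it from a random token, because a second URL that a third party could guess would make the out-of-band message pointless; it also consumes the URL on first use, enforces the predetermined validity period, and checks the browser-bound cookie in constant time.

```python
"""Two-step URL authentication server: illustrative model of FIG. 1, 4 and 5."""
import hmac
import secrets
import time
from dataclasses import dataclass

BASE_URL = "https://www.SM.co.jp"  # assumed host; the page's examples use http://www.SM.co.jp


@dataclass
class PendingLogin:
    """State created when a first URL is tapped (steps S13, S122, S2)."""
    user_id: str
    cookie: str       # browser-bound value returned in the first page response (S123)
    issued_at: float  # start of the validity timer for the one-time second URL


class AuthServer:
    def __init__(self, registration, ttl_seconds=300, now=time.time):
        # Registration table 100: user ID -> (address, first URL path).
        self.registration = dict(registration)
        self.first_url_to_user = {path: uid for uid, (_, path) in self.registration.items()}
        self.ttl = ttl_seconds
        self.now = now      # injectable clock so expiry can be tested deterministically
        self.pending = {}   # second URL path -> PendingLogin
        self.outbox = []    # (address, message text); stands in for SMTP / SMS / SNS delivery

    def first_page_request(self, path):
        """Handle a GET for a first URL. Returns the cookie to set, or None if ignored."""
        user_id = self.first_url_to_user.get(path)
        if user_id is None:
            return None  # S12 false: unregistered URL, the request is ignored
        address, _ = self.registration[user_id]
        # Each tap yields a fresh one-time URL, so drop any earlier pending login for this user.
        self.pending = {p: pl for p, pl in self.pending.items() if pl.user_id != user_id}
        second_path = f"/{user_id}/{secrets.token_urlsafe(32)}"  # S13: unguessable second URL
        cookie = secrets.token_urlsafe(32)                        # S122: value unique to this login
        self.pending[second_path] = PendingLogin(user_id, cookie, self.now())
        self.outbox.append((address, f"Tap to complete login: {BASE_URL}{second_path}"))  # S2
        return cookie                                             # S123: Set-Cookie in the response

    def second_page_request(self, path, cookie):
        """Handle a GET for a second URL. Returns the authenticated user ID, or None."""
        pending = self.pending.pop(path, None)  # pop: the URL is consumed whether or not it succeeds
        if pending is None:
            return None  # unknown, already used, or guessed second URL
        if self.now() - pending.issued_at > self.ttl:
            return None  # validity period of the one-time URL has elapsed
        if not hmac.compare_digest(pending.cookie, cookie or ""):
            return None  # S32: request did not come from the browser that tapped the first URL
        return pending.user_id  # S3 / S32: authentication succeeded


if __name__ == "__main__":
    srv = AuthServer({"A": ("A@aaa.com", "/A")})
    cookie = srv.first_page_request("/A")
    address, message = srv.outbox[-1]          # what user A would receive out of band
    second_path = message.split(BASE_URL, 1)[1]
    print(address, srv.second_page_request(second_path, cookie))
```

The `outbox` is where a real deployment would hand the message to a mail client, the mobile network or the SNS site as described above; everything the server needs to verify the second request (user ID, cookie, issue time) stays server side, keyed by the second URL path.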
  • FIG. 6 is a functional block diagram showing a functional configuration in an embodiment of the authentication server according to the present invention.
  • the authentication server 1 includes a registration table 100, a first message transmission unit 101, a second URL generation unit 11, a second message transmission unit 12, and an authentication unit 13. These functional components are realized by a processor with computer functions installed in the authentication server 1 executing an authentication program according to the present invention stored in a memory in the authentication server 1. The processing flow shown by connecting these functional components with arrows is also understood as an authentication method according to the present invention.
  • the registration table 100 stores, for each user ID, an address and a first URL that can identify the user (see FIG. 1 described above).
  • the first message transmission unit 101 transmits the first message describing the first URL, with the address of the user ID identified by the first URL as the destination (see S0 in FIG. 1 described above).
  • when receiving the first page request for the first URL from the terminal 2, the second URL generation unit 11 identifies the user ID and generates a second URL that can identify the user ID (see S1 in FIG. 1). The second message transmission unit 12 transmits the second message in which the second URL is described, with the address of the user ID as the destination (see S2 in FIG. 1).
  • when the authentication unit 13 receives the second page request for the second URL from the terminal 2, it determines that the user ID has been successfully authenticated (see S3 in FIG. 1).
  • two-step user authentication can thus be performed without requiring the user to input any code (for example, user ID, password, or passcode).
  • as described above, according to the present invention, user authentication can be executed with only two URL taps.
  • the operation effect of the invention described in Non-Patent Document 1 is compared with the operation effect of the present invention.
  • (first step) the invention described in Non-Patent Document 1 requires input of a user ID and a password at the time of the first authentication, whereas the present invention requires only a tap on the first URL dedicated to the user ID. This has the same effect as the user ID and password being known only to the user: the first URL is dedicated to the user and can be known only by the user.
  • (second step) the invention described in Non-Patent Document 1 transmits an SMS message by telephone call to the user's smartphone at the time of the second authentication.
  • the present invention also performs the same message transmission.
  • (third step) in Non-Patent Document 1, the pass code of the SMS message is input to the site at the time of the second authentication.
  • the present invention instead requires only a tap on a one-time second URL dedicated to the user ID. This has the same effect as validating a passcode once: the second URL is valid only once.
  • the message including the one-time second URL reaches only the terminal 2 of the legitimate user.
  • the user ID and the password are concealed by the first URL and the second URL dedicated to the user ID, and the security of user authentication can be improved.
  • since the user can be authenticated simply by tapping the two authentication URLs displayed on the terminal 2, there is no need to start a specific application on the terminal 2, and no need to separately access another Web site.
  • the present invention ensures the same or higher security as compared with the invention described in Non-Patent Document 1, while requiring of the user only two taps in total, one on the first URL and one on the second URL.

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Computer Hardware Design (AREA)
  • Software Systems (AREA)
  • Information Transfer Between Computers (AREA)

Abstract

The invention relates to an authentication server, a program recording medium and a method capable of executing two-step user authentication without the user entering any codes (for example, a user ID, a password or a passcode). This authentication server is a device that authenticates a user operating a terminal, and comprises: a registration table that stores, for each user ID, an address and a first URL by which the user of that user ID can be identified; second URL generation means for, on receipt of a first page request directed to a first URL, identifying the user ID of the first page request and generating a second URL by which the user ID can be identified; second message transmission means for transmitting a second message in which the second URL is described, using the address of the user ID as the destination; and authentication means for judging authentication of the user ID with respect to the terminal to have succeeded when a second page request directed to the second URL is received from the terminal.
PCT/JP2019/014604 2018-04-03 2019-04-02 Server implementing authentication using a two-step URL, program recording medium and method WO2019194170A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
JP2018-071238 2018-04-03
JP2018071238A JP6435456B1 (ja) 2018-04-03 2018-04-03 Authentication server, program and method using a two-step URL

Publications (1)

Publication Number Publication Date
WO2019194170A1 true WO2019194170A1 (fr) 2019-10-10

Family

ID=64655826

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/JP2019/014604 WO2019194170A1 (fr) 2018-04-03 2019-04-02 Server implementing authentication using a two-step URL, program recording medium and method

Country Status (2)

Country Link
JP (1) JP6435456B1 (fr)
WO (1) WO2019194170A1 (fr)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP7302193B2 (ja) 2019-02-15 2023-07-04 株式会社リコー Information processing device
JP7081773B1 (ja) 2022-03-31 2022-06-07 株式会社エルブズ Authentication method, authentication program and authentication system

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2003016349A (ja) * 2001-07-05 2003-01-17 J-Phone East Co Ltd Electronic commerce support method, product purchase method, information processing device for electronic commerce support, information communication terminal and program
JP2008171087A (ja) * 2007-01-09 2008-07-24 Taito Corp Authentication system, authentication program
JP2010079795A (ja) * 2008-09-29 2010-04-08 Fujifilm Corp Client authentication system
JP2010262532A (ja) * 2009-05-08 2010-11-18 Yahoo Japan Corp Server, method and program for managing login
JP2013088877A (ja) * 2011-10-13 2013-05-13 Nomura Research Institute Ltd Access control system, access control method and computer program
JP2015103194A (ja) * 2013-11-28 2015-06-04 キヤノン株式会社 Mail address management system
JP2017175227A (ja) * 2016-03-18 2017-09-28 株式会社リコー Certificate management system, certificate management method and program


Also Published As

Publication number Publication date
JP6435456B1 (ja) 2018-12-12
JP2019185146A (ja) 2019-10-24

Similar Documents

Publication Publication Date Title
US9979719B2 (en) System and method for converting one-time passcodes to app-based authentication
US9923876B2 (en) Secure randomized input
EP4152188B1 (fr) Methods, systems and apparatus for improved multi-factor authentication in a multi-application communication system
US9038157B1 (en) Method and apparatus for integrating a dynamic token generator into a mobile device
TW201635181A (zh) On-demand password
JP2018500619A (ja) Method and terminal for transmitting verification information
US9197646B2 (en) Verifying source of email
KR20100049653A (ko) Notification method and notification device
Ferry et al. Security evaluation of the OAuth 2.0 framework
US20150365420A1 (en) A secure user interaction method performing defined actions on web resources over a separate channel and a system thereof
US11165768B2 (en) Technique for connecting to a service
WO2019194170A1 (fr) Server implementing authentication using a two-step URL, program recording medium and method
KR20140081041A (ko) Method and system for authenticating access to internet site services using a telephone number
JP2015130028A (ja) Proxy login device, terminal, control method and program
KR101739446B1 (ko) User authentication system and authentication method
Gibbons et al. Security evaluation of the OAuth 2.0 framework
CN104301285A (zh) Login method for a web system
TW202105205A (zh) Authentication system and authentication method
JP4961058B1 (ja) Authentication system
JP7519977B2 (ja) Authentication system, authentication terminal and authentication program
EP3582469B1 (fr) Authentication by means of a mobile network operator system
AU2014101079A4 (en) Secure communication method
US20100175118A1 (en) Access to service
IE20140024A1 (en) Web application protection system with transaction signing using near field communication (NFC) capable devices
KR20140007984A (ko) Login method by instant message

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 19782350

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 19782350

Country of ref document: EP

Kind code of ref document: A1