WO2020060150A1 - Identity authentication system and method - Google Patents

Abstract

Disclosed are an identity authentication system and method, wherein the reuse of authentication information can be prevented and a non-repudiation effect can be obtained by performing identity authentication through a technique of confirming time information input by a user through a voice channel. According to one aspect of the present invention, provided is an identity authentication method including: a step in which an identity authentication system receives an identity authentication request from a user terminal of a user through a wired/wireless data communication network; a step in which the identity authentication system specifies the request time of the identity authentication request; a step in which the identity authentication system connects a phone call with a mobile terminal of the user; a step in which the identity authentication system receives a first voice signal from the mobile terminal through the phone call; a step in which the identity authentication system performs voice recognition on the first voice signal and determines a time expressed through the first voice signal; and a step in which the identity authentication system compares the request time of the identity authentication request with the time expressed through the first voice signal to determine whether the identity authentication is successful.

Description

Personal authentication system and method

The present invention relates to a user authentication system and method for verifying that a user is a legitimate user who has the authority to use his or her predetermined service (for example, online payment) or who has performed an action, and more specifically A user authentication system that prevents reuse of authentication information, has a non-repudiation effect, and is capable of generating timely bio-signatures by performing user authentication in a manner that confirms the point-in-time information input through a voice channel It's about how.

2. Description of the Related Art Recently, as wired / wireless communication networks have been developed, and computers and the Internet are spread to each family, various online services such as online commerce and internet banking have been provided. Due to the nature of these services, it is very important for the user to verify that the user is a legitimate user to use the service.

Self-authentication refers to the process of verifying that a subject requesting a specific service (eg, online payment) is a legitimate user. In order to authenticate the user, a method of authenticating a legitimate user is usually used using a password or security key registered in advance, and this method is used to sign up for membership by using the personal information of the user obtained through an illegal route, or to use the ID. B. There is a problem that the password can be obtained illegally.

Accordingly, there is a personal authentication method that confirms that the person requesting the service and the occupant of the mobile phone are the same person by transmitting the authentication number to the mobile phone and inputting it later, and these methods also transmit data in the middle. A man-in-the-middle attack that is made by intercepting or illegally modifying or generating data, or a retransmission attack that masquerades as a legitimate user by acquiring security information such as a password by illegal methods and then retransmitting it attack). In addition, when such a man-in-the-middle attack or a re-transmission attack is possible, the person performing the authentication request can deny that the authentication request is not by himself, seriously affecting the reliability of the system.

On the other hand, recently, phishing techniques have also become sophisticated, and phishing techniques such as smishing using SMS have appeared. Smishing is a text message that allows you to go to an illegal site, so that when a mobile phone user accesses a website, they steal personal information or inject a Trojan to control an Internet-enabled mobile phone, for example from the outside. This is a phishing method that automatically installs malware when the masquerading as a received event is clicked or causes damage such as approving micropayment by intercepting the user's security information without the user's knowledge. In order to acquire authentication information of a user in a method, such a smishing technique is actively used. Even in this case, there is a problem in that it is difficult to prevent denial by attacking the middle man.

In the case of online payments or financial transactions, irreversible damage may occur due to such an attack, and thus, such Internet service effectively prevents the above-described attacks of man-in-the-middle, re-transmission, and attacks by smishing, etc., thereby preventing repudiation. An authentication method with a high level of security is urgently required.

Therefore, the present invention is an invention devised to solve the above-mentioned problems, and the technical problem to be achieved by the present invention is to secure a high security that can be undeniable, so that it is not vulnerable to man-in-the-middle attacks or re-transmission attacks. And to provide a method for providing the same.

According to an aspect of the present invention, the user authentication system receives a user authentication request from a user's user terminal through a wired or wireless data communication network, the user authentication system specifying a request time point of the user authentication request, the The user authentication system, the step of connecting the user's mobile terminal and a phone call, the user authentication system, receiving a first voice signal from the mobile terminal through the phone call, the user authentication system, the agent Performing a voice recognition on the 1 voice signal and determining a time point expressed through the first voice signal, and the user authentication system determining a request time point of the user authentication request and a time point expressed through the first voice signal A method of authenticating a user is provided, comprising comparing and determining whether or not the authentication is successful.

In one embodiment, the step of determining whether or not the user authentication is successful by comparing the time point of the request for the request for the user authentication with the time point expressed through the first voice signal. If the request time of the user authentication request matches the time point expressed through the first voice signal or the difference between the request time point of the user authentication request and the time point expressed through the first voice signal is within a predetermined period This may include determining to be successful.

In one embodiment, the user authentication method comprises the steps of allowing the user authentication system to transmit one-time authentication information corresponding to the user authentication request to the user terminal, and the user authentication system to receive a call from the mobile terminal. Further comprising the step of receiving a pass code through, the step of authenticating the identity of the identity authentication system by comparing the request time of the identity authentication request and the time expressed through the voice signal, the success of the identity authentication, And determining whether the authentication is successful by further determining whether the passcode received from the mobile terminal matches the one-time authentication information transmitted to the user terminal.

In one embodiment, the personal authentication system, the step of receiving a pass code through the telephone call from the mobile terminal, the personal authentication system, receiving a second voice signal through the telephone call and the personal The authentication system may include recognizing the passcode from the second voice signal through voice recognition.

In one embodiment, the step of the user authentication system, receiving a pass code through the phone call from the mobile terminal, the user authentication system receives a DTMF signal corresponding to the pass code through the phone call It may include steps.

In one embodiment, the identity authentication method further comprises the step of the identity authentication system analyzing the first voice signal to determine whether the first voice signal is uttered by the user, and the identity The authentication system, comparing the request time of the user authentication request with the time point expressed through the first voice signal, and determining whether or not the user authentication is successful includes: the time point of the request of the user authentication request and the utterance by the user And determining whether or not authentication is successful by comparing the time point expressed through the first voice signal determined to be successful.

In one embodiment, the personal authentication method may further include recording at least a portion of the first voice signal and encrypting at least a portion of the recorded first voice signal to generate bio-signature information. .

In one embodiment, the identity authentication request is an authentication request for identity verification of a predetermined electronic document, and the identity authentication method further comprises using the bio signature information as an electronic signature value for the electronic document. It can contain.

In one embodiment, the step of using the bio-signature information as an electronic signature value for the electronic document includes: converting the bio-signature information into an image form to generate image signature information and the image signature information to the electronic document It may include the step of combining with.

According to another aspect of the present invention, there is provided a computer-readable recording medium recording a program for performing the above-described method.

According to another aspect of the present invention, as the identity authentication system, the processor and a memory storing a program, the program, when executed by the processor, the identity authentication system to perform the above-described method A personal authentication system is provided.

According to another aspect of the present invention, a request receiving module for receiving a user authentication request from a user's user terminal through a wired or wireless data communication network, a point-in-time module for specifying a request time point of the user authentication request, a mobile terminal and a phone of the user A phone call module for connecting a call, a voice signal receiving module for receiving a first voice signal through the phone call from the mobile terminal, and performing voice recognition for the first voice signal and expressed through the first voice signal A self-authentication system is provided that includes a time-recognition module that determines a time point and a control module that determines whether or not the user authentication is successful by comparing the time point requested by the user authentication request with the time point expressed through the first voice signal.

In one embodiment, the control module, the time point of the request of the user authentication request and the time point expressed through the first voice signal coincides, or the time point of the request time of the user authentication request and the time point expressed through the first voice signal. If the difference is within a predetermined period, it can be determined that the user authentication has been successful.

In one embodiment, the identity authentication system, a one-time authentication information module that allows the one-time authentication information corresponding to the identity authentication request is transmitted to the user terminal and a passcode for receiving a passcode through the phone call from the mobile terminal The control module may further include a receiving module, and further determine whether the authentication is successful by further determining whether the passcode received from the mobile terminal matches the one-time authentication information transmitted to the user terminal.

In one embodiment, the passcode receiving module may receive a second voice signal through the telephone call and recognize the passcode from the second voice signal through voice recognition.

In one embodiment, the passcode receiving module may receive a DTMF signal corresponding to the passcode through the telephone call.

In one embodiment, the personal authentication system, the personal authentication system further comprises a voice analysis module for determining whether the first voice signal is spoken by the user by voice-analyzing the first voice signal, The control module may determine whether or not the user authentication is successful by comparing the request time of the user authentication request with the time point expressed through the first voice signal determined to be spoken by the user.

In one embodiment, the identity authentication system further includes a recording module for recording at least a portion of the first voice signal and a biosignature generating module for encoding at least a portion of the recorded first voice signal to generate bio-signature information. It can contain.

In one embodiment, the identity authentication request is an authentication request for identity verification of a predetermined electronic document, and the identity authentication system uses an electronic signature module that uses the bio signature information as an electronic signature value for the electronic document. It may further include.

In one embodiment, the pre-signature module may convert the bio signature information into an image form to generate image signature information, and combine the image signature information with the electronic document.

In addition, according to an embodiment of the present invention, since a channel for which authentication is requested (that is, a data communication network such as a wired or wireless Internet) and a channel for confirming a password (i.e., a telephone network) are distinguished from each other, information leakage in any one channel Even if this happens, security can be maintained.

In one embodiment of the present invention, when a certain period of time has elapsed since the time of requesting the user authentication, the information on when the validity is lost and / or the one-time authentication information that is discarded after being used once is used for the user authentication, thereby vulnerable to a retransmission attack. Can be prevented. In addition, since authentication is performed through a telephone call, it is effective in preventing vulnerabilities against man-in-the-middle attacks.

In addition, by receiving a password through an ARS call, there is a high possibility that information is not leaked through an attack in a data communication network, such as a virus, worm, or malicious code.

In addition, it is possible to effectively prevent vulnerabilities against man-in-the-middle attacks by receiving various information necessary for personal authentication through a telephone call having the characteristic that eavesdropping or eavesdropping is very difficult.

In addition, there is an effect that the security level can be significantly improved by simultaneously using the sex analysis technique.

In addition, since the user directly utters information about the time when the user requested the user authentication at the time of the user authentication, it is possible to clearly prove the time of the authentication request, and if it is used as a biosignature, a biosignature with timeliness can be secured. It has the effect of being.

In the end, according to the technical idea of the present invention, it is possible to have both strong characteristics against man-in-the-middle attacks (due to authentication performed through a telephone call) and strong characteristics against retransmission attacks using one-time authentication information, so high-authentication authentication that can be undeniable is performed. There is an effect that can be.

BRIEF DESCRIPTION OF THE DRAWINGS In order to better understand the drawings cited in the detailed description of the present invention, a brief description of each drawing is provided.

1 is a diagram for conceptually explaining a user authentication system according to an embodiment of the present invention.

2 is a block diagram illustrating a schematic configuration of a personal authentication system according to an embodiment of the present invention.

3 is a view showing an example of information that can be maintained in the identity authentication system according to an embodiment of the present invention.

4 is a view for explaining the flow of the user authentication method according to an embodiment of the present invention.

5 is a view showing an example of a user authentication request UI provided to a user terminal to implement a user authentication method according to an embodiment of the present invention.

The present invention can be applied to various transformations and can have various embodiments, and specific embodiments will be illustrated in the drawings and described in detail in the detailed description. However, this is not intended to limit the present invention to specific embodiments, and should be understood to include all conversions, equivalents, and substitutes included in the spirit and scope of the present invention. In the description of the present invention, when it is determined that a detailed description of known technologies related to the present invention may obscure the subject matter of the present invention, the detailed description will be omitted.

Terms such as first and second may be used to describe various components, but the components should not be limited by the terms. The terms are used only for the purpose of distinguishing one component from other components.

The terms used in this application are only used to describe specific embodiments, and are not intended to limit the present invention. Singular expressions include plural expressions unless the context clearly indicates otherwise.

In this specification, terms such as “include” or “have” are intended to indicate that a feature, number, step, operation, component, part, or combination thereof described in the specification exists, one or more other. It should be understood that features or numbers, steps, operations, components, parts, or combinations thereof are not excluded in advance.

In addition, in the present specification, when one component 'transmits' data to another component, the component may directly transmit the data to the other component, or through at least one other component It means that the data may be transmitted to the other components. Conversely, when one component 'directly transmits' data to another component, it means that the data is transmitted from the component to the other component without passing through the other component.

Hereinafter, the present invention will be described in detail with reference to the accompanying drawings. The same reference numerals in each drawing denote the same members.

1 is a diagram for conceptually explaining a user authentication system according to an embodiment of the present invention.

Referring to FIG. 1, in order to implement a personal authentication method according to an embodiment of the present invention, a predetermined personal authentication system 100 may be provided.

The user authentication system 100 may receive a user authentication request from the user terminal 210.

The user authentication request is a request date for authenticating that the user of the user terminal 210 is a legitimate user who can receive a predetermined service (eg, web service, online commerce service, online banking service, online payment service, etc.). You can. Alternatively, the identity authentication request may request to confirm that the identity has been performed. For example, the identity verification request may be an identity verification request for electronic signature of the electronic document.

The user terminal 210 may transmit a user authentication request for a user using the user terminal 210 to the user authentication system 100 together with an online payment request or on the premise of an online payment request. Alternatively, the user terminal 210 may transmit a user authentication request for a user who uses the user terminal 210 to the user authentication system 100 to generate digital signature information.

The user terminal 210 may be used in a sense including all types of data processing devices (for example, laptops, desktops, mobile terminals, set-top boxes, etc.) capable of requesting user authentication with the user authentication system 100. have.

The user authentication system 100 can be accessed by the user terminal 210, and any type of data processing system capable of receiving a user authentication request (for example, a predetermined website, page, interactive broadcast server, etc.) Can provide

In one embodiment, a predetermined affiliate system (not shown) may exist between the user terminal 210 and the identity authentication system 100, and the identity authentication system 100 may request an identity from the affiliate system. I can receive it. That is, the merchant system may receive a user authentication request along with a payment request through the user's terminal 210 and deliver it to the user authentication system 100.

The user authentication request may be performed through a predetermined wired or wireless data communication network, that is, a first communication channel (for example, the Internet as shown in FIG. 1).

The identity authentication system 100 connects a phone number with the mobile terminal 220 possessed by the user in response to the identity authentication request, and information necessary for identity authentication for the user through the connected phone number (hereinafter , 'Personal identification information'), through which it is possible to perform the user authentication for the user.

In one embodiment, the user authentication request may include the mobile phone number of the user's mobile terminal 220 input by the user terminal 210. To this end, the user may enter his / her mobile terminal 220's phone number while making a request for authentication through his / her terminal 210.

In addition, the method for obtaining the phone number (for example, a mobile phone number, a USIM number, etc.) of the mobile terminal 200 by the user authentication system 100 may be various. In another embodiment, the user's mobile phone number may be registered in advance in the identity authentication system 100. The user of the user terminal 210 may register the phone number of his mobile terminal 210 in advance with the user authentication system 100 before making a request for user authentication.

According to an embodiment, the user authentication system 100 may perform a user authentication procedure after confirming whether the user is a party owner of the mobile terminal 200 using the obtained phone number of the mobile terminal 200. have. For example, the user authentication system requests authentication to a system of a mobile communication company (for example, SKTelecom, KT, LG U +) to which the mobile terminal 200 is subscribed, so that the user of the mobile terminal 200 You can check whether you are a party owner.

Depending on the implementation example, the user may further input user identification information (eg, a previously registered ID or name, date of birth, login password, etc.) through the terminal 210, and the user identification is requested in the user authentication request. More information may be included.

The user identification information may be used as predetermined check information. Since the mobile phone number may be information that has already been disclosed to a large number of people, there may be a case where an authentication request is requested using the corresponding mobile phone number and additional information required for authentication (for example, a login password) may be added. Accordingly, when the requester is to be identified by the mobile phone number, which is the disclosed information, stability may be improved by further using predetermined check information. Therefore, the user authentication request may include a mobile phone number and check information. When the identity authentication request is received, the identity authentication system 100 may determine whether the mobile phone number and the check information correspond. And only when it is determined that they correspond to each other, the remaining authentication procedures can be performed as described later. To this end, the mobile phone number and check information corresponding thereto may be stored in the user authentication system 100 in advance. Consequently, according to the present embodiment, such check information can be received together with the mobile phone number, and used as information for primary authentication. There is an effect that the stability of the service can be significantly increased by performing the user authentication as described later as the first authentication after the first authentication using the check information. In addition, when the user authentication request received more than a preset number of times while changing the check information for the same mobile phone number within a certain time, the user authentication system 100 rejects the request or performs a separate additional authentication procedure for stability. Can increase.

Meanwhile, the user authentication system 100 may allow the user terminal 210 that has sent the user authentication request to receive one-time authentication information (for example, one time password (OTP)) corresponding to the user authentication request. . Then, the user terminal 210 may display the received one-time authentication information so that the user can recognize it.

In one embodiment, the one-time authentication information may be issued by the identity authentication system 100. In this case, when the user authentication request is received from the user terminal 210, the user authentication system 100 may issue one-time authentication information and transmit it to the user terminal 210.

Meanwhile, in another embodiment, the one-time authentication information may be issued by another server (for example, the card company system 300) at the request of the identity authentication system 100, in this case, the one-time authentication information The server issuing the server (for example, the card company system 300) may transmit the issued one-time authentication information to the user terminal 210. Then, the user terminal 210 may display the received one-time authentication information so that the user can recognize it.

In another embodiment, the one-time authentication information is issued by another server (for example, the card company system 300) at the request of the identity authentication system 100, but the server that issued the one-time authentication information (eg For example, the card company system 300 may transmit the issued one-time authentication information to the identity authentication system 100. In this case, the subject that transmits the issued one-time authentication information to the user terminal 210 may be the identity authentication system 100.

The one-time authentication information may be a value that is written once and discarded. That is, the one-time authentication information, as described later, can be used for user authentication for a user corresponding to the user terminal 210, and once the one-time authentication information is used for the user authentication, the one-time authentication information is It may be discarded and reused.

Meanwhile, the identity authentication system 100 may perform a predetermined process for identity authentication using the mobile phone number of the mobile terminal 220. To this end, the user authentication system 100 may request predetermined user identification information to be used for user authentication to the user's mobile terminal 220 using the mobile phone number. In addition, the identification information may be received from the mobile terminal 220. At this time, the identity authentication system 100 may request the identity verification information required for authentication through a second communication channel (for example, a mobile communication network as shown in FIG. 1) different from the first communication channel. have.

In one embodiment, the identity authentication system 100 may include a predetermined Auto Response System (ARS) to connect the mobile terminal 220 and a telephone call, and the mobile terminal 220 and the telephone call. You can connect and receive the identity verification information through ARS. Depending on the implementation example, the identity authentication system 100 may be connected to a predetermined ARS to control the ARS to implement the technical idea of the present invention.

That is, in one embodiment, the identity authentication system 100 may make an ARS call to the mobile terminal 220 corresponding to the mobile phone number, and an ARS call, that is, information for identity authentication when a phone call is connected You can ask for input. For example, the identity authentication system 100 may extract the mobile phone number included in the received identity authentication request, and output the extracted mobile phone number to a predetermined ARS. Then, the ARS can connect a wireless call to the mobile terminal 220. That is, you can make a call. Then, the ARS can request the identity verification information required for identity authentication from the mobile terminal 220. When a user inputs identification information in response to a request, the identification system 100 may receive information input from the ARS system and perform identification.

The user may input identification information in a form that can be transmitted through the telephone call. For example, the user may input identification information in the form of voice. Alternatively, the user may input identification information in the form of a DTMF signal.

Meanwhile, the identification information used by the identification system 100 may vary. For example, the identity authentication system 100 may use personal information and / or password registered in advance as an example of identity verification information. That is, the personal authentication system 100 may receive personal identification information corresponding to personal information and / or a password through a phone call connected to the mobile terminal 200 of the user, and the personal authentication system 100 The user authentication may be performed in comparison with personal information and / or password registered in advance.

In another embodiment, the identification information may include predetermined viewpoint information (information indicating a specific time or period). To this end, in this embodiment, the identity authentication system 100 specifies a request time point of the identity authentication request, and the identity authentication system 100 is specified through a telephone call connected to the mobile terminal 200 of the user. The time point to be compared with the request time point can be received in the form of a voice. In one example, the user authentication system 100 guides the request time of the user authentication request in various ways, and the user can utter the guided request time by fostering and provide it to the user authentication system 100 through a telephone call. have.

The method of guiding the request time of the identity authentication request may vary. In one embodiment, the user authentication system 100 transmits a request time point to the user terminal 100 so that the request time point can be displayed on the user terminal 100 and then the user's mobile terminal 200 The request time may be received through a phone call connected to. Alternatively, in another embodiment, the identity authentication system 100 may guide the user to utter the request time through a telephone call connected to the user's mobile terminal 200. For example, the user authentication system 100 may guide through a telephone call, "If you agree, please say June 29, 09:09, 2018", and the user "June 29, 2018 09:10 By "speaking", identity verification information can be transmitted to the identity authentication system 100.

In this way, when the user speaks and uses the time information transmitted through the telephone call as the identification information, the user must express a specific time point (for example, the request time of the user authentication request) in order to authenticate the user. Therefore, it has the effect of recording and storing it so that it can be used as evidence for strong non-repudiation in the future. In addition, the user's utterance point-in-time information may be used later as a bio signature. By applying the call record of the telecommunication company and the request time information of the user authentication request together, it can be a complete bio signature, and the authentication and bio signature can be satisfied at the same time because it can accurately prove the request time compared to a fingerprint or other bio authentication.

In another embodiment, the identification information may further include a passcode to be compared with the one-time authentication information transmitted to the user terminal 210 later. In this case, the user authentication system 100 may compare whether the one-time authentication information and the passcode match.

For higher security, in another embodiment, two pass codes (a first pass code and a second pass code) may be included. In this case, whether the first passcode is set by the user and matches the authentication information previously stored in the user authentication system 100 will be compared, and the second passcode will be transferred to the user terminal 210 later. Whether or not it matches the transmitted one-time authentication information may be compared.

In the embodiment in which the identification information includes two passwords, the user authenticates the first passcode and the second passcode through the phone call (that is, ARS call) formed with the identity verification system 100 to the identity verification system. (100). That is, two passwords may not be transmitted through different phone calls, but may be transmitted to the user authentication system 100 through one phone call. As the length of the passcode increases, it becomes more difficult to find the passcode, so the security can be enhanced. Therefore, for example, by transmitting the passcode of 8 digits combined with the first passcode and the second passcode at a time, rather than transmitting each of the first passcode of 4 digits and the second passcode of 4 digits, Higher security can be secured.

On the other hand, when the identification information is composed of numbers, DTMF tones may be input on a telephone call (for example, an ARS call).

On the other hand, in one embodiment, when the identification information includes time information and / or one-time authentication information, the identification information may be transmitted as a voice signal. In this case, there is no problem even if another person overhears the voice signal corresponding to the identification information. In this case, the user authentication system 100 may include a voice recognition module for voice recognition of the voice signal.

In addition, when the identification information is transmitted as a voice signal, the identity authentication system 100 may verify whether the speech is uttered by the user by analyzing the received voice signal (speaker recognition). To this end, the user authentication system 100 may store the voiceprint information of the user in advance, and may include a voiceprint analysis module.

Voice analysis, that is, speaker recognition, may be a method for identifying the personality of a human voice. Individual voice gates are based on the anatomical shape of the speech organs, i.e., the size, shape, and physical characteristics of the genitals, vocal cords, nasal cavity, teeth, and so on, and the social and linguistic environment and personal vocal habits of acquiring language. It can be determined by pronunciation, vocabulary, intonation, and the like, and the voice analysis module can compare these features and identify the identity between the user's voice stored in advance and the user's voice received through a telephone call.

In the case of the conventional sexual analysis method, the recognition rate may be lower than that of other bio authentications (eg, fingerprint recognition, iris recognition, etc.). However, according to an embodiment of the present invention, since the voice information obtained through the limited communication channel called the speaker's mobile phone is used for voice analysis, it is possible to obtain an effect of increasing the recognition rate. In addition, additional means for identity verification (eg, acquisition and verification of authentication information through DTMF, which will be described later) can be used together with the analysis of the voiceprint, and in this case, the recognition rate can be increased by lowering the threshold of the voiceprint analysis. You can.

As described above, in the embodiment of the present invention, when information required for personal authentication (that is, personal identification information) is received through a telephone call, the mobile terminal 220 may use a predetermined IC chip or a separate IC chip for personal authentication. This has the effect of eliminating the need to install software. Therefore, the service according to the embodiment of the present invention can be utilized in any number of conventional 2G phones.

On the other hand, the mobile terminal 220 may be a computing device including a mobile phone, a smart phone, a tablet PC, a PDA (Personal Digital Assistant), and other wireless computing devices or other handheld devices having a wireless connection function. It may be a processing device connected to a wireless modem.

According to an embodiment of the present invention, the identity authentication system 100 may provide a technical idea that allows a user to identify himself before receiving identity verification information necessary for authentication through the mobile terminal 220. That is, according to an embodiment of the present invention, the identity authentication system 100 can confirm to the user that he is a legitimate identity authentication authority.

To this end, in one embodiment, the user authentication system 100 first causes predetermined system identification information to be output to the user terminal 210, and then inputs user identification information required for authentication through the mobile terminal 220. When receiving, it is possible to display the same system identification information on the mobile terminal 220. For example, the user authentication system 100 may allow the user terminal 210 to output the calling number of the ARS call. Thereafter, when the user authentication system 100 connects the ARS call to the mobile terminal 220 of the user, the calling number of the ARS call may be output to the mobile terminal 220 of the user. Therefore, the user can confirm that the subject who wants to connect the ARS call to his mobile terminal 220 is the identity authentication system 100.

The system identification information need not necessarily be a calling number. When the ARS call is connected through the mobile terminal 220, the user authentication system 100 is reminded in advance of a predetermined guide phrase to be output to the mobile terminal 220 (for example, a guide phrase of the mobile operator's lettering service). It may be displayed on the user terminal 210. In this case, the guide phrase may be changed each time.

Therefore, the user authentication system 100 enables the user to confirm that the system requesting the user authentication through the user terminal 210 and the system requesting the user identification information through the mobile terminal 220 are the same. can do.

The identity verification information and / or the identity verification request may further include additional personal information to be used for identity verification. For example, personal information may include, but is not limited to, a user's social security number, card number, password, and date of birth.

Meanwhile, if necessary, the identity authentication system 100 may transmit / receive data required for the identity authentication process 300 and the identity authentication process. The authentication server 300 may be, for example, a server of a mobile communication company or a server of a credit card company.

In one embodiment, when the authentication server 300 issues the one-time authentication information described above, the identity authentication system 100 transmits the password information received from the mobile terminal 220 to the authentication server 300 By comparing whether the received password is the same as the one-time authentication information.

In addition, in one embodiment, the identity authentication system 100 transmits the personal information and mobile phone number received from the user to the authentication server of the mobile communication company, thereby verifying the identity of the user by confirming whether the user is the identity of the mobile phone number ( That is, the user authentication (ie, the owner authentication of the credit card) is performed by performing the authentication of the owner of the mobile phone or by transmitting the card information input from the user to the credit card company's authentication server, and confirming that the user is the credit card holder. You can also do

2 is a block diagram illustrating a schematic configuration of a personal authentication system according to an embodiment of the present invention. As shown in Figure 2, the identity authentication system 100 is a request receiving module 110, a specific point-of-view module 150, a phone call module 120, a voice signal receiving module 1250, a point-of-view recognition module 130 ), The control module 140. According to an embodiment, the user authentication system 100 may include a one-time authentication information module 150, a pass code receiving module 155, a voice analysis module 160, a recording module 165, and a bio signature generation module 170, The electronic signature module 175 may be further included, and in some cases, the DB 180 may be further included. Depending on the embodiment of the present invention, some of the above-described components may not necessarily correspond to components essential to the implementation of the present invention. Also, according to the embodiment, the identity authentication system 100 is Of course, it may include more components than this.

The identity authentication system 100 may include hardware resources and / or software necessary to implement the technical idea of the present invention, and necessarily means one physical component or one device no. That is, the user authentication system 100 may mean a logical combination of hardware and / or software provided to implement the technical idea of the present invention, and if necessary, are installed in devices spaced apart from each other to perform each function. By performing, it may be implemented as a set of logical components for implementing the technical idea of the present invention. In addition, the user authentication system 100 may mean a set of components that are separately implemented for each function or role for implementing the technical idea of the present invention. For example, the request receiving module 110, the point-in-time module 150, the phone call module 120, the voice signal receiving module 1250, the point-of-view recognition module 130, the control module 140, one-time authentication information The module 150, the passcode receiving module 155, the voice analysis module 160, the recording module 165, the bio-signature generating module 170 and / or the electronic signature module 175 are located in different physical devices. It can be located on the same physical device. In addition, depending on the implementation example, the request receiving module 110, a specific point of view module 150, a phone call module 120, a voice signal receiving module 1250, a point of view recognition module 130, a control module 140, One-time authentication information module (150), pass code receiving module (155), voice analysis module (160), recording module (165), bio-signature generation module (170) and / or electronic signature module (175) The combination of software and / or hardware may also be located in different physical devices, and configurations located in different physical devices may be organically combined with each other to implement the respective modules.

In addition, in this specification, a module may mean a functional and structural combination of hardware for performing the technical idea of the present invention and software for driving the hardware. For example, the module may mean a logical unit of a predetermined code and a hardware resource for performing the predetermined code, and does not necessarily mean a physically connected code or a type of hardware. It can be easily deduced from the average expert in the technical field of the present invention.

The control module 140 includes other components included in the user authentication system 100 (for example, a request receiving module 110, a point-in-time module 115, a telephone call module 120, and a voice signal receiving module) (1250), viewpoint recognition module 130, control module 140, one-time authentication information module 150, pass code receiving module 155, voice analysis module 160), recording module 165, bio-signature generation The functions and / or resources of the module 170 and / or the digital signature module 175 may be controlled.

The DB 180 may store various types of information that may be stored or maintained in advance in the identity authentication system 100. 3 is a diagram showing an example of information stored in the DB 180. Referring to FIG. 6, authentication information (password) corresponding to each mobile phone number may be stored in the DB 180. Further, according to the implementation example, identification information, check information, and the like of the user corresponding to each mobile phone number may be further stored.

As described above, the authentication information may be used to verify whether a person who occupies a mobile terminal corresponding to the mobile phone number is a legitimate user together with the one-time authentication information. In addition, the check information may be used to perform primary authentication as to whether a user who has requested a user authentication through the user terminal 210 is a legitimate user. In addition, voice data for each user may be stored in the DB 180.

The request receiving module 110 may receive a user authentication request through a wired or wireless data communication network (eg, the Internet, mobile Internet). The request receiving module 110 may directly receive the user authentication request from the user terminal 210 or may receive it through a predetermined merchant server.

As described above, the user authentication request may include the mobile phone number of the user's mobile terminal 220, and according to an embodiment, the check information corresponding to the mobile phone number and / or the user terminal 210 It may further include the personal information of the user corresponding to.

The viewpoint specific module 115 may specify a predetermined reference viewpoint.

In one embodiment, the point-in-time module 115 may specify the point-in-time of the identity authentication request. The request time of the identity authentication request may be a time point at which the request receiving module 110 receives the identity authentication request or may be a predetermined time point determined based on the identity authentication request.

The phone call module 120 may connect a phone call with the user's mobile terminal 200.

In one embodiment, the phone call module 120 may connect a phone call with the mobile terminal 220 using the mobile phone number included in the identity authentication request. Alternatively, in another embodiment, the phone call module 120 may connect a phone call with the mobile terminal 220 using the mobile phone number stored in advance by the user.

The phone call module 120 may attempt to connect a call to the mobile phone number, and the mobile terminal 220 may connect the phone call by accepting the call connection.

Meanwhile, there may be a case in which a telephone call cannot be connected depending on a user's situation. For example, if the mobile terminal 220 does not receive a call during the preset timeout period or rejects the call connection, and the call connection is not successful, it may be inappropriate to repeatedly connect the phone call. Therefore, in another embodiment of the present invention, it is possible to provide another technical idea to perform identity verification even when the user does not answer the phone. To this end, when the mobile terminal 220 does not answer a call or rejects a call connection during a preset timeout period, the call connection module 120 may transmit a callback message to the mobile phone number. have. Then, the user may select a callback message transmitted to the user terminal 210 when the situation in which the user is to perform authentication is performed. The call back message may include a phone number (ie, caller ID) of the ARS included in or connected to the identity authentication system 100. Therefore, when the user selects the callback message, a phone call may be connected to the ARS.

On the other hand, the phone call module 120 may transmit the call back message to the mobile phone number if the phone call is not connected after attempting to connect the phone call to the mobile phone number. Authentication can also be performed using a back message.

On the other hand, the phone call module 120 may transmit the calling number of the user authentication system 100 to the user terminal 210 before connecting the phone call with the mobile terminal 220. In this case, the user terminal 210 may display the received calling number, so that it is possible to recognize that the subject who wants to connect the ARS call later is the identity authentication system 100.

The voice signal receiving module 125 may receive a first voice signal from the mobile terminal 220 through the phone call. That is, the user can utter a voice for expressing a specific point in time when a phone call is connected between his mobile terminal 220 and the user authentication system 100. Then, the voice signal receiving module 125 may receive a voice signal (first voice signal) corresponding to the voice uttered by the user.

Meanwhile, the viewpoint recognition module 130 may perform voice recognition on the first voice signal and determine a time point expressed through the first voice signal. The voice analysis module 160 may voice-analyze the first voice signal to determine whether the first voice signal is spoken by the user. The user authentication system 100 may store in advance the vocabulary model information or acoustic model information necessary for the viewpoint recognition module 130 to perform voice recognition in the DB 180. Depending on the embodiment, the voice recognition rate may be increased by separately managing acoustic model information for each user. There is no limitation on the speech recognition technology required to implement the present invention, and a detailed description of the known technology for speech recognition will be omitted. In addition, the user authentication system 100 may pre-store information required for the voiceprint analysis module 160 to perform voiceprint analysis, that is, the user's voiceprint information in the DB 180. Since human voice is a complex wave in which various frequency components are mixed, the user's voice information can be grasped by frequency analysis of the user's voice. The voiceprint information may include various acoustic parameters such as resonance frequency, frequency-specific intensity, vocal cord vibration type due to vibration of the vocal cord, and sound height. In one embodiment, the voiceprint analysis module 160 may analyze voice signals received from the mobile terminal 220 to extract voiceprint information, and compare it with previously stored voiceprint information of the user to perform voiceprint analysis.

Meanwhile, the voice signal receiving module 125 may guide a voice to be spoken by the user through the telephone call before receiving the first voice signal. In one embodiment, the voice signal receiving module 125 may guide a specific reference point (for example, a request point of a user authentication request) in the form of voice by the point-in-time module 115. For example, the voice signal receiving module 125 may guide "If you agree, please say June 29, 09:10, 2018", and the user who heard the guidance on the phone "June 29, 2018 It is said to be ignited "09:10 a day." Then, the voice signal receiving module 125 can receive it, and the point-of-view recognition module 130 can recognize the point of time expressed by the user, 'June 29, 2018 09:10'.

Meanwhile, the one-time authentication information module 150 may allow one-time authentication information corresponding to the identity authentication request to be transmitted to the user terminal 210.

In one embodiment, the one-time authentication information module 150 may request to issue a one-time authentication information to a predetermined authentication server 300. The authentication server 300 may be, for example, a card company system or a mobile communication system. The authentication server 300 may issue one-time authentication information in response to the issuance request. The authentication server 300 may directly transmit the issued authentication information to the user terminal 210. Depending on the implementation example, the authentication server 300 may transmit the issued authentication information to the user authentication system 100 so that the one-time authentication information module 150 delivers it to the user terminal 210. In the latter case, the user authentication system 100 may temporarily store the one-time authentication information, and use this to verify the passcode to be received from the mobile terminal 220.

The passcode receiving module 155 may request input of a passcode through a connected telephone call, and may receive a passcode from the mobile terminal 220. The passcode received from the mobile terminal 220 by the passcode receiving module 155 may be transmitted as a second voice signal in the form of voice. In this case, the passcode receiving module 155 performs voice recognition. Through this, a pass code can be recognized from the second audio signal. Also, the voice analysis module 160 may voice-analyze the second voice signal to determine whether the second voice signal is spoken by the user.

Alternatively, in another embodiment, the passcode receiving module 155 may receive a DTMF signal corresponding to the passcode through the telephone call.

According to an embodiment, the passcode may be set in advance and may correspond to authentication information (for example, personal information such as a date of birth) stored in the DB 180 and / or one-time authentication information described above.

In one embodiment, the password may be divided into two parts (first password and second password). In this case, the first password may be a part corresponding to authentication information stored in the DB 180 which is previously set, and the second password may be a part corresponding to the one-time authentication information described above.

At least some of the passcode information that the passcode receiving module 155 receives from the mobile terminal 220 may be a voice signal. Depending on the embodiment, in particular, the second password corresponding to the one-time authentication information among the passcode information may be a voice signal.

The control module 140 may perform identity authentication using the information received from the mobile terminal 220.

In one embodiment, the control module 140 compares the reference point specified by the point-in-time module 115 (for example, the request point of the user authentication request) with the point-in-time expressed through the first voice signal. You can decide whether or not your authentication is successful. More specifically, the control module 140 determines that the user authentication is successful when the request time of the user authentication request and the time point expressed through the first voice signal received by the voice signal receiving module 125 match. You can. Alternatively, if the difference between the reference time point and the time point expressed through the first voice signal is within a predetermined period, it may be determined that the user authentication is successful.

In another embodiment, the control module 140 corresponds to a portion (for example, the passcode described above) corresponding to the one-time authentication information among the information received from the mobile terminal 220 and the one-time authentication information match each other. You can check whether or not. According to an embodiment, the control module 140 transmits the pass code to the authentication server 300 that issued the one-time authentication information, so that the authentication server 300 matches the pass code and the one-time authentication information. You can make a judgment. If the user authentication system 100 stores the one-time authentication information, the control module 140 may directly determine whether the passcode matches the one-time authentication information.

According to an embodiment, the control module 140 may determine whether the authentication is successful by considering whether the reference point coincides with the time point expressed in the first voice signal and whether the one-time authentication information and the passcode match.

Of course, according to an embodiment, the control module 140 further determines whether the part corresponding to the authentication information previously stored in the DB 180 and the previously stored authentication information match among the information received from the mobile terminal 220. I can judge.

Also, according to an embodiment, the control module 140 may improve the security level by further considering the comparison result of the voice analysis module 160.

Meanwhile, the control module 140 may additionally authenticate the user to the user using predetermined personal information. The personal information for the user may include a mobile phone number, resident number, date of birth, credit card number, address, etc. for the user, and such personal information is the identity authentication request transmitted by the user terminal 210 And / or identification information transmitted by the mobile terminal 220. The control module 140 may perform additional identity authentication by transmitting the received personal information to a predetermined authentication server (for example, 300) to request identity authentication for the user.

When the user is authenticated by the above-described method, the control module 140 may allow the requested service to be provided through the user terminal 210. For example, when the user requests authentication for the user to use internet banking, the control module 140 may provide an initial procedure for starting internet banking to the user terminal 210. Of course, if the authentication of the user fails, the control module 140 may transmit a predetermined guide message, and may prevent the user terminal 210 from being provided with a service.

Meanwhile, the recording module 165 may record at least a portion of the first audio signal. Preferably, the recording module 165 may record at least a portion of the first voice signal including a portion in which a viewpoint is expressed.

The bio-signature generating module 170 may generate bio-signature information by encrypting a recording voice that is at least a part of the recorded first voice signal.

The bio-signature generation module 170 may bi-directionally encode the recording sound, or in one-way encryption (eg, hashing) depending on the embodiment.

The bio signature information generated by the bio signature generation module 170 may be stored in the DB 180 and used for post verification. The bio-signature information may be stored together with identification information for identifying the identity authentication request and / or the request time of the identity authentication request. On the other hand, as described above, since the first voice information used for authentication is transmitted through a phone call with the mobile terminal 220, a call record according to the phone call connection may remain in the mobile communication service provider system. By doing so, it can be a more complete post-proof. Upon post-evidence, the voice analysis module 160 may perform speaker recognition of the bio signature information.

In another embodiment, the bio-signature generation module 170 may generate bio-signature information by encrypting the recording voice along with information on the request time of the identity authentication request.

Meanwhile, the identity authentication request may be an authentication request for identity verification of a predetermined electronic document. In this case, the electronic signature module 175 may use the bio signature information as an electronic signature value for the electronic document. In one embodiment, the electronic signature module 175 converts the bio signature information into an image form to generate image signature information, and combines the image signature information with the electronic document to combine the bio signature information with the electronic document. Can be used as the digital signature value for.

Methods for converting the bio-signature information into an image may be various. In one embodiment, the digital signature module 175 may attach a header of an image format such as a bmp header or a jpg header to the bio signature information to convert it into an image format, but there may be various other conversion methods.

Hereinafter, a method of authenticating a user according to an embodiment of the present invention will be described with reference to FIG. 5 with reference to FIG. 4.

4 is a view for explaining the flow of the user authentication method according to an embodiment of the present invention.

Referring to FIG. 4, a user may transmit his / her own authentication request to the user authentication system 100 using his / her user terminal 210 (S100). The personal authentication request may include a mobile phone number, and according to an embodiment, at least a part of the user's personal information may be included.

Meanwhile, in order to receive the user authentication request from the user terminal 210, a UI as shown in FIG. 5 may be displayed on the user terminal 210. FIG. 5 is a diagram illustrating an example of a user authentication request UI provided to a user terminal to implement a user authentication method according to an embodiment of the present invention. Referring to FIG. 5, a user may use a predetermined service (for example, , Online payment), a UI 10 as shown in FIG. 5 may be provided to the user terminal 210. When the user authentication request is made, the user may input a mobile phone number (for example, a mobile phone number) through a predetermined input UI 11 included in the UI 10. Depending on the implementation example, payment information (for example, credit card information, payment amount, etc.) may be input using the payment information input UI 13 for inputting payment information, and the inputted information is sent to the user authentication request. It can be included and transmitted to the identity authentication system 100.

Referring back to FIG. 4, the user authentication system 100 may specify a predetermined reference time point T ₁ (S110). At this time, the reference point may be a request point of the identity authentication request.

In addition, the identity authentication system 100 may allow one-time authentication information (OTP) corresponding to the identity authentication request to be issued (S120). The user authentication system 100 may directly issue one-time authentication information, but may request to issue a one-time authentication information to a predetermined authentication server (for example, the card company system 300) so that the one-time authentication information can be issued. have. Then, the card company system 300 may issue one-time authentication information (OTP). The one-time authentication information (OTP), along with authentication information previously stored in the identity authentication system 100, may be used to perform identity authentication for the user later.

The user authentication system 100 may transmit the issued one-time authentication information (OTP) to the user terminal 210 (S130), and output the one-time authentication information (OTP) received by the user terminal 210. Yes (S140).

Unlike in FIG. 4, when the card company system 300 issues one-time authentication information, the card company system 300 transmits the one-time authentication information issued to the user terminal 210, and the user authentication system 100 It can be notified that one-time authentication information has been issued.

Meanwhile, the user authentication system 100 may connect the user's mobile terminal 220 with a telephone call, and may guide the user to utter a reference time point and / or one-time authentication information through the connected telephone call (S160). . When the user utters the reference time point and the one-time authentication information according to the guidance, the first voice signal representing the reference time point and the second voice signal representing the one-time authentication information may be transmitted to the user authentication system 100 ( S170).

On the other hand, according to the embodiment, unlike in Figure 4, the one-time authentication information is a form of DTMF signal generated by an input through a real or virtual number pad provided in the mobile terminal 220, rather than spoken by the user. As it may be transmitted to the identity authentication system 100.

As described above, the identity authentication system 100 distinguishes a channel (eg, a data communication network such as wired / wireless Internet) from which authentication is requested and a channel (eg, a telephone network) for checking a password, thereby preventing information leakage from any one channel. Even if it happens, it can provide a system structure that can maintain security. In addition, when a password is received through ARS, there is a high possibility that information is not leaked through an attack in a data communication network, for example, a virus, a worm, or a malicious code. Also, in the case of a telephone call, it is very difficult to eavesdrop / tap, unlike a packet communication network. The identity authentication system 100 receives various information necessary for identity authentication through a telephone call having the above characteristics, thereby effectively preventing a vulnerability to man-in-the-middle attacks.

Meanwhile, at least a part of the audio signal (in particular, the first audio signal) may be recorded (S180).

In addition, the user authentication system 100 may determine whether the voice signal has been uttered by the user through voice analysis (S190), and perform voice recognition on the first voice signal to express it through the first voice signal. The determined time point T ₂ may be determined (S200). In addition, the user authentication system 100 may obtain a pass code (P) from the second voice signal (S210).

Thereafter, the identity authentication system 100 may perform identity authentication (S220).

In one embodiment, the user authentication system 100 may determine whether the user authentication is successful by comparing the request time point T ₁ of the request for the user authentication request and the time point T ₂ expressed through the first voice signal. have. In particular, the principal authentication system 100 includes a request time (T ₁₎ and said first point in time represented by the audio signal (T ₂₎ request time of the matched person or the authentication challenge (T ₁₎ of the identity authentication request And if the difference between the time point T ₂ expressed through the first audio signal is within a predetermined period (for example, 1 minute), it may be determined that the user authentication is successful.

As described above, according to the technical idea of the present invention, the user is allowed to utter the point in time at which the user requested authentication, and this is used for authentication in the user. It will no longer be valid later. Therefore, reuse can be prevented and even if others overhear.

On the other hand, in another embodiment, the user authentication system 100 further determines whether the passcode P obtained from the second voice signal and the one-time authentication information (OTP) previously issued match, and whether the user authentication is successful or not. Can decide. That is, when the request time (T1) of the user authentication request matches the time point (T2) expressed through the first voice signal and the pass code (P) and the one-time authentication information (OTP) match, the user authentication is successful. You can judge that.

The one-time authentication information is discarded immediately after the authentication process is finished so that it cannot be used for the next authentication.

In addition, the security level is improved by simultaneously using the method of performing the user authentication through the comparison between the time of requesting the user authentication and the time expressed by the user and / or the method of performing the user authentication using the one-time authentication information together with the voice analysis technique. There is an effect that can be significantly improved. That is, when the identification information necessary for the user authentication as described above is input as a voice signal, it can be guaranteed that the spoken voice information is not previously recorded. Accordingly, by confirming that the voice signal is uttered by a legitimate user through analysis of the voiceprint, it is possible to clearly ensure that the person who uttered the identity verification information (that is, the person who made the identity authentication request) is a legitimate user.

If it is determined that the user is a legitimate user by the user authentication system 100, the service requested by the user may be provided.

On the other hand, if the user authentication is successful, the user authentication system 100 may generate bio-signature information (S230), and if the user authentication request is an authentication request for identification of a predetermined electronic document, the bio-signature Electronic signature may be performed using information as an electronic signature value for the electronic document (S240).

As described above, in one embodiment of the present invention, when a certain period of time has elapsed from a specific time point (that is, a time point for requesting the user authentication), the point-in-time information and / or the one-time authentication information that is discarded after being used once are used for authentication. By using it, it is possible to prevent the vulnerability to replay attacks. In addition, since authentication is performed through a telephone call as described above, there is an effect of preventing a vulnerability to man-in-the-middle attacks. After all, according to the technical idea of the present invention, there is an effect that can be prevented from denying.

Meanwhile, according to an implementation example, the identity authentication system 100 may include a processor and a memory storing a program executed by the processor. The processor may include a single-core CPU or a multi-core CPU. The memory may include high-speed random access memory and may also include non-volatile memory, such as one or more magnetic disk storage devices, flash memory devices, or other non-volatile solid-state memory devices. Access to memory by the processor and other components can be controlled by a memory controller. Here, when the program is executed by a processor, the user authentication system 100 according to the present embodiment may cause the above-described user authentication method to be performed.

On the other hand, the user authentication method according to an embodiment of the present invention may be implemented in the form of a computer-readable program command and stored in a computer-readable recording medium, and a control program and a target program according to an embodiment of the present invention It may be stored in a computer-readable recording medium. The computer-readable recording medium includes any kind of recording device in which data readable by a computer system is stored.

The program instructions recorded on the recording medium may be specially designed and constructed for the present invention or may be known and usable by those skilled in the software art.

Examples of computer-readable recording media include magnetic media such as hard disks, floppy disks, and magnetic tapes, optical media such as CD-ROMs, DVDs, and floptical disks. Hardware devices specifically configured to store and execute program instructions, such as magneto-optical media and ROM, RAM, flash memory, and the like, are included. In addition, the above-described medium may be a transmission medium such as an optical or metal wire or a waveguide including a carrier wave that transmits a signal specifying a program command, data structure, or the like. The computer-readable recording medium can also be distributed over network coupled computer systems so that the computer readable code is stored and executed in a distributed fashion.

Examples of program instructions include machine language codes such as those produced by a compiler, as well as high-level language codes that can be executed by a device that processes information electronically using an interpreter or the like, for example, a computer.

The hardware device described above may be configured to operate as one or more software modules to perform the operation of the present invention, and vice versa.

The above description of the present invention is for illustration only, and those of ordinary skill in the art to which the present invention pertains can understand that it can be easily modified into other specific forms without changing the technical spirit or essential features of the present invention. will be. Therefore, it should be understood that the embodiments described above are illustrative in all respects and not restrictive. For example, each component described as a single type may be implemented in a distributed manner, and components described as distributed may be implemented in a combined form.

The scope of the present invention is indicated by the following claims rather than the above detailed description, and all changes or modifications derived from the meaning and scope of the claims and their equivalent concepts should be interpreted to be included in the scope of the present invention. .

The present invention can be used in "person authentication system and method".

Claims (20)

1. The user authentication system, receiving a user authentication request from the user's user terminal through a wired or wireless data communication network;

   Determining, by the user authentication system, a time point of the request for the user authentication request;

   Connecting, by the user authentication system, the mobile terminal of the user to a telephone call;

   The identity authentication system receiving a first voice signal from the mobile terminal through the phone call;

   The user authentication system performing voice recognition on the first voice signal and determining a time point expressed through the first voice signal; And

   And determining, by the user authentication system, whether the user authentication is successful by comparing the request time point of the user authentication request with a time point expressed through the first voice signal.
2. According to claim 1,

   In the step of determining whether or not the user authentication is successful, the user authentication system compares a request time point of the user authentication request with a time point expressed through the first voice signal.

   If the request time of the user authentication request matches the time point expressed through the first voice signal or the difference between the request time point of the user authentication request and the time point expressed through the first voice signal is within a predetermined period A method of authenticating yourself comprising determining that this is successful.
3. The method of claim 1, wherein the identity authentication method is:

   Allowing the user authentication system to transmit one-time authentication information corresponding to the user authentication request to the user terminal; And

   The identity authentication system further comprises the step of receiving a pass code through the phone call from the mobile terminal,

   The step of determining whether or not the user authentication is successful by comparing the time point of the request for the request for the user authentication with the time point expressed through the voice signal,

   And determining whether the authentication is successful by further determining whether the passcode received from the mobile terminal matches the one-time authentication information transmitted to the user terminal.
4. According to claim 3,

   The identity authentication system, receiving a pass code from the mobile terminal through the phone call,

   Receiving, by the user authentication system, a second voice signal through the telephone call; And

   And recognizing the pass code from the second voice signal through voice recognition by the user authentication system.
5. According to claim 3,

   The identity authentication system, receiving a pass code from the mobile terminal through the phone call,

   And the user authentication system receiving a DTMF signal corresponding to the passcode through the telephone call.
6. The method of claim 1, wherein the identity authentication method is:

   The identity authentication system further includes a step of analyzing the first voice signal by voice analysis to determine whether the first voice signal is spoken by the user,

   The step of determining whether or not the authentication of the user is successful by comparing the time of the request of the request of the user's authentication with the time expressed through the first voice signal,

   And comparing the time point of the request of the user authentication request with the time point expressed through the first voice signal judged to have been uttered by the user to determine whether or not the user authentication is successful.
7. The method of claim 1, wherein the identity authentication method is:

   Recording at least a portion of the first audio signal; And

   And generating bio-signature information by encrypting at least a portion of the recorded first voice signal.
8. The method of claim 7,

   The above authentication request,

   It is an authentication request for identification of a given electronic document.

   The above authentication method,

   And using the bio signature information as an electronic signature value for the electronic document.
9. The method of claim 8,

   Using the bio signature information as the digital signature value for the electronic document,

   Generating the image signature information by converting the bio signature information into an image format; And

   And combining the image signature information with the electronic document.
10. A computer-readable recording medium recording a program for performing the method according to claim 1.
11. As a user authentication system,

    Processor;

    Contains the memory that stores the program,

    When the program is executed by the processor, the user authentication system to cause the user authentication system to perform the method according to any one of claims 1 to 9.
12. A request receiving module for receiving a user authentication request from a user's user terminal through a wired or wireless data communication network;

    A time-specific module for specifying a time point of the request for the user authentication;

    A telephone call module connecting the user's mobile terminal with a telephone call;

    A voice signal receiving module that receives a first voice signal from the mobile terminal through the telephone call;

    A viewpoint recognition module that performs voice recognition on the first voice signal and determines a time point expressed through the first voice signal; And

    A user authentication system including a control module that determines whether or not the user authentication is successful by comparing the request time point of the user authentication request with a time point expressed through the first voice signal.
13. The method of claim 12,

    The control module,

    If the request time of the user authentication request matches the time point expressed through the first voice signal or the difference between the request time point of the user authentication request and the time point expressed through the first voice signal is within a predetermined period The identity verification system that determines this success.
14. The method of claim 12, wherein the identity authentication system,

    A one-time authentication information module that allows one-time authentication information corresponding to the user authentication request to be transmitted to the user terminal; And

    Further comprising a pass code receiving module for receiving a pass code from the mobile terminal through the phone call,

    The control module,

    A user authentication system that determines whether or not the user authentication is successful by further determining whether the passcode received from the mobile terminal matches the one-time authentication information transmitted to the user terminal.
15. The method of claim 14,

    The pass code receiving module,

    A user authentication system that receives a second voice signal through the telephone call and recognizes the passcode from the second voice signal through voice recognition.
16. The method of claim 14,

    The pass code receiving module,

    A user authentication system that receives a DTMF signal corresponding to the passcode through the phone call.
17. The method of claim 12, wherein the identity authentication system,

    The identity authentication system further includes a voice analysis module that analyzes the first voice signal to determine whether the first voice signal is spoken by the user,

    The control module,

    A user authentication system that determines whether or not authentication is successful by comparing the request time of the user authentication request with the time point expressed through the first voice signal determined to be spoken by the user.
18. The method of claim 12, wherein the identity authentication system,

    A recording module recording at least a portion of the first audio signal; And

    And a bio-signature generation module that generates bio-signature information by encrypting at least a portion of the recorded first voice signal.
19. The method of claim 18,

    The above authentication request,

    It is an authentication request for identification of a given electronic document.

    The identity authentication system,

    And an electronic signature module that uses the bio signature information as an electronic signature value for the electronic document.
20. The method of claim 19,

    The electronic signature module,

    A personal authentication system that converts the bio signature information into an image form to generate image signature information, and combines the image signature information with the electronic document.

Images