WO2023132059A1

WO2023132059A1 - System, server device, server device control method, and storage medium

Info

Publication number: WO2023132059A1
Application number: PCT/JP2022/000375
Authority: WO
Inventors: 雄亮佐藤
Original assignee: 日本電気株式会社
Priority date: 2022-01-07
Filing date: 2022-01-07
Publication date: 2023-07-13

Abstract

Provided is a system that maintains and improves the quality of services provided from an information distribution system. This system comprises a first server device and a second server device. The first server device stores a first ID necessary to provide a first service to a user who has logged into a first account, and accumulates data relating to the first service provided to the user. The second server device controls the distribution of the accumulated data for a user who has logged into a second account. The second server device associates the first ID, which is managed using the first account, with a second ID, which is managed using the second account. Then, when a user logs into the first account, the second server device requests that the user perform the same procedure as that for logging into the second account.

Description

SYSTEM, SERVER DEVICE, CONTROL METHOD FOR SERVER DEVICE, AND STORAGE MEDIUM

The present invention relates to a system, a server device, a server device control method, and a storage medium.

There are information distribution systems that provide personal information held by hospitals, etc., to the equipment of information recipients, such as businesses, based on the individual's consent. Such a system includes, for example, an information transaction device managed by an information bank or the like, an information provider device managed by an information provider company, an information provider device managed by an information provider, and the like. The information trading device stores the personal information acquired from the information providing source device. The information trading device transmits the personal information desired by the utilization business operator or the like from among the stored personal information to the information providing destination device.

For example, Patent Document 1 describes providing an information management system, an information management method, and an information management program for conducting transactions using a user's personal information. The information management server of Patent Document 1 includes a registrant information storage unit that stores personal information of registrants, a provision history storage unit that stores a provision history of personal information, and a control unit that is connected to a purchaser terminal. Prepare. The control unit acquires information acquisition conditions from the purchaser terminal, and extracts personal information from the registrant information storage unit based on the information acquisition conditions. The control section provides the extracted personal information to the purchaser terminal, and records the provision history of the personal information in the provision history storage section. The control unit collects the provision fee based on the provision history recorded in the provision history storage unit, and returns the consideration to the registrant who provided the personal information based on the provision fee.

In addition, various technological developments related to user authentication are underway.

For example, Patent Document 2 states that an authentication technology using an IC tag with higher security is provided. The authentication system of Patent Literature 2 includes at least one information terminal and at least one server. The authentication system includes a reader, an acquirer, a decrypter, a verifyer, a first authenticator, and a verifyer. Using one or more PINs, the reading unit reads the personal information from the IC card containing the personal information including the facial image of the rightful owner of the IC card and the electronic signature generated based on the personal information and the private key. Read information and electronic signatures. The acquisition unit acquires imaging data in which the subject's face is captured. The decryption unit decrypts the electronic signature using the public key corresponding to the private key. A verification unit verifies the validity of the personal information based on the decrypted electronic signature and the personal information. The first authentication unit performs face authentication using the imaging data and the face image included in the personal information. The verification unit verifies the identity of the target person based on the verification result of the validity of the personal information and the result of the face authentication.

Patent Document 3 states that it provides an authentication system, an authentication server, a business operator server, and a user terminal that can appropriately determine the combination of authentication methods according to the service. The user terminal of Patent Document 3 includes an authentication requesting unit that requests services, and an authentication information transmitting unit that transmits authentication information for each authentication method. The provider server includes a service point management unit that manages service points that indicate the security of authentication required by services. The authentication server includes an authentication point management section, an authentication method determination section, and an authentication processing section. The authentication point management unit manages authentication points indicating security obtained by combining authentication methods. The authentication method determination unit preferentially determines a combination with a small difference between the authentication points and the service points, among the combinations of the authentication methods whose authentication points are equal to or greater than the service points. The authentication processing unit receives authentication information and performs authentication processing for each of the determined combinations of authentication methods.

Patent Document 4 states that it provides a network system that can identify the same user between user management systems with different methods. The network system of Patent Document 4 includes first and second user management systems and a gateway server. The first user management system manages ID information in a first ID federation information table. The second user management system manages the first and second intermediary ID information in the second ID federation information table. The gateway server associates the ID information with the second intermediation ID information and manages them in the third ID cooperation information table. When there is a login request to the other user management system via one of the user management systems, the gateway server retrieves the notified ID information or the second intermediary ID information from the third ID federation information table. 2 intermediary ID information or ID information. The gateway server outputs the detected information to the other user management system.

JP 2019-128648 A JP 2019-050014 A JP 2017-072979 A JP 2013-114622 A

The information distribution system can provide advanced services by collecting personal data held by service providers (service providers, data holders). At that time, the data provided by the service providing organization must have a certain level of reliability. This is because the use of unreliable data (data provided by a service providing organization with low security level and low identity verification capability) degrades the overall quality of services provided by the information distribution system.

This problem cannot be solved by applying the techniques disclosed in Patent Documents 1 to 4 above. This is particularly because Patent Documents 3 and 4 merely disclose techniques related to user authentication and identification.

The main object of the present invention is to provide a system, a server device, a server device control method, and a storage medium that contribute to maintaining and improving the quality of services provided by an information distribution system.

According to a first aspect of the present invention, a first ID required to provide a first service to a user logged in to a first account is stored, and a first ID provided to the user is stored. a first server device for accumulating service-related data; and a second server device for controlling data distribution of the accumulated data for the user who has logged in to a second account; 2, after the first ID managed by the first account and the second ID managed by the second account are associated with each other, the user can access the first account A system is provided that requires the user to follow the same procedure for logging into the second account when logging into the.

According to a second aspect of the present invention, a first ID required to provide a first service to a user logged in to a first account is stored, and a first ID provided to the user is stored. a communication control unit for accumulating service-related data and communicating with a server; a data distribution control unit for controlling data distribution of the accumulated data for the user who has logged in to a second account; an ID cooperation management unit that associates the first ID managed by the account with the second ID managed by the second account; after the first ID and the second ID are associated a login management unit that requests the user to perform the same procedure as logging in to the second account when the user logs in to the first account. .

According to a third aspect of the present invention, a first ID required to provide a first service to a user logged in to a first account is stored, and a first ID provided to the user is stored. In a server device that accumulates service-related data and communicates with a server, for said user who has logged in to a second account, data circulation of said accumulated data is controlled, and said first account is managed by said first account. 1 ID and a second ID managed by the second account are associated, and after the first ID and the second ID are associated, the user is associated with the first account A method for controlling a server device is provided, which requests the user to perform the same procedure as the procedure for logging into the second account when logging in.

According to a fourth aspect of the present invention, a first ID required to provide a first service to a user logged in to a first account is stored, and a first ID provided to the user is stored. a process for accumulating service-related data, communicating with a server, and controlling data distribution of the accumulated data for the user who has logged in to a second account in a computer mounted on the server device; A process of associating a first ID managed by the account of and a second ID managed by the second account, and after the first ID and the second ID are associated, the use a computer-readable storage medium for storing a program for executing a process of requesting the user to perform the same procedure as logging in to the second account when the user logs in to the first account; is provided.

Each aspect of the present invention provides a system, a server device, a server device control method, and a storage medium that contribute to maintaining and improving the quality of services provided by an information distribution system. In addition, the effect of this invention is not limited above. Other effects may be achieved by the present invention instead of or in addition to this effect.

FIG. 1 is a diagram for explaining an overview of one embodiment. FIG. 2 is a flow chart illustrating an example of the operation of one embodiment. FIG. 3 is a diagram showing an example of a schematic configuration of an information distribution system according to the first embodiment. FIG. 4 is a diagram for explaining the operation of the information distribution system according to the first embodiment. FIG. 5 is a diagram for explaining the operation of the information distribution system according to the first embodiment. FIG. 6 is a diagram for explaining the operation of the information distribution system according to the first embodiment. FIG. 7 is a diagram for explaining the operation of the information distribution system according to the first embodiment. FIG. 8 is a diagram for explaining the operation of the information distribution system according to the first embodiment. 9 is a diagram illustrating an example of a processing configuration of a portal server according to the first embodiment; FIG. FIG. 10 is a diagram illustrating an example of display on a terminal according to the first embodiment; FIG. 11 is a diagram illustrating an example of display on a terminal according to the first embodiment; FIG. 12 is a diagram illustrating an example of display on the terminal according to the first embodiment; 13 is a diagram illustrating an example of a processing configuration of a distribution control server according to the first embodiment; FIG. FIG. 14 is a diagram illustrating an example of a user information database according to the first embodiment; FIG. 15 is a diagram showing an example of part of the user information database according to the first embodiment. 16 is a flowchart illustrating an example of the operation of the ID federation management unit according to the first embodiment; FIG. 17 is a flowchart illustrating an example of the operation of the ID federation management unit according to the first embodiment; FIG. FIG. 18 is a diagram showing an example of a location information database according to the first embodiment. 19 is a diagram illustrating an example of a processing configuration of a service server according to the first embodiment; FIG. FIG. 20 is a diagram illustrating an example of display on the terminal according to the first embodiment; FIG. 21 is a diagram showing an example of a customer information database according to the first embodiment. 22 is a sequence diagram illustrating an example of the operation of the information distribution system according to the first embodiment; FIG. FIG. 23 is a diagram for explaining ID federation according to the first embodiment. FIG. 24 is a diagram showing an example of a schematic configuration of an information distribution system according to the second embodiment. 25 is a diagram illustrating an example of a processing configuration of a hospital terminal according to the second embodiment; FIG. 26 is a diagram illustrating an example of a processing configuration of a service server according to the second embodiment; FIG. FIG. 27 is a diagram for explaining the operation of the information distribution system according to the second embodiment. FIG. 28 is a diagram for explaining the operation of the information distribution system according to the second embodiment. 29A and 29B are diagrams showing examples of displays on the hospital terminal according to the second embodiment. FIG. 30 is a diagram illustrating an example of a hardware configuration of a distribution control server according to the disclosure of the present application. FIG. 31 is a diagram illustrating an example of a schematic configuration of an information distribution system according to a modification of the disclosure of the present application.

First, an outline of one embodiment will be described. It should be noted that the drawing reference numerals added to this outline are added to each element for convenience as an example to aid understanding, and the description of this outline does not intend any limitation. Also, unless otherwise specified, the blocks depicted in each drawing represent the configuration of each function rather than the configuration of each hardware unit. Connecting lines between blocks in each figure include both bi-directional and uni-directional. The unidirectional arrows schematically show the flow of main signals (data) and do not exclude bidirectionality. In addition, in the present specification and drawings, elements that can be described in the same manner can be omitted from redundant description by assigning the same reference numerals.

A system according to one embodiment includes a first server device 101 and a second server device 102 (see FIG. 1). The first server device 101 stores a first ID required to provide a first service to a user who has logged in to a first account, and stores data regarding the first service provided to the user. accumulate. The second server device 102 controls data distribution of accumulated data for users who have logged in to the second account. The second server device 102 associates the first ID managed by the first account with the second ID managed by the second account (associate the IDs; step S1 in FIG. 2). After that, when the user logs into the first account, the second server device 102 requests the user to perform the same procedure as the procedure for logging into the second account (request for login procedure; step S2).

The procedure or method for logging into the first account of the first server device 101 may have a low security level (authentication strength) or a low identity verification level. Even in such a case, after the first ID of the first account is registered in the system (associated with the second ID), the second server device 102 registers the second account. Require the user to follow the same procedure as when logging in. That is, if multi-factor authentication combining ID authentication, biometric authentication, etc. is required when logging in to the second account, the second server device 102 also performs multi-factor authentication when logging in to the first account. perform authentication. That is, even if the system includes a service provider that employs a method with a low security level when authenticating a user, the system (the second server device 102) sets the security level instead of the service provider. The user is authenticated by a method with a high . As a result, the identities of users to whom services are provided by service providers with low security levels, etc., are more reliably guaranteed, and the reliability of data accumulated by the service providers is also improved. Since the information distribution system uses data whose reliability is guaranteed, it is possible to improve or maintain the service provided.

Specific embodiments will be described in more detail below with reference to the drawings.

[First embodiment]
The first embodiment will be described in more detail with reference to the drawings.

[System configuration]
FIG. 3 is a diagram showing an example of a schematic configuration of an information distribution system according to the first embodiment. As shown in FIG. 3, the participating members (actors) of the information distribution system include information distributors and service providers.

An information distribution business is the entity that provides services related to data distribution (information distribution service). The information distributor includes a portal server 10 and a distribution control server 20. FIG.

The portal server 10 is a server device that provides a portal site that serves as an interface for users of information distribution services. A user accesses the portal server 10 when using the information distribution service.

The distribution control server 20 is a server device that controls (realizes) data distribution between service providers. The distribution control server 20 is a device that realizes data distribution of data accumulated in service providers.

A service provider is an entity that provides services to individuals. The service provider may be a private business operator or a public institution. Examples of service providers include medical institutions (hospitals, pharmacies, etc.) that provide medical services to users, retailers, and healthcare providers that provide health services to customers.

Each service provider has a service server 30 for providing services to customers. The service server 30 is managed and operated by a service provider. The service server 30 accumulates data generated by the service provider providing the service to the user and data necessary for providing the service to the user (accumulates user data). That is, the service server 30 accumulates data regarding services provided to users.

A user who uses the information distribution system uses a terminal 40.

Each device shown in FIG. 3 is interconnected via a network. For example, the distribution control server 20 and the service server 30 are connected by wired or wireless communication means, and are configured to be able to communicate with each other.

The configuration shown in FIG. 3 is an example, and is not intended to limit the configuration of the information distribution system disclosed in the present application. For example, an information distributor may include two or more distribution control servers 20 .

[Overview of system operation]
Next, an outline of the operation of the information distribution system according to the first embodiment will be described.

In the first embodiment, as examples of service providers, a healthcare provider that provides health advice to users and an EC (Electronic Commerce) provider that sells products on the Internet will be explained. I do.

As shown in FIG. 3, the healthcare provider has a service server 30-1, and the EC provider has a service server 30-2. Further, in the following description, the service servers 30-1 and 30-2 are simply referred to as "service server 30" unless there is a special reason to distinguish them.

In order to receive services from the healthcare provider, the user must log in to the account (first account) managed by the service server 30-1. Specifically, the user logs into the account by providing the ID and password to the service server 30-1. Also, when a healthcare provider creates an account, identity verification is not performed.

The service server 30-1 (first server device) stores an ID (first ID; membership number, etc.) necessary for providing the first service (health advice) to the user logged in to the account. Remember. The service server 30-1 also accumulates data (eg, exercise time, etc.) regarding services provided to users.

We will omit explanations about specific services provided by healthcare providers and e-commerce providers. A healthcare provider collects (accumulates) user's diet-related information and exercise-related data, and provides advice, etc. based on the accumulated data. EC businesses provide commercial transaction services (online shopping) on networks.

"Sharing" and "providing" exist as means of data distribution in an information distribution system. The distribution control server 20 (second server device) controls data distribution of data accumulated by a user who has logged into an account (second account).

"Sharing" is a means for service providers to acquire data accumulated by other service providers. For example, data circulation by “sharing” is used when an EC business acquires data generated by a healthcare business providing a service to a user.

"Sharing" is used to improve the convenience of service users themselves, so in principle there is no compensation for data distribution. In other words, "sharing" is used to utilize data accumulated by other service providers in order for users to receive better services from service providers.

"Provision" is a means for data utilization business operators to acquire data accumulated by other service business operators. For example, when a pharmaceutical company obtains the results of medical checkups and medical examinations from medical institutions, data distribution by "providing" is used.

"Providing" is a means used by data utilization businesses that do not directly provide services to users, so in principle there is a consideration for data distribution. That is, "provide" is used for the user to receive consideration from the data utilization business operator.

Regarding the means of distributing accumulated data, in the first embodiment, "sharing" will be described as an example. However, it is natural that accumulated data can be subject to data distribution by "providing".

<Create system account>
Users of the information distribution system must register in advance (user registration, system registration). More specifically, the user accesses the portal server 10 and performs procedures for creating an account. In the following description, the account created in the information distribution system will be referred to as "system account".

In order to create a system account, the user accesses the portal server 10 by operating the terminal 40 possessed by the user. In response to access from the terminal 40, the portal server 10 displays a WEB page for creating a system account.

The user performs an operation (for example, pressing a predetermined button) to create a system account, and requests the portal server 10 to create a system account (see FIG. 4). The portal server 10 acquires information necessary for creating a user's system account. Specifically, the portal server 10 stores the user's login information (login ID, password), personal information (name, date of birth, etc.), biometric information (e.g., face image), identification documents, etc. (driver's license, etc.). etc.).

The portal server 10 sends an "account creation request" including the acquired login information, personal information, biometric information, identification documents, etc. to the distribution control server 20 (step S01).

The distribution control server 20 performs identity verification using the biometric information included in the account creation request and the biometric information described in the identity verification document. When the distribution control server 20 succeeds in identity verification, it creates a system account for the user. At that time, the distribution control server 20 generates a user ID (Identifier) for uniquely identifying the user in the information distribution system.

The distribution control server 20 associates and stores the generated user ID, login information, personal information (name, date of birth, contact information, etc.), biometric information, and the like. The distribution control server 20 stores this information in the "user information database". Details of the user information database will be described later.

The distribution control server 20 transmits the generated user ID to the portal server 10 (step S02). The portal server 10 issues the user ID obtained from the distribution control server 20 to the user (terminal 40) (step S03). The terminal 40 stores the issued user ID.

<Create service account>
In order to receive services from a service provider, the user needs to create an account with the service provider. More specifically, the user accesses the service server 30 managed by the service provider and performs user registration for creating an account. In the following description, the account generated by the service provider is referred to as "service account".

In order to create a service account, the user operates the terminal 40 they possess to access the target service server 30 . For example, a user who wants to receive services from a healthcare provider accesses the service server 30-1. In response to the access from the terminal 40, the service server 30 displays a WEB page for creating a service account.

When the user performs an operation (for example, pressing a predetermined button) for creating a service account, the service server 30 acquires the information necessary for creating the user's service account. Specifically, the service server 30 acquires the user's login information (login ID, password), personal information (name, date of birth, etc.) and the like.

The service server 30 creates a service account for the user. The service server 30 generates identification information (ID, code) for identifying the user in its own company (service provider). In the following description, the identification information generated by the service provider will be referred to as "personal identification ID". For example, a membership number, a patient registration card number, etc. correspond to the personal identification ID (personal identification code).

The service server 30 associates and stores the user's login information, personal information, and personal identification ID. The service server 30 stores this information in the "customer information database". Details of the customer information database will be described later.

The service server 30 issues the generated personal identification ID to the user (terminal 40). The terminal 40 stores the issued personal identification ID.

<Login to system account>
In order to use the information distribution service, the user needs to log in to the system account. For example, the user requests the portal server 10 to log in to the system account by pressing a "login" button displayed on the portal site (see FIG. 5).

When the user requests login, the portal server 10 redirects the user's login request to the distribution control server 20 (authentication redirect). Specifically, the portal server 10 transmits an "authentication request" to the distribution control server 20 (step S11).

Here, the information distribution system adopts multi-factor authentication for user authentication. Specifically, the distribution control server 20 and the terminal 40 execute multi-factor authentication by transmitting and receiving different types of authentication information (step S12).

For example, the terminal 40 transmits login information (ID, password) to the distribution control server 20 as authentication information. When the distribution control server 20 succeeds in ID authentication (password authentication), the distribution control server 20 requests the terminal 40 to provide authentication information related to biometric information. The terminal 40 acquires the biometric information of the user and transmits the biometric information to the distribution control server 20 as the second stage authentication information. The distribution control server 20 executes biometric authentication using biometric information.

The distribution control server 20 transmits the authentication result (authentication result by multi-factor authentication) to the portal server 10 (step S13). At that time, if the authentication is successful, the distribution control server 20 notifies the portal server 10 of the user ID of the user.

The portal server 10 determines that the user corresponding to the notified user ID is the target of service provision. After successfully logging into the system account, the user can change the settings for using the information distribution system on the portal site.

<Login to service account>
A detailed description of logging in to a service account is omitted. The terminal 40 of the user and the service server 30 may authenticate the user using a predetermined ID and password.

<ID cooperation>
In order to distribute the data (user data) accumulated in the service server 30, the user needs to link the ID of the system account (user ID) and the ID of the service account (personal identification ID). be. For example, in order to distribute data accumulated in a healthcare provider, the user must link (link) the user ID of the information distribution system and the personal identification ID issued by the healthcare provider. )There is a need to.

In the following description, linking (associating) the user ID of the system account and the personal identification ID of the service account is referred to as "ID linking".

　In order to realize ID federation, the user logs into the system account. When login is successful, the user performs procedures for ID linkage on the portal site (see FIG. 6). Specifically, the user operates the terminal 40 and presses a predetermined button to request the portal server 10 to issue a "linkage code".

Note that the linkage code is information (data) for realizing ID linkage. More specifically, the linkage code is a token with an expiration date that is associated with the system account (personal information such as name and personal identification information such as biometric information) of the user who desires ID linkage.

Upon receiving an operation for issuing a cooperation code, the portal server 10 transmits a "request for issuance of a cooperation code" to the distribution control server 20 (step S21).

Upon receiving the request for issuing the cooperation code, the distribution control server 20 generates a cooperation code. The distribution control server 20 stores the generated cooperation code in the user information database.

The distribution control server 20 transmits the generated cooperation code to the portal server 10 (step S22). The portal server 10 transmits the received cooperation code to the terminal 40 (step S23). The terminal 40 stores the received cooperation code and manages the cooperation code so that the user can view it.

After obtaining the link code, the user logs in to the service account of the service provider who wishes to link the ID. The user performs procedures for ID linkage on the website provided by the service provider. For example, the user operates the terminal 40 and presses a predetermined button to request the ID federation to the service server 30 (see FIG. 7).

When the user presses a predetermined button, the service server 30 acquires a cooperation code from the user (step S31).

After obtaining the linkage code, the service server 30 requests the distribution control server 20 to perform ID linkage. Specifically, the service server 30 transmits to the distribution control server 20 an "ID cooperation request" including the obtained cooperation code, the personal identification ID of the user logged in to the service account, and the business operator code (step S32). ).

It should be noted that the business operator code is identification information (ID) for identifying the service business operator participating in the information distribution system. For example, different codes are assigned to a healthcare provider (service server 30-1) and an EC provider (service server 30-2).

The business code is shared among system participants (information distributors, service providers) by any means. For example, when a service provider participates in an information distribution system, the information distribution provider generates a provider code to be assigned to the service provider. The information distributor notifies the service provider of the generated provider code.

Upon receiving the ID federation request, the distribution control server 20 searches the user information database using the federation code included in the ID federation request as a key to identify the corresponding user.

After that, the distribution control server 20 requests the terminal 40 possessed by the specified user to provide the biometric information. Specifically, the distribution control server 20 transmits a "biological information provision request" to the terminal 40 (step S33).

Upon receiving the biometric information provision request, the terminal 40 displays a GUI or the like for acquiring the user's biometric information (eg, face image). The terminal 40 transmits the acquired biometric information (face image) to the distribution control server 20 (step S34).

The distribution control server 20 executes biometric authentication (one-to-one authentication) using the user's biometric information (face image) specified using the cooperation code and the biometric information provided from the terminal 40. In other words, the distribution control server 20 confirms the identity of the user requesting ID federation by biometric authentication.

When the biometric authentication is successful, the distribution control server 20 executes ID federation. Specifically, the distribution control server 20 identifies the service provider from the provider code included in the ID cooperation request, and stores the personal identification ID of the identified service provider in the user information database. That is, the distribution control server 20 associates the user ID of the system account with the personal identification ID and registers them in the user information database.

For example, consider a user who is assigned a user ID of "#10" in the system account and a personal identification ID of "#100" in the service account. By the user performing ID linkage, two IDs (#10 and #100) are registered in the system as IDs of the same person.

The distribution control server 20 notifies the service server 30 of the result of the ID cooperation processing. The distribution control server 20 transmits a response (positive response, negative response) to the ID cooperation request to the service server 30 (step S35).

The service server 30 notifies the user of the result of the ID linkage processing.

<Login to service account after ID linkage>
The user logs into the service server 30 via the distribution control server 20 when receiving a service from the service provider with whom the ID linkage has been completed. That is, the user logs into the service server 30 by so-called SSO (Single Sign On).

Specifically, the user operates the terminal 40 to access the service server 30 . When the user performs a login procedure on the WEB page provided by the service server 30 , the service server 30 transmits an authentication redirect to the distribution control server 20 . Specifically, the service server 30 transmits an authentication request to the distribution control server 20 . At that time, the service server 30 transmits to the distribution control server 20 the business code of the service provider that operates the service server 30 and the address of the terminal 40 .

When the distribution control server 20 receives an authentication request (authentication redirect), it requests the user to perform the same procedure as when the user logs into the system account. Specifically, the distribution control server 20 performs multi-factor authentication using different types of authentication information.

When the multi-factor authentication succeeds, the distribution control server 20 reads from the user information database the personal identification ID corresponding to the business operator code included in the authentication request among the personal identification IDs of the user specified by the authentication process.

The distribution control server 20 notifies the service server 30, which is the source of the authentication request, of the read personal identification ID. Having acquired the personal identification ID, the service server 30 determines that the user of the personal identification ID has logged in.

In this way, the distribution control server 20 associates the personal identification ID managed by the service account with the user ID managed by the system account (performs ID cooperation). After the IDs are linked, the distribution control server 20 requests the user to perform the same procedure as the procedure for logging in to the system account when the user logs in to the service account.

The portal server 10 (third server device) also accepts a user's login request to the system account and requests the distribution control server 20 to authenticate the user. The distribution control server 20 executes multi-factor authentication for the user and notifies the portal server 10 of the multi-factor authentication result.

<Accumulation of data and transmission of location information>
Service providers accumulate user data of users. The service provider (service server 30) associates and stores the personal identification code of each user and the data obtained as a result of service provision.

The service provider transmits "location information" to the distribution control server 20 every time it accumulates user data (data generated as a result of service provision, data necessary for service provision). The location information is information about the storage location of data accumulated in the service provider (data storage entity; service provider). Location information includes a personal identification code, a business operator code, the type of stored data, and the like.

The distribution control server 20 stores the acquired location information in the "location information database". Details of the location information database will be described later. The location information database stores personal identification codes, business operator codes, and data types in association with each other.

<Data distribution through sharing>
A service provider who wishes to obtain data accumulated by another service provider obtains the data by "sharing".

Here, referring to FIG. 8, a case will be described in which the EC business operator acquires the user U1's data accumulated in the healthcare business operator by "sharing".

The service server 30-2 of the EC business operator, who is the data sharing requester, transmits a "sharing request" to the distribution control server 20 (step S41).

Based on the sharing request, the distribution control server 20 identifies the data distribution target (user U1) and the data accumulator (healthcare provider) of the data to be distributed. The distribution control server 20 transmits an inquiry regarding data sharing to the terminal 40 possessed by the specified target person (user U1) (step S42).

The terminal 40 that has received the data sharing inquiry acquires the user's intention regarding data sharing. For example, the terminal 40 acquires the intention of the user U1 using a GUI (Graphical User Interface). In the above example, the terminal 40 displays a GUI such as "You can receive better services by sharing the data of the health care business with the EC business. Do you want to share it?" to obtain the intention (agreement or disagreement to data sharing) of

The terminal 40 transmits a response to the data sharing inquiry (agreement to data sharing or refusal to share data) to the distribution control server 20 (step S43).

If the consent of the user is obtained, the distribution control server 20 transmits a sharing instruction to the data accumulator (the service server 30-1 of the healthcare provider) (step S44).

The service server 30-1 of the healthcare provider that has received the sharing instruction refers to the customer information database, and sends the data of the user U1 (eg, exercise time, etc.) to the service server 30-2 of the designated data sharing destination. Send (step S45).

Next, details of each device included in the information distribution system according to the first embodiment will be described.

[Portal Server]
FIG. 9 is a diagram showing an example of the processing configuration (processing modules) of the portal server 10 according to the first embodiment. Referring to FIG. 9 , portal server 10 includes communication control section 201 , account generation control section 202 , login control section 203 , ID cooperation control section 204 , and storage section 205 .

The communication control unit 201 is means for controlling communication with other devices. For example, the communication control unit 201 receives data (packets) from the distribution control server 20 . Also, the communication control unit 201 transmits data to the distribution control server 20 . The communication control unit 201 transfers data received from other devices to other processing modules. The communication control unit 201 transmits data acquired from other processing modules to other devices. In this manner, other processing modules transmit and receive data to and from other devices via the communication control unit 201 . The communication control unit 201 has a function as a receiving unit that receives data from another device and a function as a transmitting unit that transmits data to the other device.

The account generation control unit 202 is means for controlling system account generation. When a user performs a predetermined operation on the portal site, the account generation control unit 202 performs processing related to system account generation for the user. For example, in the portal site shown in FIG. 10, the account creation control unit 202 displays a GUI for acquiring user login information and the like when the "create account" button is pressed.

For example, the account generation control unit 202 displays a GUI as shown in FIG. The account generation control unit 202 acquires login information, personal information, biometric information, a copy of an identification document, etc., using a GUI as shown in FIG. Alternatively, the account generation control unit 202 may instruct the user to take a picture of the face or the identification document regarding the biometric information or the identification document.

When the account generation control unit 202 acquires the user's login information and the like from the terminal 40, it transmits the acquired information (login information, personal information, biometric information, identification documents) to the distribution control server 20. The account generation control unit 202 transmits an “account generation request” including login information and the like to the distribution control server 20 .

The account generation control unit 202 receives a response (positive response, negative response) to the account generation request from the distribution control server 20.

When the distribution control server 20 has successfully generated a system account (received an acknowledgment), the account generation control unit 202 transmits the user ID included in the acknowledgment to the terminal 40.

When the distribution control server 20 fails to generate the system account (receives a negative response), the account generation control unit 202 notifies the user to that effect.

The login control unit 203 is means for controlling login to the system account. For example, when the "login" button is pressed in FIG. 10, the login control unit 203 redirects the distribution control server 20 for authentication.

Specifically, the login control unit 203 transmits an "authentication request" including the address of the terminal 40 to the distribution control server 20. The login control unit 203 receives a response (positive response, negative response) to the authentication request from the distribution control server 20 .

If the login fails (if a negative response is received), the login control unit 203 notifies the user to that effect. If the login is successful (if an affirmative response is received), the login control unit 203 notifies the user to that effect, and stores the user ID included in the affirmative response as the ID of the system user (during login). user).

The ID cooperation control unit 204 is means for controlling the cooperation between the system account ID and the service account ID.

When the user who is logged in to the system account performs a predetermined operation (for example, presses the ID cooperation button), the ID cooperation control unit 204 displays a GUI as shown in FIG. 12 on the terminal 40. The ID federation control unit 204 acquires information of service providers to be ID federated using a GUI as shown in FIG.

When the information of the service provider (for example, the provider code of the service provider to be ID federated) is acquired, the ID federation control unit 204 issues a federation code including the user ID of the logged-in user and the provider code. Send the request to the distribution control server 20 .

The ID collaboration control unit 204 receives a response (positive response, negative response) to the request for issuing the collaboration code.

If no cooperation code is issued (if a negative response is received), the ID cooperation control unit 204 notifies the user that ID cooperation is not possible.

When a cooperation code is issued (when an affirmative response is received), the ID cooperation control unit 204 transmits the cooperation code to the terminal 40 together with the company code of the ID cooperation destination.

The storage unit 205 stores information necessary for the operation of the portal server 10. For example, the storage unit 205 stores table information or the like that associates service provider names with provider codes.

[Distribution control server]
FIG. 13 is a diagram showing an example of the processing configuration (processing modules) of the distribution control server 20 according to the first embodiment. 13, the distribution control server 20 includes a communication control unit 301, an account management unit 302, a login management unit 303, an ID cooperation management unit 304, a location information management unit 305, a data distribution control unit 306, A storage unit 307 is provided.

The communication control unit 301 is means for controlling communication with other devices. For example, the communication control unit 301 receives data (packets) from the service server 30 . Also, the communication control unit 301 transmits data to the service server 30 . The communication control unit 301 passes data received from other devices to other processing modules. The communication control unit 301 transmits data acquired from other processing modules to other devices. In this way, other processing modules transmit and receive data to and from other devices via the communication control unit 301 . The communication control unit 301 has a function as a receiving unit that receives data from another device and a function as a transmitting unit that transmits data to the other device.

The account management unit 302 is means for controlling and managing users' system accounts.

The account management unit 302 receives an account creation request from the portal server 10. The account management unit 302 uses the biometric information (face image) obtained from the portal server 10 and the biometric information described in the identification document to perform identity verification.

Specifically, the account management unit 302 generates a feature amount from each of the two pieces of biometric information (face image). Since existing technology can be used for the feature amount generation processing, detailed description thereof will be omitted. For example, the account management unit 302 extracts the eyes, nose, mouth, etc. from the face image as feature points. After that, the account management unit 302 calculates the position of each feature point and the distance between each feature point as a feature amount, and generates a feature vector (vector information that characterizes the face image) composed of a plurality of feature amounts.

The account management unit 302 performs authentication processing (one-to-one authentication) using the two feature values generated above. Specifically, the account management unit 302 calculates the degree of similarity between the two feature quantities. Chi-square distance, Euclidean distance, or the like can be used for the degree of similarity. Note that the greater the distance, the lower the similarity, and the closer the distance, the higher the similarity.

If the degree of similarity is greater than or equal to a predetermined value, the account management unit 302 determines that personal identification has succeeded. If the degree of similarity is smaller than a predetermined value, the account management unit 302 determines that personal identification has failed.

If the identity verification fails, the account management unit 302 notifies the portal server 10 that account generation has failed. Specifically, the account management unit 302 transmits a negative response to the account creation request to the portal server 10 .

When the identity verification is successful, the account management unit 302 creates a system account for the user. Specifically, the account management unit 302 generates a user ID for uniquely identifying the user in the information distribution system. Note that the user ID may be any information as long as it can uniquely identify the user. For example, the account management unit 302 may assign a unique value as a user ID each time an account creation request is processed.

The account management unit 302 associates and stores the generated user ID, login information, personal information (name, date of birth, contact information, etc.), biometric information, and the like. The distribution control server 20 stores this information in the "user information database" (see FIG. 14).

As shown in FIG. 14, the user information database (DB; Data Base) includes fields for storing login information, etc., fields for storing information related to ID federation (ID federation information), and individual identification fields for each service provider. A field for storing an ID is provided. "HL" described in the personal identification ID field indicates the business code of the health care business, and "EC" indicates the business code of the EC business.

Although the ID federation information is shown collectively in FIG. 14, the actual ID federation information is associated with the user ID as a set of federation code, business operator code, and validity period, as shown in FIG. ing.

It should be noted that the user information databases shown in FIGS. 14 and 15 are examples, and are not meant to limit the items to be stored. For example, an identification document obtained from the portal server 10 may be registered in the user information database.

After creating the user's system account, the account management unit 302 notifies the portal server 10 that the account has been successfully created. Specifically, the account management unit 302 transmits an affirmative response to the account generation request to the portal server 10 . At that time, the account management unit 302 transmits to the portal server 10 a positive response including the generated user ID of the user.

The login management unit 303 is means for controlling and managing logins to system accounts by users. Upon receiving an authentication request (authentication redirect) from the portal server 10, the login management unit 303 targets the terminal 40 with the address included in the authentication request and performs control related to multi-factor authentication.

First, the login management unit 303 requests the terminal 40 to provide login information (combination of ID and password). The login management unit 303 searches the user information database using the login information acquired from the terminal 40 as a key, and attempts to identify the corresponding user.

When the corresponding user is specified, the login management unit 303 determines that the first authentication using the first authentication information (login information) has succeeded. If the corresponding user is not identified, the login management unit 303 determines that the first authentication using the first authentication information has failed.

When the first authentication succeeds, the login management unit 303 requests the terminal 40 to provide biometric information (face image). The login management unit 303 attempts authentication using the biometric information acquired from the terminal 40 and the biometric information of the user specified in the first authentication. That is, the login management unit 303 performs the second authentication using the second authentication information (biometric information).

When the second authentication (biometric authentication) is also successful, the login management unit 303 determines that the multi-factor authentication for the user possessing the terminal 40 has been successful. If the first or second authentication (biometric authentication) fails, the login management unit 303 determines that the multi-factor authentication of the user who owns the terminal 40 has failed.

The login management unit 303 notifies the portal server 10 of the authentication result (multi-factor authentication result). If the multi-factor authentication has failed, the login manager 303 sends a negative response to the portal server 10 . If the multi-factor authentication is successful, the login management unit 303 will send a positive response to the portal server 10 . When notifying success of authentication, the login management unit 303 transmits an affirmative response including the user ID of the user (successful login person).

The login management unit 303 processes the authentication request received from the service server 30 in the same manner as the authentication request received from the portal server 10 . When the multi-factor authentication is successful, the login management unit 303 may notify the service server 30 of the personal identification ID corresponding to the business operator code included in the authentication request acquired from the service server 30 .

The ID federation management unit 304 is means for controlling and managing ID federation. The operation of the ID linkage management unit 304 will be described with reference to FIGS. 16 and 17. FIG.

The ID federation management unit 304 processes the "request to issue a federation code" received from the portal server 10. FIG. 16 is a flow chart showing an example of the operation of the ID federation management unit 304 when processing a federation code issuance request.

The ID linkage management unit 304 searches the user information database using the user ID included in the linkage code issuance request as a key, and attempts to identify the corresponding user (step S101).

If the identification of the user fails (Step S102, No branch), the ID linkage management unit 304 notifies the portal server 10 that the linkage code cannot be issued. Specifically, ID federation management unit 304 transmits a negative response to the federation code issuance request to portal server 10 (step S103).

If the identification of the user is successful (step S102, Yes branch), the ID linkage management unit 304 generates a linkage code (step S104). As described above, the federation code is a token with an expiration date associated with the system account of the user who desires ID federation. For example, the ID federation management unit 304 calculates a concatenated value such as the user ID of the user, the current time, and the operator code of the service provider to be ID federated, and calculates a hash value of the calculated concatenated value. to generate the link code.

The ID linkage management unit 304 registers the generated linkage code in the user information database (step S105). The ID linkage management unit 304 associates the operator code included in the linkage code issue request with the generated linkage code and stores them in the user information database. At that time, the ID cooperation management unit 304 also registers the effective period of the cooperation code in the user information database. In the example of FIG. 15, the date and time when the effective period of the cooperation code expires is registered in the user information database.

It should be noted that the ID federation management unit 304 may set a predetermined period as the valid period, or may determine the valid period based on a predetermined rule or the like. For example, the ID federation management unit 304 may set a different validity period for each service provider.

When the generation and registration of the linkage code are completed, the ID linkage management unit 304 notifies the portal server 10 of the generated linkage code. Specifically, ID federation management unit 304 transmits a positive response (response to the federation code issuance request) including the generated federation code to portal server 10 (step S106).

The ID federation management unit 304 also processes the "ID federation request" received from the service server 30. FIG. 17 is a flow chart showing an example of the operation of ID federation management section 304 when processing an ID federation request.

Upon receiving the ID federation request, the ID federation management unit 304 searches the user information database using the federation code included in the ID federation request as a key. If the search succeeds, the ID federation management unit 304 verifies the validity period of the specified federation code (step S201).

If the validity period of the cooperation code has passed (step S202, No branch), the ID cooperation management unit 304 sets the ID cooperation processing result to "ID cooperation failure" (step S203).

If the validity period of the cooperation code has not passed (step S202, Yes branch), the ID cooperation management unit 304 sends the user's contact information (address of the terminal 40) specified based on the cooperation code to the "biometric Information provision request” is transmitted (step S204).

If the biometric information is not provided (if a negative response to the biometric information provision request is received; step S205, No branch), the ID federation management unit 304 sets the ID federation processing result to "ID federation failure" (step S203). .

When the biometric information is provided (when an affirmative response to the biometric information provision request is received; step S205, Yes branch), the ID cooperation management unit 304 executes biometric authentication (step S206). Specifically, the ID linkage management unit 304 executes biometric authentication (one-to-one authentication) using the user's biometric information (face image) specified using the link code and the biometric information provided from the terminal 40. do.

When biometric authentication fails (step S207, No branch), the ID federation management unit 304 sets the ID federation processing result to "ID federation failure" (step S203).

When the biometric authentication is successful (step S207, Yes branch), the ID federation management unit 304 executes ID federation (step S208). Specifically, the ID federation management unit 304 identifies a service provider to be ID federated from the business operator code included in the ID federation request, and identifies a personal identification ID (ID federation ID) generated by the identified service provider. The personal identification ID included in the request) is stored in the user information database.

For example, in the example of FIG. 15, the user with the user ID "uID01" requests ID cooperation from the healthcare provider (see line 1). When ID linkage is executed for the user, the personal identification ID of the user (personal identification ID generated by the ) is set. As a result, the user ID "uID01" of the user with the name U1 and the personal identification ID of the healthcare provider are registered in the system as the ID of the same person.

When the ID federation is completed, the ID federation management unit 304 sets the ID federation processing result to "ID federation successful" (step S209).

The ID federation management unit 304 notifies the service server 30 of the result of the ID federation processing (step S210). If the ID federation is successful, the ID federation management unit 304 transmits an affirmative response to the service server 30 . If the ID federation fails, the ID federation manager 304 sends a negative response to the service server 30 .

The location information management unit 305 is means for managing location information acquired from service providers. The location information management unit 305 stores the location information acquired from each service server 30 in the location information database (see FIG. 18). As shown in FIG. 18, the location information database stores personal identification codes, business operator codes, and data types in association with each other. Note that the location information database shown in FIG. 18 is an example, and is not meant to limit the items to be stored. For example, the date and time when the location information was registered may be registered in the location information database.

The data distribution control unit 306 is means for controlling the data distribution of the user's accumulated data (user data held by the service provider). For example, the data distribution control unit 306 controls data distribution related to "sharing".

The data distribution control unit 306 receives a sharing request from the service server 30. The sharing request includes the personal identification code of the user whose data is to be acquired, the business operator code, the type of data that the data sharing party wishes to acquire, and information on the data sharing party (data transmission destination).

The data distribution control unit 306 identifies the target of data distribution based on the individual identification code and business operator code included in the sharing request. Specifically, the data distribution control unit 306 refers to the user information database shown in FIG. 14 and identifies the target person.

The data distribution control unit 306 uses the personal identification code of the identified user and the data type included in the sharing request to identify the service provider that accumulates the necessary data. Specifically, the data distribution control unit 306 refers to the location information database shown in FIG. 18 and identifies the service provider that accumulates the data corresponding to the data type included in the sharing request.

When the data distribution target person and the accumulator of the data to be distributed are specified, the data distribution control unit 306 inquires of the data distribution target person about data sharing. The inquiry about data sharing includes information such as the requester of data sharing, the data accumulator, and the type of data to be shared.

The data distribution control unit 306 receives a response to the data sharing inquiry from the terminal 40 .

If the user refuses to share data, the data distribution control unit 306 notifies the data sharing requestor that data sharing is not possible. When the user agrees to data sharing, the data distribution control unit 306 transmits a sharing instruction to the data accumulator.

The sharing instruction includes the personal identification code generated by the data accumulator, information on the data sharing destination, and the type of data to be shared.

The storage unit 307 stores information necessary for the operation of the distribution control server 20. The storage unit 307 stores at least biometric information for authenticating a user who logs into the system account. A user information database is constructed in the storage unit 307 . Further, the storage unit 307 is constructed with a database or the like that stores the name of the service provider and the provider code in association with each other.

[Service server]
FIG. 19 is a diagram showing an example of a processing configuration (processing modules) of the service server 30 according to the first embodiment. Referring to FIG. 19, the service server 30 includes a communication control unit 401, a customer management unit 402, a sharing request unit 403, a data accumulation unit 404, a data circulation unit 405, and a storage unit 406.

The communication control unit 401 is means for controlling communication with other devices. For example, the communication control unit 401 receives data (packets) from the distribution control server 20 . Also, the communication control unit 401 transmits data to the distribution control server 20 . The communication control unit 401 transfers data received from other devices to other processing modules. The communication control unit 401 transmits data acquired from other processing modules to other devices. In this manner, other processing modules transmit and receive data to and from other devices via the communication control unit 401 . The communication control unit 401 has a function as a receiving unit that receives data from another device and a function as a transmitting unit that transmits data to the other device.

The customer management unit 402 is means for controlling and managing customers of service providers. Specifically, the customer management unit 402 generates a user's service account and controls user's login. Furthermore, the customer management unit 402 controls and manages ID linkage.

The customer management unit 402 displays on the terminal 40 a GUI or the like for obtaining a cooperation code when the user performs a predetermined action on the WEB page. For example, the customer management unit 402 displays as shown in FIG.

After obtaining the cooperation code, the customer management unit 402 transmits to the distribution control server 20 an "ID cooperation request" including the obtained cooperation code, the user's personal identification ID, and the business operator code.

The customer management unit 402 receives a response (positive response, negative response) to the ID cooperation request from the distribution control server 20. The customer management unit 402 notifies the user of the ID federation result (ID federation success, ID federation failure).

In addition, the customer management unit 402 stores the address of the terminal 40 used by the user whose ID has been successfully linked as an ID-linked address. Specifically, customer management unit 402 adds the address of terminal 40 to the ID linkage completed list.

The customer management unit 402 processes the user's login to the service account. When processing the user's login operation, the customer management unit 402 refers to the ID federation completion list and determines whether or not the login request is from the ID federated terminal 40 .

If the login request is from the terminal 40 that has not completed ID linkage, the customer management unit 402 requests the terminal 40 of the user to provide login information. That is, the customer management unit 402 authenticates the user by a method unique to the service provider.

If the login request is from the terminal 40 for which ID linkage has been completed, the customer management unit 402 transmits an authentication request to the distribution control server 20 . The customer management unit 402 receives responses (positive response, negative response) from the distribution control server 20 . The customer management unit 402 operates according to the response from the distribution control server 20 . In this way, the customer management unit 402 requests the user to perform a procedure equivalent to login to the system account by performing authentication redirect to the information distribution system for the login process for the ID-linked user.

The detailed description of the operation related to service account generation by the customer management unit 402 will be omitted. This is because the operation is obvious to those skilled in the art.

When providing services to a new customer, the customer management unit 402 may generate a personal identification ID for the customer. Alternatively, the customer management unit 402 may acquire a personal identification ID generated by staff members of the service provider.

The sharing request unit 403 is a means of requesting the information distributor to "share" the user's data. The sharing request unit 403 transmits a sharing request to the distribution control server 20 according to the operation of the staff of the service provider. Specifically, the sharing request unit 403 circulates a sharing request that includes the personal identification code of the user whose data is to be acquired, the company code of the own device, the type of data to be acquired, information on the data sharing destination, etc. Send to control server 20 .

The data storage unit 404 is means for storing user data of users (data generated as a result of providing services to users or data necessary for providing services to users). The data storage unit 404 associates the personal identification code of the user with the user data and stores them in the storage database (see FIG. 21).

As shown in FIG. 21, the data storage unit 404 stores information on generated data in fields corresponding to the types of generated data. Note that FIG. 21 shows an example of a storage database built in the service server 30-1 of the healthcare provider.

The data storage unit 404 transmits location information to the distribution control server 20 each time data is stored in the storage database. For example, when the user data of the user with the personal identification code "HL21" is acquired, the location information including the personal identification code "HL21", the business operator code "healthcare provider", and the data type "exercise time" is sent to the distribution control server 20. sent to.

The data distribution unit 405 is means for realizing data distribution by "sharing". The data distribution unit 405 processes the “sharing instruction” received from the distribution control server 20 .

Upon receiving the sharing instruction, the data distribution unit 405 refers to the storage database and identifies the entry corresponding to the personal identification code and data type included in the sharing instruction. For example, when a sharing instruction including the personal identification code "HL21" and the data type "sleep hours" is received, the data distribution unit 405 identifies the entry shown at the top of FIG.

The data distribution unit 405 transmits the stored data described in the corresponding data type field of the specified entry to the data sharing destination specified by the sharing instruction.

The storage unit 406 stores information necessary for the operation of the service server 30.

[Terminal]
Examples of the terminal 40 include mobile terminal devices such as smartphones, mobile phones, game machines, and tablets, and computers (personal computers, notebook computers). The terminal 40 can be any equipment or device as long as it can receive user operations and communicate with the portal server 10 or the like.

For example, when the terminal 40 receives a biometric information provision request from the distribution control server 20, the terminal 40 displays a GUI that prompts for a face image (a so-called GUI that prompts a selfie) to acquire the user's biometric information. The terminal 40 transmits the acquired biometric information to the distribution control server 20 as a response to the biometric information provision request.

Also, since the configuration of the terminal 40 and the like are obvious to those skilled in the art, detailed description thereof is omitted.

[System operation]
Next, operation of the information distribution system according to the first embodiment will be described.

FIG. 22 is a sequence diagram showing an example of the operation of the information distribution system according to the first embodiment. Referring to FIG. 22, the system operation for implementing ID federation will be described.

The service server 30 acquires a cooperation code from a person who desires ID cooperation (step S301).

After obtaining the cooperation code, the service server 30 transmits an ID cooperation request to the distribution control server 20 (step S302).

Upon receiving the ID cooperation request, the distribution control server 20 transmits a biometric information provision request to the terminal 40 of the ID cooperation applicant (step S303).

Upon receiving the biometric information provision request, the terminal 40 acquires the user's biometric information and transmits the acquired biometric information (face image) to the distribution control server 20 (step S304).

The distribution control server 20 executes biometric authentication using the biometric information of the user specified using the cooperation code and the biometric information provided from the terminal 40 (step S305).

When the biometric authentication is successful, the distribution control server 20 executes ID federation (step S306).

The distribution control server 20 notifies the service server 30 of the ID federation result (step S307).

The service server 30 notifies the user of the ID federation result (step S308).

In this way, when the portal server 10 receives an ID linkage procedure for the personal identification ID from the user, it requests the distribution control server 20 to issue a linkage code. The distribution control server 20 generates a cooperation code associated with the user's system account, and transmits the generated cooperation code to the portal server 10 . The portal server 10 notifies the user of the transmitted link code.

The service server 30 acquires a cooperation code from a user who desires ID cooperation, and transmits an ID cooperation request containing a personal identification ID and the obtained cooperation code to the distribution control server 20 . The distribution control server 20 identifies the user who desires ID federation from the federation code included in the ID federation request, and requests the identified user to provide biometric information. The distribution control server 20 performs biometric authentication using the biometric information acquired in response to the request and the biometric information stored in the system account, and if the biometric authentication is successful, associates the personal identification ID with the user ID.

As described above, in the information distribution system according to the first embodiment, the cooperation code is used to realize the cooperation between the personal identification ID of the service account and the user ID of the system account. Through such ID linkage, the data accumulated by the service provider can be the object of data distribution. In addition, in the first embodiment, when receiving a service from a service provider whose ID linkage has been completed, the user is requested to perform the same procedure as when logging into the system account. As a result, high reliability can be imparted to data accumulated by service providers with low authentication strength and personal identification strength.

Specifically, as shown in FIG. 23, when creating a system account for the information distribution system, identity verification is performed using identification documents, and the identity verification strength for the user of the account is high. In addition, when a user logs into a system account, multi-factor authentication such as a combination of ID authentication and biometric authentication is used, so authentication strength is high when authenticating a person to be authenticated. For example, verification using an ID and a password is performed as primary verification, and verification (authentication) using biometric information is performed as secondary verification, so that high-strength authentication is performed. On the other hand, identity verification is not performed when a service provider (for example, a healthcare provider) accounts are created, and the strength of identity verification is low. Also, when logging into a service account of a service provider, only ID authentication using an ID and a password is performed, and the authentication strength for the person to be authenticated is low. In the first embodiment, when receiving a service from a service provider with whom ID federation has been completed (when logging into a service account), the distribution control server 20 uses single sign-on to identify the person to be authenticated. Authenticate. As a result, the authentication strength and identity verification strength of the user who uses the service provider is ensured, and the reliability of the data accumulated by the service provider is enhanced.

As explained above, in order to utilize user data accumulated by service providers that do not require high personal identification and authentication strength in providing services, it is necessary for the service provider (service providing organization) that accumulates the data to Authentication needs to be more reliable. Specifically, it is necessary to raise the authentication security level and identity verification level when accessing the service server 30 provided by the service provider to the same level as the system account. For this reason, in the first embodiment, when a service is provided by a service provider (for example, when using a health app provided by a healthcare provider), the authentication request for the health app is information Redirected to the distribution system. An information distribution system processes health app authentication requests (performs multi-factor authentication). As a result, the authentication security level when using the health app is raised to the level when using the personal portal. In addition, biometric authentication is performed during ID federation using the federation code, thereby confirming the identity of the person using the health application and the person using the personal portal. As a result, the level of identity verification when using health apps is raised to the level when using personal portals.

In this way, for example, an application (health application) provided by a healthcare provider may perform authentication using an ID and password, but does not perform biometric authentication, so the authentication strength is low. On the other hand, in the information distribution system according to the first embodiment, when the user uses the health application, the service account and the system account are linked, and the user is required to perform biometric authentication. Therefore, it is possible to increase the authentication strength when using applications such as health applications, and to utilize user data accumulated by service providers such as healthcare providers.

[Second embodiment]
Next, a second embodiment will be described in detail with reference to the drawings.

In the first embodiment, ID cooperation was described in the case where a user needs to log in to a service account managed by a service provider when receiving a service. In the second embodiment, a case will be described in which a personal identification ID of a service provider that does not require login or the like is linked when receiving a service such as a hospital.

The following description will focus on the differences between the first embodiment and the second embodiment.

FIG. 24 is a diagram showing an example of a schematic configuration of an information distribution system according to the second embodiment. As shown in FIG. 24, the information distribution system according to the second embodiment includes a hospital terminal 50 installed inside the hospital and a service server 30-3 installed outside the hospital.

The hospital terminal 50 is a terminal used by the staff of the service provider (hospital) that provides the second service, and stores the third ID in association with the user's identification information. Specifically, the hospital terminal 50 stores the patient's personal information (name, date of birth, etc.), individual identification ID (for example, patient registration card number, health insurance card number), and the like. A hospital terminal 50 is installed at a reception desk or the like. Hospital staff (hospital staff such as the medical department) use the hospital terminal 50 to perform their duties. The hospital terminal 50 has a camera device and is configured to be connectable to a network.

FIG. 25 is a diagram showing an example of the processing configuration (processing modules) of the hospital terminal 50 according to the second embodiment. Referring to FIG. 25 , hospital terminal 50 includes communication control section 501 , ID cooperation instruction processing section 502 , and storage section 503 .

The hospital terminal 50 executes processing related to the user ID of the system account and the personal identification ID of the hospital according to the operation of the hospital staff.

The communication control unit 501 is means for controlling communication with other devices. For example, the communication control unit 501 receives data (packets) from the service server 30-3. Also, the communication control unit 501 transmits data to the service server 30-3. The communication control unit 501 passes data received from other devices to other processing modules. The communication control unit 501 transmits data acquired from other processing modules to other devices. In this manner, other processing modules transmit and receive data to and from other devices via the communication control unit 501 . The communication control unit 501 has a function as a receiving unit that receives data from another device and a function as a transmitting unit that transmits data to the other device.

The ID cooperation instruction processing unit 502 is means for processing instructions regarding ID cooperation from hospital staff. Details of the ID cooperation instruction processing unit 502 will be described later.

The storage unit 503 stores information necessary for the operation of the hospital terminal 50. A patient information database for storing patient information is constructed in the storage unit 503 . The patient information database stores patient identification information (personal information; name, date of birth, etc.) and individual identification ID (medical examination card number, etc.).

The service server 30-3 (fourth server device) provides a personal identification ID (patient registration card number, etc.) necessary for providing a second service (medical service) to the user and a second ID provided to the user. We collect data about our services. The service server 30-3 is a server device (administration server) that stores data necessary for operating a data distribution service for patient user data (for example, examination results such as disease names).

The service server 30-3 provides a management portal necessary for hospital management. The service server 30-3 stores the personal identification ID of the patient (user) and the user data (disease name, etc.) to be distributed in association with each other.

In addition, the service server 30-3 has a function related to ID cooperation. That is, the service server 30-3 has a function of registering a patient's personal identification ID (for example, a patient registration card number) in the system in order to distribute accumulated patient data. Note that unlike the first embodiment, the user cannot directly access the service server 30-3.

FIG. 26 is a diagram showing an example of the processing configuration (processing modules) of the service server 30-3 according to the second embodiment. Referring to FIG. 26, a matching unit 407 is added to the configuration of the service server 30 according to the first embodiment.

Also, the service server 30-3 differs from the service server 30 of the first embodiment in the operation of the ID linkage function (customer management unit 402). In addition, the service server 30-3 has an ID linkage target person database that stores information on ID linkage applicants.

　When the personal identification ID issued by the hospital is to be linked, the user operates the terminal 40 to log in to the system account. The user selects a desired hospital for ID linkage when performing ID linkage procedures.

The ID cooperation control unit 204 of the portal server 10 changes the request to the distribution control server 20 according to the service provider information entered by the user. Specifically, as described in the first embodiment, for a service provider that requires a user to log in to a service account when receiving a service, the ID linkage control unit 204 sets the linkage code. A request for issuance is made to the distribution control server 20 .

On the other hand, as in the second embodiment, for service providers (hospitals, etc.) that do not require the user to log in to the service account when receiving the service, the ID cooperation control unit 204 allows the user to It requests (requests) the distribution control server 20 to transmit the personal identification information. Specifically, the ID cooperation control unit 204 transmits to the distribution control server 20 a “personal identification information transmission request” including the user ID of the user and the business code of the service provider (hospital) (step S51).

Note that the ID cooperation control unit 204 refers to table information or the like that associates the business operator code with the service provision form of the service provider (whether or not to log in to the service account), thereby enabling the distribution control server 20 switch requests for

Upon receiving the identity verification information transmission request, the ID cooperation management unit 304 of the distribution control server 20 searches the user information database based on the user ID and identifies the corresponding user. The ID cooperation management unit 304 transmits the identified user's user ID, personal identification information (for example, name or combination of name and date of birth), and biometric information (for example, face image) to service server 30-3 of the hospital. (step S52).

The service server 30-3 stores the received user ID, identity verification information, and biometric information in the ID linkage target person database.

After completing the procedures for ID linkage on the system account (portal server 10), the user visits the hospital. The user informs the hospital staff of the request for ID cooperation at the hospital's reception counter or accounting counter (see FIG. 28).

The hospital staff instructs the hospital terminal 50 to perform processing for ID linkage. In response to the instruction, the ID federation instruction processing unit 502 acquires the biometric information of the present user (the user who desires ID federation). The ID cooperation instruction processing unit 502 transmits a "matching request" including the acquired biometric information (face image) to the service server 30-3 of the hospital (step S61).

The matching unit 407 of the service server 30-3 performs a matching process using the biometric information included in the matching request and the biometric information stored in the ID-linked target person database (one-to-N matching; N is a positive integer, the same shall apply hereinafter). to identify the ID cooperation requester who visited the hospital. The collation unit 407 transmits identification information of the specified user (for example, the name or a combination of the name and the date of birth) and the user ID to the hospital terminal 50 (step S62).

The ID cooperation instruction processing unit 502 of the hospital terminal 50 extracts candidates for ID cooperation by searching the patient information database using the identification information obtained from the service server 30-3 as a key. The ID cooperation instruction processing unit 502 presents the extracted information about the candidate who desires ID cooperation to the hospital staff.

For example, when there is one candidate, the ID cooperation instruction processing unit 502 displays a GUI as shown in FIG. 29A. If there are multiple candidates, the ID linkage instruction processing unit 502 displays a GUI as shown in FIG. 29B.

As shown in FIGS. 29A and 29B, the ID linkage instruction processing unit 502 includes a face image obtained by photographing the user in front of him, a candidate's personal identification ID extracted using the personal identification information, display. At that time, if a plurality of candidates are identified due to the fact that patients with the same surname and the same name are registered, the ID linkage instruction processing unit 502 displays the personal identification IDs of the plurality of candidates and , a GUI is displayed that allows the hospital staff to select an ID cooperation candidate from a plurality of candidates.

If there is only one ID cooperation requesting candidate, the ID cooperation instruction processing unit 502 sends an ID cooperation request including an individual identification ID obtained by searching the patient information database, a user ID, and a business operator code to the distribution control server. 20 (step S63 in FIG. 28).

If there are multiple applicants for ID cooperation, the hospital staff confirms the patient registration card, etc., submitted by the applicant for ID cooperation at the time of reception or accounting, and confirms the patient registration card on the GUI shown in FIG. 29B. Select a number (personal identification ID).

The ID cooperation instruction processing unit 502 transmits an ID cooperation request including the personal identification ID selected by the hospital staff to the distribution control server 20 (step S63 in FIG. 28).

The ID federation management unit 304 of the distribution control server 20 identifies the ID federation applicant based on the user ID included in the ID federation request. The ID cooperation management unit 304 sets the personal identification ID of the acquired business operator code for the specified user.

After completing the ID federation process, the distribution control server 20 notifies the portal server 10 of the process result (step S53 in FIG. 27). The portal server 10 notifies the user of the ID federation result (ID federation success, ID federation failure). At that time, the portal server 10 may notify the user of the personal identification ID for which the ID linkage has been completed.

The user confirms the result notified from the portal server 10. At that time, the user confirms the personal identification ID (medical examination card number, etc.) for which the ID linkage has been completed, and if the personal identification ID is different from his/her personal identification ID, the user can request the portal server 10 to correct the personal identification ID. good. For example, the user may enter the correct personal identification ID into portal server 10 . In this case, the portal server 10 may send an ID cooperation request including the personal identification ID to the distribution control server 20 .

In this way, when the portal server 10 accepts a procedure for ID cooperation relating to the personal identification ID (third ID) of a hospital or the like from the user, the portal server 10 confirms the identity of the user who wishes to have the ID cooperation with the distribution control server 20 . Request information to be sent. In response to the request, the distribution control server 20 transmits the personal identification information and biometric information of the user who desires ID cooperation to the service server 30-3 (fourth server device). The hospital terminal 50 transmits to the service server 30-3 a verification request including the biometric information of the user who desires ID cooperation. The service server 30-3 uses the biometric information acquired from the hospital terminal 50 and the biometric information acquired from the distribution control server 20 to identify the user who desires ID linkage, and sends the identification information of the identified user to the hospital. Send to terminal 50 . The hospital terminal 50 transmits to the distribution control server 20 an ID cooperation request including a personal identification ID corresponding to the personal identification information acquired from the service server 30-3.

The hospital terminal 50 presents the personal identification ID corresponding to the personal identification information acquired from the service server 30-3 and the biometric information (face image) of the user who wishes to cooperate with the ID to the hospital staff. At that time, if there are multiple candidates corresponding to the personal identification information acquired from the service server 30-3, the hospital terminal 50 presents the personal identification IDs of the multiple candidates to the hospital staff. The hospital terminal 50 transmits to the distribution control server 20 an ID cooperation request including an individual identification ID selected by the hospital staff from among multiple personal identification IDs.

As described above, in the second embodiment, in order to utilize the data (medical data) accumulated by hospitals, etc., personal identification IDs (patient registration card numbers, etc.) managed by hospitals are registered in the system. When the user desires ID cooperation, the portal server 10 requests the distribution control server 20 to transmit the identification information of the person who wishes to cooperate with the ID to the service server 30-3 of the hospital. The hospital terminal 50 acquires the biometric information of the ID cooperation requester, and the hospital terminal 50 requests the service server 30-3 for verification using the biometric information. The service server 30 - 3 identifies the ID cooperation requester by verification processing using biometric information, and transmits the identification information to the hospital terminal 50 . The hospital terminal 50 identifies the ID cooperation requester by using the identity verification information notified from the service server 30-3 and the identity verification information in the patient information database (insurance card information stored by the hospital). That is, the hospital terminal 50 performs primary verification using the personal identification information. When a plurality of ID cooperation requesters are extracted due to duplication of names, etc., the hospital terminal 50 presents the hospital staff with a candidate list consisting of a plurality of ID requesters. The hospital staff performs secondary collation using the presented candidate list and the patient identification card presented by the ID cooperation requester, and finally identifies the ID cooperation target patient. As described above, in the second embodiment, verification (authentication) using biometric information is performed as primary verification, and visual verification by hospital staff is performed as secondary verification. In addition, since the candidate list includes personal identification IDs (medical examination card numbers, etc.), hospital staff can specify ID cooperation applicants without entering the numbers. Therefore, the hospital staff are hardly burdened. The hospital terminal 50 notifies the distribution control server 20 of an ID cooperation request including the personal identification ID of the ID cooperation applicant. The distribution control server 20 performs ID cooperation regarding the notified personal identification ID.

As explained above, when using data managed by hospitals that do not require a service account login, a system account login is required (multi-factor authentication is performed). Therefore, the authentication security level when using hospital accumulated data (medical data) is raised to the level when using an information distribution system. In hospitals, face-to-face identity verification (confirmation of the patient's face) is performed when a patient registration card is created, and the level of identity verification is inherently high. There is no problem with this point. However, when the user ID of the system and the personal identification ID are linked, requesting the hospital staff to input the patient registration card number into the system increases the burden on the staff. Regarding this problem, in the second embodiment, since the hospital terminal 50 automatically specifies the patient registration card number, there is no need to match IDs, and the burden on hospital staff is reduced.

Next, the hardware of each device that makes up the information distribution system will be explained. FIG. 30 is a diagram showing an example of the hardware configuration of the distribution control server 20. As shown in FIG.

The distribution control server 20 can be configured by an information processing device (so-called computer), and has the configuration illustrated in FIG. For example, the distribution control server 20 includes a processor 311, a memory 312, an input/output interface 313, a communication interface 314, and the like. Components such as the processor 311 are connected by an internal bus or the like and configured to be able to communicate with each other.

However, the configuration shown in FIG. 30 is not meant to limit the hardware configuration of the distribution control server 20 . The distribution control server 20 may include hardware (not shown) and may not have the input/output interface 313 if necessary. Also, the number of processors 311 and the like included in the distribution control server 20 is not limited to the example shown in FIG.

The processor 311 is, for example, a programmable device such as a CPU (Central Processing Unit), MPU (Micro Processing Unit), DSP (Digital Signal Processor). Alternatively, processor 311 may be a device such as FPGA (Field Programmable Gate Array), ASIC (Application Specific Integrated Circuit), or the like. The processor 311 executes various programs including an operating system (OS).

The memory 312 is RAM (Random Access Memory), ROM (Read Only Memory), HDD (Hard Disk Drive), SSD (Solid State Drive), or the like. The memory 312 stores an OS program, application programs, and various data.

The input/output interface 313 is an interface for a display device and an input device (not shown). The display device is, for example, a liquid crystal display. The input device is, for example, a device such as a keyboard or mouse that receives user operations.

The communication interface 314 is a circuit, module, etc. that communicates with other devices. For example, the communication interface 314 includes a NIC (Network Interface Card) or the like.

The functions of the distribution control server 20 are realized by various processing modules. The processing module is implemented by the processor 311 executing a program stored in the memory 312, for example. Also, the program can be recorded in a computer-readable storage medium. The storage medium can be non-transitory such as semiconductor memory, hard disk, magnetic recording medium, optical recording medium, and the like. That is, the present invention can also be embodied as a computer program product. Also, the program can be downloaded via a network or updated using a storage medium storing the program. Furthermore, the processing module may be realized by a semiconductor chip.

The portal server 10, the service server 30, and the like can also be configured by information processing devices in the same way as the distribution control server 20, and the basic hardware configuration thereof is the same as that of the distribution control server 20, so description thereof will be omitted. .

The distribution control server 20, which is an information processing device, is equipped with a computer, and the function of the distribution control server 20 can be realized by causing the computer to execute a program. Also, the distribution control server 20 executes the control method of the distribution control server 20 by the program.

[Modification]
Note that the configuration, operation, etc. of the information distribution system described in the above embodiment are examples, and are not intended to limit the configuration of the system.

In the above embodiment, the case where the portal server 10 serves as an interface for system accounts has been described. However, all or part of the functions of the portal server 10 may be performed by the distribution control server 20 . The information distribution system does not have to include the portal server 10 . That is, the terminal 40 and the distribution control server 20 may directly transmit and receive a "request for issuing a cooperation code" and a "request for ID cooperation".

In the above embodiment, the distribution control server 20 has a function of managing users (account generation, login management) and a function of controlling data distribution. However, these functions may be realized by different server devices. Specifically, the system may include a management server 21 that manages users and a control server 22 that controls data distribution (see FIG. 31). In this case, the management server 21 operates as a so-called eKYC (electronic Know Your Customer) server. The configuration, operation, etc. of the management server 21 and the control server 22 are clear from the operations according to the first and second embodiments, and thus the description thereof is omitted.

In the above embodiment, authentication using an ID and password and authentication using biometric information were explained as examples of multi-factor authentication adopted by the information distribution system. However, it goes without saying that multi-factor authentication is not limited to ID authentication and biometric authentication. For example, the information processing system may adopt e-mail address authentication (terminal authentication) in which an e-mail including a verification URL (Uniform Resource Locator) is sent to the e-mail address.

In the above embodiment, the case of using a face image as biometric information has been described. However, biometric information may be a feature amount generated from a face image. For example, a feature amount may be registered instead of a face image when generating a system account.

Furthermore, the information distribution system may utilize biometric information other than face images and feature quantities. That is, biometric information includes, for example, data (feature amounts) calculated from physical features unique to individuals, such as face, fingerprints, voiceprints, veins, retinas, and iris patterns. Alternatively, the biometric information may be image data such as a face image or a fingerprint image. The biometric information should just contain a user's physical characteristic as information.

In the above embodiment, it was explained that the distribution control server 20 generates a character string consisting of a combination of numbers and characters as a link code and issues it to the user. At that time, the distribution control server 20 may issue a two-dimensional code obtained by converting the character string to the user as a cooperation code. That is, the cooperation code issued to the user is not limited to the character string shown in FIG.

In the above embodiment, the user information database is configured inside the distribution control server 20, but the database may be configured in an external database server or the like. That is, some functions of the distribution control server 20 may be implemented in another server. More specifically, if the above-described "ID federation management section (ID federation management means)", "data distribution control section (data distribution control means)", etc. are implemented in any device included in the system good.

The form of data transmission/reception between each device (portal server 10, distribution control server 20, etc.) is not particularly limited, but the data transmitted/received between these devices may be encrypted. User's personal information and the like are transmitted and received between these devices, and it is desirable to transmit and receive encrypted data in order to appropriately protect such information.

In the flowcharts (flowcharts, sequence diagrams) used in the above explanation, multiple steps (processes) are described in order, but the execution order of the steps executed in the embodiment is not limited to the described order. In the embodiment, the order of the illustrated steps can be changed within a range that does not interfere with the content, such as executing each process in parallel.

The above embodiments have been described in detail to facilitate understanding of the disclosure of the present application, and are not intended to require all the configurations described above. Also, when a plurality of embodiments are described, each embodiment may be used alone or in combination. For example, it is possible to replace part of the configuration of the embodiment with the configuration of another embodiment, or to add the configuration of another embodiment to the configuration of the embodiment. Furthermore, additions, deletions, and replacements of other configurations are possible for some of the configurations of the embodiments.

Although the industrial applicability of the present invention is clear from the above description, the present invention can be suitably applied to an information distribution system that distributes accumulated data related to services provided to users.

Some or all of the above embodiments may also be described in the following additional remarks, but are not limited to the following.
[Appendix 1]
A first server that stores a first ID required to provide a first service to a user logged into a first account, and accumulates data relating to the first service provided to the user. a device;
a second server device that controls data distribution of the accumulated data for the user who has logged in to the second account;
including
After the first ID managed by the first account and the second ID managed by the second account are associated with each other, the second server device allows the user to access the first ID. system, when logging into the second account, requires the user to follow the same procedure as logging into the second account.
[Appendix 2]
further comprising a third server device that receives a login request to the second account by the user and requests authentication of the user from the second server device;
The system according to appendix 1, wherein the second server device executes multi-factor authentication for the user and notifies the third server device of the result of the multi-factor authentication.
[Appendix 3]
The system according to appendix 2, wherein the second server device stores at least biometric information for authenticating the user who logs into the second account.
[Appendix 4]
When the third server device receives an ID linkage procedure for the first ID from the user, the third server device requests the second server device to issue a linkage code,
The second server device generates the cooperation code associated with the second account of the user, transmits the generated cooperation code to the third server device,
The system according to appendix 3, wherein the third server device notifies the user of the transmitted cooperation code.
[Appendix 5]
The first server obtains the cooperation code from the user who desires the ID cooperation, and transmits an ID cooperation request including the first ID and the obtained cooperation code to the second server. ,
The second server device is
identifying the user who desires the ID linkage from the linkage code included in the ID linkage request, and requesting the identified user to provide biometric information;
biometric authentication is performed using the biometric information obtained in response to the request and the biometric information stored in the second account, and if the biometric authentication is successful, the first ID and the second ID are authenticated; 5. The system of clause 4, which associates.
[Appendix 6]
a fourth server device for accumulating a third ID necessary for providing the second service to the user and data relating to the second service provided to the user;
a terminal used by an employee of a service provider that provides the second service, and stores the third ID and the identity verification information of the user in association with each other;
further comprising
The system according to supplementary note 2, wherein the terminal executes processing related to cooperation between the second ID and the third ID in accordance with an operation by the staff member.
[Appendix 7]
When the third server device receives the ID federation procedure for the third ID from the user, the third server device transmits identity verification information of the user who desires the ID federation to the second server device. request,
The second server device, in response to the request, transmits identity verification information and biometric information of the user who desires the ID linkage to the fourth server device,
The terminal transmits a verification request including biometric information of the user who desires the ID linkage to the fourth server device,
The fourth server device identifies the user who desires the ID linkage by using the biometric information obtained from the terminal and the biometric information obtained from the second server device, and identifies the identified user himself/herself. sending confirmation information to said terminal;
7. The system according to appendix 6, wherein the terminal transmits an ID cooperation request including the third ID corresponding to the personal identification information acquired from the fourth server device to the second server device.
[Appendix 8]
The terminal is
8. The system according to appendix 7, wherein the staff member is presented with the third ID corresponding to the personal identification information acquired from the fourth server device and the biometric information of the user who desires the ID linkage.
[Appendix 9]
The terminal presents the employee with a plurality of the third IDs corresponding to the personal identification information acquired from the fourth server device,
9. The system according to appendix 7 or 8, wherein the ID cooperation request including the third ID selected by the employee from among the plurality of third IDs is transmitted to the second server device.
[Appendix 10]
10. The system according to any one of appendices 1 to 9, wherein the multi-factor authentication includes authentication using an ID and password and authentication using biometric information.
[Appendix 11]
11. The system according to appendix 10, wherein the biometric information is a face image or a feature amount generated from the face image.
[Appendix 12]
storing a first ID required to provide a first service to a user logged into a first account; storing data relating to the first service provided to the user; communicating with a server; , a communication control unit, and
a data distribution control unit that controls data distribution of the accumulated data for the user who has logged in to the second account;
an ID cooperation management unit that associates a first ID managed by the first account with a second ID managed by the second account;
After the first ID and the second ID are associated, when the user logs into the first account, the user is instructed to follow the same procedure as the procedure for logging into the second account. requesting a login manager;
A server device.
[Appendix 13]
storing a first ID required to provide a first service to a user logged into a first account; storing data relating to the first service provided to the user; communicating with a server; , in the server device,
controlling data distribution of the accumulated data for the user who has logged in to the second account;
associating a first ID managed by the first account with a second ID managed by the second account;
After the first ID and the second ID are associated, when the user logs into the first account, the user is instructed to follow the same procedure as the procedure for logging into the second account. A method of controlling the server device that is requested.
[Appendix 14]
storing a first ID required to provide a first service to a user logged into a first account; storing data relating to the first service provided to the user; communicating with a server; , to the computer installed in the server device,
a process of controlling data distribution of the accumulated data for the user who has logged in to the second account;
A process of associating a first ID managed by the first account with a second ID managed by the second account;
After the first ID and the second ID are associated, when the user logs into the first account, the user is instructed to follow the same procedure as the procedure for logging into the second account. the requested action; and
A computer-readable storage medium that stores a program for executing

It should be noted that each disclosure of the above cited prior art documents shall be incorporated into this document by citation. Although the embodiments of the present invention have been described above, the present invention is not limited to these embodiments. Those skilled in the art will appreciate that these embodiments are illustrative only and that various modifications can be made without departing from the scope and spirit of the invention. That is, the present invention naturally includes various variations and modifications that can be made by those skilled in the art according to the entire disclosure including claims and technical ideas.

10 portal server 20 distribution control server 21 management server 22 control server 30 service server 30-1 service server 30-2 service server 30-3 service server 40 terminal 50 hospital terminal 101 first server device 102 second server device 201 communication Control unit 202 Account generation control unit 203 Login control unit 204 ID cooperation control unit 205 Storage unit 301 Communication control unit 302 Account management unit 303 Login management unit 304 ID cooperation management unit 305 Location information management unit 306 Data distribution control unit 307 Storage unit 311 Processor 312 Memory 313 Input/output interface 314 Communication interface 401 Communication control unit 402 Customer management unit 403 Sharing request unit 404 Data storage unit 405 Data distribution unit 406 Storage unit 407 Verification unit 501 Communication control unit 502 ID cooperation instruction processing unit 503 Storage unit

Claims

A first server that stores a first ID required to provide a first service to a user logged into a first account, and accumulates data relating to the first service provided to the user. a device;
a second server device that controls data distribution of the accumulated data for the user who has logged in to the second account;
including
After the first ID managed by the first account and the second ID managed by the second account are associated with each other, the second server device allows the user to access the first ID. system, when logging into the second account, requires the user to follow the same procedure as logging into the second account.
further comprising a third server device that receives a login request to the second account by the user and requests authentication of the user from the second server device;
2. The system according to claim 1, wherein said second server device executes multi-factor authentication for said user and notifies said third server device of a result of said multi-factor authentication.
The system according to claim 2, wherein said second server device stores at least biometric information for authenticating said user who logs into said second account.
When the third server device receives an ID linkage procedure for the first ID from the user, the third server device requests the second server device to issue a linkage code,
The second server device generates the cooperation code associated with the second account of the user, transmits the generated cooperation code to the third server device,
4. The system according to claim 3, wherein said third server device notifies said user of said transmitted cooperation code.
The first server obtains the cooperation code from the user who desires the ID cooperation, and transmits an ID cooperation request including the first ID and the obtained cooperation code to the second server. ,
The second server device is
identifying the user who desires the ID linkage from the linkage code included in the ID linkage request, and requesting the identified user to provide biometric information;
biometric authentication is performed using the biometric information obtained in response to the request and the biometric information stored in the second account, and if the biometric authentication is successful, the first ID and the second ID are authenticated; 5. The system of claim 4, which associates.
a fourth server device for accumulating a third ID necessary for providing the second service to the user and data relating to the second service provided to the user;
a terminal used by an employee of a service provider that provides the second service, and stores the third ID and the identity verification information of the user in association with each other;
further comprising
3. The system according to claim 2, wherein said terminal executes processing related to cooperation between said second ID and said third ID in accordance with an operation by said staff member.
When the third server device receives the ID federation procedure for the third ID from the user, the third server device transmits identity verification information of the user who desires the ID federation to the second server device. request,
The second server device, in response to the request, transmits identity verification information and biometric information of the user who desires the ID linkage to the fourth server device,
The terminal transmits a verification request including biometric information of the user who desires the ID linkage to the fourth server device,
The fourth server device identifies the user who desires the ID linkage by using the biometric information obtained from the terminal and the biometric information obtained from the second server device, and identifies the identified user himself/herself. sending confirmation information to said terminal;
7. The system according to claim 6, wherein said terminal transmits to said second server device an ID cooperation request including said third ID corresponding to said personal identification information acquired from said fourth server device.
The terminal is
8. The system according to claim 7, wherein the third ID corresponding to the personal identification information acquired from the fourth server device and the biometric information of the user who desires the ID linkage are presented to the employee.
The terminal presents the employee with a plurality of the third IDs corresponding to the personal identification information acquired from the fourth server device,
9. The system according to claim 7, wherein the ID cooperation request including the third ID selected by the employee from among the plurality of third IDs is transmitted to the second server device.
The system according to any one of claims 1 to 9, wherein the multi-factor authentication includes authentication using an ID and password and authentication using biometric information.
The system according to claim 10, wherein the biometric information is a facial image or a feature quantity generated from the facial image.
storing a first ID required to provide a first service to a user logged into a first account; storing data relating to the first service provided to the user; communicating with a server; , a communication control unit, and
a data distribution control unit that controls data distribution of the accumulated data for the user who has logged in to the second account;
an ID cooperation management unit that associates a first ID managed by the first account with a second ID managed by the second account;
After the first ID and the second ID are associated, when the user logs into the first account, the user is instructed to follow the same procedure as the procedure for logging into the second account. requesting a login manager;
A server device.
storing a first ID required to provide a first service to a user logged into a first account; storing data relating to the first service provided to the user; communicating with a server; , in the server device,
controlling data distribution of the accumulated data for the user who has logged in to the second account;
associating a first ID managed by the first account with a second ID managed by the second account;
After the first ID and the second ID are associated, when the user logs into the first account, the user is instructed to follow the same procedure as the procedure for logging into the second account. A method of controlling the server device that is requested.
storing a first ID required to provide a first service to a user logged into a first account; storing data relating to the first service provided to the user; communicating with a server; , to the computer installed in the server device,
a process of controlling data distribution of the accumulated data for the user who has logged in to the second account;
A process of associating a first ID managed by the first account with a second ID managed by the second account;
After the first ID and the second ID are associated, when the user logs into the first account, the user is instructed to follow the same procedure as the procedure for logging into the second account. the requested action; and
A computer-readable storage medium that stores a program for executing