JP2019219999A - System determining apparatus, system determining method, and system determining program - Google Patents

Abstract

PROBLEM TO BE SOLVED: To provide a method determining device, a method determining method and a method determining program capable of determining a convenient authentication method while ensuring safety. A method determination device 1 includes a collection unit 11, a learning unit 12, a determination unit 13, and a selection unit 17. The collecting unit collects a predetermined type of user information indicating the state of the user from the authentication terminal associated with the user in advance. The learning unit generates a classifier for identifying the user based on the user information. When executing user authentication, the determination unit acquires user information from the authentication terminal and determines the security level required for authentication based on the user's identity calculated by the classifier using the acquired user information. decide. The selection unit selects the method that suits the security level from among multiple authentication methods. [Selection diagram] Fig. 2

Description

  The present invention relates to an apparatus, a method, and a program for authenticating a user.

Conventionally, various services have been provided via communication networks. These services are provided with an authentication function for confirming that the user is who he or she is, in order to prevent fraud such as spoofing. A variety of authentication methods can be used for this authentication function, and the service provider usually determines which authentication method to use.
Patent Literature 1 proposes a method of determining an authentication method based on security required by a service and a situation at the time of authentication.

JP 2017-45328 A

  However, in the conventional method, a complicated authentication procedure may always be required for a user who repeatedly logs in, and there is a problem in convenience.

  An object of the present invention is to provide a scheme determining apparatus, a scheme determining method, and a scheme determining program that can determine a convenient authentication scheme while ensuring security.

  A method determining apparatus according to the present invention includes a collection unit that collects a predetermined type of user information indicating a state of the user from an authentication terminal previously associated with the user, and identifies the user based on the user information. A learning unit for generating an identifier for performing the authentication of the user, acquiring the user information from the authentication terminal, and calculating the identity of the user by using the user information. A determining unit that determines a security level required for the authentication based on the security, and a selecting unit that selects a method suitable for the security level among a plurality of authentication methods.

  The collection unit, when the user makes an authentication request from a login terminal different from the authentication terminal, acquires the identification information of the login terminal, the learning unit, based on the user information and the identification information, The classifier may be generated.

  The method determination device may include a state determination unit that determines a current state of the user based on the user information, and the selection unit may select a method suitable for the determined current state. .

  The learning unit may generate the discriminator based on a difference from information of another user different from the user.

  The method determination device may include a priority acquisition unit that acquires priority information of the plurality of authentication methods registered by the user, and the selection unit may select a method based on the priority information.

  The method determination device includes a usability acquisition unit that acquires usability information for each method including the time until the authentication succeeds, or the number of failures, and the selection unit selects a method based on the usability information. Is also good.

  A method for determining a method according to the present invention includes the steps of: collecting a predetermined type of user information indicating a state of the user from an authentication terminal associated with the user in advance; and identifying the user based on the user information. A learning step of generating a classifier for performing the authentication of the user, acquiring the user information from the authentication terminal, and using the user information to calculate the identity of the user. The computer executes a determining step of determining a security level necessary for the authentication based on the characteristics, and a selecting step of selecting a method suitable for the security level from among a plurality of authentication methods.

  The method determining program according to the present invention includes: a collecting step of collecting predetermined types of user information indicating a state of the user from an authentication terminal previously associated with the user; and identifying the user based on the user information. A learning step of generating a classifier for performing the authentication of the user, acquiring the user information from the authentication terminal, and using the user information to calculate the identity of the user. A determining step of determining a security level required for the authentication based on the security, and a selecting step of selecting a method suitable for the security level from among a plurality of authentication methods. .

  According to the present invention, a convenient authentication method can be determined.

1 is a schematic diagram illustrating a configuration of an entire authentication system according to an embodiment. It is a figure showing the functional composition of the system decision device concerning an embodiment. FIG. 4 is a sequence diagram illustrating a process at the time of user authentication in the authentication system according to the embodiment.

Hereinafter, an example of an embodiment of the present invention will be described.
FIG. 1 is a schematic diagram illustrating a configuration of an entire authentication system 100 including a scheme determination device 1 according to the present embodiment.

  The user uses a login terminal 3 that receives a service provided by the service providing server 2 and an authentication terminal 4 that provides information for performing user authentication at the time of login. In the present embodiment, the authentication terminal 4 is separate from the login terminal 3 and is assumed to be a mobile terminal such as a smartphone or a tablet terminal. However, the present invention is not limited to this, and the login terminal 3 also serves as the authentication terminal 4. May be.

  The method determining apparatus 1 periodically acquires information on the authentication terminal 4 via the terminal management server 5 and generates an identifier for identifying the identity of the user by learning. The method determining apparatus 1 uses the discriminator to determine the identity of the user who has made the authentication request, and selects an authentication method according to the determination result.

  The login terminal 3 or the authentication terminal 4 executes various authentication processes with the terminal management server 5 using the authentication method selected by the method determination device 1 to log in to the service providing server 2. The authentication result is notified to the service providing server 2 and access from the login terminal 3 is permitted.

Here, examples of the authentication method include, but are not limited to, the following, and various authentication methods may be used. Further, a plurality of methods may be combined and a multi-step authentication method may be used.
・ Password authentication ・ 4-digit password authentication ・ 8-digit password authentication ・ Pattern authentication ・ Authentication using secret question ・ One-time password authentication ・ One-time pattern authentication ・ SIM authentication ・ Device authentication ・ Using secret key Signature authentication • Random number table authentication • Palm print authentication • Fingerprint authentication • Face authentication • Hand vein authentication • Finger vein authentication • Iris authentication • Voice authentication • Signature authentication • Multi-factor authentication • Image authentication (CAPTCHA)
・ Location authentication ・ Risk-based authentication ・ Multi-path authentication

In each of these authentication methods, the risk of unauthorized access is considered, and a security level that can guarantee the legitimacy of the user is set for each. Further, a necessary security level is set by the service provider according to the content of the service provided by the service providing server 2.
The method determining device 1 selects an authentication method to satisfy the security level set by the service provider.

FIG. 2 is a diagram illustrating a functional configuration of the method determining apparatus 1 according to the present embodiment.
The method determining device 1 is an information processing device (computer) such as a personal computer or a server including the control unit 10 and the storage unit 20 and further has an interface function with a user and an external device such as an input / output device and a communication interface. Have.

The control unit 10 functions as the following units by reading and executing software (system determination program) stored in the storage unit 20.
That is, the control unit 10 includes a collection unit 11, a learning unit 12, a determination unit 13, a state determination unit 14, a priority acquisition unit 15, a usability acquisition unit 16, and a selection unit 17.

The collection unit 11 collects predetermined types of user information indicating the state of the user from the authentication terminal 4 previously associated with the user.
As a method of associating the user with the authentication terminal 4, the terminal used at the time of past authentication may be automatically associated with the user, or the user may register the authentication terminal 4. The association information may be stored in the storage unit 20 or may be stored in the external terminal management server 5 or the like.

Examples of the user information include the following types of data.
Position information such as an IP address, a base station ID, and GPS positioning information;
-Measurement values of various sensors provided in the authentication terminal 4, such as an acceleration sensor, a proximity sensor, and a brightness sensor.
-Moving means such as stationary, walking, or an automobile determined using the above various data.

  The collection unit 11 periodically acquires these pieces of user information from the user authentication terminal 4 and provides the information together with the date and time information to the learning unit 12. In addition, the collection unit 11 may further acquire information at the time when the user makes an authentication request, and provide the information to the learning unit 12 as information specialized at the time of authentication.

  Further, when the user makes an authentication request from the login terminal 3 different from the authentication terminal 4, the collection unit 11 acquires identification information including the IP address and the position information of the login terminal 3 and provides the identification information to the learning unit 12. May be.

The learning unit 12 generates a classifier for identifying a user based on the user information and the identification information. Note that an existing learning method may be used as a means for generating a classifier.
Thereby, data characterizing the behavior of each user is formed by learning, and a score indicating personality is calculated according to when and where the login terminal 3 and the authentication terminal 4 are in what state.
At this time, the learning unit 12 can also improve the identification accuracy of the user by generating the classifier based on a difference from information of another user different from the target user.

When executing the user authentication, the determining unit 13 inputs the user information newly acquired from the authentication terminal 4 to the discriminator, and determines the security required for the authentication based on the calculated score indicating the identity of the user. Determine the level.
The security level required by the provided service may be set according to the calculated score indicating personality. In other words, if the identity is low, a higher security level is required, but if the identity is high, even if the authentication is at a relatively low security level, the authentication is required in combination with the calculated score indicating the identity. Security level is assured.

The state determination unit 14 determines the current state of the user based on the user information.
For example, based on various types of sensor information, the state determination unit 14 determines whether the user is in a bright place or a dark place, whether it is a quiet place or a noisy place, what the transportation means is, etc. Determine the status.
Note that an identifier for each user may be used to determine this state, or an identifier common to a plurality of users may be used. Further, the state determination unit 14 may determine the state based on a prepared threshold.

  The priority obtaining unit 15 obtains priority information of a plurality of authentication methods registered in advance by the user. For example, the method determining apparatus 1 receives a plurality of authentication methods that the user wants to use and a designation of a ranking or a point, and registers the information as setting information for each user.

  The usability acquisition unit 16 acquires usability information for each method including the time taken for the user to be successfully authenticated by one of the authentication methods or the number of failures. This usability information indicates suitability for each authentication method for each user, and is acquired every time authentication is performed.

  The selecting unit 17 selects a method suitable for the security level from the plurality of authentication methods. Here, a security level is set for each of the plurality of authentication methods, and an authentication method with a level higher than or equal to the security level determined by the determination unit 13 is selected.

Further, the selecting unit 17 selects an authentication method suitable for the determined current user state from among authentication methods satisfying the security level condition.
For example, since voice authentication is difficult in a train, fingerprint authentication or the like is selected. Alternatively, since face authentication is difficult in a dark place, fingerprint authentication using another sensor is selected.
These selection logics are registered in the storage unit 20 in advance.

The selecting unit 17 selects an authentication method based on the priority information acquired by the priority acquiring unit 15 and the usability information acquired by the usability acquiring unit 16.
At this time, for example, when a certain user prioritizes fingerprint authentication but has a high failure rate, a selection method that places importance on usability over user preferences (priority), such as selecting palmprint authentication with a high success rate, is used. There may be.

  Further, the selecting unit 17 obtains information on the change of the setting of the priority order by the user himself and combines it with the usability information, thereby avoiding a certain authentication method due to a large number of failures or simply dislike or dislike. It can be determined that an authentication method is desired. Then, for example, if the ranking of a certain authentication method is lowered due to mere preference, the selection unit 17 may select an authentication method contrary to the setting in order to maintain the security level.

FIG. 3 is a sequence diagram illustrating a process at the time of user authentication in the authentication system 100 according to the present embodiment.
Prior to this processing, it is assumed that the method determining apparatus 1 periodically acquires user user information from the authentication terminal 4 in advance, and generates an identifier for each user.

In step S1, the login terminal 3 issues a service request to the service providing server 2 according to an instruction input from a user.
In step S2, the service providing server 2 issues a redirect request to the requesting login terminal 3 to the method determining apparatus 1 in order to authenticate the user who has requested the service.
In step S3, the login terminal 3 notifies the method determination device 1 of the user ID and makes an authentication request according to the redirect request.

In step S4, the method determination device 1 notifies the terminal management server 5 of the user ID that has issued the authentication request.
In step S5, the terminal management server 5 specifies the authentication terminal 4 previously associated with the user ID.

In step S6, the terminal management server 5 transmits the ID of the specified authentication terminal 4 to the notification server that is responsible for the push notification, and makes a request for the push notification.
In step S7, the notification server issues a push notification for a user information request to the designated authentication terminal 4.
In step S8, the authentication terminal 4 acquires user information by activating a predetermined application in response to receiving the push notification.
In step S9, the authentication terminal 4 sends the obtained user information to the terminal management server 5.

In step S10, the terminal management server 5 transfers the received user information to the method determining device 1.
In step S11, the method determining apparatus 1 inputs the received user information to a classifier for each user, and acquires a score indicating personality. Then, when determining the security level according to the risk indicated by the score, the method determination device 1 selects an authentication method that satisfies the security level.

In step S12, the terminal management server 5 executes an authentication process with the authentication terminal 4 or the login terminal 3 using the authentication method selected by the method determination device 1.
In step S13, the terminal management server 5 notifies the service providing server 2 of the authentication result.

In step S14, the terminal management server 5 issues a redirect request for causing the login terminal 3 to access the service providing server 2.
In step S15, the login terminal 3 issues a service request to the service providing server 2 in response to the redirect request.
In step S16, the service providing server 2 provides a predetermined service to the login terminal 3 according to the service request.

Here, the method determining apparatus 1 periodically acquires the user information for learning the classifier from the registered authentication terminal 4 via the terminal management server 5. At this time, steps S6 to S10 are periodically performed. Is executed.
In this example, the process of performing the push notification via the notification server is illustrated. However, depending on the function of the authentication terminal 4 and the type of the operating system, the trigger is performed without the notification server or only once at the start. Thus, the predetermined application may automatically and periodically transmit the user information.

  According to the present embodiment, the method determining apparatus 1 collects user information from the authentication terminal 4 and generates a classifier for each user by learning, so that the user information acquired anew when executing authentication is input. A score indicating personality is calculated. The method determining device 1 determines a security level required for authentication based on the score indicating the identity, and selects a method suitable for this security level.

From the user information acquired by the authentication terminal 4 carried, for example, information on frequently visited locations such as offices, commuting routes, business offices, and overseas bases is learned. Although the risk of personality is high, it can be estimated that the risk is low if it matches the learning content.
Therefore, the scheme determination device 1 can confirm the identity of the user at the time of authentication using the user information at the time of non-authentication, thereby ensuring the same security even if the required security level is reduced. As a result, the scheme determination device 1 can determine a convenient authentication scheme while ensuring security.

When the login terminal 3 is different from the authentication terminal 4, the method determination device 1 acquires identification information such as an IP address and position information from the login terminal 3, and uses the identification information for learning the identifier.
Therefore, the method determining apparatus 1 can collect abundant information at the time of non-authentication and at the time of authentication, and improve the accuracy of the discriminator.

  The method determining apparatus 1 determines the current state of the user based on the user information at the time of authentication, and can select an authentication method suitable for this state. Thereby, the scheme determination apparatus 1 can flexibly change the authentication scheme depending on the situation, and can improve convenience.

  Since the method determination device 1 generates the classifier based on the difference from the information of the other users, the identification accuracy can be improved using unique information different from the target user.

  By using the setting information on the priority order, the scheme determining apparatus 1 can select an authentication scheme according to the user's preference while maintaining the security level, and can improve the convenience.

  By using the usability information for each authentication method including the time until the authentication succeeds or the number of failures, the method determination device 1 can select an authentication method in a procedure that is easy for the user to perform, thereby improving the convenience.

  The embodiments of the present invention have been described above, but the present invention is not limited to the above-described embodiments. Further, the effects described in the above-described embodiments merely enumerate the most preferable effects resulting from the present invention, and the effects according to the present invention are not limited to those described in the embodiments.

  The method of determining a method by the method determining apparatus 1 is realized by software. When realized by software, a program constituting the software is installed in an information processing device (computer). Further, these programs may be recorded on a removable medium such as a CD-ROM and distributed to the user, or may be distributed by being downloaded to the user's computer via a network. Further, these programs may be provided to a user's computer as a Web service via a network without being downloaded.

Reference Signs List 1 system determination device 2 service providing server 3 login terminal 4 authentication terminal 5 terminal management server 10 control unit 11 collection unit 12 learning unit 13 determination unit 14 state determination unit 15 priority acquisition unit 16 usability acquisition unit 17 selection unit 20 storage unit 100 Authentication system

Claims (8)

A collecting unit that collects a predetermined type of user information indicating a state of the user from an authentication terminal associated with the user in advance;
Based on the user information, a learning unit that generates a classifier for identifying the user,
When performing the authentication of the user, obtain the user information from the authentication terminal, based on the identity of the user calculated by the classifier using the user information, the security level required for the authentication A determination unit for determining
A selection unit that selects a method suitable for the security level from among a plurality of authentication methods. The collection unit, when the user makes an authentication request from a login terminal different from the authentication terminal, acquires identification information of the login terminal,
The method determination device according to claim 1, wherein the learning unit generates the classifier based on the user information and the identification information. A state determination unit that determines a current state of the user based on the user information,
3. The method determination device according to claim 1, wherein the selection unit selects a method suitable for the determined current state. 4.   4. The method determination device according to claim 1, wherein the learning unit generates the classifier based on a difference from information of another user different from the user. 5. A priority acquisition unit for acquiring priority information of the plurality of authentication methods registered by the user,
The method determination device according to claim 1, wherein the selection unit selects a method based on the priority information. The time until the authentication succeeds, or comprising a usability acquisition unit for acquiring usability information for each method including the number of failures,
The method determination device according to claim 1, wherein the selection unit selects a method based on the usability information. A collecting step of collecting a predetermined type of user information indicating a state of the user from an authentication terminal previously associated with the user;
Based on the user information, a learning step of generating a classifier for identifying the user,
When performing the authentication of the user, obtain the user information from the authentication terminal, based on the identity of the user calculated by the classifier using the user information, the security level required for the authentication A determining step of determining
Selecting a method suitable for the security level from among a plurality of authentication methods. A collecting step of collecting a predetermined type of user information indicating a state of the user from an authentication terminal previously associated with the user;
Based on the user information, a learning step of generating a classifier for identifying the user,
When performing the authentication of the user, obtain the user information from the authentication terminal, based on the identity of the user calculated by the classifier using the user information, the security level required for the authentication A determining step of determining
And a selecting step of selecting a method suitable for the security level from among the plurality of authentication methods.

Images