JP2022036851A - User authentication support device - Google Patents

Abstract

To provide a technique for realizing tolerant user authentication that reduces the burden on users.SOLUTION: A user authentication support device (gateway device 20) for supporting the verification of end users in services by multiple service providers has an information recording unit 22 configured to accumulate, in a database, user information that is information about an end user registered by the end user and trail information including information about a record that a first service accesses the user information of the end user in order for the end user to use the first service, a request reception unit 23 configured to accept, from end users, requests to subscribe to a second service that the end users have not subscribed to, an information acquisition unit 21 configured to extract, from the database, the user information about the end user and the trail information of the user information of the end user, which are required to subscribe to the second service, and an authentication support processing unit 24 configured to notify a service provider of the second service of the extracted user information and the trail information.SELECTED DRAWING: Figure 2

Description

The present disclosure relates to a technique for authenticating a user who uses a service provided on a network.

Some services provided on the Internet perform user authentication when using them. User authentication means verifying whether or not the information declared when using the service correctly indicates the user who uses the service. If it can be confirmed that the person who uses the service is the user himself / herself, the user is permitted to use the service. As a service that involves user authentication, some services require strict user authentication, while other services require more forgiving user authentication. Further, considering the convenience of the service for the user, it is desirable that the user authentication does not impose a burden on the user as much as possible.

Patent Documents 1 and 2 disclose techniques related to user authentication.

In the technique of Patent Document 1, the authentication server that authenticates the user manages the biometric authentication template information for confirming the identity of the user and the personal information of the user used for the service business in independent databases. Then, the authentication server has a means for limiting the access destination to only the biometric authentication template information when providing the service to the user. In addition, the authentication server has a means for setting a privacy policy for each user, and has a means for limiting services that use biometric authentication template information and personal information according to the user's privacy policy. Furthermore, it has a means of accepting usage applications according to the user's privacy policy for usage other than the purpose of use.

In the technology of Patent Document 2, the identity verification management device that performs identity verification outputs the information of the person to be confirmed who receives the identity verification and the information of the performer who performs the identity verification to the terminal (identified person terminal, identity verification performer terminal). Receive from and register in the database. Further, when the identity verification management device receives the request for implementation of the identity verification from the terminal of the person to be confirmed, the identity verification management device notifies the terminal of the identity verification performer of the request for implementation of the identity verification. Then, the identity verification management device receives and stores the identity verification result information obtained by performing the identity verification from the identity verification performer terminal.

Japanese Unexamined Patent Publication No. 2005-339308 Japanese Unexamined Patent Publication No. 2018-1737998

In the method of Patent Document 1, the authentication server manages the biometric authentication template information of each user, and the user authentication is performed using the information. Therefore, it can be said that the authentication server plays a role of guaranteeing the content of the user's information for user authentication. In the method of Patent Document 2, the identity verification management device manages the information of the person to be confirmed and sends the information to the person who carries out the identity verification. Therefore, it can be said that the identity verification management device plays a role of guaranteeing the content of the user's information for identity verification. That is, both methods require a device that plays a role of guaranteeing the content of the user's information for user authentication. Therefore, the user authentication itself becomes strict, and the burden on the user may become heavy.

However, as mentioned above, many services provided on the Internet or elsewhere allow forgiving user authentication. When the technique of Patent Document 1 or the technique of Patent Document 2 is applied to such a service, the convenience of the user may be reduced because excessively strict user authentication is applied.

One object of the present disclosure is to provide a technique for realizing tolerant user authentication that reduces the burden on the user.

A user authentication support device according to one aspect of the present disclosure is a device that supports verification of an end user in a service by a plurality of service providers, and includes user information that is information about the end user registered by the end user and the user information described above. An information recording unit that stores in a database trail information including information related to a record that the first service has accessed the user information of the end user in order for the end user to use the first service, and the end from the end user. A request reception unit that accepts a request for a user to subscribe to a second service that has not been subscribed, user information about the end user required to subscribe to the second service, and trail information of the user information of the end user. It has an information acquisition unit that extracts the above from the database, and an authentication support processing unit that notifies the service provider of the second service of the extracted user information and the trail information.

According to one aspect of the present disclosure, it is possible to realize tolerant user authentication that reduces the burden on the user.

It is a block diagram of a service providing system. It is a block diagram which shows the functional structure of a gateway device. It is a table showing user information. It is a table showing trail information. It is a block diagram which shows the hardware configuration of a gateway device. It is a sequence diagram of the trail information recording process. It is a sequence diagram of a service subscription process.

Hereinafter, embodiments of the present invention will be described with reference to the drawings.

FIG. 1 is a block diagram of a service providing system.

Referring to FIG. 1, the service providing system includes a web service providing device 11, a real service management device 12, a gateway device 20, and a user terminal 30.

The web service providing device 11 is a device that provides a web service to the end user 90. As an example, the web service providing device 11 is realized by software running on the platform provided by the gateway device 20. The web service referred to here is a service realized by web application software and provided to the end user 90 on the user terminal 30 via the Internet. Web services include, for example, online reservations such as travel, online shopping, and Internet banking. The web service here involves user authentication. That is, the web service providing device 11 confirms that the person who uses the service is the user himself / herself, and then provides the service to that person.

The real service management device 12 is a device that manages the real service provided to the end user 90. As an example, the real service management device 12 is realized by software running on the platform provided by the gateway device 20. The real service is a service provided by the service provider 80 directly facing the end user 90. Real services include, for example, selling products at stores and providing food and drink in restaurants. The real service management device 12 manages information associated with the real service, and manages, for example, the end user 90 who receives the provision of the real service. The real service here involves user authentication. That is, the service provider 80 of the real service confirms that the person who uses the service is the user himself / herself, and then provides the service to that person. In this embodiment, the user authentication of this real service is performed on the Internet in the same manner as the user authentication of the web service.

The gateway device 20 is a device that provides a platform for service providers 80 of various services including web services and real services to provide services. The gateway device 20 supports user authentication of the end user 90 executed by the web service providing device 11 or the real service management device 12 when the end user 90 subscribes to various services. The configuration of the gateway device 20 and the process for supporting the user authentication thereof will be described later.

The user terminal 30 is an information processing terminal for the end user 90 to use the web service by the web service providing device 11. The user terminal 30 is, for example, a personal computer, a smartphone, or the like. The user terminal 30 executes a browser or user application software, connects to the gateway device 20 and the web service providing device 11 or the real service management device 12 via a communication line such as the Internet, and provides a web service or a real service by the end user 90. Enables the use of.

FIG. 2 is a block diagram showing a functional configuration of the gateway device.

Referring to FIG. 2, the gateway device 20 has an information acquisition unit 21, an information recording unit 22, a request reception unit 23, an authentication support processing unit 24, and an electronic signature generation unit 25.

In the information recording unit 22, the first service ends in order to use the user information which is the information about the end user registered by the end user and the end user using a certain service (hereinafter, also referred to as "first service"). The trail information including the information about the record of accessing the user information of the user is stored in the database.

FIG. 3 is a table showing user information. User information of each end user 90 is recorded in the table of user information 41. The user information includes information on each item of user number, user name, gender, date of birth, telephone number, e-mail address, and biometric information.

The user number is a number that identifies each end user 90. The user name is the name of the end user 90. The gender is the gender of the end user 90. The date of birth is the date of birth of the end user 90. The telephone number is the telephone number of the end user 90. The e-mail address is the e-mail address of the end user 90. The biometric information is biometric information of the end user 90. The biometric information here is personally identifiable information obtained from the body of the end user 90. The biometric information is, for example, a fingerprint, a face, an iris, a voice, a vein, and the like.

FIG. 4 is a table showing trail information.

Referring to FIG. 4, trail information of each end user 90 is recorded in the table of trail information 42. The trail information includes a user number, a label, an update time stamp, an access service name, a service electronic signature, an access time stamp, and a user electronic signature.

The user number is a number that identifies each end user 90. This user number is the same as the user number included in the user information. The label is information indicating an item of user information. The update time stamp is a time stamp that represents the time when the user information is updated. The access service name is the name of the service that accessed the user information. The service digital signature is the digital signature of the service that accessed the user information. The electronic signature is, for example, a digital signature generated by a public key method. The access time stamp is a time stamp indicating the time when the service accesses the user information. The user digital signature is the digital signature of the end user 90.

The request reception unit 23 receives a request from the end user 90 to subscribe to a service (hereinafter, also referred to as "second service") to which the end user 90 has not subscribed.

The information acquisition unit 21 extracts the user information 41 regarding the end user 90 and the trail information 42 of the user information of the end user 90, which are required for subscribing to the second service, from the database.

The authentication support processing unit 24 notifies the service provider 80 of the second service of the extracted user information 41 and trail information 42.

As described above, according to the present embodiment, the trail information 42 generated for the end user 90 to use the first service is used for user authentication when the end user 90 subscribes to the second service which has not been subscribed. be able to. Since the reliability of the user information 41 can be measured by the trail information 42, the reliability of the user information 41 can be ensured to some extent even if there is no device for guaranteeing the contents of the user information 41 itself. Therefore, it is possible to realize a tolerant user authentication that reduces the burden on the user.

In this embodiment, when the end user 90 requests to subscribe to the second service, the request receiving unit 23 acquires the biometric information of the end user 90. Then, the electronic signature generation unit 25 generates an electronic signature based on the biometric information of the end user 90. Since the electronic signature is generated based on the biometric information, the guarantee of the user information 41 by the electronic signature can be realized with a light burden on the end user 90. Further, the information recording unit 22 encrypts and records the user information 41, and the electronic signature may be used as a private key for encryption. The electronic signature generation unit 25 may update the electronic signature every time the user information 41 is updated.

Further, in the present embodiment, the trail information 42 notified to the provider of the second service indicates the service that accessed the user information 41 and the time when the service is permitted to access, as shown in FIG. The information of the time stamp and the information of the update time stamp indicating the time when the user information 41 is updated are included. As a result, the provider of the second service can obtain the time when the access to the user information 41 is permitted to a certain service and the time when the user information 41 is updated. As a result, the reliability of the updated user information 41 can be measured more appropriately.

Further, in the present embodiment, the trail information 42 notified to the provider of the second service includes the electronic signature of the end user 90 for the user information 41 as shown in FIG. 4, and the electronic signature is the user. It may be updated every time the information 41 is updated. According to this, instead of having no device for guaranteeing the contents of the user information 41, the user information 41 is guaranteed to be tamper-proof by the user's own electronic signature.

FIG. 5 is a block diagram showing a hardware configuration of the gateway device.

The gateway device 20 has a processing device 31, a main memory 32, a storage device 33, a communication device 34, an input device 35, and a display device 36 as hardware, and these are connected to the bus 37.

The storage device 33 stores software programs and data so that they can be written and read. The user information 41 exemplified in FIG. 3 and the trail information 42 exemplified in FIG. 4 are stored in the storage device 33.

The processing device 31 is a processor that reads the data stored in the storage device 33 into the main memory 32 and executes the processing of the software program using the main memory 32. When the processing device 31 executes the software program, the information acquisition unit 21, the information recording unit 22, the request reception unit 23, the authentication support processing unit 24, and the electronic signature generation unit 25 shown in FIG. 2 are realized.

The communication device 34 transmits / receives information to / from an external device such as a user terminal 30. The communication device 34 transmits the information processed by the processing device 31 via a communication network including wired, wireless, or both, and also transmits the information received via the communication network to the processing device 31. The received information is used for software processing by the processing device 31.

The input device 35 is a device that receives information input by an operator such as a keyboard or a mouse, and the input information is used for software processing by the processing device 31.

The display device 36 is a device that displays image or text information on a display screen as a result of software processing by the processing device 31.

FIG. 6 is a sequence diagram of trail information recording processing. The trail information recording process is a process in which the gateway device 20 records the trail information 42. It should be noted that here, the process of recording trail information while the end user 90 is using the first service is illustrated, but the process is not limited to this. As another example, trail information may be recorded when the end user 90 subscribes to the first service.

When a certain end user 90 is using the first service and the first service providing device 10-1 providing the first service accesses the user information 41 of the end user 90 (step 101), the gateway device 20 Records the trail information 42 of the end user 90 by the information recording unit 22 (step 102). Specifically, a new line is added to the trail information 42 illustrated in FIG. 4, and the user No. of the end user 90 is added to the "user No." in that line. Is recorded, a label indicating an item of user information 41 accessed by the first service is recorded in the "label", the service name of the first service is recorded in the "access service name", and the first is recorded in the "service electronic signature". The electronic signature by the service is recorded, and the time when the first service is accessed is recorded in the "access time stamp".

Further, when the end user 90 updates his / her own user information 41 (step 103), the gateway device 20 records the trail information 42 of the end user 90 by the information recording unit 22 (step 104). Specifically, a new line is added to the trail information 42 illustrated in FIG. 4, and the user No. of the end user 90 is added to the "user No." in that line. Is recorded, a label indicating the item of the updated user information 41 is recorded in the "label", the time when the user information 41 is updated is recorded in the "update time stamp", and the end user is recorded in the "user electronic signature". 90 digital signatures are recorded.

FIG. 7 is a sequence diagram of service subscription processing. The service subscription process is a process executed when the end user 90 subscribes to a service that has not been subscribed. FIG. 7 shows a process in which the end user 90 subscribes to the second service.

When the end user 30 sends a service subscription request for subscription to the second service from the user terminal 30 (step 201), the service subscription request is made by the second service providing device 10-2 that provides the second service. Received. The second service providing device 10-2 requests the gateway device 20 for information used for authentication of the end user 90 (step 202). The information used for authentication is user information 41 and trail information 42.

The gateway device 20 extracts the user information 41 and the trail information 42 of the end user 90 from the database by the information acquisition unit 21 (step 203). Then, the gateway device 20 sends an information provision availability inquiry to the user terminal 30 (step 204) by the information acquisition unit 21, and informs the end user whether or not the user information 41 may be notified to the provider of the second service. Contact us.

When the end user 90 is permitted to notify the user information 41 to the provider of the second service, the information provision permission is transmitted from the user terminal 30 to the gateway device 20 (step 205). Upon receiving the information provision permission, the gateway device 20 sends the authentication information including the user information 41 and the trail information 42 to the second service providing device 10-2 by the information acquisition unit 21, thereby providing the authentication information to the second service. (Step 206).

The second service providing device 10-2 that has received the authentication information performs authentication based on the authentication information (step 207), and when it is determined that the permission is granted, the second service providing device 10-2 provides a service to the user terminal 30. The subscription permission is sent (step 208).

As described here, in the present embodiment, the gateway device 20 presents the user information 41 extracted from the database to the end user 90 by the information acquisition unit 21, and the user information 41 is used as the service provider of the second service. The end user 90 is urged to determine whether or not to permit the notification to the service provider, and if the end user 90 permits, the user information 41 and the trail information 42 are notified to the service provider. This makes it possible to prevent the user information 41 from being notified to the service provider of the second service without the permission of the end user 90. For example, when the information acquisition unit 21 presents the extracted user information 41 to the end user 90 and prompts the user to determine whether or not to allow the service provider of the second service to be notified, the user information 41 and the information acquisition unit 21. The notification enable / disable button may be displayed on the screen of the user terminal 30 of the end user 90. When the end user presses the notification enable / disable button, it is assumed that the end user 90 permits the notification by the operation, and the user information 41 and the trail information 42 may be notified to the service provider of the second service.

Further, here, as an example, it is assumed that the first service is a service to which the end user 90 has already subscribed. As a result, the reliability of the user information 41 can be measured by the trail information such as access by the service that confirms the user information 41 and permits the subscription.

Further, although the subscription to the web service is exemplified here, the above steps 202-203 and 206-207 may be executed in the case of subscription to the real service.

The above-mentioned examples of the present invention are examples for the purpose of explaining the present invention, and the scope of the present invention is not limited to those examples. One of ordinary skill in the art can practice the invention in various other embodiments without departing from the scope of the invention.

10 ... Service providing device, 11 ... Web service providing device, 12 ... Real service management device, 20 ... Gateway device, 21 ... Information acquisition unit, 22 ... Information recording unit, 23 ... Request reception unit, 24 ... Authentication support processing unit, 25 ... Electronic signature generator, 30 ... User terminal, 31 ... Processing device, 32 ... Main memory, 33 ... Storage device, 34 ... Communication device, 35 ... Input device, 36 ... Display device, 37 ... Bus, 41 ... User information , 42 ... Trail information, 80 ... Service provider, 90 ... End user

Claims (7)

A user authentication support device that supports end-user verification in services by multiple service providers.
User information that is information about the end user registered by the end user, and trail information including information about a record that the first service accesses the user information of the end user in order for the end user to use the first service. The information recording unit that stores the information in the database,
A request reception unit that accepts a request from the end user to subscribe to a second service that the end user has not subscribed to.
An information acquisition unit that extracts user information about the end user and trail information of the user information of the end user, which are required to subscribe to the second service, from the database.
An authentication support processing unit that notifies the service provider of the second service of the extracted user information and the trail information, and the authentication support processing unit.
User authentication support device with. The trail information further includes access time stamp information indicating a service accessing the user information and a time when the service is permitted to access, and update time stamp information indicating a time when the user information is updated.
The user authentication support device according to claim 1. The trail information further includes the end user's electronic signature on the user information.
The electronic signature is updated every time the user information is updated.
The user authentication support device according to claim 2. The request reception unit acquires the biometric information of the end user and obtains the biometric information of the end user.
The user authentication support device further includes an electronic signature generation unit that generates the electronic signature based on the biometric information of the end user.
The user authentication support device according to claim 3. The information recording unit encrypts the user information and uses the electronic signature as a secret key.
The user authentication support device according to claim 4. The information acquisition unit presents the user information extracted from the database to the end user, and determines whether or not to allow the user information to be notified to the service provider of the second service. To notify the service provider of the user information and the trail information if the end user permits.
The user authentication support device according to claim 1. The first service is a service that the end user has subscribed to.
The user authentication support device according to claim 1.

Images