KR102205953B1 - User Certification method based on multi-device, and service apparatus therefor - Google Patents

Abstract

The present invention maps and manages one or more devices used by a user and user identification information, and performs authentication processing through one device selected at random among one or more devices mapped to the input user identification information when a user authentication is requested. A device-based user authentication method and a service apparatus therefor, comprising: mapping one or more first devices with user identification information of a specific user to register, and receiving user identification information from a second device requesting a service, the received user By selecting one of one or more first devices mapped to the identification information, user authentication is performed through the selected first device, and if user authentication is successful, security information for service use is generated, and a second device based on the security information It is implemented to provide services to devices.

Description

User Certification method based on multi-device, and service apparatus therefor.

The present invention relates to multi-device-based user authentication, and more specifically, one or more devices used by a user and user identification information are mapped and managed, and when user authentication is requested, among one or more devices mapped to the input user identification information. The present invention relates to a multi-device-based user authentication method for performing authentication processing through one randomly selected device, and a service apparatus therefor.

With the development of communication technology and digital technology, various online services based on the Internet are provided, and most of the online services are provided based on user authentication to provide services classified for each user or process billing.

The most basic user authentication method in such an online service is a login method based on an ID and password.

This is a method of certifying that the user is himself/herself by setting an ID and password when registering as a member, and inputting the previously registered ID and password every time after using the service.

However, in the case of a user authentication method based on information input by a user as described above, there is a problem in that sniffing through a hacking technique that intercepts data input from an input means through a key logger or the like is easy.

In order to solve this problem, there are cases in which it is necessary to check whether or not a hacking program such as a key logger is installed before inputting an ID and password, but this is inconvenient that it takes time to check, and in addition, a number of unspecified users In the case of a device that is commonly used, there is a problem that the reliability of the test result is degraded because it is not possible to know whether or not the test program has been altered.

Therefore, a new user authentication method capable of solving security vulnerabilities while minimizing user inconvenience is required.

Korean Patent Publication No. 10-2008-0067448, published on July 21, 2008 (Name: Security method in a computer using a mobile communication terminal)

Accordingly, the present invention is proposed to solve security vulnerabilities while minimizing user inconvenience, and is mapped to one or more devices used by a user and user identification information, and is mapped to the input user identification information when a user authentication is requested. An object of the present invention is to provide a multi-device-based user authentication method for performing authentication processing through one device selected at random among one or more devices, and a service apparatus therefor.

As a means for solving the above problems, the present invention provides a service communication unit for transmitting and receiving data with one or more first devices for user authentication and a second device for service use; A device registration unit that maps and registers at least one first device with user identification information of a specific user according to a registration request of at least one first device received through the service communication unit; When user identification information is received from the second device through the service communication unit, one or more first devices mapped to the user identification information are selected, user authentication is performed through the selected first device, and if user authentication is successful, the service An authentication processing unit that generates security information for use and provides it to the second device; It provides a service apparatus for user authentication based on a multi-device, comprising a storage unit for storing user identification information and mapping information between one or more first devices.

In the service apparatus for user authentication based on a multi-device according to the present invention, the device registration unit performs authentication on one or more first devices and maps the authenticated first device with user identification information.

In addition, in the service apparatus for user authentication based on a multi-device according to the present invention, the authentication processing unit is characterized in that it randomly selects a first device to perform user authentication.

In addition, in the service apparatus for user authentication based on a multi-device according to the present invention, after the authentication processing unit transmits a message including authentication information to the selected first device, the authentication information transmitted from the second device is transmitted to the first device. It is characterized in that it is determined that the user authentication has been successful if it matches the authentication information transmitted to.

In addition, in the service apparatus for user authentication based on a multi-device according to the present invention, the device registration unit downloads and installs a push client module activated by a push operation to one or more authenticated first devices.

In addition, in the multi-device-based user authentication service apparatus according to the present invention, the authentication processing unit calls a push client module installed in the selected first device and determines whether user authentication is successful according to a response from the push client module. It features.

In addition, in the service apparatus for user authentication based on a multi-device according to the present invention, security information may be generated in the form of a cookie or a token.

In addition, the present invention is another means for solving the above-described problem, the service device mapping user identification information and one or more first devices and registering; Receiving user identification information from a second device to be provided with a service; Checking one or more first devices mapped to the input user identification information, and selecting one of the one or more first devices; Performing user authentication through the selected first device; And if user authentication is successful, generating security information for service use and providing the security information to a second device.

In the multi-device-based user authentication method according to the present invention, the registering includes: receiving, by a service apparatus, a registration request from one or more first devices; Generating user identification information; Performing authentication for one or more first devices; It may include mapping and storing at least one authenticated first device and the user identification information.

In the multi-device-based user authentication method according to the present invention, the step of selecting one of one or more first devices may randomly select one of the one or more first devices.

In addition, in the multi-device-based user authentication method according to the present invention, the performing of user authentication includes: transmitting a message including authentication information to a selected first device; Receiving authentication information from a second device; If the authentication information received from the second device matches the authentication information transmitted to the first device, determining that the user authentication is successful.

In addition, in the multi-device-based user authentication method according to the present invention, the registering step further includes downloading and installing a push client module activated by a push operation from a service device to one or more authenticated first devices. can do.

In addition, the performing of user authentication may include: calling a push client module installed in the first device selected for user authentication by the service apparatus; Receiving a response to the call from the push client module of the first device activated by the call; And determining whether user authentication is successful according to a response to a call received from the push client module of the first device.

In addition, the present invention provides a computer-readable recording medium in which a program for performing a multi-device-based user authentication method is recorded.

The present invention maps and manages one or more devices used by a user and user identification information, and when a user authentication is requested, authentication processing is performed through one device selected at random among one or more devices mapped to the input user identification information, Regardless of whether input information is exposed through hacking programs such as key loggers, and forgery or alteration of inspection programs, reliable user authentication results can always be provided.

In particular, the present invention performs user authentication through a device used by a user for service use, not a public device, but through a trusted third device previously registered by the user, thereby changing the location of the attacker's sniffing target. You can increase your credibility.

In addition, the present invention is not a fixed device, but by performing user authentication through a randomly selected device among multi-devices used by the user, thereby increasing the complexity of the attack due to a plurality of sniffing targets, and as a result, it is possible to improve the security vulnerability. have.

1 is a block diagram showing a multi-device-based user authentication system according to the present invention.
2 is a configuration diagram of a service apparatus in a multi-device-based user authentication system according to the present invention.
3 is a configuration diagram of a first device used for authentication in a multi-device-based user authentication system according to the present invention.
4 is a block diagram of a second device used when using a service in the multi-device-based user authentication system according to the present invention.
5 is a flowchart illustrating a multi-device-based user authentication method according to the first embodiment of the present invention.
6 is a flowchart illustrating a multi-device-based user authentication method according to a second embodiment of the present invention.

Hereinafter, preferred embodiments of the present invention will be described in detail with reference to the accompanying drawings. However, in the following description and the accompanying drawings, detailed descriptions of known functions or configurations that may obscure the subject matter of the present invention will be omitted. In addition, it should be noted that the same components are indicated by the same reference numerals as possible throughout the drawings.

The terms or words used in the present specification and claims described below should not be construed as being limited to a conventional or dictionary meaning, and the inventor is appropriate as a concept of terms for describing his own invention in the best way. It should be interpreted as a meaning and concept consistent with the technical idea of the present invention on the basis of the principle that it can be defined. Therefore, the embodiments described in the present specification and the configurations shown in the drawings are only the most preferred embodiments of the present invention, and do not represent all the technical ideas of the present invention, and thus various alternatives that can be substituted for them at the time of application It should be understood that there may be equivalents and variations.

In addition, terms including ordinal numbers such as first and second are used to describe various elements, and are only used for the purpose of distinguishing one element from other elements, and to limit the elements. Not used. For example, without departing from the scope of the present invention, a second component may be referred to as a first component, and similarly, a first component may be referred to as a second component.

In addition, when a component is referred to as being "connected" or "connected" to another component, it means that it is logically or physically connected or can be connected. In other words, it should be understood that a component may be directly connected or connected to another component, but another component may exist in the middle, or may be indirectly connected or connected.

In addition, terms used in the present specification are only used to describe specific embodiments, and are not intended to limit the present invention. Singular expressions include plural expressions unless the context clearly indicates otherwise. In addition, terms such as "comprises" or "have" described herein are intended to designate the presence of features, numbers, steps, actions, components, parts, or a combination thereof described in the specification. It is to be understood that the above other features, or the possibility of the presence or addition of numbers, steps, actions, components, parts, or combinations thereof, are not preliminarily excluded.

The multi-device-based user authentication system according to the present invention is for performing user authentication through one device selected from one or more devices (referred to as multi-devices) used by a user during user authentication, and its configuration And explain the action.

1 is a block diagram showing a multi-device-based user authentication system according to the present invention.

Referring to FIG. 1, a multi-device-based user authentication system according to the present invention includes a service device 100, one or more first devices 200, and a second device 100 directly or indirectly connected to each other through a communication network 10. It includes a device 300.

Here, the communication network 10 performs a series of data transmission/reception operations for exchanging and requesting information between the service apparatus 100 and the first device 200 and the second device 300. The communication network 10 is currently known or under development, and various types of communication networks available in the future may be used, for example, WLAN (Wireless LAN), Wi-Fi, Wibro, and WiMAX. Wireless communication methods such as (Wimax), High Speed Downlink Packet Access (HSDPA), or Ethernet, xDSL (ADSL, VDSL), HFC (Hybrid Fiber Coax), FTTC (Fiber to The Curb), Wired communication methods such as FTTH (Fiber To The Home) may be used.

For reference, when the first device 200 is a wireless-based portable terminal device, the communication network 10 is connected to the first device 200 through a wireless communication network (for example, a mobile communication network or a Wi-Fi network). When the second device 300 is a PC, the communication network 10 may be connected to the second device 300 through a wired network (eg, an Internet network) to transmit and receive data.

That is, the communication network 10 may be formed by combining two or more different communication networks for communication with the first device 200 and the third device 300.

Now, the service apparatus 100 and the first and second devices 200 and 300 constituting the multi-device-based user authentication system according to the present invention will be described.

The service apparatus 100 is a server apparatus that performs multi-device-based user authentication processing according to the present invention. The service device 100 may be an authentication server that performs only authentication, or may be a service server for providing a predetermined service including an authentication function.

In addition, at least one first device 200 is a user device that performs multi-device-based user authentication by interworking with the service device 100, and the second device 300 requests user authentication, and the user authentication result It can be classified into user devices that use the following security information.

That is, the present invention separates a device that requests user authentication and uses security information according to a user authentication result from a device on which user authentication is performed, and based on this user authentication process, the first device 200 and the second device 300 can be distinguished.

Here, it is preferable that the at least one first device 200 can be accessed only by a specific user and is a trusted user device. For example, the terminal is a mobile phone, a portable multimedia player (PMP), or a mobile internet device (MID). , Smartphone (Smart Phone), personal desktop (Desktop), tablet computer (Tablet PC), notebook (Note book), it can be a net book (Net book).

On the other hand, the second device 300 is not limited to any user device that can access the service device 100 and process the service provided by the service device 100, and in particular, a mobile phone, a portable multimedia device (PMP). Player), MID (Mobile Internet Device), Smart Phone, as well as Desktop, Tablet PC, Note Book, Net Book, which can be used by many unspecified people. Can be included.

In addition, the service apparatus 100 and the first and second devices 200 and 300 described above operate as follows for multi-device-based user authentication.

First, the service apparatus 100 according to the present invention maps and registers user identification information and one or more first devices 200 for each user for multi-device-based user authentication.

To this end, the service apparatus 100 may generate user identification information according to a user's request and may receive a registration request from one or more first devices 200. In addition, the service apparatus 100 may perform device authentication with respect to one or more first devices 200.

Here, the user identification information is information for classifying a user when using a service, and may be an ID set by the user.

In addition, the service apparatus 100 receives user identification information from any second device 300 that has accessed for service use. The user identification information may be input by the user through the second device 300 connected to the service apparatus 100.

Accordingly, the service apparatus 100 checks one or more first devices 200 mapped to the user identification information received from the second device 300 and selects one of them. In addition, the service device 100 performs user authentication through the first device 200, and security information (eg, cookie or token) for service use to the second device 300 according to the user authentication result. And provide it.

User authentication through the first device 200 selected above may be performed in various ways, and a specific embodiment thereof will be described with reference to FIG. 2.

2 is a block diagram of a service apparatus 100 in a multi-device-based user authentication system according to the present invention.

Referring to FIG. 2, a service apparatus 100 for user authentication based on a multi-device according to the present invention includes a service communication unit 2600, a device registration unit 120, an authentication processing unit 130, and a storage unit 140. ) Can be included.

The service communication unit 2600 is a component for transmitting and receiving data by communicating with the first and second devices 200 and 300 for user authentication based on a multi-device based on the communication network 10.

The device registration unit 120 is a configuration for mapping and managing one or more first devices 200 to be used for multi-device-based user authentication and user identification information of a corresponding user for each user. To this end, the device registration unit 120 receives a registration request from one or more first devices 200 through the service communication unit 2600, and the at least one first device 200 requested to be registered is a user of a specific user. It is mapped with the identification information and stored in the storage unit 140. Here, the user identification information may be generated according to user settings. In addition, the device registration unit 120 performs device authentication for the at least one first device 200 requested for registration in order to increase trust in the first device 200 to be used for user authentication, and is verified through this. Only the first device 200 may be mapped to user identification information.

Next, the authentication processing unit 130 is a configuration for processing user authentication to use the service. Specifically, when the user identification information is received from the second device 300 through the service communication unit 2600, the authentication processing unit 130, the at least one first device 200 mapped to the user identification information. One of them is selected, user authentication is performed through the selected first device 200, and if user authentication is successful, security information for service use is generated and provided to the second device 300. Here, the security information is information related to user authorization for setting user authentication status and service use range, and may be generated and provided in the form of a cookie or token. In addition, the security information may be set to be effective for a certain period or when certain conditions are satisfied.

Here, the authentication processing unit 130 may receive user identification information corresponding to a user who will use the service together with the service request from the second device 300 requesting the service.

In addition, when selecting one of the one or more first devices 200 mapped to the received user identification information, the authentication processing unit 130 may select randomly. As described above, by randomly selecting the first device 200 to perform user authentication, uncertainty about an attack target may be increased, making it difficult to attack.

In addition, the authentication processing unit 130 may perform user authentication in various ways through the selected first device 200. In this embodiment, the authentication processing unit 130 transmits a message including authentication information. After transmitting to the first device 200, authentication information is received from the second device 300 and the authentication information received from the second device 300 is transmitted to the first device 200 If it matches with, it can be determined that user authentication has been successful. Here, the authentication information may be a random authentication number randomly selected for user authentication, and the message may be transmitted through various text message services including SMS, MMS, and LMS. The message including the transmitted authentication information is provided to the user through the selected first device 200, and the user who confirms this inputs the verified authentication information through the second device 300 and sends the message to the service device 100. Can be transmitted.

In another embodiment, in order to perform user authentication, the device registration unit 120 may download and install a push client module activated by a push operation on one or more first devices 200 to be mapped with user identification information. have. This may be accomplished by the device registration unit 120 instructing installation by transmitting a program corresponding to the push client module to the one or more first devices 200. In addition, the push client module is activated according to a call from the service device 100 and outputs user authentication-related information to the user through the first device 200, and a response to the call (authentication confirmation) according to a preset algorithm. Response, etc.) may be implemented to transmit to the service device 100. Here, the response to the call may be made through user confirmation.

In this case, the authentication processing unit 130 may call a push client module installed in the first device 200 selected for user authentication, and determine whether user authentication is successful according to a response from the push client module. . That is, when a normal response is received from the first device 200, it is determined that user authentication is successful, and if the response is not received, it may be determined that user authentication has failed.

Finally, the storage unit 140 is a configuration for storing data and programs required for the operation of the service apparatus 100, and in particular, may store data for user authentication based on a multi-device according to the present invention. In more detail, the storage unit 140 may store the mapping information 141 between the user identification information registered by the device registration unit 120 and one or more first devices, and user authentication by the authentication processing unit 130 The security information 142 provided in the case of success in may be temporarily stored.

Next, a first device 200 that performs user authentication in conjunction with the service device 100 will be described with reference to FIG. 3.

3 is a block diagram illustrating a first device 200 used for user authentication in a multi-device-based user authentication system according to the present invention.

Referring to FIG. 3, a first device 200 includes an input unit 210, a display unit 220, a communication unit 230, an audio processing unit 240, a storage unit 250, and a control unit 260.

Here, the controller 260 may include at least one of a push client module 261 that operates in conjunction with the service device 100 for user authentication and a message processing module 262 that transmits and receives a text message.

In more detail, the input unit 210 controls various information such as numeric and character information input from the user, various function settings, and signals input in connection with function control of the first device 200. Pass it to 260. In particular, the input unit 210 of the present invention may receive a user command for requesting device registration or may receive a user confirmation signal for a user authentication request after registration.

The input unit 210 may include at least one of a keypad and a keypad that generates an input signal according to a user's touch or manipulation. In this case, the input unit 210 is configured in the form of a single touch panel (or touch screen) together with the display unit 220 to perform input and display functions at the same time. In addition, as the input unit 210, in addition to input devices such as a keyboard, keypad, mouse, and joystick, all types of input means that may be developed in the future may be used.

The display unit 220 displays information on a series of operation states and operation results that occur while performing a function of the first device 200. In addition, the display unit 220 may display a menu of the first device 200 and user data input by the user. The display unit 220 includes a liquid crystal display (LCD), an ultra-thin liquid crystal display (TFT-LCD, Thin Film Transistor LCD), a light emitting diode (LED), and an organic light emitting diode (OLED). LED), active organic light emitting diodes (AMOLED, Active Matrix OLED), Retina Display, flexible display, and 3D display. In this case, when the display unit 220 is configured in the form of a touch screen, the display unit 220 may perform some or all of the functions of the input unit 210. The display unit 220 according to an embodiment of the present invention may output a screen related to user authentication processed by the push client module 261 or the message processing module 262.

The communication unit 230 is a component for communicating with the service apparatus 100 and serves to support transmission and reception of data related to a device registration process for multi-device user authentication.

For example, the communication unit 230 may transmit a device registration request to the service device 100, receive an authentication request from the service device 100, and transmit a response thereto.

In addition, in an embodiment of the present invention, the communication unit 230 may receive a text message including authentication information, and in another embodiment of the present invention, it corresponds to a push client module for interworking with the service device 100 You can receive a program to do.

The audio processing unit 240 is connected to a microphone (MIC), a speaker (SPK), and the like to process an audio signal generated during operation of the first device 200, and the audio signal generated during operation is transmitted to the speaker (SPK). Through this, it is possible to output as an audible sound or convert various audible sounds recognized through a microphone (MIC) into an audio signal.

The storage unit 250 is a configuration for storing data and programs, and specifically, the storage unit 250 stores an OS program that boots the first device 200 and at least one application program executed based on the OS program. I can. In particular, the storage unit 250 may store programs corresponding to the push client module 261 and the message processing module 262. The storage unit 250 includes a flash memory, a hard disk, a multimedia card micro-type memory (eg, SD or XD memory, etc.), RAM, and ROM ( It may be configured to include a storage medium such as ROM).

The controller 260 performs overall control of the first device 200, and in hardware, at least one processor including a CPU (Central Processing Unit) / MPU (Micro Processing Unit) and at least one memory loading data It may include a loaded execution memory (eg, a register and/or a random access memory (RAM)) and a bus for inputting and outputting at least one data to the processor and the memory. In addition, the software may include a predefined function of the first device 200, that is, a predetermined program routine or program data that is loaded into a memory from a predetermined recording medium and processed by a processor. The push client module 261 and the message processing module 262 included in the control unit 260 may be configured as a combination of the program routine or program data corresponding to each function and a processor.

The controller 260 of the present invention is functionally connected to at least one or more components provided in the first device 200 to support multi-device-based user authentication according to an embodiment of the present invention. That is, the control unit 260 is functionally connected to the input unit 210, the display unit 220, the communication unit 230, the audio processing unit 240, and the storage unit 250, and supplies power and functions to the respective components. It controls the flow of signals for.

Specifically, the controller 260 of the first device 200 may control the communication unit 230 according to a user input signal transmitted through the input unit 210 to request device registration from the service apparatus 100. Thereafter, when device authentication is requested from the service device 100, a response for the requested device authentication may be transmitted to the service device 100. The response may be in the form of transmitting information for authenticating the first device 200, for example, device identification information, or a pre-stored certificate.

In addition, in another embodiment of the present invention, after requesting device registration, the first device 200 may download and install the push client module 261 according to a request from the service device 100. . That is, the push client module 261 may be configured through a device registration process.

The first device 200 registered with the service device 100 through the above-described registration process receives a text message including authentication information from the service device 100 or receives a call signal to the push client module 261 can do. In this case, the control unit 260 outputs a text message including the authentication information received through the message processing module 262 to the display unit 220 so that the user can check or activate the push client module 261 , Performs processing according to the algorithm of the push client module 261. Specifically, the activated push client module 261 outputs through the display unit 220 that user authentication has been requested to notify the user, and responds to the call according to whether the user has been confirmed through the input unit 210 100). In this case, the response to the call may include information for supporting user authentication, for example, authentication information for a certificate or user authentication.

Next, FIG. 4 is a block diagram illustrating a second device 300 used when using a service in a multi-device-based user authentication system according to the present invention.

Referring to FIG. 4, the second device 300 includes an input unit 310, a display unit 320, a communication unit 330, an audio processing unit 340, a storage unit 350, and a control unit 360.

Here, the control unit 260 may include a browser module 361 interworking with the service device 100 to use a service, and the storage unit 250 is provided with security information from the service device 100 according to user authentication. Can store 351.

In more detail for each component, the input unit 310 controls various information such as numeric and character information input from a user, various function settings, and signals input in connection with function control of the second device 300. Forward to 360. In particular, the input unit 310 of the present invention may receive a request for access to the service device 100 in order to use a specific service, or may receive user identification information for user authentication.

The input unit 310 may be configured to include at least one of a keypad and a touch pad that generate an input signal according to a user's touch or manipulation. In this case, the input unit 310 is configured in the form of a single touch panel (or touch screen) together with the display unit 320 to perform input and display functions at the same time. In addition, as the input unit 310, in addition to input devices such as a keyboard, a keypad, a mouse, and a joystick, all types of input means that may be developed in the future may be used.

The display unit 320 displays information on a series of operation states and operation results that occur while performing a function of the second device 300. Also, the display unit 320 may display a menu of the second device 300 and user data input by a user. The display unit 320 includes a liquid crystal display (LCD), an ultra-thin liquid crystal display (TFT-LCD, Thin Film Transistor LCD), a light emitting diode (LED), an organic light emitting diode (OLED, organic). LED), active organic light emitting diodes (AMOLED, Active Matrix OLED), Retina Display, flexible display, and 3D display. In this case, when the display unit 320 is configured in the form of a touch screen, the display unit 320 may perform some or all of the functions of the input unit 310. The display unit 320 according to an embodiment of the present invention may output a service page accessed through the browser module 361. The service page may include a function of inputting user identification information and/or authentication information.

The communication unit 330 is a component for communicating with the service device 100 and serves to support transmission and reception of data related to service use.

For example, the communication unit 330 may transmit one of a service request, user identification information, and authentication information to the service device 100 and receive security information and a service page including an authentication result from the service device 100.

The audio processing unit 340 is connected to a microphone (MIC), a speaker (SPK), and the like, and is configured to process an audio signal generated during operation of the second device 300. The audio signal generated during operation is transmitted to the speaker SPK. Through this, it is possible to output as an audible sound or convert various audible sounds recognized through a microphone (MIC) into an audio signal. In particular, the audio processing unit 340 may output an audio signal generated during service use.

The storage unit 350 is a configuration for storing data and programs. Specifically, the storage unit 350 stores an OS program for booting the second device 300 and at least one application program executed based on the OS program. I can. In particular, the storage unit 350 may store the security information 351 provided from the service device 100 for a predetermined period.

The storage unit 350 includes a flash memory, a hard disk, a multimedia card micro-type memory (eg, SD or XD memory, etc.), RAM, and ROM ( It may be configured to include a storage medium such as ROM).

The controller 360 performs overall control of the second device 300, and in hardware, at least one processor including a CPU (Central Processing Unit) / MPU (Micro Processing Unit) and at least one memory loading data It may include a loaded execution memory (eg, a register and/or a random access memory (RAM)) and a bus for inputting and outputting at least one data to the processor and the memory. In addition, the software may include a predefined function of the second device 300, that is, a predetermined program routine or program data that is loaded from a predetermined recording medium into a memory and processed by a processor. The control unit 360 may include a browser module 361 for processing a web-based service page, and may receive and output a service page provided by the service device 100 through the browser module 361. have.

The controller 360 of the present invention is functionally connected to at least one or more components provided in the second device 300 to support service use through multi-device-based user authentication according to an embodiment of the present invention. That is, the control unit 360 is functionally connected to the input unit 310, the display unit 320, the communication unit 330, the audio processing unit 340, and the storage unit 350, and supplies power and functions to the respective components. It controls the flow of signals for.

Specifically, the control unit 360 of the second device 300 may control the communication unit 330 according to a user input signal transmitted through the input unit 310 to request a service page from the service device 100, and the request The service page provided according to the result may be rendered through the browser module 361 and output to the display unit 320. The service page output in this way may include a configuration for inputting user identification information, and transmits the user identification information input through this to the service device 100 to request user authentication.

Thereafter, the controller 360 may receive authentication information for user authentication through the input unit 310 and further transmit the authentication information to the service device 100.

In addition, the control unit 360 may receive and store security information including a user authentication result from the service device 100.

Thereafter, the controller 360 may use various services provided by the service device 100 based on the security information.

Next, a multi-device-based user authentication method performed through the service apparatus 100 configured as described above and the first and second devices 200 and 300 will be described.

First, FIG. 5 is a flow chart showing a multi-device-based user authentication method according to a first embodiment of the present invention.

Referring to FIG. 5, a user who wants to use multi-device-based user authentication may request registration to the service apparatus 100 through one or more first devices 200 (S105). Here, the device registration request may be transmitted by each of the at least one first device 200 directly accessing the service apparatus 100, and the at least one first device may be transmitted through any one of the at least one first device 200. You can also request registration for (200).

Accordingly, the service device 100 generates user identification information for the user, and the user identification information (ID) may be generated based on user information or may be generated based on input data from the user (S110). .

In addition, the service apparatus 100 transmits a device authentication request message to the one or more first devices 200 in order to verify the one or more first devices 200 requested for registration (S115), and Therefore, the at least one first device 200 is verified (S120).

In addition, the service apparatus 100 maps and stores the at least one verified first device 200 with the generated user identification information (S125).

In this case, the service apparatus 100 according to the present invention may download a predetermined program to one or more verified first devices 200 and install the push client module 261.

Thereafter, the user may access the service apparatus 100 through a second device 300 other than the one or more previously registered first devices 200 and request service use (S130). Here, the second device 300 may be a user device installed in a public place and available to a large number of unspecified users.

In this case, the user may input his/her user identification information (ID) through the second device 300 according to the guide of the service page provided from the service apparatus 100 and transmit the input to the service apparatus 100 (S135). .

The service apparatus 100 receiving the user identification information through the second device 300 requesting the service in this way checks the one or more first devices 200 mapped to the received user identification information (S140), and One is selected as a target device to perform user authentication (S145). In this case, the selection of a device to perform user authentication may be made randomly.

Then, the service apparatus 100 calls the push client module 261 installed in the selected first device 200 for user authentication (S150).

At this time, the push client module 261 is normally installed in the called first device 200, and the push client module 261 operates, notifying the user that authentication has been requested, so that the user can check it (S155 ), and also transmits a response according to a preset algorithm to the service device 100 (S160). Here, the response may be transmitted through user confirmation, and may not be transmitted when the user rejects the response.

Therefore, after calling the push client module 261 of the selected first device 200, the service device 100 determines that user authentication has failed if a response is not received. On the other hand, when a response is received, the user authentication is successful. It is determined that the user authentication is successful and security information (for example, a cookie or a token) including information on user authority is generated (S165).

In addition, after transmitting the user identification information in step S135, the second device 300 reconnects to the service apparatus 100 again when a predetermined time elapses (S170).

Accordingly, the service apparatus 100 provides the generated security information to the second device 300 based on the result of the authentication process in step S165 above, and executes the service based on the security information (S175).

The above describes an embodiment of performing user authentication using a push method.

Therefore, when a user intends to use the service through the second device 300 that is exposed to an unspecified number of people or does not know whether forgery or alteration is not known, the user is not exposed by entering both the ID and password, but by entering only the user identification information, It is possible to securely process user authentication through any one of the trusted one or more first devices 200.

Next, FIG. 6 is a flow chart illustrating a multi-device-based user authentication method according to a second embodiment of the present invention.

Referring to FIG. 6, as in the above-described first embodiment, a user who wants to use multi-device-based user authentication may request registration as the service apparatus 100 through one or more first devices 200 ( S205). Here, the device registration request may be directly connected to the service device 100 through one or more first devices 200, and the one or more first devices 200 through any one of the one or more first devices 200. You can also request registration for ).

Thereafter, the service device 100 generates user identification information for the user, and the user identification information (ID) may be generated based on user information or may be generated based on input data from the user (S210). .

In addition, the service device 100 transmits a device authentication request message to the one or more first devices 200 to verify the one or more first devices 200 requested for registration (S215), and responds to the Therefore, the at least one first device 200 is verified (S220).

In addition, the service apparatus 100 maps and stores the at least one verified first device 200 with the generated user identification information (S225).

Steps S205 to S225 described above are performed similarly to steps S105 to S125 of the first embodiment. The process of installing the module 261 is omitted.

Thereafter, the user may access the service apparatus 100 through a second device 300 other than the one or more previously registered first devices 200 and request service use (S230). Here, the second device 300 may be a user device installed in a public place and available to a large number of unspecified users.

In this case, the user may input his/her user identification information (ID) through the second device 300 according to the guide of the service page provided from the service device 100 and transmit it to the service device 100 (S235). .

The service apparatus 100 receiving the user identification information through the second device 300 requesting the service in this way checks the at least one first device 200 mapped to the received user identification information (S240), and One is selected as a target device to perform user authentication (S245). In this case, the selection of a device to perform user authentication may be made randomly.

Then, the service apparatus 100 transmits authentication information to the selected first device 200 for user authentication (S250). Here, the authentication information may be transmitted through a message service such as SMS, MMS, and LMS.

Accordingly, the selected first device 200 receives a message including the authentication information through the message processing module 262 and then outputs it through the display unit 22 (S255).

The user who checks the authentication information through the first device 200 in this way may input the authentication information through the service page accessed by the second device 300 and transmit the authentication information to the service apparatus 100 (S260).

Upon receiving the authentication information from the second device 300 requesting the service, the service device 100 compares whether the received authentication information matches the authentication information previously transmitted to the first device 200, and if it does, the user It is determined that authentication is successful, and security information (eg, cookie) including information on whether or not user authentication is successful and user authority is generated (S265).

Then, the generated security information is provided to the second device 300, and then, a service is executed based on the security information (S270).

According to the above, authentication information (eg, authentication number) is transmitted to the first device 200 randomly selected from among the multi-devices, and the transmitted authentication number is input to the second device 300, so that the second device Through 300, the possibility that user information is exposed and the possibility that an attacker intercepts the authentication information transmitted to the randomly selected first device 200 can be minimized, and as a result, reliability for user authentication can be increased.

The multi-device-based user authentication method according to the present invention described above may be implemented in a form of software that can be read through various computer means and recorded on a computer-readable recording medium. Here, the recording medium may include a program command, a data file, a data structure, or the like alone or in combination. The program instructions recorded on the recording medium may be specially designed and configured for the present invention, or may be known and usable to those skilled in computer software. For example, the recording medium is a magnetic medium such as a hard disk, a floppy disk, and a magnetic tape, an optical medium such as a compact disk read only memory (CD-ROM), a digital video disk (DVD), and a floppy disk. Magnetic-Optical Media, such as a floptical disk, and hardware devices specially configured to store and execute program instructions such as ROM, Random Access Memory (RAM), Flash memory, etc. do. Examples of the program instructions may include not only machine language codes such as those produced by a compiler but also high-level language codes that can be executed by a computer using an interpreter or the like. These hardware devices may be configured to operate as one or more software modules to perform the operation of the present invention, and vice versa.

Further, a processor mounted in the service apparatus 100 or the first and second devices 200 and 300 according to the present invention may process program instructions for executing the method according to the present invention. In one implementation example, the processor may be a single-threaded processor, and in another implementation example, the processor may be a multithreaded processor. Furthermore, the processor is capable of processing instructions stored in a memory or a storage device.

The service apparatus 100 or the first and second devices 200 and 300 according to the present invention may be driven by a command that causes one or more processors to perform the functions and processes described above. For example, such instructions may include interpreted instructions such as script instructions such as JavaScript or ECMAScript instructions, executable code, or other instructions stored in a computer-readable medium. Furthermore, the device according to the present invention may be implemented in a distributed manner over a network, such as a server farm, or may be implemented in a single computer device.

Although the present specification and drawings describe exemplary device configurations, the functional operations and implementations of the subject described in this specification may be implemented with other types of digital electronic circuits, or the structures disclosed herein and structural equivalents thereof. It may be implemented with computer software, firmware, or hardware, or may be implemented by a combination of one or more of them. Implementations of the subject matter described in this specification are one or more computer program products, that is, one relating to computer program instructions encoded on a tangible program storage medium for execution by or for controlling the operation of a device according to the invention. It can be implemented as the above module. The computer-readable medium may be a machine-readable storage device, a machine-readable storage substrate, a memory device, a composition of materials that affect a machine-readable radio wave signal, or a combination of one or more of them.

A computer program (also known as a program, software, software application, script or code) mounted on the device according to the present invention and executing the method according to the present invention is a compiled or interpreted language or programming including a priori or procedural language. It can be written in any form of language, and can be deployed in any form, including standalone programs, modules, components, subroutines, or other units suitable for use in a computer environment. Computer programs do not necessarily correspond to files in the file system. A program may be in a single file provided to the requested program, or in multiple interactive files (e.g., files that store one or more modules, subprograms, or portions of code), or part of a file that holds other programs or data. (Eg, one or more scripts stored within a markup language document). The computer program may be deployed to run on one computer or multiple computers located at one site or distributed across a plurality of sites and interconnected by a communication network.

Implementations of the subject matter described herein include a backend component, such as a data server, or a middleware component such as an application server, or, for example, a web browser or graphic user that allows a user to interact with an implementation of the subject matter described herein. It can be implemented in a front-end component, such as a client computer with an interface, or a computing system that includes any combination of one or more of such back-ends, middleware or front-end components. The components of the system can be interconnected by any form or medium of digital data communication, for example a communication network.

While this specification includes details of a number of specific implementations, these should not be construed as limiting to the scope of any invention or claim, but rather as a description of features that may be peculiar to a particular embodiment of a particular invention. It must be understood. Certain features described herein in the context of separate embodiments may be implemented in combination in a single embodiment. Conversely, various features described in the context of a single embodiment can also be implemented in multiple embodiments individually or in any suitable sub-combination. Furthermore, although features operate in a particular combination and may be initially described as so claimed, one or more features from a claimed combination may in some cases be excluded from the combination, and the claimed combination may be a subcombination. Or sub-combination variations.

Likewise, although operations are depicted in the drawings in a specific order, it should not be understood that such operations must be performed in that particular order or sequential order shown, or that all illustrated operations must be performed in order to obtain a desired result. In certain cases, multitasking and parallel processing can be advantageous. In addition, separation of the various system components of the above-described embodiments should not be understood as requiring such separation in all embodiments, and the program components and systems described are generally integrated together into a single software product or packaged in multiple software products. You should understand that you can.

In addition, although the present specification and drawings disclose a preferred embodiment of the present invention, it is common in the technical field to which the present invention pertains that other modified examples based on the technical idea of the present invention can be implemented even with the exceptions disclosed herein. It is self-evident to those who have knowledge. In addition, specific terms have been used in the specification and drawings, but these are merely used in a general meaning to easily describe the technical content of the present invention and to aid understanding of the present invention, and are not intended to limit the scope of the present invention.

Therefore, the scope of the present invention should not be determined by the described embodiments, but should be determined by the claims.

The present invention maps and manages one or more devices used by a user and user identification information, and when a user authentication is requested, authentication processing is performed through one device selected at random among one or more devices mapped to the input user identification information, Regardless of whether input information is exposed through hacking programs such as key loggers, and forgery or alteration of inspection programs, reliable user authentication results can always be provided.

In particular, the present invention performs user authentication through a device used by a user for service use, not a public device, but through a trusted third device previously registered by the user, thereby changing the location of the attacker's sniffing target. You can increase your credibility.

In addition, the present invention is not a fixed device, but by performing user authentication through a randomly selected device among multi-devices used by the user, thereby increasing the complexity of the attack due to a plurality of sniffing targets, and as a result, it is possible to improve the security vulnerability. have.

10: communication network
100: service device
200: first device
300: second device

Claims (14)

A service communication unit for transmitting and receiving data to and from one or more first devices for user authentication and a second device for service use;
A device registration unit for registering the at least one first device by mapping the at least one first device with user identification information of a specific user in response to a registration request of the at least one first device received through the service communication unit;
When user identification information is received from the second device through the service communication unit, one of the one or more first devices mapped to the user identification information is selected, user authentication is performed through the selected first device, and user authentication An authentication processing unit generating security information for use of the service and providing the security information to the second device upon success;
A storage unit for storing mapping information between the user identification information and one or more first devices,
The device registration unit
A service apparatus for multi-device-based user authentication, characterized in that performing authentication on the at least one first device and controlling to install a push client module activated by a push operation on the at least one authenticated first device. The method of claim 1, wherein the device registration unit
A service apparatus for multi-device-based user authentication, characterized in that mapping the authenticated first device with the user identification information. The method of claim 1, wherein the authentication processing unit
A service apparatus for multi-device-based user authentication, characterized in that the first device to perform user authentication is randomly selected. delete delete The method of claim 1, wherein the authentication processing unit
A service apparatus for multi-device-based user authentication, comprising calling a push client module installed in the selected first device and determining whether user authentication is successful according to a response from the push client module. delete Registering, by a service device, mapping user identification information and one or more first devices;
Receiving user identification information from a second device to be provided with a service;
Checking one or more first devices mapped to the input user identification information, and selecting one of the one or more first devices;
Performing user authentication through the selected first device; And
If user authentication is successful, the step of generating security information for using the service and providing it to the second device,
The registering step
Performing authentication for the at least one first device; And
Controlling to install a push client module activated by a push operation on the at least one authenticated first device;
Multi-device-based user authentication method comprising a. delete delete delete delete delete delete

Images