TW201820194A - Identity verification system, method, device, and account verification method - Google Patents
- Publication number
- TW201820194A TW106127337A
- Authority
- TW
- Taiwan
- Prior art keywords
- user
- information
- evaluation
- account
- user equipment
Classifications
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- G06F21/44—Program or device authentication
- G06F21/31—User authentication
- H04L63/0876—Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
- H04L63/102—Entity profiles
- G06F2221/2113—Multi-level security, e.g. mandatory access control
Abstract
Description
The present invention relates to the field of the Internet, and in particular to an identity authentication system, method, and device, and an account authentication method.
At present, as science and technology continue to advance, the identity authentication process for conducting personal online business (for example, opening a personal online store on a shopping platform website) is also changing rapidly. In the earliest form of identity authentication, individual users were asked to submit a photo of themselves holding their ID document, to ensure that the person matches the document. This was later upgraded to requiring individual users to upload or submit images of a specified dynamic gesture. Today, now that real-person authentication has been incorporated into big-data risk management, there is room to expand and diversify the technical means of identity authentication.
However, the mainstream identity authentication methods used in the related art can usually verify a user's identity only at the authentication stage, based on information such as the user's name, the user's personal identity document, and the user's facial image. They cannot monitor the authenticity of the user's identity in real time over the long term, which results in low security and reliability.
No effective solution to the above problem has yet been proposed.
Embodiments of the present invention provide an identity authentication system, method, and device, and an account authentication method, to at least solve the technical problem that the identity authentication methods used in the related art lack variety and make it difficult to prevent forged or altered identity information.
According to one aspect of the embodiments of the present invention, an identity authentication system is provided, including user equipment and an authentication server. The user equipment is configured to run an application and to request the authentication server to perform authentication status detection on the user account corresponding to the application. The authentication server is configured to, after determining that the user account is an account to be authenticated, perform an evaluation using the acquired historical association data of the user account to obtain an evaluation result, determine the corresponding identity authentication method according to the evaluation result, and perform identity authentication, where the historical association data is information associated with the user account that was acquired within a preset business cycle.
Optionally, the historical association data includes at least one of the following: user equipment information, user identity information, user network behavior information, and user business information.
Optionally, the authentication server is further configured to issue authorization authentication information to the user equipment.
Optionally, the authentication server is further configured to analyze the historical association data, construct an evaluation model, and tally the level or score corresponding to each feature indicator in the evaluation model to obtain the evaluation result.
Optionally, the user equipment information includes at least: the Internet Protocol (IP) address information used by the user equipment, the type of operating system used by the user equipment, and the usage record of the user equipment. The authentication server is further configured to construct an evaluation model from the user equipment information and to tally the level or score corresponding to each feature indicator in the evaluation model to obtain the evaluation result. The feature indicators in the evaluation model include: determining from the IP address information whether the user equipment has performed illegal operations, determining from the operating system type whether the operating system used by the user equipment has security vulnerabilities, and determining from the usage record whether high-risk applications have been installed on the user equipment.
Optionally, the preset business cycle includes a first evaluation cycle and a second evaluation cycle, and the authentication server is further configured to analyze the trend of change in the historical association data between the first evaluation cycle and the second evaluation cycle to obtain the evaluation result.
Optionally, the authentication server is further configured to determine, according to the evaluation result, the verification steps to be performed and the identity authentication related information to be collected in each verification step, and to perform identity authentication according to those verification steps and the information to be collected in each of them.
According to another aspect of the embodiments of the present invention, an identity authentication method for selecting an identity authentication method is also provided, including: acquiring historical association data of the user account corresponding to an application, where the historical association data is information associated with the user account that was acquired within a preset business cycle; performing an evaluation using the historical association data to obtain an evaluation result; and determining the corresponding identity authentication method according to the evaluation result and performing identity authentication.
Optionally, the historical association data includes at least one of the following: user equipment information, user identity information, user network behavior information, and user business information.
Optionally, before the historical association data is acquired, the method further includes: receiving a first request message from the user equipment, where the user equipment is used to run the application; and performing authentication status detection on the user account according to the first request message and returning a first response message to the user equipment, where the first response message is used to confirm that the user account is an account to be authenticated.
Optionally, after the first response message is returned to the user equipment, the method further includes: receiving a second request message from the user equipment; determining, according to the second request message, the authorization authentication information to be issued; and returning a second response message to the user equipment, where the second response message carries the authorization authentication information.
Optionally, performing an evaluation using the historical association data to obtain an evaluation result includes: analyzing the historical association data and constructing an evaluation model, where the evaluation model includes a level or score corresponding to each feature indicator in the historical association data; and tallying the level or score corresponding to each feature indicator in the evaluation model to obtain the evaluation result.
Optionally, the user equipment information includes at least the following feature indicators: the Internet Protocol (IP) address information used by the user equipment, the type of operating system used by the user equipment, and the usage record of the user equipment. Analyzing the historical association data and constructing the evaluation model includes: acquiring the IP address information, operating system type, and usage record contained in the user equipment information, and constructing the evaluation model. Tallying the level or score corresponding to each feature indicator in the evaluation model to obtain the evaluation result includes: determining from the IP address information whether the user equipment has performed illegal operations and tallying the corresponding level or score; determining from the operating system type whether the operating system used by the user equipment has security vulnerabilities and tallying the corresponding level or score; determining from the usage record whether high-risk applications have been installed on the user equipment and tallying the corresponding level or score; and obtaining the evaluation result by tallying the level or score corresponding to each feature indicator.
Optionally, the IP address information, operating system type, and usage record are used as input information, and the evaluation model is constructed using a random forest algorithm.
Optionally, the preset business cycle includes a first evaluation cycle and a second evaluation cycle, and performing an evaluation using the historical association data to obtain an evaluation result includes: obtaining the trend of change in the historical association data between the first evaluation cycle and the second evaluation cycle; and analyzing the trend of change to obtain the evaluation result.
Optionally, determining the identity authentication method according to the evaluation result and performing identity authentication includes: determining, according to the evaluation result, the verification steps to be performed and the identity authentication related information to be collected in each verification step; and performing identity authentication according to those verification steps and the information to be collected in each of them.
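An added example, not part of the patent text: an additive scorecard over the three device indicators named above (IP address, operating system type, usage record), compared across the first and second evaluation cycles and mapped to verification steps. The weights, thresholds, reference sets, step names and the use of a scorecard in place of the random forest model mentioned above are all assumptions made for illustration.

```python
from dataclasses import dataclass

# Constructed reference data (assumptions, not from the patent).
FLAGGED_IPS = {"203.0.113.7"}               # IPs tied to earlier illegal operations
VULNERABLE_OS = {"android 4.4", "ios 9"}    # OS types treated as having known flaws
HIGH_RISK_APPS = {"fake-gps", "sms-forwarder"}

# Assumed weight per feature indicator; the text only says that each
# indicator gets a level or score.
WEIGHTS = {"ip_illegal_ops": 40, "os_vulnerable": 25, "high_risk_app": 35}


@dataclass(frozen=True)
class DeviceInfo:
    ip: str
    os_type: str
    installed_apps: frozenset


def indicator_scores(dev):
    """Score each of the three device indicators for one device record."""
    hits = {
        "ip_illegal_ops": dev.ip in FLAGGED_IPS,
        "os_vulnerable": dev.os_type.strip().lower() in VULNERABLE_OS,
        "high_risk_app": bool(dev.installed_apps & HIGH_RISK_APPS),
    }
    return {name: WEIGHTS[name] if hit else 0 for name, hit in hits.items()}


def cycle_score(devices):
    """Worst (highest) device total seen in one evaluation cycle; 0 if none."""
    return max((sum(indicator_scores(d).values()) for d in devices), default=0)


def evaluate(first_cycle, second_cycle):
    """Evaluation result: latest score plus the trend between the two cycles."""
    first, second = cycle_score(first_cycle), cycle_score(second_cycle)
    return {"score": second, "trend": second - first}


def select_verification(result):
    """Map the evaluation result to ordered (step, information to collect)."""
    # Every account to be authenticated starts with the document check.
    steps = [("id_document", ["name", "id_number"])]
    # A moderate score, or any worsening between cycles, adds a face check.
    if result["score"] >= 30 or result["trend"] > 0:
        steps.append(("face_image", ["face_photo"]))
    # A high score additionally requires the dynamic gesture image.
    if result["score"] >= 60:
        steps.append(("dynamic_gesture", ["gesture_image"]))
    return steps


if __name__ == "__main__":
    clean = DeviceInfo("198.51.100.10", "iOS 15", frozenset({"shop"}))
    risky = DeviceInfo("203.0.113.7", "Android 4.4", frozenset({"shop"}))
    result = evaluate([clean], [risky])
    print(result, select_verification(result))
```

A score that falls between cycles does not reduce the steps below the baseline document check, so the selection only ever escalates.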
According to yet another aspect of the embodiments of the present invention, another identity authentication method for selecting an identity authentication method is provided, including: running an application; and triggering an authentication server to perform authentication status detection on the user account corresponding to the application, where the authentication status detection is used to perform an evaluation using the acquired historical association data of the user account to obtain an evaluation result and to determine the corresponding identity authentication method according to the evaluation result, and the historical association data is information associated with the user account that was acquired within a preset business cycle.
According to still another aspect of the embodiments of the present invention, an account authentication method for determining whether the operator of an account has changed is also provided, including: acquiring first-period association data and second-period association data of an account to be authenticated, where the first-period association data is data associated with the account to be authenticated within a first time period, the second-period association data is data associated with the account to be authenticated within a second time period, and the first time period and the second time period are not completely identical; performing a similarity calculation on the first-period association data and the second-period association data to obtain a similarity result; and determining, according to the similarity result, whether the operator of the account to be authenticated has changed.
Optionally, the data associated with the account to be authenticated within the first time period is a first operation information set, and the data associated with the account to be authenticated within the second time period is a second operation information set. Performing the similarity calculation on the first-period association data and the second-period association data includes: calculating the difference set of the first operation information set and the second operation information set. Determining, according to the similarity result, whether the operator of the account to be authenticated has changed includes: if the difference set exceeds a predetermined threshold, determining that the operator of the account to be authenticated has changed.
Optionally, the data associated with the account to be authenticated within the first time period is a first device information set, and the data associated with the account to be authenticated within the second time period is a second device information set. Performing the similarity calculation on the first-period association data and the second-period association data includes: calculating the difference set of the first device information set and the second device information set. Determining, according to the similarity result, whether the operator of the account to be authenticated has changed includes: if the difference set exceeds a predetermined threshold, determining that the operator of the account to be authenticated has changed.
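An added example, not part of the patent text: the set-difference check described in the two paragraphs above, run over constructed account events for two overlapping time periods. Taking the difference as "items in the second period that are absent from the first", measuring it by item count, combining the operation and device variants with OR, and returning no verdict when either period is empty are assumptions; the text only says the difference set is compared with a predetermined threshold.

```python
from datetime import datetime

# Constructed sample records: (timestamp, operation, device identifier).
EVENTS = [
    ("2024-01-03T10:00", "browse:books", "imei-A"),
    ("2024-01-10T19:30", "buy:books", "imei-A"),
    ("2024-01-25T08:15", "list:used-phone", "imei-A"),
    ("2024-02-02T02:10", "change:payout-account", "imei-B"),
    ("2024-02-02T02:20", "list:game-accounts", "imei-B"),
    ("2024-02-05T03:00", "withdraw:balance", "imei-C"),
    ("2024-02-09T11:00", "buy:books", "imei-B"),
]

# The two periods overlap but are not completely identical.
FIRST = (datetime(2024, 1, 1), datetime(2024, 2, 1))
SECOND = (datetime(2024, 1, 20), datetime(2024, 3, 1))


def period_sets(events, start, end):
    """Collect the operation and device information sets for [start, end)."""
    ops, devices = set(), set()
    for ts, operation, device in events:
        if start <= datetime.fromisoformat(ts) < end:
            ops.add(operation)
            devices.add(device)
    return ops, devices


def judge_operator_change(events, first, second, op_threshold, dev_threshold):
    """Compare the two periods and report whether the operator looks changed.

    Returns a dict with the two difference sets and "changed", which is
    True, False, or None when a period has no data to compare against.
    """
    ops1, devs1 = period_sets(events, *first)
    ops2, devs2 = period_sets(events, *second)
    if not ops1 or not ops2:
        # Without a baseline (or without recent activity) the difference
        # set says nothing about the operator, so give no verdict.
        return {"changed": None, "op_diff": set(), "dev_diff": set()}
    op_diff = ops2 - ops1      # operations never seen in the first period
    dev_diff = devs2 - devs1   # devices never seen in the first period
    changed = len(op_diff) > op_threshold or len(dev_diff) > dev_threshold
    return {"changed": changed, "op_diff": op_diff, "dev_diff": dev_diff}


if __name__ == "__main__":
    verdict = judge_operator_change(EVENTS, FIRST, SECOND, 2, 1)
    print(verdict["changed"], sorted(verdict["op_diff"]), sorted(verdict["dev_diff"]))
```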
According to still another aspect of the embodiments of the present invention, an identity authentication device for selecting an identity authentication method is also provided, including: an acquisition module, configured to acquire historical association data of the user account corresponding to an application, where the historical association data is information associated with the user account that was acquired within a preset business cycle; an evaluation module, configured to perform an evaluation using the historical association data to obtain an evaluation result; and an authentication module, configured to determine the corresponding identity authentication method according to the evaluation result and perform identity authentication.
According to still another aspect of the embodiments of the present invention, another identity authentication device for selecting an identity authentication method is provided, including: a running module, configured to run an application; and a trigger module, configured to trigger an authentication server to perform authentication status detection on the user account corresponding to the application, where the authentication status detection is used to perform an evaluation using the acquired historical association data of the user account to obtain an evaluation result and to determine the corresponding identity authentication method according to the evaluation result, and the historical association data is information associated with the user account that was acquired within a preset business cycle.
In the embodiments of the present invention, historical association data of the user account corresponding to the application (that is, information associated with the user account that was acquired within a preset business cycle) is acquired, an evaluation is performed using the historical association data to obtain an evaluation result, the corresponding identity authentication method is determined from the evaluation result, and the identity authentication process is then carried out. This achieves the purpose of identifying whether a user account is at risk from the historical association data accumulated for that account, and so achieves the technical effect of monitoring the authenticity and reliability of the user's identity in real time over the long term and raising the security level of identity authentication. It thereby solves the technical problem that the identity authentication methods used in the related art lack variety and make it difficult to prevent forged or altered identity information. In addition, for a change of account operator caused by trading of the account, matching the similarity between the account association information and/or related operation records of different periods can also provide an objective basis for action.
10: User equipment
20: Authentication server
S32: Step
S34: Step
S36: Step
S42: Step
S44: Step
S52: Step
S54: Step
S56: Step
10: Acquisition module
20: Evaluation module
30: Authentication module
40: First receiving module
50: First response module
60: Second receiving module
70: Second response module
80: Running module
90: Trigger module
The drawings described here are provided for a further understanding of the present invention and form part of this application. The exemplary embodiments of the present invention and their descriptions are used to explain the present invention and do not constitute an improper limitation of it. In the drawings: FIG. 1 is a block diagram of the hardware structure of an identity authentication system according to an embodiment of the present invention; FIG. 2 is a schematic diagram of the application interface operation that triggers the authentication process according to a preferred embodiment of the present invention; FIG. 3 is a flowchart of an identity authentication method according to an embodiment of the present invention; FIG. 4 is a flowchart of another identity authentication method according to an embodiment of the present invention; FIG. 5 is a flowchart of an account authentication method according to an embodiment of the present invention; FIG. 6 is a structural block diagram of an identity authentication device according to an embodiment of the present invention; FIG. 7 is a structural block diagram of an identity authentication device according to a preferred embodiment of the present invention; FIG. 8 is a structural block diagram of another identity authentication device according to an embodiment of the present invention.
To help those of ordinary skill in the art better understand the solution of the present invention, the technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the drawings in the embodiments. The described embodiments are only some of the embodiments of the present invention, not all of them. All other embodiments obtained by those of ordinary skill in the art on the basis of the embodiments of the present invention, without inventive effort, fall within the scope of protection of the present invention.
It should be noted that the terms "first", "second", and so on in the description and claims of the present invention and in the above drawings are used to distinguish similar objects, and are not necessarily used to describe a specific order or sequence. It should be understood that data so used are interchangeable where appropriate, so that the embodiments of the invention described here can be implemented in an order other than those illustrated or described here. In addition, the terms "include" and "have", and any variations of them, are intended to cover non-exclusive inclusion. For example, a process, method, system, product, or device that includes a series of steps or units is not necessarily limited to the steps or units explicitly listed, but may include other steps or units that are not explicitly listed or that are inherent to the process, method, product, or device.
First, some of the nouns and terms that appear in the description of the embodiments of this application are explained as follows:
(1) Smart terminal application (APP): a client installed on a smart terminal that extends the functions of the terminal itself and serves the user's personalized business needs, for example an online shopping APP, an online payment APP, or a second-hand goods trading APP.
(2) User account: an independent information storage area created when the user fills in personal information on the registration page in order to use the full set of functional services provided by the application.
(3) Historical association data: information associated with the user account that can be acquired within a preset business cycle. The preset business cycle may run from the successful registration of the user account to the moment the authentication process is triggered, or it may be a specific time period after the user account has been successfully registered. The information associated with the user account may include, but is not limited to, at least one of the following: user identity information, user network behavior information, information about the user equipment used by the user, and user business information.

User identity information may include, but is not limited to, at least one of the following: the user account the user registered in order to use the functions provided by a specific application, the information shown on the identity document the user provided at registration, the user's contact details, and the user's home address and/or work address.

User equipment information may include, but is not limited to, at least one of the following: the operating system used by the user equipment, the model of the user equipment, the International Mobile Subscriber Identity (IMSI) / International Mobile Equipment Identity (IMEI) of the user equipment, and the Internet Protocol (IP) address and/or Media Access Control (MAC) address used by the user equipment.

User network behavior information may include, but is not limited to, at least one of the following: the current authentication operation behavior, and past behavior associated with the user account before identity authentication is performed (for example, the shopping behavior reflected in shopping records).

User business information may include, but is not limited to, at least one of the following: shopping records and user operation trajectories.
FIG. 1 is a block diagram of the hardware structure of an identity authentication system according to an embodiment of the present invention. As shown in FIG. 1, the user equipment 10 may be connected to one or more authentication servers 20 via a data network connection or electronically. In an optional embodiment, the user equipment 10 may be a personal computer (PC), a smartphone, or a tablet computer. The data network connection may be a local area network connection, a wide area network connection, an Internet connection, or another type of data network connection. The user equipment 10 may execute to connect to a network service run by one server or a group of servers. A network server is a network-based user service, such as social networking, cloud resources, e-mail, online payment, or other online applications.
In this embodiment, the user equipment 10 is configured to run an application and to request the authentication server to perform authentication status detection on the user account corresponding to the application. The authentication server 20 is configured to, after determining that the user account is an account to be authenticated, perform an evaluation using the acquired historical association data of the user account to obtain an evaluation result, determine the corresponding identity authentication method according to the evaluation result, and perform identity authentication, where the historical association data is information associated with the user account that was acquired within a preset business cycle.
FIG. 2 is a schematic diagram of the application interface operation that triggers the authentication process according to a preferred embodiment of the present invention. As shown in FIG. 2, if a user needs to carry out second-hand goods transactions online, then once the application installed on the user equipment (for example, a second-hand goods trading application) is running, the user can log in to a pre-registered user account. The user equipment needs to detect whether an online store account has been opened for this user account; if not, the user equipment must be triggered to check the user's authentication status. The user equipment calls the real-person authentication server (that is, the authentication server 20 above) to determine the current user authentication status and thereby whether the authentication process needs to be performed for this user. The basis for the real-person authentication server's judgment may include, but is not limited to, at least one of the following: user identity information (for example, the user's name and ID card number), the operating system used by the user equipment (for example, Android or iOS), and the capabilities of the user equipment itself (for example, hardware configuration, or whether it has been jailbroken).
Optionally, the authentication server 20 is further configured to issue authorization authentication information to the user equipment.
If the real-person authentication server determines that the authentication process needs to be performed for the user, the user equipment requests the real-person authentication server to issue authorization authentication information, for example a token, and obtains the authorization authentication information that the server returns. The authorization authentication information is used for authentication permission checks, for generating authentication tasks, and for being passed between different authentication execution entities.
Taking a token as an example, its format may include the following three parts: (1) header, which indicates the type of the token; (2) claims set, which holds the stored data and may include user authorization information; (3) signature, which is used to verify the authenticity of the token.
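The three-part token described above can be illustrated as follows. This is an added example, not code from the patent: the HMAC-SHA256 signature, the base64url encoding, and every field name (`typ`, `alg`, `sub`, `scope`, `iat`, `exp`) are assumptions. The verifier checks the signature before it reads anything from the header or claims set.

```python
import base64
import hashlib
import hmac
import json
import time

# Assumed header: the patent only says the header states the token type.
TOKEN_HEADER = {"alg": "HS256", "typ": "authz"}


class TokenError(Exception):
    """Raised when a token must not be accepted."""


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign(key: bytes, signing_input: str) -> bytes:
    return hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()


def issue_token(key: bytes, account: str, scope: str, ttl: int = 300, now=None) -> str:
    """Server side: build header.claims.signature for one account and scope."""
    now = int(time.time()) if now is None else now
    claims = {"sub": account, "scope": scope, "iat": now, "exp": now + ttl}
    parts = [
        b64url(json.dumps(part, sort_keys=True, separators=(",", ":")).encode("utf-8"))
        for part in (TOKEN_HEADER, claims)
    ]
    signing_input = ".".join(parts)
    return signing_input + "." + b64url(sign(key, signing_input))


def verify_token(key: bytes, token: str, required_scope: str, now=None) -> dict:
    """Return the claims set, or raise TokenError if the token is not acceptable."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenError("expected header.claims.signature")
    header_b64, claims_b64, sig_b64 = parts
    try:
        expected = sign(key, header_b64 + "." + claims_b64)
        supplied = b64url_decode(sig_b64)
    except ValueError as exc:
        raise TokenError("malformed encoding") from exc
    # Constant-time comparison; nothing in the token is trusted before this.
    if not hmac.compare_digest(expected, supplied):
        raise TokenError("signature mismatch")
    try:
        header = json.loads(b64url_decode(header_b64))
        claims = json.loads(b64url_decode(claims_b64))
    except ValueError as exc:
        raise TokenError("malformed header or claims set") from exc
    # The algorithm is pinned by the server, never chosen by the token.
    if header != TOKEN_HEADER:
        raise TokenError("unexpected token type")
    if not isinstance(claims, dict) or not isinstance(claims.get("exp"), int):
        raise TokenError("missing expiry")
    if claims["exp"] <= now:
        raise TokenError("token expired")
    if claims.get("scope") != required_scope:
        raise TokenError("token not issued for this operation")
    return claims


def is_valid(key: bytes, token: str, required_scope: str, now=None) -> bool:
    try:
        verify_token(key, token, required_scope, now)
        return True
    except TokenError:
        return False
```
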
Optionally, the authentication server 20 is further configured to analyze the historical association data, construct an evaluation model, and tally the level or score corresponding to each feature indicator in the evaluation model to obtain the evaluation result.
After obtaining the token issued by the real-person authentication server, the user equipment requests the real-person authentication server to start the identity authentication process. The real-person authentication server selects a corresponding authentication channel for the user according to the business type of the application the user is using. During identity authentication over the selected channel, the real-person authentication server can build an evaluation model from historical association data, such as user identity information the user has uploaded through the user equipment, information on network behavior the user has performed, information on the user equipment the user uses, and previously collected user biometric information. It uses this model to make a comprehensive judgment of the user's risk level and to provide differentiated authentication methods for users with different risk levels.

The user identity information may include, but is not limited to, at least one of the following: the user account the user registered in order to use the functions provided by a specific application, the information shown on the identity document the user provided at registration, the user's contact information, and the user's home address and/or work address. The user equipment information may include, but is not limited to, at least one of the following: the operating system used by the user equipment, the model of the user equipment, the International Mobile Subscriber Identity (IMSI) / International Mobile Equipment Identity (IMEI) of the user equipment, and the Internet Protocol (IP) address and/or Media Access Control (MAC) address used by the user equipment. The user network behavior information may include, but is not limited to, at least one of the following: the current authentication operation behavior, and past behavior associated with the user account before identity authentication is performed (for example, shopping records). The biometric information may include, but is not limited to, at least one of the following: voiceprint, fingerprint, eye pattern, iris, static user image, and dynamic liveness-detection user image.
Liveness detection instructs the user to complete one or more specified actions in a specific scenario, for example shaking the head, nodding, or speaking a sentence. Its purpose is to determine that the user currently undergoing identity authentication is a real living person and not a photograph.
Optionally, the user equipment information includes at least: the Internet Protocol (IP) address information used by the user equipment, the type of operating system used by the user equipment, and the usage records of the user equipment. The authentication server is further configured to construct the evaluation model from the user equipment information and to tally the level or score corresponding to each feature indicator in the evaluation model to obtain the evaluation result. The feature indicators in the evaluation model include: determining from the IP address information whether the user equipment has performed illegal operations, determining from the operating system type whether the operating system used by the user equipment has security vulnerabilities, and determining from the usage records whether high-risk applications have been installed on the user equipment.
As a preferred embodiment of the present invention, an algorithm such as random forest may be used to construct the evaluation model, and the evaluation model serves as the main judgment factor for risk prevention and control. The input to the evaluation model may include, but is not limited to, the user equipment information, user identity information, user network behavior information, and user business information described above. The output obtained after computation by the random forest algorithm is the model score, and the corresponding identity authentication method is finally determined according to the model score. Specifically: first, the available data is obtained (for example, user equipment information, user identity information, user network behavior information, and user business information); second, features are constructed, that is, the authenticity of the obtained data is determined; third, feature analysis is performed on the constructed features, namely feature quality analysis, feature monotonicity analysis, feature importance analysis, and feature synthesis; then the random forest algorithm is used for model selection, and the evaluation result is finally obtained.
In a preferred implementation, taking user equipment information as the historical association data, comprehensively judging the user's risk level by constructing an evaluation model may include the following. If telecom fraud cases have previously occurred at the location to which the IP address belongs, the security level of the user equipment using that IP address can be lowered (for example, by one level) or its security score reduced (for example, by 1 point). This lowers the credit rating applied before the application is run to perform a shopping or transfer operation, and thereby raises the identity authentication threshold. If the user equipment runs Android, or iOS that has been jailbroken, then because security vulnerabilities exist, the security level of the user equipment using that IP address can be lowered (for example, by one level) or its security score reduced (for example, by 1 point), which likewise lowers the credit rating and raises the identity authentication threshold. If cheating software has been installed on the user equipment, or illegal websites (for example, pornography or gambling sites) have been browsed with it, the security level of the user equipment using that IP address can be lowered (for example, by one level) or its security score reduced (for example, by 1 point), which again lowers the credit rating and raises the identity authentication threshold.
In addition, evaluation models can likewise be constructed in turn for the other information contained in the historical association data in order to perform security evaluation. For example, if multiple malicious network behaviors (for example, placing fake orders to inflate sales) have occurred under the user account on a specific user equipment, the credit rating applied before that user equipment runs the application to perform a shopping operation can be lowered, which raises the identity authentication threshold. If the personal information a user uploads after logging in to the user account does not match the related information previously stored by the real-person authentication server, the credit rating applied before that user account runs the application to perform a shopping or transfer operation can be lowered, which raises the identity authentication threshold. If the contact information, home address, and/or work address the user registered contain false information, the credit rating applied before that user account runs the application to perform a shopping or transfer operation can be lowered, which raises the identity authentication threshold. If a user places orders for a large quantity of goods in the shopping cart but does not pay on time, the credit rating applied before that user account runs the application to perform a shopping or transfer operation can be lowered, which raises the identity authentication threshold.
It should be noted that, depending on the business type of the application, the evaluation may score only one of the determining factors, or may combine several determining factors at once, in order to finally decide whether the identity authentication threshold needs to be raised. The above examples of historical association data are illustrative only and do not unduly limit what the historical association data may contain.
Optionally, the preset business cycle includes at least a first evaluation cycle and a second evaluation cycle, and the authentication server 20 is further configured to analyze the trend of change in the historical association data between the first evaluation cycle and the second evaluation cycle to obtain the evaluation result.
The first evaluation cycle and the second evaluation cycle may be two adjacent, pre-selected time periods. Suppose the first evaluation cycle is the ten days closest to the current time and the second evaluation cycle is the ten days immediately preceding those. The evaluation result is then determined by comparing the trend of change in the historical association data between the two cycles, that is, by comparing the similarity between the historical association data in the first evaluation cycle and in the second evaluation cycle.
Take user network behavior information as an example. Suppose that account A's sales or shopping behavior stays normal throughout the first evaluation cycle (that is, goods are shipped according to orders and are of good quality, or payment is made promptly after an order is placed). In the second evaluation cycle, however, for a reason such as account theft, account A shows abnormal sales behavior (for example, switching from selling good-quality, fairly priced goods to selling high-priced, inferior goods, or not shipping for a long time after buyers have paid on the strength of long-standing trust) or abnormal shopping behavior (for example, frequently placing orders without paying, or frequently complaining to sellers that intact goods have quality problems and demanding returns or exchanges). It can then be determined that account A may have an anomaly such as account theft, and real-person authentication must be performed again for the user of account A.
Take user equipment information and user network behavior information as an example. Suppose that in the first evaluation cycle account A is used on an Apple phone running iOS, the IP address in use is located in place C, and sales behavior stays normal throughout. In the second evaluation cycle, however, for a reason such as account transfer, account A moves from the Apple phone running iOS to a Huawei phone running Android, the IP address in use moves from place C to place D, and abnormal sales behavior appears during this period (for example, switching from selling good-quality, fairly priced goods to selling high-priced, inferior goods, or not shipping for a long time after buyers have paid on the strength of long-standing trust). It can then be determined that the purpose for which account A is used may have changed abnormally, and real-person authentication must be performed again for the user of account A.
Optionally, the authentication server 20 is further configured to determine, according to the evaluation result, the verification steps to be performed and the identity authentication information to be collected in each verification step, and to perform identity authentication according to those verification steps and the identity authentication information to be collected in each of them.
During identity authentication, the software development kit (SDK) integrated in the application to perform the identity authentication function collects data according to the sequence of steps the authentication process requires and the identity authentication information to be collected in each step, and interacts with the real-person authentication server in real time. The evaluation result obtained from the evaluation model classifies user accounts as normal accounts or risk accounts. For a normal account, the conventionally configured automated authentication process is followed, which includes collecting a static identity document image, a dynamic liveness-detection user image, and other information. For a risk account, a supplementary data collection process is added on top of the conventionally configured automated authentication process, for example a dynamic gesture verification step, so that more user information is collected for further checking.
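The following added example (not code from the patent) derives the three device feature indicators from raw device data, deducts one point per indicator as in the examples above, and maps the score to the verification steps and the information collected in each. The starting score, the risk threshold, the record field names, the fraud-region network, and the high-risk application name are all constructed assumptions.

```python
import ipaddress

# Constructed reference data (assumptions, not from the patent).
FRAUD_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]  # regions with prior telecom fraud
HIGH_RISK_APPS = {"com.example.cheattool"}                 # hypothetical cheating software
ILLEGAL_SITE_CATEGORIES = {"pornography", "gambling"}
BASE_SCORE = 3       # assumed starting security score
RISK_THRESHOLD = 3   # assumed: any deduction marks the account as a risk account


def score_device(device: dict) -> tuple:
    """Evaluate each feature indicator and deduct 1 point for each one that fires."""
    fired = []

    # Indicator 1: IP address information.
    ip = ipaddress.ip_address(device["ip"])
    if any(ip in network for network in FRAUD_NETWORKS):
        fired.append("ip_fraud_history")

    # Indicator 2: operating system type (Android, or jailbroken iOS).
    os_type = device["os"].strip().lower()
    if os_type == "android" or (os_type == "ios" and device.get("jailbroken", False)):
        fired.append("os_vulnerable")

    # Indicator 3: usage records (high-risk installs or illegal sites browsed).
    for record in device.get("usage_records", []):
        installed = record.get("event") == "install" and record.get("package") in HIGH_RISK_APPS
        visited = record.get("event") == "visit" and record.get("category") in ILLEGAL_SITE_CATEGORIES
        if installed or visited:
            fired.append("high_risk_usage")
            break

    return BASE_SCORE - len(fired), fired


def plan_authentication(score: int) -> list:
    """Choose the verification steps and what each step collects."""
    steps = [
        {"step": "id_document", "collect": "static identity document image"},
        {"step": "liveness", "collect": "dynamic liveness-detection user image"},
    ]
    if score < RISK_THRESHOLD:
        # Risk account: supplementary collection on top of the normal flow.
        steps.append({"step": "dynamic_gesture", "collect": "dynamic gesture verification"})
    return steps


# Constructed sample devices.
CLEAN_DEVICE = {"ip": "198.51.100.7", "os": "iOS", "jailbroken": False, "usage_records": []}
RISKY_DEVICE = {
    "ip": "203.0.113.45",
    "os": "Android",
    "usage_records": [{"event": "install", "package": "com.example.cheattool"}],
}
```
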
After the identity authentication process is complete, the real-person authentication server returns the final identity authentication result to the user equipment.
In the operating environment described above, this application provides the identity authentication method shown in FIG. 3. It should be noted that the steps shown in the flowchart of the drawing may be executed in a computer system, for example as a set of computer-executable instructions, and that although a logical order is shown in the flowchart, in some cases the steps shown or described may be performed in a different order.
FIG. 3 is a flowchart of an identity authentication method according to an embodiment of the present invention. As shown in FIG. 3, the method may include the following processing steps: step S32, obtaining historical association data of the user account corresponding to the application, where the historical association data is information associated with the user account that was obtained within a preset business cycle; step S34, evaluating with the historical association data to obtain an evaluation result; step S36, determining the corresponding identity authentication method according to the evaluation result and performing identity authentication.
In a preferred implementation, the historical association data may include, but is not limited to, at least one of the following: user equipment information, user identity information, user network behavior information, and user business information.
Optionally, before the historical association data is obtained in step S32, the method may further include the following steps: step S30, receiving a first request message from the user equipment, where the user equipment is used to run the application; step S31, performing authentication status detection on the user account according to the first request message and returning a first response message to the user equipment, where the first response message is used to confirm that the user account is an account to be authenticated.
Optionally, after the first response message is returned to the user equipment in step S31, the method may further include the following steps: step S37, receiving a second request message from the user equipment; step S38, determining the authorization authentication information to be issued according to the second request message; step S39, returning a second response message to the user equipment, where the second response message carries the authorization authentication information.
Optionally, in step S34, evaluating with the historical association data to obtain the evaluation result may include the following steps: step S340, analyzing the historical association data and constructing an evaluation model, where the evaluation model includes the level or score corresponding to each feature indicator in the historical association data; step S342, tallying the level or score corresponding to each feature indicator in the evaluation model to obtain the evaluation result.
Optionally, the user equipment information includes at least the following feature indicators: the Internet Protocol (IP) address information used by the user equipment, the type of operating system used by the user equipment, and the usage records of the user equipment. In step S340, analyzing the historical association data and constructing the evaluation model may include the following step: step S3400, obtaining the IP address information, operating system type, and usage records contained in the user equipment information, and constructing the evaluation model. In step S342, tallying the level or score corresponding to each feature indicator in the evaluation model to obtain the evaluation result may include the following step: step S3420, determining from the IP address information whether the user equipment has performed illegal operations and tallying the corresponding level or score; determining from the operating system type whether the operating system used by the user equipment has security vulnerabilities and tallying the corresponding level or score; and determining from the usage records whether high-risk applications have been installed on the user equipment and tallying the corresponding level or score. The evaluation result is obtained by tallying the level or score corresponding to each feature indicator.
Optionally, the preset business cycle includes a first evaluation cycle and a second evaluation cycle. In step S34, evaluating with the historical association data to obtain the evaluation result may include the following steps: step S344, obtaining the trend of change in the historical association data between the first evaluation cycle and the second evaluation cycle; step S346, analyzing the trend of change to obtain the evaluation result.
Optionally, in step S36, determining the identity authentication method according to the evaluation result and performing identity authentication may include the following steps: step S360, determining, according to the evaluation result, the verification steps to be performed and the identity authentication information to be collected in each verification step; step S362, performing identity authentication according to the verification steps to be performed and the identity authentication information to be collected in each verification step.
In the operating environment described above, this application provides another identity authentication method, shown in FIG. 4. It should be noted that the steps shown in the flowchart of the drawing may be executed in a computer system, for example as a set of computer-executable instructions, and that although a logical order is shown in the flowchart, in some cases the steps shown or described may be performed in a different order.
FIG. 4 is a flowchart of another identity authentication method according to an embodiment of the present invention. As shown in FIG. 4, the method may include the following processing steps: step S42, running an application; step S44, triggering the authentication server to perform authentication status detection on the user account corresponding to the application. The authentication status detection is used to evaluate the obtained historical association data of the user account to obtain an evaluation result and to determine the corresponding identity authentication method according to the evaluation result. The historical association data is information associated with the user account that was obtained within a preset business cycle.
In the operating environment described above, this application provides the account authentication method shown in FIG. 5. It should be noted that the steps shown in the flowchart of the drawing may be executed in a computer system, for example as a set of computer-executable instructions, and that although a logical order is shown in the flowchart, in some cases the steps shown or described may be performed in a different order.
FIG. 5 is a flowchart of an account authentication method according to an embodiment of the present invention. As shown in FIG. 5, the method may include the following processing steps: step S52, obtaining first-period association data and second-period association data of the account to be authenticated, where the first-period association data is data associated with the account to be authenticated within a first time period, the second-period association data is data associated with the account to be authenticated within a second time period, and the first time period and the second time period are not exactly the same; step S54, calculating the similarity between the first-period association data and the second-period association data to obtain a similarity result; step S56, determining from the similarity result whether the operator of the account to be authenticated has changed.
The first time period and the second time period may be two adjacent, pre-selected time periods, that is, periods that do not overlap in time; for example, the first time period is the ten days closest to the current time and the second time period is the ten days immediately preceding those. Alternatively, the first time period and the second time period may be two pre-selected, partially overlapping time periods; for example, the first time period runs from the 1st to the 10th of the current month and the second time period runs from the 5th to the 15th of the current month. Whether the operator of the account to be authenticated has changed is determined by comparing the similarity of the first-period association data and the second-period association data.
In a preferred implementation, the data associated with the account to be authenticated within the first time period may be a first operation information set, and the data associated with the account to be authenticated within the second time period may be a second operation information set. In step S54, calculating the similarity between the first-period association data and the second-period association data may include the following step: step S540, calculating the difference set of the first operation information set and the second operation information set. In step S56, determining from the similarity result whether the operator of the account to be authenticated has changed may include the following step: step S560, if the difference set exceeds a predetermined threshold, determining that the operator of the account to be authenticated has changed.
Suppose that account A's sales or shopping behavior stays normal throughout the first time period (that is, goods are shipped according to orders and are of good quality, or payment is made promptly after an order is placed). In the second time period, however, for a reason such as account theft, account A shows abnormal sales behavior (for example, switching from selling good-quality, fairly priced goods to selling high-priced, inferior goods, or not shipping for a long time after buyers have paid on the strength of long-standing trust) or abnormal shopping behavior (for example, frequently placing orders without paying, or frequently complaining to sellers that intact goods have quality problems and demanding returns or exchanges). By comparing the similarity between the first-period association data (that is, the log records of account A's sales or shopping behavior in the first time period) and the second-period association data (that is, the log records of account A's sales or shopping behavior in the second time period), it can be determined that the operator of account A has very likely changed, and real-person authentication must be performed again for the operator of account A.
In a preferred implementation, the data associated with the account to be authenticated in the first time period is a first device information set, and the data associated with the account to be authenticated in the second time period is a second device information set. In step S54, performing the similarity calculation on the first-period associated data and the second-period associated data may include the following step: step S542, calculating the difference set between the first device information set and the second device information set. In step S56, judging from the similarity result whether the operator of the account to be authenticated has changed may include the following step: step S562, if the difference set exceeds a predetermined threshold, determining that the operator of the account to be authenticated has changed.
Assume that in the first time period account A uses an Apple phone running iOS, the IP address it uses is located in place C, and the MNC in the IMSI it uses identifies the carrier as China Mobile. In the second time period, account A switches from the Apple phone running iOS to a Huawei phone running Android, the IP address moves from place C to place D, and the carrier identified by the MNC in the IMSI changes from China Mobile to China Unicom. Comparing the similarity between the first-period associated data (the log records of the user equipment information used by account A in the first time period) and the second-period associated data (the log records of the user equipment information used by account A in the second time period) then makes it possible to determine that the operator of account A has very likely changed, and that the operator using account A must undergo real-person authentication again.
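The difference-set check of steps S540/S560 and S542/S562 can be sketched as follows. This is an added example, not code from the patent: the record field names, the sample records, the ratio used to measure the difference set, and the 0.5 threshold are all assumptions.

```python
from dataclasses import dataclass
from typing import Iterable, Mapping


def to_info_set(records: Iterable[Mapping[str, str]]) -> frozenset:
    """Flatten log records into a set of normalized (field, value) observations."""
    return frozenset(
        (field, value.strip().lower())
        for record in records
        for field, value in record.items()
        if isinstance(value, str) and value.strip()
    )


@dataclass(frozen=True)
class DriftResult:
    new_items: frozenset    # second-period observations absent from the first period
    ratio: float            # len(new_items) / size of the second-period set
    operator_changed: bool  # True when the ratio exceeds the threshold
    reason: str


def detect_operator_change(first_records, second_records, threshold=0.5) -> DriftResult:
    """Compare two periods of account data by set difference (S540/S542),
    then apply the threshold decision (S560/S562)."""
    if not 0.0 <= threshold < 1.0:
        raise ValueError("threshold must be in [0, 1)")
    first = to_info_set(first_records)
    second = to_info_set(second_records)
    if not second:
        # Nothing happened in the second period, so there is nothing to judge.
        return DriftResult(frozenset(), 0.0, False, "no second-period activity")
    if not first:
        # Assumption: with no baseline, fail closed and ask for re-authentication.
        return DriftResult(second, 1.0, True, "no first-period baseline")
    new_items = second - first
    ratio = len(new_items) / len(second)
    changed = ratio > threshold
    reason = ("difference set exceeds threshold" if changed
              else "difference set within threshold")
    return DriftResult(new_items, ratio, changed, reason)


# Constructed sample records modelled on the account A scenarios above.
DEVICE_FIRST = [{"os": "iOS", "ip_region": "C", "carrier": "China Mobile"}] * 3
DEVICE_SECOND = [{"os": "Android", "ip_region": "D", "carrier": "China Unicom"}] * 2
# Same phone and carrier, one new IP region: a legitimate user who travelled.
DEVICE_SECOND_TRAVEL = [
    {"os": "iOS", "ip_region": "C", "carrier": "China Mobile"},
    {"os": "iOS", "ip_region": "E", "carrier": "China Mobile"},
]
OPS_FIRST = [{"action": "ship_on_time"}, {"action": "pay_on_time"}]
OPS_SECOND = [
    {"action": "order_without_payment"},
    {"action": "complaint_on_intact_goods"},
    {"action": "pay_on_time"},
]

if __name__ == "__main__":
    for label, first, second in [
        ("device, takeover", DEVICE_FIRST, DEVICE_SECOND),
        ("device, travel", DEVICE_FIRST, DEVICE_SECOND_TRAVEL),
        ("operations", OPS_FIRST, OPS_SECOND),
    ]:
        result = detect_operator_change(first, second)
        print(f"{label}: ratio={result.ratio:.2f} "
              f"re-authenticate={result.operator_changed} ({result.reason})")
```

Measuring the difference set as a fraction of the second period keeps a single new IP region from triggering re-authentication, while a simultaneous change of operating system, region and carrier does.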
By obtaining historical association data, such as the user identity information that an individual user has uploaded through user equipment, information on the network behavior the user has performed, information on the user equipment the user has used, and the user biometric information the user equipment has collected, an evaluation model is built for comprehensive analysis and the risk level of the user account is monitored in real time, while the authentication method is further upgraded to liveness detection. Moreover, the real-person authentication service can be extended to other online services that can only be carried out after personal identity authentication.
It should be noted that, for simplicity of description, each of the foregoing method embodiments is expressed as a series of combined actions. Those with ordinary knowledge in the technical field should understand, however, that the present invention is not limited by the described order of actions, because according to the present invention certain steps may be performed in another order or simultaneously. They should also understand that the embodiments described in the specification are all preferred embodiments, and that the actions and modules involved are not necessarily required by the present invention.
From the description of the above implementations, those with ordinary knowledge in the technical field can clearly understand that the identity authentication method according to the above embodiments can be implemented by software plus the necessary general-purpose hardware platform, and of course also by hardware, although in many cases the former is the better implementation. Based on this understanding, the technical solution of the present invention, in essence, or the part of it that contributes over the prior art, can be embodied in the form of a software product. The computer software product is stored in a storage medium (such as ROM/RAM, a magnetic disk, or an optical disc) and includes several instructions that cause a terminal device (which may be a mobile phone, a computer, a server, a network device, or the like) to execute the methods described in the embodiments of the present invention.
According to an embodiment of the present invention, a device embodiment for implementing the above identity authentication method is also provided. FIG. 6 is a structural block diagram of an identity authentication device according to an embodiment of the present invention. As shown in FIG. 6, the device includes: an obtaining module 10, configured to obtain historical association data of the user account corresponding to an application, where the historical association data is information associated with the user account that was obtained within a preset business cycle; an evaluation module 20, configured to perform an evaluation using the historical association data and obtain an evaluation result; and an authentication module 30, configured to determine the corresponding identity authentication method according to the evaluation result and perform identity authentication.
Optionally, FIG. 7 is a structural block diagram of an identity authentication device according to a preferred embodiment of the present invention. As shown in FIG. 7, the device may further include: a first receiving module 40, configured to receive a first request message from user equipment, where the user equipment is used to run the application; and a first response module 50, configured to perform authentication status detection on the user account according to the first request message and return a first response message to the user equipment, where the first response message is used to confirm that the user account is an account to be authenticated.
In a preferred implementation, the historical association data may include, but is not limited to, at least one of the following: user equipment information, user identity information, user network behavior information, and user business information.
Optionally, as shown in FIG. 7, the device may further include: a second receiving module 60, configured to receive a second request message from the user equipment; and a second response module 70, configured to determine, according to the second request message, the authorization authentication information to be issued and return a second response message to the user equipment, where the second response message carries the authorization authentication information.
Optionally, the evaluation module 20 may include: an analysis unit (not shown in the figure), configured to analyze the historical association data and build an evaluation model, where the evaluation model includes a level or score corresponding to each feature indicator in the historical association data; and a first statistical unit (not shown in the figure), configured to tally the level or score corresponding to each feature indicator in the evaluation model and obtain the evaluation result.
Optionally, the user equipment information includes at least the following feature indicators: the Internet Protocol (IP) address information used by the user equipment, the type of operating system used by the user equipment, and the usage record of the user equipment. The analysis unit (not shown in the figure) is configured to obtain the IP address information, operating system type, and usage record contained in the user equipment information and to build the evaluation model. The statistical unit (not shown in the figure) is configured to determine from the IP address information whether the user equipment has performed illegal operations and tally the corresponding level or score, to determine from the type of operating system used by the user equipment whether that operating system has security vulnerabilities and tally the corresponding level or score, and to determine from the usage record of the user equipment whether high-risk applications have been installed on it and tally the corresponding level or score. The evaluation result is obtained by tallying the level or score corresponding to each feature indicator.
Optionally, the preset business cycle includes at least a first evaluation cycle and a second evaluation cycle, and the evaluation module 20 may include: an obtaining unit (not shown in the figure), configured to obtain the trend of change in the historical association data between the first evaluation cycle and the second evaluation cycle; and a second statistical unit (not shown in the figure), configured to analyze the trend of change and obtain the evaluation result.
Optionally, the authentication module 30 may include: a determining unit (not shown in the figure), configured to determine, according to the evaluation result, the verification steps to be performed and the identity authentication related information to be collected in each verification step; and an authentication unit (not shown in the figure), configured to perform identity authentication according to the verification steps to be performed and the identity authentication related information to be collected in each verification step.
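The evaluation module and authentication module described above can be sketched as a per-indicator scorer followed by a step selector. This is an added example, not code from the patent: the score values, the tier boundaries, the reference lists, the field names and the contents of each verification step are assumptions, and all sample values are constructed.

```python
from typing import Iterable, Mapping, Optional

# Constructed reference data (documentation-range IP, made-up app identifier).
FLAGGED_IPS = frozenset({"203.0.113.7"})                 # IPs tied to illegal operations
VULNERABLE_OS = frozenset({("android", "4.4")})          # OS builds with known vulnerabilities
HIGH_RISK_APPS = frozenset({"com.example.riskyapp"})     # applications rated high-risk

# Assumed scoring scale: missing data is neither clean nor bad.
CLEAN, UNKNOWN, BAD = 0, 1, 2


def score_ip(ip: Optional[str]) -> int:
    """Score the IP address indicator."""
    if not ip:
        return UNKNOWN
    return BAD if ip in FLAGGED_IPS else CLEAN


def score_os(os_name: Optional[str], os_version: Optional[str]) -> int:
    """Score the operating system indicator."""
    if not os_name or not os_version:
        return UNKNOWN
    return BAD if (os_name.lower(), os_version) in VULNERABLE_OS else CLEAN


def score_usage(installed_apps: Optional[Iterable[str]]) -> int:
    """Score the usage record indicator; an empty list means 'checked, nothing found'."""
    if installed_apps is None:
        return UNKNOWN
    return BAD if HIGH_RISK_APPS & set(installed_apps) else CLEAN


def evaluate(device_info: Mapping) -> dict:
    """Build the per-indicator scores and tally them into one evaluation result."""
    scores = {
        "ip": score_ip(device_info.get("ip")),
        "os": score_os(device_info.get("os_name"), device_info.get("os_version")),
        "usage": score_usage(device_info.get("installed_apps")),
    }
    scores["total"] = sum(scores.values())
    return scores


def verification_plan(total: int) -> list:
    """Map the evaluation result to verification steps and the information each collects."""
    plan = [("identity_information", "name and ID document number")]
    if total >= 1:
        plan.append(("biometric_information", "face image"))
    if total >= 3:
        plan.append(("liveness_detection", "live video of the user"))
    return plan


# Constructed device records.
CLEAN_DEVICE = {"ip": "198.51.100.20", "os_name": "iOS", "os_version": "17.4",
                "installed_apps": ["com.example.shop"]}
RISKY_DEVICE = {"ip": "203.0.113.7", "os_name": "Android", "os_version": "4.4",
                "installed_apps": ["com.example.shop", "com.example.riskyapp"]}
PARTIAL_DEVICE = {"ip": "198.51.100.20", "installed_apps": []}  # OS was not reported

if __name__ == "__main__":
    for name, device in [("clean", CLEAN_DEVICE), ("risky", RISKY_DEVICE),
                         ("partial", PARTIAL_DEVICE)]:
        result = evaluate(device)
        steps = [step for step, _ in verification_plan(result["total"])]
        print(name, result, steps)
```

Scoring a missing indicator as unknown rather than clean means a client that withholds its device details is stepped up to a stronger check instead of receiving the weakest one.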
According to an embodiment of the present invention, another device embodiment for implementing the above identity authentication method is also provided. FIG. 8 is a structural block diagram of another identity authentication device according to an embodiment of the present invention. As shown in FIG. 8, the device includes: a running module 80, configured to run an application; and a triggering module 90, configured to trigger an authentication server to perform authentication status detection on the user account corresponding to the application, where the authentication status detection performs an evaluation using the obtained historical association data of the user account to obtain an evaluation result and determines the corresponding identity authentication method according to the evaluation result, and the historical association data is information associated with the user account that was obtained within a preset business cycle.
An embodiment of the present invention also provides a storage medium. Those with ordinary knowledge in the technical field can understand that all or some of the steps in the methods of the above embodiments can be completed by a program instructing hardware related to the terminal device or server-side device. The program may be stored in a computer-readable storage medium, and the storage medium may include a flash drive, read-only memory (ROM), random access memory (RAM), a magnetic disk, an optical disc, and the like.
Optionally, in this embodiment, the storage medium may be used to store the program code executed by the identity authentication method provided in the first embodiment.
Optionally, in this embodiment, the storage medium may be located on any server of a server group in a computer network.
Optionally, in this embodiment, the storage medium is configured to store program code for performing the following steps: S1, obtaining historical association data of the user account corresponding to an application, where the historical association data is information associated with the user account that was obtained within a preset business cycle; S2, performing an evaluation using the historical association data to obtain an evaluation result; S3, determining the corresponding identity authentication method according to the evaluation result and performing identity authentication.
Optionally, in this embodiment, the storage medium is further configured to store program code for performing the following steps: receiving a first request message from user equipment, where the user equipment is used to run the application; performing authentication status detection on the user account according to the first request message, and returning a first response message to the user equipment, where the first response message is used to confirm that the user account is an account to be authenticated.
Optionally, in this embodiment, the storage medium is further configured to store program code for performing the following steps: receiving a second request message from the user equipment; determining, according to the second request message, the authorization authentication information to be issued; returning a second response message to the user equipment, where the second response message carries the authorization authentication information.
Optionally, in this embodiment, the storage medium is further configured to store program code for performing the following steps: analyzing the historical association data and building an evaluation model, where the evaluation model includes a level or score corresponding to each feature indicator in the historical association data; tallying the level or score corresponding to each feature indicator in the evaluation model to obtain the evaluation result.
Optionally, the user equipment information includes at least the following feature indicators: the Internet Protocol (IP) address information used by the user equipment, the type of operating system used by the user equipment, and the usage record of the user equipment. In this embodiment, the storage medium is further configured to store program code for performing the following steps: obtaining the IP address information, operating system type, and usage record contained in the user equipment information, and building the evaluation model; determining from the IP address information whether the user equipment has performed illegal operations and tallying the corresponding level or score, determining from the type of operating system used by the user equipment whether that operating system has security vulnerabilities and tallying the corresponding level or score, and determining from the usage record of the user equipment whether high-risk applications have been installed on it and tallying the corresponding level or score; obtaining the evaluation result by tallying the level or score corresponding to each feature indicator.
Optionally, the preset business cycle includes a first evaluation cycle and a second evaluation cycle. In this embodiment, the storage medium is further configured to store program code for performing the following steps: obtaining the trend of change in the historical association data between the first evaluation cycle and the second evaluation cycle; analyzing the trend of change to obtain the evaluation result.
Optionally, in this embodiment, the storage medium is further configured to store program code for performing the following steps: determining, according to the evaluation result, the verification steps to be performed and the identity authentication related information to be collected in each verification step; performing identity authentication according to the verification steps to be performed and the identity authentication related information to be collected in each verification step.
The sequence numbers of the above embodiments of the present invention are for description only and do not indicate the relative merits of the embodiments.
In the above embodiments of the present invention, the description of each embodiment has its own emphasis. For a part that is not described in detail in one embodiment, refer to the related description of the other embodiments.
In the several embodiments provided in this application, it should be understood that the disclosed technical content can be implemented in other ways. The device embodiments described above are only illustrative. For example, the division into units is only a division by logical function, and an actual implementation may divide them differently: multiple units or components may be combined or integrated into another system, or some features may be omitted or not executed. In addition, the mutual coupling, direct coupling, or communication connection shown or discussed may be an indirect coupling or communication connection through some interfaces, units, or modules, and may be electrical or take other forms.
The units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units; that is, they may be located in one place or distributed across multiple network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, the functional units in the embodiments of the present invention may be integrated into one processing unit, each unit may exist physically on its own, or two or more units may be integrated into one unit. The integrated unit may be implemented in the form of hardware or in the form of a software functional unit.
If the integrated unit is implemented in the form of a software functional unit and sold or used as an independent product, it may be stored in a computer-readable storage medium. Based on this understanding, the technical solution of the present invention, in essence, or the part of it that contributes over the prior art, or all or part of the technical solution, can be embodied in the form of a software product. The computer software product is stored in a storage medium and includes several instructions that cause a computer device (which may be a personal computer, a server, a network device, or the like) to perform all or some of the steps of the methods described in the embodiments of the present invention. The aforementioned storage medium includes any medium that can store program code, such as a USB flash drive, read-only memory (ROM), random access memory (RAM), a portable hard disk, a magnetic disk, or an optical disc.
The above is only a preferred implementation of the present invention. It should be noted that those with ordinary knowledge in the technical field can make several improvements and refinements without departing from the principles of the present invention, and these improvements and refinements should also be regarded as falling within the scope of protection of the present invention.
Claims (22)
Applications Claiming Priority (2)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201611010182.6A CN108076018A (en) | 2016-11-16 | 2016-11-16 | Identity authentication system, method, device and account authentication method |
| 201611010182.6 | 2016-11-16 | | |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| TW201820194A (en) | 2018-06-01 |
Family
ID=62146141
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| TW106127337A TW201820194A (en) | 2016-11-16 | 2017-08-11 | Identity verification system, method, device, and account verification method |
Country Status (3)
| Country | Link |
|---|---|
| CN (1) | CN108076018A (en) |
| TW (1) | TW201820194A (en) |
| WO (1) | WO2018090839A1 (en) |
Cited By (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| TWI712917B (en) * | 2018-07-17 | 2020-12-11 | 開曼群島商創新先進技術有限公司 | Method and device for detecting safety of data model |
| US11075942B2 (en) | 2018-07-27 | 2021-07-27 | Advanced New Technologies Co., Ltd. | Identity verification and account information updating methods and apparatuses |
| TWI743656B (en) * | 2019-05-31 | 2021-10-21 | 開曼群島商創新先進技術有限公司 | Verification method and device |
| US11218493B2 (en) | 2019-05-31 | 2022-01-04 | Advanced New Technologies Co., Ltd. | Identity verification |
Families Citing this family (58)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN108875327A (en) | 2018-05-28 | 2018-11-23 | 阿里巴巴集团控股有限公司 | One seed nucleus body method and apparatus |
| CN109102159B (en) * | 2018-07-18 | 2023-06-20 | 平安科技(深圳)有限公司 | Passenger rating model generation method, device, computer equipment and storage medium |
| CN110399713B (en) * | 2018-07-27 | 2024-06-25 | 腾讯科技(北京)有限公司 | Information authentication method and related device |
| CN109165328A (en) * | 2018-07-27 | 2019-01-08 | 阿里巴巴集团控股有限公司 | A kind of method for authenticating user identity and device |
| CN110798432A (en) * | 2018-08-03 | 2020-02-14 | 京东数字科技控股有限公司 | Security authentication method, device and system, mobile terminal |
| CN112508568B (en) * | 2018-08-15 | 2024-08-30 | 创新先进技术有限公司 | Identity verification product push and identity verification method and system |
| CN109344582B (en) * | 2018-08-21 | 2021-12-14 | 中国联合网络通信集团有限公司 | Authentication method, device and storage medium |
| CN110879820B (en) * | 2018-09-06 | 2023-05-26 | 阿里巴巴集团控股有限公司 | Industrial data processing method and device |
| CN109067791B (en) * | 2018-09-25 | 2020-05-12 | 阿里巴巴集团控股有限公司 | User identity authentication method and device in network |
| CN111104658A (en) * | 2018-10-25 | 2020-05-05 | 北京嘀嘀无限科技发展有限公司 | Registration method and device, authentication method and device |
| CN110033362B (en) * | 2018-11-14 | 2023-07-18 | 创新先进技术有限公司 | A payment method, device and equipment |
| CN111245770B (en) * | 2018-11-28 | 2023-03-24 | 北京默契破冰科技有限公司 | Method, apparatus and computer storage medium for user account management |
| CN109635872B (en) * | 2018-12-17 | 2020-08-04 | 上海观安信息技术股份有限公司 | Identity recognition method, electronic device and computer program product |
| CN109636607B (en) * | 2018-12-18 | 2024-03-15 | 平安科技(深圳)有限公司 | Service data processing method and device based on model deployment and computer equipment |
| CN111385136B (en) * | 2018-12-29 | 2023-01-06 | 华为技术服务有限公司 | Method and device for determining user communication identifier |
| CN109815853A (en) * | 2019-01-04 | 2019-05-28 | 深圳壹账通智能科技有限公司 | Liveness detection method, apparatus, computer equipment and storage medium |
| CN109905369B (en) * | 2019-01-24 | 2022-11-04 | 平安科技(深圳)有限公司 | Early warning method and device for employee account number theft and computer readable storage medium |
| CN109933974B (en) * | 2019-02-14 | 2024-06-18 | 平安科技(深圳)有限公司 | Password initialization method, device, computer equipment and storage medium |
| CN110245474B (en) * | 2019-04-19 | 2023-07-14 | 创新先进技术有限公司 | A processing method and system for public accounts |
| CN110069414B (en) * | 2019-04-25 | 2023-05-30 | 浙江吉利控股集团有限公司 | Regression testing method and system |
| CN110084011A (en) * | 2019-05-08 | 2019-08-02 | 北京芯盾时代科技有限公司 | A kind of method and device of the verifying of user's operation |
| CN110245475B (en) * | 2019-05-30 | 2023-08-22 | 创新先进技术有限公司 | Authentication method and device |
| CN112183167B (en) * | 2019-07-04 | 2023-09-22 | 钉钉控股(开曼)有限公司 | Attendance checking method, authentication method, living body detection method, device and equipment |
| CN110569418A (en) * | 2019-07-24 | 2019-12-13 | 阿里巴巴集团控股有限公司 | Method and device for verifying academic calendar information |
| CN110675197B (en) * | 2019-09-30 | 2023-09-26 | 北京达佳互联信息技术有限公司 | Method, device, equipment and storage medium for evaluating data |
| CN113949585A (en) * | 2019-12-17 | 2022-01-18 | 支付宝(杭州)信息技术有限公司 | Credit-based information identifier generation method and device |
| CN111178949B (en) * | 2019-12-18 | 2023-07-28 | 中电金信软件有限公司 | Service resource matching reference data determining method, device, equipment and storage medium |
| CN111339829B (en) * | 2020-01-19 | 2021-04-06 | 海通证券股份有限公司 | User identity authentication method, device, computer equipment and storage medium |
| CN111708995A (en) * | 2020-06-12 | 2020-09-25 | 中国建设银行股份有限公司 | Service processing method, device and equipment |
| CN111652596B (en) * | 2020-06-15 | 2024-08-13 | 深圳前海微众银行股份有限公司 | Anti-fraud method, device, terminal equipment and storage medium for credit business |
| CN111815457A (en) * | 2020-07-01 | 2020-10-23 | 北京金堤征信服务有限公司 | Evaluation method and device for target object |
| CN113452795B (en) * | 2020-07-27 | 2024-11-12 | 费希敏 | A system for setting access rights for associated devices |
| CN112231692A (en) * | 2020-10-13 | 2021-01-15 | 中移(杭州)信息技术有限公司 | Security authentication method, device, equipment and storage medium |
| CN112199652B (en) * | 2020-10-23 | 2023-08-25 | 网易(杭州)网络有限公司 | Login method, terminal, server, system, medium and equipment of application program |
| CN112653679B (en) * | 2020-12-14 | 2022-11-15 | 北京指掌易科技有限公司 | Dynamic identity authentication method, device, server and storage medium |
| CN112633986B (en) * | 2020-12-31 | 2022-07-22 | 北京华录新媒信息技术有限公司 | Intelligent online movie ticket exchange method and system |
| CN115017509A (en) * | 2021-03-05 | 2022-09-06 | 华为技术有限公司 | Risk measurement method of user account and related device |
| CN112966243B (en) * | 2021-03-30 | 2022-09-09 | 支付宝(杭州)信息技术有限公司 | Privacy-protected verification processing method and device |
| CN113553158A (en) * | 2021-07-29 | 2021-10-26 | 北京达佳互联信息技术有限公司 | A data processing method, device, electronic device and storage medium |
| CN113779521B (en) * | 2021-09-09 | 2024-05-24 | 北京安天网络安全技术有限公司 | Identity authentication method and device, storage medium and electronic equipment |
| CN113779632B (en) * | 2021-09-14 | 2023-08-22 | 深圳市神州路路通网络科技有限公司 | Method, system, equipment and readable storage medium for protecting sensitive information of vehicle |
| CN113987455A (en) * | 2021-10-25 | 2022-01-28 | 浙江中控技术股份有限公司 | BS architecture-based industrial control system multi-factor authentication login method and system |
| CN114244582B (en) * | 2021-11-29 | 2023-06-20 | 国网江西省电力有限公司电力科学研究院 | A low-profile data acquisition terminal authentication method for data association in the Internet of Things |
| CN114285614B (en) * | 2021-12-16 | 2025-07-22 | 北京安捷金科信息技术有限公司 | Identity authentication method, identity authentication system, and readable storage medium |
| CN113987466B (en) * | 2021-12-27 | 2022-04-12 | 国网浙江省电力有限公司 | Information sequencing auditing method and device based on middlebox and storage medium |
| CN114329386B (en) * | 2021-12-28 | 2025-01-07 | 奇安信科技集团股份有限公司 | User identity authentication method, device, computing equipment and computer storage medium |
| CN114444039B (en) * | 2021-12-31 | 2025-07-18 | 长威信息科技发展股份有限公司 | Identity verification method and terminal based on data model |
| CN114423007B (en) * | 2022-01-25 | 2025-10-17 | 北京邮电大学 | Determination method and determination device for terminal access point, electronic equipment and storage medium |
| CN115022002B (en) * | 2022-05-27 | 2024-02-06 | 中国电信股份有限公司 | Verification mode determining method and device, storage medium and electronic equipment |
| CN115408673B (en) * | 2022-11-02 | 2023-10-27 | 杭州优百顺科技有限公司 | Software validity period access control management system and method |
| CN115964687A (en) * | 2022-12-14 | 2023-04-14 | 武汉卓讯互动信息科技有限公司 | Block chain-based enterprise unified account authentication method and platform |
| CN116405290B (en) * | 2023-04-11 | 2025-10-10 | 中国工商银行股份有限公司 | A method, device, system, electronic device, storage medium and program product for authorization and authentication in cross-channel and multi-business scenarios |
| CN116738509B (en) * | 2023-08-14 | 2023-12-22 | 深圳市龙勤信息技术有限公司 | A blockchain-based electronic disk encryption storage system and method |
| CN116976897A (en) * | 2023-09-20 | 2023-10-31 | 青岛华正信息技术股份有限公司 | A digital execution system and method for comprehensive safety management indicators |
| CN117349811B (en) * | 2023-10-18 | 2024-04-05 | 广州元沣智能科技有限公司 | Information authentication system based on user identity |
| CN118261768B (en) * | 2024-05-27 | 2024-08-09 | 山东恒宇电子有限公司 | Bus passenger identification analysis method based on multidimensional information combination |
| CN118631594B (en) * | 2024-08-13 | 2024-10-15 | 深圳雪峰电子有限公司 | A two-way authenticated electronic detonator system and control method thereof |
| CN120639506B (en) * | 2025-08-05 | 2025-10-14 | 北京芯盾时代科技有限公司 | AI identity authentication system and method based on user behavior |
Family Cites Families (7)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| EP2492834A1 (en) * | 2011-02-28 | 2012-08-29 | Gemalto SA | Method for authenticating a user |
| EP2498529A1 (en) * | 2011-03-08 | 2012-09-12 | Trusted Logic Mobility SAS | User authentication method for accessing an online service |
| CN102510337B (en) * | 2011-12-15 | 2014-07-09 | 复旦大学 | Quantitative risk and income self-adaptive dynamic multiple-factor authentication method |
| CN104426847A (en) * | 2013-08-22 | 2015-03-18 | 腾讯科技(深圳)有限公司 | Method, system and server for securely accessing and verifying an Internet service |
| CN104426884A (en) * | 2013-09-03 | 2015-03-18 | 深圳市腾讯计算机系统有限公司 | Method for authenticating identity and device for authenticating identity |
| CN103646197B (en) * | 2013-12-12 | 2016-06-15 | 中国石油大学(华东) | User reliability Verification System and method based on user behavior |
| CN107172049A (en) * | 2017-05-19 | 2017-09-15 | 北京信安世纪科技有限公司 | A kind of intelligent identity identification system |
- 2016
  - 2016-11-16 CN CN201611010182.6A patent/CN108076018A/en active Pending
- 2017
  - 2017-08-11 TW TW106127337A patent/TW201820194A/en unknown
  - 2017-11-03 WO PCT/CN2017/109215 patent/WO2018090839A1/en not_active Ceased
Cited By (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| TWI712917B (en) * | 2018-07-17 | 2020-12-11 | 開曼群島商創新先進技術有限公司 | Method and device for detecting safety of data model |
| US11075942B2 (en) | 2018-07-27 | 2021-07-27 | Advanced New Technologies Co., Ltd. | Identity verification and account information updating methods and apparatuses |
| TWI743656B (en) * | 2019-05-31 | 2021-10-21 | 開曼群島商創新先進技術有限公司 | Verification method and device |
| US11218493B2 (en) | 2019-05-31 | 2022-01-04 | Advanced New Technologies Co., Ltd. | Identity verification |
Also Published As
| Publication number | Publication date |
|---|---|
| WO2018090839A1 (en) | 2018-05-24 |
| CN108076018A (en) | 2018-05-25 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| TW201820194A (en) | | Identity verification system, method, device, and account verification method |
| US12229768B2 (en) | | Fraud deterrence for secure transactions |
| US10628828B2 (en) | | Systems and methods for sanction screening |
| US10037533B2 (en) | | Systems and methods for detecting relations between unknown merchants and merchants with a known connection to fraud |
| US10346845B2 (en) | | Enhanced automated acceptance of payment transactions that have been flagged for human review by an anti-fraud system |
| TWI699720B (en) | | Risk control method and device for business operation |
| CN103875015B (en) | | Gathered using the multiple-factor identity fingerprint of user behavior |
| US8918904B2 (en) | | Systems and methods for user identity verification and risk analysis using available social and personal data |
| US10074089B1 (en) | | Smart authentication and identification via voiceprints |
| US9246899B1 (en) | | Authentication and interaction tracking system and method |
| US20120185386A1 (en) | | Authentication tool |
| US20130144888A1 (en) | | Dynamic network analytics system |
| EP2933981A1 (en) | | Method and system of user authentication |
| CN107729727B (en) | | Real-name authentication method and device for account |
| WO2017196609A1 (en) | | User authentication and access control using identity services |
| JP2018018511A (en) | | System and method for identifying suspicious user behavior in user's interaction with various banking services |
| CN105786707A (en) | | Method and device for testing program |
| Lovisotto et al. | | Mobile biometrics in financial services: A five factor framework |
| WO2020233070A1 (en) | | Payment risk verification method and apparatus, computer device, and storage medium |
| CN111489175B (en) | | Online identity authentication method, device, system and storage medium |
| CN111899100A (en) | | Service control method, device and equipment and computer storage medium |
| CN104704521B (en) | | Multifactor profile and security fingerprint analysis |
| CN108009406B (en) | | Account freezing method, account unfreezing method and server |
| CA2982231A1 (en) | | Method of accessing netowrk connectivity with a portable computing device |
| CN118333630A (en) | | Abnormal transfer monitoring method and device and electronic equipment |