
CN103856332A - Implementation method of one-to-multiple account mapping binding of convenient and rapid multi-screen multi-factor WEB identity authentication - Google Patents

Info

Publication number: CN103856332A
Application number: CN201410109452.3A
Authority: CN (China)
Other versions: CN103856332B (granted patent)
Language: Chinese (zh)
Inventors: 王雅哲, 李琛, 王瑜
Original and current assignee: Institute of Information Engineering of CAS
Legal status: Granted; Expired - Fee Related (the status, assignee and date listings are Google's assumptions, not legal conclusions)
Prior art keywords: account, user, equipment, information, intelligent terminal
Timeline: application CN201410109452.3A filed by Institute of Information Engineering of CAS; published as CN103856332A; granted and published as CN103856332B

Landscapes

  • Information Transfer Between Computers (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The invention relates to an implementation method of one-to-many account mapping binding for convenient and rapid multi-screen multi-factor WEB identity authentication. On the premise of guaranteeing both high security and convenient, rapid operation of user identity authentication, a novel SSO (Single Sign-On) account mapping management method is implemented from two one-to-many bidirectional associations: between the identity provider (IDP) account and the service provider (SP) service accounts, and between the IDP account and device identities (DID). This takes place within multi-screen multi-factor identity authentication, in which the user first completes verification of local sensitive information on a mobile intelligent terminal device and, after that passes, completes one-time password (OTP) verification at the server side. The login process to many SPs is thereby replaced by a single sign-on process that can be completed with any one of many DIDs, so that the security of information in the authentication process is greatly improved while user authentication remains convenient and rapid.

Description

Implementation method of one-to-many account mapping binding for convenient multi-screen multi-factor WEB identity authentication
Technical field
The invention belongs to the field of identity authentication within information security, and specifically relates to an implementation method of one-to-many account mapping binding for convenient multi-screen multi-factor WEB identity authentication.
Background technology
With the development of networks and the spread of the Internet (the networking of desktop services), users accumulate a large number of accounts while obtaining network services. Surveys show that a user with 30 accounts typically uses only 5 or 6 passwords, and that users log in by trial, attempting each password in turn until one succeeds, or by using the password reset function. Users thus spend a great deal of time logging in; site login policies lengthen this further, and some sites demand a verification code after several wrong passwords. As more and more network services emerge, requiring a different password for each site becomes a test of the user's memory.
Single sign-on (SSO) greatly simplifies logging in to websites: it lets a user log in to every service provider (SP) website with the same identity provider (IDP) account, freeing the user from registering accounts at many sites and memorising many passwords. SSO therefore offers fewer passwords to remember, one login for everything, roaming across domains and a good user experience. However, traditional SSO does not fundamentally solve the problem of secure login: it merely converts the problem of logging the user in to each SP securely and conveniently into that of logging in to the IDP securely. Once the IDP login account is stolen, every SP service bound to that IDP can be misused, and the user's data faces a serious security threat.
Traditional strengthened authentication generally adopts two-step authentication, in which the server verifies two or three of the following to complete multi-factor authentication and raise the security level: information the user knows (something known), something the user has, and the user's own characteristics (something the user is). But if the user's channel to the server is hijacked during the connection, the additional authentication factors also leak over the hijacked channel, which leaves the user exposed.
Summary of the invention
The technical problem solved by the invention: to overcome the deficiencies of the prior art by providing an implementation method of one-to-many account mapping binding for convenient multi-screen multi-factor WEB identity authentication, which greatly improves the security of information in the authentication process while keeping user identity authentication simple to operate.
The technical solution of the invention: on the premise of guaranteeing both high security and simple operation of user identity authentication, within multi-screen multi-factor authentication (the user first completes verification of local sensitive information on a mobile intelligent terminal device and, after that passes, completes one-time password (OTP) verification at the server), a novel SSO account mapping management method is built from the one-to-many bidirectional association between the identity provider IDP account and the service provider SP service accounts and the one-to-many bidirectional association between the IDP account and the device accounts (Device Identity, DID). The login process to many SPs is thereby turned into a single sign-on process that can be completed with any one of many DIDs.
The specific implementation steps of the invention are as follows:
(1) Modelling the three-layer account system
The three-layer account system associates the three aspects of device, user and service. The three layers are the device account DID, the user account UID and the service account SPID, corresponding respectively to the device layer (DID), the user layer (UID) and the service layer (SPID). Specifically:
The device account DID identifies the mobile intelligent terminal device and serves as proof that the user possesses that device; the mobile intelligent terminal obtains it from the device warehouse server VS through certificate activation. DID information has two parts: the device owner information, kept in the local secure storage area of the mobile intelligent terminal, and the device's own information, kept on the device warehouse server VS. User information is associated directly with the DID through a local device mapping, while the device warehouse server VS stores only device information.
The user account UID is the user's account at WS and represents the user's identity; the user registers it on the authentication server WS, and UID information is kept at WS. The UID is the middleware that associates DID with SPID and is the basis on which the three-layer account system is implemented.
The service account SPID is the user's service account, provided by the SP. SPID registration takes place at the SP, SPID information is kept on the SP server, and the service privileges of the SPID are managed by the SP.
(2) Binding and using the three-layer account mapping
The three-layer account mapping binds multiple DIDs to one UID and one UID to multiple SPIDs. The device-layer identifier is obtained by device certificate activation, the service-layer identifier is obtained at the service provider SP, the user-layer identifier is obtained by registering at the authentication server, and the mapping association of the user's three-layer account system is established at that layer. Once the user has completed the three-layer account mapping binding, to obtain a service from a service provider SP the user first passes local device-layer verification; the mobile intelligent terminal then sends its DID, together with other information including the OTP, to the authentication server WS; WS looks up the UID corresponding to the DID and then, according to the service the user has chosen at the service provider to be logged in to, the service-layer account SPID corresponding to that UID; WS sends the relevant information to the SP server, and the user's authenticated login to the desired service is complete.
(3) Login process under the three-layer account system after account mapping binding
(31) Registering the mobile intelligent terminal
A client is installed on the mobile intelligent terminal device; on first run it registers a device account DID on the device warehouse server VS.
(32) User registration on the mobile intelligent terminal
When the user starts using the mobile intelligent terminal device, the user registers user information locally on the terminal and then completes the binding to the device account DID.
(33) User account registration
The user registers a user account UID on the authentication server WS.
(34) Binding the device account DID to the user account UID
After completing step (33), the UID must be bound to a DID, so the user continues the binding procedure and selects UID binding. The secure browser plug-in starts a local Wi-Fi access point and presents the Wi-Fi connection information to the user as a QR code; the user scans the QR code with the mobile intelligent terminal, which reads the connection information and establishes a wireless link with the browser plug-in, over which the DID and OTP information are passed and forwarded by the browser plug-in to WS. After verification succeeds, the binding is complete.
(35) Binding the device account DID to a service account SPID
After step (34) the basic account binding procedure is complete. When the user accesses a service provider SP, after local verification and SP server verification, the SPID bound for that SP can be looked up by DID. If none is bound, the flow jumps to initial SPID binding: the user first logs in with the SPID's account and password; after login, the SP securely sends an SPID assertion to the authentication server WS, and WS completes the binding according to the assertion and the correspondence between SPID and UID. If an SPID is already bound, WS securely sends an assertion and the SPID information to the SP server, completing the authenticated login.
In step (31), on first run the client must complete device registration on the device warehouse server VS; if the device is already registered on VS, the registration process is skipped, the user is notified that the device is already registered, and use can continue.
In step (32), the binding information is stored locally on the mobile intelligent terminal, so that the user can complete local verification on the terminal by entering their own local account information. Passing this first-layer verification starts the device's OTP generation for the subsequent verification; if local verification fails, it is repeated until it succeeds.
In step (34), if verification fails the binding fails and the system rolls back to the state before UID registration, so that no UID exists without a DID binding, which would otherwise pose a potential threat.
In step (35), the security assertions are produced respectively by the SP server and by the authentication server WS; any verification failure causes step (35) to fail, and it must then be re-executed.
The basic principle of the scheme is briefly described below.
Aspect one: the device account DID. The DID identifies the user's mobile intelligent terminal device and serves as proof that the user possesses that device; the mobile terminal device registers it on the device warehouse server VS, and the device account information (such as a device certificate) is obtained through device certificate activation. DID account information has two parts: the user's static sensitive information, kept on the mobile terminal, and the mobile terminal device information, kept on the device warehouse server VS. A mapping relationship exists between these two parts. The advantages are: (1) the server does not learn the concrete identity of the user and can only identify a trusted device, so the user's account identity is identified through the identity of the trusted device and the privacy of the user's identity is protected; (2) the device account identifies the mobile terminal and is the authentication information compared in the later, enhanced verification, linking user information to the mobile terminal.
Aspect two: the user account UID. As the middleware of the three-layer account system, the UID bridges the three account layers; the user obtains it by registering on the authentication server WS. The benefit of this layer is that control of mapping binding is handed to the account management module of the authentication server WS, which implements the one-to-many mapping binding and unbinding between the user account UID and device accounts DID and between the user account UID and service accounts SPID, giving a better experience and support for high compatibility.
Aspect three: the service account SPID. The SPID is the user's service account, provided by the service provider SP. SPID registration is completed at the SP server, SPID information is kept on the SP server, and the SPID's service privileges are managed by the SP. Under the three-layer account system the UID is associated with the service account SPID, and the SPID is the information by which the network service recognises the user. This both keeps service control with the SP, so that the SP can refuse a user's service request via a blacklist, and leaves the SP unchanged, reducing the cost and security risk of integrating with the SP and making the system easier to deploy.
The implementation method of one-to-many account mapping binding for convenient multi-screen multi-factor WEB identity authentication proposed by the invention requires the user to register a personal FIDO user account UID at the FIDO-IDP (FIDO identity provider) website provided by the multi-screen multi-factor authentication mechanism built on the FIDO (Fast Identity Online) framework, and then to bind the network service accounts in use to this account. When the user needs a network service, the user logs in to the FIDO-IDP through one round of two-layer security authentication and, after the FIDO-IDP authorises the SP account, can use the network service.
Compared with the prior art, the invention has the following advantages. It proposes a convenient account mapping management method while improving the user's login security through multi-screen multi-factor authentication. The user's local static sensitive information is first verified on the mobile intelligent terminal device; after that passes, the one-time key (OTP) generated by the mobile intelligent terminal device is encrypted and submitted to the server-side FIDO-IDP for verification, ensuring the security of user authentication to the greatest extent. At the same time, the three-layer association of mobile intelligent terminal device accounts, FIDO-IDP user accounts and service provider SP service accounts SPID simplifies the single sign-on process and the identification of identity.
Brief description of the drawings
Fig. 1 is an overall implementation schematic of the invention;
Fig. 2 is a schematic of the three-layer account system in the multi-screen multi-factor authentication of the invention;
Fig. 3 is a schematic of convenient user login under the three-layer account system in the multi-screen multi-factor authentication of the invention;
Fig. 4 is a flowchart of account binding and login under the three-layer account system in the multi-screen multi-factor authentication of the invention.
Embodiment
To make the objectives, advantages and technical solution of the invention clearer, the invention is described in more detail below through a concrete embodiment and with reference to the accompanying drawings.
The three-layer account system of the invention is built on the multi-screen multi-factor authentication method, which verifies different authentication data at the local device layer and at the server layer respectively, avoiding the conventional practice of verifying data only at the server layer and improving authentication security through multi-layer verification across multiple screens. In that method the user performs local authentication through the mobile intelligent terminal device, then uses the terminal to log in to the FIDO-IDP, and finally obtains authorisation for the network service. On that basis, the three-layer account association system associates the three aspects of device, user and service. With the user account as the key intermediate layer, device, user and service remain associated while each keeps a degree of independence. This layered implementation guarantees the integrity of the security authentication process and at the same time protects the privacy of each layer's data.
For user login the invention provides a multi-screen multi-factor authentication method: after the user performs local verification on the mobile intelligent terminal device, the OTP generated by the device is submitted to the authentication server FIDO-IDP for verification. The components needed for the two-layer authentication are: the browser plug-in, the mobile intelligent terminal device, the device warehouse server (VS), the device warehouse verification cache (VC), the authentication server (WS) and the service provider (SP).
The browser plug-in is installed on the user's intelligent terminal and is a custom component that keeps the critical functions of every part of the system working smoothly; it mainly generates the QR code, establishes the secure connection with the mobile intelligent terminal device and forwards message content. When binding or logging in to a user account, the user invokes this plug-in to generate a QR code containing the intelligent terminal's connection information; after the mobile intelligent terminal scans the QR code, it uses the information in it to set up a secure connection with the plug-in, and once the secure connection is established the plug-in forwards certain message content (such as the OTP).
The mobile intelligent terminal provides a physically isolated device for the password. Before use the mobile intelligent terminal device must be registered so that its record is present in VC, and it must negotiate the shared key used to generate the OTP. It also provides the first-factor local authentication function, and only after that passes does it generate the OTP that provides the second-factor verification. The mobile intelligent terminal device also obtains the intelligent terminal's connection information by scanning the QR code and completes an automatic wireless connection with the intelligent terminal.
The device warehouse verification cache (VC) is a cache of the data stored by the device warehouse server and is physically connected to the authentication server WS. Each time the authentication server WS submits a mobile intelligent terminal device identifier DID, VC can quickly and efficiently return the corresponding OTP verification.
The authentication server (WS) is the core of the system and the most important part of the FIDO-IDP, responsible for the core user account management and account binding management. The user logs in to the user account at this server and, when logging in to an SP, obtains from this server the authorisation for the service provider account. When the user logs in, WS submits the OTP request corresponding to the DID to VC.
The device warehouse server (VS) provides registration for mobile intelligent terminal devices; every mobile intelligent terminal device must register before using the system. It negotiates with the device the shared key and the mobile intelligent terminal device identifier (DID), stores them and updates them into VC, so that WS can obtain the information of the user's mobile intelligent terminal device during the user's second-factor authentication.
The service provider (SP) is the entity providing the network service; by binding a user account to multiple service provider accounts, the user can log in to multiple service provider accounts by logging in to one user account. The service provider needs to establish a trust relationship with WS and have a secure communication channel.
Among the functional components of the multi-screen multi-factor authentication method above, the device warehouse server VS provides the device account of the three-layer account system, the service provider SP provides the user's service account, and the authentication server WS provides the user account and is the bridge connecting the three account layers.
Fig. 1 describes as a whole the overall framework of account management in multi-screen multi-factor authentication, which mainly comprises the two parts below.
One: implementation of the three-layer account system in multi-screen multi-factor authentication
As shown in Fig. 2, the three-layer account system is designed with a device layer (DID), a user layer (UID) and a service layer (SPID). This design mainly addresses the confidentiality of information and the convenient management of many identities during the authentication process.
The device account DID, as the identifier of the mobile intelligent terminal device, is obtained by the device from VS through certificate activation. DID information has two parts: the device owner information, kept in the local secure storage area of the mobile intelligent terminal, and the device's own information, kept on the device warehouse server VS. User information is associated directly with the DID through a local device mapping while server VS stores only device information. The benefit is that the server does not learn the concrete identity of the user; it can only recognise that the device the user holds is a trusted device, and the device owner can also authorise other trusted users to use the device. The DID identifies the mobile intelligent terminal device and at the same time provides the comparison of the user's identity authentication information at the authentication server WS, acting as the bridge that associates that information with the mobile intelligent terminal device.
The user account UID is the user's account at WS and represents the user's identity; the user registers it on the WS server, where UID information is kept. It is the middleware associating DID with SPID and the basis of the three-layer account system. The benefit of this layer is that mapping control is handed to WS: through WS's account management module, one-to-many mapping binding to DIDs and one-to-many mapping binding to SPIDs are implemented, together with unbinding from DIDs and SPIDs, giving a better experience and support for high compatibility.
The service account SPID is the user's service account, provided by the SP. SPID registration takes place at the SP, SPID information is kept on the SP server, and its service privileges are managed by the SP. The UID account system is associated with the SPID, and the SPID is the information recognisable by the service provider SP. This keeps service control with the SP, so that the SP can refuse a user's service request via a blacklist; it leaves the SP service system unchanged, reducing integration cost and making deployment more convenient; and by distributing service control across the SPs it protects the user's private information to some extent.
In the three-layer account mapping binding, multiple DIDs are bound to one UID and one UID to multiple SPIDs. The device-layer identifier is obtained by device certificate activation, the service-layer identifier at the service provider SP, and the user-layer identifier by registering at the authentication server, where the mapping association of the user's three-layer account system is established. After the user has completed the binding, when the user wants a service from a service provider, the user first passes local device-layer verification; the DID of the mobile intelligent terminal and other information (such as the OTP) are then sent to the authentication server; WS looks up the UID corresponding to the DID and, according to the service the user has chosen at the service provider, the service-layer account SPID corresponding to that UID; WS sends the relevant information to the SP server, completing the user's authenticated login to the desired service.
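The binding tables described in steps (1) and (2) of the summary and in section One above can be modelled as a small account-management module at WS. The following is an added example in Python, not code from the patent or its authors; the class and method names, the in-memory dictionaries, the rule that a UID's last DID cannot be unbound, and the sample identifiers are assumptions made for illustration.

```python
from collections import defaultdict
from typing import Dict, List, Optional, Set, Tuple

# Added example, not the patent's own code: the WS-side binding tables of the
# three-layer account system. Names and signatures are assumptions.


class ThreeLayerAccounts:
    """Binding tables kept at the authentication server WS.

    Invariants enforced:
      * a DID is bound to at most one UID (UID -> DIDs is one-to-many);
      * a UID may be bound to several SPIDs, possibly several at one SP
        (UID -> SPIDs is one-to-many);
      * a UID never exists without a bound DID (the step (34) rollback rule).
    """

    def __init__(self) -> None:
        self.did_to_uid: Dict[str, str] = {}
        self.uid_to_dids: Dict[str, Set[str]] = defaultdict(set)
        # uid -> {(sp, spid)}: the SPIDs a user has bound, keyed by service provider
        self.uid_to_spids: Dict[str, Set[Tuple[str, str]]] = defaultdict(set)

    def register_uid(self, uid: str, did: str, device_verified: bool) -> bool:
        """Steps (33)-(34): a UID is committed only together with its first DID
        binding. If the DID/OTP verification failed, nothing is recorded, so no
        DID-less UID is left behind (the rollback described for step (34))."""
        if uid in self.uid_to_dids or did in self.did_to_uid:
            return False
        if not device_verified:
            return False  # rolled back: state is as before UID registration
        self.did_to_uid[did] = uid
        self.uid_to_dids[uid].add(did)
        return True

    def bind_did(self, uid: str, did: str) -> bool:
        """One more device for an existing UID (UID -> DID one-to-many)."""
        if uid not in self.uid_to_dids or did in self.did_to_uid:
            return False
        self.did_to_uid[did] = uid
        self.uid_to_dids[uid].add(did)
        return True

    def unbind_did(self, uid: str, did: str) -> bool:
        """Unbinding keeps the invariant: the last DID of a UID is not removable
        (an assumption of this example; the patent only states the rollback rule)."""
        dids = self.uid_to_dids.get(uid)
        if not dids or did not in dids or len(dids) == 1:
            return False
        dids.remove(did)
        del self.did_to_uid[did]
        return True

    def bind_spid(self, uid: str, sp: str, spid: str) -> bool:
        """Step (35), initial SPID binding, called after WS has verified the SP's
        assertion for (sp, spid)."""
        if uid not in self.uid_to_dids:
            return False
        self.uid_to_spids[uid].add((sp, spid))
        return True

    def unbind_spid(self, uid: str, sp: str, spid: str) -> bool:
        spids = self.uid_to_spids.get(uid)
        if not spids or (sp, spid) not in spids:
            return False
        spids.remove((sp, spid))
        return True

    def resolve(self, did: str, sp: str) -> Optional[Tuple[str, List[str]]]:
        """Login lookup: DID -> UID -> the SPIDs bound at the chosen SP.
        None means the DID is unknown to WS; an empty list means the UID has no
        account at that SP yet, which is the 'jump to initial SPID binding' case."""
        uid = self.did_to_uid.get(did)
        if uid is None:
            return None
        bound = self.uid_to_spids.get(uid, set())
        return uid, sorted(spid for s, spid in bound if s == sp)


if __name__ == "__main__":
    # Constructed sample identifiers, not taken from the patent.
    acc = ThreeLayerAccounts()
    print(acc.register_uid("alice", "DID-phone", device_verified=False))  # rolled back
    print(acc.register_uid("alice", "DID-phone", device_verified=True))
    acc.bind_did("alice", "DID-tablet")
    acc.bind_spid("alice", "shop", "alice@shop")
    print(acc.resolve("DID-tablet", "shop"), acc.resolve("DID-tablet", "bank"))
```

The point to notice is that `resolve` distinguishes an unknown device (reject the login) from a known device whose user simply has no account at that SP yet (run the initial SPID binding of step (35)); collapsing the two into one failure path would either lock users out of new services or let an unregistered DID reach the binding flow.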
Two: the login process after account mapping binding under the three-layer account system
Initialisation: before using the mapping binding of this scheme, the user must initialise the mobile intelligent terminal device (such as a smartphone or tablet) and the intelligent terminal (such as a computer or smart cloud TV) to obtain the account information of each of the three layers.
Initialisation of the mobile intelligent terminal device: after installing the multi-screen multi-factor authentication application on the device, the user initialises it by connecting to the device authentication server VS to complete registration and negotiate the device certificate of the user's mobile intelligent terminal; this certificate is used to identify the user and to establish the secure SSL channel. At the same time the DID that identifies the certificate is negotiated and the shared key K for OTP generation is produced. All these data are stored in the secure storage area of the mobile intelligent terminal device, which only the multi-screen multi-factor authentication application can access. After registration succeeds, VS updates the device's information into each distributed device warehouse verification cache VC. This process mainly establishes the device-layer account and lays the device-layer foundation for multi-screen multi-factor authentication.
Initialisation of the intelligent terminal: the user installs the authentication security plug-in in the browser of the intelligent terminal (such as a PC or smart cloud TV) to provide the login function based on secure wireless transfer of authentication information. The user must also install a certificate in the intelligent terminal's browser to guarantee secure SSL channels between the authentication security plug-in and the mobile intelligent terminal device and between the plug-in and the authentication server WS.
As shown in Fig. 3, a single login requires the following steps. Assume the user already has a user account UID and a service provider account SPID, that these are bound at the authentication server WS, and that the device account DID and the user account UID have completed mapping binding. Since the mobile intelligent terminal device is not restricted to a particular kind of device in this scheme, a smartphone is taken as the example here and the concrete process is described with reference to Fig. 4, where steps a) to h) are the user account login process and steps i) to l) are the process of obtaining authorisation for the service provider SP account:
a) From browser B on the intelligent terminal PC the user visits the SP website and selects single sign-on; the SP website redirects to the login page of the authentication server WS;
b) The browser establishes a secure SSL connection with the WS server through the authentication security plug-in, with SSL shared key KBW. The WS page invokes the security plug-in installed in the browser, which sets up a Wi-Fi access point and displays the PC's Wi-Fi connection information as a QR code on the page. The QR code contains [SSID, Password, Address, Port], where SSID is the identifier of the Wi-Fi access point, Password its password, Address its IP address and Port an idle port number of the access point;
c) The user first unlocks the corresponding local account on the mobile intelligent terminal device with the local password, opens the device application, scans the QR code generated in step b), parses its content and establishes a secure SSL connection with the browser on the intelligent terminal PC, with SSL shared key KBM;
d) The mobile intelligent terminal device generates the OTP using the pre-negotiated shared key K and sends the message {DID, Time, Sig}KBM to the intelligent terminal over the secure connection established in step c);
e) After the security plug-in on the intelligent terminal PC receives the message sent wirelessly and securely by the mobile intelligent terminal device, it forwards the message to the WS server over the secure channel established between the browser and WS;
f) The WS server receives the message from the intelligent terminal PC, decrypts it with KBW over the secure SSL channel to obtain DID, Time and Sig, checks the validity of Time, and submits DID, Time and Sig to the device warehouse verification cache VC to verify their validity. If Time is invalid, verification fails and the user is notified of the failure;
g) On receiving DID, Sig and Time, VC looks up the corresponding shared key K by DID, generates the OTP using this key and the current system time as parameters, signs DID and Time with the OTP using the same HMAC algorithm as the intelligent terminal, compares the result with the received Sig, and returns the result to WS;
h) If Sig verifies, VC returns success and the user account bound to the DID is logged in; if Sig does not verify, authentication fails. The WS page now shows the SP accounts the user has bound, and the user selects one to log in with. WS randomly generates an authorization code (Authorization Code), associates it with the SP account the user selected, and returns a link to the SP carrying the Authorization Code as a parameter;
i) The browser follows the link returned by WS to the SP's processing page;
j) The SP verifies the validity of this redirect request and that it comes from the same browser as the request that started the login. If valid, it sends the Authorization Code to WS and requests authorisation for the SP account; if invalid, it returns a login error;
K) WS, receiving after SP account authorization requests, is back to service provider SP by SP account corresponding Authorization Code;
L) SP returns to the browser of intelligent terminal PC that SP account logs in successfully or failed result.
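The OTP-based check of steps d), f) and g) (and the same DID/OTP check that claim 1, step (34), performs during binding), as an added example written for this page and not the patent's own code: the mobile terminal builds {DID, Time, Sig}, and the verification cache VC regenerates the OTP from K and its own clock and recomputes the HMAC. The OTP construction (an HMAC over a 30-second time step), the freshness window, the replay set and all names are assumptions; the page only states that the OTP is derived from K and the current time and that Sig is an HMAC over DID and Time keyed with the OTP.

```python
import hmac
import hashlib

OTP_STEP = 30    # assumed OTP time step (seconds); the page does not fix the OTP construction
MAX_SKEW = 60    # assumed freshness window for Time, checked by WS in step f)


def generate_otp(shared_key: bytes, t: int) -> bytes:
    """OTP from the pre-shared key K and a time value (assumed HMAC time-step construction)."""
    counter = (t // OTP_STEP).to_bytes(8, "big")
    return hmac.new(shared_key, counter, hashlib.sha256).digest()


def sign_did_time(otp: bytes, did: str, t: int) -> str:
    """Sig = HMAC keyed with the OTP over DID and Time (steps d) and g))."""
    return hmac.new(otp, f"{did}|{t}".encode(), hashlib.sha256).hexdigest()


def device_build_message(shared_key: bytes, did: str, now: int) -> dict:
    """Mobile terminal side, step d): build {DID, Time, Sig}.
    Protection under KBM is the SSL channel's job and is not modelled here."""
    otp = generate_otp(shared_key, now)
    return {"DID": did, "Time": now, "Sig": sign_did_time(otp, did, now)}


class VerificationCache:
    """Device repository verification cache VC, steps f) and g) (constructed model)."""

    def __init__(self, device_keys: dict):
        self.device_keys = device_keys   # DID -> shared key K, populated at device registration
        self.seen = set()                # (DID, Time) pairs already accepted (added replay check)

    def verify(self, msg: dict, now: int) -> tuple:
        did, t, sig = msg["DID"], msg["Time"], msg["Sig"]
        if not isinstance(t, int) or abs(now - t) > MAX_SKEW:
            return False, "Time invalid"               # step f): reject a stale Time
        if (did, t) in self.seen:
            return False, "replay"                     # assumption: VC remembers accepted pairs
        key = self.device_keys.get(did)
        if key is None:
            return False, "unknown DID"                # step g): look up K by DID
        # Step g): regenerate the OTP from K and the current system time and recompute the
        # HMAC over DID and Time. The adjacent time steps are also tried so that a message
        # built just before or after a step boundary is not rejected because of clock drift.
        for candidate in (now, now - OTP_STEP, now + OTP_STEP):
            expected = sign_did_time(generate_otp(key, candidate), did, t)
            if hmac.compare_digest(expected, sig):     # constant-time comparison
                self.seen.add((did, t))
                return True, "ok"
        return False, "Sig invalid"
```

Without the replay set, any message captured inside the freshness window would verify again, so a real VC needs some record of accepted (DID, Time) pairs in addition to the Time check the page describes.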

Claims (5)

1. An implementation method for one-to-many account mapping binding for convenient multi-screen multi-factor WEB identity authentication, characterized in that the implementation steps are as follows:
(1) Modeling the three-layer account system
The three-layer account system associates the three aspects of device, user and service. The three layers are the device account DID, the user account UID and the service account SPID, corresponding to the device layer (DID), the user layer (UID) and the service layer (SPID) respectively; wherein:
The device account DID is the identifying information of the mobile intelligent terminal device and serves to identify that the user possesses this device; it is obtained by the mobile intelligent terminal device from the device repository (ED) server VS through a certificate activation technique. DID information consists of two parts: one part is the owner information of the mobile intelligent terminal device, kept in the local secure storage area of the mobile intelligent terminal; the other part is the mobile intelligent terminal device's own information, kept on the device repository (ED) server VS. User information is associated directly with DID information through the local device mapping relationship, and the device information is stored on the device repository (ED) server VS;
The user account UID is the user's account at WS and represents the user's identity; it is obtained by the user registering on the authentication server WS, and UID information is kept at the authentication server WS. UID is the intermediary that associates DID with SPID and is the basis on which the three-layer account system is implemented;
The service account SPID is the user's service account and is provided by SP; registration of SPID is carried out at the SP end, SPID information is kept on the SP server, and the service privileges of SPID are managed by SP;
(2) Three-layer account mapping binding
In three-layer account mapping binding, multiple DIDs are mapped and bound to one UID, and one UID is mapped and bound to multiple SPIDs. The device-layer identifier is obtained through the device certificate activation technique, the user-layer identifier is obtained by the user registering at the authentication server, and the service-layer identifier is obtained at the service provider SP; the mapping association under the user's three-layer account system is realized at this layer, and the user thereby completes the three-layer account system mapping binding;
(3) Login process under the three-layer account system after account mapping binding
(31) Mobile intelligent terminal registration
A client is installed on the mobile intelligent terminal device; on its first run it registers the device account DID on the device repository (ED) server VS;
(32) User registration on the mobile intelligent terminal
When using the mobile intelligent terminal device, the user registers user information locally on the mobile intelligent terminal and then completes the binding with the device account DID;
(33) User account registration
The user registers the user account UID on the authentication server WS;
(34) Binding the device account DID to the user account UID
After the user completes step (33), the UID needs to be bound to a DID, so the user continues the binding procedure and selects binding of the UID. The secure browser plug-in starts a local Wi-Fi access point and presents the Wi-Fi connection information to the user in the form of a QR code; using the QR code scanning function of the mobile intelligent terminal, the user reads the incoming information and establishes a wireless interconnection with the browser plug-in, and at the same time the DID information and OTP information are transmitted to WS through the browser plug-in; after verification passes, the binding is complete;
(35) Binding the device account DID to the service account SPID
When the user completes step (34), the basic account binding procedure is complete. When the user accesses the service provider SP, after local verification and SP server verification, the SPID bound for the corresponding SP can be looked up by DID; if none is bound, the flow jumps to the initial SPID binding. The binding procedure first completes a login with the SPID's account and password; after login, an SPID assertion is sent securely to the authentication server WS, and the authentication server WS completes the binding according to the assertion and the correspondence between SPID and UID. If already bound, WS sends a security assertion and SPID information to the SP server, completing the authentication login process.
2. The implementation method of one-to-many account mapping binding for convenient multi-screen multi-factor WEB identity authentication according to claim 1, characterized in that: in step (31), when the client is run for the first time it needs to complete device registration on the device repository (ED) server VS; if a registration already exists on VS, the registration process on VS is skipped and the user is notified that the device has already been registered and can continue to be used.
3. The implementation method of one-to-many account mapping binding for convenient multi-screen multi-factor WEB identity authentication according to claim 1, characterized in that: in step (32), the binding information is stored locally on the mobile intelligent terminal; the purpose is that the user enters their own local account information on the mobile intelligent terminal to complete local verification, and once this first-layer verification passes, the device starts the OTP generation process to complete subsequent verification; if local verification fails, verification is required again until it succeeds.
4. The implementation method of one-to-many account mapping binding for convenient multi-screen multi-factor WEB identity authentication according to claim 1, characterized in that: in step (34), if verification fails, the binding fails and the state rolls back to before UID registration, preventing a standalone UID without a DID binding, which would pose a potential threat.
5. The implementation method of one-to-many account mapping binding for convenient multi-screen multi-factor WEB identity authentication according to claim 1, characterized in that: in step (35), the security assertions are produced separately by the SP server and by the authentication server WS; any verification failure causes step (35) to fail and requires it to be re-executed.
Application CN201410109452.3A, priority date 2014-03-22, filing date 2014-03-22: Implementation method of one-to-multiple account mapping binding of convenient and rapid multi-screen multi-factor WEB identity authentication. Status: Expired - Fee Related. Granted as CN103856332B (en).


Publications (2)

Publication Number Publication Date
CN103856332A true CN103856332A (en) 2014-06-11
CN103856332B CN103856332B (en) 2017-02-08



Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20170208

Termination date: 20180322