JP5768033B2 - Authentication system, user terminal, authentication device, and program - Google Patents

Description

  The present invention relates to a technique for reducing the burden of managing authentication information used during user authentication and allowing the user to easily input authentication information.

  In recent years, an increasing number of users use various services provided by servers of each service provider.

  When a user uses various services provided by each service provider's server, it is necessary to register authentication information such as a password with each service provider for each service. However, when the authentication information used for each service is different, it is necessary to manage a lot of authentication information by the user himself, which increases the burden of managing the authentication information by the user. Therefore, a method that can reduce the burden of managing authentication information by the user is desired.

  As an authentication method currently used, for example, there are the following methods.

Method 1
A single sign-on method, such as Kerberos authentication, that allows you to log in to a service provider server that has a trust relationship with the authentication server by logging in to the authentication server.

Method 2
A single sign-on method in which a plurality of servers can authenticate a plurality of servers with the same authentication information by requesting an authentication part to a single authentication server, such as RADIUS authentication.

Method 3
A single sign-on method that allows users to select any authentication server from multiple authentication servers, such as Open ID authentication.

Method 4
A method for performing authentication by transmitting authentication information stored in a user terminal to an authentication server based on local authentication in the user terminal.

  Further, as a technical document filed prior to the present invention, for example, in Patent Document 1 (Japanese Patent Laid-Open No. 2002-189702), even when the number of business partners increases, the types of passwords increase for the user. A technology that enables unified management of passwords without being conscious of this is disclosed.

  In the above-mentioned Patent Document 1, authentication processing is performed using user-specific biometric information (fingerprint, face, retina, iris, palm shape, voice, etc.), thereby enabling unified management of passwords.

  Japanese Patent Laid-Open No. 2000-322383 discloses a technique for reducing the burden of managing personal authentication information.

  In Patent Document 2, the burden of managing personal authentication information is reduced by performing authentication processing using an IC card in which personal authentication information such as a user ID and password is recorded.

JP 2002-189702 A JP 2000-322383 A

  However, Method 1 and Method 2 can be used only when there is a trust relationship such as in-house system or hot spot authentication of the same company. That is, there is a problem that authentication of services that do not belong to a specific same business cannot be integrated.

  Method 3 is used for authentication integration between different operators, but there is a privacy problem that the usage status of a specific individual service can be traced entirely by the authentication server. For example, other people know the usage status of services that require login (information such as when and how often they use it).

  The method 4 has a problem that it is difficult to add new authentication information or change authentication information when a plurality of user terminals are used. In particular, it is inconvenient when adding a new user terminal.

  Moreover, in the said patent document 1, since the authentication process is performed using biometric information peculiar to a user, the function for analyzing biometric information is needed.

  Further, in Patent Document 2, since an authentication process is performed using an IC card, a reader function for reading information recorded on the IC card is required.

  The present invention has been made in view of the above circumstances, and reduces the burden of the user managing authentication information used during user authentication, and allows the user to easily input authentication information, and a user An object is to provide a terminal, an authentication device, and a program.

  In order to achieve this object, the present invention has the following features.

<Authentication system>
An authentication system according to the present invention includes:
An authentication system comprising a plurality of authentication devices and user terminals,
The user terminal is
Display means for displaying an image commonly used by a user in a plurality of the authentication devices;
Input means for inputting at least one position information on the image selected by a user operation from the images displayed on the display means as user-side authentication information;
An authentication matrix receiving means for receiving a plurality of authentication matrices composed of a plurality of codes from the authentication device at the authentication destination;
The user-side authentication information and the plurality of authentication matrices are combined, the position information constituting the user-side authentication information is converted into a code of the authentication matrix corresponding to the position information, and the converted code An authentication code generating means for generating an authentication code to be configured;
An authentication code transmitting means for transmitting the authentication code to the authentication device of the authentication destination,
The authentication device
Storage means for storing the plurality of authentication matrices and server-side authentication codes in association with the user account information;
Transmitting means for transmitting the plurality of authentication matrices to the user terminal;
And the user-side authentication code received from the user terminal, and matching the a server side authentication code stored in the storage means in association with said plurality of authentication matrices transmitted to the user terminal, both sure An authentication means for permitting authentication of the user when the authentication code matches;
It is characterized by having.

<User terminal>
The user terminal according to the present invention is:
A user terminal that performs authentication with a plurality of authentication devices,
Display means for displaying an image commonly used by a user in a plurality of the authentication devices;
Input means for inputting at least one position information on the image selected by a user operation from the images displayed on the display means as user- side authentication information;
An authentication matrix receiving means for receiving a plurality of authentication matrices composed of a plurality of codes from the authentication device at the authentication destination;
The user-side authentication information and the plurality of authentication matrices are combined, the position information constituting the user-side authentication information is converted into a code of the authentication matrix corresponding to the position information, and the converted code An authentication code generating means for generating an authentication code to be configured;
An authentication code transmitting means for transmitting the authentication code to the authentication device of the authentication destination,
The authentication the authentication code is stored in the storage unit of the authentication destination of the authentication device from the association with the authentication destination and account information of the user and the plurality of authentication matrix where the user terminal receives the authentication device The authentication of the user is permitted when it matches the code.

<Authentication device>
The authentication device according to the present invention is:
An authentication device for authenticating a user operating a user terminal,
Consists of user-side authentication information composed of at least one position information on the image selected by user operation of the user terminal from among images commonly used by the user in the plurality of authentication devices, and a plurality of codes A plurality of authentication matrices are combined, and an authentication code composed of the code converted into the authentication matrix code according to the location information and the plurality of authentication matrices are stored in association with the account information of the user Storage means for
Transmitting means for transmitting the plurality of authentication matrices to the user terminal;
When the authentication code is received from the user terminal after transmitting the authentication matrix, the received authentication code is stored in the storage means in association with the plurality of authentication matrices transmitted to the user terminal. The authentication code, and if both of the authentication codes match, an authentication means for permitting authentication of the user;
It is characterized by having.

<Program>
The program according to the present invention is:
A program to be executed by a computer of a user terminal that performs authentication with a plurality of authentication devices,
Display processing for displaying an image commonly used by a user on a plurality of the authentication devices on a display unit;
An input process for inputting at least one position information on the image selected by a user operation from the images displayed on the display unit to the input unit as user-side authentication information;
An authentication matrix reception process for receiving a plurality of authentication matrices composed of a plurality of codes from the authentication device of the authentication destination;
The user-side authentication information and the plurality of authentication matrices are combined, the position information constituting the user-side authentication information is converted into a code of the authentication matrix corresponding to the position information, and the converted code An authentication code generation process for generating an authentication code to be configured;
Causing the computer to execute an authentication code transmission process for transmitting the authentication code to the authentication device of the authentication destination,
The authentication code is stored in the storage means of the authentication device at the authentication destination in association with the plurality of authentication matrices received by the user terminal from the authentication device at the authentication destination and the account information of the user If the user ID matches, the user authentication is permitted.

The program according to the present invention is:
A program that is executed by a computer of an authentication device that authenticates a user who operates a user terminal,
Consists of user-side authentication information composed of at least one position information on the image selected by user operation of the user terminal from among images commonly used by the user in the plurality of authentication devices, and a plurality of codes A plurality of authentication matrices are combined, and an authentication code composed of the code converted into the authentication matrix code according to the location information and the plurality of authentication matrices are stored in association with the account information of the user A storage process stored in the means;
A transmission process for transmitting the plurality of authentication matrices to the user terminal;
When the authentication code is received from the user terminal after transmitting the authentication matrix, the received authentication code is stored in the storage means in association with the plurality of authentication matrices transmitted to the user terminal. The authentication code is collated, and if both of the authentication codes match, the computer is caused to execute an authentication process for permitting the user authentication.

  ADVANTAGE OF THE INVENTION According to this invention, while reducing the burden which a user manages the authentication information used at the time of user authentication, a user can input authentication information easily.

It is a figure which shows the system configuration example of the authentication system of this embodiment. It is a figure which shows the structural example of the main apparatuses which comprise the authentication system of this embodiment. It is a figure which shows the registration processing operation example of a 1st authentication code. 3 is a diagram illustrating an example of registering a first authentication code in an authentication server 101. FIG. It is a figure which shows the example of a processing operation at the time of 1st user authentication. It is a figure which shows the example which collates 1st authentication code. It is a figure which shows the registration processing operation example of a 2nd authentication code. It is a figure which shows the example of a processing operation at the time of 2nd user authentication. It is a figure which shows the registration processing operation example of a 3rd authentication code. It is a figure which shows the example of a processing operation at the time of 3rd user authentication. It is a figure which shows the registration processing operation example of the 4th authentication code. It is a figure which shows the example of a processing operation at the time of 4th user authentication.

(Outline of Embodiment of Authentication System According to the Present Invention)
First, an outline of an embodiment of an authentication system according to the present invention will be described with reference to FIGS. 1 and 2. FIG. 1 shows a system configuration example of an authentication system according to the present invention, and FIG. 2 shows a configuration example of main devices constituting the authentication system according to the present invention.

  The authentication system according to the present invention includes a plurality of authentication devices (corresponding to the authentication servers 101 of the service providers 100-1 to n (n is an arbitrary integer)) and the user terminal UE. It is an authentication system.

  The user terminal UE is selected by a user operation from a display unit (corresponding to the display unit 10) that displays an image commonly used by the user in the plurality of authentication devices 101 and an image displayed on the display unit 10 An input unit (corresponding to the input unit 10) for inputting at least one position information on the image as authentication information, and an authentication matrix receiving unit (reception) that receives an authentication matrix composed of a plurality of codes from the authentication device 101 of the authentication destination The authentication information and the authentication matrix, the position information constituting the authentication information is converted into the code of the authentication matrix corresponding to the position information, and the authentication code constituted by the converted code Authentication code generating means (corresponding to the authentication code generating section 15) and an authentication code transmitting means for transmitting the authentication code to the authentication apparatus 101 of the authentication destination To), constituting a.

  The authentication device 101 includes a storage unit (corresponding to the storage unit 1011) that stores an authentication matrix and an authentication code in association with user account information, and a transmission unit (transmission unit) that transmits the authentication matrix to the user terminal UE. 1012) and the authentication code received from the user terminal UE and the authentication code stored in the storage means 1011 in association with the authentication matrix transmitted to the user terminal UE. And an authentication unit (corresponding to the authentication unit 1014) that permits user authentication when they match.

  The authentication system according to the present invention displays, on the user terminal UE, an image commonly used by a user in a plurality of authentication devices 101 on the display means 10, and selected from the images displayed on the display means 10 by a user operation Since at least one position information on the displayed image is input to the input means 11 as authentication information, the burden of managing the authentication information used at the time of user authentication is reduced, and the user can easily input the authentication information. Can do. Hereinafter, an embodiment of an authentication system according to the present invention will be described in detail with reference to the accompanying drawings.

(First embodiment)
<System configuration example of authentication system>
First, a system configuration example of the authentication system according to the present embodiment will be described with reference to FIG. FIG. 1 is a diagram illustrating a system configuration example of an authentication system according to the present embodiment.

  In the authentication system of this embodiment, a plurality of service providers 100-1 to 100-n (n is an arbitrary integer), an image management server 200, and a user terminal UE are configured via a network NW. The network NW can be applied to any communication form as long as information communication is possible between devices regardless of wired or wireless.

  Each service provider 100-1 to 100-n includes an authentication server 101 and an application server 102.

  The application server 102 provides various services to the user who operates the user terminal UE. The authentication server 101 performs user authentication when using the service provided by the application server 102.

  The image management server 200 manages images used during user authentication. The image management server 200 stores and manages user-specific images for each user. Images are stored and managed in association with user IDs.

  The user terminal UE is a terminal used by each user, and each user operates the user terminal UE to access the authentication server 101 of the service providers 100-1 to 100-n, performs user authentication, and user authentication becomes OK. In this case, the service provided by the application server 102 of the service providers 100-1 to 100-n in cooperation with the authentication server 101 can be used.

<Configuration example of each device constituting the authentication system>
Next, a configuration example of each device configuring the authentication system according to the present embodiment will be described with reference to FIG. FIG. 2 is a diagram illustrating a configuration example of main devices configuring the authentication system illustrated in FIG. 1.

  The authentication server 101 of each service provider 100-1 to 100-n includes a storage unit 1011, a transmission unit 1012, a reception unit 1013, and an authentication unit 1014.

  The storage unit 1011 stores a user ID, an authentication code, and an authentication matrix in association with each other. The user ID is account information for identifying the user. Any information can be used as the account information as long as the user can be identified. The authentication code is used when a user uses a service provided by the application server 102 of the service provider 100. The authentication matrix is used when generating an authentication code, and is composed of a plurality of codes.

  The transmission unit 1012 transmits various types of information. For example, the authentication matrix stored in the storage unit 1011 is transmitted to the user terminal UE.

  The receiving unit 1013 receives various information. For example, an authentication code is received from the user terminal UE.

  The authentication unit 1014 performs user authentication. For example, the authentication code stored in the storage unit 1011 and the authentication code received by the receiving unit 1013 from the user terminal UE are collated, and when both authentication codes match, user authentication is permitted.

  The image management server 200 includes a storage unit 201, a transmission unit 202, and a reception unit 203.

  The storage unit 201 stores a user ID and an image in association with each other. The user ID is information for identifying the user. The image is used when generating the authentication code.

  The transmission unit 202 transmits various types of information. For example, the image stored in the storage unit 201 is transmitted to the user terminal UE. The receiving unit 203 receives various information. For example, an image is received from the user terminal UE. The storage unit 201 stores the image received by the receiving unit 203 from the user terminal UE and the user ID in association with each other. Thereby, a user-specific image can be stored.

  The user terminal UE includes a display unit 10, an input unit 11, a transmission unit 12, a reception unit 13, an authentication matrix generation unit 14, and an authentication code generation unit 15.

  The display unit 10 displays various information. For example, the image received by the receiving unit 13 from the image management server 200 is displayed.

Input unit 1 1 inputs various kinds of information. For example, when a user operation is performed on the image displayed on the display unit 10, the position of the image where the user operation is performed is detected, and the position information on the image is input as authentication information. The authentication information is used when generating an authentication code.

  The transmission unit 12 transmits various information. For example, the authentication matrix generated by the authentication matrix generation unit 14 described later is transmitted to the authentication server 101. Further, the authentication code generated by the authentication code generation unit 15 described later is transmitted to the authentication server 101.

  The receiving unit 13 receives various information. For example, an image is received from the image management server 200.

  The authentication matrix generation unit 14 generates an authentication matrix. The authentication matrix is used when generating an authentication code, and is composed of a plurality of codes.

  The authentication code generation unit 15 generates an authentication code. The authentication code combines the authentication matrix and the authentication information, converts the position information constituting the authentication information into an authentication matrix code corresponding to the position information, and generates an authentication code constituted by the converted code. .

<Processing operation example of authentication system>
Next, a processing operation example of the authentication system according to the present embodiment will be described.

<Operation example of authentication code registration processing>
First, a processing operation example for registering the authentication code (N) in the authentication server 101 will be described with reference to FIGS. 3 and 4. FIG. 3 is a diagram illustrating an example of an operation for registering an authentication code (N). FIG. 4 is a diagram illustrating an example in which the authentication code (N) is registered in the authentication server 101. The authentication code (N) is used when a user uses a service provided by the application server 102 of the service provider 100. The authentication code (N) is a hashed authentication code.

  First, the authentication matrix generation unit 14 of the user terminal UE randomly generates an authentication matrix (step A1). In FIG. 4, the authentication matrix is a 3 × 3 matrix, and is composed of nine types of codes. Each code is a 2-character code.

  Further, the transmission unit 12 of the user terminal UE accesses the image management server 200, transmits the user ID to the image management server 200 (step A2), and the reception unit 13 receives an image corresponding to the user ID from the image management server 200. Is received (step A3). Since the image management server 200 stores and manages the user ID and the image in association with each other in the storage unit 201, the transmission is performed when the receiving unit 203 of the image management server 200 receives the user ID from the user terminal UE. The unit 202 can provide an image corresponding to the user ID to the user terminal UE.

  The display unit 10 of the user terminal UE displays an image acquired from the image management server 200. As a result, the image shown in FIG. 4 is displayed on the display unit 10. Based on the user's own memory, the user selects a feature point position on the image displayed on the display unit 10 and inputs authentication information to the input unit 11 (step A4). The authentication information is information on a specific point position on the image displayed on the display unit 10. When a user operation is performed on the image displayed on the display unit 10, the user terminal UE detects the position of the image on which the user operation has been performed. The case of FIG. 4 shows a state in which the areas 1, 2, and 3 are selected in order by the user operation. The position information of 1 → 2 → 3 is authentication information.

  The authentication code generation unit 15 of the user terminal UE combines the authentication information input to the input unit 11 and the authentication matrix generated by the authentication matrix generation unit 14 in step A1 to generate an authentication code (n) (step) A5).

  In the case of FIG. 4, since the authentication information is position information of 1 → 2 → 3 of the image, the code corresponding to 1 is vi, the code corresponding to 2 is pe, and corresponds to 3. Since the code is ur, the authentication code (n) is n = (vi + pe + ur).

  Next, the authentication code generation unit 15 of the user terminal UE hashes the generated authentication code (n) to generate a hashed authentication code (N) (step A6).

  Since the hashed authentication code (N) is (N) = hash (n), (N) = hash ((vi + pe + ur)).

  Since the user terminal UE registers the hashed authentication code (N) in the authentication server 101 of the service provider 100-1, the transmission unit 12 transmits the user ID, the hashed authentication code (N), and the authentication matrix to the authentication server. It transmits to 101 (step A7).

  The receiving unit 1013 of the authentication server 101 stores the user ID received from the user terminal UE, the hashed authentication code (N), and the authentication matrix in association with each other in the storage unit 1011 (step A8).

  Thus, the user can register the authentication code (N) used when using the service provided by the application server 102 of the service provider 100-1 in the authentication server 101. In addition, since the authentication code (N) is hashed, the authentication information input by the user terminal UE cannot be reproduced. For this reason, the authentication information input by the user terminal UE can be kept secret on the service provider 100-1 side.

<Example of processing operation during user authentication>
Next, an example of processing operation during user authentication will be described with reference to FIGS. 5 and 6. FIG. 5 shows an example of processing operation during user authentication, and FIG. 6 is a diagram showing an example of collating authentication codes. User authentication is performed when a user uses a service provided by the application server 102 of the service provider 100.

  The transmitting unit 12 of the user terminal UE transmits the user ID to the authentication server 101 when logging into the authentication server 101 of the service provider 100-1 (Step B1).

  When the receiving unit 1013 of the authentication server 101 receives a user ID from the user terminal UE, the transmitting unit 1012 receives an authentication matrix corresponding to the user ID and a random challenge code (cc) that is changed every time. Transmit to UE (step B2). In FIG. 6, the authentication matrix is a 3 × 3 matrix, and is composed of nine types of codes. Each code is a 2-character code.

  Further, the transmission unit 12 of the user terminal UE accesses the image management server 200, transmits the user ID to the image management server 200 (step B3), and the reception unit 13 receives an image corresponding to the user ID from the image management server 200. Is received (step B4).

  The display unit 10 of the user terminal UE displays an image acquired from the image management server 200. As a result, the image shown in FIG. 6 is displayed on the display unit 10. Based on the user's own memory, the user selects a feature point position on the image displayed on the display unit 10 and inputs authentication information to the input unit 11 (step B5). When a user operation is performed on the image displayed on the display unit 10, the user terminal UE detects the position of the image on which the user operation has been performed. In the case of FIG. 6, a state in which areas 1, 2, and 3 are sequentially selected in the image by a user operation is shown. The position information of 1 → 2 → 3 is authentication information.

  The authentication code generation unit 15 of the user terminal UE combines the authentication information input from the input unit 11 and the authentication matrix received by the reception unit 13 from the authentication server 101 in step B2 to generate an authentication code (n). (Step B6).

  In the case of FIG. 6, since the authentication information is position information of 1 → 2 → 3 of the image, the code corresponding to 1 is vi, the code corresponding to 2 is pe, and corresponds to 3. Since the code is ur, the authentication code (n) is n = (vi + pe + ur).

  Next, the authentication code generation unit 15 of the user terminal UE hashes the generated authentication code (n) to generate a hashed authentication code (N) (step B7).

  Since the hashed authentication code (N) is (N) = hash (n), (N) = hash ((vi + pe + ur)).

  Next, the authentication code generation unit 15 of the user terminal UE concatenates and hashes the hashed authentication code (N) and the challenge code (cc) received by the reception unit 13 from the authentication server 101 in step B2. The link authentication code is generated (step B8).

  Since the hashed authentication code is (N) and the challenge code is (cc), the linked authentication code is Hash (cc + N).

  The transmission unit 12 of the user terminal UE transmits a linked authentication code to the authentication server 101, and performs user authentication with the authentication server 101 (step B9).

  The authentication unit 1014 of the authentication server 101 concatenates and hashes the hashed authentication code (N) corresponding to the user ID and the challenge code (cc) transmitted from the transmission unit 1012 to the user terminal UE in step B2. The link authentication code is generated (step B10). The consolidated authentication code is Hash (cc + N).

  The authentication unit 1014 of the authentication server 101 collates the connection authentication code generated on the authentication server 101 side with the connection authentication code received by the reception unit 1013 from the user terminal UE (step B11). The authentication unit 1014 of the authentication server 101 determines that authentication is OK when both of the linked authentication codes match. Further, if both of the linked authentication codes do not match, it is determined as authentication NG.

  The transmission unit 1012 of the authentication server 101 notifies the user terminal UE of the collation result. If the authentication unit 1014 of the authentication server 101 determines that the authentication is OK, the authentication unit 1014 permits the user to use the service provided by the application server 102 of the service provider 100-1 in cooperation with the authentication server 101.

  Thereby, the user can use the service provided by the application server 102 of the service provider 100-1 in cooperation with the authentication server 101.

  Even when using the service provided by the application server 102 of another service provider 100-2 in the authentication system of the present embodiment, the above-described user authentication process is performed, and the user terminal UE is operated to obtain the user ID. Authentication information is input from the associated image. Since the other service provider 100-2 stores and manages an authentication matrix different from the service provider 100-1 in the storage unit 1011, the authentication information and the authentication matrix are stored on the user terminal UE side. The authentication code generated in combination is also an authentication code different from that of the service provider 100-1.

  For example, in the case of FIG. 6, the authentication information is 1 → 2 → 3 position information of the image, and the authentication information common to the plurality of service providers 100-1 and 100-2 is used. However, the authentication code (n) generated using the authentication matrix of the service provider 100-1 is n = ((vi + pe + ur)) and generated using the authentication matrix of the other service provider 100-2. The authentication code (n) is n = (en + ch + je), and the authentication code (n) is different for each service provider 100-1 to 100-n. For this reason, even if the authentication information input based on the image commonly used by the service providers 100-1 and 100-2 by the user is the same for the service providers 100-1 to 100-n, the authentication code ( Since n) differs for each service provider 100-1 to 100-n, each service provider 100-1 can be obtained by grasping one piece of authentication information without storing and managing a plurality of pieces of authentication information by the user himself / herself. User authentication can be performed by generating a different authentication code (n) for each ~ n. As a result, the burden of managing the authentication information used at the time of user authentication can be reduced, and the user can easily input the authentication information.

  In this embodiment, the authentication code (n) is hashed, and the hashed authentication code (N) is transmitted to the authentication server 101. For this reason, the authentication information input on the user terminal UE side cannot be reproduced, and the authentication information input on the user terminal UE can be kept secret on the service provider 100-1 side. In this embodiment, since the authentication information is shared by a plurality of service providers 100-1 to 100-n, if the authentication information can be reproduced on the service provider 100-1 side, another service is used using the authentication information. I can log in to the authentication server 101 of the provider 100-2. However, in this embodiment, since the authentication code (n) is hashed, the authentication information cannot be reproduced, and the above-described problem can be avoided.

  In the above embodiment, the authentication matrix is a 3 × 3 matrix, and is configured by nine types of codes. However, the authentication matrix is not limited to a 3 × 3 matrix, and can be composed of an arbitrary matrix. For example, a 16 × 16 matrix can be used. As a result, the number of combinations of authentication codes (n) can be increased and security can be improved.

  In the above embodiment, since the feature point position selected on the image displayed on the display unit 10 is used as the authentication information, the authentication code (n) is three digits, but the start point and end point selected on the image are It is also possible to use a stroke constituted by a position as authentication information. In this case, the start and end points are double 6 digits, and the authentication code (n) is also 6 digits, so the 6-digit authentication code (n) is 2.8E + 14 ((16 × 16) ^ 6 ) And the security can be further improved.

(Second Embodiment)
Next, a second embodiment will be described.

  In the first embodiment, the authentication code (n) is hashed so that the authentication information input on the user terminal UE side cannot be reproduced on the authentication server 101 side.

  In the second embodiment, the authentication code (n) is not hashed, but the authentication code (n) is made redundant so that the authentication information input on the user terminal UE side cannot be reproduced on the authentication server 101 side. To.

<Operation example of authentication code registration processing>
First, an example of processing operation for registering the authentication code (n) in the authentication server 101 will be described with reference to FIG. FIG. 7 is a diagram illustrating an example of an operation for registering the authentication code (n).

  First, the authentication matrix generation unit 14 of the user terminal UE randomly generates a plurality of authentication matrices (step C1). The authentication matrix is, for example, a 16 × 16 matrix, and three authentication matrices are generated. Each of the 16 × 16 matrices constituting the authentication matrix stores 16 types of codes. For this reason, 16 codes exist in one code. If it is a three-digit code, it will have 4096 (16 ^ 3) redundancy. In addition, if it is a stroke, it will have 16 million ((16 × 16) ^ 3) redundancy.

  Further, the transmission unit 12 of the user terminal UE accesses the image management server 200, transmits the user ID to the image management server 200 (step C2), and the reception unit 13 receives an image corresponding to the user ID from the image management server 200. Is received (step C3).

  The display unit 10 of the user terminal UE displays an image acquired from the image management server 200. Based on the user's own memory, the user selects a feature point position on the image displayed on the display unit 10 and inputs authentication information to the input unit 11 (step C4). For example, when an image is displayed on the display unit 10 and areas 1, 2, and 3 are sequentially selected in the image by a user operation, the position information 1 → 2 → 3 is authentication information.

  The authentication code generation unit 15 of the user terminal UE combines the authentication information input to the input unit 11 and the plurality of authentication matrices generated by the authentication matrix generation unit 14 in step C1 to generate an authentication code (n). (Step C5).

  Since the authentication information is 1 → 2 → 3 position information of the image, the first position information (1) constituting the authentication information and the first authentication matrix are combined to provide the first code. Convert to Further, the second position information (2) constituting the authentication information and the second authentication matrix are combined and converted into a second code. Further, the third position information (3) constituting the authentication information and the third authentication matrix are combined and converted into a third code. As a result, a three-digit authentication code (n) composed of three codes can be generated.

  Since the user terminal UE registers the authentication code (n) in the authentication server 101 of the service provider 100-1, the transmission unit 12 transmits the user ID, the authentication code (n), and a plurality of authentication matrices to the authentication server 101. (Step C6).

  The receiving unit 1013 of the authentication server 101 associates the user ID received from the user terminal UE, the authentication code (n), and a plurality of authentication matrices and stores them in the storage unit 1011 (step C7).

  As a result, the user can register the authentication code (n) used when using the service provided by the application server 102 of the service provider 100-1 in the authentication server 101. Since the authentication code (n) is made redundant, it is difficult to reproduce the authentication information input at the user terminal UE. For this reason, it is possible to make it difficult for the service provider 100-1 to decipher the authentication information input at the user terminal UE.

<Example of processing operation during user authentication>
Next, an example of processing operation during user authentication will be described with reference to FIG. FIG. 8 is a diagram illustrating a processing operation example during user authentication.

  The transmission unit 12 of the user terminal UE transmits the user ID to the authentication server 101 when logging into the authentication server 101 of the service provider 100-1 (step D1).

  When the receiving unit 1013 of the authentication server 101 receives a user ID from the user terminal UE, the transmitting unit 1012 transmits a plurality of authentication matrices corresponding to the user ID to the user terminal UE (step D2).

  Further, the transmission unit 12 of the user terminal UE accesses the image management server 200, transmits a user ID to the image management server 200 (step D3), and the reception unit 13 receives an image corresponding to the user ID from the image management server 200. Is received (step D4).

  The display unit 10 of the user terminal UE displays an image acquired from the image management server 200. Based on the user's own memory, the user selects a feature point position on the image displayed on the display unit 10 and inputs authentication information to the input unit 11 (step D5). For example, when an image is displayed on the display unit 10 and areas 1, 2, and 3 are sequentially selected in the image by a user operation, the position information 1 → 2 → 3 is authentication information.

  The authentication code generation unit 15 of the user terminal UE combines the authentication information input to the input unit 11 and a plurality of authentication matrices received by the reception unit 13 from the authentication server 101 in step D2, and generates an authentication code (n). Generate (step D6).

  Since the authentication information is 1 → 2 → 3 position information of the image, the first position information (1) constituting the authentication information and the first authentication matrix are combined to provide the first code. Convert to Further, the second position information (2) constituting the authentication information and the second authentication matrix are combined and converted into a second code. Further, the third position information (3) constituting the authentication information and the third authentication matrix are combined and converted into a third code. As a result, a three-digit authentication code (n) composed of three codes can be generated.

  The transmission unit 12 of the user terminal UE transmits the authentication code (n) to the authentication server 101, and performs user authentication with the authentication server 101 (step D7).

  The authentication unit 1014 of the authentication server 101 collates the authentication code (n) corresponding to the user ID with the authentication code (n) received by the receiving unit 1013 from the user terminal UE (step D8). The authentication unit 1014 of the authentication server 101 determines that authentication is OK when both authentication codes match. If both authentication codes do not match, authentication NG is determined.

  The transmission unit 1012 of the authentication server 101 notifies the user terminal UE of the collation result. If the authentication unit 1014 of the authentication server 101 determines that the authentication is OK, the authentication unit 1014 permits the user to use the service provided by the application server 102 of the service provider 100-1 in cooperation with the authentication server 101.

  Thereby, the user can use the service provided by the application server 102 of the service provider 100-1 in cooperation with the authentication server 101.

  Even when using the service provided by the application server 102 of another service provider 100-2 in the authentication system of the present embodiment, the above-described user authentication process is performed, and the user terminal UE is operated to obtain the user ID. Authentication information is input from the associated image. Since the other service provider 100-2 stores and manages a plurality of authentication matrices different from the service provider 100-1 in the storage unit 1011, the user terminal UE stores the authentication information and the plurality of authentication matrices. And an authentication code generated by combining the above and the service provider 100-1. For this reason, even if the authentication information input by the user based on the image is the same for the plurality of service providers 100-1 to 100-n, the authentication code (n) is different for each service provider 100-1 to 100-n. Even if the authentication information is not stored and managed by the user himself / herself, by obtaining one authentication information, a different authentication code (n) is generated for each service provider 100-1 to 100-n to perform user authentication. It can be carried out. As a result, the burden of managing the authentication information used at the time of user authentication can be reduced, and the user can easily input the authentication information.

  In this embodiment, the authentication code (n) is transmitted to the authentication server 101 with redundancy. For this reason, it is difficult to reproduce the authentication information input on the user terminal UE side, and it is difficult to decode the authentication information input on the user terminal UE on the service provider 100-1 side.

(Third embodiment)
Next, a third embodiment will be described.

  In the second embodiment, an authentication code is generated using a plurality of authentication matrices, and the authentication code is made redundant.

  In the third embodiment, a use order of a plurality of authentication matrices is generated, and the use order of the plurality of authentication matrices is rearranged in the use order to generate an authentication code. As a result, the authentication code can be made more redundant than in the second embodiment.

<Operation example of authentication code registration processing>
First, an example of processing operation for registering the authentication code (n) in the authentication server 101 will be described with reference to FIG. FIG. 9 is a diagram illustrating an example of an operation for registering the authentication code (n).

  First, the authentication matrix generation unit 14 of the user terminal UE randomly generates a plurality of authentication matrices (step E1). The authentication matrix is, for example, a 16 × 16 matrix, and six authentication matrices are generated. Each of the 16 × 16 matrices constituting the authentication matrix stores 16 types of codes.

  In the present embodiment, the user terminal UE has a usage order generation unit (not shown), and the usage order generation unit generates the usage order of the authentication matrix. Then, the authentication code generation unit 15 rearranges the usage order of the plurality of authentication matrices in the usage order generated by the usage order generation unit, combines the authentication matrix after the rearrangement, and the authentication information input from the input unit 11, Generate an authentication code. For this reason, 16 × 6 (96) redundancy exists in one code. If a three-digit code is used, any three of the six choices will have about 880,000 (96 ^ 3) redundancy. In addition, if it is a stroke, it will have about 300 million ((96 × 16) ^ 3) redundancy.

  The transmission unit 12 of the user terminal UE accesses the image management server 200, transmits a user ID to the image management server 200 (step E2), and the reception unit 13 receives an image corresponding to the user ID from the image management server 200. (Step E3).

  The display unit 10 of the user terminal UE displays an image acquired from the image management server 200. Based on the user's own memory, the user selects a feature point position on the image displayed on the display unit 10 and inputs authentication information to the input unit 11 (step E4). For example, when an image is displayed on the display unit 10 and areas 1, 2, and 3 are sequentially selected in the image by a user operation, the position information 1 → 2 → 3 is authentication information.

  When the authentication information is input to the input unit 11, the usage order generation unit of the user terminal UE generates the usage order of the plurality of authentication matrices generated by the authentication matrix generation unit 14 in step E1 (step E5). In the present embodiment, since the authentication information input from the input unit 11 becomes three pieces of position information, three authentication matrices are selected from the six authentication matrices, and the usage order of the selected three authentication matrices is changed. Generate.

  The usage order of the three authentication matrices is 6P3 = 120. Since there are 16 million ((16 × 16) ^ 3) authentication information input to the input unit 11, the usage order generation unit hashes the authentication information input to the input unit 11 and hashes it. The remainder of the value 120 is calculated, and the authentication information is reduced to 120. Accordingly, the usage order generation unit generates the usage order of the three authentication matrices based on the authentication information input to the input unit 11, and selects one of the 120 usage orders of the six authentication matrices. Can do.

  The authentication information input to the input unit 11 and the address information (URL, etc.) when accessing the authentication server 101 are concatenated, the concatenated information is hashed, and the remainder of 120 of the hashed value is obtained. It is also possible to calculate one and select one out of 120 usage orders of six authentication matrices. As a result, the 120 usage orders of the six authentication matrices can be made different for each authentication server 101.

  The authentication code generation unit 15 of the user terminal UE rearranges the usage order of the plurality of authentication matrices in the usage order generated by the usage order generation unit in step E5, and the authentication information input from the input unit 11 after the rearrangement And an authentication code (n) is generated (step E6).

  Since the authentication information is 1 → 2 → 3 position information of the image, the first position information (1) constituting the authentication information and the first authentication matrix are combined to provide the first code. Convert to Further, the second position information (2) constituting the authentication information and the second authentication matrix are combined and converted into a second code. Further, the third position information (3) constituting the authentication information and the third authentication matrix are combined and converted into a third code. As a result, a three-digit authentication code (n) composed of three codes can be generated.

  Since the user terminal UE registers the authentication code (n) in the authentication server 101 of the service provider 100-1, the transmission unit 12 transmits the user ID, the authentication code (n), and a plurality of authentication matrices to the authentication server 101. (Step E7).

  The receiving unit 1013 of the authentication server 101 associates the user ID received from the user terminal UE, the authentication code (n), and a plurality of authentication matrices and stores them in the storage unit 1011 (step E8).

  As a result, the user can register the authentication code (n) used when using the service provided by the application server 102 of the service provider 100-1 in the authentication server 101. Since the authentication code (n) is made redundant, it is difficult to reproduce the authentication information input at the user terminal UE. For this reason, it is possible to make it difficult for the service provider 100-1 to decipher the authentication information input at the user terminal UE.

<Example of processing operation during user authentication>
Next, an example of processing operation during user authentication will be described with reference to FIG. FIG. 10 is a diagram illustrating a processing operation example during user authentication.

  The transmission unit 12 of the user terminal UE transmits the user ID to the authentication server 101 when logging into the authentication server 101 of the service provider 100-1 (Step F1).

  When the reception unit 1013 of the authentication server 101 receives a user ID from the user terminal UE, the transmission unit 1012 transmits a plurality of authentication matrices corresponding to the user ID to the user terminal UE (step F2).

  Further, the transmission unit 12 of the user terminal UE accesses the image management server 200, transmits the user ID to the image management server 200 (step F3), and the reception unit 13 receives an image corresponding to the user ID from the image management server 200. Is received (step F4).

  The display unit 10 of the user terminal UE displays an image acquired from the image management server 200. Based on the user's own memory, the user selects a feature point position on the image displayed on the display unit 10 and inputs authentication information to the input unit 11 (step F5). For example, when an image is displayed on the display unit 10 and areas 1, 2, and 3 are sequentially selected in the image by a user operation, the position information 1 → 2 → 3 is authentication information.

  When the authentication information is input to the input unit 11, the usage order generation unit of the user terminal UE generates the usage order of the plurality of authentication matrices received by the receiving unit 13 from the authentication server 101 in step F2 (step F6). . In the present embodiment, since the authentication information input to the input unit 11 is three pieces of position information, three authentication matrices are selected from the six authentication matrices, and the usage order of the selected three authentication matrices is changed. Generate.

  The authentication code generation unit 15 of the user terminal UE rearranges the usage order of the plurality of authentication matrices in the usage order generated by the usage order generation unit in step F6, and the authentication matrix after the rearrangement and the authentication information input from the input unit 11 And an authentication code (n) is generated (step F7).

  Since the authentication information is 1 → 2 → 3 position information of the image, the first position information (1) constituting the authentication information and the first authentication matrix are combined to provide the first code. Convert to Further, the second position information (2) constituting the authentication information and the second authentication matrix are combined and converted into a second code. Further, the third position information (3) constituting the authentication information and the third authentication matrix are combined and converted into a third code. As a result, a three-digit authentication code (n) composed of three codes can be generated.

  The transmission unit 12 of the user terminal UE transmits the authentication code (n) to the authentication server 101, and performs user authentication with the authentication server 101 (step F8).

  The authentication unit 1014 of the authentication server 101 collates the authentication code (n) corresponding to the user ID with the authentication code (n) received from the user terminal UE by the receiving unit 1013 (step F9). The authentication unit 1014 of the authentication server 101 determines that authentication is OK when both authentication codes match. If both authentication codes do not match, authentication NG is determined.

Transmitting portion 101 2 of the authentication server 101 notifies the verification result to the user terminal UE. If the authentication unit 1014 of the authentication server 101 determines that the authentication is OK, the authentication unit 1014 permits the user to use the service provided by the application server 102 of the service provider 100-1 in cooperation with the authentication server 101.

  Thereby, the user can use the service provided by the application server 102 of the service provider 100-1 in cooperation with the authentication server 101.

  Even when using the service provided by the application server 102 of another service provider 100-2 in the authentication system of the present embodiment, the above-described user authentication process is performed, and the user terminal UE is operated to obtain the user ID. Authentication information is input from the associated image. The other service provider 100-2 stores and manages a plurality of authentication matrices different from the service provider 100-1 in the storage unit 1011, and the user terminal UE generates a use order of the plurality of authentication matrices. Since the authentication code is generated by rearranging the usage order of the plurality of authentication matrices in the usage order, the generated authentication code is an authentication code different from that of the service provider 100-1.

  In this embodiment, the authentication code (n) is transmitted to the authentication server 101 with redundancy. For this reason, it is difficult to reproduce the authentication information input on the user terminal UE, and it is difficult to decode the authentication information input on the user terminal UE on the service provider 100-1 side.

(Fourth embodiment)
Next, a fourth embodiment will be described.

  The fourth embodiment improves the user authentication of the third embodiment described above, and is input from the input unit 11 to the authentication code (n) generated in step G6 of FIG. 11 or step H7 of FIG. Authentication information is concatenated, and the concatenated information is hashed and registered and transmitted to the authentication server 101 (step G7 in FIG. 11 and step H8 in FIG. 12). Since there are 16 million ((16 × 16) ^ 3) authentication information input from the input unit 11, by concatenating the authentication information with the authentication code (n) and hashing it, the authentication code (n ) Can not be deciphered.

  For example, in the third embodiment, when the authentication code (n) stored in the storage unit 1011 of the authentication server 101 is leaked, even if the authentication code (n) is hashed, 16 types of codes of 3 digits Since there are only 4096 (16 ^ 3) authentication codes (represented as c), the original authentication code (c) can be calculated.

  For this reason, as in this embodiment, by connecting the authentication information (input coordinate sequence: expressed as m) input from the input unit 11 and the authentication code (c), more than 6 billion patterns Since the authentication code is ((16 × 16) ^ 3 × 16 ^ 3), the original authentication code cannot be calculated. Also, the authentication information (m) cannot be reproduced on the authentication server 101 side by hashing the authentication code on the user terminal UE side and registering and transmitting the hashed value (expressed as M) to the authentication server 101 Can be. This is because the authentication information (m) cannot be reproduced from the hashed value (M) because the authentication code is hashed.

  Further, in order to grasp the authentication information on the authentication server 101 side, an attack that alters the authentication matrix on the authentication server 101 side to eliminate redundancy can be considered. Even in this case, since the original three-digit authentication code (c) cannot be reproduced from the hashed value (M), the authentication information (m) cannot be reproduced even with a falsified authentication matrix. As a result, security can be improved.

  The above-described embodiment is a preferred embodiment of the present invention, and the scope of the present invention is not limited to the above-described embodiment alone, and various modifications are made without departing from the gist of the present invention. Implementation is possible.

  For example, in the authentication system of the above-described embodiment, in order to enable user authentication using a plurality of user terminals UE, an image management server 200 that stores user-specific images is provided, and the user-specific images are stored in the image management server 200. To get to. However, it is also possible to manage images with the user terminal UE.

  If a falsified authentication matrix is sent from the malicious authentication server 101 to the user terminal UE, there is a risk that the authentication information input at the user terminal UE will be leaked. For this reason, it is also possible to construct such that the user terminal UE digitally signs at the time of registration and collates at the time of reception.

  In the above embodiment, the authentication matrix is stored in the service provider and read out by the user terminal UE at the time of authentication. However, the authentication matrix information can be safely shared by the user terminal UE and can be configured not to be exposed to the outside. Is possible. In this case, an attack in which the authentication service side transmits a fake authentication matrix advantageous for analysis cannot be performed at all, which is effective.

  In the first embodiment, the example in which the authentication code (n) is generated using one authentication matrix has been described. However, it is also possible to generate the authentication code (n) using a plurality of authentication matrices. For example, it is assumed that three authentication matrices configured by a 16 × 16 matrix are prepared, and each matrix configuring the authentication matrix stores 256 types of codes without redundancy. In this case, the authentication code (n) generated by combining the authentication information input by selecting and inputting the image displayed on the display unit 10 by the user and the three authentication matrices composed of the 16 × 16 matrix is 3 This is a digit authentication code (n), and the number of combinations is 16 million ((16 × 16) ^ 3).

  Three or more authentication matrices are generated with redundancy. Then, the authentication information input to the input unit 11 based on the authentication information input to the input unit 11 by performing a user operation on the image displayed on the display unit 10 and the information related to the authentication server 101 In which order the authentication matrices are used. Then, the authentication matrix can be rearranged in the selected order, and the authentication matrix after the rearrangement can be combined with the authentication information input to the input unit 11 to generate the authentication code (n). Thereby, security can be further improved. For example, authentication information ((16 × 16) ^ 3) and address information such as the URL of the authentication server 101 are concatenated to calculate a remainder of 6 of the hashed value to reduce the authentication information. Based on the reduced authentication information, one usage order is selected from the six usage orders of the three authentication matrices. Then, the authentication matrix is rearranged in the selected order of use, and the authentication matrix after the rearrangement and the authentication information input to the input unit 11 are combined to generate an authentication code (n). As a result, the authentication information cannot be reproduced only by the information stored in the authentication server 101 of the service provider 100-1. As a result, it is possible to prevent login to the authentication server 101 of another service provider 100-2 based on the information stored in the authentication server 101 of the service provider 100-1.

  The control operation in the user terminal UE, the image management server 200, the authentication server 101, and the application server 102 constituting the authentication system of the present embodiment described above is performed using hardware, software, or a composite configuration of both. It is also possible to execute.

  In the case of executing processing using software, it is possible to install and execute a program in which a processing sequence is recorded in a memory in a computer incorporated in dedicated hardware. Alternatively, the program can be installed and executed on a general-purpose computer capable of executing various processes.

  For example, the program can be recorded in advance on a hard disk or ROM (Read Only Memory) as a recording medium. Alternatively, the program can be stored (recorded) temporarily or permanently in a removable recording medium. Such a removable recording medium can be provided as so-called package software. Examples of the removable recording medium include a floppy (registered trademark) disk, a CD-ROM (Compact Disc Read Only Memory), an MO (Magneto optical) disk, a DVD (Digital Versatile Disc), a magnetic disk, and a semiconductor memory.

  The program is installed in the computer from the removable recording medium as described above. In addition, it is wirelessly transferred from the download site to the computer. In addition, it is transferred to the computer via a network by wire.

  In addition, the control operations in the user terminal UE, the image management server 200, the authentication server 101, and the application server 102 constituting the authentication system of the present embodiment are only executed in time series according to the processing operations described in the above embodiment. Instead, it is possible to construct the processing capability of the apparatus that executes the processing, or to execute in parallel or individually as required.

100-1 to n Service provider 101 Authentication server 1011 Storage unit 1012 Transmission unit 1013 Reception unit 1014 Authentication unit 102 Application server 200 Image management server 201 Storage unit 202 Transmission unit 203 Reception unit UE user terminal 10 Display unit 11 Input unit 12 Transmission unit 13 Receiver 14 Authentication Matrix Generator 15 Authentication Code Generator NW Network

Claims (9)

An authentication system comprising a plurality of authentication devices and user terminals,
The user terminal is
Display means for displaying an image commonly used by a user in a plurality of the authentication devices;
Input means for inputting at least one position information on the image selected by a user operation from the images displayed on the display means as user-side authentication information;
An authentication matrix receiving means for receiving a plurality of authentication matrices composed of a plurality of codes from the authentication device at the authentication destination;
The user-side authentication information and the plurality of authentication matrices are combined, the position information constituting the user-side authentication information is converted into a code of the authentication matrix corresponding to the position information, and the converted code An authentication code generating means for generating an authentication code to be configured;
An authentication code transmitting means for transmitting the authentication code to the authentication device of the authentication destination,
The authentication device
Storage means for storing the plurality of authentication matrices and server-side authentication codes in association with the user account information;
Transmitting means for transmitting the plurality of authentication matrices to the user terminal;
And the user-side authentication code received from the user terminal, and matching the a server side authentication code stored in the storage means in association with said plurality of authentication matrices transmitted to the user terminal, both sure An authentication means for permitting authentication of the user when the authentication code matches;
An authentication system comprising: The authentication system has image management means for managing the image for each user,
The authentication system according to claim 1, wherein the display unit displays the image acquired from the image management unit. The authentication code generation means hashes the authentication code, generates the hashed user-side authentication code,
The authentication code transmitting means transmits the hashed user-side authentication code,
The storage means stores the authentication matrix and the hashed server-side authentication code in association with the user account information,
The authentication means includes the hashed server-side authentication code stored in the storage means in association with the hashed user-side authentication code received from the user terminal and the authentication matrix transmitted to the user terminal. when collates, when both hashed authentication code matches, claim 1 or claim 2 authentication system according and permits authentication of the user. Said user terminal, have a use sequence generating means for generating a usage order of a plurality of the authentication matrix,
The authentication code generating means rearranges the usage order of the plurality of authentication matrices in the usage order , combines the user side authentication information and the authentication matrix after the rearrangement , and configures the user side authentication information. information, the converted code authentication matrix corresponding to the position information, the authentication system according to claim 1, wherein the generating an authentication code, consisting code the transform. The authentication code generating means concatenates the user side authentication information and the authentication code, hashes the concatenated information, and generates a hashed concatenated authentication code ,
The authentication code transmitting means transmits the hashed linked authentication code,
The storage means stores a plurality of the authentication matrices and the hashed linked authentication codes in association with the user account information,
The authentication means includes the hashed connection authentication code received from the user terminal and the hashed connection authentication code stored in the storage means in association with the plurality of authentication matrices transmitted to the user terminal. when the matches, if both the connection authentication code by hashing the match, the authentication system according to claim 1, wherein allowing authentication of the user. A user terminal that performs authentication with a plurality of authentication devices,
Display means for displaying an image commonly used by a user in a plurality of the authentication devices;
Input means for inputting at least one position information on the image selected by a user operation from the images displayed on the display means as user-side authentication information;
An authentication matrix receiving means for receiving a plurality of authentication matrices composed of a plurality of codes from the authentication device at the authentication destination;
The user-side authentication information and the plurality of authentication matrices are combined, the position information constituting the user-side authentication information is converted into a code of the authentication matrix corresponding to the position information, and the converted code An authentication code generating means for generating an authentication code to be configured;
An authentication code transmitting means for transmitting the authentication code to the authentication device of the authentication destination,
The authentication code, the user terminal is stored in the storage unit of the authentication device associated with the authentication destination and account information of the said plurality of authentication matrices received user from the authentication destination of the authentication device If there is a match with the authentication code, the user terminal characterized by Rukoto authentication of the user is permitted. An authentication apparatus for authenticating a user operating the User chromatography The terminal,
And the user-side authentication information user to configure at least one position information on the image selected by the user operation of the user terminal from among the images used in common by a plurality of the authentication device, which composed of a plurality of code A plurality of authentication matrices are combined, and an authentication code composed of the code converted into the authentication matrix code according to the location information and the plurality of authentication matrices are stored in association with the account information of the user Storage means for
And transmission means to transmit the plurality of authentication matrix to the user terminal,
After transmitting the authentication matrix, wherein upon receiving the authentication code from the user terminal, wherein the authentication code thus received, stored in said plurality of authentication matrix and corresponds with by the storing means for transmitting to the user terminal It is the collates the authentication code, the is, when both the authentication code matches an authentication means for permitting authentication of the user,
Authentication device according to claim Rukoto to have a. A program to be executed by a computer of a user terminal that performs authentication with a plurality of authentication devices ,
Display processing for displaying an image commonly used by a user on a plurality of the authentication devices on a display unit;
An input process for inputting at least one position information on the image selected by a user operation from the images displayed on the display unit to the input unit as user-side authentication information;
An authentication matrix reception process for receiving a plurality of authentication matrices composed of a plurality of codes from the authentication device of the authentication destination;
The user-side authentication information and the plurality of authentication matrices are combined, the position information constituting the user-side authentication information is converted into a code of the authentication matrix corresponding to the position information , and the converted code An authentication code generation process for generating an authentication code to be configured;
Causing the computer to execute an authentication code transmission process for transmitting the authentication code to the authentication device of the authentication destination,
The authentication the authentication code, the user terminal from the authentication destination of the authentication apparatus is stored in the storage unit of the authentication device of the authentication target in association with the account information of the said plurality of authentication matrices received user when matching the code, program characterized Rukoto authentication of the user is permitted. A program for causing a computer to execute an authentication device for authenticating a user who operates the user terminal,
And the user-side authentication information user to configure at least one position information on the image selected by the user operation of the user terminal from among the images used in common by a plurality of the authentication device, which composed of a plurality of code a plurality of authentication matrix, the combining seen, the authentication codes constituting the above code is converted into the code of the authentication matrix Ji was response to said position information, said plurality of authentication matrix, the account information of the user A storage process for storing the associated information in the storage means;
A transmit process of transmitting the plurality of authentication matrix to the user terminal,
After transmitting the authentication matrix, wherein when the user terminal receiving the authentication code, the authentication code thus received, the user terminal to transmit the plurality of authentication matrix and the association with each other in the storage means is the collates the authentication code, the is, when both the authorization code match, an authentication process you allow authentication of the user, a program for causing the computer to perform.

Images