JP5679567B2 - Authentication support apparatus and authentication support method - Google Patents

Description

  The present invention relates to a technique for performing user terminal authentication processing.

Various user terminals such as PCs (Personal Computers), mobile phone terminals (smartphones), tablet PCs, TV receivers, etc. connect to service provider servers that provide services via networks such as the Internet. Received service. There are various services provided through the network, such as content distribution services such as moving images, application use services called ASP (Application Service Provider) and SaaS (Software as a Service), and the like. When providing such a service, an authentication server installed on the service provider side stores, for example, a user ID (IDentifier) and a password in advance and responds to an authentication request transmitted from the user terminal. Appropriate authentication processing is performed, and use of the service is permitted when it is determined that authentication is successful. In the authentication process, an authentication method such as IC card authentication, fingerprint authentication, and voice recognition is used in addition to authentication using a user ID and a password.
Patent Document 1 describes setting an operation environment according to a user authenticated by a word processor. Patent Document 2 describes storing functions used by a user in a copying machine, a printer, a multifunction machine, and the like, and displaying an initial screen corresponding to the authenticated user. In Patent Document 3, for each model of user terminal, an authentication method that can be used in the user terminal is stored in association with the user terminal, for example, so that an authentication method corresponding to the user terminal can be selected. Have been described. Patent Document 4 describes selecting an authentication method according to a security level.

JP 9-44477 A JP 2009-75451 A Japanese Patent No. 3983035 International Publication No. 2007/66480

  However, there are cases where different authentication methods can be used in each of the various user terminals as described above, and a plurality of authentication methods can be used in one user terminal. For example, in a PC, in addition to authentication using a user ID and password input from a keyboard, IC card authentication can be used if an IC card reader is connected, and fingerprint authentication is used if a fingerprint authentication reader is connected. it can. In such a case, it is conceivable that a plurality of users use the same service after being authenticated by different authentication methods from one user terminal. Patent Documents 1 to 4 do not consider such a situation. Therefore, even when a plurality of users use user terminals that can use a plurality of authentication methods, it is desirable to perform authentication efficiently by an authentication method corresponding to the user to be used.

  The present invention has been made in view of such a situation, and even when a plurality of users use user terminals that can use a plurality of authentication methods, the authentication method according to the user to be used efficiently. An authentication support apparatus and an authentication support method for supporting authentication are provided.

  In order to solve the above-described problem, the present invention provides an authentication connected to a plurality of user terminals and a plurality of authentication devices that perform authentication processing of the user terminal by any one of the plurality of authentication methods. For each terminal identification information for identifying a plurality of user terminals, history information associated with an authentication method in an authentication process performed by the authentication apparatus in response to an authentication request from the user terminal is stored. A history information storage unit, an authentication method selection unit that reads an authentication method associated with the user terminal and stored in the history information storage unit upon receiving an authentication request transmitted from the user terminal, and a plurality of An authentication requesting unit that transmits a user terminal authentication request to an authentication device that authenticates the user terminal by the authentication method read by the authentication method selection unit.

  Further, according to the present invention, the authentication apparatus performs an authentication process for each user of the user terminal, and the history information storage unit includes user identification information for identifying a plurality of users who have performed the authentication process for each terminal identification information. Correspondingly stored, the authentication method selection unit is a user who has a large number of authentications out of the user identification information associated with the user terminal that transmitted the authentication request from the history information stored in the history information storage unit. The authentication method associated with the user identification information is read out.

  Further, according to the present invention, the history information storage unit indicates, for each terminal identification information, whether or not the authentication processing performed by the authentication device in response to the authentication request from the user terminal indicated by the terminal identification information is successful. The authentication result is stored in association with each other, and the authentication method selection unit calculates the success rate for each authentication method for each user terminal that has transmitted the authentication request, or the success rate for each authentication method for each user of the user terminal. It is calculated based on the authentication result, and an authentication method with a high success rate is read out.

  Further, in the present invention, the history information stored in the history information storage unit includes information indicating the date and time when the authentication process was performed, and the authentication method selection unit calculates a success rate according to the date and time, An authentication method having a high success rate at a time close to the current date and time is read.

  Further, according to the present invention, the history information stored in the history information storage unit includes information indicating a time zone when the authentication process is performed, and the authentication method selection unit responds to the time zone when the authentication request is received. The authentication method is read out.

  In the present invention, the authentication device performs authentication processing for each service provided to the user terminal, and the history information storage unit includes a service provided when the authentication processing is successful for each terminal identification information. Service identification information to be identified is stored in association with the authentication method selection unit, and the authentication method selected from the history information stored in the history information storage unit is associated with the service provided when the authentication process is successful. Is read out.

  Further, according to the present invention, the authentication method selection unit receives information indicating the application stored in the user terminal from the user terminal, and responds to the application from the history information stored in the history information storage unit. The authentication method is read out.

  The present invention further includes a terminal information storage unit that stores model information indicating a model of the user terminal and an authentication method that can be used in the model in association with each other, and the authentication method selection unit transmits an authentication request. The authentication method associated with the user terminal model is read from the terminal information storage unit.

  Further, the present invention provides a service provider policy storage unit that stores information indicating an authentication method applied in authentication processing when using a service in association with each service provided to a user terminal. The authentication method selection unit reads out the authentication method stored in the service provider policy storage unit.

  In the present invention, the authentication method selection unit reads a plurality of authentication methods from the history information storage unit, determines the priority order of the plurality of read authentication methods, and the authentication request unit is determined by the authentication method selection unit. An authentication request is transmitted to the authentication device according to the priority order.

In addition, the present invention is connected to a plurality of user terminals and a plurality of authentication apparatuses that perform user terminal authentication processing by any one of the plurality of authentication methods, and identifies the plurality of user terminals. for each terminal identification information, the authentication support device history information authentication method associated with the authentication process performed by the authentication apparatus is provided with a history information storage unit which is stored in response to the authentication request from the user terminal An authentication support method to be performed , when the authentication support device receives an authentication request transmitted from a user terminal, a step of reading an authentication method associated with the user terminal and stored in the history information storage unit; authenticates support device, among a plurality of authentication devices, the authentication device for authenticating the user terminal by the read authentication method and sending an authentication request of the user terminal, comprising: a .

  As described above, according to the present invention, authentication support connected to a plurality of user terminals and a plurality of authentication apparatuses that perform authentication processing of the user terminal by any one of the plurality of authentication methods. For each terminal identification information for identifying a plurality of user terminals, history information associated with an authentication method in an authentication process performed by an authentication apparatus in response to an authentication request from a user terminal is stored. A history information storage unit, an authentication method selection unit that reads an authentication method associated with the user terminal and stored in the history information storage unit upon receiving an authentication request transmitted from the user terminal, Among the authentication devices, the authentication device that authenticates the user terminal by the authentication method read by the authentication method selection unit is provided with an authentication request unit that transmits an authentication request for the user terminal. If the method is utilized by the user terminal a plurality of users that can be utilized by the authentication method corresponding to the user utilizing efficiently the authentication can be performed.

It is a figure which shows the structural example of the communication system by one Embodiment of this invention. It is a block diagram which shows the structure of each computer apparatus with which the communication system by one Embodiment of this invention is provided. It is a figure which shows the data example of the terminal information memorize | stored in the terminal information storage part by one Embodiment of this invention. It is a figure which shows the example of data of the user authentication information memorize | stored in the user authentication information storage part by one Embodiment of this invention. It is a figure which shows the example of data of the authentication method information memorize | stored in the authentication method information storage part by one Embodiment of this invention. It is a figure which shows the example of data of the terminal authentication information memorize | stored in the terminal authentication information storage part by one Embodiment of this invention. It is a figure which shows the example of data of the service provision provider policy information memorize | stored in the service provision provider policy information storage part by one Embodiment of this invention. It is a figure which shows the example of data of the authentication history information memorize | stored in the authentication history information storage part by one Embodiment of this invention. It is a sequence diagram which shows the operation example of the authentication process by the communication system by one Embodiment of this invention. It is a flowchart which shows the operation example of the authentication assistance server and authentication server by one Embodiment of this invention. It is a flowchart explaining the user estimation process by the user estimation part by one Embodiment of this invention. It is a figure which shows the example of data of the authentication history information which the user estimation part by one Embodiment of this invention read. It is a flowchart explaining the user determination process by the user estimation part by one Embodiment of this invention. It is a figure which shows the example of the search result by the user estimation part by one Embodiment of this invention. It is a figure which shows the example of the search result by the user estimation part by one Embodiment of this invention. It is a flowchart explaining the authentication method selection process by the authentication method selection part by one Embodiment of this invention. It is a figure which shows the example of the search result by the authentication system selection part by one Embodiment of this invention. It is a figure which shows the example of the search result by the authentication system selection part by one Embodiment of this invention. It is a figure which shows the example of a sequence operation | movement when it determines with the authentication result by one Embodiment of this invention being authentication failure. It is a figure which shows the sequence operation example when the user estimation by one Embodiment of this invention fails. It is a figure which shows the sequence operation example in the case of selecting an authentication method based on the application by one Embodiment of this invention, and selecting an authentication method based on a service provider provider policy. It is a flowchart which shows the operation example of the authentication assistance server and authentication server by one Embodiment of this invention. It is a figure explaining the effect by one embodiment of the present invention compared with the prior art.

Hereinafter, an embodiment of the present invention will be described with reference to the drawings.
FIG. 1 is a diagram illustrating a configuration of a communication system 1 according to the present embodiment. The communication system 1 includes a plurality of user terminals 100 (user terminal 100-1, user terminal 100-2, user terminal 100-3, user terminal 100-4,...) And a service provider. The computer apparatus of the server 200, the terminal management apparatus 300, the some authentication server 400 (The authentication server 400-1, the authentication server 400-2, the authentication server 400-3, ...), and the authentication assistance server 500 is provided. ing. Since the plurality of user terminals 100 have the same configuration, the description of “-1”, “−2”, etc. will be omitted and described as the user terminal 100 unless otherwise distinguished. Similarly, since the plurality of authentication servers 400 have the same configuration, the description of “−1”, “−2”, etc. will be omitted as the authentication server 400 unless otherwise distinguished.

  On the user side, a plurality of user terminals 100 are connected to the terminal management apparatus 300 to form a user network (NW). A plurality of user terminals 100 connected to the terminal management apparatus 300 are used by a plurality of users, respectively. The user NW is, for example, a home LAN (Local Area Network). The terminal management apparatus 300 is connected to the service provider server 200 of the service provider, the authentication support server 500 and the authentication server 400 of the authentication service provider via an external network (NW). The NW is a communication network such as the Internet network. However, the NW may be any communication network, whether it is a virtual closed network, a LAN, a WAN (Wide Area Network), a dedicated line, a public line, a wireless line, or a wired line, as long as the computer apparatus and the computer terminal can communicate with each other. The terminal management apparatus 300, the service provider server 200, the authentication support server 500, and the authentication server 400 are connected via an NW and can communicate with each other.

FIG. 2 is a block diagram illustrating a configuration of each computer device included in the communication system 1.
The user terminal 100 is a computer terminal used by a user, and uses a service provided from the service provider server 200 via a network. Here, when the user terminal 100 uses the service of the service provider server 200, the authentication data input from the user is transmitted to perform user authentication, and the use is permitted when the authentication process is successful. The The user terminal 100 includes one or a plurality of input devices such as a keyboard that accepts input of authentication data for performing such authentication processing, an IC card reader, and a fingerprint data reader. As the user terminal 100, for example, a PC, a mobile phone terminal (smartphone), a tablet PC, a television receiver, or the like is assumed. The user terminal 100 can be shared and used by a plurality of users.

  The service provider server 200 is a computer device that provides a service to the user terminal 100 connected via a network. The service provider server 200 exchanges information with the user terminal 100 to provide services such as a content distribution service such as a moving image and an application use service called ASP or SaaS. The service provider server 200 redirects the authentication request transmitted from the user terminal 100 to the authentication server 400. If it is determined that the authentication is successful by the authentication process performed by the authentication server 400, the use of the service is permitted, and information is transmitted to and received from the authenticated user terminal 100. The service provider server 200 includes an authentication request reception unit 201.

  When receiving the authentication request transmitted from the user terminal 100, the authentication request receiving unit 201 redirects the authentication request to the authentication support server 500. Redirection is also referred to as HTTP (Hypertext Transfer Protocol) redirection, URL (Uniform Resource Locator) redirection (URL redirection), and the like, and is to transfer an authentication request destined for its own URL to another URL. Further, when transferring the authentication request, the authentication request receiving unit 201 adds a service provider ID for identifying its own service provider to the authentication request.

  The terminal management device 300 is a computer device such as a router or a home gateway that connects a plurality of user terminals 100 to form a user network. The terminal management apparatus 300 includes a terminal information storage unit 301, a terminal information acquisition unit 302, and a terminal information addition unit 303.

  The terminal information storage unit 301 stores terminal information of the user terminal 100 connected to the user network. FIG. 3 is a diagram illustrating a data example of terminal information stored in the terminal information storage unit 301. The terminal information includes data such as a MAC (Media Access Control) address, a terminal unique number, a terminal model number, and a device name. The MAC address is a physical address uniquely given to the communication device. The terminal unique number is a sequence number uniquely assigned to the terminal. The MAC address and the terminal unique number are identification information for identifying the user terminal 100. The terminal model number is information indicating the terminal model. The device name is the name of the terminal model.

The terminal information acquisition unit 302 acquires terminal information from a plurality of user terminals 100 connected to the user network, and stores the terminal information in the terminal information storage unit 301. The terminal information acquisition unit 302 acquires terminal information from the user terminal 100 by performing communication based on, for example, UPnP (Universal Plug and Play).
When the authentication request from the user terminal 100 to the service provider server 200 is redirected to the authentication support server 500, the terminal information adding unit 303 adds terminal information to the redirected authentication request, and the authentication support server 500 Forward to.

  The authentication server 400 is a user terminal 100 that uses the service provided by the service provider server 200 or a computer device that performs user authentication processing. The user authentication information storage unit 401, the authentication result notification unit 403, And an authentication processing unit 402. Here, a different authentication server 400 is installed for each of a plurality of authentication methods. For example, the authentication server 400-1 is a computer device that performs authentication processing using an ID / PW (password) authentication method, and the authentication server 400-2 is a computer device that performs authentication processing using an IC card authentication method. is there.

  The user authentication information storage unit 401 stores user authentication information for authenticating the user in advance. FIG. 4 is a diagram illustrating a data example of user authentication information stored in the user authentication information storage unit 401-1. In the user authentication information, a line ID, a terminal unique number, a user ID, and a password are stored in association with each other. The line ID is identification information for identifying a line to which the user terminal 100 that is predetermined to use the service is connected. The terminal unique number is a terminal unique number of the user terminal 100 that is predetermined to use the service. The user ID is information for identifying a user who is predetermined to use the service. The password is a password corresponding to the user ID, and is verified with authentication data transmitted from the user terminal 100. As described above, when the authentication method is ID / PW authentication, the line ID and the terminal unique number are associated with the character string of the user ID and the password. For example, when the authentication method is fingerprint authentication, The information indicating the fingerprint pattern collected from is stored in association with each other.

The authentication processing unit 402 receives the authentication request transmitted from the authentication support server 500, and performs authentication processing for each service and each user. For example, when receiving the authentication data including the user ID and password transmitted from the user terminal 100, the authentication processing unit 402-1 reads and verifies the user authentication information stored in the user authentication information storage unit 401. To do. If it is determined that information that matches the received authentication data is stored in the user authentication information storage unit 401, it is determined that the authentication is successful, and information that matches the received authentication data is stored in the user authentication information storage unit 401. If it is determined that it is not, it is determined that the authentication has failed.
The authentication result notifying unit 403 transmits the authentication result of the authentication process performed by the authentication processing unit 402 to the authentication support server 500.

  The authentication support server 500 is a computer device connected to a plurality of user terminals 100 and a plurality of authentication servers 400 that perform authentication processing of the user terminal 100 by any one of a plurality of authentication methods. The authentication support server 500 includes an authentication method information storage unit 501, a terminal authentication information storage unit 502, a service provider policy information storage unit 503, an authentication history information storage unit 504, a terminal information determination unit 505, and a service provision A provider determination unit 506, a user estimation unit 507, a terminal capability determination unit 508, a service provider provider policy application unit 509, an authentication method selection unit 510, and an authentication support unit 511 are provided.

  The authentication method information storage unit 501 stores information indicating the authentication method of the authentication process by the authentication server 400. FIG. 5 is a diagram illustrating a data example of authentication method information stored in the authentication method information storage unit 501. The authentication method information includes information of an authentication method ID, an authentication method type, and an authentication method name. The authentication method ID is identification information for identifying the authentication method. The authentication method type is information indicating the type of the authentication method. The authentication method name is information indicating the name of the authentication method. The authentication method name may indicate an application name stored in the user terminal 100.

  The terminal authentication information storage unit 502 stores model information indicating the model of the user terminal 100 and an authentication method that can be used for the model in association with each other. FIG. 6 is a diagram illustrating a data example of terminal authentication information stored in the terminal authentication information storage unit 502. The terminal authentication information includes a terminal model number and an available authentication method ID. The terminal model number is information indicating the model of the user terminal 100. The usable authentication method ID is identification information for identifying an authentication method that can be used in the user terminal 100 of the corresponding terminal model number.

  The service provider policy information storage unit 503 stores, for each service provided to the user terminal 100, information indicating an authentication method applied in authentication processing when using the service in association with each other. . FIG. 7 is a diagram illustrating a data example of service provider policy information stored in the service provider policy information storage unit 503. The service provider ID is identification information that identifies a service provider that operates the service provider server 200. The authentication method ID is identification information for identifying an authentication method determined to be applied by the corresponding service provider. Thereby, for example, the service provider can define an authentication method for authentication processing performed in order to use a service provided by itself among a plurality of authentication methods.

  The authentication history information storage unit 504 corresponds to the authentication method in the authentication process performed by the authentication server 400 in response to the authentication request from the user terminal 100 for each terminal identification information for identifying the plurality of user terminals 100. The attached authentication history information is stored. FIG. 8 is a diagram illustrating a data example of authentication history information stored in the authentication history information storage unit 504. The authentication history information includes a sequence number, a line ID, a terminal model number, a terminal unique number, a service provider ID, an authentication method ID, a user ID, an authentication result, an authentication date, and a date determination. Are associated.

  The line ID is identification information for identifying the line to which the user terminal 100 that has undergone the authentication process has transmitted an authentication request. The terminal model number is information indicating the model number of the user terminal 100 on which the authentication process has been performed. The terminal unique number is a terminal unique number of the user terminal 100 on which the authentication process has been performed. The service provider ID is identification information for identifying a service provided when the authentication process is successful. The authentication method ID is identification information for identifying the authentication method of the authentication processing that has been performed. The user ID is identification information for identifying the user who has performed the authentication process. The authentication result is information indicating whether or not the authentication process performed by the authentication server 400 in response to the authentication request from the user terminal 100 is successful. For example, “OK” is associated when the authentication result indicates successful authentication, and “NG” is associated with when the authentication result indicates successful authentication. The authentication date / time is information indicating the date / time when the authentication process was performed. The date / time determination is information indicating a time zone determined by the authentication support server 500 based on the authentication date / time. For example, the authentication support server 500 determines the time zone based on a predefined time zone such as a holiday, weekday, or time zone. For example, weekends and holidays are defined as holidays, and others are defined as weekdays, 5-11 o'clock as morning, 11-17 o'clock as noon, 17-23 o'clock as night, 23-5 o'clock as midnight, and so on. The time zone is determined.

The terminal information determination unit 505 reads an authentication method corresponding to the terminal information included in the authentication request from the terminal authentication information storage unit 502.
The service provider determination unit 506 reads the service provider ID included in the authentication request.
The user estimation unit 507 performs user estimation processing for reading authentication history information corresponding to terminal information included in the authentication request from the authentication history information storage unit 504.

The terminal capability determination unit 508 receives information indicating the application stored in the user terminal 100 from the user terminal 100, and reads the corresponding authentication method ID from the authentication method information storage unit 501.
The service provider policy application unit 509 reads the authentication method ID stored in the service provider policy information storage unit 503 in association with the service provider of the service requested to be authenticated, and can be used. Perform the filtering process.

  Upon receiving the authentication request transmitted from the user terminal 100, the authentication method selection unit 510 reads the authentication method stored in the authentication history information storage unit 504 in association with the terminal unique number of the user terminal 100. . Here, the authentication method selection unit 510 determines the success rate for each authentication method for each user terminal 100 that transmitted the authentication request or the success rate for each authentication method for each user of the user terminal 100 based on the authentication result. And read out the authentication method with a high success rate. The authentication method selection unit 510 calculates a success rate according to the date and time, and reads out an authentication method with a high success rate at a time close to the current date and time. Further, the authentication method selection unit 510 reads the authentication method associated with the service provided when the authentication process is successful from the authentication history information stored in the authentication history information storage unit 504. In addition, the authentication method selection unit 510 reads the authentication method associated with the model of the user terminal 100 that transmitted the authentication request from the authentication history information storage unit 504. Further, the authentication method selection unit 510 reads an authentication method corresponding to the time zone when the authentication request is received. Further, the authentication method selection unit 510 uses the authentication history information stored in the authentication history information storage unit 504, among the user identification information associated with the user terminal 100 that has transmitted the authentication request, the user with the highest number of authentications. The authentication method associated with the user identification information is read out. Here, when there are a plurality of corresponding authentication methods, the authentication method selection unit 510 reads the plurality of authentication methods from the authentication history information storage unit 504, and prioritizes the plurality of read authentication methods according to the success rate or the like. Determine the ranking.

  The authentication support unit 511 transmits an authentication request for the user terminal 100 to the authentication server 400 that authenticates the user terminal 100 using the authentication method read by the authentication method selection unit 510 among the plurality of authentication servers 400. Further, the authentication support unit 511 transmits an authentication request to the authentication server 400 according to the priority order determined by the authentication method selection unit 510. Further, the authentication support unit 511 receives an authentication result corresponding to the authentication request transmitted to the authentication server 400 and causes the authentication history information storage unit 504 to store authentication history information including the authentication result. Further, when the received authentication result is an authentication failure or indicates switching of the authentication method, the authentication support unit 511 transmits an authentication request to the authentication server 400 that performs authentication processing by another authentication method. To do.

Next, an operation example of the communication system 1 according to the present embodiment will be described. FIG. 9 is a sequence diagram illustrating an operation example of authentication processing by the communication system 1.
When the user terminal 100 connects to the terminal management apparatus 300 (step S1), the terminal information acquisition unit 302 of the terminal management apparatus 300 acquires terminal information from the user terminal 100 and stores it in the terminal information storage unit 301. Then, in response to an input from the user, the user terminal 100 transmits an authentication request for a service provided by the service provider server 200 with the URL of the service provider server 200 as a destination (step S2). Based on the authentication request transmitted from the user terminal 100, the service provider server 200 adds a service provider ID for identifying itself to the authentication request, and performs HTTP redirection with the authentication support server 500 as a destination. Transmit (step S3). In response to the HTTP redirect transmitted from the service provider server 200, the user terminal 100 transmits an authentication request destined for the authentication support server 500. At this time, the terminal management apparatus 300 reads terminal information corresponding to the user terminal 100 that transmitted the authentication request from the terminal information storage unit 301, and adds the read terminal information to the authentication request transmitted from the user terminal 100. To do. Further, the terminal management apparatus 300 adds line information including a line ID for identifying a line connected to the network to the authentication request, and transfers the authentication information to the authentication support server 500 (step S4).

  When the authentication support server 500 receives the authentication request transmitted from the user terminal 100, the terminal information determination unit 505 refers to the authentication method information storage unit 501 and the terminal authentication information storage unit 502 and is included in the authentication request. The authentication method ID corresponding to the terminal information to be read is read (steps S5 and S6). Further, the user estimation unit 507 converts the authentication history information including the user ID corresponding to the line information and the terminal information included in the authentication request, the service provider ID, and the authentication date and time into the authentication history information storage unit 504. (Steps S7, 8). Then, the authentication method selection unit 510 reads the authentication history information corresponding to the read user ID and terminal information from the authentication history information storage unit 504, and based on the number of authentications and the number of successful authentications included in the read authentication history information. The authentication method is determined (steps S9 and S10).

  Then, the authentication support server 500 transmits an authentication request including line information, terminal information, a user ID, and an authentication method to the authentication server 400 that performs authentication using the determined authentication method (step S11). When the authentication server 400 receives the authentication request transmitted from the authentication support server 500, the authentication server 400 transmits an authentication data input screen to the user terminal 100. For example, when the authentication server 400 performs ID / PW authentication authentication processing, the ID and password input screen is transmitted. When the authentication server 400 performs fingerprint authentication authentication processing, the fingerprint authentication input screen is transmitted ( Step S12). The user terminal 100 displays an authentication data input screen transmitted from the authentication server 400 and accepts input of authentication data. The user terminal 100 transmits the input authentication data to the authentication server 400 (step S13). When the authentication server 400 receives the authentication data transmitted from the user terminal 100, the authentication processing unit 402 reads out the user authentication information stored in the user authentication information storage unit 401 and compares it with the received authentication data. Authentication processing is performed (steps S14 and S15). When the authentication processing unit 402 determines that the authentication is successful, the authentication result notifying unit 403 transmits the authentication result to the authentication support server 500 (step S16).

  Upon receiving the authentication result transmitted from the authentication server 400, the authentication support unit 511 of the authentication support server 500 stores authentication history information including the authentication result in the authentication history information storage unit 504 (Step S17). The authentication support server 500 transmits the URL of the service provider server 200 that is a destination when the authentication is successful to the user terminal 100 (step S18), and the user terminal 100 redirects to the service provider server 200. Then, the service provider server 200 transmits an authentication result screen to the user terminal 100 (step S20).

  FIG. 10 is a flowchart showing an operation example of the authentication support server 500 and the authentication server 400. The terminal information determination unit 505 of the authentication support server 500 determines the model based on the terminal information included in the authentication request transmitted from the user terminal 100 (step S30), and selects an authentication method candidate corresponding to the determined model. Read (step S31). When the service provider determination unit 506 reads the service provider ID included in the authentication request, the user estimation unit 507 performs user estimation processing (step S33). Then, the authentication method selection unit 510 determines the authentication method (step S34), and the authentication support unit 511 transmits an authentication request to the authentication server 400.

  When the authentication server 400 performs authentication processing (step S35) and transmits the authentication result to the authentication support server 500, the authentication support server 500 receives the transmitted authentication result. If the authentication result indicates authentication failure (step S36: NO), an authentication history indicating authentication failure is stored in the authentication history information storage unit 504, and another authentication method is selected (step S40). Return and perform the authentication process.

  If the authentication result transmitted from the authentication server 400 indicates that the authentication is successful (step S36: YES), the authentication support server 500 stores the authentication history indicating the authentication success in the authentication history information storage unit 504 (step S37). ) A successful authentication notification is transmitted to the user terminal 100 (step S38), and the process is terminated.

  Here, the user estimation process in step S33 shown in FIG. 10 will be described in detail. FIG. 11 is a flowchart for explaining user estimation processing by the user estimation unit 507 of the authentication support server 500. The user estimation unit 507 searches the authentication history information storage unit 504 for authentication history information based on the terminal information (terminal unique number) received from the user terminal 100 (step S50). If the authentication history information corresponding to the terminal information does not exist in the authentication history information storage unit 504 (step S51: YES), the user estimation unit 507 determines that there is no user ID of the user estimation result (step S52) and ends the process. .

  On the other hand, if the user estimation unit 507 determines in step S51 that the authentication history information corresponding to the terminal information exists in the authentication history information storage unit 504 (step S51: YES), the authentication history information corresponding to the terminal information is read out. . For example, FIG. 12 is a diagram illustrating a data example of the authentication history information read by the user estimation unit 507. When there are a plurality of user IDs corresponding to the terminal information (step S53: NO), the user estimation unit 507 performs a user determination process (step S54). If the result of the user determination process is no user (step S55: NO), the process proceeds to step S52. If there is a user (step S55: YES), the process proceeds to step S56. In step S53, when there is one user ID corresponding to the terminal information (step S53), the process is ended using the searched user ID as a user estimation result (step S56).

  Here, the user determination process in step S54 shown in FIG. 11 will be described in detail. FIG. 13 is a flowchart for describing user determination processing by the user estimation unit 507 of the authentication support server 500. First, the authentication history information stored in the authentication history information storage unit 504 is searched based on the terminal unique number and the authentication date and time, and the probability is calculated for each user using Bayesian theory (step S60). For example, the probability of being user A is (number of histories of user A / number of target histories). If the search result is as shown in FIG. 14, the probability of being userA is 3/4 = 0.75, and the probability of being userC is 1/4 = 0.25.

  Next, the authentication history information is searched based on the terminal unique number and the service provider ID, and the probability is calculated by Bayesian theory for each user (step S61). For example, the probability of being user A is (number of histories of user A / number of target histories). If the search result is as shown in FIG. 15, the probability of being userA is 4/6 = 0.67, and the probability of being userC is 2/6 = 0.33. For each user, the sum of the probabilities calculated in step S60 and step S61 is calculated as a determination index. In the above example, the determination index for userA is 0.75 + 0.67 = 1.42, and the determination index for userC is 0.25 + 0.33 = 0.58.

  Then, the calculated determination indices are compared (step S63). Here, the determination result is a user having the largest calculated determination index. Here, when the probability of either step S60 or step S61 is 0, the user may be excluded from the determination target. As for the determination processing result, when there is one user whose index is the maximum value, one determined user ID becomes the determination result. Alternatively, when there are a plurality of users whose determination index is the maximum value, the determination result is “no user”. Even when all users are not subject to determination, the determination result is that there is no user. The user estimation unit 507 outputs a determination result.

  Next, the authentication method selection process in step S34 shown in FIG. 10 will be described in detail. FIG. 16 is a flowchart for explaining authentication method selection processing by the authentication method selection unit 510 of the authentication support server 500. If there is a user ID estimation result as a result of the user estimation process in step S33 (step S70: YES), authentication is performed from the authentication history information storage unit 504 based on the terminal unique information and the estimated user ID. History information is searched (step S71). On the other hand, if the user ID estimation result does not exist (step S70: NO), the authentication method selection unit 510 searches the authentication history information storage unit 504 for authentication history information based on the terminal unique information (step S72). .

  Then, the authentication method selection unit 510 calculates an authentication success rate using the Laplace continuity rule for each authentication method (step S73). Here, the authentication method selection unit 510 determines the success rate for each authentication method for each user terminal 100 that transmitted the authentication request or the success rate for each authentication method for each user of the user terminal 100 based on the authentication result. To calculate. For example, the success rate of authentication method 1 is represented by (success count + 1 / trial count + 2). For example, if the search result based on userA in step S71 is as shown in FIG. 17, the success rate of the authentication method 1 is 2 and the number of trials is 3. Therefore, the success rate is (2 + 1) / (3 + 2) = 3. /5=0.6. On the other hand, since the number of successes of the authentication method 2 is 4 and the number of trials is 5, the success rate is (4 + 1) / (5 + 2) = 5/7 = 0.71. Therefore, the priority order is the order of authentication method 2 and authentication method 1.

Alternatively, for example, when the search result based only on the terminal unique number in step S72 is as shown in FIG. 18, the success count of the authentication method 1 is 6 and the trial count is 8, so the success rate is (6 + 1) / (8 + 2) = 7/10 = 0.7. Since the number of successes of the authentication method 2 is 3 and the number of trials is 5, the success rate is (3 + 1) / (5 + 2) = 4/7 = 0.57. Since the number of successes of authentication method 3 is 2 and the number of trials is 3, the success rate is (2 + 1) / (3 + 2) = 3/5 = 0.6. Therefore, the priority order is authentication method 1, authentication method 3, and authentication method 2.
Here, the authentication method selection unit 510 can calculate a success rate according to the authentication date and time stored in the authentication history information storage unit 504, and can read an authentication method with a high success rate near the current date and time. For example, when calculating the success rate, the success rate can be calculated by weighting the latest authentication result within a certain period from the current date and time. Alternatively, the success rate may be calculated only from history information within a certain period such as a half year.
Then, the authentication method selection unit 510 reads out an authentication method with a high success rate according to the success rate calculated in this way (step S74).

  Next, with reference to FIG. 19, an example of a sequence operation when the authentication result by the authentication process is determined to be authentication failure will be described. As described with reference to FIG. 9, when the authentication data input screen is transmitted in step S12, authentication data is input, and transmitted to the authentication server 400-1 in step S13, the authentication processing unit 402 of the authentication server 400-1 performs. Authentication processing is performed (steps S14 and S15). Here, if the authentication result is a failure and the authentication result notification unit 403 transmits a notification of the authentication failure result to the authentication support server 500 (step S80), the authentication support unit 511 of the authentication support server 500 authenticates the authentication failure. The history is stored in the authentication history information storage unit 504 (step S81). Then, the authentication support unit 511 transmits an authentication method selection screen to the user terminal 100 (step S82). The user terminal 100 receives an authentication method selection input from the user, and transmits the selection result to the authentication support server 500 (step S83). The authentication support server 500 transmits an authentication request to the authentication server 400-2 that performs the authentication process of the selected authentication method (step S84). The authentication server 400-2 transmits an authentication data input screen using an authentication method different from that of the authentication server 400-1 to the user terminal 100 (step S85).

  Next, with reference to FIG. 20, a sequence operation example when the user estimation fails will be described. If the user cannot be estimated by the user estimation process in step S7 described in FIG. 9, the authentication history information including the service provider ID and the authentication date / time is read from the authentication history information storage unit 504 (step S90). ). Then, the authentication method selection unit 510 reads authentication history information corresponding to the read terminal information from the authentication history information storage unit 504, and selects an authentication method based on the number of authentications and the number of successful authentications included in the read authentication history information. Determination is made (steps S91, 92). Then, the authentication support server 500 transmits an authentication request including the line information, the terminal information, and the authentication method to the authentication server 400 that performs authentication using the determined authentication method (step S93). Upon receiving the authentication request transmitted from the authentication support server 500, the authentication server 400 transmits an authentication data input screen to the user terminal 100 as in step S12.

Next, with reference to FIG. 21, a sequence operation example in the case where an authentication method is selected based on an application and an authentication method is selected based on a service provider policy will be described. In step S6 described with reference to FIG. 9, after reading the authentication method corresponding to the terminal information, the terminal capability determination unit 508 reads the terminal detailed information including the application information from the user terminal 100 (steps S100 and 101). . Then, the authentication support server 500 reads the authentication method corresponding to the terminal detailed information from the authentication history information storage unit 504 (steps S102 and 103). Also, the service provider policy application unit 509 reads the service provider policy from the service provider policy information storage unit 503, performs a filtering process according to the service provider policy, and determines an authentication method candidate. (Steps S104 and 105).
FIG. 22 is a diagram showing a flowchart when such processing is performed. The processing from step S30 to step S40 is the same as the processing described in FIG. 10, but after step S31, terminal capability determination processing according to the application is performed (step S110), and the authentication method according to the determination result is set. Determination is made (step S111). Further, after determining the service provider in step S32, the service provider policy is applied (step S112).

  As described above, according to the present embodiment, the authentication support server 500 presents an authentication method according to the user's authentication history even if the user does not select an authentication method that suits the user each time authentication processing is performed. This eliminates the hassle of selecting an authentication method by itself, and improves convenience. For example, as shown in FIG. 23 (a), as an authentication method when using a content distribution service by a home television receiver, any one of IC card authentication, fingerprint authentication, and ID / PASS authentication is used. Shall be available. It is assumed that the user father and the user mother use such a television receiver, the user father often uses IC card authentication, and the user mother often uses ID / PASS authentication. In such a case, conventionally, since the user himself / herself has to select an authentication method, the selection operation is troublesome and there is a case where a service use opportunity is lost. On the other hand, if this embodiment is applied, as shown in (b), the user who requested the authentication is estimated by the user estimation function, and an authentication method corresponding to the estimated user is automatically provided. It is possible to improve user convenience and prevent loss of service use opportunities.

  It should be noted that a program for realizing the function of the processing unit in the present invention is recorded on a computer-readable recording medium, and the program recorded on the recording medium is read into a computer system and executed to perform authentication support. May be. Here, the “computer system” includes an OS and hardware such as peripheral devices. The “computer system” includes a WWW system having a homepage providing environment (or display environment). The “computer-readable recording medium” refers to a storage device such as a flexible medium, a magneto-optical disk, a portable medium such as a ROM and a CD-ROM, and a hard disk incorporated in a computer system. Further, the “computer-readable recording medium” refers to a volatile memory (RAM) in a computer system that becomes a server or a client when a program is transmitted via a network such as the Internet or a communication line such as a telephone line. In addition, those holding programs for a certain period of time are also included.

  The program may be transmitted from a computer system storing the program in a storage device or the like to another computer system via a transmission medium or by a transmission wave in the transmission medium. Here, the “transmission medium” for transmitting the program refers to a medium having a function of transmitting information, such as a network (communication network) such as the Internet or a communication line (communication line) such as a telephone line. The program may be for realizing a part of the functions described above. Furthermore, what can implement | achieve the function mentioned above in combination with the program already recorded on the computer system, and what is called a difference file (difference program) may be sufficient.

DESCRIPTION OF SYMBOLS 1 Communication system 100 User terminal 200 Service provider server 201 Authentication request reception part 300 Terminal management apparatus 301 Terminal information storage part 302 Terminal information acquisition part 303 Terminal information addition part 400 Authentication server 401 User authentication information storage part 402 Authentication processing part 403 Authentication result notification unit 500 Authentication support server 501 Authentication method information storage unit 502 Terminal authentication information storage unit 503 Service provider business policy information storage unit 504 Authentication history information storage unit 505 Terminal information determination unit 506 Service provider determination unit 507 User Estimating unit 508 Terminal capability determining unit 509 Service provider policy applying unit 510 Authentication method selecting unit 511 Authentication supporting unit

Claims (11)

An authentication support device connected to a plurality of user terminals and a plurality of authentication devices that perform authentication processing of the user terminal by any one of a plurality of authentication methods,
For each piece of terminal identification information for identifying a plurality of user terminals, there is stored history information in which an authentication method in an authentication process performed by the authentication device is associated with an authentication request from the user terminal. A history information storage unit;
Upon receiving an authentication request transmitted from the user terminal, an authentication method selection unit that reads out the authentication method associated with the user terminal and stored in the history information storage unit;
An authentication request unit that transmits an authentication request for the user terminal to the authentication device that performs authentication of the user terminal by the authentication method read by the authentication method selection unit among the plurality of authentication devices;
An authentication support apparatus comprising: The authentication device performs an authentication process for each user of the user terminal,
In the history information storage unit, for each terminal identification information, user identification information for identifying a plurality of users who have performed authentication processing is stored in association with each other,
The authentication method selection unit is a user of a user who is frequently authenticated among user identification information associated with the user terminal that has transmitted the authentication request from the history information stored in the history information storage unit. The authentication support apparatus according to claim 1, wherein the authentication method associated with the identification information is read out. In the history information storage unit, for each terminal identification information, an authentication result indicating whether or not an authentication process performed by the authentication device in response to an authentication request from a user terminal indicated by the terminal identification information is successful Are stored in association with each other,
The authentication method selection unit calculates a success rate for each authentication method for each user terminal that has transmitted the authentication request, or a success rate for each authentication method for each user of the user terminal based on the authentication result. The authentication support apparatus according to claim 1, wherein the authentication method having a high success rate is read out. The history information stored in the history information storage unit includes information indicating the date and time when the authentication process was performed,
The authentication support apparatus according to claim 3, wherein the authentication method selection unit calculates the success rate according to the date and time, and reads the authentication method having a high success rate at a time close to the current date and time. The history information stored in the history information storage unit includes information indicating a time zone in which the authentication process was performed,
The authentication support apparatus according to any one of claims 1 to 4, wherein the authentication method selection unit reads the authentication method according to a time zone when the authentication request is received. The authentication device performs an authentication process for each service provided to the user terminal,
In the history information storage unit, for each terminal identification information, service identification information for identifying a service provided when the authentication process is successful is associated and stored,
The authentication method selection unit reads the authentication method associated with a service provided when the authentication process is successful from the history information stored in the history information storage unit. The authentication support device according to any one of claims 1 to 5. The authentication method selection unit receives information indicating an application stored in the user terminal from the user terminal, and responds to the application from the history information stored in the history information storage unit. The authentication support apparatus according to claim 1, wherein the authentication method is read out. A terminal information storage unit that stores model information indicating a model of the user terminal and an authentication method that can be used in the model in association with each other;
The authentication method selection unit reads an authentication method associated with a model of the user terminal that transmitted the authentication request from the terminal information storage unit. The authentication support device according to Item. For each service provided to the user terminal, comprising a service provider policy storage unit that stores information indicating an authentication method applied in an authentication process when using the service in association with the service,
The authentication support apparatus according to any one of claims 1 to 8, wherein the authentication method selection unit reads the authentication method stored in the service provider policy storage unit. The authentication method selection unit reads a plurality of authentication methods from the history information storage unit, determines priorities of the plurality of read authentication methods,
The said authentication request part transmits an authentication request | requirement to the said authentication apparatus according to the priority determined by the said authentication system selection part. The one of Claim 1- Claim 9 characterized by the above-mentioned. Authentication support device. For each terminal identification information that is connected to a plurality of user terminals and a plurality of authentication devices that perform authentication processing of the user terminal by any one of a plurality of authentication methods and identifies the plurality of user terminals to the authentication by the authentication device authentication support device history information authentication method associated in performed authentication processing with the history information storage unit stored by performed in response to an authentication request from the user terminal A support method,
When the authentication support apparatus receives an authentication request transmitted from the user terminal, reading the authentication method associated with the user terminal and stored in the history information storage unit;
The authentication support device transmitting an authentication request for the user terminal to the authentication device that performs authentication of the user terminal by the read authentication method among the plurality of authentication devices;
An authentication support method comprising:

Images