A generic user-sensitive operation secondary authentication method and system

The general-purpose user-sensitive operation two-factor authentication system solves the problem of repetitive development of two-factor authentication for user-sensitive operations, realizes an efficient and standardized authentication process and diversified authentication methods, and improves development efficiency and user experience.

CN116070182BActive Publication Date: 2026-06-05TRUSTASIA TECH INC

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Patents(China)
Current Assignee / Owner
TRUSTASIA TECH INC
Filing Date
2023-02-10
Publication Date
2026-06-05

AI Technical Summary

Technical Problem

In existing technologies, secondary verification of sensitive user operations requires repeated development and integration, resulting in increased and cumbersome business processes and a lack of unified standards and specifications.

Method used

A general-purpose user-sensitive operation two-factor authentication system is adopted, which includes modules such as pre-data settings, verification method acquisition, pre-verification and verification. By separating the general verification service and business service, a standardized two-factor authentication process is provided, supporting multiple verification methods.

Benefits of technology

It improves development efficiency, reduces redundant development, standardizes the secondary verification process, maintains a consistent user experience, supports multiple verification methods, and meets users' personalized needs.

✦ Generated by Eureka AI based on patent content.

Smart Images

  • Figure CN116070182B_ABST
    Figure CN116070182B_ABST
Patent Text Reader

Abstract

The application relates to a general user-sensitive operation secondary authentication method and system. The system comprises five modules of pre-data setting, verification mode acquisition, pre-authentication, authentication and business operation. The method comprises the following steps: a client and a business service request setting of pre-data to a general authentication service, and user pre-data and business system sensitive operation pre-data are respectively generated. The application aims to solve the problems of repeated development and repeated docking of secondary authentication modes, so that users can select different secondary authentication modes according to their own needs, and the application has strong adaptability.
Need to check novelty before this filing date? Find Prior Art

Description

Technical Field

[0001] This invention relates to the field of digital identity verification, and in particular to a general method and system for two-factor authentication of sensitive user operations. Background Technology

[0002] In today's user-related system development, a common challenge is handling the verification of sensitive user actions, such as password changes or personal information modifications. Typically, to ensure security, systems should enable multi-factor authentication (MFA) or two-factor authentication (2FA) to verify that the sensitive action is performed by the user. However, enabling 2FA / MFA often leads to repetitive development as business needs increase. Furthermore, as the number of sensitive user actions increases, the demand for secondary verification also grows. If a separate secondary verification logic is written for each sensitive action, developers will need to repeatedly develop and integrate it, which is inefficient for business services and results in significant redundancy and cumbersome processes.

[0003] Based on the above problems, it is necessary to propose a method that can solve the problems of repeated development, repeated integration, and secondary verification. Summary of the Invention

[0004] In view of the above problems, the purpose of this invention is to provide a universal two-factor authentication system for sensitive user operations, which allows users to choose different two-factor authentication methods according to their own needs and has strong adaptability.

[0005] The technical solution adopted by the system of the present invention is: a general user sensitive operation two-factor authentication system, which includes 5 modules: pre-data setting, obtaining verification method, pre-verification, verification, and business operation. The core logic is pre-verification and verification. In addition, in order to facilitate the distinction between verification and business operation, the service is divided into general verification service and business service. The general verification service is mainly used to provide user operation behavior verification service, and the business service refers to the service that connects to the user's sensitive operation.

[0006] The aforementioned pre-data settings are divided into user pre-data settings and business system sensitive operation pre-data settings. User pre-data settings are used by the system to collect user verification data. Business system sensitive operation pre-data settings refer to defining the secondary verification methods supported by the operation when the business service defines a sensitive operation that requires secondary verification of user identity to the general verification service.

[0007] The aforementioned obtaining verification method refers to the user requesting the client to obtain the verification method supported by the sensitive operation based on the current sensitive operation from the general verification service. In this operation, the general verification service needs to determine the intersection between the verification method supported by the sensitive operation (the business system's sensitive operation pre-data settings) and the verification method currently set by the user (the user's pre-data settings) and return the result.

[0008] The pre-verification refers to the user requesting the general verification service to start the verification process based on the obtained verification method. In addition, the behavior of the general verification service will be different depending on the verification method, but the core logic remains the same, that is, the current operation behavior is cached for subsequent verification.

[0009] The verification is used to determine whether the verification data submitted by the user is correct and valid. If the verification is successful, the general verification service returns a temporary password to the client and caches the current operation and the temporary password. The client should cache the temporary password responded by the service and carry the password when performing business operations.

[0010] The aforementioned business operations are used to perform specific sensitive operations. When performing a business operation, the user needs to request the business service with the temporary password returned in the verification step (this password is usually saved by the client and automatically uploaded without the user's knowledge). The business service requests the verification token (temporary password) and whether the current operation is legal from the general verification service. If the verification is successful, the business service will perform the relevant operation; otherwise, the user operation will be rejected.

[0011] It is important to note that business operations can only proceed after four modules have been completed: pre-data setup, obtaining verification methods, pre-verification, and verification.

[0012] This invention also provides a general method for two-factor authentication of sensitive user operations, implemented using a general two-factor authentication system for sensitive user operations as described above. The method includes the following steps:

[0013] S10, the client and business service request the general verification service to set the pre-data, and generate user pre-data and business system sensitive operation pre-data respectively;

[0014] S20, the client requests the general verification service to obtain multiple verification methods supported by sensitive operations. The general verification service obtains the intersection result Q between the user pre-data and the sensitive operation pre-data of the business system generated in step S10, and returns it to the client. The client displays the obtained verification methods.

[0015] S30: The user obtains the verification method from the client and then requests pre-verification from the general verification service. The general verification service verifies the verification method selected by the user and the corresponding sensitive operation, that is, it verifies whether the sensitive operation supports the verification method. If the verification passes, the corresponding pre-verification operation is performed, and the pre-verification information and operation information are cached at the same time.

[0016] S40, the user submits verification information. The general verification service verifies the user's submitted verification information and corresponding operation behavior based on the pre-verification information and operation information cached in step S30. If the verification is successful, the general verification service generates a temporary password and caches the corresponding user operation and temporary password. After receiving the response temporary password, the client caches the password locally.

[0017] S50: The user submits business operation data. The client carries a locally cached temporary password and requests the business service to perform a sensitive operation. After receiving the request, the business service requests the general verification service to verify the user operation and password. The general verification service verifies the user operation based on the password and user operation cached in step S40. If the verification is successful, the business service performs the corresponding sensitive business operation and returns the operation result to the client.

[0018] As a further improvement of the present invention, step S10 specifically includes:

[0019] The client sets necessary pre-verification conditions based on the verification method. The user's pre-verification data will be different depending on the verification method selected by the user.

[0020] The business service also sets the necessary verification methods for the general verification service according to the needs of sensitive business. The general verification service stores the list of verification methods supported by the sensitive operation according to the request of the business server and generates the pre-operation data for sensitive operations of the business system.

[0021] As a further improvement of the present invention, the step S30 in which the user obtains the verification method from the client specifically includes:

[0022] If the intersection result Q in step S20 is data for one verification method, the user directly obtains this verification method from the client. If the intersection result Q in step S20 is data for more than one verification method, the user directly selects one verification method from the multiple verification methods obtained from the client.

[0023] As a further improvement of the present invention, the general verification service in step S30 verifies the verification method selected by the user and the corresponding sensitive operation, and specifically includes the following steps:

[0024] S3001, the general authentication service receives the authentication method and sensitive operation from the client;

[0025] S3002, the general verification service determines whether the verification methods supported by the sensitive operation include the verification method requested by the user based on the sensitive operation pre-data of the business system. If not, the verification fails. If it does, the service further verifies whether the user has set the user pre-data required for the verification method.

[0026] S3003: If the user meets the user prerequisite data required for this verification method, the verification will pass; otherwise, the verification will fail.

[0027] As a further improvement of the present invention, step S40 specifically includes the following steps:

[0028] S4001, retrieve the verification information cached in step S30;

[0029] S4002, match the verification information with the verification information submitted by the user. If they match completely, the verification passes; otherwise, the verification fails.

[0030] The above technical solution has the following beneficial effects:

[0031] To address the issue of repetitive development involved in secondary verification during actual development, this invention proposes a new and standardized solution that eliminates the need for developers to repeatedly develop secondary verification services during business development. All sensitive operations are handled by a general secondary verification service, greatly improving development efficiency.

[0032] The general two-factor authentication method standardizes the way two-factor authentication is used, providing a standardized process for two-factor authentication of sensitive user operations.

[0033] When users use the system using this method, there is little difference compared to conventional two-factor authentication services, and there is no additional usage cost for users, making it easy for users to accept.

[0034] The range of supported two-factor authentication methods is extensive, including SMS verification code, email verification code, user security questions, FIDO verification, TOTP dynamic verification code verification, and password verification. Users can choose different verification methods based on their own convenience to obtain authorization for sensitive operations through two-factor authentication. Attached Figure Description

[0035] The specific embodiments of the present invention will be further described below with reference to the accompanying drawings:

[0036] Figure 1 This is a framework diagram of a general user-sensitive operation two-factor authentication system provided in an embodiment of the present invention;

[0037] Figure 2This is a flowchart of a general user-sensitive operation two-factor authentication method provided in an embodiment of the present invention. Detailed Implementation

[0038] The technical solutions of the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings. Obviously, the described embodiments are only some embodiments of the present invention, and not all embodiments. Based on the embodiments of the present invention, all other embodiments obtained by those skilled in the art without creative effort are within the scope of protection of the present invention.

[0039] like Figure 1 As shown, a general user sensitive operation two-factor authentication system includes five modules: pre-data setting, obtaining verification method, pre-verification, verification, and business operation. The core logic is pre-verification and verification. In addition, to facilitate the distinction between verification and business operation, the service is divided into general verification service and business service. The general verification service is mainly used to provide user operation behavior verification service, while the business service refers to the service that connects to the user's sensitive operation.

[0040] The aforementioned pre-set data is divided into user pre-set data and business system sensitive operation pre-set data. User pre-set data refers to the collection of user verification data. For example, when using SMS verification codes, a user's mobile phone number is required, so collecting and storing the mobile phone number is a user data pre-set. Similar operations include FIDO credential creation and TOTP (Time-based One-time Password algorithm) binding. The above operations belong to user information and are important parameters for verifying user identity. Generally, each verification service chooses its own implementation method, or it can use data collected by the business service. This invention does not emphasize the implementation method of this setting. Business system sensitive operation pre-set data refers to the business service defining sensitive operations that require secondary verification of user identity to the general verification service, and defining the secondary verification methods supported by the operation. For example, defining password modification as a user sensitive operation requires secondary verification methods such as SMS verification code or old password verification. This means that when a user needs to modify their password, they need to verify the SMS verification code or the old password to identify the user's identity.

[0041] The aforementioned obtaining verification method refers to the user requesting the client to obtain the verification methods supported by the sensitive operation based on the current sensitive operation, from the general verification service. In this operation, the general verification service needs to determine the intersection between the verification methods supported by the sensitive operation (the business system's sensitive operation pre-set data) and the verification methods currently set by the user (the user's pre-set data), and return the result. For example, if the general verification service defines the supported verification methods for the password modification operation as mobile phone verification code and old password verification, and the user has not set a mobile phone number but only a password, then after performing the intersection operation, the returned list of verification methods supported by the user will only contain the old password.

[0042] The pre-verification refers to the user requesting the general verification service to initiate a verification process based on the obtained verification method. For example, if a user chooses SMS verification code for secondary verification when changing their password, they send a pre-verification request to the general verification service to modify their password. Upon receiving the request, the general verification service verifies the user's selected method and sensitive operation, determining whether the selected operation is one of the intersection elements of the user's pre-data and the system's sensitive operation pre-data. If the verification passes, a verification code is sent to the user's bound mobile phone number. Simultaneously, the general verification service caches the sent verification code for subsequent verification. Note that the behavior of the general verification service during pre-verification may differ depending on the verification method. For instance, SMS verification codes require sending an SMS message, while FIDO requires the service to send a verification code to FIDO. The server requests to begin pre-verification. For old password verification, it only needs to verify whether the selected verification method is valid. The specific processing logic needs to be changed according to different verification methods, but the core logic—caching the current operation behavior for subsequent verification—remains unchanged. For example, selecting SMS verification code requires caching the current operation and verification code information, while FIDO verification requires caching the current operation and challenge (content in the FIDO protocol) information. Even if the user selects old password verification, the user's current operation still needs to be cached. The purpose of caching is to ensure that subsequent verification steps can verify whether the user's current behavior is valid.

[0043] The verification is used to determine whether the verification data submitted by the user is correct and valid. If the verification passes, the general verification service returns a temporary password to the client. For example, if the user submits an SMS verification code to the service, the general verification service verifies whether the user's current operation and the verification code are correct (based on the information in the pre-verification cache). If the verification passes, the general verification service generates a temporary password (the password should have an expiration time, which should be configured according to the actual system needs) and caches the current operation and the temporary password. The client should cache the temporary password responded by the service and carry the password when performing business operations.

[0044] The aforementioned business operations are used to perform specific sensitive operations. These operations can only be performed after four modules: pre-data setup, verification method acquisition, pre-verification, and verification. When performing a business operation, the user must request the business service using the temporary password returned during the verification step (this password is usually saved by the client and automatically uploaded, unnoticed by the user). The business service requests a verification token (temporary password) and verification of the current operation's legitimacy from the general verification service. If the verification passes, the business service performs the relevant operation; otherwise, the user operation is rejected. For example, if a user changes their password, the password change interface should include the new password information and a temporary password generated during the verification step, submitted to the business service for password change. Upon receiving the user's request, the business service requests verification of the temporary password and the current operation's legitimacy from the general verification service. If the verification passes, the business service performs the password change operation; otherwise, the user operation is rejected.

[0045] like Figure 2 As shown, this invention provides a general method for two-factor authentication of sensitive user operations, implemented using a general two-factor authentication system for sensitive user operations as described above. The method includes the following steps:

[0046] S10, the client and business service request the general verification service to set the pre-data, and generate user pre-data and business system sensitive operation pre-data respectively;

[0047] S20, the client requests the general verification service to obtain multiple verification methods supported by sensitive operations. The general verification service obtains the intersection result Q between the user pre-data and the sensitive operation pre-data of the business system generated in step S10, and returns it to the client. The client displays the obtained verification methods.

[0048] S30: The user obtains the verification method from the client and then requests pre-verification from the general verification service. The general verification service verifies the verification method selected by the user and the corresponding sensitive operation, that is, it verifies whether the sensitive operation supports the verification method. If the verification passes, the corresponding pre-verification operation is performed, and the pre-verification information and operation information are cached at the same time.

[0049] S40, the user submits verification information. The general verification service verifies the user's submitted verification information and corresponding operation behavior based on the pre-verification information and operation information cached in step S30. If the verification is successful, the general verification service generates a temporary password and caches the corresponding user operation and temporary password. After receiving the response temporary password, the client caches the password locally.

[0050] S50: The user submits business operation data. The client carries a locally cached temporary password and requests the business service to perform a sensitive operation. After receiving the request, the business service requests the general verification service to verify the user operation and password. The general verification service verifies the user operation based on the password and user operation cached in step S40. If the verification is successful, the business service performs the corresponding sensitive business operation and returns the operation result to the client.

[0051] Preferably, method step S10 further includes the following steps:

[0052] The client sets necessary pre-verification conditions based on the verification method. The user's pre-verification data will be different depending on the verification method selected by the user.

[0053] The business service also sets the necessary verification methods for the general verification service according to the needs of sensitive business. The general verification service stores the list of verification methods supported by the sensitive operation according to the request of the business server and generates the pre-operation data for sensitive operations of the business system.

[0054] Preferably, the step S30 of the method, in which the user obtains the verification method from the client, further includes:

[0055] If the intersection result Q in step S20 is data for one verification method, the user directly obtains this verification method from the client; if the intersection result Q in step S20 is data for more than one verification method, the user directly selects one verification method from the multiple verification methods obtained from the client.

[0056] Preferably, the general verification service in step S30 of the method verifies the verification method selected by the user and the corresponding sensitive operation, and specifically includes the following steps:

[0057] S3001, the general authentication service receives the authentication method and sensitive operation from the client;

[0058] S3002, the general verification service determines whether the verification methods supported by the sensitive operation include the verification method requested by the user based on the sensitive operation pre-data of the business system. If not, the verification fails. If it does, the service further verifies whether the user has set the user pre-data required for the verification method.

[0059] S3003: If the user meets the user prerequisite data required for this verification method, the verification will pass; otherwise, the verification will fail.

[0060] Preferably, step S40 in the method further includes the following steps:

[0061] S4001, retrieve the verification information cached in step S30;

[0062] S4002, match the verification information with the verification information submitted by the user. If they match completely, the verification passes; otherwise, the verification fails.

[0063] The verification method and verification system described in this invention have the following advantages during implementation:

[0064] First, this invention eliminates the need for developers to repeatedly develop secondary authentication services during business development, as all sensitive operations are handled by a universal secondary verification service, significantly improving development efficiency. Second, the universal secondary verification method standardizes the usage of secondary verification, providing a standardized process for verifying sensitive user actions. Third, users experience little difference when using this system compared to conventional secondary verification services, incurring no additional usage costs and making it easily acceptable. Fourth, it supports a wide range of secondary verification methods, allowing users to choose the most convenient option to authorize sensitive operations.

[0065] The above are merely specific embodiments of the present invention, and should not be construed as limiting the scope of the present invention. It should be noted that those skilled in the art can make various modifications and improvements without departing from the concept of the present invention, and these all fall within the protection scope of the present invention.

Claims

1. A universal two-factor authentication system for sensitive user operations, characterized in that, The system comprises five modules: pre-data setting, verification method acquisition, pre-verification, verification, and business operation. The core logic consists of pre-verification and verification. In addition, to facilitate the distinction between verification and business operation, the service is divided into general verification service and business service. The general verification service is mainly used to provide user operation behavior verification services, while the business service refers to the service that connects to the user's sensitive operations. The aforementioned pre-data settings are divided into user pre-data settings and business system sensitive operation pre-data settings. User pre-data settings are used by the system to collect user verification data. Business system sensitive operation pre-data settings refer to defining the secondary verification methods supported by the operation when the business service defines a sensitive operation that requires secondary verification of user identity to the general verification service. The aforementioned verification method refers to the user requesting the client to obtain the verification method supported by the sensitive operation based on the current sensitive operation from the general verification service. In this operation, the general verification service needs to determine the intersection between the verification method supported by the sensitive operation (i.e., the pre-set data of the sensitive operation in the business system) and the verification method currently set by the user (i.e., the user's pre-set data), and return the result. The pre-verification refers to the process where a user requests the general verification service to initiate a verification process based on the obtained verification method. After receiving the request, the general verification service verifies the verification method selected by the user and the corresponding sensitive operation, that is, it verifies whether the sensitive operation supports the verification method. If the verification passes, the corresponding pre-verification operation is performed. The behavior of the general verification service will be different depending on the verification method, but the core logic remains the same, that is, the pre-verification information and operation information are cached for subsequent verification. The verification is used to determine whether the verification data submitted by the user is correct and legal based on the pre-verification information and operation information in the pre-verification cache. If the verification is successful, the general verification service returns a temporary password to the client and caches the current operation and the temporary password. The client should cache the temporary password responded by the service and carry the password when performing business operations. The business operation is used to perform specific sensitive operations. When performing a business operation, the temporary password returned in the verification step is required to request the business service. This temporary password is usually saved by the client and automatically uploaded without the user's knowledge. The business service requests a verification token from the general verification service to verify whether the temporary password and the current operation are valid. If the verification is successful, the business service will perform the relevant operation; otherwise, the user's operation will be rejected.

2. The universal user-sensitive operation two-factor authentication system according to claim 1, characterized in that, Business operations can only proceed after four modules have been completed: pre-data setup, obtaining verification methods, pre-verification, and verification.

3. A general method for two-factor authentication of user-sensitive operations, characterized in that, The system is implemented using a general user-sensitive operation two-factor authentication system as described in claim 1, and the method includes the following steps: S10, the client and business service request the general verification service to set the pre-data. The general verification service stores the user pre-data and the business system sensitive operation pre-data respectively. S20, the client requests the general verification service to obtain multiple verification methods supported by sensitive operations. The general verification service obtains the intersection result Q between the user pre-data and the sensitive operation pre-data of the business system generated in step S10, and returns it to the client. The client displays the obtained verification methods. S30: The user obtains the verification method from the client and then requests pre-verification from the general verification service. The general verification service verifies the verification method selected by the user and the corresponding sensitive operation, that is, it verifies whether the sensitive operation supports the verification method. If the verification passes, the corresponding pre-verification operation is performed, and the pre-verification information and operation information are cached at the same time. S40, the user submits verification information. The general verification service verifies the user's submitted verification information and corresponding operation behavior based on the pre-verification information and operation information cached in step S30. If the verification is successful, the general verification service generates a temporary password and caches the corresponding user operation and temporary password. After receiving the response temporary password, the client caches the password locally. S50: The user submits business operation data. The client carries a locally cached temporary password and requests the business service to perform a sensitive operation. After receiving the request, the business service requests the general verification service to verify the user operation and password. The general verification service verifies the user operation based on the password and user operation cached in step S40. If the verification is successful, the business service performs the corresponding sensitive business operation and returns the operation result to the client.

4. The universal user-sensitive operation two-factor authentication method according to claim 3, characterized in that, Step S10 specifically also includes: The client sets necessary pre-verification conditions based on the verification method. The user's pre-verification data will be different depending on the verification method selected by the user. The business service also sets the necessary verification methods for the general verification service according to the needs of sensitive business. The general verification service stores the list of verification methods supported by the sensitive operation according to the request of the business server and generates the pre-operation data for sensitive operations of the business system.

5. A general user-sensitive operation two-factor authentication method according to claim 3, characterized in that, The step S30, in which the user obtains the verification method from the client, specifically includes: If the intersection result Q in step S20 is data for one verification method, the user directly obtains this verification method from the client. If the intersection result Q in step S20 is data for more than one verification method, the user directly selects one verification method from the multiple verification methods obtained from the client.

6. The universal two-factor authentication method for sensitive user operations according to claim 3, characterized in that, The general verification service in step S30 verifies the verification method selected by the user and the corresponding sensitive operation, and specifically includes the following steps: S3001, the general authentication service receives the authentication method and sensitive operation from the client; S3002, the general verification service determines whether the verification methods supported by the sensitive operation include the verification method requested by the user based on the sensitive operation pre-data of the business system. If not, the verification fails. If it does, the service further verifies whether the user has set the user pre-data required for the verification method. S3003: If the user meets the user prerequisite data required for this verification method, the verification will pass; otherwise, the verification will fail.

7. A general user-sensitive operation two-factor authentication method according to claim 3, characterized in that, The verification method in step S40 further includes the following steps: S4001, retrieve the verification information cached in step S30; S4002, match the verification information with the verification information submitted by the user. If they match completely, the verification passes; otherwise, the verification fails.