An identity authentication method and device

By employing a multi-layered authentication method that coordinates gateway devices and user terminals with authentication servers, and utilizing biometrics and location information, the security vulnerabilities of traditional SSLVPN authentication are addressed, resulting in higher accuracy of authentication and enhanced security of intranet data.

CN117614726BActive Publication Date: 2026-07-07NEW H3C SECURITY TECH CO LTD

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Patents(China)
Current Assignee / Owner
NEW H3C SECURITY TECH CO LTD
Filing Date
2023-11-30
Publication Date
2026-07-07

Smart Images

  • Figure CN117614726B_ABST
    Figure CN117614726B_ABST
Patent Text Reader

Abstract

The application provides an identity authentication method and device, and relates to the technical field of communication. When implementing the method, a gateway device receives a first authentication message sent by a user terminal, the first authentication message carrying authentication information of a user; after authenticating the user based on the authentication information, the gateway device sends an identity authentication indication to the user terminal; the gateway device acquires and records a first identity authentication result of the user from an authentication server, the first identity authentication result carrying first location information; the gateway device receives a second authentication message sent by the user terminal, the second authentication message carrying second location information; and the gateway device authenticates the identity of the user according to the first location information and the second location information. Thus, the security of user identity authentication is realized, the accuracy of the authentication result is improved, and the security of internal network data when a user authenticated is accessing the internal network is also improved.
Need to check novelty before this filing date? Find Prior Art

Description

Technical Field

[0001] This application relates to the field of communication technology, and in particular to an identity authentication method and apparatus. Background Technology

[0002] SSLVPN (Secure Sockets Layer Virtual Private Network) is a virtual private network solution based on the SSL protocol. It allows users to remotely access internal corporate network resources through encrypted channels, ensuring the security and integrity of data transmission. Traditional SSLVPN authentication methods typically use usernames and passwords to verify user identity. Traditional authentication methods have security vulnerabilities, such as password cracking, leakage, or forgery. Furthermore, some recent authentication technologies have adopted biometric recognition, which significantly improves security. However, both traditional authentication methods and new biometric-based authentication technologies remain vulnerable to attackers using phishing attacks to break login credentials.

[0003] Therefore, how to perform secure authentication of user identities and ensure the security of internal network data when remotely accessing internal resources based on SSLVPN is one of the technical issues worth considering. Summary of the Invention

[0004] In view of this, this application provides an identity authentication method and apparatus for performing security authentication on the user's identity when the user remotely accesses internal resources based on SSLVPN, thereby ensuring the security of internal network data.

[0005] Specifically, this application is implemented through the following technical solution:

[0006] According to a first aspect of this application, an identity authentication method is provided, applied in a gateway device, the method comprising:

[0007] Receive a first authentication message sent by the user terminal, the first authentication message carrying the user's authentication information;

[0008] After the user is successfully authenticated based on the authentication information, an identity authentication instruction is sent to the user terminal. The identity authentication instruction is used to instruct the authentication server to obtain the user's user information, biometric information and the location information of the user's mobile terminal, and to authenticate the user based on the user information and the biometric information.

[0009] The authentication server obtains and records the user's first identity authentication result, which carries first location information. The first location information is the location information of the mobile terminal carried in the first identity authentication result after the authentication server has successfully authenticated the user.

[0010] The system receives a second authentication message sent by the user terminal. The second authentication message carries second location information, which is the location information of the user terminal and / or the location information of the mobile terminal. The location information of the mobile terminal in the second authentication message is obtained by the user terminal from the second identity authentication result obtained by the authentication server.

[0011] The user's identity is authenticated based on the first location information and the second location information.

[0012] According to a second aspect of this application, an identity authentication method is provided, applied in a user terminal, the method comprising:

[0013] Send a first authentication message to the gateway device, the first authentication message carrying the user's authentication information;

[0014] The system receives an authentication instruction sent by the gateway device after successfully authenticating the user based on the authentication information. The authentication instruction is used to instruct the authentication server to obtain the user's user information, biometric information, and the location information of the user's mobile terminal, and to authenticate the user based on the user information and the biometric information.

[0015] The user's identity authentication result is obtained from the authentication server, and the identity authentication result carries the location information of the mobile terminal;

[0016] A second authentication message is sent to the gateway device so that the gateway device can authenticate the user's identity based on the first location information and the second location information;

[0017] Wherein, the first location information is the location information of the mobile terminal, which is the identity authentication result sent to the gateway device after the authentication server authenticates the user; the second location information is the location information of the user terminal, and / or the location information of the mobile terminal.

[0018] According to a third aspect of this application, an identity authentication device is provided, disposed in a gateway device, the device comprising:

[0019] The receiving module is used to receive a first authentication message sent by a user terminal, wherein the first authentication message carries the user's authentication information;

[0020] The first authentication module is used to authenticate the user based on the authentication information;

[0021] The sending module is configured to send an identity authentication instruction to the user terminal after the first authentication module has successfully authenticated the user based on the authentication information. The identity authentication instruction is configured to instruct the authentication server to obtain the user's user information, biometric information and the location information of the user's mobile terminal, and to authenticate the user based on the user information and the biometric information.

[0022] The acquisition module is used to acquire and record the user's first identity authentication result from the authentication server. The first identity authentication result carries first location information, which is the location information of the mobile terminal carried in the first identity authentication result after the authentication server has authenticated the user.

[0023] The receiving module is further configured to receive a second authentication message sent by the user terminal, the second authentication message carrying second location information, the second location information being the location information of the user terminal, and / or the location information of the mobile terminal, wherein the location information of the mobile terminal in the second authentication message is obtained by the user terminal from the second identity authentication result obtained by the authentication server;

[0024] The second authentication module is used to authenticate the user's identity based on the first location information and the second location information.

[0025] According to a fourth aspect of this application, an identity authentication device is provided, disposed in a user terminal, the device comprising:

[0026] The sending module is used to send a first authentication message to the gateway device, wherein the first authentication message carries the user's authentication information.

[0027] The receiving module is configured to receive an identity authentication instruction sent by the gateway device after the user has been successfully authenticated based on the authentication information. The identity authentication instruction is configured to instruct the authentication server to obtain the user's user information, biometric information, and the location information of the user's mobile terminal, and to authenticate the user based on the user information and the biometric information.

[0028] The acquisition module is used to acquire the user's identity authentication result from the authentication server, wherein the identity authentication result carries the location information of the mobile terminal;

[0029] The sending module is further configured to send a second authentication message to the gateway device, so that the gateway device can authenticate the user's identity based on the first location information and the second location information;

[0030] Wherein, the first location information is the location information of the mobile terminal, which is the identity authentication result sent to the gateway device after the authentication server authenticates the user; the second location information is the location information of the user terminal, and / or the location information of the mobile terminal.

[0031] According to a fifth aspect of this application, an electronic device is provided, including a processor and a machine-readable storage medium storing a computer program executable by the processor, the processor being prompted by the computer program to perform the method provided in the first or second aspect of the embodiments of this application.

[0032] According to a sixth aspect of this application, a machine-readable storage medium is provided, which stores a computer program that, when invoked and executed by a processor, causes the processor to perform the method provided in the first or second aspect of the embodiments of this application.

[0033] The beneficial effects of the embodiments of this application are as follows:

[0034] In the identity authentication method and apparatus provided in this application embodiment, after receiving the first authentication message, the gateway device first performs preliminary authentication of the user's identity based on the user's authentication information in the first authentication message. After successful authentication, it sends an identity authentication instruction to the user terminal to perform secondary authentication of the user's identity, that is, it introduces an authentication server to authenticate the user's biometric information collected. While collecting the user's biometric information, the authentication server also collects the location information of the user's mobile terminal. Thus, after the authentication server verifies the user's biometrics, the gateway device can obtain the user's biometric authentication result, that is, after successful biometric authentication, it carries the location information of the mobile terminal (first location). The first authentication result (information) is obtained from the authentication server. On the other hand, in order to access intranet resources, the user terminal also obtains the user's biometric authentication result from the authentication server. That is, after the above biometric authentication is passed, the second authentication result carries the location information of the mobile terminal. In this way, the user terminal can initiate a second authentication message so that the gateway device can perform secondary authentication of the user's identity. The second authentication message carries the above-mentioned second location information. In this way, the gateway device can perform secondary authentication of the user's identity based on the first location information and the second location information, thereby realizing the security of user identity authentication, improving the accuracy of authentication results, and also improving the security of intranet data when the authenticated user accesses the intranet. Attached Figure Description

[0035] Figure 1 This is a flowchart illustrating an identity authentication method provided in an embodiment of this application;

[0036] Figure 2 This is a flowchart illustrating another message processing method provided in an embodiment of this application;

[0037] Figure 3 This is a schematic diagram of the structure of an identity authentication device provided in an embodiment of this application;

[0038] Figure 4 This is a schematic diagram of another identity authentication device provided in an embodiment of this application;

[0039] Figure 5 This is a schematic diagram of the hardware structure of an electronic device implementing an identity authentication method, provided in an embodiment of this application. Detailed Implementation

[0040] Exemplary embodiments will now be described in detail, examples of which are illustrated in the accompanying drawings. When the following description relates to the drawings, unless otherwise indicated, the same numbers in different drawings represent the same or similar elements. The embodiments described in the following exemplary embodiments do not represent all embodiments consistent with this application. Rather, they are merely examples of apparatuses and methods consistent with some aspects of this application.

[0041] The terminology used in this application is for the purpose of describing particular embodiments only and is not intended to be limiting of the application. The singular forms “a,” “the,” and “the” used herein are also intended to include the plural forms unless the context clearly indicates otherwise. It should also be understood that the term “and / or” as used herein refers to and includes any and all possible combinations of one or more of the corresponding listed items.

[0042] It should be understood that although the terms first, second, third, etc., may be used in this application to describe various information, such information should not be limited to these terms. These terms are only used to distinguish information of the same type from one another. For example, without departing from the scope of this application, first information may also be referred to as second information, and similarly, second information may also be referred to as first information. Depending on the context, the word "if" as used herein may be interpreted as "when," "when," or "in response to determination."

[0043] The authentication method provided in this application is described in detail below.

[0044] See Figure 1 , Figure 1This is a flowchart of an authentication method provided in this application. This method can be applied to a gateway device, and when implementing this method, the gateway device may include the following steps:

[0045] S101. Receive a first authentication message sent by the user terminal, wherein the first authentication message carries the user's authentication information.

[0046] In this step, when a user wishes to access the intranet, they must first authenticate with the gateway device. Only after successful authentication will the gateway device allow the user terminal to access service packets within the intranet. Therefore, to achieve user authentication, the user can send an authentication message to the gateway device through their terminal. To distinguish it from subsequent authentications, this authentication message is referred to as the first authentication message. Then, to enable the gateway device to authenticate the user, the user terminal can include the user's authentication information in the first authentication message.

[0047] Optionally, the authentication information may be, but is not limited to, the user's username and password, etc., and the username may be, but is not limited to, the user's account.

[0048] Furthermore, when user terminals interact with gateway devices, they can do so through an SSL VPN tunnel. Specifically, the user terminal can send the aforementioned first authentication message to the gateway device through this SSL VPN tunnel. Additionally, subsequent interactions between the user terminal and the gateway device can also be based on this SSL VPN tunnel.

[0049] S102. After the user is successfully authenticated based on the authentication information, an identity authentication instruction is sent to the user terminal.

[0050] The aforementioned identity authentication instruction is used to instruct the authentication server to obtain the user's user information, biometric information, and the location information of the user's mobile terminal, and to authenticate the user based on the user information and the biometric information.

[0051] In this step, after receiving the first authentication message, the gateway device can extract the authentication information from it and then match it with the user's locally recorded authentication information. If a match is found, it indicates that the user has been successfully authenticated. It is worth noting that the gateway device records the authentication information of users allowed to access the internal network.

[0052] Based on this, once the user's authentication is successful, it indicates that the user is a suspected secure user. To further enhance the security of the intranet, the gateway device needs to further authenticate the user's identity to improve intranet security. Therefore, this embodiment proposes generating an authentication instruction for the aforementioned user and then sending this authentication instruction to the user terminal. Thus, after the user terminal obtains the authentication instruction, since this instruction indicates the authentication data to be collected and the communication information of the authentication server used to authenticate the authentication data, the user can use their mobile terminal to establish a communication connection with the authentication server, enabling the authentication server to collect the authentication data for authenticating the user's identity.

[0053] The data to be authenticated may include, but is not limited to, user information and biometric information. It should be noted that the authentication server may enable its biometric recognition function to collect the user's biometric information. Therefore, to improve the accuracy of the authentication results, the data to be authenticated may also include the location information of the mobile terminal. That is, the user can enable their own location function based on the communication information of the authentication server carried in the authentication instruction, and then establish a communication connection with the authentication server using their mobile terminal (a terminal device other than the user terminal). The user can then upload the location information of the mobile terminal obtained by the location function to the authentication server, and the authentication server can then obtain the data to be authenticated.

[0054] It is worth noting that the aforementioned authentication instruction can carry the user's information, so that the authentication server can obtain the user's information based on the authentication instruction while collecting the user's biometric information.

[0055] Optionally, the aforementioned identity authentication indicator is an authentication QR code, which carries the access path to the authentication server.

[0056] Specifically, when the aforementioned authentication instruction is an authentication QR code, after receiving the authentication QR code, the user terminal can display it to the user in the form of a page on its display device. This page contains the authentication QR code. In this way, the user can use their mobile terminal to scan the authentication QR code. Since the authentication QR code carries the access path of the authentication server, after the mobile terminal scans the authentication QR code, it can establish a communication connection with the authentication server through the access path of the authentication server in the authentication QR code. Then, the authentication server can call its API interface for collecting biometric information, and then the authentication server can collect the user's biometric information through the API. At the same time, the authentication server also needs to obtain access permission to obtain the location information of the user's mobile terminal. When the user allows it, the mobile terminal can send its current location information to the authentication server so that the authentication server can perform subsequent verification processes.

[0057] It is worth noting that when the biometric information mentioned above is facial feature information, the authentication server will enable the facial capture API and then display a facial feature capture box through the user terminal. When the user matches the position of their face with the facial feature capture box, the authentication server can capture the user's facial feature information.

[0058] Furthermore, when verifying a user's identity, the authentication server's verification process is roughly as follows: It retrieves a pre-maintained list of user registration information locally. This list contains the registration information of trusted users, and each user's registration information may include, but is not limited to, their user profile and biometric information. Then, based on the user profile and biometric information retrieved this time, the authentication server checks the aforementioned list to see if there is any registration information matching that user's profile and biometric information. If it does, the user's identity verification is successful; otherwise, the user's identity verification fails.

[0059] It should be noted that the registration information of each trusted user in the above registration information list is pre-registered and maintained by the trusted user on the authentication server. Specifically, a user can initiate a registration request to the authentication server through their user terminal. This registration request can carry the user's user information. When the authentication server receives the registration request, it can activate the biometric identification API, which then collects the user's biometric information. Thus, the authentication server can obtain the correspondence between the user's user information and biometric information, and so on, ultimately forming the above registration information list. Optionally, before activating the API, the authentication server can obtain the user information of trusted users locally. After receiving a user's registration request, it first verifies the user's trustworthiness based on the user information in the registration request, and only after confirming the user's trustworthiness does it collect the user's biometric information.

[0060] S103. Obtain and record the user's first identity authentication result from the authentication server, wherein the first identity authentication result carries first location information.

[0061] Wherein, the first location information is the location information of the mobile terminal carried in the first identity authentication result after the authentication server has authenticated the user.

[0062] In this step, the gateway device can periodically retrieve the authentication results from the authentication server. Specifically, in one embodiment, the gateway device can collect users who have passed initial authentication within a set time period, form a user list, and then send the user list to the authentication server. Upon receiving the user list, the authentication server retrieves the authentication result corresponding to each user in the list and sends the obtained authentication results back to the gateway device as an authentication list. This authentication list includes the correspondence between each user and the authentication result. In another possible embodiment, the gateway device can send an authentication result retrieval request to the authentication server. Upon receiving this request, the authentication server can send the correspondence between the user information of users who have completed the authentication process and their authentication results to the gateway device. Specifically, the authentication server can also send back an authentication list to the gateway device. This authentication list can include the correspondence between the user information of the user who has completed the authentication process and the authentication result. Furthermore, when the gateway device sends an authentication result retrieval request, the authentication result retrieval request can also carry a set time period to instruct the authentication server to retrieve the authentication results within the set time period based on the time the retrieval request is received.

[0063] Based on this, the gateway device can obtain the identity authentication result from the received identity authentication list based on the user information of the initiating user in the first authentication message. In order to distinguish it from the subsequent identity authentication results, the identity authentication result of the user obtained from the authentication server is recorded as the aforementioned first identity authentication result.

[0064] Specifically, the authentication result can include authentication passed or authentication failed. When the authentication result is authentication passed, the authentication result can also carry the location information of the mobile terminal.

[0065] S104. Receive a second authentication message sent by the user terminal, wherein the second authentication message carries second location information.

[0066] Wherein, the second location information is the location information of the user terminal, and / or the location information of the mobile terminal, and the location information of the mobile terminal in the second authentication message is obtained by the user terminal from the second identity authentication result obtained by the authentication server.

[0067] Specifically, after receiving the aforementioned authentication instruction, the user terminal can also obtain the access path to the authentication server based on this instruction. Therefore, the user terminal can periodically obtain the authentication result of its user from the authentication server. Specifically, the user terminal can periodically, or at a set time after sending the first authentication message, initiate an authentication result retrieval request. This request can carry the user's information. Upon receiving the request, the authentication server can query the corresponding authentication result based on the user information in the request and then send it to the user terminal. Thus, the user terminal obtains the authentication result of its user, denoted as the second authentication result, which carries the mobile terminal's location information for subsequent secondary authentication. Based on this, the user terminal can send a second authentication message to the gateway device based on the obtained second authentication result, allowing the gateway device to perform secondary authentication of the user, thereby improving the accuracy of the authentication result and enhancing the security of the intranet.

[0068] It is worth noting that, in order to facilitate the gateway device's authentication of the user and enable the user to successfully access intranet resources, the user terminal may carry the aforementioned second location information in the second authentication message. This second location information may be the location information of the user terminal and / or the location information of the mobile terminal, so that the gateway device can authenticate the user more accurately.

[0069] It should be noted that this embodiment does not limit the execution order of steps S103 and S104, and they can be performed according to... Figure 3 The steps are executed in the order shown. Alternatively, step S104 can be executed first, followed by step S103. When step S104 is executed first, in addition to executing either of the two methods described above for obtaining authentication results from the authentication server, the gateway device can also implement the following process: After receiving the second authentication message, the gateway device can also carry the user's information. In this way, the gateway device can send the obtained user information to the authentication server, so that after receiving the user information, the authentication server can query the authentication result corresponding to the user information in its local record, i.e., the first authentication result mentioned above, and then return it to the gateway device.

[0070] S105. Authenticate the user's identity based on the first location information and the second location information.

[0071] In this step, since the user accesses the gateway device using a user terminal and then uses a mobile terminal for identity authentication, the user terminal and the mobile terminal are generally in the same location. Therefore, when the gateway device obtains the first location information and the second location information, since the first location information is the location information of the mobile terminal and the second location information is the location information of the user terminal or the mobile terminal, the gateway device can accurately authenticate the user's identity based on these two obtained location information, thereby ensuring the security of intranet data when the authenticated user accesses the intranet.

[0072] In the authentication method provided in this application, after receiving the first authentication message, the gateway device first performs preliminary authentication of the user's identity based on the user's authentication information in the first authentication message. After successful authentication, it sends an authentication instruction to the user terminal to perform secondary authentication of the user's identity, that is, it introduces an authentication server to authenticate the user's collected biometric information. While collecting the user's biometric information, the authentication server also collects the location information of the user's mobile terminal. Thus, after the authentication server verifies the user's biometrics, the gateway device can obtain the user's biometric authentication result, that is, it carries the location information of the mobile terminal (first location information) after successful biometric authentication. The first authentication result is obtained from the authentication server. On the other hand, in order to access intranet resources, the user terminal will also obtain the user's biometric authentication result from the authentication server. That is, after the above biometric authentication is passed, the second authentication result carries the location information of the mobile terminal. In this way, the user terminal can initiate a second authentication message so that the gateway device can perform secondary authentication of the user's identity. The second authentication message carries the above-mentioned second location information. In this way, the gateway device can perform secondary authentication of the user's identity based on the first location information and the second location information, thereby realizing the security of user identity authentication, improving the accuracy of authentication results, and also improving the security of intranet data when the authenticated user accesses the intranet.

[0073] Optionally, based on any of the above embodiments, in this embodiment, when the gateway device executes step S105, in one possible embodiment, when the second location information is the location information of the mobile terminal, if it is confirmed that the first location information is consistent with the second location information, then it is determined that the user's identity authentication is successful.

[0074] Specifically, when the second location information is the location information of the mobile terminal, the gateway device can directly compare the first location information with the second location information. When the comparison is consistent, the gateway device can determine that the user's identity has been successfully authenticated by combining the biometric authentication feature of the authentication server.

[0075] In another possible embodiment, when the second location information is the location information of the user terminal, if the location information of the user terminal is within the area pre-configured in the gateway device that allows the user to access resources, and it is confirmed that the second location information is consistent with the first location information, then it is determined that the user's identity authentication is successful.

[0076] Specifically, when the second location information only includes the location information of the user terminal, since the user terminal and the mobile terminal are generally in the same location when the user performs identity authentication, after the gateway device receives the second location information, if it confirms that the first location information is consistent with the second location information, it means that the location of the user terminal is the same as the location of the mobile terminal, and the user authentication can be confirmed to be successful. This also avoids the situation where other users impersonate the user to access the intranet.

[0077] Furthermore, the gateway device can also maintain locally the area to which the IP address used by each trusted user is allowed to access intranet data. Then, when the gateway device receives the second location information, it can determine whether the second location information is in the area corresponding to the user. If it is, then when the first location information is consistent with the second location information, the authentication of the above user is confirmed to be successful.

[0078] In another possible embodiment, when the second location information is the location information of the user terminal and the location information of the mobile terminal, if the location information of the user terminal is within the area pre-configured in the gateway device that allows the user to access resources, and it is determined that the location information of the user terminal, the location information of the mobile terminal, and the first location information are all consistent, then it is determined that the user's identity authentication is successful.

[0079] Specifically, when the second location information includes both the location information of the mobile terminal and the location information of the user terminal, since the user terminal and the mobile terminal are generally in the same location when the user performs identity authentication, if the gateway device confirms that the first location information is consistent with the location information of the user terminal and the location information of the mobile terminal after receiving the second location information, it indicates that the location of the user terminal is the same as the location of the mobile terminal, and the user authentication can be confirmed to be successful. This also prevents other users from impersonating the user to access the intranet.

[0080] Furthermore, the gateway device can also maintain locally the area to which the IP address used by each trusted user is allowed to access intranet data. Then, when the gateway device receives the second location information, it can determine whether the location information of the user terminal in the second location information is within the area corresponding to the user. If it is, then when the first location information and the second location information are consistent, the authentication of the above user is confirmed to be successful.

[0081] Optionally, based on any of the above embodiments, in this embodiment, the first identity authentication result also carries an identity identification identifier; the second authentication message also carries an identity identification identifier, which is assigned by the authentication server after the user is successfully authenticated; on this basis, step S105 can be executed according to the following process: if it is confirmed that the first location information is consistent with the second location information, and it is confirmed that the identity identification identifier carried by the first identity authentication result is consistent with the identity identification identifier carried by the second authentication message, then it is determined that the user's identity authentication is successful.

[0082] Specifically, to further improve the accuracy of identity authentication results, this embodiment also proposes that after the authentication server verifies the biometric information of each user, it can assign an identity identifier to that user, with different identity identifiers assigned to different users. Thus, when the authentication server sends the first identity authentication result to the gateway device after authenticating a user, the first identity authentication result can also carry the identity identifier assigned to that user. Similarly, when the authentication server sends the second identity authentication result to the user terminal after authenticating a user, the second identity authentication result can also carry the identity identifier assigned to that user. Furthermore, when the user sends a second authentication message through the user terminal, the received identity identifier can be included in the authentication message. This allows the gateway device, upon receiving the second authentication message, to not only identify the location information but also determine whether the identity identifier carried in the first identity authentication result matches the identity identifier carried in the second authentication message. If they match, and the first location information matches the second location information, then the user's identity authentication is confirmed to be successful. If the first location information is inconsistent with the second location information, and / or the identity identifier carried by the first authentication result is inconsistent with the identity identifier carried by the second authentication message, then the user's identity authentication is determined to be unsuccessful, and the user is denied access to intranet data through the gateway device.

[0083] Optionally, this embodiment proposes that when the second location information is the location information of the mobile terminal, the second authentication message is sent by the user terminal when it confirms that the location information of the mobile terminal is consistent with the location information of the user terminal.

[0084] Specifically, to improve authentication speed, the user terminal can first identify its location information after receiving the second authentication result. That is, if the user terminal's location information matches the mobile terminal's location information in the second authentication result, it can be determined that the user terminal and the mobile terminal are in the same location. Based on this, the user terminal can include the mobile terminal's location information when sending the second authentication message. In this way, the gateway device only needs to determine whether the first and second location information match to authenticate the user's identity, thereby improving the efficiency of user authentication on the gateway device side.

[0085] Optionally, based on any of the above embodiments, in this embodiment, the step of recording the user's first identity authentication result in step S103 can be performed according to the following process: determining whether the first location information is within the user's permitted location range; if it is, then recording the user's first identity authentication result; if not, then discarding the first identity authentication result.

[0086] Specifically, the gateway device can pre-maintain the permitted location ranges for each trusted user's access to intranet data and the locations of mobile terminals allowed during authentication. For example, the gateway device can maintain a location access list, which records the correspondence between user information of each trusted user and the corresponding permitted location range. Thus, when the gateway device obtains the first authentication result from the authentication server, it can extract user information and first location information (i.e., the location information of the mobile terminal) from the first authentication result. Then, based on this user information and first location information, it queries the aforementioned location access list. If the location access list is matched, it confirms that the mobile terminal was within the user's permitted location range when the user performed authentication using the mobile user account, and the gateway device can record the first authentication result. If the match is not found, the authentication result can be discarded. After discarding the first authentication result, when the user terminal initiates a second authentication message, if the gateway device finds that the user's first authentication result is not recorded locally, it can directly determine that the user's authentication has failed. This saves the gateway device's storage space and improves the accuracy of the authentication results.

[0087] Optionally, based on any of the above embodiments, in this embodiment, the user information of the user may be, but is not limited to, the user's user account, etc., and different users have different user accounts.

[0088] It is worth noting that the location information of the aforementioned user terminal and mobile terminal may be, but is not limited to, address information obtained from GPS positioning.

[0089] Based on the same inventive concept, this application also provides an identity authentication method provided on the user terminal side, see reference. Figure 2 The diagram shown illustrates another authentication method provided by this application, applied to a user's terminal, which may be, but is not limited to, a PC, laptop, Mac, etc. When implementing the method, the user terminal may include the following steps:

[0090] S201. Send a first authentication message to the gateway device, the first authentication message carrying the user's authentication information.

[0091] In this step, when a user wishes to access the intranet, they must first authenticate with the gateway device. Only after successful authentication will the gateway device allow the user terminal to access service packets within the intranet. Therefore, to achieve user authentication, the user can send the aforementioned first authentication message to the gateway device through their terminal, carrying the user's authentication information in the first authentication message so that the gateway device can authenticate the user.

[0092] S202. Receive the authentication instruction sent by the gateway device after the user has been successfully authenticated based on the authentication information.

[0093] The aforementioned identity authentication instruction is used to instruct the authentication server to obtain the user's user information, biometric information, and the location information of the user's mobile terminal, and to authenticate the user based on the user information and the biometric information.

[0094] In this step, once the user is successfully authenticated, it indicates that the user is a suspected secure user. To further enhance the security of the intranet, the gateway device needs to further authenticate the user's identity to improve intranet security. Therefore, this embodiment proposes generating an authentication instruction for the aforementioned user and then sending this authentication instruction to the user terminal. Thus, after the user terminal obtains the authentication instruction, since the authentication instruction indicates the data to be collected for authentication and the communication information of the authentication server used to authenticate the data, the user can use their mobile terminal to establish a communication connection with the authentication server, enabling the authentication server to collect the data to be authenticated for the user's identity authentication.

[0095] The data to be authenticated may include, but is not limited to, user information and biometric information. It should be noted that the authentication server may enable its biometric recognition function to collect the user's biometric information. Therefore, to improve the accuracy of the authentication results, the data to be authenticated may also include the location information of the mobile terminal. That is, the user can enable their own location function based on the communication information of the authentication server carried in the authentication instruction, and then establish a communication connection with the authentication server using their mobile terminal (a terminal device other than the user terminal). The user can then upload the location information of the mobile terminal obtained by the location function to the authentication server, and the authentication server can then obtain the data to be authenticated.

[0096] Optionally, when the authentication indication is an authentication QR code, the authentication QR code carries the access path of the authentication server. When the authentication indication is an authentication QR code, after receiving the authentication QR code, the user terminal can display it to the user in the form of a page on its display device. This page contains the authentication QR code. In this way, the user can use their mobile terminal to scan the authentication QR code. Since the authentication QR code carries the access path of the authentication server, after the mobile terminal scans the authentication QR code, it can establish a communication connection with the authentication server through the access path of the authentication server in the authentication QR code. Then, the authentication server can call its API interface for collecting biometric information, and then the authentication server can collect the user's biometric information through the API. At the same time, the authentication server also needs to obtain access permission to obtain the location information of the user's mobile terminal. When the user allows it, the mobile terminal can send its current location information to the authentication server so that the authentication server can perform subsequent verification processes.

[0097] It is worth noting that when the biometric information mentioned above is facial feature information, the authentication server will enable the facial capture API and then display a facial feature capture box through the user terminal. When the user matches the position of their face with the facial feature capture box, the authentication server can capture the user's facial feature information.

[0098] Furthermore, when verifying a user's identity, the authentication server's verification process is roughly as follows: It retrieves a pre-maintained list of user registration information locally. This list contains the registration information of trusted users, and each user's registration information may include, but is not limited to, their user profile and biometric information. Then, based on the user profile and biometric information retrieved this time, the authentication server checks the aforementioned list to see if there is any registration information matching that user's profile and biometric information. If it does, the user's identity verification is successful; otherwise, the user's identity verification fails.

[0099] Furthermore, the authentication server can also return the authentication result to the mobile terminal. If the authentication result is a failure, the user can scan the authentication QR code again through the mobile terminal after being notified of the failure to continue the biometric authentication process.

[0100] It should be noted that the registration information of each trusted user in the above registration information list is pre-registered and maintained by the trusted user on the authentication server. Specifically, a user can initiate a registration request to the authentication server through their user terminal. This registration request can carry the user's user information. When the authentication server receives the registration request, it can activate the biometric identification API, which then collects the user's biometric information. Thus, the authentication server can obtain the correspondence between the user's user information and biometric information, and so on, ultimately forming the above registration information list. Optionally, before activating the API, the authentication server can obtain the user information of trusted users locally. After receiving a user's registration request, it first verifies the user's trustworthiness based on the user information in the registration request, and only after confirming the user's trustworthiness does it collect the user's biometric information.

[0101] S203. Obtain the user's identity authentication result from the authentication server, wherein the identity authentication result carries the location information of the mobile terminal.

[0102] In this step, after the user terminal receives the aforementioned authentication instruction, it can also obtain the access path to the authentication server based on this instruction. Therefore, the user terminal can periodically obtain the authentication result of its user from the authentication server. Specifically, the user terminal can periodically, or at a set time after sending the first authentication message, initiate an authentication result retrieval request. This retrieval request can carry the user's information. Upon receiving this request, the authentication server can query the corresponding authentication result based on the user information in the request and then send it to the user terminal. Thus, the user terminal obtains the authentication result of its user, which also carries the mobile terminal's location information for subsequent secondary authentication. Based on this, the user terminal can send a second authentication message to the gateway device based on the obtained authentication result, allowing the gateway device to perform secondary authentication of the user, thereby improving the accuracy of the authentication result and enhancing the security of the intranet.

[0103] Furthermore, when the aforementioned identity authentication indication is an authentication QR code, since the authentication QR code carries the access path of the authentication server, the user terminal can obtain the user's identity authentication result from the authentication server according to the access path of the authentication server.

[0104] S204. Send a second authentication message to the gateway device so that the gateway device can authenticate the user's identity based on the first location information and the second location information.

[0105] Wherein, the first location information is the location information of the mobile terminal, which is carried in the identity authentication result sent to the gateway device after the authentication server authenticates the user; the second location information is the location information of the user terminal, and / or the location information of the mobile terminal.

[0106] It is worth noting that, in order to facilitate the gateway device's authentication of the user and enable the user to successfully access intranet resources, the user terminal may carry the aforementioned second location information in the second authentication message. This second location information may be the location information of the user terminal and / or the location information of the mobile terminal, so that the gateway device can authenticate the user more accurately.

[0107] By providing the above-mentioned identity authentication method, the gateway device can perform secondary authentication of the user's identity, thereby ensuring the security of user identity authentication, improving the accuracy of authentication results, and also improving the security of intranet data when authenticated users access the intranet.

[0108] Optionally, based on any of the above embodiments, in this embodiment, step S204 can be performed according to the following process: obtaining the location information of the user terminal; if the location information of the user terminal is consistent with the obtained location information of the mobile terminal, then sending a second authentication message to the gateway device, wherein the second authentication message only carries the location information of the mobile terminal.

[0109] Specifically, to improve authentication speed, the user terminal can first identify its location information after receiving the second authentication result. That is, if the user terminal's location information matches the mobile terminal's location information in the second authentication result, it can be determined that the user terminal and the mobile terminal are in the same location. Based on this, the user terminal can include the mobile terminal's location information when sending the second authentication message. In this way, the gateway device only needs to determine whether the first and second location information match to authenticate the user's identity, thereby improving the efficiency of user authentication on the gateway device side.

[0110] Optionally, based on any of the above embodiments, in this embodiment, the second authentication message may also carry an identity identification identifier, which is assigned by the authentication server after the user has been successfully authenticated; thereby, the gateway device achieves more accurate authentication of the user's identity.

[0111] It is worth noting that the location information of the aforementioned user terminal and mobile terminal may be, but is not limited to, address information obtained from GPS positioning.

[0112] To better understand this embodiment, we will use an example of a user accessing an SSLVPN-based gateway device B using terminal device A:

[0113] Step 1: After the user enters their username and password on the SSLVPN login interface on terminal device A, the first authentication is triggered. Gateway device B first verifies the username and password. After successful verification, it generates an authentication QR code based on the user's input information and returns it to terminal device A. Terminal device A is then asked to scan the QR code using mobile terminal C. After terminal device C scans the authentication QR code, it establishes a communication connection with the authentication server. The authentication server then pops up a biometric feature collection window, allowing it to collect biometric features.

[0114] Step 2: After the user scans the above authentication QR code using mobile terminal C, the authentication server also needs to obtain the location information of mobile terminal C in order to obtain the location information of C while it is moving.

[0115] Step 3: The authentication server can then authenticate the user's biometrics based on the acquired biometric information. Upon successful authentication, a unique identification identifier is assigned to the user. After authentication, the authentication server can also return the biometric authentication result to the mobile terminal C. If authentication fails, the user can scan the authentication QR code again using the mobile terminal C to continue the biometric authentication process.

[0116] Step 4: Gateway device B periodically obtains the user's first authentication result from the authentication server, and terminal device A also periodically obtains the user's second authentication result from the authentication server. When the authentication server successfully authenticates the user, the aforementioned first authentication result may carry the location information of mobile terminal C (first location information), user information, and identity identification identifier; the second authentication result may also carry the location information of mobile terminal C, user information, and identity identification identifier.

[0117] Step 5: After receiving the second authentication result, terminal device A can extract the location information and identity identifier of mobile terminal C from the second authentication result; based on this, terminal device A can send a second authentication message to gateway device B, which carries the second location information and identity identifier.

[0118] Step 6: After receiving the second authentication message, gateway device B can perform secondary authentication of the user's identity based on the identity identifier in the second authentication message and the identity identifier in the first identity authentication result, as well as the first location information and the second location information, in order to improve the accuracy of the authentication result and enhance the security of intranet data.

[0119] Therefore, this application uses biometric identification technology to authenticate users and obtain their geographical information. By strictly ensuring the consistency between the user's geographical information and the geographical coordinates of the login source configured on the SSLVPN gateway device, and by supporting the restriction of login geographical information sources on the SSLVPN gateway device, the security of users accessing the intranet via SSLVPN can be greatly improved, and the leakage of intranet resources due to account theft can be basically completely prevented.

[0120] It is worth noting that the aforementioned authentication servers may be, but are not limited to, servers provided by trusted third-party service providers.

[0121] Based on the same inventive concept, this application also provides an identity authentication device corresponding to the identity authentication method provided by the aforementioned gateway device. Specific implementation details of this identity authentication device can be found in the description of the identity authentication method provided by the aforementioned gateway device, and will not be elaborated upon here.

[0122] See Figure 3 , Figure 3This application provides an exemplary embodiment of an identity authentication device, which is installed in a gateway device. The device includes:

[0123] The receiving module 301 is used to receive a first authentication message sent by a user terminal, wherein the first authentication message carries the user's authentication information;

[0124] The first authentication module 302 is used to authenticate the user based on the authentication information;

[0125] The sending module 303 is used to send an identity authentication instruction to the user terminal after the first authentication module 302 has successfully authenticated the user based on the authentication information. The identity authentication instruction is used to instruct the authentication server to obtain the user's user information, biometric information and the location information of the user's mobile terminal, and to authenticate the user based on the user information and the biometric information.

[0126] The acquisition module 304 is used to acquire and record the first identity authentication result of the user from the authentication server. The first identity authentication result carries first location information, which is the location information of the mobile terminal carried in the first identity authentication result after the authentication server authenticates the user.

[0127] The receiving module 301 is further configured to receive a second authentication message sent by the user terminal, the second authentication message carrying second location information, the second location information being the location information of the user terminal and / or the location information of the mobile terminal, wherein the location information of the mobile terminal in the second authentication message is obtained by the user terminal from the second identity authentication result obtained by the authentication server;

[0128] The second authentication module 305 is used to authenticate the user's identity based on the first location information and the second location information.

[0129] Optionally, based on the above embodiments, in this embodiment, the first identity authentication result also carries an identity identification identifier; the second authentication message also carries an identity identification identifier, which is assigned by the authentication server after the user is successfully authenticated; then the second authentication module 305 is specifically used to determine that the user's identity authentication is successful if it is confirmed that the first location information is consistent with the second location information, and that the identity identification identifier carried by the first identity authentication result is consistent with the identity identification identifier carried by the second authentication message.

[0130] Optionally, based on any of the above embodiments, in this embodiment, when the second location information is the location information of the mobile terminal, the second authentication message is sent by the user terminal when it confirms that the location information of the mobile terminal is consistent with the location information of the user terminal.

[0131] Optionally, based on any of the above embodiments, in this embodiment, the acquisition module 304 is specifically used to determine whether the first location information is within the user's permitted location range; if it is, then the user's first identity authentication result is recorded; if not, then the first identity authentication result is discarded.

[0132] Optionally, based on any of the above embodiments, in this embodiment, the second authentication module 305 is specifically used to determine that the user's identity authentication is successful if the first location information is consistent with the second location information when the second location information is the location information of the mobile terminal; or,

[0133] When the second location information is the location information of the user terminal, if the location information of the user terminal is within the area pre-configured in the gateway device that allows the user to access resources, and it is confirmed that the second location information is consistent with the first location information, then it is determined that the user's identity authentication is successful; or,

[0134] When the second location information is the location information of the user terminal and the location information of the mobile terminal, if the location information of the user terminal is within the area pre-configured in the gateway device that allows the user to access resources, and it is determined that the location information of the user terminal, the location information of the mobile terminal and the first location information are all consistent, then it is determined that the user's identity authentication is successful.

[0135] Based on the same inventive concept, this application also provides an identity authentication device corresponding to the identity authentication method provided on the user terminal side. Specific implementation details of this identity authentication device can be found in the description of the identity authentication method on the user terminal described above, and will not be elaborated upon here.

[0136] See Figure 4 , Figure 4 This application provides an exemplary embodiment of an identity authentication device, which is installed in a user terminal. The device includes:

[0137] Sending module 401 is used to send a first authentication message to the gateway device, the first authentication message carrying the user's authentication information;

[0138] The receiving module 402 is configured to receive an identity authentication instruction sent by the gateway device after the user has been successfully authenticated based on the authentication information. The identity authentication instruction is configured to instruct the authentication server to obtain the user's user information, biometric information and the location information of the user's mobile terminal, and to authenticate the user based on the user information and the biometric information.

[0139] The acquisition module 403 is used to acquire the user's identity authentication result from the authentication server, wherein the identity authentication result carries the location information of the mobile terminal;

[0140] The sending module 401 is further configured to send a second authentication message to the gateway device, so that the gateway device can authenticate the user's identity based on the first location information and the second location information;

[0141] Wherein, the first location information is the location information of the mobile terminal, which is the identity authentication result sent to the gateway device after the authentication server authenticates the user; the second location information is the location information of the user terminal, and / or the location information of the mobile terminal.

[0142] Optionally, based on the above embodiments, in this embodiment, the sending module 401 is specifically used to obtain the location information of the user terminal; if the location information of the user terminal is consistent with the obtained location information of the mobile terminal, then a second authentication message is sent to the gateway device, the second authentication message carrying only the location information of the mobile terminal.

[0143] Optionally, based on any of the above embodiments, in this embodiment, the above identity authentication indication is an authentication QR code, and the authentication QR code carries the access path of the authentication server; then, the above acquisition module 403 is specifically used to obtain the user's identity authentication result from the authentication server according to the access path of the authentication server.

[0144] Based on the same inventive concept, embodiments of this application provide an electronic device, which may be, but is not limited to, the aforementioned gateway device, user terminal, or authentication server. For example... Figure 5 As shown, the electronic device includes a processor 501 and a machine-readable storage medium 502. The machine-readable storage medium 502 stores a computer program executable by the processor 501. The processor 501 is prompted by the computer program to execute the authentication method provided in any embodiment of this application. Furthermore, the electronic device also includes a communication interface 503 and a communication bus 504, wherein the processor 501, the communication interface 503, and the machine-readable storage medium 502 communicate with each other via the communication bus 504.

[0145] The communication bus mentioned in the above electronic devices can be a Peripheral Component Interconnect (PCI) bus or an Extended Industry Standard Architecture (EISA) bus, etc. This communication bus can be divided into address bus, data bus, control bus, etc. For ease of illustration, only one thick line is used to represent it in the diagram, but this does not mean that there is only one bus or one type of bus.

[0146] The communication interface is used for communication between the aforementioned electronic devices and other devices.

[0147] The machine-readable storage medium 502 described above can be a memory, which may include random access memory (RAM), DDR SRAM (Double Data Rate Synchronous Dynamic Random Access Memory), or non-volatile memory (NVM), such as at least one disk storage device. Optionally, the memory may also be at least one storage device located remotely from the aforementioned processor.

[0148] The processors mentioned above can be general-purpose processors, including central processing units (CPUs), network processors (NPs), etc.; they can also be digital signal processors (DSPs), application-specific integrated circuits (ASICs), field-programmable gate arrays (FPGAs), or other programmable logic devices, discrete gate or transistor logic devices, or discrete hardware components.

[0149] For embodiments of electronic devices and machine-readable storage media, since the methods involved are basically similar to those described in the foregoing method embodiments, the description is relatively simple, and relevant details can be found in the descriptions of the method embodiments.

[0150] It should be noted that, in this document, relational terms such as "first" and "second" are used only to distinguish one entity or operation from another, and do not necessarily require or imply any such actual relationship or order between these entities or operations. Furthermore, the terms "comprising," "including," or any other variations thereof are intended to cover non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements includes not only those elements but also other elements not expressly listed, or elements inherent to such a process, method, article, or apparatus. Without further limitations, an element defined by the phrase "comprising one..." does not exclude the presence of other identical elements in the process, method, article, or apparatus that includes said element.

[0151] The specific implementation process of the functions and roles of each unit / module in the above device can be found in the implementation process of the corresponding steps in the above method, and will not be repeated here.

[0152] For the device embodiments, since they basically correspond to the method embodiments, the relevant parts can be referred to in the description of the method embodiments. The device embodiments described above are merely illustrative. The units / modules described as separate components may or may not be physically separate. The components shown as units / modules may or may not be physical units / modules, that is, they may be located in one place or distributed across multiple network units / modules. Some or all of the units / modules can be selected to achieve the purpose of this application according to actual needs. Those skilled in the art can understand and implement this without creative effort.

[0153] The above description is merely a preferred embodiment of this application and is not intended to limit this application. Any modifications, equivalent substitutions, improvements, etc., made within the spirit and principles of this application should be included within the scope of protection of this application.

Claims

1. An identity authentication method, characterized in that, The method, applied in a gateway device, includes: Receive a first authentication message sent by the user terminal, the first authentication message carrying the user's authentication information; After the user is successfully authenticated based on the authentication information, an identity authentication instruction is sent to the user terminal. The identity authentication instruction is used to instruct the authentication server to obtain the user's user information, biometric information and the location information of the user's mobile terminal, and to authenticate the user based on the user information and the biometric information. The authentication server obtains and records the user's first identity authentication result, which carries first location information. The first location information is the location information of the mobile terminal carried in the first identity authentication result after the authentication server has successfully authenticated the user. The system receives a second authentication message sent by the user terminal. The second authentication message carries second location information, which is the location information of the user terminal and / or the location information of the mobile terminal. The location information of the mobile terminal in the second authentication message is obtained by the user terminal from the second identity authentication result obtained by the authentication server. The user's identity is authenticated based on the first location information and the second location information.

2. The method according to claim 1, characterized in that, The first authentication result also carries an identity identifier; the second authentication message also carries an identity identifier, which is assigned by the authentication server after the user has been successfully authenticated; The user's identity is authenticated based on the first location information and the second location information, including: If it is confirmed that the first location information is consistent with the second location information, and that the identity identification identifier carried by the first identity authentication result is consistent with the identity identification identifier carried by the second authentication message, then it is determined that the user's identity authentication is successful.

3. The method according to claim 1, characterized in that, When the second location information is the location information of the mobile terminal, the second authentication message is sent by the user terminal when it confirms that the location information of the mobile terminal is consistent with the location information of the user terminal.

4. The method according to claim 1, characterized in that, Record the user's first authentication result, including: Determine whether the first location information is within the user's permitted location range; If present, then record the user's first identity authentication result; If not, discard the first authentication result.

5. The method according to claim 1, characterized in that, The user's identity is authenticated based on the first location information and the second location information, including: When the second location information is the location information of the mobile terminal, then if it is confirmed that the first location information is consistent with the second location information, then the user's identity authentication is deemed successful; or, When the second location information is the location information of the user terminal, if the location information of the user terminal is within the area pre-configured in the gateway device that allows the user to access resources, and it is confirmed that the second location information is consistent with the first location information, then it is determined that the user's identity authentication is successful; or, When the second location information is the location information of the user terminal and the location information of the mobile terminal, if the location information of the user terminal is within the area pre-configured in the gateway device that allows the user to access resources, and it is determined that the location information of the user terminal, the location information of the mobile terminal and the first location information are all consistent, then it is determined that the user's identity authentication is successful.

6. An identity authentication method, characterized in that, The method, applied in a user terminal, includes: Send a first authentication message to the gateway device, the first authentication message carrying the user's authentication information; The system receives an authentication instruction sent by the gateway device after successfully authenticating the user based on the authentication information. The authentication instruction is used to instruct the authentication server to obtain the user's user information, biometric information, and the location information of the user's mobile terminal, and to authenticate the user based on the user information and the biometric information. The user's second identity authentication result is obtained from the authentication server, and the second identity authentication result carries the location information of the mobile terminal; Send a second authentication message to the gateway device so that the gateway device can authenticate the user's identity based on the first location information and the second location information; Wherein, the first location information is the location information of the mobile terminal, which is carried in the first identity authentication result sent to the gateway device after the authentication server authenticates the user; the second location information is the location information of the user terminal, and / or the location information of the mobile terminal.

7. The method according to claim 6, characterized in that, Sending a second authentication message to the gateway device, including: Obtain the location information of the user terminal; If the location information of the user terminal is consistent with the location information of the mobile terminal, a second authentication message is sent to the gateway device. The second authentication message only carries the location information of the mobile terminal.

8. The method according to claim 6, characterized in that, The identity authentication indicator is an authentication QR code, which carries the access path to the authentication server; Obtaining the user's second identity authentication result from the authentication server includes: Based on the access path of the authentication server, obtain the user's second identity authentication result from the authentication server.

9. An identity authentication device, characterized in that, The device, configured in a gateway device, includes: The receiving module is used to receive a first authentication message sent by a user terminal, wherein the first authentication message carries the user's authentication information; The first authentication module is used to authenticate the user based on the authentication information; The sending module is configured to send an identity authentication instruction to the user terminal after the first authentication module has successfully authenticated the user based on the authentication information. The identity authentication instruction is configured to instruct the authentication server to obtain the user's user information, biometric information and the location information of the user's mobile terminal, and to authenticate the user based on the user information and the biometric information. The acquisition module is used to acquire and record the user's first identity authentication result from the authentication server. The first identity authentication result carries first location information, which is the location information of the mobile terminal carried in the first identity authentication result after the authentication server has authenticated the user. The receiving module is further configured to receive a second authentication message sent by the user terminal, the second authentication message carrying second location information, the second location information being the location information of the user terminal, and / or the location information of the mobile terminal, wherein the location information of the mobile terminal in the second authentication message is obtained by the user terminal from the second identity authentication result obtained by the authentication server; The second authentication module is used to authenticate the user's identity based on the first location information and the second location information.

10. An identity authentication device, characterized in that, The device, installed in a user terminal, includes: The sending module is used to send a first authentication message to the gateway device, wherein the first authentication message carries the user's authentication information; The receiving module is configured to receive an identity authentication instruction sent by the gateway device after the user has been successfully authenticated based on the authentication information. The identity authentication instruction is configured to instruct the authentication server to obtain the user's user information, biometric information, and the location information of the user's mobile terminal, and to authenticate the user based on the user information and the biometric information. The acquisition module is used to acquire the user's second identity authentication result from the authentication server, wherein the second identity authentication result carries the location information of the mobile terminal; The sending module is further configured to send a second authentication message to the gateway device, so that the gateway device can authenticate the user's identity based on the first location information and the second location information; Wherein, the first location information is the location information of the mobile terminal, which is carried in the first identity authentication result sent to the gateway device after the authentication server authenticates the user; the second location information is the location information of the user terminal, and / or the location information of the mobile terminal.