Method, apparatus, device and storage medium for application security access
By obtaining the device fingerprint in the browser and combining it with authentication information for security verification, the problem of users being able to log in to the application on a specified device is solved, improving the security of application access and preventing information leakage.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Applications(China)
- Current Assignee / Owner
- BEIJING HONGTENG INTELLIGENT TECH CO LTD
- Filing Date
- 2024-12-06
- Publication Date
- 2026-06-09
AI Technical Summary
Existing authentication methods cannot ensure that users can only log in to the application system on designated devices, leading to information leakage due to user accounts logging in across devices.
By obtaining the device fingerprint in the browser and combining it with authentication information for security verification, it ensures that users can only access the application on designated secure devices.
It effectively improves application access security and prevents unauthorized access and information leakage.
Smart Images

Figure CN122174218A_ABST
Abstract
Description
Technical Field
[0001] This application relates to the field of security verification technology, and in particular to application secure access methods, apparatus, devices and storage media. Background Technology
[0002] With the development of the internet, more and more application systems rely on browsers for access and operation. In this context, ensuring the authenticity of visitors' identities and the security of their operations has become particularly important. Traditional authentication methods mainly rely on usernames and passwords, but this method is vulnerable to security threats such as phishing attacks and password guessing. Even with SMS or email verification codes, it cannot be guaranteed that users will only log in to application systems on designated devices, leading to information leaks due to cross-device logins.
[0003] Therefore, ensuring that users can only access applications on designated secure devices and improving application access security is a problem that urgently needs to be solved.
[0004] The above content is only used to help understand the technical solution of this application and does not represent an admission that the above content is prior art. Summary of the Invention
[0005] The main purpose of this application is to provide an application security access method, apparatus, device and storage medium, which aims to solve the technical problem that the inability to ensure that users log in to the application system only on designated devices leads to information leakage of user accounts when logging in across devices.
[0006] To achieve the above objectives, this application proposes an application-secure access method, the method comprising:
[0007] In response to an application access request entered in the browser, the user's authentication information is determined based on the application access request;
[0008] Obtain a device fingerprint, wherein the device fingerprint is generated by the browser based on the user's device information;
[0009] A security verification is performed based on the authentication information and the device fingerprint to obtain the security verification result.
[0010] Application access control is performed based on the security verification results.
[0011] In one embodiment, prior to acquiring the device fingerprint, the method further includes:
[0012] Obtain user device information;
[0013] The device information is preprocessed to obtain preprocessed device information;
[0014] The browser generates a device fingerprint based on the preprocessed device information.
[0015] In one embodiment, generating a device fingerprint based on the preprocessed device information includes:
[0016] A target hash value is generated based on the preprocessed device information using a first hash algorithm;
[0017] The target hash value is hashed using a second hash algorithm to generate a device fingerprint.
[0018] In one embodiment, generating a target hash value based on the preprocessed device information using a first hash algorithm includes:
[0019] The device features in the preprocessed device information are hashed using the first hash algorithm to obtain hash values corresponding to multiple device features.
[0020] The hash values corresponding to the multiple device features are concatenated to generate the target hash value.
[0021] In one embodiment, generating the target hash value using the first hash algorithm based on the preprocessed device information further includes:
[0022] Random weights are assigned to the device features in the preprocessed device information to obtain the weight values of each device feature;
[0023] The preprocessed device information is hashed using a first hash algorithm based on the weight values of each device feature to generate a target hash value.
[0024] In one embodiment, after the browser generates the device fingerprint based on the preprocessed device information, the method further includes:
[0025] In response to the input binding request, retrieve the user's bound username;
[0026] The user name and device fingerprint are sent to the authentication center for binding, and the binding information is received from the authentication center.
[0027] In one embodiment, the preprocessing of the device information to obtain preprocessed device information includes:
[0028] The device information is standardized to obtain device information in a unified format;
[0029] Noise information is identified and removed from the unified format device information to obtain denoised device information;
[0030] The denoised device information is merged to obtain preprocessed device information.
[0031] In one embodiment, the step of performing security verification based on the authentication information and the device fingerprint to obtain a security verification result includes:
[0032] The current username is determined based on the authentication information;
[0033] Obtain the binding information between the current username and the device fingerprint;
[0034] A security verification is performed based on the binding information to obtain the security verification result.
[0035] In one embodiment, the step of performing security verification based on the binding information to obtain a security verification result includes:
[0036] Determine whether a binding relationship exists between the current username and the device fingerprint based on the binding information;
[0037] When there is a binding relationship between the current username and the device fingerprint, the security verification result is determined to be that the current device is a secure device;
[0038] If there is no binding relationship between the current username and the device fingerprint, the security verification result is determined to be that the current device is an insecure device.
[0039] In one embodiment, the step of performing application access control based on the security verification result includes:
[0040] When the security verification result indicates that the current device is a secure device, user authentication is performed based on the authentication information to obtain user identity information;
[0041] When the user's identity information indicates that the user is an authorized user, the user is allowed to access the application.
[0042] In one embodiment, the step of authenticating the user based on the authentication information to obtain user identity information includes:
[0043] The current username, current password, and current verification code are determined based on the authentication information.
[0044] Query the account corresponding to the current username, and obtain the preset password of the account and the dynamic verification code sent to the terminal bound to the account;
[0045] When the current password matches the preset password and the current verification code matches the dynamic verification code, the user's identity information is determined to be that of an authorized user.
[0046] In one embodiment, the step of performing application access control based on the security verification result further includes:
[0047] If the security verification result indicates that the current device is an insecure device, the user is denied access to the application, and a corresponding prompt message is returned.
[0048] Furthermore, to achieve the above objectives, this application also proposes an application security access device, which includes:
[0049] The determination module is used to determine the user's authentication information based on the application access request entered in the browser in response to the application access request.
[0050] An acquisition module is used to acquire a device fingerprint, wherein the device fingerprint is generated by the browser based on the user's device information;
[0051] The verification module is used to perform security verification based on the authentication information and device fingerprint, and obtain the security verification result;
[0052] The control module is used to perform application access control based on the security verification results.
[0053] In one embodiment, the application security access device further includes a generation module;
[0054] The generation module is used to obtain the user's device information;
[0055] The device information is preprocessed to obtain preprocessed device information;
[0056] The browser generates a device fingerprint based on the preprocessed device information.
[0057] In one embodiment, the generation module is further configured to generate a target hash value based on the preprocessed device information using a first hash algorithm;
[0058] The target hash value is hashed using a second hash algorithm to generate a device fingerprint.
[0059] In one embodiment, the generation module is further configured to perform hash processing on the device features in the preprocessed device information using a first hash algorithm to obtain hash values corresponding to multiple device features;
[0060] The hash values corresponding to the multiple device features are concatenated to generate the target hash value.
[0061] In one embodiment, the generation module is further configured to randomly assign weights to the device features in the preprocessed device information to obtain weight values for each device feature;
[0062] The preprocessed device information is hashed using a first hash algorithm based on the weight values of each device feature to generate a target hash value.
[0063] In one embodiment, the generation module is further configured to obtain the user's bound username in response to an input binding request;
[0064] The user name and device fingerprint are sent to the authentication center for binding, and the binding information is received from the authentication center.
[0065] In addition, to achieve the above objectives, this application also proposes an application security access device, the device comprising: a memory, a processor, and a computer program stored in the memory and executable on the processor, the computer program being configured to implement the steps of the application security access method as described above.
[0066] In addition, to achieve the above objectives, this application also proposes a storage medium, which is a computer-readable storage medium, on which a computer program is stored, and which, when executed by a processor, implements the steps of the application secure access method described above.
[0067] In addition, to achieve the above objectives, this application also provides a computer program product, which includes a computer program that, when executed by a processor, implements the steps of the application security access method described above.
[0068] This application provides a secure application access method. The method involves first responding to an application access request entered in a browser, determining the user's authentication information based on the request, obtaining a device fingerprint (generated by the browser based on the user's device information), performing a security verification based on the authentication information and the device fingerprint, and obtaining a security verification result. Finally, application access control is performed based on the security verification result. This method ensures that users can only access applications on designated secure devices, effectively improving application access security.
[0069] In summary, this application can quickly extract user authentication information based on the application access request entered in the browser. This information, combined with a device fingerprint generated by the browser based on the user's device information, enables accurate identification of the current login environment. The security verification result is then used for application access control, ensuring that users can only access the application on designated secure devices. This overcomes the technical shortcomings of previous applications that could not guarantee users could only log in to the application system on designated devices, leading to information leakage due to cross-device logins. This application effectively improves application access security by ensuring that users can only access the application on designated secure devices. Attached Figure Description
[0070] The accompanying drawings, which are incorporated in and form part of this specification, illustrate embodiments consistent with this application and, together with the description, serve to explain the principles of this application.
[0071] To more clearly illustrate the technical solutions in the embodiments of this application or the prior art, the drawings used in the description of the embodiments or the prior art will be briefly introduced below. Obviously, for those skilled in the art, other drawings can be obtained based on these drawings without creative effort.
[0072] Figure 1 A flowchart illustrating the first embodiment of the secure access method applied in this application;
[0073] Figure 2 This is a flowchart illustrating Embodiment 2 of the application of the secure access method.
[0074] Figure 3 A flowchart illustrating the MID binding and MID verification process provided in an embodiment of the secure access method applied in this application;
[0075] Figure 4 This is a schematic diagram of the module structure of the secure access device used in an embodiment of this application;
[0076] Figure 5 This is a schematic diagram of the device structure of the hardware operating environment involved in the application of the secure access method in the embodiments of this application.
[0077] The purpose, features, and advantages of this application will be further explained in conjunction with the embodiments and with reference to the accompanying drawings. Detailed Implementation
[0078] It should be understood that the specific embodiments described herein are merely illustrative of the technical solutions of this application and are not intended to limit this application.
[0079] To better understand the technical solution of this application, a detailed description will be provided below in conjunction with the accompanying drawings and specific implementation methods.
[0080] The main solution of this application embodiment is as follows: in response to an application access request entered in the browser, determine the user's authentication information based on the application access request; obtain a device fingerprint, wherein the device fingerprint is generated by the browser based on the user's device information; perform security verification based on the authentication information and the device fingerprint to obtain a security verification result; and perform application access control based on the security verification result.
[0081] With the development of the internet, an increasing number of applications rely on browsers for access and operation. In this context, ensuring the authenticity of visitors' identities and the security of their operations has become paramount. Traditional authentication methods primarily rely on usernames and passwords, but these are vulnerable to phishing attacks, password guessing, and other security threats. Even with SMS or email verification codes, it's impossible to guarantee that users only log in to applications on designated devices, leading to information leaks due to cross-device logins. Therefore, ensuring that users can only access applications on designated secure devices and improving application access security is a pressing issue that needs to be addressed.
[0082] This application can quickly extract user authentication information based on the application access request entered in the browser. Then, it combines the device fingerprint generated by the browser based on the user's device information for security verification. This can accurately identify the current login environment, and then use the security verification result to control application access, ensuring that users can only access the application on designated secure devices. This overcomes the technical defect that cannot ensure users can only log in to the application system on designated devices, leading to information leakage of user accounts when logging in across devices. It can ensure that users can only access the application on designated secure devices, effectively improving application access security.
[0083] It should be noted that the executing entity in this embodiment can be a computing service device with data processing, network communication, and program execution functions, such as a tablet computer, personal computer, or mobile phone, or an electronic device capable of performing the above functions, such as a browser in an application security access device. The following description uses a browser in an application security access device as an example to illustrate this embodiment and the subsequent embodiments.
[0084] Based on this, embodiments of this application provide an application secure access method, referring to... Figure 1 , Figure 1 This is a flowchart illustrating the first embodiment of the secure access method applied in this application.
[0085] In this embodiment, the application secure access method includes steps S10 to S40:
[0086] Step S10: In response to the application access request entered in the browser, determine the user's authentication information based on the application access request.
[0087] It should be noted that an application access request refers to a request initiated by a user through a browser, such as by entering a URL, clicking a link, or using a search engine, to request access to a specific application from a server.
[0088] It is understood that access requests can be initiated by the user or automatically by the browser based on the user's actions. This embodiment will use the example of a user-initiated request.
[0089] It is worth noting that authentication information may include, but is not limited to, usernames, passwords, and SMS verification codes. This information is used to confirm the identity of the request initiator, thereby ensuring access security. In this embodiment, authentication information can be determined in various ways, such as by the user entering a username and password on the login interface, and simultaneously verifying the information by receiving a verification code sent by the system via SMS. Furthermore, authentication information may also include biometric information, such as fingerprints or facial recognition, to provide a higher level of security; this embodiment does not impose any limitations on this.
[0090] In the specific implementation, the browser loads the login page, the user enters their username, password, and SMS verification code, and clicks submit. This generates an access request, which carries the user's input authentication information. Step S20: Obtain the device fingerprint, wherein the device fingerprint is obtained by the browser based on the user's device.
[0091] Step S20: Obtain device fingerprint, wherein the device fingerprint is generated by the browser based on the user's device information.
[0092] It's important to note that a device fingerprint (MID) is a unique identifier generated by analyzing a device's hardware, software, and network characteristics to identify and distinguish different devices. The device fingerprint is generated by the browser based on the user's device information and pre-stored in the browser's local storage. This device information can be a combination of various hardware and software characteristics, such as operating system type, browser version, screen resolution, IP address, MAC address, and device serial number.
[0093] It is understandable that after obtaining the user's authentication information, the browser calls the pre-stored device fingerprint (MID). The device fingerprint can be called through JavaScript code or obtained through the API interface provided by the browser. This embodiment will not go into specifics.
[0094] Step S30: Perform security verification based on the authentication information and device fingerprint to obtain the security verification result.
[0095] It should be noted that by combining device fingerprints with authentication information, the current access environment can be identified more accurately, determining whether the current device is secure, thereby effectively preventing unauthorized access and identity theft. The security verification result will determine whether the user can continue to access specific applications, network resources, or services, thus improving access security.
[0096] In one feasible implementation, step S30 may include: determining the current username based on the authentication information; obtaining binding information between the current username and the device fingerprint; performing security verification based on the binding information to obtain a security verification result.
[0097] It's important to note that the username refers to the name a user uses when registering for the application, typically associated with their phone number, email address, or other unique identifier. Binding information is the association data between the user's current username and the device fingerprint of the current device. Binding information can be stored on the server side for quick verification each time a user attempts to access the application.
[0098] Understandably, the device fingerprint is bound to the user's username when the user first registers or logs into the application. When the user attempts to access the application again, a security check is performed based on the binding information between the currently entered username and the device fingerprint. If the check passes, it means the request comes from a known and secure device, and access to the application is allowed; if the check fails, the access request is denied, thus effectively preventing unauthorized access and ensuring that users can only access the application on designated secure devices, effectively improving application access security.
[0099] In one feasible implementation, the step of performing security verification based on the binding information to obtain a security verification result includes: determining whether there is a binding relationship between the current username and the device fingerprint based on the binding information; when there is a binding relationship between the current username and the device fingerprint, determining that the current device is a secure device; and when there is no binding relationship between the current username and the device fingerprint, determining that the current device is an insecure device.
[0100] It should be noted that the binding information can quickly determine whether there is a binding relationship between the current username entered by the user and the device fingerprint of the current device, thereby determining whether the current device is a secure device and deciding whether to allow the user to access it.
[0101] Understandably, if there is a binding relationship between the current username and the device fingerprint, it indicates that the security verification has passed and the current device is a secure device, allowing the user to continue accessing the application; if there is no binding relationship, it indicates that the security verification has failed, and the user will be denied access, thus effectively preventing unauthorized access attempts.
[0102] It's worth noting that when security verification fails, a prompt message can be returned, such as "Device MID not bound," to inform the user that the current device is not authorized for access, requiring the user to log in using a registered device, or guiding the user to perform a device binding operation, thereby ensuring successful access to the application in the future. This method ensures that only authorized users on authorized devices can access the application, significantly reducing the risk of data leaks and unauthorized access.
[0103] Step S40: Perform application access control based on the security verification result.
[0104] It should be noted that application access control can include allowing or denying users access to specific applications, network resources, or services.
[0105] Specifically, if the security verification result indicates that the current device is a secure device, then user authentication will be performed. If the authentication is successful, access will be allowed to continue, and the user will be redirected to the application system with key information and a session will be established. Conversely, if the security verification result indicates that the current device is insecure or fails the authentication, then access will be denied.
[0106] In one feasible implementation, step S40 may include: when the security verification result indicates that the current device is a secure device, performing user authentication based on the authentication information to obtain user identity information; and when the user identity information indicates that the user is an authorized user, allowing the user to access the application.
[0107] It's important to note that user authentication refers to verifying whether a user is authorized, typically involving entering a password, SMS verification code, or other authentication methods. If user authentication is successful, the user will be authorized to access the application; otherwise, access will be denied. The purpose of user authentication is to ensure that only authorized users can access their accounts and related resources. This method further enhances application security and prevents unauthorized users from accessing sensitive information or performing inappropriate actions.
[0108] It is understood that identity verification information refers to the information provided by the user during the login process, which may be a password, biometric data (such as fingerprints, facial recognition), SMS verification code, etc. This embodiment does not impose specific restrictions on this.
[0109] In one feasible implementation, the step of verifying user identity based on the authentication information to obtain user identity information includes: determining the current username, current password, and current verification code based on the authentication information; querying the account corresponding to the current username and obtaining the preset password of the account and the dynamic verification code sent to the terminal bound to the account; and determining the user identity information as an authorized user when the current password is consistent with the preset password and the current verification code is consistent with the dynamic verification code.
[0110] It should be noted that in this embodiment, the authentication information includes the username, password, and SMS verification code. Based on the authentication information, the current username, password, and verification code entered by the current user can be determined. The current username refers to the username entered by the current user. This username may or may not exist in the server's user database. If the username does not exist in the server's user database, it indicates that the current user has not registered or the registration information is incorrect. In this case, the user can be prompted to register or correct the information. If the username exists in the database, the password and verification code are further compared.
[0111] Understandably, the password is a private information set by the user during registration to verify their identity, while the verification code is usually sent to the linked terminal via SMS, ensuring the timeliness and security of the verification code. The current password refers to the password corresponding to the current username entered by the current user, the default password is the password set by the user during registration, and the dynamic verification code is a verification code sent by the system to the user's linked terminal when the user attempts to log in, used to further verify the user's identity.
[0112] It's worth noting that if the user's current password matches the preset password stored on the server, and the user's current verification code matches the dynamic verification code sent by the system to the bound terminal, then the user's identity can be confirmed as an authorized user. This dual verification mechanism greatly improves security because even if the password is cracked, authentication cannot be completed without the dynamic verification code. Furthermore, the time-limited nature of the dynamic verification code limits the risk window during the verification process, further protecting the user's account security. After confirming the user's identity as an authorized user, the system will allow the user to access the application, thus completing the entire security verification and authentication process.
[0113] It's worth noting that if either the current password or the current verification code does not match the preset password or dynamic verification code, the system will deny the user access and provide corresponding prompts, such as "Incorrect password or verification code, please re-enter." This ensures that only users who correctly enter their username, password, and verification code are considered authorized users and can access the application. This effectively prevents password guessing attacks and verification code abuse, further enhancing application security. Furthermore, the system can record the number and time of login attempts. If abnormal login behavior is detected, such as multiple incorrect password or verification code attempts within a short period, the system can take additional security measures, such as temporarily locking the account, to prevent potential malicious attacks.
[0114] In one feasible implementation, step S40 may further include: when the security verification result indicates that the current device is an insecure device, denying the user access to the application and returning a corresponding prompt message.
[0115] It should be noted that in cases where access is denied, appropriate prompts can be provided, such as "Device MID not bound, access to this application cannot be obtained," to notify the user that their device is not authorized and guide them through the device binding process. The purpose of such prompts is to ensure that users understand why their device is not authorized for access and to instruct them on how to resolve the issue.
[0116] Specifically, a blacklist mechanism can be introduced to add insecure devices or devices that fail security checks to the blacklist, preventing them from attempting to access the application again. The blacklist mechanism can be temporary or long-term, depending on the security policy and the severity of the device violation. For devices temporarily blacklisted, a cooling-off period can be set, during which the device cannot attempt to access the application again. After the cooling-off period, the device can undergo security checks again. For devices permanently blacklisted, users may need to take corrective measures, such as updating the device's security software or contacting technical support, to remove the device from the blacklist. Through the blacklist mechanism, the number of malicious attempts can be effectively reduced, improving the overall security of application access.
[0117] This embodiment provides an application security access method. First, in response to an application access request entered in a browser, the method determines the user's authentication information based on the request; then, it obtains a device fingerprint, generated by the browser based on the user's device information; finally, it performs a security verification based on the authentication information and the device fingerprint to obtain a security verification result; and then, based on the security verification result, it performs application access control. This ensures that the user can only access the application on a specified secure device, effectively improving application access security.
[0118] In summary, this embodiment can quickly extract user authentication information based on the application access request entered in the browser. Combined with the device fingerprint generated by the browser based on the user's device information for security verification, it can accurately identify the current login environment. The security verification result is then used for application access control, ensuring that users can only access the application on designated secure devices. This overcomes the technical deficiency of not being able to ensure users only log in to the application system on designated devices, leading to information leakage due to cross-device logins. It effectively improves application access security by ensuring users can only access the application on designated secure devices.
[0119] Based on the first embodiment of this application, in the second embodiment of this application, the content that is the same as or similar to that in Embodiment 1 above can be referred to the above description, and will not be repeated hereafter. Based on this, please refer to... Figure 2 Before step S20, steps S01-S03 are also included:
[0120] Step S01: Obtain the user's device information.
[0121] It should be noted that, in this embodiment, the user's device information includes, but is not limited to, information such as CPU, motherboard, disk, memory, device model, operating system version, browser type and version, IP address, MAC address, and device serial number.
[0122] In practice, after the browser is installed, the browser client collects device-related information and stores it in the browser's local database.
[0123] Step S02: Preprocess the device information to obtain preprocessed device information.
[0124] It should be noted that preprocessing the collected device information can remove unnecessary information or noisy data, thereby improving the accuracy of the device information. Preprocessing steps include, but are not limited to, data cleaning, format standardization, noise reduction, and merging.
[0125] In one feasible implementation, step S02 specifically includes: standardizing the device information to obtain device information in a unified format; identifying and removing noise information in the unified format device information to obtain denoised device information; and merging the denoised device information to obtain preprocessed device information.
[0126] It should be noted that format standardization refers to converting the collected device information into a unified standard format. For example, unifying all digital formats into international standard digital formats helps with subsequent data analysis and comparison, ensuring the consistency and accuracy of information.
[0127] As is understandable, noise information refers to erroneous or inconsistent data that may exist in device information, such as incorrect device models or incorrect operating system version numbers. By identifying and removing this noise information, we can ensure that the preprocessed device information is more accurate and reliable.
[0128] It is worth noting that merging refers to combining all the feature information in the denoised device information into a single string, which is then used as input to the hash algorithm for the subsequent generation of the device fingerprint.
[0129] Step S03: The browser generates a device fingerprint based on the preprocessed device information.
[0130] It's important to note that the browser performs hashing on the preprocessed device information to generate a unique device identifier, known as the device fingerprint (MID). Hashing converts the data into a fixed-length string that corresponds one-to-one with the original data, but the original data cannot be derived in reverse.
[0131] Understandably, the process of generating a device fingerprint (MID) ensures the uniqueness of each device on the internet, thus providing a foundation for subsequent access control and security verification. The generated device fingerprint (MID) will be stored in the browser's local database for use when security verification is required.
[0132] In one feasible implementation, step S03 specifically includes steps A10-A11:
[0133] Step A10: Generate a target hash value using the first hash algorithm based on the preprocessed device information.
[0134] It should be noted that the first hash algorithm can be the SHA-256 algorithm, which can generate a hash value of 256 bits in length, ensuring extremely high security.
[0135] Step A11: The target hash value is hashed using a second hash algorithm to generate a device fingerprint.
[0136] It should be noted that the second hash algorithm can be the MD5 algorithm, which converts the target hash value into a 128-bit hash value in one step, facilitating storage and rapid comparison. This two-layer hashing process enhances the fingerprint's resistance to forgery, further improving its uniqueness and security. The generated device fingerprint (MID) will serve as the credential for browser access to applications, verifying device security.
[0137] In one feasible implementation, step A10 may include: performing hash processing on the device features in the preprocessed device information using a first hash algorithm to obtain hash values corresponding to multiple device features; and concatenating the hash values corresponding to the multiple device features to generate a target hash value.
[0138] It should be noted that in this embodiment, the browser hashes the device features in the device information separately using the SHA-256 algorithm, ensuring the independence and security of each feature. The concatenation operation combines these independent hash values into a single hash string, which serves as part of the final device fingerprint. This approach not only preserves the details of the device features but also increases the complexity and security of the device fingerprint through the irreversibility of the hash algorithm. This multi-feature hash concatenation method effectively resists attacks targeting a single feature, thus providing a more robust guarantee for secure access to the device.
[0139] In a feasible implementation, step A10 may further include: randomly assigning weights to the device features in the preprocessed device information to obtain the weight values of each device feature; and performing hash processing on the preprocessed device information according to the weight values of each device feature using a first hash algorithm to generate a target hash value.
[0140] It should be noted that in this embodiment, the browser randomly assigns weights to device features. For example, the operating system may be more important than resolution and language, so more hash calculations can be performed on the operating system to ensure that important features have a greater impact on the results when generating device fingerprints.
[0141] Understandably, the introduction of random weights increases the randomness of the fingerprint generation process, making it difficult for attackers to accurately deduce the complete device fingerprint even if they obtain partial device information. This strategy improves device fingerprint security while also enhancing the system's resistance to attacks.
[0142] Specifically, after assigning weights to device features, the browser uses the SHA-256 algorithm to hash the preprocessed device information according to the weight values of each device feature, ensuring that each feature is appropriately reflected in the final device fingerprint according to its importance.
[0143] In one feasible implementation, after step S03, the method further includes: in response to the input binding request, obtaining the user's binding username; sending the binding username and the device fingerprint to the authentication center for binding, and receiving the binding information fed back by the authentication center.
[0144] It should be noted that after the browser generates the device fingerprint for the current device, it will prompt the user to enter a binding request, and the user needs to provide their username. When the user enters and submits the username, the browser sends the user's binding username along with the generated device fingerprint (MID) to the authentication center for binding.
[0145] Understandably, after receiving a binding request, the authentication center will approve it through the authentication center administrator. Once approved, the device fingerprint will be bound to the username. The authentication center will then send the binding information to the browser, which will then display this information to the user, thus completing the association between the device fingerprint and the user's identity.
[0146] It's worth noting that each username can be bound to multiple device fingerprints, thus linking a user's identity to multiple devices. This allows users to perform secure authentication via device fingerprints when accessing the application on different devices, ensuring the continuity and convenience of user identity. At the same time, the multi-device binding mechanism also improves the system's flexibility, adapting to users switching between multiple devices.
[0147] like Figure 3 As shown, Figure 3 This is a flowchart illustrating the MID binding and verification process. The browser provides a page to apply for MID (device fingerprint) binding. The user enters their username and clicks submit. The page retrieves the username and submits it along with the user's device MID generated by the browser to the authentication center. Once approved by the administrator, the MID is bound to that username. When the user needs to log in to the application, the browser provides a login page. The user enters their username, password, and SMS verification code and submits it. The login page retrieves the username, password, and SMS verification code, along with the user's device MID generated by the browser, and submits them along with the MID to the authentication center for verification. If the verification passes, a session is established in the application system.
[0148] In this embodiment, by acquiring and preprocessing the user's device information, the accuracy of the information is effectively improved. Then, the browser generates a device fingerprint based on the preprocessed device information, ensuring the uniqueness and security of the device fingerprint.
[0149] It should be noted that the above examples are only for understanding this application and do not constitute a limitation on the application of the secure access method. Any simple modifications based on this technical concept are within the protection scope of this application.
[0150] This application also provides an application security access device; please refer to [reference needed]. Figure 4 The application security access device includes:
[0151] The determination module 10 is used to determine the user's authentication information based on the application access request entered in the browser in response to the application access request.
[0152] The acquisition module 20 is used to acquire a device fingerprint, wherein the device fingerprint is generated by the browser based on the user's device information.
[0153] The verification module 30 is used to perform security verification based on the authentication information and the device fingerprint to obtain a security verification result.
[0154] The control module 40 is used to perform application access control based on the security verification result.
[0155] This embodiment provides an application security access device. In response to an application access request entered in a browser, this embodiment determines the user's authentication information based on the application access request; obtains a device fingerprint, wherein the device fingerprint is generated by the browser based on the user's device information; performs security verification based on the authentication information and the device fingerprint to obtain a security verification result; and performs application access control based on the security verification result, which can ensure that the user can only access the application on a specified secure device, effectively improving application access security.
[0156] In summary, this embodiment can quickly extract user authentication information based on the application access request entered in the browser. Combined with the device fingerprint generated by the browser based on the user's device information for security verification, it can accurately identify the current login environment. The security verification result is then used for application access control, ensuring that users can only access the application on designated secure devices. This overcomes the technical deficiency of not being able to ensure users only log in to the application system on designated devices, leading to information leakage due to cross-device logins. It effectively improves application access security by ensuring users can only access the application on designated secure devices.
[0157] Optionally, the application security access device further includes a generation module; the generation module is used to obtain the user's device information; preprocess the device information to obtain preprocessed device information; and generate a device fingerprint by the browser based on the preprocessed device information.
[0158] Optionally, the generation module is further configured to generate a target hash value based on the preprocessed device information using a first hash algorithm; and to perform hash processing on the target hash value using a second hash algorithm to generate a device fingerprint.
[0159] Optionally, the generation module is further configured to perform hash processing on the device features in the preprocessed device information using a first hash algorithm to obtain hash values corresponding to multiple device features; and to concatenate the hash values corresponding to the multiple device features to generate a target hash value.
[0160] Optionally, the generation module is further configured to randomly assign weights to the device features in the preprocessed device information to obtain the weight values of each device feature; and to perform hash processing on the preprocessed device information according to the weight values of each device feature using a first hash algorithm to generate a target hash value.
[0161] Optionally, the generation module is further configured to, in response to an input binding request, obtain the user's binding username; send the binding username and the device fingerprint to the authentication center for binding; and receive binding information fed back by the authentication center.
[0162] Optionally, the generation module is further configured to standardize the device information to obtain device information in a unified format; identify and remove noise information in the unified format device information to obtain denoised device information; and merge the denoised device information to obtain preprocessed device information.
[0163] Optionally, the verification module 30 is further configured to determine the current username based on the authentication information; obtain the binding information between the current username and the device fingerprint; perform security verification based on the binding information, and obtain a security verification result.
[0164] Optionally, the verification module 30 is further configured to determine whether there is a binding relationship between the current username and the device fingerprint based on the binding information; when there is a binding relationship between the current username and the device fingerprint, determine that the current device is a secure device; when there is no binding relationship between the current username and the device fingerprint, determine that the current device is an insecure device.
[0165] Optionally, the control module 40 is further configured to, when the security verification result indicates that the current device is a secure device, perform user authentication based on the authentication information to obtain user identity information; and when the user identity information indicates that the user is an authorized user, allow the user to access the application.
[0166] Optionally, the control module 40 is further configured to determine the current username, current password, and current verification code based on the authentication information; query the account corresponding to the current username, and obtain the preset password of the account and the dynamic verification code sent to the terminal bound to the account; when the current password is consistent with the preset password and the current verification code is consistent with the dynamic verification code, determine that the user identity information is an authorized user.
[0167] Optionally, the control module 40 is further configured to refuse user access to the application and return corresponding prompt information when the security verification result indicates that the current device is an insecure device.
[0168] The application security access device provided in this application, employing the application security access method described in the above embodiments, can solve the technical problem of information leakage caused by the inability to ensure that users log in to the application system only on designated devices, leading to cross-device logins of user accounts. Compared with the prior art, the beneficial effects of the application security access device provided in this application are the same as those of the application security access method provided in the above embodiments, and other technical features in the application security access device are the same as those disclosed in the methods of the above embodiments, and will not be repeated here.
[0169] This application provides an application security access device, which includes: at least one processor; and a memory communicatively connected to the at least one processor; wherein the memory stores instructions executable by the at least one processor, which are executed by the at least one processor to enable the at least one processor to perform the application security access method in Embodiment 1 above.
[0170] The following is for reference. Figure 5 This document illustrates a structural diagram of an application security access device suitable for implementing embodiments of this application. The application security access device in these embodiments may include, but is not limited to, mobile terminals such as mobile phones, laptops, digital broadcast receivers, PDAs (Personal Digital Assistants), PADs (Portable Application Description), PMPs (Portable Media Players), in-vehicle terminals (e.g., in-vehicle navigation terminals), and fixed terminals such as digital TVs and desktop computers. Figure 5 The application security access device shown is merely an example and should not impose any limitations on the functionality and scope of use of the embodiments of this application.
[0171] like Figure 5As shown, the application security access device may include a processing unit 1001 (e.g., a central processing unit, a graphics processing unit, etc.) that can perform various appropriate actions and processes according to a program stored in a read-only memory (ROM) 1002 or a program loaded from a storage device 1003 into a random access memory (RAM) 1004. The RAM 1004 also stores various programs and data required for the operation of the application security access device. The processing unit 1001, ROM 1002, and RAM 1004 are interconnected via a bus 1005. An input / output (I / O) interface 1006 is also connected to the bus. Typically, the following systems can be connected to the I / O interface 1006: input devices 1007 including, for example, touchscreens, touchpads, keyboards, mice, image sensors, microphones, accelerometers, gyroscopes, etc.; output devices 1008 including, for example, liquid crystal displays (LCDs), speakers, vibrators, etc.; storage devices 1003 including, for example, magnetic tapes, hard disks, etc.; and communication devices 1009. Communication device 1009 allows the application security access device to communicate wirelessly or wiredly with other devices to exchange data. While the figure shows application security access devices with various systems, it should be understood that implementation or possession of all the systems shown is not required. More or fewer systems may be implemented alternatively.
[0172] Specifically, according to the embodiments disclosed in this application, the processes described above with reference to the flowcharts can be implemented as computer software programs. For example, embodiments disclosed in this application include a computer program product comprising a computer program carried on a computer-readable medium, the computer program containing program code for performing the methods shown in the flowcharts. In such embodiments, the computer program can be downloaded and installed from a network via a communication device, or installed from storage device 1003, or installed from ROM 1002. When the computer program is executed by processing device 1001, it performs the functions defined in the methods of the embodiments disclosed in this application.
[0173] The application security access device provided in this application, employing the application security access method described in the above embodiments, can solve the technical problem of information leakage caused by the inability to ensure that users log in to the application system only on designated devices, leading to cross-device logins of user accounts. Compared with the prior art, the beneficial effects of the application security access device provided in this application are the same as those of the application security access method provided in the above embodiments, and other technical features in this application security access device are the same as those disclosed in the previous embodiment method, and will not be repeated here.
[0174] It should be understood that the various parts disclosed in this application can be implemented using hardware, software, firmware, or a combination thereof. In the description of the above embodiments, specific features, structures, materials, or characteristics can be combined in any suitable manner in one or more embodiments or examples.
[0175] The above description is merely a specific embodiment of this application, but the scope of protection of this application is not limited thereto. Any variations or substitutions that can be easily conceived by those skilled in the art within the scope of the technology disclosed in this application should be included within the scope of protection of this application. Therefore, the scope of protection of this application should be determined by the scope of the claims.
[0176] This application provides a computer-readable storage medium having computer-readable program instructions (i.e., a computer program) stored thereon, the computer-readable program instructions being used to execute the application security access method described in the above embodiments.
[0177] The computer-readable storage medium provided in this application may be, for example, a USB flash drive, but is not limited to, electrical, magnetic, optical, electromagnetic, infrared, or semiconductor systems, devices, or any combination thereof. More specific examples of computer-readable storage media may include, but are not limited to: electrical connections having one or more wires, portable computer disks, hard disks, random access memory (RAM), read-only memory (ROM), erasable programmable read-only memory (EPROM or flash memory), optical fiber, portable compact disk read-only memory (CD-ROM), optical storage devices, magnetic storage devices, or any suitable combination thereof. In this embodiment, the computer-readable storage medium may be any tangible medium containing or storing a program that can be used by or in conjunction with an instruction execution system, system, or device. The program code contained on the computer-readable storage medium may be transmitted using any suitable medium, including but not limited to: wires, optical cables, RF (Radio Frequency), etc., or any suitable combination thereof.
[0178] The aforementioned computer-readable storage medium may be included in the application secure access device; or it may exist independently and not assembled into the application secure access device.
[0179] The aforementioned computer-readable storage medium carries one or more programs that, when executed by an application security access device, cause the application security access device to: respond to an application access request entered in a browser, determine the user's authentication information based on the application access request; obtain a device fingerprint, wherein the device fingerprint is generated by the browser based on the user's device information; perform security verification based on the authentication information and the device fingerprint to obtain a security verification result; and perform application access control based on the security verification result.
[0180] Computer program code for performing the operations of this application can be written in one or more programming languages or a combination thereof, including object-oriented programming languages such as Java, Smalltalk, and C++, and conventional procedural programming languages such as the "C" language or similar programming languages. The program code can be executed entirely on the user's computer, partially on the user's computer, as a standalone software package, partially on the user's computer and partially on a remote computer, or entirely on a remote computer or server. In cases involving remote computers, the remote computer can be connected to the user's computer via any type of network—including a Local Area Network (LAN) or a Wide Area Network (WAN)—or can be connected to an external computer (e.g., via the Internet using an Internet service provider).
[0181] The flowcharts and block diagrams in the accompanying drawings illustrate the architecture, functionality, and operation of possible implementations of systems, methods, and computer program products according to various embodiments of this application. In this regard, each block in a flowchart or block diagram may represent a module, segment, or portion of code containing one or more executable instructions for implementing a specified logical function. It should also be noted that in some alternative implementations, the functions indicated in the blocks may occur in a different order than those indicated in the drawings. For example, two consecutively indicated blocks may actually be executed substantially in parallel, and they may sometimes be executed in reverse order, depending on the functions involved. It should also be noted that each block in the block diagrams and / or flowcharts, and combinations of blocks in the block diagrams and / or flowcharts, can be implemented using a dedicated hardware-based system that performs the specified function or operation, or using a combination of dedicated hardware and computer instructions.
[0182] The modules described in the embodiments of this application can be implemented in software or hardware. The names of the modules do not necessarily limit the functionality of the unit itself.
[0183] The readable storage medium provided in this application is a computer-readable storage medium that stores computer-readable program instructions (i.e., a computer program) for executing the above-described application security access method. This solves the technical problem of information leakage caused by the inability to ensure that users only log in to the application system on designated devices, leading to cross-device logins. Compared with the prior art, the beneficial effects of the computer-readable storage medium provided in this application are the same as those of the application security access method provided in the above embodiments, and will not be repeated here.
[0184] This application also provides a computer program product, including a computer program that, when executed by a processor, implements the steps of the application security access method described above.
[0185] The computer program product provided in this application can solve the technical problem of information leakage caused by the inability to ensure that users log in to the application system only on designated devices, resulting in user accounts being logged in across devices. Compared with the prior art, the beneficial effects of the computer program product provided in this application are the same as those of the application security access method provided in the above embodiments, and will not be repeated here.
[0186] The above description is only a part of the embodiments of this application and does not limit the patent scope of this application. All equivalent structural transformations made under the technical concept of this application and using the contents of the specification and drawings of this application, or direct / indirect applications in other related technical fields, are included in the patent protection scope of this application.
[0187] This invention discloses A1. An application security access method, the method comprising:
[0188] In response to an application access request entered in the browser, the user's authentication information is determined based on the application access request;
[0189] Obtain a device fingerprint, wherein the device fingerprint is generated by the browser based on the user's device information;
[0190] A security verification is performed based on the authentication information and the device fingerprint to obtain the security verification result.
[0191] Application access control is performed based on the security verification results.
[0192] A2. As described in A1, before acquiring the device fingerprint, the method further includes:
[0193] Obtain user device information;
[0194] The device information is preprocessed to obtain preprocessed device information;
[0195] The browser generates a device fingerprint based on the preprocessed device information.
[0196] A3. The method as described in A2, wherein generating the device fingerprint based on the preprocessed device information includes:
[0197] A target hash value is generated based on the preprocessed device information using a first hash algorithm;
[0198] The target hash value is hashed using a second hash algorithm to generate a device fingerprint.
[0199] A4. The method as described in A3, wherein generating the target hash value based on the preprocessed device information using a first hash algorithm includes:
[0200] The device features in the preprocessed device information are hashed using the first hash algorithm to obtain hash values corresponding to multiple device features.
[0201] The hash values corresponding to the multiple device features are concatenated to generate the target hash value.
[0202] A5. The method as described in A3, wherein generating the target hash value based on the preprocessed device information using the first hash algorithm further includes:
[0203] Random weights are assigned to the device features in the preprocessed device information to obtain the weight values of each device feature;
[0204] The preprocessed device information is hashed using a first hash algorithm based on the weight values of each device feature to generate a target hash value.
[0205] A6. As described in A2, after the browser generates the device fingerprint based on the preprocessed device information, the method further includes:
[0206] In response to the input binding request, retrieve the user's bound username;
[0207] The user name and device fingerprint are sent to the authentication center for binding, and the binding information is received from the authentication center.
[0208] A7. The method as described in A2, wherein preprocessing the device information to obtain preprocessed device information includes:
[0209] The device information is standardized to obtain device information in a unified format;
[0210] Noise information is identified and removed from the unified format device information to obtain denoised device information;
[0211] The denoised device information is merged to obtain preprocessed device information.
[0212] A8. The method as described in A1, wherein the step of performing security verification based on the authentication information and the device fingerprint to obtain a security verification result includes:
[0213] The current username is determined based on the authentication information;
[0214] Obtain the binding information between the current username and the device fingerprint;
[0215] A security verification is performed based on the binding information to obtain the security verification result.
[0216] A9. As described in A8, the step of performing security verification based on the binding information to obtain a security verification result includes:
[0217] Determine whether a binding relationship exists between the current username and the device fingerprint based on the binding information;
[0218] When there is a binding relationship between the current username and the device fingerprint, the security verification result is determined to be that the current device is a secure device;
[0219] If there is no binding relationship between the current username and the device fingerprint, the security verification result is determined to be that the current device is an insecure device.
[0220] A10. The method as described in A1, wherein the application access control based on the security verification result includes:
[0221] When the security verification result indicates that the current device is a secure device, user authentication is performed based on the authentication information to obtain user identity information;
[0222] When the user's identity information indicates that the user is an authorized user, the user is allowed to access the application.
[0223] A11. The method as described in A10, wherein the step of authenticating the user based on the authentication information to obtain the user identity information includes:
[0224] The current username, current password, and current verification code are determined based on the authentication information.
[0225] Query the account corresponding to the current username, and obtain the preset password of the account and the dynamic verification code sent to the terminal bound to the account;
[0226] When the current password matches the preset password and the current verification code matches the dynamic verification code, the user's identity information is determined to be that of an authorized user.
[0227] A12. The method as described in A1, wherein the application access control based on the security verification result further includes:
[0228] If the security verification result indicates that the current device is an insecure device, the user is denied access to the application, and a corresponding prompt message is returned.
[0229] The present invention also discloses B13. An application security access device, the application security access device comprising:
[0230] The determination module is used to determine the user's authentication information based on the application access request entered in the browser in response to the application access request.
[0231] An acquisition module is used to acquire a device fingerprint, wherein the device fingerprint is generated by the browser based on the user's device information;
[0232] The verification module is used to perform security verification based on the authentication information and device fingerprint, and obtain the security verification result;
[0233] The control module is used to perform application access control based on the security verification results.
[0234] B14. The apparatus as described in B13, wherein the application secure access apparatus further includes a generation module;
[0235] The generation module is used to obtain the user's device information;
[0236] The device information is preprocessed to obtain preprocessed device information;
[0237] The browser generates a device fingerprint based on the preprocessed device information.
[0238] B15. The apparatus as described in B14, wherein the generating module is further configured to generate a target hash value based on the preprocessed device information using a first hash algorithm;
[0239] The target hash value is hashed using a second hash algorithm to generate a device fingerprint.
[0240] B16. The apparatus as described in B15, wherein the generating module is further configured to perform hash processing on the device features in the preprocessed device information respectively using a first hash algorithm to obtain hash values corresponding to multiple device features;
[0241] The hash values corresponding to the multiple device features are concatenated to generate the target hash value.
[0242] B17. The apparatus as described in B15, wherein the generating module is further configured to randomly assign weights to the device features in the preprocessed device information to obtain weight values for each device feature;
[0243] The preprocessed device information is hashed using a first hash algorithm based on the weight values of each device feature to generate a target hash value.
[0244] B18. The apparatus as described in B14, wherein the generation module is further configured to obtain the user's bound username in response to an input binding request;
[0245] The user name and device fingerprint are sent to the authentication center for binding, and the binding information is received from the authentication center.
[0246] The present invention also discloses C19. An application security access device, the application security access device comprising: a memory, a processor, and an application security access program stored on the memory and executable on the processor, the application security access program being configured to implement the application security access method as described in any one of 1 to 12.
[0247] The present invention also discloses D20. A storage medium storing an application security access program, which, when executed by a processor, implements the application security access method as described in any one of 1 to 12.
Claims
1. An application-secure access method, characterized in that, The method includes: In response to an application access request entered in the browser, the user's authentication information is determined based on the application access request; Obtain a device fingerprint, wherein the device fingerprint is generated by the browser based on the user's device information; A security verification is performed based on the authentication information and the device fingerprint to obtain the security verification result. Application access control is performed based on the security verification results.
2. The method as described in claim 1, characterized in that, Before acquiring the device fingerprint, the process also includes: Obtain user device information; The device information is preprocessed to obtain preprocessed device information; The browser generates a device fingerprint based on the preprocessed device information.
3. The method as described in claim 2, characterized in that, The step of generating a device fingerprint based on the preprocessed device information includes: A target hash value is generated based on the preprocessed device information using a first hash algorithm; The target hash value is hashed using a second hash algorithm to generate a device fingerprint.
4. The method as described in claim 3, characterized in that, The step of generating a target hash value based on the preprocessed device information using a first hash algorithm includes: The device features in the preprocessed device information are hashed using the first hash algorithm to obtain hash values corresponding to multiple device features. The hash values corresponding to the multiple device features are concatenated to generate the target hash value.
5. The method as described in claim 3, characterized in that, The step of generating a target hash value based on the preprocessed device information using a first hash algorithm further includes: Random weights are assigned to the device features in the preprocessed device information to obtain the weight values of each device feature; The preprocessed device information is hashed using a first hash algorithm based on the weight values of each device feature to generate a target hash value.
6. The method as described in claim 2, characterized in that, After the browser generates the device fingerprint based on the preprocessed device information, the process further includes: In response to the input binding request, retrieve the user's bound username; The user name and device fingerprint are sent to the authentication center for binding, and the binding information is received from the authentication center.
7. The method as described in claim 2, characterized in that, The preprocessing of the device information to obtain preprocessed device information includes: The device information is standardized to obtain device information in a unified format. Noise information is identified and removed from the unified format device information to obtain denoised device information; The denoised device information is merged to obtain preprocessed device information.
8. An application-secure access device, characterized in that, The application security access device includes: The determination module is used to determine the user's authentication information based on the application access request entered in the browser in response to the application access request. An acquisition module is used to acquire a device fingerprint, wherein the device fingerprint is generated by the browser based on the user's device information; The verification module is used to perform security verification based on the authentication information and device fingerprint, and obtain the security verification result; The control module is used to perform application access control based on the security verification results.
9. An application security access device, characterized in that, The application security access device includes: a memory, a processor, and an application security access program stored on the memory and executable on the processor, the application security access program being configured to implement the application security access method as described in any one of claims 1 to 7.
10. A storage medium, characterized in that, The storage medium stores an application security access program, which, when executed by a processor, implements the application security access method as described in any one of claims 1 to 7.