Information processing device, control method for information processing device, and program

The information processing device facilitates dual credential registration across terminals, enhancing FIDO authentication by ensuring continued access to services even if the original device is unavailable, thus improving usability.

JP2026096755A · Pending · Publication Date: 2026-06-15 · CANON KK

Patent Information

Authority / Receiving Office: JP · JP
Patent Type: Applications
Current Assignee / Owner: CANON KK
Filing Date: 2024-12-03
Publication Date: 2026-06-15

AI Technical Summary

Technical Problem

Conventional FIDO authentication methods fail to synchronize credentials across devices, leading to authentication failures if the registered device becomes unavailable due to power failure, malfunction, or loss.

Method used

An information processing device with registration means for communicating with terminals to perform dual registration processes, ensuring credentials are registered on both the original and additional terminals with user consent, enabling authentication even if the original device is unavailable.

Benefits of technology

Enhances FIDO authentication usability by allowing seamless credential synchronization and authentication across devices, ensuring continued access to services even when the original device is unavailable.



Abstract

This invention provides an information processing device, a control method for the information processing device, and a program that enable authentication to a service even when the terminal to which the credentials are registered is unavailable, if the credentials are registered on a terminal different from the terminal from which the credentials are registered. [Solution] In the system, when the authentication terminal 101, which is an information processing device, registers credentials with the authentication terminal 102, it requests the user's consent to also register the credentials with the authentication terminal 101 (S704), communicates with the authentication terminal 102 and registers the credentials for accessing the service with the terminal (S705~S715), and if consent has been obtained, it further registers the credentials for accessing the service with the authentication terminal 101 (S716~S729).

Description

【Technical Field】 【0001】 The present invention relates to an information processing apparatus, a control method for an information processing apparatus, and a program. 【Background Art】 【0002】 There is FIDO (registered trademark) as an authentication system including biometric authentication. FIDO is an abbreviation of "Fast Identity Online". Further, as an extended specification of credentials handled by FIDO (hereinafter referred to as FIDO credentials), multi-device FIDO credentials have been a topic of recent discussion. 【0003】 In FIDO, registration work is performed in advance between an authenticator such as a user's terminal at hand and an authentication server, so that credentials such as a private key and a user ID are registered in the authenticator, and a public key is registered in the authentication server. Here, in the conventional FIDO, there was no specification to transmit and save credentials from the registration source terminal to another terminal or server. Therefore, it was not possible to synchronize the credentials with a terminal different from the terminal used by the user in the registration work, and thus account recovery was not possible. Patent Document 1 discloses a technique of performing pairing between terminals, authenticating with a terminal that holds credentials, and then transmitting the credentials to another destination terminal. Further, Patent Document 2 discloses a technique of executing account recovery of a terminal equipped with a FIDO authenticator of an approver by consent processing of the terminal equipped with the FIDO authenticator of the approvee. 【0004】 On the other hand, multi-device FIDO credentials transmit the credentials from the FIDO client module of the registration source terminal to the server that manages the client module at the time of the credential registration work. This makes it possible to synchronize the FIDO credentials with another terminal handled by the user. 
Additionally, there is an option called the Supplemental Public Key option, which is defined in the WebAuthn Level 3 specification. This option is specified when the application server providing the service wants to restrict access to only devices that have registered the credentials when creating the authentication credentials. 【0005】 By specifying this option when registering credentials on the application server, credentials identifying the authentication terminal are created on the registration authentication terminal. During authentication, specifying this option on the application server also requires a signature using not only user verification credentials but also authentication terminal identification credentials. By verifying these two signatures, it is possible to verify whether the authentication request originated from the authentication terminal used during registration. In addition, when registering credentials, it is possible to register credentials on a different device from the one from which they were originally registered by using communication methods such as BLE (Bluetooth® Low Energy) to communicate between devices. [Prior art documents] [Patent Documents] 【0006】 [Patent Document 1] Japanese Patent Publication No. 2018-201217 [Patent Document 2] Japanese Patent Publication No. 2023-159773 [Summary of the Invention] [Problems that the invention aims to solve] 【0007】 However, with the conventional method described above, where credentials are registered on a device other than the original device through communication between devices, the credentials are not registered on the original device. Therefore, if the device to which the credentials are registered becomes unavailable due to power failure, malfunction, loss, etc., authentication to the service may become impossible. 【0008】 This invention was made to solve the above-mentioned problems. 
The purpose of this invention is to provide a mechanism that enables authentication to a service even when the terminal to which the credentials are registered is unavailable, if the credentials are registered on a terminal different from the terminal from which the credentials are registered. [Means for solving the problem] 【0009】 The present invention relates to an information processing device having an authentication function, comprising: registration means for communicating with a terminal having an authentication function and performing a first registration process for registering credentials for accessing a service with the terminal; and first request means for requesting a first consent from the user to register credentials for accessing the service with the information processing device when the credentials are registered with the terminal by the first registration process, wherein, if the first consent is obtained, the registration means performs a second registration process in addition to the first registration process to register credentials for accessing the service with the information processing device. [Effects of the Invention] 【0010】 According to the present invention, even if credentials are registered on a terminal different from the terminal from which they were registered, authentication to the service can be enabled even if the terminal to which the credentials were registered is unavailable. As a result, the usability of FIDO authentication can be significantly improved with minimal effort and ease. [Brief explanation of the drawing] 【0011】 [Figure 1] A diagram illustrating the overall configuration of the system in this embodiment. [Figure 2] A diagram illustrating the hardware configuration of each device in this embodiment. [Figure 3] A diagram illustrating the module configuration of each device in the first embodiment. [Figure 4] A diagram illustrating the credential information registration screen. 
[Figure 5] A sequence diagram illustrating the user authentication process. [Figure 6] A sequence diagram illustrating the authentication process of the credential information management server. [Figure 7] A sequence diagram illustrating the credential information registration process in the first embodiment. [Figure 8] A diagram illustrating the credential registration consent screen. [Figure 9] A flowchart illustrating the consent acquisition determination process for continuing credential registration in the first embodiment. [Figure 10] A diagram illustrating the consent screen for continuing credential registration. [Figure 11] A flowchart illustrating the determination process for continuing credential registration in the first embodiment. [Figure 12] A diagram illustrating the credential registration result screen. [Figure 13] A diagram illustrating the module configuration of each device in the second embodiment. [Figure 14] A sequence diagram illustrating the credential information registration process in the second embodiment. [Figure 15] A flowchart illustrating the determination process for continuing credential registration in the second embodiment. [Figure 16] A diagram illustrating the screen indicating that continuing credential registration is not required in the second embodiment. [Figure 17] A diagram illustrating the module configuration of each device in the third embodiment. [Figure 18] A sequence diagram illustrating the authentication time update process in the third embodiment. [Figure 19] A sequence diagram illustrating the credential information registration process in the third embodiment. [Figure 20] A flowchart illustrating the authentication process skip determination process in the third embodiment. 【Embodiments for Carrying Out the Invention】 【0012】 Hereinafter, embodiments for carrying out the present invention will be described with reference to the drawings. 
〔First Embodiment〕 In this embodiment, in a credential registration method in which credentials for service use are registered in a registration destination terminal different from the registration source terminal of the credentials by communicating between terminals, a configuration for simultaneously registering the credentials for service use in the registration source terminal will be described. 【0013】 <System Configuration> FIG. 1 is a diagram illustrating the overall configuration of the system in an embodiment of the present invention. The system of this embodiment is a system corresponding to multi-device FIDO credential authentication. In this embodiment, the credentials registered in the terminal are multi-device compatible FIDO credentials, also referred to as passkeys. 【0014】 In Figure 1, 101 and 102 are authentication terminals. Authentication terminals 101 and 102 send a request to application server 103 to create credential information and obtain a challenge from authentication server 104. Then, authentication terminals 101 and 102 send the registration result of the credential information to authentication server 104. Furthermore, authentication terminals 101 and 102 send a request to credential information management servers 105 and 106 to register the credential information and obtain the registration result from credential information management servers 105 and 106. In addition, during credential registration, authentication terminals 101 and 102 communicate with each other to register the credentials to an authentication terminal other than the one from which the registration originated. Authentication terminals 101 and 102 are information processing devices such as personal computers (PCs), smartphones, and tablet terminals. 【0015】 When application server 103 receives a request to create credential information from authentication terminals 101 and 102, it sends the request to authentication server 104. 
Furthermore, when application server 103 receives the result of the credential information creation from authentication server 104, it sends the result to authentication terminals 101 and 102. 【0016】 When the authentication server 104 receives a request to create credential information, it sends a challenge to the authentication terminals 101 and 102. When the authentication server 104 receives the results of the credential information creation from the authentication terminals 101 and 102, it registers the public key with the authentication server 104 and sends the results of the credential information creation to the application server 103. Note that the authentication server 104 may be managed on the same server as the application server 103. 【0017】 The credential information management servers 105 and 106 manage credential information. When they receive a request to register credential information from the authentication terminals 101 and 102, they register the credential information in the credential information management servers 105 and 106 and send the credential information registration result to the authentication terminals 101 and 102. In addition, when using the registration function, the credential information management servers 105 and 106 require authentication of the user using the authentication terminals 101 and 102 and provide the authentication function to the authentication terminals 101 and 102. 【0018】 Authentication terminals 101 and 102 are connected via local networks 107 and 108, respectively. Application server 103, authentication server 104, and credential information management servers 105 and 106 are connected via global network 109. Local networks 107 and 108 are communication networks implemented using one or a combination of, for example, LAN, WAN, telephone lines, dedicated digital lines, ATM or frame relay lines, cable television lines, or wireless lines for data broadcasting. 
Global network 109 has a similar configuration to local networks 107 and 108. 【0019】 <Hardware configuration of authentication terminal and server device> Figure 2(a) is a block diagram showing an example of the hardware configuration of the information processing devices that make up the authentication terminals 101 and 102. Authentication terminals such as 101 and 102 are equipped with a CPU 201 that executes software stored on a hard disk drive (HDD) 203, which is a storage device. The CPU 201 comprehensively controls each piece of hardware connected to the system bus 204. 【0020】 Memory 202 functions as the main memory, work area, etc., of CPU 201. The HDD 203 records data as a high-capacity storage device. Alternatively, other storage devices such as an SSD (Solid State Drive) or eMMC (embedded MultiMediaCard) may be used in place of or in conjunction with the HDD (Hard Disk Drive). 【0021】 The UI control unit 206 controls input from an input device 207, such as a touch panel. The network control unit 208 exchanges data bidirectionally with other nodes via the network. 【0022】 The proximity communication interface 205 is a network interface for proximity communication such as NFC (Near Field Communication) and Bluetooth (registered trademark), and communicates with other devices and exchanges data. Furthermore, the authentication terminal is equipped with an image processing unit that controls the input from the onboard camera. 【0023】 The TPM (Trusted Platform Module) 208 is a tamper-proof storage device that prevents the stored data from being read from the outside, for the purpose of processing and holding confidential information. In this embodiment, the TPM 208 manages the biometric information itself used for authentication, or credential information such as a secret key corresponding to the biometric information. 【0024】 The biometric information sensor 209 is a sensor that reads the biometric information of users using the authentication terminal. 
For example, it reads information such as the user's fingerprint, vein pattern, voiceprint, iris, and facial image, and converts it into a signal. This is implemented using a dedicated reader such as a fingerprint sensor, a camera, a microphone, etc. 【0025】 Figure 2(b) is a block diagram showing an example of the hardware configuration of the server devices comprising the application server 103, authentication server 104, and credential information management server 105. The server device includes a CPU 210 that executes software stored on the HDD 212, which is a storage device. The CPU 210 comprehensively controls each piece of hardware connected to the system bus 213. 【0026】 Memory 211 functions as the main memory, work area, etc., of the CPU 210. The HDD 212 records data as a high-capacity storage device. Alternatively, other storage devices such as SSDs may be used in place of or in conjunction with the HDD. 【0027】 The input control unit 214 controls input from an input device 215, such as a keyboard. Depending on the role of the server device, a configuration without the input control unit 214 and input device 215 is also possible. The display control unit 216 controls the display on the display device 217, such as a liquid crystal display. Depending on the role of the server device, a configuration without the display control unit 216 and display device 217 is also possible. The network control unit 218 exchanges data bidirectionally with other nodes via the network. 【0028】 The server devices comprising application server 103, authentication server 104, and credential information management servers 105 and 106 are implemented by information processing devices provided as a cloud computing service. Cloud computing includes serverless computing and virtual machines. In cloud computing, multiple hardware resources as shown in Figure 2 are used. 
Alternatively, application server 103, authentication server 104, and credential information management servers 105 and 106 may each be implemented on a single physical machine. 【0029】 <Functional Configuration> Figure 3 is a block diagram showing an example of the functional configuration of authentication terminals 101 and 102, application server 103, authentication server 104, and credential information management servers 105 and 106 in the first embodiment. In this figure, the functional configuration of authentication terminals 101 and 102 is realized by the CPU 201 of each authentication terminal reading a program stored in HDD 203 into memory 202 and executing it. The functional configurations of application server 103, authentication server 104, and credential information management servers 105 and 106 are realized by the CPU 210 of each server reading a program stored in HDD 212 into memory 211 and executing it. 【0030】 (Authentication terminal) The authentication terminals 101 and 102 each include a browser 310, an authentication client 320, an authenticator 330, and an image processing unit 334. Browser 310 is a web browser that has the function of interpreting HTML and displaying web pages, and the function of receiving input from the user and sending requests to application server 103. In this embodiment, browser 310 displays a web page for displaying a credential information registration screen, as shown in Figure 4, provided by application server 103. Figure 4 shows an example of a credential information registration screen. In addition, the browser 310 has a function to display a QR code (registered trademark) issued when permission is granted for communication between authentication terminals 101 and 102. 【0031】 The authentication client 320 has the function of performing the authentication process required when a user registers their credential information and controlling the registration of credential information. 
The credential information is described in the function description of the credential information storage unit 332. The authentication client 320 also has the function of controlling the synchronization of credential information. In addition, the authentication client 320 manages communication between authentication terminals 101 and 102, issues a QR code (registered trademark) when permission is granted for communication between authentication terminals, and requests the browser 310 to display the QR code. Furthermore, once communication between authentication terminals 101 and 102 is established, the authentication client 320 has the function of sending a credential registration request to the other authentication terminal. 【0032】 The authenticator 330 comprises a biometric authentication processing unit 331, a credential information storage unit 332, and a biometric information management unit 333. The biometric authentication processing unit 331 has the function of requesting the user to input biometric information and the function of performing biometric authentication. Biometric authentication is a process that verifies that the biometric information received from the user exists in the biometric information table held by the biometric information management unit 333. The biometric information and the biometric information table will be described in the function description of the biometric information management unit 333. In addition, the biometric authentication processing unit 331 provides a function to create credential information. The credential information will be described in the function configuration of the credential information storage unit 332. 
【0033】 The credential information storage unit 332 provides a function to store the credential information created by the biometric authentication processing unit 331 when the application server 103 registers a public key for using the services provided by the application server 103 with the authentication server 104. 【0034】 Table 1 shows an example of a credential information table held in the credential information storage unit 332 of the authentication terminal 101. [Table 1] Table 2 shows an example of a credential information table held in the credential information storage unit 332 of the authentication terminal 102. [Table 2] 【0035】 As shown in Tables 1 and 2, the credential information record in the credential information table includes an authentication information ID, which is an ID that uniquely identifies the authentication information, a private key, a user ID, which is an ID that uniquely identifies the user information, and a service URL, which is the URL of the service provided by the application server 103. 【0036】 The biometric information management unit 333 manages the biometric information stored in the authenticator 330. Table 3 shows an example of a biometric information table managed by the biometric information management unit 333 for the authentication terminal 101. [Table 3] Table 4 shows an example of a biometric information table managed by the biometric information management unit 333 of the authentication terminal 102. [Table 4] As shown in Tables 3 and 4, each biometric record in the biometrics table includes a user ID and a biometrics ID, which is an ID that uniquely identifies the biometric information. 【0037】 The image processing unit 334 acquires image information of the QR code (registered trademark) used for communication between authentication terminals, which is entered by the user, and performs analysis of the QR code. 
【0038】 (Application Server) The application server 103 includes an authentication processing unit 340 and a credential registration processing unit 341. The authentication processing unit 340 provides a function to request the credential information management server 105 to obtain information about users who use the services provided by the application server 103. The authentication processing unit 340 obtains the user authentication result from the credential information management servers 105 and 106. In this embodiment, OpenID Connect is used for user authentication, but other authentication methods such as HTTP authentication (Basic authentication / Digest authentication) may also be used. 【0039】 The credential registration processing unit 341 receives credential registration requests from authentication terminals 101 and 102 and provides the function of sending credential registration requests to the authentication server 104. The credential registration processing unit 341 also receives credential registration results from authentication terminals 101 and 102 and provides the function of sending a request to the authentication server 104 to verify the credential registration results. 【0040】 (Authentication server) The authentication server 104 includes an authentication request management unit 350 and a public key management unit 351. The authentication request management unit 350 receives a request to create credential information sent from the application server 103 and provides a function to send a challenge for credential registration. The authentication request management unit 350 also provides a function to verify the results of the credential information creation sent from the authentication terminals 101 and 102 and send the creation results to the application server 103. 
Furthermore, the authentication request management unit 350 provides a function to send a request to the public key management unit 351 to save the public key information included in the results of the credential information creation. 【0041】 The public key management unit 351 receives a public key storage request sent from the authentication request management unit 350 and provides a function to store the public key. Table 5 shows an example of a public key table managed by the public key management unit 351. [Table 5] As shown in Table 5, the public key record in the public key table contains the authentication information ID and the public key. 【0042】 (Credential information management server) The credential information management server 105 includes a credential information management unit 360 and a user management unit 361. 【0043】 The credential information management unit 360 has the function of receiving credential information registration requests from authentication terminals 101 and 102 and storing the credential information. Table 6 shows an example of a credential information table maintained by the credential information management unit 360 of the credential information management server 105. [Table 6] Table 7 shows an example of a credential information table maintained by the credential information management unit 360 of the credential information management server 106. [Table 7] As shown in Tables 6 and 7, the credential information records in the credential information table include authentication information ID, private key, user ID, and service URL. 【0044】 The user management unit 361 provides a function to hold user information for users of authentication terminals 101 and 102. The user management unit 361 also receives user authentication requests from the application server 103, performs user authentication processing, and issues token information for using the application server 103. 
Furthermore, when using the function to synchronize credential information provided by the credential management server, the user management unit 361 provides a function to authenticate users using the credential management server. In this embodiment, authentication using the HTTP authentication method (Basic authentication / Digest authentication) is employed, but other authentication methods such as OpenID Connect may also be used. 【0045】 Table 8 shows an example of a user information table maintained by the user management unit 361 of the credential information management server 105. [Table 8] Table 9 shows an example of a user information table maintained by the user management unit 361 of the credential information management server 106. [Table 9] As shown in Tables 8 and 9, the user information records in the user information table include the user ID and password. 【0046】 <User Authentication Process> The user authentication process will be explained using Figure 5. In order to register the credential information associated with users using authentication terminals 101 and 102, it is necessary to verify whether the user is registered with the service. This process uses the authentication information of the user using authentication terminal 102 to authenticate the service provided by application server 103 from authentication terminal 101. 【0047】 Figure 5 is a sequence diagram illustrating the processes of the authentication terminal 101, the application server 103, and the credential information management server 106, which manages the authentication information of users utilizing the authentication terminal 102, in the user authentication process. In this diagram, the process of the authentication terminal 101 is realized by the CPU 201 of the authentication terminal 101 loading a program stored in the HDD 203 into memory 202 and executing it. 
The processes of the application server 103 and the credential information management server 106 are realized by the CPU 210 of each server loading a program stored in the HDD 212 into memory 211 and executing it. 【0048】 When the user authentication process begins, at S501, the browser 310 of the authentication terminal 101 sends a login request to the application server 103. Upon receiving this request, the application server 103 proceeds to S502. 【0049】 In S502, the authentication processing unit 340 of the application server 103 creates and stores a nonce (number used once) associated with the session. A nonce is a single-use random character string used during encrypted communication. A specific example would be "1 999 888 777 666 555 444". 【0050】 Next, in S503, the authentication processing unit 340 of the application server 103 sends the authentication terminal 101 a request to access the credential information management server 106. For example, this request is accompanied by a nonce created in association with the above session. In response to this request, the authentication terminal 101 accesses the credential information management server 105, and the authentication screen (not shown) of the credential information management server 105 is displayed in the browser 310. When the authentication information of the user using the authentication terminal 101 (explained here as user ID and password) is entered on this authentication screen and the user instructs that authentication be performed, the browser 310 of the authentication terminal 101 proceeds to S504. 【0051】 At S504, the browser 310 of the authentication terminal 101 sends an authentication request to the credential information management server 105. The authentication request includes the user ID and password of the user using the authentication terminal 102. In this explanation, the user ID is assumed to be "user002" and the password "userpass2". 
When the credential information management server 105 receives the above authentication request, it proceeds to S505. 【0052】 In S505, the user management unit 361 of the credential information management server 105 verifies the authentication information sent from the authentication terminal 101. If the combination of user ID and password exists in the user information table held by the user management unit 361 (i.e., the verification is successful), the user management unit 362 associates the nonce with the session and saves it, then proceeds to S506. Table 10 shows an example of a nonce information table maintained by the user management unit 361. [Table 10] As shown in Table 10, the nonce information record in the nonce information table contains the session ID, which is the session identifier, and the nonce. 【0053】 In S506, the user management unit 361 of the credential information management server 106 sends an authorization code to the authentication terminal 101. The authorization code is a time-limited token issued from the authorization endpoint, and a specific example is "dd1231FBC3123a987=". Upon receiving this authorization code, the authentication terminal 101 proceeds to S507. 【0054】 In S507, the browser 310 of the authentication terminal 101 sends the received authorization code to the application server 103. Upon receiving this authorization code, the application server 103 proceeds to S508. At S508, the authentication processing unit 340 of the application server 103 sends a request to the credential information management server 106 for the acquisition of an ID token and nonce, along with the authorization code mentioned above. An ID token is a token defined in OpenID Connect that proves that the user who requested the issuance has been authenticated. 【0055】 ID tokens are explained next. An ID token consists of a header, payload, and signature, in that order. Note that it may not include a signature. 
The following are specific examples of ID tokens, but they are not exhaustive. 【0056】
(Header)
{
  "typ": "assertion",
  "alg": "ES256",
  "kid": "aaaaaaaa-bbbb-1111-8888-999999999999"
}
(Payload)
{
  "response_type": "id_token",
  "redirect_url": "http://example_srv.com/customer",
  "iss": "ODBIMWUwasdasd123UUUMXw",
  "sub": "dXIIMM123KKllss",
  "iat": 1903144999,
  "exp": 1903149999
}
(Signature)
【0057】 When the credential information management server 105 receives the request to obtain the ID token and nonce along with the authorization code mentioned above, it proceeds to process S509. In S509, the user management unit 362 of the credential information management server 105 sends the ID token and the nonce from S505 to the application server 103. Upon receiving the ID token and nonce, the application server 103 proceeds to S510. 【0058】 In S510, the authentication processing unit 340 of the application server 103 verifies the ID token and nonce. For example, in nonce verification, it checks whether it matches the nonce issued in S502 associated with the session. If the nonce verification is successful, the authentication processing unit 340 deletes the nonce issued in S502. The authentication processing unit 340 determines that authentication is successful if the verification of the ID token and nonce is successful, and that authentication has failed if these verifications fail. Next, in S511, the authentication processing unit 340 of the application server 103 sends the authentication result to the authentication terminal 101 and terminates the process. 【0059】 <Credential Management Server Authentication Process> The authentication process for the credential information management server will be explained using Figure 6.
This process performs the necessary authentication before authentication terminal 101 registers credential information with credential information management server 105, and authentication terminal 102 registers credential information with credential information management server 106. 【0060】 Figure 6 is a sequence diagram showing the processing of authentication terminals 101 / 102 and credential information management servers 105 / 106 in the credential information management server authentication process. In this diagram, the processing of authentication terminals 101 / 102 is achieved by the CPU 201 of authentication terminals 101 / 102 reading the program stored in HDD 203 into memory 202 and executing it. Similarly, the processing of credential information management servers 105 / 106 is achieved by the CPU 210 of credential information management servers 105 / 106 reading the program stored in HDD 212 into memory 211 and executing it. 【0061】 When the credential information management server authentication process begins, at S601, the browser 310 of the authentication terminal sends an authentication request to the credential information management server. Authentication terminal 101 sends a request to credential information management server 105, and authentication terminal 102 sends a request to credential information management server 106. Upon receiving these requests, the credential information management server proceeds to S602. 【0062】 In S602, the user management unit 361 of the credential information management server sends a user information acquisition request to the authentication terminal. The credential information management server 105 sends the request to the authentication terminal 101, and the credential information management server 106 sends the request to the authentication terminal 102. Upon receiving this request, the authentication terminal proceeds to S603. 
【0063】 In S603, the authentication terminal's browser 310 receives the user ID and password of the user using the authentication terminal. Upon receiving the input from the user, the authentication terminal's browser 310 sends the obtained user ID and password to the user credential information management server. Authentication terminal 101 sends the user ID and password to the credential information management server 105, and authentication terminal 102 sends the user ID and password to the credential information management server 106. In this embodiment, the user ID sent from authentication terminal 101 is "user001" and the password is "userpass1", and the user ID sent from authentication terminal 102 is "user002" and the password is "userpass2". Upon receiving this user ID and password, the credential information management server proceeds to S604. 【0064】 At S604, the user management unit 361 of the credential information management server performs user information verification. If a user ID and password combination matching the received user ID and password combination exists in the user information table, the authentication result is considered successful; otherwise, the authentication result is considered unsuccessful. 【0065】 Next, at S605, the user management unit 361 of the credential information management server sends the verification result to the authentication terminal and terminates this process. The credential information management server 105 sends the authentication result to the authentication terminal 101, and the credential information management server 106 sends the authentication result to the authentication terminal 1002. The authentication terminal receives this authentication result. 【0066】 <Credential Information Registration Process> The credential information registration process will be explained using Figure 7. 
This process involves communication between authentication terminals, with authentication terminal 101 requesting credential registration from authentication terminal 102. Next, authentication terminal 102 registers the credentials. Furthermore, based on the credential registration result at authentication terminal 102, authentication terminal 101 also performs credential registration. This process can only be executed if the user authentication process is successful. This process allows authentication terminal 101 to use services provided by application server 103 even if authentication terminal 102, the terminal to which credentials are registered, is temporarily unavailable. 【0067】 Figure 7 is a sequence diagram illustrating the processes of authentication terminal 101, authentication terminal 102, application server 103, authentication server 104, credential information management server 105, and credential information management server 106 in the credential information registration process of the first embodiment. In this figure, the processes of authentication terminals 101 and 102 are realized by the CPU 201 of each authentication terminal reading a program stored in HDD 203 into memory 202 and executing it. The processes of application server 103, authentication server 104, and credential information management servers 105 / 106 are realized by the CPU 210 of each server device reading a program stored in HDD 212 into memory 211 and executing it. 【0068】 For example, the browser 310 of the authentication terminal 101 displays a credential information registration screen, as shown in Figure 4, provided by the application server 103. The process is initiated when the user clicks the "Yes" button 401 on the credential information registration screen. 
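The registration process runs only after the user authentication process has succeeded, and that process (S502 to S510) depends on the application server treating its nonce as session-bound and single-use. The following Python is an added example, not code from the patent, covering the nonce and claim checks of S510. The class and function names, the 300-second lifetime and the constructed sample token are assumptions, and cryptographic verification of the ES256 signature is left to a JOSE library.

```python
import base64
import hmac
import json
import secrets
import time

ALLOWED_ALGS = {"ES256"}  # the algorithm in the page's example header


class NonceStore:
    """Session-bound, single-use nonces: issued in S502, checked in S510."""

    def __init__(self, ttl_seconds=300):  # lifetime is an assumption
        self._ttl = ttl_seconds
        self._by_session = {}  # session_id -> (nonce, issued_at)

    def issue(self, session_id, now=None):
        now = time.time() if now is None else now
        nonce = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._by_session[session_id] = (nonce, now)
        return nonce

    def consume(self, session_id, presented, now=None):
        """True only for the live nonce of this session.

        The entry is removed on every attempt, which is stricter than S510
        (delete on success): a wrong guess also burns the nonce.
        """
        now = time.time() if now is None else now
        entry = self._by_session.pop(session_id, None)
        if entry is None:
            return False
        nonce, issued_at = entry
        if now - issued_at > self._ttl:
            return False
        return hmac.compare_digest(nonce.encode(), str(presented).encode())


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_sample_token(signature="c2lnbmF0dXJl"):
    """Constructed token using the header and payload values shown on the page."""
    header = {"typ": "assertion", "alg": "ES256",
              "kid": "aaaaaaaa-bbbb-1111-8888-999999999999"}
    payload = {"iss": "ODBIMWUwasdasd123UUUMXw", "sub": "dXIIMM123KKllss",
               "iat": 1903144999, "exp": 1903149999}
    parts = [_b64url(json.dumps(p).encode()) for p in (header, payload)]
    return ".".join(parts + [signature])


def verify_login(store, session_id, id_token, returned_nonce, expected_iss, now=None):
    """S510 on the application server. Returns (ok, reason).

    Cryptographic verification of the signature needs a JOSE library and must
    pass before a real deployment trusts the claims; it is not performed here.
    """
    now = time.time() if now is None else now
    # Burn the nonce first so that every login attempt gets exactly one try.
    if not store.consume(session_id, returned_nonce, now):
        return False, "nonce"
    try:
        head_b64, body_b64, signature = id_token.split(".")
        header = json.loads(_b64url_decode(head_b64))
        claims = json.loads(_b64url_decode(body_b64))
    except ValueError:  # wrong segment count, bad base64, bad JSON
        return False, "malformed"
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return False, "malformed"
    if header.get("alg") not in ALLOWED_ALGS or not signature:
        return False, "unsigned"  # rejects alg "none" and empty signatures
    if claims.get("iss") != expected_iss:
        return False, "issuer"
    if not isinstance(claims.get("iat"), int) or not isinstance(claims.get("exp"), int):
        return False, "malformed"
    if now < claims["iat"]:
        return False, "not-yet-valid"
    if now >= claims["exp"]:
        return False, "expired"
    return True, "ok"
```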
【0069】 When the credential information registration process begins, at S701, the browser 310 of the authentication terminal 101 sends a request to the application server 103 to create credential information for the user using the authentication terminal 101. Upon receiving this request, the application server 103 proceeds to S702. 【0070】 In S702, the credential registration processing unit 341 of the application server 103 sends a credential information creation request to the authentication server 104. Upon receiving this request, the authentication server 104 proceeds to process S703. 【0071】 In S703, the authentication request management unit 350 of the authentication server 104 sends a credential information registration request along with a challenge to the authentication terminal 101. Specific examples of requests included in the credential information registration sent from the authentication request management unit 350 are as follows: 【0072】
{
  challenge: "ASD123tre12312FE",
  rp: {
    name: "AdminPage",
    id: "https://example_srv.com/admin",
    User: {
      id: "user002",
      name: "user002",
      displayName: "user002",
    },
    pubKeyCredParams: [
      {alg: -7, type: "public-key"},
      {alg: -257, type: "public-key"}],
    AuthenticatorSelection: {
      authenticatorAttachment: "platform",
      requireResidentKey: true,
    }
  }
}
【0073】 When authentication terminal 101 receives such a challenge, it proceeds to process S704. In S704, the authentication client 320 of the authentication terminal 101 sends a request to the browser 310 to display the credential registration consent screen for the authentication terminal 101. In response to this request, the browser 310 displays the credential registration consent screen as shown in Figure 8 and accepts consent input from the user. 【0074】 Figure 8 shows an example of a screen for consenting to register credentials to the authentication terminal 101.
When the browser 310 of the authentication terminal 101 obtains user consent by having the user click the "Yes" button 801 on the credential registration consent screen, it notifies the authentication client 320 of the authentication terminal 101. The authentication client 320 of the authentication terminal 101 sets the credential registration flag, an internal variable that determines whether to additionally register the credentials with the original authentication terminal, to "True". On the other hand, if the user clicks the "No" button 802 and user consent cannot be obtained, the authentication client 320 of the authentication terminal 101 sets the credential registration flag to "False". For example, the internal variable is stored in the memory 202 of the authentication terminal 101. 【0075】 Next, at S705, the authentication client 320 of the authentication terminal 101 sends a request to the browser 310 to display a QR code (registered trademark) for communication between authentication terminals. The browser 310 displays a QR code (not shown) for communication between authentication terminals. 【0076】 When the user reads the QR code displayed on the authentication terminal 101 using the camera of the authentication terminal 102 in step S705, the authentication terminal 102 executes the process in step S706. In S706, the image processing unit 334 of the authentication terminal 102 acquires image information of the QR code used for communication between authentication terminals, which is entered by the user, and performs QR code analysis. Once the analysis confirms that the QR code is a QR code for requesting registration of credential information, the authentication terminal 102 uses the analyzed information to start communication with the authentication terminal 101 via BLE (Bluetooth® Low Energy). Since BLE is a well-known technology, an explanation is omitted here.
【0077】 When authentication terminal 101 begins communication with authentication terminal 102, it proceeds to process S707. In S707, authentication terminal 101 sends a request to authentication terminal 102 for registration of the challenge and credential information obtained in S703. Upon receiving this, authentication terminal 102 proceeds to S708. 【0078】 In S708, the authentication terminal 102 acquires the biometric information of the user using the authentication terminal 102. Specifically, the authentication client 320 of the authentication terminal 102 sends a request to acquire biometric information to the biometric authentication processing unit 331. Upon receiving the request, the biometric authentication processing unit 331 waits until it receives the user's biometric information. The biometric authentication processing unit 331 acquires the feature quantities of the biometric information entered by the user. The feature quantities of biometric information are values obtained by converting something unique to each individual, such as fingerprint patterns, iris patterns, and vein shapes, into values that do not impair their uniqueness. Biometric authentication is the process of identifying an individual using these unique feature quantities. It is desirable that the biometric information transmitted in this process be encrypted using a known encryption technology so that only each authentication terminal can decrypt it. 【0079】 Next, in S709, the biometric authentication processing unit 331 of the authentication terminal 102 performs the authentication process. Specifically, the biometric authentication processing unit 331 sends a request to the biometric information management unit 333 to confirm that the biometric information acquired in S708 has been registered.
In response to this request, the biometric information management unit 333 checks whether the biometric information acquired in S708 has been registered and sends the confirmation result back to the biometric authentication processing unit 331. If the biometric authentication processing unit 331 receives confirmation from the biometric information management unit 333 that the biometric information has already been registered, it determines that the authentication was successful; otherwise, it terminates this process. If the authentication is successful, the biometric authentication processing unit 331 proceeds to S710. 【0080】 At S710, the biometric authentication processing unit 331 of the authentication terminal 102 sends a request to create credential information and store it in the credential information storage unit 332. When the credential information storage unit 332 receives the request to store the credential information, it stores the credential information in the TPM 209 of the authentication terminal 102, as shown in Table 11. Table 11 shows an example of a credential information table after credential information creation in the biometric authentication processing unit 331 of the authentication terminal 102. [Table 11] 【0081】 Next, in S711, the authentication client 320 of the authentication terminal 102 sends the result of creating the credential information to the authentication terminal 101. 
Specific examples of the result of creating the credential information to be sent to the authentication terminal 101 include the following: 【0082】
{
  "id": "asda13123fdcccc9786546",
  "rawId": "10003",
  "response": {
    "clientDataJson": {
      "type": "webauthn.create",
      "challenge": "NKX1239887823ASd",
      "origin": "https://device102.me",
      "crossOrigin": false
    },
    "attestationObject": {
      "aaguid": "00000000-0000-0000-0000-000000000000",
      "credentialId": "10003",
      "credentialPublicKey": {
        "kty": "RSA",
        "alg": "ECDSA_alg_sha256",
        "crv": "p-256",
        "x": "1aasdaVERSSDfs/werwcsdfsdf",
        "y": "oisdfsdbfsbdhs/easdas,casdasd"
      }
    },
    "authenticatorAttachment": "platform",
    "type": "public-key"
  }
}
【0083】 When authentication terminal 101 receives the credential information creation result from authentication terminal 102, it proceeds to process S712. In S712, the authentication client 320 of the authentication terminal 101 sends the credential information creation result to the authentication server 104. Upon receiving the credential information creation result, the authentication server 104 executes the process in S713. 【0084】 In S713, the authentication request management unit 350 of the authentication server 104 verifies the signature of the challenge included in the credential information creation result. If the verification is successful, it obtains the public key included in the credential information creation result, sends a public key storage request to the public key management unit 351, and stores the public key as shown in Table 12. Table 12 shows an example of a public key table managed by the public key management unit 351 after public key registration. [Table 12] 【0085】 Next, in S714, the authentication request management unit 350 of the authentication server 104 sends the result of creating the credential information to the application server 103. Upon receiving the result of creating the credential information, the application server 103 proceeds to S715.
In S715, the credential registration processing unit 341 of the application server 103 sends the result of creating the credential information to the authentication terminal 101. Upon receiving the result of creating the credential information, the authentication terminal 101 proceeds to S716. 【0086】 In S716, the authentication client 320 of the authentication terminal 101 executes a process to determine whether to obtain consent for continued credential registration. The process to determine whether to obtain consent for continued credential registration will be explained in Figure 9 below. This process sets the value of the credential registration continuation consent screen flag, an internal variable that indicates whether to display the credential registration continuation consent screen on the authentication terminal 101. If the value is "True", the authentication client 320 of the authentication terminal 101 proceeds to S717. On the other hand, if the credential registration continuation consent screen flag is "False", it skips S717 and proceeds to S718. 【0087】 In S717, the authentication client 320 of the authentication terminal 101 sends a request to the browser 310 to display a consent screen for continuing credential registration. Based on this request, the browser 310 of the authentication terminal 101 displays a consent screen for continuing credential registration as shown in Figure 10. Figure 10 shows an example of a consent screen for continuing credential registration displayed by the browser 310 of the authentication terminal 101. When the browser 310 of the authentication terminal 101 obtains permission from the user to continue registration by clicking the "Yes" button 1001 on the consent screen for continuing credential registration, it notifies the authentication client 320 of the authentication terminal 101. 
The authentication client 320 of the authentication terminal 101 sets the value of the credential registration continuation flag, an internal variable indicating whether to continue credential registration, to "True". On the other hand, if the user is instructed to click the "No" button 1002 and permission to continue registration cannot be obtained from the user, the authentication client 320 of the authentication terminal 101 sets the value of the credential registration continuation flag to "False". The value of the credential registration continuation flag is set to "True" by default. 【0088】 Next, in S718, the authentication client 320 of the authentication terminal 101 performs a credential registration continuation determination process. The credential registration continuation determination process will be explained in Figure 11 below. This process sets the value of the credential registration process completion flag, an internal variable that indicates whether or not to terminate credential registration at the authentication terminal 101. If the credential registration process completion flag is "True", the authentication client 320 of the authentication terminal 101 terminates this process. If it is "False", the authentication client 320 of the authentication terminal 101 proceeds to S719. 【0089】 In S719, the authentication client 320 of the authentication terminal 101 sends a request to the application server 103 to create credentials for the user using the authentication terminal 101. Upon receiving the request to create credentials, the application server 103 executes the process in S720. 【0090】 In S720, the credential registration processing unit 341 of the application server 103 sends a credential information creation request to the authentication server 104. Upon receiving this request, the authentication server 104 proceeds to S721. 
【0091】 In S721, the authentication request management unit 350 of the authentication server 104 sends a credential information registration request along with a challenge to the authentication terminal 101. Specific examples of requests included in the credential information registration sent from the authentication request management unit 350 are as follows: 【0092】
{
  challenge: "QWE123tre12312FE",
  rp: {
    name: "AdminPage",
    id: "https://example_srv.com/admin",
    User: {
      id: "user001",
      name: "user001",
      displayName: "user001",
    },
    pubKeyCredParams: [
      {alg: -7, type: "public-key"},
      {alg: -257, type: "public-key"}],
    AuthenticatorSelection: {
      authenticatorAttachment: "platform",
      requireResidentKey: true,
    }
  }
}
【0093】 When authentication terminal 101 receives such a challenge, it proceeds to process S722. In step S722, the authentication terminal 101 acquires the biometric information of the user using the authentication terminal 101. Specifically, the authentication client 320 of the authentication terminal 101 sends a biometric information acquisition request to the biometric authentication processing unit 331. Upon receiving the biometric information acquisition request, the biometric authentication processing unit 331 waits until it receives the user's biometric information. The biometric authentication processing unit 331 acquires the feature quantities of the biometric information entered by the user. 【0094】 Next, in S723, the biometric authentication processing unit 331 of the authentication terminal 101 performs the authentication process. Specifically, the biometric authentication processing unit 331 sends a request to the biometric information management unit 333 to confirm that the biometric information acquired in S722 has been registered.
In response to this request, the biometric information management unit 333 checks whether the biometric information acquired in S722 has been registered and sends the confirmation result back to the biometric authentication processing unit 331. If the biometric authentication processing unit 331 receives confirmation from the biometric information management unit 333 that the biometric information has already been registered, it determines that the authentication was successful; otherwise, it terminates this process. If the authentication is successful, the biometric authentication processing unit 331 proceeds to S724. 【0095】 In S724, the biometric authentication processing unit 331 of the authentication terminal 101 sends a request to create credential information and store it in the credential information storage unit 332. When the credential information storage unit 332 receives the request to store the credential information, it stores the credential information in the TPM 209 of the authentication terminal 101, as shown in Table 13. Table 13 shows an example of a credential information table after credential information creation in the biometric authentication processing unit 331 of the authentication terminal 101. [Table 13] 【0096】 Next, at S725, the authentication client 320 of the authentication terminal 101 sends the credential information creation result to the authentication server 104. 
Specific examples of the credential information creation result sent to the authentication server 104 include the following:
{
  "id": "qwwqa13123fdcccc9786546",
  "rawId": "10004",
  "response": {
    "clientDataJson": {
      "type": "webauthn.create",
      "challenge": "LQW1239887823ASd",
      "origin": "https://device101.me",
      "crossOrigin": false
    },
    "attestationObject": {
      "aaguid": "00000000-0000-0000-0000-000000000000",
      "credentialId": "10004",
      "credentialPublicKey": {
        "kty": "RSA",
        "alg": "ECDSA_alg_sha256",
        "crv": "p-256",
        "x": "2aasdaVERSSDfs/werwcsdfsdf",
        "y": "qisdfsdbfsbdhs/easdas,casdasd"
      }
    },
    "authenticatorAttachment": "platform",
    "type": "public-key"
  }
}
【0097】 When the authentication server 104 receives the result of creating credential information from the authentication terminal 101, it executes the process in S726. In S726, the authentication request management unit 350 of the authentication server 104 verifies the signature of the challenge included in the credential information creation result. If the verification is successful, it obtains the public key included in the credential information creation result, sends a public key storage request to the public key management unit 351, and stores the public key as shown in Table 14. Table 14 shows an example of a public key table managed by the public key management unit 351 after public key registration. [Table 14] 【0098】 Next, in S727, the authentication request management unit 350 of the authentication server 104 sends the result of creating the credential information to the application server 103. Upon receiving the result of creating the credential information, the application server 103 proceeds to processing in S728. In S728, the credential registration processing unit 341 of the application server 103 sends the result of creating the credential information to the authentication terminal 101. Upon receiving the result of creating the credential information, the authentication terminal 101 proceeds to S729.
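What S713 and S726 imply on the authentication server, as an added Python example that is not the patent's code: each challenge issued in S703 or S721 is accepted once, the client data must be a `webauthn.create` for that challenge from an expected origin, and the second registration must not overwrite the key stored by the first. The class, the origin allowlist, the reason strings and the constructed sample messages are assumptions; attestation signature verification needs a WebAuthn library and is outside this block.

```python
import secrets

EXPECTED_TYPE = "webauthn.create"


class RegistrationVerifier:
    """Server-side state for S703/S721 (issue) and S713/S726 (check and store)."""

    def __init__(self, allowed_origins):
        self._allowed_origins = frozenset(allowed_origins)
        self._pending = {}      # challenge -> user id it was issued for
        self.public_keys = {}   # credential id -> {"user": ..., "key": ...}

    def begin(self, user_id):
        """Issue a fresh challenge, shaped like the request shown for S703."""
        challenge = secrets.token_urlsafe(16)
        self._pending[challenge] = user_id
        return {
            "challenge": challenge,
            "user": {"id": user_id, "name": user_id, "displayName": user_id},
            "pubKeyCredParams": [{"alg": -7, "type": "public-key"},
                                 {"alg": -257, "type": "public-key"}],
        }

    def finish(self, result):
        """Validate a credential creation result. Returns (ok, reason)."""
        try:
            response = result["response"]
            client = response["clientDataJson"]
            att = response["attestationObject"]
            challenge = client["challenge"]
            cred_id = att["credentialId"]
            key = att["credentialPublicKey"]
        except (KeyError, TypeError):
            return False, "malformed"
        # A challenge is usable once, whatever the later checks decide, so a
        # result relayed in S712 cannot be submitted a second time.
        user_id = None
        if isinstance(challenge, str):
            user_id = self._pending.pop(challenge, None)
        if user_id is None:
            return False, "challenge"
        if client.get("type") != EXPECTED_TYPE:
            return False, "type"
        origin = client.get("origin")
        if not isinstance(origin, str) or origin not in self._allowed_origins:
            return False, "origin"
        if client.get("crossOrigin", False) is not False:
            return False, "cross-origin"
        if not isinstance(cred_id, str) or result.get("rawId") != cred_id:
            return False, "credential-id"
        if cred_id in self.public_keys:
            return False, "duplicate-credential"  # never overwrite a stored key
        self.public_keys[cred_id] = {"user": user_id, "key": key}
        return True, "stored"


def sample_result(cred_id, challenge, origin, ceremony=EXPECTED_TYPE):
    """Constructed message in the shape of the page's S711/S725 examples."""
    return {
        "id": "constructed-" + cred_id,
        "rawId": cred_id,
        "response": {
            "clientDataJson": {"type": ceremony, "challenge": challenge,
                               "origin": origin, "crossOrigin": False},
            "attestationObject": {
                "aaguid": "00000000-0000-0000-0000-000000000000",
                "credentialId": cred_id,
                "credentialPublicKey": {"kty": "EC", "crv": "P-256",
                                        "x": "constructed-x", "y": "constructed-y"},
            },
            "authenticatorAttachment": "platform",
            "type": "public-key",
        },
    }
```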
【0099】 In step S729, the authentication client 320 of the authentication terminal 101 sends a registration result display request to the browser 310 of the authentication terminal 101. Upon receiving the registration result display request, the browser 310 displays the registration result as shown in Figure 12. Figure 12 shows an example of the registration result screen displayed in the browser 310 of the authentication terminal 101. 【0100】 In step S730, the authentication client 320 of the authentication terminal 102 sends a request to retrieve the credential information registered in the credential storage unit 332 of the authentication terminal 102 in step S710. Furthermore, the authentication client 320 of the authentication terminal 102 sends the retrieved credential information to the credential information management server 106. This communication utilizes known encrypted communication such as SSL. Upon receiving the credential information, the credential information management server 106 executes the process in step S731. 【0101】 In S731, the credential information management unit 360 of the credential information management server 106 stores the credential information as shown in Table 15. Table 15 shows an example of a registered credential information table in the credential information management unit 360 of the credential information management server 106. [Table 15] 【0102】 After registering the credential information, the credential information management unit 360 of the credential information management server 106 sends the credential information registration result to the authentication terminal 102. The authentication terminal 102 receives the credential information registration result. 【0103】 Furthermore, in S732, the authentication client 320 of the authentication terminal 101 sends a request to retrieve the credential information registered in the credential storage unit 332 of the authentication terminal 101 in S724. 
In addition, the authentication client 320 of the authentication terminal 101 sends the retrieved credential information to the credential information management server 105. This communication uses known encrypted communication such as SSL. When the credential information management server 106 receives the credential information, it executes the process in S733. 【0104】 In S733, the credential information management unit 360 of the credential information management server 105 stores the credential information as shown in Table 16. Table 16 shows an example of a registered credential information table in the credential information management unit 360 of the credential information management server 105. [Table 16] 【0105】 After registering the credential information, the credential information management unit 360 of the credential information management server 106 sends the credential information registration result to the authentication terminal 101 and terminates this process. The authentication terminal 101 receives the credential information registration result. 【0106】 <Processing to determine consent for continued credential registration> The process for determining whether to obtain consent for continued credential registration, which is processed by the authentication client 320 of the authentication terminal 101, will be explained using Figure 9. This process determines whether to obtain consent to continue registering the credential information when an error occurs at the authentication terminal 102 during the credential information registration process and the credential registration fails. 【0107】 Figure 9 is a flowchart showing an example of the process for determining consent to continue credential registration, as shown in S716 of Figure 7. This flowchart is executed by the CPU 201 of the authentication terminal 101 loading a program stored in the HDD 203 into memory 202 and executing it. 
【0108】 First, when this process starts, at S901, the authentication client 320 of the authentication terminal 101 obtains the credential registration result from the credential registration destination terminal. In this embodiment, the credential registration destination terminal is the authentication terminal 102. Next, in S902, the authentication client 320 determines whether the credential registration was successful. If the credential registration is successful (YES in S902), the authentication client 320 proceeds to S903. At S903, the authentication client 320 sets the "Display Credential Registration Continuation Consent Screen Flag," an internal variable indicating whether to display the credential registration continuation consent screen, to "False," and terminates the processing of this flowchart. 【0109】 On the other hand, if credential registration fails in S902 (if the result is NO in S902), the authentication client 320 proceeds to S904. At S904, the authentication client 320 sets the flag for displaying the consent screen for continuing credential registration to "True," and terminates the processing of this flowchart. 【0110】 <Credential registration continuation determination process> The credential registration continuation determination process, which is performed by the authentication client 320 of the authentication terminal 101, will be explained using Figure 11. This process determines whether to continue registering additional credential information on the authentication terminal 101 during the credential information registration process. 【0111】 Figure 11 is a flowchart showing an example of the credential registration continuation determination process shown in S718 of Figure 7 in the first embodiment. The processing in this flowchart is achieved when the CPU 201 of the authentication terminal 101 reads the program stored in the HDD 203 into the memory 202 and executes it. 
【0112】 First, when this process starts, at S1101, the authentication client 320 of the authentication terminal 101 obtains a credential registration flag (for example, set at S704 in Figure 7), which is an internal variable indicating whether or not to register credentials, from the credential registration source terminal. In this embodiment, the credential registration source terminal is the authentication terminal 101. 【0113】 Next, in S1102, the authentication client 320 obtains a credential registration continuation flag (for example, set in S717 in Figure 7), which is an internal variable indicating whether or not to continue credential registration, from the credential registration source terminal. 【0114】 Next, in S1103, the authentication client 320 determines whether the credential registration flag obtained in S1101 is "True". If the credential registration flag is "False" (NO in S1103), the authentication client 320 proceeds to S1104. In S1104, the authentication client 320 sets the credential registration completion flag, an internal variable indicating whether credential registration has been completed at the credential registration source terminal, to "True," and terminates the processing of this flowchart. 【0115】 On the other hand, if the credential registration flag is "True" (if YES is given in S1103), the authentication client 320 proceeds to S1105. In S1105, the authentication client 320 determines whether the credential registration continuation flag obtained in S1102 is "True". If the credential registration continuation flag is "False" (NO in S1105), the authentication client 320 proceeds to S1106. At S1106, the authentication client 320 sets the credential registration process completion flag to "True" and terminates the processing of this flowchart. 
In this case, the processes from S719 onwards in Figure 7 are not executed, and credential registration at the registration source terminal (authentication terminal 101 in this example) is completed. 【0116】 On the other hand, if the credential registration continuation flag is "True" (if YES is given in S1107), the authentication client 320 proceeds to S1107. At S1107, the authentication client 320 sets the credential registration process completion flag to "False" and terminates the processing of this flowchart. In this case, the processes from S719 onwards are executed in Figure 7, and credential registration continues at the registration source terminal (authentication terminal 101 in this example). 【0117】 Alternatively, instead of displaying the credential registration consent screen shown in Figure 8 at the time of S704, the system may display a screen similar to the credential registration consent screen shown in Figure 8 at the time the process of registering credentials to the destination terminal is completed (immediately after S715), along with the registration result, to request consent to additionally register the credentials to the terminal from which the credentials were registered. If such consent is obtained, the system may then register the credentials to the terminal from which the credentials were registered in steps S719 to S728. 【0118】 As described above, according to the first embodiment, by communicating between terminals, when registering credentials for accessing a service on a terminal different from the terminal from which the credentials were registered, the credentials can be registered simultaneously on the terminal from which the credentials were registered. This eliminates the need for the user to separately register a passkey on the terminal to which the credentials are registered and on the terminal from which the credentials were registered. 
Instead, it allows for easy passkey registration on both the terminal to which the credentials are registered and on the terminal from which the credentials were registered in a single step, significantly improving usability and the authentication security of the device. As a result, authentication to the service can be enabled even if the terminal to which the passkey is registered is temporarily unavailable. 【0119】 The device to which credentials are registered may be a phone or tablet linked to the device from which credentials are registered (for example, a smartphone or tablet connected to the device from which credentials are registered, which is a Windows 11 device, via a feature called "Phone Link" in Windows 11). In this case, it is not necessary for the device to scan the QR code displayed on the device from which credentials are registered. However, the device to which credentials are registered must be in close proximity to the device from which credentials are registered. Additionally, the device to which credentials are registered may also be a security key such as a USB security key. 【0120】 Here, we will explain using a conventional device (hereinafter referred to as "this device") having the following functions as an example. This device can locally store a passkey (corresponding to the credentials of this embodiment). In addition, this device can store credentials in one of the following locations (1) to (3). (1) New phone or tablet: For example, the passkey can be saved on a mobile device such as a smartphone or tablet. In this case, the mobile device must scan the QR code displayed on this device. Also, the mobile device must be in close proximity to this device. (2) Linked phone or tablet: The passkey can be saved on a mobile device, such as a smartphone or tablet, that is linked to this device. In this case, the linked mobile device must be in close proximity to this device. 
(3) Security key: For example, a passkey can be saved on a USB security key. However, with this device, when saving the passkey in (1) to (3), the passkey is not saved on this device itself. Therefore, if the terminal to which the credentials are registered becomes unavailable due to power failure, loss, etc., authentication to the service may become impossible. Therefore, by adding the functions described in the above-described embodiment to such conventional devices, when registering credentials to a device other than the credential registration device (such as a smartphone, tablet, or security key) by communicating between terminals as described in (1) to (3) above, it becomes possible to register the credentials to the credential registration device as well. As a result, even if authentication to a service using the device to which credentials are registered cannot be performed due to, for example, the battery running out or the device being lost, it becomes possible to authenticate to the service using the credential registration device. 【0121】 In the above explanation, if consent for credential registration to the authentication terminal 101 (the registration source terminal) is obtained from the credential registration consent screen as shown in Figure 8, then credential registration to the authentication terminal 101 (the registration source terminal) is performed upon successful credential registration to the authentication terminal 102 (the registration destination terminal). 
On the other hand, even if consent for credential registration to the authentication terminal 101 (the registration source terminal) is obtained, if credential registration to the authentication terminal 102 (the registration destination terminal) fails, the system will ask for consent to continue credential registration to the authentication terminal 101 (the registration source terminal) from the credential registration continuation consent screen as shown in Figure 10, and if such consent is obtained, credential registration to the authentication terminal 101 (the registration source terminal) is performed. However, if consent for credential registration to the authentication terminal 101 (the registration source terminal) is obtained from the credential registration consent screen as shown in Figure 8, it may be configured to perform credential registration to the authentication terminal 101 (the registration source terminal) regardless of the result (success / failure) of credential registration to the authentication terminal 102 (the registration destination terminal). 【0122】 Furthermore, if credential registration to the authentication terminal 101, which is the registration source terminal, fails, a message such as "Credential registration at the registration source terminal failed. Do you want to register your credentials at another terminal?" may be displayed. If the user agrees, the authentication terminal 101, which is the registration source terminal, may further accept the user's selection of which of (1) to (3) above to register the credentials, and register the credentials at the location selected by the user. Alternatively, regardless of the success or failure of the credential registration to the authentication terminal 101, which is the registration source terminal, a message such as "Do you want to register your credentials to other terminals?" 
may be displayed as described above, and the user may be prompted to register their credentials to other terminals based on their selection. This configuration allows, for example, users to register their credentials on a smartphone, and if the credential registration on the PC (the source device) fails, they can also register their credentials on a security key as a backup. This means that even if authentication to a service using the smartphone (the device to which the credentials are registered) fails due to battery failure, malfunction, loss, etc., it is still possible to authenticate to the service using the backup security key. 【0123】 [Second Embodiment] In the first embodiment, a method for registering credentials on both the source and destination authentication terminals was disclosed. In the first embodiment, even when authentication is permitted only on a specified authentication terminal, such as with the SupplementalPublicKey option, credentials are registered on both terminals. Therefore, the application server's original objective of allowing authentication only on the destination authentication terminal cannot be achieved. For this reason, in the second embodiment, in addition to the configuration of the first embodiment, a configuration is described in which the registration of credentials to the source terminal is skipped when the SupplementalPublicKey option is specified from the application server providing the service. 【0124】 <System Configuration> Since it is the same as the first embodiment, the explanation will be omitted. <Hardware configuration of authentication terminal and server device> Since it is the same as the first embodiment, the explanation will be omitted. 
【0125】 <Functional Configuration> Figure 13 is a block diagram showing an example of the functional configuration of authentication terminals 101, 102, application server 103, authentication server 104, and credential information management servers 105, 106 in the second embodiment. 【0126】 (Authentication terminal) The authentication terminals 101 and 102 each include a browser 310, an authentication client 1320, an authenticator 330, and an image processing unit 334. Since the browser 310 and image processing unit 334 are the same as in the first embodiment, their description will be omitted. 【0127】 In addition to the functions of the authentication client 320 in the first embodiment, the authentication client 1320 provides a function to skip the additional registration of credentials to the authentication terminals 101 and 102 that register the credentials, depending on the option specified by the application server 103 during credential registration. Furthermore, the authentication client 1320 manages the registration skip target option information, which is the option information that skips the additional registration of credentials, from among the options sent from the authentication server 104, as shown in Table 17. 【0128】 Table 17 shows an example of a registration skip target option information management table managed by authentication client 1320. [Table 17] As shown in Table 17, the registration skip target option information in the registration skip target option information management table includes the option name. 【0129】 The authenticator 330 comprises a biometric authentication processing unit 1331, a credential information storage unit 1332, and a biometric information management unit 333. Since the biological information management unit 333 is the same as in the first embodiment, its description will be omitted. 
【0130】 In addition to the functions of the biometric information processing unit 331 in the first embodiment, the biometric information processing unit 1331 has the function of creating credential information linked to the authentication terminal. In addition to the functions of the credential information storage unit 332 in the first embodiment, the credential information storage unit 1332 provides a function for managing credential information associated with the authentication terminal. 【0131】 Table 18 is an example of a credential information management table associated with an authentication terminal, managed by the credential information storage unit 1332 of the authentication terminal 101. [Table 18] Table 19 is an example of a credential information management table associated with an authentication terminal, managed by the credential information storage unit 1332 of the authentication terminal 102. [Table 19] As shown in Tables 18 and 19, the credential information associated with the authentication terminal in the credential information management table linked to the authentication terminal includes the authentication information ID, private key, user ID, and service URL. 【0132】 (Application Server) The application server 103 includes an authentication processing unit 340 and a credential registration processing unit 1341. The authentication processing unit 340 is the same as in the first embodiment, so its description is omitted. In addition to the functions of the credential registration processing unit 341 in the first embodiment, the authentication processing unit 1341 provides the authentication server 104 with the function to specify options for credential registration. 【0133】 (Authentication server) The authentication server 104 includes an authentication request management unit 1350 and a public key management unit 1351. 
In addition to the functions of the authentication request management unit 350 in the first embodiment, the authentication request management unit 1350 provides the function of receiving options specified from the application server 103 during credential registration and sending the options along with a challenge to the authentication terminals 101 and 102. Furthermore, the authentication request management unit 1350 has the function of verifying the signature information signed with the credential information associated with the authentication terminals, which is included in the credential registration results sent from the authentication terminals 101 and 102. 【0134】 In addition to the functions of the public key management unit 351 in the first embodiment, the public key management unit 1351 has the function of managing the public keys of credentials associated with the authentication terminals included in the credential registration results transmitted from the authentication terminals 101 and 102. Table 20 shows an example of a public key information table associated with an authentication terminal managed by the public key management unit 1351 of the authentication server 104. [Table 20] As shown in Table 20, the public key information associated with the authentication terminal in the public key information table includes the authentication information ID and the public key. 【0135】 (Credential Information Management Server 1) Since the credential information management servers 105 and 106 have the same functional configurations as in the first embodiment, their description is omitted. 【0136】 <User Authentication Process> Since it is the same as the first embodiment, the explanation will be omitted. <Credential Management Server Authentication Process> Since it is the same as the first embodiment, the explanation will be omitted. 
【0137】 <Credential Information Registration Process> The credential information registration process in the second embodiment will be explained with reference to Figure 14. This process involves communication between authentication terminals, requesting credential registration from authentication terminal 101 to authentication terminal 102. Furthermore, based on the credential registration result at authentication terminal 102 and the specified options from application server 103, additional credential registration is also performed at authentication terminal 101. In addition, this process can only be executed if user authentication is successful through the user authentication process. This process allows application server 103 to determine whether or not to register additional credentials at authentication terminal 101 based on the specified options. 【0138】 Figure 14 is a sequence diagram showing the processes of authentication terminal 101, authentication terminal 102, application server 103, authentication server 104, credential information management server 105, and credential information management server 106 in the credential information registration process of the second embodiment. In this figure, the processes of authentication terminals 101 and 102 are realized by the CPU 201 of each authentication terminal reading a program stored in HDD 203 into memory 202 and executing it. The processes of application server 103, authentication server 104, and credential information management servers 105 / 106 are realized by the CPU 210 of each server device reading a program stored in HDD 212 into memory 211 and executing it. 【0139】 Since S1401 is the same as S701 in the first embodiment, its explanation will be omitted. When the application server 103 receives the credential information creation request in S1401, it proceeds to process S1402. 
【0140】 In S1402, the credential registration processing unit 1341 of the application server 103 sends a request to create credential information, including options, to the authentication server 104. In this embodiment, the option to be added is supplementalPubKey, which is an option that requests the registration of SupplementalPublicKey. When the authentication server 104 receives this credential information creation request, it proceeds to process S1403. 【0141】 In S1403, the authentication request management unit 1350 of the authentication server 104 sends a credential information registration request along with a challenge to the authentication terminal 101. Specific examples of requests included in the credential information registration sent from the authentication request management unit 1350 are as follows: 【0142】
{
  "challenge": "ASD123tre12312FE",
  "rp": {
    "name": "AdminPage",
    "id": "https://example_srv.com/admin",
    "user": {
      "id": "user002",
      "name": "user002",
      "displayName": "user002"
    },
    "pubKeyCredParams": [
      {"alg": -7, "type": "public-key"},
      {"alg": -257, "type": "public-key"}
    ],
    "authenticatorSelection": {
      "authenticatorAttachment": "platform",
      "requireResidentKey": true
    },
    "extensions": {
      "supplementalPubKeys": [
        {
          "scopes": ["device"],
          "attestation": "indirect",
          "attestationFormats": []
        }
      ]
    }
  }
}
【0143】 Next, steps S1404 to S1409 are the same as steps S704 to S709 in the first embodiment, so their explanation will be omitted. If the biometric authentication processing unit 331 successfully authenticates in S1409, it proceeds to S1410. 【0144】 At S1410, the biometric authentication processing unit 1331 of the authentication terminal 102 sends a request to create credential information and store it in the credential information storage unit 1332. When the credential information storage unit 1332 receives the request to store the credential information, it stores the credential information in the TPM 209 of the authentication terminal 102. 
【0145】 Table 21 shows an example of a credential information table after the credential information has been created. Table 22 also shows an example of a credential information table linked to an authentication terminal after the credential information has been created. [Table 21] [Table 22] 【0146】 Next, at S1411, the authentication client 320 of the authentication terminal 102 sends the result of creating the credential information to the authentication terminal 101. Specific examples of the result of creating the credential information to be sent to the authentication terminal 101 include the following: 【0147】
{
  "id": "asda34154fdcccc9786546",
  "rawId": "10005",
  "response": {
    "clientDataJson": {
      "type": "webauthn.create",
      "challenge": "NKX1239887823ASd",
      "origin": "https://device102.me",
      "crossOrigin": false
    },
    "attestationObject": {
      "aaguid": "00000000-0000-0000-0000-000000000000",
      "credentialId": "10003",
      "credentialPublicKey": {
        "kty": "RSA",
        "alg": "ECDSA_alg_sha256",
        "crv": "p-256",
        "x": "1aasdaVERSSDfs/werwcsdfsdf",
        "y": "oisdfsdbfsbdhs/easdas,casdasd"
      }
    },
    "authenticatorAttachment": "platform",
    "type": "public-key",
    "extensions": {
      "supplementalPubKeys": [
        {
          "aaguid": "12343231-dddd-ffff-cccc-bbbbccccdddd",
          "scope": "device",
          "spk": {
            "kty": "RSA",
            "alg": "ECDSA_alg_sha256",
            "crv": "p-256",
            "x": "qwrtyfVERSSDfs/werwcsdfsdf",
            "y": "qwrtysdbfsbdhs/easdas,casdasd"
          },
          "nonce": "1 222 444 666 666 555 444"
        }
      ]
    }
  }
}
【0148】 Subsequently, since S1412 is the same as S712 in the first embodiment, the description thereof will be omitted. When the authentication server 104 receives the credential information creation result of S1412, it executes the process of S713. 【0149】 In S1413, the authentication request management unit 1350 of the authentication server 104 verifies the signature to the challenge included in the credential information creation result. 
If the verification is successful, it acquires the public key included in the credential information creation result and sends a public key storage request to the public key management unit 1351 to store the public key. 【0150】 Table 23 shows an example of the public key table managed by the public key management unit 1351 after the public key registration. Also, Table 24 shows an example of the public key table associated with the authentication terminal managed by the public key management unit 1351 after the public key registration. 【Table 23】 【Table 24】 【0151】 Subsequently, since S1414 to S1417 are the same as S714 to S717 in the first embodiment, the description thereof will be omitted. 【0152】 In S1418, the authentication client 320 of the authentication terminal 101 performs a credential registration continuation determination process. The credential registration continuation determination process will be described in FIG. 15 which will be described later. By this process, the value of the credential registration process end flag, which is an internal variable indicating whether to end the credential registration in the authentication terminal 101, is set. If the credential registration process end flag is "True", that is, if it is determined in this process that registration continuation is unnecessary, in a step not shown, the authentication client 320 of the authentication terminal 101 sends a request to the browser 310 to display a registration continuation unnecessary screen. The browser 310 of the authentication terminal 101 displays a registration continuation unnecessary screen as shown in FIG. 16 based on this request. Figure 16 shows an example of a screen indicating that registration continuation is not required. 【0153】 On the other hand, if the credential registration process completion flag is "False", the authentication client 320 of the authentication terminal 101 proceeds to S1419. 
Next, since steps S1419 to S1433 are the same as steps S719 to S733 in the first embodiment, we will omit their explanation. 【0154】 <Credential registration continuation determination process> The credential registration continuation determination process, which is performed by the authentication client 1320 of the authentication terminal 101, will be explained using Figure 15. This process determines whether to continue registering additional credential information on the authentication terminal 101 during the credential information registration process. 【0155】 Figure 15 is a flowchart showing an example of the credential registration continuation determination process shown in S1418 of Figure 11 in the second embodiment. The processing in this flowchart is achieved when the CPU 201 of the authentication terminal 101 reads the program stored in the HDD 203 into the memory 202 and executes it. 【0156】 First, regarding S1501 to S1502, since they are the same as S1101 to S1102 in the first embodiment, we will omit the explanation. Next, in S1503, the authentication client 1320 of the authentication terminal 101 checks whether the request for registration of credential information sent from the authentication server 104 (S1403 in Figure 14) specifies an option included in the registration skip target option information management table, as exemplified in Table 17 (in the example in Table 17, "supplementalPubKeys"). 【0157】 If the request for registration of credential information includes an option included in the registration skip option information management table (YES in S1503), the authentication client 1320 proceeds to S1504. In S1504, the authentication client 1320 sets the credential registration completion flag, an internal variable indicating whether credential registration is complete at the credential registration source terminal, to "True," and terminates the processing of this flowchart. 
【0158】 On the other hand, if the request for registration of credential information does not specify any options included in the registration skip option information management table (i.e., NO in S1503), the authentication client 1320 proceeds to S1505. Sections S1505 to S1509 are the same as S1103 to S1107 in the first embodiment, so their explanation is omitted. 【0159】 As described above, according to the second embodiment, when the application server 103 providing the service performs a credential registration process to the registration destination terminal in response to a credential creation request with a predetermined option (e.g., the SupplementalPublicKey option), the credential registration process to the registration source terminal is not performed. This configuration allows for skipping credential registration to the registration source terminal when authentication is permitted only to specified authentication terminals such as those specified by the SupplementalPublicKey option. 【0160】 [Third Embodiment] In the first embodiment, a configuration was shown in which credentials are registered on both the registration source and the registration destination authentication terminal, but authentication processing must be performed on either authentication terminal during registration. In the third embodiment, if authentication has been performed from the registration destination authentication terminal within a certain period, the authentication process at the registration source authentication terminal is skipped when additional credentials are registered at the registration source authentication terminal. 【0161】 <System Configuration> Since it is the same as the first embodiment, the explanation will be omitted. <Hardware configuration of devices and information processing equipment> Since it is the same as the first embodiment, the description thereof will be omitted. <Functional Configuration> FIG. 
17 is a block diagram showing an example of the functional configurations of authentication terminals 101 and 102, application server 103, authentication server 104, and credential information management servers 105 and 106 in the third embodiment. Since the functional configurations of credential information management servers 105 and 106 are the same as those in the first embodiment, the description thereof will be omitted. 【0162】 In addition to the functional configuration of the first embodiment, authentication terminals 101 and 102 include an authentication history management unit 1710. The authentication history management unit 1710 has a function of managing authentication time information that holds the time when authentication processing by communication between authentication terminals such as hybrid authentication was successful. Since hybrid authentication is a known technique, a detailed description thereof will be omitted. 【0163】 Table 25 shows an example of an authentication time information management table that manages authentication time information in the authentication history management unit 1710 of authentication terminal 101. 【Table 25】 The authentication time information in the authentication time information management table includes an authentication terminal ID, which is an identifier of the authentication terminal of the authentication destination, and an authentication time, which is the date and time at which authentication was successful. In this embodiment, the authentication time is the UNIX (registered trademark) time. Also, the authentication terminal ID of authentication terminal 102 is set to “1234-5678”. The authentication terminal ID is an identifier of the authentication terminal of the authentication destination that can be obtained during communication between authentication terminals. 
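The flag logic of Figure 11 (【0114】 to 【0116】), the option check of Figure 15 (【0156】 to 【0158】) and the recent-authentication rule of the third embodiment (【0160】, 【0163】), collected as an added Python example; it is not code from the patent. The function names, the constructed request, the nested search for "extensions", the 300-second window and the rejection of future timestamps are assumptions.

```python
import json

# Table 17 (registration skip target option information): the page's example entry.
SKIP_TARGET_OPTIONS = frozenset({"supplementalPubKeys"})

# Constructed creation request modelled on the sample in paragraph 0142.
REQUEST_WITH_SPK = json.loads("""
{
  "challenge": "ASD123tre12312FE",
  "rp": {"name": "AdminPage", "id": "https://example_srv.com/admin"},
  "user": {"id": "user002", "name": "user002", "displayName": "user002"},
  "pubKeyCredParams": [{"alg": -7, "type": "public-key"}],
  "extensions": {
    "supplementalPubKeys": {"scopes": ["device"], "attestation": "indirect"}
  }
}
""")
# The same request without any extension.
REQUEST_PLAIN = {k: v for k, v in REQUEST_WITH_SPK.items() if k != "extensions"}


def requested_extensions(node):
    """Collect the extension names from every "extensions" object in a request.

    Assumption: nested objects are searched as well, so the option is found
    whether "extensions" sits at the top level or deeper in the request.
    Over-matching errs towards skipping, i.e. towards creating fewer credentials.
    """
    found = set()
    if isinstance(node, dict):
        for key, value in node.items():
            if key == "extensions" and isinstance(value, dict):
                found.update(value)
            found |= requested_extensions(value)
    elif isinstance(node, list):
        for item in node:
            found |= requested_extensions(item)
    return found


def continuation_flag(destination_ok, continue_consent):
    """Continuation flag as described in paragraph 0121: continue after a
    successful registration on the destination terminal; after a failure,
    continue only if the user agrees on the Figure 10 consent screen."""
    return True if destination_ok else bool(continue_consent)


def completion_flag(request, registration_flag, continuation):
    """Figure 15, S1503 to S1509. Returns (completion_flag, step reached).

    True  -> stop: no credential is created on the registration source terminal.
    False -> go on to S1419 and register on the registration source terminal.
    """
    if requested_extensions(request) & SKIP_TARGET_OPTIONS:  # S1503
        return True, "S1504"
    if not registration_flag:                                # S1505 (same as S1103)
        return True, "S1506"
    if not continuation:                                     # S1507 (same as S1105)
        return True, "S1508"
    return False, "S1509"


def can_skip_source_authentication(history, terminal_id, now, max_age_s=300):
    """Third embodiment: skip user authentication on the source terminal when
    the destination terminal authenticated successfully a short time ago.

    history maps authentication terminal ID -> UNIX time of the last success
    (Table 25). max_age_s stands in for the page's "certain period" (assumed).
    Unknown terminals and timestamps later than `now` (clock change or a
    damaged entry) never count as recent.
    """
    last = history.get(terminal_id)
    if last is None:
        return False
    return 0 <= now - last <= max_age_s


def demo():
    """Run the flows of paragraph 0121 and the second embodiment."""
    cases = [
        ("destination ok, consent given", REQUEST_PLAIN, True, continuation_flag(True, None)),
        ("destination failed, user continues", REQUEST_PLAIN, True, continuation_flag(False, True)),
        ("destination failed, user declines", REQUEST_PLAIN, True, continuation_flag(False, False)),
        ("no consent on the Figure 8 screen", REQUEST_PLAIN, False, continuation_flag(True, None)),
        ("service asked for supplementalPubKeys", REQUEST_WITH_SPK, True, continuation_flag(True, None)),
    ]
    return [(name, *completion_flag(req, reg, cont)) for name, req, reg, cont in cases]


if __name__ == "__main__":
    for row in demo():
        print(row)
    table_25 = {"1234-5678": 1_700_000_000}  # constructed entry
    print(can_skip_source_authentication(table_25, "1234-5678", 1_700_000_120))
```

Because the option check runs first, a request carrying the listed option ends at S1504 even when the user consented on both screens.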
【0164】 In addition to the function of the credential registration processing unit 341 of the first embodiment, the credential registration processing unit 1741 of application server 103 has a function of transmitting an authentication request transmitted from authentication terminals 101 and 102 to authentication server 104. 【0165】 The authentication request management unit 1750 of the authentication server 104 has the function of receiving an authentication request sent from the application server 103 and sending a challenge to the authentication terminals 101 and 102. In addition, the authentication request management unit 1750 has the function of verifying the signature sent during authentication from the authentication terminals 101 and 102 and sending the authentication result to the application server 103. 【0166】 <User Authentication Process> Since it is the same as the first embodiment, the explanation will be omitted. <Credential Management Server Authentication Process> Since it is the same as the first embodiment, the explanation will be omitted. 【0167】 <Authentication time update process> The authentication time update process will be explained using Figure 18. This process involves an authentication process where authentication terminal 101 requests authentication from authentication terminal 102 by communicating between authentication terminals. Based on the authentication result at authentication terminal 102, the authentication time information management table is updated. 【0168】 Figure 18 is a sequence diagram showing an example of the processing of authentication terminal 101, authentication terminal 102, application server 103, and authentication server 104 in the authentication time update process of the third embodiment. In this figure, the processing of authentication terminals 101 and 102 is realized by the CPU 201 of each authentication terminal reading a program stored in HDD 203 into memory 202 and executing it. 
The processing of application server 103 and authentication server 104 is realized by the CPU 210 of each server device reading a program stored in HDD 212 into memory 211 and executing it. 【0169】 When the authentication time update process starts, in S1801, the browser 310 of the authentication terminal 101 sends an authentication request from the user using the authentication terminal 101 to the application server 103. Upon receiving this authentication request, the application server 103 executes the process in S1802. 【0170】 In S1802, the credential registration processing unit 341 of the application server 103 sends a user authentication request to the authentication server 104. Upon receiving this authentication request, the authentication server 104 executes the process in S1803. 【0171】 In S1803, the authentication request management unit 350 of the authentication server 104 sends an authentication request along with a challenge to the authentication terminal 101. Specific examples of authentication requests sent from the authentication request management unit 350 include the following: 【0172】
{
  "challenge": "FRG123tre12312FE",
  "rp": {
    "name": "AdminPage",
    "id": "https://example_srv.com/admin",
    "User": {
      "id": "user002",
      "name": "user002",
      "displayName": "user002"
    },
    "AuthenticatorSelection": {
      "authenticatorAttachment": "platform",
      "requireResidentKey": true
    }
  }
}
【0173】 When the authentication terminal 101 receives the challenge and authentication request as described above, it proceeds to process S1804. In S1804, the authentication client 1720 of the authentication terminal 101 sends a request to the browser 310 to display a QR code (registered trademark) for communication between authentication terminals. The browser 310 displays a QR code (not shown) for communication between authentication terminals. 
【0174】 When the user reads the QR code displayed on the authentication terminal 101 in step S1804 using the camera of the authentication terminal 102, the authentication terminal 102 executes the process in step S1805. In S1805, the image processing unit 340 of the authentication terminal 102 acquires image information of the QR code for communication between authentication terminals entered by the user and performs QR code analysis. Once it analyzes that the QR code is an authentication request QR code, the authentication terminal 102 uses the analyzed information to start communication with the authentication terminal 101 via BLE. Since BLE is a well-known technology, an explanation is omitted here. 【0175】 When authentication terminal 101 begins communication with authentication terminal 102, it proceeds to process S1806. In S1806, authentication terminal 101 sends the challenge and authentication request obtained in S1803 to authentication terminal 102. Upon receiving this, authentication terminal 102 proceeds to S1807. 【0176】 In S1807, the authentication terminal 102 acquires the biometric information of the user using the authentication terminal 102. Specifically, the authentication client 320 of the authentication terminal 102 sends a biometric information acquisition request to the biometric authentication processing unit 331. Upon receiving the biometric information acquisition request, the biometric authentication processing unit 331 waits until it receives the user's biometric information. The biometric authentication processing unit 331 acquires the feature quantities of the biometric information entered by the user. 【0177】 Next, in S1808, the biometric authentication processing unit 331 of the authentication terminal 102 performs the authentication process. 
Specifically, the biometric authentication processing unit 331 sends a request to the biometric information management unit 333 to confirm that the biometric information acquired in S1807 has been registered. In response to this request, the biometric information management unit 333 checks whether the biometric information acquired in S1807 has been registered and sends the confirmation result back to the biometric authentication processing unit 331. If the biometric authentication processing unit 331 receives confirmation from the biometric information management unit 333 that the biometric information has already been registered, it determines that the authentication was successful; otherwise, it terminates this process. If the authentication is successful, the biometric authentication processing unit 331 proceeds to S1809.

【0178】 In S1809, the biometric authentication processing unit 331 of the authentication terminal 102 creates a signature. Next, at S1810, the authentication client 1720 of the authentication terminal 102 sends the authentication result to the authentication terminal 101. Specific examples of the authentication result sent to the authentication terminal 101 include the following:

【0179】

    {
      "id": "asda3333333fdcccc9786546",
      "rawId": "10003",
      "response": {
        "clientDataJson": {
          "type": "webauthn.create",
          "challenge": "NKX1239887823ASd",
          "origin": "https://device102.me",
          "crossOrigin": false
        },
        "signature": "111bcbc9878fdfdf",
        "userhandle": "222bcbc9878fdfdf"
      }
    }

【0180】 When authentication terminal 101 receives the authentication result from authentication terminal 102, it proceeds to process S1811. In S1811, the authentication client 1720 of the authentication terminal 101 sends the authentication result to the authentication server 104. Upon receiving this authentication result, the authentication server 104 proceeds to S1812.
【0181】 In S1812, the authentication request management unit 350 of the authentication server 104 verifies the signature of the challenge included in the authentication result. Next, in S1813, the authentication request management unit 350 of the authentication server 104 sends the authentication result to the application server 103. Next, at S1814, the credential registration processing unit 341 of the application server 103 sends the authentication result to the authentication terminal 101. Upon receiving the authentication result, the authentication terminal 101 proceeds to S1815.

【0182】 In S1815, the authentication terminal 101 obtains the authentication result, and if authentication is successful, updates the authentication time information management table and terminates this process. Table 25 shows an example of the update result of the authentication time information management table in the authentication client 1720 of the authentication terminal 101.

[Table 25]

【0183】 <Credential Information Registration Process>

The credential information registration process will be explained using Figure 19. This process skips the authentication process at authentication terminal 101 if authentication is received from authentication terminal 102 within a certain period of time during the credential information registration process of the first embodiment. This process reduces the authentication step at authentication terminal 101, thereby improving the work efficiency of the credential registration process.

【0184】 Figure 19 is a sequence diagram showing the processing of authentication terminal 101, authentication terminal 102, application server 103, authentication server 104, credential information management server 105, and credential information management server 106 in the credential information registration process of the third embodiment.
In this figure, the processing of authentication terminals 101 and 102 is realized by the CPU 201 of each authentication terminal reading a program stored in HDD 203 into memory 202 and executing it. The processing of application server 103, authentication server 104, and credential information management servers 105 / 106 is realized by the CPU 210 of each server device reading a program stored in HDD 212 into memory 211 and executing it.

【0185】 Since steps S1901 to S1921 are the same as steps S701 to S721 in the first embodiment, their explanation will be omitted. When the authentication terminal 101 receives the challenge in S1921, it proceeds to process S1922.

【0186】 In S1922, the authentication client 1720 of the authentication terminal 101 requests the authentication time management unit 1710 of the authentication terminal 101 to obtain the authentication time of the authentication terminal 102. Upon receiving this request, the authentication time management unit 1710 transmits the authentication time of the authentication terminal 102 to the authentication client 1720. Upon receiving the authentication time of the authentication terminal 102, the authentication client 1720 of the authentication terminal 101 executes an authentication process skip determination process. Details of the authentication process skip determination process are shown in Figure 20, which will be described later. This process sets an authentication process skip flag, which is an internal variable used to determine whether to skip the authentication process.

【0187】 Next, in S1923, the authentication client 1720 of the authentication terminal 101 acquires biometric authentication information only if the authentication process skip flag is "False". In other words, the authentication client 1720 of the authentication terminal 101 skips acquiring biometric authentication information if the authentication process skip flag is "True".
【0188】 Next, in S1924, the authentication client 1720 of the authentication terminal 101 executes the biometric authentication process only if the authentication process skip flag is "False". In other words, the authentication client 1720 of the authentication terminal 101 skips the biometric authentication process if the authentication process skip flag is "True".

【0189】 Next, steps S1925 to S1934 are the same as S724 to S733 in the first embodiment, so their explanation is omitted.

【0190】 <Authentication process skip determination process>

The authentication process skip determination process, which is performed by the authentication client 1720 of the authentication terminal 101, will be explained using Figure 20. This process determines whether to perform the authentication process on the authentication terminal 101 during the credential information registration process.

【0191】 Figure 20 is a flowchart showing an example of the authentication process skip determination process shown in S1922 of Figure 19 in the third embodiment. The process in this flowchart is realized when the CPU 201 of the authentication terminal 101 reads the program stored in the HDD 203 into the memory 202 and executes it.

【0192】 First, when this process starts, in S2001, the authentication client 1720 of authentication terminal 101 obtains the authentication time of authentication terminal 102. Next, in S2002, the authentication client 1720 of the authentication terminal 101 checks whether the credential registration on the authentication terminal 102 was successful. If credential registration at authentication terminal 102 fails (resulting in NO in S2002), authentication client 1720 on authentication terminal 101 proceeds to S2003. In S2003, the authentication client 1720 of the authentication terminal 101 sets the authentication process skip flag to "False" and terminates the processing of this flowchart.
【0193】 On the other hand, if credential registration is successful on authentication terminal 102 (if the answer is YES in S2002), authentication client 1720 on authentication terminal 101 proceeds to S2004. In S2004, the authentication client 1720 of the authentication terminal 101 determines whether an authentication process from the authentication terminal 102 has been executed within a certain period of time. In this embodiment, for example, this determination is made using a threshold of one day from the current time.

【0194】 If no authentication process has occurred from the authentication terminal 102 within a certain time (i.e., the answer is NO in S2004), the authentication client 1720 of the authentication terminal 101 proceeds to S2005. In S2005, the authentication client 1720 of the authentication terminal 101 sets the authentication process skip flag to "False" and terminates the processing of this flowchart.

【0195】 On the other hand, if an authentication process has occurred from the authentication terminal 102 within a certain period of time (if the answer is YES in S2004), the authentication client 1720 of the authentication terminal 101 proceeds to S2006. In S2006, the authentication client 1720 of the authentication terminal 101 sets the authentication process skip flag to "True" and terminates the processing of this flowchart.

【0196】 As described above, according to the third embodiment, the date and time of the successful authentication process, in which the registration terminal communicates with the destination terminal and requests authentication from the registration terminal to the destination terminal, are managed. If the authentication process is successful within a predetermined period, the authentication process on the registration terminal can be skipped when additional credentials are registered on the registration terminal, thereby reducing the operational burden on the user during credential registration.
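
The skip determination of Figure 20 (S2001 to S2006), together with the table update of S1815 that feeds it, as an added Python example that is not code from the patent. The class and function names, the terminal identifier and the timestamps are constructed for illustration; refusing to skip when the recorded time lies in the future, never moving a recorded time backwards, and treating the one-day boundary as inclusive are assumptions of this sketch, not steps in the flowchart.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional

# Threshold given as an example in paragraph 0193: one day from the current time.
SKIP_WINDOW = timedelta(days=1)


@dataclass
class AuthTimeTable:
    """Hypothetical stand-in for the authentication time information
    management table held by authentication terminal 101."""
    _last_success: Dict[str, datetime] = field(default_factory=dict)

    def record_success(self, terminal_id: str, when: datetime) -> None:
        # S1815: called only after the server reports a successful authentication.
        if when.tzinfo is None:
            raise ValueError("timestamps must be timezone-aware")
        prev = self._last_success.get(terminal_id)
        # Assumption of this sketch: a recorded time never moves backwards.
        if prev is None or when > prev:
            self._last_success[terminal_id] = when

    def last_success(self, terminal_id: str) -> Optional[datetime]:
        return self._last_success.get(terminal_id)


def skip_flag(table: AuthTimeTable, terminal_id: str, registration_ok: bool,
              now: datetime, window: timedelta = SKIP_WINDOW) -> bool:
    """Return the authentication process skip flag (True = skip S1923/S1924)."""
    # S2001: obtain the authentication time of the other terminal.
    last = table.last_success(terminal_id)
    # S2002 -> S2003: registration on the other terminal failed, do not skip.
    if not registration_ok:
        return False
    # S2004 -> S2005: no authentication on record, do not skip.
    if last is None:
        return False
    age = now - last
    # Assumption: a last-success time in the future means the clock or the
    # table cannot be trusted, so local user authentication is still required.
    if age < timedelta(0):
        return False
    # S2004 -> S2006 when inside the window, S2005 otherwise (boundary inclusive).
    return age <= window


def demo() -> Dict[str, bool]:
    """Run the decision over constructed timestamps."""
    now = datetime(2025, 1, 10, 12, 0, tzinfo=timezone.utc)  # constructed value
    table = AuthTimeTable()
    results = {"no_record": skip_flag(table, "terminal-102", True, now)}
    table.record_success("terminal-102", now - timedelta(hours=3))
    results["recent"] = skip_flag(table, "terminal-102", True, now)
    results["registration_failed"] = skip_flag(table, "terminal-102", False, now)
    results["stale"] = skip_flag(table, "terminal-102", True, now + timedelta(days=2))
    return results


if __name__ == "__main__":
    print(demo())
```

Every path that lacks a fresh, trustworthy authentication time returns "False", so the local biometric step is only dropped in the single case the flowchart allows.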
【0197】 As described above, according to each embodiment, when credentials are registered on a terminal different from the terminal from which the registration is performed, authentication to the service remains possible even if the terminal to which the credentials were registered is unavailable. As a result, the usability of FIDO authentication can be significantly improved with little effort.

【0198】 It should be noted that the structure and content of the various data described above are not limited to those mentioned, and it goes without saying that they can be composed of various structures and contents depending on the use and purpose. Although one embodiment has been described above, the present invention can take the form of, for example, a system, apparatus, method, program, or storage medium. Specifically, it may be applied to a system consisting of multiple devices, or to an apparatus consisting of a single device. Furthermore, any configurations combining the above embodiments are also included in the present invention.

【0199】 [Other Embodiments]

The present invention can also be realized by supplying a program that implements one or more of the functions of the above-described embodiments to a system or device via a network or storage medium, and by having one or more processors in the computer of that system or device read and execute the program. It can also be realized by a circuit (e.g., an ASIC) that implements one or more functions. Furthermore, the present invention may be applied to a system consisting of multiple devices or to a device consisting of a single device. The present invention is not limited to the embodiments described above, and various modifications (including organic combinations of each embodiment) are possible based on the spirit of the invention, and these are not excluded from the scope of the invention.
That is, all configurations that combine the above-described embodiments and their modified forms are included in the present invention.

【0200】 This embodiment includes the following configurations, methods, and programs.

(Configuration 1) An information processing device having an authentication function, A registration means that communicates with a terminal having an authentication function and performs a first registration process to register credentials for accessing the service on the terminal, The system includes a first request means that, when registering credentials to the terminal through the first registration process, requests the user to give first consent to register credentials for accessing the service with the information processing device, The registration means is characterized in that, when the first consent is obtained, it performs a second registration process in addition to the first registration process to register credentials for accessing the service in the information processing device.

(Configuration 2) The information processing apparatus according to Configuration 1, characterized in that the registration means performs the second registration process when the first consent is obtained and the first registration process is successful.

(Configuration 3) If the first consent has been obtained and the first registration process has failed, the system has a second request means for notifying the user that registration of the credentials to the terminal has failed and for requesting the user to give a second consent to continue registering the credentials to the information processing device, If the second consent is obtained, the registration means performs the second registration process. The information processing device according to Configuration 2, characterized in that if the second consent is not obtained, the second registration process is not performed.
(Configuration 4) The information processing device according to any one of Configurations 1 to 3, characterized in that, if the second registration process fails, it has a notification means for notifying the user that the registration of credentials to the information processing device has failed.

(Configuration 5) If the second registration process fails, a third request means notifies the user that the registration of credentials to the information processing device has failed and requests the user to give a third consent to register the credentials to a terminal other than the terminal, The information processing apparatus according to any one of Configurations 1 to 3, characterized in that, when the third consent is obtained, the registration means performs a third registration process in which it communicates with the other terminal and registers credentials for accessing the service to the other terminal.

(Configuration 6) The information processing device according to any one of Configurations 1 to 5, characterized in that the second registration process is not performed when the first registration process is performed in response to a request for credential creation in which predetermined options are specified by the server providing the said service.

(Configuration 7) The system has a management means for managing the date and time of success in an authentication process that communicates with the terminal and requests authentication from the information processing device to the terminal. The information processing apparatus according to any one of Configurations 1 to 6, characterized in that, if the authentication process is successful within a predetermined period, the registration means registers the credentials in the information processing apparatus without performing user authentication by the authentication function of the information processing apparatus in the second registration process.
(Method 1) A control method for an information processing device having an authentication function, A first registration step involves communicating with a terminal having an authentication function and performing a first registration process to register credentials for accessing the service on the terminal, When registering credentials to the terminal through the first registration process, the process includes a request step in which the user is asked to give first consent to register credentials for accessing the service with the information processing device, A control method for an information processing device, characterized by further comprising: a second registration step of performing a second registration process to register credentials for accessing the service in the information processing device when the first consent is obtained.

(Program 1) A program that causes a computer to execute the control method for the information processing device described in Method 1.

Claims

[Claim 1] An information processing device having an authentication function, A registration means that communicates with a terminal having an authentication function and performs a first registration process to register credentials for accessing the service on the terminal, The system includes a first request means that, when registering credentials to the terminal by the first registration process, requests the user to give first consent to register credentials for accessing the service with the information processing device, The registration means is characterized in that, when the first consent is obtained, it performs a second registration process in addition to the first registration process to register credentials for accessing the service in the information processing device.

[Claim 2] The information processing apparatus according to claim 1, characterized in that the registration means performs the second registration process when the first consent is obtained and the first registration process is successful.

[Claim 3] If the first consent has been obtained and the first registration process has failed, the system has a second requesting means for notifying the user that registration of the credentials to the terminal has failed and for requesting the user to give a second consent to continue registering the credentials to the information processing device. If the second consent is obtained, the registration means performs the second registration process. The information processing apparatus according to claim 2, characterized in that if the second consent is not obtained, the second registration process is not performed.

[Claim 4] The information processing apparatus according to any one of claims 1 to 3, characterized in that it has a notification means for notifying the user that the registration of credentials to the information processing apparatus has failed if the second registration process fails.
[Claim 5] If the second registration process fails, a third request means notifies the user that the registration of credentials to the information processing device has failed and requests the user to give a third consent to register the credentials to a terminal other than the terminal, The information processing apparatus according to any one of claims 1 to 3, characterized in that, when the third consent is obtained, the registration means performs a third registration process in which it communicates with the other terminal and registers credentials for accessing the service to the other terminal.

[Claim 6] The information processing apparatus according to any one of claims 1 to 3, characterized in that the second registration process is not performed when the first registration process is performed in response to a request for credential creation in which predetermined options are specified by the server providing the said service.

[Claim 7] The system has a management means for managing the date and time of success in an authentication process that communicates with the terminal and requests authentication from the information processing device to the terminal. The information processing apparatus according to any one of claims 1 to 3, characterized in that, if the authentication process is successful within a predetermined period, the registration means registers the credentials in the information processing apparatus without performing user authentication by the authentication function of the information processing apparatus in the second registration process.
[Claim 8] A control method for an information processing device having an authentication function, A first registration step involves communicating with a terminal having an authentication function and performing a first registration process to register credentials for accessing the service on the terminal, When registering credentials to the terminal through the first registration process, the process includes a request step of requesting the user to give first consent to register credentials for accessing the service with the information processing device, A control method for an information processing device, characterized by further comprising: a second registration step of performing a second registration process to register credentials for accessing the service in the information processing device when the first consent is obtained.

[Claim 9] A program for causing a computer to execute the control method for the information processing device described in claim 8.