Information processing systems, information processing methods, authentication systems, and programs
The information processing apparatus addresses the problem that one-time passwords are given a relatively long expiration period: the authenticated-side terminal attaches a short real-time expiration to the authentication code and regenerates the code at a short fixed interval, and the verifier checks both the one-time token's expiration and the real-time expiration, so that a copied or delayed code cannot be used for impersonation.
Patent Information
- Authority / Receiving Office
- JP · JP
- Patent Type
- Patents
- Current Assignee / Owner
- GLEE HOLDINGS CO LTD
- Filing Date
- 2023-10-25
- Publication Date
- 2026-06-22
Smart Images
Figure 0007876796000001
Figure 0007876796000002
Figure 0007876796000003
Abstract
Description
Technical Field
[0001] The present disclosure relates to an information processing system, an information processing method, an authentication system, and a program.
Background Art
[0002] As a measure to enhance the reliability of the authentication process, a technique using a one-time password (also referred to as an OTP (One Time Password)), which is stronger than authentication with a fixed password, is known.
Prior Art Documents
Patent Documents
[0003]
Patent Document 1
Summary of the Invention
Problems to be Solved by the Invention
[0004] However, in the conventional technology as described above, a relatively long expiration period is set for the one-time password, making it difficult to further enhance the reliability.
[0005] Therefore, in one aspect, the present disclosure aims to effectively enhance the reliability of the authentication process.
Means for Solving the Problems
[0006] In one aspect, there is provided an information processing apparatus including an authentication information acquisition unit that acquires authentication information, and a code update unit that, at each predetermined period, updates an authentication code that can be read from the outside or transmitted to the outside, based on the authentication information and on time information that changes with an update period not longer than the predetermined period.
Effects of the Invention
[0007] In one respect, this disclosure makes it possible to effectively enhance the reliability of the authentication process.
Brief Description of the Drawings
[0008] [Figure 1] This is a block diagram of the authentication system according to this embodiment. [Figure 2] This is a timing chart (part 1) illustrating an example of how the authentication system works. [Figure 3] This is a timing chart (part 2) illustrating an example of how the authentication system works. [Figure 4] This is a timing chart (part 3) illustrating an example of how the authentication system works.
Modes for Carrying Out the Invention
[0009] The embodiments will be described in detail below with reference to the attached drawings. Note that, for ease of viewing, only some of the parts with the same attribute that exist in multiple locations may be assigned reference numerals in the attached drawings.
[0010] Referring to Figure 1, an overview of the authentication system 1 according to one embodiment will be described. Figure 1 is a block diagram of the authentication system 1 according to this embodiment.
[0011] The authentication system 1 comprises a server device 10 and one or more terminal devices 20. Although three terminal devices 20 are shown in Figure 1 for simplicity, the number of terminal devices 20 is arbitrary.
[0012] The server device 10 is, for example, an information processing system such as a server managed by one or more operators providing this authentication service. The terminal device 20 is a device used by a user, such as a mobile phone, smartphone, tablet, PC (Personal Computer), head-mounted display, or game device. Typically, multiple terminal devices 20 may be connected to the server device 10 via the network 3 in different configurations for each user.
[0013] The terminal device 20 is capable of executing the authentication service application according to this embodiment. The authentication service application may be received by the terminal device 20 from the server device 10 or a predetermined application distribution server via the network 3, or it may be pre-stored in a storage device provided in the terminal device 20 or in a storage medium such as a memory card that the terminal device 20 can read. The server device 10 and the terminal device 20 are connected to each other via the network 3 so as to be able to communicate. For example, the server device 10 and the terminal device 20 cooperate to perform various processes related to the authentication service.
[0014] Network 3 may include wireless communication networks, the Internet, VPNs (Virtual Private Networks), WANs (Wide Area Networks), wired networks, or any combination thereof.
[0015] In the following, the authentication system 1 implements an example of an information processing system. However, each element of a specific terminal device 20 (see terminal communication unit 21 to terminal control unit 25 in Figure 1) may implement an example of an information processing system, or multiple terminal devices 20 may cooperate to implement an example of an information processing system. Furthermore, the server device 10 may implement an example of an information processing system by itself, or the server device 10 and one or more terminal devices 20 may cooperate to implement an example of an information processing system.
[0016] (Server configuration) The configuration of the server device 10 will be specifically described. The server device 10 is composed of a server computer. The server device 10 may also be realized by a plurality of server computers cooperating with each other. For example, the server device 10 may be realized by cooperating with a server computer that provides various contents (such as time information) and a server computer that realizes an authentication server. Also, the server device 10 may include a Web server. In this case, a part of the functions of the terminal device 20 described later may be realized by the browser processing an HTML document received from the Web server and various programs (JavaScript (registered trademark)) associated therewith.
[0017] As shown in FIG. 1, the server device 10 includes a server communication unit 11, a server storage unit 12, and a server control unit 13.
[0018] The server communication unit 11 includes an interface for communicating with an external device wirelessly or wiredly and transmitting and receiving information. The server communication unit 11 may include, for example, a wireless LAN (Local Area Network) communication module or a wired LAN communication module. The server communication unit 11 can transmit and receive information to and from the terminal device 20 via the network 3.
[0019] The server storage unit 12 is, for example, a storage device, and stores various information and programs necessary for various processes related to the authentication service.
[0020] The server control unit 13 may include a dedicated microprocessor or a CPU (Central Processing Unit), a GPU (Graphics Processing Unit), etc. that realizes a specific function by loading a specific program. For example, the server control unit 13 cooperates with the terminal device 20 and executes an authentication service application according to a user operation on the display unit 23 (touch panel) of the terminal device 20.
[0021] (Configuration of the terminal device) The configuration of the terminal device 20 will be described. As shown in FIG. 1, the terminal device 20 includes a terminal communication unit 21, a terminal storage unit 22, a display unit 23, an input unit 24, and a terminal control unit 25.
[0022] The terminal communication unit 21 includes an interface for communicating with an external device wirelessly or wiredly and performing transmission and reception of information. The terminal communication unit 21 may include, for example, a wireless communication module corresponding to mobile communication standards such as LTE (Long Term Evolution) (registered trademark), LTE-A (LTE-Advanced), the fifth-generation mobile communication system, UMB (Ultra Mobile Broadband), a wireless LAN communication module, or a wired LAN communication module. The terminal communication unit 21 can transmit and receive information to and from the server device 10 via the network 3.
[0023] The terminal storage unit 22 includes, for example, a primary storage device and a secondary storage device. For example, the terminal storage unit 22 may include a semiconductor memory, a magnetic memory, or an optical memory. The terminal storage unit 22 stores various information and programs used for authentication service-related processing received from the server device 10. The information and programs used for authentication service-related processing may be acquired from an external device via the terminal communication unit 21. For example, an authentication service application program may be acquired from a predetermined application distribution server. Hereinafter, the application program is also simply referred to as an application or an app.
[0024] The display unit 23 includes a display device such as a liquid crystal display or an organic EL (Electro-Luminescence) display. The display unit 23 can display various images. The display unit 23 is configured by, for example, a touch panel and functions as an interface for detecting various user operations. Note that the display unit 23 may be in a form built into a head-mounted display as described above.
[0025] The input unit 24 may include physical keys, or it may further include any input interface, such as a pointing device like a mouse.
[0026] The terminal control unit 25 includes one or more processors. The terminal control unit 25 controls the operation of the entire terminal device 20.
[0027] The terminal control unit 25 transmits and receives information via the terminal communication unit 21. For example, the terminal control unit 25 receives various information and programs used for authentication service-related processing from at least one of the server device 10 and other external servers. The terminal control unit 25 stores the received information and programs in the terminal storage unit 22. For example, the terminal storage unit 22 may store a browser (internet browser) for connecting to a web server.
[0028] Next, an example of the operation of authentication system 1 will be described with reference to Figure 2 and subsequent figures.
[0029] Figures 2 to 4 are timing charts showing an example of the operation of authentication system 1. Figures 2 to 4 show a series of operations, but only a part of them may be executed. In addition to the user, Figures 2 to 4 also show the authentication-side information terminal 40, the authenticated-side information terminal 42, the authentication server 50, the NTP server 52, and the content server 54.
[0030] The authentication-side information terminal 40 and the authenticated-side information terminal 42 may be implemented by the terminal device 20 shown in Figure 1. The authentication server 50 and the content server 54 may be implemented by one or more server devices 10 shown in Figure 1. Therefore, in this case, in Figures 2 to 4, the authentication system 1 may be implemented by the authentication-side information terminal 40, the authenticated-side information terminal 42, the authentication server 50, and the content server 54. In a modified example, the authentication system 1 may be implemented by the authentication-side information terminal 40, the authenticated-side information terminal 42, and the authentication server 50.
[0031] Here, as an example, an example of operation related to a game application will be described. The game application is implemented on the authenticated information terminal 42. In this embodiment, the game application includes the application portion for the authenticated side of the authentication service application, but they may cooperate as separate applications. The authentication-side information terminal 40 and the authentication server 50 include the application portion for the authentication-side of the authentication service application.
[0032] As explained sequentially from Figure 2, the user first launches a game application on the authenticated information terminal 42 (step S200). That is, the terminal control unit 25 of the authenticated information terminal 42 launches the game application in response to user operations. The terminal control unit 25 works in cooperation with the server device 10 to execute authentication service-related processing. For example, the terminal control unit 25 of the authenticated information terminal 42 may output a GUI (Graphical User Interface) that detects user operations on the screen of the display unit 23. The terminal control unit 25 can detect user operations via the input unit 24. For example, the terminal control unit 25 can detect various operations by user gestures (operations corresponding to tap operations, long tap operations, flick operations, and swipe operations, etc.).
[0033] The authenticated information terminal 42 performs the following processing based on the launched game application. That is, the launched game application runs on the authenticated information terminal 42, thereby enabling the following various operations of the authenticated information terminal 42. First, the game application on the authenticated information terminal 42 generates a key pair in the authentication service application part (step S202), and displays the top screen on the display unit 23 of the authenticated information terminal 42 (step S204). Key pair generation may be performed when OAuth authentication is used. In this case, the key pair is used when generating the OAuth signature.
[0034] While the top screen of the authenticated-side information terminal 42 is displayed, the user makes an input for a predetermined request (hereinafter also referred to as a "predetermined request input") via the input unit 24 (step S206). The predetermined request is arbitrary; in this case it is a data transfer request accompanying a device replacement (model change), for example a request to transfer the game application's data to the new device. In other embodiments, the predetermined request may be the sharing of authentication information across multiple terminals, so that the same account can use the same or similar services on multiple terminals.
[0035] The game application on the authenticated information terminal 42, in response to a predetermined request input from the user, requests a one-time token (an example of authentication information) for authentication related to the current predetermined request (step S208).
[0036] The authentication server 50 generates a one-time token in response to the request (step S210). The expiration of the one-time token (an example of the first expiration date) is measured from the present time, and its length (an example of the first length) is arbitrary, but may be, for example, about 5 minutes.
[0037] When the authentication server 50 has generated the one-time token, it sends it to the authenticated-side information terminal 42 that requested it (step S212).
[0038] The game application on the authenticated information terminal 42, when the authentication service application receives a one-time token from the authentication server 50, adds predetermined information to the one-time token (step S214). The predetermined information is arbitrary, but may represent, for example, an action to be performed upon successful authentication (e.g., login). In this case, the predetermined information may differ depending on the action. The predetermined information may also be added to check the integrity of data between the user's devices (other than the real-time expiration date check related to this authentication service described later), or to pass data necessary for client-side processing. Hereinafter, the authentication information to which the predetermined information has been added to the one-time token in this manner will also be referred to as "predetermined authentication information". Note that in the modified example, the predetermined information may be omitted.
[0039] Next, the game application on the authenticated information terminal 42, specifically the authentication service application portion, performs a time synchronization process (see Q2) to obtain accurate time information. Specifically, first, the authenticated information terminal 42 sends a request for current time information to the NTP server 52 (step S216). The NTP server 52 responds to the request and sends time information to the authenticated information terminal 42 that made the request (step S218). When the authenticated information terminal 42 receives the time information from the NTP server 52, it synchronizes the time information within the authenticated information terminal 42 with the received time information (step S220). By performing this time synchronization process, the authenticated information terminal 42 can generate time information synchronized with the NTP server 52 for at least a certain period of time after receiving time information from the NTP server 52. The authenticated information terminal 42 may also perform time synchronization processing periodically in advance. In this case, the time synchronization process can be omitted and the process can proceed to step S300.
[0040] Once the authentication service application portion of the authenticated information terminal 42 completes the time synchronization process (see Q2), the game application then executes the two-dimensional code generation / update process (see Q3), as shown in Figure 3.
[0041] The two-dimensional code generation / update process is executed repeatedly at predetermined intervals ΔT1. The two-dimensional code generation / update process may be executed for a single one-time token only during the validity period of that one-time token. The predetermined interval ΔT1 is significantly shorter than the validity period of the one-time token. Here, "significantly" shorter (or longer) may mean, for example, a difference in order of magnitude. For example, if the validity period of the one-time token is about 5 minutes, the predetermined interval ΔT1 may be between 0 and 10 seconds, preferably about 0.1 seconds.
[0042] In the two-dimensional code generation / update process, the authenticated information terminal 42 adds a new expiration date (hereinafter also referred to as the "real-time expiration date") to the predetermined authentication information (step S300). The real-time expiration date is measured from the present time, where the present time is taken from the terminal's time information. The time information on the authenticated information terminal 42 may be updated at a very short period corresponding to the terminal's clock frequency; for example, it may be updated at a period no longer than ΔT1 / 10. Accordingly, the time information represents a different time each time the two-dimensional code generation / update process runs at the predetermined period ΔT1.
[0043] The length of the real-time expiration period (an example of a second expiration period; its length is an example of a second length) is significantly shorter than the expiration period of the one-time token. The length of the real-time expiration period may also be greater than or equal to the predetermined period ΔT1, so that a displayed code does not expire before the next one replaces it. For example, if the expiration period of the one-time token is about 5 minutes, the length of the real-time expiration period may be between 0.1 seconds and 10 seconds, preferably about 0.5 seconds.
[0044] Next, the authenticated information terminal 42 generates two-dimensional code data based on the predetermined authentication information with the real-time expiration date (step S302). The two-dimensional code data may be encrypted data, generated by encrypting the predetermined authentication information together with its real-time expiration date.
[0045] Next, the authenticated information terminal 42 generates two-dimensional code image data based on the two-dimensional code data (step S304).
[0046] In this way, the game application on the authenticated information terminal 42 generates a two-dimensional code image data (an example of an authentication code) with a real-time expiration date based on that point in time, at predetermined intervals ΔT1, through the authentication service application portion.
[0047] In this embodiment, the two-dimensional code image (and the two-dimensional code data derived therefrom) is updated on the authenticated information terminal 42 side rather than on the authentication server 50, thus eliminating the need for communication between the authentication server 50 and the authenticated information terminal 42. This reduces the communication load and enables high-speed updating of the two-dimensional code image (generation at predetermined intervals ΔT1).
[0048] When the authenticated information terminal 42 generates two-dimensional code image data, it outputs a two-dimensional code image based on the generated two-dimensional code image data onto the display unit 23 (step S306). Therefore, the user can view the two-dimensional code image via the display unit 23. The form of the two-dimensional code image is arbitrary and may be, for example, a QR code (registered trademark).
[0049] In this embodiment, as described above, the two-dimensional code image data changes at predetermined intervals ΔT1, so the two-dimensional code image (and real-time expiration date) displayed on the display unit 23 of the authenticated information terminal 42 also changes at predetermined intervals ΔT1.
[0050] The user causes the authentication-side terminal 40 to read the two-dimensional code image displayed on the display unit 23 of the authenticated-side terminal 42 (step S308). The authentication-side terminal 40 reads the image and obtains the two-dimensional code data it encodes (steps S310, S312), then decodes the two-dimensional code data (step S314) to obtain the predetermined authentication information with the real-time expiration date described above.
[0051] In this embodiment, as described above, the two-dimensional code image displayed on the display unit 23 of the authenticated information terminal 42 changes at predetermined intervals ΔT1, but the authentication information terminal 40 can acquire the predetermined authentication information with a real-time expiration date based on the two-dimensional code image displayed on the authenticated information terminal 42 at the time of reading.
[0052] When the authentication-side information terminal 40 obtains predetermined authentication information with a real-time expiration date in this manner, it performs a time synchronization process (see Q4) to obtain accurate time information. Specifically, first, the authentication-side information terminal 40 sends a request for current time information to the NTP server 52 (step S316). In response to the request, the NTP server 52 sends time information to the requesting authentication-side information terminal 40 (step S318). When the authentication-side information terminal 40 receives the time information from the NTP server 52, it synchronizes the time information within the authentication-side information terminal 40 with the received time information (step S320). By performing this time synchronization process, the authentication-side information terminal 40 can generate time information synchronized with the NTP server 52 for at least a certain period of time after receiving time information from the NTP server 52. The authentication-side information terminal 40 may also perform the time synchronization process periodically in advance. In this case, the time synchronization process can be omitted and the process can proceed to step S400.
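The time synchronization process of Q2 and Q4 (steps S216 to S220 on terminal 42, steps S316 to S320 on terminal 40) is worked through below in Python as an added example; it is not code from the patent or its assignee. It assumes that the NTP server 52 speaks plain SNTP with the standard 48-byte packet layout, that the four timestamps T1 to T4 are passed in as parameters rather than read from a real clock, and that the server reply is constructed inline (here with the client clock running 2 s slow) so the computed offset can be checked offline.

```python
import struct

NTP_DELTA = 2208988800                      # seconds from the NTP epoch (1900) to the Unix epoch (1970)
PACKET_LEN = 48                             # SNTP header without authentication fields
ORIGINATE, RECEIVE, TRANSMIT = 24, 32, 40   # byte offsets of the three 64-bit timestamps


def to_ntp(unix_time: float) -> bytes:
    """Encode a Unix time as a big-endian 32.32 fixed-point NTP timestamp."""
    secs = unix_time + NTP_DELTA
    whole = int(secs)
    frac = int((secs - whole) * (1 << 32))
    return struct.pack("!II", whole, frac)


def from_ntp(raw: bytes) -> float:
    """Decode a 32.32 NTP timestamp back to Unix time."""
    whole, frac = struct.unpack("!II", raw)
    return whole + frac / (1 << 32) - NTP_DELTA


def build_request(t1_local: float) -> bytes:
    """Client request (step S216 / S316): LI=0, VN=4, Mode=3; local send time in Transmit."""
    pkt = bytearray(PACKET_LEN)
    pkt[0] = 0x23
    pkt[TRANSMIT:TRANSMIT + 8] = to_ntp(t1_local)
    return bytes(pkt)


def build_server_reply(request: bytes, t2_server: float, t3_server: float) -> bytes:
    """Constructed stand-in for NTP server 52 (step S218 / S318): Mode=4, echoes the
    client's Transmit timestamp as Originate, fills Receive and Transmit from its clock."""
    pkt = bytearray(PACKET_LEN)
    pkt[0] = 0x24                                   # LI=0, VN=4, Mode=4 (server)
    pkt[1] = 2                                      # stratum 2 (any non-zero value)
    pkt[ORIGINATE:ORIGINATE + 8] = request[TRANSMIT:TRANSMIT + 8]
    pkt[RECEIVE:RECEIVE + 8] = to_ntp(t2_server)
    pkt[TRANSMIT:TRANSMIT + 8] = to_ntp(t3_server)
    return bytes(pkt)


def clock_offset(request: bytes, reply: bytes, t4_local: float):
    """Step S220 / S320: derive (offset, round-trip delay) from T1..T4, rejecting replies
    that are malformed, unsynchronized, or not matched to the request we sent."""
    if len(reply) < PACKET_LEN or reply[0] & 0x07 != 4:
        raise ValueError("not an SNTP server reply")
    if reply[0] >> 6 == 3:
        raise ValueError("server clock unsynchronized (LI=3)")
    if reply[1] == 0:
        raise ValueError("kiss-o'-death (stratum 0)")
    if reply[ORIGINATE:ORIGINATE + 8] != request[TRANSMIT:TRANSMIT + 8]:
        raise ValueError("originate timestamp does not match our request")
    t1 = from_ntp(reply[ORIGINATE:ORIGINATE + 8])
    t2 = from_ntp(reply[RECEIVE:RECEIVE + 8])
    t3 = from_ntp(reply[TRANSMIT:TRANSMIT + 8])
    offset = ((t2 - t1) + (t3 - t4_local)) / 2     # how far the local clock is behind the server
    delay = (t4_local - t1) - (t3 - t2)             # network round trip, server processing removed
    return offset, delay


def synchronize(local_now: float, t2_server: float, t3_server: float, rtt_local: float):
    """One exchange end to end with injected times; returns (corrected local time, offset, delay)."""
    request = build_request(local_now)
    reply = build_server_reply(request, t2_server, t3_server)
    offset, delay = clock_offset(request, reply, local_now + rtt_local)
    return local_now + rtt_local + offset, offset, delay
```

The originate-timestamp comparison is the one cheap check a terminal can make that the reply answers its own request; the real-time expiration checks in steps S400 and S416 are only as good as the clocks on both sides, so a terminal should also refuse to apply an offset from an exchange whose delay is implausibly large.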
[0053] When the authentication-side information terminal 40 obtains predetermined authentication information with a real-time expiration date, it checks the real-time expiration date (step S400), and if the real-time expiration date has not expired, it displays a login confirmation screen (step S402). The authentication-side information terminal 40 also sends an output request to the content server 54 for the display of the biometric authentication and passcode authentication screens on the authenticated-side information terminal 42 (step S404). If the real-time expiration date has expired, the authentication-side information terminal 40 may not proceed to the processing from step S402 onwards. In this case, it may be possible to restart from an intermediate step, such as starting again from step S308, as appropriate.
[0054] In response to the output request, the content server 54 presents the user with a screen for biometric authentication and passcode authentication via the authenticated-side information terminal 42 (step S406). The user enters the information for biometric authentication and passcode authentication (step S408), and if that authentication succeeds, a notification to that effect is sent from the content server 54 to the authentication-side information terminal 40 (step S410).
[0055] When the authentication terminal 40 receives the notification, it sends the predetermined authentication information with a real-time expiration date, obtained as described above, to the authentication server 50 (step S412). In the case of predetermined authentication information sent to the authentication server 50, the predetermined authentication information with a real-time expiration date does not have to include the predetermined information described above. That is, the predetermined authentication information with a real-time expiration date may include the original one-time token and the real-time expiration date.
[0056] In the examples shown in Figures 2 to 4, the authentication terminal 40 checks the real-time expiration date (step S400), but this check by the authentication terminal 40 may be omitted. Furthermore, if the authentication terminal 40 performs a real-time expiration date check, as shown in Figures 2 to 4, and the check indicates that the real-time expiration date is valid, the authentication terminal 40 may perform a real-time expiration date renewal (extension) process. Such a renewal may be effective when the real-time expiration date is relatively short.
[0057] When the authentication server 50 receives the predetermined authentication information with a real-time expiration date, it determines the validity of that information (and consequently the validity of the two-dimensional code image it was derived from) (steps S414, S416). At this time, the authentication server 50 determines the validity of the two-dimensional code image based on the expiration dates of both the one-time token and the real-time expiration date associated with it. Specifically, it determines from the current time information whether either expiration date has passed. If neither expiration date has expired, authentication succeeds, and the processing corresponding to the predetermined request is executed (step S418). In this embodiment, the authentication server 50 executes the data transfer processing for the game application. The authentication server 50 also notifies the authentication-side information terminal 40 that authentication was successful (step S420). When the authentication-side information terminal 40 receives such notification, it notifies the user that login was successful (step S422).
[0058] The user returns the screen on the authenticated information terminal 42 to the top screen (step S424) and displays the top screen (step S426). Then, the user starts the game application (step S428).
[0059] In this way, according to this embodiment, since the real-time expiration date is taken into consideration along with the expiration date of the one-time token, the reliability of authentication can be enhanced. In other words, by utilizing a relatively short real-time expiration date that effectively starts from the time the two-dimensional code image is read, impersonation can be effectively prevented.
[0060] For example, consider a scenario in which user A takes a screenshot of the two-dimensional code image displayed on the display unit 23 of their terminal device 20 and sends it to user B. Because of the time that elapses from generation of the two-dimensional code image until user B receives and reads it, there is a high probability that the real-time expiration will already have passed by the time the information reaches the authentication server 50, even though the one-time token itself is still within its longer validity period. This is especially so when the real-time validity period is very short.
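The code generation / update process (steps S300 to S306), the server's check of both expirations (steps S414 to S416) and the screenshot scenario of paragraph [0060] are worked through below in Python as an added example; this is not code from the patent or its assignee. It assumes: time is passed in as a parameter so the run is deterministic; the code data is a JSON body protected by an HMAC under a key shared by the app and the authentication server 50 (the patent says only that the data "may be encrypted", so any integrity-protecting encoding would do); a small tolerated clock skew between the two terminals; and QR rendering (step S304) is omitted. Note that the real-time expiration is minted by the authenticated-side terminal, so it guards against a copied or delayed code, not against a tampered app that holds the key.

```python
import base64
import hashlib
import hmac
import json
import secrets

TOKEN_TTL = 300.0  # first expiration period: about 5 minutes, paragraph [0036]
DELTA_T1 = 0.1     # update interval ΔT1: about 0.1 s, paragraph [0041]
RT_TTL = 0.5       # real-time expiration period: about 0.5 s, paragraph [0043]
SKEW = 0.05        # tolerated clock difference between terminals; an assumption, not in the patent
TAG_LEN = 32       # HMAC-SHA256 tag appended to the JSON body


def _encode(body: dict, key: bytes) -> bytes:
    """Serialize the body and append an integrity tag; the result is what the QR would carry."""
    data = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, data, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(data + tag)


class AuthServer:
    """Authentication server 50: issues one-time tokens (S210) and validates codes (S414-S416)."""

    def __init__(self, key: bytes):
        self.key = key
        self.tokens = {}  # one-time token -> absolute first expiration time

    def issue_token(self, now: float) -> str:
        token = secrets.token_urlsafe(16)
        self.tokens[token] = now + TOKEN_TTL
        return token

    def validate(self, code: bytes, now: float):
        """Both the one-time token and the real-time expiration must be unexpired."""
        raw = base64.urlsafe_b64decode(code)
        data, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
        expected = hmac.new(self.key, data, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return False, "integrity check failed"      # rt_exp altered, or key unknown
        body = json.loads(data)
        token_exp = self.tokens.get(body.get("token"))
        if token_exp is None:
            return False, "unknown or already used token"
        if now > token_exp:
            return False, "one-time token expired"      # first expiration (5 min)
        if now > body["rt_exp"] + SKEW:
            return False, "real-time expiration passed"  # second expiration (0.5 s)
        del self.tokens[body["token"]]                   # consume: it is a one-time token
        return True, "ok"


class ProverApp:
    """Authenticated-side terminal 42: re-mints the code every ΔT1 (S300-S302)."""

    def __init__(self, key: bytes, token: str, action: str = "login"):
        self.key, self.token, self.action = key, token, action

    def make_code(self, now: float) -> bytes:
        # S300: attach a fresh real-time expiration; S302: build the protected code data.
        # "action" stands for the predetermined information of paragraph [0038].
        body = {"token": self.token, "action": self.action,
                "rt_exp": round(now + RT_TTL, 3)}
        return _encode(body, self.key)

    def update_loop(self, start: float, seconds: float):
        """The sequence of codes the display would show over `seconds`, one per ΔT1 tick."""
        ticks = int(round(seconds / DELTA_T1))
        return [self.make_code(start + i * DELTA_T1) for i in range(ticks)]


def forge_longer_expiration(code: bytes, extra: float = 3600.0) -> bytes:
    """What a screenshot recipient without the key could try: push rt_exp into the future."""
    raw = base64.urlsafe_b64decode(code)
    data, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    body = json.loads(data)
    body["rt_exp"] += extra
    data = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(data + tag)  # the old tag no longer matches


def run_scenario():
    key = b"example-shared-key"  # constructed; a deployment would provision this per app
    t0 = 1_700_000_000.0         # constructed epoch time of the token request (S208)
    server = AuthServer(key)
    app = ProverApp(key, server.issue_token(t0))
    results = {}
    # [0060]: user A screenshots the code at t0+5 s; user B submits it 20 s later.
    shot = app.make_code(t0 + 5.0)
    results["screenshot_replay"] = server.validate(shot, t0 + 25.0)
    # B tries to extend rt_exp inside the screenshot without knowing the key.
    results["forged_rt_exp"] = server.validate(forge_longer_expiration(shot), t0 + 25.0)
    # Normal use: code read at t0+6.0 and forwarded to the server 0.3 s later.
    results["live"] = server.validate(app.make_code(t0 + 6.0), t0 + 6.3)
    # The same one-time token cannot be used a second time.
    results["second_use"] = server.validate(app.make_code(t0 + 6.5), t0 + 6.6)
    # Separate token: a fresh code, but submitted after the 5-minute token expiration.
    late_app = ProverApp(key, server.issue_token(t0))
    results["token_expired"] = server.validate(late_app.make_code(t0 + 360.0), t0 + 360.2)
    return results
```

In the replay case the five-minute token check still passes and only the real-time expiration rejects the code, which is the point of paragraph [0060]; the forged case shows why the expiration field needs integrity protection in the encoded data, since otherwise the recipient of a screenshot could simply rewrite it.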
[0061] Furthermore, as described above, in this embodiment, the authenticated information terminal 42 can update the two-dimensional code image at high speed, and is therefore not affected by communication delays caused by communication between the authentication server 50 and the authenticated information terminal 42. Accordingly, inconveniences such as failure to authenticate within the validity period due to communication delays (potentially impairing user convenience) can be reduced.
[0062] In the example described above with reference to Figures 2 to 4, the authentication terminal 40 is assumed to be used by the same user as the authenticated terminal 42. However, depending on the purpose of authentication, the relationship between the user of the authentication terminal 40 and the user of the authenticated terminal 42 can vary.
[0063] Furthermore, in the examples described above with reference to Figures 2 to 4, the authentication-side information terminal 40 is preferably a portable terminal device 20 (e.g., a smartphone), and the authenticated-side information terminal 42 is preferably a stationary terminal device 20 (e.g., a desktop computer). However, the forms of the authentication-side information terminal 40 and / or the authenticated-side information terminal 42 can vary depending on the application. For example, the authentication-side information terminal 40 may be a fixed terminal installed at a predetermined location. In this case, authentication via the authentication-side information terminal 40 may be used to prove that the user of the authenticated-side information terminal 42 is at the predetermined location at that time. Such applications are suitable for attendance confirmation, distribution of novelty items and other items at event venues, etc.
[0064] Furthermore, in the example described above with reference to Figures 2 to 4, steps S402 to S410 are executed due to the nature of the data transfer application (predetermined requirement), but in other applications, steps S402 to S410 may be omitted.
[0065] Furthermore, referring to Figures 2 to 4, the above example considers both the expiration date of the one-time token and the real-time expiration date, although the expiration date of the one-time token may be omitted.
[0066] Furthermore, while the examples described above with reference to Figures 2 to 4 are applications in the real world, they can also be applied to events in a virtual space. In the case of a virtual space, the authentication-side information terminal 40 is similarly a fixed terminal installed at a predetermined location, but it may be substantially implemented by the server device 10 on the virtual space's operating side. In other words, in the case of a virtual space, the authentication-side information terminal 40 and the authentication server 50 may be implemented as a single unit.
[0067] Furthermore, in a virtual space, there can be various methods by which a user holds up an authentication-side information terminal 40 to read a two-dimensional code image. It could simply be a method of giving a reading instruction near the location of the authentication-side information terminal 40, or it could be a method similar to that in the real world, such as pointing the display screen of the authenticated-side information terminal 42, such as a smartphone in the virtual space, towards the authentication-side information terminal 40.
[0068] Furthermore, in the example described above with reference to Figures 2 to 4, when the authenticated information terminal 42 executes the process in step S212 of Figure 2, an example of the "authentication information acquisition unit" or "authenticated side acquisition unit" described in the claims is realized. When the authenticated information terminal 42 executes the process in step S300 of Figure 3, an example of the "code update unit" described in the claims is realized. When the authenticated information terminal 42 executes the process in step S208 of Figure 2, an example of the "authentication information request unit" described in the claims is realized.
[0069] Furthermore, in the example described above with reference to Figures 2 to 4, an example of the "code acquisition unit" or "acquisition-side acquisition unit" described in the claims is realized when the authentication-side information terminal 40 executes the processes of steps S310 and S312 in Figure 3, and an example of the "determination unit" described in the claims is realized when the authentication-side information terminal 40 executes the process of step S400 in Figure 4 and / or when the authentication server 50 executes the processes of steps S414 and S416 in Figure 4. In addition, an example of the "authentication information issuance unit" described in the claims is realized when the authentication server 50 executes the processes of steps S210 and S212 in Figure 2, and an example of the "processing execution unit" described in the claims is realized when the authentication server 50 executes the process of step S418 in Figure 4.
[0070] Although each embodiment has been described in detail above, the invention is not limited to any particular embodiment, and various modifications and changes are possible within the scope described in the claims. Furthermore, it is possible to combine all or some of the components of the embodiments described above.
[0071] For example, in the embodiment described above, an authentication code in the form of a two-dimensional code image is used, but other codes, such as a one-dimensional code image, may be used instead of a two-dimensional code image. In this case, the other code may be readable by any reading terminal using RFID (Radio Frequency Identification), etc. Alternatively, a random sequence of numbers that can be recognized by image recognition may be used as the authentication code instead of a two-dimensional code image.
[0072] Furthermore, in the embodiment described above, the two-dimensional code image (and the two-dimensional code data derived therefrom) is updated on the authenticated information terminal 42 side rather than on the authentication server 50 side, but it may also be updated on the authentication server 50 side. In this case, the possibility of tampering on the authenticated information terminal 42 side can be effectively reduced.
[0073] The following additional notes are disclosed regarding the embodiments described above.
[Note 1] An information processing apparatus comprising: an authentication information acquisition unit that acquires authentication information; and a code update unit that updates an authentication code, which is readable from the outside or transmittable to the outside, at every predetermined period based on the authentication information and time information that changes at an update period of not more than the predetermined period.
[Note 2] The information processing apparatus according to Note 1, wherein the predetermined period is 1 second or less.
[Note 3] The information processing apparatus according to Note 1, wherein the authentication information acquisition unit acquires the authentication information from an external server in the form of a one-time token having a first length and a first expiration date.
[Note 4] The information processing apparatus according to Note 3, wherein the authentication code has a second expiration date corresponding to a second length, based on the time of update by the code update unit, and the second length is shorter than the first length.
[Note 5] The information processing apparatus according to Note 4, wherein the length of the predetermined period is shorter than the second length.
[Note 6] The information processing apparatus according to Note 4 or 5, wherein the validity of the authentication information is determined based on both the first expiration date and the second expiration date.
[Note 7] The information processing apparatus according to Note 6, wherein the determination relating to the second expiration date is performed based on the time information of the authentication side.
[Note 8] The information processing apparatus according to Note 1, wherein the authentication code is generated based on encrypted data derived from the authentication information and the time information.
[Note 9] The information processing apparatus according to Note 1, wherein the authentication code is in the form of a two-dimensional code image.
[Note 10] The information processing apparatus according to Note 1, further comprising an authentication information request unit that requests the authentication information in response to a predetermined input by a user.
[Note 11] An information processing apparatus comprising: a code acquisition unit that acquires an authentication code generated based on authentication information and time information that changes at an update period of not more than a predetermined period; and a determination unit that determines the validity of the authentication code based on the authentication code and time information.
[Note 12] The information processing apparatus according to Note 11, further comprising an authentication information issuing unit that issues the authentication information in the form of a one-time token having a first length and a first expiration date.
[Note 13] The information processing apparatus according to Note 12, wherein the authentication information issuing unit issues the authentication information based on a request received from the authenticated party, and transmits the issued authentication information to the authenticated party so that the authenticated party can generate the authentication code based on the authentication information.
[Note 14] The information processing apparatus according to Note 12, wherein the authentication code has a second expiration date corresponding to a second length, and the second length is shorter than the first length.
[Note 15] The information processing apparatus according to Note 14, wherein the determination unit determines the validity of the authentication code based on both the first expiration date and the second expiration date.
[Note 16] The information processing apparatus according to Note 11, further comprising a processing execution unit that performs a corresponding predetermined process based on a determination result by the determination unit indicating that the authentication code is valid.
[Note 17] An authentication system comprising a first information processing device on the authenticated side and a second information processing device on the authenticating side, wherein the first information processing device includes an authenticated-side acquisition unit that acquires authentication information, and a code update unit that updates an authentication code at every predetermined period based on the authentication information and time information that changes at an update period of not more than the predetermined period; and the second information processing device includes an authentication-side acquisition unit that acquires the authentication code, and a determination unit that determines the validity of the authentication code based on the authentication code and time information.
[Note 18] The authentication system according to Note 17, wherein the second information processing device further includes an authentication information issuing unit that issues the authentication information in the form of a one-time token having a first length and a first expiration date; the code update unit of the first information processing device updates the authentication code so that it has a second expiration date corresponding to a second length based on the update time; and the second length is shorter than the first length.
[Note 19] A program that causes a computer to execute a process of: acquiring authentication information; and updating, at every predetermined period, an authentication code that can be read from the outside or transmitted to the outside, based on the authentication information and time information that changes at an update period of not more than the predetermined period.
[Note 20] A program that causes a computer to execute a process of: acquiring an authentication code generated based on authentication information and time information that changes at an update period of less than a predetermined period; and determining the validity of the authentication code based on the authentication code and time information.
[Explanation of symbols]
[0074]
1 Authentication system
3 Network
10 Server device
11 Server communication unit
12 Server storage unit
13 Server control unit
20 Terminal device
21 Terminal communication unit
22 Terminal storage unit
23 Display unit
24 Input unit
25 Terminal control unit
40 Authentication-side information terminal (information processing device, second information processing device)
42 Authenticated-side information terminal (information processing device, first information processing device)
50 Authentication server (information processing device, second information processing device)
52 NTP server
54 Content server
Claims
1. An authentication system comprising: an authentication server that issues authentication information having a first expiration date set therein; an authenticated-side information terminal that acquires the authentication information from the authentication server and generates, based on the authentication information, an authentication code having a second expiration date shorter than the first expiration date; and an authentication-side information terminal that acquires the authentication code from the authenticated-side information terminal and obtains the authentication information together with the second expiration date by decrypting the authentication code, wherein the authentication-side information terminal determines whether the second expiration date has passed and, if the second expiration date has not passed, transmits the second expiration date and the authentication information to the authentication server, and the authentication server determines the validity of the authentication information based on the second expiration date.
2. The authentication system according to claim 1, wherein the authenticated-side information terminal updates the authentication code at an update period shorter than the length of the first expiration period, and when the second expiration date has passed, the authentication-side information terminal does not transmit the second expiration date and the authentication information to the authentication server but instead acquires the updated authentication code from the authenticated-side information terminal.
3. The authentication system according to claim 2, wherein the update of the authentication code is performed repeatedly within the first expiration period.
4. The authentication system according to claim 2, wherein the update cycle is 1 second or less.
5. The authentication system according to claim 1, wherein the authentication server determines the validity of the authentication information based on the first expiration date and the second expiration date.
6. The authentication system according to claim 1, wherein the authenticated-side information terminal and the authentication-side information terminal each perform time synchronization processing.
7. The authentication system according to claim 1, wherein the authentication code is in the form of a two-dimensional code image.
8. The authentication system according to claim 1, wherein the authenticated-side information terminal transmits an authentication information request to the authentication server in response to a user input for a predetermined request, and the authentication server generates the authentication information in response to the authentication information request.
9. The authentication system according to claim 8, wherein the authentication server executes a predetermined process corresponding to the predetermined request based on a determination result indicating that the authentication code is valid.
10. An authentication method comprising: a step, performed by an authentication server, of issuing authentication information having a first expiration date set therein; a step, performed by an authenticated-side information terminal, of acquiring the authentication information from the authentication server and generating, based on the authentication information, an authentication code having a second expiration date shorter than the first expiration date; steps, performed by an authentication-side information terminal, of acquiring the authentication code from the authenticated-side information terminal, decrypting the authentication code to obtain the authentication information together with the second expiration date, determining whether the second expiration date has passed, and, if it has not passed, transmitting the second expiration date and the authentication information to the authentication server; and a step, performed by the authentication server, of determining the validity of the authentication information based on the second expiration date.
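The two-tier expiration scheme laid out in Notes 1 to 20 and in claims 1, 2, 5 and 10 above can be exercised end to end with a small model of the three parties. The following is an added illustration written for this page, not code from the patent or from its assignee, and it makes several assumptions the page does not fix: a 60 s first expiration for the one-time token and a 5 s second expiration for each authentication code (the page only requires that the second length be shorter than the first and that the update period be 1 s or less); a symmetric key shared by the authenticated-side and authentication-side terminals so that the latter can decrypt the code as claim 1 requires; HMAC-SHA256 in counter mode with an encrypt-then-MAC tag as a stand-in for the unspecified cipher of Note 8; a JSON payload carrying the token and the second expiration date; a one-second clock-skew tolerance in place of the time synchronization of claim 6; and single-use enforcement of the token on the server, which the page implies by calling it a one-time token. The constructed timeline in `run_scenarios` shows a fresh code being accepted, the same code replayed and refused, a stale code being turned away at the reader so the updated code is read instead (claim 2), a fresh code whose underlying token has already passed its first expiration being refused by the server (claim 5), and a tampered code failing before any expiration check.

```python
import hashlib
import hmac
import json
import secrets

# Assumed parameters: the page fixes only "1 second or less" for the update period.
TOKEN_LIFETIME_S = 60.0  # first length: lifetime of the one-time token issued by the server
CODE_LIFETIME_S = 5.0    # second length: lifetime of one authentication code (shorter)
CLOCK_SKEW_S = 1.0       # tolerance for imperfect time synchronisation between the parties
NONCE_LEN, TAG_LEN = 16, 32

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 as a PRF in counter mode; stand-in for the cipher the page leaves unspecified."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def decrypt(key: bytes, blob: bytes):
    """Plaintext, or None when the blob is truncated or its tag fails to verify."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        return None
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))

class AuthenticationServer:
    """Issues one-time tokens carrying the first expiration date; makes the final decision."""
    def __init__(self) -> None:
        self._tokens, self._used = {}, set()  # token -> first expiry; tokens already consumed

    def issue_token(self, now: float) -> str:
        token = secrets.token_urlsafe(16)
        self._tokens[token] = now + TOKEN_LIFETIME_S
        return token

    def verify(self, token: str, second_expiry: float, now: float) -> str:
        if token not in self._tokens or token in self._used:
            return "rejected: token unknown or already used"
        if now > self._tokens[token] + CLOCK_SKEW_S:
            return "rejected: first expiry passed"  # claim 5: both dates are checked here
        if now > second_expiry + CLOCK_SKEW_S:
            return "rejected: second expiry passed"
        self._used.add(token)
        return "accepted"

class AuthenticatedTerminal:
    """Authenticated side (terminal 42): wraps the token into a short-lived encrypted code."""
    def __init__(self, key: bytes, token: str) -> None:
        self._key, self._token = key, token

    def current_code(self, now: float) -> bytes:
        # Called every update period; each code carries its own second expiration date.
        payload = {"token": self._token, "issued_at": now, "second_expiry": now + CODE_LIFETIME_S}
        return encrypt(self._key, json.dumps(payload).encode())

class AuthenticationSideTerminal:
    """Authentication side (terminal 40): decrypts, checks the second expiry locally, forwards."""
    def __init__(self, key: bytes, server: AuthenticationServer) -> None:
        self._key, self._server = key, server

    def read_code(self, code: bytes, now: float) -> str:
        plaintext = decrypt(self._key, code)
        if plaintext is None:
            return "rejected: code could not be decrypted"
        payload = json.loads(plaintext)
        if now > payload["second_expiry"] + CLOCK_SKEW_S:
            return "expired: re-read the updated code"  # claim 2: nothing is forwarded
        return self._server.verify(payload["token"], payload["second_expiry"], now)

def _setup(now: float):
    key = secrets.token_bytes(32)  # assumed: a symmetric key provisioned to both terminals
    server = AuthenticationServer()
    return AuthenticatedTerminal(key, server.issue_token(now)), AuthenticationSideTerminal(key, server)

def run_scenarios() -> dict:
    """Constructed timeline: the token is issued at t=100 s, so its first expiry is t=160 s."""
    holder, reader = _setup(100.0)
    code = holder.current_code(100.0)  # second expiry t=105 s
    fresh, replay = reader.read_code(code, 103.0), reader.read_code(code, 103.5)
    holder, reader = _setup(100.0)
    stale = reader.read_code(holder.current_code(100.0), 107.0)
    reread = reader.read_code(holder.current_code(107.0), 107.0)
    holder, reader = _setup(100.0)
    token_expired = reader.read_code(holder.current_code(170.0), 170.0)
    holder, reader = _setup(100.0)
    tampered = bytearray(holder.current_code(100.0))
    tampered[NONCE_LEN] ^= 0x01  # flip one ciphertext bit; the tag no longer verifies
    return {"fresh": fresh, "replay": replay, "stale": stale, "reread": reread,
            "token_expired": token_expired, "tampered": reader.read_code(bytes(tampered), 100.5)}
```

Calling `run_scenarios()` returns the outcome of each case. The design keeps the two decisions where the claims put them: the authentication-side terminal only ever compares the second expiration date against its own clock and otherwise forwards, while the server alone knows the first expiration date and whether the one-time token has already been consumed, so a code that a reader would still accept is still refused once the token behind it has lapsed or been used.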