Authentication processing device, authentication processing method, and program
The authentication processing device uses UUIDs and session IDs to verify user terminals, sending authentication URLs via SMS and checking for matching identifiers with time limits, effectively preventing unauthorized access and enhancing security against phishing attacks.
Patent Information
- Authority / Receiving Office
- JP · JP
- Patent Type
- Patents
- Current Assignee / Owner
- SUMITOMO MITSUI CARD
- Filing Date
- 2025-04-03
- Publication Date
- 2026-06-25
AI Technical Summary
Existing authentication technologies relying on passwords or authentication codes are vulnerable to real-time phishing fraud, necessitating the development of new methods that enhance security without relying on these traditional forms of verification.
An authentication processing device that utilizes UUIDs (Universally Unique Identifiers) and session IDs to verify the legitimacy of user terminals, generating and sending authentication URLs via SMS, and checking for matching UUIDs and session IDs to authorize application access, with time limits to prevent unauthorized access.
Prevents unauthorized access by requiring the UUIDs and session IDs to match and by rejecting attempts where the session ID differs or the time limit has elapsed, thereby enhancing security against phishing attacks and fraudulent access attempts.
Description
Technical Field
[0001] The present invention relates to an authentication processing apparatus, an authentication processing method, and a program based on an authentication technology that does not depend on a password or an authentication code.
Background Art
[0002] Conventionally, a predetermined user ID and password have been used as an authentication technology when using services such as systems and applications. However, if the user ID and password were leaked to a third party, anyone could use the service. Subsequently, two-factor authentication was introduced to enhance security. For example, an authentication technology that provides an authentication code such as a one-time password (OTP) by any communication means such as SMS (Short Message Service) has been used.
Prior Art Documents
Patent Documents
[0003]
Patent Document 1
Summary of the Invention
Problems to be Solved by the Invention
[0004] However, if a one-time password is stolen by the method of real-time phishing fraud, there has been a problem that a malicious third party can similarly use the service. In order to counter the method of real-time phishing fraud, in recent years, new online authentication technologies that do not depend only on passwords or authentication codes have been continuously explored. In Patent Document 1, a session ID associated with a session for information processing between a user terminal and a server is generated by the server, and this session ID is transmitted to the user terminal together with an authentication URL as an authentication code to be authenticated, and a warning function against phishing attacks is introduced.
[0005] As is well known to those in the industry, cyberattack methods are evolving rapidly, and security measures to counter them must also be continuously improved to keep up with the latest trends. Therefore, there is a need to continuously improve new online authentication technologies that do not rely on traditional passwords or authentication codes and cannot be breached by real-time phishing scams.
[0006] This invention was made to solve these problems and aims to provide an authentication processing device, an authentication processing method, and a program based on authentication technology that does not rely on passwords or authentication codes.
Means for Solving the Problem
[0007] To solve the above problems, the authentication processing device according to the present invention comprises a control unit and a storage unit, and the control unit is configured to execute the following:
- receiving authentication application information from the user terminal, the authentication application information including the user ID, the SMS number, and a first identifier of the user terminal;
- determining whether the matching SMS number read from the storage unit based on the user ID included in the authentication application information matches the SMS number included in the authentication application information;
- storing the first identifier of the user terminal included in the authentication application information in the storage unit, and generating an authentication URL for launching the application provided to the user terminal;
- sending the generated authentication URL to the user terminal via SMS;
- receiving authentication processing information from the user terminal, the authentication processing information including the user ID and a second identifier of the user terminal, the second identifier being information obtained by the user terminal in response to the authentication URL being selected on the user terminal;
- determining whether the first identifier of the user terminal read from the storage unit based on the user ID included in the authentication processing information matches the second identifier of the user terminal included in the authentication processing information; and
- if it is determined that the first identifier and the second identifier of the user terminal match, generating a message indicating that the authentication process has been successfully completed and providing it to the user terminal.
Effects of the Invention
[0008] According to the present invention, identity verification can be performed by checking whether the UUID obtained by the app at the time of authentication application matches the UUID obtained by the app launched from the authentication URL received via SMS. This prevents unauthorized access attempts using different devices. Furthermore, it can prevent unauthorized access even if the app's session ID is different or if a certain amount of time has elapsed since receiving the authentication URL.
Brief Explanation of the Drawings
[0009] A detailed understanding of the embodiments disclosed herein can be obtained from the following description illustrated in relation to the accompanying drawings.
- [Figure 1] A diagram showing the overall system configuration including the authentication processing device 10 according to the present invention.
- [Figure 2] A system configuration diagram of the authentication processing device 10 according to the present invention.
- [Figure 3] A diagram illustrating an example of the data structure of the user information DB 106.
- [Figure 4] A processing flow diagram illustrating the authentication technology that the authentication processing device 10 provides to the user terminal 11, which does not rely on passwords or authentication codes.
Modes for Carrying Out the Invention
[0010] Embodiments of the present invention will be described in detail below with reference to the drawings. In multiple drawings, the same reference numerals represent the same elements, and redundant descriptions are omitted. The examples given herein are illustrative and are not intended to limit the scope of this invention in any way.
[0011] (Overall structure and the function of each component) Figure 1 is a diagram of the entire system including the authentication processing device 10 according to the present invention. The authentication processing device 10 is connected to the user terminal 11 so as to be able to communicate with each other via any communication network 12 such as wired and / or wireless. In Figure 1, only one user terminal 11 is shown for illustrative purposes, but there may be multiple user terminals 11.
[0012] The authentication processing device 10 can obtain a first UUID (Universally Unique Identifier) of the user terminal 11 when any application is started and store it internally. The UUID is an identifier that can uniquely identify each user terminal 11. In response to obtaining the first UUID, the authentication processing device 10 can generate an authentication URL and send it to the user terminal 11 via SMS.
[0013] Furthermore, the authentication processing device 10 can also obtain the session ID of any application when it is first used.
[0014] The authentication processing device 10 obtains a second UUID acquired by the application executed when the authentication URL is tapped (selected) by the user terminal 11, performs authentication based on whether the first UUID and the second UUID match, and authorizes the execution of the application.
[0015] In addition, the authentication processing device 10 can also perform authentication by determining whether the session ID at the start of using an arbitrary application is the same as the session ID when the authentication URL is tapped (selected). Even if a third party fraudulently obtains the authentication URL and selects it, an authentication error will occur because the UUIDs are different. Because the authentication process has then already been performed once, the device may be configured so that an authentication error also occurs when a legitimate user subsequently selects the authentication URL.
[0016] In addition, the authentication processing device 10 can also execute the authentication process based on whether the authentication URL is tapped (selected) within a predetermined time. Even if a phishing site displays a screen requesting that the URL be entered, if the user taps (selects) the authentication URL while copying it, authentication will not succeed when the authentication URL is tapped later. Even if the URL can be copied without being tapped, a malicious third party will not be able to perform unauthorized access if the expiration time of the authentication URL is limited to a short time. The predetermined time used as the expiration time can be arbitrarily set by parameters or the like.
[0017] The authentication processing device 10 may be operated independently to link the authentication result to an external server and then cause communication between the subsequent user terminal 11 and the external server. Alternatively, the authentication processing device 10 may be included in an arbitrary server and be responsible for the authentication processing function in that server, and is not particularly limited.
[0018] The user terminal 11 may be any type of device operable in a wired and / or wireless environment (e.g., a smartphone, a mobile phone, a tablet terminal, etc.), and is not limited to a specific device or apparatus. The user terminal 11 can communicate with the authentication processing device 10 and transmit and receive various types of information. The user terminal 11 can make an authentication application by transmitting number information for SMS and a first UUID through an arbitrary application. The first UUID is obtained by the application. The user terminal 11 can receive an authentication URL by SMS. When the authentication URL is tapped (selected) by the user, the user terminal 11 transmits a second UUID obtained by the application associated with the tapped authentication URL to the authentication processing device 10.
[0019] In response to receiving information that the first UUID and the second UUID match, the user terminal 11 becomes able to use the application. On the other hand, when the user terminal 11 receives information that the first UUID and the second UUID do not match, it can receive an authentication error message from the authentication processing device 10. Additionally, whether the application can be used may be determined by the session ID of the application or the time until the authentication URL is tapped (selected) by the user.
[0020] (System Configuration) FIG. 2 is a system configuration diagram of the authentication processing device 10 according to the present invention. The authentication processing device 10 includes a control unit 101, a main storage unit 102, an auxiliary storage unit 103, an IF unit 104, and an output unit 105, which are interconnected by a bus 120 or the like, similar to a general computer. The authentication processing device 10 includes a user information DB 106 in the form of storage means such as a file / database in the auxiliary storage unit 103.
[0021] The control unit 101, also known as the central processing unit (CPU), controls each component of the authentication processing device 10 and performs data calculations. It also reads various programs stored in the auxiliary storage unit 103 into the main storage unit 102 and executes them. The main storage unit 102, also known as main memory, can store various received data, computer-executable instructions, and data after calculations performed by those instructions. The auxiliary storage unit 103 is a storage device such as a hard disk drive (HDD) or solid-state drive (SSD), and is used for long-term storage of data and programs.
[0022] Figure 2 shows an embodiment in which the control unit 101, main storage unit 102, and auxiliary storage unit 103 are located within the same computer. However, in other embodiments, the authentication processing device 10 can be configured to achieve parallel distributed processing across multiple computers by using multiple control units 101, main storage units 102, and auxiliary storage units 103. Furthermore, in other embodiments, it is possible to set up multiple servers for the authentication processing device 10 and have the multiple servers share a single auxiliary storage unit 103.
[0023] The IF unit 104 acts as an interface (IF) for sending and receiving data with other systems and devices, and also provides an interface for receiving various commands and input data (various masters, tables, etc.) from the system operator. The output unit 105 provides a display screen for displaying the processed data and printing means for printing the data.
[0024] Functional components similar to the control unit 101, main storage unit 102, auxiliary storage unit 103, IF unit 104, and output unit 105 also exist in the user terminal 11, but their description is omitted in this specification.
[0025] The user information DB 106 stores information about users who receive the authentication processing service described herein. Figure 3 is a diagram illustrating an example of the data structure of the user information DB 106. The user information DB 106 may include, but is not limited to, user ID 301, user information 302, matching SMS number 303, matching UUID 304, first authentication processing flag 305, matching session ID 306, second authentication processing flag 307, and authentication time limit 308.
[0026] The fields are as follows:
- User ID 301 is an identifier that identifies the user.
- User information 302 holds information about the user necessary for using the application, such as the user's name.
- Matching SMS number 303 is an SMS phone number to which information for user authentication is sent. The phone number stored in matching SMS number 303 may be pre-registered.
- Matching UUID 304 stores the UUID (first UUID) of the user terminal 11 obtained by the application when an authentication application is submitted at the start of application use.
- First authentication processing flag 305 is a flag indicating whether the UUID verification process is being performed.
- Matching session ID 306 is an identifier of the session at the time of the authentication application at the start of application use. A session refers to the period from the start to the end of communication between the user terminal 11 and the authentication processing device 10 via the application.
- Second authentication processing flag 307 is a flag indicating whether the authentication process was performed within the same session.
- Authentication time limit 308 indicates the time by which the authentication process must be completed. After this time, even legitimate users will be unable to authenticate and will need to start the authentication application process again. The authentication time limit 308 may be set to a short period of time after the authentication URL is generated and sent, in order to prevent fraud by third parties.
[0027] The following describes authentication technologies that do not rely on passwords or authentication codes and can be applied to one of the authentication processes in two-factor authentication.
[0028] (Processing flow for authentication technology that does not rely on passwords or authentication codes) Figure 4 is a processing flow diagram illustrating the authentication technology provided by the authentication processing device 10 to the user terminal 11, which does not rely on passwords or authentication codes. Prior to this authentication process, another authentication process of two-factor authentication (for example, authentication using a user ID and password) may be performed. Furthermore, it is assumed that an application compatible with the authentication technology described herein (hereinafter referred to as "compatible app") is provided and launched by the authentication processing device 10 on the user terminal 11. The authentication processing device 10 can communicate with the user terminal 11 via the compatible app.
[0029] In S401, the authentication processing device 10 receives authentication application information from the user terminal 11 via the compatible app. More specifically, the user enters an SMS number on a designated screen in the compatible app and presses the authentication application button. When the authentication processing device 10 receives a signal that the authentication application button has been pressed in the compatible app, it reads the UUID of the user terminal 11 using the functionality of the compatible app. The authentication processing device 10 receives authentication application information from the user terminal 11, which includes the user ID, the SMS number, and the UUID of the user terminal 11. This user ID may be the user ID itself, or it may be an authentication cookie generated from the user ID, etc. The authentication application information may also include the session ID of the session in which the authentication processing device 10 and the user terminal 11 are communicating via the compatible app.
[0030] In S402, the authentication processing device 10 queries the user information DB 106 based on the user ID included in the authentication application information and reads the matching SMS number from the matching SMS number 303. The authentication processing device 10 determines whether the SMS number included in the authentication application information matches the read matching SMS number. If a match is determined, the process proceeds to S403; on the other hand, if a mismatch is determined, the process proceeds to S408.
[0031] Furthermore, in S402, the authentication processing device 10 stores the UUID of the user terminal 11, which is included in the authentication application information, in the matching UUID 304 of the user information DB 106, associating it with the user ID. The authentication processing device 10 can generate an authentication URL that includes link information for launching the compatible app. As described above, the authentication processing device 10 can identify the compatible app that is provided to and running on the user terminal 11.
[0032] Additionally, in S402, the authentication processing device 10 can obtain a session ID for communication between the user terminal 11 and the authentication processing device 10, include it in the authentication application information, and store the obtained session ID in the matching session ID 306 of the user information DB 106 in association with the user ID.
[0033] In S403, the authentication processing device 10 sends the authentication URL generated in S402 to the user terminal 11 via SMS, and stores a predetermined time after the SMS transmission in the authentication time limit 308 of the user information DB 106. The stored time may be short enough to prevent fraudulent activity by third parties.
[0034] In S404, the user taps (i.e., selects) the authentication URL received via SMS on the user terminal 11. In response to the selection of the authentication URL, the compatible app is launched, and the authentication processing device 10 uses the functionality of the compatible app to read the UUID of the user terminal 11. The authentication processing device 10 receives authentication processing information from the user terminal 11, including the user ID and the UUID of the user terminal 11. Additionally, the authentication processing device 10 may also obtain the session ID for the communication between the user terminal 11 and the authentication processing device 10, and include it in the authentication processing information.
[0035] In S405, the authentication processing device 10 queries the user information DB 106 based on the user ID included in the authentication processing information and reads the matching UUID from the matching UUID 304. The authentication processing device 10 determines whether the UUID included in the authentication processing information matches the read matching UUID and stores the determined information in the first authentication processing flag 305. If a match is determined, the process proceeds to S406; on the other hand, if a mismatch is determined, the process proceeds to S407.
[0036] Additionally, the authentication processing device 10 queries the user information DB 106 based on the user ID included in the authentication processing information and reads the matching session ID from the matching session ID 306. The authentication processing device 10 can also determine whether the session ID included in the authentication processing information obtained in S404 matches the read matching session ID and store the determined information in the second authentication processing flag 307. If a match is determined, the process proceeds to S406; on the other hand, if a mismatch is determined, the process proceeds to S407.
[0037] Additionally, the authentication processing device 10 queries the user information DB 106 based on the user ID included in the authentication processing information to retrieve the time information of the authentication time limit 308. The authentication processing device 10 compares the time at which the authentication processing information was received with the retrieved time information. If the reception time is earlier than or the same as the retrieved time (reception time of the authentication processing information ≤ time information of the authentication time limit 308), the process proceeds to S406. Otherwise, the authentication URL is treated as expired and the process proceeds to S407.
[0038] In S406, the authentication processing device 10 generates a message indicating that the authentication process has been successfully completed and sends it to the user terminal 11 via the compatible app or directly.
[0039] In S407, the authentication processing device 10 generates a message indicating the error or specific information (for example, contact information) and sends it to the user terminal 11 via the compatible app or directly.
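The S401 to S407 flow above, as an added Python example that is not part of the patent or any code of the applicant. Assumptions: an in-memory dict stands in for user information DB 106, `send_sms` is a hypothetical callback, the 120-second limit and the URL are constructed placeholders, and flags 305/307 are read as "a determination has already been made", so any second attempt is refused as paragraph [0041] describes.

```python
import hmac
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

TTL_SECONDS = 120  # assumed value; the page only says "a predetermined time"
AUTH_URL = "https://auth.example/launch"  # constructed placeholder link to the compatible app


@dataclass
class UserRecord:
    """One row of user information DB 106 (field numbers from Figure 3)."""
    user_id: str                               # 301
    matching_sms_number: str                   # 303, pre-registered
    matching_uuid: Optional[str] = None        # 304
    uuid_checked: bool = False                 # 305 (assumed: "determination made")
    matching_session_id: Optional[str] = None  # 306
    session_checked: bool = False              # 307 (assumed: "determination made")
    time_limit: Optional[float] = None         # 308


def same_id(stored: Optional[str], presented: str) -> bool:
    """Constant-time comparison of a stored identifier with a presented one."""
    return stored is not None and hmac.compare_digest(stored.encode(), presented.encode())


class AuthServer:
    def __init__(self, users: Dict[str, UserRecord],
                 send_sms: Callable[[str, str], None],
                 clock: Callable[[], float] = time.time) -> None:
        self.users, self.send_sms, self.clock = users, send_sms, clock

    def apply(self, user_id: str, sms_number: str,
              device_uuid: str, session_id: str) -> bool:
        """S401-S403: check the SMS number, store identifiers, send the URL."""
        rec = self.users.get(user_id)
        if rec is None or not same_id(rec.matching_sms_number, sms_number):
            return False  # mismatch branch of S402: nothing stored, no SMS sent
        rec.matching_uuid, rec.matching_session_id = device_uuid, session_id
        rec.uuid_checked = rec.session_checked = False
        self.send_sms(rec.matching_sms_number, AUTH_URL)
        rec.time_limit = self.clock() + TTL_SECONDS  # S403: deadline after sending
        return True

    def process(self, user_id: str, device_uuid: str,
                session_id: str) -> Tuple[bool, str]:
        """S404-S407: decide on the information sent after the URL is tapped."""
        received_at = self.clock()
        rec = self.users.get(user_id)
        if rec is None or rec.matching_uuid is None or rec.time_limit is None:
            return False, "no pending application"
        if rec.uuid_checked or rec.session_checked:
            return False, "already used"
        # Record that a determination was made before any result is returned,
        # so a failed attempt by another device also consumes the URL.
        rec.uuid_checked = rec.session_checked = True
        if not same_id(rec.matching_uuid, device_uuid):
            return False, "uuid mismatch"
        if not same_id(rec.matching_session_id, session_id):
            return False, "session mismatch"
        if received_at > rec.time_limit:  # success only if received <= limit
            return False, "expired"
        return True, "ok"


def demo() -> List[Tuple[bool, str]]:
    """Constructed scenario: stolen URL, replay, normal use, late tap."""
    now = [1000.0]                       # constructed fake clock
    outbox: List[Tuple[str, str]] = []   # SMS messages "sent"
    number = "09000000000"               # constructed phone number
    srv = AuthServer({"u1": UserRecord("u1", number)},
                     lambda to, url: outbox.append((to, url)),
                     lambda: now[0])
    results = []
    srv.apply("u1", number, "uuid-A", "sess-1")
    results.append(srv.process("u1", "uuid-B", "sess-9"))  # different device
    results.append(srv.process("u1", "uuid-A", "sess-1"))  # same URL, second use
    srv.apply("u1", number, "uuid-A", "sess-1")
    results.append(srv.process("u1", "uuid-A", "sess-1"))  # same device, in time
    srv.apply("u1", number, "uuid-A", "sess-1")
    now[0] += TTL_SECONDS + 1
    results.append(srv.process("u1", "uuid-A", "sess-1"))  # after the time limit
    return results


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```
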
[0040] (Regarding the high level of security of this invention) As described above, in this invention, the UUID of the user terminal 11 at the time of authentication application is compared with the UUID of the user terminal 11 at the time of authentication processing, and if they match, subsequent processing can be performed. Each user terminal 11 is uniquely assigned a UUID, and furthermore, since the user has no way of knowing the UUID of the user terminal 11, there is no risk of the user leaking information to an external site.
[0041] Even if a third party intercepts the communication and steals the authentication URL, the UUID of the device used by the third party will be different from the matching UUID, so the third party will not be able to perform subsequent processing in the compatible app. Subsequently, even if a legitimate user taps the authentication URL, the determined information will already be stored in the first authentication processing flag 305 and the second authentication processing flag 307, so even a legitimate user will have to start the authentication process from the beginning or log in again.
[0042] Even if a third party prepares a fake website for copying the authentication URL, if the user taps the authentication URL when copying it, the compatible app will launch, and at that point the determined information will be stored in the first authentication processing flag 305 and the second authentication processing flag 307. Therefore, even if a third party obtains the authentication URL, they will not be able to perform subsequent processing in the compatible app. Even if the authentication URL is copied to the fake website without being tapped, it will be difficult for a third party to resolve the UUID issue within the short validity period and perform subsequent operations on the compatible app.
[0043] Although the principles of the present invention have been described above with reference to exemplary embodiments, those skilled in the art will understand that various embodiments with modifications in configuration and details can be realized without departing from the spirit of the invention. That is, the present invention can take the form of, for example, a system, apparatus, method, program, or storage medium.
Explanation of Symbols
[0044]
- 10 Authentication processing device
- 11 User terminal
- 12 Communication network
- 101 Control unit
- 102 Main storage unit
- 103 Auxiliary storage unit
- 104 IF unit
- 105 Output unit
- 106 User information DB
Claims
1. An authentication processing device comprising a control unit and a storage unit, wherein the control unit is configured to perform:
- receiving authentication application information from the user terminal, wherein the authentication application information includes the user ID, the SMS number, and the first identifier of the user terminal;
- determining whether the matching SMS number read from the storage unit based on the user ID included in the authentication application information matches the SMS number included in the authentication application information;
- storing the first identifier of the user terminal included in the authentication application information in the storage unit, and generating an authentication URL for launching the application provided to the user terminal;
- sending the generated authentication URL to the user terminal via SMS;
- receiving authentication processing information from the user terminal, wherein the authentication processing information includes the user ID and a second identifier of the user terminal, and the second identifier of the user terminal is information obtained by the user terminal in response to the authentication URL being selected on the user terminal;
- determining whether the first identifier of the user terminal read from the storage unit based on the user ID included in the authentication processing information matches the second identifier of the user terminal included in the authentication processing information; and
- if it is determined that the first identifier of the user terminal and the second identifier of the user terminal match, generating a message indicating that the authentication process has been successfully completed and providing it to the user terminal.
2. The authentication processing device according to claim 1, wherein the authentication application information further includes a first session ID of the session in which the authentication processing device and the user terminal are communicating, and the control unit is further configured to perform:
- if it is determined that the matching SMS number and the SMS number included in the authentication application information match, storing the first session ID included in the authentication application information in the storage unit;
- determining whether the first session ID read from the storage unit based on the user ID included in the authentication processing information matches the second session ID included in the authentication processing information; and
- if it is determined that the first session ID and the second session ID match, generating the message indicating that the authentication process has been successfully completed and providing it to the user terminal.
3. The authentication processing device according to claim 2, wherein sending the authentication URL to the user terminal via SMS includes storing, in the storage unit, a reference time that is a predetermined time after the SMS transmission time, and the control unit is further configured to compare the time of receipt of the authentication processing information with the reference time and, if the time of receipt is earlier than or the same as the reference time, to generate a message indicating that the authentication process has been successfully completed and provide it to the user terminal.
4. The authentication processing device according to claim 2, further configured to store in the storage unit information indicating that a determination has been made as to whether the first session ID and the second session ID match, in response to determining whether the first session ID and the second session ID match.
5. The authentication processing device according to claim 1, wherein sending the authentication URL to the user terminal via SMS includes storing, in the storage unit, a reference time that is a predetermined time after the SMS transmission time, and the control unit is further configured to compare the time of receipt of the authentication processing information with the reference time and, if the time of receipt is earlier than or the same as the reference time, to generate a message indicating that the authentication process has been successfully completed and provide it to the user terminal.
6. The authentication processing device according to claim 1, further configured to store in the storage unit information indicating that a determination has been made as to whether a first identifier of the user terminal matches a second identifier of the user terminal, in response to determining whether a first identifier of the user terminal matches a second identifier of the user terminal.
7. The authentication processing device according to claim 2, wherein the control unit is further configured to generate a predetermined message and provide it to the user terminal if it is not determined that the first identifier of the user terminal matches the second identifier of the user terminal, or if it is not determined that the first session ID matches the second session ID.
8. An authentication processing method performed by an authentication processing device comprising a control unit and a storage unit, the method including:
- receiving authentication application information from the user terminal, wherein the authentication application information includes the user ID, the SMS number, and the first identifier of the user terminal;
- determining whether the matching SMS number read from the storage unit based on the user ID included in the authentication application information matches the SMS number included in the authentication application information;
- storing the first identifier of the user terminal included in the authentication application information in the storage unit, and generating an authentication URL for launching the application provided to the user terminal;
- sending the generated authentication URL to the user terminal via SMS;
- receiving authentication processing information from the user terminal, wherein the authentication processing information includes the user ID and a second identifier of the user terminal, and the second identifier of the user terminal is information obtained by the user terminal in response to the authentication URL being selected on the user terminal;
- determining whether the first identifier of the user terminal read from the storage unit based on the user ID included in the authentication processing information matches the second identifier of the user terminal included in the authentication processing information; and
- if it is determined that the first identifier of the user terminal and the second identifier of the user terminal match, generating a message indicating that the authentication process has been successfully completed and providing it to the user terminal.
9. A program that, when executed, causes a computer to perform the method described in claim 8.