Identity authentication method, authentication platform, server, terminal, and related device

By obtaining authorization confirmation information from the user terminal and providing the target user's identity information to the service provider's server through the authentication platform, the problems of cumbersome registration process and privacy information leakage are solved, and identity authentication that simplifies registration and improves security is achieved.

WO2026138084A1 · PCT designated stage · Publication Date: 2026-07-02 · CHINA MOBILE INTERNET CO LTD +1

Patent Information

Authority / Receiving Office: WO · WO
Patent Type: Applications
Current Assignee / Owner: CHINA MOBILE INTERNET CO LTD
Filing Date: 2025-10-15
Publication Date: 2026-07-02

AI Technical Summary

Technical Problem

The registration process for network service providers in the current technology is cumbersome, and users' personal privacy information is easily leaked. In addition, users use the same account and password for convenience, which increases the risk of leakage.

Method used

The authentication platform obtains the service provider's personal information request, sends an authorization confirmation request to the target terminal, obtains the authorization confirmation information and verifies it, and then provides the pre-stored target user identity information to the service provider's server for authentication, reducing the number of form filling operations for users and improving security.

Benefits of technology

It simplifies the user registration process, reduces the risk of personal information leakage, and improves user experience and the security of identity authentication.

✦ Generated by Eureka AI based on patent content.

Abstract

The present application belongs to the technical field of communications. Disclosed are an identity authentication method, an authentication platform, a server, a terminal, and a related device. The method is applied to an authentication platform, and comprises: acquiring personal-information request information sent by a service provider server; by means of sending to a target terminal target personal-information request information among the personal-information request information, acquiring authorization confirmation information returned by the target terminal on the basis of the target personal-information request information; determining that the authorization confirmation information passes verification, and acquiring pre-stored target user identity information, which corresponds to the personal-information request information; and sending the target user identity information to the service provider server, such that the service provider server authenticates a user identity on the basis of the target user identity information. By means of the method, the operations a user performs, such as filling out a large number of forms during registration, can be reduced, thereby improving the user experience, preventing personal privacy leakage, and thus improving the security of identity authentication.

Description

Identity authentication methods, authentication platforms, servers, terminals and related equipment

[0001] Cross-reference to related applications

[0002] This application is based on and claims priority to Chinese Patent Application No. 202411905968.9, filed on December 23, 2024, the entire contents of which are incorporated herein by reference.

Technical Field

[0003] This application relates to the field of communication technology, and in particular to an identity authentication method, authentication platform, server, terminal and related equipment.

Background Technology

[0004] Currently, many internet service providers (ISPs) require users to register in order to better manage user information. During registration, users need to set up an account and password according to the ISP's requirements and fill in a large amount of personal information, such as profile picture, nickname, phone number, email address, real-name information, and interest tags. This information is stored on the ISP's servers, and users authenticate their identity using their account and password when logging in.

[0005] However, the cumbersome registration process and extensive information required often cause users to abandon registration when they only intend to try a particular service, which is detrimental to the business promotion of internet service providers. Furthermore, with the increasing number of internet service providers, users often choose the same username and password for ease of remembering. If the login process is compromised or a service provider's usernames and passwords are leaked, the reused credentials leave the user's accounts open to credential stuffing attacks, leading to the leakage of personal privacy information.

Summary of the Invention

[0006] This application provides an identity authentication method, authentication platform, server, terminal, and related equipment to at least solve the problems of cumbersome registration process and easy leakage of user's personal privacy information in the prior art.

[0007] To solve the above-mentioned technical problems, this application is implemented as follows:

[0008] In a first aspect, embodiments of this application provide an identity authentication method applied to an authentication platform, comprising: obtaining personal information request information sent by a service provider server, wherein the personal information request information is sent by the service provider server based on a registration request of a target terminal; obtaining authorization confirmation information returned by the target terminal based on the target personal information request information by sending target personal information request information in the personal information request information to the target terminal; determining that the authorization confirmation information has been verified, obtaining pre-stored target user identity information corresponding to the personal information request information; and sending the target user identity information to the service provider server so that the service provider server performs user identity authentication based on the target user identity information.

[0009] In a second aspect, this application provides an identity authentication method applied to a service provider server, comprising: obtaining a registration request sent by a target terminal; determining personal information request information based on the registration request; obtaining target user identity information by sending the personal information request information to an authentication platform; and authenticating the user identity based on the target user identity information.

[0010] In a third aspect, embodiments of this application provide an identity authentication method applied to a target terminal, comprising: responding to a registration request sent by the target terminal, obtaining target personal information request information sent by an authentication platform; obtaining authorization confirmation information returned based on the target personal information request information by displaying the target personal information request information; and sending the authorization confirmation information to the authentication platform, wherein the authentication platform is used to determine that the authorization confirmation information has been verified, and to send pre-stored target user identity information to the service provider server, so that the service provider server can authenticate the user identity based on the target user identity information.

[0011] In a fourth aspect, embodiments of this application provide an authentication platform, comprising: a registration response module configured to obtain personal information request information sent by a service provider server, wherein the personal information request information is sent by the service provider server based on a registration request from a target terminal; an authorization confirmation module configured to obtain authorization confirmation information returned by the target terminal based on the target personal information request information by sending target personal information request information from the personal information request information to the target terminal; an information acquisition module configured to determine that the authorization confirmation information has been verified and obtain pre-stored target user identity information corresponding to the personal information request list; and a first sending module configured to send the target user identity information to the service provider server so that the service provider server can authenticate the user identity based on the target user identity information.

[0012] In a fifth aspect, embodiments of this application provide a service provider server, including: a request acquisition module configured to acquire a registration request sent by a target terminal; an information determination module configured to determine personal information request information based on the registration request; a second sending module configured to acquire target user identity information corresponding to the personal information request information by sending the personal information request information to an authentication platform; and an identity authentication module configured to authenticate the user's identity based on the target user identity information.

[0013] In a sixth aspect, embodiments of this application provide a terminal, including: a registration response module configured to respond to a registration request sent by a target terminal to a service provider server and obtain target personal information request information sent by an authentication platform; an information display module configured to obtain authorization confirmation information returned based on the target personal information request information by displaying the target personal information request information; and a third sending module configured to send the authorization confirmation information to the authentication platform, wherein the authentication platform is used to determine that the authorization confirmation information has been verified and send pre-stored target user identity information to the service provider server, so that the service provider server can authenticate the user identity based on the target user identity information.

[0014] In a seventh aspect, embodiments of this application provide an electronic device, including a processor and a memory, wherein the memory stores a program or instructions executable on the processor, and the program or instructions, when executed by the processor, implement the steps of the method described in the first, second, or third aspect above.

[0015] In an eighth aspect, embodiments of this application provide a computer-readable storage medium on which a program or instructions are stored, which, when executed by a processor, implement the steps of the method described in the first, second, or third aspects above.

[0016] In a ninth aspect, embodiments of this application provide a computer program product, the computer program product including a computer program stored on a non-transitory computer-readable storage medium, the computer program including program instructions, which, when executed by a computer, cause the computer to perform the steps of the method described in the first, second, or third aspects above.

[0017] In this embodiment, the authentication platform obtains personal information request information sent by the service provider server; by sending the target personal information request information from the personal information request information to the target terminal, it obtains the authorization confirmation information returned by the target terminal based on the target personal information request information; after confirming that the authorization confirmation information has been verified, it obtains the pre-stored target user identity information corresponding to the personal information request information; and sends the target user identity information to the service provider server so that the service provider server can authenticate the user's identity based on the target user identity information. Thus, during the identity authentication process, the user, by authorizing the authentication platform, provides the target user identity information corresponding to the personal information request information to the service provider server, which can reduce the amount of form filling required during registration and improve the user experience. At the same time, the authentication platform provides the corresponding user identity information to the service provider server only after the authorization confirmation information has been verified, which can effectively prevent the leakage of personal privacy or unauthorized access, and improve the security of identity authentication.

[0018] It should be understood that the above general description and the following detailed description are exemplary and explanatory only, and do not limit this application.

Attached Figure Description

[0019] The accompanying drawings, which are incorporated in and form part of this specification, illustrate embodiments consistent with this application and, together with the description, serve to explain the principles of this application.

[0020] Figure 1 shows a schematic diagram of the identity authentication system provided in an embodiment of this application;

[0021] Figure 2 shows a flowchart of an identity authentication method provided in an embodiment of this application;

[0022] Figure 3 illustrates a schematic diagram of a user registering on an authentication platform according to an embodiment of this application;

[0023] Figure 4 shows a schematic diagram of the authentication platform obtaining the user agreement provided in an embodiment of this application;

[0024] Figure 5 shows a schematic diagram of the user initial registration authentication provided in an embodiment of this application;

[0025] Figure 6 shows a schematic diagram of user login authentication provided in an embodiment of this application;

[0026] Figure 7 shows another flowchart of the identity authentication method provided in the embodiments of this application;

[0027] Figure 8 shows another flowchart of the identity authentication method provided in the embodiments of this application;

[0028] Figure 9 shows a schematic diagram of the authentication platform provided in an embodiment of this application;

[0029] Figure 10 shows a schematic diagram of the structure of the service provider server provided in an embodiment of this application;

[0030] Figure 11 shows a schematic diagram of the structure of the terminal provided in an embodiment of this application;

[0031] Figure 12 shows a schematic diagram of the hardware structure of the electronic device provided in an embodiment of this application.

Detailed Implementation

[0032] Exemplary embodiments will now be described in detail, examples of which are illustrated in the accompanying drawings. When the following description relates to the drawings, unless otherwise indicated, the same numbers in different drawings denote the same or similar elements. The embodiments described in the following exemplary embodiments do not represent all embodiments consistent with this application. Rather, they are merely examples of apparatuses and methods consistent with some aspects of this application as detailed in the appended claims.

[0033] Currently, many internet service providers require users to register in order to better manage user information. During the registration process, users need to set up an account and password according to the requirements of the internet service provider, and fill in personal information such as avatar, nickname, phone number, and email address. The registration process is cumbersome, and users' personal privacy information is easily leaked.

[0034] To address the aforementioned problems in the user registration process, this application provides an identity authentication system, as shown in Figure 1. This system includes a target terminal 110, a service provider server 120, and an authentication platform 130. The target terminal 110 initiates a registration request to the service provider server 120, which returns corresponding personal information request information. The authentication platform 130 obtains this personal information request information and sends the target personal information request information from the personal information request information to the target terminal 110, obtaining authorization confirmation information returned by the target terminal 110 based on the target personal information request information. Once the authorization confirmation information is verified, the platform obtains pre-stored target user identity information corresponding to the personal information request information and sends the target user identity information to the service provider server 120, enabling the service provider server 120 to authenticate the user's identity based on the target user identity information. In this way, during the identity authentication process, the user, by authorizing the authentication platform 130, provides the target user identity information corresponding to the personal information request information to the service provider server 120, reducing the amount of form filling required during registration and improving the user experience. Meanwhile, the authentication platform 130 provides the corresponding target user identity information to the service provider server only after the authorization confirmation information is verified, which can effectively prevent the leakage of personal privacy or unauthorized access and improve the security of identity authentication.

[0035] Figure 2 shows a flowchart of an identity authentication method provided in an embodiment of this application. The execution entity of this method can be the authentication platform 130. As shown in the figure, the identity authentication method 200 may include the following steps:

[0036] Step 201: Obtain personal information request information sent by the service provider server, wherein the personal information request information is sent by the service provider server based on the registration request of the target terminal.

[0037] In specific implementation, a network service provider's application (APP) can be installed on the target terminal 110. The user sends a registration request to the corresponding service provider server 120 through the APP. The service provider server 120 generates personal information request information based on the registration request. Specifically, this personal information request information can be in list format, graph structure format, tree structure format, or other data structure formats. The authentication platform 130 also includes a software development kit (SDK) installed on the target terminal 110. The network service provider's APP can call the authentication platform 130's SDK to send the registration request and personal information request information to the authentication platform 130, requesting the generation and distribution of user identity information such as user identifier ID and initial personal information. In response to the registration request sent by the target terminal 110, the service provider server 120 returns the personal information request information based on the registration request. The authentication platform 130 obtains the personal information request information to determine the user identity information that the user needs to provide to the service provider server during registration.

[0038] In one exemplary embodiment, a user opens the registration page of an online payment platform on their mobile phone and submits a registration request. The backend server of the online payment platform generates a personal information request list containing necessary information, such as name, mobile phone number, and address, based on the registration request. The online payment platform sends the registration request and the personal information request list to the authentication platform 130 by calling the authentication platform's SDK. After the user authorizes the registration, the authentication platform 130 provides the corresponding user identity information to the online payment platform.

[0039] Step 202: By sending the target personal information request information from the personal information request information to the target terminal, obtain the authorization confirmation information returned by the target terminal based on the target personal information request information.

[0040] In practice, the authentication platform 130 sends a confirmation authorization request to the target terminal 110 based on the registration requirements of the service provider server 120. This confirmation authorization request includes the target personal information request information from the personal information request information. The target terminal 110 returns authorization confirmation information based on the target personal information request list. For example, the personal information request information sent by the service provider server to the authentication platform includes information A, information B, and information C. Information A does not involve privacy and does not require user authorization, while information B and information C have higher privacy requirements and require user authorization. In this case, only information B and information C can be sent to the user as the target personal information request information for authorization confirmation.

[0041] In this way, after screening the personal information request information, the authentication platform sends the target personal information request information with high privacy to the user for authorization confirmation. This can reduce the amount of data transmission, reduce the authorization burden on the user, and increase the probability of the user authorizing.

[0042] The target terminal 110 can query the International Mobile Subscriber Identity (IMSI) of the SIM card and the International Mobile Equipment Identity (IMEI) of the target terminal, and return the IMSI code of the SIM card and the IMEI code of the target terminal as authorization confirmation information to the authentication platform 130.

[0043] Optionally, the target terminal 110 can also display a list of personal information requests to the user through a preset display window. When the user browses the list of personal information requests through the display window and confirms that it is correct, the user enters the corresponding biometric information, such as fingerprint data, facial data, voice data, etc. The target terminal 110 returns the biometric information entered by the user as authorization confirmation information to the authentication platform 130.

[0044] Optionally, after obtaining the biometric information input by the user, the target terminal 110 can also query the IMSI code of the SIM card and the IMEI code of the target terminal, and return the biometric information, the IMSI code of the SIM card and the IMEI code of the terminal as authorization confirmation information to the authentication platform 130. Alternatively, it can perform encryption, hash operation and other processing on the biometric information, the IMSI code of the SIM card and the IMEI code of the target terminal before returning them to the authentication platform 130.

[0045] Step 203: Determine that the authorization confirmation information has been verified, and obtain the pre-stored target user identity information corresponding to the personal information request list.

[0046] In practice, the authentication platform 130 can verify the authorization confirmation information returned by the target terminal 110 based on the pre-stored information. When the authorization confirmation information is verified, the platform obtains the pre-stored target user identity information corresponding to the personal information request list.

[0047] In an exemplary embodiment, if the authorization confirmation information is fingerprint data input by the user, the authentication platform 130 can determine whether the authorization confirmation information has been verified by comparing the pre-stored fingerprint features with the user-input fingerprint data; if the authorization confirmation information is voice data input by the user, the authentication platform 130 can determine whether the authorization confirmation information has been verified by comparing the pre-stored voiceprint features with the user-input voice data; if the authorization confirmation information is biometric information, the IMSI code of the SIM card, and the IMEI code of the terminal, a digest can be generated based on the biometric information, the IMSI code of the SIM card, and the IMEI code of the terminal, and the authentication platform 130 can determine whether the authorization confirmation information has been verified by comparing the digest with a pre-stored target digest. Here, the target digest can be generated based on pre-stored target biometric information, target IMSI code, and target IMEI code.

[0048] Step 204: Send the target user identity information to the service provider server so that the service provider server can authenticate the user's identity based on the target user identity information.

[0049] In practice, the target user's identity information corresponding to the personal information request list is sent to the service provider server 120. The service provider server 120 then authenticates the user's identity based on the target user's identity information and completes the registration process.

[0050] By following the steps described above, during the identity authentication process, the user authorizes the authentication platform to provide the user identity information corresponding to the personal information request to the service provider's server, eliminating the need to fill out numerous forms and improving user experience. At the same time, the authentication platform provides the corresponding user identity information to the service provider's server only after the authorization confirmation information is verified, effectively preventing the leakage of personal privacy or unauthorized access.
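
Steps 201 to 204 seen from the authentication platform, as an added Python example that is not code from the patent or its applicant. The field names, the `NEEDS_AUTHORIZATION` policy, the `request_id` handle and the rule that a request is consumed by its first confirmation are assumptions made for the example; the authorization confirmation is treated as an opaque digest string.

```python
import hmac
import secrets
from dataclasses import dataclass

# Assumed policy: attributes that need user authorization ("information B and C").
# Anything else is treated like "information A" and is not shown for confirmation.
NEEDS_AUTHORIZATION = frozenset({"phone", "address", "real_name"})


@dataclass(frozen=True)
class PendingRequest:
    user_id: str
    requested: tuple  # everything the service provider server asked for
    target: tuple     # subset sent to the target terminal for confirmation


class AuthPlatform:
    def __init__(self, profiles, second_digests):
        self.profiles = profiles              # user_id -> pre-stored identity info
        self.second_digests = second_digests  # user_id -> pre-stored second digest
        self.pending = {}                     # request_id -> PendingRequest

    def receive_request(self, user_id, requested):
        """Step 201 and the outbound half of step 202."""
        target = tuple(f for f in requested if f in NEEDS_AUTHORIZATION)
        request_id = secrets.token_hex(8)     # hypothetical handle, not in the patent
        self.pending[request_id] = PendingRequest(user_id, tuple(requested), target)
        return request_id, target             # target goes to the terminal

    def confirm(self, request_id, first_digest):
        """Inbound half of step 202, then steps 203 and 204.

        Returns the identity information to send to the service provider
        server, or None when nothing may be released.
        """
        req = self.pending.pop(request_id, None)  # consumed by first confirmation
        if req is None:
            return None
        stored = self.second_digests.get(req.user_id)
        if stored is None:
            return None
        if not hmac.compare_digest(stored.encode(), first_digest.encode()):
            return None
        profile = self.profiles.get(req.user_id, {})
        # Release only what was requested, never the whole stored profile.
        return {f: profile[f] for f in req.requested if f in profile}


def demo():
    good = "ab" * 32  # constructed stand-in for a SHA-256 hex digest
    platform = AuthPlatform(
        profiles={"user-1": {"nickname": "sam", "phone": "+10000000000",
                             "address": "1 Example Street",
                             "email": "sam@example.test"}},  # constructed data
        second_digests={"user-1": good},
    )
    asked = ["nickname", "phone", "address"]
    rid, target = platform.receive_request("user-1", asked)
    rejected = platform.confirm(rid, "cd" * 32)   # digest does not match
    rid2, _ = platform.receive_request("user-1", asked)
    released = platform.confirm(rid2, good)
    replayed = platform.confirm(rid2, good)       # request already consumed
    return target, rejected, released, replayed


if __name__ == "__main__":
    print(demo())
```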

[0051] In one possible implementation, the authorization confirmation information includes at least one of first biometric information, first identity information, and first device serial number;

[0052] In step 202 above, determining that the authorization confirmation information has been verified includes:

[0053] A first digest is generated based on at least one of the first biometric information, the first identity information, and the first device serial number; if the first digest is determined to be the same as a pre-stored second digest, the authorization confirmation information is determined to be verified, wherein the second digest is generated based on at least one of the pre-stored target biometric information, target identity information, and target device serial number.

[0054] In this embodiment, the first biometric information may be biometric data such as fingerprint data, facial data, and voice data input by the user through the target terminal; the first identity recognition information may be the IMSI code of the SIM card carried on the target terminal 110; and the first device serial number may be the IMEI code of the target terminal 110. The authentication platform's SDK can logically encrypt the fingerprint data, the IMSI code of the target terminal's SIM card, and the IMEI code of the target terminal, then use SHA256 to generate a first digest, and subsequently send the first digest to the authentication platform. The authentication platform 130 compares the first digest with a pre-stored second digest; if they match, the authorization confirmation information is verified successfully. This second digest can be generated based on the target biometric information, target identity recognition information, and target device serial number obtained when the user registers on the authentication platform.

[0055] In this way, the authentication platform 130 verifies the authorization confirmation information by using the first biometric information, the first identity recognition information, and the first device serial number, which can ensure the consistency of the user, the terminal, and the SIM card, prevent risks such as identity forgery, terminal abuse, or SIM card theft, and further improve the security of identity authentication.

[0056] In one possible implementation, the above-described step of determining that the first digest is the same as the pre-stored second digest further includes:

[0057] Obtain user registration information corresponding to the target terminal, the user registration information including at least one of target biometric information, target identity information and target device serial number; logically encrypt the user registration information to obtain encrypted data; perform hash processing on the encrypted data to generate a second digest.

[0058] In this embodiment, a user can register on the authentication platform 130 using biometric information and terminal information, and provide the authentication platform with the corresponding information from the collection list of personal information. Specifically, as shown in Figure 3, the APP of the authentication platform installed on the target terminal 110 obtains the user registration information corresponding to the target terminal 110. This user registration information includes target biometric information, target identification information, and target device serial number. The target biometric information can be the user's fingerprint data, the target identification information can be the IMSI code of the SIM card, and the target device serial number can be the IMEI code of the target terminal. After logically encrypting the fingerprint data, IMSI code, and IMEI code, a second digest is generated using SHA256. The logical encryption involves encrypting the data through preset algorithms or mathematical logic operations such as adjusting sorting and interpolation.

[0059] To ensure security and data consistency, fingerprint data can be stored locally on the target terminal 110. After performing a similarity comparison on the fingerprint data locally, the target terminal 110 outputs a unique ID for the fingerprint data. The fingerprint data ID, the IMSI, and the IMEI are all unique. Therefore, the second digest generated after encryption according to the predetermined strategy is fixed. Subsequently, a new first digest is generated and compared with the second digest to ensure consistency between the person, card, and machine.

[0060] The authentication platform's app sends the second digest H(fingerprint + IMSI + IMEI) to the authentication platform 130. The authentication platform 130 generates a unique ID for the user and stores the second digest, thus registering the user's fingerprint data, SIM card IMSI code, and terminal IMEI code. Optionally, during the registration process described above, the target terminal 110 can also provide personal information to the authentication platform 130.

[0061] In this way, users can register for the authentication platform in advance on the platform's app and provide the platform with the corresponding personal information.
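
The digest registration and comparison described in [0053] to [0060], as an added Python example (not code from the patent or its applicant). The patent does not specify the "logical encryption" step, so `logical_encrypt` here is an assumed stand-in (fixed field reordering plus length prefixes); `DigestRegistry` is a hypothetical name and the identifier values are constructed.

```python
import hashlib
import hmac

# Assumed "adjusted sorting": fields are hashed in this fixed, non-natural order.
FIELD_ORDER = ("imei", "fingerprint_id", "imsi")


def logical_encrypt(fields):
    """Assumed stand-in for the unspecified 'logical encryption' step.

    Reorders the fields and length-prefixes each one so that field boundaries
    are unambiguous: ("12", "3") and ("1", "23") encode differently, which
    plain concatenation would not guarantee.
    """
    out = bytearray()
    for name in FIELD_ORDER:
        value = fields[name].encode("utf-8")
        out += len(value).to_bytes(2, "big") + value
    return bytes(out)


def make_digest(fingerprint_id, imsi, imei):
    """SHA-256 over the encoded fingerprint ID, IMSI and IMEI, as hex."""
    encoded = logical_encrypt(
        {"fingerprint_id": fingerprint_id, "imsi": imsi, "imei": imei})
    return hashlib.sha256(encoded).hexdigest()


class DigestRegistry:
    """Platform side: stores the second digest, compares the first digest."""

    def __init__(self):
        self._second = {}  # user_id -> second digest stored at registration

    def register(self, second_digest):
        user_id = f"user-{len(self._second) + 1}"  # unique ID for the user
        self._second[user_id] = second_digest
        return user_id

    def verify(self, user_id, first_digest):
        stored = self._second.get(user_id)
        if stored is None:
            return False
        # Constant-time comparison of the first and second digests.
        return hmac.compare_digest(stored.encode(), first_digest.encode())


def demo():
    # Constructed sample identifiers, not real subscriber or device values.
    fp, imsi, imei = "fp-7c1e", "001010123456789", "490154203237518"
    registry = DigestRegistry()
    user_id = registry.register(make_digest(fp, imsi, imei))
    return {
        "same person, card, machine":
            registry.verify(user_id, make_digest(fp, imsi, imei)),
        "different SIM":
            registry.verify(user_id, make_digest(fp, "001010999999999", imei)),
        "different terminal":
            registry.verify(user_id, make_digest(fp, imsi, "356938035643809")),
        "different fingerprint":
            registry.verify(user_id, make_digest("fp-0000", imsi, imei)),
        "unknown user":
            registry.verify("user-999", make_digest(fp, imsi, imei)),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'verified' if ok else 'rejected'}")
```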

[0062] In one possible implementation, step 203 above, before obtaining the pre-stored target user identity information corresponding to the personal information request information, further includes:

[0063] The system acquires business information and personal information from the user agreements of multiple service providers; clusters the multiple service providers based on their business information to obtain at least one target class; selects a target service provider from the service providers corresponding to each target class; determines a collection list based on the union of the personal information of the target service providers; and stores the collection list, which includes the target user's identity information.

[0064] In this embodiment, the user agreements are downloaded from publicly available channels; they are the agreements that users sign when the various network service providers provide their services. As shown in Figure 4, the authentication platform 130 obtains user agreements from multiple service providers and preprocesses them, mainly by standardization processing so that personal information is expressed uniformly. It then extracts from the user agreements the business information of the network service providers and the personal information they need to obtain. For example, if the network service provider is a game developer, its business information includes PC games, mobile games, web games, etc. Then, based on the business information of each service provider, the multiple service providers are clustered to obtain at least one target class. Network service providers in the same target class provide the same or similar services. Target service providers are selected from the service providers corresponding to each target class. A collection list is determined based on the union of the personal information of the target service providers.

[0065] The above-mentioned clustering process based on the business information of each service provider to obtain at least one target class includes:

[0066] Obtain feature words from the business information; encode the feature words to obtain the feature vector of the business information; and perform clustering processing on the multiple service providers based on the feature vector of the business information to obtain at least one target class.

[0067] In this embodiment, feature words are extracted from business information, and Word2vec is used to encode the feature words of all network service providers to obtain the feature vector of business information. K-means is then called to cluster multiple network service providers using the feature vector of business information to obtain K target classes.

[0068] The selection of a target service provider from the service providers corresponding to each of the target classes, as described above, includes:

[0069] For each target class, the service capabilities of the service providers corresponding to the target class are evaluated according to preset service capability evaluation rules to obtain a service capability estimate; the service capability estimate is used to indicate the service capabilities of the service providers; service providers whose service capability estimate meets a preset threshold are identified as the target service providers corresponding to the target class.

[0070] In this embodiment of the application, for each target class, N typical target service providers are selected. Specifically, the service capabilities of the service providers corresponding to the target class can be evaluated according to the preset service capability evaluation rules to obtain the service capability estimate. Service providers whose service capability estimate exceeds the preset threshold are identified as typical target service providers. The preset threshold can be selected based on experience or by sorting the service providers corresponding to the target class in descending order of the service capability estimate. The service capability estimate of the m-th ranked service provider is then determined as the preset threshold.

[0071] The aforementioned process of evaluating the service capabilities of service providers corresponding to the target class according to preset service capability evaluation rules to obtain a service capability estimate includes:

[0072] The first estimated value, the second estimated value, and the third estimated value are weighted and summed to obtain the estimated service capacity of the service provider.

[0073] Wherein, the first estimated value is the first number of messages sent by the service provider within a preset time period; the second estimated value is the sum of the service provider's user scale level and the proportion of active users; and the third estimated value is the second number of user replies to messages by the service provider within the preset time period.

[0074] In this embodiment of the application, the service capabilities of service providers can be evaluated using the following formula: among the K target classes, the N target service providers with the highest estimated service capabilities are selected respectively.

[0075] Wherein, Score is the service capability estimate; P is the first estimate, which can be the first number of messages sent by the service provider within a preset time period. The preset time period can be selected based on experience, such as the number of SMS messages sent by the service provider in the last 3 months. The first estimate is used to measure the overall operational capability of the service provider. N represents the number of messages with the same content that the service provider sends at one time, such as sending marketing text messages to all registered users within a certain time period. This value can measure the user scale of the network service provider to some extent. X represents the number of users. M represents the proportion of active users, which is the number of users whose messages sent by the service provider exceed the threshold within a preset time period. This value can measure the scale of active users of the network service provider to a certain extent. Q represents the second number of user replies to messages by the service provider within a preset time period. In practical applications, the messages sent by the service provider are mostly verification codes, notifications, advertisements, etc., with almost no actual interactive content. If users reply, it usually means unsubscribing, which can be used as a penalty. α, β, and γ are adjustable weights.

[0076] The aforementioned collection list includes a public information list and an extended information list;

[0077] Based on the union of the personal information of the target service providers, a collection list is determined, including:

[0078] The intersection of the personal information of the target service providers is determined as the public information list; the personal information in the collection list other than the public information list is determined as the extended information list.

[0079] In this embodiment, the collection list can be divided into a public information list and an extended information list. Both the public information list and the extended information list record users' personal information. The public information list contains frequently used personal information with a lower level of privacy. For example, user avatars, nicknames, phone numbers, email addresses, interest tags, etc. Users authorize the use of personal information in the public information list in a centralized manner, and network service providers can directly request personal information in the public information list from the authentication platform.

[0080] The extended information list contains personal information that is used less frequently or has a higher level of privacy. Examples include bank card information and real-name registration information. If a service provider wants to use this personal information, the user needs to grant separate authorization to the network service provider.

[0081] The authentication platform 130 may determine the collection list by combining the union of the personal information of the target service providers, and the public information list by combining the intersection of the personal information of the target service providers; and determine the extended information list by combining the personal information in the collection list other than the public information list.

[0082] In one possible implementation, step 204 above, sending the target user identity information to the provider server, includes:

[0083] If the target user's identity information is determined to be personal information in the extended information list, an authorization verification request is sent to the target terminal; the target terminal receives a confirmation operation based on the authorization verification request, and the target user's identity information is sent to the provider server.

[0084] In this embodiment, the authentication platform 130 determines whether the target user's identity information (e.g., name, ID card number, mobile phone number, etc.) is included in the extended information list. If the target user's identity information is personal information in the extended information list, it sends an authorization verification request to the target terminal 110. After the user completes the authorization verification on the target terminal 110, the target terminal 110 returns a confirmation operation to the authentication platform 130. The authentication platform 130 then sends the target user's identity information to the provider server 120, so that the service provider server 120 can authenticate the user's identity based on the target user's identity information.
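The list derivation of paragraphs [0076] to [0081] and the release rule of [0079] to [0084], as an added example that is not code from the patent. The provider names, field names and the `Decide` policy function are assumptions made for illustration, and the sample data is constructed.

```go
package main

import (
	"fmt"
	"sort"
)

// Lists holds the collection list (union of requested fields), the public
// information list (intersection) and the extended information list (the rest).
type Lists struct {
	Collection, Public, Extended []string
}

// BuildLists takes, per target service provider, the personal-information
// fields extracted from its user agreement.
func BuildLists(requested map[string][]string) Lists {
	var l Lists
	count := map[string]int{}
	for _, fields := range requested {
		seen := map[string]bool{}
		for _, f := range fields {
			if !seen[f] { // count a field once per provider
				seen[f] = true
				count[f]++
			}
		}
	}
	for f, n := range count {
		l.Collection = append(l.Collection, f)
		if n == len(requested) { // asked for by every target provider
			l.Public = append(l.Public, f)
		} else {
			l.Extended = append(l.Extended, f)
		}
	}
	sort.Strings(l.Collection)
	sort.Strings(l.Public)
	sort.Strings(l.Extended)
	return l
}

// Decision splits one provider's request into fields that can be sent now,
// fields that need a separate authorization prompt on the terminal, and
// fields outside the collection list that the user must first enter.
type Decision struct {
	Release, NeedsAuthorization, NotCollected []string
}

func toSet(items []string) map[string]bool {
	s := map[string]bool{}
	for _, i := range items {
		s[i] = true
	}
	return s
}

// Decide applies the rule: public fields are covered by the centralized
// authorization; extended fields are released only if the user has confirmed
// them for this provider (authorized), otherwise they are held back.
func Decide(l Lists, request []string, authorized map[string]bool) Decision {
	public, extended := toSet(l.Public), toSet(l.Extended)
	var d Decision
	for _, f := range request {
		switch {
		case public[f]:
			d.Release = append(d.Release, f)
		case extended[f] && authorized[f]:
			d.Release = append(d.Release, f)
		case extended[f]:
			d.NeedsAuthorization = append(d.NeedsAuthorization, f)
		default:
			d.NotCollected = append(d.NotCollected, f)
		}
	}
	return d
}

// sampleProviders is constructed data: three providers of one target class.
func sampleProviders() map[string][]string {
	return map[string][]string{
		"game-a": {"nickname", "phone", "email", "real_name"},
		"game-b": {"nickname", "phone", "email", "bank_card"},
		"game-c": {"phone", "nickname", "email"},
	}
}

func main() {
	l := BuildLists(sampleProviders())
	fmt.Println("collection:", l.Collection)
	fmt.Println("public:    ", l.Public)
	fmt.Println("extended:  ", l.Extended)
	d := Decide(l, []string{"nickname", "real_name", "bank_card", "address"},
		map[string]bool{"bank_card": true})
	fmt.Println("release now:        ", d.Release)
	fmt.Println("ask user first:     ", d.NeedsAuthorization)
	fmt.Println("not yet collected:  ", d.NotCollected)
}
```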

[0085] In one possible implementation, step 204 above, sending the target user identity information to the provider server, includes:

[0086] Based on the target user's identity information, a first digital certificate is generated; the first digital certificate is encrypted using the target private key to obtain a first digital signature; the first digital certificate, the first digital signature, and the target public key are sent to the provider's server, wherein the target private key corresponds to the target public key.

[0087] In this embodiment of the application, as shown in Figure 5, the authentication platform 130 generates a digital certificate based on the target user's identity information. The digital certificate may include information about the authentication platform 130, information about the network service provider corresponding to the service provider server 120, the user's personal information (user ID and target user identity information corresponding to the list of personal information requests authorized by the user), and the validity period. The digital certificate is encrypted using the target private key S to obtain a digital signature. The digital certificate, digital signature, and target public key S are returned to the target terminal 110, which provides them to the service provider server 120. The target private key corresponds to the target public key.

[0088] In one possible implementation, step 204 above, after sending the first digital certificate, the first digital signature, and the target public key to the provider server, further includes:

[0089] Obtain a login request sent by the service provider server; send the login request to the target terminal and obtain login authorization information returned by the target terminal based on the login request; if the login authorization information is verified successfully, authorize the service provider server to perform identity authentication based on the user identification information in the digital certificate.

[0090] In this embodiment of the application, as shown in Figure 6, when a user uses the network service provider's APP on the target terminal 110 for the first time, the network service provider's APP sends a login request to the authentication platform 130 by calling the authentication platform's SDK; the authentication platform 130 sends the login request to the target terminal 110 and obtains the login authorization information returned by the target terminal 110 based on the login request. The login authorization information may include the fingerprint data input by the user, the IMSI code of the current terminal's SIM card, and the IMEI code of the terminal; if the login authorization information is verified successfully, the service provider server 120 is authorized to perform identity authentication based on the user identification information in the digital certificate.

[0091] In one possible implementation, the login authorization information includes second biometric information, second identity information, and second device serial number;

[0092] The above-mentioned determination that the login authorization information verification is successful includes:

[0093] A third digest is generated based on the second biometric information, the second identity information, and the second device serial number; if the third digest is found to be the same as the pre-stored second digest, the login authorization information is verified as valid, wherein the second digest is generated based on the pre-stored target biometric information, target identity information, and target device serial number.

[0094] In this embodiment, the target terminal 110 can display a login request in a preset area and obtain the second biometric information input by the user based on the login request. The second biometric information can be fingerprint data. The authentication platform's SDK queries the IMSI code of the current terminal's SIM card and the IMEI code of the terminal, and after logically encrypting the fingerprint data, it uses SHA256 to generate a third digest. The user ID is extracted from the digital certificate, and the third digest and the user ID are sent to the authentication platform. The authentication platform compares the third digest with the pre-stored second digest. If the two are consistent, it determines that the login authorization information verification is successful.

[0095] In one possible implementation, prior to obtaining the login authorization information returned by the target terminal based on the login request, the method further includes:

[0096] Using the target public key, the first digital signature is decrypted to obtain the first authentication data, and the first digital certificate is hashed and encrypted to obtain the second authentication data.

[0097] If the first authentication data and the second authentication data are the same, obtain the login authorization information returned by the target terminal based on the login request.

[0098] In this embodiment of the application, the SDK of the authentication platform uses the target public key S to symmetrically decrypt the first digital signature to obtain the first authentication data value1, and performs hash encryption on the first digital certificate to obtain the second authentication data value2. When value1 and value2 are the same, the SDK of the authentication platform obtains the login authorization information returned by the target terminal based on the login request.

[0099] In one possible implementation, after sending the first digital certificate, the first digital signature, and the target public key to the provider server as described above, the method further includes:

[0100] In response to a request for new personal information sent by a service provider server, the system sends the request to the target terminal to obtain new authorization information returned by the target terminal based on the request. If the verification of the new authorization information is successful, the system obtains the new personal information corresponding to the target terminal and sends the new personal information to the service provider server. The new personal information is personal information located outside the digital certificate.

[0101] In this embodiment of the application, when the APP of the network service provider corresponding to the service provider server 120 uses personal information, it calls the SDK of the authentication platform to request the use of personal information (including requirements). At this time, the SDK of the authentication platform uses the public key S to perform symmetric decryption on the digital signature to obtain value3, and performs hash encryption on the digital certificate to obtain value4. When value3 and value4 are the same, it queries whether the personal information is located in the digital certificate.

[0102] If the personal information is in the digital certificate, the authentication platform will directly request the personal information (including the request). Regardless of whether the personal information is in the public information list or the extended information list, the authentication platform will directly return the personal information.

[0103] If the personal information is outside the digital certificate, i.e. newly added personal information, in most cases, the personal information is in the extended information list. In response to the request for new personal information sent by the service provider server 120, the SDK of the authentication platform obtains the identity information of the target terminal 110. If the identity information is verified, the SDK obtains the new personal information corresponding to the target terminal 110 and sends the new personal information to the service provider server 120.

[0104] The identity information includes third biometric information, third identity recognition information, and a third device serial number;

[0105] The above-mentioned determination that the identity information verification is successful includes:

[0106] A fourth digest is generated based on the third biometric information, the third identity information, and the third device serial number; if the fourth digest is the same as the pre-stored second digest, it is determined that the identity information has been verified.

[0107] In an exemplary embodiment, the authentication platform's SDK queries the IMSI code of the SIM card and the IMEI code of the target terminal 110, and after logically encrypting the fingerprint data, generates a fourth digest using SHA256. The fourth digest and the user ID are sent to the authentication platform. The authentication platform compares the fourth digest with the pre-stored second digest. If the two are consistent, the identity information verification is successful.
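The digest registration of paragraphs [0058] to [0060] and the digest comparisons of [0093] to [0094] and [0106] to [0107], as an added example that is not code from the patent. The page does not disclose its "logical encryption" step, so a length-prefixed field encoding is assumed in its place; the `Platform` store is hypothetical and the IMSI and IMEI values are constructed.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"encoding/binary"
	"errors"
	"fmt"
)

// Binding holds the three values the text combines into one digest.
type Binding struct {
	FingerprintID string // ID the terminal outputs after its local fingerprint match
	IMSI          string // identifies the SIM card
	IMEI          string // identifies the handset
}

// Digest hashes the fields with SHA-256. Assumption: a 4-byte length prefix
// per field stands in for the undisclosed "logical encryption" step, so that
// ("ab","c") and ("a","bc") can never produce the same input stream.
func (b Binding) Digest() [32]byte {
	h := sha256.New()
	for _, f := range []string{b.FingerprintID, b.IMSI, b.IMEI} {
		var n [4]byte
		binary.BigEndian.PutUint32(n[:], uint32(len(f)))
		h.Write(n[:])
		h.Write([]byte(f))
	}
	var out [32]byte
	copy(out[:], h.Sum(nil))
	return out
}

// ErrUnknownUser is returned when no second digest is stored for the user ID.
var ErrUnknownUser = errors.New("no digest registered for this user ID")

// Platform is a hypothetical in-memory stand-in for the authentication
// platform's store of second digests, keyed by the user ID it assigned.
type Platform struct {
	second map[string][32]byte
}

// NewPlatform returns an empty store.
func NewPlatform() *Platform { return &Platform{second: map[string][32]byte{}} }

// Register stores the second digest produced at enrolment.
func (p *Platform) Register(userID string, d [32]byte) { p.second[userID] = d }

// Verify compares a freshly computed digest (the "third" or "fourth" digest)
// with the stored second digest in constant time.
func (p *Platform) Verify(userID string, fresh [32]byte) (bool, error) {
	stored, ok := p.second[userID]
	if !ok {
		return false, ErrUnknownUser
	}
	return subtle.ConstantTimeCompare(stored[:], fresh[:]) == 1, nil
}

func main() {
	// Constructed sample values, not real identifiers.
	enrolled := Binding{FingerprintID: "fp-01", IMSI: "001010123456789", IMEI: "490154203237518"}
	p := NewPlatform()
	p.Register("user-1", enrolled.Digest())

	otherSIM := enrolled
	otherSIM.IMSI = "001010987654321"
	otherHandset := enrolled
	otherHandset.IMEI = "356938035643809"

	ok, err := p.Verify("user-1", enrolled.Digest())
	fmt.Println("same person, card and device:", ok, err)
	ok, err = p.Verify("user-1", otherSIM.Digest())
	fmt.Println("different SIM:", ok, err)
	ok, err = p.Verify("user-1", otherHandset.Digest())
	fmt.Println("different handset:", ok, err)
	ok, err = p.Verify("user-9", enrolled.Digest())
	fmt.Println("unregistered user ID:", ok, err)
}
```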

[0108] In one possible implementation, the above-mentioned acquisition of the newly added personal information corresponding to the target terminal includes:

[0109] If it is determined that the collection list includes newly added personal information corresponding to the target terminal, the newly added personal information corresponding to the target terminal is obtained from the collection list; if it is determined that the collection list does not include newly added personal information corresponding to the target terminal, a request for entering new personal information is sent to the target terminal, and the newly added personal information corresponding to the target terminal is obtained from the entry information returned by the target terminal based on the request for entering new personal information.

[0110] In this embodiment, if the authentication platform 130 determines that the pre-acquired collection list includes newly added personal information, it retrieves the newly added personal information corresponding to the target terminal from the collection list. If it determines that the collection list does not include the newly added personal information corresponding to the target terminal, i.e., the user has not entered newly added personal information, it sends a request for entering newly added personal information to the target terminal to prompt the user to enter personal information. The user returns the entered information based on the request for entering newly added personal information, and the newly added personal information corresponding to the target terminal is retrieved from the entered information.

[0111] In one possible implementation, sending the newly added personal information to the service provider server includes:

[0112] Based on the newly added personal information, a second digital certificate is generated; the second digital certificate is encrypted using the target private key to obtain a second digital signature; the second digital certificate, the second digital signature, and the target public key are sent to the provider server, wherein the target private key corresponds to the target public key.

[0113] In this embodiment, the authentication platform 130 regenerates a digital certificate, digital signature, and public key for the network service provider, adds the newly added personal information to the digital certificate, and sends the regenerated second digital certificate, second digital signature, and target public key to the provider server 120. Upon receiving the user's ID, the provider server 120 maps the user ID provided by the authentication platform to its own user ID, enabling registration and login, and granting the user corresponding business permissions based on the obtained personal information.

[0114] Figure 7 illustrates another flowchart of the authentication method provided in this application embodiment. The execution entity of this method is the service provider server 120. As shown in the figure, the authentication method 700 may include the following steps:

[0115] Step 701: Obtain the registration request sent by the target terminal.

[0116] In practice, a network service provider APP can be installed on the target terminal 110. The user sends a registration request to the corresponding service provider server 120 through the network service provider APP, and the service provider server 120 obtains the registration request.

[0117] Step 702: Determine the personal information request information based on the registration request.

[0118] In practice, the service provider server 120 determines the personal information request information based on the registration request, such as the target user's identity information that needs to be obtained during registration, including user ID, account name, account password, nickname, mobile phone number, email address, etc.

[0119] Step 703: Obtain the target user identity information corresponding to the personal information request information by sending the personal information request information to the authentication platform.

[0120] In practice, the network service provider's APP can call the authentication platform SDK to send personal information request information to the authentication platform 130, request the authentication platform 130 to generate and distribute user identity information such as user identifier ID and initial personal information, and obtain the target user identity information corresponding to the personal information request information returned by the authentication platform 130.

[0121] Step 704: Authenticate the user's identity based on the target user's identity information.

[0122] In practice, the service provider server 120 authenticates the user's identity based on the target user's identity information returned by the authentication platform 130.

[0123] Through the above steps, the service provider server sends personal information request information to the authentication platform. The user then authorizes the authentication platform to provide the target user identity information corresponding to the personal information request information to the service provider server. This reduces the amount of form filling required during registration and improves the user experience.

[0124] In one possible implementation, step 703 above, obtaining the target user's identity information by sending the personal information request information to the authentication platform, includes:

[0125] By sending the personal information request information to the authentication platform, the system obtains a first digital certificate, a first digital signature, and a target public key returned by the authentication platform; the system decrypts the first digital signature using the target public key to obtain decrypted information; if the decrypted information matches the information in the first digital certificate, the system determines the target user's identity information based on the first digital certificate.

[0126] In practice, the service provider server 120 uses the target public key S to symmetrically decrypt the first digital signature to obtain the decrypted information, performs hash encryption on the first digital certificate to obtain the verification information, and queries the target user's identity information in the first digital certificate when the decrypted information and the verification information are consistent.

[0127] This method ensures the legitimacy of the target user's identity information, prevents man-in-the-middle attacks and certificate forgery, and further improves the security of identity authentication.
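The issuing step of paragraphs [0086] to [0087] and the service provider's check of [0125] to [0126], as an added example that is not code from the patent. Assumptions: RSA-PSS over SHA-256 from Go's standard library implements the "hash, then sign with the private key" step, the JSON certificate layout is invented here, and the verifier checks against a copy of the platform public key it already holds rather than the key delivered with the certificate.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Certificate carries the fields listed in paragraph [0087]. The JSON layout
// and field names are assumptions made for this example.
type Certificate struct {
	Issuer    string            `json:"issuer"`   // authentication platform
	Provider  string            `json:"provider"` // service provider it is issued to
	UserID    string            `json:"user_id"`
	Info      map[string]string `json:"info"` // authorized personal information
	NotBefore time.Time         `json:"not_before"`
	NotAfter  time.Time         `json:"not_after"`
}

var (
	ErrSignature = errors.New("signature does not match certificate")
	ErrAudience  = errors.New("certificate was issued to another provider")
	ErrValidity  = errors.New("certificate is outside its validity period")
)

// NewKey generates a platform signing key (RSA-2048, an assumption).
func NewKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// Issue is the platform side: serialize the certificate, hash it with
// SHA-256 and sign the hash with the private key (RSA-PSS).
func Issue(priv *rsa.PrivateKey, c Certificate) (raw, sig []byte, err error) {
	if raw, err = json.Marshal(c); err != nil {
		return nil, nil, err
	}
	h := sha256.Sum256(raw)
	sig, err = rsa.SignPSS(rand.Reader, priv, crypto.SHA256, h[:], nil)
	return raw, sig, err
}

// Verify is the service provider side. trusted is the platform public key the
// provider already holds; checking against a key that merely arrived with the
// certificate would accept anything signed by whoever supplied that key.
func Verify(trusted *rsa.PublicKey, self string, raw, sig []byte, now time.Time) (*Certificate, error) {
	h := sha256.Sum256(raw)
	if rsa.VerifyPSS(trusted, crypto.SHA256, h[:], sig, nil) != nil {
		return nil, ErrSignature
	}
	var c Certificate
	if err := json.Unmarshal(raw, &c); err != nil {
		return nil, err
	}
	if c.Provider != self { // certificate names the provider it was issued to
		return nil, ErrAudience
	}
	if now.Before(c.NotBefore) || now.After(c.NotAfter) {
		return nil, ErrValidity
	}
	return &c, nil
}

// SampleCertificate returns constructed data valid for 24 hours from now.
func SampleCertificate(now time.Time) Certificate {
	return Certificate{
		Issuer: "auth-platform", Provider: "provider-a", UserID: "user-1",
		Info:      map[string]string{"nickname": "alice"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
	}
}

func main() {
	now := time.Date(2026, 1, 1, 0, 0, 0, 0, time.UTC)
	platform, err := NewKey()
	if err != nil {
		panic(err)
	}
	raw, sig, err := Issue(platform, SampleCertificate(now))
	if err != nil {
		panic(err)
	}
	c, err := Verify(&platform.PublicKey, "provider-a", raw, sig, now)
	fmt.Println("accepted for provider-a:", c != nil, err)
	_, err = Verify(&platform.PublicKey, "provider-b", raw, sig, now)
	fmt.Println("presented to provider-b:", err)
	_, err = Verify(&platform.PublicKey, "provider-a", raw, sig, now.Add(48*time.Hour))
	fmt.Println("two days later:", err)
}
```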

[0128] In one possible implementation, after authenticating the user's identity based on the target user's identity information in step 704 above, the method further includes:

[0129] In response to the login request sent by the target terminal, a login authorization request corresponding to the login request is sent to the authentication platform; a login authorization response returned by the authentication platform is obtained, the login authorization response being used to instruct the service provider server to perform identity authentication based on the user identification information in the first digital certificate.

[0130] In specific implementation, when the target terminal is not logging into the service provider server 120 for the first time, in response to the login request sent by the target terminal, the authentication platform SDK is called to send a login authorization request to the authentication platform 130, and the login authorization response returned by the authentication platform 130 is obtained. The service provider server 120 performs identity authentication based on the user identification information in the first digital certificate.

[0131] In one possible implementation, after authenticating the user's identity based on the target user's identity information in step 704 above, the method further includes:

[0132] Send a request to add personal information to the authentication platform, wherein the added personal information is personal information located outside the first digital certificate; obtain the added personal information corresponding to the target terminal returned by the authentication platform.

[0133] In practice, the service provider server 120 can also request the authentication platform 130 to send new personal information to further improve the user registration information.

[0134] Figure 8 shows another flowchart of the authentication method provided in this application embodiment. The execution subject of the method is the target terminal 110. As shown in the figure, the authentication method 800 may include the following steps:

[0135] Step 801: In response to the registration request sent by the target terminal to the service provider server, obtain the target personal information request information sent by the authentication platform.

[0136] In practice, a network service provider's app can be installed on the target terminal 110. The user sends a registration request to the corresponding service provider server 120 through that app. The service provider server 120 generates personal information request information based on the registration request. The service provider's app calls the authentication platform SDK, sending the target personal information request information to the authentication platform 130 and requesting the generation and distribution of target user identity information such as user ID and initial personal information. In response to the registration request sent by the target terminal 110, the authentication platform 130 obtains the personal information request information returned by the service provider server 120 based on the registration request. The authentication platform 130 then sends to the target terminal 110 the target personal information request information, that is, the part of the personal information request information that requires user authorization, and the target terminal 110 obtains the target personal information request information corresponding to the registration request.

[0137] Step 802: By displaying the target personal information request information, obtain the authorization confirmation information returned based on the target personal information request information.

[0138] In specific implementation, the target terminal 110 can display the target personal information request information sent by the authentication platform 130 in a preset display area. The user can browse the personal information request list through the display area. When the user confirms that the personal information request list can be provided to the provider server 120, the user can enter biometric information such as facial data, fingerprint data, and voice data in the target area. The target terminal 110 obtains the authorization confirmation information returned based on the personal information request list. The authorization confirmation information may include biometric information, identity recognition information, device serial number, etc.

[0139] Step 803: Send the authorization confirmation information to the authentication platform, wherein the authentication platform is used to determine that the authorization confirmation information has been verified and send the pre-stored target user identity information to the service provider server, so that the service provider server can authenticate the user identity based on the target user identity information.

[0140] In practice, the target terminal 110 sends the obtained authorization confirmation information to the authentication platform 130. The authentication platform 130 confirms that the authorization confirmation information has been verified and sends the target user identity information corresponding to the personal information request information to the service provider server 120. The service provider server 120 authenticates the user's identity based on the target user identity information.

[0141] Through the above steps, during the identity authentication process, the target terminal authorizes the authentication platform to provide the user's identity information corresponding to the personal information request to the service provider's server, eliminating the need to fill out numerous forms and improving user experience. At the same time, the authentication platform provides the corresponding user identity information to the service provider's server only after the authorization confirmation information is verified, effectively preventing the leakage of personal privacy or unauthorized access.

[0142] In one possible implementation, step 802 above, obtaining the authorization confirmation information returned based on the target personal information request information, includes:

[0143] Obtain first biometric information returned based on the personal information request information, and obtain first identity recognition information and first device serial number corresponding to the target terminal; determine authorization confirmation information based on the first biometric information, first identity recognition information and first device serial number.

[0144] In one possible implementation, after sending the authorization confirmation information to the authentication platform in step 803 above, the method further includes:

[0145] Obtain the authorization verification request sent by the authentication platform, wherein the authorization verification request is sent by the authentication platform when it determines that the target user's identity information is personal information in the extended information list;

[0146] In response to the confirmation operation based on the authorization verification request, the confirmation operation is sent to the authentication platform, and the target user's identity information is sent to the service provider's server through the authentication platform.

[0147] In one possible implementation, after sending the authorization confirmation information to the authentication platform in step 803 above, the method further includes:

[0148] In response to a login request sent by a target terminal to a service provider server, the system obtains a login authorization request sent by the authentication platform; determines login authorization information based on the login authorization request; and sends the login authorization information to the authentication platform, which, upon determining that the login authorization information has been verified, sends a login authorization response to the service provider server.

[0149] The aforementioned determination of login authorization information based on the login authorization request includes:

[0150] Obtain the second biometric information returned based on the login authorization request, and obtain the second identity information and the second device serial number corresponding to the target terminal; determine the login authorization information based on the second biometric information, the second identity information, and the second device serial number.

[0151] In one possible implementation, after sending the authorization confirmation information to the authentication platform in step 803 above, the method further includes:

[0152] In response to a request for new personal information sent by a service provider server, the identity information of the target terminal is sent to the authentication platform. The authentication platform is used to obtain the new personal information corresponding to the target terminal when it is determined that the identity information has been verified, and send the new personal information to the service provider server. The new personal information is personal information located outside the digital certificate.

[0153] In one possible implementation, after sending the authorization confirmation information to the authentication platform in step 803 above, the method further includes:

[0154] Obtain a new personal information entry request sent by the authentication platform; wherein, the new personal information entry request is sent by the authentication platform when it determines that the new personal information corresponding to the target terminal is not included in the collection list;

[0155] Based on the request to enter new personal information, the system returns the entered information to the authentication platform so that the authentication platform can obtain the new personal information corresponding to the target terminal from the entered information.

[0156] In one possible implementation, after sending the authorization confirmation information to the authentication platform in step 803 above, the method further includes:

[0157] Obtain the registration response sent by the service provider server, the registration response being used to indicate the authentication result of the user identity corresponding to the target user identity information.

[0158] In specific implementation, the registration response sent by the service provider server 120 can be displayed in a preset display area on the target terminal 110. The registration response can be a flag or status code to indicate the authentication result of the user identity corresponding to the target user identity information, such as authentication passed or authentication failed, so as to know the status of user authentication in a timely manner and perform corresponding follow-up operations based on the authentication result, such as continuing registration or obtaining related services.

[0159] Figure 9 shows a schematic diagram of the authentication platform provided in an embodiment of this application. This authentication platform can implement all or part of the content shown in the embodiment of Figure 2. The authentication platform 900 includes:

[0160] The registration response module 910 is configured to obtain personal information request information sent by the service provider server, wherein the personal information request information is sent by the service provider server based on the registration request of the target terminal;

[0161] The authorization confirmation module 920 is configured to send the target personal information request information in the personal information request information to the target terminal, and obtain the authorization confirmation information returned by the target terminal based on the target personal information request information.

[0162] Information acquisition module 930 is configured to, upon confirming that the authorization confirmation information has been verified, acquire pre-stored target user identity information corresponding to the personal information request list;

[0163] The first sending module 940 is configured to send the target user's identity information to the service provider server, so that the service provider server can authenticate the user's identity based on the target user's identity information.

[0164] In one possible implementation, the authorization confirmation information includes at least one of first biometric information, first identity information, and first device serial number;

[0165] The authorization confirmation module 920, when used to determine that the authorization confirmation information has been verified, is specifically configured as follows:

[0166] A first digest is generated based on at least one of the first biometric information, the first identity information, and the first device serial number;

[0167] If the first digest is determined to be the same as the pre-stored second digest, the authorization confirmation information is determined to be verified, wherein the second digest is generated based on at least one of the pre-stored target biometric information, target identification information, and target device serial number.

[0168] In one possible implementation, the authorization confirmation module 920 is further configured as follows:

[0169] Obtain user registration information corresponding to the target terminal, wherein the user registration information includes at least one of target biometric information, target identity information, and target device serial number;

[0170] The user registration information is logically encrypted to obtain encrypted data;

[0171] The encrypted data is hashed to generate a second digest.

[0172] In one possible implementation, the information acquisition module 930 is further configured as follows:

[0173] Obtaining business and personal information from user agreements of multiple service providers;

[0174] Based on the business information of each service provider, the multiple service providers are clustered to obtain at least one target class;

[0175] Select a target service provider from the service providers corresponding to each of the target classes;

[0176] A collection list is determined based on the union of the personal information of the target service providers;

[0177] The collection list is stored, and the collection list includes the target user's identity information.

[0178] In one possible implementation, the information acquisition module 930, when performing clustering processing on the multiple service providers based on their business information to obtain at least one target class, is specifically configured as follows:

[0179] Obtain the feature words from the business information;

[0180] The feature words are encoded to obtain the feature vector of the business information;

[0181] Based on the feature vectors of the business information, the multiple service providers are clustered to obtain at least one target class.

[0182] In one possible implementation, the information acquisition module 930, when selecting a target service provider from the service providers corresponding to each of the target classes, is specifically configured as follows:

[0183] For each target class, the service capabilities of the service providers corresponding to the target class are evaluated according to preset service capability evaluation rules to obtain a service capability estimate; the service capability estimate is used to indicate the service capabilities of the service providers.

[0184] Service providers whose estimated service capabilities meet a preset threshold are identified as the target service providers corresponding to the target class.

[0185] In one possible implementation, the information acquisition module 930, when evaluating the service capabilities of the service providers corresponding to the target class according to preset service capability evaluation rules to obtain a service capability estimate, is specifically configured as follows:

[0186] The first estimated value, the second estimated value, and the third estimated value are weighted and summed to obtain the estimated service capacity of the service provider.

[0187] Wherein, the first estimated value is the first number of messages sent by the service provider within a preset time period; the second estimated value is the sum of the service provider's user scale level and the proportion of active users; and the third estimated value is the second number of user replies to messages by the service provider within the preset time period.

[0188] In one possible implementation, the collection list includes a public information list and an extended information list;

[0189] The information acquisition module 930 is also configured as follows:

[0190] The intersection of the personal information of the target service providers is determined as the public information list;

[0191] The personal information in the collection list other than the public information list is defined as the extended information list.

[0192] In one possible implementation, the first sending module 940, when used to send the target user identity information to the service provider server, is specifically configured as follows:

[0193] If the target user's identity information is determined to be the personal information in the extended information list, an authorization verification request is sent to the target terminal;

[0194] The system receives the confirmation operation returned by the target terminal based on the authorization verification request and sends the target user's identity information to the service provider's server.
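The list construction of paragraphs [0173] to [0194], as an added example that is not code from the patent. The provider data, weights, and thresholds are constructed, and the bag-of-words encoding with greedy cosine clustering is an assumption, since the text names no encoding or clustering algorithm; all function names are hypothetical.

```python
import math

# Constructed sample data, one entry per service provider:
# (feature words, personal info requested, messages sent,
#  user scale level, active-user ratio, user replies)
PROVIDERS = {
    "bank_a": (["loan", "payment", "account"],
               {"name", "phone", "id_number", "bank_card"}, 900, 5, 0.6, 300),
    "bank_b": (["payment", "account", "card"],
               {"name", "phone", "id_number"}, 700, 4, 0.5, 200),
    "bank_c": (["loan", "account"],
               {"name", "phone", "income"}, 20, 1, 0.1, 2),
    "shop_a": (["delivery", "cart", "order"],
               {"name", "phone", "address"}, 800, 5, 0.7, 250),
    "shop_b": (["cart", "order", "coupon"],
               {"name", "phone", "address", "email"}, 600, 3, 0.4, 150),
}

WEIGHTS = (0.001, 0.1, 0.002)  # constructed weights for the three estimates
SCORE_THRESHOLD = 1.0          # constructed "preset threshold"
SIMILARITY_THRESHOLD = 0.5     # constructed clustering threshold


def encode(words, vocab):
    """Feature words -> binary bag-of-words feature vector."""
    return [1.0 if w in words else 0.0 for w in vocab]


def cosine(a, b):
    dot = sum(x * y for x, y in zip(a, b))
    norm = math.sqrt(sum(x * x for x in a)) * math.sqrt(sum(y * y for y in b))
    return dot / norm if norm else 0.0


def cluster(providers, threshold=SIMILARITY_THRESHOLD):
    """Greedy clustering: join the first class whose seed is similar enough."""
    vocab = sorted({w for p in providers.values() for w in p[0]})
    vectors = {name: encode(p[0], vocab) for name, p in providers.items()}
    classes = []  # each class is a list of names; its first member is the seed
    for name in providers:
        for members in classes:
            if cosine(vectors[name], vectors[members[0]]) >= threshold:
                members.append(name)
                break
        else:
            classes.append([name])
    return classes


def capability(provider, weights=WEIGHTS):
    """Weighted sum of the first, second and third estimated values."""
    _, _, sent, scale, active, replies = provider
    w1, w2, w3 = weights
    return w1 * sent + w2 * (scale + active) + w3 * replies


def build_lists(providers, score_threshold=SCORE_THRESHOLD):
    """Return (target providers, collection list, public list, extended list)."""
    targets = [name for members in cluster(providers) for name in members
               if capability(providers[name]) >= score_threshold]
    fields = [providers[name][1] for name in targets]
    collection = set().union(*fields)                        # union
    public = set.intersection(*fields) if fields else set()  # intersection
    return targets, collection, public, collection - public


def needs_authorization_verification(field, extended):
    """Extended-list items need a second confirmation from the terminal."""
    return field in extended
```
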

[0195] In one possible implementation, the first sending module 940, when used to send the target user identity information to the service provider server, is specifically configured as follows:

[0196] Generate a first digital certificate based on the target user's identity information;

[0197] The first digital certificate is encrypted using the target private key to obtain the first digital signature;

[0198] Send the first digital certificate, the first digital signature, and the target public key to the service provider server, wherein the target private key corresponds to the target public key.

[0199] In one possible implementation, the first sending module 940 is further configured as follows:

[0200] Obtain the login request sent by the service provider's server;

[0201] Send the login request to the target terminal and obtain the login authorization information returned by the target terminal based on the login request;

[0202] If the login authorization information is verified successfully, the service provider server is authorized to perform identity authentication based on the user identification information in the first digital certificate.

[0203] The login authorization information includes second biometric information, second identity information, and second device serial number;

[0204] The first sending module 940, when determining that the login authorization information verification has passed, is specifically configured as follows:

[0205] A third digest is generated based on the second biometric information, the second identity information, and the second device serial number;

[0206] If the third digest is found to be the same as the pre-stored second digest, the login authorization information is deemed to have been verified. The second digest is generated based on the pre-stored target biometric information, target identity information, and target device serial number.

[0207] In one possible implementation, the first sending module 940 is further configured as follows:

[0208] Using the target public key, the first digital signature is decrypted to obtain the first authentication data, and the first digital certificate is hashed and encrypted to obtain the second authentication data.

[0209] If the first authentication data and the second authentication data are the same, obtain the login authorization information returned by the target terminal based on the login request.

[0210] In one possible implementation, the first sending module 940 is further configured as follows:

[0211] In response to a request for new personal information sent by a service provider server, the identity information of the target terminal is obtained;

[0212] If the identity information verification is successful, the newly added personal information corresponding to the target terminal is obtained and sent to the service provider server, wherein the newly added personal information is personal information located outside the digital certificate.

[0213] The identity information includes third biometric information, third identity information, and third device serial number;

[0214] In one possible implementation, the first sending module 940, when determining that the identity information verification has passed, is specifically configured as follows:

[0215] A fourth digest is generated based on the third biometric information, the third identity information, and the third device serial number;

[0216] If the fourth digest is the same as the pre-stored second digest, the identity information is deemed to have been verified.
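The digest comparison used for the first digest ([0166] to [0171]), the third digest ([0205] to [0206]) and the fourth digest ([0215] to [0216]), as an added example that is not code from the patent. The text does not define "logical encryption", so the encrypt-then-hash step is replaced here by a single keyed hash (HMAC-SHA-256); the key, field values, and function names are constructed, and the biometric value is assumed to be a stable template reference, because an exact digest match cannot tolerate sample-to-sample variation.

```python
import hashlib
import hmac
import struct

# Constructed demo key; the patent does not describe key handling.
PLATFORM_KEY = b"constructed-demo-key"


def canonical(biometric: bytes, identity: str, serial: str) -> bytes:
    """Serialize the three fields with 4-byte length prefixes.

    Plain concatenation would let ("46000", "1SN") and ("460001", "SN")
    produce the same input; the prefixes keep field boundaries fixed.
    """
    parts = (biometric, identity.encode("utf-8"), serial.encode("utf-8"))
    return b"".join(struct.pack(">I", len(p)) + p for p in parts)


def make_digest(key: bytes, biometric: bytes, identity: str, serial: str) -> bytes:
    """Keyed digest over the canonical encoding (stands in for encrypt-then-hash)."""
    message = canonical(biometric, identity, serial)
    return hmac.new(key, message, hashlib.sha256).digest()


def enroll(store: dict, user_id: str, key: bytes,
           biometric: bytes, identity: str, serial: str) -> None:
    """Registration: keep only the second digest, never the raw fields."""
    store[user_id] = make_digest(key, biometric, identity, serial)


def verify(store: dict, user_id: str, key: bytes,
           biometric: bytes, identity: str, serial: str) -> bool:
    """Recompute the digest from the terminal's values; compare in constant time."""
    stored = store.get(user_id)
    if stored is None:
        return False
    candidate = make_digest(key, biometric, identity, serial)
    return hmac.compare_digest(stored, candidate)


def demo() -> dict:
    """Run the check on constructed values and return each outcome."""
    store = {}
    bio, ident, serial = b"template-7f3a", "460001234567890", "SN-A1B2C3"
    enroll(store, "user-1", PLATFORM_KEY, bio, ident, serial)
    return {
        "same_terminal": verify(store, "user-1", PLATFORM_KEY, bio, ident, serial),
        "other_device": verify(store, "user-1", PLATFORM_KEY, bio, ident, "SN-ZZZZZZ"),
        "unknown_user": verify(store, "user-2", PLATFORM_KEY, bio, ident, serial),
        "shifted_boundary_collides": (
            make_digest(PLATFORM_KEY, b"t", "46000", "1SN")
            == make_digest(PLATFORM_KEY, b"t", "460001", "SN")
        ),
    }
```
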

[0217] In one possible implementation, the first sending module 940, when used to obtain the newly added personal information corresponding to the target terminal, is specifically configured as follows:

[0218] If it is determined that the collection list includes newly added personal information corresponding to the target terminal, the newly added personal information corresponding to the target terminal is obtained from the collection list;

[0219] If it is determined that the collection list does not include the newly added personal information corresponding to the target terminal, a newly added personal information input request is sent to the target terminal, and the newly added personal information corresponding to the target terminal is obtained from the input information that the target terminal returns based on that request.

[0220] In one possible implementation, the first sending module 940, when used to send the newly added personal information to the service provider server, is specifically configured as follows:

[0221] A second digital certificate is generated based on the newly added personal information;

[0222] The second digital certificate is encrypted using the target private key to obtain the second digital signature;

[0223] Send the second digital certificate, the second digital signature, and the target public key to the service provider server, wherein the target private key corresponds to the target public key.

[0224] This application provides an authentication platform, including a registration response module, an authorization confirmation module, an information acquisition module, and a first sending module. The registration response module acquires personal information request information sent by a service provider server based on a registration request from a target terminal. The authorization confirmation module sends the target personal information request information from the personal information request information to the target terminal and acquires authorization confirmation information returned by the target terminal based on the target personal information request information. The information acquisition module determines that the authorization confirmation information has been verified and acquires the target user identity information corresponding to the personal information request list from a pre-stored collection list. The first sending module sends the target user identity information to the service provider server so that the service provider server can authenticate the user's identity based on the target user identity information. In this way, during the identity authentication process, the authorization authentication platform provides the user identity information corresponding to the personal information request list to the service provider server, eliminating the need to fill out numerous forms and improving user experience. Simultaneously, after the authorization confirmation information is verified, the authentication platform provides the corresponding user identity information to the service provider server, effectively preventing the leakage of personal privacy or unauthorized access.

[0225] Figure 10 shows a schematic diagram of the structure of a service provider server provided in an embodiment of this application. This service provider server can implement all or part of the content shown in the embodiment of Figure 7. The service provider server 1000 includes:

[0226] The request acquisition module 1010 is configured to acquire the registration request sent by the target terminal;

[0227] The information determination module 1020 is configured to determine personal information request information based on the registration request;

[0228] The second sending module 1030 is configured to obtain the target user identity information corresponding to the personal information request information by sending the personal information request information to the authentication platform;

[0229] The identity authentication module 1040 is configured to authenticate the user's identity based on the target user's identity information.

[0230] In one possible implementation, the second sending module 1030, when used to obtain the target user's identity information by sending the personal information request information to the authentication platform, is specifically configured as follows:

[0231] By sending the personal information request information to the authentication platform, the first digital certificate, the first digital signature, and the target public key returned by the authentication platform are obtained;

[0232] The first digital signature is decrypted using the target public key to obtain decrypted information;

[0233] If the decrypted information matches the information in the first digital certificate, the target user's identity information is determined based on the first digital certificate.
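The sign-and-verify exchange of paragraphs [0196] to [0198] and [0231] to [0233], as an added example that is not code from the patent. It assumes textbook RSA over a SHA-256 hash with constructed toy keys (standard library only, not production cryptography), JSON as the certificate encoding, and a copy of the platform public key pinned at the service provider in advance; all function names are hypothetical.

```python
import hashlib
import json

E = 65537  # public exponent


def toy_keypair(p: int, q: int):
    """Textbook RSA key from two primes: returns (n, e) and (n, d)."""
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))
    return (n, E), (n, d)


# Constructed demo keys built from known Mersenne primes so the block runs
# without third-party libraries; far too structured for real use.
PLATFORM_PUB, PLATFORM_PRIV = toy_keypair(2**127 - 1, 2**521 - 1)
OTHER_PUB, OTHER_PRIV = toy_keypair(2**89 - 1, 2**607 - 1)


def encode_certificate(identity: dict) -> bytes:
    """Deterministic encoding, so signer and verifier hash identical bytes."""
    return json.dumps(identity, sort_keys=True, separators=(",", ":")).encode("utf-8")


def _hash_int(data: bytes) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def issue(identity: dict, priv, pub) -> dict:
    """Authentication platform: certificate, signature and public key."""
    cert = encode_certificate(identity)
    n, d = priv
    return {
        "certificate": cert,
        "signature": pow(_hash_int(cert), d, n),  # hash processed with the private key
        "public_key": pub,
    }


def accept(message: dict, pinned_pub):
    """Service provider: return the identity fields, or None if any check fails."""
    # The attached key must equal the key provisioned out of band.
    if tuple(message["public_key"]) != tuple(pinned_pub):
        return None
    n, e = pinned_pub
    sig = message["signature"]
    if not isinstance(sig, int) or not 0 <= sig < n:
        return None
    # "Decrypt" the signature with the public key and compare with the
    # hash of the certificate that was actually received.
    if pow(sig, e, n) != _hash_int(message["certificate"]):
        return None
    return json.loads(message["certificate"])
```

Comparing the attached key with a pinned copy matters because a key that arrives in the same message as the signature says nothing about who produced that signature.
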

[0234] In one possible implementation, the service provider server 1000 also includes:

[0235] The login authorization module is configured to respond to a login request sent by the target terminal and send a login authorization request corresponding to the login request to the authentication platform.

[0236] Obtain the login authorization response returned by the authentication platform. The login authorization response is used to instruct the service provider server to perform identity authentication based on the user identification information in the first digital certificate.

[0237] In one possible implementation, the service provider server 1000 also includes:

[0238] The new-information request module is configured to send a request for new personal information to the authentication platform, wherein the new personal information is personal information located outside the first digital certificate;

[0239] Obtain the newly added personal information corresponding to the target terminal returned by the authentication platform.

[0240] This application provides a service provider server, including a request acquisition module, an information determination module, a second sending module, and an identity authentication module. The request acquisition module acquires a registration request sent by a target terminal; the information determination module determines personal information request information based on the registration request; the second sending module obtains the target user identity information corresponding to the personal information request information by sending the personal information request information to an authentication platform; and the identity authentication module authenticates the user's identity based on the target user identity information. In this way, by sending personal information request information to the authentication platform, and the user authorizing the authentication platform to provide the target user identity information corresponding to the personal information request information to the service provider server, the service provider server can reduce the amount of form filling required during registration and improve the user experience.

[0241] Figure 11 shows a schematic diagram of the structure of a terminal provided in an embodiment of this application. This terminal can implement all or part of the content shown in the embodiment of Figure 8. The terminal 1100 includes:

[0242] The registration response module 1110 is configured to respond to the registration request sent by the target terminal to the service provider server and obtain the target personal information request information sent by the authentication platform.

[0243] The information display module 1120 is configured to obtain authorization confirmation information returned based on the target personal information request information by displaying the target personal information request information;

[0244] The third sending module 1130 is configured to send the authorization confirmation information to the authentication platform, wherein the authentication platform is used to determine that the authorization confirmation information has been verified and to send the pre-stored target user identity information to the service provider server, so that the service provider server can authenticate the user identity based on the target user identity information.

[0245] In one possible implementation, terminal 1100 further includes:

[0246] The authorization verification module is configured to obtain the authorization verification request sent by the authentication platform, wherein the authorization verification request is sent by the authentication platform when it determines that the target user's identity information is personal information in the extended information list;

[0247] In response to the confirmation operation based on the authorization verification request, the confirmation operation is sent to the authentication platform, and the target user's identity information is sent to the service provider's server through the authentication platform.

[0248] In one possible implementation, terminal 1100 further includes:

[0249] The login verification module is configured to respond to a login request sent by the target terminal to the service provider server and obtain a login authorization request sent by the authentication platform.

[0250] Based on the login authorization request, determine the login authorization information;

[0251] The login authorization information is sent to the authentication platform, which, upon confirming that the login authorization information has been verified, sends a login authorization response to the service provider server.

[0252] In one possible implementation, terminal 1100 further includes:

[0253] The registration response module is configured to obtain the registration response sent by the service provider server, wherein the registration response is used to indicate the authentication result of the user identity corresponding to the target user identity information.

[0254] This application provides a terminal including a registration response module, an information display module, and a third sending module. The registration response module responds to a registration request sent by the target terminal to a service provider server, obtaining target personal information request information sent by an authentication platform. The information display module displays the target personal information request information and obtains authorization confirmation information returned based on it. The third sending module sends the authorization confirmation information to the authentication platform, wherein the authentication platform determines that the authorization confirmation information has been verified and sends pre-stored target user identity information to the service provider server, enabling the service provider server to authenticate the user's identity based on the target user identity information. In this way, the terminal provides the target user identity information corresponding to the personal information request information to the service provider server through the authorization authentication platform, eliminating the need for the user to fill out numerous forms, thus improving user experience. Simultaneously, after the authorization confirmation information is verified, the authentication platform provides the corresponding user identity information to the service provider server, effectively preventing the leakage of personal privacy or unauthorized access.

[0255] Figure 12 illustrates a hardware structure diagram of the electronic device provided in the embodiments of this application. Referring to the figure, at the hardware level, the electronic device 1200 includes a processor 1210, and optionally includes an internal bus 1220, a network interface 1230, and a memory 1240. The memory 1240 may include main memory 1241, such as high-speed random-access memory (RAM), and may also include non-volatile memory 1242, such as at least one disk storage device. Of course, the electronic device 1200 may also include other hardware required for other services.

[0256] The processor 1210, network interface 1230, and memory can be interconnected via an internal bus 1220. This internal bus 1220 can be an Industry Standard Architecture (ISA) bus, a Peripheral Component Interconnect (PCI) bus, or an Extended Industry Standard Architecture (EISA) bus, etc. The bus can be categorized as an address bus, data bus, control bus, etc. For ease of illustration, only a single bidirectional arrow is used in this diagram, but this does not imply that there is only one bus or one type of bus.

[0257] Memory 1240 stores programs. Specifically, the program may include program code, which includes computer operation instructions. Memory 1240 may include main memory 1241 and non-volatile memory 1242, and provides instructions and data to processor 1210.

[0258] Processor 1210 reads the corresponding computer program from non-volatile memory 1242 into memory and then runs it, forming a device for locating the target user at the logical level. Processor 1210 executes the program stored in memory and specifically performs the method disclosed in the embodiment shown in Figure 2, Figure 7, or Figure 8, and implements the functions and beneficial effects of the methods described in the foregoing method embodiments, which will not be repeated here.

[0259] The methods disclosed in the embodiments shown in Figures 2, 7, or 8 of this application can be applied to or implemented by the processor 1210. The processor 1210 may be an integrated circuit chip with signal processing capabilities. During implementation, each step of the above methods can be completed by integrated logic circuits in the hardware or by instructions in software within the processor 1210. The processor 1210 can be a general-purpose processor, including a central processing unit (CPU), a network processor (NP), etc.; it can also be a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA), or other programmable logic devices, discrete gate or transistor logic devices, or discrete hardware components. It can implement or execute the methods, steps, and logic block diagrams disclosed in the embodiments of this application. The general-purpose processor can be a microprocessor or any conventional processor. The steps of the method disclosed in the embodiments of this application can be directly manifested as being executed by a hardware decoding processor, or executed by a combination of hardware and software modules in the decoding processor. The software modules can reside in random access memory, flash memory, read-only memory, programmable read-only memory, electrically erasable programmable memory, registers, or other mature storage media in the art. This storage medium is located in memory, and the processor reads information from the memory and, in conjunction with its hardware, completes the steps of the above method.

[0260] The computer device can also execute the methods described in the preceding method embodiments and achieve the functions and beneficial effects of the methods described in the preceding method embodiments, which will not be repeated here.

[0261] Of course, in addition to software implementation, the electronic device 1200 of this application does not exclude other implementation methods, such as logic devices or a combination of hardware and software, etc. In other words, the execution subject of the following processing flow is not limited to each logic unit, but can also be hardware or logic devices.

[0262] This application also proposes a computer-readable storage medium that stores one or more programs. When executed by an electronic device including multiple applications, the one or more programs cause the electronic device to perform the methods disclosed in the embodiments shown in Figure 2, Figure 7, or Figure 8 and achieve the functions and beneficial effects of the methods described in the foregoing method embodiments, which will not be repeated here.

[0263] The computer-readable storage medium includes read-only memory (ROM), random access memory (RAM), magnetic disks, or optical disks, etc.

[0264] Furthermore, this application also provides a computer program product, which includes a computer program stored on a non-transitory computer-readable storage medium. The computer program includes program instructions which, when executed by a computer, implement the method disclosed in the embodiment shown in Figure 2, Figure 7, or Figure 8 and achieve the functions and beneficial effects of the methods described in the preceding method embodiments, which will not be repeated here.

[0265] The embodiments of this application can be applied to various scenarios of electronic device collaboration or interconnection, including: collaboration and interconnection between mobile phones and laptops / tablets; collaboration and interconnection between mobile terminals and smart TVs / monitors; collaboration and interconnection between mobile phones or tablets and in-vehicle entertainment systems; collaboration and interconnection between mobile terminals and smart conferencing systems, etc. This satisfies users' diverse needs in smart home, smart office, and smart travel scenarios.

[0266] In summary, the above description is merely a preferred embodiment of this application and does not limit the scope of protection of this application. Any modifications, equivalent substitutions, improvements, etc., made within the spirit and principles of this application should be included within the scope of protection of this application.

[0267] The systems, devices, modules, or units described in the above embodiments can be implemented by computer chips or entities, or by products with certain functions. A typical implementation device is a computer. Specifically, a computer can be, for example, a personal computer, laptop computer, cellular phone, camera phone, smartphone, personal digital assistant, media player, navigation device, email device, game console, tablet computer, wearable device, or any combination of these devices.

[0268] Computer-readable media include both permanent and non-permanent, removable and non-removable media that can store information by any method or technology. Information can be computer-readable instructions, data structures, program modules, or other data. Examples of computer storage media include, but are not limited to, phase-change memory (PRAM), static random access memory (SRAM), dynamic random access memory (DRAM), other types of random access memory (RAM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), flash memory or other memory technologies, CD-ROM, digital versatile disc (DVD) or other optical storage, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other non-transmission medium that can store information accessible to a computing device. As defined herein, computer-readable media do not include transitory computer-readable media, such as modulated data signals and carrier waves.

[0269] It should also be noted that the terms "comprising," "including," or any other variations thereof are intended to cover non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements includes not only those elements but also other elements not expressly listed, or elements inherent to such a process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising one..." does not exclude the presence of other identical elements in the process, method, article, or apparatus that includes said element.

[0270] The various embodiments in this specification are described in a progressive manner. Similar or identical parts of the embodiments can be cross-referenced, and each embodiment focuses on its differences from the other embodiments. In particular, the system embodiments are basically similar to the method embodiments, so their description is relatively brief; for the relevant parts, refer to the descriptions in the method embodiments.

Claims

1. An identity authentication method, applied to an authentication platform, comprising: obtaining personal information request information sent by a service provider server, wherein the personal information request information is sent by the service provider server based on a registration request of a target terminal; sending target personal information request information among the personal information request information to the target terminal, and obtaining authorization confirmation information returned by the target terminal based on the target personal information request information; once the authorization confirmation information is verified, obtaining pre-stored target user identity information corresponding to the personal information request information; and sending the target user identity information to the service provider server, so that the service provider server can authenticate the user identity based on the target user identity information.

2. The method according to claim 1, wherein the authorization confirmation information includes at least one of the following: first biometric information, first identity recognition information, and a first device serial number; and the step of determining that the authorization confirmation information has been verified successfully includes: generating a first digest based on at least one of the first biometric information, the first identity recognition information, and the first device serial number; and if the first digest is determined to be the same as a pre-stored second digest, determining that the authorization confirmation information is verified, wherein the second digest is generated based on at least one of pre-stored target biometric information, target identity information, and a target device serial number.

3. The method according to claim 2, wherein, before determining that the first digest is the same as the pre-stored second digest, the method further includes: obtaining user registration information corresponding to the target terminal, wherein the user registration information includes at least one of target biometric information, target identity information, and a target device serial number; logically encrypting the user registration information to obtain encrypted data; and hashing the encrypted data to generate the second digest.
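
The digest comparison of claims 2 and 3 (reused in claims 11 and 14), as an added Go example that is not part of the patent text. It assumes HMAC-SHA-256 under a platform-held key in place of the unspecified "logically encrypt, then hash" step, a stable biometric template identifier, and constructed sample values; all type and function names are hypothetical.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// Factors holds the three inputs named in claims 2 and 3. BiometricRef is
// assumed to be a stable template identifier: raw biometric captures differ
// from sample to sample and would never reproduce the same digest.
type Factors struct {
	BiometricRef string
	IdentityInfo string
	DeviceSerial string
}

// encode length-prefixes each field so that shifting a field boundary
// ("ab","c" versus "a","bc") cannot yield the same byte string.
func encode(f Factors) []byte {
	var out []byte
	for _, s := range []string{f.BiometricRef, f.IdentityInfo, f.DeviceSerial} {
		var n [4]byte
		binary.BigEndian.PutUint32(n[:], uint32(len(s)))
		out = append(out, n[:]...)
		out = append(out, s...)
	}
	return out
}

// Digest stands in for the "encrypt, then hash" step of claim 3 using
// HMAC-SHA-256 under a platform-held key (an assumption). The key stops an
// offline guess of low-entropy inputs such as serial numbers if the stored
// digests leak.
func Digest(key []byte, f Factors) []byte {
	mac := hmac.New(sha256.New, key)
	mac.Write(encode(f))
	return mac.Sum(nil)
}

// Verify recomputes the first digest from what the terminal returned and
// compares it with the stored second digest in constant time.
func Verify(key, stored []byte, submitted Factors) bool {
	return hmac.Equal(Digest(key, submitted), stored)
}

func main() {
	key := []byte("constructed-demo-key") // constructed value
	enrolled := Factors{"tmpl-7f3a", "ID-0001", "SN-ABC123"}
	stored := Digest(key, enrolled)

	fmt.Println("same factors:  ", Verify(key, stored, enrolled))
	fmt.Println("other device:  ", Verify(key, stored, Factors{"tmpl-7f3a", "ID-0001", "SN-ABC124"}))
	fmt.Println("shifted fields:", Verify(key, stored, Factors{"tmpl-7f3aID", "-0001", "SN-ABC123"}))
}
```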

4. The method according to claim 1, wherein, before obtaining the pre-stored target user identity information corresponding to the personal information request information, the method further includes: obtaining business information and personal information from the user agreements of multiple service providers; clustering the multiple service providers based on the business information of each service provider to obtain at least one target class; selecting a target service provider from the service providers corresponding to each of the target classes; determining a collection list based on the union of the personal information of the target service providers; and storing the collection list, wherein the collection list includes the target user identity information.

5. The method according to claim 4, wherein the step of selecting a target service provider from the service providers corresponding to each of the target classes includes: for each target class, evaluating the service capabilities of the service providers corresponding to the target class according to preset service capability evaluation rules to obtain a service capability estimate, wherein the service capability estimate is used to indicate the service capabilities of the service providers; and identifying the service providers whose service capability estimates meet a preset threshold as the target service providers corresponding to the target class.

6. The method according to claim 5, wherein the step of evaluating the service capabilities of the service providers corresponding to the target class according to preset service capability evaluation rules to obtain a service capability estimate includes: weighting and summing a first estimated value, a second estimated value, and a third estimated value to obtain the service capability estimate of the service provider, wherein the first estimated value is a first number of messages sent by the service provider within a preset time period; the second estimated value is the sum of the service provider's user scale level and the proportion of active users; and the third estimated value is a second number of user replies to messages by the service provider within the preset time period.

7. The method according to claim 4, wherein the collection list includes a public information list and an extended information list; and the step of determining the collection list based on the union of the personal information of the target service providers includes: determining the intersection of the personal information of the target service providers as the public information list; and defining the personal information in the collection list other than the public information list as the extended information list.

8. The method according to claim 7, wherein sending the target user identity information to the service provider server includes: if the target user identity information is determined to be personal information in the extended information list, sending an authorization verification request to the target terminal; and receiving the confirmation operation returned by the target terminal based on the authorization verification request, and sending the target user identity information to the service provider server.
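
The collection-list construction of claims 4 to 7 and the release rule of claim 8, as an added Go example that is not part of the patent text. Clustering is taken as already done, and the weights, threshold, provider data and all names are assumptions.

```go
package main

import "fmt"

// Provider is one member of a target class (clustering is taken as done).
type Provider struct {
	Sent, Replies           float64  // first and third estimated values
	ScaleLevel, ActiveRatio float64  // their sum is the second estimated value
	Fields                  []string // personal information in the user agreement
}

// Weights and the threshold are assumed; the claims give no values.
type Weights struct{ W1, W2, W3 float64 }

// Score is the weighted sum of claim 6.
func Score(p Provider, w Weights) float64 {
	return w.W1*p.Sent + w.W2*(p.ScaleLevel+p.ActiveRatio) + w.W3*p.Replies
}

// CollectionList is the union of the target providers' fields, split in two.
type CollectionList struct{ Public, Extended map[string]bool }

// Build keeps providers whose score reaches the threshold (claim 5) and
// splits the union of their fields into intersection and rest (claim 7).
func Build(ps []Provider, w Weights, threshold float64) CollectionList {
	count, targets := map[string]int{}, 0
	for _, p := range ps {
		if Score(p, w) < threshold {
			continue
		}
		targets++
		seen := map[string]bool{} // count a field once per provider
		for _, f := range p.Fields {
			if !seen[f] {
				seen[f] = true
				count[f]++
			}
		}
	}
	cl := CollectionList{map[string]bool{}, map[string]bool{}}
	for f, n := range count {
		if n == targets {
			cl.Public[f] = true // requested by every target provider
		} else {
			cl.Extended[f] = true
		}
	}
	return cl
}

// Decide applies claim 8 to one requested field: "release", "confirm" (ask
// the terminal first) or "absent" (not stored, so nothing is released).
func Decide(cl CollectionList, field string, confirmed bool) string {
	switch {
	case cl.Public[field], cl.Extended[field] && confirmed:
		return "release"
	case cl.Extended[field]:
		return "confirm"
	}
	return "absent"
}

// Sample returns constructed providers; the third scores below the threshold.
func Sample() []Provider {
	return []Provider{
		{Sent: 100, Replies: 40, ScaleLevel: 3, ActiveRatio: 0.6, Fields: []string{"name", "phone", "email"}},
		{Sent: 80, Replies: 60, ScaleLevel: 4, ActiveRatio: 0.5, Fields: []string{"name", "phone", "address"}},
		{Sent: 10, Replies: 2, ScaleLevel: 1, ActiveRatio: 0.1, Fields: []string{"name", "id_number"}},
	}
}

func main() {
	cl := Build(Sample(), Weights{0.4, 0.2, 0.4}, 50)
	fmt.Println(cl.Public, cl.Extended, Decide(cl, "email", false))
}
```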

9. The method according to claim 1, wherein sending the target user identity information to the service provider server includes: generating a first digital certificate based on the target user identity information; encrypting the first digital certificate using a target private key to obtain a first digital signature; and sending the first digital certificate, the first digital signature, and a target public key to the service provider server, wherein the target private key corresponds to the target public key.

10. The method according to claim 9, wherein, after sending the first digital certificate, the first digital signature, and the target public key to the service provider server, the method further includes: obtaining a login authorization request sent by the service provider server; sending the login authorization request to the target terminal, and obtaining login authorization information returned by the target terminal based on the login request; and if the login authorization information is verified successfully, sending a login authorization response to the service provider server, wherein the login authorization response is used to instruct the service provider server to perform identity authentication based on the user identification information in the first digital certificate.

11. The method according to claim 10, wherein the login authorization information includes second biometric information, second identity information, and a second device serial number; and the step of determining that the login authorization information has been verified successfully includes: generating a third digest based on the second biometric information, the second identity information, and the second device serial number; and if the third digest is determined to be the same as the pre-stored second digest, determining that the login authorization information is verified, wherein the second digest is generated based on the pre-stored target biometric information, target identity information, and target device serial number.

12. The method according to claim 10, wherein, before obtaining the login authorization information returned by the target terminal based on the login request, the method further includes: decrypting the first digital signature using the target public key to obtain first authentication data, and hashing and encrypting the first digital certificate to obtain second authentication data; and if the first authentication data and the second authentication data are the same, obtaining the login authorization information returned by the target terminal based on the login request.

13. The method according to claim 9, wherein, after sending the first digital certificate, the first digital signature, and the target public key to the service provider server, the method further includes: in response to a request for newly added personal information sent by the service provider server, obtaining identity information of the target terminal; and if the identity information is verified successfully, obtaining the newly added personal information corresponding to the target terminal and sending it to the service provider server, wherein the newly added personal information is personal information located outside the first digital certificate.

14. The method according to claim 13, wherein the identity information includes third biometric information, third identity recognition information, and a third device serial number; and the step of determining that the identity information has been verified includes: generating a fourth digest based on the third biometric information, the third identity recognition information, and the third device serial number; and if the fourth digest is the same as the pre-stored second digest, determining that the identity information is verified.

15. The method according to claim 13, wherein the step of obtaining the newly added personal information corresponding to the target terminal includes: if it is determined that the collection list includes the newly added personal information corresponding to the target terminal, obtaining the newly added personal information corresponding to the target terminal from the collection list; and if it is determined that the collection list does not include the newly added personal information corresponding to the target terminal, sending a newly added personal information input request to the target terminal, and obtaining the newly added personal information corresponding to the target terminal from the input information returned by the target terminal based on the newly added personal information input request.

16. The method according to claim 13, wherein sending the newly added personal information to the service provider server includes: generating a second digital certificate based on the newly added personal information; encrypting the second digital certificate using the target private key to obtain a second digital signature; and sending the second digital certificate, the second digital signature, and the target public key to the service provider server, wherein the target private key corresponds to the target public key.

17. An authentication method applied to a service provider server, comprising: obtaining a registration request sent by a target terminal; determining personal information request information based on the registration request; sending the personal information request information to an authentication platform, and obtaining target user identity information corresponding to the personal information request information; and authenticating the user identity based on the target user identity information.

18. The method according to claim 17, wherein the step of obtaining the target user identity information by sending the personal information request information to the authentication platform includes: sending the personal information request information to the authentication platform, and obtaining the first digital certificate, the first digital signature, and the target public key returned by the authentication platform; decrypting the first digital signature using the target public key to obtain decrypted information; and if the decrypted information matches the information in the first digital certificate, determining the target user identity information based on the first digital certificate.
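
The sign-and-verify exchange of claims 9, 12 and 18, as an added Go example that is not part of the patent text. It assumes Ed25519 and a JSON certificate (the claims name neither), and it has the service provider accept the delivered public key only if it matches a fingerprint pinned at onboarding, because a key that arrives beside the signature proves nothing by itself; all names are hypothetical.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
)

// Certificate is a hypothetical container for the released identity fields;
// the claims do not define the certificate format.
type Certificate struct {
	Subject string            `json:"subject"`
	Fields  map[string]string `json:"fields"`
}

var (
	ErrUnknownKey   = errors.New("public key is not the pinned platform key")
	ErrBadSignature = errors.New("signature does not cover these certificate bytes")
)

// NewPlatformKey generates a signing key pair for the authentication platform.
func NewPlatformKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// Fingerprint is what the service provider records when it onboards with the
// platform, over a channel separate from the registration messages.
func Fingerprint(pub ed25519.PublicKey) [32]byte { return sha256.Sum256(pub) }

// Issue is the platform side (claim 9): sign the exact bytes that are sent.
func Issue(priv ed25519.PrivateKey, c Certificate) (cert, sig []byte, err error) {
	if cert, err = json.Marshal(c); err != nil {
		return nil, nil, err
	}
	return cert, ed25519.Sign(priv, cert), nil
}

// Verify is the service provider side (claims 12 and 18). The certificate is
// parsed only after the key is recognised and the signature checks out.
func Verify(pinned [32]byte, pub ed25519.PublicKey, cert, sig []byte) (Certificate, error) {
	if len(pub) != ed25519.PublicKeySize || Fingerprint(pub) != pinned {
		return Certificate{}, ErrUnknownKey
	}
	if !ed25519.Verify(pub, cert, sig) {
		return Certificate{}, ErrBadSignature
	}
	var c Certificate
	if err := json.Unmarshal(cert, &c); err != nil {
		return Certificate{}, err
	}
	return c, nil
}

func main() {
	pub, priv := NewPlatformKey()
	cert, sig, _ := Issue(priv, Certificate{Subject: "user-1"}) // constructed
	_, err := Verify(Fingerprint(pub), pub, cert, sig)
	fmt.Println("platform key:", err)

	otherPub, otherPriv := NewPlatformKey() // a key the provider never pinned
	cert2, sig2, _ := Issue(otherPriv, Certificate{Subject: "user-1"})
	_, err = Verify(Fingerprint(pub), otherPub, cert2, sig2)
	fmt.Println("unpinned key:", err)
}
```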

19. The method according to claim 18, wherein, after authenticating the user identity based on the target user identity information, the method further includes: in response to a login request sent by the target terminal, sending a login authorization request corresponding to the login request to the authentication platform; and obtaining a login authorization response returned by the authentication platform, wherein the login authorization response is used to instruct the service provider server to perform identity authentication based on the user identification information in the first digital certificate.

20. The method according to claim 17, wherein, after authenticating the user identity based on the target user identity information, the method further includes: sending a request for newly added personal information to the authentication platform, wherein the newly added personal information is personal information located outside the first digital certificate; and obtaining the newly added personal information corresponding to the target terminal returned by the authentication platform.

21. An authentication method applied to a target terminal, comprising: in response to a registration request sent by the target terminal to a service provider server, obtaining target personal information request information sent by an authentication platform; displaying the target personal information request information, and obtaining authorization confirmation information returned based on the target personal information request information; and sending the authorization confirmation information to the authentication platform, wherein the authentication platform is used to determine that the authorization confirmation information has been verified and to send pre-stored target user identity information to the service provider server, so that the service provider server can authenticate the user identity based on the target user identity information.

22. The method according to claim 21, wherein, after sending the authorization confirmation information to the authentication platform, the method further includes: obtaining an authorization verification request sent by the authentication platform, wherein the authorization verification request is sent by the authentication platform when it determines that the target user identity information is personal information in the extended information list; and in response to a confirmation operation based on the authorization verification request, sending the confirmation operation to the authentication platform, so that the target user identity information is sent to the service provider server through the authentication platform.

23. The method according to claim 21, wherein, after sending the authorization confirmation information to the authentication platform, the method further includes: in response to a login request sent by the target terminal to the service provider server, obtaining a login authorization request sent by the authentication platform; determining login authorization information based on the login authorization request; and sending the login authorization information to the authentication platform, wherein the authentication platform, upon confirming that the login authorization information has been verified, sends a login authorization response to the service provider server.

24. The method according to any one of claims 21 to 23, wherein, after sending the authorization confirmation information to the authentication platform, the method further includes: obtaining a registration response sent by the service provider server, wherein the registration response is used to indicate the authentication result of the user identity corresponding to the target user identity information.

25. An authentication platform, comprising: a registration response module, configured to obtain personal information request information sent by a service provider server, wherein the personal information request information is sent by the service provider server based on a registration request of a target terminal; an authorization confirmation module, configured to send target personal information request information among the personal information request information to the target terminal, and obtain authorization confirmation information returned by the target terminal based on the target personal information request information; an information acquisition module, configured to, upon confirming that the authorization confirmation information has been verified, acquire the target user identity information corresponding to the pre-stored personal information request list; and a first sending module, configured to send the target user identity information to the service provider server, so that the service provider server can authenticate the user identity based on the target user identity information.

26. A service provider server, comprising: a request acquisition module, configured to acquire a registration request sent by a target terminal; an information determination module, configured to determine personal information request information based on the registration request; a second sending module, configured to obtain target user identity information corresponding to the personal information request information by sending the personal information request information to an authentication platform; and an identity authentication module, configured to authenticate the user identity based on the target user identity information.

27. A terminal, comprising: a registration response module, configured to respond to a registration request sent by the target terminal to a service provider server and obtain target personal information request information sent by an authentication platform; an information display module, configured to obtain authorization confirmation information returned based on the target personal information request information by displaying the target personal information request information; and a third sending module, configured to send the authorization confirmation information to the authentication platform, wherein the authentication platform is used to determine that the authorization confirmation information has been verified and to send pre-stored target user identity information to the service provider server, so that the service provider server can authenticate the user identity based on the target user identity information.

28. An electronic device comprising a processor and a memory, the memory storing a program or instructions executable on the processor, the program or instructions, when executed by the processor, implementing the steps of the method of any one of claims 1 to 24.

29. A computer-readable storage medium storing a program or instructions that, when executed by a processor, implement the steps of the method of any one of claims 1 to 24.

30. A computer program product comprising a computer program stored on a non-transitory computer-readable storage medium, the computer program including program instructions that, when executed by a computer, cause the computer to perform the steps of the method according to any one of claims 1 to 24.