CN-121984763-A - Service login method based on temporary access credential
Abstract
The invention relates to the technical field of network security and identity authentication, in particular to a business login method based on temporary access credentials. The method comprises: receiving a generation request for a shadow login credential, parsing a target user identifier and a preset access restriction parameter from the generation request, generating a unique credential number, and storing a credential record containing the credential number, the target user identifier and the access restriction parameter in a database of the server; then receiving a login verification request carrying the credential number, looking up the corresponding credential record in the database by the credential number, performing a validity check on the login verification request according to the access restriction parameter in the credential record, and completing the business login according to the result of the validity check. Through this password-free temporary credential mechanism, the method realises secure proxy login in VPN-restricted or emergency scenarios, and addresses the risk of account password leakage and the problem of audit traceability by means of a multidimensional restriction strategy and a per-operation trace.
Inventors
- CHEN ZHIQIANG
- WU PEISHENG
- PENG YIHANG
Assignees
- 钛动科技股份有限公司
Dates
- Publication Date
- 20260505
- Application Date
- 20260206
Claims (10)
- 1. A business login method based on a temporary access credential, applied to the server side of a business system, characterized by comprising the following steps: receiving a generation request for a shadow login credential, parsing a target user identifier and a preset access restriction parameter from the generation request, generating a unique credential number, and storing a credential record containing the credential number, the target user identifier and the access restriction parameter in a database of the server; and receiving a login verification request carrying the credential number, looking up the corresponding credential record in the database by the credential number, performing a validity check on the login verification request according to the access restriction parameter in the credential record, and completing the business login according to the result of the validity check.
- 2. The method of claim 1, wherein the access restriction parameter comprises an expiration time point of the shadow login credential and a maximum number of login uses of the shadow login credential, and wherein the credential record further comprises real-time status data of the shadow login credential, including an availability status of the shadow login credential and a current accumulated number of logins of the shadow login credential.
- 3. The method of claim 2, wherein performing the validity check on the login verification request according to the access restriction parameter in the credential record comprises: verifying in sequence whether a credential record with the credential number exists on the server, whether the availability status of the shadow login credential is valid, whether the current system time is earlier than or equal to the expiration time point of the shadow login credential, and whether the current accumulated number of logins of the shadow login credential is smaller than its maximum number of login uses; if every check passes, incrementing the current accumulated number of logins of the shadow login credential in the database by one and establishing a business session associated with the target user identifier to complete the shadow login; and if the validity check fails, refusing to establish the business session associated with the target user identifier and generating a log record of the check failure.
- 4. The method of claim 1, wherein, when the generation request for a shadow login credential is received, the identity of the initiator of the generation request is parsed and written into the credential record.
- 5. The method of claim 2, wherein storing the credential record containing the credential number, the target user identifier and the access restriction parameter in the database of the server comprises inserting a credential record for the shadow login credential into the database, the record containing the credential number, the target user identifier, the expiration time point of the shadow login credential, its maximum number of login uses, its current accumulated number of logins and its availability status, wherein the current accumulated number of logins is initialised to zero and the availability status is initialised to valid.
- 6. The method of claim 3, wherein establishing a business session associated with the target user identifier comprises: querying the permission configuration of the target user in the database by the target user identifier, generating a business session token according to that permission configuration, and returning the business session token to the requesting end that sent the login verification request, so that the requesting end can perform business operations under the identity of the target user by presenting the business session token.
- 7. The method of claim 4, further comprising, after completing the business login according to the validity check result, generating an audit log from the identity of the initiator and the target user identifier, so as to record the source of the authorization and the usage behaviour of the shadow login credential.
- 8. The method of claim 5, further comprising: receiving a revocation request carrying the credential number, locating the corresponding shadow login credential in the database by the credential number, and changing the availability status of the shadow login credential from valid to invalid, so that further login verification requests with that shadow login credential are blocked.
- 9. The method of claim 1, wherein the unique credential number is generated either by producing a non-repeating identification code with a random algorithm, or by producing a random string from a hash of the current timestamp combined with the target user identifier, and using the result as the credential number of the shadow login credential.
- 10. The method of claim 1, further comprising, before receiving the generation request for the shadow login credential: verifying the permission level of the initiator of the generation request and confirming whether the initiator is qualified for proxy login; if so, returning a target user selection interface to the initiator and receiving the identifier of the target user selected by the initiator on that interface; if not, rejecting the generation request and indicating that the permission is insufficient.
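The following is an added worked example, not the applicant's code, that implements the credential life cycle of claims 1 to 10 in Python: a permission check on the initiator (claim 10), credential generation with an expiration time point and a use limit (claims 2, 5, 9), the ordered validity check with the use-count increment (claim 3), a session token built from the target user's permission configuration (claim 6), revocation (claim 8) and an audit log that names both initiator and target user (claims 4, 7). The in-memory dict standing in for the server database, the record fields, the sample operator and permission tables and all function names are assumptions chosen for illustration. Two practitioner's choices that the claims leave open are made explicit: the credential number is drawn from a CSPRNG (the first option in claim 9; the second option, a hash of the timestamp and the user identifier, is guessable by anyone who knows roughly when and for whom a credential was issued), and the checks and the use-count increment of claim 3 run under one lock so that two concurrent logins cannot both succeed on a credential with a single use remaining.

```python
import secrets
import threading
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Constructed sample data (assumed): operators entitled to issue proxy-login
# credentials (claim 10) and each target user's permission configuration (claim 6).
OPERATORS_WITH_PROXY_RIGHT = {"ops-alice"}
USER_PERMISSIONS = {"sales-bob": ["orders:read", "orders:transfer"]}


@dataclass
class CredentialRecord:
    """One row of the credential table (claims 2, 4, 5); field names are assumed."""
    number: str          # unique credential number
    target_user: str     # whose identity the credential grants
    initiator: str       # who issued it (claim 4)
    expires_at: float    # expiration time point, epoch seconds
    max_uses: int        # maximum number of logins
    uses: int = 0        # current accumulated logins, starts at zero
    valid: bool = True   # availability status, starts valid; revocation flips it


class ShadowLoginServer:
    """Server side of the method; the dict stands in for the database."""

    def __init__(self, clock: Callable[[], float] = time.time):
        self._db: Dict[str, CredentialRecord] = {}
        self._lock = threading.Lock()
        self._now = clock                 # injectable so expiry can be exercised
        self.audit_log: List[tuple] = []  # claim 7: authorization source and usage

    def generate(self, initiator: str, target_user: str,
                 ttl_seconds: float, max_uses: int) -> str:
        """Claims 1, 4, 5, 9, 10: authorise the initiator, issue and store a credential."""
        if initiator not in OPERATORS_WITH_PROXY_RIGHT:
            raise PermissionError("initiator lacks proxy-login permission")
        number = secrets.token_urlsafe(32)   # CSPRNG: unpredictable, non-repeating
        rec = CredentialRecord(number, target_user, initiator,
                               self._now() + ttl_seconds, max_uses)
        with self._lock:
            self._db[number] = rec
        self.audit_log.append(("generate", initiator, target_user, number))
        return number

    def login(self, number: str) -> Optional[dict]:
        """Claims 3, 6, 7: ordered validity check, then a session on success."""
        with self._lock:   # check and increment form one atomic step
            rec = self._db.get(number)
            if rec is None:
                reason = "no such credential"
            elif not rec.valid:
                reason = "credential revoked"
            elif self._now() > rec.expires_at:
                reason = "credential expired"
            elif rec.uses >= rec.max_uses:
                reason = "use limit reached"
            else:
                reason = None
                rec.uses += 1
        if reason is not None:
            self.audit_log.append(("login_failed", number, reason))
            return None
        session = {
            "token": secrets.token_urlsafe(16),
            "user": rec.target_user,
            "permissions": list(USER_PERMISSIONS.get(rec.target_user, [])),
            "via_shadow_credential": number,   # keeps proxy use distinguishable in logs
            "issued_by": rec.initiator,
        }
        self.audit_log.append(("login", rec.initiator, rec.target_user, number))
        return session

    def revoke(self, number: str) -> bool:
        """Claim 8: flip the availability status so later logins are refused."""
        with self._lock:
            rec = self._db.get(number)
            if rec is None:
                return False
            rec.valid = False
        self.audit_log.append(("revoke", number))
        return True


if __name__ == "__main__":
    srv = ShadowLoginServer()
    num = srv.generate("ops-alice", "sales-bob", ttl_seconds=600, max_uses=1)
    first, second = srv.login(num), srv.login(num)
    print(first is not None, second is None)
    for entry in srv.audit_log:
        print(entry)
```

The session dictionary carries both the target user and the issuing operator, which is what lets the audit trail distinguish the owner's own actions from proxied ones; a real deployment would persist the record in a database with the increment done as a conditional update (for example, only where the stored use count still equals the value just read) rather than behind an in-process lock.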
Description
Service login method based on temporary access credential
Technical Field
The application relates to the technical field of network security and identity authentication, in particular to a business login method based on temporary access credentials.
Background
Identity authentication and permission management in business systems are core components of enterprise information security. In daily enterprise operation, operators or system administrators frequently need to log in to a business account temporarily. For example, when business staff are travelling and their network environment is restricted (no VPN connection), they cannot operate the system directly, so an operator must log in on their behalf, after obtaining authorization, to complete a data transfer; or, after an operator has configured special permissions for a business account, the operator must log in to that account for a second confirmation that the authorization is correct. Such requirements are very common in large internet enterprises and in traditional enterprises with a high degree of digitisation. Existing solutions, however, typically rely on the traditional account-and-password sharing model: the business person tells the operator their own account name and password, through an instant messaging tool or verbally, and the operator logs in with that password.
This approach carries serious security hazards. First, the password is transmitted in plaintext and is easily leaked; once it is intercepted, an attacker obtains complete control of the account. Second, sharing the account password blurs the audit trail: when an operation on an account is recorded in the system log, it is impossible to tell whether the account owner performed it or an operator acting as proxy, so responsibility is unclear when a data incident occurs. Third, even regular password rotation does not solve the difficulty of managing passwords or of controlling the time window of a temporary authorization. These problems weaken the enterprise's data security defences, increase the risk of internal data leakage, and seriously affect operations and maintenance audit compliance. What is needed is a business login method that strips away the dependence on passwords, offers fine-grained permission control, and leaves a clear trace of who acted; in the industry this is often called shadow login. Such a method addresses the security risks and audit gaps that account-and-password sharing causes in the prior art.
Disclosure of Invention
To solve the problems of password leakage risk and unclear operation auditing that arise in the prior art when operators log in to a business account by proxy, the invention provides a business login method based on temporary access credentials, comprising the following steps: receiving a generation request for a shadow login credential, parsing a target user identifier and a preset access restriction parameter from the generation request, generating a unique credential number, and storing a credential record containing the credential number, the target user identifier and the access restriction parameter in a database of the server; and receiving a login verification request carrying the credential number, looking up the corresponding credential record in the database by the credential number, performing a validity check on the login verification request according to the access restriction parameter in the credential record, and completing the business login according to the result of the validity check.
This scheme builds a complete life-cycle management mechanism for shadow login. First, receiving a generation request for a shadow login credential places the grant of authority under source control. Second, generating a unique credential number, binding it to specific access restriction parameters and storing it in the database is equivalent to issuing a temporary pass with strict usage limits, which discards any dependence on the user's original password. In the login stage, the credential record is looked up by the credential number and a validity check is executed, which ensures that the shadow login credential can only be used under the specified restriction conditions and greatly reduces the attack surface. Finally, the business login is completed according to the validity check result, which preserves continuity of service while keeping the use of the shadow login credential controlled: password dependence is stripped away, permissions are finely controlled, operations leave a trace, and the business risk of proxy login is reduced. Preferably, the access restriction parameter comprises an expiration time point of the shadow login credential and a maximum number of login uses of the shadow login credential, and the credential record further comprises real-time state data o