Search

US-12619698-B2 - Authentication apparatus, system, method, and program for multi-stage authentication

US12619698B2US 12619698 B2US12619698 B2US 12619698B2US-12619698-B2

Abstract

Authentication apparatus includes: communication part capable of communicating with server apparatus that stores common authentication information and first distributed authentication information in association with each other via network; read part capable of reading information from user storage medium that stores common authentication information and second distributed authentication information; input part; and control part, wherein the control part authenticates by collating the second distributed authentication information acquired via the read part with the second distributed authentication information acquired from a user via the input part; transmits the common authentication information acquired via the read part to the server apparatus via the communication part; authenticates by collating the first distributed authentication information acquired from the server apparatus via the communication part with the first distributed authentication information acquired from the user via the input part; and unlocks a lock when completing authenticating all of the first distributed authentication information.

Inventors

  • Hiroya OKADA

Assignees

  • NEC CORPORATION

Dates

Publication Date
20260505
Application Date
20211203

Claims (15)

  1. 1 . An authentication apparatus, comprising: at least one processor; and a memory in circuit communication with the processor, wherein the processor is configured to execute program instruction stored in the memory to implement: a communication part configured to be able to communicate with a server apparatus that stores at least one piece of common authentication information and at least one piece of first distributed authentication information as registered first distributed authentication information in association with each other, via a network; a read part configured to be able to read information from a user storage medium used by a user that stores the at least one piece of common authentication information and at least one piece of second distributed authentication information as registered second distributed authentication information; an input part configured to be able to receive the first distributed authentication information as input first distributed authentication information and the second distributed authentication information as input second distributed authentication information by action of the user; and a control part configured to control the communication part, the read part, and the input part, wherein the control part is configured to perform processings of: acquiring the common authentication information and the registered second distributed authentication information via the read part from the user storage medium; acquiring the input second distributed authentication information via the input part by action of the user; performing second authentication by collating the registered second distributed authentication information with the input second distributed authentication information; erasing all of the second distributed authentication information of the user when authenticating all of the second distributed authentication information of the user is completed; transmitting the common authentication information acquired via the read part to the server apparatus via the communication part after erasing; acquiring the registered first distributed authentication information associated with the common authentication information same as the transmitted common authentication information via the communication part from the server apparatus; acquiring the input first distributed authentication information via the input part by action of the user, after acquiring the registered first distributed authentication information from the server apparatus; performing first authentication by collating the registered first distributed authentication information with the input first distributed authentication information; and unlocking a lock when authenticating all of the first distributed authentication information is completed, and wherein the first distributed authentication information is different from the second distributed authentication information.
  2. 2 . The authentication apparatus according to claim 1 , wherein: the common authentication information is possession information; the first distributed authentication information is knowledge information; and the second distributed authentication information is biometric information.
  3. 3 . The authentication apparatus according to claim 1 , wherein: the common authentication information is possession information; the first distributed authentication information is biometric information; and the second distributed authentication information is knowledge information.
  4. 4 . The authentication apparatus according to claim 1 , wherein: the common authentication information is possession information; the first distributed authentication information is first biometric information and/or first knowledge information; and the second distributed authentication information is second biometric information and/or second knowledge information.
  5. 5 . The authentication apparatus according to claim 1 , wherein the read part is configured to be able to perform wired or wireless communication with the user storage medium without intervening the network.
  6. 6 . The authentication apparatus according to claim 1 , wherein the control part is configured to further perform a processing of erasing all of the first distributed authentication information when authenticating all of the first distributed authentication information is completed.
  7. 7 . An authentication system, comprising: a server apparatus configured to store at least one piece of common authentication information and at least one piece of first distributed authentication information in association with each other; a user storage medium used by a user configured to store the at least one piece of common authentication information and at least one piece of second distributed authentication information; and the authentication apparatus according to claim 1 .
  8. 8 . An authentication method of authenticating using an authentication apparatus, wherein the authentication apparatus comprises: at least one processor; and a memory in circuit communication with the processor, wherein the processor is configured to execute program instruction stored in the memory to implement: a communication part configured to be able to communicate with a server apparatus that stores at least one piece of common authentication information and at least one piece of first distributed authentication information as registered first distributed authentication information in association with each other, via a network; a read part configured to be able to read information from a user storage medium used by a user that stores the at least one piece of common authentication information and at least one piece of second distributed authentication information as registered second distributed authentication information; an input part configured to be able to receive the first distributed authentication information as input first distributed authentication information and the second distributed authentication information as input second distributed authentication information by action of the user; and a control part configured to control the communication part, the read part, and the input part, and wherein the authentication method comprises: acquiring the common authentication information and the registered second distributed authentication information via the read part from the user storage medium; acquiring the input second distributed authentication information via the input part by action of the user; performing second authentication by collating the registered second distributed authentication information with the input second distributed authentication information; erasing all of the second distributed authentication information of the user when authenticating all of the second distributed authentication information of the user is completed; transmitting the common authentication information acquired via the read part to the server apparatus via the communication part after erasing; acquiring the registered first distributed authentication information associated with the common authentication information same as the transmitted common authentication information via the communication part from the server apparatus; acquiring the input first distributed authentication information via the input part by action of the user, after acquiring the registered first distributed authentication information from the server apparatus; performing first authentication by collating the registered first distributed authentication information with the input first distributed authentication information; and unlocking a lock when authenticating all of the first distributed authentication information is completed.
  9. 9 . A non-transitory computer readable recording medium storing a program causing an authentication apparatus to perform authentication processing, wherein the authentication apparatus comprises at least one processor configured to execute the program to implement: a communication part configured to be able to communicate with a server apparatus that stores at least one piece of common authentication information and at least one piece of first distributed authentication information as registered first distributed authentication information in association with each other, via a network; a read part configured to be able to read information from a user storage medium used by a user that stores the at least one piece of common authentication information and at least one piece of second distributed authentication information as registered second distributed authentication information; an input part configured to be able to receive the first distributed authentication information as input first distributed authentication information and the second distributed authentication information as input second distributed authentication information by action of the user; and a control part configured to control the communication part, the read part, and the input part, and wherein the program causes the control part to execute processings of: acquiring the common authentication information and the registered second distributed authentication information via the read part from the user storage medium; acquiring the input second distributed authentication information via the input part by action of the user; performing second authentication by collating the registered second distributed authentication information with the input second distributed authentication information; erasing all of the second distributed authentication information of the user when authenticating all of the second distributed authentication information of the user is completed; transmitting the common authentication information acquired via the read part to the server apparatus via the communication part after erasing; acquiring the registered first distributed authentication information associated with the common authentication information same as the transmitted common authentication information via the communication part from the server apparatus; acquiring the input first distributed authentication information via the input part by action of the user, after acquiring the registered first distributed authentication information from the server apparatus; performing first authentication by collating the registered first distributed authentication information with the input first distributed authentication information; and unlocking a lock when authenticating all of the first distributed authentication information is completed.
  10. 10 . The authentication apparatus according to claim 2 , wherein the read part is configured to be able to perform wired or wireless communication with the user storage medium without intervening the network.
  11. 11 . The authentication apparatus according to claim 3 , wherein the read part is configured to be able to perform wired or wireless communication with the user storage medium without intervening the network.
  12. 12 . The authentication apparatus according to claim 4 , wherein the read part is configured to be able to perform wired or wireless communication with the user storage medium without intervening the network.
  13. 13 . The authentication apparatus according to claim 2 , wherein the control part is configured to further perform a processing of erasing all of the first distributed authentication information when authenticating all of the first distributed authentication information is completed.
  14. 14 . The authentication apparatus according to claim 3 , wherein the control part is configured to further perform a processing of erasing all of the first distributed authentication information when authenticating all of the first distributed authentication information is completed.
  15. 15 . The authentication apparatus according to claim 4 , wherein the control part is configured to further perform a processing of erasing all of the first distributed authentication information when authenticating all of the first distributed authentication information is completed.

Description

This application is a National Stage Entry of PCT/JP2021/044508 filed on Dec. 3, 2021, the contents of all of which are incorporated herein by reference, in their entirety. FIELD The present invention relates to an authentication apparatus, a system, a method, and a program. BACKGROUND Authentication technology is used in many places of personal belongings such as electronic apparatuses and access (entering/leaving) manages. Also, the authentication technology is utilized for user management and unauthorized login prevention. In an authentication system using authentication technology, there is growing trend towards an authentication apparatus incorporating multi-factor authentication by combining two or more among “knowledge information”, “possession information”, and “biometric information,” as three factors of authentication to improve security strength. For example, there are authentication systems (for example, see Patent Literatures (PTLs) 1, 3, and 4) that centrally manage two or more authentication factors among biometric information such as face shape, voiceprint and iris; knowledge information such as identification information, password and security question; and possession information such as smart card number, security token and SMS (Short Message Service) authentication, in a single server apparatus, or authentication systems that distributedly manage these factors using a plurality of server apparatuses (for example, see PTLs 2 and 5). [PTL 1] JP2020-154496A[PTL 2] JP2015-518228A[PTL 3] JP2003-140765A[PTL 4] JP2002-112340A[PTL 5] JP2002-041469A SUMMARY The following analysis is provided by the inventor of the present application. In the authentication systems described in PTLs 1 to 5, however, since all of the authentication factors required for multi-factor authentication are managed by one or more server apparatuses, in a configuration where other external terminals can access the server apparatuses via a network, all of the authentication factors required for multi-factor authentication, there is a possibility that all of the authentication factors required for multi-factor authentication are leaked to the outside via the network and abused, even if using encryption techniques or hashing techniques etc. to anonymize the authentication factors. It is a main object of the present invention to provide an authentication apparatus, a system, a method, and a program that can contribute to preventing all of the authentication factors required for multi-factor authentication from leaking to the outside via a network. An authentication apparatus according to a first aspect comprises: a communication part configured to be able to communicate with a server apparatus that stores at least one piece of common authentication information and at least one piece of first distributed authentication information in association with each other via a network; a read part configured to be able to read information from a user storage medium used by a user that stores at least one piece of common authentication information and at least one piece of second distributed authentication information; an input part configured to be able to receive the first distributed authentication information and the second distributed authentication information by action of the user; and a control part configured to control the communication part, the read part, and the input part, wherein the control part is configured to perform processings of: acquiring the common authentication information and the second distributed authentication information via the read part from the user storage medium; acquiring the second distributed authentication information via the input part by action of the user; authenticating by collating the second distributed authentication information acquired via the read part with the second distributed authentication information acquired via the input part; transmitting the common authentication information acquired via the read part to the server apparatus via the communication part when authenticating all of the second distributed authentication information is completed; acquiring the first distributed authentication information associated with the common authentication information same as the transmitted common authentication information via the communication part from the server apparatus; acquiring the first distributed authentication information via the input part by action of the user; authenticating by collating the first distributed authentication information acquired via the communication part with the first distributed authentication information acquired via the input part; and unlocking a lock when authenticating all of the first distributed authentication information is completed, and wherein the first distributed authentication information is different from the second distributed authentication information. An authentication system according to a second aspect comprises: a server apparatus configure