CN106161475A - The implementation method of subscription authentication and device - Google Patents

Publication number: CN106161475A
Authority: CN (China)
Prior art keywords: authentication, mark, user, application server, server
Legal status: Granted
Application number: CN201610817540.8A
Other languages: Chinese (zh)
Other versions: CN106161475B (en)
Inventor: 沈书荣
Current Assignee: Xinweilu Technology Zhuhai Co ltd
Original Assignee: Individual

Classifications

    • H04L63/0815: Network architectures or network communication protocols for network security for authentication of entities providing single-sign-on or federations
    • H04L63/0853: Network architectures or network communication protocols for network security for authentication of entities using an additional device, e.g. smartcard, SIM or a different communication terminal
    • H04L9/3226: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using a predetermined code, e.g. password, passphrase or PIN

Abstract

The invention discloses a method and device for implementing user authentication. The method includes: when an application server needs to authenticate a user, verifying the user's identity by a mobile terminal; after the user passes the mobile terminal's verification, sending, by the mobile terminal, authentication assistance information to an authentication server, where the authentication assistance information notifies the authentication server to assist the user in completing the authentication operation on the application server and includes a first identifier of the user, the first identifier being the user's unique identifier on the authentication server. The invention spares the user from remembering the accounts and passwords of numerous application servers, and addresses the security problems caused by overly simple user passwords, by users using the same password on multiple application servers, and by users storing and managing passwords on poorly secured terminals (such as a PC).

Description

Method and device for implementing user authentication
Technical field
The present invention relates to the field of communications, and in particular to a method and device for implementing user authentication.
Background
At present, logging in to an application server (here, an application server includes a website or client/server (CS) server that accepts user logins and provides services to users) mostly relies on an account and password. After the user enters the correct user name and password, the application server determines that the user has passed authentication, allows the user to log in, and subsequently provides the user with various services or resources.
However, authentication by user name and password has the following drawbacks:
(1) From a security standpoint, on the one hand, the password a user sets should be as complex as possible and should be changed regularly; on the other hand, different passwords should be set on different application servers (for different accounts). As users use more and more application services, remembering these accounts and passwords undoubtedly becomes a heavy burden; for most users, setting complex passwords and changing them regularly is nearly impossible;
(2) In practice, according to surveys and statistics, to avoid memorizing complex passwords, many users set only very simple passwords for the accounts they register on different application servers, and usually set the same password on different application servers. Once a user's account and password on one application server are compromised by an attacker, the user will lose other accounts as well, which poses a great security risk to the user's interests and privacy.
To make it easier for users to authenticate on application servers, two schemes are currently the main proposals: (1) OAUTH (which may be called open authorization) and (2) password management tools (such as RoboForm, LastPass, etc.).
Although these schemes can, to some extent, spare users from remembering a large number of complex passwords, they also have obvious defects. With the OAUTH scheme, the user does not need to enter the user name and password registered on the application server, but the OAUTH authentication process requires the user to first log in to the authentication server with an account and password and only then log in to the application server, so the process still requires the user to enter a password. Once this password is cracked, the accounts the user has registered on application servers are lost as well. In the scheme that manages passwords with a password management tool, the passwords and the encryption/decryption program all reside on a poorly secured terminal (such as a PC); once the password management tool is cracked, all user names and passwords it manages are lost, which is a considerable security risk. In addition, the authentication process based on a password management tool is completed entirely on a single terminal, which makes it easier to attack; once the tool is used on a public computer, account information is even more likely to be leaked.
For the problem in the related art that user passwords can hardly be both memorable and secure, no effective solution has yet been proposed.
Summary of the invention
In view of the problems in the related art, the invention proposes a method and device for implementing user authentication that spare the user from remembering the accounts and passwords of numerous application servers, and solve the security problems caused by overly simple user passwords, by the same password being used on multiple application servers, and by users storing and managing passwords on poorly secured terminals (such as a PC).
To achieve the above objective, according to one aspect of the invention, a method for implementing user authentication is provided.
The method for implementing user authentication according to the invention includes: when an application server needs to authenticate a user, verifying the user's identity by a mobile terminal; after the user passes the mobile terminal's verification, sending, by the mobile terminal, authentication assistance information to an authentication server, where the authentication assistance information notifies the authentication server to assist the user in completing the authentication operation on the application server and includes a first identifier of the user, the first identifier being the user's unique identifier on the authentication server.
The authentication assistance information further includes the authentication server's identity verification code, and the method further includes:
when the authentication server receives the authentication assistance information, checking the identity verification code in the authentication assistance information and, after the check passes, assisting the user in completing the authentication operation on the application server.
In addition, the authentication assistance information may further include the identifier of the application server and the identifier of the current authentication operation, and the method according to the invention may further include:
when the application server needs to authenticate the user, the mobile terminal obtains the authentication request information for the current authentication, where the authentication request information includes the identifier of the application server and the identifier of the current authentication operation; the identifier of the application server is the application server's unique identification code on the authentication server, and the identifier of the current authentication operation is the unique identification code of that authentication operation.
On the one hand, before the mobile terminal verifies the user's identity, the method according to the invention further includes: the user initiates an authentication request through a PC; in response to the authentication request, the application server or the PC generates an identification code and displays it on the PC, where the identification code includes the identifier of the application server and the identifier of the current authentication operation; after recognizing the identification code, the mobile terminal initiates identity verification of the user.
When the user initiates the authentication request through a PC, the authentication server can assist the user in completing the authentication operation on the application server in one of the following ways:
Mode one: the authentication server sends authentication permission information to the application server, where the authentication permission information contains the first identifier and the identifier of the current authentication operation; after receiving the authentication permission information, the application server looks up the second identifier corresponding to the first identifier according to a pre-saved correspondence between first identifiers and second identifiers, and, according to the identifier of the current authentication operation, allows the user corresponding to the second identifier to pass the current authentication; where the second identifier is the user's unique identifier on the application server; or
Mode two: according to the first identifier contained in the authentication assistance information, the authentication server looks up locally the second identifier and the application server login password stored in association with the user identifier, and sends the second identifier and the application server login password to the PC, so that the PC submits them to the application server to complete authentication; where the second identifier is the user's unique identifier on the application server, and the application server login password is the password corresponding to that unique identifier; or
Mode three: according to the first identifier contained in the authentication assistance information, the authentication server looks up locally the second identifier stored in association with the user identifier; after finding the second identifier, the authentication server sends the second identifier and a dynamic security identification code to the PC, so that the PC submits them to the application server to complete authentication; where the second identifier is the user's unique identifier on the application server.
On the other hand, before the mobile terminal verifies the user's identity, the method according to the invention may further include: the user initiates an authentication request through a third-party app on the mobile terminal; in response to the authentication request, the third-party app calls the mobile terminal's authentication module to verify the user's identity.
When the user initiates the authentication request through a third-party app on the mobile terminal, the authentication server can assist the user in completing the authentication operation on the application server in one of the following ways:
Mode four: the authentication server sends authentication permission information to the application server, where the authentication permission information contains the first identifier and the identifier of the current authentication operation; after receiving the authentication permission information, the application server looks up the second identifier corresponding to the first identifier according to a pre-saved correspondence between first identifiers and second identifiers, and, according to the identifier of the current authentication operation, allows the user corresponding to the second identifier to pass the current authentication; where the second identifier is the user's unique identifier on the application server; or
Mode five: according to the first identifier contained in the authentication assistance information, the authentication server looks up locally the second identifier stored in association with the user identifier; after finding the second identifier, the authentication server sends the second identifier and a dynamic security identification code to the third-party app, so that the third-party app submits them to the application server to complete authentication; where the second identifier is the user's unique identifier on the application server.
For mode one, before the application server allows the user corresponding to the second identifier to pass the current authentication, the method further includes the following steps: the PC requests the application server to let it pass authentication and, with the request, sends the identifier of the current authentication operation to the application server; and, when the application server receives the authentication permission information, if the application server determines that the identifier of the current authentication operation sent by the PC with its request is the same as the identifier of the current authentication operation carried in the authentication permission information, it allows the user corresponding to the second identifier to pass authentication on that PC;
For mode two, before the authentication server sends the second identifier and the application server login password, the method further includes the following steps: the PC requests the second identifier and the application server login password from the authentication server and, with the request, sends the identifier of the current authentication operation to the authentication server; if the authentication server determines that this identifier is the same as the identifier of the current authentication operation carried in the authentication assistance information, the second identifier and the application server login password are allowed to be sent to the PC;
For mode three, before the authentication server sends the second identifier and the dynamic security identification code, the method further includes the following steps: the PC requests the second identifier and the dynamic security identification code from the authentication server and, with the request, sends the identifier of the current authentication operation to the authentication server; if the authentication server determines that this identifier is the same as the identifier of the current authentication operation carried in the authentication assistance information, the second identifier and the dynamic security identification code are allowed to be sent to the PC;
For mode four, before the application server allows the user corresponding to the second identifier to pass the current authentication, the method further includes the following steps: the third-party app requests the application server to let it pass authentication and, with the request, sends the identifier of the current authentication operation to the application server; and, when the application server receives the authentication permission information, if the application server determines that the identifier of the current authentication operation sent by the third-party app with its request is the same as the identifier of the current authentication operation carried in the authentication permission information, it allows the user corresponding to the second identifier to pass authentication in that third-party app;
For mode five, before the authentication server sends the second identifier and the dynamic security identification code, the method further includes the following steps: the third-party app requests the second identifier and the dynamic security identification code from the authentication server and, with the request, sends the identifier of the current authentication operation to the authentication server; if the authentication server determines that this identifier is the same as the identifier of the current authentication operation carried in the authentication assistance information, the second identifier and the dynamic security identification code are allowed to be sent to the third-party app.
In addition, the situations in which the application server needs to authenticate the user include: the user initiates a login request; the user initiates a request to obtain a resource; an operation initiated by an already logged-in user requires secondary authentication.
Optionally, the ways in which the mobile terminal verifies the user's identity include: iris verification, fingerprint verification, password verification and/or pattern verification.
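The Mode one exchange described above (PC-initiated, with the operation-identifier match the application server performs before admitting the PC), as an added Python example that is not part of the patent. The HMAC form of the identity verification code, the per-device key, the single-use operation identifiers, the PC session binding and all sample names are assumptions, since the patent does not specify them.

```python
"""Added illustration of Mode one (PC-initiated); not code from the patent.

Assumptions (not specified by the patent): the identity verification code is an
HMAC-SHA256 keyed with a per-device secret enrolled at the authentication
server; the authentication server reaches the application server over an
already-authenticated channel (modelled as a direct call); operation
identifiers are random, single-use, and remembered per PC session.
"""
import hashlib
import hmac
import secrets


def identity_code(device_key: bytes, first_id: str, app_id: str, op_id: str) -> str:
    # Bind the code to every field so none can be swapped in transit.
    msg = "\x00".join((first_id, app_id, op_id)).encode()
    return hmac.new(device_key, msg, hashlib.sha256).hexdigest()


class ApplicationServer:
    def __init__(self, app_id: str, first_to_second: dict):
        self.app_id = app_id
        self.first_to_second = first_to_second  # pre-saved first -> second identifier
        self.pending = {}    # op_id -> PC session waiting on that operation
        self.permitted = {}  # op_id -> second identifier cleared for that operation

    def start_authentication(self, pc_session: str) -> dict:
        # Content of the identification code displayed on the PC.
        op_id = secrets.token_urlsafe(16)
        self.pending[op_id] = pc_session
        return {"app_id": self.app_id, "op_id": op_id}

    def receive_permission(self, first_id: str, op_id: str) -> bool:
        # Authentication permission information from the authentication server.
        second_id = self.first_to_second.get(first_id)
        if second_id is None or op_id not in self.pending:
            return False
        self.permitted[op_id] = second_id
        return True

    def complete(self, pc_session: str, op_id: str):
        # The PC presents its op_id; it must equal the one carried in the
        # permission information and belong to this PC session. Single use.
        if self.pending.get(op_id) != pc_session or op_id not in self.permitted:
            return None
        del self.pending[op_id]
        return self.permitted.pop(op_id)


class AuthenticationServer:
    def __init__(self):
        self.device_keys = {}  # first_id -> enrolled device key (assumption)
        self.app_servers = {}  # app_id -> ApplicationServer

    def handle_assistance(self, info: dict) -> bool:
        key = self.device_keys.get(info["first_id"])
        app = self.app_servers.get(info["app_id"])
        if key is None or app is None:
            return False
        expected = identity_code(key, info["first_id"], info["app_id"], info["op_id"])
        if not hmac.compare_digest(expected, info["code"]):
            return False
        return app.receive_permission(info["first_id"], info["op_id"])


class MobileTerminal:
    def __init__(self, first_id: str, device_key: bytes):
        self.first_id, self.device_key = first_id, device_key

    def assist(self, scanned: dict, user_verified: bool):
        # Local verification (fingerprint, iris, password, pattern) only proves
        # the holder is the device owner; nothing is sent if it fails.
        if not user_verified:
            return None
        code = identity_code(self.device_key, self.first_id,
                             scanned["app_id"], scanned["op_id"])
        return {"first_id": self.first_id, "code": code, **scanned}


def run_mode_one(user_verified: bool = True, tamper_op_id: bool = False):
    """Run one exchange on constructed sample identities; return the admitted user or None."""
    key = secrets.token_bytes(32)
    app = ApplicationServer("app-001", {"auth-user-42": "alice@app"})
    auth = AuthenticationServer()
    auth.device_keys["auth-user-42"] = key
    auth.app_servers[app.app_id] = app
    phone = MobileTerminal("auth-user-42", key)

    scanned = app.start_authentication(pc_session="pc-session-A")
    info = phone.assist(scanned, user_verified)
    if info is None:
        return None
    if tamper_op_id:
        info["op_id"] = "modified-in-transit"  # changed after the code was computed
    auth.handle_assistance(info)
    return app.complete("pc-session-A", scanned["op_id"])
```
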
According to another aspect of the invention, a device for implementing user authentication is provided.
The device for implementing user authentication according to an embodiment of the invention includes:
an authentication module, configured to verify the user's identity when an application server needs to authenticate the user;
a communication module, configured to send authentication assistance information to an authentication server after the user passes the mobile terminal's verification, where the authentication assistance information notifies the authentication server to assist the user in completing the authentication operation on the application server and includes a first identifier of the user, the first identifier being the user's unique identifier on the authentication server.
The authentication assistance information further includes the authentication server's identity verification code, and, when the authentication server receives the authentication assistance information, it checks the identity verification code in the authentication assistance information and, after the check passes, assists the user in completing the authentication operation on the application server.
In addition, the authentication assistance information may further include the identifier of the application server and the identifier of the current authentication operation, and, when the application server needs to authenticate the user, the mobile terminal obtains the authentication request information for the current authentication, where the authentication request information includes the identifier of the application server and the identifier of the current authentication operation; the identifier of the application server is the application server's unique identification code on the authentication server, and the identifier of the current authentication operation is the unique identification code of that authentication operation.
On the one hand, the user can initiate an authentication request through a PC; in response to the authentication request, the application server or the PC generates an identification code and displays it on the PC, where the identification code includes the identifier of the application server and the identifier of the current authentication operation; after recognizing the identification code, the mobile terminal initiates identity verification of the user.
When the user initiates the authentication request through a PC, the authentication server assists the user in completing the authentication operation on the application server in one of the following ways:
Mode one: the authentication server sends authentication permission information to the application server, where the authentication permission information contains the first identifier and the identifier of the current authentication operation; after receiving the authentication permission information, the application server looks up the second identifier corresponding to the first identifier according to a pre-saved correspondence between first identifiers and second identifiers, and, according to the identifier of the current authentication operation, allows the user corresponding to the second identifier to pass the current authentication; where the second identifier is the user's unique identifier on the application server; or
Mode two: according to the first identifier contained in the authentication assistance information, the authentication server looks up locally the second identifier and the application server login password stored in association with the user identifier, and sends the second identifier and the application server login password to the PC, so that the PC submits them to the application server to complete authentication; where the second identifier is the user's unique identifier on the application server, and the application server login password is the password corresponding to that unique identifier; or
Mode three: according to the first identifier contained in the authentication assistance information, the authentication server looks up locally the second identifier stored in association with the user identifier; after finding the second identifier, the authentication server sends the second identifier and a dynamic security identification code to the PC, so that the PC submits them to the application server to complete authentication; where the second identifier is the user's unique identifier on the application server.
On the other hand, the user can initiate an authentication request through a third-party app on the mobile terminal; in response to the authentication request, the third-party app calls the mobile terminal's authentication module to verify the user's identity.
When the user initiates the authentication request through a third-party app on the mobile terminal, the authentication server can assist the user in completing the authentication operation on the application server in one of the following ways:
Mode four: the authentication server sends authentication permission information to the application server, where the authentication permission information contains the first identifier and the identifier of the current authentication operation; after receiving the authentication permission information, the application server looks up the second identifier corresponding to the first identifier according to a pre-saved correspondence between first identifiers and second identifiers, and, according to the identifier of the current authentication operation, allows the user corresponding to the second identifier to pass the current authentication; where the second identifier is the user's unique identifier on the application server;
Mode five: according to the first identifier contained in the authentication assistance information, the authentication server looks up locally the second identifier stored in association with the user identifier; after finding the second identifier, the authentication server sends the second identifier and a dynamic security identification code to the third-party app, so that the third-party app submits them to the application server to complete authentication; where the second identifier is the user's unique identifier on the application server.
For mode one, before the application server allows the user corresponding to the second identifier to pass the current authentication, the following steps are further included: the PC requests the application server to let it pass authentication and, with the request, sends the identifier of the current authentication operation to the application server; and, when the application server receives the authentication permission information, if the application server determines that the identifier of the current authentication operation sent by the PC with its request is the same as the identifier of the current authentication operation carried in the authentication permission information, it allows the user corresponding to the second identifier to pass authentication on that PC;
For mode two, before the authentication server sends the second identifier and the application server login password, the following steps are further included: the PC requests the second identifier and the application server login password from the authentication server and, with the request, sends the identifier of the current authentication operation to the authentication server; if the authentication server determines that this identifier is the same as the identifier of the current authentication operation carried in the authentication assistance information, the second identifier and the application server login password are allowed to be sent to the PC;
For mode three, before the authentication server sends the second identifier and the dynamic security identification code, the following steps are further included: the PC requests the second identifier and the dynamic security identification code from the authentication server and, with the request, sends the identifier of the current authentication operation to the authentication server; if the authentication server determines that this identifier is the same as the identifier of the current authentication operation carried in the authentication assistance information, the second identifier and the dynamic security identification code are allowed to be sent to the PC;
For mode four, before the application server allows the user corresponding to the second identifier to pass the current authentication, the following steps are further included: the third-party app requests the application server to let it pass authentication and, with the request, sends the identifier of the current authentication operation to the application server; and, when the application server receives the authentication permission information, if the application server determines that the identifier of the current authentication operation sent by the third-party app with its request is the same as the identifier of the current authentication operation carried in the authentication permission information, it allows the user corresponding to the second identifier to pass authentication in that third-party app;
For mode five, before the authentication server sends the second identifier and the dynamic security identification code, the following steps are further included: the third-party app requests the second identifier and the dynamic security identification code from the authentication server and, with the request, sends the identifier of the current authentication operation to the authentication server; if the authentication server determines that this identifier is the same as the identifier of the current authentication operation carried in the authentication assistance information, the second identifier and the dynamic security identification code are allowed to be sent to the third-party app.
In addition, the situations in which the application server needs to authenticate the user include: the user initiates a login request; the user initiates a request to obtain a resource; an operation initiated by an already logged-in user requires secondary authentication.
Optionally, the ways in which the authentication module verifies the user's identity include: iris verification, fingerprint verification, password verification and/or pattern verification.
With the invention, the user's identity can be verified on the mobile terminal, and, once the user passes verification, the mobile terminal informs the authentication server to assist the user in completing the authentication operation on the application server. This spares the user from remembering and entering passwords while also ensuring the security of the account. Moreover, because the authentication server assists the user in completing the authentication operation on the application server, the user does not have to store and manage user names and passwords on a poorly secured terminal (such as a PC), which further reduces security risks.
Brief description of the drawings
To explain the embodiments of the invention or the technical solutions of the prior art more clearly, the drawings needed in the embodiments are briefly introduced below. Obviously, the drawings described below are only some embodiments of the invention; those of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a flow chart of the method for implementing user authentication according to an embodiment of the invention;
Fig. 2 is a signalling diagram of specific embodiment 1 of the method for implementing user authentication according to an embodiment of the invention;
Fig. 3 is a signalling diagram of specific embodiment 2 of the method for implementing user authentication according to an embodiment of the invention;
Fig. 4 is a signalling diagram of specific embodiment 3 of the method for implementing user authentication according to an embodiment of the invention;
Fig. 5 is a signalling diagram of specific embodiment 4 of the method for implementing user authentication according to an embodiment of the invention;
Fig. 6 is a signalling diagram of specific embodiment 5 of the method for implementing user authentication according to an embodiment of the invention;
Fig. 7 is a signalling diagram of specific embodiment 6 of the method for implementing user authentication according to an embodiment of the invention;
Fig. 8 is a block diagram of the device for implementing user authentication according to an embodiment of the invention.
Detailed description of the invention
Exemplary embodiments of the present invention are described below with reference to the accompanying drawings. For clarity and conciseness, not all features of an actual implementation are described. It should be understood, however, that many implementation-specific decisions must be made in developing any such actual embodiment in order to achieve the developer's specific goals, for example compliance with system-related and business-related constraints, and these constraints may vary from one implementation to another. It should also be appreciated that, although such development work may be very complex and time-consuming, it is merely a routine task for those skilled in the art having the benefit of this disclosure.
It should also be noted that, to avoid obscuring the present invention with unnecessary detail, the drawings show only the device structures and/or processing steps closely related to the solution of the present invention, and omit other details of little relevance to the present invention.
According to an embodiment of the present invention, an implementation method of subscription authentication is provided.
As shown in Fig. 1, the implementation method of subscription authentication according to an embodiment of the present invention includes:
Step S101: when the application server needs to authenticate the user, the mobile terminal verifies the user's identity;
Step S103: after the user passes verification on the mobile terminal, the mobile terminal sends authentication assistance information to the certificate server; the authentication assistance information notifies the certificate server to assist the user in completing the authentication operation on the application server, wherein the authentication assistance information includes the user's first identifier, and the first identifier is the user's unique identifier on the certificate server.
Here, the purpose of the identity verification that the mobile terminal performs locally is to check whether the current user is the owner of the device in person; it does not determine whether the user can directly pass authentication by the application server.
The authentication implementation method proposed by the present invention can be applied in several scenarios, for example: when the user initiates a login request to the application server; when the user initiates a request to obtain a resource (including obtaining a media resource, or requesting that the application server provide a service or information); or when an operation initiated by an already logged-in user requires secondary authentication (for example, when the user needs to perform an important operation such as payment after logging in to the application server).
In one embodiment, the authentication assistance information may further include the identity check code of the certificate server. In that case, when the certificate server receives the authentication assistance information, it checks the identity check code in the authentication assistance information and, after the check passes, assists the user in completing the authentication operation on the application server. The identity check code allows the certificate server to verify the mobile terminal, preventing other, illegitimate terminals from impersonating the user to log in.
In one embodiment, when the application server needs to authenticate the user, the mobile terminal may first obtain the authentication request information for this authentication, wherein the authentication request information includes the identifier of the application server and the identifier of this authentication operation; the identifier of the application server is the application server's unique identifier on the certificate server, and the identifier of this authentication operation is the unique identifier of this authentication operation;
After the authentication request information is obtained, the authentication assistance information that the mobile terminal sends to the certificate server further includes: the identifier of the application server and the identifier of this authentication operation.
In one embodiment, the user may initiate a request such as login or resource use to the application server through the PC end. In this case, the user initiates the authentication request through the PC end; in response to the authentication request, the application server or the PC end generates an identification code and the PC end displays it (the identification code may be a QR code or another similar technology), wherein the identification code includes the identifier of the application server (the application server's unique identifier on the certificate server, for example the website address) and the unique identification information of this authentication request. After the mobile terminal recognizes the identification code, it obtains the identifier of the application server and the unique identification information of this authentication request, and the mobile terminal then initiates identity verification of the user locally: for example, it may prompt the user for iris or fingerprint verification, pop up a dialog box for the user to enter a password, or display a pattern for the user to enter a pattern password. Whether the user's identity is verified by iris, fingerprint, password, pattern or other means, the verification protects the security of the user's account. Of these, iris and fingerprint verification offer the best security and can ensure to the greatest extent that only the owner passes verification.
It should be noted that the password or pattern verification described here is independent of the password or pattern that the user set when registering on the application server. The verification here ensures that the user passes local identity verification on the mobile terminal; once it is passed, the mobile terminal notifies the certificate server to assist the user in completing the subsequent authentication operation at the application server.
When the user initiates the authentication request through the PC end, the certificate server can assist the user in completing the authentication operation at the application server in several ways; see modes one to three described below.
Mode one: in one embodiment, the certificate server sends authentication license information to the application server, wherein the authentication license information contains the first identifier and the identifier of this authentication operation. After receiving the authentication license information, the application server looks up the second identifier corresponding to the first identifier according to the pre-saved correspondence between first identifiers and second identifiers, and, according to the identifier of this authentication operation, allows the user corresponding to the second identifier to pass this authentication; the second identifier is the user's unique identifier on the application server. In this embodiment, once the user passes local identity verification on the mobile terminal, the certificate server directly informs the application server that the user may pass authentication. This scheme requires certain adjustments to the existing application server. Throughout the authentication process the user does not need to remember or enter a complex password; moreover, the password the user set on the application server is neither stored and managed on the terminal side nor transmitted, which avoids the problem of the password being intercepted in transmission and gives very high security.
Mode two: in another embodiment, the certificate server uses the first identifier contained in the authentication assistance information to look up locally the second identifier and the application server login password stored in association with the user's identifier, and sends the second identifier and the application server login password to the PC end, so that the PC end submits them to the application server to complete authentication; the second identifier is the user's unique identifier on the application server, and the application server login password is the password corresponding to that unique identifier. In this embodiment, the PC end likewise does not need to store the username the user registered on the application server or the password that was set; instead, the certificate server manages and provides them. Thus even if the account password set on the application server is extremely complex, the user does not need to remember or enter it, which is convenient for the user while ensuring the security of the account, and offers the greatest compatibility with application servers.
Mode three: in another embodiment, the certificate server uses the first identifier contained in the authentication assistance information to look up locally the second identifier stored in association with the user's identifier; after finding the second identifier, the certificate server sends the second identifier and a dynamic security identification code to the PC end, so that the PC end submits the second identifier and the dynamic security identification code to the application server to complete authentication; the second identifier is the user's unique identifier on the application server. In this embodiment, the PC end likewise does not need to store or manage the username the user registered on the application server or the password that was set, and the user does not need to remember or enter them; moreover, on top of the previous embodiment, this embodiment uses a dynamic security identification code, further avoiding the risk of the password being intercepted in transmission.
For mode one, before the application server allows the user corresponding to the second identifier to pass this authentication, the method further includes the following steps: the PC end requests the application server to pass authentication and, with the request, sends the identifier of this authentication operation (assumed to be identifier A) to the application server; and, when the application server receives the authentication license information (which also contains the identifier of this authentication operation, assumed to be identifier A'), if the application server determines that identifier A, sent by the PC end when requesting to pass authentication, is the same as identifier A' carried in the authentication license information, it allows the user corresponding to the second identifier to pass authentication on this PC end;
For mode two, before the certificate server sends the second identifier and the application server login password, the method further includes the following steps: the PC end requests the second identifier and the application server login password from the certificate server and, with the request, sends the identifier of this authentication operation (assumed to be identifier A) to the certificate server; when the certificate server receives the authentication assistance information (which likewise contains the identifier of this authentication operation, assumed to be identifier A'), if it determines that the previously received identifier A is the same as identifier A' carried in the authentication assistance information, it allows the second identifier and the application server login password to be sent to the PC end;
For mode three, before the certificate server sends the second identifier and the dynamic security identification code, the method further includes the following steps: the PC end requests the second identifier and the dynamic security identification code from the certificate server and, with the request, sends the identifier of this authentication operation (assumed to be identifier A) to the certificate server; when the certificate server receives the authentication assistance information (which likewise contains the identifier of this authentication operation, assumed to be identifier A'), if it determines that the previously received identifier A is the same as identifier A' carried in the authentication assistance information, it allows the second identifier and the dynamic security identification code to be sent to the PC end.
In the embodiments listed above, the user initiates the authentication request through the PC end. In other embodiments, the user may initiate the authentication request to the application server through a third-party app on the mobile terminal. Specifically, the application server may provide the authentication request information to the third-party app; the authentication request information includes the identifier of the application server and the identifier of this authentication operation, wherein the identifier of the application server is the application server's unique identifier on the certificate server, and the identifier of this authentication operation is the unique identifier of this authentication operation; in response to the authentication request (for example, on receiving the authentication request information), the third-party app calls the mobile terminal's authentication module to verify the user's identity. The user's identity may likewise be verified here by iris verification, fingerprint verification, password verification, pattern verification or similar means.
If the user has passed identity verification on the mobile terminal, the certificate server can assist the user in completing authentication at the application server in several ways; see modes four and five described below.
Mode four: in one embodiment, the certificate server sends authentication license information to the application server, wherein the authentication license information contains the first identifier and the identifier of this authentication operation. After receiving the authentication license information, the application server looks up the second identifier corresponding to the first identifier according to the pre-saved correspondence between first identifiers and second identifiers, and, according to the identifier of this authentication operation, allows the user corresponding to the second identifier to pass this authentication; the second identifier is the user's unique identifier on the application server. In this embodiment, once the user passes local identity verification on the mobile terminal, the certificate server directly informs the application server that the user may pass authentication. This scheme requires certain adjustments to the existing application server. Throughout the authentication process the user does not need to remember or enter a complex password; moreover, the password the user set on the application server is neither stored and managed on the terminal side nor transmitted, which avoids the problem of the password being intercepted in transmission and gives very high security.
Mode five: in another embodiment, the certificate server uses the first identifier contained in the authentication assistance information to look up locally the second identifier stored in association with the user's identifier; after finding the second identifier, the certificate server sends the second identifier and a dynamic security identification code to the third-party app, so that the third-party app submits the second identifier and the dynamic security identification code to the application server to complete authentication; the second identifier is the user's unique identifier on the application server. In this embodiment, the dynamic security code effectively ensures the security of the user's account information and prevents situations such as illegitimate login; likewise, the password the user set on the application server does not need to be transmitted over the network, avoiding the possibility of the password being intercepted in transmission.
For mode four, before the application server allows the user corresponding to the second identifier to pass this authentication, the method further includes the following steps: the third-party app requests the application server to pass authentication and, with the request, sends the identifier of this authentication operation to the application server; and, when the application server receives the authentication license information, if the application server determines that the identifier of this authentication operation sent by the third-party app when requesting to pass authentication is the same as the identifier of this authentication operation carried in the authentication license information, it allows the user corresponding to the second identifier to pass authentication on this third-party app;
For mode five, before the certificate server sends the second identifier and the dynamic security identification code, the method further includes the following steps: the third-party app requests the second identifier and the dynamic security identification code from the certificate server and, with the request, sends the identifier of this authentication operation to the certificate server; when the certificate server determines that this identifier is the same as the identifier of this authentication operation carried in the authentication assistance information, it allows the second identifier and the dynamic security identification code to be sent to the third-party app.
Several specific embodiments of the present invention are described below in conjunction with application scenarios.
Embodiment 1: password-free login
As shown in Fig. 2, when the user wishes to log in through the PC end to an application server (which may be a website or a CS server, referred to as AppServerA here and below), the specific flow is as follows:
Step 1: the user initiates a login request (that is, an authentication request) through the PC end;
Step 2: AppServerA displays the QR code for this login (it sends the QR code to the PC end for display); the QR code contains information such as the identifier of the application server the user is logging in to and the unique identifier of this authentication request; the user scans the QR code with the mobile app;
Step 3: the mobile phone verifies the user's identity (that is, that the user is the owner) by fingerprint recognition or other security means; specifically, the verification may be performed by the authentication module on the phone side (not shown in Fig. 2);
Step 4: after the user's identity verification passes, the mobile app requests the certificate server to assist the user's login operation (that is, it sends the authentication assistance information); specifically, the authentication assistance information may be sent by the communication module on the phone side (not shown in Fig. 2);
Step 5: the certificate server notifies AppServerA of the authentication result (that is, it sends authentication license information to AppServerA); after receiving the authentication license information, AppServerA allows the current PC end to log in without requiring the user to enter a username and password;
Step 6: AppServerA notifies the user that the login succeeded.
In this embodiment, only a certain degree of change to AppServerA is needed to authenticate the user without transmitting any password, which gives very high security (the password cannot be intercepted); and since the user does not need to remember or enter the username and password registered on the application server, the user's workload is greatly reduced and the user experience is good.
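The Embodiment 1 flow, together with the identifier A / A' comparison described for mode one, is sketched below as an added example that is not code from the patent. The HMAC construction of the identity check code, the per-device key, the single-use handling of operation identifiers, and every name and sample value are assumptions, since the page does not specify them.

```python
import hashlib
import hmac
import secrets


def check_code(key, first_id, app_id, op_id):
    """Identity check code: HMAC-SHA256 over the message fields (assumed construction)."""
    msg = "\x00".join([first_id, app_id, op_id]).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class AppServer:
    def __init__(self, app_id, id_map):
        self.app_id = app_id
        self.id_map = id_map    # pre-saved first identifier -> second identifier
        self.pending = {}       # identifier A -> PC session waiting to log in
        self.sessions = {}      # PC session -> second identifier (logged in)

    def start_login(self, pc_session):
        """Steps 1-2: issue identifier A and return the QR code contents."""
        op_id = secrets.token_urlsafe(16)
        self.pending[op_id] = pc_session
        return {"app_id": self.app_id, "op_id": op_id}

    def receive_license(self, lic):
        """Steps 5-6: match A' from the license information against a pending A."""
        pc_session = self.pending.pop(lic["op_id"], None)  # single use (assumption)
        if pc_session is None:
            return "op-id-mismatch"
        second_id = self.id_map.get(lic["first_id"])
        if second_id is None:
            return "no-mapping"
        self.sessions[pc_session] = second_id
        return "granted"


class CertificateServer:
    def __init__(self, app_servers):
        # app_id -> AppServer; a direct call stands in for an authenticated channel
        self.app_servers = app_servers
        self.device_keys = {}   # first identifier -> key shared with the phone

    def enroll(self, first_id):
        key = secrets.token_bytes(32)
        self.device_keys[first_id] = key
        return key

    def handle_assistance(self, info):
        """Step 4 received: verify the check code, then send license information."""
        key = self.device_keys.get(info["first_id"])
        app = self.app_servers.get(info["app_id"])
        if key is None or app is None:
            return "unknown-party"
        expected = check_code(key, info["first_id"], info["app_id"], info["op_id"])
        if not hmac.compare_digest(expected, info["check_code"]):
            return "bad-check-code"
        return app.receive_license({"first_id": info["first_id"], "op_id": info["op_id"]})


def mobile_assist(key, first_id, qr, owner_verified):
    """Steps 3-4: only after local owner verification is assistance information built."""
    if not owner_verified:
        return None
    return {"first_id": first_id, "app_id": qr["app_id"], "op_id": qr["op_id"],
            "check_code": check_code(key, first_id, qr["app_id"], qr["op_id"])}


def run_demo():
    # All identifiers below are constructed sample values.
    app = AppServer("appserver-a.example", {"cs-user-001": "alice"})
    cs = CertificateServer({app.app_id: app})
    key = cs.enroll("cs-user-001")
    results = {}

    qr = app.start_login("pc-session-1")
    info = mobile_assist(key, "cs-user-001", qr, True)
    results["normal"] = cs.handle_assistance(info)
    results["logged_in_as"] = app.sessions.get("pc-session-1")
    results["replay"] = cs.handle_assistance(info)   # A was already consumed

    qr2 = app.start_login("pc-session-2")
    qr3 = app.start_login("pc-session-3")
    info2 = mobile_assist(key, "cs-user-001", qr2, True)
    redirected = dict(info2, op_id=qr3["op_id"])     # op_id altered after signing
    results["tampered"] = cs.handle_assistance(redirected)
    results["other_session"] = app.sessions.get("pc-session-3")
    results["not_owner"] = mobile_assist(key, "cs-user-001", qr2, False)
    return results


if __name__ == "__main__":
    print(run_demo())
```

Binding the check code to the operation identifier is what stops a message approved for one QR code from being redirected to another pending PC session.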
Embodiment 2: login to general websites
As shown in Fig. 3, when the user wishes to log in, through a browser plug-in on the PC end, to an AppServerA that has not been changed in any way, the processing flow is as follows:
Step 1: the user initiates a login request (that is, an authentication request) through the PC end;
Step 2: the browser plug-in on the PC end obtains the request information, then generates and displays a QR code containing it; the request information includes the identifier of the application server the user is logging in to (for example, the website address), the unique identifier of this request, and so on; the user scans the QR code with the mobile app;
Step 3: the mobile phone verifies the user's identity (that is, that the user is the owner) by fingerprint recognition or other security means; specifically, the verification may be performed by the authentication module on the phone side (not shown in Fig. 3);
Step 4: after the user's identity verification passes, the mobile app requests the certificate server to assist the user's login operation (that is, it sends the authentication assistance information); specifically, the authentication assistance information may be sent by the communication module on the phone side (not shown in Fig. 3);
Step 5: the certificate server delivers the user's account and password at AppServerA to the browser plug-in over a secure channel;
Step 6: the browser plug-in uses the account and password to fill in AppServerA's login page automatically; after confirming, the user clicks the login button to complete the login to AppServerA;
Step 7: AppServerA notifies the browser that the login succeeded.
In this embodiment, the website does not need to be modified. The user's account and password are stored on the certificate server, which delivers them to the browser plug-in over a secure channel, and the browser plug-in fills them in on the user's behalf. The user does not need to remember or enter the username and password, and, while security is ensured, the certificate server remains well compatible with existing servers such as websites.
Embodiment 3: CS login
As shown in Fig. 4, when the user wishes to log in to AppServerA through a desktop application on the PC end (a program running on the PC, for example the client program of a shopping website or an online game client), the processing flow is as follows:
Step 1: the user initiates a login request (that is, an authentication request) through the PC end;
Step 2: the desktop application on the PC end obtains the request information, then generates and displays a QR code containing it; the request information includes the identifier of the application server the user is logging in to, the unique identifier of this request, and so on; the user scans the QR code with the mobile phone;
Step 3: the mobile phone verifies the user's identity (that is, that the user is the owner) by fingerprint recognition or other security means; specifically, the verification may be performed by the authentication module on the phone side (not shown in Fig. 4);
Step 4: after the user's identity verification passes, the mobile app requests the certificate server to assist the user's login operation (that is, it sends the authentication assistance information); specifically, the authentication assistance information may be sent by the communication module on the phone side (not shown in Fig. 4);
Step 5: the certificate server delivers information such as the user's account at AppServerA and a dynamic security identification code to the desktop application over a secure channel;
Step 6: the desktop application uses the account and the dynamic security identification code to log in to AppServerA;
Step 7: AppServerA notifies the desktop application that the login succeeded.
This embodiment is similar to Embodiment 2: neither requires the website to be modified (or requires only minor modification), so the application server keeps good system compatibility. In addition, because the desktop application is verified by means of a dynamic security identification code (not a password), the possibility of the password being intercepted in transmission is avoided without the user having to remember or enter a password, giving better security.
Embodiment 4: secondary authentication for important operations
As shown in Fig. 5, when the user has already logged in and wishes to perform an important operation such as payment, secondary authentication of the user can be performed when the operation is carried out; the processing flow is as follows:
Step 1: when the user wants to use an important function of AppServerA (called Func1 for short; it may be a function such as payment), the user initiates an authentication request to AppServerA;
Step 2: AppServerA displays, through a web page or desktop application, a QR code containing the request information; the request information includes the application server identifier, the unique identifier of this request (the Func1 identifier), and so on; the user scans the QR code with the mobile app;
Step 3: the mobile phone verifies the user's identity (that is, that the user is the owner) by fingerprint recognition or other security means; specifically, the verification may be performed by the authentication module on the phone side (not shown in Fig. 5);
Step 4: after the user's identity verification passes, the mobile app requests the certificate server to assist the user's login operation (that is, it sends the authentication assistance information); specifically, the authentication assistance information may be sent by the communication module on the phone side (not shown in Fig. 5);
Step 5: the certificate server notifies AppServerA of the authentication result (that is, the certificate server sends authentication license information to AppServerA); AppServerA confirms the legitimacy of this operation and allows the user to perform the current important operation without requiring the user to enter a password;
Step 6: AppServerA notifies the user that the operation succeeded.
This embodiment is similar to Embodiment 1: authentication for the user's important operation can be performed without transmitting a password, and because the whole flow does not transmit the user's password, security is further improved; throughout, the user does not need to remember or enter a password, so the user experience is good.
Embodiment 5: password-free login from a third-party mobile app
As shown in Fig. 6, when the user logs in to AppServerA directly through a third-party app on the mobile phone, the processing flow is as follows:
Step 1: when the user uses the third-party app to log in to AppServerA, a login authentication request is sent to the third-party app;
Step 2: the third-party app calls the authentication module, which verifies the user's identity (that is, that the user is the owner) by fingerprint recognition or other security means;
Step 3: after the user's identity verification passes, the communication module on the phone side (not shown in Fig. 6; the communication module can communicate with the phone-side authentication module and with the certificate server to transfer information) sends authentication assistance information to the certificate server, containing information such as the application server identifier and the unique identifier of this request;
Step 4: the certificate server notifies AppServerA of the authentication result (that is, the certificate server sends authentication license information to AppServerA);
Step 5: after its check, AppServerA completes the login (that is, completes the authentication of the user) and notifies the third-party app that the login succeeded.
In this embodiment, both the existing application server and the mobile app need to be modified, so that transmitting a password during authentication is avoided and security is improved.
Embodiment 6: security-code login from a third-party mobile app
As shown in Fig. 7, the user can log in directly through a third-party app on the mobile phone by means of a security code; the processing flow is as follows:
Step 1: when the user uses the third-party app to log in to AppServerA, a login authentication request is sent to the third-party app;
Step 2: the third-party app calls the authentication module, which verifies the user's identity (that is, that the user is the owner) by fingerprint recognition or other security means;
Step 3: after the user's identity verification passes, the communication module on the phone side (not shown in Fig. 7; the communication module can communicate with the phone-side authentication module and with the certificate server to transfer information) sends authentication assistance information to the certificate server, containing information such as the application server identifier and the unique identifier of this request;
Step 4: the certificate server delivers the account and the dynamic security identification code to the communication module on the phone side (not shown in Fig. 7);
Step 5: the third-party app uses the account and the dynamic security identification code to log in to AppServerA;
Step 6: AppServerA notifies the third-party app that the login succeeded.
In this embodiment, only the mobile app needs to be modified; the application server side needs little or no change. This not only avoids transmitting a password during authentication but also ensures security through the security code, and it helps the certificate server remain compatible with existing systems.
In addition, according to an embodiment of the present invention, a device for implementing subscription authentication is also provided.
As shown in Fig. 8, the device for implementing subscription authentication according to an embodiment of the present invention includes:
An authentication module 81, configured to verify the user's identity when the application server needs to authenticate the user;
A communication module 82, configured to send authentication assistance information to the certificate server after the user passes verification on the mobile terminal; the authentication assistance information notifies the certificate server to assist the user in completing the authentication operation on the application server, wherein the authentication assistance information includes the user's first identifier, and the first identifier is the user's unique identifier on the certificate server.
Here, the authentication assistance information further includes the identity check code of the certificate server; when the certificate server receives the authentication assistance information, it checks the identity check code in the authentication assistance information and, after the check passes, assists the user in completing the authentication operation on the application server.
In addition, the authentication assistance information may further include the identifier of the application server and the identifier of this authentication operation; when the application server needs to authenticate the user, the mobile terminal obtains the authentication request information for this authentication, wherein the authentication request information includes the identifier of the application server and the identifier of this authentication operation, the identifier of the application server is the application server's unique identifier on the certificate server, and the identifier of this authentication operation is the unique identifier of this authentication operation.
On the one hand, the user can initiate the authentication request through the PC end; in response to the authentication request, the application server or the PC end generates an identification code and the PC end displays it, wherein the identification code includes the identifier of the application server and the identifier of this authentication operation; after the mobile terminal recognizes the identification code, it initiates identity verification of the user.
When the user initiates the authentication request through the PC end, the certificate server assists the user in completing the authentication operation on the application server in one of the following ways:
Mode one: the certificate server sends authentication license information to the application server, wherein the authentication license information contains the first identifier and the identifier of this authentication operation; after receiving the authentication license information, the application server looks up the second identifier corresponding to the first identifier according to the pre-saved correspondence between first identifiers and second identifiers, and, according to the identifier of this authentication operation, allows the user corresponding to the second identifier to pass this authentication; the second identifier is the user's unique identifier on the application server; or
Mode two: the certificate server uses the first identifier contained in the authentication assistance information to look up locally the second identifier and the application server login password stored in association with the user's identifier, and sends the second identifier and the application server login password to the PC end, so that the PC end submits them to the application server to complete authentication; the second identifier is the user's unique identifier on the application server, and the application server login password is the password corresponding to that unique identifier; or
Mode three: the certificate server uses the first identifier contained in the authentication assistance information to look up locally the second identifier stored in association with the user's identifier; after finding the second identifier, the certificate server sends the second identifier and a dynamic security identification code to the PC end, so that the PC end submits the second identifier and the dynamic security identification code to the application server to complete authentication; the second identifier is the user's unique identifier on the application server.
Wherein, for mode one, before the application server allows the user corresponding to the second mark to pass this authentication, the following steps are further included: the PC end requests the application server to pass authentication, and at the time of the request sends the mark of this authentication operation (assumed to be mark A) to the application server; and, when the application server receives the authentication license information (the authentication license information also comprises the mark of this authentication operation, assumed to be mark A'), if the application server determines that the mark A of this authentication operation sent by the PC end when requesting to pass authentication is identical to the mark A' of this authentication operation carried in the authentication license information, it allows the user corresponding to the second mark to pass authentication on this PC end;
For mode two, before the certificate server sends the second mark and the application server login password, the following steps are further included: the PC end requests the second mark and the application server login password from the certificate server, and at the time of the request sends the mark of this authentication operation (assumed to be mark A) to the certificate server; when the certificate server receives the authentication assistance information (the authentication assistance information likewise comprises the mark of this authentication operation, assumed to be mark A'), if it determines that the previously received mark A of this authentication operation is identical to the mark A' of this authentication operation carried in the authentication assistance information, it allows the second mark and the application server login password to be sent to the PC end;
For mode three, before the certificate server sends the second mark and the dynamic security identification code, the following steps are further included: the PC end requests the second mark and the dynamic security identification code from the certificate server, and at the time of the request sends the mark of this authentication operation (assumed to be mark A) to the certificate server; when the certificate server receives the authentication assistance information (the authentication assistance information likewise comprises the mark of this authentication operation, assumed to be mark A'), if it determines that the previously received mark A of this authentication operation is identical to the mark A' of this authentication operation carried in the authentication assistance information, it allows the second mark and the dynamic security identification code to be sent to the PC end.
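The mode-one check described above (mark A sent by the PC end compared with mark A' carried in the authentication license information), as an added example that is not part of the patent text; mode four applies the same comparison with the third party APP in place of the PC end. All class and function names, the HMAC-SHA256 form of the identity check code verified by the certificate server, the single-use handling of mark A and the expiry time are assumptions of this example, and the sample marks and key are constructed.

```python
import hashlib
import hmac
import secrets
import time


def check_code(key, first_mark, app_server_mark, operation_mark):
    """Identity check code, modelled here (assumption) as HMAC-SHA256."""
    msg = "\x1f".join([first_mark, app_server_mark, operation_mark]).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class ApplicationServer:
    """Mode one: a PC-end session passes only if mark A equals mark A'."""

    def __init__(self, mark, first_to_second, ttl_seconds=120):
        self.mark = mark                        # mark of this application server
        self.first_to_second = first_to_second  # pre-saved first mark -> second mark
        self.ttl = ttl_seconds                  # assumption: operations expire
        self.pending = {}                       # mark A -> (pc_session, created_at)
        self.passed = {}                        # pc_session -> second mark

    def new_identification_code(self):
        """Content of the identification code shown at the PC end."""
        return self.mark, secrets.token_urlsafe(16)

    def request_pass(self, pc_session, mark_a, now=None):
        """PC end requests to pass authentication and sends mark A."""
        if mark_a in self.pending:
            return False                        # one PC-end session per operation
        self.pending[mark_a] = (pc_session, time.time() if now is None else now)
        return True

    def receive_license(self, first_mark, mark_a_prime, now=None):
        """Authentication license information from the certificate server."""
        now = time.time() if now is None else now
        entry = self.pending.pop(mark_a_prime, None)   # single use (assumption)
        if entry is None:
            return None                         # A' equals no registered A
        pc_session, created_at = entry
        second_mark = self.first_to_second.get(first_mark)
        if second_mark is None or now - created_at > self.ttl:
            return None                         # unknown first mark or expired
        self.passed[pc_session] = second_mark
        return pc_session


class CertificateServer:
    def __init__(self, keys, app_servers):
        self.keys = keys                # first mark -> check-code key (assumption)
        self.app_servers = app_servers  # application server mark -> server

    def assist(self, info, now=None):
        """Verify the check code, then send license information (mode one)."""
        key = self.keys.get(info["first_mark"])
        app = self.app_servers.get(info["app_server_mark"])
        if key is None or app is None:
            return None
        expected = check_code(key, info["first_mark"], info["app_server_mark"],
                              info["operation_mark"])
        if not hmac.compare_digest(expected, info["check_code"]):
            return None
        return app.receive_license(info["first_mark"], info["operation_mark"], now)


def mobile_assistance_info(first_mark, key, identification_code, user_verified):
    """Mobile terminal: build authentication assistance information."""
    if not user_verified:               # local identity verification failed
        return None
    app_server_mark, operation_mark = identification_code
    return {"first_mark": first_mark, "app_server_mark": app_server_mark,
            "operation_mark": operation_mark,
            "check_code": check_code(key, first_mark, app_server_mark, operation_mark)}


def demo():
    """Constructed sample data; returns the outcome of each scenario."""
    key = b"constructed-demo-key"
    app = ApplicationServer("app-01", {"cert-user-7": "alice@app"})
    cert = CertificateServer({"cert-user-7": key}, {"app-01": app})
    code = app.new_identification_code()
    app.request_pass("pc-session-1", code[1], now=1000.0)
    info = mobile_assistance_info("cert-user-7", key, code, user_verified=True)
    ok = cert.assist(info, now=1010.0)
    replay = cert.assist(info, now=1011.0)          # mark A already consumed
    forged = dict(info, operation_mark="other-operation")
    tampered = cert.assist(forged, now=1012.0)      # check code no longer matches
    return {"ok": ok, "replay": replay, "tampered": tampered,
            "second_mark": app.passed.get(ok)}
```

Only the PC-end session that registered mark A is granted, and only for the second mark mapped from the first mark in the license information; a repeated, altered, unknown or expired operation mark grants nothing.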
On the other hand, the user can initiate an authentication request through a third party APP of the mobile terminal; in response to the authentication request, the third party APP calls the authentication module of the mobile terminal to verify the identity of the user.
In the case where the user initiates the authentication request through the third party APP of the mobile terminal, the certificate server can assist the user in realizing the authentication operation on the application server in one of the following manners:
Mode four: the certificate server sends authentication license information to the application server, wherein the authentication license information comprises the first mark and the mark of this authentication operation; after receiving the authentication license information, the application server searches for the second mark corresponding to the first mark according to the pre-saved correspondence between the first mark and the second mark, and allows the user corresponding to the second mark to pass this authentication according to the mark of this authentication operation; wherein the second mark is the user's unique mark on the application server; or
Mode five: the certificate server, according to the first mark comprised in the authentication assistance information, searches locally for the second mark saved in association with the ID; after finding the second mark, the certificate server sends the second mark and a dynamic security identification code to the third party APP, so that the third party APP submits the second mark and the dynamic security identification code to the application server to complete authentication; wherein the second mark is the user's unique mark on the application server.
Wherein, for mode four, before the application server allows the user corresponding to the second mark to pass this authentication, the following steps are further included: the third party APP requests the application server to pass authentication, and at the time of the request sends the mark of this authentication operation to the application server; and, when the application server receives the authentication license information, if the application server determines that the mark of this authentication operation sent by the third party APP when requesting to pass authentication is identical to the mark of this authentication operation carried in the authentication license information, it allows the user corresponding to the second mark to pass authentication on this third party APP;
For mode five, before the certificate server sends the second mark and the dynamic security identification code, the following steps are further included: the third party APP requests the second mark and the dynamic security identification code from the certificate server, and at the time of the request sends the mark of this authentication operation to the certificate server; in the case where the certificate server determines that this mark of this authentication operation is identical to the mark of this authentication operation carried in the authentication assistance information, the second mark and the dynamic security identification code are allowed to be sent to the third party APP.
Additionally, the situations in which the application server needs to authenticate the user include: the user initiates a login request; the user initiates a request to obtain a resource; an operation initiated by the user while already logged in requires secondary authentication.
Optionally, the manners in which the authentication module 81 verifies the identity of the user include: iris verification, fingerprint verification, password verification and/or pattern verification.
In summary, by means of the technical scheme, the user's identity is verified at the mobile terminal and, once the user passes the verification, the mobile terminal informs the certificate server to assist the user in completing the authentication operation on the application server. This spares the user from remembering and entering passwords while also ensuring the security of the account. Moreover, because the user's application server account and password are saved on the certificate server, which has higher security, the security risk that arises because keeping or entering passwords on a public computer or PC is vulnerable to hacker attack is effectively avoided, which further improves the security of the user account.
The foregoing is merely the preferred embodiments of the present invention and is not intended to limit the present invention; any modification, equivalent substitution, improvement and the like made within the spirit and principles of the present invention shall be included within the scope of the present invention.

Claims (10)

1. An implementation method of user authentication, characterized by comprising:
In the case where an application server needs to authenticate a user, verifying the identity of said user by a mobile terminal;
After said user passes the verification of said mobile terminal, said mobile terminal sends authentication assistance information to a certificate server, said authentication assistance information being used to notify said certificate server to assist said user in realizing the authentication operation on said application server, wherein said authentication assistance information includes a first mark of said user, and said first mark is said user's unique mark on said certificate server.
2. The implementation method according to claim 1, characterized in that said authentication assistance information further includes an identity check code of said certificate server, and said implementation method further comprises:
In the case where said certificate server receives said authentication assistance information, checking the identity check code in said authentication assistance information, and, after the check passes, assisting said user in realizing the authentication operation on said application server.
3. The implementation method according to claim 1, characterized in that said authentication assistance information further includes the mark of said application server and the mark of this authentication operation, and said implementation method further comprises:
In the case where said application server needs to authenticate the user, said mobile terminal acquires the authentication request information of this authentication, wherein said authentication request information includes the mark of said application server and the mark of this authentication operation; the mark of said application server is said application server's unique identifier on said certificate server, and the mark of this authentication operation is the unique identifier of this authentication operation.
4. The implementation method according to claim 3, characterized in that, before said mobile terminal verifies the identity of said user, said implementation method further comprises:
Said user initiates an authentication request through a PC end;
In response to said authentication request, said application server or said PC end generates an identification code and displays this identification code at said PC end, wherein said identification code includes the mark of said application server and the mark of this authentication operation;
After said identification code is recognized by said mobile terminal, authentication of said user is initiated.
5. The implementation method according to claim 4, characterized in that said certificate server assists said user in realizing the authentication operation on said application server in one of the following manners:
Mode one: said certificate server sends authentication license information to said application server, wherein said authentication license information comprises said first mark and the mark of this authentication operation; after receiving said authentication license information, said application server searches for the second mark corresponding to said first mark according to the pre-saved correspondence between said first mark and the second mark, and allows the user corresponding to said second mark to pass this authentication according to the mark of this authentication operation; wherein said second mark is said user's unique mark on said application server; or
Mode two: said certificate server, according to said first mark comprised in said authentication assistance information, searches locally for the second mark and the application server login password saved in association with said ID, and sends said second mark and said application server login password to said PC end, so that the PC end submits said second mark and said application server login password to said application server to complete authentication; wherein said second mark is said user's unique mark on said application server, and said application server login password is the password corresponding to this unique mark; or
Mode three: said certificate server, according to said first mark comprised in said authentication assistance information, searches locally for the second mark saved in association with said ID; after finding said second mark, said certificate server sends said second mark and a dynamic security identification code to said PC end, so that the PC end submits said second mark and said dynamic security identification code to said application server to complete authentication; wherein said second mark is said user's unique mark on said application server.
6. The implementation method according to claim 3, characterized in that, before said mobile terminal verifies the identity of said user, said implementation method further comprises:
Said user initiates an authentication request through a third party APP of said mobile terminal;
In response to said authentication request, said third party APP calls the authentication module of said mobile terminal to verify the identity of said user.
7. The implementation method according to claim 6, characterized in that said certificate server assists said user in realizing the authentication operation on said application server in one of the following manners:
Mode four: said certificate server sends authentication license information to said application server, wherein said authentication license information comprises said first mark and the mark of this authentication operation; after receiving said authentication license information, said application server searches for the second mark corresponding to said first mark according to the pre-saved correspondence between said first mark and the second mark, and allows the user corresponding to said second mark to pass this authentication according to the mark of this authentication operation; wherein said second mark is said user's unique mark on said application server; or
Mode five: said certificate server, according to said first mark comprised in said authentication assistance information, searches locally for the second mark saved in association with said ID; after finding said second mark, said certificate server sends said second mark and a dynamic security identification code to said third party APP, so that said third party APP submits said second mark and the dynamic security identification code to said application server to complete authentication; wherein said second mark is said user's unique mark on said application server.
8. The implementation method according to claim 5 or 7, characterized in that:
For said mode one, before said application server allows the user corresponding to said second mark to pass this authentication, the following steps are further included: the PC end requests the application server to pass authentication, and at the time of the request sends the mark of this authentication operation to the application server; and, when said application server receives said authentication license information, if said application server determines that the mark of this authentication operation sent by said PC end when requesting to pass authentication is identical to the mark of this authentication operation carried in said authentication license information, it allows the user corresponding to the second mark to pass authentication on this PC end;
For said mode two, before said certificate server sends said second mark and said application server login password, the following steps are further included: said PC end requests said second mark and said application server login password from said certificate server, and at the time of the request sends the mark of this authentication operation to said certificate server; in the case where said certificate server determines that this mark of this authentication operation is identical to the mark of this authentication operation carried in said authentication assistance information, said second mark and said application server login password are allowed to be sent to said PC end;
For said mode three, before said certificate server sends said second mark and the dynamic security identification code, the following steps are further included: said PC end requests said second mark and the dynamic security identification code from said certificate server, and at the time of the request sends the mark of this authentication operation to said certificate server; in the case where said certificate server determines that this mark of this authentication operation is identical to the mark of this authentication operation carried in said authentication assistance information, said second mark and said dynamic security identification code are allowed to be sent to said PC end;
For said mode four, before said application server allows the user corresponding to said second mark to pass this authentication, the following steps are further included: said third party APP requests the application server to pass authentication, and at the time of the request sends the mark of this authentication operation to the application server; and, when said application server receives said authentication license information, if said application server determines that the mark of this authentication operation sent by said third party APP when requesting to pass authentication is identical to the mark of this authentication operation carried in said authentication license information, it allows the user corresponding to the second mark to pass authentication on this third party APP;
For said mode five, before said certificate server sends said second mark and the dynamic security identification code, the following steps are further included: said third party APP requests said second mark and the dynamic security identification code from said certificate server, and at the time of the request sends the mark of this authentication operation to said certificate server; in the case where said certificate server determines that this mark of this authentication operation is identical to the mark of this authentication operation carried in said authentication assistance information, said second mark and said dynamic security identification code are allowed to be sent to said third party APP.
9. The implementation method according to any one of claims 1 to 8, characterized in that:
The situations in which the application server needs to authenticate the user include: the user initiates a login request; the user initiates a request to obtain a resource; an operation initiated by the user while already logged in requires secondary authentication;
The manners in which said mobile terminal verifies the identity of said user include: iris verification, fingerprint verification, password verification and/or pattern verification.
10. A device for realizing user authentication, arranged at the mobile terminal side, characterized in that the device includes:
An authentication module, configured to verify the identity of said user in the case where an application server needs to authenticate the user;
A communication module, configured to send authentication assistance information to a certificate server after said user passes the verification of said mobile terminal, said authentication assistance information being used to notify said certificate server to assist said user in realizing the authentication operation on said application server, wherein said authentication assistance information includes a first mark of said user, and said first mark is said user's unique mark on said certificate server.
CN201610817540.8A 2016-09-12 2016-09-12 Method and device for realizing user authentication Active CN106161475B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201610817540.8A CN106161475B (en) 2016-09-12 2016-09-12 Method and device for realizing user authentication

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201610817540.8A CN106161475B (en) 2016-09-12 2016-09-12 Method and device for realizing user authentication

Publications (2)

Publication Number Publication Date
CN106161475A true CN106161475A (en) 2016-11-23
CN106161475B CN106161475B (en) 2020-06-05

Family

ID=57341255

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201610817540.8A Active CN106161475B (en) 2016-09-12 2016-09-12 Method and device for realizing user authentication

Country Status (1)

Country Link
CN (1) CN106161475B (en)

Also Published As

Publication number Publication date
CN106161475B (en) 2020-06-05

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant
TR01 Transfer of patent right
TR01 Transfer of patent right

Effective date of registration: 20230919

Address after: 519000 Office 1501, No. 2202 Xiangjiang Road, Hengqin New District, Zhuhai City, Guangdong Province

Patentee after: Xinweilu Technology (Zhuhai) Co.,Ltd.

Address before: No. 12B06, Gate 1, 7th Floor, Yuquan Xili Second District, Shijingshan District, Beijing, 100040

Patentee before: Shen Shurong