CN112507308A - Identity recognition and authentication method - Google Patents


Publication number
CN112507308A
Authority
CN
China
Prior art keywords
face
user
face recognition
authentication
login
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Withdrawn
Application number
CN202011127463.6A
Other languages
Chinese (zh)
Inventor
陈志开
刘云鹤
张超
史晶
郭俊余
雷飞涛
孔金珠
黄鑫
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Kirin Software Co Ltd
Original Assignee
Kirin Software Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Kirin Software Co Ltd
Priority to CN202011127463.6A
Publication of CN112507308A
Current legal status: Withdrawn


Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31 User authentication
    • G06F21/32 User authentication using biometric data, e.g. fingerprints, iris scans or voiceprints
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06V IMAGE OR VIDEO RECOGNITION OR UNDERSTANDING
    • G06V40/00 Recognition of biometric, human-related or animal-related patterns in image or video data
    • G06V40/10 Human or animal bodies, e.g. vehicle occupants or pedestrians; Body parts, e.g. hands
    • G06V40/16 Human faces, e.g. facial parts, sketches or expressions
    • G06V40/161 Detection; Localisation; Normalisation
    • G06V40/166 Detection; Localisation; Normalisation using acquisition arrangements
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06V IMAGE OR VIDEO RECOGNITION OR UNDERSTANDING
    • G06V40/00 Recognition of biometric, human-related or animal-related patterns in image or video data
    • G06V40/10 Human or animal bodies, e.g. vehicle occupants or pedestrians; Body parts, e.g. hands
    • G06V40/16 Human faces, e.g. facial parts, sketches or expressions
    • G06V40/168 Feature extraction; Face representation
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06V IMAGE OR VIDEO RECOGNITION OR UNDERSTANDING
    • G06V40/00 Recognition of biometric, human-related or animal-related patterns in image or video data
    • G06V40/40 Spoof detection, e.g. liveness detection
    • G06V40/45 Detection of the body part being alive

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Health & Medical Sciences (AREA)
  • Multimedia (AREA)
  • Human Computer Interaction (AREA)
  • Oral & Maxillofacial Surgery (AREA)
  • General Health & Medical Sciences (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Vision & Pattern Recognition (AREA)
  • Computer Hardware Design (AREA)
  • Software Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Collating Specific Patterns (AREA)

Abstract

The invention relates to an identity recognition and authentication method comprising the following steps. Initialization: for a user logging in to the system for the first time, a face feature value is enrolled and stored in a local configuration file or a local database. Ordinary login stage: the system detects whether face information can be acquired and whether enrolled face feature information exists in the local configuration file or local database, and preferentially logs in using face recognition; when logging in by face recognition, the face recognition authentication module extracts a feature value from the captured face image, compares it with the stored feature value data and, after a successful comparison, obtains the user information from the local configuration file or local database and logs in. Subsequent monitoring stage: face recognition authentication continues to acquire face information at preset intervals; when it detects that the user of the terminal system has changed, the terminal system exits to the login interface, and when no face is recognized within a preset time period, the system enters the screen-locked state.

Description

Identity recognition and authentication method
Technical Field
The invention relates to the technical field of information security, and in particular to an identity recognition and authentication method.
Background
With the continuous development of information technology, government, the army, military enterprises and other institutions have built internal information systems. These systems bring great convenience, such as resource sharing, office automation and easy information transfer, and greatly improve working efficiency. They also leave the confidential electronic information distributed across the individual hosts in a high-risk state.
Personal hosts often lack protective measures and cannot effectively prevent active or passive disclosure by a person: for example, the host's password is accidentally obtained by others, or the host is not shut down or locked after use. On hosts used for data storage and backup in some enterprises, several people often share one host, which increases the risk to the data. If classified information is lost, the loss to the country and the enterprise is immeasurable, so the security management of classified electronic information cannot be ignored.
The security protection mechanisms commonly used on personal terminals include identity-authenticated login, control of storage systems and mobile devices, security officers who manually manage personal hosts, and remote servers that monitor terminal usage. Personal terminals usually log in to the system using face recognition, fingerprint recognition, an account password or other identity detection devices.
When logging in with an account password, the login service first encrypts the entered password and then compares it with the encrypted password of the corresponding account stored in the /etc/password file; if they match, the pam_permit module is executed and authentication passes, otherwise the pam_deny module is executed and the login is refused. The password changes only when the user actively modifies it: changing it frequently hurts user experience, while leaving it unchanged for a long time increases the risk of information leakage. Password complexity also has a crucial influence on the protection of information: a password that is too simple is easily cracked by an unauthorized user, while one that is too complicated is hard to remember and wastes the user's time.
When face recognition and finger-vein login is used, the login service compares the feature values extracted by the face camera and the finger-vein reader with the face and finger-vein feature values stored in the database; if the comparison succeeds, the pam_permit module is executed and authentication passes, otherwise the pam_deny module is executed and the login is refused. This prevents password leakage to a certain extent, but after a successful login the account stays valid until the next shutdown or screen lock, and the system cannot judge whether the person currently using the host is the account holder. If the user is made to re-authenticate on a timer, an interval that is too short affects working efficiency and user experience, while an interval that is too long increases the risk of information leakage. A remote server can monitor the use of system resources only while the network connection is working.
Disclosure of Invention
To overcome the shortcomings of the prior art, the invention provides an identity recognition and authentication method comprising the following steps:
Step S1, initialization: for a user logging in to the system for the first time, an administrator logs in to the system and enrolls the face information of the administrator or of other ordinary users; the system stores the face feature values in a local configuration file or a local database, and each face corresponds to one user;
Step S2, the ordinary login stage, comprises the following steps:
Step S21: when an ordinary user logs in, the system detects whether face information can be acquired; if face information is detected, the system preferentially logs in using face recognition; if no face feature information exists, login switches to the administrator account and password mode;
Step S22: when logging in by face recognition, the face recognition authentication module extracts a feature value from the captured face image, compares it with the stored feature value data and, after a successful comparison, obtains the user information from the local configuration file or local database and logs in;
Step S3, the subsequent monitoring stage: after a successful face recognition login, face recognition authentication runs in the background and continues to acquire face information at preset time intervals; when it detects that the user of the terminal system has changed, the system exits to the login interface, and when no face is recognized within a preset time period, the system enters the screen-locked state.
In step S21, when detecting whether face information can be acquired, the system captures visible-light image data through the face recognition camera and at the same time captures a black-and-white image through the infrared camera; the system displays the visible-light image data on the login interface and compares it with the black-and-white image to judge whether a real person is currently performing face recognition, and if so, logs in using face recognition.
In step S3, if face recognition authentication detects in the background that the face recognition camera connection is abnormal, the system prompts the user to save the current content and returns to the login interface.
In step S3, if face recognition authentication detects in the background that the user of the terminal system has changed, the system informs the user that face verification failed and returns to the login interface.
In step S3, if face recognition authentication does not recognize a face in the background within the predetermined monitoring time period, the system enters the screen-locked state.
In step S3, if the face position detected in the background by face recognition authentication is off, the system prompts the user with a pop-up window to adjust their posture.
In step S3, when face recognition authentication monitors a face in the background, the face recognition camera captures visible-light image data and the infrared camera captures a black-and-white image; the visible-light image data is compared with the black-and-white image to judge whether a real person is currently performing face recognition, and if so, face recognition authentication checks whether the user has changed.
With the identity recognition and authentication method provided by the invention, the face recognition service is started in the background and performs silent authentication there, so that the system can continuously monitor, without affecting the user's work, whether the currently logged-in user and the actual user are the same person, and lock the screen when the person changes, thereby protecting the data of the currently logged-in user.
Drawings
FIG. 1: logic flow chart of the complete implementation of the identity recognition and authentication method of the invention.
FIG. 2: logic flow chart of the login stage of the identity recognition and authentication method of the invention.
FIG. 3: logic flow chart of the authentication monitoring stage of the identity recognition and authentication method of the invention.
Detailed Description
To make the technical scheme and advantages of the invention easier to understand, they are described in detail below with reference to the accompanying drawings.
The invention addresses a shortcoming of the prior art, in which the user has to set and remember a complex password to keep a personal terminal operating system secure. It provides a technique that, without affecting user experience, detects in real time after a successful login whether the person using the host is the same person as the account used to log in, and automatically locks the screen if not. Specifically, in a personal terminal operating system, face recognition is combined with the PAM authentication module and face recognition login is set up; after a successful login, face recognition continues to run as a background service and recognizes and compares the face of the host's current user in real time, ensuring that the current user of the host is the same as the logged-in user.
When logging in by face recognition, the enrolled face information is stored locally, so retrieving it is not affected by the network state.
Figs. 1 to 3 are, respectively, the logic flow chart of the complete implementation of the identity recognition and authentication method of the invention and the logic flow charts of its login stage and authentication monitoring stage. As shown in Figs. 1 to 3, the complete implementation of the method is as follows:
First, initialization setting
1. Add the face recognition and comparison algorithm service to the operating system.
2. Write a face recognition login authentication module using the PAM SPI, add the login authentication module to the system through a PAM configuration file, read the configuration file using the PAM interface library, and link the application with the corresponding PAM service module.
3. Add a face recognition service to the system.
4. An individual user logging in for the first time must be enrolled through an administrator account and password, with personal information entered under administrator authority. The personal terminal operating system has two types of users. One is the administrator user, who is responsible for managing and maintaining the system, has higher authority, and can manage ordinary users, enroll face information and so on; the other is the ordinary user, who can only operate on files created by that user. In the invention, an administrator logs in to the system and enrolls the face information of the administrator or of other ordinary users who are logging in for the first time; the system stores the face feature values in a local configuration file or a local database, and each face corresponds to one user. The system is restarted after the setup is complete.
Second, ordinary login stage
Referring to Fig. 1 and Fig. 2, the ordinary login stage is implemented by the following steps:
1. The system detects whether face information can be acquired and, once it is detected, displays the face image captured by the face recognition camera in real time on the login interface.
2. The face recognition authentication module reads the current camera state and judges whether the face recognition camera connection is normal. If the connection is abnormal, the system displays the camera error on the login interface, prompts the user to contact an administrator, and switches to login with an administrator account and password; if the connection is normal, face recognition authentication starts.
3. After authentication starts, the face recognition authentication module first checks whether enrolled face feature information exists in the local configuration file or local database. If not, login switches to the administrator account and password. If it exists, face recognition starts: visible-light image data is captured through the face recognition camera and, at the same time, a black-and-white image is captured through the infrared camera; the system displays the visible-light image data on the login interface and compares it with the black-and-white image to judge whether a real person is currently performing face recognition. If a real person is detected, the module checks whether face feature information corresponding to the current user exists in the local configuration file or local database, and when both checks pass, login proceeds using face recognition.
Specifically, when face feature information is compared and recognized, the system invokes face recognition and comparison authentication through the PAM module; if the face recognition result matches the data stored in the database, the pam_permit module is executed and authentication passes, otherwise the pam_deny module is executed and the user's login is refused.
Third, continuous authentication phase
After the user logs in successfully, face recognition authentication continues to run in the background for the duration of the session. The video captured by the face recognition camera is no longer displayed on the desktop; instead, face comparison authentication is repeated at a preset interval (for example 15 seconds), comparing the recognized face information with the locally stored face information and with the face information of the currently logged-in user. If the comparison succeeds, the user is allowed to keep operating the host; if the comparison fails a preset number of times (for example 3 times), the system automatically enters the screen-locked state. Referring to Fig. 1 and Fig. 3, the specific authentication process and logic are as follows:
If face recognition authentication detects in the background that the face recognition camera connection is abnormal, the system prompts the user to save the currently modified content and shortly afterwards exits to the login interface.
If face recognition authentication detects in the background that the user of the current terminal system has changed, the system informs the user that face authentication failed and shortly afterwards exits to the login interface.
If face recognition authentication cannot recognize a face in the background for a period of time, the system enters the screen-locked state; that is, when the user leaves for a period of time the system locks the screen and keeps the currently open tasks until the same user next logs in or the system is shut down. During this time, if another user logs in, the two users' data remain relatively isolated.
If face recognition authentication detects a face in the background but the face position is off, the system shows a pop-up prompting the user to turn their face to the correct posture.
Thus, by writing a PAM service module, login authentication is performed by face recognition; after authentication succeeds, the face recognition background daemon service is started and performs silent authentication in the background, that is, it continuously monitors, without affecting the user's work, whether the currently logged-in user and the actual user are the same person, and if the person changes the system automatically locks the screen, protecting the data of the currently logged-in user. The invention therefore identifies and authenticates the user throughout the use of the terminal system while reducing the impact of that authentication on the user's work.
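The monitoring rules of the continuous authentication phase can be written as a small state machine. The following is an added example, not code from the patent or from Kirin Software: the class, field and action names are hypothetical, the 15-second interval and 3-failure limit are the patent's own example values, and the 60-second absence timeout is an assumed value because the text gives none. It also assumes that a live face matching a different enrolled user is what "the user has changed" means, and it resets the timers only on a verified match, so an off-pose or spoofed face cannot keep the session open indefinitely.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Iterable, List, Optional


class Action(Enum):
    CONTINUE = "continue"
    PROMPT_POSE = "prompt_pose"          # pop-up: adjust face position
    LOCK_SCREEN = "lock_screen"          # open tasks kept, screen locked
    RETURN_TO_LOGIN = "return_to_login"  # prompt the user, exit to login UI


TERMINAL = {Action.LOCK_SCREEN, Action.RETURN_TO_LOGIN}


@dataclass(frozen=True)
class Observation:
    """Result of one background check (field names are hypothetical)."""
    camera_ok: bool = True
    face_found: bool = False
    pose_ok: bool = True
    live: bool = False                   # visible-light vs infrared check passed
    matched_user: Optional[str] = None   # enrolled user the face matched, if any


class SessionMonitor:
    def __init__(self, login_user: str, interval_s: int = 15,
                 max_failures: int = 3, absence_timeout_s: int = 60):
        self.login_user = login_user
        self.interval_s = interval_s              # patent example: 15 s
        self.max_failures = max_failures          # patent example: 3
        self.absence_timeout_s = absence_timeout_s  # assumed value
        self.failures = 0       # consecutive failed comparisons
        self.unverified_s = 0   # seconds since the last verified match

    def step(self, obs: Observation) -> Action:
        # Camera fault: prompt to save work and exit to the login interface.
        if not obs.camera_ok:
            return Action.RETURN_TO_LOGIN
        verified = (obs.face_found and obs.pose_ok and obs.live
                    and obs.matched_user == self.login_user)
        if verified:
            self.failures = 0
            self.unverified_s = 0
            return Action.CONTINUE
        # Every check that does not verify the owner extends the unverified time.
        self.unverified_s += self.interval_s
        if obs.face_found and obs.pose_ok:
            if obs.live and obs.matched_user is not None:
                # A live, different enrolled user: the user has changed.
                return Action.RETURN_TO_LOGIN
            # Spoof (liveness failed) or unknown face: a failed comparison.
            self.failures += 1
            if self.failures >= self.max_failures:
                return Action.LOCK_SCREEN
        if self.unverified_s >= self.absence_timeout_s:
            return Action.LOCK_SCREEN
        if obs.face_found and not obs.pose_ok:
            return Action.PROMPT_POSE
        return Action.CONTINUE


def run(login_user: str, observations: Iterable[Observation], **kw) -> List[Action]:
    """Feed checks to a fresh monitor; stop at the first terminal action."""
    monitor = SessionMonitor(login_user, **kw)
    actions = []
    for obs in observations:
        action = monitor.step(obs)
        actions.append(action)
        if action in TERMINAL:
            break
    return actions


# Constructed observation sequences, one entry per 15-second check.
OWNER = Observation(face_found=True, live=True, matched_user="alice")
SCENARIOS = {
    "owner leaves": [OWNER] + [Observation()] * 4,
    "user changes": [OWNER, Observation(face_found=True, live=True,
                                        matched_user="bob")],
    "photo shown": [Observation(face_found=True, live=False,
                                matched_user="alice")] * 3,
    "camera unplugged": [OWNER, Observation(camera_ok=False)],
    "face turned away": [Observation(face_found=True, pose_ok=False)] * 4,
}

if __name__ == "__main__":
    for name, seq in SCENARIOS.items():
        print(f"{name}: {[a.value for a in run('alice', seq)]}")
```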
In the present invention, "PAM" is an abbreviation of Pluggable Authentication Modules, an authentication mechanism. By providing a number of dynamic link libraries and a unified API, it separates the services a system provides from the way those services authenticate, so that a system administrator can flexibly configure different authentication methods for different services as needed without changing the service programs, and new authentication methods can easily be added to the system.
In the present invention, "pam_permit" is a module that makes the current user's authentication succeed.
In the present invention, "pam_deny" means that the current user's authentication fails.
In the present invention, the "PAM SPI" is the set of interfaces that a PAM service module must implement, used by developers to write authentication modules. The PAM module communicates with the PAM interface library through the PAM SPI.
In the present invention, the "PAM interface library" is a library that associates an application with a login authentication module by reading a PAM configuration file.
In the present invention, "systemd" is a set of basic building blocks for a Linux system; it provides a system and service manager that runs as PID 1 and is used to start daemon processes. Its role is not only to start the operating system but also to take on many background functions such as service start-up, termination, status query, log archiving, device management, power management and scheduled tasks, and to support on-demand tasks triggered by specific events (such as inserting a specific USB device) or data on a specific port.
The invention has the following beneficial effects:
1. By modifying the PAM service module and using the face feature value generated by the face recognition module as authentication data, the method reduces the risk of the user's account and password being lost.
2. After the user logs in successfully, the face recognition authentication daemon service runs automatically in the background, and the system automatically restarts and re-initializes the service if it stops unexpectedly, which helps prevent malicious attacks by others.
3. The face of the current user is silently checked in real time and compared with the face feature information of the currently logged-in user, so normal use by a legitimate user is not affected and information leakage is prevented when the operator of the terminal system changes.
Although the invention has been described with reference to preferred embodiments, the scope of the invention is not limited to them, and those skilled in the art will appreciate that various changes and modifications can be made without departing from the spirit and scope of the invention.

Claims (7)

1. An identity recognition and authentication method, characterized by comprising the following steps:
Step S1, initialization: for a user logging in to the system for the first time, an administrator logs in to the system and enrolls the face information of the administrator or of other ordinary users; the system stores the face feature values in a local configuration file or a local database, and each face corresponds to one user;
Step S2, the ordinary login stage, comprises the following steps:
Step S21: when an ordinary user logs in, the system detects whether face information can be acquired; if face information is detected, the system preferentially logs in using face recognition; if no face feature information exists, login switches to the administrator account and password mode;
Step S22: when logging in by face recognition, the face recognition authentication module extracts a feature value from the captured face image, compares it with the stored feature value data and, after a successful comparison, obtains the user information from the local configuration file or local database and logs in;
Step S3, the subsequent monitoring stage: after a successful face recognition login, face recognition authentication runs in the background and continues to acquire face information at preset time intervals; when it detects that the user of the terminal system has changed, the system exits to the login interface, and when no face is recognized within a preset time period, the system enters the screen-locked state.
2. The identity recognition and authentication method according to claim 1, wherein in step S21, when detecting whether face information can be acquired, the system captures visible-light image data through the face recognition camera and at the same time captures a black-and-white image through the infrared camera; the system displays the visible-light image data on the login interface and compares it with the black-and-white image to judge whether a real person is currently performing face recognition, and if so, logs in using face recognition.
3. The identity recognition and authentication method according to claim 1, wherein in step S3, if face recognition authentication detects in the background that the face recognition camera connection is abnormal, the system prompts the user to save the current content and returns to the login interface.
4. The identity recognition and authentication method according to claim 1, wherein in step S3, if face recognition authentication detects in the background that the user of the terminal system has changed, the system informs the user that face verification failed and returns to the login interface.
5. The identity recognition and authentication method according to claim 1, wherein in step S3, if face recognition authentication does not recognize a face in the background within the predetermined monitoring time period, the system enters the screen-locked state.
6. The identity recognition and authentication method according to claim 1, wherein in step S3, if the face position detected in the background by face recognition authentication is off, the system prompts the user with a pop-up window to adjust their posture.
7. The identity recognition and authentication method according to claim 1, wherein in step S3, when face recognition authentication monitors a face in the background, the face recognition camera captures visible-light image data and the infrared camera captures a black-and-white image; the visible-light image data is compared with the black-and-white image to judge whether a real person is currently performing face recognition, and if so, face recognition authentication checks whether the user has changed.
CN202011127463.6A 2020-10-20 2020-10-20 Identity recognition and authentication method Withdrawn CN112507308A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202011127463.6A CN112507308A (en) 2020-10-20 2020-10-20 Identity recognition and authentication method


Publications (1)

Publication Number Publication Date
CN112507308A (en) 2021-03-16

Family

ID=74954162

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202011127463.6A Withdrawn CN112507308A (en) 2020-10-20 2020-10-20 Identity recognition and authentication method

Country Status (1)

Country Link
CN (1) CN112507308A (en)


Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106850667A (en) * 2017-03-03 2017-06-13 杭州智贝信息科技有限公司 It is a kind of to continue certification security protection system and its method
CN108764071A (en) * 2018-05-11 2018-11-06 四川大学 It is a kind of based on infrared and visible images real human face detection method and device
CN109583348A (en) * 2018-11-22 2019-04-05 阿里巴巴集团控股有限公司 A kind of face identification method, device, equipment and system


Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113205401A (en) * 2021-05-27 2021-08-03 则思科技(苏州)有限公司 Big data military enterprise intelligent management platform use method
CN115085968A (en) * 2022-04-29 2022-09-20 麒麟软件有限公司 Login authentication method based on custom tag under Linux
CN115085968B (en) * 2022-04-29 2023-08-04 麒麟软件有限公司 Login authentication method based on custom tag under Linux


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
WW01 Invention patent application withdrawn after publication

Application publication date: 20210316