TWI776436B - Authentication systems, authentication methods, and program products - Google Patents

Authentication systems, authentication methods, and program products Download PDF

Info

Publication number
TWI776436B
TWI776436B TW110110322A TW110110322A TWI776436B TW I776436 B TWI776436 B TW I776436B TW 110110322 A TW110110322 A TW 110110322A TW 110110322 A TW110110322 A TW 110110322A TW I776436 B TWI776436 B TW I776436B
Authority
TW
Taiwan
Prior art keywords
information
authentication
preceding paragraph
user
similar
Prior art date
Application number
TW110110322A
Other languages
Chinese (zh)
Other versions
TW202139036A (en
Inventor
北川拓也
蔡永男
Original Assignee
日商樂天集團股份有限公司
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 日商樂天集團股份有限公司 filed Critical 日商樂天集團股份有限公司
Publication of TW202139036A publication Critical patent/TW202139036A/en
Application granted granted Critical
Publication of TWI776436B publication Critical patent/TWI776436B/en

Links

Images

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31User authentication
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31User authentication
    • G06F21/32User authentication using biometric data, e.g. fingerprints, iris scans or voiceprints

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Collating Specific Patterns (AREA)
  • Storage Device Security (AREA)

Abstract

認證系統(S)的第1登錄手段(102),係將第1資訊之第1部分,登錄至第1裝置(20)。第2登錄手段(104),係將第1資訊之第2部分,與第2資訊建立關連而登錄至第2裝置(10)。認證手段(105),係基於第1部分、第2部分、及第2資訊,而進行認證。限制手段(106),係限制彼此相同或類似的複數個第2部分之每一者,被與彼此相同或類似的第2資訊建立關連。The first registration means (102) of the authentication system (S) registers the first part of the first information in the first device (20). The second registration means (104) is for registering the second part of the first information in the second device (10) by associating it with the second information. The authentication means (105) performs authentication based on the first part, the second part, and the second information. The restricting means (106) restricts each of a plurality of second parts that are identical or similar to each other from being associated with second information that is identical or similar to each other.

Description

認證系統、認證方法、及程式產品Authentication systems, authentication methods, and program products

本揭露係有關於認證系統、認證方法、及程式產品。This disclosure relates to authentication systems, authentication methods, and program products.

先前,用來提高安全性所需之認證技術,已為人知。例如,專利文獻1中係記載,將使用者的指紋圖案之第1部分與使用者ID建立關連而登錄至使用者終端,將指紋圖案之第2部分與使用者ID建立關連而登錄至伺服器的系統。一旦使用者把手指放在使用者終端的指紋感測器上,則指紋感測器所偵測到的指紋圖案,會連同使用者終端中所被登錄之第1部分與使用者ID,一起被發送至伺服器。伺服器係將所接收到的第1部分、和與所接收到之使用者ID建立關連而被登錄在自身中的第2部分,予以結合。伺服器係將結合後的指紋圖案、與所接收到的指紋圖案進行比較,以進行認證。 [先前技術文獻] [專利文獻]Previously, the authentication techniques needed to improve security have been known. For example, Patent Document 1 describes that the first part of the fingerprint pattern of the user is associated with the user ID to log in to the user terminal, and the second part of the fingerprint pattern is associated with the user ID to log in to the server system. Once the user puts his finger on the fingerprint sensor of the user terminal, the fingerprint pattern detected by the fingerprint sensor will be recorded together with the first part and the user ID registered in the user terminal. sent to the server. The server combines the received 1st part and the 2nd part which is registered in itself in association with the received user ID. The server compares the combined fingerprint pattern with the received fingerprint pattern for authentication. [Prior Art Literature] [Patent Literature]

[專利文獻1]日本特開2002-312317號公報[Patent Document 1] Japanese Patent Laid-Open No. 2002-312317

[發明所欲解決之課題][The problem to be solved by the invention]

在專利文獻1的技術中,由於在使用者終端中係被登錄有使用者ID,因此使用者ID會有洩漏的風險。為了避免使用者ID的洩漏風險,例如考慮生成隨機的數值並登錄至使用者終端,取代使用者ID來做利用。然而,對於第2部分為彼此類似的複數個使用者,若賦予相同的數值則會變成有冒充的可能,安全性並不足夠。In the technique of Patent Document 1, since the user ID is registered in the user terminal, there is a risk of leakage of the user ID. In order to avoid the risk of leakage of the user ID, for example, it is considered to generate a random numerical value, log in to the user terminal, and use it instead of the user ID. However, if the second part is a plurality of users who are similar to each other, if the same value is assigned, there is a possibility of impersonation, and the security is not sufficient.

本揭露目的在於提高安全性。 [用以解決課題之手段]The purpose of this disclosure is to improve security. [means to solve the problem]

本揭露之一態樣所述之認證系統,係含有:第1登錄手段,係用以將第1資訊之第1部分,登錄至第1裝置;和第2登錄手段,係用以將前記第1資訊之第2部分,與第2資訊建立關連而登錄至第2裝置;和認證手段,係用以基於前記第1部分、前記第2部分、及前記第2資訊,而進行認證;和限制手段,係用以限制彼此相同或類似的複數個前記第2部分之每一者,被與彼此相同或類似的前記第2資訊建立關連。The authentication system described in one aspect of the present disclosure includes: first registration means for registering the first part of the first information to the first device; and second registration means for registering the first 1. The second part of the information, which is associated with the second information to log in to the second device; and the authentication means for performing authentication based on the first part of the preamble, the second part of the preamble, and the second part of the preamble; and restrictions Means for restricting each of a plurality of the second part of the preamble that are identical or similar to each other from being associated with the second part of the preamble that is the same or similar to each other.

本揭露之一態樣所述之使用者終端,係含有:第1取得手段,係用以取得第1資訊之第1部分;和第2取得手段,係用以從前記第1資訊之第2部分所被登錄的伺服器,且為限制彼此相同或類似的複數個前記第2部分之每一者被與彼此相同或類似的第2資訊建立關連的伺服器,取得前記第2資訊;和記憶手段,係用以記憶前記第1部分和前記第2資訊;和送訊手段,係用以在認證被進行時,對外部裝置,發送前記第1部分和前記第2資訊。The user terminal described in one aspect of the present disclosure includes: a first obtaining means for obtaining the first part of the first information; and a second obtaining means for obtaining the second part of the first information mentioned above The server to which the part is registered, and obtains the second information of the preceding paragraph for the purpose of restricting each of a plurality of the second part of the preceding paragraph that are identical or similar to each other from being associated with the second information of the second paragraph that is the same or similar to each other; and memory The means is used to memorize the first part of the preamble and the second information of the preamble; and the transmission means is used to transmit the first part of the preamble and the second information of the preamble to the external device when authentication is performed.

本揭露之一態樣所述之認證方法,係含有:第1登錄步驟,係用以將第1資訊之第1部分,登錄至第1裝置;和第2登錄步驟,係用以將前記第1資訊之第2部分,與第2資訊建立關連而登錄至第2裝置;和認證步驟,係用以基於前記第1部分、前記第2部分、及前記第2資訊,而進行認證;和限制步驟,係用以限制彼此相同或類似的複數個前記第2部分之每一者,被與彼此相同或類似的前記第2資訊建立關連。The authentication method described in one aspect of the present disclosure includes: a first registration step for registering the first part of the first information to the first device; and a second registration step for registering the first The second part of the 1 information, which is associated with the second information to log in to the second device; and the authentication step for performing authentication based on the first part of the preamble, the second part of the preamble, and the second part of the preamble; and restrictions The step is for restricting each of the plurality of prescriptive second parts that are the same or similar to each other from being associated with the prescriptive second information that is the same or similar to each other.

本揭露之一態樣所述之程式產品,係使電腦發揮功能而成為:第1登錄手段,係用以將第1資訊之第1部分,登錄至第1裝置;第2登錄手段,係用以將前記第1資訊之第2部分,與第2資訊建立關連而登錄至第2裝置;認證手段,係用以基於前記第1部分、前記第2部分、及前記第2資訊,而進行認證;限制手段,係用以限制彼此相同或類似的複數個前記第2部分之每一者,被與彼此相同或類似的前記第2資訊建立關連。The program product described in one aspect of the present disclosure makes the computer function to become: the first registration means is used to register the first part of the first information to the first device; the second registration means is used to register Log in to the second device by associating the second part of the first information of the preceding paragraph with the second information; the authentication means is used to perform authentication based on the first part of the preceding paragraph, the second part of the preceding paragraph, and the second information of the preceding paragraph ; Restriction means for restricting each of a plurality of Preamble Part 2 that are identical or similar to each other from being associated with the same or similar Preamble Part 2 information to each other.

若依據本揭露之一態樣,則前記限制手段,係許可彼此不同或不類似的複數個前記第2部分之每一者,被與彼此相同或類似的前記第2資訊建立關連。According to one aspect of the present disclosure, the aforementioned restriction means allows each of a plurality of aforementioned second parts, which are different or dissimilar to each other, to be associated with the same or similar aforementioned second information.

若依據本揭露之一態樣,則前記認證系統係還含有:受理手段,係用以受理所定之登錄申請;前記限制手段,係限制做了前記登錄申請之使用者之前記第2部分,被與和前記第2部分為相同或類似之其他使用者相同或類似的前記第2資訊建立關連。According to one aspect of the present disclosure, the aforementioned authentication system further includes: acceptance means, which is used to accept the specified registration application; aforementioned restriction means, which restricts the users who have made the aforementioned registration application. Establish a relationship with the same or similar information in the second paragraph of the first paragraph of other users who are the same or similar to the second part of the first paragraph.

若依據本揭露之一態樣,則前記限制手段,係檢索未被與前記其他使用者之前記第2部分建立關連的第2資訊;前記第2登錄手段,係對做了前記登錄申請之使用者之前記第2部分,將已被檢索到的前記第2資訊建立關連而登錄。According to one aspect of the present disclosure, the aforementioned restriction means is to retrieve the second information that is not related to the second part of the aforementioned other users; the aforementioned second registration means is the use of the aforementioned registration application. The second part of the previous note of the user is registered, and the information of the second note of the previous note that has been retrieved is linked and registered.

若依據本揭露之一態樣,則前記認證系統係還含有:生成手段,係用以生成做了前記登錄申請之使用者的前記第2資訊之候補;前記限制手段,係在前記候補、和前記其他使用者的前記第2資訊為相同或類似的情況下,則前記候補係不被視為做了前記登錄申請之使用者的前記第2資訊;在前記候補、和前記其他使用者的前記第2資訊為不同或不類似的情況下,則將前記候補視為做了前記登錄申請之使用者的前記第2資訊。According to one aspect of the present disclosure, the aforementioned authentication system further includes: generating means for generating a candidate for the second information of the aforementioned user who has applied for the aforementioned registration; aforementioned restricting means for the aforementioned candidate, and If the second information of the other users mentioned above is the same or similar, the candidate of the preceding paragraph will not be regarded as the second information of the user who has applied for the registration of the preceding paragraph; If the second information is different or dissimilar, the first-mentioned candidate will be regarded as the first-mentioned second information of the user who made the first-mentioned registration application.

若依據本揭露之一態樣,則前記第1裝置係為使用者終端;前記第2裝置係為伺服器;前記認證手段,係基於所被輸入之前記第1資訊及前記第2資訊、和前記使用者終端之前記第1部分、和前記伺服器之前記第2部分及前記第2資訊,而進行前記認證。According to one aspect of the present disclosure, the aforementioned first device is a user terminal; the aforementioned second device is a server; the aforementioned authentication means is based on the aforementioned first aforementioned first information and aforementioned aforementioned second information, and The prescriptive user terminal prescriptive part 1, the prescriptive server prescriptive part 2 and the prescriptive note second information, and the prescriptive authentication are performed.

若依據本揭露之一態樣,則前記第1登錄手段,係在前記使用者終端中,登錄前記第1部分與前記第2資訊;所被輸入之前記第2資訊,係為前記使用者終端中所被登錄之前記第2資訊。According to one aspect of the present disclosure, the aforesaid first registration means is set in the aforesaid user terminal, and the first part of the aforesaid record and the aforesaid second information are registered; the inputted aforesaid second information is the aforesaid user terminal. The second information is recorded before the center is registered.

若依據本揭露之一態樣,則前記使用者終端,係利用近距離無線通訊,而向用來取得所被輸入之前記第1資訊所需之認證裝置,發送前記第1部分;前記認證裝置,係對前記認證手段,發送從前記使用者終端所接收到的前記第1部分。According to an aspect of the present disclosure, the user terminal of the foregoing description uses short-range wireless communication to send the first portion of the foregoing description to the authentication device required to obtain the inputted first information of the foregoing description; the foregoing authentication device , which is an authentication means for the preamble, and transmits the preamble part 1 received from the preamble user terminal.

若依據本揭露之一態樣,則前記近距離無線通訊,係為可利用廣播封包(Advertising Packet)的通訊規格;前記使用者終端,係利用前記廣播封包(Advertising Packet),來對前記認證裝置發送前記第1部分。According to an aspect of the present disclosure, the aforementioned short-range wireless communication is a communication specification that can utilize advertising packets; Send Pre-Note Part 1.

若依據本揭露之一態樣,則前記認證手段,係將前記第1裝置中所被登錄之前記第1部分、和前記第2裝置中所被登錄之前記第2部分加以結合而取得前記第1資訊;基於所被輸入之前記第1資訊與所被結合之前記第1資訊的類似性,和所被輸入之前記第2資訊與前記第2裝置之前記第2資訊的同一性,而進行前記認證;前記限制手段,係限制彼此類似的前記第2部分之每一者,被與彼此相同的前記第2資訊建立關連。According to one aspect of the present disclosure, the aforementioned authentication means obtains the aforementioned first portion by combining the first portion of the preceding note registered in the aforementioned first device and the second portion of the aforementioned preceding note registered in the second device. 1 information; based on the similarity of the entered pre-entry 1 information and the combined pre-entry 1 information, and the identity of the entered pre-entry 2 information and pre-entry 2 device pre-entry 2 information, and carried out The aforesaid authentication; the aforesaid restriction means is to restrict each of the aforesaid second parts that are similar to each other from being associated with the same aforesaid second information.

若依據本揭露之一態樣,則前記第2裝置中所被記憶之複數個資料庫之每一者中,被登錄有複數個使用者之每一者之前記第2部分;前記第2資訊係為前記資料庫的識別資訊;前記認證手段,係基於藉由所被輸入之前記第2資訊而被識別的前記資料庫中所被登錄之前記第2部分,而取得所被結合之前記第1資訊。According to an aspect of the present disclosure, in each of the plurality of databases memorized in the aforementioned second device, each of the plurality of users is registered with the second portion; the aforementioned second information It is the identification information of the pre-record database; pre-record authentication means, based on the registered pre-record part 2 in the pre-record database identified by the entered pre-record 2 information, to obtain the combined pre-record first 1 Information.

若依據本揭露之一態樣,則前記第1資訊係為生物資訊;前記第2資訊係為,用來檢索前記第2裝置中所被登錄之前記第2部分所需之檢索資訊;前記認證係為,基於前記第1部分、和藉由前記檢索資訊而被檢索到之前記第2部分的生物認證。According to an aspect of the present disclosure, the first information of the preceding paragraph is biological information; the second information of the preceding paragraph is the retrieval information used to retrieve the second part of the preceding paragraph registered in the second device of the preceding paragraph; the preceding paragraph authentication It is a biometric authentication based on the first part of the preceding description and the second part of the preceding description is retrieved by the searching information of the preceding description.

若依據本揭露之一態樣,則前記認證手段,係基於所定之判定演算法,而判定所被輸入之前記第1資訊、與所被登錄之前記第1部分及前記第2部分所結合而成的前記第1資訊是否相同或類似,藉此而進行前記認證;前記限制手段,係基於與前記判定演算法相同的判定演算法,而判定彼此相同或類似的前記複數個第2部分是否存在。 [發明效果]According to an aspect of the present disclosure, the preamble authentication means is based on a predetermined determination algorithm, and determines that the entered preamble first information, the registered preamble part 1 and the preamble part 2 are combined to form The aforesaid first information is the same or similar, and the aforesaid authentication is performed; the aforesaid restriction means is based on the same judgment algorithm as the aforesaid judgment algorithm to determine whether there are multiple second parts of the same or similar antecedents. . [Inventive effect]

若依據本揭露,則可提高安全性。According to the present disclosure, security can be improved.

[1.認證系統之全體構成][1. Overall composition of the authentication system]

以下說明認證系統的實施形態之例子。圖1係認證系統之全體構成的圖示。如圖1所示,認證系統S係含有:伺服器10、使用者終端20、及認證裝置30,這些係可連接至網際網路等之網路N。此外,在圖1中,伺服器10、使用者終端20、及認證裝置30之每一者雖然僅各圖示1台,但這些亦可為複數台。An example of an embodiment of the authentication system will be described below. FIG. 1 is a diagram showing the overall configuration of the authentication system. As shown in FIG. 1, the authentication system S includes a server 10, a user terminal 20, and an authentication device 30, and these are connectable to a network N such as the Internet. In addition, in FIG. 1, although only one of each of the server 10, the user terminal 20, and the authentication apparatus 30 is shown in figure, these may be several.

伺服器10,係為伺服器電腦。伺服器10係含有控制部11、記憶部12、及通訊部13。控制部11,係含有至少1個處理器。控制部11,係依照記憶部12中所記憶之程式或資料,來執行處理。記憶部12係含有主記憶部及輔助記憶部。例如,主記憶部係為RAM等之揮發性記憶體,輔助記憶部係為ROM、EEPROM、快閃記憶體、或硬碟等之非揮發性記憶體。通訊部13,係為有線通訊或無線通訊用之通訊介面,透過網路N而進行資料通訊。The server 10 is a server computer. The server 10 includes a control unit 11 , a memory unit 12 , and a communication unit 13 . The control unit 11 includes at least one processor. The control unit 11 executes processing according to the program or data stored in the memory unit 12 . The memory unit 12 includes a main memory unit and an auxiliary memory unit. For example, the main memory is a volatile memory such as RAM, and the auxiliary memory is a non-volatile memory such as ROM, EEPROM, flash memory, or hard disk. The communication part 13 is a communication interface for wired communication or wireless communication, and performs data communication through the network N.

使用者終端20,係為使用者所操作的電腦。例如,使用者終端20係為行動電話機(包含智慧型手機)、攜帶型資訊終端(包含平板型電腦及可穿戴式終端)、或個人電腦等。在本實施形態中,使用者終端20係含有:控制部21、記憶部22、通訊部23、操作部24、顯示部25、及攝影部26。控制部21、記憶部22、及通訊部23之實體構成,係可分別和控制部11、記憶部12、及通訊部13相同。The user terminal 20 is a computer operated by the user. For example, the user terminal 20 is a mobile phone (including a smart phone), a portable information terminal (including a tablet computer and a wearable terminal), or a personal computer. In the present embodiment, the user terminal 20 includes a control unit 21 , a memory unit 22 , a communication unit 23 , an operation unit 24 , a display unit 25 , and a photographing unit 26 . The physical structures of the control unit 21 , the memory unit 22 , and the communication unit 23 may be the same as the control unit 11 , the memory unit 12 , and the communication unit 13 , respectively.

操作部24,係為輸入裝置,例如觸控面板或滑鼠等之指標裝置、鍵盤、或按鈕等。操作部24係將操作內容,傳達至控制部21。顯示部25係為例如液晶顯示部或有機EL顯示部等。顯示部25係依照控制部21的指示而顯示影像。The operation unit 24 is an input device, such as a touch panel, a pointing device such as a mouse, a keyboard, or a button. The operation unit 24 transmits the operation content to the control unit 21 . The display unit 25 is, for example, a liquid crystal display unit, an organic EL display unit, or the like. The display unit 25 displays images in accordance with instructions from the control unit 21 .

攝影部26,係含有至少1台的相機。例如,攝影部26,係含有CCD成像感測器或CMOS成像感測器等之攝像元件,將該當攝像元件所拍攝到的影像,作為數位資料而記錄。影像,係可為靜止影像,亦可為以所定之畫格速率而被連續拍攝的動畫。The imaging unit 26 includes at least one camera. For example, the imaging unit 26 includes an imaging element such as a CCD imaging sensor or a CMOS imaging sensor, and records images captured by the imaging element as digital data. The images may be still images or animations that are continuously shot at a predetermined frame rate.

認證裝置30,係為被使用於認證的電腦。例如,認證裝置30係為行動電話機、攜帶型資訊終端、或個人電腦等。在本實施形態中,認證裝置30係含有:控制部31、記憶部32、通訊部33、操作部34、顯示部35、及攝影部36。控制部31、記憶部32、通訊部33、操作部34、顯示部35、及攝影部36的實體構成,係可分別和控制部11、記憶部12、通訊部13、操作部24、顯示部25、及攝影部26相同。The authentication device 30 is a computer used for authentication. For example, the authentication device 30 is a mobile phone, a portable information terminal, or a personal computer. In the present embodiment, the authentication device 30 includes a control unit 31 , a memory unit 32 , a communication unit 33 , an operation unit 34 , a display unit 35 , and a photographing unit 36 . The physical structure of the control unit 31 , the memory unit 32 , the communication unit 33 , the operation unit 34 , the display unit 35 , and the photographing unit 36 can be related to the control unit 11 , the memory unit 12 , the communication unit 13 , the operation unit 24 , and the display unit, respectively. 25 and the photographing unit 26 are the same.

此外,作為被記憶在記憶部12、22、32中而說明的程式及資料,係亦可透過網路N而被供給。又,上記說明的各電腦之硬體構成,係不限於上記的例子,可適用各式各樣的硬體。例如,亦可包含有:將電腦可讀取之資訊記憶媒體予以讀取的讀取部(例如光碟驅動機或記憶卡插槽)或用來與外部機器進行資料之輸出入所需之輸出入部(例如USB埠)。例如,資訊記憶媒體中所被記憶之程式或資料係亦可透過讀取部或輸出入部而被供給。In addition, programs and data described as being stored in the memory units 12 , 22 , and 32 can also be supplied through the network N. In addition, the hardware configuration of each computer described above is not limited to the above-mentioned example, and various kinds of hardware can be applied. For example, it may also include: a reading unit (such as a CD-ROM drive or a memory card slot) for reading a computer-readable information storage medium, or an input/output unit for data input/output with an external device (eg USB port). For example, the program or data memorized in the information storage medium can also be supplied through the reading unit or the input/output unit.

[2.認證系統的概要] 認證系統S,係於任意之場面中為了確認使用者的正當性,而執行認證。認證,係為確認使用者是否具有所定之資格的行為。認證,係也會被稱為對象認證或本人認證。認證系統S,係可執行各式各樣之類型的認證,例如可執行:2維碼認證、生物認證、通行碼認證、密碼認證、電子***認證、或密語認證。[2. Outline of the authentication system] The authentication system S executes authentication in order to confirm the legitimacy of the user in an arbitrary scene. Authentication is the act of confirming whether the user has the specified qualifications. Authentication is also referred to as subject authentication or personal authentication. The authentication system S can perform various types of authentication, such as: 2D code authentication, biometric authentication, pass code authentication, password authentication, electronic seal authentication, or password authentication.

生物認證,係為利用人類的身體性特徵或行動性特徵的認證方法。例如,利用身體性特徵的生物認證中係有:臉部認證、指紋認證、DNA認證、掌形認證、網膜認證、虹膜認證、靜脈認證、或聲音認證。又例如,利用行動性特徵的生物認證中係有:筆跡認證、敲鍵認證、唇動認證、扎眼認證、或步行認證。Biometric authentication is an authentication method that utilizes human physical characteristics or mobility characteristics. For example, among the biometric authentication using physical features are: face authentication, fingerprint authentication, DNA authentication, palm authentication, retina authentication, iris authentication, vein authentication, or voice authentication. For another example, biometric authentication using mobility features includes handwriting authentication, keystroke authentication, lip movement authentication, eye-catching authentication, or walking authentication.

在本實施形態中,是舉出使用者通過安全閘道的場面為例,說明認證系統S之處理。此外,認證系統S,係如後述的變形例,可適用於各種場面。認證系統S所被適用的場面,係不限於本實施形態之例子。In the present embodiment, the processing of the authentication system S is described by taking a scene in which a user passes through a security gateway as an example. In addition, the authentication system S is a modified example to be described later, and can be applied to various situations. The scene to which the authentication system S is applied is not limited to the example of the present embodiment.

圖2係為認證系統S所被利用之場面之一例的圖示。如圖2所示,安全閘道SG,係含有旋轉式的門。安全閘道SG,係被連接有認證裝置30。安全閘道SG的門,係藉由上鎖機構而被上鎖。一旦使用者的認證為成功,則上鎖就被解除。安全閘道SG,係被配置在上班處的公司或公共設施等之任意的設施。只有具有入場資格的人,可以通過安全閘道SG。FIG. 2 is a diagram showing an example of a scene in which the authentication system S is used. As shown in Fig. 2, the safety gate SG includes a revolving door. The authentication device 30 is connected to the security gateway SG. The door of the security gateway SG is locked by a locking mechanism. Once the user's authentication is successful, the lock is released. The safety gateway SG is an arbitrary facility such as a company or a public facility that is arranged at the workplace. Only those who are qualified for admission can pass through the security gateway SG.

在本實施形態中,作為將使用者進行認證的認證方法,是舉出臉部認證為例。使用者係在要利用認證系統S所提供的認證服務之際,會進行所定之利用登錄。使用者一旦完成利用登錄,則用來唯一識別使用者的使用者ID就會被發行。使用者所輸入的姓名等之資訊,係被登錄至伺服器10。使用者係在利用登錄時或其後的任意之時序上,進行臉部照片之登錄申請。例如,一旦使用者操作使用者終端20而向伺服器10進行存取,則用來進行登錄申請所需之登錄申請畫面就會被顯示在使用者終端20上。In the present embodiment, face authentication is exemplified as an authentication method for authenticating a user. When the user wants to use the authentication service provided by the authentication system S, a predetermined use registration is performed. Once the user completes the use registration, a user ID for uniquely identifying the user is issued. The information such as the name entered by the user is registered in the server 10 . The user applies for registration of a face photo at the time of registration or at any time after that. For example, when the user operates the user terminal 20 to access the server 10 , a login application screen necessary for performing a login application is displayed on the user terminal 20 .

圖3係為登錄申請畫面之一例的圖示。如圖3所示,登錄申請畫面G1中係被顯示有:用來輸入使用者ID所需之輸入表單F10、用來輸入密碼所需之輸入表單F11、及用來上傳臉部照片所需之輸入表單F12、及用來進行登錄申請所需之按鈕B13。此外,密碼係並非為了通過安全閘道SG,而是為了變更自己的登錄資訊等之其他目的而被利用。FIG. 3 is a diagram showing an example of a login application screen. As shown in FIG. 3, the login application screen G1 is displayed with an input form F10 for inputting a user ID, an input form F11 for inputting a password, and an input form F11 for uploading a face photo Input form F12 and button B13 required for making a login application. In addition, the password is not used to pass through the secure gateway SG, but is used for other purposes such as changing one's own login information.

例如,使用者終端20的記憶部22中係記憶有使用者的臉部照片。使用者係在輸入表單F12中輸入檔名,指定要上傳的臉部照片。亦即,使用者,係在輸入表單F12中,指定在臉部認證時所要使用的臉部照片。在本實施形態中,為了簡化說明,而說明只登錄1張臉部照片的情況,但亦可登錄複數張臉部照片。此外,使用者係亦可啟動攝影部26,而當場拍攝臉部照片。For example, the memory unit 22 of the user terminal 20 stores a photograph of the user's face. The user inputs the file name in the input form F12, and specifies the facial photo to be uploaded. That is, in the input form F12, the user designates a face photograph to be used for face authentication. In this embodiment, in order to simplify the description, the case where only one facial photograph is registered is described, but a plurality of facial photographs may be registered. In addition, the user can also activate the photographing unit 26 to take a photo of the face on the spot.

一旦使用者在輸入表單F10~F12之每一者中輸入資訊並選擇了按鈕B13,則臉部照片就會被上傳至伺服器10。伺服器10,係基於臉部照片,而計算使用者的臉部的特徵量。臉部的特徵量,並非在伺服器10中集中管理,而是在伺服器10與使用者終端20間被分散管理。Once the user enters information in each of the input forms F10 - F12 and selects the button B13 , the facial photo is uploaded to the server 10 . The server 10 calculates the feature amount of the user's face based on the facial photograph. The feature amount of the face is not centrally managed by the server 10 , but is managed distributedly between the server 10 and the user terminal 20 .

在本實施形態中,臉部的特徵量之第1部分,係被登錄至使用者終端20。臉部的特徵量之第2部分,係被登錄至伺服器10。此外,臉部的特徵量之第2部分,係亦可被複數個伺服器所分散管理。第1部分,係為臉部的特徵量之中的一部分。第2部分,係為異於第1部分的部分。第1部分與第2部分,其一部分亦可重複。臉部的特徵量,係亦可不只第1部分與第2部分,而是被分割成3個以上之部分。臉部的特徵量之中,哪個部分會變成第1部分及第2部分,假設是被預先決定。第1部分及第2部分,係可為任意之部分,不限於本實施形態之例子。In the present embodiment, the first part of the feature value of the face is registered in the user terminal 20 . The second part of the feature value of the face is registered in the server 10 . In addition, the second part of the feature value of the face may be distributed and managed by a plurality of servers. The first part is a part of the feature quantity of the face. Part 2 is a different part from Part 1. Parts 1 and 2, part of which may be repeated. The feature value of the face may be divided into not only the first part and the second part but also three or more parts. Among the feature values of the face, which part becomes the first part and the second part is assumed to be predetermined. The first part and the second part may be arbitrary parts, and are not limited to the examples of this embodiment.

例如,臉部的特徵量,係用n維(n為自然數)之向量而被表現。在本實施形態中,假設n的數值為5。例如,在5維向量之中,前半的2個要素,係作為第1部分而被登錄至使用者終端20。5維向量之中,後半的3個要素,係作為第2部分而被登錄至伺服器10。若假設臉部的特徵量為(2.4, 1.5, 3.6, 4.3, 8.9),則(2.4, 1.5)之部分,係作為第1部分而被登錄至使用者終端20。(3.6, 4.3, 8.9)之部分,係作為第2部分而被登錄至伺服器10。For example, the feature value of the face is represented by an n-dimensional (n is a natural number) vector. In this embodiment, the value of n is assumed to be 5. For example, in a 5-dimensional vector, the two elements in the first half are registered in the user terminal 20 as the first part. In the 5-dimensional vector, the three elements in the second half are registered in the second part. Server 10. Assuming that the feature values of the face are (2.4, 1.5, 3.6, 4.3, 8.9), the part of (2.4, 1.5) is registered in the user terminal 20 as the first part. The parts (3.6, 4.3, 8.9) are registered to the server 10 as the second part.

伺服器10,係記憶至少被登錄有1位使用者之第2部分的資料庫。伺服器10,係記憶複數個資料庫。在本實施形態中,係對各資料庫分配有DB號碼。DB號碼,係用來唯一識別資料庫的資訊。DB號碼,係亦可為資料庫的名稱或ID。在本實施形態中,將該資料庫稱為第2部分資料庫。The server 10 memorizes the database of the second part in which at least one user is registered. The server 10 memorizes a plurality of databases. In the present embodiment, a DB number is assigned to each database. The DB number is the information used to uniquely identify the database. The DB number can also be the name or ID of the database. In the present embodiment, this database is referred to as a second partial database.

使用者的第2部分,係被登錄至任一第2部分資料庫。在使用者終端20中,係不只使用者的第1部分,還會連同第2部分所被登錄之第2部分資料庫之DB號碼,一起加以登錄。第1部分、第2部分、及DB號碼之每一者的登錄一旦完成,則登錄完成畫面就被顯示於顯示部25。A user's Part 2 is logged into any Part 2 database. In the user terminal 20, not only the first part of the user but also the DB number of the second part database in which the second part is registered is registered. Once the registration of each of the first part, the second part, and the DB number is completed, the registration completion screen is displayed on the display unit 25 .

圖4係為登錄完成畫面之一例的圖示。如圖4所示,在登錄完成畫面G2係被顯示有,表示登錄已經完成的訊息等。在登錄完成畫面G2中亦可被顯示有,使用者終端20中所被登錄之第1部分與DB號碼。一旦登錄完成,則使用者就可執行認證而可通過安全閘道SG。FIG. 4 is a diagram showing an example of a login completion screen. As shown in FIG. 4, a message indicating that the registration has been completed is displayed on the registration completion screen G2. The first part and the DB number registered in the user terminal 20 may be displayed on the registration completion screen G2. Once the login is complete, the user can perform authentication and pass through the secure gateway SG.

圖5係為認證系統S中的認證之流程的圖示。在圖5的例子中,在使用者終端20中係被登錄有第1部分(2.4, 1.5)、和DB號碼「157813」。使用者終端20,係利用Bluethooth(註冊商標)或Wi-Fi(註冊商標)等之近距離無線通訊,而將自身中所被登錄之這些資訊,向周圍發送。例如,使用者終端20,係亦可在廣播封包(Advertising Packet)中,儲存第1部分和DB號碼而向周圍發送。FIG. 5 is a diagram showing the flow of authentication in the authentication system S. FIG. In the example of FIG. 5 , the first part (2.4, 1.5) and the DB number “157813” are registered in the user terminal 20 . The user terminal 20 transmits the information registered in the user terminal 20 to the surroundings using short-range wireless communication such as Bluetooth (registered trademark) or Wi-Fi (registered trademark). For example, the user terminal 20 may store the first part and the DB number in an advertising packet and transmit it to the surroundings.

一旦使用者接近認證裝置30,則認證裝置30係利用近距離無線通訊,從使用者終端20,接收第1部分(2.4, 1.5)、和DB號碼「157813」。使用者係依照認證裝置30的顯示部35中所被顯示的說明,而令攝影部36拍攝自己的臉部。認證裝置30,係對伺服器10,發送第1部分(2.4, 1.5)、DB號碼「157813」、及藉由攝影部36所被拍攝到的影像。When the user approaches the authentication device 30, the authentication device 30 receives the first part (2.4, 1.5) and the DB number "157813" from the user terminal 20 by using short-range wireless communication. In accordance with the instructions displayed on the display unit 35 of the authentication device 30, the user instructs the photographing unit 36 to photograph his own face. The authentication device 30 transmits the first part (2.4, 1.5), the DB number "157813", and the image captured by the imaging unit 36 to the server 10 .

伺服器10,係將從認證裝置30所接收到的影像中所拍到的臉部的特徵量,加以計算。該特徵量,係以5維之向量而被表現。例如,伺服器10,作為影像中所拍到的臉部的特徵量,係取得(2.4, 1.5, 3.6, 4.3, 8.9)。該特徵量,係相當於認證時的查詢。The server 10 calculates the feature value of the face captured in the video received from the authentication device 30 . This feature quantity is represented by a 5-dimensional vector. For example, the server 10 acquires (2.4, 1.5, 3.6, 4.3, 8.9) as the feature quantity of the face captured in the video. This feature quantity corresponds to a query at the time of authentication.

伺服器10,係參照從認證裝置30所接收到的DB號碼「157813」的第2部分資料庫DB1。伺服器10,係對從認證裝置30所接收到的第1部分(2.4, 1.5),將該第2部分資料庫DB1中所被儲存之第2部分(3.6, 4.3, 8.9)予以結合,取得5維之向量(2.4, 1.5, 3.6, 4.3, 8.9)之特徵量。該特徵量,係相當於認證時的索引。在第2部分資料庫DB1被登錄有複數個使用者之第2部分的情況下,則該使用者的數量有多少,就會取得多少個索引之特徵量。The server 10 refers to the second part database DB1 of the DB number "157813" received from the authentication device 30 . The server 10 combines the second part (3.6, 4.3, 8.9) stored in the second part database DB1 with the first part (2.4, 1.5) received from the authentication device 30, and obtains The feature quantity of a 5-dimensional vector (2.4, 1.5, 3.6, 4.3, 8.9). This feature value corresponds to an index at the time of authentication. When the second part database DB1 of the second part is registered in the second part of a plurality of users, the feature quantity of the index is obtained as many as the number of the users.

伺服器10,係計算查詢之特徵量與索引之特徵量的距離。索引之特徵量被取得複數個的情況下,則索引之特徵量的數量有多少,就會計算出多少個距離。伺服器10,係在有未滿閾值之距離存在的情況下,判定為認證成功。若為圖5的例子,則由於距離為0者是存在於第2部分資料庫DB1內,因此判定為認證成功。一旦認證成功,則安全閘道SG的上鎖係被解除,使用者係可通過安全閘道SG。The server 10 calculates the distance between the feature value of the query and the feature value of the index. When a plurality of index feature values are acquired, how many distances are calculated depending on the number of index feature values. The server 10 determines that the authentication is successful when there is a distance less than the threshold value. In the example of FIG. 5 , since the distance 0 exists in the second partial database DB1, it is determined that the authentication is successful. Once the authentication is successful, the lock system of the security gateway SG is released, and the user can pass through the security gateway SG.

如以上所述,認證系統S中的認證就被進行。第2部分資料庫DB1中所被登錄之第2部分,係會與使用者終端20中所被登錄之第1部分做結合,因此在相同的第2部分資料庫DB1中,若有彼此相同或類似的複數個第2部分被登錄,則就有可能發生冒充。As described above, the authentication in the authentication system S is performed. The second part registered in the second part database DB1 will be combined with the first part registered in the user terminal 20. Therefore, in the same second part database DB1, if there are the same or the same If a plurality of similar second parts are registered, impersonation may occur.

圖6係為冒充會成為可能之情況之一例的圖示。如圖6所示,在DB號碼「157813」的第2部分資料庫DB1中,假設有第2部分(3.6, 4.3, 8.9)為相同的使用者A、B存在。使用者A進行認證的情況下,使用者A的使用者終端20中所被登錄之第1部分(2.4, 1.5)、與第2部分資料庫DB1中所被登錄之第2部分(3.6, 4.3, 8.9),係一旦被結合,就有可能會與影像中所拍到的使用者A之臉部的特徵量相同或類似。FIG. 6 is an illustration of an example of a situation where impersonation may be possible. As shown in FIG. 6, in the second part database DB1 of the DB number "157813", it is assumed that the second part (3.6, 4.3, 8.9) exists for the same users A and B. When the user A performs authentication, the first part (2.4, 1.5) registered in the user terminal 20 of the user A and the second part (3.6, 4.3) registered in the second part database DB1 , 8.9), once combined, it may be the same or similar to the feature quantity of user A's face captured in the image.

在圖6的情況下,使用者A是有可能被認證成為使用者B,而可能發生冒充。即使使用者A的第1部分、與使用者B的第1部分係為不同,仍有可能發生冒充。即使第2部分並非完全相同,只要彼此類似的複數個第2部分是被登錄在相同的第2部分資料庫DB1中,就有可能發生同樣的冒充。於是,在本實施形態中,係使得在相同的DB號碼的第2部分資料庫DB1中,彼此相同或類似的複數個第2部分,不會被登錄。In the case of FIG. 6 , user A may be authenticated as user B, and impersonation may occur. Even if user A's part 1 is different from user B's part 1, impersonation may still occur. Even if the second parts are not identical, as long as a plurality of second parts similar to each other are registered in the same second part database DB1, the same impersonation may occur. Therefore, in the present embodiment, in the second-part database DB1 of the same DB number, a plurality of second parts that are the same or similar to each other are not registered.

圖7係為登錄申請時的處理之一例的圖示。如圖7所示,假設在使用者A進行登錄申請的情況下,與使用者A之第2部分相同或類似的使用者B,已經使用了DB號碼「157813」。此情況下,伺服器10,係使得與使用者B相同的DB號碼「157813」不會被分配給使用者A的方式,而將其他DB號碼「438569」,分配給使用者A。FIG. 7 is a diagram showing an example of processing at the time of registration application. As shown in FIG. 7, it is assumed that when user A applies for login, user B, which is the same as or similar to the second part of user A, has already used the DB number "157813". In this case, the server 10 assigns the other DB number "438569" to the user A in such a manner that the same DB number "157813" as the user B is not assigned to the user A.

例如,伺服器10係判定,在DB號碼「438569」的第2部分資料庫DB1之中,是否有與使用者A之第2部分相同或類似的其他使用者存在。伺服器10,係先確認在DB號碼「438569」的第2部分資料庫DB1之中,沒有與使用者A之第2部分相同或類似的其他使用者存在,然後才會將該DB號碼分配給使用者A。For example, the server 10 determines whether there are other users that are the same as or similar to the second part of the user A in the second part database DB1 of the DB number "438569". The server 10 first confirms that in the second part database DB1 of the DB number "438569", there is no other user that is the same or similar to the second part of the user A, and then assigns the DB number to the database. User A.

在DB號碼「438569」的第2部分資料庫DB1之中,有與使用者A之第2部分相同或類似的其他使用者存在的情況下,則伺服器10係執行上記的處理,直到找到沒有與使用者A之第2部分相同或類似的其他使用者存在的第2部分資料庫DB1。在既存的全部的第2部分資料庫DB1中都未找到的情況下,則伺服器10亦可發行新的DB號碼。此情況下,伺服器10,係在新的DB號碼所對應之第2部分資料庫DB1中,登錄使用者A的第2部分。In the second part database DB1 of the DB number "438569", if there are other users that are the same as or similar to the second part of the user A, the server 10 executes the above-mentioned processing until it finds no other users. Part 2 database DB1 that exists for other users that are the same or similar to Part 2 of User A. If the server 10 is not found in all the existing second-part database DB1, the server 10 may issue a new DB number. In this case, the server 10 registers the second part of the user A in the second part database DB1 corresponding to the new DB number.

如以上所述,認證系統S,係在相同的第2部分資料庫DB1中,不會登錄彼此相同或類似的複數個第2部分,藉此可以防止冒充,而充分提高安全性。以下,說明該技術的細節。As described above, the authentication system S is stored in the same second-part database DB1, and a plurality of second parts that are the same or similar to each other are not registered, whereby impersonation can be prevented and security can be sufficiently improved. Hereinafter, the details of this technique will be described.

[3.於認證系統中所被實現之功能] 圖8係為本實施形態的認證系統S中所被實現的功能之一例的功能區塊圖。此處係說明,在伺服器10、使用者終端20、及認證裝置30之各者中所被實現之功能。[3. Functions implemented in the authentication system] FIG. 8 is a functional block diagram showing an example of functions implemented in the authentication system S of the present embodiment. Here, the functions implemented in each of the server 10 , the user terminal 20 , and the authentication device 30 are described.

[3-1.於伺服器中所被實現的功能] 如圖8所示,在伺服器10中係被實現有:資料記憶部100、受理部101、第1登錄部102、生成部103、第2登錄部104、認證部105、限制部106、及處理執行部107。[3-1. Functions implemented in the server] As shown in FIG. 8 , the server 10 is implemented with a data storage unit 100 , a reception unit 101 , a first registration unit 102 , a generation unit 103 , a second registration unit 104 , an authentication unit 105 , a restriction unit 106 , and Process execution unit 107 .

[資料記憶部] 資料記憶部100,係以記憶部12為主而被實現。資料記憶部100,係記憶認證時所必須之資料。此處,作為資料記憶部100所記憶的資料之一例,說明第2部分資料庫DB1、和使用者資料庫DB2。[Data Memory Department] The data storage unit 100 is realized mainly by the storage unit 12 . The data storage unit 100 is to memorize data necessary for authentication. Here, the second part database DB1 and the user database DB2 will be described as examples of the data stored in the data storage unit 100 .

第2部分資料庫DB1,係為至少被登錄有1位使用者之第2部分的資料庫。資料記憶部100,係記憶複數個第2部分資料庫DB1。第2部分資料庫DB1,係藉由DB號碼而被識別。DB號碼,係可用連續號碼來編號,亦可不必特別使用連續號碼。DB號碼係被記錄在資料記憶部100中。The second-part database DB1 is a second-part database in which at least one user is registered. The data storage unit 100 stores a plurality of second partial databases DB1. The second part database DB1 is identified by the DB number. The DB number can be numbered with consecutive numbers, or it is not necessary to use consecutive numbers. The DB number is recorded in the data storage unit 100 .

DB號碼,係為第2資訊之一例。因此,在本實施形態中記載為DB號碼的地方,係可替換成第2資訊。第2資訊,係為與第2部分建立關連的資訊。所謂建立關連,係第2部分與第2資訊是可相互檢索,或者第2部分與第2資訊是彼此關連。在DB號碼所示的第2部分資料庫DB1中登錄第2部分這件事情,就相當於把第2部分與DB號碼建立關連。其他還有,例如,對後述的使用者資料庫DB2的相同的紀錄,將第2部分與DB號碼予以登錄這件事情,也是相當於把第2部分與DB號碼建立關連。The DB number is an example of the second information. Therefore, the place described as the DB number in the present embodiment can be replaced with the second information. The 2nd information is the information which is related to the 2nd part. The so-called establishment of a relationship means that the second part and the second information can be retrieved from each other, or the second part and the second information are related to each other. Registering the second part in the second part database DB1 indicated by the DB number is equivalent to associating the second part with the DB number. Others, for example, registering the second part and the DB number for the same record in the user database DB2 described later is also equivalent to associating the second part with the DB number.

例如,第2資訊,係為資料庫的識別資訊。該識別資訊,係不限於DB號碼,亦可為字串,亦可為文字與數值之組合。第2資訊係亦可稱為,用來檢索伺服器10中所被登錄之第2部分所需之檢索資訊。檢索資訊,係為檢索時可以成為查詢或索引的資訊。在伺服器10中所被記憶之複數個第2部分資料庫DB1之每一者中,係被登錄有複數個使用者之每一者的第2部分。For example, the second information is identification information of the database. The identification information is not limited to the DB number, but can also be a character string or a combination of characters and numerical values. The second information can also be referred to as retrieval information required for retrieving the second part registered in the server 10 . Retrieval information is the information that can be searched or indexed during retrieval. In each of the plurality of second part databases DB1 memorized in the server 10, the second part of each of the plurality of users is registered.

圖9係為使用者資料庫DB2的資料儲存例的圖示。如圖9所示,使用者資料庫DB2係為,關於使用者的各種資訊所被儲存的資料庫。使用者資料庫DB2中係被儲存有:使用者ID、使用者的姓名、密碼、已被上傳之臉部照片之資料、從臉部照片所被計算出來的臉部的特徵量、第2部分、及DB號碼。此外,使用者資料庫DB2中所被儲存之資訊,係不限於這些,亦可儲存有使用者的連絡處或地址這類任意之資訊。FIG. 9 is a diagram showing an example of data storage in the user database DB2. As shown in FIG. 9, the user database DB2 is a database in which various information about the user is stored. The user database DB2 stores: the user ID, the user's name, password, the data of the uploaded face photo, the feature value of the face calculated from the face photo, part 2 , and the DB number. In addition, the information stored in the user database DB2 is not limited to these, and arbitrary information such as the user's contact point or address may also be stored.

密碼、第2部分、及DB號碼,係為認證資訊的一種。所謂認證資訊,係為在認證時所被參照的資訊,隨著認證方法而其名稱為不同。例如,若為電子***認證,則***的多點觸控型樣即為認證資訊,若為密語認證,則密語即為認證資訊。Password, Part 2, and DB number are one type of authentication information. The so-called authentication information is information referred to at the time of authentication, and its name is different depending on the authentication method. For example, in the case of electronic seal authentication, the multi-touch pattern of the seal is the authentication information, and in the case of password authentication, the password is the authentication information.

臉部的特徵量,係為將臉部之特徵予以數值化的資訊,係表示例如:臉部之零件的相對位置、大小、或形狀等之特徵。在本實施形態中,雖然是事前就計算出臉部照片所示之臉部的特徵量,但臉部的特徵量係亦可在認證時當場計算。在有複數張臉部照片被登錄的情況下,則按照每一臉部照片,計算出臉部的特徵量。臉部認證本身,係可適用各種手法,例如可以利用主成分分析、線性判別分析、彈性匹配、或隱藏式馬可夫模型這些手法,特徵量係只要以相應於這些手法的計算式而被計算即可。例如,臉部的特徵量,雖然是以多維的向量來表示,但亦可用數列或單一的數值這類其他形式來表示。The feature value of the face is information that quantifies the features of the face, and represents features such as the relative position, size, or shape of the parts of the face. In the present embodiment, although the feature value of the face shown in the facial photograph is calculated in advance, the feature value of the face may be calculated on the spot at the time of authentication. When a plurality of facial photos are registered, the feature value of the face is calculated for each facial photo. For face authentication itself, various techniques can be applied, for example, principal component analysis, linear discriminant analysis, elastic matching, or hidden Markov model can be used, and the feature quantity can be calculated by the calculation formula corresponding to these techniques. . For example, although the feature value of a face is represented by a multidimensional vector, it can also be represented by other forms such as a sequence of numbers or a single numerical value.

[受理部] 受理部101,係以控制部11為主而被實現。受理部101,係受理所定之登錄申請。登錄申請,係為用來登錄認證時所必須之資訊所需之申請,此處係為來登錄臉部的特徵量所需之申請。登錄申請,係藉由預先制定之程序來辦理手續而被進行。例如,使用者終端20係一旦選擇了按鈕B13,就會發送所定之登錄申請。登錄申請中係含有,使用者所指定的臉部照片之影像資料。受理部101,係從使用者終端20接收含有臉部照片之影像資料的登錄申請。[Reception Department] The reception unit 101 is realized mainly by the control unit 11 . The acceptance unit 101 accepts a predetermined registration application. The registration application is an application required to register the information necessary for authentication, and here is an application required to register the feature value of the face. The registration application is carried out by going through the procedures through a pre-established procedure. For example, when the button B13 is selected, the user terminal 20 transmits a predetermined registration application. The registration application contains the image data of the facial photo specified by the user. The reception unit 101 receives from the user terminal 20 a registration application for video data including a facial photograph.

[第1登錄部] 第1登錄部102,係以控制部11為主而被實現。第1登錄部102,係將臉部的特徵量之第1部分,登錄至使用者終端20。在本實施形態中,第1登錄部102,係在使用者終端20中登錄第1部分與第2資訊。此外,第2資訊,係亦可被登錄在使用者終端20以外的電腦。所謂登錄,係為和記錄、儲存、或保存相同的意思。第1登錄部102,係將某個使用者的第1部分,登錄至該使用者的使用者終端20。[First Registration Section] The first registration unit 102 is realized mainly by the control unit 11 . The first registration unit 102 registers the first part of the feature value of the face to the user terminal 20 . In the present embodiment, the first registration unit 102 registers the first part and the second information in the user terminal 20 . In addition, the second information may be registered in a computer other than the user terminal 20 . The so-called registration means the same meaning as recording, storing, or saving. The first registration unit 102 registers the first part of a certain user in the user terminal 20 of the user.

臉部的特徵量,係為第1資訊之一例。因此,在本實施形態中記載為臉部之特徵量的地方,係可替換成第1資訊。第1資訊,係為認證資訊。在本實施形態中,由於是利用生物認證,因此第1資訊係為生物資訊。生物資訊,係為生物認證中所被利用的認證資訊。除了臉部的特徵量以外,臉部照片本身亦可相當於生物資訊。在利用臉部認證以外之生物認證的情況下,則生物資訊係只要是相應於該生物認證的認證資訊即可。The feature value of the face is an example of the first information. Therefore, what is described as the feature value of the face in this embodiment can be replaced by the first information. The first information is authentication information. In this embodiment, since biometric authentication is used, the first information is biometric information. Biometric information is authentication information used in biometric authentication. In addition to the feature quantity of the face, the face photo itself can be equivalent to biological information. In the case of using biometric authentication other than face authentication, the biometric information system only needs to be authentication information corresponding to the biometric authentication.

使用者終端20,係為第1裝置之一例。因此,在本實施形態中記載為使用者終端20的地方,係可替換成第1裝置。第1裝置,係只要是異於第2裝置的裝置即可。例如,第1裝置,係除了使用者終端20以外,亦可為異於伺服器10的伺服器電腦。此情況下,第1部分與第2部分,係在個別的伺服器電腦中被分散管理。The user terminal 20 is an example of the first device. Therefore, what is described as the user terminal 20 in this embodiment can be replaced with the first device. The first device may be any device as long as it is different from the second device. For example, the first device may be a server computer other than the server 10 in addition to the user terminal 20 . In this case, part 1 and part 2 are distributed and managed in separate server computers.

使用者所指定的臉部照片之特徵量,係亦可藉由伺服器10而被計算,亦可藉由使用者終端20而被計算。特徵量,係只要基於預先決定的演算法而被計算即可,例如亦可利用CNN。第1登錄部102,係將臉部的特徵量之中被預先決定之位置的部分(在本實施形態中係為最初的2個要素),當作第1部分而加以取得。若換成別的說法,則臉部的特徵量,係被分割成第1部分與第2部分。第1登錄部102,係對使用者終端20,發送第1部分並予以登錄。The feature value of the facial photo designated by the user may be calculated by the server 10 or calculated by the user terminal 20 . The feature quantity may be calculated based on a predetermined algorithm, and for example, CNN may also be used. The first registration unit 102 acquires the pre-determined positions (the first two elements in this embodiment) among the feature values of the face as the first part. In other words, the feature value of the face is divided into a first part and a second part. The first registration unit 102 transmits and registers the first part to the user terminal 20 .

[生成部] 生成部103,係以控制部11為主而被實現。生成部103,係將做了登錄申請之使用者的DB號碼之候補,加以生成。所謂候補,係為有被登錄使用者之第2部分之可能性的第2部分資料庫DB2之DB號碼。生成部103,係從既存之DB號碼之中,選擇出候補。所謂既存之DB號碼,係為已經被作成的第2部分資料庫DB2之DB號碼。生成部103,係亦可從既存之DB號碼之中隨機地選擇出候補,亦可按照既存之DB號碼的從較新至較舊的號碼順序,來選擇候補。生成部103,係亦可不是既存之DB號碼,而是生成新的DB號碼。此情況下,生成部103,係亦可將基於亂數而生成的隨機的數值,當作候補。[Generation Department] The generation unit 103 is realized mainly by the control unit 11 . The generating unit 103 generates a candidate for the DB number of the user who has applied for the registration. The so-called candidate is the DB number of the second part database DB2 that may be registered as the second part of the user. The generation unit 103 selects candidates from the existing DB numbers. The so-called existing DB number is the DB number of the already created Part 2 database DB2. The generation unit 103 may randomly select the candidates from the existing DB numbers, or may select the candidates in the order from the newer to the older of the existing DB numbers. The generation unit 103 may generate a new DB number instead of the existing DB number. In this case, the generation unit 103 may use random numerical values generated based on random numbers as candidates.

[第2登錄部] 第2登錄部104,係以控制部11為主而被實現。第2登錄部104,係將臉部的特徵量之第2部分,與DB號碼建立關連而登錄至伺服器10。在本實施形態中,一旦使用者進行登錄申請則第2部分就會被登錄,因此第2登錄部104,係對做了登錄申請之使用者之第2部分,將已被檢索到的DB號碼建立關連而加以登錄。[Second Registration Section] The second registration unit 104 is realized mainly by the control unit 11 . The second registering unit 104 registers the second part of the feature value of the face in the server 10 in association with the DB number. In the present embodiment, the second part is registered when the user makes a registration application. Therefore, the second registration unit 104 stores the DB number that has been searched for the second part of the user who has made the registration application. Log in after establishing a connection.

第2登錄部104,係將臉部的特徵量之中被預先決定之位置的部分(在本實施形態中係為後半的3個要素),當作第2部分而加以取得。例如,第2登錄部104,係在做了登錄申請之使用者之DB號碼的第2部分資料庫DB1中,登錄該使用者的第2部分。又例如,第2登錄部104,係在使用者資料庫DB2之中,在做了登錄申請之使用者之紀錄中,登錄該使用者的第2部分與DB號碼。The second registration unit 104 acquires the part of the feature value of the face at a predetermined position (in the present embodiment, the three elements in the latter half) as the second part. For example, the second registration unit 104 registers the second part of the user in the second part database DB1 of the DB number of the user who made the registration application. For another example, the second registration unit 104 is in the user database DB2, and registers the second part and the DB number of the user in the record of the user who has applied for registration.

[認證部] 認證部105,係以控制部11為主而被實現。認證部105,係基於第1部分、第2部分、及DB號碼,認證部105,係基於所被輸入之臉部的特徵量及DB號碼、與使用者終端20的第1部分、與伺服器10的第2部分及DB號碼,而進行認證。在本實施形態中,認證時所被利用的第2部分,係藉由DB號碼而被檢索,因此認證係為,基於第1部分、與藉由DB號碼而被檢索到的第2部分的生物認證。[Certification Department] The authentication unit 105 is realized mainly by the control unit 11 . The authentication unit 105 is based on the first part, the second part, and the DB number, and the authentication unit 105 is based on the input feature value of the face and the DB number, the first part of the user terminal 20, and the server 10 part 2 and the DB number for authentication. In this embodiment, the second part used for authentication is retrieved by the DB number, so authentication is based on the first part and the second part retrieved by the DB number. Certification.

所謂所被輸入之臉部的特徵量,係為在認證時對電腦所輸入之特徵量,例如,亦可為藉由攝影部36等之感測器之偵測結果而被輸入之特徵量,亦可為藉由使用者之操作而被輸入之特徵量。在本實施形態中,藉由攝影部36所被拍攝到的影像所呈現的臉部的特徵量,係為所被輸入之特徵量之一例。所被輸入之DB號碼也是同樣地,是在認證時對電腦所被輸入之DB號碼。在本實施形態中,認證裝置30從使用者終端20所接收到之DB號碼,係為所被輸入之DB號碼之一例。所被輸入之DB號碼,係為使用者終端20中所被登錄之DB號碼。The feature value of the input face is the feature value input to the computer at the time of authentication, for example, it may be the feature value input by the detection result of the sensor of the imaging unit 36 or the like, It may also be a feature quantity input by a user's operation. In the present embodiment, the feature value of the face represented by the image captured by the imaging unit 36 is an example of the input feature value. Similarly, the inputted DB number is the DB number input to the computer at the time of authentication. In the present embodiment, the DB number received by the authentication device 30 from the user terminal 20 is an example of the input DB number. The inputted DB number is the DB number registered in the user terminal 20 .

所被輸入之臉部的特徵量及DB號碼,係為相當於認證時之查詢的資訊。使用者終端20的第1部分,與伺服器10的第2部分及DB號碼,係為相當於認證時之索引的資訊。在本實施形態中,是舉出生物認證為例,因此是說明,藉由相當於查詢的資訊、與相當於索引的資訊的類似性而決定認證之成否的情況,在利用其他認證方法的情況下,則亦可藉由它們的同一性而決定認證之成否。The input feature value and DB number of the face are information equivalent to an inquiry at the time of authentication. The first part of the user terminal 20 and the second part and the DB number of the server 10 are information corresponding to the index at the time of authentication. In the present embodiment, the biometric authentication is used as an example, so the description will be given to the case where the authentication is determined based on the similarity between the information corresponding to the inquiry and the information corresponding to the index, and the case where another authentication method is used. Under the same conditions, the authentication can also be determined by their identity.

例如,認證部105,係將使用者終端20中所被登錄之第1部分、與伺服器10中所被登錄之第2部分加以結合,而取得臉部的特徵量。認證部105,係基於所被輸入之臉部的特徵量與所被結合之臉部的特徵量的類似性,和所被輸入之DB號碼與伺服器10之DB號碼的同一性,而進行認證。For example, the authentication unit 105 combines the first part registered in the user terminal 20 and the second part registered in the server 10 to obtain the feature value of the face. The authentication unit 105 performs authentication based on the similarity between the input feature value of the face and the feature value of the combined face, and the identity of the input DB number and the DB number of the server 10 .

認證部105,係在所被輸入之臉部的特徵量與所被結合之臉部的特徵量為類似的情況下,判定為認證成功。認證部105,係在所被輸入之臉部的特徵量與所被結合之臉部的特徵量不類似的情況下,判定為認證失敗。例如,認證部105,係基於已被輸入之臉部的特徵量、與已被登錄之臉部的特徵量,而計算類似度。The authentication unit 105 determines that the authentication has succeeded when the feature value of the input face and the feature value of the combined face are similar. The authentication unit 105 determines that the authentication has failed when the feature value of the input face is not similar to the feature value of the combined face. For example, the authentication unit 105 calculates the degree of similarity based on the feature value of the input face and the feature value of the registered face.

認證部105,係亦可將這些特徵量的差(例如特徵量所表示之向量彼此的距離)直接當作類似度,亦可將這些特徵量代入至所定之計算式(例如針對特徵量所表示之向量之每一要素而做了加權的計算式)而計算出類似度。認證部105,係在類似度為閾值以上的情況下判定為認證成功,在類似度未滿閾值的情況下判定為認證失敗。The authentication unit 105 may directly regard the difference of these feature amounts (for example, the distance between the vectors represented by the feature amount) as the similarity degree, or may substitute these feature amounts into a predetermined calculation formula (for example, for the features indicated by the feature amount) The similarity is calculated by weighting each element of the vector). The authentication unit 105 determines that the authentication has succeeded when the similarity is equal to or greater than the threshold, and determines that the authentication has failed when the similarity is less than the threshold.

此外,在不是臉部的特徵量,而是將臉部照片本身利用於臉部認證的情況下,則認證部105係亦可計算已被輸入之臉部照片、與已被結合之臉部照片的類似度。影像彼此之類似度的計算方法本身,係可適用各種之手法,例如,亦可利用計算影像內的像素之像素值的差的方法,也可利用機器學習中的類似度計算。In addition, when the facial photograph itself is used for face authentication instead of the feature value of the face, the authentication unit 105 may calculate the input facial photograph and the combined facial photograph. similarity. Various methods can be applied to the calculation method of the similarity between images. For example, a method of calculating the difference between pixel values of pixels in an image can be used, and a similarity calculation in machine learning can be used.

在本實施形態中,所被輸入之DB號碼與伺服器10之DB號碼為相同這件事情,也是作為認證成功之條件。認證部105,係基於藉由所被輸入之DB號碼而被識別的第2部分資料庫DB1中所被登錄之第2部分,而取得已被結合之臉部的特徵量。認證部105,係按照該第2部分資料庫DB1中所被登錄之每一第2部分,將使用者之第1部分與該當第2部分進行結合以取得特徵量。亦即,認證部105,係對於該第2部分資料庫DB1中所被登錄之所有的第2部分,結合使用者的第1部分而取得特徵量。認證部105,係若有與所被輸入之特徵量類似的已被結合之特徵量存在,則判定為認證成功。In the present embodiment, the fact that the inputted DB number and the DB number of the server 10 are the same is also a condition for successful authentication. The authentication unit 105 acquires the feature value of the combined face based on the second part registered in the second part database DB1 identified by the inputted DB number. The authentication unit 105 combines the first part of the user with the corresponding second part for each second part registered in the second part database DB1 to obtain the feature value. That is, the authentication unit 105 acquires the feature value in combination with the first part of the user for all the second parts registered in the second part database DB1. The authentication unit 105 determines that the authentication is successful if there is a combined feature value similar to the input feature value.

認證部105,係基於所定之判定演算法,而判定所被輸入之臉部的特徵量、與所被登錄之第1部分及第2部分所結合而成的臉部的特徵量是否相同或類似,藉此而進行認證。判定演算法,係為用來判定特徵量彼此之類似與否所需之演算法。例如,判定演算法,係計算特徵量之距離。判定演算法,係將n維向量之特徵量彼此之距離,降維至所定維度(例如2維)之座標上,而計算2維座標資訊距離。認證部105,係基於所定維度之座標上之距離,而判定特徵量之類似與否。因此,無論比較對象的資訊是何種維度,都會被降維成所定維度之距離。The authentication unit 105 determines, based on a predetermined determination algorithm, whether the input feature value of the face is the same as or similar to the face feature value obtained by combining the registered first and second parts. , which is used for authentication. The determination algorithm is an algorithm required for determining whether or not the feature quantities are similar to each other. For example, the decision algorithm calculates the distance of the feature quantity. The determination algorithm is to reduce the distance between the feature quantities of the n-dimensional vector to the coordinates of a predetermined dimension (for example, 2-dimensional), and calculate the 2-dimensional coordinate information distance. The authentication unit 105 determines whether the feature quantities are similar or not based on the distance on the coordinates of the predetermined dimension. Therefore, no matter what dimension the information of the comparison object is, it will be reduced to the distance of the specified dimension.

[限制部] 限制部106,係以控制部11為主而被實現。限制部106,係限制彼此相同或類似的複數個第2部分之每一者,被與彼此相同或類似的DB號碼建立關連。限制部106,係對第2部分為彼此相同或類似的複數個使用者,限制彼此相同或類似的DB號碼被建立關連。在本實施形態中,由於是在登錄申請時進行限制,因此限制部106係限制,做了登錄申請之使用者之第2部分,被與和第2部分為相同或類似之其他使用者相同或類似的DB號碼建立關連。其他使用者,係為已經登錄了第1部分、第2部分、及DB號碼的使用者。[Restriction Department] The restriction unit 106 is realized mainly by the control unit 11 . The restriction unit 106 restricts each of a plurality of second parts that are the same or similar to each other from being associated with the same or similar DB numbers. The restriction unit 106 restricts the connection of the same or similar DB numbers to a plurality of users whose second part is the same or similar to each other. In this embodiment, since the restriction is performed at the time of registration application, the restriction unit 106 restricts the second part of the user who made the registration application to be the same or similar to other users who are the same or similar to the second part. Similar DB numbers establish associations. Other users are users who have already registered Part 1, Part 2, and DB numbers.

所謂限制,係為防止或禁止上記的關連建立被進行。在本實施形態中,限制部106,係為了使得彼此相同或類似的複數個第2部分之每一者,不會被與彼此相同或類似的DB號碼建立關連,而藉由決定使用者之DB號碼,以進行限制。The so-called restriction is to prevent or prohibit the establishment of the above-mentioned connection from being carried out. In this embodiment, the restricting unit 106 determines the user's DB by determining the user's DB so that each of the plurality of second parts that are the same or similar to each other is not associated with the same or similar DB numbers. number to limit.

限制部106,係許可彼此不同或不類似的複數個第2部分之每一者,被與彼此相同或類似的DB號碼建立關連。限制部106,係對第2部分為彼此不同或不類似的複數個使用者,許可彼此相同或類似的DB號碼被建立關連。因此,在1個第2部分資料庫DB1之中,會被登錄有複數個使用者的第2部分。The restriction unit 106 allows each of a plurality of second parts that are different or different from each other to be associated with the same or similar DB numbers. The restriction unit 106 permits the connection of the same or similar DB numbers to a plurality of users whose second part is different or different from each other. Therefore, the second part of a plurality of users is registered in one second part database DB1.

限制部106,係檢索未被與上記其他使用者的第2部分建立關連的DB號碼。限制部106,係檢索沒有第2部分是與做了登錄申請之使用者為相同或類似之其他使用者存在的DB號碼,決定成為做了登錄申請之使用者的DB號碼。The restriction unit 106 searches for the DB numbers that are not associated with the second part of the other users listed above. The restriction unit 106 searches for the DB number of another user whose second part is the same as or similar to the user who made the registration application, and determines the DB number of the user who made the registration application.

例如,限制部106,係在候補、與上記其他使用者之DB號碼為相同或類似的情況下,候補就不會設成做了登錄申請之使用者之DB號碼。例如,限制部106,係在候補、與上記其他使用者之DB號碼為不同或不類似的情況下,就將候補設成做了登錄申請之使用者之DB號碼。限制部106,係檢索並非第2部分是與做了登錄申請之使用者為相同或類似之其他使用者之DB號碼的候補,在有發現到此種候補的情況下,就決定成為是做了登錄申請之使用者的DB號碼。For example, in the restriction unit 106, if the DB number of the candidate is the same as or similar to that of the other user mentioned above, the candidate will not be set to the DB number of the user who has applied for registration. For example, the restriction unit 106 sets the candidate as the DB number of the user who has applied for registration when the candidate is different from or different from the DB numbers of the other users listed above. The restriction unit 106 searches for candidates whose DB numbers are the same or similar to the user who made the registration application in the second part, and when such a candidate is found, it is determined that the application is made. The DB number of the user who applied for registration.

在本實施形態中,由於是執行藉由類似性而決定成否的生物認證,因此限制部106係限制,彼此類似的第2部分之每一者,被與彼此相同的DB號碼建立關連。In the present embodiment, since biometric authentication based on similarity is performed, the restriction unit 106 restricts each of the second parts that are similar to each other to be associated with the same DB number.

限制部106,係基於與認證部105所利用之判定演算法相同的判定演算法,來判定彼此相同或類似的複數個第2部分是否存在。限制部106,係利用該判定演算法,將第2部分降維成所定維度之座標上之距離,判定是否有彼此相同或類似的複數個第2部分。在本實施形態中,該判定中會使用第2部分彼此之距離。若距離未滿閾值,則該判定係為肯定。若距離為閾值以上,則該判定係為否定。The restriction unit 106 determines whether or not a plurality of second parts that are the same or similar to each other exist based on the same determination algorithm as the determination algorithm used by the authentication unit 105 . The limiting unit 106 uses the determination algorithm to reduce the dimension of the second part to the distance on the coordinates of the predetermined dimension, and determines whether there are a plurality of the second parts that are the same or similar to each other. In this embodiment, the distance between the second parts is used for this determination. If the distance is less than the threshold, the determination is affirmative. If the distance is greater than or equal to the threshold, the determination is negative.

[處理執行部] 處理執行部107,係以控制部11為主而被實現。處理執行部107,係基於認證結果,而執行所定之處理。例如,處理執行部107,係在認證失敗的情況下,就不執行所定之處理,在認證成功的情況下,才執行所定之處理。所定之處理係為,在認證成功時才被許可執行的處理。在本實施形態中係說明,用來解除安全閘道SG之上鎖所需之處理是相當於所定之處理的情況,但所定之處理係可適用任意之處理。例如,所定之處理係可為:對伺服器或終端的登入處理、解除電腦之鎖定的處理、許可資料之瀏覽的處理、許可資料之寫入的處理、開閉自動門的處理、許可電子投票的處理、或許可公文之取得的處理。[Processing Execution Department] The processing execution unit 107 is realized mainly by the control unit 11 . The processing execution unit 107 executes predetermined processing based on the authentication result. For example, the processing execution unit 107 does not execute the predetermined processing when the authentication fails, and executes the predetermined processing only when the authentication succeeds. The predetermined processing is the processing that is permitted to be executed only when the authentication succeeds. In the present embodiment, the processing required for unlocking the security gateway SG is described as a case corresponding to the predetermined processing, but the predetermined processing can be applied to any processing. For example, the predetermined processing may be: processing of logging in to a server or terminal, processing of unlocking a computer, processing of permitting browsing of data, processing of permitting data writing, processing of opening and closing automatic doors, processing of permitting electronic voting Processing, or processing of permitting the acquisition of official documents.

[3-2.於使用者終端中所被實現的功能] 如圖8所示,在使用者終端20中係被實現有:資料記憶部200、第1取得部201、第2取得部202、受理部203、及送訊部204。[3-2. Functions implemented in the user terminal] As shown in FIG. 8 , a data storage unit 200 , a first acquisition unit 201 , a second acquisition unit 202 , a reception unit 203 , and a transmission unit 204 are implemented in the user terminal 20 .

[資料記憶部] 資料記憶部200,係以記憶部22為主而被實現。資料記憶部200,係記憶登錄申請及認證時所必須之資料。例如,資料記憶部200,係記憶使用者的臉部照片之資料。又例如,資料記憶部200,係記憶第1部分和DB號碼。[Data Memory Department] The data storage unit 200 is realized mainly by the storage unit 22 . The data storage unit 200 stores data necessary for registration application and authentication. For example, the data storage unit 200 stores data of the user's facial photo. For another example, the data storage unit 200 stores the first part and the DB number.

[第1取得部] 第1取得部201,係以控制部21為主而被實現。第1取得部201,係將臉部的特徵量之第1部分,加以取得。在本實施形態中,是藉由伺服器10的第1登錄部102來生成第1部分並發送至使用者終端20,因此第1取得部201係從伺服器10接收第1部分,並記錄至資料記憶部200。[Part 1 Acquisition] The first acquisition unit 201 is realized mainly by the control unit 21 . The first acquisition unit 201 acquires the first part of the feature value of the face. In this embodiment, since the first part is generated by the first registration unit 102 of the server 10 and sent to the user terminal 20, the first acquisition part 201 receives the first part from the server 10 and records it in Data storage unit 200 .

[第2取得部] 第2取得部202,係以控制部21為主而被實現。第2取得部202,係從臉部的特徵量之第2部分所被登錄的伺服器10,且為限制彼此相同或類似的複數個第2部分之每一者被與彼此相同或類似的DB號碼建立關連的伺服器10,取得DB號碼。在本實施形態中,由於是藉由伺服器10的限制部106來決定DB號碼,因此第2取得部202係從伺服器10接收DB號碼,並記錄至資料記憶部200。[Part 2 Acquisition] The second acquisition unit 202 is realized mainly by the control unit 21 . The second acquisition unit 202 is the server 10 registered from the second part of the feature value of the face, and is a DB that restricts each of a plurality of second parts that are the same or similar to each other from being the same or similar to each other The server 10 associated with the number acquires the DB number. In this embodiment, since the DB number is determined by the restriction unit 106 of the server 10 , the second acquisition unit 202 receives the DB number from the server 10 and records it in the data storage unit 200 .

[受理部] 受理部203,係以控制部21為主而被實現。受理部203,係受理各種輸入操作。例如,受理部203係受理對輸入表單F10的使用者ID之輸入操作。又例如,受理部203係受理對輸入表單F11的密碼之輸入操作。又例如,受理部203係受理對輸入表單F12的臉部照片之檔名等的輸入操作。此外,受理部203所受理的輸入操作係不限於這些,可受理其他各種輸入操作。[Reception Department] The reception unit 203 is realized mainly by the control unit 21 . The accepting unit 203 accepts various input operations. For example, the accepting part 203 accepts the input operation of the user ID of the input form F10. For another example, the accepting unit 203 accepts an input operation for the password of the input form F11. For another example, the accepting unit 203 accepts an input operation of the file name of the facial photograph of the input form F12, and the like. In addition, the input operation system accepted by the accepting unit 203 is not limited to these, and other various input operations can be accepted.

[送訊部] 送訊部204,係以控制部21為主而被實現。送訊部204,係基於已被受理部203所受理的輸入操作,而將用來進行登錄申請所需之資料予以發送。例如,送訊部204係基於對輸入表單F10~F12之各者的輸入操作,而將使用者ID、密碼、及臉部照片之資料予以發送。此外,送訊部204所發送的資料係不限於這些,亦可發送其他各種資料。[Communication Department] The transmission unit 204 is realized mainly by the control unit 21 . The transmission unit 204 transmits the data required for the registration application based on the input operation accepted by the reception unit 203 . For example, the transmission part 204 transmits the data of a user ID, a password, and a face photograph based on the input operation to each of the input forms F10-F12. In addition, the data transmitted by the transmission part 204 is not limited to these, and other various data may be transmitted.

例如,送訊部204,係在認證被進行的情況下,對認證裝置30,發送第1部分與DB號碼。認證裝置30,係為外部裝置之一例。因此,本實施形態中記載為認證裝置30的地方,係可替換成外部裝置。外部裝置,係只要是使用者終端20以外的裝置即可,亦可為認證裝置30以外之電腦。For example, the transmission unit 204 transmits the first part and the DB number to the authentication device 30 when authentication is performed. The authentication device 30 is an example of an external device. Therefore, what is described as the authentication device 30 in this embodiment can be replaced with an external device. The external device may be a device other than the user terminal 20 , and may be a computer other than the authentication device 30 .

送訊部204,係利用近距離無線通訊,而向用來取得所被輸入之臉部的特徵量所需之認證裝置30,發送第1部分。在本實施形態中,近距離無線通訊,係為可利用廣播封包(Advertising Packet)的通訊規格。送訊部,係利用廣播封包(Advertising Packet),來對認證裝置30發送第1部分。在本實施形態中,關於DB號碼也是利用廣播封包(Advertising Packet)而被發送。The transmission unit 204 transmits the first part to the authentication device 30 required for acquiring the feature value of the input face by using the short-range wireless communication. In this embodiment, the short-range wireless communication is a communication standard that can utilize advertising packets. The sending unit sends the first part to the authentication device 30 by using an advertising packet. In the present embodiment, the DB number is also transmitted using an advertising packet (Advertising Packet).

[3-3.於認證裝置中所被實現之功能] 如圖8所示,在認證裝置30中係被實現有:資料記憶部300、受理部301、送訊部302、及處理執行部303。此外,在本實施形態中雖然是說明,認證裝置30是被包含在認證系統S中的情況,但認證裝置30係亦可為可與認證系統S通訊的外部裝置。[3-3. Functions implemented in the authentication device] As shown in FIG. 8 , the authentication device 30 is implemented with a data storage unit 300 , a reception unit 301 , a transmission unit 302 , and a process execution unit 303 . In addition, in the present embodiment, the authentication device 30 is described as being included in the authentication system S, but the authentication device 30 may be an external device that can communicate with the authentication system S.

[資料記憶部] 資料記憶部300,係以記憶部32為主而被實現。資料記憶部300,係記憶認證時所必須之資料。例如,資料記憶部300係記憶著伺服器10的IP位址等之資訊。又例如,資料記憶部300係記憶著,用來令顯示部35顯示出各種畫面所需之資料(例如HTML資料或影像資料)。[Data Memory Department] The data storage unit 300 is realized mainly by the storage unit 32 . The data memory unit 300 is to memorize data necessary for authentication. For example, the data storage unit 300 stores information such as the IP address of the server 10 . For another example, the data storage unit 300 stores data (eg, HTML data or image data) required for the display unit 35 to display various screens.

[受理部] 受理部301,係以控制部31為主而被實現。受理部301,係受理輸入操作。輸入操作,係只要是認證時所必須之輸入操作即可,在本實施形態中,關於臉部認證係不需要使用者的輸入操作,因此受理部301係受理認證開始的操作等。[Reception Department] The reception unit 301 is realized mainly by the control unit 31 . The accepting unit 301 accepts an input operation. The input operation may be any input operation necessary for authentication. In this embodiment, the user's input operation is not required for face authentication. Therefore, the accepting unit 301 accepts an operation such as an authentication start.

此外,受理部301,係只要受理隨應於認證系統S中所利用之認證之種類的輸入操作即可,例如,在利用指紋認證的情況下,則受理使用者將手指放在相機等之上的輸入操作。又例如,在利用筆跡認證的情況下,則受理使用者在觸控面板等之上寫下文字的輸入操作。又例如,在利用密碼認證或密語認證的情況下,則受理部301係受理密碼或密語的輸入操作。In addition, the accepting unit 301 only needs to accept an input operation according to the type of authentication used in the authentication system S. For example, in the case of using fingerprint authentication, accept the user's finger on the camera or the like. input operation. For another example, in the case of using handwriting authentication, an input operation of writing characters on a touch panel or the like by the user is accepted. For another example, when password authentication or passphrase authentication is used, the accepting unit 301 accepts an input operation of the password or passphrase.

[送訊部] 送訊部302,係以控制部31為主而被實現。送訊部302,係對伺服器10的認證部105,發送從使用者終端20所接收到的第1部分。在本實施形態中,使用者終端20係不只發送第1部分就連DB號碼也會發送,因此送訊部302係將第1部分與DB號碼予以發送。送訊部302,係只要發送認證時所必須之資訊即可,例如亦將攝影部36所拍攝到的影像予以發送。送訊部302,係亦可將認證資訊本身予以發送,亦可將用來特定認證資訊所需之資訊予以發送。[Communication Department] The transmission unit 302 is realized mainly by the control unit 31 . The transmission unit 302 transmits the first part received from the user terminal 20 to the authentication unit 105 of the server 10 . In this embodiment, since the user terminal 20 transmits not only the first part but also the DB number, the transmission unit 302 transmits the first part and the DB number. The transmission unit 302 only needs to transmit the information necessary for authentication, for example, the image captured by the photographing unit 36 is also transmitted. The sending unit 302 can also send the authentication information itself, or send the information required for specifying the authentication information.

在本實施形態中係說明,認證部105是藉由伺服器10而被實現的情況,因此說明送訊部204係向伺服器10發送資料的情況,但若是藉由其他電腦來實現認證部105的情況下,則亦可向該當其他電腦發送資料。又,亦可在認證裝置30側計算臉部的特徵量,此情況下,送訊部302,係取代影像,而將該當所被計算出來的臉部的特徵量予以發送。In this embodiment, the case where the authentication unit 105 is realized by the server 10 is described, so the case where the transmission unit 204 transmits data to the server 10 will be described, but the authentication unit 105 is realized by another computer In the case of , it can also send the data to the other computer. In addition, the feature value of the face may be calculated on the authentication device 30 side, and in this case, the transmitting unit 302 transmits the feature value of the face thus calculated instead of the video.

此外,送訊部302,係只要發送隨應於認證系統S中所利用之認證之種類的資訊即可,例如,在指紋認證被利用的情況下,則送訊部302係亦可發送使用者的手指的影像,將根據影像所被計算出來的手指之特徵量予以發送。又例如,在利用筆跡認證的情況下,則送訊部302係亦可將使用者在觸控面板等之上寫下的文字之影像予以發送,亦可將表示觸碰位置之變化的座標資訊予以發送。又例如,在利用密碼認證或密語認證的情況下,則送訊部302係亦可將使用者所輸入的密碼或密語予以發送。In addition, the transmission unit 302 only needs to transmit the information corresponding to the type of authentication used in the authentication system S. For example, when fingerprint authentication is used, the transmission unit 302 may also transmit the information to the user. The image of the finger is transmitted, and the feature value of the finger calculated from the image is sent. For another example, in the case of using handwriting authentication, the transmission unit 302 may also transmit the image of the text written by the user on the touch panel or the like, and may also transmit the coordinate information indicating the change of the touch position. be sent. For another example, in the case of using password authentication or password authentication, the transmitting unit 302 may also transmit the password or password input by the user.

[處理執行部] 處理執行部303,係以控制部31為主而被實現。處理執行部303,係認證為成功的情況下,執行所定之處理。所定之處理的意思,係如同前述,是在認證成功的情況下才被許可執行的處理。在本實施形態中,在認證成功的情況下,安全閘道SG之上鎖會被解除,因此處理執行部303係在接收到表示認證成功的通知的情況下,藉由令上鎖機構的馬達做旋轉等而解除上鎖,在未接收到表示認證成功的通知的情況下,則不解除上鎖。[Processing Execution Department] The processing execution unit 303 is realized mainly by the control unit 31 . The process execution unit 303 executes a predetermined process when the authentication is successful. The predetermined processing means that, as described above, the processing is permitted to be executed only when the authentication is successful. In the present embodiment, when the authentication is successful, the lock of the security gateway SG is released. Therefore, when the processing execution unit 303 receives a notification indicating that the authentication is successful, the motor of the locking mechanism is activated by The lock is released by rotating or the like, and the lock is not released if the notification indicating that the authentication is successful is not received.

[4.於本實施形態中所被執行之處理] 接著說明,於認證系統S中所被執行之處理。此處,針對用來讓使用者登錄臉部照片所需之登錄處理,與用來讓使用者通過安全閘道SG所需之認證處理,加以說明。下記所說明的處理,係為被圖8所示之功能區塊所執行的處理之一例。[4. Processing performed in this embodiment] Next, the processing executed in the authentication system S will be described. Here, the registration processing required to allow the user to register the face photo and the authentication processing required to allow the user to pass through the security gateway SG will be described. The processing described below is an example of processing executed by the functional block shown in FIG. 8 .

[4-1.登錄處理] 圖10係為表示登錄處理之一例的流程圖。圖10所示的登錄處理,係藉由控制部11、21分別依照記憶部12、22中所被記憶之程式而動作,而被執行。此外,登錄處理被執行時,假設使用者是已經完成利用登錄,並且自己的使用者ID及密碼是已經發行。[4-1. Login process] FIG. 10 is a flowchart showing an example of a registration process. The registration process shown in FIG. 10 is executed when the control units 11 and 21 operate in accordance with the programs memorized in the memory units 12 and 22, respectively. In addition, when the login process is executed, it is assumed that the user has completed the use login and that his own user ID and password have been issued.

如圖10所示,使用者終端20,係向伺服器10進行存取,令登錄申請畫面G1被顯示於顯示部25(S1)。使用者終端20,係在按鈕B13已被選擇的情況下,則對伺服器10,將已被輸入至輸入表單F10~F12之各者中的資訊,予以發送(S2)。於S2中,使用者終端20係將已被使用者所輸入的使用者ID、密碼、及臉部照片之影像資料,予以發送。As shown in FIG. 10, the user terminal 20 accesses the server 10, and causes the login application screen G1 to be displayed on the display unit 25 (S1). When the button B13 has been selected, the user terminal 20 transmits, to the server 10, the information that has been input into each of the input forms F10 to F12 (S2). In S2, the user terminal 20 transmits the image data of the user ID, the password, and the facial photo that have been input by the user.

伺服器10係一旦從使用者終端20接收到使用者ID等,就基於使用者資料庫DB2、和已接收之使用者ID及密碼,來進行密碼認證(S3)。在密碼認證失敗的情況下(S3;失敗),伺服器10係對使用者終端20,發送所定之錯誤訊息(S4),本處理係結束。此情況下,使用者的登錄申請就不被受理。When the server 10 receives the user ID and the like from the user terminal 20, it performs password authentication based on the user database DB2 and the received user ID and password (S3). When the password authentication fails (S3; failure), the server 10 transmits a predetermined error message to the user terminal 20 (S4), and this process ends. In this case, the user's login application will not be accepted.

另一方面,密碼認證為成功的情況下(S3;成功),伺服器10係基於S3中所接收到的臉部照片,而計算做了登錄申請之使用者的臉部的特徵量(S5)。於S5中,伺服器10係偵測臉部的零件的相對位置等,而計算臉部的特徵量。伺服器10,係將所計算出來的特徵量,分割成第1部分與第2部分。On the other hand, when the password authentication is successful (S3; success), the server 10 calculates the feature value of the face of the user who has applied for the login based on the facial photograph received in S3 (S5) . In S5, the server 10 detects the relative positions of the parts of the face, etc., and calculates the feature amount of the face. The server 10 divides the calculated feature amount into a first part and a second part.

伺服器10,係基於已被預先決定的演算法,而生成DB號碼的候補(S6)。於S6中,伺服器10係將既存之DB號碼之中的任意1者,選擇作為候補。在S6之時點上亦可生成新的DB號碼來作為候補,但由於第2部分資料庫DB1有可能變成大量,因此在本實施形態中是說明,在S6之時點上,是從既存之DB號碼之中來做選擇的情況。The server 10 generates a DB number candidate based on a predetermined algorithm (S6). In S6, the server 10 selects any one of the existing DB numbers as a candidate. At the time of S6, a new DB number can also be generated as a candidate, but since the second part database DB1 may become a large number, it is explained in this embodiment that at the time of S6, the existing DB number is used. to make a choice among them.

伺服器10,係參照S6中所生成之候補所示的第2部分資料庫DB1,判定與S5中所計算出來的特徵量之第2部分相同或類似的第2部分是否存在(S7)。於S7中,伺服器10係計算,所參照的第2部分資料庫DB1之各紀錄中所被儲存之第2部分,與S5中所計算出來的特徵量之第2部分的距離。例如,該距離係基於前述的判定演算法,而被降維成所定維度之距離。若有該距離未滿閾值的紀錄存在,則S7的判定係為肯定。若沒有該距離未滿閾值的紀錄存在,則S7的判定係為否定。The server 10 refers to the second part database DB1 indicated by the candidate generated in S6, and determines whether a second part identical to or similar to the second part of the feature quantity calculated in S5 exists (S7). In S7, the server 10 calculates the distance between the second part stored in each record of the referenced second part database DB1 and the second part of the feature quantity calculated in S5. For example, the distance is reduced to a distance of a predetermined dimension based on the aforementioned determination algorithm. If there is a record in which the distance is less than the threshold value, the determination of S7 is affirmative. If there is no record whose distance is less than the threshold, the determination of S7 is negative.

在判定為有與S5中所計算出來的特徵量之第2部分相同或類似的第2部分存在的情況下(S7;Y),則回到S6之處理,生成別的候補。若既存的所有DB號碼都已經被生成作為候補的情況下,則伺服器10係生成新的DB號碼來作為候補。此情況下,就會生成新的第2部分資料庫DB1。When it is determined that there is a second part that is the same as or similar to the second part of the feature amount calculated in S5 (S7; Y), the process returns to S6 to generate another candidate. When all existing DB numbers have already been generated as candidates, the server 10 generates new DB numbers as candidates. In this case, a new Part 2 database DB1 is created.

在並非判定為有與S5中所計算出來的特徵量之第2部分相同或類似的第2部分存在的情況下(S7;N),伺服器10係將現狀之候補,決定成為要與S5中所計算出來的特徵量之第2部分建立關連的DB號碼(S8),並在該DB號碼的第2部分資料庫DB1中,儲存S5中所計算出來的特徵量之第2部分(S9)。When it is not determined that there is a second part that is the same as or similar to the second part of the feature amount calculated in S5 ( S7 ; N), the server 10 decides the current candidate to be the same as or similar to the second part in S5 The second part of the calculated feature quantity is associated with a DB number (S8), and the second part of the feature quantity calculated in S5 is stored in the second part database DB1 of the DB number (S9).

伺服器10,係對使用者終端20,發送含有S5中所計算出來的特徵量之第1部分、與S8中所決定之DB號碼的完成通知(S10)。完成通知,係藉由發送所定形式之資料而被進行,例如假設還含有已被登錄之臉部照片。The server 10 transmits, to the user terminal 20, a completion notification including the first part of the feature amount calculated in S5 and the DB number determined in S8 (S10). Completion notification is performed by sending information in a predetermined form, for example, if it also contains a registered face photo.

伺服器10,係在使用者資料庫DB2中,登錄使用者的臉部照片、臉部的特徵量、及S8中所決定之DB號碼(S11)。於S11中,伺服器10係在使用者資料庫DB2之中,在做了登錄申請之使用者的使用者ID所被儲存之紀錄中,儲存S3中所接收到的臉部照片、S5中所計算出來的特徵量之第2部分、及S8中所決定之DB號碼。The server 10 registers the user's facial photograph, the facial feature, and the DB number determined in S8 in the user database DB2 (S11). In S11, the server 10 is stored in the user database DB2, and in the record of the user ID of the user who made the login application, the facial photo received in S3, the facial photo received in S5, The second part of the calculated feature quantity and the DB number determined in S8.

使用者終端20,係一旦接收完成通知,就將完成通知中所含之第1部分與DB號碼,記錄至記憶部22記錄(S12),令登錄完成畫面G2被顯示於顯示部25(S13),本處理係結束。於S13中,使用者終端20係令完成通知中所含之臉部照片,被顯示於登錄完成畫面G2。特徵量之第1部分與DB號碼,係不被顯示於登錄完成畫面G2。以後,使用者就變成可以通過安全閘道SG。The user terminal 20, upon receiving the completion notification, records the first part and the DB number included in the completion notification in the memory unit 22 (S12), and causes the registration completion screen G2 to be displayed on the display unit 25 (S13) , this process ends. In S13, the user terminal 20 causes the facial photograph included in the completion notification to be displayed on the login completion screen G2. The first part of the feature value and the DB number are not displayed on the registration completion screen G2. After that, the user becomes able to pass through the safe gateway SG.

[4-2.認證處理] 圖11係為表示認證處理之一例的流程圖。圖11所示的認證處理,係藉由控制部11、21、31分別依照記憶部12、22、32中所被記憶之程式而動作,而被執行。此外,假設認證處理被執行時,登錄處理是已經完成。[4-2. Authentication processing] FIG. 11 is a flowchart showing an example of authentication processing. The authentication process shown in FIG. 11 is executed when the control units 11, 21, and 31 operate in accordance with the programs memorized in the memory units 12, 22, and 32, respectively. Furthermore, it is assumed that the login process is already completed when the authentication process is executed.

如圖11所示,使用者終端20,係利用近距離無線通訊,將記憶部22中所被記憶之第1部分與DB號碼予以發送(S20)。於S20中,使用者終端20,係在廣播封包(Advertising Packet)中儲存第1部分與DB號碼,並向周圍發送。假設通訊部23的電源係事前就已經打開。通訊部23的電源為關閉的情況下,亦可隨應於使用者之操作而打開電源,亦可利用GPS之位置資訊等而使電源自動打開。As shown in FIG. 11, the user terminal 20 transmits the first part and the DB number memorized in the memory unit 22 by using short-range wireless communication (S20). In S20, the user terminal 20 stores the first part and the DB number in the advertising packet, and transmits it to the surroundings. It is assumed that the power supply of the communication unit 23 has been turned on in advance. When the power of the communication part 23 is turned off, the power may be turned on according to the operation of the user, or the power may be turned on automatically by using the position information of GPS and the like.

認證裝置30,係利用近距離無線通訊,將從使用者終端20所被發送過來的第1部分與DB號碼,予以接收(S21)。於S21中,認證裝置30,係將已接收之第1部分與DB號碼,記錄至記憶部32。第1部分與DB號碼,係在任意之時序上,被從記憶部32抹除。該時序係為:認證已成功的情況、經過了一定時間的情況、或用近距離無線通訊已經接收不到特徵量之第1部分與DB號碼的情況等。The authentication device 30 receives the first part and the DB number transmitted from the user terminal 20 by using short-range wireless communication (S21). In S21 , the authentication device 30 records the received first part and the DB number in the memory unit 32 . The first part and the DB number are erased from the memory unit 32 at an arbitrary time sequence. This sequence is a case where authentication has succeeded, a case where a certain period of time has elapsed, or a case where the first part of the feature quantity and the DB number have not been received by the short-range wireless communication.

認證裝置30,係基於攝影部36的偵測訊號,而取得影像(S22)。認證裝置30,係對伺服器10,發送含有第1部分、DB號碼、及影像的認證要求(S23)。認證要求,係藉由發送所定形式之資料而被進行,例如假設還含有認證裝置30的識別資訊等。The authentication device 30 acquires an image based on the detection signal of the imaging unit 36 (S22). The authentication device 30 transmits an authentication request including the first part, the DB number, and the video to the server 10 (S23). The authentication request is performed by sending data in a predetermined form, for example, it is assumed that the authentication device 30 also contains identification information and the like.

伺服器10,係一旦接收到認證要求,就將認證要求中所含之DB號碼的第2部分資料庫DB1中所被登錄之第2部分,加以取得(S24)。在該第2部分資料庫DB1之中,若已被登錄有複數個第2部分的情況下,則伺服器10係將這些複數個第2部分全部加以取得。Upon receiving the authentication request, the server 10 acquires the second part registered in the second part database DB1 of the DB number included in the authentication request (S24). In the second-part database DB1, when a plurality of second parts are already registered, the server 10 acquires all of the plurality of second parts.

伺服器10係生成,將認證要求中所含之第1部分、和S24中所取得之第2部分予以結合而成的特徵量(S25)。於S25中,伺服器10係針對S24中所取得之每一第2部分,分別將認證要求中所含之第1部分與該當第2部分進行結合以取得特徵量。在有複數個第2部分被取得的情況下,則所被結合之特徵量係為,所被取得的第2部分之數量有多少,就會被生成多少個。The server 10 generates a feature amount obtained by combining the first part included in the authentication request and the second part acquired in S24 (S25). In S25, for each second part obtained in S24, the server 10 combines the first part included in the authentication request with the corresponding second part to obtain the feature quantity. In the case where a plurality of second parts are acquired, the combined feature amount is the number of generated second parts depending on the number of acquired second parts.

伺服器10係基於認證要求中所含之影像,而計算臉部的特徵量(S26)。於S26中,伺服器10係和S5之處理同樣地,計算臉部的特徵量。The server 10 calculates the feature value of the face based on the image included in the authentication request (S26). In S26, the server 10 calculates the feature value of the face in the same way as the process of S5.

伺服器10,係基於S25中所生成之特徵量、與S26中所計算出來的特徵量,而進行認證(S27)。於S27中,伺服器10係計算S25中所生成之特徵量、與S26中所計算出來之特徵量的距離。在S25中所生成之特徵量之中,若有該距離為未滿閾值者存在,則認證係為成功。若沒有該距離未滿閾值者存在,則認證係為失敗。S27的判定演算法,係與S7的判定演算法相同。The server 10 performs authentication based on the feature amount generated in S25 and the feature amount calculated in S26 (S27). In S27, the server 10 calculates the distance between the feature amount generated in S25 and the feature amount calculated in S26. Among the feature quantities generated in S25, if there is a person whose distance is less than the threshold, the authentication is successful. If there is no one whose distance is less than the threshold, the authentication is a failure. The determination algorithm of S27 is the same as the determination algorithm of S7.

在認證失敗的情況下(S27;失敗),伺服器10係對認證裝置30發送錯誤訊息(S28),本處理係結束。此情況下,認證裝置30的顯示部35中係會顯示錯誤訊息,向使用者通知認證不成功。When the authentication fails (S27; failure), the server 10 transmits an error message to the authentication device 30 (S28), and the present process ends. In this case, an error message is displayed on the display unit 35 of the authentication device 30 to notify the user that the authentication was unsuccessful.

另一方面,在認證成功的情況下(S27;成功),伺服器10係對認證裝置30發送表示認證已成功的成功通知(S29)。成功通知,係藉由發送所定形式之資料而被進行,含有認證成功的使用者的姓名。On the other hand, when the authentication succeeds (S27; success), the server 10 transmits a success notification indicating that the authentication has succeeded to the authentication device 30 (S29). Successful notification is performed by sending information in the form specified, containing the name of the user who has successfully authenticated.

於認證裝置30中,係一旦接收到成功通知,則控制部31就解除安全閘道SG的上鎖(S30),本處理係結束。使用者,係確認自己的姓名被顯示在顯示部35中,推開安全閘道的門而通過。此外,此情況下,亦可在伺服器10中保留使用者的姓名或現在日期時間等之資訊作為通行記錄。In the authentication apparatus 30, when the success notification is received, the control part 31 releases the lock|rock of the safety gate SG (S30), and this process is complete|finished. The user confirms that his name is displayed on the display unit 35, pushes open the door of the security gate, and passes through. In addition, in this case, information such as the user's name or the current date and time can also be retained in the server 10 as a travel record.

若依據本實施形態的認證系統S,則限制彼此相同或類似的複數個第2部分之每一者,被與彼此相同或類似的DB號碼建立關連,藉此可防止冒充,提高安全性。又,由於不需要在使用者終端20中登錄像是使用者ID這類重要的資訊,因此可避免該資訊洩漏的風險,就這點來說也可提高安全性。即使使用者終端20的DB號碼發生洩漏,也只要編號成其他的DB號碼即可解決,不需要變更使用者ID,可提升使用者的便利性。又,藉由將臉部的特徵量做分散管理,可防止臉部的特徵量之洩漏所致之安全性降低。According to the authentication system S of the present embodiment, each of a plurality of second parts that are the same or similar to each other is restricted from being associated with the same or similar DB numbers, thereby preventing impersonation and improving security. In addition, since important information such as the user ID does not need to be registered in the user terminal 20, the risk of leakage of the information can be avoided, and the security can also be improved in this regard. Even if the DB number of the user terminal 20 is leaked, it can be solved by simply numbering it to another DB number, and it is not necessary to change the user ID, which improves the convenience of the user. In addition, by distributing and managing the facial feature data, it is possible to prevent a decrease in safety due to leakage of the facial feature data.

又,認證系統S,係許可彼此不同或不類似的複數個第2部分之每一者,被與彼此相同或類似的DB號碼建立關連,藉此可防止DB號碼變得過多(第2部分資料庫DB1變得過多),可削減伺服器10的記憶體消耗量。又,藉由抑制第2部分資料庫DB1的增加,可簡化資料庫的管理。又,可防止DB號碼的耗盡。Also, the authentication system S allows each of a plurality of second parts that are different or dissimilar to each other to be associated with the same or similar DB numbers to each other, thereby preventing the DB numbers from becoming excessive (Part 2 data The library DB1 becomes too large), the memory consumption of the server 10 can be reduced. Furthermore, by suppressing the increase of the second partial database DB1, the management of the database can be simplified. Also, the exhaustion of DB numbers can be prevented.

又,認證系統S,係限制做了登錄申請之使用者的第2部分,被與和第2部分為相同或類似之其他使用者相同或類似的DB號碼建立關連,藉此可防止做了登錄申請之使用者冒充成已登錄之其他使用者,以及防止已登錄之其他使用者冒充成做了登錄申請之使用者,可提高安全性。Also, the authentication system S restricts the second part of the user who has applied for registration from being associated with the same or similar DB number as other users who are the same or similar to the second part, thereby preventing the registration. The user who applies for the application pretends to be another logged-in user, and prevents other logged-in users from pretending to be the user who has made the login application, which can improve security.

又,認證系統S,係檢索尚未與其他使用者之第2部分建立關連的DB號碼,並對做了登錄申請之使用者的第2部分,將已被檢索到的DB號碼建立關連而登錄,藉此可防止冒充,提高安全性。例如,在未新發行DB號碼的情況下,可有效活用既存之DB號碼,可削減伺服器10的記憶體消耗量。In addition, the authentication system S searches for the DB number that has not yet been associated with the second part of the other user, and associates the retrieved DB number with the second part of the user who has applied for registration, and registers it, This prevents impersonation and improves security. For example, when the DB number is not newly issued, the existing DB number can be effectively used, and the memory consumption of the server 10 can be reduced.

又,認證系統S,係在DB號碼的候補、與其他使用者的DB號碼為相同或類似的情況下,則該候補係不會設成做了登錄申請之使用者的DB號碼。認證系統S,係在DB號碼的候補、與其他使用者的DB號碼為不同或不類似的情況下,則將該候補設成做了登錄申請之使用者的DB號碼。藉此,可賦予能夠確實防止冒充的DB號碼,可提高安全性。Furthermore, in the authentication system S, if the DB number candidate is the same as or similar to the DB number of another user, the candidate will not be set as the DB number of the user who applied for registration. In the authentication system S, when the DB number candidate is different from or not similar to the DB numbers of other users, the candidate is set as the DB number of the user who has applied for registration. Thereby, it is possible to assign a DB number that can surely prevent impersonation, and it is possible to improve security.

又,認證系統S,係基於所被輸入之臉部的特徵量及DB號碼、與使用者終端20的第1部分、與伺服器10的第2部分及DB號碼,來進行認證,藉此可防止冒充,提高安全性。又,藉由在伺服器10與使用者終端20間將臉部的特徵量做分散管理,可防止臉部的特徵量之洩漏所致之安全性降低。In addition, the authentication system S performs authentication based on the input feature value and DB number of the face, the first part of the user terminal 20, and the second part of the server 10 and the DB number, whereby it is possible to Prevent impersonation and improve security. Furthermore, by distributing the management of the facial feature data between the server 10 and the user terminal 20, it is possible to prevent a decrease in security due to leakage of the facial feature data.

又,認證系統S,係在使用者終端20中登錄第1部分與DB號碼,並將使用者終端20中所被登錄之DB號碼,輸入至伺服器10,藉此可省去使用者輸入DB號碼的麻煩,可提高認證時的使用者的便利性。又,可正確地特定出使用者的第2部分所被儲存的第2部分資料庫DB1,也可提高認證的正確性。In the authentication system S, the first part and the DB number are registered in the user terminal 20, and the DB number registered in the user terminal 20 is input to the server 10, thereby eliminating the need for the user to input the DB. The trouble of the number can improve the convenience of the user at the time of authentication. In addition, the second part database DB1 in which the second part of the user is stored can be accurately specified, and the accuracy of authentication can also be improved.

又,認證系統S,係利用近距離無線通訊,向用來取得所被輸入之臉部的特徵量所需之認證裝置30,發送第1部分,並對伺服器10,發送從使用者終端20所接收到的第1部分,藉此可省去將第1部分發送至認證裝置30的麻煩,可提高認證時的使用者的便利性。In addition, the authentication system S transmits the first part to the authentication device 30 required for acquiring the feature value of the input face by using short-range wireless communication, and transmits the first part to the server 10 from the user terminal 20 The received first part can thereby save the trouble of transmitting the first part to the authentication device 30, thereby improving the convenience of the user at the time of authentication.

又,認證系統S,係利用廣播封包(Advertising Packet),來對認證裝置30發送第1部分,藉此可不進行配對就發送第1部分,可提高使用者的便利性。例如,即便使用者將使用者終端20放在口袋或皮包裡頭不取出,仍可將第1部分發送至認證裝置30。因此,即便使用者將使用者終端20放在口袋或皮包裡頭不取出,仍可使認證成功。又,藉由利用廣播封包(Advertising Packet),也可抑制使用者終端20的消耗電力。In addition, the authentication system S transmits the first part to the authentication device 30 by using an advertising packet, so that the first part can be sent without pairing, and the convenience of the user can be improved. For example, even if the user does not take out the user terminal 20 in a pocket or a purse, the first part can be sent to the authentication device 30 . Therefore, even if the user puts the user terminal 20 in a pocket or a purse and does not take it out, the authentication can still be successful. Furthermore, by using the advertising packet, the power consumption of the user terminal 20 can also be suppressed.

又,認證系統S係可提高,基於所被輸入之臉部的特徵量與所被結合之臉部的特徵量的類似性,和所被輸入之DB號碼與伺服器10之DB號碼的同一性而被進行之認證的安全性。Further, the authentication system S can be improved based on the similarity between the input feature value of the face and the feature value of the combined face, and the identity of the input DB number and the DB number of the server 10. and the security of the authentication being performed.

又,認證系統S,係基於藉由所被輸入之DB號碼而被識別的第2部分資料庫DB1中所被登錄之第2部分,而取得所被結合之臉部的特徵量,藉此可提高安全性。Furthermore, the authentication system S acquires the feature value of the combined face based on the second part registered in the second part database DB1 identified by the inputted DB number, and thereby can Improve security.

又,認證系統S係為,認證是基於第1部分、與藉由檢索資訊而被檢索到之第2部分的生物認證,因此可提高生物認證的安全性。In addition, the authentication system S is based on the biometric authentication based on the first part and the second part retrieved by the search information, so that the security of the biometric authentication can be improved.

又,認證系統S係藉由將S7與S27的判定演算法設成相同,因此在伺服器10中不必記錄複數種判定演算法,可效率良好地進行處理。In addition, since the authentication system S makes the determination algorithms of S7 and S27 the same, it is not necessary to record a plurality of determination algorithms in the server 10, and it can process efficiently.

[5.變形例] 此外,本揭露係不限定於以上說明的實施形態。在不脫離本揭露之宗旨的範圍內,可做適宜變更。[5. Modifications] In addition, the present disclosure is not limited to the embodiment described above. Appropriate changes may be made within the scope of not departing from the purpose of this disclosure.

例如,在實施形態中,雖然是舉出讓使用者通過安全閘道SG的場面為例,但認證系統S係亦可適用於讓使用者購入商品或是利用服務的場面。此情況下,例如,認證裝置30係為自動販賣機、售票機、POS終端、或店舖中的支付終端。使用者,係一旦認證成功,就會執行結帳處理,而可購入商品、或利用服務等等。For example, in the embodiment, the scene where the user is allowed to pass through the security gateway SG is taken as an example, but the authentication system S is also applicable to the scene where the user is allowed to purchase goods or use services. In this case, the authentication device 30 is, for example, a vending machine, a ticket machine, a POS terminal, or a payment terminal in a store. When the user is authenticated successfully, the checkout process is executed, and the user can purchase goods, use services, and the like.

在本變形例中,亦可為,先在使用者資料庫DB2中登錄結帳資訊,處理執行部係在某個使用者的認證為成功的情況下,就基於該使用者的結帳資訊來執行結帳處理。結帳處理之際所被參照的結帳資訊,係為認證成功之使用者所被建立關連對應到的結帳資訊。In this modification, the checkout information may be registered in the user database DB2 first, and the processing execution unit may, when the authentication of a certain user succeeds, based on the checkout information of the user Perform checkout processing. The checkout information that is referred to during the checkout process is the checkout information corresponding to the connection established for the user who has successfully authenticated.

結帳資訊,係為進行結帳時所必須之資訊,例如:***資訊、電子額值(例如電子貨幣或點數)的帳號資訊、虛擬通貨的帳號資訊、銀行戶頭資訊、或簽帳卡資訊等。結帳資訊,係在使用者登錄時等所被登錄,例如,在使用者資料庫DB2中,與使用者ID建立關連而儲存結帳資訊。此外,結帳資訊係亦可被儲存在,與使用者資料庫DB2不同的資料庫中。Billing information, which is the information necessary for billing, such as credit card information, account information of electronic value (such as electronic money or points), account information of virtual currency, bank account information, or charge card information Wait. The checkout information is registered when the user logs in, for example, in the user database DB2, the checkout information is stored in association with the user ID. In addition, the billing information can also be stored in a database different from the user database DB2.

伺服器10,係只要執行相應於結帳資訊的結帳處理即可,例如執行:基於***資訊的授信處理、令電子額值之餘額減少的處理、令虛擬通貨之餘額減少的處理、從銀行戶頭扣款或匯款的處理、或令簽帳卡資訊所示之戶頭之餘額減少的處理等。處理執行部,係在臉部認證或通行碼認證之任一方為失敗的情況下就不執行結帳處理,在臉部認證與通行碼認證為成功的情況下才執行結帳處理。The server 10 only needs to execute the checkout process corresponding to the checkout information, for example, execute the credit extension process based on the credit card information, the process of reducing the balance of the electronic value, the process of reducing the balance of the virtual currency, and the Processing of account debits or remittances, or processing of reducing the balance of the account indicated by the charge card information, etc. The process execution unit does not execute the checkout process when either the face authentication or the passcode authentication fails, and executes the checkout process only when the face authentication and the passcode authentication are successful.

結帳處理已被執行的情況下,在認證裝置30的顯示部35或店舖之終端等,會顯示該意旨,使用者係可收取商品、或利用服務等等。例如,若認證裝置30是被設置在店舖等中的電子看板裝置的情況下,則一旦從伺服器10接收到認證成功通知,就令表示認證成功的訊息被顯示在顯示部35。店舖的工作人員係一旦確認該當訊息,就向使用者交付商品或提供服務。此外,訊息亦可並非顯示在認證裝置30,而是轉送至店舖的工作人員所操作的終端等之其他電腦而被顯示。又例如,若認證裝置30是自動販賣機,則一旦從伺服器10接收到認證成功通知,認證裝置30就會將使用者所指定之商品予以排出,或是調理咖啡或速食食品等之商品等等。When the checkout process has been executed, the display unit 35 of the authentication device 30 or the terminal of the store or the like will display that information, and the user can receive goods, use services, and the like. For example, when the authentication device 30 is an electronic signage device installed in a store or the like, upon receiving the authentication success notification from the server 10 , a message indicating that the authentication is successful is displayed on the display unit 35 . Once the store staff confirms the appropriate information, they will deliver the product or provide the service to the user. In addition, the message may not be displayed on the authentication device 30, but may be transferred to another computer such as a terminal operated by a staff member of the store and displayed. For another example, if the authentication device 30 is an automatic vending machine, once the authentication success notification is received from the server 10, the authentication device 30 will discharge the product specified by the user, or prepare products such as coffee or instant food. and many more.

若依據以上說明的變形例,則可防止冒充成其他使用者而進行結帳、不法購入商品或利用服務等等,可充分提高商品之購入時或服務之利用時的安全性。According to the modification described above, it is possible to prevent the user pretending to be another user to perform checkout, illegally purchase goods or use services, etc., and can sufficiently improve the security at the time of purchase of goods or use of services.

又例如,雖然舉出使用者進行登錄申請的場面為例,但在DB號碼被再發行的場面中,亦可執行同樣的處理。此情況下,使用者終端20中所被登錄之DB號碼,就被改寫成再發行的DB號碼。使用者的第2部分,係被登錄至已被再發行之DB號碼的第2部分資料庫DB1中,而在舊的DB號碼的第2部分資料庫DB1中,使用者的第2部分係被抹除。又例如,伺服器10,係亦可參照使用者資料庫DB2,以取得與認證要求中所含之DB號碼建立關連的第2部分。此情況下,第2部分被取得後的處理之流程,係和實施形態中所說明的相同。For another example, although the scene where the user makes a login application is taken as an example, the same processing can be performed in the scene where the DB number is reissued. In this case, the DB number registered in the user terminal 20 is rewritten to the reissued DB number. The user's part 2 is registered in the part 2 database DB1 of the reissued DB number, and in the part 2 database DB1 of the old DB number, the user's part 2 is Erase. For another example, the server 10 can also refer to the user database DB2 to obtain the second part associated with the DB number included in the authentication request. In this case, the flow of processing after the second part is acquired is the same as that described in the embodiment.

又例如,雖然說明了第1資訊係為臉部的特徵量,第2資訊係為DB號碼的情況,但第1資訊和第2資訊亦可為其他資訊。例如,亦可為,第1資訊是臉部的特徵量,第2資訊是通行碼。此情況下,就變成會進行臉部認證與通行碼認證的2階段認證。使用者,係對使用者終端20或認證裝置30輸入通行碼,進行通行碼認證。伺服器10,係對第2部分為彼此相同或類似的複數個使用者,限制成不要賦予相同的通行碼。For another example, although the case where the first information is the feature value of the face and the second information is the DB number has been described, the first information and the second information may be other information. For example, the first information may be a feature value of a face, and the second information may be a pass code. In this case, it becomes a two-stage authentication of face authentication and passcode authentication. The user inputs the passcode to the user terminal 20 or the authentication device 30 to perform passcode authentication. The server 10 is restricted not to assign the same passcode to a plurality of users whose second part is the same or similar to each other.

又例如,亦可為,第1資訊是密碼,第2資訊是密語。此情況下,就變成會進行密碼認證與密語認證的2階段認證。密碼係在伺服器10與使用者終端20間被分散管理。使用者係對使用者終端20或認證裝置30輸入密碼和密語,進行密碼認證和密語認證。伺服器10係對密碼的第2部分為彼此相同或類似的複數個使用者,限制成不要賦予相同的密語。For another example, the first information may be a password, and the second information may be a password. In this case, the two-stage authentication of password authentication and passphrase authentication is performed. Passwords are distributed and managed between the server 10 and the user terminal 20 . The user inputs a password and a passphrase to the user terminal 20 or the authentication device 30, and performs password authentication and passphrase authentication. The server 10 restricts the second part of the password to a plurality of users who are the same or similar to each other so as not to give the same password.

又例如,亦可為,認證裝置30係為不存在,而是從使用者終端20對伺服器10,直接發送第1部分與DB號碼。此情況下,使用者終端20,係在認證被進行的情況下,利用攝影部26拍攝使用者的臉部。使用者終端20,係對伺服器10,將自身中所被登錄之第1部分及DB號碼,與攝影部26所拍攝到的影像,予以發送。伺服器10接收到這些之後的處理之流程,係如同實施形態中所說明。一旦認證成功,則伺服器10係對使用者終端20,發送成功通知。使用者終端20,係一旦接收到成功通知,就執行所定之處理。該處理係可為任意的處理,例如對使用者終端20的登入處理或結帳處理等。For another example, the authentication device 30 may not exist, but the first part and the DB number may be directly transmitted from the user terminal 20 to the server 10 . In this case, the user terminal 20 uses the photographing unit 26 to photograph the user's face when authentication is performed. The user terminal 20 transmits, to the server 10, the first part and the DB number registered in the user terminal 20 and the image captured by the imaging unit 26. The flow of processing after the server 10 receives these is as described in the embodiment. Once the authentication is successful, the server 10 sends a success notification to the user terminal 20 . The user terminal 20 executes predetermined processing upon receiving the success notification. The processing may be any processing, such as login processing and checkout processing with respect to the user terminal 20, for example.

又例如,雖然說明了主要功能是由伺服器10來實現的情況,但各功能係亦可被複數台電腦所分擔。例如,亦可由伺服器10、使用者終端20、及認證裝置30之各者來分擔功能。例如,認證處理亦可不是在伺服器10中被執行,而是在使用者終端20或認證裝置30中被執行。又例如,認證系統S是含有複數台伺服器電腦的情況下,則亦可由這些複數台伺服器電腦來分擔功能。又例如,作為被資料記憶部100所記憶而說明的資料,係亦可被伺服器10以外之電腦所記憶。For another example, although the case where the main functions are realized by the server 10 has been described, each function may be shared by a plurality of computers. For example, functions may be shared by each of the server 10 , the user terminal 20 , and the authentication device 30 . For example, the authentication process may be executed not in the server 10 but in the user terminal 20 or the authentication device 30 . For another example, when the authentication system S includes a plurality of server computers, the functions may be shared by the plurality of server computers. For another example, the data described as being memorized by the data storage unit 100 may also be memorized by a computer other than the server 10 .

N:網路 S:認證系統 10:伺服器 11:控制部 12:記憶部 13:通訊部 20:使用者終端 21:控制部 22:記憶部 23:通訊部 24:操作部 25:顯示部 26:攝影部 30:認證裝置 31:控制部 32:記憶部 33:通訊部 34:操作部 35:顯示部 36:攝影部 G1:登錄申請畫面 G2:登錄完成畫面 SG:安全閘道 100:資料記憶部 101:受理部 102:第1登錄部 103:生成部 104:第2登錄部 105:認證部 106:限制部 107:處理執行部 200:資料記憶部 201:第1取得部 202:第2取得部 203:受理部 204:送訊部 300:資料記憶部 301:受理部 302:送訊部 303:處理執行部 DB1:第2部分資料庫 DB2:使用者資料庫N: network S: Authentication System 10: Server 11: Control Department 12: Memory Department 13: Communications Department 20: User terminal 21: Control Department 22: Memory Department 23: Communications Department 24: Operation Department 25: Display part 26: Photography Department 30: Authentication device 31: Control Department 32: Memory Department 33: Communications Department 34: Operation Department 35: Display part 36: Photography Department G1: Login application screen G2: Login complete screen SG: Safe Gateway 100: Data Memory Department 101: Reception Department 102: 1st Registration Section 103: Generation Department 104: Part 2 Registration 105: Certification Department 106: Restriction Department 107: Processing Execution Department 200: Data Memory Department 201: Part 1 Acquired 202: Part 2 Acquisition 203: Reception Department 204: Communication Department 300: Data Memory Department 301: Reception Department 302: Communication Department 303: Processing Execution Department DB1: Part 2 Database DB2:User database

[圖1]認證系統之全體構成的圖示。 [圖2]認證系統所被利用之場面之一例的圖示。 [圖3]登錄申請畫面之一例的圖示。 [圖4]登錄完成畫面之一例的圖示。 [圖5]認證系統中的認證之流程的圖示。 [圖6]冒充會成為可能之情況之一例的圖示。 [圖7]登錄申請時的處理之一例的圖示。 [圖8]本實施形態的認證系統中所被實現的功能之一例的功能區塊圖。 [圖9]使用者資料庫的資料儲存例的圖示。 [圖10]登錄處理之一例的流程圖。 [圖11]認證處理之一例的流程圖。[FIG. 1] A diagram showing the overall configuration of the authentication system. [Fig. 2] A diagram showing an example of a scene in which the authentication system is used. [ Fig. 3 ] An illustration of an example of a login application screen. [ Fig. 4 ] An illustration of an example of a login completion screen. [FIG. 5] An illustration of the flow of authentication in the authentication system. [Fig. 6] An illustration of an example of a situation where impersonation is possible. [ Fig. 7 ] A diagram showing an example of processing at the time of registration application. [ Fig. 8] Fig. 8 is a functional block diagram of an example of functions implemented in the authentication system of the present embodiment. [FIG. 9] A diagram of a data storage example of the user database. [ Fig. 10 ] A flowchart of an example of registration processing. [ Fig. 11 ] A flowchart of an example of authentication processing.

10:伺服器 10: Server

20:使用者終端 20: User terminal

30:認證裝置 30: Authentication device

100:資料記憶部 100: Data Memory Department

101:受理部 101: Reception Department

102:第1登錄部 102: 1st Registration Section

103:生成部 103: Generation Department

104:第2登錄部 104: Part 2 Registration

105:認證部 105: Certification Department

106:限制部 106: Restriction Department

107:處理執行部 107: Processing Execution Department

200:資料記憶部 200: Data Memory Department

201:第1取得部 201: Part 1 Acquired

202:第2取得部 202: Part 2 Acquisition

203:受理部 203: Reception Department

204:送訊部 204: Communication Department

300:資料記憶部 300: Data Memory Department

301:受理部 301: Reception Department

302:送訊部 302: Communication Department

303:處理執行部 303: Processing Execution Department

DB1:第2部分資料庫 DB1: Part 2 Database

DB2:使用者資料庫 DB2:User database

Claims (17)

一種認證系統,係含有:第1登錄手段,係用以將第1資訊之第1部分,登錄至第1裝置;和第2登錄手段,係用以將前記第1資訊之第2部分,與第2資訊建立關連而登錄至第2裝置;和認證手段,係用以基於前記第1部分、前記第2部分、及前記第2資訊,而進行認證;和限制手段,係用以限制彼此相同或類似的複數個前記第2部分之每一者,被與彼此相同或類似的前記第2資訊建立關連。 An authentication system comprising: a first registration means for registering a first part of the first information to a first device; and a second registration means for registering the second part of the first information mentioned above with The second information is connected to the second device; and the authentication means is used to perform authentication based on the first part of the preceding paragraph, the second part of the preceding paragraph, and the second information of the preceding paragraph; and the restriction means is used to restrict the same Each of a plurality of the second part of the preamble, or similar, is associated with the same or similar second part of the preamble to each other. 如請求項1所記載之認證系統,其中,前記限制手段,係判定彼此相同或類似的前記複數個第2部分是否存在,並限制被判定為彼此相同或類似的前記複數個第2部分之每一者,被與彼此相同或類似的前記第2資訊建立關連。 The authentication system according to claim 1, wherein the pre-restriction means is to determine whether a plurality of the second parts of the pre-mentioned that are the same or similar to each other exist, and restrict each of the plurality of the second parts of the pre-notation that are determined to be the same or similar to each other. One is associated with the same or similar second information in the preceding paragraph. 如請求項1或2所記載之認證系統,其中,前記限制手段,係許可彼此不同或不類似的複數個前記第2部分之每一者,被與彼此相同或類似的前記第2資訊建立關連。 The authentication system as set forth in claim 1 or 2, wherein the aforementioned restriction means allows each of a plurality of aforementioned second parts that are different or different from each other to be associated with the same or similar aforementioned second information . 如請求項1或2所記載之認證系統,其中,前記認證系統係還含有:受理手段,係用以受理所定 之登錄申請;前記限制手段,係限制做了前記登錄申請之使用者之前記第2部分,被與和前記第2部分為相同或類似之其他使用者相同或類似的前記第2資訊建立關連。 The authentication system as described in claim 1 or 2, wherein the aforementioned authentication system further includes: an acceptance means for accepting the predetermined The above-mentioned registration application; the aforesaid restriction means, is to restrict the user who has made the aforesaid registration application Part 2 of the preceding paragraph from being associated with the same or similar information of the first paragraph 2 of other users who are the same or similar to the second part of the preceding paragraph. 如請求項4所記載之認證系統,其中,前記限制手段,係檢索未被與前記其他使用者之前記第2部分建立關連的第2資訊;前記第2登錄手段,係對做了前記登錄申請之使用者之前記第2部分,將已被檢索到的前記第2資訊建立關連而登錄。 The authentication system as set forth in claim 4, wherein the aforesaid restriction means is to retrieve the second information that is not related to the second part of the preceding description of other users; The second part of the user's previous record is associated with the second information of the previous record that has been retrieved and registered. 如請求項4所記載之認證系統,其中,前記認證系統係還含有:生成手段,係用以生成做了前記登錄申請之使用者的前記第2資訊之候補;前記限制手段,係在前記候補、和前記其他使用者的前記第2資訊為相同或類似的情況下,則前記候補係不被視為做了前記登錄申請之使用者的前記第2資訊;在前記候補、和前記其他使用者的前記第2資訊為不同或不類似的情況下,則將前記候補視為做了前記登錄申請之使用者的前記第2資訊。 The authentication system as set forth in claim 4, wherein the aforementioned authentication system further comprises: generating means for generating a candidate for the aforementioned second information of the user who has applied for the aforementioned registration; the aforementioned restricting means for generating the aforementioned candidate , In the case of the same or similar information as the first-mentioned second information of other users in the preceding paragraph, the first-mentioned candidate is not regarded as the first-mentioned second information of the user who has applied for the preceding-mentioned registration; If the second information of the preceding paragraph is different or dissimilar, the second information of the preceding paragraph will be regarded as the second preceding paragraph information of the user who has applied for the preceding paragraph registration. 如請求項1或2所記載之認證系統,其中,前記第1裝置係為使用者終端;前記第2裝置係為伺服器; 前記認證手段,係基於所被輸入之前記第1資訊及前記第2資訊、和前記使用者終端之前記第1部分、和前記伺服器之前記第2部分及前記第2資訊,而進行前記認證。 The authentication system according to claim 1 or 2, wherein the first device mentioned above is a user terminal; the second device mentioned above is a server; The prescriptive authentication means performs prescriptive authentication based on the inputted prescriptive first information and prescriptive second information, prescriptive user terminal prescriptive part 1, prescriptive server prescriptive part 2 and prescriptive second information . 如請求項7所記載之認證系統,其中,前記第1登錄手段,係在前記使用者終端中,登錄前記第1部分與前記第2資訊;所被輸入之前記第2資訊,係為前記使用者終端中所被登錄之前記第2資訊。 The authentication system as described in claim 7, wherein the first registration means of the preceding paragraph is in the user terminal of the preceding paragraph, and the first part of the preceding paragraph and the second information of the preceding paragraph are registered; the inputted second preceding paragraph information is used for the preceding paragraph. The second information is recorded before being registered in the user terminal. 如請求項7所記載之認證系統,其中,前記使用者終端,係利用近距離無線通訊,而向用來取得所被輸入之前記第1資訊所需之認證裝置,發送前記第1部分;前記認證裝置,係對前記認證手段,發送從前記使用者終端所接收到的前記第1部分。 The authentication system according to claim 7, wherein the user terminal of the preceding paragraph transmits the first part of the preceding paragraph to an authentication device required for obtaining the inputted first preceding paragraph information by using short-range wireless communication; The authentication device transmits the first part of the preamble received from the preamble user terminal to the preamble authentication means. 如請求項9所記載之認證系統,其中,前記近距離無線通訊,係為可利用廣播封包(Advertising Packet)的通訊規格;前記使用者終端,係利用前記廣播封包(Advertising Packet),來對前記認證裝置發送前記第1部分。 The authentication system as described in claim 9, wherein, the aforementioned short-range wireless communication is a communication specification that can utilize advertising packets; The authentication device sends the first part of the preamble. 如請求項1或2所記載之認證系統,其中,前記認證手段,係將前記第1裝置中所被登錄之前記第1部分、和前記第2裝置中所被登錄之前記第2部分加以結合而取得前記第1 資訊;基於所被輸入之前記第1資訊與所被結合之前記第1資訊的類似性,和所被輸入之前記第2資訊與前記第2裝置之前記第2資訊的同一性,而進行前記認證;前記限制手段,係限制彼此類似的前記第2部分之每一者,被與彼此相同的前記第2資訊建立關連。 The authentication system according to claim 1 or 2, wherein the authentication means described above is a combination of the first part registered in the first device and the second part registered in the second device. And get the first record information; based on the similarity of the entered pre-entry 1 information and the combined pre-entry 1 information, and the identity of the entered pre-entry 2 information and the pre-entry 2 device pre-entry 2 information, the pre-entry is performed Authentication; aforesaid restriction means to restrict each of the aforesaid second parts that are similar to each other from being associated with each other's same aforesaid second part information. 如請求項11所記載之認證系統,其中,前記第2裝置中所被記憶之複數個資料庫之每一者中,被登錄有複數個使用者之每一者之前記第2部分;前記第2資訊係為前記資料庫的識別資訊;前記認證手段,係基於藉由所被輸入之前記第2資訊而被識別的前記資料庫中所被登錄之前記第2部分,而取得所被結合之前記第1資訊。 The authentication system according to claim 11, wherein in each of the plurality of databases memorized in the second device of the preceding paragraph, each of the plurality of users is registered in the preceding paragraph 2; 2 information is the identification information of the pre-record database; pre-record authentication means is based on the registered pre-record 2 part in the pre-record database identified by the entered pre-record 2 information, and obtains the combined data. The first information in the preamble. 如請求項1或2所記載之認證系統,其中,前記第1資訊係為生物資訊;前記第2資訊係為,用來檢索前記第2裝置中所被登錄之前記第2部分所需之檢索資訊;前記認證係為,基於前記第1部分、和藉由前記檢索資訊而被檢索到之前記第2部分的生物認證。 The authentication system according to claim 1 or 2, wherein the first information of the preceding paragraph is biometric information; the second information of the preceding paragraph is a retrieval required for the retrieval of the second part of the preceding paragraph registered in the second device of the preceding paragraph Information; Prescriptive authentication is biometric authentication based on Prescriptive Part 1 and the Prescriptive Part 2 that is retrieved by prescriptive search information. 如請求項1或2所記載之認證系統,其中,前記認證手段,係基於所定之判定演算法,而判定所被輸入之前記第1資訊、與所被登錄之前記第1部分及前記 第2部分所結合而成的前記第1資訊是否相同或類似,藉此而進行前記認證;前記限制手段,係基於與前記判定演算法相同的判定演算法,而判定彼此相同或類似的前記複數個第2部分是否存在。 The authentication system according to claim 1 or 2, wherein the preamble authentication means is based on a predetermined determination algorithm to determine the input preamble first information, and the registered preamble part 1 and preamble The aforesaid first information combined in the second part is the same or similar, and the aforesaid authentication is carried out. Whether a Part 2 exists. 如請求項14所記載之認證系統,其中,前記第1資訊係為第1維度之向量;前記第2部分係為,較前記第1維度還低的第2維度之向量;前記認證手段,係將前記第1維度之向量也就是前記第1資訊彼此之距離,降維至較前記第1維度及前記第2維度還低的第3維度之座標上,藉由計算該當第3維度之座標上的距離,而進行前記認證;前記限制手段,係將前記第2維度之向量也就是前記第2部分彼此之距離,降維至前記第3維度之座標上,藉由計算該當第3維度之座標上的距離,以判定彼此相同或類似的前記複數個第2部分是否存在。 The authentication system as described in claim 14, wherein, the first information in the preceding paragraph is a vector of the first dimension; the second part in the preceding paragraph is a vector in the second dimension lower than the first dimension in the preceding paragraph; the authentication means in the preceding paragraph is a vector in the second dimension Reduce the vector of the first dimension of the preceding paragraph, that is, the distance between the first information of the preceding paragraph, to the coordinates of the third dimension lower than the first dimension of the preceding paragraph and the second dimension of the preceding paragraph, by calculating the coordinates of the third dimension. The distance of the previous note is verified, and the prescriptive verification is carried out; the prescriptive restriction method is to reduce the vector of the second dimension of the previous note, that is, the distance between the second part of the previous note, to the coordinates of the third dimension of the previous note. By calculating the coordinates of the third dimension to determine whether there are multiple second parts of the preamble that are identical or similar to each other. 一種認證方法,係藉由電腦而執行:第1登錄步驟,係用以將第1資訊之第1部分,登錄至第1裝置;和第2登錄步驟,係用以將前記第1資訊之第2部分,與第2資訊建立關連而登錄至第2裝置;和認證步驟,係用以基於前記第1部分、前記第2部分、及前記第2資訊,而進行認證;和 限制步驟,係用以限制彼此相同或類似的複數個前記第2部分之每一者,被與彼此相同或類似的前記第2資訊建立關連。 An authentication method is performed by a computer: a first login step is used to register a first part of the first information to a first device; and a second login step is used to register the first part of the first information Part 2, to log in to the second device by establishing an association with the second information; and an authentication step for performing authentication based on the first part of the preamble, the part 2 of the preamble, and the second information of the preamble; and The restricting step is for restricting each of the plurality of prescriptive second parts that are identical or similar to each other from being associated with the prescriptive second information that is identical or similar to each other. 一種程式產品,係用來使電腦發揮功能而成為:第1登錄手段,係用以將第1資訊之第1部分,登錄至第1裝置;第2登錄手段,係用以將前記第1資訊之第2部分,與第2資訊建立關連而登錄至第2裝置;認證手段,係用以基於前記第1部分、前記第2部分、及前記第2資訊,而進行認證;限制手段,係用以限制彼此相同或類似的複數個前記第2部分之每一者,被與彼此相同或類似的前記第2資訊建立關連。 A program product is used to make a computer function and becomes: a first registration means, which is used to register the first part of the first information to a first device; a second registration means, which is used to register the first information mentioned above. The second part of the device is associated with the second information to log in to the second device; the authentication means is used to perform authentication based on the first part of the preamble, the second part of the preamble, and the second part of the preamble; the restriction means is used In order to restrict each of the plurality of prescriptive second parts that are the same or similar to each other from being associated with the prescriptive second information that is the same or similar to each other.
TW110110322A 2020-03-26 2021-03-23 Authentication systems, authentication methods, and program products TWI776436B (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
PCT/JP2020/013707 WO2021192150A1 (en) 2020-03-26 2020-03-26 Authentication system, user terminal, authentication method, and program
WOPCT/JP2020/013707 2020-03-26

Publications (2)

Publication Number Publication Date
TW202139036A TW202139036A (en) 2021-10-16
TWI776436B true TWI776436B (en) 2022-09-01

Family

ID=76918316

Family Applications (1)

Application Number Title Priority Date Filing Date
TW110110322A TWI776436B (en) 2020-03-26 2021-03-23 Authentication systems, authentication methods, and program products

Country Status (3)

Country Link
JP (1) JP6907426B1 (en)
TW (1) TWI776436B (en)
WO (1) WO2021192150A1 (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2000123178A (en) * 1998-10-20 2000-04-28 Mitsubishi Electric Corp Fingerprint collating device
JP2002312317A (en) * 2001-04-11 2002-10-25 Casio Comput Co Ltd Certification system and certification method
CN110637300A (en) * 2018-04-25 2019-12-31 谷歌有限责任公司 Delayed two-factor authentication in a networked environment
US20200076802A1 (en) * 2015-10-15 2020-03-05 Id.Me, Inc. Systems and methods for secure online credential authentication

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP2116950B1 (en) * 2006-12-25 2014-10-22 Fujitsu Limited Authentication device, authentication method, and authentication program

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2000123178A (en) * 1998-10-20 2000-04-28 Mitsubishi Electric Corp Fingerprint collating device
JP2002312317A (en) * 2001-04-11 2002-10-25 Casio Comput Co Ltd Certification system and certification method
US20200076802A1 (en) * 2015-10-15 2020-03-05 Id.Me, Inc. Systems and methods for secure online credential authentication
CN110637300A (en) * 2018-04-25 2019-12-31 谷歌有限责任公司 Delayed two-factor authentication in a networked environment

Also Published As

Publication number Publication date
WO2021192150A1 (en) 2021-09-30
JP6907426B1 (en) 2021-07-21
JPWO2021192150A1 (en) 2021-09-30
TW202139036A (en) 2021-10-16

Similar Documents

Publication Publication Date Title
US10846996B2 (en) Registry verification for a mechanized store using radio frequency tags
JP5458597B2 (en) Verification device and authentication device
JP6757861B1 (en) Authentication system, authentication method, and program
JP7090008B2 (en) Identity verification support device and identity verification support method
TWI754964B (en) Authentication system, authentication device, authentication method, and program product
TWI804900B (en) Authentication system, authentication method and program product
TWI762065B (en) Authentication system, authentication device, authentication method, and program product
JP7295319B2 (en) Authentication system, authentication method, and program
TWI776436B (en) Authentication systems, authentication methods, and program products
TWI771819B (en) Authentication system, authentication device, authentication method, and program product
US20240256640A1 (en) Authentication system, authentication device, authentication method and program
JP2023039447A (en) Program, system and information processing method
JP2020060845A (en) Print system and print terminal

Legal Events

Date Code Title Description
GD4A Issue of patent certificate for granted invention patent