CN110572395B - Identity verification method and system - Google Patents
- Publication number: CN110572395B
- Application number: CN201910850991.5A
- Authority
- CN
- China
- Prior art keywords
- client
- http request
- equipment
- user
- information
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Classifications
- H—ELECTRICITY
  - H04—ELECTRIC COMMUNICATION TECHNIQUE
    - H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
      - H04L63/00—Network architectures or network communication protocols for network security
        - H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
          - H04L63/083—Network architectures or network communication protocols for network security for authentication of entities using passwords
            - H04L63/0838—Network architectures or network communication protocols for network security for authentication of entities using passwords using one-time-passwords
          - H04L63/0876—Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
      - H04L67/00—Network arrangements or protocols for supporting network services or applications
        - H04L67/01—Protocols
          - H04L67/02—Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
Abstract
The invention discloses an identity authentication method suitable for execution in a proxy server, where the proxy server is connected over networks to a client and to a back-end server, and the client is either a mobile terminal or a web terminal. The method comprises: receiving an HTTP request from the client; when the client is a web terminal, verifying the dynamic password in the HTTP request and, if the dynamic password passes verification, forwarding the HTTP request to the back-end server for identity verification; and when the client is a mobile terminal, verifying the device information in the HTTP request and, if the device is bound, forwarding the HTTP request to the back-end server for identity verification. With this scheme, the user experience can be improved while the security of application access is improved.
Description
Technical Field
The invention relates to the technical field of security authentication, in particular to an identity verification method and an identity verification system.
Background
The office mailbox is an important communication tool for daily work of enterprise staff, and mail contents can contain many business sensitive information and business secrets, so that the safety guarantee of mailbox application is very important.
A commonly used mailbox security measure is to protect employee mailbox accounts through an account policy and the mailbox's ACL (access control list, which filters packets on an interface according to configured conditions and allows them through or discards them): for example, a password of high complexity is enforced, the password must be changed periodically, the mailbox server is opened only to the intranet, and access from the extranet requires dialling into a VPN (virtual private network). This approach has the following disadvantages. First, user experience is sacrificed: a user accessing the mailbox from home must first dial into the VPN, and passwords must be changed regularly and may not be reused, which undoubtedly reduces staff efficiency. Second, the security is not high: even a complex password can leak through a network disk or other channels, and even if it is not leaked that way, it can still be compromised by credential stuffing (library collision), brute-force cracking and similar attacks. Moreover, many enterprise business systems share single sign-on with the mailbox system, so if the mailbox password leaks, the other business systems fall with it.
For these problems of the mailbox login system, an identity authentication mechanism is needed that takes into account both the security of the mailbox system and the user experience.
Disclosure of Invention
To this end, the present invention provides an authentication method in an attempt to solve or at least alleviate at least one of the problems identified above.
According to an aspect of the present invention, an identity authentication method is provided, which is suitable for being executed in a proxy server, wherein the proxy server is respectively connected with a client and a back-end server through networks, and the client can be a mobile terminal or a webpage terminal. In the method, first, an HTTP request of a client is received. And when the client is a webpage end, verifying the dynamic password in the HTTP request, and sending the HTTP request to a back-end server for identity verification under the condition that the dynamic password passes the verification. And when the client is a mobile terminal, verifying the equipment information in the HTTP request, and sending the HTTP request to a back-end server for identity verification under the condition that the equipment is bound.
Optionally, in the above method, it is determined whether the client IP in the HTTP request is within a preset local area network. And judging whether the client IP is allowed to be accessed or not under the condition that the client IP is not in the preset local area network. And prompting the user to input a user name, a password and a dynamic password under the condition that the client IP is allowed to access.
Optionally, in the above method, it is determined whether the IP is allowed to access based on a preset IP blocking time, an IP access time period, and an IP maximum access frequency.
Optionally, in the above method, the device information includes a device ID, a device status, a device type, a device identification code, a device connection network, a user's cell phone number of the device, and an internet service provider.
Optionally, in the above method, it is determined based on the device ID whether the mobile terminal is sending the HTTP request for the first time. If the device is sending the HTTP request for the first time, the network the device is connected to is checked. If the network the device is connected to is the preset local area network, the device is bound; otherwise the HTTP request is intercepted.
Optionally, in the above method, the device information is saved in a cache and the device status is set to inactive.
Optionally, in the above method, it is determined whether the device status is activated. When the device status is activated, the HTTP request is not intercepted and the user logs in or accesses the resource directly; when the device status is not activated, the device is activated; when the device status is blocked, the HTTP request is intercepted.
Optionally, in the above method, the frequency of device activation is detected and, when it is below a first preset frequency, an activation code is generated. The activation code is sent to the user's mobile phone number, and the sent activation code is then deleted. A prompt short message is generated based on a second preset frequency and sent to the user's mobile phone number.
Optionally, in the above method, the HTTP request further includes a request instruction, and request instructions that request returned data, together with the corresponding returned data, may be filtered.
According to another aspect of the invention, an identity verification system is also provided, which comprises a client, a proxy server, a back-end server and a cache. The client is suitable for sending HTTP requests of users. The proxy server is suitable for receiving the HTTP request sent by the client, when the client is a webpage end, the dynamic password in the HTTP request is verified, when the dynamic password passes the verification, the HTTP request is sent to the back-end server for identity verification, when the client is a mobile end, the equipment information in the HTTP request is verified, and when the equipment is bound, the HTTP request is sent to the back-end server for identity verification. The back-end server is suitable for receiving the HTTP request sent by the proxy server, verifying the client information in the HTTP request and returning response information to the client. The cache is adapted to store client information.
According to the scheme, when a user accesses an application such as an enterprise mailbox through an external network, the dynamic password is verified in the proxy server at first, if the dynamic password is not verified, the HTTP request is intercepted directly, and if the dynamic password is verified, the identity is verified in a one-time verification mode through the password and the dynamic password; when a user accesses the enterprise mailbox through the intranet for the first time, the equipment and the application are bound, and identity verification is carried out based on the state of the equipment. Therefore, the scheme can ensure the safety of application access and simultaneously improve the user experience.
Drawings
To the accomplishment of the foregoing and related ends, certain illustrative aspects are described herein in connection with the following description and the annexed drawings, which are indicative of various ways in which the principles disclosed herein may be practiced, and all aspects and equivalents thereof are intended to be within the scope of the claimed subject matter. The above and other objects, features and advantages of the present disclosure will become more apparent from the following detailed description read in conjunction with the accompanying drawings. Throughout this disclosure, like reference numerals generally refer to like parts or elements.
FIG. 1 shows a schematic block diagram of an authentication system 100 according to an embodiment of the invention;
FIG. 2 shows a schematic flow diagram of an authentication method 200 according to one embodiment of the invention;
FIG. 3 is a diagram illustrating a web page-side mailbox login interface according to one embodiment of the present invention;
FIG. 4 shows a schematic diagram of a hint information according to one embodiment of the present invention.
Detailed Description
Exemplary embodiments of the present disclosure will be described in more detail below with reference to the accompanying drawings. While exemplary embodiments of the present disclosure are shown in the drawings, it should be understood that the present disclosure may be embodied in various forms and should not be limited to the embodiments set forth herein. Rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the scope of the disclosure to those skilled in the art.
Token-based identity authentication methods generally include the following steps: the client requests login with a user name and password; on receiving the request, the server verifies the user name and password; after successful verification the server issues a token and sends it to the client; the client stores the token, for example in a cookie or in memory, and carries it on every subsequent request for a resource; the server verifies the token carried in each request, returns the requested data if verification succeeds, and requires re-authentication if the token has expired. In this method the user name and password are verified first and the dynamic password only afterwards, which is unfavourable to user experience and leaves a high risk of brute-force attack. The present scheme therefore provides an identity verification method in which a one-time authentication of password and dynamic password together is used for web-end requests, and device binding and activation is used for mobile-end requests, so that both user experience and access security can be improved.
Fig. 1 shows a schematic structural diagram of an authentication system 100 according to an embodiment of the present invention. As shown in fig. 1, the authentication system 100 includes one or more clients 110, a proxy server 120, a back-end server 130, and a cache 140. The proxy server 120 is respectively connected with the client 110 and the backend server 130 via networks, and is adapted to receive the HTTP request from the client 110, verify request information in the HTTP request, and send the HTTP request to the backend server 130 if the verification is passed. According to an embodiment of the invention, the proxy server can be configured in advance, and the proxy server can be used for capturing packets of the login operation of the user to obtain the request information. The client 110 may be a web page terminal of a web browser, an email, and instant messaging software, or may be an app application installed in a mobile terminal such as a mobile phone. Specifically, the proxy server 120 may verify the dynamic password in the HTTP request when the client is a web page, and send the HTTP request to the backend server for identity verification when the verification passes; and under the condition that the client is the mobile terminal, verifying the equipment information of the mobile terminal, and under the condition that the equipment is bound, sending the HTTP request to a back-end server for identity verification. The cache 140 is adapted to store client information, which may include authentication information submitted by a user, device information, network information, etc., to facilitate the proxy server to match the client information in the HTTP request with pre-stored information for authentication.
Fig. 2 shows a schematic flow diagram of an authentication method 200 according to an embodiment of the invention. As shown in fig. 2, the method starts at step S210, in which an HTTP request from a client is received.
An HTTP request is a client's request to a server to access a resource. It consists of a request method, a URL, request headers and a request body. The request method may be any of GET, POST, PUT, HEAD, OPTIONS, DELETE and TRACE; POST is usually used when user authentication information is submitted. The URL fully identifies the network resource to be accessed, and the request headers carry information about the client and about the request body. For example, the request headers of an HTTP request from the web end carry a User-Agent attribute whose value begins with "Mozilla", and whether the client is the mobile end or the web end can be determined by keyword matching on it. The request body may contain the data or query string submitted by the client, for example "username & password & 1234". According to an embodiment of the invention, when logging in to the mailbox page an Ajax login request can be sent that submits the user name (username), the password, the dynamic password and a random verification code (captchaCode) required for login:
// jQuery: read the login form fields before submitting the Ajax login request
var username = $('.login_box#Account').val();
var password = $('.login_box#Password').val();
var captchaCode = $('.login_box#Capcode').val();
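The proxy's first job, as described above, is to take the raw request apart and decide from the User-Agent whether it came from the web end or the mobile end. The following is an added example of that step (not code from the patent): a small request parser plus keyword-based client classification. The keyword list, the URL paths, the host name and both sample requests are constructed for this example; the page only states that keyword matching is used.

```python
"""Parse a raw HTTP login request and classify the client from its User-Agent.

Added example. The keyword list, paths and sample requests are constructed;
they are not taken from the patent text.
"""
from urllib.parse import parse_qs

# Assumed keyword list; the page only says keyword matching on User-Agent is used.
MOBILE_UA_KEYWORDS = ("android", "iphone", "ipad", "mobile")


def parse_http_request(raw: bytes) -> dict:
    """Split a raw request into method, URL, HTTP version, headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, url, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()   # header names are case-insensitive
    return {"method": method, "url": url, "version": version,
            "headers": headers, "body": body.decode("utf-8", "replace")}


def classify_client(req: dict) -> str:
    """'mobile' if the User-Agent carries a mobile keyword, otherwise 'web'."""
    ua = req["headers"].get("user-agent", "").lower()
    return "mobile" if any(k in ua for k in MOBILE_UA_KEYWORDS) else "web"


def login_fields(req: dict) -> dict:
    """Form fields of a POST login body (first value per key); empty for other methods."""
    if req["method"].upper() != "POST":
        return {}
    return {k: v[0] for k, v in parse_qs(req["body"]).items()}


# Constructed sample requests, not captured traffic.
WEB_LOGIN = (
    b"POST /login HTTP/1.1\r\n"
    b"Host: mail.example.com\r\n"
    b"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/118.0\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"\r\n"
    b"username=alice&password=s3cret&dynamicPassword=123456&captchaCode=ab12"
)
MOBILE_SYNC = (
    b"POST /sync?Cmd=Options&DeviceId=D1 HTTP/1.1\r\n"
    b"Host: mail.example.com\r\n"
    b"User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 16_0 like Mac OS X) Mobile/15E148\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    for raw in (WEB_LOGIN, MOBILE_SYNC):
        req = parse_http_request(raw)
        print(req["method"], req["url"], classify_client(req), sorted(login_fields(req)))
```

Both sample User-Agents begin with "Mozilla", which is why the page's remark that the value starts with Mozilla is not by itself enough to separate the two ends; the keyword match on the rest of the string is what decides.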
subsequently, in step S220, when the client is a web page, the dynamic password in the HTTP request is verified, and if the dynamic password passes the verification, the HTTP request is sent to the backend server for identity verification.
According to one embodiment of the invention, the HTTP request message can be analyzed, the user name and the dynamic password are obtained from the HTTP request message, and whether the HTTP request message is legal or not is verified by calling the OTP one-time dynamic password interface. For example, the client and the backend server may agree on a key in advance, and the backend server and the client each have a counter and synchronize count values in advance. When the dynamic password is verified, the combination of the secret key and the counter is used by the client to generate a one-time dynamic password by using a dynamic password generation algorithm. Part of the code for dynamic password verification may be as follows:
specifically, the client generates and encrypts a dynamic password by using a dynamic password generation algorithm, and transmits an encryption result to the proxy server. And the proxy server calculates the dynamic password of the user according to the current time, decrypts the received response string by using the password, compares the decryption result with the hash value of the calculation result, if the decryption result is the same as the hash value of the calculation result, the authentication is successful, and otherwise, the authentication fails. The user can download the dynamic password authentication application program to the mobile terminal, and input the dynamic password received by the mobile terminal into the webpage end login interface for authentication.
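The two paragraphs above describe a shared key with synchronised counters (the counter-based case) and a variant computed from the current time (the time-based case). The page's own code for this step did not survive extraction, so the following is an added example, not the patent's code: it implements the standard HMAC-based one-time password (HOTP, RFC 4226) and its time-based form (TOTP, RFC 6238) on the proxy side, with a constant-time comparison and a counter that advances past each accepted code so a captured code cannot be replayed. The look-ahead window, time skew and test key are assumptions for the example; the page's own exchange (client encrypts, proxy decrypts and compares against a hash) is not reproduced here.

```python
"""Proxy-side verification of counter-based (HOTP) and time-based (TOTP) dynamic passwords.

Added example using RFC 4226 / RFC 6238; the look-ahead window and skew are assumed values.
"""
import hashlib
import hmac
import struct
import time
from typing import Optional


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(key: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """TOTP: HOTP with the counter derived from Unix time."""
    return hotp(key, at // step, digits)


class OtpVerifier:
    """State the proxy keeps for one user: the agreed key and the synchronised counter."""

    def __init__(self, key: bytes, look_ahead: int = 3):
        self.key = key
        self.counter = 0            # next expected counter value, synchronised with the client
        self.look_ahead = look_ahead

    def verify_hotp(self, code: str) -> bool:
        """Accept the next `look_ahead` counter values to tolerate client drift.
        On success the counter moves past the used value, so the same code is rejected afterwards."""
        for c in range(self.counter, self.counter + self.look_ahead + 1):
            if hmac.compare_digest(hotp(self.key, c), code):
                self.counter = c + 1
                return True
        return False

    def verify_totp(self, code: str, now: Optional[int] = None, step: int = 30, skew: int = 1) -> bool:
        """Time-based check: compare against the current time step and `skew` neighbours on each side."""
        at = int(time.time()) if now is None else now
        idx = at // step
        return any(hmac.compare_digest(hotp(self.key, idx + d), code)
                   for d in range(-skew, skew + 1))


if __name__ == "__main__":
    # RFC 4226 test key; a real deployment provisions a random per-user secret.
    key = b"12345678901234567890"
    v = OtpVerifier(key)
    print(hotp(key, 0), v.verify_hotp(hotp(key, 0)), v.verify_hotp(hotp(key, 0)))  # second use is rejected
```

The check runs entirely in the proxy with the shared secret; the dynamic password never needs to reach the back-end server, which matches the page's placement of this step before the request is forwarded.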
According to one embodiment of the invention, before the dynamic password is verified, the client IP in the HTTP request is checked: it is determined whether the client IP lies within a preset local area network and whether it is allowed to access. The local area network, i.e. the intranet, provides functions such as file management, application software sharing and printer sharing. Its network resources are reached through a common gateway; addresses from which those resources cannot be reached through that gateway belong to the extranet. The following code may be used to determine whether the client IP is within the preset LAN:
If the client IP is not in the preset local area network, it is determined whether the client IP is allowed to access, and if so the user is prompted to enter a user name, a password and a dynamic password. For example, an IP blacklist or whitelist may be configured in advance to identify and filter user IPs: no IP on the blacklist may access the current resource, whereas with a whitelist only the listed IPs may access it. According to an embodiment of the present invention, the decision may be based on a preset IP blocking time, an IP access time period, a maximum access frequency, and the like. If the client's access time falls outside the preset IP access time period, access fails. If the client's access time falls within the preset blocking time, access fails. If the number of accesses within a certain period exceeds the preset maximum, access fails and an error message may be returned.
For example, whether the client IP is allowed to access may be determined by:
the above codes are only exemplary, and other methods for determining the client IP may be used, which is not limited in this embodiment.
Fig. 3 is a schematic diagram illustrating a web page-side mailbox login interface according to an embodiment of the present invention. Because the user requests to log in the mailbox at the external network, the user is prompted to input a user name, a password and a dynamic password at a login interface. By accessing the Outlook Web Access page, the user does not need to install Outlook client software, and directly uses a Web browser to read or send e-mails through the Internet, manage their calendar address books, tasks and other cooperative office functions. The login interface in the scheme is only exemplary, and other applications such as other office systems and public file systems can also be logged in, and the scheme is not limited to this.
In step S230, when the client is a mobile terminal, the device information in the HTTP request is verified, and when the device is bound, the HTTP request is sent to the backend server for authentication.
When a user enters identity authentication information at a mobile terminal, the mobile terminal transmits information about the mobile device using the WBXML protocol. The device information may include a device ID, device status, device type, device identification code, the network the device is connected to, the user's mobile phone number for the device, and the internet service provider. If the device ID is null, the user request is rejected outright. According to one embodiment of the invention, whether the device is sending the HTTP request for the first time can be judged from the device ID. If it is the first request, the check continues with the network the device is connected to: if that network is the preset wireless local area network, the device is bound, otherwise the HTTP request is intercepted. Binding means that a new device information record is stored in the cache with the device status set to inactive. For example, if a user logs in to the office mailbox for the first time from a mobile phone at home, the network the phone is connected to is not the office local area network, and the login request is intercepted directly. If the user logs in for the first time from the mobile phone over the office WiFi network, the login request is sent to the back-end server, the user's device information is bound, and the device information is recorded for the user's subsequent use of that device.
According to an embodiment of the present invention, after the device is bound, it may be further determined whether the device status is activated. And directly ignoring the user request and directly performing login access under the condition that the equipment state is activated. And activating the equipment when the equipment state is not activated. In the event the device state is blocked, the HTTP request is intercepted.
After the device is bound, it can log in successfully only once it is activated, so activation is also required; once the activation procedure is complete, the user can log in to the mailbox and read mail. Thus when the user's device logs in to the mailbox again, the device is already bound and only activation is still needed. The user can also set the device status to activated manually, so that on the next mailbox login the device is verified directly by the back-end server, which improves user experience.
While the device status is inactive, the user may still be allowed to connect to the server, but some key instructions are filtered: for example, request instructions that request returned data, and the corresponding returned data, are filtered, while an option instruction may be passed on to the back-end server for the time being, so that user experience is preserved while information security is ensured. After entering the activation procedure, the frequency of device activation may be checked. When the frequency of device activation is below the first preset frequency, an activation code is generated and sent to the user's mobile phone number, and the sent activation code is then deleted. A prompt short message is generated based on the second preset frequency and sent to the user's mobile phone number.
For example, activation may be allowed only once per minute, and no activation is performed when that frequency is exceeded. The sending frequency of the short messages can be set to once every 10 hours so that the user is not harassed by frequent messages. FIG. 4 shows a schematic diagram of a prompt message according to one embodiment of the present invention. As shown in fig. 4, the prompt message contains a link, and the user can click the link to allow or reject. After the user clicks the link to bind the device, the user continues to receive a prompt short message to further activate the device, which prevents illegitimate activation. The information of the device being activated is displayed, including the user's mobile phone number, the device identification code, the device ID and the device model. After the device is successfully activated, the device's authorisation information can be displayed on the login interface of the mobile terminal.
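The mobile-end flow described from step S230 onward is a small state machine: a device with an empty ID is rejected; a device seen for the first time is bound only if its request came from the preset LAN, and is stored as inactive; an activated device is forwarded; a blocked device is intercepted; an inactive device has its data-returning commands filtered (the option command is passed through) and enters rate-limited activation by SMS, with the prompt message sent no more than once per 10 hours. The following is an added example of that logic, not the patent's code. The Device fields, the `command` key and its `"Options"` value, the SMS wording, the callback signatures and the single-use handling of the activation code are assumptions; the once-per-minute and once-per-10-hours limits are the page's own figures.

```python
"""Device binding and activation decisions for mobile-end requests.

Added example. Field names, the 'command' key, SMS text and callbacks are assumed;
the once-per-minute activation limit and 10-hour prompt interval come from the text.
"""
import hmac
import secrets
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Dict, Optional


class DeviceState(Enum):
    INACTIVE = "inactive"
    ACTIVATED = "activated"
    BLOCKED = "blocked"


@dataclass
class Device:
    device_id: str
    phone: str                          # user's mobile number, receives the activation SMS
    state: DeviceState = DeviceState.INACTIVE
    activation_code: Optional[str] = None
    last_activation: int = -10 ** 9     # epoch seconds; far in the past until the first attempt
    last_prompt_sms: int = -10 ** 9


class DeviceBindingProxy:
    ACTIVATION_INTERVAL = 60          # activation at most once per minute (page's example)
    PROMPT_SMS_INTERVAL = 10 * 3600   # prompt SMS at most once per 10 hours (page's example)

    def __init__(self, lan_check: Callable[[str], bool], send_sms: Callable[[str, str], None]):
        self.cache: Dict[str, Device] = {}   # the "cache" of bound devices in the text
        self.lan_check = lan_check           # is this client IP inside the preset LAN?
        self.send_sms = send_sms             # delivery callback; a recorder in the test

    def handle(self, info: dict, now: int) -> str:
        """Decide what to do with one mobile request; `info` carries the device information."""
        dev_id = info.get("device_id")
        if not dev_id:
            return "reject"                          # empty device ID: drop the request
        dev = self.cache.get(dev_id)
        if dev is None:                              # first request from this device
            if not self.lan_check(info.get("client_ip", "")):
                return "intercept"                   # first contact must come from the preset LAN
            dev = Device(device_id=dev_id, phone=info.get("phone", ""))
            self.cache[dev_id] = dev                 # bind: store it with state inactive
        if dev.state is DeviceState.ACTIVATED:
            return "forward"
        if dev.state is DeviceState.BLOCKED:
            return "intercept"
        # Inactive: only the option command is passed on; data-returning commands are filtered.
        if info.get("command") == "Options":
            return "forward"
        return self.start_activation(dev, now)

    def start_activation(self, dev: Device, now: int) -> str:
        if now - dev.last_activation < self.ACTIVATION_INTERVAL:
            return "activation_rate_limited"
        dev.last_activation = now
        dev.activation_code = f"{secrets.randbelow(10 ** 6):06d}"
        self.send_sms(dev.phone, f"Activation code: {dev.activation_code}")
        if now - dev.last_prompt_sms >= self.PROMPT_SMS_INTERVAL:
            dev.last_prompt_sms = now
            self.send_sms(dev.phone, f"Allow or reject device {dev.device_id}? <link>")
        return "activation_sent"

    def confirm_activation(self, dev_id: str, code: str) -> bool:
        """Single-use code check; the stored code is deleted whether or not it matched."""
        dev = self.cache.get(dev_id)
        if dev is None or dev.activation_code is None:
            return False
        ok = hmac.compare_digest(dev.activation_code.encode(), code.encode())
        dev.activation_code = None
        if ok:
            dev.state = DeviceState.ACTIVATED
        return ok

    def reject_device(self, dev_id: str) -> None:
        """The user chose 'reject' in the prompt link: block the device."""
        if dev_id in self.cache:
            self.cache[dev_id].state = DeviceState.BLOCKED
```

The network check is applied only at first contact, as in the text; once a device is bound and activated its requests are forwarded from any network, and the blocked state is the only way to revoke that without clearing the cache entry.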
According to the scheme of the invention, when the user accesses the enterprise mailbox through the external network, the identity authentication is carried out in a one-time authentication mode through the password and the dynamic password, so that the access safety can be improved; when a user uses mobile equipment to access an enterprise mailbox through an intranet for the first time, the equipment information of the user is bound and activated for identity verification. And if the user uses the mobile equipment to access the enterprise mailbox through the external network for the first time, directly intercepting the user request. Therefore, the scheme can improve the access security and improve the user experience.
It should be appreciated that in the foregoing description of exemplary embodiments of the invention, various features of the invention are sometimes grouped together in a single embodiment, figure, or description thereof for the purpose of streamlining the disclosure and aiding in the understanding of one or more of the various inventive aspects. However, the disclosed method should not be interpreted as reflecting an intention that: that the invention as claimed requires more features than are expressly recited in each claim. Rather, as the following claims reflect, inventive aspects lie in less than all features of a single foregoing disclosed embodiment. Thus, the claims following the detailed description are hereby expressly incorporated into this detailed description, with each claim standing on its own as a separate embodiment of this invention.
Those skilled in the art will appreciate that the modules or units or components of the devices in the examples disclosed herein may be arranged in a device as described in this embodiment or alternatively may be located in one or more devices different from the devices in this example. The modules in the foregoing examples may be combined into one module or may be further divided into multiple sub-modules.
Those skilled in the art will appreciate that the modules in the device in an embodiment may be adaptively changed and disposed in one or more devices different from the embodiment. The modules or units or components of the embodiments may be combined into one module or unit or component, and furthermore they may be divided into a plurality of sub-modules or sub-units or sub-components. All of the features disclosed in this specification (including any accompanying claims, abstract and drawings), and all of the processes or elements of any method or apparatus so disclosed, may be combined in any combination, except combinations where at least some of such features and/or processes or elements are mutually exclusive. Each feature disclosed in this specification (including any accompanying claims, abstract and drawings) may be replaced by alternative features serving the same, equivalent or similar purpose, unless expressly stated otherwise.
Furthermore, those skilled in the art will appreciate that while some embodiments described herein include some features included in other embodiments, rather than other features, combinations of features of different embodiments are meant to be within the scope of the invention and form different embodiments. For example, in the following claims, any of the claimed embodiments may be used in any combination.
The various techniques described herein may be implemented in connection with hardware or software or, alternatively, with a combination of both. Thus, the methods and apparatus of the present invention, or certain aspects or portions thereof, may take the form of program code (i.e., instructions) embodied in tangible media, such as floppy diskettes, CD-ROMs, hard drives, or any other machine-readable storage medium, wherein, when the program is loaded into and executed by a machine, such as a computer, the machine becomes an apparatus for practicing the invention.
In the case of program code execution on programmable computers, the computing device will generally include a processor, a storage medium readable by the processor (including volatile and non-volatile memory and/or storage elements), at least one input device, and at least one output device. Wherein the memory is configured to store program code; the processor is configured to perform the method of the present invention according to instructions in the program code stored in the memory.
By way of example, and not limitation, computer readable media may comprise both computer storage media and communication media. Computer storage media store information such as computer readable instructions, data structures, program modules or other data. Communication media typically embody computer readable instructions, data structures, program modules or other data in a modulated data signal such as a carrier wave or other transport mechanism, and include any information delivery media. Combinations of any of the above are also included within the scope of computer readable media.
Furthermore, some of the described embodiments are described herein as a method or combination of method elements that can be performed by a processor of a computer system or by other means of performing the described functions. A processor having the necessary instructions for carrying out the method or method elements thus forms a means for carrying out the method or method elements. Further, the elements of the apparatus embodiments described herein are examples of the following apparatus: the apparatus is used to implement the functions performed by the elements for the purpose of carrying out the invention.
As used herein, unless otherwise specified, the use of the ordinal adjectives "first", "second", "third", etc., to describe a common object merely indicates that different instances of like objects are being referred to, and is not intended to imply that the objects so described must be in a given sequence, either temporally, spatially, in ranking, or in any other manner.
While the invention has been described with respect to a limited number of embodiments, those skilled in the art, having benefit of this description, will appreciate that other embodiments can be devised which do not depart from the scope of the invention as described herein. Furthermore, it should be noted that the language used in the specification has been principally selected for readability and instructional purposes, and may not have been selected to delineate or circumscribe the inventive subject matter. Accordingly, many modifications and variations will be apparent to those of ordinary skill in the art without departing from the scope and spirit of the appended claims. The present invention has been disclosed in an illustrative rather than a restrictive sense, and the scope of the present invention is defined by the appended claims.
Claims (10)
1. An identity verification method, suitable for execution in a proxy server, wherein the proxy server is connected over a network to a client and to a back-end server, and the client is a mobile terminal or a web terminal, the method comprising the following steps:
receiving an HTTP request from the client;
when the client is a web terminal, verifying a dynamic password in the HTTP request, and sending the HTTP request to the back-end server for identity verification if the dynamic password passes verification; and
when the client is a mobile terminal, verifying the device information in the HTTP request, and sending the HTTP request to the back-end server for identity verification if the device is bound.
2. The method of claim 1, wherein before the step of verifying the dynamic password in the HTTP request, the method comprises:
determining whether the client IP in the HTTP request is within a preset local area network;
determining whether the client IP is allowed to access if the client IP is not within the preset local area network; and
prompting the user to enter a user name, a password and a dynamic password if the client IP is allowed to access.
3. The method of claim 2, wherein determining whether the client IP is allowed to access comprises:
determining whether the client IP is allowed to access based on a preset IP blocking time, IP access time period and maximum IP access frequency.
4. The method of claim 1, wherein the device information includes a device ID, a device status, a device type, a device identification code, the network to which the device is connected, the user's phone number on the device, and the internet service provider.
5. The method of claim 4, wherein the step of verifying the device information of the mobile terminal comprises:
determining, based on the device ID, whether the mobile terminal is sending an HTTP request for the first time;
checking the network to which the device is connected if the device is sending an HTTP request for the first time; and
binding the device if the network to which the device is connected is the preset local area network, and otherwise intercepting the HTTP request.
6. The method of claim 5, wherein binding the device comprises:
saving the device information in a cache and setting the device status to inactive.
7. The method of claim 6, wherein the step of verifying the device information of the mobile terminal further comprises:
determining whether the device status is activated;
sending the HTTP request to the back-end server for identity verification if the device status is activated;
activating the device if the device status is not activated; and
intercepting the HTTP request if the device status is blocked.
8. The method of claim 7, wherein the step of activating the device comprises:
detecting the device activation frequency, and generating an activation code if the device activation frequency is less than a first preset frequency;
sending the activation code to the user's mobile phone number, and deleting the sent activation code; and
generating a prompt SMS message based on a second preset frequency, and sending the prompt SMS message to the user's mobile phone number.
9. The method of claim 8, wherein the HTTP request further includes a request instruction, and the step of verifying the device information of the mobile terminal, before the step of activating the device, includes:
filtering the request instruction that requests return data, together with the corresponding return data.
10. An identity verification system, comprising:
a client adapted to send a user's HTTP request;
a proxy server adapted to receive the HTTP request sent by the client; when the client is a web terminal, to verify the dynamic password in the HTTP request and, when the dynamic password passes verification, to send the HTTP request to the back-end server for identity verification; and when the client is a mobile terminal, to verify the device information in the HTTP request and, when the device is bound, to send the HTTP request to the back-end server for identity verification;
a back-end server adapted to receive the HTTP request sent by the proxy server, verify the client information in the HTTP request, and return response information to the client; and
a cache adapted to store the client information.
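Added example, not code from the patent: a minimal Python model of the proxy server's decision logic in claims 1 to 8, covering the IP policy of claim 3, device binding from the preset LAN (claims 5 and 6), the status check of claim 7 and the rate-limited activation code of claim 8. The request format (a dict), the policy values, the `verify_otp` callback and the `send_sms` callback are constructed assumptions; the claims name these parameters but fix none of them.

```python
import secrets
from ipaddress import ip_address, ip_network

# Constructed policy values: the claims name these parameters but do not fix them.
LAN = ip_network("10.0.0.0/8")                 # the "preset local area network" (web clients)
LAN_NETWORK = "corp-lan"                       # the LAN name a mobile device reports it is on
IP_WINDOW, IP_MAX_HITS, IP_BLOCK = 60, 5, 600  # access time period, max frequency, blocking time (s)
MAX_ACTIVATIONS = 3                            # the "first preset frequency" of claim 8

class Proxy:
    def __init__(self, verify_otp, send_sms):
        self.verify_otp, self.send_sms = verify_otp, send_sms
        self.devices = {}                      # the device cache of claims 6 and 10
        self.ip_hits, self.ip_blocked = {}, {}

    def ip_allowed(self, ip, now):
        """Claim 3: an IP exceeding IP_MAX_HITS within IP_WINDOW is blocked for IP_BLOCK seconds."""
        if self.ip_blocked.get(ip, 0) > now:
            return False
        hits = [t for t in self.ip_hits.get(ip, []) if now - t < IP_WINDOW] + [now]
        self.ip_hits[ip] = hits
        if len(hits) > IP_MAX_HITS:
            self.ip_blocked[ip] = now + IP_BLOCK
            return False
        return True

    def handle(self, req, now):
        """Verdict for one HTTP request (a dict in a constructed format), given the current time."""
        if req["client"] == "web":                         # claims 1 to 3
            if ip_address(req["ip"]) not in LAN and not self.ip_allowed(req["ip"], now):
                return "intercept"
            if "otp" not in req:
                return "prompt_credentials"
            return "forward" if self.verify_otp(req["user"], req["otp"]) else "reject"
        dev = self.devices.get(req["device_id"])
        if dev is None:                                    # first request from this device (claim 5)
            if req["network"] != LAN_NETWORK:
                return "intercept"                         # binding only from the preset LAN
            dev = self.devices[req["device_id"]] = {"status": "inactive", "activations": 0, "phone": req["phone"]}
        if dev["status"] == "active":                      # claim 7
            return "forward"
        if dev["status"] == "blocked":
            return "intercept"
        return self.activate(dev)

    def activate(self, dev):
        """Claim 8: rate-limited activation code sent by SMS; the proxy does not retain the code."""
        if dev["activations"] >= MAX_ACTIVATIONS:
            self.send_sms(dev["phone"], "Activation limit reached; contact your administrator.")
            return "activation_limited"
        dev["activations"] += 1
        self.send_sms(dev["phone"], f"Activation code: {secrets.randbelow(10**6):06d}")
        return "activation_sent"
```

The clock is passed in explicitly so the blocking window can be exercised deterministically; in a deployment it would be the wall clock.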
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201910850991.5A CN110572395B (en) | 2019-09-09 | 2019-09-09 | Identity verification method and system |
Publications (2)
Publication Number | Publication Date |
---|---|
CN110572395A (en) | 2019-12-13 |
CN110572395B (en) | 2021-12-07 |
Family
ID=68778865
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201910850991.5A Active CN110572395B (en) | 2019-09-09 | 2019-09-09 | Identity verification method and system |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN110572395B (en) |
Families Citing this family (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN111200603A (en) * | 2019-12-30 | 2020-05-26 | 南京旅享云网络科技有限公司 | Data interaction method |
CN111343080B (en) * | 2020-02-28 | 2020-12-04 | 北京芯盾时代科技有限公司 | Agent-based mail service method, server, client and system |
CN111953664B (en) * | 2020-07-27 | 2022-07-08 | 新浪网技术(中国)有限公司 | User request verification method and system based on variable security level |
CN113221081A (en) * | 2021-05-25 | 2021-08-06 | 南方电网电力科技股份有限公司 | Double-factor identity authentication method and related device |
CN113485131A (en) * | 2021-06-18 | 2021-10-08 | 南京物联传感技术有限公司 | Intelligent gateway control system based on internet terminal |
CN114422252A (en) * | 2022-01-21 | 2022-04-29 | 中国农业银行股份有限公司 | A kind of identity authentication method and device |
CN114666299B (en) * | 2022-04-18 | 2023-03-21 | 北京航天驭星科技有限公司 | Mail receiving and sending method, device, equipment and medium for satellite measurement, operation and control system |
Citations (9)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN1879071A (en) * | 2003-11-07 | 2006-12-13 | 意大利电信股份公司 | Method and system for the authentication of a user of a data processing system |
CN102316153A (en) * | 2010-06-30 | 2012-01-11 | 丛林网络公司 | To the local dynamically VPN networking client of structure demonstration that inserts of webpage mail |
CN104202338A (en) * | 2014-09-23 | 2014-12-10 | 中国南方电网有限责任公司 | Secure access method applicable to enterprise-level mobile applications |
CN104539701A (en) * | 2014-12-29 | 2015-04-22 | 飞天诚信科技股份有限公司 | Working method of equipment and system for online activating mobile terminal token |
CN105208013A (en) * | 2015-08-31 | 2015-12-30 | 张方华 | Cross-device high-security non-password login method |
CN105992204A (en) * | 2015-02-03 | 2016-10-05 | 北京神州泰岳信息安全技术有限公司 | Access authentication method of applications of mobile intelligent terminal and device |
KR20180017956A (en) * | 2016-08-11 | 2018-02-21 | 종 진 임 | The method and device to restrict access to server by registering IP address |
CN107872440A (en) * | 2016-09-28 | 2018-04-03 | 腾讯科技(深圳)有限公司 | Identification authentication methods, devices and systems |
US10116644B1 (en) * | 2014-03-28 | 2018-10-30 | Pulse Secure, Llc | Network access session detection to provide single-sign on (SSO) functionality for a network access control device |
Non-Patent Citations (1)
Title |
---|
Design and implementation of an enterprise mobile office information system; 王勇; 《万方数据库》; 20180514 * |
Also Published As
Publication number | Publication date |
---|---|
CN110572395A (en) | 2019-12-13 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||