FR3015821A1 - SECURE MEANS OF AUTHENTICATION - Google Patents

Abstract

The invention relates to means for authenticating a user wishing to access a service provided by an application system, by: • receiving, by a first channel, a first means of identification and verifying its validity; Transmitting to the user a second means of identification, by a second communication channel; Receiving a confirmation message, issued by the user, comprising the second means of identification. It relates more particularly to an infrastructure in which the authentication means are distinct from the means for providing said service.

Description

The present invention relates to secure means for enabling the authentication of a user wishing to access a service. It relates more particularly to a secure infrastructure in which the management of user authentication is performed by means other than those used to provide said service. Access to some services may require user authentication. For example, it may be desirable to conduct such a check to ensure the legitimacy of the user to access a service, or to limit access to a service to only those who have subscribed to a subscription. The authentication solution must not only have a sufficient level of security to limit the risk of fraud, but also be simple and effective so that users are not dissuaded from using the service. It is common that the service provider wants to dedicate resources to the management of authentication, separate from those used to provide the service, and located remotely or even on several sites. These specialized means can also be managed by a third party company and / or shared between several service providers. It is known, for example from US patent document 2007/0174904, to use an authentication server using a single identification factor to guarantee access to a service provided by different application means. However, the level of security offered by such systems is limited by the use of a single identification factor, which must in turn guarantee the identity of the user.

Authentication means using several identification factors are still known to authenticate the user, for example from patent document WO 2009/112 693. In such systems, the first identification factor is typically the transmission of a user. secret code known to the user, the second identification factor being the transmission of an authentication code generated by a cryptographic application installed on a mobile communication terminal of the user, the validity of said authentication code can be verified by the authentication server. In general, this type of authentication means requires the use of a complex infrastructure requiring a specific setting of the mobile communication terminal of the user. In addition, it is generally necessary to install specific applications on the mobile communication terminal of the user, which significantly increases the complexity and difficulty of deployment of such means. This is why there is still a need for efficient means for securely delegating the authentication of users wishing to access a service provided by different application means, and not requiring substantial hardware or software modifications of the terminals used. by the user to authenticate. One of the objects of the invention is to provide secure means of authentication allowing users to access a service of a provider. Another object of the invention is to provide an efficient infrastructure enabling the service provider to securely delegate the authentication of users wishing to access this service. Another object of the invention is to propose means and methods offering a high degree of confidence as to the reliability and security of user authentication. Another object of the invention is to propose an authentication solution that is simple to deploy and implement with the users and the service provider, in particular a solution that can be used on standard terminals, available to a large number of users. users, and does not require substantial hardware or software changes to these terminals. One or more of these objects are filled by the method, device and system according to the independent claims. The dependent claims further provide solutions to these objects and / or other advantages. More particularly, according to a first aspect, the invention relates to an authentication method, implemented by an authentication device, of a user having requested access to a service provided by an application system. The authentication device comprises, for example authentication management means, typically separate from those used to provide the service, and located remotely or on multiple sites. These specialized means can also be managed by a third party company and / or shared between several service providers. The authentication management means comprise, for example, servers for receiving and processing authentication requests, databases for storing information and means of identification relating to users, network interconnection means, as well as communication interfaces to allow communication with users and the application system of the provider. For example, the service access request may be issued by a first terminal available to the user, for example a computer with a web browser or an application allowing access to the service. The service is provided by the provider's application system, for example a web server delivering information, data streams or offering a particular service. It is usually standard equipment, widespread, and without configuration or specific setting. Typically, access to the service requires that the user has the right to use it, for example, that the latter is a registered user and having the necessary access rights, and / or that the user has paid the payment necessary for this access. The method is adapted to the authentication of the user requesting access to the application system, for example a website, an online application, or a remote access server. The user has a communication device capable of receiving and transmitting information via a second communication channel. For example, the communication device may be a communication terminal, such as a tablet or mobile phone having access to a GSM / GPRS / UMTS type data communication network, and capable of transmitting and receiving data messages of type SMS or SMS +. In this example, the communication device is therefore a standard device, and does not necessarily include specific or dedicated software.

The method according to the first aspect comprises the following steps: reception, by a first communication channel, of a first identification means relating to the user; - verification of the validity of the first means of identification; transmitting a second means of identification, via the second communication channel, to the communication device; receiving a confirmation message sent by the communication device; sending to the application system information on the success of the authentication of the user, if the confirmation message includes the second means of identification. Thus it is possible to authenticate the user using a standard communication device, for example a mobile phone, without specific configuration. No cryptographic element is generated by the communication device, no specific configuration of the communication device is required. In particular, the method does not require the implementation on the communication device of a signature algorithm or cryptography, neither symmetrical nor asymmetrical, to transmit the second channel of the second identification means. The communication device may have few resources, and it does not need to be provided with a sophisticated graphical interface, a web browser or significant computing means. In addition, the level of security obtained is particularly high since two distinct means of identification are used and their transmission takes place on two separate communication channels. The first means of identification is for example a secret element as a password associated with the user. In this example, after receiving the password of the user, the authentication device verifies whether the secret element received by the first channel corresponds to the secret element of the known user of the authentication device. Otherwise, the user authentication fails. Knowledge of this secret element can be acquired by the authentication device during a preliminary step of registering said user with the authentication device. During this optional registration step, the user provides, for example, in addition to the secret element, one or more information among the following information: a user name, a unique identifier from the list of identifiers used by the others users of the authentication device, a first telephone number or a first address for enabling the identification and transmission of data via the second communication channel to the user's communication device, a second telephone number or a second address for enabling the identification and transmission of data to a second communication device. The first means of identification may also include one or more elements, associated with the user, from the following list: a certificate, in particular a certificate conforming to the X.509 cryptography standard of the International Telecommunication Union, a complementary one-time password generated by hardware and / or software means, a password, biometric identification means, etc. Alternatively, the knowledge of the secret element of the user by the authentication device can be obtained from another system, for example the application system or a directory, preferably by authenticating on the one hand the system providing information and on the other hand by securing the transfer of the secret element. The first communication channel is for example a communication channel established in a data network, typically the Internet and, more generally, an Ethernet-type network, enabling the transfer of data between compatible terminals, more particularly between on the one hand the device authentication and on the other hand the user's computer and / or the application server. The validity of the first identification means can be verified as soon as it is received, before the transmission of the second identification means. For example, when the first means of identification is a secret element associated with the user's identifier, the verification can be performed by ensuring that the secret element received corresponds to the secret element stored or accessible by the user. authentication device, corresponding to the user. Otherwise, the user authentication fails. The second communication channel is for example a communication channel established in a mobile telephone network, typically a GSM network, allowing the transfer of data between, on the one hand, the authentication device and, on the other hand, the communication device of the user. In one embodiment, the second communication channel is a communication channel adapted to carry messages, for example text messages of SMS or SMS + type with special pricing.

The second means of identification is for example a key generated by the authentication device for uniquely identifying the request of the service access user. The key can be generated by a cryptographic method, for example using a pseudo-random alphanumeric sequence generator, from information relating to the user and the request for access to the service. Thus, the key thus generated is transmitted to the user's communication device via the second communication channel, typically in an SMS or SMS + message comprising the key thus generated. Optionally, the authentication device can ensure that the second identification means has been delivered to the user's device, for example by using acknowledgment mechanisms available for the second communication channel. The second means of identification may also include one or more elements, associated with the user, from the following list: a certificate, in particular a certificate conforming to the X.509 cryptography standard of the International Telecommunication Union, a complementary one-time password generated by hardware and / or software, a password, etc. The knowledge of the number or the address to allow the transmission of the second identification means to the communication device can be obtained during the optional registration step with the authentication device. Alternatively, this information is obtained from another system, for example the application system or a directory, preferably by authenticating on the one hand the system providing the information and on the other hand by securing the transfer of information. Once the second identification means has been transmitted to the communication device, the authentication device waits to receive a message sent by the communication device. Thus, it is possible to ensure that the user has received on his communication device the second means of identification, for example the key to uniquely identify the request of the user of access to the service. It is then expected that the latter sends to the authentication device a confirmation message comprising the second authentication means, in the first place to confirm that it is the origin of this request, and secondly to validate his identity by proving that the issuer of the application is in possession of the communication device. It is also possible to overtax the transmission of such a message, in order to provide a simple means of payment to the user to access the service. The confirmation message comprising the second authentication means may be transmitted by the communication device by sending an SMS / SMS + using the SMS transfer user function. The confirmation message comprising the second authentication means may also be transmitted by an application deployed on the communication device configured to transmit the second SMS authentication means to the authentication device. If the confirmation message includes the second means of identification, the authentication device sends the application system information on the success of the authentication of the user.

In order to reinforce the level of security of the service, in particular as regards the exchange of information between the application service and the authentication device, the method may comprise a step of authenticating the application system, prior to sending information about the success of user authentication. A unique identifier, a shared secret and / or a certificate may for example be provided by the application system to the authentication device. In one embodiment, the first communication channel is configured to allow the authentication device to receive information from the application system, the first identification means being received from the application system. Thus the user wishing to access the service transmits the first identification means to the application system, which in turn transmits it to the authentication device by the first channel. The user therefore delegates to the application system the provision of the first identification means to the authentication device. This solution offers great flexibility, since there are configurations in which the user can not directly transmit the first identification means to the authentication device without requiring heavy hardware or software modifications.

In one embodiment, the first communication channel is configured to allow the authentication device to receive information from a terminal used by the user to request access to the service, the first relative identification means to the user being received from the terminal. This solution makes it possible to increase the level of security from the point of view of the user, since the first means of identification is not transmitted to the application system, but only to the authentication device. In order to inform the application system of the success of the authentication, the method may further comprise the following steps: receiving a request for authentication of the user; - transmission to the application system of a session identifier; The session identifier is then transmitted to the application system when sending the information of the success of the authentication of the user. Optionally, it may be proposed to the user to revoke the first means of identification with the authentication device, to increase the level of security of the system, for example in the event of disclosure or compromise of the first means of identification. During the step of verifying the validity of the first identification means, it can then be checked whether the first identification means has not been previously revoked. Optionally, it may be proposed to the user to revoke the use of the communication device, to increase the level of security of the system, for example in case of compromise of the authentication device. During the transmission step of the second identification means, it can be verified whether the communication device has not been previously revoked.

According to a second aspect, the invention relates to a device for authenticating a user who has requested access to a service provided by an application system. The device according to the second aspect is in particular adapted to implement the method according to the first aspect. The authentication device comprises: a first interface adapted to receive information by a first communication channel; a second interface adapted to receive and transmit information by the second communication channel; a processing module configured to: receive, by the first interface, a first identification means relating to the user; o check the validity of the first means of identification; o transmit, by the second interface, a second means of identification; o receive, via the second interface, a confirmation message; o send to the application system, the information of the success of the authentication of the user, if the confirmation message comprises the second means of identification. The processing module can be further configured to authenticate the application system, prior to sending the information of the success of the authentication of the user. The first communication channel may be configured to allow the authentication device to receive information from the application system, the processing module being configured to receive the first identification means of the application system.

Alternatively, the first communication channel may be configured to allow the authentication device to receive information from a terminal used by the user to request access to the service, the processing module being configured to receive the first means of identification of the terminal. In particular, the processing module can be configured to: - receive a request for authentication of the user; - send the application system a session identifier; sending the session identifier with the information of the success of the authentication of the user to the application system. According to a third aspect, the invention relates to a system comprising: an application system configured to provide a service on request of a user; an authentication device according to the second aspect. The application system comprises an access management module configured to: - issue a request for authentication of the user to the authentication device; - provide the service required by the user, if the information of the success of the authentication of the user is received from the authentication device. According to a fourth aspect, the invention relates to a computer program comprising instructions for performing the steps of the method according to the first aspect, when said program is executed by a processor. Each of these programs can use any programming language, and be in the form of source code, object code, or intermediate code between source code and object code, such as in a partially compiled form, or in any form what other form is desirable. According to a fifth aspect, the invention relates to a computer-readable recording medium on which is recorded a computer program comprising instructions for executing the steps of the method according to the first aspect. The information carrier may be any entity or any device capable of storing the program. For example, the medium may comprise storage means, such as a ROM, for example a CD-ROM or a microelectronic circuit ROM, or a magnetic recording means, for example a diskette or a hard disk. On the other hand, the information medium may be a transmissible medium such as an electrical or optical signal, which may be conveyed by an electrical or optical cable, by radio or by other means. The program according to the invention can in particular be downloaded to an Internet network. Alternatively, the information carrier may be an integrated circuit in which the program is incorporated, the circuit being adapted to execute or to be used in the execution of the method in question.

Other features and advantages of the present invention will appear, in the following description of embodiments, with reference to the accompanying drawings, in which: - Figure 1 is a schematic representation of an infrastructure to restrict access to a service for authenticated users only; FIG. 2 is a block diagram of an authentication device; FIG. 3 is a sequence diagram of an authentication method according to one embodiment; FIG. 4 is a sequence diagram of an authentication method according to another embodiment; Figure 1 schematically illustrates an infrastructure for restricting access to a service to authenticated users only. The system comprises an authentication device 10 and an application system 12, interconnected by communication means, for example by an Internet type network. The application system is configured to receive, from a terminal 14, a request for access to a service. The authentication device and the application system are typically devices that are distinct from one another and located at different sites. The terminal 14 and the application system are interconnected by communication means, for example by an Internet type network. The authentication device still has means for exchanging information with a mobile terminal 16, for example via a mobile network of GSM type. The mobile terminal 16 is, for example, a tablet or a mobile phone having access to a GSM / GPRS / UMTS type data communication network, and able to transmit and receive SMS or SMS + type data messages. The terminal 14 and the mobile terminal 16 are terminals available to the user who issued the request for access to the service.

Referring now to Figure 2. The authentication device comprises a first interface 110 adapted to receive information through a first communication channel. The first interface is adapted for example to be coupled to the Internet network. The authentication device comprises a second interface 120 adapted to receive information via a second communication channel. The second interface is adapted for example to be coupled to the mobile telecommunications network. The authentication device also includes a processing module for receiving and processing authentication requests. The authentication device also comprises a database 140 for storing information and identification means relating to users. The authentication device makes it possible to provide a centralized third-party authentication service to the application system. The authentication device provides two-factor authentication of the users, for example, by ensuring that the user knows a password and is in possession of a registered mobile terminal. Figure 3 shows a sequence diagram of an authentication method according to one embodiment. The terminal 14 transmits, during a step 210, a REQ access request to the application services 12 to access the service. The request REQ comprises a secret element S1, for example a password, as well as a AuthUserlD identifier known or accessible from the authentication device. The user is deemed to be the owner of the AuthUserlD ID. The application service 12 in turn transmits an authentication request to the authentication device 10 comprising the AuthUserlD identifier and the secret element S1. The authentication request sent by the application service 12 can be implemented by a Web service, using the secure HTTPS protocol and a GET method. If the authentication device is accessible by the domain name "auth.com", and the application service identifiable by the ServID service identifier, the authentication request can then be the following: https: //www.auth .com / authenticate? appid = ServID & userid = AuthUserlD & password = S1 & timeout = 120 During a step 225, the authentication device checks the validity of the received secret element S1. Verification of the validity can be made by comparison between a cryptographic hash stored by the authentication device and the hash of the secret element S1 provided by the application system. If the secret element S1 received is valid, the authentication device generates, during a step 230, a second secret element S2, for example a key obtained using a pseudo-random generator. The second secret element S2 is then transmitted to the mobile terminal 16 corresponding to the AuthUserlD identifier of the user. For this purpose, the authentication device sends an SMS text message to the telephone number corresponding to the mobile terminal 16. For example, the SMS text message may comprise: a keyword designating and identifying the authentication device; this keyword can in particular be used to allow the operator conveying the message to the mobile terminal to send back to the authentication device a message sent by the user in response to the message transmitted by the authentication device; a question inviting the user to confirm the authentication request, and including the name of the user, used by the application service identified by his domain name; - a sentence inviting the user to forward this message to a SMS + short number; the second secret element S2, for example the key generated by the authentication device, uniquely identifying the authentication REQ request. The message takes for example the following form, with the keyword SMS + "hello" associated with the shared short number 89999: "Hello Laurent Martin Do you confirm your request for access to auth.com? If yes, transfer this message to 89999. Otherwise do not transfer it: your username and password may have been stolen. Key: SJD8SDLKN1103jdsKN1YFGCNA0181ND7202 "In this example, the second secret element S2 is the key" SJD8SDLKN1103jdsKN1YFGCNA0181ND7202 ". The mobile terminal 16 then sends the message comprising the second secret element S2 to the authentication device during a step 250.

During a step 260, the authentication device then checks the validity of the received message, ensuring that the recipient of the SMS sent during the step 240 - the mobile terminal 16 - has indeed responded to the message and that the response comprises at least the second secret element S2 generated during step 230.

If the validity of the received message is confirmed, then the authentication device transmits to the application service 12 confirmation that the user corresponding to the AuthUserlD identifier is authenticated. Other checks may be carried out by the authentication device, before transmitting this confirmation, in particular: the service identifier ServID is known to the authentication device; the application service is authorized to make a request for authorization from the user, for example if the credit of an application service account with the authentication device is sufficient; - - the AuthUserld identifier is known to the authentication device; - - the operator in charge of sending the SMS has confirmed his delivery to the mobile terminal of the User; - - the mobile terminal has forwarded this message to the prescribed number within a time compatible with a predefined parameter. After receiving confirmation that the user corresponding to the AuthUserlD identifier is authenticated, the application service grants access to the service to the terminal 14 of the user, during a step 280. FIG. sequence of an authentication method according to another embodiment. The terminal 14 transmits, during a step 310, a REQ access request to the application service 12 to access the service comprising a AuthUserlD identifier known or accessible from the authentication device. The REQ request has no secret element. During a step 320, the application service 12 in turn transmits an authentication request to the authentication device 10 having the AuthUserlD identifier. In a step 330, the authentication device generates a session identifier K1 for the authentication request relating to the AuthUserlD identifier. This session identifier is transmitted in a step 340 to the application system, which in turn transmits it to the terminal 14 during a step 350, accompanied by a redirection request to the authentication device. The terminal 14 transmits, during a step 360, to the authentication device, a secret element S1, for example a password, and its AuthUserlD identifier known or accessible from the authentication device. The user is deemed to be the owner of the AuthUserlD identifier. During a step 370, the authentication device checks the validity of the secret element S1 received. Verification of the validity can be made by comparison between a cryptographic hash stored by the authentication device and the hash of the secret element S1 provided by the application system. If the secret element S1 received is valid, the authentication device generates, during a step 380, a second secret element S2, for example a key obtained using a pseudo-random generator. The second secret element S2 is then transmitted to the mobile terminal 16 corresponding to the AuthUserlD identifier of the user. For this purpose, the authentication device sends an SMS text message to the telephone number corresponding to the mobile terminal 16. For example, the SMS text message may comprise: a keyword designating and identifying the authentication device; this keyword can in particular be used to allow the operator conveying the message to the mobile terminal to send back to the authentication device a message sent by the user in response to the message transmitted by the authentication device; a question inviting the user to confirm the authentication request, and including the name of the user, used by the application service identified by his domain name; - a sentence inviting the user to forward this message to a SMS + short number; the second secret element S2, for example the key generated by the authentication device, uniquely identifying the authentication REQ request. The message takes for example the following form, with the keyword SMS + "hello" associated with the shared short number 89999: "Hello Laurent Martin Do you confirm your request for access to auth.com? If yes, transfer this message to 89999. Otherwise do not transfer it: your username and password may have been stolen. Key: SJD8SDLKN1103jdsKN1YFGCNA0181ND7202 "In this example, the second secret element S2 is the key" SJD8SDLKN1103jdsKN1YFGCNA0181ND7202 ".

The mobile terminal 16 then sends the message comprising the second secret element S2 to the authentication device, during a step 400. During a step 410, the authentication device then checks the validity of the received message, in ensuring that the recipient of the SMS sent during step 390 - the mobile terminal 16 - has indeed responded to the message and that the response comprises at least the second secret element S2 generated during step 380. If the validity of the received message is confirmed, then the authentication device transmits to the application service 12, during a step 420, and the terminal 14, during a step 430, the confirmation that the user corresponding to the AuthUserlD identifier is authenticated for the request corresponding to the session identifier K1. Other checks may be carried out by the authentication device, before transmitting this confirmation, in particular: - the service identifier Servld is known to the authentication device; the application service is authorized to make a request for authorization from the user, for example if the credit of an application service account with the authentication device is sufficient; - - the AuthUserld identifier is known to the authentication device; - - the operator in charge of sending the SMS has confirmed his delivery to the mobile terminal of the User; - - the mobile terminal has forwarded this message to the prescribed number within a time compatible with a predefined parameter.

After receiving the confirmation, the terminal 14 sends a request for access to the service with the session identifier K1, during a step 440. If the application system has received confirmation that the user corresponding to the identifier AuthUserlD is authenticated for the request corresponding to the session identifier K1, the application service grants access to the service to the terminal 14 of the user, during a step 450.

Claims (8)

CLAIMS1 authentication method, adapted to be implemented by an authentication device (10), of a user having requested access to a service provided by an application system (12) and further having a device communication device (16) adapted to receive and transmit information via a second communication channel, characterized in that it comprises the following steps: reception (220; 360), by a first communication channel, a first identification means relating to the user; checking (225; 370) the validity of the first identification means; - transmitting (240; 390) a second means of identification, by the second communication channel, to the communication device; receiving (250; 400) a confirmation message sent by the communication device; sending (270; 420) to the application system, information on the success of the authentication of the user, if the confirmation message comprises the second means of identification. 2. Method according to claim 1, further comprising a step of authenticating the application system, prior to sending the information of the success of the authentication of the user. The method according to any one of claims 1 to 2, wherein the first communication channel is configured to allow the authentication device to receive information from the application system, the first identification means being received from the system. application. The method of any one of claims 1 to 2, wherein the first communication channel is configured to allow the authentication device to receive information from a terminal (14) used by the user to request access to the service, the first means of identification relating to the user being received from the terminal. The method of claim 4, further comprising the steps of: receiving (310, 320) a user authentication request; - transmission (330, 340) to the application system of a session identifier; the session identifier is further transmitted (410) to the application system when sending the information of the success of the authentication of the user. 6. Method according to any one of the preceding claims wherein during the step of verifying the validity of the first identification means, it is checked whether the first identification means has not been previously revoked. Method according to any one of the preceding claims, wherein during the step of transmitting the second identification means, it is checked whether the communication device has not been previously revoked. 8. Device for authenticating (10) a user who has requested access to a service provided by an application system (12), the user having in addition a communication device (16) able to receive and transmit information via a second communication channel, characterized in that it comprises: - a first interface (110) adapted to receive information by a first communication channel; a second interface (120) adapted to receive and transmit information via the second communication channel; a processing module (130) configured to: receive, by the first interface, a first identification means relating to the user; 9. 10. 11. 12. 30 13. o check the validity of the first means of identification; o transmit, by the second interface, a second means of identification; o receive, via the second interface, a confirmation message; o send to the application system, the information of the success of the authentication of the user, if the confirmation message comprises the second means of identification. Device according to claim 8, wherein the processing module is further configured to authenticate the application system, prior to sending the information of the successful authentication of the user. Device according to claim 8 or 9, wherein the first communication channel is configured to allow the authentication device to receive information from the application system, the processing module being configured to receive the first system identification means application. An apparatus according to claim 8 or 9, wherein the first communication channel is configured to allow the authentication device to receive information from a terminal (14) used by the user to request access to the service, the processing module being configured to receive the first identification means of the terminal. Apparatus according to claim 11, wherein the processing module is configured to: - receive an authentication request from the user; - send the application system a session identifier; sending the session identifier with the information of the success of the authentication of the user to the application system. System comprising: - an application system (12) configured to provide a service on request of a user; - an authentication device (10) according to any of claims 8 to 12; the application system comprising an access management module configured to: - issue a request for authentication of the user to the authentication device; - provide the service required by the user, if the information of the success of the authentication of the user is received from the authentication device. A computer program comprising instructions for executing the steps of the method according to any one of claims 1 to 7 when said program is executed by a processor. 15. A computer-readable recording medium on which is recorded a computer program comprising instructions for performing the steps of the method according to any one of claims 1 to 7.