JP2005149388A - Password authentication apparatus, program for the same, and recording medium - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To provide a password authentication apparatus that can realize both improved convenience for an authorized user and ensured security despite using authentication with password. <P>SOLUTION: If authentication fails, a similarity rate calculation part 32 calculates a rate of similarity between a received password and a registered password, and a support need determination part 33 determines whether or not to present support information according to the rate of similarity. If the presentation is found necessary, an authentication support processing part 31 presents support information showing the place of a wrongly input digit in the received password to support the next password input by the user who has input the password. Such support information is not presented if it is found unnecessary. The support information presentation enables the password authentication apparatus to execute password authentication while ensuring security despite supporting the authorized user to improve convenience for the authorized user. <P>COPYRIGHT: (C)2005,JPO&NCIPI

Description

  The present invention relates to a password authentication device that authenticates a user with a password, a program thereof, and a recording medium.

  Conventionally, in a network system or other system, it is confirmed whether a user who intends to use a computer has the authority to use, or the contents of electronic data exchanged by e-mail or online transactions are Authentication technology is widely used as a technology for confirming whether it is legitimate and supporting the safety of those systems.

  Among these authentication techniques, there is password authentication in which a password input by a user is compared with a password registered in advance. However, when authenticating with the password, if the registered password leaks to a third party who is not a legitimate user, the third party can impersonate the legitimate user. Here, if the length of the registered password is increased, the risk of leakage can be reduced to some extent, but the time required for the authorized user to input the password increases, and the convenience of the authorized user is reduced. Even if the user is a legitimate user, if the user forgets the registration password, the correct password (registration password) cannot be input, so that it is determined that the user is not a legitimate user. Therefore, if the length of the registered password is increased, there is a high possibility that the authorized user forgets the registered password. From this point of view, the convenience of the authorized user is reduced.

  On the other hand, a configuration that is used in combination with another authentication method in order to achieve both ease of matching and ensuring safety is described in, for example, Patent Document 1 described later. In the system of Patent Document 1, biometrics authentication and password authentication are used together as other authentication methods, and the number of digits of the password required at the time of password authentication is changed according to the matching rate by collation of ecological features. Is done.

Here, biometrics authentication is an authentication method that uses human characteristics such as fingerprints, retinas, and voices, for example. (Information) is used for authentication, there is a possibility that the identification rate may fluctuate due to voice dying, nasal voice, and thin fingerprints. If the authentication rate fluctuates, there is a possibility that the person (authorized user) fails to authenticate, or authentication by a third party succeeds and the third party is accepted. However, in the above configuration, since both are used together, both ease of verification and safety are improved.
JP 2002-91921 A

  However, in the conventional configuration, password authentication and biometrics authentication are used together in order to achieve both easy verification and ensuring safety, and thus a device for biometrics authentication is indispensable.

  The present invention has been made in view of the above-described problems, and the purpose thereof is to achieve both improvement of convenience for a legitimate user and securing of safety despite authentication with a password. It is to realize a password authentication device.

  In order to solve the above-mentioned problem, the password authentication device according to the present invention accepts an input of a password by a user, compares it with a registered password registered in advance in a storage device, and determines whether or not the user is a legitimate user. In the password authentication apparatus having the authentication means for authenticating the password, the presenting means for presenting support information for supporting the next password input by the user, and the authentication means input the password based on the password accepted this time It is characterized by including control means for estimating whether or not the user is a regular user and, when it is estimated that the user is not a regular user, preventing presentation of support information by the presenting means. .

  Further, in addition to the above configuration, the control means estimates that the user is a legitimate user when it is determined that the degree of similarity between the password received this time and the registered password is higher than a predetermined threshold. May be.

  On the other hand, in order to solve the above problems, the password authentication device according to the present invention accepts input of a password by a user, checks it against a registered password registered in advance in a storage device, and determines whether the user is a legitimate user. In a password authentication apparatus having authentication means for authenticating whether or not, a presentation means for presenting support information for supporting the next password input by the user, and information according to the password that the user has input so far In addition, the history information, which is information for determining whether or not it is necessary to present support information to the user, is stored in the storage device, and the password is input based on the history information stored in the storage device. It is estimated whether or not the user is a regular user, and if it is estimated that the user is not a regular user, the support information by the presenting means is It is characterized in that it comprises a control means for determining whether or not to permit the presentation.

  Further, in addition to the above configuration, the control means stores, in the storage device, information for obtaining the degree of similarity between the password input so far and the registered password as the history information. If the history information read from the above indicates that the two passwords are similar, it may be estimated that the user is a legitimate user.

  In addition to the above configuration, the control means stores, in the storage device, information for determining the degree of similarity between the passwords input so far as the history information, and reads the information from the storage device. If the history information indicates that the two passwords are similar, it may be estimated that the user is a legitimate user.

  Furthermore, in addition to the above configuration, the history information is a password that has been input so far, and the control means determines whether or not the password as the history information matches a predetermined pattern. You may estimate whether it is a regular user.

In addition to the above configuration, the history information is information indicating the number of times authentication has failed,
The control means may estimate that the user is not an authorized user when the history information indicates that the number of failures is large.

  Further, in addition to the above configuration, the control unit may estimate whether or not the user is a legitimate user based on the history information stored in the storage device and the password accepted this time.

  On the other hand, in addition to the configuration described above, the control means may calculate the degree of similarity based on the number of digits that match between passwords that determine similarity.

  In addition to the above configuration, the storage device is provided with an area for storing a similarity between values that may be input as password digits, and the control means stores the storage in the storage device. The degree of similarity may be calculated based on the similarity relationship.

  Further, in addition to the above configuration, the authentication unit accepts an input by an input device whose value changes depending on the operated position, and the control unit replaces a certain digit value of the registered password with another value. May be calculated based on the position of the operation for inputting both values.

  In addition to the above configuration, the storage device is provided with an area for storing type information indicating the type of the registered password, and the control means also stores the type of the registered password stored in the storage device. With reference to the information, the necessity of presenting the support information by the presenting means may be determined.

  Further, in addition to the above configuration, the storage device is provided with an area for storing personal information of a legitimate user, and the control means refers to the personal information stored in the storage device, and The necessity of presenting support information by the presenting means may be determined.

  In addition to the above configuration, the support information may be information indicating the number of digits that do not match by comparing the input password and the registered password. Further, in addition to the above configuration, the support information may be information indicating the position of the mismatched digit by comparing the input password and the registered password. In addition to the above configuration, the support information is information indicating a part of all digits of the password and including a position of a mismatched digit by comparing the input password with the registered password. May be.

  Furthermore, the program according to the present invention is a program that causes a computer having a storage device to operate as each unit of the password authentication device. In addition, the program is recorded on a recording medium according to the present invention.

  As described above, the password authentication device according to the present invention includes an authentication unit, a presentation unit, and a control unit. Based on the input password, the control unit is a regular user who has input the password. Estimate whether or not there is. When the estimation of the control means based on the password received this time indicates that the user is not a legitimate user, the support information by the presenting means is blocked and the support information is not presented to the user. Therefore, it is possible to suppress a decrease in safety at the time of password authentication as compared with a configuration in which support information is presented to all users.

  On the other hand, when it is estimated that the user is a legitimate user, the presenting means, for example, presents support information indicating the number of digits input in error, the position of the digit, etc. as support information. Support next password entry. As a result, a user who is estimated to be a legitimate user can easily input a correct password at the next password input, and convenience for the user can be improved.

  As a result, it is possible to support a legitimate user by presenting the support information, and it is possible to realize a password authentication device that can perform password authentication while ensuring safety despite improving convenience for the legitimate user.

  In addition to the above configuration, the control unit estimates that the user is a legitimate user when it is determined that the degree of similarity between the password received this time and the registered password is higher than a predetermined threshold value. In the configuration, the necessity of presenting support information is determined according to the degree of similarity between the password received this time and the registered password.

  If you are a legitimate user who knows the password, even if you enter the password incorrectly due to a typo or misunderstanding, you will rarely enter a password that is very different from the registered password. Often input. Therefore, by estimating a user who inputs a password similar to the registered password as a regular user, it can be accurately estimated whether or not the user is a regular user. As a result, it is possible to support a legitimate user by presenting the support information, and it is possible to realize a password authentication device that can perform password authentication while ensuring safety despite improving convenience for the legitimate user.

  Furthermore, as described above, the password authentication apparatus according to the present invention includes the authentication unit, the presenting unit, and the control unit. The control unit is information corresponding to the password input so far, and The history information, which is information for determining the necessity of presenting the support information, is stored in the storage device, and the user who inputs the password is a legitimate user based on the history information stored in the storage device. Estimate whether or not there is.

  When the estimation result indicates that the user is not an authorized user, the support information by the presenting means is blocked and the support information is not presented to the user. Therefore, it is possible to suppress a decrease in safety at the time of password authentication as compared with a configuration in which support information is presented to all users.

  On the other hand, when it is estimated that the user is a legitimate user, for example, when the previous password stored as the history information is similar to the registered password, the presenting means has erroneously input, for example, as support information The next password input by the user is supported by presenting support information indicating the number of digits, the position of the digits, and the like. As a result, a user who is estimated to be a legitimate user can easily input a correct password at the next password input, and convenience for the user can be improved.

  As a result, it is possible to support a legitimate user by presenting the support information, and it is possible to realize a password authentication device that can perform password authentication while ensuring safety despite improving convenience for the legitimate user.

  In addition to the above configuration, in the configuration in which the control unit stores information for obtaining the degree of similarity between the password input so far and the registered password as the history information in the storage device, for example, Information for determining the degree of similarity between the two passwords, such as the password entered so far or data indicating the similarity between it and the registered password, is stored in the storage device, and both passwords are similar , It is estimated by the control means that the user who entered the password is a legitimate user.

  Here, as described above, if it is a legitimate user who knows the password, a similar password is often entered, so if the password entered so far is similar to the registered password, By estimating a user who has input a password as a regular user, it is possible to accurately estimate whether or not the user is a regular user. As a result, it is possible to support a legitimate user by presenting the support information, and it is possible to realize a password authentication device that can perform password authentication while ensuring safety despite improving convenience for the legitimate user.

  Further, in addition to the above configuration, in the configuration in which the control means stores in the storage device information for determining the degree of similarity between passwords input so far as the history information, for example, Information for determining the degree of similarity between the two passwords, such as the entered password itself or data indicating the similarity between it and other passwords entered so far, is stored in the storage device, and both passwords are stored in the storage device. When it is shown that they are similar, it is estimated by the control means that the user who entered the password is a legitimate user.

  Here, as described above, since a regular user who knows a password often inputs a similar password, passwords input so far are often similar. Therefore, when the two passwords are similar, it is possible to accurately estimate whether or not the user is a legitimate user by estimating the user who has input the password as a legitimate user. As a result, it is possible to support a legitimate user by presenting the support information, and it is possible to realize a password authentication device that can perform password authentication while ensuring safety despite improving convenience for the legitimate user.

  In addition to the above configuration, in the configuration for estimating whether or not the user is a legitimate user based on whether or not the password input so far matches a predetermined pattern, it has been input so far. Therefore, it is possible to estimate whether or not the user is a legitimate user more accurately.

  As an example, for example, if it is a legitimate user, even if authentication fails continuously, those passwords often converge to a registered password. On the other hand, a third party who does not know the registered password cannot fail in the pattern when the authentication fails continuously.

  In this way, in the above configuration, even if the authorized user who knows the registered password and the third party who does not know the authentication fail, the password patterns input at that time are different from each other. Based on the above, it is estimated whether or not the user is a legitimate user based on whether or not the password entered so far matches a predetermined pattern. Can be estimated. As a result, it is possible to support a legitimate user by presenting the support information, and it is possible to realize a password authentication device that can perform password authentication while ensuring safety despite improving convenience for the legitimate user.

  Further, in addition to the above-described configuration, the history information is information indicating the number of times authentication has failed, and the control means is configured so that when the history information indicates that the number of failures is large, a regular user In the configuration that is not estimated, even if it is estimated that it is a legitimate user by other estimation methods, if the number of failures is large and the possibility of repeated password entry by a third party cannot be denied, Support information can be prevented from being presented. Therefore, the possibility of presenting support information to a third party can be reduced, and a safer password authentication device can be realized.

  In addition to the above-described configuration, the control unit may be configured to estimate whether or not the user is a regular user based on the history information stored in the storage device and the password received this time. Since the estimation is performed with reference to both the password received this time, it is possible to more accurately determine whether or not the user is a regular user. As a result, it is possible to support a legitimate user by presenting the support information, and it is possible to realize a password authentication device that can perform password authentication while ensuring safety despite improving convenience for the legitimate user.

  By the way, there are various methods for calculating the degree of similarity of passwords. In addition to the above configuration, the degree of similarity is calculated based on the number of digits that match between passwords for determining similarity. In this configuration, since the degree of similarity can be calculated based on the number of digits of match / mismatch, whether or not the user is a legitimate user with a smaller amount of data compared to a configuration storing a similarity relationship described later. Can be estimated. Therefore, the possibility of presenting support information to a third party can be reduced, and a more secure password authentication device can be realized with a relatively simple configuration.

  In addition to the above configuration, the storage device is provided with an area for storing a similarity between values that may be input as password digits, and the control means stores the storage in the storage device. In the configuration in which the degree of similarity is calculated based on the similar relationship, the degree of similarity is calculated based on the similarity relationship, so that it is possible to more accurately estimate whether the user is a regular user.

  As an example, since a legitimate user knows the registration password, it is different from a third party who does not know the registration password, for example, a value whose outer shape is similar to the correct value, or whose reading is similar to the correct value. There is a high probability that you will type incorrectly.

  As described above, in the above configuration, values that are likely to be determined to be similar for a legitimate user are stored in advance as a similarity relationship, and the degree of similarity is calculated based on the similarity relationship, whereby the outer shape and reading It is possible to estimate whether or not the user is a regular user more accurately than in the case where the similar relationship such as is not considered. Therefore, the possibility of presenting support information to a third party can be reduced, and a safer password authentication device can be realized.

  Further, in addition to the above configuration, the authentication unit accepts an input from an input device whose value changes depending on the operated position, for example, a keypad, and the control unit converts the digit value of the registered password to a certain digit value. Instead, when other values are input, the configuration for calculating the degree of similarity based on the position of the operation for inputting both values is based on the position of the operation for inputting both values. Thus, since the degree of similarity is calculated, it can be estimated more accurately whether the user is a regular user.

  As an example, in the above input device, even if the user is a legitimate user, instead of a correct value, there is a high possibility of inputting a value that is close to the position of the operation for inputting the correct value. There is a low possibility of inputting a value at a position away from the position. On the other hand, since a third party does not know the registered password, an incorrect value is often input with the same probability regardless of the location.

  As described above, in the above configuration, if the user has a possibility of inputting the following value, that is, an incorrect value, the position of the operation for inputting the correct value and the erroneously input value are set. Since the degree of similarity is calculated based on the position of the operation for inputting both values based on the change in accordance with the positional relationship with the position of the operation for inputting, it is calculated regardless of the position. Compared to the case, it can be estimated whether or not the user is a proper user. Therefore, the possibility of presenting support information to a third party can be reduced, and a safer password authentication device can be realized.

  In addition to the above configuration, in the configuration in which the necessity of presenting support information by the presenting means is determined by referring to the type of registered password stored in the storage device, the type of registered password is also referred to for support. Necessity of information presentation is determined.

  Here, among registered passwords, for example, a password created by a legitimate user is a type that is difficult to forget if it is a legitimate user and cannot be expected to improve the convenience of the legitimate user by providing support information. There are passwords and types of passwords that are easy to forget even for legitimate users, such as automatically generated passwords, and are strongly required to present support information for the convenience of legitimate users. To do.

  In addition, some of the registered passwords are relatively damaged even if the registered password is leaked to a third party due to incorrect presentation of support information to the third party, such as a password for a resource that does not incur costs of use. There are a few types of passwords, and a type of password that is greatly damaged when a registered password leaks to a third party, such as a password for a credit card.

  As described above, it is difficult to determine the necessity of presenting support information by a common determination method for passwords of different types that require different support information presentation and damage severity. For example, as with passwords of a type that cannot be expected to improve convenience by presenting too much support information, the risk of presenting support information to a third party is reduced by more strictly estimating that the user is a legitimate user As a result, support information is not presented even for passwords of a type that can greatly improve convenience.

  On the other hand, in the above configuration, the necessity of presenting the support information is determined with reference to the type of the registered password, so the necessity of presenting can be determined more accurately. As a result, it is possible to support a legitimate user by presenting the support information, and it is possible to realize a password authentication device that can perform password authentication while ensuring safety despite improving convenience for the legitimate user.

  In addition to the above configuration, in the configuration in which the necessity of presenting support information by the presenting means is determined by referring to the personal information stored in the storage device, it is necessary to refer to the personal information and to display the support information. No is decided.

  Here, a password similar to personal information is unlikely to be forgotten by a legitimate user. Even third parties often have the opportunity to know personal information such as date of birth. Therefore, when a password similar to personal information is input, if it is assumed that the user is a legitimate user and support information is presented, there is a risk that password input by a third party may be supported.

  On the other hand, in the above configuration, since it is determined whether or not the support information should be presented with reference to the personal information, it can be determined not to support a user who has entered a password similar to the personal information. As a result, the possibility of providing support information to a third party can be reduced, and a safer password authentication device can be realized.

  By the way, various information can be considered as the support information presented by the presenting means. In addition to the above configuration, the support information compares the input password with the registered password, and the number of mismatched digits. In the configuration indicating the information, since the registered password can be reminded to the authorized user by the information, the next password input by the authorized user can be supported.

  In addition to the above configuration, in the configuration in which the support information is information indicating the position of the mismatched digit by comparing the input password and the registration password, the registration password is given to a legitimate user by the information. Since it can be reminded, the next password input by a regular user can be supported. In addition to the configuration, when only the mismatched digits are re-input, the operability of the authorized user can be further improved and the convenience of the user can be improved.

  On the other hand, in addition to the above configuration, the support information is information indicating a part of all digits of the password and including the position of the mismatched digit by comparing the input password and the registered password. In the configuration, since the registered password can be reminded to the authorized user by the information, the next password input by the authorized user can be supported. In addition, since the portion is not the mismatched digit position itself, it is harder to remember the registered password than when information indicating the digit position itself is presented, but since a regular user knows the registered password, By presenting the information indicating the part, the registration password can be input without any trouble. On the other hand, even if a third party who does not know the registration password is presented with a part that includes the position of the mismatched digit, the correct registration password is compared to the legitimate user because the part is not the mismatched digit position itself. Difficult to guess. As a result, it is possible to realize a password authentication device capable of improving convenience for a legitimate user while ensuring safety.

  By the way, the password authentication apparatus may be realized by hardware, or may be realized by causing a computer to execute a program. Specifically, the program according to the present invention is a program that causes a computer having a storage device to operate as each unit of the password authentication device, and the program is recorded on the recording medium according to the present invention.

  When these programs are read and executed by the computer, the computer operates as the password authentication device. Therefore, as with the above password authentication device, it is possible to support a legitimate user by presenting support information, and it is possible to authenticate a password while ensuring safety despite improving convenience for the legitimate user. A password authentication device can be realized.

[First Embodiment]
An embodiment of the present invention will be described below with reference to FIGS. That is, the password authentication system according to the present embodiment allows the user to use a resource that is predetermined as a management target among resources existing in the system based on a password input by the user of the system. In order to improve the convenience of legitimate users while ensuring safety, if the entered password is incorrect, the system controls whether to permit or not, It is a system that can determine whether or not to assist the authorized user to input a correct password.

  Specifically, as shown in FIG. 1, the password authentication system 1 is provided with a password authentication device 3 that accepts input of a password and controls whether or not the resource 2 to be managed can be used.

  Here, if the use of the resource 2 can be controlled by the password authentication device 3, the “hardware mechanism” or “function” included in the computer system itself or the operating system, or “ Any resource existing in the system 1 such as “time” or “operator” may be used. However, in FIG. 1, as an example, in the case of being a part of the password authentication device 3, more specifically, the password authentication device. 3 illustrates a case of a processing unit (for example, a database processing unit, etc.) having a specific function, realized by 3. If the password authentication device 3 can control the operation of the “operator” by the user depending on whether or not the instruction to the “operator” (for example, an instruction by display or voice) is output, the resource 2 is “ It may be an “operator”.

  On the other hand, the password authentication device 3 includes a password reception processing unit 12 that receives a password input from a keypad 11 as an input device, a password storage unit 13 that stores a regular password in advance, and a password reception processing unit 12. Based on the password Pi received by the password storage unit 13 and the password (registered password) Ps stored in the password storage unit 13, for example, when both passwords Pi and Ps match or when both passwords Pi and Ps are determined in advance (for example, On the other hand, the password Pi is input to the password acceptance processing unit 12 by the keypad 11 only when collation of both passwords Pi and Ps by a predetermined procedure is successful. An authentication processing unit 14 for determining that the authenticated user has succeeded in authentication; The authentication processing unit 14 only to the user who is determined that the authentication has succeeded, the license control unit 15 to allow use of the resource 2 is provided.

  As a result, a legitimate user who knows the legitimate password can use the resource 2 without any trouble, and the password authentication system 1 can use the resource 2 by a third party who does not know the legitimate password. Can be prevented.

  Here, when there is only one authorized user (when there is one password), authentication can be performed using only the password. However, the password authentication device 3 according to the present embodiment assigns passwords to a plurality of authorized users individually, Authentication is performed by a combination of a user ID (identifier) and a password for specifying each authorized user so that each can be individually authenticated.

  Specifically, the password storage unit 13 according to the present embodiment stores a combination of a regular user ID and a password in advance, and the password authentication device 3 is input by a card reader 16 as an input device. A user ID reception processing unit 17 for receiving a user ID. Further, the authentication processing unit 14 reads out the registration password Ps corresponding to the user ID received by the user ID reception processing unit 17 among the registered passwords stored in the password storage unit 13, and the registration password Ps. And the password Pi from the password reception processing unit 12 can be compared.

  In addition, the password authentication device 3 according to the present embodiment is provided with a display processing unit 19 that controls the display 18 as a means for presenting information to the user, and other members in the password authentication device 3 ( For example, in response to an instruction from the authentication processing unit 14 or the like, for example, a screen that prompts the user to input a password or a screen that indicates the success or failure of authentication is displayed on the display 18. it can.

  Furthermore, the password authentication device 3 according to the present embodiment is input by the following members, that is, the user in order to improve the convenience of a regular user while ensuring safety without significantly reducing safety. In response to the incorrect password Pi, for example, an authentication support processing unit (presentation means) that presents information (support information) for supporting the input of the next correct password by controlling the display processing unit 19 or the like. ) 31 is compared with two passwords Pi and Ps to be compared by the authentication processing unit 14, and a similarity rate calculating unit (control means) 32 for obtaining a similarity rate between them is calculated, and the similarity rate calculating unit 32 calculates And a support necessity determination unit (control means) 33 that determines whether or not the authentication support processing unit 31 requires authentication support based on the similarity rate.

  As the support information, various types of information can be considered as will be described later, but in the following, as an example, as shown in FIG. 2, a value is set between the registered password Ps and the entered incorrect password Pi. A case where information indicating the position of a digit that does not match is presented will be described. In this case, the authentication support processing unit 31 compares the two passwords Pi and Ps to be compared by the authentication processing unit 14, and the digit position where the values do not match, that is, the digit position that has been input incorrectly. And the display processing unit 19 is instructed to display the digit position. In FIG. 2, as an example of a digit position display method, a character (“*” in the example of the figure) indicating that is displayed at a correctly input digit position, and a mismatched digit position (for example, 10 In the (digit)), a case where an instruction to display an input character (for example, “q”) is shown.

  Various methods can be used for calculating the similarity rate, as will be described later. In the following, as an example, the number of matching digits itself or a value that changes according to the number of matching digits is calculated as the similarity rate. The case where it does is demonstrated. In this case, the similarity ratio calculation unit 32 compares the passwords Pi and Ps for each digit to determine whether each digit matches or does not match, and the matching digit number itself or, for example, the matching digit number / total A value that changes in accordance with the number of matching digits, such as the number of digits, is calculated as the similarity rate.

  Similarly, various methods can be considered as a method for determining whether or not authentication support is necessary, but in the following, as an example, the support necessity determination unit 33 is more similar than the threshold value set in advance. The case where it is determined that support is needed when the number of digits with the same similarity matches, or when it is a value that has a positive correlation with the similarity rate, it is greater than the threshold value. . In the following, a similarity rate that is more similar regardless of the value of the similarity rate is referred to as a higher similarity rate.

  The members 12 to 15, 17, 19, 31 to 33, and members 34b to 36f, 52, 54, 56, and 58 described later are stored in a storage device (not shown) by a CPU (Central Processing Unit) (not shown). This is a functional block realized by executing the programmed program and controlling peripheral circuits such as an input / output circuit (not shown). Of these, the storage units 13 and 34b to 36f may be storage devices such as memories.

  In the above configuration, in step 1 shown in FIG. 3 (hereinafter abbreviated as S1), the authentication processing unit 14 instructs the display processing unit 19, for example, as shown in FIG. It waits for the input of a password by displaying a screen for prompting the input of ID.

  When the password Pi and the user ID are input (YES in S1), the authentication processing unit 14 compares the password Pi with the registered password Ps stored in the password storage unit 13 in S2. Then, the user who entered the password Pi is authenticated.

  For example, when the authentication processing unit 14 detects the coincidence of both passwords Pi and Ps and succeeds in the authentication (YES in S2), the authentication processing unit 14 performs the authentication success process in S3 as For example, the display processing unit 19 is instructed to display the success of the authentication on the display 18, and the usage right control unit 15 is instructed to permit the user to use the resource 2, and then the authentication process is performed. finish.

  On the contrary, if the authentication fails (NO in S2), the similarity ratio calculation unit 32 calculates the similarity ratio of the passwords Pi and Ps in S4, and determines whether or not the support is necessary. In S5, it is determined whether or not both passwords Pi and Ps are similar, for example, by determining whether or not the similarity rate is higher than the threshold value.

  If they are not similar (NO in S5), the support necessity determination unit 33 determines that support is not required, and instructs the display processing unit 19 as an authentication failure process in S6, for example. Then, after performing a process such as displaying an authentication failure, the authentication process is terminated.

  On the other hand, when the similarity ratios are similar (YES in S5), the support necessity determination unit 33 determines that support is necessary. In this case, the authentication support processing unit 31 presents the support information to the user, for example, as shown in FIG. Pi input is supported, and thereafter, the processes after S1 described above, that is, input of password Pi, authentication, and necessity determination for authentication support are repeated.

  In the above-described configuration, for example, when the authorized user has entered a generally accurate password, such as when the authorized user has stored the correct password but has made a typo, the similarity calculation unit 32 Since the high similarity ratio is calculated and the support necessity determination unit 33 determines that the support is necessary, the authentication support processing unit 31 presents the support information to the user, so that the correct password by the user who entered the wrong password Pi is displayed. Support Pi input. As a result, the convenience of a regular user can be greatly improved.

  For example, when entering a password, the password authentication system 1 often does not display the entered password so that the third party who is near the user cannot recognize the password, and the user cannot recognize a typo. . Therefore, if a legitimate user makes a typo when trying to enter the correct password, and the password authentication system fails to authenticate in the same way as when a third party enters the wrong password, the user remembers the correct password. In spite of this, there is a possibility of misunderstanding that the memory is incorrect and repeating the input of another password, that is, an incorrect password. In many systems, if an incorrect password is entered repeatedly, it is determined that unauthorized access by a third party has been attempted. For example, even if the correct password is entered after that, authentication succeeds. Limit it not to let you. In this case, it is necessary for the authorized user to take a procedure for removing the restriction, for example, by contacting the system administrator to remove the restriction, which greatly impairs the convenience of the authorized user. End up.

  However, in the password authentication system 1 according to the present embodiment, since support information is presented when a legitimate user inputs a generally accurate password, misunderstanding of the legitimate user can be prevented. Furthermore, it becomes easier for a legitimate user to input the correct password Pi next time depending on the content of the support information. As a result, the convenience of a regular user can be greatly improved.

  On the other hand, in the present embodiment, the support necessity determination unit 33 authenticates by the authentication support processing unit 31 when the support necessity determination unit 33 determines that the similarity rate of the input password Pi is low (not similar). Support stops. Therefore, a third party who does not know the correct password and cannot input a password similar to the password cannot receive authentication support. Therefore, even though the convenience of legitimate users is greatly improved by the support of authentication, authentication against third-party attacks, that is, attacks that attempt to succeed by repeated password input The same level of safety as without assistance can be maintained.

  As a result, it is possible to realize the password authentication system 1 that can greatly improve the convenience of an authorized user while ensuring safety.

  In the above description, the case where the authentication support processing unit 31 displays an erroneously input digit position, that is, the case where the support information is the erroneously input digit position has been described as an example. The unit 31 may present information other than the digit position to the user as support information as long as the information can support the next password Pi input by the authorized user.

  For example, the authentication support processing unit 31 compares the two passwords Pi and Ps for each digit, specifies the position of the digit having a different value, and replaces the erroneously entered digit position with As shown in FIG. 5, information indicating a portion including the position of the digit among all the digits may be presented as support information. FIG. 5 illustrates the case where the above part is displayed by displaying “The password is incorrect except for *”. Moreover, the said part does not need to be continuous as long as it includes the digit inputted accidentally.

  When the registered password Ps is a random character string, the authentication support processing unit 31 displays the contents of a part of the input password (the digit value of the part) itself when displaying the above part as support information. May be displayed, but if it is a meaningful character string, if it is unknown whether it is a random character string, or if it is desired to more reliably prevent guesses by a third party, authentication support processing The unit 31 displays the content itself of a part of the input password in order to reduce the possibility of a third party guessing the remaining registered password Ps from the correctly input portion of the displayed content. Instead, for example, an erroneously input digit displays the content of the input digit itself, and the remaining part displays a random character string or a character indicating a correctly input part (see FIG. 5). In the example * ") Different character (for example, and," × "is better to such displays, etc.) desirable. Whether or not the above case is applicable may be set in the authentication support processing unit 31 in advance, but the authentication support processing unit 31 may determine from the registered password.

  In this way, when displaying information indicating a part including a digit position that has been entered incorrectly, as in the case where the support information is a digit position, if a legitimate user enters a slightly incorrect password, assistance is provided. By presenting the information, it is possible to recognize that an almost accurate password has been input, and to avoid the above-mentioned misunderstanding. This effect can also be obtained when the authentication support processing unit 31 displays the entire input password as support information.

  Furthermore, when the content of the support information is not the entire password but a part including a wrongly entered digit, the user must indicate that the wrongly entered digit position is one of those parts and the remaining part. I can recognize that it is not. In this way, a hint for determining the wrongly entered digit position is presented, so that the user enters the correct password at the next password entry, compared to the case where the wrongly entered digit position cannot be guessed at all. It becomes easy to do.

  In addition, as support information, not a wrongly entered digit position itself, but a hint to determine it is presented, so accidentally a third party enters a correct password and the support information is displayed. Even if it does, the third party can only know a hint for determining a digit position different from the correct password. Therefore, compared with the case where the digit position itself is presented, it is difficult for a third party who does not know the correct password to find the correct password, and the safety can be improved as compared with the case where the digit position itself is presented.

  As yet another example, the authentication support processing unit 31 compares the passwords Pi and Ps for each digit, calculates the number of digits having different values, and includes the digit position or the digit position described above. Instead of or in addition, for example, as shown in FIG. 5, this number may be presented as support information.

  Even in this case, a legitimate user can avoid the above-mentioned misunderstanding by presenting the support information itself, and, for example, based on the content of the support information, that is, the number of digits presented, It is possible to perform operations for entering a correct password, such as operating the keypad 11 with care not to change it, or changing and inputting digits that are relatively unconfident in the stored password. it can.

  Incidentally, in FIG. 3 described above, the case where the input acceptance process after the authentication support is the same as the first input acceptance process (S1) has been described as an example. An input reception process different from the input reception process may be performed.

  For example, in the case where the authentication support processing unit 31 presents information indicating a digit position erroneously input or a part including the digit position as support information, for example, the display processing unit 19 inputs the digit position or the part. The password authentication device 3 may prompt the input to the digit position or part by displaying a screen prompting the user on the display 18, and the password reception processing unit 12 may accept the input of the digit position or part. In this case, the authentication processing unit 14 considers that the remaining part is correctly input as in the previous case, and compares the input password Pi with the registered password Ps.

  In this case, when the password is input after the support information is presented, the user can input only the digit position that has been input incorrectly, or only the part that includes it, without entering the correct position. . Therefore, the operability can be improved and the possibility of typing errors can be reduced.

  On the other hand, in the above, the similarity calculation unit 32 compares the passwords Pi and Ps for each digit to determine whether or not they match, and the number of matching digits itself or changes accordingly. The case where the value is calculated as a similarity rate has been described as an example. However, how similar the passwords Pi and Ps are when viewed from a regular user who knows the correct password Ps, in other words, a regular user. If it is possible to determine the possibility that the user has entered the correct password Ps and entered the password Pi, the same effect can be obtained.

  For example, the similarity ratio calculation unit 32 according to the configuration example illustrated in FIG. 7 includes a similarity relationship table 32a in which similarity relationships between values that may be input as password digits, such as letters and numbers, are stored in advance. Referring to the similarity relationship table 32a, the passwords Pi and Ps are compared for each digit, the similarity rate of each digit is calculated, and the overall similarity rate of both passwords Pi and Ps is calculated based on the similarity rate. And a calculation unit 32b for calculation.

  In the similarity relationship table 32a, for example, combinations of values similar to each other are stored as similarity relationships between values as shown in FIG. In the example of FIG. 8, as combinations of values having similar external shapes, for example, a combination of a number “0” (zero) and an alphabet “o” (o), and an alphabet “v”, A combination with the letter “w” is stored. In FIG. 8, combinations of values having similar readings include a combination of the numeral “9” and the alphabet “q”, and a combination of the alphabet “m” and the alphabet “n”. Is remembered. Further, in the similarity relationship table 32a, combinations of alphabet “a” and alphabet “s” are stored as combinations of values having similar input positions.

  On the other hand, when the calculation unit 32b compares the passwords Pi and Ps for each digit and the combination of the values of the corresponding digits is stored in the similarity relationship table 32a, the two do not match. In addition, the similarity rate is set higher than when it is not stored in the similarity relationship table 32a. As an example, in the former case, the calculation unit 32b sets a predetermined value for the former case as the similarity rate, and in the latter case, the calculation unit 32b sets the value lower than the value for the former case. The set value is set as the similarity rate.

  Here, when a password is sent from the system administrator to a legitimate user in a document, or when a legitimate user records the password in a document such as a memo, the legitimate user who has read them has a similar external shape. There is a risk of misunderstanding. Therefore, a legitimate user, unlike a third party who does not know the legitimate password, when entering a digit in the password, has a value that is similar in shape to a value that is not similar to the correct value. It is easy to input wrong.

  Similarly, when a password is communicated by voice from a system administrator to a legitimate user, or when a legitimate user memorizes the password with sound (reading), the legitimate user reads the digit with the password in a similar manner. There is a risk of misinterpretation of the value. Therefore, a legitimate user, unlike a third party who does not know the legitimate password, has a similar reading when entering a digit in the password, rather than a reading that does not resemble the correct value. It is easy to input wrong.

  Also, legitimate users, unlike third parties who do not know the legitimate password, incorrectly enter a value at a close position when entering a digit with a password compared to a position away from the correct position. It ’s so easy.

  Thus, a legitimate user who knows a legitimate password is more likely to input a password that is similar to the legitimate password than a password that is not similar in outline, reading or position.

  Here, as described above, in the configuration in which the similarity rate is uniformly set, a value that is likely to be erroneously input by a legitimate user and a value that is difficult to be erroneously input are set to the same similarity rate. It is difficult to improve the adequacy of For example, if the support information is presented even in the case of a similarity rate that is not very similar in order to improve the convenience of a legitimate user, the support information may be erroneously presented to a third party. . On the other hand, if the support information is presented only in the case of a higher similarity rate in order to improve safety, the support necessity determination unit 33 does not need to present the support information even though a regular user inputs the information. There is a risk of judging.

  On the other hand, the similarity ratio calculation unit 32 according to the configuration example illustrated in FIG. 7 stores a similar value of an outer shape, a reading, or an input position as a certain value in the similarity relationship table 32a. The unit 32b sets a similarity rate higher when a similar value is input than when a non-similar value is input, so that an authorized user who knows a valid password is likely to make an error input. The similarity rate of a predetermined password can be set higher than the similarity rate of other passwords that are difficult to input incorrectly.

  Here, since a third party does not know a legitimate password, a password that is easy to be entered by the third party is different from a password that is legitimately entered by a legitimate user, and a password that is difficult to be entered by a third party is also included. The password is different from that of a legitimate user.

  As a result, by setting the similarity rate as described above, it is possible to calculate the similarity rate only for legitimate users, unlike the configuration that is uniformly set as described above, and erroneously presenting support information to a third party. It is possible to relatively easily set a threshold value at which support information can be presented only to legitimate users without increasing the possibility.

  Thereby, when an incorrect password is inputted, it can be judged more accurately whether or not the user who inputted the password Pi is a legitimate user, and the support information can be presented only to legitimate users more reliably. .

  In the above description, the case where the similarity rate when stored in the similarity relationship table 32a is a constant value and the similarity rate when not stored is also a constant value has been described as an example. It is not a thing. In the above description, the case where the similarity relationship is stored as a table has been described as an example. However, the storage method is not limited to this, and for example, a correct value and a similarity rate corresponding to the input value are output. You may memorize | store by other methods, such as the program programmed in. For example, in association with each combination described above, the correct value and the input value are stored in the similarity table 32a in the similarity ratio in the case of the combination, and the calculation unit 32b stores the similarity in association with the combination corresponding to both. Different similarity ratios may be set for each combination of the correct value and the input value, for example, by setting the calculated similarity ratio as the similarity ratio between the two. Also, for example, in order to change the similarity rate according to the input position, the distance between the correct input position and the input position of the actually input value is calculated, and the longer the distance, the lower the similarity rate is set. May be. In any case, the same effect can be obtained even if stored in another method, as long as a predetermined similarity rate can be set corresponding to the correct value and the input value.

  In the above description, the case where the similarity ratio calculation unit 32 compares each digit of both passwords Pi and Ps is described as an example regardless of whether or not the similarity relationship table 32a is provided. However, the present invention is not limited to this. .

  For example, as an erroneous input pattern, it is conceivable to input by skipping digits. For example, when the registered password Ps is “30870”, the digit skip means that the registered password Ps is input by skipping one digit as in the case of inputting “3870” as the password Pi. ing. In preparation for this case, if the length of the password Pi is shorter, the similarity ratio calculation unit 32 estimates that any digit of the input password Pi is skipped and changes the estimated position. However, the shift of the password Pi after the estimated position and the comparison of both passwords Pi and Ps for each digit are repeated to calculate the similarity, and the digit at the estimated position when the similarity is the highest It may be determined that it has been skipped, and the highest similarity rate may be output as the similarity rate. Similarly, since it is conceivable that a large number of digits are input as an erroneous input pattern, the similarity ratio calculation unit 32 determines that, when the password Pi is longer, Estimate that one of the digits was input, and while changing the estimated position, repeat the deletion of the digit of the password Pi at the estimated position and the comparison for each digit of both passwords Pi and Ps to calculate the similarity rate Then, it may be determined that the digit has been skipped at the estimated position when the similarity rate is the highest, and the highest value of the similarity rate may be output as the similarity rate. Further, the similarity ratio calculation unit 32 adjusts the maximum value of these similarity ratios by a predetermined amount as a value when digits are skipped or extra input, and the value after adjustment May be output as the similarity ratio.

  In this case, when the authentication support processing unit 31 presents the support information, the digit position is determined based on the position estimated by the similarity calculation unit 32 to have the digits skipped or extra input. Alternatively, the part including the digit position may be presented. Further, support information similar to the case where an incorrect value is input may be presented at a position where a digit has been skipped or at an excessively input position. Further, instead of or in addition to the above-described digit position, the portion including the digit position, and the number of digits, the number of mismatched digits may be presented as support information. Even in this case, since the support information itself is not presented when the similarity rate is low, a reduction in safety can be suppressed. Further, instead of comparing for each digit, a plurality of digits may be compared in pairs.

  In any case, the similarity rate calculation unit 32 can calculate the similarity rate of both passwords Pi and Ps based on both passwords Pi and Ps, and the support necessity determination unit 33 can calculate based on the similarity rate. The same effect can be obtained if it is possible to accurately determine whether or not the user who has entered the password Pi is a legitimate user.

  In the above description, the similarity relationship table 32a is described as an example in which similar relationships common to all users are stored. However, the present invention is not limited to this, and similar relationships are stored individually for each user. Also good. Thereby, it is possible to store the ease of error for each user (similarity relationship for the user), and more accurately determine whether or not the user is a regular user. Here, the similarity relationship may be registered in advance, and the password authentication device 3 may input an incorrect password Pi, for example, when the correct password Pi is input or from the administrator of the password authentication system 1. When the instruction that the user who repeated the above is a legitimate user is received, the similarity relationship may be updated based on the erroneously entered password Pi.

  In the above description, the case where the support necessity determination unit 33 determines only the necessity of authentication support and the authentication support processing unit 31 always presents support information created by the same method has been described as an example. This is not a limitation. For example, if the authentication support processing unit 31 can create support information by a plurality of methods, such as the case where the number of digits, a part including a digit position that has been input incorrectly, and the digit position itself can be presented, whether or not support is required The determination unit 33 may instruct the authentication support processing unit 31 as to which support information should be created according to the similarity rate as well as the necessity of authentication support. In this case, the password authentication device 3 can present support information having contents corresponding to the similarity rate. In any case, the same effect can be obtained if the support necessity determination unit 33 can prevent the support information from being presented by the authentication support processing unit 31 when the similarity rate is low.

  In the present embodiment, the case where the input device for inputting the password Pi is the keypad 11 connected to the password reception processing unit 12 of the password authentication device 3 has been described as an example. However, if the password Pi can be input, For example, the same effect can be obtained even when other input devices such as a keyboard and a pointing device are used.

  However, if the input device for inputting the password Pi is the small keypad 11 with a small number of keys, a typo is likely to occur, and the password authentication system authenticates in the same manner as when a third party inputs an incorrect password. The harmful effect of failing to do is great. Therefore, in the case of an input device that is easy to be mistyped, such as the keypad 11 according to the present embodiment or an input device that combines a key displayed on the screen and a touch panel, a particularly great effect is obtained.

  Similarly, in the present embodiment, the case where the input device for inputting the user ID is the card reader 16 connected to the user ID reception processing unit 17 of the password authentication device has been described as an example, but if the user ID can be input, Similar to the password Pi input device, other input devices may be used, and the same device as the password input device may be used. However, when the card reader 16 is used as in the present embodiment, a card such as an IC card in which a user ID is recorded in advance is inserted into the card reader 16 or placed near the card reader 16. Thus, since the user ID can be input simply by causing the card reader 16 to read the information recorded on the card, it is possible to reduce the trouble of inputting the user ID as compared with the case where the user inputs the user ID.

  Furthermore, in the above description, the case where the user of the password authentication device 3 inputs the password and the user ID has been described as an example. However, as in the password authentication system 1 shown in FIG. 1, the password and the user ID are input via the network. It may be configured to be able to.

  Specifically, the password authentication system 1 is provided with a terminal 5 that can be connected to the password authentication device 3 via a network 4 such as a local area network, for example. 4 is provided with a network interface (IF) 20 for connection to the network 4.

  On the other hand, the terminal 5 is a member similar to the keypad 11, the password reception processing unit 12, the card reader 16, the user ID reception processing unit 17, the display processing unit 19, and the network IF 20 of the password authentication device 3, that is, the keypad 51, A password reception processing unit 52, a card reader 53, a user ID reception processing unit 54, a network IF 55, and a control unit 56 for controlling each member (for example, members 51 to 55) of the terminal 5 are provided. The unit 56 can instruct the network IF 55 to transmit the password and user ID input by the keypad 51 and the card reader 53 to the password authentication device 3.

  Thereby, the password reception processing unit 12 and the user ID reception processing unit 17 of the password authentication device 3 are input at the terminal 5 in the same manner as when the password and the user ID are input from the keypad 11 and the card reader 16. The network IF 20 receives the password and the user ID received, and based on them, the user who inputs them can be authenticated.

  Further, similarly to the display processing unit 19 of the password authentication device 3, the terminal 5 includes a display processing unit 58 that controls the display 57 in accordance with instructions from other members (for example, the control unit 56) in the terminal 5. Is provided. On the other hand, instead of controlling the display 18, the display processing unit 19 of the password authentication device 3 can cause the network IF 20 to transmit data indicating display contents to the terminal 5. The control unit 56 of the terminal 5 The display content indicated by the data received by the network IF 55 can be displayed on the display 57. Thus, even when a password is input via the network, the password authentication system 1 displays, for example, a screen indicating the success or failure of authentication or support information to the user who has input the password (the user of the terminal 5). Various information can be presented, for example, by displaying a screen.

[Second Embodiment]
In the first embodiment, the case where the password authentication device 3 determines the necessity of presenting support information based on the similarity ratio calculated from both passwords Pi and Ps has been described. However, in the present embodiment, registration is performed. A case will be described in which it is determined whether or not it is necessary to present support information in consideration of whether or not the password Ps is a password Pi set by the user.

  That is, in the password authentication device 3b according to the present embodiment, as shown in FIG. 9, in addition to the configuration of the password authentication device 3 according to the first embodiment, a type information storage that stores the type of each registered password Ps. A portion 34b is provided.

  For example, as shown in FIG. 10, the type information storage unit 34b stores type information indicating whether or not the registered password Ps is a password set by the user, corresponding to each registered password Ps. ing. FIG. 10 illustrates an example in which the password storage unit 13 and the type information storage unit 34b are integrated to store a table storing combinations of user IDs, registered passwords Ps, and type information. ing.

  On the other hand, in the present embodiment, the support necessity determination unit 33b provided in place of the support necessity determination unit 33 performs substantially the same operation as the support necessity determination unit 33. However, when determining the necessity, The difference is that the type information stored in the type information storage unit 34b is also referred to.

  Further, the authentication processing unit 14 updates the type information in the type information storage unit 34b and updates the type information when the password reception processing unit 12 receives an input of a new registered password Ps by a legitimate user. ("Manual" in the example of FIG. 10). On the other hand, when the authentication processing unit 14 detects that an authorized user has instructed automatic password generation by an input device such as the keypad 11, the authentication processing unit 14 updates the type information in the type information storage unit 34b to indicate automatic generation. The value can be changed to “Auto” in the example of FIG.

  In the above configuration, substantially the same steps as in the case of the first embodiment (see FIG. 3) are performed, but in this embodiment, as shown in FIG. 11, before the step (S4) of calculating the similarity rate. Steps S11 to S14 for determining whether or not authentication support is necessary according to the type information are provided.

  Specifically, the support necessity determination unit 33b according to the present embodiment extracts the type information of the registered password Ps from the type information storage unit 34b in S11. Furthermore, if the type information indicates that the type information is automatically generated, that is, it is not a user-generated password (NO in S12), the support necessity determination unit 33b determines that authentication support is not required (S13). In this case, an authentication failure process is performed in S6 as in the case where it is determined that the authentication is unnecessary from the viewpoint of the similarity rate. On the other hand, if the type information indicates user generation (YES in S12), the support necessity determination unit 33b determines that authentication support is required from the point of type information (S14). In this case, the processing after S4 is performed, and it is determined whether or not authentication support is necessary based on the similarity rate.

  Note that S11 to S14 may be performed at any time as long as they are executed before S7, but if they are executed before S4, if it is determined that authentication support is unnecessary based on the type information, Since the calculation of the similarity rate itself can be omitted, the calculation amount of the password authentication device 3b can be reduced.

  In this configuration, attention is paid to the fact that a legitimate user is more likely to forget the automatically generated registration password Ps than the password Ps set by the user himself. When the user generation is indicated, the presentation of the support information is blocked.

  Thus, the password authentication device 3b according to the present embodiment stores whether or not the type of the registered password Ps is a type that is highly likely to be forgotten by the user, and is a type that is unlikely to be forgotten. Since the support information is prevented from being presented, it is possible to more appropriately determine whether or not authentication support is required, compared to a configuration that uniformly determines whether or not authentication support is required regardless of the type of password.

  In the above description, the case where the support necessity determination unit 33b refers to the type information storage unit 34b and changes the necessity of authentication support according to the type information has been described as an example. The necessity of authentication support by the support necessity determination unit may be changed by referring to the type information storage unit 34b and changing the similarity rate according to the type information.

  In the above description, the support necessity determination unit 33b determines that authentication support is not required when the type information is user-generated. For example, in the case of user generation, the support necessity determination unit 33b determines the similarity rate. The threshold information may be set higher than in the case of automatic generation, or the similarity ratio calculation unit 32 may calculate the similarity ratio higher than that in the case of automatic generation so that the support information can be presented easily.

  In the above description, the case where the type information is user-generated or automatically generated has been described as an example. However, the present invention is not limited to this, and if the type information correlates with whether a legitimate user is easy to forget, the same applies. The effect is obtained. In addition, it is possible to store the type information correlated with the risk when the registered password Ps is known to a third party, not whether or not a legitimate user is easy to forget. In general, among the registered passwords Ps, for example, there is a registered password Ps of a type that causes little damage even if known to others, such as a password for accessing a specific homepage, for example, a password of a bank or a credit card. There are also types of registered passwords Ps that are extremely risky when known to others, such as numbers. Therefore, the type information storage unit 34b stores type information correlated with the level of risk, and in the case of high-risk type information, the support necessity determination unit 33b prevents the support information from being presented or the risk is low. By making it difficult to present support information as compared to the case of type information, it is possible to more appropriately determine whether or not authentication support is required compared to a configuration that uniformly determines whether or not authentication support is required.

  Regardless of the method for determining whether authentication is necessary or the type information to be stored, if the support necessity determination unit can change the authentication support necessity determination according to the type information in the type information storage unit 34b, Similar effects can be obtained.

[Third Embodiment]
In the second embodiment, the case where the necessity of authentication support is changed according to the type of the registered password Ps has been described as an example. However, in the present embodiment, the contents of the registered password Ps and the personal information are changed. A configuration for changing the necessity of authentication support according to the comparison result will be described. Although this configuration can be applied to both the first and second embodiments, a case where it is applied to the first embodiment will be described below as an example.

  That is, in the password authentication device 3c according to the present embodiment, as shown in FIG. 12, a personal information storage unit 35c that stores personal information of a legitimate user is provided instead of the type information storage unit 34b shown in FIG. ing. As personal information, for example, an address, a telephone number, a date of birth, and the like are stored.

  In this embodiment, since there are a plurality of authorized users, the personal information is stored in association with the user ID or the registered password Ps, and the support necessity determination unit 33c receives the password Pi from the personal information storage unit 35c. Can be read out, that is, personal information stored in association with the user ID input together with the password Pi, or personal information related to the registered password Ps corresponding to the user ID.

  On the other hand, a support necessity determination unit 33c provided in place of the support necessity determination unit 33b includes the user's personal information stored in the personal information storage unit 35c and the registered password Ps stored in the password storage unit 13. And the necessity of authentication support is determined according to the comparison result.

  Here, it is widely known that if the personal information itself is used as a password, it is highly likely that it is likely to be guessed by a third party and dangerous, but it is difficult to memorize a password that has nothing to do with it. In some cases, a registration password Ps similar to the personal information is set, such as changing a part of the personal information or adding some information to the personal information.

  In this case, since it is highly possible that a third party can guess a password similar to the regular password Ps, the comparison of both passwords Pi and Ps as in the first and second embodiments described above. If the necessity of authentication support is determined based only on the result, authentication by a third party is also supported, and the registered password Ps may be known to the third party.

  On the other hand, in the present embodiment, as shown in FIG. 13, similarly to the second embodiment, the processes of S21 to S24 are provided before S4 (or before S7) shown in FIG. Whether authentication support is necessary or not is determined according to the comparison result between the personal information and the registered password Ps. Specifically, in S21, the support necessity determination unit 33c reads the personal information from the personal information storage unit 35c, and in S22, compares the personal information with the registered password Ps according to a predetermined procedure. Based on the personal information, it is analyzed whether it is easy to guess a password similar to the registered password Ps to the extent that support information is presented. As a result of the analysis, if it is determined that it is easy (NO in S22), the support necessity determination unit 33c determines in S23 that authentication support is not required. In this case, the processes after S7 are performed, and the password authentication device 3c ends the process without providing authentication support.

  On the other hand, if it is determined that it is not easy (YES in S22), the support necessity determination unit 33c determines that authentication support is necessary in S24, and after S4, as in the second embodiment. The necessity of authentication support based on the similarity rate is determined.

  As described above, the password authentication device 3c according to the present embodiment stores personal information, and when the password similar to the registered password Ps can be easily estimated from the personal information to the extent that support information can be presented, Prevent the presentation of information. Therefore, it is possible to reduce the possibility that the correct password Ps is guessed by presenting the support information to a third party, and the safety can be improved.

  In this embodiment as well, as in the second embodiment, the similarity calculation unit 32 refers to the personal information storage unit 35c, compares the personal information with the registered password Ps, and determines the similarity according to the analysis result. The necessity of authentication support by the support necessity determination unit may be changed by changing. In addition, the threshold when the support necessity determination unit determines the similarity rate is set higher, or the similarity rate calculation unit 32 calculates the similarity rate lower, so that it can be easily estimated. It may be difficult to present support information. In any case, the same effect can be obtained if the support necessity determination unit can change the authentication support necessity determination according to the personal information stored in the personal information storage unit 35c.

[Fourth Embodiment]
In the first to third embodiments, the password Pi that is input by the user has been described as the password that affects the determination of whether or not authentication is required. In the embodiment, a configuration for determining whether or not authentication is necessary will be described with reference to a history of previous authentication failures. Note that these configurations can be applied to any of the first to third embodiments, but in the following, a case where the configuration is applied to the first embodiment will be described as an example.

  That is, as shown in FIG. 14, the password authentication device 3d according to the present embodiment has a history storage unit that stores the number of failures as a history of authentication failures so far (failure history) in addition to the configuration shown in FIG. 36d. Further, a support necessity determination unit 33d provided in place of the support necessity determination unit 33 performs substantially the same operation as the support necessity determination unit 33, but the history storage is performed when the necessity of authentication support is determined. If the number of failures stored in the unit 36d is referred to and the number of failures is large, authentication support can be blocked. As a result, even if support information can be presented to a legitimate user, authentication support is not performed when the number of failures is large, that is, when there is a high possibility that a third party has repeatedly entered a trial password. Therefore, the security at the time of password authentication can be improved.

  More specifically, in the present embodiment, the history storage unit 36d stores the number of failures as shown in FIG. 15, for example. In this embodiment, since there are a plurality of users, the number of failures is stored in association with the user ID, and the support necessity determination unit 33d stores the number of failures associated with the user ID input together with the password Pi in the history. By reading from the unit 36d, the number of failures of the user who is currently inputting the password Pi (more precisely, the user who is inputting the user ID) can be acquired.

  Further, when the authentication with the input password Pi fails, the authentication processing unit 14 updates the area in which the number of failures of the user who has input the password Pi is stored in the storage area of the history storage unit 36d. The number of failures can be counted. In this case, the part of the authentication processing unit 14 that counts the number of failures corresponds to the control means described in the claims.

  In the above configuration, similarly to the second embodiment, the processing of S31 to S34 shown in FIG. 16 is provided before S4 shown in FIG. 3 (or before S7). The necessity of authentication support is determined. Specifically, in S31, the support necessity determination unit 33d reads the number of failures from the history storage unit 36d, and in S32, for example, compares the number of failures with a predetermined threshold value. It is determined whether the number of times is large. When it is determined that the number of failures is large (YES in S32), the support necessity determination unit 33d determines that authentication support is not required in S33. In this case, the processes after S7 are performed, and the password authentication device 3d ends the process without providing authentication support.

  On the other hand, when it is determined that the number of failures is small (NO in S32), in S34, the support necessity determination unit 33d determines that authentication support is necessary, and in the same manner as in the second embodiment, S4 and subsequent steps. In, it is determined whether or not authentication support is necessary based on the similarity rate.

  As described above, the password authentication device 3d according to the present embodiment stores the number of failures, and when the number of failures is large, presentation of support information can be prevented regardless of the similarity of both passwords Pi and Ps. As a result, it is possible to prevent a third party from continuing to make a trial input while referring to the support information, thereby improving safety. For example, when the threshold for determining the number of failures is 10, until the number of authentication failures reaches 10, the support information is not presented according to the similarity between the passwords Pi and Ps. However, if the number of passwords Pi and Ps is high, the support information can be prevented from being presented and the safety can be improved.

  Here, the case where the total is stored as the number of failures has been described above. However, instead of or in addition to the total, the number of consecutive failures by the authentication processing unit 14 as the number of failures to the history storage unit 36d. May be stored, and the necessity determination part 33d for support may change the necessity for authentication support according to the number of consecutive failures.

  The number of consecutive failures is the number of authentication failures that have been repeated at a time close to the time point at which the password Pi is currently input. For example, the authentication processing unit 14 previously stores the number of failures. When a predetermined time elapses after updating the value of the value, the value of the area is reset, or when a predetermined time elapses after recording of the number of failures, the number of failures is stored. It is counted by resetting the value of the existing area.

  As a result, when the password Pi is continuously input, that is, when the same person repeatedly inputs the password Pi and the authentication continues to fail, presentation of support information is prevented. It is possible to prevent the third party from making a trial input more accurately while referring to the support information more accurately, and the safety can be improved.

  In the above description, the case where the number of failures is stored in the history storage unit 36d has been described as an example of the method for storing the number of failures. However, the method is not limited to this as long as the number of failures can be stored. For example, each time authentication fails, the authentication processing unit 14 may store the number of failures by accumulating time information indicating the failed time in the history storage unit 36d. In this case, the support necessity determination unit 33d can acquire the total number of failures based on the number of time information stored in the history storage unit 36d. In this case, the support necessity determination unit 33d extracts time information close to the current time from the time information stored in the history storage unit 36d, or the adjacent time between the current time and the time information. By extracting time information such that only time information having a short time difference from the information exists, the number of consecutive failures can be acquired. Further, when a predetermined time has elapsed since the authentication processing unit 14 updated the value of the area storing the number of failures last time, the time information accumulated in the history storage unit 36d is reset. Thus, when the number of failures is stored, the support necessity determination unit 33d can acquire the number of times of failure continuously according to the number of time information accumulated in the history storage unit 36d.

  Further, in the present embodiment as well, as in the second embodiment, the similarity calculation unit 32 changes the similarity according to the number of failures acquired by referring to the history storage unit 36d, thereby determining the necessity for support. Whether or not authentication support is necessary may be changed. In addition, the greater the number of failures, the higher the threshold when the support necessity determination unit determines the similarity rate, or the similarity rate calculation unit 32 calculates the similarity rate lower. It may be difficult to present support information. In any case, the same effect can be obtained if the support necessity determination unit can change the authentication support necessity determination according to the number of failures in the history storage unit 36d.

[Fifth Embodiment]
In the present embodiment, a configuration will be described in which information indicating the similarity between both passwords Pi and Ps when a failure occurs is stored as a failure history. Note that these configurations can be applied to any of the first to fourth embodiments, but in the following, a case where the configuration is applied to the first embodiment will be described as an example.

  By the way, when the time when the previous password Pi0 is input is close to the current time, it is highly likely that the same person has input both the previous and current passwords Pi0 and Pi. Further, if the authorized user inputs, it is estimated that the previous password Pi0 and the current password Pi have high similarity. On the other hand, if the similarity of the previous password Pi0 is low even if the same person is inputting, even if the similarity of the current password Pi is high, it is a coincidence and is input by a third party. In this case, if authentication is supported, there is a possibility that support information may be presented to a third party.

  On the other hand, the password authentication device 3e according to the present embodiment, as shown in FIG. 14, in addition to the configuration shown in FIG. 1, information indicating the similarity between the passwords Pi and Ps when the failure occurs as a failure history. Is stored in the history storage unit 36e. Further, a support necessity determination unit 33e provided in place of the support necessity determination unit 33 performs substantially the same operation as the support necessity determination unit 33. However, the history storage is performed when determining the necessity of authentication support. If the time when the password Pi0 stored in the unit 36e is input is close to the current time, and the similarity between the password Pi0 and the registered password Ps is low, authentication support can be prevented. As a result, the possibility of presenting support information to a third party can be reduced, and the security at the time of password authentication can be improved even though the support information can be presented to a legitimate user.

  More specifically, for example, as shown in FIG. 17, the history storage unit 36e according to the present embodiment includes the password Pi itself at the time of failure as information indicating the similarity between the passwords Pi and Ps at the time of failure. An area to be stored is provided, and the authentication processing unit 14 can write the password Pi as the password Pi0 in the history storage unit 36e when authentication by the password Pi fails. In this case, a part of the authentication processing unit 14 that writes the password Pi0 corresponds to the control means described in the claims.

  The history storage unit 36e stores time information indicating the time when the password Pi0 is input in association with the password Pi0, and the authentication processing unit 14 also writes the time information together with the password Pi0. be able to. In this embodiment, since there are a plurality of users, the password Pi0 and the time information are stored in association with the user ID, and the support necessity determination unit 33e has the password Pi0 associated with the user ID input together with the password Pi. By reading out the time information from the history storage unit 36e, the password Pi0 and time information of the user who is currently inputting the password Pi (more precisely, the user who is inputting the user ID) can be acquired. Further, the support necessity determination unit 33e according to the present embodiment instructs the similarity calculation unit 32 to calculate the similarity between the password Pi0 acquired by itself and the registered password Ps stored in the password storage unit 13. Thus, the necessity of authentication support can be determined based on the similarity rate.

  In the above configuration, similarly to the second embodiment, the processing of S41 to S46 shown in FIG. 18 is provided before S4 shown in FIG. 3 (or before S7). The failure history of the history storage unit 36e is sometimes referred to. Specifically, in S41, the support necessity determination unit 33e reads the password Pi0 and the time information as the failure history from the history storage unit 36e, and in S42, based on the time information, the current password Pi is input. It is determined whether or not the authentication failure is repeated once in succession. As an example, if the period from the time indicated by the time information to the time when the password Pi is input this time does not exceed a predetermined time, the support necessity determination unit 33e performs the above repetition once. If it is determined that there is a period of time or more, it is determined that the repetition is not once.

  For example, when a user who has not taken his / her seat enters the password Pi for the first time, the failed password is not used once during the above repetition, as in the case where the elapsed time since the user entered the password Pi is long. In the case of the first continuous input (YES in S42), the support necessity determination unit 33e determines in S43 that authentication support is unnecessary. In this case, the processes after S7 are performed, and the password authentication device 3e ends the process without providing authentication support.

  On the other hand, when it is determined that the current input is one time during the repetition (NO in S42), the support necessity determination unit 33e instructs the similarity ratio calculation unit 32 in S44 to enter the password Pi0. The similarity rate with the registered password Ps is calculated.

  If it is determined that the similarity rate is high by comparing the similarity rate with a predetermined threshold value (YES in S45), the support necessity determination unit 33e determines authentication support in S46. As in the second embodiment, it is determined whether or not authentication support is necessary based on the similarity ratio between the passwords Pi and Ps after S4.

  On the other hand, if it is determined that the similarity rate is low, such as when the similarity rate between the password Pi0 and the registered password Ps is lower than the threshold value (NO in S45), a support necessity determination unit 33e performs the process of S43. Thereby, the process after S7 is performed and the password authentication apparatus 3e complete | finishes a process, without providing authentication assistance.

  In the above description, the case where the password Pi itself is stored when the history storage unit 36e has failed has been described as an example. However, if the information indicates the similarity between the passwords Pi and Ps when the failure occurs, for example, The same effect can be obtained by storing other information such as the similarity calculated in S44.

  In the above description, time information indicating the time when the previous password Pi0 was input is stored as information for determining whether or not the time when the password Pi0 stored in the history storage unit 36e is close to the current time. However, for example, when a predetermined time has elapsed since the password Pi was input last time, the information for determining the above is stored by resetting the area in which the password Pi0 is stored. May be. In this case, the support necessity determination unit 33e can determine that the input time of the previous password Pi0 is close to the current time based on the information that the area storing the password Pi0 has not been reset.

  Alternatively, the history storage unit 36e may store the number of continuous inputs as the above information in association with each password Pi0, for example, as shown in FIG. For example, when the password Pi is input, and the number of continuous inputs is stored in the history storage unit 36e, and the authentication processing unit 14 next receives an input of the password Pi. Then, it is determined whether or not a predetermined time has elapsed from the above time, and if it has not elapsed, it is updated by increasing the number of continuous input of the previous password Pi by one. On the other hand, if it has elapsed, the number of continuous inputs of the current password Pi is reset to an initial value (for example, 1). In the case of this configuration, the support necessity determination unit 33d determines whether the time when the password Pi0 stored in the history storage unit 36e is input is close to the current time depending on whether the number of continuous inputs in the history storage unit 36e is an initial value. Since it can be determined whether or not, the amount of calculation at the time of determination can be reduced. If the number of times of continuous input is stored, it is not necessary to store time information for each password Pi0. However, FIG. 19 illustrates a case where time information is also stored to reduce the amount of calculation at the time of determination. .

  Furthermore, in the above description, the case where the similarity rate between the previous password Pi0 and the registered password Ps is compared has been described. However, as long as the password Pi is a failure, it is not limited to the previous time, and the history storage unit 36e The password Pi from the previous time to the previous time is stored for a predetermined number of times, and the support necessity determination unit 33e evaluates all the similarities between these passwords Pi and the registered password Ps with a predetermined evaluation function. Based on the result, the necessity of authentication support may be changed.

  Also in this embodiment, similarly to the second embodiment, the similarity ratio calculation unit 32 refers to the history storage unit 36e and changes the similarity ratio, so that the necessity of authentication support by the support necessity determination unit is necessary. May be changed. In addition, the lower the similarity between the password at the time of the failure and the registered password Ps, or the longer the elapsed time since the input of these passwords, the more the support necessity determination unit determines the similarity rate. It may be difficult to present the support information by setting the threshold value higher, or by calculating the similarity rate lower by the similarity rate calculation unit 32. In any case, the same effect can be obtained if the support necessity determination unit can change the authentication support necessity determination according to the failure history of the history storage unit 36e.

[Sixth Embodiment]
In the present embodiment, a configuration will be described in which a plurality of passwords Pi at the time of failure are stored as the failure history, and the necessity of authentication support is changed according to the patterns. These configurations can be applied to any of the first to fifth embodiments. Hereinafter, a case where the configuration is applied to the first embodiment will be described as an example.

  By the way, since a regular user and a third party differ in whether or not they know the registered password Ps, in many cases, the pattern of the password Pi input when repeated authentication failures are mutually different. Is different.

  For example, when a legitimate user inputs a password Pi similar to the legitimate password due to a typo or a temporary memory difference, the user knows the registered password Ps, so be careful not to make a typo The password Pi is input after confirming the storage, confirming the record (memo etc.) of the registered password Ps if necessary. Accordingly, even if the authentication fails continuously, the password Pi input at that time has the following pattern, that is, the passwords Pi are similar to each other, or all of the passwords Pi are registered passwords. In many cases, the pattern is similar to Ps or converges to the registered password Ps when the passwords Pi are arranged in the order of input. On the other hand, since the third party does not know the registration password Ps, it is difficult to input with the above-mentioned pattern. In particular, as support information, when presenting a portion including a difference in the lengths of both passwords Pi and Ps, the number of digits entered incorrectly, or a position including a digit position entered incorrectly, even if the support information is presented, A third party cannot fully utilize support information, and it is difficult to input in the above pattern. In addition, unlike a regular user, a third party who does not know the registered password Ps may try to reach the registered password Ps repeatedly by repeatedly trying to input the password Pi.

  On the other hand, as shown in FIG. 14, the password authentication device 3f according to the present embodiment includes a history storage unit 36f that stores a password Pi group at the time of failure as a failure history in addition to the configuration shown in FIG. . Further, a support necessity determination unit 33f provided in place of the support necessity determination unit 33 performs substantially the same operation as the support necessity determination unit 33. However, the history storage is performed when the necessity of authentication support is determined. With reference to the password Pi group stored in the unit 36f, the necessity of authentication support can be changed according to whether or not these patterns match a previously registered pattern.

  As a result, the password authentication device 3f is configured so that the user who has failed in the authentication continuously is compared with a configuration in which the necessity of authentication support is determined based on only the password Pi input this time without analyzing the pattern. Therefore, it is possible to more accurately determine whether or not the user is a regular user, and support information can be presented only to the regular user. As a result, the possibility of presenting support information to a third party can be reduced, and the security at the time of password authentication can be improved even though the support information can be presented to a legitimate user.

  More specifically, as in the history storage unit 36e, the history storage unit 36f according to the present embodiment is provided with an area for storing the password Pi when it fails as shown in FIG. When the authentication by the password Pi fails, the password Pi can be written as the password Pi0 in the history storage unit 36f. The history storage unit 36f stores time information indicating the time when the password Pi0 is input in association with the password Pi0, and the authentication processing unit 14 also writes the time information together with the password Pi0. be able to. In this embodiment as well, as in the fifth embodiment, these passwords Pi0 and time information are stored in association with the user ID.

  The contents and number of patterns registered in the support necessity determination unit 33f can be arbitrarily set, but the support necessity determination unit 33f according to the present embodiment includes, for example, the following four patterns as the patterns. It is registered.

  The first pattern is a pattern that “the similarity rate between consecutive passwords Pi0 that have failed in authentication is high”. The support necessity determination unit 33f calculates, for example, the similarity rate between passwords Pi0. To the similarity ratio calculation unit 32 and the like, and the similarity ratio between the passwords Pi0 is calculated, for example, whether or not these similarity ratios respectively exceed a predetermined threshold, or these Whether or not the first pattern is matched by determining whether or not the similarity rate is high by determining whether the average of the similarity rate exceeds a predetermined threshold value or the like Can be determined. Then, if the support necessity determination unit 33f matches the first pattern, it can be determined that this pattern requires authentication support.

  The second pattern is a pattern that “the similarity rate between the password Pi0 and authentication password Ps that have been continuously failed in authentication is high”, and the support necessity determination unit 33f, for example, each password Pi0 and the registration password The similarity ratio between the password Pi0 and the registered password Ps is calculated by instructing the similarity ratio calculation unit 32 to calculate the similarity ratio with Ps, and whether these similarity ratios are high as in the case of the first pattern. By determining whether or not, it can be determined whether or not the second pattern is matched. Then, if the support necessity determination unit 33f matches the second pattern, it is possible to determine that this pattern requires authentication support.

  Further, the third pattern is a pattern that “the password Pi0 continuously failing in authentication has converged to the registered password Ps”, and the support necessity determination unit 33f, for example, The similarity ratio between the password Pi0 and the registered password Ps is calculated by instructing the similarity ratio calculation unit 32 to calculate the similarity ratio with the registered password Ps, and the increase / decrease in the similarity ratio is determined. It can be determined whether or not the pattern 3 is matched. Then, if it is matched with the third pattern, the support necessity determination unit 33f can determine that authentication support is necessary for this pattern.

  Furthermore, the fourth pattern is a pattern that “the password Pi0 that has been continuously failed in authentication is random”, and the support necessity determination unit 33f determines whether each password Pi0 is in a predetermined procedure. If the evaluation result shows that the evaluation result is random to some extent, it is determined that the pattern matches the fourth pattern, and it is determined that authentication support is necessary for this pattern. it can. Note that the evaluation result determination method is determined in advance so that it can be determined that a trial of periodic input by squeezing does not match the fourth pattern.

  In the above configuration, substantially the same processing as in the fifth embodiment is performed, but instead of S44 and S45 shown in FIG. 18, S54 shown in FIG. 20 is provided, and the support necessity determination unit 33f performs S54. In step S44, it is determined whether or not the password Pi0 matches the above pattern. If it is determined that the password Pi0 matches (in the case of YES in S54), the support necessity determination unit 33f determines whether or not the authentication support is required. As in the second embodiment, after S4, whether or not authentication support is necessary is determined based on the similarity rate. On the other hand, when it is determined that they do not match (NO in S54), support necessity determination unit 33f determines that authentication support is not required in S43. In this case, the processes after S7 are performed, and the password authentication device 3f ends the process without providing authentication support.

  In the above description, the input password Pi is stored as the failure history, and the necessity of authentication support is changed according to the pattern. However, the present invention is not limited to this. The history storage unit 36f stores the input time when the password Pi is input instead of / in addition to the password Pi as the failure history, and the support necessity determination unit 33f determines whether authentication support is necessary according to the patterns. May be determined. For example, if it is a legitimate user, it is common to input at a speed that humans can input and at some interval, but if a third party repeatedly tries to enter a password, In order to shorten the time required until the password is input, it is assumed that the password input program is repeated mechanically and at a speed faster than that entered by a person, for example, by causing a computer to execute a password input program. Therefore, even if the support necessity determination unit 33f determines whether authentication support is necessary according to the input time pattern of the password Pi that has failed in authentication, whether or not the user who has entered the password Pi is a legitimate user. Although the accuracy at the time of determining can be improved and the support information can be presented to an authorized user, the security at the time of password authentication can be improved.

  In the above description, time information indicating the time when the previous password Pi0 was input is stored as information for determining whether or not the time when the password Pi0 stored in the history storage unit 36f is input is close to the current time. However, as in the fifth embodiment, the information may be stored by another method. In the above description, whether or not authentication support is necessary is determined based on whether or not each pattern is matched. As in each of the above-described embodiments, whether or not authentication support is necessary is provided depending on the degree of matching. The type (level) of support information may be changed.

  Furthermore, although the case where a pattern is common to all users has been described above as an example, the present invention is not limited to this, and an individual pattern may be registered for each user in the support necessity determination unit 33f. Thereby, it is possible to change the ease of error (error pattern for the user) for each user, and more accurately determine whether or not the user is a regular user. Here, the pattern may be registered in advance, or the password authentication device 3f may, for example, input an incorrect password Pi when the correct password Pi is input or from the administrator of the password authentication system 1. When an instruction that the repeated user is a legitimate user is received, the registered pattern may be updated based on the erroneously entered password Pi.

  In each of the above embodiments, the support necessity determination unit determines the necessity of authentication support for each determination criterion such as the similarity rate, type, personal information, the number of failures, or a pattern. In the case of determining by the above, for example, by evaluating them with a predetermined evaluation function, the necessity of authentication support and the type (level) of support information may be changed by comprehensively determining them. .

  In each of the above embodiments, the similarity is described as an example as a criterion for determination. However, since a regular user and a third party know whether or not the registered password Ps is known, this time, Or, until now, when inputting an incorrect password Pi, the error methods are different from each other. Therefore, even if the judgment criteria are other than the above-mentioned examples, the judgment criteria are based on the difference in error, and the user who has entered the password Pi according to the password Pi entered this time or so far The same effect can be obtained as long as it is a criterion that can be used to infer whether or not the user is a legitimate user.

  Further, in each of the above-described embodiments, the members such as the password authentication devices (3 to 3f) or the authentication processing unit 14 constituting the terminal 5 are arithmetic units such as a CPU (ROM) (Read Only Memory) or RAM (Randam Access Memory). In the above description, the function block realized by executing the program code stored in the recording medium is described as an example. However, the function block may be realized by hardware that performs the same processing. Further, it can also be realized by combining hardware that performs a part of the processing and the above-described calculation means that executes the program code for controlling the hardware and the remaining processing. Further, among the members constituting the password authentication device and the terminal, even if it is a member described as hardware, hardware that performs part of the processing, and program code that performs control of the hardware and remaining processing It can also be realized by combining with the above calculation means for executing the above. The arithmetic means may be a single unit, or a plurality of arithmetic means connected via a bus inside the apparatus or various communication paths may execute the program code jointly.

  The program code itself that can be directly executed by the computing means, or a program as data that can be generated by a process such as decompression described later, stores the program (program code or the data) in a recording medium, A recording medium is distributed, or the program is distributed by being transmitted by a communication means for transmitting via a wired or wireless communication path, and is executed by the arithmetic means.

  In the case of transmission via a communication path, each transmission medium constituting the communication path propagates a signal sequence indicating a program, whereby the program is transmitted via the communication path. Further, when transmitting the signal sequence, the transmission device may superimpose the signal sequence on the carrier by modulating the carrier with the signal sequence indicating the program. In this case, the signal sequence is restored by the receiving apparatus demodulating the carrier wave. On the other hand, when transmitting the signal sequence, the transmission device may divide and transmit the signal sequence as a digital data sequence. In this case, the receiving apparatus concatenates the received packet groups and restores the signal sequence. Further, when transmitting a signal sequence, the transmission device may multiplex and transmit the signal sequence with another signal sequence by a method such as time division / frequency division / code division. In this case, the receiving apparatus extracts and restores individual signal sequences from the multiplexed signal sequence. In any case, the same effect can be obtained if the program can be transmitted via the communication path.

  Here, it is preferable that the recording medium for distributing the program is removable, but it does not matter whether the recording medium after distributing the program is removable. In addition, the recording medium can be rewritten (written), volatile, or the recording method and shape as long as a program is stored. Examples of recording media include tapes such as magnetic tapes and cassette tapes, magnetic disks such as floppy (registered trademark) disks and hard disks, CD-ROMs, magneto-optical disks (MO), mini-discs (MD) and digital A disk such as a video disk (DVD) may be mentioned. The recording medium may be a card such as an IC card or an optical card, or a semiconductor memory such as a mask ROM, EPROM, EEPROM, or flash ROM. Or the memory formed in calculating means, such as CPU, may be sufficient.

  The program code may be a code for instructing the arithmetic means of all the procedures of the processes, or a basic program capable of executing a part or all of the processes by calling according to a predetermined procedure. If (for example, an operating system or a library) already exists, a part or all of the entire procedure may be replaced with a code or a pointer that instructs the arithmetic means to call the basic program.

  The format for storing the program in the recording medium may be a storage format that can be accessed and executed by the arithmetic means, for example, as in a state where the program is stored in the real memory, or is stored in the real memory. Installed in the local recording medium from the storage format after being installed in a local recording medium (for example, real memory or hard disk) that is always accessible by the computing means, or from a network or a transportable recording medium The previous storage format may be used. Further, the program is not limited to the compiled object code, but may be stored as source code or intermediate code generated during interpretation or compilation. In any case, the above calculation is performed by a process such as decompression of compressed information, decoding of encoded information, interpretation, compilation, linking, allocation to real memory, or a combination of processes. If the means can be converted into an executable format, the same effect can be obtained regardless of the format in which the program is stored in the recording medium.

  The password authentication device according to the present invention can support a legitimate user by presenting support information, and can perform password authentication while ensuring safety in spite of improving convenience by the legitimate user. For example, the present invention can be widely applied to applications that require authentication, such as network systems and other systems that require access right control.

1, showing an embodiment of the present invention, is a block diagram showing a main configuration of a password authentication system. FIG. It is drawing which shows the example of the assistance information shown in the said password authentication system. It is a flowchart which shows operation | movement of the said password authentication system. It is drawing which shows the example of the screen which prompts input of a password in the said password authentication system. It is drawing which shows the other example of the support information shown in the said password authentication system. It is drawing which shows the further another example of the assistance information shown with the said password authentication system. It is a block diagram which shows the structural example of the similarity calculation part provided in the password authentication apparatus of the said password authentication system. It is drawing which shows the example of the memory content of the similarity relationship table provided in the said similarity calculation part. FIG. 29, showing another embodiment of the present invention, is a block diagram showing a main configuration of a password authentication system. It is drawing which shows the example of the memory content of the classification information storage part provided in the password authentication apparatus of the said password authentication system. It is a flowchart which shows operation | movement of the said password authentication system. FIG. 29 is a block diagram illustrating still another embodiment of the present invention and illustrating a configuration of a main part of a password authentication system. It is a flowchart which shows operation | movement of the said password authentication system. FIG. 29 is a block diagram illustrating still another embodiment of the present invention and illustrating a configuration of a main part of a password authentication system. It is drawing which shows the example of the memory | storage content of the log | history memory | storage part provided in the password authentication apparatus of the said password authentication system. It is a flowchart which shows operation | movement of the said password authentication system. It is a figure which shows other embodiment of this invention, and shows the example of the memory content of the said log | history memory | storage part. It is a flowchart which shows operation | movement of the said password authentication system. It is drawing which shows the other example of the memory content of the said log | history memory | storage part. 14 is a flowchart showing the operation of the password authentication system, showing still another embodiment of the present invention.

Explanation of symbols

3 to 3f Password authentication device 13 Password storage unit (storage device)
14 Authentication processing unit (authentication means; control means)
31 Authentication support processing part (presentation means)
32 Similarity rate calculation unit (control means)
32a Similarity relationship table (storage device)
33-33f Support necessity determination part (control means)
34b Type information storage unit (storage device)
35c Personal information storage unit (storage device)
36d to 36f History storage unit (storage device)

Claims (18)

In a password authentication device having an authentication unit that accepts an input of a password by a user, collates with a registered password registered in advance in a storage device, and authenticates whether the user is a regular user,
Presenting means for presenting support information for supporting the next password input by the user;
Based on the password accepted by the authentication means this time, it is estimated whether or not the user who entered the password is a legitimate user. And a control means for preventing the presentation of the password.   The said control means presumes that it is a regular user, when it determines with the similarity degree of the password received this time and a registration password being higher than a predetermined threshold value. The password authentication device described. In a password authentication device having an authentication unit that accepts an input of a password by a user, collates with a registered password registered in advance in a storage device, and authenticates whether the user is a regular user,
Presenting means for presenting support information for supporting the next password input by the user;
The storage device stores history information, which is information according to the password input by the user so far, and is information for determining whether or not to provide support information to the user in the storage device. Based on the history information stored in the table, it is estimated whether or not the user who entered the password is a regular user. If it is estimated that the user is not a regular user, the support information is presented by the presenting means. A password authentication apparatus comprising: control means for determining whether or not to permit the password.   The control means stores, as the history information, information for determining the degree of similarity between the password input so far and the registered password in the storage device, and the history information read from the storage device 4. The password authentication apparatus according to claim 3, wherein when the two passwords are similar to each other, it is estimated that the password is a legitimate user.   The control means stores, in the storage device, information for determining the degree of similarity between passwords input so far as the history information, and the history information read from the storage device is stored in the two passwords. 4. The password authentication apparatus according to claim 3, wherein when the similarity is indicated, it is estimated that the user is a legitimate user. The above history information is the password entered so far,
4. The password authentication according to claim 3, wherein the control means estimates whether or not the user is a legitimate user based on whether or not the password as the history information matches a predetermined pattern. apparatus. The history information is information indicating the number of times authentication failed,
4. The password authentication apparatus according to claim 3, wherein the control means estimates that the history information is not a regular user when the history information indicates that the number of failures is large.   4. The password authentication device according to claim 3, wherein the control means estimates whether or not the user is a regular user based on history information stored in the storage device and a password accepted this time.   6. The password authentication apparatus according to claim 2, wherein the control means calculates the degree of similarity based on the number of digits that match between passwords for determining similarity. The storage device is provided with an area for storing a similarity relationship between values that may be input as password digits.
6. The password authentication device according to claim 2, wherein the control means calculates the degree of similarity based on a similarity relationship stored in the storage device. The authentication means accepts an input from an input device whose value changes depending on the operated position,
The control means calculates the degree of similarity based on the position of an operation for inputting both values when another value is input instead of a certain digit value of the registered password. 6. The password authentication device according to claim 2, 4 or 5. The storage device is provided with an area for storing type information indicating the type of the registered password,
4. The password authentication apparatus according to claim 1, wherein the control means determines whether or not the presentation of support information by the presenting means is necessary with reference to the type of the registered password stored in the storage device. The storage device is provided with an area for storing personal information of a legitimate user,
The password authentication apparatus according to claim 1 or 3, wherein the control means determines whether or not support information presentation by the presenting means is necessary with reference to the personal information stored in the storage device.   4. The password authentication apparatus according to claim 1, wherein the support information is information indicating the number of digits that do not match by comparing the input password and the registered password.   4. The password authentication device according to claim 1, wherein the support information is information indicating a position of a mismatched digit by comparing the input password and the registered password.   2. The support information is information indicating a part of all digits of a password and including a position of a mismatched digit by comparing the input password and the registered password. Or the password authentication apparatus of 3 description.   The program which operates a computer which has a memory | storage device as each means of Claim 1 or 3.   A recording medium on which the program according to claim 17 is recorded.

Images