JP2007079777A - Authentication server, portable terminal, authentication system, authentication method and authentication program - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To prevent any illegal access to a protection target due to the use of an electronic card or an electronic key illegally acquired by a person other than an owner. <P>SOLUTION: This authentication server for limiting an operation to a protection target by communicating with a portable terminal having a biological information input part which inputs biological information is provided with: a receiving part which receives biological information input by a biological information input part of the portable terminal and the location information of the portable terminal from the portable terminal by communication equipment; a biological information authentication part for identifying the biological information of a predetermined user by a processor based on the biological information received by the receiving part; a location authenticating part for authenticating that the portable terminal is positioned at a predetermined location by the processor based on the location information of the portable terminal received by the receiving part; and an operation permitting part for permitting the operation to the protection target by the processor when authentication succeeds by the biological information authentication part and the position authentication part. <P>COPYRIGHT: (C)2007,JPO&INPIT

Description

  The present invention relates to an authentication server, an authentication method, an authentication program, a mobile terminal used for authentication, and an authentication system having an authentication server and a mobile terminal for controlling operations on a protected object based on biological information and position information. It is.

Some conventional security devices, for example, as disclosed in Japanese Patent Laid-Open No. 2002-140646, authenticate by using a GPS (Global Positioning System) device or a mobile phone with GPS to confirm the person's location. .
JP 2004-220572 A JP 2002-140646 A JP 2003-150883 A JP 2002-203225 A JP 2003-56227 A JP 2003-242428 A JP 2005-5623 A Japanese Patent Laid-Open No. 10-15230

There is a method of setting a restriction by a password or biometric authentication for using an electronic card or an electronic key obtained by an unauthorized method such as theft or counterfeit by a person other than the owner. Here, the electronic card is, for example, a credit card, a cash card, a debit card, an ETC (Electronic Toll Collection) card, or the like. The electronic key is used, for example, for a smart key for a vehicle, a key for unlocking a condominium or the like, and an entrance certificate to a place where only related persons can enter. Therefore, use of an electronic card, an electronic key, or the like means, for example, trying to shop or withdraw a deposit, use a vehicle, and enter a residence or a specific site.
However, in the method of setting a restriction by a password, since it is difficult to generate a password that is not forgotten by oneself and is unknown to others, an easy password is often used. For this reason, there is a problem that passwords are easily stolen. In addition, the method of providing restrictions by biometric authentication has a problem that it is difficult to introduce a terminal having a biometric authentication function because the types and installation locations of terminals such as ATMs are various.

  In addition, there are some devices that check the position of the person by using a GPS device or a mobile phone, and place restrictions on the position. However, there is no guarantee that a GPS device or a mobile phone uses the device. Therefore, in the restriction | limiting by a position, there existed a subject that it was possible to try using using the GPS apparatus and mobile phone which were obtained by the illegal method.

  The embodiment of the present invention was made to solve the above-mentioned problems, such as unauthorized access to a protected object by using an electronic card or an electronic key obtained by an unauthorized method other than the owner. The purpose is to prevent and prevent unauthorized access.

An authentication server according to an embodiment of the present invention communicates with a mobile terminal having a biometric information input unit that inputs biometric information, and in an authentication server that restricts operations on a protection target object.
A receiving unit that receives the biometric information input by the biometric information input unit of the portable terminal and the position information of the portable terminal from the portable terminal by the communication device, and a predetermined user by the processing device based on the biological information received by the receiving unit A biometric information authenticating unit that authenticates that the mobile terminal is the biometric information, a position authenticating unit that authenticates that the mobile terminal is at a predetermined position by the processing device based on the position information of the mobile terminal received by the receiving unit, The biometric information authentication unit and the position authentication unit include an operation permission unit that permits an operation to the protection target object by the processing device when authenticated.

  According to the authentication server according to the embodiment of the present invention, it is possible to confirm that the mobile terminal is in a predetermined position based on the position information of the mobile terminal by providing the position information authentication unit. In addition, it is possible to authenticate that the predetermined user is using the mobile terminal by providing a biometric information authentication unit and performing authentication based on the biometric information input by the biometric information input unit of the mobile terminal. Is possible. Therefore, the authentication server according to the embodiment of the present invention can prevent unauthorized use.

  Hereinafter, the present invention will be described based on embodiments shown in the drawings.

  First, the hardware configuration of the authentication system 1000 according to the embodiment will be described with reference to FIGS. 1, 2, and 3.

FIG. 1 is a diagram illustrating an example of an appearance of an authentication system 1000 according to the embodiment.
1, the authentication system 1000 includes a CRT (Cathode Ray Tube) display device 901, a keyboard (K / B) 902, a mouse 903, a compact disk device (CDD) 905, a database 908, a system unit 909, and a server 910. These are connected by a cable.
Further, the authentication system 1000 is connected to the Internet 940 via a local area network (LAN) 942 and a gateway 941.
In addition, a mobile phone 950, a smart key 952, an ATM 960, a terminal mounted on the vehicle 962, and the like are connected to the LAN 942 and the Internet 940.
In the embodiment described below, the “authentication server 100” is, for example, the system unit 909 and the server 910. The “mobile terminal 200” is, for example, a mobile phone 950, a smart key 952, and the like. The “authentication terminal 300” and the like are, for example, an ATM (Automated Teller Machine) 960, a key part of the vehicle 962, and the like.

FIG. 2 is a diagram illustrating an example of a hardware configuration of the authentication server 100 such as the system unit 909 and the server 910 included in the authentication system 1000 according to the embodiment.
2, the authentication server 100 includes a CPU (Central Processing Unit) 911 that executes a program. The CPU 911 is connected to the ROM 913, RAM 914, communication board 915, CRT display device 901, K / B 902, mouse 903, FDD (Flexible Disk) 904, CDD 905, and magnetic disk device 920 via the bus 912.
The RAM 914 is an example of a volatile memory. The ROM 913 and the magnetic disk device 920 are examples of a nonvolatile memory. These are examples of the storage device.
The communication board 915 is connected to the LAN 942 or the like. The communication board 915 is an example of a communication device.
K / B 902, mouse 903, and the like are examples of input devices.

Here, the communication board 915 is not limited to the LAN 942 but may be directly connected to the Internet 940 or a WAN (Wide Area Network) such as ISDN. When directly connected to the WAN such as the Internet 940 or ISDN, the authentication system 1000 is connected to the WAN such as the Internet 940 or ISDN, and the gateway 941 is unnecessary.
The magnetic disk device 920 stores an operating system (OS) 921, a window system 922, a program group 923, and a file group 924. The program group 923 is executed by the CPU 911, the OS 921, and the window system 922.

FIG. 3 is a diagram illustrating an example of a hardware configuration of the mobile terminal 200 such as the mobile phone 950 and the smart key 952 included in the authentication system 1000 according to the embodiment.
In FIG. 3, the mobile terminal 200 includes a CPU 911 that executes a program. The CPU 911 is connected to a ROM 913, a RAM 914, a communication board 915, an LCD (Liquid Crystal Display) 916, a K / B 902, and a fingerprint input device 970 via a bus 912.
The RAM 914 is an example of a volatile memory. The ROM 913 is an example of a nonvolatile memory. These are examples of the storage device.
The communication board 915 is connected to the LAN 942 or the like. The communication board 915 is an example of a communication device.
The K / B 902, the fingerprint input device 970, and the like are examples of input devices.

  The OS 921, the program group 923, the file group 924, and the like are stored in the ROM 913, the RAM 914, and the like in the portable terminal 200. The program group 923 is executed by the CPU 911, the OS 921, and the like.

The program group 923 stores programs that execute functions described as “˜units” in the description of the embodiments described below. The program is read and executed by the CPU 911.
In the file group 924, what is described as “determination” in the description of the embodiment described below is stored as “˜file”.
Also, the arrows in the flowcharts described in the following description of the embodiments mainly indicate data input / output, and the data for the data input / output is the magnetic disk device 920, FD, optical disk, CD, MD. (Mini disc), DVD (Digital Versatile Disk) and other recording media. Alternatively, it is transmitted through a signal line or other transmission medium.

  In addition, what is described as “unit” in the description of the embodiment described below may be realized by firmware stored in the ROM 913. Alternatively, it may be implemented by software alone, hardware alone, a combination of software and hardware, or a combination of firmware.

  In addition, a program that implements the embodiment described below may be stored using a recording device using another recording medium such as the magnetic disk device 920, FD, optical disk, CD, MD, DVD, or the like.

Embodiment 1 FIG.
Embodiment 1 will be described. In the first embodiment, an authentication system 1000 that prevents unauthorized use with respect to operations such as bank deposits and credit settlement accounts from ATM 960 will be described.

  First, functions of the authentication system 1000 according to the first embodiment will be described with reference to FIG. FIG. 4 is a functional block diagram illustrating functions of the authentication system 1000 according to the first embodiment.

  The authentication system 1000 includes an authentication server 100, a mobile terminal 200, an authentication terminal 300, and a protection target object 400.

  The authentication server 100 restricts operations on the protection target object 400 by a user or the like. The authentication server 100 includes an authentication unit 110, a storage unit 120, a communication unit 130, an operation permission unit 140, an unauthorized processing unit 150, and a specifying unit 160.

The authentication unit 110 authenticates a user or the like. The authentication unit 110 includes a terminal authentication unit 111, a location authentication unit 112, and a biometric information authentication unit 113.
The terminal authentication unit 111 authenticates that a user specified by electronic key information described later received from the authentication terminal 300 is valid. The terminal authentication unit 111 authenticates the above by the processing device based on the first authentication information stored in the authentication information storage unit 121 described later. For example, when the electronic key information indicates a specific user, when the electronic key information indicates a specific user, or when the electronic key information indicates a group of a plurality of persons, the electronic key information is For example, the user belongs to the group indicated.
The position authentication unit 112 authenticates that the mobile terminal 200 is at a predetermined position by the processing device based on the position information of the mobile terminal 200. The position authentication unit 112 is such that the position specified by the position information of the mobile terminal 200 is a predetermined position with respect to the position specified by the position information of the authentication terminal 300 stored in the position information storage unit 122 described later. Authenticate. The predetermined position is, for example, within a predetermined distance range centered on the position specified by the position information of the authentication terminal 300, or in a predetermined direction from the position specified by the position information of the authentication terminal 300. In addition, it is within a predetermined distance range. In addition, the position authentication unit 112 performs data conversion as necessary when the data format of the position information needs to be changed. Here, the data format is, for example, GPS data, latitude / longitude, and address.
The biometric information authentication unit 113 authenticates the biometric information of a predetermined user by the processing device based on the biometric information input by the mobile terminal 200. The biometric information is information that can identify an individual, such as a fingerprint, an iris, a voiceprint, and a vein shape. Here, the biometric information authentication unit 113 performs authentication when biometric authentication information stored in an authentication information storage unit 121 described later matches biometric information input by the mobile terminal 200.

The storage unit 120 stores information used by the authentication unit 110 for authentication. The storage unit 120 includes an authentication information storage unit 121 and a position information storage unit 122.
The authentication information storage unit 121 stores authentication information 610 in a storage device. Details of the authentication information 610 will be described later. The authentication information 610 includes first authentication information for authenticating that the user specified by the electronic key information is valid. The first authentication information is, for example, a password. That is, the above-described terminal authentication unit 111 performs authentication when, for example, the password received together with the electronic key information from the authentication terminal 300 matches the password stored in the authentication information storage unit 121. The authentication information storage unit 121 stores terminal authentication information for authenticating that the accessing authentication terminal 300 is an accessible authentication terminal 300 in a storage device.
The position information storage unit 122 stores the position information of the authentication terminal 300 that transmitted the electronic key information in the storage device. When there are a plurality of authentication terminals 300, the position information storage unit 122 stores the position information of each authentication terminal 300.

The communication unit 130 communicates with the mobile terminal 200, the authentication terminal 300, and the like through a communication device. The communication unit 130 includes a reception unit 131 and a transmission unit 132.
The receiving unit 131 receives information from the mobile terminal 200, the authentication terminal 300, and the like by a communication device. The receiving unit 131 receives the biological information and the position information of the mobile terminal 200 from the mobile terminal 200 by the communication device. In addition, the reception unit 131 receives the electronic key information transmitted from the authentication terminal 300 by the communication device.
The transmission part 132 transmits information to the portable terminal 200, the authentication terminal 300, etc. with a communication apparatus.

  The operation permission unit 140 permits the processing device to operate the protected object 400 when the authentication unit 110 authenticates. Here, the operation permission unit 140 permits the processing device to operate the protected object when all of the terminal authentication unit 111, the position authentication unit 112, and the biometric information authentication unit 113 have been authenticated.

  If the authentication unit 110 cannot be authenticated, the fraud processing unit 150 prohibits the processing device from permitting the operation on the protection target object 400 based on the electronic key information that cannot be authenticated. Here, if at least one of the terminal authentication unit 111, the position authentication unit 112, and the biometric information authentication unit 113 cannot be authenticated, the fraud processing unit 150 is protected by the electronic key information used in that case. The processing device prohibits permission to operate the object 400.

  The specifying unit 160 specifies the mobile terminal 200 corresponding to the electronic key information received by the receiving unit 131 based on the later-described authentication mobile terminal information 612 stored in the authentication information storage unit 121.

The mobile terminal 200 transmits information for the authentication server 100 to authenticate to the authentication server 100. Here, it is assumed that the mobile terminal 200 is a mobile phone 950 as an example. The portable terminal 200 includes a communication unit 210, a biological information input unit 220, and a position information acquisition unit 230.
The communication unit 210 communicates with the authentication server 100 and the like. The communication unit 210 includes a reception unit 211 and a transmission unit 212.
The receiving unit 211 receives information from the authentication server 100 or the like using a communication device. The receiving unit 211 receives an authentication information request for requesting information for authentication from the authentication server 100 by the communication device.
The transmission unit 212 transmits information to the authentication server 100 or the like using a communication device. The transmission unit 212 transmits the biological information input by the biological information input unit 220 described later and the positional information acquired by the positional information acquisition unit 230 described later to the authentication server 100 by the communication device.

  The biometric information input unit 220 inputs biometric information using an input device. The biometric information is information that can identify an individual such as a fingerprint, an iris, a voiceprint, and a vein shape, for example. Therefore, the biometric information input unit 220 is, for example, a fingerprint input device 970 or the like.

  The position information acquisition unit 230 acquires the position information of the mobile terminal 200 by the processing device. The position information acquisition method may be based on the GPS method or other methods.

  The authentication terminal 300 is a terminal on which a user operates. Here, it is assumed that the authentication terminal 300 is an ATM 960 as an example. The authentication terminal 300 includes a communication unit 310, a reception unit 320, a terminal information storage unit 330, and a server search unit 340.

The communication unit 310 communicates with the authentication server 100 and the like. The communication unit 310 includes a reception unit 311 and a transmission unit 312.
The receiving unit 311 receives information from the authentication server 100 or the like using a communication device.
The transmission unit 312 transmits information to the authentication server 100 or the like using a communication device. The transmission unit 312 transmits the electronic key information to the authentication server 100 through the communication device. The transmission unit 312 may transmit authentication information such as a password together with the electronic key information.

  The accepting unit 320 accepts an electronic key having electronic key information and a command that is operation information from the user. Here, the electronic key having the electronic key information is a cash card, a debit card, a credit card, or the like. The command that is operation information includes, for example, deposit and withdrawal, transfer, balance inquiry, credit card settlement, and credit card borrowing.

  The terminal information storage unit 330 determines whether the authentication terminal 300 can handle the electronic key received by the reception unit 320 and stores information for determining the authentication server 100 to be accessed in the storage device. For example, when a cash card as an electronic key is inserted into the reception unit 320, the terminal information storage unit 330 determines whether or not the inserted cash card is a handleable card, and accesses the authentication server Information for determining 100 is stored. The terminal information storage unit 330 stores, for example, card type information and authentication server 100 information.

  The server search unit 340 searches the authentication server 100 to be accessed based on the electronic key information and the information stored in the terminal information storage unit 330. The server search unit 340 stores an access server list that is a list of servers to be accessed (not shown), and searches the authentication server 100 to access by referring to the access server list. The communication unit 310 communicates with the authentication server 100 searched by the server search unit 340.

  The protection target object 400 is an operation that is restricted by the authentication server 100. Here, it is assumed that the protection object 400 is a bank deposit or an account for credit settlement.

  Next, the authentication information 610 stored in the authentication information storage unit 121 will be described with reference to FIG. FIG. 5 is a diagram illustrating an example of authentication information 610 stored in the authentication information storage unit 121.

  The authentication information 610 is information in which the portable terminal 200, the electronic key authentication information 616, and the like are assigned to the protection target object 400. The authentication information 610 includes protection object information 611, authentication portable terminal information 612, identity confirmation state information 615, and electronic key authentication information 616.

  The protection target information 611 is information for specifying the protection target object 400. Here, it is assumed that the protected object information 611 is an account number as an example.

The mobile terminal information for authentication 612 includes information for specifying the mobile terminal 200 registered for the protection target object information 611. That is, the authentication portable terminal information 612 includes information for specifying the portable terminal 200 corresponding to the electronic key authentication information 616. The authentication portable terminal information 612 includes a portable terminal ID (identifier) 613 and biometric authentication information 614.
The mobile terminal ID 613 is information for specifying the mobile terminal 200. That is, the specifying unit 160 can specify the mobile terminal 200 based on the mobile terminal ID 613 for electronic key authentication information 616 described later. The mobile terminal ID 613 is, for example, the number of the mobile phone 950.
The biometric authentication information 614 is user biometric information assigned to the mobile terminal 200. That is, when the authentication server 100 receives biometric information from the portable terminal 200, the biometric information authentication unit 113 can authenticate because the received biometric information matches the biometric authentication information 614.

  The personal identification status information 615 is information indicating whether or not the biometric information authentication unit 113 has already been authenticated. That is, when the personal identification status information 615 indicates that authentication has been completed, the biometric information authentication unit 113 does not need to authenticate again. For example, when the biometric information authentication unit 113 authenticates, the identity verification status information 615 is updated to “completed” indicating the authenticated status by the operation permission unit 140. Also, the identity verification state information 615 is updated to “not yet” indicating a state where the operation permission unit 140 is not authenticated when, for example, a predetermined time has elapsed since the biometric information authentication unit 113 authenticated. That is, the operation permission unit 140 restricts the operation to the protection target object 400 again when a predetermined time has elapsed since the operation to the protection target object 400 has been permitted. Here, the predetermined time may be set for each protection object 400 or may be all the same.

The electronic key authentication information 616 is information that the electronic card received by the authentication terminal 300 has. Here, the electronic key authentication information 616 is cash card information or the like. The electronic key authentication information 616 includes a card type 617, an electronic key ID 618, and a password 619.
The card type 617 is information for specifying the authentication server 100 to be accessed. Therefore, when the card type 617 indicates that access is made to a different authentication server 100, the accessed authentication server 100 cannot accept it.
The electronic key ID 618 is information for specifying an electronic card. Here, the electronic key ID 618 is, for example, an account number. In the case of a credit card or debit card, it may be possible to have an ID that is assigned separately from the account number, such as a card number, and can be uniquely identified. Such an ID may be used.
The password 619 is information for authenticating that the user specified by the electronic key authentication information 616 is valid.

  The electronic key authentication information 616 includes information that the electronic key has, although the data format may be different from the information that the electronic key has. Information such as an expiration date not shown may be added.

  One line of information shown in the authentication information 610 is one account information that the authentication server 100 restricts operations. Therefore, there are as many lines of authentication information 610 as the number of accounts that the authentication server 100 restricts operations.

  Next, operation | movement of the authentication system 1000 concerning Embodiment 1 is demonstrated based on FIG.6, FIG.7, FIG.8. 6, 7, and 8 are flowcharts illustrating the operation of the authentication system 1000 according to the first embodiment.

  First, operation | movement of the authentication terminal 300 concerning Embodiment 1 is demonstrated based on FIG. FIG. 6 is a flowchart of an authentication terminal process that is an operation of the authentication terminal 300 according to the first embodiment.

  When the authentication terminal 300 that is ATM 960 is activated and starts processing, the authentication terminal 300 waits for a command waiting for a request from the user (S101). Next, the accepting unit 320 determines whether or not an access request to the account has been made every predetermined time (S102). When it is determined that an account access request has not been received (No in S102), the accepting unit 320 waits for a command again (S101). When it is determined that an account access request has been received (Yes in S102), the receiving unit 320 acquires a command that is an operation request input by the user (S103).

  When the command is acquired, the reception unit 320 acquires electronic key information from an electronic card that is an electronic key. Here, electronic key information is acquired from a cash card which is an electronic key (S104).

  Next, the accepting unit 320 determines whether or not the electronic card can be accepted by the authentication terminal 300. In this determination, first, the server search unit 340 searches the authentication server 100 to be accessed based on the electronic key information and the information stored in the terminal information storage unit 330. The receiving unit 320 determines whether or not the electronic card can be received depending on whether or not the authentication server 100 accessed by the server searching unit 340 has been searched (S105).

  If the authentication server 100 to be accessed cannot be searched (No in S105), the accepting unit 320 performs unusable card processing. In the unhandled card process, for example, an error display is performed, and the command waits again (S111). If the accessing authentication server 100 can be searched (Yes in S105), a password request is made and the password is acquired (S106).

  Next, the communication unit 310 accesses the server searched by the server search unit 340 and transmits the acquired command, electronic key information, and password (S107). Processing in the authentication server 100 will be described later. Then, the communication unit 310 waits for a predetermined time for a response from the server (S108).

  Here, the predetermined time can be set for each authentication terminal 300. The communication unit 310 determines whether or not the authentication server 100 is authenticated and access to the account is accepted (S109).

  If the communication unit 310 determines that access to the account has not been accepted (No in S109), the accepting unit 320 performs unhandled card processing and waits for a command again (S111). When the communication unit 310 determines that access to the account has been accepted (Yes in S109), the command is an operation request input by the user (S110).

  Then, the accepting unit 320 performs a series of processing completion procedures to the user, such as returning a card or providing a statement, and determines whether or not to end the processing (S112). If the receiving unit 320 determines that the process is not finished (No in S112), the receiving unit 320 waits for a command again. If it is determined that the process is to be ended (Yes in S112), the receiving unit 320 ends the process.

  Here, S101 to S103 are user access steps. S104 is an electronic key information acquisition step. S105 is an electronic key information determination step. S106 is a password acquisition step. S107 and S108 are server access steps. S109 is a server access determination step. S110 is an execution step. S111 is an unauthorized processing step. S112 is an end step.

  Next, operation | movement of the authentication server 100 concerning Embodiment 1 is demonstrated based on FIG. FIG. 7 is a flowchart of an authentication server process that is an operation of the authentication server 100 according to the first embodiment.

  The authentication server 100 waits for an access request from the ATM 960 that is the authentication terminal 300 (S201). Next, the communication unit 130 determines whether an access request to the account is received from the ATM 960 that is the authentication terminal 300 at every predetermined time (S202).

  If it is determined that no access request has been received (No in S202), the authentication server 100 waits for an access request again. When it is determined that an access request has been received (Yes in S202), the reception unit 131 receives information transmitted by the ATM 960 that is the authentication terminal 300. Here, the receiving unit 131 receives a command, electronic key information, and a password (S203).

  Next, the terminal authentication unit 111 authenticates that the accessed authentication terminal 300 is an accessible authentication terminal 300 based on the terminal authentication information stored in the authentication information storage unit 121. Further, the terminal authentication unit 111 searches for the corresponding authentication information 610 from the authentication information 610 stored in the authentication information storage unit 121 based on the protected object information 611 requested to be accessed. Then, the terminal authentication unit 111 authenticates that the electronic card can be accepted by the authentication server 100 based on the card type 617 and the like of the retrieved authentication information 610. Further, the terminal authentication unit 111 performs authentication based on the password 619 of the retrieved authentication information 610 and the received password (S204).

  If the terminal authentication unit 111 cannot be authenticated (No in S204), the unauthorized processing unit 150 executes unauthorized access processing (S212). The unauthorized access processing is, for example, that the processing device prohibits permission to operate the protection target object 400 using electronic key information that cannot be authenticated. That is, the fraud processing unit 150 prohibits access to an account by a cash card inserted in the ATM 960, for example. When the terminal authentication unit 111 has been authenticated (Yes in S204), the biometric information authentication unit 113 determines whether or not the user has been verified based on the user confirmation status information 615 of the authentication information 610 stored in the authentication information storage unit 121. Determination is made (S205). If the identity has not been confirmed (No in S205), the identifying unit 160 searches for the corresponding authentication information 610 from the authentication information 610 stored in the authentication information storage unit 121 based on the protected object information 611 requested to be accessed. . Then, the specifying unit 160 specifies the corresponding mobile terminal 200 based on the mobile terminal ID 613 of the searched authentication information 610, and the biometric information authentication unit 113 sends an authentication request for biometric information to the mobile terminal 200 in the transmission unit 132. Send an information request. (S206). Next, the receiving unit 131 receives biological information from the mobile terminal 200. Then, the biometric information authentication unit 113 performs authentication based on the biometric authentication information 614 of the retrieved authentication information 610 and the received biometric information (S207). Then, the biometric information authentication unit 113 determines whether authentication based on the biometric information has been performed (S208).

  When authentication based on biometric information cannot be performed (No in S208), the unauthorized processing unit 150 executes unauthorized access processing (S212). When the authentication based on the biometric information can be performed (Yes in S208), the biometric information authentication unit 113 first updates the personal identification status information 615 to “complete”. Then, after the identity verification status information 615 has been updated, or when the identity verification has been completed (Yes in S205), the location authentication unit 112 performs authentication based on the protected object information 611 requested to be accessed. The corresponding authentication information 610 is searched from the authentication information 610 stored in the information storage unit 121. Then, the position authentication unit 112 identifies the corresponding mobile terminal 200 based on the mobile terminal ID 613 of the searched authentication information 610 and causes the transmission unit 132 to transmit a request for position information to the mobile terminal 200. The receiving unit 131 receives position information of the mobile terminal 200 from the mobile terminal 200. Next, the location authentication unit 112 performs authentication based on the location of the accessing authentication terminal 300 stored in the location information storage unit 122 and the received location of the mobile terminal 200 (S209).

  When the authentication based on the position information cannot be performed (No in S209), the unauthorized processing unit 150 executes an unauthorized access process (S212). When the authentication based on the position information is completed (Yes in S209), the operation permission unit 140 performs the requested operation on the account that is the protection target object 400 based on the command (S210). Then, the transmission unit 132 notifies the authentication terminal 300 that the operation has been performed (S211).

  The authentication server 100 determines whether or not to end the process (S213). If the authentication server 100 determines not to end the process (No in S213), it again waits for an access request. If the authentication server 100 determines to end the process (Yes in S213), the authentication server 100 ends the process.

  Here, S201 and S202 are terminal access steps. S203 is a reception step. S204 is a terminal authentication step. S205 to S208 are biometric information authentication steps. S209 is a position authentication step. S210 and S211 are operation permission steps. S212 is an unauthorized processing step. S213 is an end step.

  Next, the operation of the mobile terminal 200 according to the first embodiment will be described with reference to FIG. FIG. 8 is a flowchart of a mobile terminal process that is an operation of the mobile terminal 200 according to the first embodiment.

  The portable terminal 200 waits for an authentication information request from the authentication server 100 (S301). Next, the communication unit 210 determines whether an authentication information request has been received from the authentication server 100 at predetermined time intervals (S302). Next, the biometric information input unit 220 inputs biometric information (S303). Next, the location information acquisition unit 230 acquires location information of the mobile terminal 200 (S304). Then, the transmission unit 212 transmits the biological information input by the biological information input unit 220 and the positional information acquired by the positional information acquisition unit 230 to the authentication server 100 (S305).

  Here, S301 and S302 are authentication information request receiving steps. S303 is a biometric information input step. S304 is a position information acquisition step. S305 is an authentication information transmission step.

  Here, ATM 960 has been described as an example of authentication terminal 300, but the present invention is not limited to this, and an ETC gate (roadside machine) or the like may be used. In the case of ETC, the ETC position information via the DSRC (Dedicated Short Range Communications) or the position information of the DSRC information transmission source via the ETC is acquired. The ETC position information is position information acquired by an ETC or an ETC and a car navigation system (in-vehicle device) provided in the vehicle. The location information of the information transmission source of the DSRC to be passed is location information indicated by which gate has passed.

  In the authentication system 1000 according to the first embodiment, authentication is performed based on the biometric information input by the biometric information input unit 220 included in the mobile terminal 200. If the mobile terminal 200 is, for example, a mobile phone 950 having a fingerprint input device 970 or the like, it is not necessary to newly introduce a biometric information input device to the ATM 960 or the like that is the authentication terminal 300. Therefore, according to the authentication system 1000 according to the first embodiment, authentication based on biometric information can be easily performed.

  In the authentication system 1000 according to the first embodiment, in response to an access request to the protection target object 400 from the authentication terminal 300, the mobile terminal 200 that has input biometric information in addition to authentication by biometric information Authentication is based on being in the vicinity. Therefore, according to the authentication system 1000 concerning Embodiment 1, it can confirm that the user who input biometric information is operating the authentication terminal 300. FIG.

Embodiment 2. FIG.
Next, a second embodiment will be described. In the second embodiment, an authentication system 1000 provided with a function for the mobile terminal 200 to perform biometric authentication will be described.

  First, functions of the authentication system 1000 according to the second embodiment will be described with reference to FIG. FIG. 9 is a functional block diagram illustrating functions of the authentication system 1000 according to the second embodiment.

  Only the parts of the authentication system 1000 according to the second embodiment that are different from the function of the authentication system 1000 according to the first embodiment will be described.

  First, the mobile terminal 200 will be described. The mobile terminal 200 further includes a mobile terminal authentication unit 240 and a mobile terminal information storage unit 250.

The mobile terminal authentication unit 240 authenticates that the biometric information of a predetermined user is used by the processing device based on the biometric information input by the biometric information input unit 220. That is, mobile terminal authentication unit 240 has the same function as biometric information authentication unit 113 in the first embodiment.
The portable terminal information storage unit 250 stores portable terminal authentication information 600 including portable terminal information 605 that can be acquired when the portable terminal authentication unit 240 authenticates biometric information of a predetermined user in a storage device. For example, the portable terminal information 605 is information that is very difficult to forge, such as an extremely large number of digits.

  The transmission unit 212 transmits the mobile terminal information 605 instead of transmitting the biological information.

  Next, the authentication server 100 will be described.

The biometric information authentication unit 113 indicates that the mobile terminal 200 is a predetermined user by the processing device based on the mobile terminal information 605 transmitted by the transmission unit 212 and the second authentication information stored in the authentication information storage unit 121 described later. Authenticate that you are authenticated.
The authentication information storage unit 121 stores second authentication information that is information for authenticating that the mobile terminal 200 has been authenticated as a predetermined user. That is, the second authentication information is stored instead of the biometric authentication information 614 in FIG.

The authentication server 100 further includes an authentication information generation unit 170.
The authentication information generation unit 170 generates new authentication information by the processing device.
When the biometric information authentication unit 113 authenticates, the authentication information storage unit 121 stores new authentication information generated by the authentication information generation unit 170 as second authentication information. In addition, when the biometric information authentication unit 113 authenticates, the transmission unit 132 transmits new authentication information generated by the authentication information generation unit 170 to the mobile terminal 200. Then, the mobile terminal information storage unit 250 stores the new authentication information transmitted by the transmission unit 132 as mobile terminal information 605. That is, the second authentication information and the mobile terminal information 605 are the same information.

  Next, the mobile terminal authentication information 600 stored in the mobile terminal information storage unit 250 will be described with reference to FIG. FIG. 10 is a diagram illustrating an example of the mobile terminal authentication information 600 stored in the mobile terminal information storage unit 250.

  The mobile terminal authentication information 600 includes a mobile terminal ID 601, authenticated person information 602, and mobile terminal information 605.

The mobile terminal ID 601 is the same as the mobile terminal ID 613 included in the authentication information 610.
The person-to-be-authenticated person information 602 is information related to the protection target object 400 and the user. The person-to-be-authenticated person information 602 includes a protected object ID 603 and person-to-be-authenticated person information 604.
The protection object ID 603 is the same as the protection object information 611 included in the authentication information 610.
The authenticator biometric information 604 is the biometric information of the user assigned to the mobile terminal 200.
The mobile terminal information 605 is information that can be acquired when the mobile terminal authentication unit 240 authenticates that it is biometric information of a predetermined user.

  That is, the mobile terminal 200 receives the protection target object information 611 from the authentication server 100. Next, the biometric information input unit 220 inputs biometric information. Then, the mobile terminal authentication unit 240 performs authentication when the input biometric information matches the authenticator biometric information 604 of the mobile terminal authentication information 600 specified from the protection target object information 611.

  Next, the operation of the authentication system 1000 according to the second exemplary embodiment will be described. The operation of the authentication terminal 300 according to the second embodiment is the same as the operation of the authentication terminal 300 according to the first embodiment. Therefore, operations of the authentication server 100 and the mobile terminal 200 according to the second embodiment will be described.

  First, the operation of the mobile terminal 200 according to the second embodiment will be described with reference to FIG. FIG. 11 is a flowchart of a mobile terminal process that is an operation of the mobile terminal 200 according to the second embodiment. Regarding the operation of the mobile terminal 200 according to the second embodiment, only the parts different from the operation of the mobile terminal 200 according to the first embodiment will be described.

  S401 to S404 are the same as S301 to S304 shown in the first embodiment. After S404, the mobile terminal authentication unit 240 uses the biometric information of a predetermined user based on the biometric information input by the biometric information input unit 220 and the biometric information 604 of the authenticated person stored by the mobile terminal information storage unit 250. A certain authentication is performed (S405). When the authentication by the mobile terminal authentication unit 240 cannot be performed (No in S405), the mobile terminal 200 executes an unauthorized access process (S407). In the unauthorized access process, the transmission unit 212 transmits, for example, NULL data or the like to the authentication server 100. When the authentication by the mobile terminal authentication unit 240 is successful (Yes in S405), the transmission unit 212 transmits the mobile terminal information 605 to the authentication server 100 (S406).

  Here, S401 and S402 are authentication information request receiving steps. S403 is a biometric information input step. S404 is a position information acquisition step. S405 is a portable terminal authentication step. S406 is an authentication information transmission step. S407 is an unauthorized processing step.

  Next, the operation of the authentication server 100 according to the second embodiment will be described. The operation of the authentication server 100 according to the second embodiment is the same as the operation of the authentication server 100 according to the first embodiment. Therefore, the operation of the authentication server 100 according to the second embodiment will be described based on the flowchart shown in FIG. The operation of the authentication server 100 according to the second embodiment will be described only for the parts that are different from the operation of the authentication server 100 according to the first embodiment.

  S201 to S206 are the same as those in the first embodiment. In S <b> 207, the reception unit 131 receives the mobile terminal information 605 from the mobile terminal 200. Then, the biometric information authentication unit 113 performs authentication based on the second authentication information of the searched authentication information 610 and the received mobile terminal information 605. Here, when the mobile terminal information 605 received from the mobile terminal 200 is NULL data, the biometric information authentication unit 113 cannot perform authentication. In step S <b> 208, the biometric information authentication unit 113 determines whether authentication based on the mobile terminal information 605 has been performed. When the authentication based on the portable terminal information 605 is successful (Yes in S208), the authentication information generation unit 170 first generates new authentication information. Next, the authentication information storage unit 121 stores new authentication information generated by the authentication information generation unit 170 as second authentication information. In addition, the transmission unit 132 transmits new authentication information generated by the authentication information generation unit 170 to the mobile terminal 200. Then, the mobile terminal information storage unit 250 stores the new authentication information transmitted by the transmission unit 132 as mobile terminal information 605. When the identity verification has been completed in S205 (Yes in S205), or when authentication based on the mobile terminal information 605 has been completed (Yes in S208), the processing in S209 is performed. S209 to S213 are the same as those in the first embodiment.

  In the above, new authentication information is generated in the authentication server 100 and authentication information is shared. However, in the mobile terminal 200, new authentication information may be generated and authentication information may be shared.

  In the authentication system 1000 according to the second embodiment, the authentication server 100 does not store biometric information. The biological information is information related to personal privacy. There is a risk of leaking information related to personal privacy by managing biometric information on a server or the like. However, in the authentication system 1000 according to the second embodiment, the biological information is replaced with information that is difficult to forge without managing the biological information. Therefore, according to the authentication system 1000 according to the second embodiment, there is little risk of leakage of information related to personal privacy.

  Further, in the authentication system 1000 according to the second embodiment, when authentication information that substitutes for biometric information is used once for authentication, new authentication information is generated and the authentication information used by the authentication server 100 and the portable terminal 200 is replaced. is doing. That is, in the authentication system 1000 according to the second embodiment, the authentication information that substitutes for biometric information is a one-time password. Therefore, there is little risk of leakage of authentication information that substitutes for biometric information.

Embodiment 3 FIG.
Next, Embodiment 3 will be described. In the third embodiment, an authentication system 1000 having an unauthorized processing function that suppresses unauthorized use of an electronic card such as a cash card will be described.
In the above embodiment, the authentication server 100 includes the fraud processing unit 150. In the above embodiment, if the authentication unit 110 cannot be authenticated, the fraud processing unit 150 performs processing for prohibiting the processing device from permitting the operation of the protection target object 400 using the electronic key information that has not been authenticated. Yes. In the third embodiment, the unauthorized processing unit 150 further registers a contact address for unauthorized access in advance in the server, and notifies the contact address of unauthorized access information. For example, as a contact information, the nearest police station or security company searched from the use position information is notified. That is, as a contact server, notification is made to the nearest police station server or security company server searched from the use position information. Further, the fraud processing unit 150 may sound an alarm at the place of use.
According to the authentication system 1000 according to the third embodiment, unauthorized use of an electronic card such as a cash card is suppressed by sending information about unauthorized use to a server or device such as a predetermined person or organization. Is possible.

Embodiment 4 FIG.
Next, a fourth embodiment will be described. In the first embodiment, the authentication system 1000 that prevents unauthorized use of ATM 960 or the like for operations such as bank deposits and credit settlement accounts has been described. In the fourth embodiment, an authentication system 1000 that restricts entry to a specific area such as a building or a partition will be described.

  First, functions of the authentication system 1000 according to the fourth embodiment will be described. The functional configuration of the authentication system 1000 according to the fourth embodiment is the same as that of the authentication system 1000 according to the first embodiment. Similarly to the second embodiment, the mobile terminal 200 may have a function of performing biometric authentication. Further, as in the third embodiment, the authentication server 100 may be configured to have an unauthorized processing function.

  In the fourth embodiment, the authentication terminal 300 is a terminal installed at a gate such as a building or a section, for example. Therefore, the reception unit 320 receives, for example, an electronic key having electronic key information such as a card key and a command that is operation information from the user. The command is, for example, gate unlocking, locking, entry permission, exit permission, entry record, entry record, and the like.

  In the fourth embodiment, the protection target object 400 is a gate such as a building or a partition.

  Next, the authentication information 610 stored in the authentication information storage unit 121 in the fourth embodiment will be described with reference to FIG. FIG. 12 is a diagram illustrating an example of authentication information 610 stored in the authentication information storage unit 121.

  Only the difference between the authentication information 610 in the fourth embodiment and the authentication information 610 in the first embodiment will be described.

The protection target object information 611 of the authentication information 610 in the fourth embodiment is a section ID that uniquely identifies a building, a section, or the like. Further, the electronic key authentication information 616 of the authentication information 610 in the fourth embodiment is, for example, admission permit information stored in a card key or the like.
The electronic key authentication information 616 includes information that the electronic key has, although the data format may be different from the information that the electronic key has. Information such as an expiration date not shown may be added.
Further, one line of information shown in the authentication information 610 is one piece of section information that the authentication server 100 restricts operations. Therefore, there are as many lines of authentication information 610 as the number of partitions for which the authentication server 100 restricts operations.

  Next, operation | movement of the authentication system 1000 concerning Embodiment 4 is demonstrated based on FIG.8, FIG.13, FIG.14. 8, FIG. 13 and FIG. 14 are flowcharts showing the operation of the authentication system 1000 according to the fourth embodiment.

  First, operation | movement of the authentication terminal 300 concerning Embodiment 4 is demonstrated based on FIG. FIG. 13 is a flowchart of an authentication terminal process that is an operation of the authentication terminal 300 according to the fourth embodiment. Only operations that are different from the operation of the authentication terminal 300 according to the first embodiment will be described with respect to the operation of the authentication terminal 300 according to the fourth embodiment.

  First, when the authentication terminal 300, which is a terminal provided in a gate or the like, starts up and starts processing, the authentication terminal 300 waits for a command request from the user (S501). Here, it is assumed that the request is an admission permission request. Next, the accepting unit 320 determines whether or not an admission permission request has been made every predetermined time (S502). Operations after the determination (No in S502, Yes in S502, S503) are the same as those in the first embodiment (No in S102, Yes in S102, S103). When the command is acquired in S503, the reception unit 320 acquires the electronic key information from the electronic card that is an electronic key. Here, electronic key information is acquired from the admission permit which is an electronic key (S504). S505 to S508 are the same as in the first embodiment (S105 to S108), respectively. Next, the communication unit 310 determines whether or not the authentication server 100 is authenticated and entry is permitted (S509). S510 to S512 are the same as in the first embodiment (S110 to S112), respectively.

  Here, S501 to S503 are user access steps. S504 is an electronic key information acquisition step. S505 is an electronic key information determination step. S506 is a password acquisition step. S507 and S508 are server access steps. S509 is a server access determination step. S510 is an execution step. S511 is an unauthorized processing step. S512 is an end step.

  Next, operation | movement of the authentication server 100 concerning Embodiment 4 is demonstrated based on FIG. FIG. 14 is a flowchart of an authentication server process that is an operation of the authentication server 100 according to the fourth embodiment. Only the operation of the authentication server 100 according to the fourth embodiment that is different from the operation of the authentication server 100 according to the first embodiment will be described.

  The authentication server 100 waits for an access request from a terminal provided in the gate which is the authentication terminal 300 (S601). Next, the communication unit 130 determines whether an access request has been received from the authentication terminal 300 at predetermined time intervals (S602). When it is determined that no access request has been received (No in S602), the operation is the same as in the first embodiment (No in S202). When it is determined that an access request has been received (Yes in S602), the reception unit 131 receives information transmitted by the gate serving as the authentication terminal 300. Here, the receiving unit 131 receives a command, information such as an entrance permit or electronic lock, which is electronic key information, and a password (S603). Steps S604 to S609 are the same as those in the first embodiment (S204 to S209). The operation in the case where authentication based on position information cannot be performed in S609 (No in S609) is the same as that in the first embodiment (No in S209). When the authentication based on the position information is completed in S609 (Yes in S609), the operation permission unit 140 performs the requested operation on the gate, which is the protection target object 400, based on the command (S210). S611 to S613 are the same as in the first embodiment (S211 to S213).

  Here, S601 and S602 are terminal access steps. S603 is a reception step. S604 is a terminal authentication step. Steps S605 to S608 are biometric information authentication steps. S609 is a position authentication step. S610 and S611 are operation permission steps. S612 is an unauthorized processing step. S613 is an end step.

  About operation | movement of the portable terminal 200 concerning Embodiment 4, it is the same as that of the portable terminal 200 concerning Embodiment 1 shown in FIG.

  In the authentication system 1000 according to the fourth embodiment, authentication is performed based on the biometric information input by the biometric information input unit 220 included in the mobile terminal 200. If the mobile terminal 200 is, for example, a mobile phone 950 provided with a fingerprint input device 970 or the like, it is not necessary to newly introduce a biometric information input device to a terminal provided in a gate that is the authentication terminal 300 or the like. . Therefore, according to the authentication system 1000 according to the first embodiment, authentication based on biometric information can be easily performed.

  In the above-described embodiment, in order to control access to an account such as a bank, the application of the authentication system 1000 for ATM 960, ETC, etc., and the application of the authentication system 1000 for a terminal of a gate controlling entry to a partition, etc. Explained. However, the present invention is not limited to this, and in order to control the operation of the vehicle, the authentication system 1000 is applied to the system using the smart key 952, the train system is used to control the boarding of the train, etc. It may be applied.

  In the above-described embodiment, the identity verification information by biometric authentication, the location information of the identity information confirmation terminal, and the ATM 960, ETC, or the like, which is an access terminal installed as a gate to a deposit, building, site, car, etc. A management server device, system, and method for restricting operations on protected objects based on location information such as entrance / exit management terminals.

  In addition to the above, it is a management server device, system, and method that limit the usage time of the protected object and restrict the operation on the protected object.

  In addition to the above, the present invention is characterized in that the management server device, the system, and the method limit the operation to the protected object using the personal identification information by the biometric authentication by the mobile phone.

  Furthermore, in addition to the above, a management server device, system, and method that use a vehicle to be protected are characterized by the following.

  Furthermore, in addition to the above, a management server device, system, and method that use a protected object as a gate to a building, a site, or the like, which is a specific place, are characterized.

  Further, in addition to the above, a card management server device and system for sending location information, terminal ID, etc., which is specific information of a used place, to the owner when a use is attempted in a state where the card cannot be used, and It is a method.

It is the figure which showed an example of the external appearance of the authentication system 1000 concerning embodiment. It is a figure which shows an example of the hardware constitutions of the authentication server 100 which is the system unit 909, the server 910, etc. with which the authentication system 1000 in embodiment is equipped. It is a figure which shows an example of the hardware constitutions of the portable terminal 200 which is the mobile telephone 950 with which the authentication system 1000 in embodiment, the smart key 952, etc. are provided. FIG. 2 is a functional block diagram showing functions of an authentication system 1000 according to the first exemplary embodiment. It is a figure which shows an example of the authentication information 610 which the authentication information storage part 121 memorize | stores. 4 is a flowchart showing an authentication terminal process that is an operation of the authentication terminal 300 according to the first exemplary embodiment; 3 is a flowchart showing an authentication server process that is an operation of the authentication server 100 according to the first exemplary embodiment; 3 is a flowchart showing a mobile terminal process that is an operation of the mobile terminal 200 according to the first exemplary embodiment; It is a functional block diagram which shows the function of the authentication system 1000 concerning Embodiment 2. FIG. It is a figure which shows an example of the portable terminal authentication information 600 which the portable terminal information storage part 250 memorize | stores. 10 is a flowchart illustrating a mobile terminal process that is an operation of the mobile terminal 200 according to the second exemplary embodiment. It is a figure which shows an example of the authentication information 610 which the authentication information storage part 121 memorize | stores. 10 is a flowchart illustrating an authentication terminal process that is an operation of the authentication terminal 300 according to the fourth exemplary embodiment; 10 is a flowchart illustrating an authentication server process that is an operation of the authentication server 100 according to the fourth embodiment;

Explanation of symbols

  100 authentication server, 110 authentication unit, 111 terminal authentication unit, 112 location authentication unit, 113 biometric information authentication unit, 120 storage unit, 121 authentication information storage unit, 122 location information storage unit, 130 communication unit, 131 reception unit, 132 transmission Unit, 140 operation permission unit, 150 fraud processing unit, 160 identification unit, 170 authentication information generation unit, 200 portable terminal, 210 communication unit, 211 reception unit, 212 transmission unit, 220 biometric information input unit, 230 position information acquisition unit, 240 mobile terminal authentication unit, 250 mobile terminal information storage unit, 300 authentication terminal, 310 communication unit, 311 reception unit, 312 transmission unit, 320 reception unit, 330 terminal information storage unit, 340 server search unit, 400 protection object, 500 Electronic key, 600 mobile terminal authentication information, 601 mobile terminal ID, 602 person to be authenticated Information, 603 protection object ID, 604 authentication subject biometric information, 605 mobile terminal information, 610 authentication information, 611 protection target information, 612 authentication mobile terminal information, 613 mobile terminal ID, 614 biometric authentication information, 615 Status information, 616 electronic key authentication information, 617 card type, 618 electronic key ID, 619 password, 901 CRT display device, 902 K / B, 903 mouse, 904 FDD, 905 CDD, 908 database, 909 system unit, 910 server, 911 CPU, 912 bus, 913 ROM, 914 RAM, 915 communication board, 920 magnetic disk unit, 921 OS, 922 window system, 923 program group, 924 file group, 931 telephone, 932 FAX machine, 940 Internet, 941 gateway, 942 LAN, 950 mobile phone, 952 smart key, 960 ATM, 962 vehicle.

Claims (15)

In an authentication server that communicates with a mobile terminal that has a biometric information input unit for inputting biometric information and restricts operations on protected objects,
A receiving unit that receives the biological information input by the biological information input unit of the portable terminal and the position information of the portable terminal from the portable terminal by a communication device;
A biometric information authenticating unit that authenticates the biometric information of a predetermined user by a processing device based on the biometric information received by the receiving unit;
A position authentication unit that authenticates that the mobile terminal is in a predetermined position by the processing device based on the position information of the mobile terminal received by the reception unit;
An authentication server, comprising: an operation permission unit that allows a processing device to permit an operation on a protected object when the biometric information authentication unit and the position authentication unit authenticate. The authentication server communicates with an authentication terminal operated by a user,
The authentication server further includes:
A location information storage unit that stores location information of the authentication terminal in a storage device;
The position authentication unit authenticates that the position specified by the position information of the portable terminal is a predetermined position with respect to the position specified by the position information of the authentication terminal stored by the position information storage unit. The authentication server according to claim 1, wherein the authentication server is performed. The authentication server communicates with an authentication terminal that transmits electronic key information having information for identifying a user,
The receiving unit receives the electronic key information transmitted by the authentication terminal,
The authentication server further includes:
An authentication information storage unit for storing, in a storage device, first authentication information for authenticating that the user specified by the electronic key information received by the reception unit is valid;
When the receiving unit receives the electronic key information from the authentication terminal, the terminal authenticates by the processing device that the user specified by the electronic key information is valid based on the first authentication information stored in the authentication information storage unit With an authentication unit,
2. The authentication according to claim 1, wherein the operation permission unit permits a processing device to permit an operation on a protected object when the terminal authentication unit, the biometric information authentication unit, and the position authentication unit authenticate. server. The authentication server includes a biometric information input unit that inputs biometric information, and a mobile terminal that includes a mobile terminal authentication unit that authenticates that the biometric information of a predetermined user is based on the biometric information input by the biometric information input unit. Communicate
The receiving unit receives the mobile terminal information transmitted by the mobile terminal when the mobile terminal authentication unit of the mobile terminal authenticates that the mobile terminal is a predetermined user, by the communication device,
The authentication information storage unit stores second authentication information for authenticating that the mobile terminal information is valid in a storage device,
The biometric information authentication unit authenticates that the mobile terminal information is valid by the processing device based on the mobile terminal information received by the reception unit by the communication device and the second authentication information stored by the authentication information storage unit. The authentication server according to claim 1. The authentication server further includes:
An authentication information generation unit that generates new authentication information by the processing device when the biometric information authentication unit performs authentication based on the mobile terminal information and the second authentication information;
A transmission unit that transmits the authentication information generated by the authentication information generation unit as portable terminal information to the portable terminal by a communication device;
The authentication server according to claim 4, wherein the authentication information storage unit stores the authentication information generated by the authentication information generation unit in a storage device as second authentication information. The authentication server according to claim 1, wherein the operation permission unit restricts the operation to the protection object when a predetermined time has elapsed since the operation to the protection object has been permitted. The authentication information storage unit stores authentication mobile terminal information for specifying a mobile terminal corresponding to the electronic key information,
The authentication server further includes a specifying unit that specifies a mobile terminal corresponding to the electronic key information received by the receiving unit based on the authentication mobile terminal information stored in the authentication information storage unit,
The receiving unit receives the biometric information input by the biometric information input unit included in the mobile terminal specified by the specifying unit and the location information of the mobile terminal,
The biometric information authenticating unit authenticates that the biometric information received by the receiving unit belongs to the user specified by the electronic key information,
The authentication server further includes a position information storage unit that stores, in a storage device, position information of the authentication terminal that transmitted the electronic key information.
The position authentication unit has a predetermined position relative to the position specified by the position information of the authentication terminal stored in the position information storage unit, the position specified by the position information of the mobile terminal received by the receiving unit. 4. The authentication server according to claim 3, wherein the authentication server authenticates that it is in a position. The authentication server further processes permission of an operation to the protected object by the electronic key information when at least one of the terminal authentication unit, the biometric information authentication unit, and the position authentication unit cannot be authenticated. The authentication server according to claim 3, further comprising an unauthorized processing unit prohibited by the device. The authentication server according to claim 8, wherein the fraud processing unit identifies an authentication terminal that has transmitted the electronic key information. In a mobile terminal that performs authentication based on biometric information and location information and communicates with an authentication server that restricts operations on protected objects,
A biometric information input unit for inputting biometric information by an input device;
A position information acquisition unit for acquiring position information of the mobile terminal by the processing device;
A communication unit that receives an authentication information request from an authentication server by a communication device and transmits the biometric information input by the biometric information input unit and the position information acquired by the position information acquisition unit to the authentication server by the communication device. A portable terminal characterized by comprising. The mobile device further includes:
A portable terminal authenticating unit that authenticates the biological information of a predetermined user by the processing device based on the biological information input by the biological information input unit;
A portable terminal information storage unit that stores portable terminal information that can be acquired when the portable terminal authentication unit is authenticated as biometric information of a predetermined user in a storage device;
The mobile terminal according to claim 10, wherein the communication unit transmits mobile terminal information stored in the mobile terminal information storage unit instead of biometric information. The mobile terminal according to claim 11, wherein the communication unit receives new mobile terminal information from the authentication server when the mobile terminal information is transmitted to the authentication server. In an authentication system comprising a mobile terminal and an authentication server that restricts operations on protected objects,
The mobile device
A biometric information input unit for inputting biometric information by an input device;
A position information acquisition unit for acquiring position information of the mobile terminal by the processing device;
A transmission unit that transmits the biological information input by the biological information input unit and the positional information acquired by the positional information acquisition unit to the authentication server by a communication device;
The authentication server
A receiving unit for receiving the biological information and the position information transmitted by the transmitting unit by a communication device;
A biometric information authenticating unit that authenticates the biometric information of a predetermined user by the processing device based on the biometric information received by the receiver;
A position authentication unit that authenticates that the mobile terminal is in a predetermined position by the processing device based on the position information of the mobile terminal received by the reception unit;
An authentication system comprising: an operation permission unit that allows a processing device to permit an operation on a protected object when the biometric information authentication unit and the position authentication unit authenticate. In an authentication method of an authentication server that communicates with a mobile terminal having a biometric information input unit for inputting biometric information and restricts an operation to a protection target object
A receiving step in which the receiving unit receives the biometric information input by the biometric information input unit of the mobile terminal and the location information of the mobile terminal from the mobile terminal by the communication device;
A biometric information authentication step for authenticating that the biometric information authentication unit is biometric information of a predetermined user by the processing device based on the biometric information received in the receiving step;
A position authentication step in which a position authentication unit authenticates that the mobile terminal is at a predetermined position by the processing device based on the position information of the mobile terminal acquired in the reception step;
An operation permission step for allowing an operation permission unit to allow an operation to a protected object by the processing device when the biometric information authentication unit and the position authentication unit authenticate at the biometric information authentication step and the position authentication step by the processing device. An authentication method comprising: In an authentication program of an authentication server that communicates with a mobile terminal having a biometric information input unit for inputting biometric information and restricts an operation on a protection target,
A receiving step in which the receiving unit receives the biometric information input by the biometric information input unit of the mobile terminal and the location information of the mobile terminal from the mobile terminal by the communication device;
A biometric information authentication step for authenticating that the biometric information authentication unit is biometric information of a predetermined user by the processing device based on the biometric information received in the receiving step;
A position authentication step in which a position authentication unit authenticates that the mobile terminal is at a predetermined position by the processing device based on the position information of the mobile terminal acquired in the reception step;
An operation permission step for allowing an operation permission unit to allow an operation to a protected object by the processing device when the biometric information authentication unit and the position authentication unit authenticate at the biometric information authentication step and the position authentication step by the processing device. Authentication program to make the computer execute.

Images