JP2026008010A - Authentication system, authentication method, and authentication program - Google Patents

Abstract

The present invention provides an authentication system, an authentication method, and an authentication program that reduce the burden on users when performing two-step authentication.
[Solution] One form of authentication system according to the present disclosure is an authentication system having a user terminal, an authentication terminal, and a server, wherein one of the user terminal, authentication terminal, and server has a first authentication unit that authenticates the user using a first authentication means that authenticates the user using biometric information, and the server has a second authentication unit that authenticates the user using a second authentication means that authenticates the user through wireless communication between the user terminal and the authentication terminal, a judgment unit that judges whether the authentication of the user by the first authentication unit and the second authentication unit has been successful, and an execution control unit that, when the judgment unit judges that the authentication of the user has been successful, executes processing for the user depending on the first authentication result by the first authentication unit or the second authentication result by the second authentication unit.
[Selected Figure] Figure 1

Description

This disclosure relates to an authentication system, authentication method, and authentication program that reduce the burden on users when performing two-step authentication.

A known method of verifying a person's identity is to use information about the person's characteristics captured in an image. In this type of authentication, biometric information such as a facial image or fingerprint is used to prove the uniqueness of the individual. For example, in facial recognition processing, a user's facial image is registered in advance, and the facial image acquired during authentication is compared with the registered image to verify the user's identity.

In addition, technology is known that enhances security through two-step authentication, which combines authentication methods using biometric information with other authentication methods (for example, Patent Document 1).

Japanese Patent Application Laid-Open No. 2017-8639

However, two-step authentication can place a heavy burden on users. For example, two-step authentication requires two types of authentication, which requires the presentation of two types of information. In the case of biometric authentication, the user's biometric information is used as the key, so the burden on the user is low. However, in the case of authentication that uses a physical device such as an IC card as the key, the user must take out the IC card and present it to the authentication device, which places a heavy burden on the user.

This disclosure therefore proposes an authentication system, authentication method, and authentication program that reduce the burden on users when performing two-step authentication.

In order to solve the above problem, one embodiment of an authentication system according to the present disclosure is an authentication system having a user terminal, an authentication terminal, and a server, wherein one of the user terminal, the authentication terminal, and the server is equipped with a first authentication unit that authenticates the user using first authentication means that authenticates the user using biometric information, and the server is equipped with a second authentication unit that authenticates the user using second authentication means that authenticates the user via wireless communication between the user terminal and the authentication terminal, a determination unit that determines whether authentication of the user by the first authentication unit and the second authentication unit was successful, and an execution control unit that, when the determination unit determines that authentication of the user was successful, executes processing for the user in accordance with the first authentication result by the first authentication unit or the second authentication result by the second authentication unit.

One aspect of this embodiment has the effect of reducing the burden on users when performing two-step authentication.

FIG. 1 is a diagram illustrating an example of a configuration of an authentication system according to a first embodiment. FIG. 10 is a diagram illustrating an example of authentication processing according to the first embodiment. FIG. 10 is a diagram illustrating an example of authentication processing according to the first embodiment. FIG. 2 is a diagram illustrating an example of the configuration of a user terminal according to the first embodiment. FIG. 2 is a diagram illustrating an example of the configuration of an authentication terminal according to the first embodiment. FIG. 2 is a diagram illustrating an example of the configuration of a server according to the first embodiment. FIG. 10 is a sequence diagram illustrating an example of a procedure of an authentication process according to the first embodiment. FIG. 10 is a diagram illustrating an example of authentication processing according to the second embodiment. FIG. 10 is a diagram illustrating an example of authentication processing according to the second embodiment. FIG. 10 is a diagram illustrating an example of the configuration of an authentication terminal according to a second embodiment. FIG. 10 is a diagram illustrating an example of the configuration of a server device according to a second embodiment. FIG. 10 is a sequence diagram illustrating an example of a procedure of an authentication process according to the second embodiment. FIG. 13 is a diagram illustrating an example of authentication processing according to the third embodiment. FIG. 13 is a diagram illustrating an example of authentication processing according to the third embodiment. FIG. 11 is a diagram illustrating an example of the configuration of a user terminal according to the third embodiment. FIG. 11 is a diagram illustrating an example of the configuration of a server according to the third embodiment. FIG. 13 is a sequence diagram illustrating an example of a procedure of an authentication process according to the third embodiment. FIG. 13 is a diagram illustrating an example of authentication processing according to the fourth embodiment. FIG. 13 is a diagram illustrating an example of authentication processing according to the fourth embodiment. FIG. 13 is a diagram illustrating an example of the configuration of a user terminal according to the fourth embodiment. FIG. 13 is a sequence diagram illustrating an example of a procedure of an authentication process according to the fourth embodiment. FIG. 2 is a hardware configuration diagram illustrating an example of a computer that realizes the functions of each device.

Embodiments of the present disclosure will be described in detail below with reference to the drawings. Note that in the following embodiments, identical components will be designated by the same reference numerals, and duplicate descriptions will be omitted.

(1. First embodiment)
(1-1. Configuration of the authentication system according to the first embodiment)
Fig. 1 is a diagram showing an example of the configuration of an authentication system according to the first embodiment. The authentication process according to the first embodiment is executed by an authentication system 1 shown in Fig. 1. The authentication system 1 includes a user terminal 100, an authentication terminal 200, a server 300, an authentication engine 400, an execution control device 500, and an execution device 600.

The user terminal 100 is a terminal device used by the user 10, such as a smartphone or tablet terminal. The user terminal 100 transmits information to identify the user 10 to the authentication terminal 200 using a contactless method.

The authentication terminal 200 is a terminal device that acquires information necessary for authentication processing and transmits it to the server 300, which will be described later. For example, the authentication terminal 200 transmits to the server 300 information (such as an employee number) that can identify the user 10 to be authenticated. For example, the authentication terminal 200 transmits to the server 300 biometric information that can identify the user 10 to be authenticated. For example, the authentication terminal 200 transmits to the server 300 a facial image of the user 10 captured using a camera provided on the device. Figure 1 shows an example in which the authentication terminal 200 is a tablet terminal installed at the entrance to the workplace where the user 10 works.

The server 300 is an information processing device that executes authentication processing. For example, the server 300 authenticates the user 10 using information received from the authentication terminal 200. For example, the server 300 performs biometric authentication of the user 10 using the authentication engine 400 described below. Figure 1 shows an example in which the server 300 is a server device that communicates with a tablet terminal.

The authentication engine 400 is a server device (or program) that performs authentication using biometric information of the user 10. In the following embodiment, the authentication engine 400 is described as an example of a face authentication engine 400A that performs face authentication, but the biometric authentication method used by the authentication system 1 is not limited to face authentication, and the authentication engine 400 is not limited to the face authentication engine 400A.

The facial recognition engine 400A is a server device (or program) that performs identity authentication of facial images using known techniques such as facial area detection in an image, facial feature point extraction, facial feature amount extraction, feature point matching, and feature amount matching. The facial recognition engine 400A is provided, for example, by a company engaged in facial recognition. Although not shown in FIG. 1, the authentication system may perform authentication using multiple different facial recognition engines 400A. Each facial recognition engine 400A is developed by a different company and has various different characteristics. That is, different facial recognition engines 400A excel at different image characteristics (image brightness, the proportion of the image occupied by the face, the skin color and facial features of the user 10 to be authenticated, etc.). Therefore, the authentication terminal 200 can be used in a variety of ways, such as selecting the facial recognition engine 400A to perform authentication depending on the application or having multiple facial recognition engines 400A perform authentication.

The execution control device 500 is an information processing device that controls the execution of processing for user 10. For example, if user 10 has the necessary authority for the processing, the execution control device 500 causes the execution device 600 to execute processing for user 10. In the following, an example is given in which the execution control device 500 is an entry/exit management device 500A that manages entry and exit of user 10, but the execution control performed by the authentication system 1 is not limited to entry/exit management, and the execution control device 500 is not limited to the entry/exit management device 500A. For example, the entry/exit management device 500A controls entry and exit of user 10 using authentication information that can identify user 10.

The execution device 600 is an information processing device that executes processing for the user 10. In the following embodiment, the execution device 600 is described as a gate 600A that controls the entry and exit of the user 10, but the execution of processing performed by the authentication system 1 is not limited to opening and closing a gate, and the execution device 600 is not limited to the gate 600A. The gate 600A is controlled by another device, such as the execution control device 500, and performs an unlocking operation to allow the user 10 to enter. Figure 1 shows an example in which the execution device 600 is a gate 600A installed at the entrance and exit of the workplace where the user 10 works.

In the above authentication system 1, when a user 10 brings an IC card built into the user terminal 100 close to the authentication terminal 200, information such as the employee number recorded on the IC card is read by the authentication terminal 200, and authentication is performed by the server 300. Furthermore, when the user 10 has the authentication terminal 200 capture a facial image, the server 300 authenticates the facial image using the facial recognition engine 400A.

Next, if the contactless authentication and biometric authentication are successful, the server 300 controls the entry/exit management device 500A to control the entry and exit of the user 10 based on the authentication results, and performs operations such as unlocking and locking the gate 600A.

As mentioned above, two-step authentication that combines contactless and biometric authentication can prevent spoofing using physical devices, but it can also place a significant burden on users. For example, contactless authentication using IC cards typically uses a close-contact method with a communication distance of several millimeters to several centimeters. For this reason, if close-contact contactless authentication is used for entering and exiting a facility, the user must remove their IC card and present it to the authentication terminal each time they enter or exit the facility.

In addition, contactless authentication requires the user to present an IC card, which can lead to congestion of users waiting for authentication if the user is unable to present their IC card smoothly or if there is a large number of users. For this reason, even when adopting two-step authentication, it is desirable to reduce the effort required to present authentication elements and reduce the burden on users.

The authentication system 1 according to the embodiment has the following configuration to reduce the burden on users during two-step authentication. Specifically, the authentication system 1 includes a user terminal 100, an authentication terminal 200, and a server 300. One of the user terminal 100, authentication terminal 200, and server 300 authenticates the user 10 using a first authentication means that authenticates the user 10 using biometric information. The server 300 authenticates the user 10 using a second authentication means that authenticates the user 10 via wireless communication between the user terminal 100 and the authentication terminal 200. The server 300 determines whether the authentication of the user 10 by the first authentication means and the second authentication means was successful. If it is determined that the authentication of the user 10 was successful, the server 300 executes processing for the user 10 according to the first authentication result or the second authentication result.

As a result, authentication system 1 performs two-step authentication by combining authentication via wireless communication and authentication via biometric information, eliminating the need to present a physical device, thereby achieving robust security while reducing the burden on users when it comes to two-step authentication.

Next, each authentication process performed in the authentication system 1 will be described using Figures 2 and 3. In the first embodiment, authentication is performed by the second authentication means using wireless communication, followed by authentication by the first authentication means using biometric information. Therefore, authentication by the second authentication means will first be described using Figure 2. Figure 2 is a diagram for explaining an example of authentication processing according to the first embodiment. Figure 2 schematically shows the flow of authentication of the user 10 by the second authentication means.

As shown in Figure 2, the user terminal 100 and authentication terminal 200 are connected as follows: first, the user 10 carrying the user terminal 100 approaches the authentication terminal 200 (step S11). This brings the distance between the user terminal 100 and the authentication terminal 200 less than a predetermined distance. Next, the user terminal 100 transmits information for identifying the user 10, such as employee information, to the authentication terminal 200 (step S12). Next, the authentication terminal 200 transmits the employee information transmitted from the user terminal 100 to the server 300 (step S13). Next, the server 300 references the information it holds and identifies the user ID from the employee number (step S14).

Next, authentication by the first authentication means will be described using Figure 3. Figure 3 is a diagram for explaining an example of authentication processing according to the first embodiment. Figure 3 schematically shows the flow in which authentication of user 10 by the first authentication means is performed after authentication of user 10 by the second authentication means.

As shown in FIG. 3, the authentication terminal 200 captures a facial image of the user 10 (step S15). Next, the authentication terminal 200 transmits the facial image to the server 300 (step S16). Next, the server 300 transmits the facial image to the facial recognition engine 400A (step S17). Next, the facial recognition engine 400A performs facial recognition using the transmitted facial image and identifies ID data corresponding to the facial image (step S18). Then, the facial recognition engine 400A transmits ID data, which is the result of the facial recognition, to the server 300 (step S19).

(1-2. Configuration of User Terminal According to First Embodiment)
Next, a description will be given of the configuration of the user terminal 100 that executes the authentication process according to the first embodiment. Fig. 4 is a diagram showing an example of the configuration of the user terminal 100 according to the first embodiment.

As shown in FIG. 4, the user terminal 100 has a communication unit 110, a memory unit 120, and a control unit 130. The user terminal 100 may also have an input unit (e.g., a touch panel, keyboard, mouse, etc.) that accepts various operations from an administrator or the like who manages the user terminal 100.

The communication unit 110 is realized, for example, by a NIC (Network Interface Card) or a network interface controller. The communication unit 110 is connected to a network N (e.g., the Internet) via a wired or wireless connection, and transmits and receives information to and from external devices such as the authentication terminal 200 and server 300 via the network N. For example, the communication unit 110 may transmit and receive information using any communication standard or technology, such as Wi-Fi (registered trademark), Bluetooth (registered trademark), SIM (Subscriber Identity Module), or LPWA (Low Power Wide Area).

The storage unit 120 is realized, for example, by a semiconductor memory element such as RAM (Random Access Memory) or flash memory, or a storage device such as a hard disk or optical disk. The storage unit 120 has a user information storage unit 121.

The user information storage unit 121 stores information about the user 10. For example, the user information storage unit 121 stores information such as the user name and employee number.

The control unit 130 is realized by, for example, a CPU (Central Processing Unit), MPU (Micro Processing Unit), GPU (Graphics Processing Unit), etc., executing a program stored inside the user terminal 100 using RAM or the like as a working area. The control unit 130 is also a controller, and is realized by, for example, an integrated circuit such as an ASIC (Application Specific Integrated Circuit) or FPGA (Field Programmable Gate Array).

As shown in FIG. 4, the control unit 130 includes a wireless communication unit 131.

The wireless communication unit 131 measures the distance between the user terminal 100 and the authentication terminal 200 via wireless communication. For example, the wireless communication unit 131 measures the distance between the user terminal 100 and the authentication terminal 200 using BLE (Bluetooth Low Energy) technology. For example, the wireless communication unit 131 measures the distance between the user terminal 100 and the authentication terminal 200 based on the reception strength of radio waves transmitted from a BLE beacon built into the authentication terminal 200. That is, since radio waves attenuate the greater the distance, if the radio wave strength when the wireless communication unit 131 receives radio waves transmitted from a BLE beacon built into the authentication terminal 200 is strong, it indicates that the distance to the authentication terminal 200 is close, and if the radio wave strength is weak, it indicates that the distance to the authentication terminal 200 is far. Note that in the above example, the BLE beacon built into the authentication terminal 200 is the transmitting side and the wireless communication unit 131 is the receiving side, but the opposite may also be true: the wireless communication unit 131 is the transmitting side and the BLE beacon built into the authentication terminal 200 is the receiving side.

In addition to the above examples, the wireless communication unit 131 can measure the distance between the user terminal 100 and the authentication terminal 200 using general ranging and positioning techniques that use BLE beacons.

The wireless communication unit 131 transmits and receives information via wireless communication. For example, when the distance from the authentication terminal 200 becomes less than a predetermined distance, the wireless communication unit 231 transmits information identifying the user 10 to the authentication terminal 200. The wireless communication unit 231 also receives information requesting information identifying the user 10 transmitted from the authentication terminal 200. The predetermined distance can be freely changed depending on the purpose.

General wireless technologies can be used for transmitting and receiving information between the wireless communication unit 131 and the authentication terminal 200. For example, the wireless communication unit 131 uses technology such as BLE to transmit information identifying the user 10 to the authentication terminal 200 and receive requests for information identifying the user 10 transmitted from the authentication terminal 200. For example, the wireless communication unit 131 functions as a BLE beacon and transmits employee information to the authentication terminal 200 when the distance from the authentication terminal 200 becomes less than a predetermined distance. The wireless communication unit 131 also receives information requesting employee information transmitted from the authentication terminal 200, transmitted from a BLE beacon built into the authentication terminal 200.

Note that the wireless communication unit 131 may transmit information identifying the user 10 to the authentication terminal 200 and receive a request for information identifying the user 10 when the user terminal 100 and the authentication terminal 200 are connected using a pre-configured pairing (device registration) function.

(1-3. Configuration of the authentication terminal according to the first embodiment)
Next, a description will be given of the configuration of the authentication terminal 200 that executes the authentication process according to the first embodiment. Fig. 5 is a diagram showing an example of the configuration of the authentication terminal 200 according to the first embodiment.

As shown in FIG. 5, the authentication terminal 200 has a communication unit 210, a memory unit 220, and a control unit 230. The authentication terminal 200 may also have an input unit (e.g., a touch panel, keyboard, mouse, etc.) that accepts various operations from an administrator or the like who manages the authentication terminal 200.

The communication unit 210 is realized, for example, by a NIC (Network Interface Card) or a network interface controller. The communication unit 210 is connected to a network N (e.g., the Internet) via a wired or wireless connection, and transmits and receives information to and from external devices such as the user terminal 100 and server 300 via the network N. For example, the communication unit 110 may transmit and receive information using any communication standard or technology, such as Wi-Fi, Bluetooth, SIM (Subscriber Identity Module), or LPWA (Low Power Wide Area).

The storage unit 220 is realized, for example, by a semiconductor memory element such as RAM (Random Access Memory) or flash memory, or a storage device such as a hard disk or optical disk. The storage unit 220 has a biometric information storage unit 221.

The biometric information storage unit 221 stores biometric information. For example, the biometric information storage unit 221 stores captured facial images for each user 10. Furthermore, the facial image information stored in the biometric information storage unit 221 includes information on feature points and feature amounts extracted from the facial image. Note that the biometric information stored in the biometric information storage unit 221 is not limited to facial images, and the biometric information storage unit 221 stores biometric information according to the biometric authentication method used in the authentication system 1.

The control unit 230 is realized by, for example, a CPU (Central Processing Unit), MPU (Micro Processing Unit), GPU (Graphics Processing Unit), etc., executing a program stored inside the authentication terminal 200 using RAM or the like as a working area. The control unit 130 is a controller, and is realized by, for example, an integrated circuit such as an ASIC (Application Specific Integrated Circuit) or FPGA (Field Programmable Gate Array).

As shown in FIG. 5, the control unit 230 has a wireless communication unit 231 and an acquisition unit 232.

The wireless communication unit 231 measures the distance between the user terminal 100 and the authentication terminal 200 via wireless communication. For example, the wireless communication unit 231 measures the distance between the user terminal 100 and the authentication terminal 200 based on the reception strength of radio waves transmitted from a BLE beacon built into the user terminal 100. Note that in the above example, the BLE beacon built into the user terminal 100 is the transmitting side and the wireless communication unit 231 is the receiving side, but the opposite may also be true, with the wireless communication unit 231 being the transmitting side and the BLE beacon built into the user terminal 100 being the receiving side.

In addition to the above examples, the wireless communication unit 231 can measure the distance between the user terminal 100 and the authentication terminal 200 using general ranging and positioning techniques that use BLE beacons.

The wireless communication unit 231 transmits and receives information via wireless communication. For example, the wireless communication unit 231 receives information identifying the user 10 transmitted from the user terminal 100. Furthermore, when the distance to the user terminal 100 becomes less than a predetermined distance, the wireless communication unit 231 transmits information to the user terminal 100 requesting information identifying the user 10.

General wireless technologies can be used for transmitting and receiving information between the wireless communication unit 231 and the user terminal 100. For example, the wireless communication unit 231 uses technology such as BLE to request information identifying the user 10 from the user terminal 100 and receive information identifying the user 10 transmitted from the user terminal 100. For example, the wireless communication unit 231 functions as a BLE beacon and requests employee information from the user terminal 100 when the distance to the user terminal 100 becomes less than a predetermined distance. The wireless communication unit 231 also receives employee information transmitted from a beacon built into the user terminal 100.

Note that the wireless communication unit 231 may request information identifying the user 10 from the user terminal 100 or receive information identifying the user 10 when the user terminal 100 and the authentication terminal 200 are connected using a pre-configured pairing function.

The acquisition unit 232 acquires biometric information of the user 10 from the user 10. For example, the acquisition unit 232 acquires a facial image of the user 10 using a camera provided in the authentication terminal 200. The above describes an example of biometric authentication in which the acquisition unit 232 acquires a facial image for facial authentication, but this is merely an example, and the acquisition unit 232 can acquire information used for biometric authentication, such as a retinal image used for iris authentication, a fingerprint image used for fingerprint authentication, or a vein image used for vein authentication. The acquisition unit 232 can also acquire voice used for voice authentication using a recording device. In other words, the acquisition unit 232 acquires information used for biometric authentication using a device appropriate for the type of biometric authentication used in the authentication system 1.

(1-4. Server Configuration According to the First Embodiment)
Next, a description will be given of the configuration of the server 300 that executes the authentication process according to the first embodiment. Fig. 6 is a diagram showing an example of the configuration of the server 300 according to the first embodiment.

As shown in FIG. 6, the server 300 has a communication unit 310, a memory unit 320, and a control unit 330.

The communication unit 310 is realized, for example, by a NIC (Network Interface Card) or a network interface controller. The communication unit 310 is connected to a network N (e.g., the Internet) via a wired or wireless connection, and transmits and receives information via the network N to and from external devices such as the user terminal 100, authentication terminal 200, authentication engine 400, and execution control device 500. For example, the communication unit 310 may transmit and receive information using any communication standard or technology, such as Wi-Fi, Bluetooth, SIM (Subscriber Identity Module), or LPWA (Low Power Wide Area).

The storage unit 320 is realized, for example, by a semiconductor memory element such as RAM (Random Access Memory) or flash memory, or a storage device such as a hard disk or optical disk. The storage unit 320 has a user information storage unit 321 and a biometric information storage unit 322.

The user information storage unit 321 stores information about users 10. For example, the user information storage unit 321 stores, for each user 10, control information related to the control of users 10, such as the employee number, ID data, user name, entry/exit classification, and attendance classification of the user 10.

The biometric information storage unit 322 stores biometric information. For example, the biometric information storage unit 322 stores a facial image for each user 10. Furthermore, the facial image information stored in the biometric information storage unit 322 includes information on feature points and feature amounts extracted from the facial image. The biometric information stored in the biometric information storage unit 322 is not limited to facial images, and the biometric information storage unit 322 stores biometric information according to the biometric authentication method used in the authentication system 1.

The control unit 330 is realized by, for example, a CPU (Central Processing Unit), MPU (Micro Processing Unit), GPU (Graphics Processing Unit), etc., executing a program stored inside the server 300 using RAM or the like as a working area. The control unit 330 is also a controller, and is realized by, for example, an integrated circuit such as an ASIC (Application Specific Integrated Circuit) or FPGA (Field Programmable Gate Array).

As shown in FIG. 6, the control unit 330 has a first authentication unit 331, a second authentication unit 333, a determination unit 336, and an execution control unit 337.

The first authentication unit 331 authenticates the user 10 using a first authentication means that authenticates the user using biometric information. Here, the first authentication means may be, for example, biometric authentication such as facial authentication, iris authentication, fingerprint authentication, vein authentication, or voiceprint authentication, but the following explanation will use facial authentication as an example.

The first authentication unit 331 authenticates the user 10 using a first authentication means that authenticates the user 10 using a facial image acquired by the acquisition unit 232. For example, the first authentication unit 331 performs facial authentication of the user 10 by comparing the correct answer data from the facial recognition process of the facial recognition engine 400A with a captured facial image of the user 10. Note that in other embodiments, the first authentication unit 331 may authenticate the user 10 using biometric information acquired by the acquisition unit 132 provided in the user terminal 100.

An example will be described in which the first authentication unit 331 uses feature points of the correct data from the facial recognition process when performing authentication using the facial recognition engine 400A. The first authentication unit 331 uses the facial recognition engine 400A to compare feature points of the correct data from the facial recognition process with feature points of the facial image of user 10 to calculate the similarity and determine whether the similarity exceeds a set threshold. If the calculated similarity exceeds the threshold, the first authentication unit 331 then authenticates that user 10 is the user 10 corresponding to the correct data from the facial recognition process.

An example will be described in which the first authentication unit 331 uses the features of the correct data from the facial recognition process when performing authentication using the facial recognition engine 400A. The first authentication unit 331 uses the facial recognition engine 400A to compare the features of the correct data from the facial recognition process with the features of the facial image of the user 10 to calculate the similarity and determine whether the similarity exceeds a set threshold. If the calculated similarity exceeds the threshold, the first authentication unit 331 then authenticates that the user 10 is the user 10 corresponding to the correct data from the facial recognition process. In this way, if the calculated similarity exceeds the threshold, authentication is successful.

After the second authentication unit 333 identifies the identification information corresponding to the user 10, the first authentication unit 331 authenticates the user 10 using the biometric information acquired by the acquisition unit 232. For example, after the second authentication unit 333 identifies the user ID of the user 10, the first authentication unit 331 authenticates the user 10 using the facial image acquired by the acquisition unit 232. In other words, the first authentication unit 331 performs biometric authentication after authentication via wireless communication is performed.

The second authentication unit 333 authenticates the user 10 via wireless communication. For example, the second authentication unit 333 authenticates the user 10 using a second authentication means that authenticates the user 10 via wireless communication between the user terminal 100 and the authentication terminal 200. Specifically, the second authentication unit 333 references the user information storage unit 321 and authenticates that the user 10 is the user 10 identified by the user ID corresponding to the employee number transmitted from the user terminal 100 to the authentication terminal 200 via wireless communication.

Furthermore, the second authentication unit 333 authenticates the user 10 using the second authentication means when the distance between the authentication terminal 200 and the user terminal 100 is less than a predetermined distance. The distance between the authentication terminal 200 and the user terminal 100 is measured using the functions of the wireless communication unit 131 and the wireless communication unit 231. The predetermined distance can be freely changed depending on the purpose. For example, in the first embodiment, if a traffic jam occurs of users 10 waiting to be authenticated by the second authentication unit, the predetermined distance is increased.

The determination unit 336 determines whether authentication of user 10 by the first authentication unit 331 and the second authentication unit 333 has been successful. For example, the determination unit 336 determines that authentication has been successful when a user ID corresponding to user 10 has been identified. In other words, the determination unit 336 determines that authentication of user 10 has been successful when a user ID corresponding to biometric information has been identified by the first authentication unit 331 and a user ID corresponding to employee information has been identified by the second authentication unit 333.

The determination unit 336 can also determine whether authentication of user 10 was successful based on the results of comparing each user ID. For example, the determination unit 336 compares whether the user ID identified by the first authentication unit 331 matches the user ID identified by the second authentication unit 333, and determines that authentication of user 10 was successful if the user IDs match. Note that when authenticating user 10 by the determination unit 336, the first authentication unit 331 may be the first authentication unit 133 provided in the user terminal 100 in other embodiments, or the first authentication unit 233 provided in the authentication terminal 200.

When the determination unit 336 determines that authentication of user 10 has been successful, the execution control unit 337 executes processing for user 10 in accordance with the first authentication result by the first authentication unit 331 or the second authentication result by the second authentication unit 333. For example, the execution control unit 337 causes the execution control device 500 to execute processing for user 10 in accordance with the authentication result. Taking entry/exit management as an example, when the determination unit 336 determines that authentication of user 10 has been successful, the execution control unit 337 transmits the user ID, which is the first authentication result by the first authentication unit 331, to the entry/exit management device 500A, and causes the entry/exit management device 500A to execute processing to allow entry for user 10 identified by the user ID. Examples of processing for user 10 include entry/exit management and attendance management, but are not particularly limited as long as authentication of user 10 can be performed when processing user 10.

(1-5. Procedure of authentication process according to the first embodiment)
Next, the procedure of the authentication process according to the first embodiment will be described with reference to Fig. 7. Fig. 7 is a sequence diagram showing an example of the procedure of the authentication process according to the first embodiment. Note that the steps below may be executed in a different order, and some steps may be omitted.

First, the authentication terminal 200 waits on a wireless communication detection screen (step S101). For example, the authentication terminal 200 displays a Bluetooth detection screen and waits. Next, the user 10 carrying the user terminal 100 approaches the authentication terminal 200 (step S102). Next, the user terminal 100 transmits an employee number to the authentication terminal 200 (step S103). For example, the user terminal 100 detects that the distance from the authentication terminal 200 is less than a predetermined distance and transmits the employee number to the authentication terminal 200. Also, for example, the user terminal 100 receives a request from the authentication terminal 200 and transmits the employee number to the authentication terminal 200. Next, the authentication terminal 200 transmits the employee number to the server 300 (step S104). Next, the server 300 identifies the user ID from the employee number (step S105).

The authentication terminal 200 then requests a facial image from the user 10 (step S106). For example, the authentication terminal 200 notifies the user 10 that a facial image will be taken. The user 10 then takes a picture of their face with the camera of the authentication terminal 200 (step S107). The authentication terminal 200 then takes a facial image of the user 10 (step S108). The authentication terminal 200 then transmits the facial image of the user 10 to the server 300 (step S109). The server 300 then identifies the user ID from the facial image of the user 10 (step S110). For example, the server 300 uses the facial recognition engine 400A to identify the user ID corresponding to the facial image.

Next, the server 300 determines whether the user ID identified from the employee number matches the user ID identified from the facial image (step S111). If the server 300 determines that the IDs do not match (step S111; No), the authentication terminal 200 performs the process of step S101 again.

On the other hand, if the server 300 determines that the IDs match (Step S111; Yes), the server 300 transmits the ID data of the authenticated user 10 to the execution control device 500 (Step S112). The execution control device 500 then controls the execution device 600 to execute processing for the user 10 identified by the ID data (Step S113). For example, the execution control device 500 checks the authority information for the transmitted user ID, and if the user has the authority required for the processing, controls the execution device 600 to execute processing for the user 10. The execution device 600 then executes the processing for the user 10 and terminates the processing (Step S114).

(1-6. Effects of the authentication system according to the first embodiment)
As described above, the authentication system according to the present disclosure is an authentication system having a user terminal (user terminal 100 in the embodiment), an authentication terminal (authentication terminal 200 in the first embodiment), and a server (server 300 in the first embodiment), and one of the user terminal, authentication terminal, and server has a first authentication unit (first authentication unit 331 in the first embodiment), and the server has a second authentication unit (second authentication unit 333 in the first embodiment), a judgment unit (judgment unit 336 in the first embodiment), and an execution control unit (execution control unit 337 in the first embodiment).

The first authentication unit authenticates the user using first authentication means that authenticates the user using biometric information. The second authentication unit authenticates the user using second authentication means that authenticates the user through wireless communication between the user terminal and the authentication terminal. The determination unit determines whether the user authentication by the first authentication unit and the second authentication unit was successful. If the determination unit determines that the user authentication was successful, the execution control unit executes processing for the user depending on the first authentication result by the first authentication unit or the second authentication result by the second authentication unit.

The authentication terminal may further include an acquisition unit (acquisition unit 232 in the first embodiment). The acquisition unit acquires biometric information of the user from the user. After the second authentication unit identifies identification information corresponding to the user, the first authentication unit authenticates the user using the biometric information acquired by the acquisition unit.

In this way, the authentication system 1 according to the first embodiment performs two-step authentication by combining authentication via wireless communication and authentication via biometric information, eliminating the need to present a physical device during authentication, thereby reducing the burden on the user 10 during two-step authentication. Furthermore, by performing authentication via wireless communication followed by authentication via biometric information, it is possible to prevent spoofing using a physical device, thereby achieving robust security.

(2. Second embodiment)
(2-1. Overview of authentication processing according to the second embodiment)
In the first embodiment, the process in which the server 300 authenticates the user 10 using the second authentication means has been described. However, the authentication process may be made faster and more efficient by transmitting biometric information for the user 10 identified by the first authentication means to the authentication terminal 200 in advance, and then having the authentication terminal 200 authenticate the user 10 using the second authentication means. This point will be described as the second embodiment. Note that the content described in the first embodiment will be omitted as appropriate.

The authentication process according to the second embodiment will be described using Figures 8 and 9. Figure 8 is a diagram showing an example of the authentication process according to the third embodiment. Figure 8 schematically shows the flow of authentication of the user 10 by the second authentication means in the user terminal 100.

As shown in FIG. 8, the user terminal 100 and authentication terminal 200 are configured as follows: first, the user 10 carrying the user terminal 100 approaches the authentication terminal 200 (step S21). Next, the user terminal 100 transmits information for identifying the user 10, such as employee information, to the authentication terminal 200 (step S22). Next, the authentication terminal 200 transmits the employee information transmitted from the user terminal 100 to the server 300 (step S23). Next, the server 300 references information stored in its own device and identifies the user ID from the employee number (step S24). The server 300 then transmits the identified user ID and information on the feature points of the correct answer data from the facial recognition process corresponding to the user ID to the authentication terminal 200 (step S25).

Next, authentication by the first authentication means will be described using Figure 9. Figure 9 is a diagram for explaining an example of authentication processing according to the second embodiment. Figure 9 schematically shows the flow in which authentication of user 10 by the second authentication means is performed, followed by authentication of user 10 by the first authentication means.

As shown in FIG. 9, the authentication terminal 200 captures a facial image of the user 10 (step S26). Next, the authentication terminal 200 performs facial authentication of the captured facial image using the built-in facial authentication engine 400A (step S27). For example, the authentication terminal 200 compares the feature points of the correct answer data for the facial authentication process corresponding to the user ID transmitted in step S25 of FIG. 8 with the feature points of the captured facial image, and identifies the user as the user with the transmitted user ID.

In this way, the authentication system according to the second embodiment enables biometric authentication in a local environment by preparing for two-step authentication, which combines authentication via wireless communication and authentication via biometric information, by sending user information identified via wireless communication to the authentication terminal 200 in advance, thereby reducing the burden on the user during two-step authentication and improving processing speed.

(2-2. Configuration of the authentication terminal according to the second embodiment)
Next, a configuration of the authentication terminal 200 that executes the authentication process according to the embodiment will be described. Fig. 10 is a diagram showing an example of the configuration of the authentication terminal 200 according to the embodiment.

The biometric information storage unit 221 stores biometric information. For example, the biometric information storage unit 221 stores captured facial images and correct answer data from facial authentication processing. Furthermore, the facial image information stored in the biometric information storage unit 221 includes information on feature points and feature amounts extracted from the facial image. The biometric information stored in the biometric information storage unit 221 is not limited to facial images, and the biometric information storage unit 221 stores biometric information according to the biometric authentication method used in the authentication system 1.

As shown in FIG. 10, the control unit 230 has a wireless communication unit 231, an acquisition unit 232, and a first authentication unit 233.

The first authentication unit 233 authenticates the user by comparing the information used for biometric authentication of the user 10 transmitted from the transmission unit 332 provided in the server 300 with the biometric information acquired by the acquisition unit 232. For example, the first authentication unit 233 authenticates the user 10 by comparing the feature point information of the correct answer data for the facial authentication process corresponding to the user ID of the user 10 transmitted from the transmission unit 332 with the feature points of the facial image acquired by the acquisition unit 232. Note that, although feature point information has been exemplified above as information used for biometric authentication, the information is not limited as long as it can be used for biometric authentication of the user 10.

Furthermore, when information used for biometric authentication of multiple users 10 is transmitted from the transmission unit 332, the first authentication unit 233 compares the information used for biometric authentication of each user 10 with the biometric information acquired by the acquisition unit 232. In other words, the first authentication unit 233 can speed up biometric authentication of users 10 by preparing and waiting for the information used for biometric authentication of users 10 transmitted from the transmission unit 332 in advance.

In order to speed up biometric authentication, the number of users 10 related to the information transmitted by the transmission unit 332 and waiting for biometric authentication is set to be less than a predetermined value. The predetermined value can be freely changed depending on the purpose. For example, the predetermined value is changed depending on the performance of the authentication terminal 200, the level of congestion related to authentication, etc.

In this case, the order in which biometric authentication is performed for multiple users 10 is assumed to be the order in which they were sent from the transmission unit 332. Note that the first authentication unit 233 can perform the same processing as the first authentication unit 331.

The determination unit 234 determines that authentication of the user 10 by the first authentication unit 223 and the second authentication unit 333 has been successful if the similarity between the feature point information of the correct data from the facial authentication process corresponding to the user ID of the user 10 and the feature points of the facial image is equal to or greater than a predetermined threshold. Note that the predetermined threshold used for comparison with the similarity can be freely changed depending on the purpose. The determination unit 234 can also perform the same processing as the determination unit 336.

(2-3. Server Configuration According to Second Embodiment)
Next, a description will be given of the configuration of the server 300 that executes the authentication process according to the second embodiment. Fig. 11 is a diagram showing an example of the configuration of the server 300 according to the embodiment.

The transmission unit 332 transmits the user ID of the user 10 identified by the second authentication unit 333 to the authentication terminal 200. At this time, the transmission unit 332 can also transmit information used for biometric authentication to the authentication terminal 200. For example, the transmission unit 332 transmits information used for biometric authentication of the user 10 identified by the second authentication unit 333 to the authentication terminal 200. More specifically, the transmission unit 332 transmits information on feature points of the correct data from the facial authentication process corresponding to the user ID of the user 10 to the authentication terminal 200. At this time, the transmission unit 332 can transmit information on multiple users 10 to the authentication terminal 200. Note that, although feature point information has been exemplified above as information used for biometric authentication, there is no particular limitation as long as it can be used for biometric authentication of the user 10.

The second authentication unit 333 authenticates the user 10 using the second authentication means when the distance between the authentication terminal 200 and the user terminal 100 is less than a predetermined distance. Here, the predetermined distance may be changed depending on the number of users 10 associated with the information transmitted by the transmission unit 332 who are awaiting biometric authentication. For example, if there are a large number of users 10 associated with the information transmitted by the transmission unit 332 who are awaiting biometric authentication, it is assumed that biometric authentication is being delayed, and the predetermined distance is reduced. Conversely, if there are a small number of users 10 associated with the information transmitted by the transmission unit 332 who are awaiting biometric authentication, it is assumed that authentication is being performed smoothly, and the predetermined distance is increased. In other words, the second authentication unit 333 can improve the efficiency of the authentication process by changing the distance at which authentication is performed using the second authentication means depending on the number of users awaiting biometric authentication.

(2-4. Procedure of authentication process according to the second embodiment)
The flow of authentication processing according to the second embodiment will be described with reference to Fig. 12. Fig. 12 is a sequence diagram showing an example of the procedure of authentication processing according to the second embodiment. Note that the following steps may be executed in a different order, and some processing may be omitted.

First, the authentication terminal 200 waits on a wireless communication detection screen (step S201). Next, the user 10 carrying the user terminal 100 approaches the authentication terminal 200 (step S202). Next, the user terminal 100 transmits the employee number to the authentication terminal 200 (step S203). Next, the authentication terminal 200 transmits the employee number to the server 300 (step S204). Next, the server 300 identifies the user ID from the employee number (step S205).

Next, the server 300 transmits the identified user ID and information on the feature points of the correct data from the facial authentication process corresponding to the user ID to the authentication terminal 200 (step S206). Next, the authentication terminal 200 requests a facial image from the user 10 (step S207). For example, the authentication terminal 200 notifies the user 10 that a facial image will be captured. Next, the user 10 captures a picture of their face in front of the camera of the authentication terminal 200 (step S208). Next, the authentication terminal 200 captures a facial image of the user 10 (step S209).

Next, the authentication terminal 200 uses the built-in face recognition engine 400A to calculate the similarity (match rate) between the feature points of the face image of the user 10 and the feature points of the correct data of the face recognition process corresponding to the identified user ID (step S210). Next, the authentication terminal 200 determines whether the similarity is equal to or greater than a threshold (step S211). If the authentication terminal 200 determines that the similarity is not equal to or greater than the threshold (step S211; No), the authentication terminal 200 performs the process of step S210 again. At this time, the authentication terminal 200 can calculate the similarity between the feature points of the correct data of the face recognition process corresponding to the identified user ID and the feature points of the captured face image in the order of the users 10 waiting to be authenticated (whose user IDs have been identified). In other words, if the calculated similarity is not equal to or greater than the threshold, the authentication terminal 200 repeats the process of calculating the similarity by comparing the feature point information of the next waiting user 10 with the feature points of the captured face image.

On the other hand, if the authentication terminal 200 determines that the similarity is equal to or greater than the threshold (Step S211; Yes), the authentication terminal 200 notifies the server 300 that the authentication was successful (Step S212). The server 300 then transmits the ID data of the successfully authenticated user 10 to the execution control device 500 (Step S213). The execution control device 500 then controls the execution device 600 to execute processing for the user 10 identified by the ID data (Step S214). For example, the execution control device 500 checks the authority information for the transmitted user ID, and if the user has the authority required for the processing, controls the execution device 600 to execute processing for the user 10. The execution device 600 then executes the processing for the user 10 and terminates the processing (Step S215).

(2-5. Effects of the authentication system according to the second embodiment)
As described above, in the authentication system according to the present disclosure, the server may further include a transmission unit (transmission unit 332 in the second embodiment). The first authentication unit authenticates the user by comparing the information used for biometric authentication of the user transmitted from the transmission unit with the biometric information acquired by the acquisition unit.

In this way, the authentication system 1 according to the second embodiment enables biometric authentication in a local environment by preparing for two-step authentication, which combines authentication via wireless communication and authentication via biometric information, by sending information about the user 10 identified via wireless communication to the authentication terminal 200 in advance, thereby reducing the burden on the user 10 during two-step authentication and improving processing speed.

(3. Third embodiment)
(3-1. Overview of authentication process according to the third embodiment)
In the first and second embodiments, examples have been described in which authentication using biometric information is performed after authentication using wireless communication, but authentication using biometric information may be performed before authentication using wireless communication. Furthermore, the efficiency of the authentication process may be improved by using flag information indicating that authentication using biometric information has been completed. This point will be described as a third embodiment. Note that the contents described in the first and second embodiments will be omitted as appropriate.

The authentication process according to the third embodiment will be described using Figures 13 and 14. Figure 13 is a diagram showing an example of the authentication process according to the third embodiment. Figure 13 schematically shows the flow of authentication of a user 10 by the first authentication means in the user terminal 100.

As shown in FIG. 13, first, the user terminal 100 captures a facial image of the user 10 (step S31). Next, the user terminal 100 transmits the facial image to the server 300 (step S32). Next, the server 300 transmits the facial image to the facial recognition engine 400A (step S33). Next, the facial recognition engine 400A performs facial recognition using the transmitted facial image and identifies the user ID (step S34). Next, the facial recognition engine 400A transmits the user ID, which is the result of the facial recognition, to the server 300 (step S35). Then, the server 300 assigns a flag to the user ID indicating that authentication by the first authentication means has been completed (step S36).

Next, authentication by the second authentication means will be described using Figure 14. Figure 14 is a diagram for explaining an example of authentication processing according to the third embodiment. Figure 14 schematically shows the flow of authentication of user 10 by the second authentication means.

As shown in FIG. 14, first, a user 10 carrying a user terminal 100 approaches the authentication terminal 200 (step S41). Next, the user terminal 100 transmits information for identifying the user 10, such as employee information, to the authentication terminal 200 (step S42). Next, the authentication terminal 200 transmits the employee information transmitted from the user terminal 100 to the server 300 (step S43). Next, the server 300 references the information it holds and identifies the user ID from the employee number (step S44). Then, if the user ID identified from the employee number has a flag assigned, the server 300 determines that the user 10 has been biometrically authenticated and is the user identified by the user ID (step S45).

In this way, the authentication system 1 according to the third embodiment performs authentication via wireless communication after authentication via biometric information, thereby eliminating the need for authentication via biometric information at, for example, an entrance/exit gate. In other words, because the user 10 has already been authenticated via biometric information, there is no need to perform authentication via biometric information at the entrance/exit gate; two-step authentication can be completed by performing authentication via wireless communication alone.

(3-2. Configuration of User Terminal According to Third Embodiment)
Next, a description will be given of the configuration of the user terminal 100 that executes the authentication process according to the third embodiment. Fig. 15 is a diagram showing an example of the configuration of the user terminal 100 according to the third embodiment.

The storage unit 120 is realized, for example, by a semiconductor memory element such as RAM (Random Access Memory) or flash memory, or a storage device such as a hard disk or optical disk. The storage unit 120 has a user information storage unit 121 and a biometric information storage unit 122.

The user information storage unit 121 also stores flag information. Here, the flag information includes the time the flag was assigned, the location information of the user terminal 100 at the time the flag was assigned, etc.

The biometric information storage unit 122 stores biometric information. For example, the biometric information storage unit 122 stores captured facial images. Furthermore, the facial image information stored in the biometric information storage unit 122 includes information on feature points and feature amounts extracted from the facial images. The biometric information stored in the biometric information storage unit 122 is not limited to facial images, and the biometric information storage unit 122 stores biometric information according to the biometric authentication method used in the authentication system 1.

As shown in FIG. 15, the control unit 130 has a wireless communication unit 131 and an acquisition unit 132.

The acquisition unit 132 acquires biometric information of the user 10 from the user 10. Note that the acquisition unit 132 can perform the same processing as the acquisition unit 232.

(3-3. Server Configuration According to the Third Embodiment)
Next, a description will be given of the configuration of the server 300 that executes the authentication process according to the third embodiment. Fig. 16 is a diagram showing an example of the configuration of the server 300 according to the third embodiment.

The user information storage unit 321 also stores flag information. Here, the flag information includes the time the flag was assigned, the location information of the user terminal 100 at the time the flag was assigned, etc.

As shown in FIG. 16, the control unit 330 has a first authentication unit 331, a transmission unit 332, a second authentication unit 333, a flag assignment unit 334, a flag determination unit 335, a determination unit 336, and an execution control unit 337.

The second authentication unit 333 authenticates the user 10 when the approach between the authentication terminal 200 and the user terminal 100 is detected after the first authentication unit 331 has identified the identification information corresponding to the user 10. For example, the second authentication unit 333 authenticates the user 10 when the distance between the authentication terminal 200 and the user terminal 100 is less than a predetermined distance after the first authentication unit 331 has identified the user ID of the user 10. The distance between the authentication terminal 200 and the user terminal 100 is measured by the functions of the wireless communication unit 131 and the wireless communication unit 231. The predetermined distance can be freely changed depending on the purpose. For example, the predetermined distance can be reduced if there is a congestion of users 10 waiting to be authenticated using biometric information.

When the first authentication unit 331 has completed identifying the identification information corresponding to user 10, the flag assignment unit 334 assigns flag information indicating that authentication has been completed by the first authentication unit 331 to the identification information. For example, when the first authentication unit 331 has completed identifying the user ID of user 10, the flag assignment unit 334 assigns flag information indicating that authentication has been completed by the first authentication unit 331 to the user ID. Note that while a user ID is shown as an example of identification information, there is no particular limitation as long as it is information that can uniquely identify user 10.

The flag determination unit 335 determines whether flag information has been assigned to the identification information by the flag assignment unit 334. For example, the flag determination unit 335 determines whether flag information has been assigned to the user ID by the flag assignment unit 334.

Furthermore, the flag determination unit 335 determines that flag information has not been assigned if predetermined conditions are not met. For example, if a predetermined period of time has passed since the flag assignment unit 334 assigned flag information, it determines that flag information has not been assigned. For example, if the location of the user terminal 100 when the flag assignment unit 334 assigned flag information is more than a predetermined distance away from the location of the authentication terminal 200, it determines that flag information has not been assigned. Note that the predetermined period of time and the predetermined distance can be freely changed depending on the purpose.

In this way, even when flag information is assigned, by imposing restrictions based on time and location information, convenience for the user 10 can be improved while reducing the risk that the user terminal 100 will be seized by a third party and used for impersonation between the completion of authentication using biometric information and the start of authentication via wireless communication.

If the flag determination unit 335 determines that flag information has been assigned, the execution control unit 337 executes processing for the user 10 in accordance with the second authentication result. For example, if the flag determination unit 335 determines that flag information has been assigned, the execution control unit 337 executes processing for the user 10 by transmitting the user ID, which is the second authentication result, to the execution control device 500.

(3-4. Procedure of authentication process according to the third embodiment)
The flow of authentication processing according to the third embodiment will be described with reference to Fig. 17. Fig. 17 is a sequence diagram showing an example of the procedure of authentication processing according to the third embodiment. Note that the following steps may be executed in a different order, and some processing may be omitted.

First, the user 10 photographs their face in front of the camera of the user terminal 100 (step S301). Next, the user terminal 100 captures a facial image of the user 10 (step S302). Next, the user terminal 100 transmits the facial image of the user 10 to the server 300 (step S303). Next, the server 300 identifies the user ID from the facial image of the user 10 (step S304). Next, the server 300 assigns flag information to the identified user ID indicating that the user has been authenticated by the first authentication means (step S305).

The authentication terminal 200 then waits on a wireless communication detection screen (step S306). The user 10 carrying the user terminal 100 then approaches the authentication terminal 200 (step S307). The user terminal 100 then transmits the employee number to the authentication terminal 200 (step S308). The authentication terminal 200 then transmits the employee number to the server 300 (step S309). The server 300 then identifies the user ID from the employee number (step S310).

Next, the server 300 determines whether flag information has been assigned to the identified user ID (step S311). At this time, even if flag information has been assigned to the user ID, the server 300 may determine that flag information has not been assigned if certain conditions are not met. Here, if the server 300 determines that flag information has been assigned (step S311; Yes), the server 300 transmits ID data of the authenticated user 10 to the execution control device 500 (step S312). Next, the execution control device 500 controls the execution device 600 to execute processing for the user 10 identified by the ID data (step S313). For example, the execution control device 500 checks the authority information of the transmitted user ID, and if the user has the necessary authority for the processing, controls the execution device 600 to execute processing for the user 10. The execution device 600 then executes the processing for the user 10 and terminates the processing (step S314).

On the other hand, if it is determined that flag information has not been assigned by the server 300 (step S311; No), the authentication terminal 200 performs the process of step S106 shown in FIG. 7. In other words, since authentication has not been performed using the first authentication means, authentication is performed again using the first authentication means.

(3-5. Effects of the authentication system according to the third embodiment)
As described above, in the authentication system according to the present disclosure, the second authentication unit (the second authentication unit 333 in the third embodiment) authenticates the user 10 after the identification information corresponding to the user 10 has been identified by the first authentication unit (the first authentication unit 233 in the third embodiment) and when proximity between the authentication terminal 200 and the user terminal 100 is detected.

In this way, the authentication system 1 according to the third embodiment performs authentication via wireless communication after authentication via biometric information, thereby eliminating the need for authentication via biometric information at, for example, an entrance/exit gate. In other words, because the user 10 has already performed authentication via biometric information, there is no need to perform authentication via biometric information at the entrance/exit gate; two-step authentication can be completed by performing authentication via wireless communication alone. In this way, the authentication system 1 according to the third embodiment can improve processing speed while reducing the burden on the user 10 during two-step authentication.

The authentication system according to the present disclosure further includes a flag assignment unit (flag assignment unit 334 in the third embodiment) and a flag determination unit (flag determination unit 335 in the third embodiment). The flag assignment unit assigns flag information indicating that authentication by the first authentication unit has been completed to the identification information. The flag determination unit determines whether flag information has been assigned to the identification information by the flag assignment unit. In the authentication system 1 according to the present disclosure, the execution control unit (execution control unit 337 in the third embodiment) executes processing for the user in accordance with the second authentication result when the flag determination unit determines that flag information has been assigned.

In this way, the authentication system 1 according to the third embodiment performs authentication using flag information indicating that authentication using biometric information has been completed, thereby linking each separate authentication operation and improving user convenience and the efficiency of the authentication process.

(4. Fourth embodiment)
(4-1. Overview of authentication process according to the fourth embodiment)
In the third embodiment, an example has been described in which authentication by the first authentication means is performed by the server 300, but authentication by the first authentication means may also be performed by the user terminal 100. This point will be described as the fourth embodiment. Note that the contents described in the first, second, and third embodiments will be omitted as appropriate.

The authentication process according to the fourth embodiment will be described with reference to Figures 18 and 19. Figure 18 is a diagram illustrating an example of the authentication process according to the fourth embodiment. Figure 18 schematically illustrates the flow of the authentication process by the first authentication means and the process of assigning a flag in the user terminal 100. First, the user terminal 100 acquires biometric information, for example, a facial image of the user 10 (step S51). Next, the user terminal 100 uses the built-in facial recognition engine 400A to identify the user ID of the user 10 from the captured facial image (step S52). For example, the user terminal 100 calculates the similarity between the feature points of the correct data related to the facial recognition process of the owner of the user terminal 100 stored in the biometric information storage unit 122 and the feature points of the captured facial image. If the similarity is equal to or greater than a predetermined threshold, the user ID is identified as corresponding to the correct data for facial recognition. The user terminal 100 then assigns a flag to information used to identify the user 10, such as an employee number, indicating that the user has been authenticated by the first authentication means (step S53).

Next, authentication by the second authentication means will be described using Figure 19. Figure 19 is a diagram for explaining an example of authentication processing according to the fourth embodiment. Figure 19 schematically shows the flow of authentication of user 10 by the second authentication means.

As shown in FIG. 19, first, the user 10 carrying the user terminal 100 approaches the authentication terminal 200 (step S54). Next, the user terminal 100 transmits information for identifying the user 10, such as employee information, to the authentication terminal 200 (step S55). At this time, because flag information was added in step S53 of FIG. 18, the employee information with the flag information added is transmitted. Next, the authentication terminal 200 transmits the employee information transmitted from the user terminal 100 to the server 300 (step S56). Next, the server 300 references the information it holds and identifies the user ID from the employee number (step S57). Then, if the employee information transmitted from the authentication terminal 200 is flagged, the server 300 determines that the user 10 has been biometrically authenticated and is the user identified by the user ID (step S58).

(4-2. Configuration of User Terminal According to Fourth Embodiment)
Next, a description will be given of the configuration of the user terminal 100 that executes the authentication process according to the fourth embodiment. Fig. 20 is a diagram showing an example of the configuration of the user terminal 100 according to the fourth embodiment.

The biometric information storage unit 122 stores biometric information. For example, the biometric information storage unit 122 stores captured facial images and pre-registered correct answer data for facial authentication processing. For example, the biometric information storage unit 122 stores correct answer data for facial authentication processing of the user 10 who is the owner of the user terminal 100. Furthermore, the facial image information stored in the biometric information storage unit 122 includes information on feature points and feature amounts extracted from the facial image. The biometric information stored in the biometric information storage unit 122 is not limited to facial images, and the biometric information storage unit 122 stores biometric information according to the biometric authentication method used in the authentication system 1.

As shown in FIG. 20, the control unit 130 has a wireless communication unit 131, an acquisition unit 132, a first authentication unit 133, and a flag assignment unit 134.

The acquisition unit 132 acquires biometric information of the user 10 from the user 10. For example, the acquisition unit 132 acquires a facial image of the user 10 using a camera provided in the user terminal 100. The acquisition unit 132 can perform the same processing as the acquisition unit 232.

The first authentication unit 133 authenticates the user 10 using a first authentication means that authenticates the user using biometric information. The first authentication unit 133 can perform the same processing as the first authentication unit 331.

When the first authentication unit 133 has completed identifying the identification information corresponding to the user 10, the flag assignment unit 134 assigns flag information indicating that the user 10 has been authenticated by the first authentication unit 133 to the information for identifying the user 10. For example, when the first authentication unit 133 has completed identifying the user ID corresponding to the user 10, the flag assignment unit 134 assigns flag information indicating that the user has been authenticated by the first authentication unit 133 to the employee information stored in the user terminal 100.

(4-3. Server configuration according to the fourth embodiment)
Next, the configuration of the server 300 that executes the authentication process according to the fourth embodiment will be described.

The flag determination unit 335 determines whether flag information has been assigned by the flag assignment unit 134 to information for identifying the user 10. For example, the flag determination unit 335 determines whether flag information has been assigned by the flag assignment unit 134 to an employee number.

(4-4. Procedure of authentication process according to the fourth embodiment)
The flow of authentication processing according to the fourth embodiment will be described with reference to Fig. 21. Fig. 21 is a sequence diagram showing an example of the procedure of authentication processing according to the fourth embodiment. Note that the following steps may be executed in a different order, and some processing may be omitted.

First, the user 10 photographs their face in front of the camera of the user terminal 100 (step S401). Next, the user terminal 100 captures a facial image of the user 10 (step S402). Next, the user terminal 100 identifies the user ID from the facial image of the user 10 (step S403). For example, the user terminal 100 uses the built-in facial recognition engine 400A to match feature points of the correct answer data for facial recognition of the owner of the user terminal 100 with feature points of the captured facial image to identify the user ID. Next, the user terminal 100 assigns flag information indicating that the employee number from which the user ID was identified has been authenticated by the first authentication means (step S404).

The authentication terminal 200 then waits on a wireless communication detection screen (step S405). The user 10 carrying the user terminal 100 then approaches the authentication terminal 200 (step S406). The user terminal 100 then transmits the employee number to the authentication terminal 200 (step S407). The authentication terminal 200 then transmits the employee number to the server 300 (step S408). The server 300 then identifies the user ID from the employee number (step S409).

Next, the server 300 determines whether flag information has been assigned to the transmitted employee number (step S410). At this time, even if flag information has been assigned to the employee number, the server 300 may determine that flag information has not been assigned if certain conditions are not met. If the server 300 determines that flag information has been assigned (step S410; Yes), the server 300 transmits the ID data of the authenticated user 10 to the execution control device 500 (step S411). The execution control device 500 then controls the execution device 600 to execute processing for the user 10 identified by the ID data (step S412). For example, the execution control device 500 checks the authority information for the transmitted user ID, and if the user has the necessary authority for the processing, controls the execution device 600 to execute processing for the user 10. The execution device 600 then executes the processing for the user 10 and terminates the processing (step S413).

On the other hand, if it is determined that flag information has not been assigned by the server 300 (step S410; No), the authentication terminal 200 performs the process of step S106 shown in FIG. 7. In other words, since authentication has not been performed using the first authentication means, authentication is performed again using the first authentication means.

(4-5. Effects of the authentication system according to the fourth embodiment)
As described above, in the authentication system according to the present disclosure, the user terminal (user terminal 100 in the fourth embodiment) has a first authentication unit (first authentication unit 133 in the fourth embodiment). The first authentication unit authenticates the user 10 by first authentication means that authenticates the user using biometric information.

In this way, in the authentication system 1 according to the fourth embodiment, biometric authentication is performed by the user terminal 100 that acquires the biometric information of the user 10, so there is less risk of the biometric information being leaked, and biometric authentication can be performed more safely.

The authentication system according to the present disclosure further includes a flag assignment unit (flag assignment unit 134 in the fourth embodiment) and a flag determination unit (flag determination unit 335 in the fourth embodiment). The flag assignment unit assigns flag information indicating that authentication has been completed by the first authentication unit to information for identifying a user. The flag determination unit determines whether flag information has been assigned to the identification information by the flag assignment unit. In addition, in the authentication system 1 according to the present disclosure, the execution control unit (execution control unit 337 in the third embodiment) executes processing for the user in accordance with the second authentication result when the flag determination unit determines that flag information has been assigned.

In this way, the authentication system 1 according to the fourth embodiment performs authentication using flag information indicating that authentication using biometric information has been completed, thereby linking each separate authentication operation and improving user convenience and the efficiency of the authentication process.

(5. Modifications)
(5-1. Equipment configuration)
The user terminal 100, the authentication terminal 200, and the server 300 may perform authentication using an external authentication engine, or may perform authentication using a trained authentication model provided in each device. That is, the user terminal 100, the authentication terminal 200, and the server 300 may not only receive an authentication engine from a business operator, but may also execute the processing according to the embodiment in an on-premise environment where the authentication engine functions by itself.

6. Other Embodiments
The processing according to the above-described embodiment may be implemented in various different forms other than the above embodiment.

For example, among the processes described in the above embodiments, all or part of the processes described as being performed automatically can be performed manually, or all or part of the processes described as being performed manually can be performed automatically using known methods. In addition, the information including the processing procedures, specific names, various data, and parameters shown in the above documents and drawings can be changed as desired unless otherwise specified. For example, the various information shown in each drawing is not limited to the information shown.

Furthermore, the components of each device shown in the figure are functional concepts and do not necessarily have to be physically configured as shown. In other words, the specific form of distribution and integration of each device is not limited to that shown, and all or part of them can be functionally or physically distributed and integrated in any unit depending on various loads, usage conditions, etc.

Furthermore, the above-described embodiments and variations can be combined as appropriate to the extent that the processing content is not contradictory.

Furthermore, the effects described in this specification are merely examples and are not limiting, and other effects may also be present.

(7. Hardware Configuration)
Information devices such as the user terminal 100, authentication terminal 200, and server 300 according to the above-described embodiments are realized by a computer 1000 having a configuration such as that shown in FIG. 22 . The user terminal 100, authentication terminal 200, and server 300 according to the embodiments will be described below as examples. FIG. 22 is a hardware configuration diagram showing an example of a computer 1000 that realizes the functions of the user terminal 100, authentication terminal 200, server 300, etc. The computer 1000 has a CPU 1100, RAM 1200, ROM (Read Only Memory) 1300, HDD (Hard Disk Drive) 1400, communication interface 1500, and input/output interface 1600. The components of the computer 1000 are connected by a bus 1050.

The CPU 1100 operates based on programs stored in the ROM 1300 or HDD 1400 and controls each component. For example, the CPU 1100 loads programs stored in the ROM 1300 or HDD 1400 into the RAM 1200 and executes processing corresponding to the various programs.

ROM 1300 stores boot programs such as the BIOS (Basic Input Output System) executed by the CPU 1100 when the computer 1000 starts up, as well as programs that depend on the computer 1000's hardware.

HDD 1400 is a computer-readable recording medium that non-temporarily records programs executed by CPU 1100 and data used by such programs. Specifically, HDD 1400 is a recording medium that records a program that executes the authentication process related to the present disclosure, which is an example of program data 1450.

The communication interface 1500 is an interface that allows the computer 1000 to connect to an external network 1550 (e.g., the Internet). For example, the CPU 1100 receives data from other devices and transmits data generated by the CPU 1100 to other devices via the communication interface 1500.

The input/output interface 1600 is an interface for connecting the input/output device 1650 and the computer 1000. For example, the CPU 1100 receives data from input devices such as a keyboard or mouse via the input/output interface 1600. The CPU 1100 also transmits data to output devices such as a display, speaker, or printer via the input/output interface 1600. The input/output interface 1600 may also function as a media interface that reads programs and the like recorded on a specified recording medium. Examples of media include optical recording media such as DVDs (Digital Versatile Discs) and PDs (Phase Change Rewritable Disks), magneto-optical recording media such as MOs (Magneto-Optical Disks), tape media, magnetic recording media, and semiconductor memories.

For example, when computer 1000 functions as authentication terminal 200 according to an embodiment, CPU 1100 of computer 1000 executes an authentication program loaded onto RAM 1200 to realize the functions of control unit 130, etc. Furthermore, HDD 1400 stores a program that executes the authentication process according to the present disclosure and data in memory unit 120. Note that CPU 1100 reads and executes program data 1450 from HDD 1400, but as another example, these programs may be obtained from another device via external network 1550.

The above describes in detail the embodiments of the present application based on the drawings, but these are merely examples, and the present invention can be implemented in other forms that incorporate various modifications and improvements based on the knowledge of those skilled in the art, including the aspects described in the Disclosure of the Invention section.

1 Authentication system 10 User 100 User terminal 110 Communication unit 120 Memory unit 121 User information memory unit 122 Biometric information memory unit 130 Control unit 131 Wireless communication unit 132 Acquisition unit 133 First authentication unit 134 Flag assignment unit 200 Authentication terminal 210 Communication unit 220 Memory unit 221 Biometric information memory unit 230 Control unit 231 Wireless communication unit 232 Acquisition unit 233 First authentication unit 234 Determination unit 300 Server 310 Communication unit 320 Memory unit 321 User information memory unit 322 Biometric information memory unit 330 Control unit 331 First authentication unit 332 Transmission unit 333 Second authentication unit 334 Flag assignment unit 335 Flag determination unit 336 Determination unit 337 Execution control unit 400 Authentication engine 500 Execution control device 600 Execution device

Claims (9)

An authentication system having a user terminal, an authentication terminal, and a server,
Any one of the user terminal, the authentication terminal, and the server
a first authentication unit that authenticates a user by first authentication means that authenticates a user by biometric information;
The server
a second authentication unit that authenticates a user by a second authentication means that authenticates a user through wireless communication between the user terminal and the authentication terminal;
a determination unit that determines whether the authentication of the user by the first authentication unit and the second authentication unit has been successful;
an execution control unit that, when the determination unit determines that the authentication of the user has been successful, executes a process for the user in accordance with a first authentication result by the first authentication unit or a second authentication result by the second authentication unit;
An authentication system comprising: The authentication terminal
an acquisition unit that acquires biometric information of the user from the user;
2. The authentication system according to claim 1, wherein the first authentication unit authenticates the user using the biometric information acquired by the acquisition unit after the second authentication unit identifies identification information corresponding to the user. The server
a transmitting unit that transmits information used for biometric authentication of the user identified by the second authentication unit to the authentication terminal;
The authentication system according to claim 2, characterized in that the first authentication unit provided in the authentication terminal authenticates the user by comparing the information used for biometric authentication of the user transmitted from the transmission unit with the biometric information acquired by the acquisition unit. The second authentication unit
The authentication system according to claim 1, characterized in that after the first authentication unit identifies identification information corresponding to the user, the user is authenticated when proximity between the authentication terminal and the user terminal is detected. The server
a flag assigning unit that assigns flag information indicating that the user has been authenticated by the first authentication unit to the identification information when the first authentication unit has completed specifying the identification information corresponding to the user;
a flag determination unit that determines whether or not the flag information has been added to the identification information by the flag addition unit,
The authentication system according to claim 4, wherein the execution control unit executes processing for the user in accordance with the second authentication result when the flag determination unit determines that the flag information has been assigned. The authentication system according to claim 4 , wherein the first authentication unit is provided in the user terminal. The user terminal
a flag assigning unit that assigns flag information indicating that authentication by the first authentication unit has been completed to information for identifying the user when the first authentication unit has completed specifying the identification information corresponding to the user,
The server
a flag determination unit that determines whether or not the flag information is assigned to the information for identifying the user by the flag assignment unit,
The authentication system according to claim 6, wherein the execution control unit executes processing for the user in accordance with the second authentication result when the flag determination unit determines that the flag information has been assigned. An authentication method executed by an authentication system having a user terminal, an authentication terminal, and a server, comprising:
An authentication system having a user terminal, an authentication terminal, and a server,
any one of the user terminal, the authentication terminal, and the server authenticates the user by first authentication means that authenticates the user by biometric information;
the server authenticates the user by a second authentication means that authenticates the user through wireless communication between the user terminal and the authentication terminal;
the server determines whether the authentication of the user by the first authentication means and the second authentication means has been successful;
When the server determines that the authentication of the user is successful, the server executes a process for the user according to a first authentication result by the first authentication means or a second authentication result by the second authentication means.
An authentication method comprising: Computer,
a first authentication unit that authenticates a user by first authentication means that authenticates a user using biometric information;
a second authentication unit that authenticates a user by a second authentication means that authenticates a user through wireless communication between the user terminal and the authentication terminal;
a determination unit that determines whether the authentication of the user by the first authentication unit and the second authentication unit has been successful;
an execution control unit that, when the determination unit determines that the authentication of the user has been successful, executes a process for the user in accordance with a first authentication result by the first authentication unit or a second authentication result by the second authentication unit;
An authentication program characterized by causing the program to function as an authentication system comprising: