JP7555656B1 - Authentication device, authentication method, and program - Google Patents

Abstract

An authentication device capable of improving the accuracy of authentication is provided.
[Solution] The authentication device 1 includes a receiving unit 11 that receives an authentication request from the authenticated device 2, the authentication request including a user identifier that identifies the user carrying the authenticated device 2 and authentication information used to authenticate the authenticated device 2; a device authentication unit 12 that performs device authentication to determine whether the authenticated device 2 is legitimate using the authentication information included in the received authentication request; a biometric information acquisition unit 14 that acquires biometric information of the user carrying the authenticated device 2; a biometric authentication unit 16 that performs biometric authentication to determine whether the user is legitimate using registered biometric information associated with the user identifier included in the authentication request received by the receiving unit 11 and the biometric information acquired by the biometric information acquisition unit 14; and an output unit 17 that outputs the result of the device authentication and the result of the biometric authentication.
[Selected Figure] Figure 1

Description

The present invention relates to an authentication device that performs biometric authentication.

Conventionally, biometric authentication such as facial recognition has been used (for example, see Patent Document 1). When using a PIN or password for authentication, there is a possibility that authentication cannot be performed due to forgetting or losing the PIN or password, but biometric authentication has the advantage that such problems do not occur.

JP 2022-180831 A

However, when authenticating an individual using only biometric authentication, it is necessary to minimize erroneous judgments. For example, when authenticating an individual using only biometric authentication, it is necessary to reduce the False Rejection Rate (FRR), which is the rate at which a person is erroneously judged to be a false identity, and the False Acceptance Rate (FAR), which is the rate at which a person who is not the person is erroneously judged to be the individual.

To improve the accuracy of such biometric authentication, that is, to reduce the false rejection rate and false acceptance rate, it is necessary to use more detailed biometric information of an individual. Because such detailed biometric information can easily identify an individual, the handling of the information must be very sensitive from the perspective of the risk of information leakage. For this reason, it becomes difficult to store an individual's biometric information used for biometric authentication in, for example, a local system that performs biometric authentication. On the other hand, it is possible to manage a huge amount of biometric information on a secure server and access the server via a network, but such management of biometric information is not suitable for real-time biometric authentication.

The present invention was made in response to the above circumstances, and aims to provide an authentication device etc. that can achieve more accurate individual authentication even if the accuracy of biometric authentication is not necessarily high.

In order to achieve the above object, an authentication device according to one aspect of the present invention includes a receiving unit that receives an authentication request transmitted from an authenticated device, the authentication request including a user identifier that identifies a user carrying the authenticated device and authentication information used to authenticate the authenticated device; a device authentication unit that performs device authentication to determine whether the authenticated device that transmitted the authentication request is legitimate using the authentication information included in the authentication request received by the receiving unit; a biometric information acquisition unit that acquires biometric information of a user carrying the authenticated device; a storage unit that stores multiple pieces of correspondence information that associate a user identifier that identifies a user with registered biometric information that is the biometric information of the user; a biometric authentication unit that performs biometric authentication to determine whether the user whose biometric information is acquired is legitimate using the registered biometric information that is associated by the correspondence information with the user identifier included in the authentication request received by the receiving unit and the biometric information acquired by the biometric information acquisition unit; and an output unit that outputs the result of device authentication by the device authentication unit and the result of biometric authentication by the biometric authentication unit.

With this configuration, by performing device authentication and biometric authentication, it is possible to improve the accuracy of personal authentication that authenticates a person's identity. Therefore, even if the accuracy of biometric authentication is not necessarily high, it is possible to perform appropriate personal authentication.

In addition, in an authentication device according to one aspect of the present invention, the receiving unit includes a first receiver set including one or more first receivers, and a second receiver set including one or more second receivers arranged at a different location from the first receiver set, and further includes an identifying unit that identifies the location of the device to be authenticated based on the strength difference between the authentication requests received by the first and second receiver sets, respectively, and the biometric information acquiring unit may acquire biometric information of a user carrying the device to be authenticated that is located at the location identified by the identifying unit.

With this configuration, the biometric information acquisition unit can acquire the biometric information of the target user using the results of identifying the location of the device to be authenticated, thereby improving the accuracy of biometric authentication.

In addition, in an authentication device according to one aspect of the present invention, the biometric authentication may be facial authentication.

This configuration makes it possible to achieve hands-free authentication, for example.

In addition, in an authentication device according to one aspect of the present invention, the biometric authentication may be at least one of biometric authentication using height, biometric authentication using stride length, and iris authentication.

With this configuration, personal authentication can be performed appropriately even if the accuracy of the biometric authentication is not necessarily high, such as biometric authentication using height or stride length.

In addition, in an authentication device according to one aspect of the present invention, the accuracy of the biometric authentication performed by the biometric authentication unit may be lower than the accuracy when authenticating an individual using only biometric information.

With this configuration, for example, it becomes possible to store registered biometric information in a local storage unit.

In addition, in an authentication device according to one aspect of the present invention, the receiving unit may receive an authentication request that is a radio wave.

This configuration makes it possible to authenticate the device even if the device to be authenticated is placed in the user's bag, for example.

Also, an authentication method according to one aspect of the present invention is an authentication method processed using a receiving unit, a device authentication unit, a biometric information acquisition unit, a storage unit in which a plurality of correspondence information that associates a user identifier that identifies a user with registered biometric information that is the biometric information of the user is stored, a biometric authentication unit, and an output unit, and includes the steps of: the receiving unit receiving an authentication request transmitted from an authenticated device, the authentication request including a user identifier that identifies a user carrying the authenticated device and authentication information used to authenticate the authenticated device; the device authentication unit performing device authentication to determine whether the authenticated device that transmitted the authentication request is legitimate using the authentication information included in the received authentication request; the biometric information acquisition unit acquiring biometric information of the user carrying the authenticated device; the biometric authentication unit performing biometric authentication to determine whether the user whose biometric information is acquired is legitimate using the registered biometric information that is associated by the correspondence information with the user identifier included in the authentication request received in the authentication request receiving step and the biometric information acquired in the biometric information acquisition step; and the output unit outputting the result of the device authentication in the device authentication step and the result of the biometric authentication in the biometric authentication step.

According to an authentication device according to one aspect of the present invention, the accuracy of authentication as a whole can be improved by performing device authentication for the device to be authenticated and biometric authentication of the user carrying the device to be authenticated.

FIG. 1 is a block diagram showing a configuration of an authentication device according to an embodiment of the present invention; FIG. 2 is a diagram for explaining how to specify the position of an authenticated device in the embodiment; FIG. 2 is a diagram for explaining acquisition of biological information in the embodiment. FIG. 13 is a diagram showing an example of correspondence information according to the embodiment; A flowchart showing the operation of the authentication device according to the embodiment. FIG. 2 shows an example of the configuration of a computer system according to the embodiment.

The authentication device and authentication method according to the present invention will be described below using an embodiment. Note that in the following embodiments, components and steps with the same reference numerals are the same or equivalent, and repeated explanations may be omitted. The authentication device according to this embodiment performs device authentication of the device to be authenticated and biometric authentication of the user carrying the device to be authenticated.

Figure 1 is a block diagram showing the configuration of an authentication device 1 according to this embodiment. The authentication device 1 according to this embodiment includes a receiving unit 11, a device authentication unit 12, an identifying unit 13, a biometric information acquisition unit 14, a storage unit 15, a biometric authentication unit 16, and an output unit 17. The authentication device 1 according to this embodiment authenticates the authenticated device 2 carried by the user 5, and when the authenticated device 2 is determined to be valid in the authentication, performs biometric authentication of the user 5 carrying the authenticated device 2 that is valid. Note that while FIG. 1 shows a situation in which the user 5 holds the authenticated device 2 in his/her hand, the fact that the user 5 is carrying the authenticated device 2 refers to, for example, a state in which the authenticated device 2 also moves in accordance with the movement of the user 5, and the user 5 does not necessarily have to hold the authenticated device 2 in his/her hand. Also, FIG. 1 shows a case in which the authentication device 1 receives an authentication request from one authenticated device 2, but the authentication device 1 may receive authentication requests from, for example, multiple authenticated devices 2, respectively.

The authentication device 1 may be, for example, an automatic ticket barrier, a gate for entering a venue such as an event, a vending machine, a control device that locks and unlocks the doors of a hotel or a rental conference room, a device that performs authentication in a cash register, etc., or may be a mobile information terminal with a communication function such as a smartphone. The device to be authenticated 2 may be, for example, a mobile information terminal with a communication function such as a smartphone, a tablet terminal, a PDA (Personal Digital Assistant), a notebook computer, a transceiver, etc., or may be other devices.

The receiving unit 11 receives an authentication request transmitted from the authenticated device 2, the authentication request including a user identifier for identifying the user carrying the authenticated device 2 and authentication information used to authenticate the authenticated device 2. The authenticated device 2 may transmit an authentication request that is, for example, radio waves, or may transmit an authentication request that is, for example, sound waves. That is, the receiving unit 11 may receive an authentication request that is, for example, radio waves, or may receive an authentication request that is, for example, sound waves. In this embodiment, a case where an authentication request that is, for example, radio waves is transmitted and received will be mainly described. Note that, when an authentication request that is, for example, sound waves, is transmitted and received, it is preferable that there is no obstacle in the space from the authenticated device 2 to the authentication device 1. On the other hand, when an authentication request that is, for example, radio waves, is transmitted and received, the authenticated device 2 may be line of sight from the authentication device 1 to the authentication device 1, or may not be line of sight. In the latter case, the user 5 may carry the authenticated device 2 in, for example, a pocket of clothing or a bag.

The authentication request, which is a radio wave, may be, for example, a pulse wave that is transmitted intermittently, or a continuous wave that is transmitted continuously. In addition, any wireless communication standard may be used to transmit and receive the authentication request. For example, the authentication request may be communicated by Bluetooth Low Energy (BLE), Bluetooth Basic Rate (BR)/Enhanced Data Rate (EDR), wireless LAN (IEEE802.11), IEEE802.15.4 such as ZigBee (registered trademark), or other wireless communication standard. It is preferable that the authentication request be transmitted and received by short-range wireless communication such as BLE, Bluetooth BR/EDR, or wireless LAN.

The frequency of the radio wave of the authentication request is not particularly limited, but may be, for example, a frequency in the range of 300 MHz to 300 GHz. The device to be authenticated 2 may transmit the authentication request by broadcast, or may communicate by unicast. Since the authentication request can be transmitted without specifying the communication partner, it is preferable to transmit the authentication request by broadcast. In this embodiment, the device to be authenticated 2 mainly transmits the authentication request by broadcast. It is preferable that the device to be authenticated 2 transmits the authentication request without receiving a transmission instruction from the user 5. The device to be authenticated 2 may transmit the authentication request in response to receiving, for example, a predetermined beacon. This beacon may be transmitted, for example, in an area where authentication using the authentication request is performed. As an example, the authentication device 1 may transmit a beacon. In this case, the authentication device 1 may further include a transmission unit that transmits the beacon.

The user identifier may be, for example, a sequence of letters, numbers, and/or symbols unique to the user, or a device identifier that identifies the device to be authenticated 2 may be used as the user identifier. The device identifier may be, for example, an address such as a physical address of the device to be authenticated 2, a telephone number, or a sequence of letters, numbers, and/or symbols unique to the device. The user identifier may be, for example, encrypted and included in the authentication request, or may be included in the authentication request in plain text.

The authentication information may include any information that can be used to authenticate the authenticated device 2. As an example, the authentication information may include cryptographic information obtained by encrypting unique information, which is unique information. The unique information may include, for example, a time, a random number, a count value, a one-time password, etc. The unique information may be information specific to the authentication request. That is, the unique information corresponding to the cryptographic information included in each authentication request may be different. The unique information may be, for example, information generated by the authenticated device 2, or information transmitted from the authentication device 1 to the authenticated device 2. In the latter case, challenge-response authentication may be performed by the authentication device 1. When the unique information is transmitted from the authentication device 1, the authentication device 1 may further include a transmitting unit that transmits the unique information. In this embodiment, the case where the unique information is generated by the authenticated device 2 will be mainly described. As with the cryptographic information described above, it is preferable that the authentication information includes different information for each authentication request. This is to prevent the authentication information from being reused by a malicious third party. As an example, the cryptographic information may be information obtained by encrypting a user identifier and unique information. In this case, the encryption information may be considered to be information that includes, for example, a user identifier and authentication information.

The encryption of the unique information may be, for example, encryption using a common key encryption or public key encryption. That is, the encryption key used to encrypt the unique information may be, for example, a common key or a public key corresponding to the authentication device 1. When the encryption key is a common key, it is preferable that the authentication device 1 and the device to be authenticated 2 have the same common key. It is also preferable that the common key is different for each device to be authenticated 2.

The receiving unit 11 may include a first receiver set 21 including one or more receivers 23 that receive an authentication request transmitted from the authenticated device 2, and a second receiver set 22 including one or more receivers 24 that receive the authentication request. In this embodiment, this case will be mainly described. When the receiving unit 11 includes the first receiver set 21 and the second receiver set 22, the authentication request may also be used to identify the location of the authenticated device 2. The first receiver set 21 may be disposed at a first position. Also, the second receiver set 22 may be disposed at a second position different from the first position. From the viewpoint of realizing a more accurate location identification of the authenticated device 2, it is preferable that the first receiver set 21 includes a plurality of first receivers 23, and the second receiver set 22 includes a plurality of second receivers 24. As shown in FIG. 1, for example, the first receiver set 21 may include four first receivers 23, and the second receiver set 22 may include four second receivers 24, but the number of receivers included in the first and second receiver sets 21 and 22 may be any number from one to three, or may be five or more. Each receiver 23 and 24 included in the first and second receiver sets 21 and 22 is capable of acquiring the strength of radio waves or sound waves of an authentication request.

When the first receiver set 21 includes a plurality of first receivers 23, the first position may be, for example, the position of the center of gravity of the plurality of first receivers 23. More specifically, the position of the center of gravity of each of the first receivers 23 may be identified, and the position of the center of gravity of the identified plurality of centers of gravity may be set as the first position. The plurality of first receivers 23 may be located, for example, close to each other, or may be located at distant positions. Note that even in the latter case, it is preferable that the plurality of first receivers 23 are included within a range within the distance from the first position to the second position. The same applies to the second position of the second receiver set 22.

The receiving unit 11 may include a wireless receiving device such as an antenna for receiving radio waves, may include a receiving device such as a microphone for receiving sound waves, or may not include a receiving device. The receiving unit 11 may be realized by hardware, or may be realized by software such as a driver that drives the receiving device.

The device authentication unit 12 performs device authentication using authentication information included in the authentication request received by the receiving unit 11 to determine whether the authenticated device 2 that sent the authentication request is legitimate. For example, if the authentication information includes cryptographic information in which unique information is encrypted, the authenticated device 2 that sent the authentication information may be determined to be legitimate when the unique information corresponding to the cryptographic information matches the unique information stored in the authentication device 1 that corresponds to the authenticated device 2 that sent the authentication information, and may be determined to be invalid when the unique information corresponding to the cryptographic information matches the unique information stored in the authentication device 1. Whether the unique information corresponding to the cryptographic information matches the unique information stored in the authentication device 1 may be determined, for example, by whether the unique information obtained by decrypting the cryptographic information matches the unique information stored in the authentication device 1, or by whether the cryptographic information matches the result of encrypting the unique information stored in the authentication device 1.

When the unique information is acquired in the authenticated device 2, the unique information stored in the authentication device 1 may be, for example, acquired in the same manner as the authenticated device 2. Also, when the authenticated device 2 receives unique information from the authentication device 1, the unique information stored in the authentication device 1 may be, for example, unique information transmitted by the authentication device 1 to the authenticated device 2.

When the cryptographic information included in the authentication information is encrypted with a common key, the device authentication unit 12 may, for example, read from the storage unit 15 the common key that is stored together with the authentication information in association with the user identifier included in the authentication information, and decrypt the cryptographic information using the read common key, or may encrypt the unique information stored in the authentication device 1 using the read common key. When the cryptographic information included in the authentication information is encrypted with a public key, the device authentication unit 12 may, for example, read from the storage unit 15 a private key and decrypt the cryptographic information using the read private key, or may read from the storage unit 15 a public key and encrypt the unique information stored in the authentication device 1 using the read public key.

The device authentication unit 12 may perform device authentication using one authentication request, or may perform device authentication using multiple authentication requests received within a predetermined period. For authentication using multiple authentication requests, see, for example, the following document:
Literature: International Publication No. WO2020/080301

The identification unit 13 identifies the location of the authenticated device 2 based on the strength difference of the authentication requests received by the first and second receiver sets 21 and 22, respectively. The strength difference of the authentication requests may be, for example, the difference in the received signal strength (RSSI: Received Signal Strength Indicator) of the authentication requests. In addition, when the first and second receiver sets 21 and 22 include two or more receivers, the strength difference may be, for example, the difference between representative values of multiple received signal strengths acquired by two or more receivers in the first and second receiver sets 21 and 22, respectively. The representative value may be, for example, an average value, a median value, or the like. In addition, when the first and second receiver sets 21 and 22 include two or more receivers, it is preferable that the two or more receivers have the same performance. For example, it is preferable that the antenna gains of the two or more receivers included in the first receiver set 21 or the second receiver set 22 are the same. In identifying the location of the wave source using the intensity difference of the received authentication request, for example, an Apollonius circle or line corresponding to the reception intensity difference may be identified using the reception intensity of the authentication request received by the first and second receiver sets 21 and 22 and the first and second positions of the first and second receiver sets 21 and 22, and a position on the Apollonius circle, line, or within the circle may be identified as the position of the authenticated device 2, or the position of the authenticated device 2 may be identified by other methods.

The position identified by the identification unit 13 may be, for example, a point-like position, or a line-like, planar, or three-dimensional position. In this embodiment, a case where a point-like position of the authenticated device 2 is identified by the identification unit 13 will be mainly described. The identified position may be, for example, a position on a two-dimensional plane or a position in three-dimensional space. In this embodiment, the former case will be mainly described. FIG. 2 is a plan view showing an area R1 in which the authenticated device 2 may exist. As an example, the area R1 may be an area in which a user 5 passing through a ticket gate may exist. The identification unit 13 may identify, for example, a position P1 of the authenticated device 2 in the area R1 based on the strength difference between the authentication requests received by the first and second receiver sets 21 and 22, respectively.

Since the method of determining the location of a wave source using the difference in the received intensity of radio waves or sound waves is already known, a detailed description thereof will be omitted. For information on such a method of determining the location of a wave source, see, for example, the following document:
Literature: International Publication No. 2020/080314

The biometric information acquisition unit 14 acquires biometric information of a user carrying the authenticated device 2. The biometric information acquisition unit 14 may acquire biometric information of a user carrying the authenticated device 2 located at a position identified by the identification unit 13, for example. The biometric authentication using the biometric information acquired by the biometric information acquisition unit 14 may be authentication using an individual's physical characteristics or may be authentication using an individual's behavioral characteristics. The biometric authentication is not particularly limited, and may be, for example, at least one of face authentication, biometric authentication using height, biometric authentication using stride length, biometric authentication using weight, skeletal authentication using skeleton, iris authentication, fingerprint authentication, and voice authentication. The biometric authentication is preferably authentication that acquires biometric information without contact, such as face authentication, but may also be authentication that acquires biometric information through contact, such as fingerprint authentication. In this embodiment, the case where the biometric authentication is face authentication will be mainly described.

It is preferable that the biometric information acquired by the biometric information acquisition unit 14 is information corresponding to the biometric authentication performed by the biometric authentication unit 16. For example, when face authentication is performed by the biometric authentication unit 16, it is preferable that the biometric information acquisition unit 14 acquires biometric information that is an image of a face, or biometric information that is information on features corresponding to an image of a face.

When the biometric information acquisition unit 14 acquires biometric information using a captured image acquired by the imaging unit 7, the biometric information may be, for example, a partial image of the captured image (e.g., an image of the face or an image of the iris), or may be information on features acquired from a partial image of the captured image (e.g., information on the features of the face or information on the features of the iris).

The biometric information acquisition unit 14 may acquire biometric information, for example, using a captured image captured by the image capture unit 7. The captured image may be an image of an area where the authenticated device 2, which is the source of the authentication request received by the receiving unit 11, may be present. FIG. 3 is a diagram showing an example of a captured image. The captured image in FIG. 3 may be an image captured in an area R1 near an automatic ticket gate. It is assumed that the users 5a to 5c carry the authenticated devices 2a to 2c, respectively, and that the authenticated devices 2a to 2c transmit authentication requests, respectively. If the position P1 of the authenticated device 2a in a two-dimensional plane is identified by the identification unit 13 using the authentication request transmitted from the authenticated device 2a, as shown in FIG. 2, the biometric information acquisition unit 14 identifies a circular area R2 of a predetermined radius centered on the identified position P1 in the captured image. The radius may be, for example, 30 centimeters, 50 centimeters, or 80 centimeters. The biometric information acquisition unit 14 may then identify an image PH1 of the face region of the user 5a where part of the body is within the identified region R2, and acquire biometric information, which is the facial features of the user 5a, from the identified image PH1. Note that in this embodiment, a case where the biometric information is the facial features will be described, but the biometric information may also be an image of the face. Similarly, for users 5b and 5c, the identification unit 13 may identify the positions of the authenticated devices 2b and 2c, and acquire the biometric information of users 5b and 5c based on the identified positions.

The biometric information acquisition unit 14 may acquire biometric information, which is the height of the user 5, for example, by using a captured image, a distance measurement sensor, or other sensing results. When measuring the height using a distance measurement sensor, for example, the height of the user 5 may be acquired by measuring the distance from the ceiling to the top of the head of the user 5 using one or more distance measurement sensors arranged on the ceiling, and subtracting the distance from the ceiling to the top of the head from the distance from the floor to the ceiling.

The biometric information acquisition unit 14 may acquire biometric information, which is the stride of the user 5, for example, by using a captured image, by using a pressure sensor placed on the floor surface, or by using other sensing results. When acquiring the stride using a captured image, the captured image may be a moving image. The biometric information acquisition unit 14 may then identify the stride by identifying the position where the foot touches the ground in the captured image. When acquiring the stride using a pressure sensor, the biometric information acquisition unit 14 may identify the position where the foot of the user 5 touches the ground according to the position of the pressure sensor where the pressure is high, and identify the stride of the user 5 using the position of the pressure sensor.

The biometric information acquisition unit 14 may also acquire biometric information, such as the weight of the user 5, using, for example, a weight sensor placed on the floor surface, or may acquire the information using other sensing results.

The biometric information acquisition unit 14 may also acquire biometric information indicative of the skeleton of the user 5, for example, by using a captured image. Methods for acquiring a person's skeleton using a captured image are already known, and detailed explanations thereof will be omitted. When the biometric information is information indicative of the skeleton of the user 5, the captured image may be a still image or a moving image. In the latter case, biometric information indicative of changes in the skeleton over time may be acquired by using the captured image, which is a moving image.

The biometric information acquisition unit 14 may also acquire biometric information, which is information on the iris of the user 5, by using, for example, a captured image. In this case, the image capture unit 7 is preferably positioned so that it can capture an image of the user 5 from the front, so as to be able to capture an image of the iris of the user 5. In other words, it is preferable that the captured image is acquired so that the optical axis direction of the image capture unit 7 is the line of sight of the user 5. Note that, when iris authentication is to be performed, the user 5 may be instructed to look in the direction of the image capture unit 7.

The biometric information acquisition unit 14 may also acquire biometric information, which is information about the fingerprint of the user 5, using, for example, a fingerprint sensor. In this case, an instruction may be given to the user 5 to read the fingerprint using the fingerprint sensor.

The biometric information acquisition unit 14 may also acquire biometric information, which is information about the voice of the user 5, using, for example, a microphone. In this case, an instruction may be given to the user 5 to speak. This voice may be, for example, a predetermined voice, or may be any voice.

The storage unit 15 stores multiple pieces of correspondence information. The correspondence information is information that associates a user identifier that identifies the user 5 with registered biometric information, which is the biometric information of the user 5. When the registered biometric information is information acquired using a captured image, like the biometric information acquired by the biometric information acquisition unit 14, the registered biometric information may be, for example, a partial image of the captured image (e.g., a face image or an iris image), or may be information on features acquired from a partial image of the captured image (e.g., information on face features or information on iris features). The registered biometric information stored in the storage unit 15 is preferably information corresponding to biometric authentication performed by the biometric authentication unit 16. For example, when face authentication is performed by the biometric authentication unit 16, it is preferable that the storage unit 15 stores registered biometric information that is a face image or registered biometric information that is information on features acquired from a face image.

Figure 4 is a diagram showing an example of multiple pieces of correspondence information stored in the storage unit 15. As shown in Figure 4, the correspondence information may be information including a user identifier and registered biometric information. In this case, the user identifier and registered biometric information included in one piece of correspondence information may be associated with each other. For example, the registered biometric information of a user identified by a user identifier "U001" (hereinafter, also referred to as "user U001") is "B001". When the biometric authentication is face authentication, this registered biometric information "B001" may be, for example, a face image or information on features acquired from a face image.

The process by which the corresponding information is stored in the storage unit 15 is not important. For example, the corresponding information may be stored in the storage unit 15 via a recording medium, or the corresponding information transmitted via a communication line or the like may be stored in the storage unit 15. Information other than the corresponding information may also be stored in the storage unit 15. For example, an encryption key, a decryption key, unique information, etc. used in device authentication may be stored in the storage unit 15. The storage unit 15 is preferably realized by a non-volatile recording medium, but may also be realized by a volatile recording medium. The recording medium may be, for example, a semiconductor memory or a magnetic disk.

The biometric authentication unit 16 performs biometric authentication to determine whether the user 5 from whom the biometric information was acquired is legitimate, using the registered biometric information associated by the correspondence information with the user identifier included in the authentication request received by the receiving unit 11 and the biometric information acquired by the biometric information acquisition unit 14. As described above, this biometric authentication may be, for example, at least one of face authentication, biometric authentication using height, biometric authentication using stride length, biometric authentication using weight, skeletal authentication using skeleton, iris authentication, fingerprint authentication, and voice authentication.

The order in which device authentication and biometric authentication are performed does not matter. For example, biometric authentication may be performed after device authentication, or biometric authentication may be performed after device authentication, or both may be performed in parallel. When biometric authentication is performed after device authentication, for example, biometric authentication may be performed only when the device authentication is determined to be valid. That is, when the device authentication is determined to be invalid, biometric authentication may not be performed. In this embodiment, this case will be mainly described. When biometric authentication is performed after the device authentication is determined to be valid, the biometric authentication unit 16 may perform biometric authentication using the biometric information of the user 5 carrying the authenticated device 2 located at the position specified using the authentication request acquired by the biometric information acquisition unit 14 when the device authentication using the authentication information included in the authentication request received by the receiving unit 11 is determined to be valid, and the registered biometric information associated with the user identifier included in the authentication request. That is, biometric authentication may be performed using registered biometric information associated by the correspondence information with a user identifier included in an authentication request transmitted from an authenticated device 2 determined to be valid in device authentication, and biometric information acquired by the biometric information acquisition unit 14. For example, when the biometric authentication is face authentication, the biometric authentication unit 16 compares facial feature information acquired by the biometric information acquisition unit 14 or facial feature information acquired from an image acquired by the biometric information acquisition unit 14 with facial feature information indicated by the registered biometric information or facial feature information acquired from an image that is the registered biometric information, and may determine that the user 5 from whom the biometric information is acquired is valid when the two match, and may determine that the user 5 is invalid when they do not. Note that the facial feature information matching may be, for example, a strict match, or a match with a predetermined error allowed. In the latter case, it may be determined that the two match when the similarity exceeds a threshold. Note that the method of biometric authentication is already known, and a detailed description thereof will be omitted.

Here, since the biometric authentication unit 16 performs biometric authentication of the user 5 carrying the authenticated device 2, the accuracy of the biometric authentication performed by the biometric authentication unit 16 does not need to be very high. This is because biometric authentication can be performed with a narrower target of authentication. For example, the accuracy of the biometric authentication performed by the biometric authentication unit 16 may be lower than the accuracy when authenticating an individual using only biometric information. Therefore, the registered biometric information stored in the storage unit 15 may be information that can perform biometric authentication with such accuracy. As a result, information that does not easily identify an individual can be used as the registered biometric information. For example, registered biometric information indicating height can be used. Therefore, it is possible to store the registered biometric information in the local authentication device 1, and biometric authentication can be preferably performed in real time. In addition, by performing biometric authentication with low accuracy, for example, it becomes possible to perform biometric authentication in a shorter time. For example, this is because it is necessary to compare a smaller number of features.

The output unit 17 outputs the result of device authentication by the device authentication unit 12 and the result of biometric authentication by the biometric authentication unit 16. It is preferable that this output allows the user to know whether the device authentication and the biometric authentication are both determined to be valid, or whether at least one of them is determined to be invalid. Therefore, as an example, the device authentication may output a message indicating that the authenticated device 2 is determined to be valid or invalid, and the biometric authentication may output a message indicating that the user 5 is determined to be valid or invalid. As an example, the output unit 17 may output an authentication result indicating whether the device authentication and the biometric authentication are both determined to be valid, or whether at least one of them is determined to be invalid. The output unit 17 may output the authentication result only when the device authentication and the biometric authentication are both determined to be valid. In other words, when the device authentication and the biometric authentication are both determined to be invalid, the authentication result may not be output. Furthermore, if biometric authentication is performed after device authentication has been determined to be valid, the fact that device authentication has been determined to be valid can be seen in response to the output of the biometric authentication result. Therefore, in this case, the output unit 17 may output only the biometric authentication result. The authentication result may be output, for example, together with a user identifier that identifies the user 5 who is the subject of authentication. This user identifier may be, for example, the user identifier included in the authentication request.

Here, this output may be, for example, a display on a display device (such as a liquid crystal display or an organic EL display), a transmission via a communication line to a specified device, printing by a printer, audio output by a speaker, storage on a recording medium, or delivery to another component. Note that output unit 17 may or may not include a device that performs the output (such as a display device or a communication device). Also, output unit 17 may be realized by hardware, or may be realized by software such as a driver that drives those devices.

Next, the operation of the authentication device 1 will be described with reference to the flowchart of FIG.
(Step S101) The receiving unit 11 judges whether or not an authentication request has been received. If an authentication request has been received, the process proceeds to step S102. If not, the process of step S101 is repeated until an authentication request is received.

(Step S102) The device authentication unit 12 performs device authentication using the received authentication request. Note that when performing device authentication using multiple authentication requests, for example, the authentication requests may be continuously received until a predetermined period has elapsed since the first authentication request was received, and device authentication may be performed using the multiple authentication requests received during that predetermined period.

(Step S103) If the authenticated device 2 that sent the authentication request is determined to be valid in the device authentication in step S102, proceed to step S104; if not, proceed to step S107.

(Step S104) The identification unit 13 identifies the location of the authenticated device 2 using the received authentication request. When multiple authentication requests are received, the location of the authenticated device 2 may be identified using the authentication request received closest to the time when the biometric information is acquired, for example, the last authentication request received.

(Step S105) The biometric information acquisition unit 14 acquires biometric information of the user 5 carrying the authenticated device 2 located at the position identified in step S104.

(Step S106) The biometric authentication unit 16 performs biometric authentication using the registered biometric information associated with the user identifier included in the received authentication device and the biometric information acquired in step S105.

(Step S107) The output unit 17 outputs the result of the biometric authentication in step S106. In the flowchart of FIG. 5, biometric authentication is performed only when the device authentication is determined to be valid, so that the result of the biometric authentication is output, which indirectly indicates that the device authentication is valid. Note that if the biometric authentication in step S106 is not performed, i.e., if the authenticated device 2 is determined to be invalid in the device authentication, the output unit 17 may output the result of the device authentication. Then, the process returns to step S101.

The order of processing in the flowchart of FIG. 5 is an example, and the order of each step may be changed as long as the same result can be obtained. For example, the location of the authenticated device 2 may be identified before device authentication. Also, device authentication may be performed after biometric authentication. Also, in the flowchart of FIG. 5, processing may end due to power off or an interrupt to end processing.

Next, the operation of the authentication device 1 according to this embodiment will be described using a specific example. In this specific example, the biometric authentication is assumed to be face authentication. Also, it is assumed that multiple pieces of correspondence information shown in FIG. 4 are stored in the memory unit 15. In this specific example, it is assumed that the registered biometric information is information on features acquired from a captured image of the face area of the user 5. Also, in this specific example, it is assumed that authentication is performed at a ticket gate.

First, assume that user U001 enters an automated ticket gate while carrying device to be authenticated 2, which is a smartphone. Device to be authenticated 2 then receives a beacon transmitted by the automated ticket gate, generates authentication information in response to the beacon, and transmits an authentication request including the generated authentication information and the user identifier "U001."

The authentication request sent from the device to be authenticated 2 of user U001 is received by the first and second receiver sets 21, 22 of the authentication device 1, respectively, and the authentication request is passed to the device authentication unit 12. At the same time, the received signal strength of the authentication request by the multiple first receivers 23 of the first receiver set 21 and the received signal strength of the authentication request by the multiple second receivers 24 of the second receiver set 22 are passed to the identification unit 13 (step S101).

When the device authentication unit 12 receives the authentication request, it performs device authentication using the authentication information included in the authentication request (step S102). It is assumed that this device authentication determines that the authenticated device 2 is legitimate (step S103). The device authentication unit 12 then passes on the fact that the authenticated device 2 is legitimate to the identification unit 13 and the biometric information acquisition unit 14, and passes on the fact that the authenticated device 2 is legitimate and the user identifier "U001" included in the received authentication request to the biometric authentication unit 16.

When receiving the received signal strength and the result of device authentication, the identification unit 13 acquires a representative value of the received signal strength acquired by the multiple first receivers 23 and a representative value of the received signal strength acquired by the multiple second receivers 24, and identifies the location of the authenticated device 2 using the difference between the representative values of the received signal strength and the first and second positions, which are the positions of the first and second receiver sets 21, 22 (step S104). The identified position is assumed to be position P1 shown in FIG. 2. Position P1 is passed to the biometric information acquisition unit 14.

When the biometric information acquisition unit 14 receives the device authentication result and the identified position P1, it uses the captured image captured by the imaging unit 7 at that time to identify an area R2 of a predetermined radius centered on the position P1, as shown in Figures 2 and 3. The biometric information acquisition unit 14 also identifies the user 5a present in the area R2, identifies an image PH1 of the face area of the identified user 5a, and acquires biometric information, which is information on the features used in face authentication, from the identified image PH1 and passes it to the biometric authentication unit 16 (step S105). Note that user 5a is user U001.

When the biometric authentication unit 16 receives the device authentication result, the user identifier, and the biometric information, it searches for the multiple pieces of corresponding information shown in FIG. 4 using the received user identifier "U001" as a search key, and reads out the registered biometric information "B001" contained in the first matching piece of corresponding information from the storage unit 15. The biometric authentication unit 16 then performs biometric authentication using the registered biometric information "B001" and the received biometric information (step S106). In this biometric authentication, it is assumed that the two are similar enough to exceed a threshold value, and that user U001 is determined to be legitimate. Then, the biometric authentication result and the user identifier "U001" are passed to the output unit 17.

When the output unit 17 receives the biometric authentication result, it transmits the biometric authentication result and the user identifier to a management system that manages the entry and exit of the user 5 (step S107). As a result, for example, the system may manage that the user U001 has entered the ticket gate at a specific station, or that he/she has left the ticket gate at a specific station. In the latter case, for example, the management system may perform a process of charging the user U001 the fare from the station where the user U001 entered the ticket gate to the station where he/she left the ticket gate.

In this specific example, if the device authentication determines that the device is not valid, for example, if the user 5 is using an invalid authenticated device 2, or if a user 5 who is not the original user of the authenticated device 2 is carrying the authenticated device 2, and as a result the device is determined to be invalid by biometric authentication, a message to that effect may be sent to the management system. Then, for example, the user 5 may be prevented from entering the ticket gate.

Finally, we will briefly explain examples of devices and systems that implement the authentication device 1 according to this embodiment.

The authentication device 1 may be incorporated into an automatic ticket gate. Then, when the authentication device 1 determines that both the device authentication and the biometric authentication are valid using an authentication request sent from a nearby authenticated device 2 and biometric information of a user 5 carrying the authenticated device 2, the gate of the automatic ticket gate may open, allowing the user to enter or exit the ticket gate. The user may also be charged when entering or exiting the ticket gate. In this way, for example, the user can board a train or the like without operating a smartphone or the like which is the authenticated device 2.

The authentication device 1 may be incorporated into a vending machine for drinks, etc. Then, after a user operates the purchase button on the vending machine, if the authentication device 1 determines that both the device authentication and the biometric authentication are valid using an authentication request sent from a nearby authenticated device 2 and biometric information of the user 5 carrying the authenticated device 2, the vending machine may provide the user with a product such as a drink corresponding to the purchase button operated by the user. In addition, the user may be charged appropriately depending on the processing. In this way, for example, the user can purchase products from the vending machine without operating the authenticated device 2, such as a smartphone.

The authentication device 1 may be installed near the entrance of an event venue such as a concert, sporting event, or seminar, an art museum, a museum, a theme park, a sports club, or a members-only lounge. When the authentication device 1 determines that both the device authentication and the biometric authentication are valid based on an authentication request sent from a nearby authenticated device 2 and biometric information of a user 5 carrying the authenticated device 2, the authentication device 1 may output information such as a ticket corresponding to a user identified by a user identifier included in the authentication request (e.g., information on the type of ticket or information on the owner of a pre-registered ticket) at a specified position of the authenticated device 2. By looking at the display, the staff of the event can identify people who do not have a ticket or membership card among those entering through the entrance. Note that the staff may request that people who do not have a ticket or a membership card present. In this way, for example, a user can enter an event venue, a museum, a sports club, or the like without operating a smartphone or the like that is the authenticated device 2.

The authentication device 1 may be incorporated into a store's cash register. Then, for example, after a user or a store clerk operates the payment button on the cash register, the authentication device 1 determines that both the device authentication and the biometric authentication are valid using an authentication request sent from a nearby authenticated device 2 and the biometric information of the user 5 carrying the authenticated device 2, and then a charge according to the purchase amount may be made to a pre-registered payment method (e.g., credit card, electronic money, etc.). In this way, for example, the user can purchase goods and the like at a store without operating the authenticated device 2, such as a smartphone.

The authentication device 1 may be incorporated into a device that requires identity authentication, such as a PC (Personal Computer) or an ATM (Automated Teller Machine). Then, for example, after a user operates a device such as a PC or an ATM, the authentication device 1 determines that both device authentication and biometric authentication are valid using an authentication request sent from a nearby authenticated device 2 and biometric information of a user 5 carrying the authenticated device 2. For example, the user identified by the user identifier included in the authentication request may log in to a PC, log in to a website operated on the PC, or withdraw cash from an ATM. In this way, for example, a user can be authenticated on a device such as a PC or an ATM and can operate the device without having to enter a PIN number, etc.

The authentication device 1 according to this embodiment can also be used in situations other than those described above. For example, it may be used for authentication in car sharing, rental cars, boarding procedures for airplanes, etc. It may also be used for user authentication when operating devices such as personal computers.

As described above, according to the authentication device 1 of the present embodiment, since device authentication is performed, it is possible to prevent impersonation of another person. For example, if only a user identifier is included in the authentication request, a malicious third party who has acquired the user identifier of another person can send an authentication request including the acquired user identifier to the authentication device 1 and impersonate the user identified by that user identifier. However, since the authentication request also includes authentication information, and device authentication is performed using the authentication information, such impersonation can be prevented. In addition, by performing biometric authentication together with device authentication, appropriate personal authentication can be performed without necessarily performing highly accurate biometric authentication. This is because the use of the authentication request makes it possible to limit the users who perform biometric authentication. Therefore, the accuracy of the biometric authentication performed by the biometric authentication unit 16 can be lower than the accuracy of biometric authentication that authenticates an individual using only biometric information. Therefore, as the registered biometric information, information with a degree of accuracy that cannot identify an individual by itself, such as information such as height and stride length, can also be used. As a result, it is also possible to store the registered biometric information locally in the authentication device 1, and it becomes possible to perform biometric authentication in real time. Furthermore, if the biometric authentication unit 16 performs biometric authentication with the same level of accuracy as biometric authentication that uses only biometric information to authenticate an individual, the overall accuracy of authentication will be higher.

In addition, by performing biometric authentication in addition to device authentication, if an unauthorized user carries the authenticated device 2, the authenticated device 2 will be determined to be unauthorized by the biometric authentication, and unauthorized use of the authenticated device 2 by an unauthorized user can be prevented. For example, if user B carries user A's authenticated device 2, user B can be prevented from impersonating user A and entering an event venue such as a concert.

In addition, by acquiring biometric information using the position of the authenticated device 2 identified by the identification unit 13, it is possible to properly acquire the biometric information of the target user, thereby improving the accuracy of biometric authentication. In addition, by performing biometric authentication using biometric information that can be acquired contactlessly, such as face authentication, it is possible to realize, for example, hands-free personal authentication, i.e., personal authentication that does not involve any operation by the user 5.

In this embodiment, the receiving unit 11 has mainly been described as having two receiver sets, i.e., the first and second receiver sets 21 and 22. However, the receiving unit 11 may have three or more receiver sets. That is, the receiving unit 11 may have the first to Nth receiver sets arranged at the first to Nth positions, respectively. N is an integer of 2 or more. The first to Nth receiver sets may also be similar to the first and second receiver sets 21 and 22. For example, the Kth receiver set may include one or more receivers. K is an arbitrary integer of 1 to N. It is preferable that the first to Nth positions are different positions. In addition, when N is 3 or more, for example, when the positions are specified by a three-point survey, it is preferable that the first to Nth positions do not exist on a single straight line, but otherwise, the first to Nth positions may exist on a single straight line. Also, when N is 4, for example, when the position is specified by a three-point survey, it is preferable that the first to fourth positions are not vertices of a parallelogram, but otherwise the first to fourth positions may be vertices of a parallelogram. In this way, when the receiving unit 11 has the first to Nth receiver sets, the specifying unit 13 may specify the position of the authenticated device 2 based on the intensity difference of the authentication request received by each of the first to Nth receiver sets. Note that this position specification may be performed, for example, by repeatedly specifying an Apollonius circle or line based on the intensity difference of the authentication request received by each of the two receiver sets for different combinations of the first to Nth receiver sets, thereby specifying a plurality of Apollonius circles or lines, and specifying a position on the specified Apollonius circle, line, or circle as the position of the authenticated device 2, or by other methods.

In addition, in this embodiment, the case where the location of the authenticated device 2 is identified by the identification unit 13 has been mainly described, but this is not necessary. When the location of the authenticated device 2 is not identified, the authentication device 1 may not have, for example, the identification unit 13, and the receiving unit 11 may not have the first and second receiver sets 21 and 22. That is, the receiving unit 11 may receive the authentication request by, for example, one receiver. In this case, the biometric information acquisition unit 14 may acquire, for example, biometric information of a user 5 present in an area assumed to be the source of the authentication request received by the receiving unit 11. When the authenticated device 2 transmits an authentication request in response to receiving a specific beacon, the area may be, for example, the reachable range of the specific beacon. Also, when the location of the authenticated device 2 is not identified, the biometric information acquisition unit 14 may acquire, for example, biometric information of one or more users 5. When multiple pieces of biometric information are acquired, the biometric authentication unit 16 may determine that the user 5 from whom the biometric information is acquired is legitimate when at least one of the multiple pieces of biometric information matches the registered biometric information associated with the user identifier included in the received authentication request. In this case, it may be difficult to acquire only the biometric information of the user 5 carrying the authenticated device 2 that sent the authentication request.

In addition, in the above embodiments, each process or function may be realized by centralized processing in a single device or a single system, or may be realized by distributed processing in multiple devices or multiple systems.

In addition, in the above embodiment, the transfer of information between components may be performed, for example, by one component outputting information and the other component receiving information if the two components transferring the information are physically different, or, if the two components transferring the information are physically the same, by shifting from a processing phase corresponding to one component to a processing phase corresponding to the other component.

In addition, in the above embodiment, information related to the processing performed by each component, such as information accepted, acquired, selected, generated, transmitted, or received by each component, and information such as thresholds, formulas, and addresses used by each component in processing, may be temporarily or long-term stored in a recording medium (not shown) even if not specified in the above description. Furthermore, each component or a storage unit (not shown) may store information in the recording medium (not shown). Furthermore, each component or a reading unit (not shown) may read information from the recording medium (not shown).

In the above embodiment, if the information used by each component, such as the thresholds, addresses, and various setting values used by each component in processing, may be changed by the user, the user may or may not be able to change the information as appropriate, even if not specified in the above description. If the information is changeable by the user, the change may be realized, for example, by a reception unit (not shown) that receives a change instruction from the user, and a change unit (not shown) that changes the information in response to the change instruction. The reception unit (not shown) may receive the change instruction from an input device, may receive information transmitted via a communication line, or may receive information read from a specified recording medium.

In addition, in the above embodiment, when two or more components included in the authentication device 1 have a communication device, an input device, etc., the two or more components may have a single physical device, or may have separate devices.

In the above embodiment, each component may be configured by dedicated hardware, or components that can be realized by software may be realized by executing a program. For example, each component may be realized by a program execution unit such as a CPU reading and executing a software program recorded on a recording medium such as a hard disk or semiconductor memory. During execution, the program execution unit may execute the program while accessing the memory unit or recording medium. The software that realizes the authentication device 1 in the above embodiment is a program such as the following. In other words, this program may be a program for causing a computer that can access a storage unit that stores multiple pieces of correspondence information that associate a user identifier that identifies a user with registered biometric information that is the user's biometric information to execute the following steps: receiving an authentication request transmitted from an authenticated device, the authentication request including a user identifier that identifies a user carrying the authenticated device and authentication information used to authenticate the authenticated device; performing device authentication using the authentication information included in the received authentication request to determine whether the authenticated device that sent the authentication request is legitimate; acquiring biometric information of a user carrying the authenticated device; performing biometric authentication using the registered biometric information that is associated by the correspondence information with the user identifier included in the authentication request received in the authentication request receiving step and the biometric information acquired in the biometric information acquiring step to determine whether the user whose biometric information is acquired is legitimate; and outputting the result of the device authentication in the device authentication step and the result of the biometric authentication in the biometric authentication step.

In the above program, the steps of receiving information, acquiring information, and outputting information do not include processes that are performed only by hardware, such as processes performed by a communication device in the receiving step, or processes performed by a communication device or display device in the output device.

This program may also be executed by being downloaded from a server or the like, or by being read from a predetermined recording medium (for example, an optical disk such as a CD-ROM, a magnetic disk, or a semiconductor memory). This program may also be used as a program constituting a program product.

The program may be executed by a single computer or multiple computers. In other words, it may perform centralized processing or distributed processing.

Figure 6 is a diagram showing an example of a computer system 900 that executes the above program to realize the authentication device 1 according to the above embodiment. The above embodiment can be realized by computer hardware and a computer program executed thereon.

6, the computer system 900 includes an MPU (Micro Processing Unit) 911, a ROM 912 such as a flash memory in which programs such as a boot-up program, application programs, system programs, and data are stored, a RAM 913 connected to the MPU 911 to temporarily store instructions for application programs and provide a temporary storage space, a touch panel 914, a wireless communication module 915, and a bus 916 that interconnects the MPU 911, the ROM 912, and the like. The computer system 900 may include, for example, a plurality of wireless communication modules 915 corresponding to the first and second receiver sets 21 and 22, or may be connected to a plurality of wireless communication modules corresponding to the first and second receiver sets 21 and 22. The computer system 900 may also include a display and an input device such as a mouse or a keyboard instead of the touch panel 914. The computer system 900 may also include other recording media such as a hard disk.

A program that causes the computer system 900 to execute the functions of the authentication device 1 according to the above embodiment may be stored in the ROM 912 via the wireless communication module 915. The program is loaded into the RAM 913 when executed. The program may also be loaded directly from the network.

The program does not necessarily have to include an operating system (OS) or a third-party program that causes the computer system 900 to execute the functions of the authentication device 1 according to the above embodiment. The program may include only an instruction portion that calls appropriate functions or modules in a controlled manner to achieve the desired result. How the computer system 900 operates is well known, and a detailed description will be omitted.

The above embodiments are merely examples for specifically implementing the present invention, and are not intended to limit the technical scope of the present invention. The technical scope of the present invention is indicated by the claims, not by the description of the embodiments, and is intended to include modifications within the literal scope of the claims and within the scope of equivalent meanings.

REFERENCE SIGNS LIST 1 Authentication device 2, 2a to 2c Device to be authenticated 5, 5a to 5c User 11 Reception unit 12 Device authentication unit 13 Identification unit 14 Biometric information acquisition unit 15 Storage unit 16 Biometric authentication unit 17 Output unit 21 First receiver set 22 Second receiver set 23 First receiver 24 Second receiver

Claims (6)

a receiving unit that receives an authentication request transmitted from the device to be authenticated, the request including a user identifier that identifies a user carrying the device to be authenticated and authentication information used to authenticate the device to be authenticated;
a device authentication unit that performs device authentication by using authentication information included in the authentication request received by the receiving unit to determine whether the authenticated device that has transmitted the authentication request is valid;
a biometric information acquiring unit for acquiring biometric information of a user carrying the device to be authenticated;
a storage unit that stores a plurality of pieces of correspondence information that associate a user identifier that identifies a user with registered biometric information that is biometric information of the user;
a biometric authentication unit that performs biometric authentication to determine whether a user whose biometric information has been acquired is legitimate, using registered biometric information that is associated with a user identifier included in the authentication request received by the receiving unit by the correspondence information and the biometric information acquired by the biometric information acquisition unit;
an output unit that outputs a result of device authentication by the device authentication unit and a result of biometric authentication by the biometric authentication unit ,
The receiving unit is
a first receiver set including one or more first receivers;
a second receiver set including one or more second receivers located at a different location than the first receiver set.
and a determination unit for determining a location of the authenticatee based on a strength difference between the authentication requests received by the first and second receiver sets, respectively.
The authentication device , wherein the biometric information acquisition unit acquires biometric information of a user carrying an authenticated device that is located at a position identified by the identification unit . The authentication device according to claim 1 , wherein the biometric authentication is face authentication. The authentication device according to claim 1 , wherein the biometric authentication is at least one of biometric authentication using height, biometric authentication using stride length, and iris authentication. The authentication device according to claim 1 , wherein the receiving unit receives the authentication request as a radio wave. An authentication method processed using a receiving unit including a first receiver set including one or more first receivers, and a second receiver set including one or more second receivers arranged at a position different from the first receiver set, an identifying unit, a device authentication unit, a biometric information acquiring unit, a storage unit in which a plurality of pieces of correspondence information are stored that associate a user identifier that identifies a user with registered biometric information that is biometric information of the user, a biometric authentication unit, and an output unit,
a step of receiving, by the receiving unit, an authentication request transmitted from the authenticated device, the authentication request including a user identifier that identifies a user carrying the authenticated device and authentication information used to authenticate the authenticated device , by the first and second receiver sets ;
a step of performing device authentication by the device authentication unit, using authentication information included in the received authentication request, to determine whether the authenticated device that has transmitted the authentication request is valid;
the determining unit determining a location of the authenticatee device based on a strength difference between authentication requests received by the first and second sets of receivers, respectively;
a step of acquiring biometric information of a user carrying an authenticated device that is located at a position identified in the step of identifying the position of the authenticated device , by the biometric information acquiring unit;
a step in which the biometric authentication unit performs biometric authentication to determine whether or not a user whose biometric information has been acquired is legitimate, using registered biometric information associated with a user identifier included in the authentication request received in the step of receiving the authentication request by the correspondence information and the biometric information acquired in the step of acquiring the biometric information;
an output unit outputting a result of device authentication in the step of performing device authentication and a result of biometric authentication in the step of performing biometric authentication. A computer that can access a storage unit that stores a plurality of pieces of correspondence information that associate a user identifier that identifies a user with registered biometric information that is biometric information of the user,
receiving an authentication request transmitted from an authenticated device, the authentication request including a user identifier for identifying a user carrying the authenticated device and authentication information used to authenticate the authenticated device , by a first receiver set including one or more first receivers and a second receiver set including one or more second receivers arranged at a position different from that of the first receiver set ;
performing device authentication using authentication information included in the received authentication request to determine whether the authenticated device that has transmitted the authentication request is valid;
determining a location of the authenticatee device based on a difference in strength of authentication requests received by the first and second sets of receivers, respectively;
acquiring biometric information of a user carrying an authenticated device that is located at the position identified in the step of identifying the location of the authenticated device ;
performing biometric authentication to determine whether a user whose biometric information is acquired is legitimate, using registered biometric information associated with a user identifier included in the authentication request received in the step of receiving the authentication request by the correspondence information and the biometric information acquired in the step of acquiring the biometric information;
and a step of outputting a result of the device authentication in the step of performing the device authentication and a result of the biometric authentication in the step of performing the biometric authentication.

Images