JP2023127338A - Information processing apparatus, information processing system, and program - Google Patents

Abstract

To provide an apparatus, system, and program capable of avoiding a situation where no user can log in.SOLUTION: An information processing apparatus that changes multi-factor authentication settings, comprises: a storage unit 51 for storing first and second authentication information in association with user type information; a communication unit 50 for receiving a request to enable the multi-factor authentication settings after a first authentication process using the first authentication information is successful; and a setting processing unit 55 for enabling the multi-factor authentication settings according to the type information and the second authentication information stored in the storage unit 51.SELECTED DRAWING: Figure 3

Description

The present invention relates to an information processing apparatus and system for changing multi-factor authentication settings, and a program for causing a computer to execute processing for changing multi-factor authentication settings.

When using a service, user authentication is performed to determine whether the user is authorized to use the service. In the user authentication, a user ID and password are generally used, but if the user ID and password are leaked, a third party can impersonate the user and use the service.

Therefore, in order to increase security, in addition to knowledge information such as user ID and password that only the user knows, information on things that the user owns (possession information) such as IC cards and smartphones, and biological information that represents the user's physical characteristics. Multi-factor authentication, which performs authentication using other factors such as information, has come into use.

As an example of multi-factor authentication, if an information processing terminal is registered on a server, and the information stored on the information processing terminal is successfully matched with the information registered on the server, and authentication using identification information and password is successful, 2. Description of the Related Art Techniques for enabling access to websites are known (for example, see Patent Document 1).

However, in the conventional technology, multi-factor authentication can be set effectively even when no information processing terminal is registered on the server, so there is a problem that no user can log in.

The present invention solves the above-mentioned problems, and aims to provide a device, a system, and a program that can avoid a situation where no user can log in.

According to the present invention, there is provided an information processing apparatus that changes settings of multi-factor authentication,
storage means for storing first and second authentication information in association with user type information;
a communication means for receiving a request to enable multi-factor authentication settings after a first authentication process using the first authentication information is successful;
An information processing apparatus is provided, including a setting processing means for enabling multi-factor authentication settings according to type information and second authentication information stored in a storage means.

According to the present invention, it is possible to avoid a situation where no user can log in.

1 is a diagram illustrating a configuration example of an information processing system according to an embodiment. FIG. 1 is a diagram showing an example of a hardware configuration of an application server as an information processing device. FIG. 2 is a block diagram showing an example of functional configurations of a user terminal, an application server, and an authentication terminal. Diagram showing an example of authentication information stored in the storage unit of the application server FIG. 3 is a sequence diagram illustrating an example of a process for changing multi-factor authentication settings. 10 is a flowchart illustrating an example of a process for changing multi-factor authentication settings. The diagram showing an example of a screen for setting multi-factor authentication. FIG. 3 is a sequence diagram illustrating an example of a process for registering a user terminal used for multi-factor authentication. The sequence diagram showing the flow of using a service by implementing multi-factor authentication.

The present invention will be described below with reference to embodiments, but the present invention is not limited to the embodiments described below.

FIG. 1 is a diagram showing a configuration example of an information processing system according to this embodiment. The information processing system includes a user terminal 10 used by a user, an application server (hereinafter referred to as an application server) 11 as an example of an information processing device that provides services to the user terminal 10, and a terminal for user authentication. (authentication terminal) 12. Note that the number of user terminals 10 and authentication terminals 12 is not limited to one each, and may be two or more each.

The user terminal 10 and the application server 11 are connected via a network 13. The authentication terminal 12 is also connected to the network 13 via a relay device such as a router, and is connected to the application server 11. The network 13 may be either a wired network or a wireless network.

The user terminal 10 is a notebook PC (Personal Computer), a desktop PC, a tablet terminal, etc. used by the user, and is equipped with a browser for requesting services and displaying services provided by the application server 11. The application server 11 receives a request from the browser of the user terminal 10 and provides the requested service. It may be implemented in the form of an application on a server on the network 13 and provided as a cloud computer.

The service provided by the application server 11 may be any service, and an example is a web service that can be used by displaying or operating on a browser. Web services include online distribution services, ticket reservation/purchase services, information search services, and the like.

In order to receive the services provided by the application server 11, the user uses the user terminal 10 to request the provision of the services. When providing a service, the application server 11 performs user authentication to determine whether the user is authorized to use the service.

User authentication is generally performed using identification information such as a user name and user ID, and a password. The identification information and password are knowledge information known only to the user, and can be written down so as not to be forgotten. However, if a third party sees your memo and becomes aware of your password, the third party will be able to access your service. Therefore, multi-factor authentication is increasingly being adopted to increase security.

Multi-factor authentication performs authentication using two or more different factors, such as knowledge information such as identification information and password, possession information that is information about what the user owns, and biometric information that represents the user's physical characteristics. be. Knowledge information includes a PIN (Personal Identification Number) used to unlock a smartphone, questions and answers for identity verification, and the like. Items held by the user include IC cards and smartphones, and information held by the user includes a one-time password generated by the device, card information such as a card number, device information such as the device name, and the information provided by the device to receive services. There is an application ID, etc., which is a value that is automatically generated when an application to be executed is installed. Biometric information includes fingerprints, face, iris, retina, veins, etc.

A user who uses the service registers first authentication information and second authentication information used in multi-factor authentication in the application server 11 before using the service. Hereinafter, multi-factor authentication will be described as two-factor authentication that performs authentication using two factors, but it is not limited to two-factor authentication, and authentication may be performed using three or more factors. Further, although the first authentication information is described as identification information and a password, and the second authentication information is described as device information and an application ID, the combination is not limited to this.

The authentication terminal 12 is an authentication device used only by the user, and is, for example, a mobile phone, a smartphone, a tablet terminal, a PDA (Personal Digital Assistant), a notebook PC (Personal Computer), or the like.

Multi-factor authentication can be implemented by setting the multi-factor authentication to “enable” on the management screen that is managed by the application server 11 and provided to the user terminal 10. The management screen can be viewed and operated by the system administrator to change settings. Therefore, by opening the management screen and setting the multi-factor authentication to "enabled", the administrator can perform subsequent authentication processing as multi-factor authentication processing. Note that the administrator is one of the users.

The management screen can be opened by entering only the first authentication information and logging in. Administrators can request multi-factor authentication to be set to "enabled" on the management screen. Therefore, even if the second authentication information is not registered, the multi-factor authentication setting can be made "valid". If there is one or more administrators, and none of the administrators has registered secondary authentication information, and the multi-factor authentication setting is set to "enabled", no users will be able to log in. It's gone. Then, even if you want to return the multi-factor authentication setting to "disabled", no one can log in, so you cannot change the multi-factor authentication setting.

Therefore, when setting multi-factor authentication to "enable", the application server 11 is configured to determine whether the conditions for enabling multi-factor authentication are met, and to enable multi-factor authentication if the conditions are met. be done.

FIG. 2 is a diagram showing an example of the hardware configuration of the application server 11. The user terminal 10 and the authentication terminal 12 can also have the same hardware configuration as the application server 11, so a description of the hardware configuration of the user terminal 10 will be omitted.

The application server 11 includes hardware such as a CPU (Central Processing Unit) 20, a ROM (Read Only Memory) 21, a RAM (Random Access Memory) 22, an HD (Hard Disk) 23, an HDD (Hard Disk Drive) controller 24, and a display. 25, an external device connection I/F 26, a network I/F 27, and a bus line 28. The application server 11 includes a keyboard 29, a pointing device 30, a DVD-RW (Digital Versatile Disk Rewritable) drive 31, and a media I/F 32 as hardware.

The CPU 20 controls the overall operation of the application server 11. The ROM 21 stores programs used to drive the CPU 20, such as IPL (Initial Program Loader). The RAM 22 is used as a work area for the CPU 20. The HD 23 stores various data such as programs. The HDD controller 24 controls reading and writing of various data to the HD 23 under the control of the CPU 20 . Although the HD 23 is used as the storage device here, the storage device is not limited to this, and an SSD (Solid State Drive) or the like may also be used.

The display 25 displays various information such as a cursor, menu, window, characters, or images. The external device connection I/F 26 is an interface for connecting various external devices. The external device is, for example, a USB (Universal Serial Bus) memory, a printer, or the like. The network I/F 27 is an interface for data communication using the network 13. The bus line 28 is an address bus, a data bus, etc. for electrically connecting each component such as the CPU 20.

The keyboard 29 is a type of input means that includes a plurality of keys for inputting characters, numerical values, various instructions, and the like. The pointing device 30 is a type of input means for selecting and executing various instructions, selecting a processing target, moving a cursor, and the like. The DVD-RW drive 31 controls reading and writing of various data to and from a DVD-RW 33, which is an example of a removable recording medium. Note that it is not limited to DVD-RW, but may be DVD-R or the like. The media I/F 32 controls reading and writing of data to and from a recording medium 34 such as a flash memory. Note that the authentication terminal 12 further includes a camera as an imaging means.

FIG. 3 is a block diagram showing an example of the functional configuration of the user terminal 10, the application server 11, and the authentication terminal 12. Each of the user terminal 10, the application server 11, and the authentication terminal 12 can implement each function using one or more processing circuits. Here, the processing circuit refers to a processor programmed to execute each function by software, such as a processor implemented using an electronic circuit, or an ASIC (Application Specific Integrated Circuit) designed to execute each function. , DSP (Digital Signal Processor), FPGA (Field Programmable Gate Array), and conventional circuit modules.

The user terminal 10 includes a communication section 40, a display control section 41, an input reception section 42, and a request processing section 43.

The communication unit 40 communicates with the application server 11, transmits first authentication information, and receives management screen information, authentication management screen information, service screen information, and the like. The display control unit 41 controls the display of a management screen, an authentication management screen, a service screen, and the like. The input receiving unit 42 receives input to the first authentication information, the management screen, and the like.

The request processing unit 43 requests the application server 11 to perform user authentication, obtain a management screen, change settings, provide services, etc. via the communication unit 40 .

The application server 11 includes a communication section 50, a storage section 51, a registration processing section 52, an authentication processing section 53, a determination section 54, a setting processing section 55, and a service providing section 56.

The communication unit 50 communicates with the user terminal 10, receives device information, application ID, etc. to be registered as first authentication information and second authentication information from the user terminal 10, and transmits management screen information and service information to the user terminal 10. Send content etc.

The storage unit 51 stores a user name and a password as first authentication information as user information. Note that the information is not limited to the user name, and a user ID or the like may be used as information that uniquely identifies the user. The first authentication information is stored in association with user type information. The user type information is information indicating the type of user, such as "general" indicating a general user, "management" indicating an administrator, etc. The registration processing unit 52 causes the storage unit 51 to store the second authentication information requested for registration in association with the user type information and the first authentication information. The registration processing unit 52 transmits the registration result to the authentication terminal 12 via the communication unit 50.

FIG. 4 is a diagram showing an example of authentication information stored in the storage unit 51. The first authentication information may be set by the user himself or may be generated and issued by the application server 11. The user type information may also be set by the user himself or may be set all at once by the administrator. The second authentication information is registered in association with the user type information and the first authentication information only when the user registers for multi-factor authentication.

In the example shown in FIG. 4, first authentication information for three users with user names "X", "Y", and "Z" is registered, and the user with the user name "X" is of the type "management", and the user name Users “Y” and “Z” are of type “general”. "Management" represents an administrator, and "general" represents a general user. Additionally, the administrator with the user name "X" and the general user with the user name "Y" have registered the device information and application ID of their respective authentication terminals 12 as second authentication information, but the administrator with the user name "Z" For general users, the second authentication information is unregistered.

Referring again to FIG. 3, the storage unit 51 also stores setting information managed by the setting processing unit 55, content of services provided by the service providing unit 56, and the like.

The authentication processing unit 53 compares the first authentication information received from the user terminal 10 with the first authentication information stored in the storage unit 51, and performs login depending on whether the two match. The authentication processing unit 53 stores the authentication result together with the time in the storage unit 51. The time is used to determine whether re-access is performed within a predetermined time after authentication using the second authentication information is successful. If it is carried out within a predetermined time, it is possible to provide services without going through multi-factor authentication, and the authentication process can be simplified.

The determination unit 54 receives a request from the user terminal 10 via the communication unit 50 to enable the setting of multi-factor authentication, which is one of the setting items of the setting information, and determines whether the conditions for enabling the multi-factor authentication are satisfied. Determine whether or not. A condition for enabling multi-factor authentication is, for example, whether one or more authentication terminals 12 of the administrator are registered in advance. That is, it is whether the device information of one or more authentication terminals 12 of the administrator is registered in the application server 11 as second authentication information.

If the determination result of the determination unit 54 satisfies the conditions, the setting processing unit 55 changes the setting of multi-factor authentication from invalid to valid. When the multi-factor authentication is enabled and the multi-factor authentication is successful, the service providing unit 56 transmits service contents and the like to the user terminal 10 via the communication unit 50 to provide the service.

The authentication terminal 12 includes a communication section 60, an imaging section 61, a storage section 62, and a control section 63. The communication unit 60 communicates with the application server 11, and in order to register the device information and application ID held by the device as second authentication information, the communication unit 60 sends the device information together with the first authentication information input by the administrator. etc. are sent to the application server 11. The imaging unit 61 receives the two-dimensional code from the application server 11 via the communication unit 60 and photographs the two-dimensional code within the authentication management screen displayed on the user terminal 10 .

The two-dimensional code is, for example, a QR code (registered trademark), and includes address information indicating the storage location of the login screen information. The address information is a URL (Uniform Resource Locator) or the like. Although a two-dimensional code is displayed here, the display is not limited to a two-dimensional code, and a one-dimensional code such as a barcode or address information itself may be displayed. Therefore, by photographing the two-dimensional code using the imaging unit 61, the login screen can be displayed on the authentication terminal 12.

The storage unit 62 stores device information such as an application ID and a device name generated when an application is installed. The control unit 63 requests the acquisition of the app ID and device information from the storage unit 62, the user authentication for the app server 11, the registration of the second authentication information input in the registration screen information, etc. via the communication unit 40. do.

FIG. 5 is a sequence diagram illustrating an example of a process for changing multi-factor authentication settings. Since the communication unit 40, display control unit 41, input reception unit 42, and request processing unit 43 in the user terminal 10 are functions implemented by a browser, the settings for multi-factor authentication are changed using the browser 70. The flow of processing will be explained.

Multi-factor authentication settings are performed on the management screen, so they are performed by the administrator. There may be one administrator or multiple administrators. The administrator 71 displays a login screen on the browser 70 of the user terminal 10 that the administrator 71 owns, and inputs login information (S1). Login information is first authentication information (user name, password).

The browser 70 transmits a login request including login information to the application server 11 (S2). The application server 11 executes authentication processing based on the received login information (S3). If the authentication process is successful, the application server 11 transmits management screen information to the browser 70 and displays the management screen (S4).

The administrator 71 views the management screen and requests display of the authentication management screen (S4). The browser 70 requests authentication management screen information from the application server 11 (S5). Upon receiving the request from the browser 70, the application server 11 transmits authentication management screen information to the browser 70, and causes the browser 70 to display the authentication management screen (S6).

The administrator 71 views the authentication management screen and changes the multi-factor authentication setting from disabled "OFF" to enabled "ON" (S7). The browser 70 notifies the application server 11 that the multi-factor authentication setting has been turned on by the administrator 71 (S8). The application server 11 receives the notification from the browser 70 and determines whether the conditions for turning on multi-factor authentication are satisfied (S9).

If the conditions are met, the application server 11 turns on the multi-factor authentication setting and notifies the browser 70 that the multi-factor authentication has been turned on as a result notification (S10). The browser 70 displays the result and notifies the administrator 71 that multi-factor authentication has been enabled (S11).

If the conditions are not met, the application server 11 leaves the multi-factor authentication setting OFF and notifies the browser 70 of the error as a result notification (S12). The browser 70 displays the result and notifies the administrator 71 that activation of multi-factor authentication has failed (S13).

FIG. 6 is a flowchart illustrating an example of a process for changing multi-factor authentication settings. Upon receiving an input from the administrator 71 to turn on multi-factor authentication, the process starts from step 100. In step 101, multi-factor authentication is set to ON on the browser 70, and the application server 11 is notified that multi-factor authentication is set to ON. In step 102, the application server 11 determines whether one or more authentication terminals 12 of the administrator 71 are registered. That is, the application server 11 determines whether there is one or more administrators associated with the second authentication information.

If the administrator 71 is one person and has multiple authentication terminals 12, the application server 11 uses device information, etc. of one or more of the multiple authentication terminals 12 as second authentication information. It is determined whether it is registered in the application server 11. Therefore, if the administrator 71 has authentication terminals A, B, and C, and authentication terminal C is registered, it is determined that it is registered.

If there are multiple administrators 71 and each of them owns one or more authentication terminals 12, the application server 11 is configured to use one of the multiple authentication terminals 12 owned by the multiple administrators 71. It is determined whether the above device information and the like are registered in the application server 11 as second authentication information. Therefore, if the authentication terminals 12 of administrators D and E are not registered, but the authentication terminal 12 of administrator F is registered, it is determined that the authentication terminals 12 are registered.

If it is determined in step 102 that it has been registered, the process advances to step 103 and multi-factor authentication is enabled. On the other hand, if it is determined in step 102 that it is not registered, the process proceeds to step 104, where the application server 11 notifies the browser 70 of the error via dialog, and in step 105, multi-factor authentication remains disabled. In this example, the number of administrators who have registered the second authentication information is not limited to one or more, but a threshold is set and it is determined whether there are more than the threshold number of administrators who have registered the second authentication information. You may.

FIG. 7 is a diagram showing an example of an authentication management screen for setting multi-factor authentication. The authentication management screen includes a two-dimensional code for terminal registration 80 and a toggle button 81 that can enable or disable multi-factor authentication. When registering the authentication terminal 12, the administrator photographs the two-dimensional code 80 for terminal registration. Further, when enabling the multi-factor authentication setting, the administrator operates the toggle button 81 using an input means such as a mouse.

At this time, if one or more administrator authentication terminals 12 are registered, the toggle button 81 moves to the valid side (to the right in FIG. 7) and can be set to valid. On the other hand, if none of the administrator's authentication terminals 12 are registered, the application server 11 notifies the user of an error, sends an instruction to change screen information that disables user operations, and displays the information on the authentication terminal 12. The toggle button 81 that is displayed remains unchanged from the disabled side (the left side as viewed in FIG. 7). Therefore, the administrator cannot enable it. As a result, it is possible to avoid a situation where multi-factor authentication is enabled without any administrator registering the authentication terminal 12 for multi-factor authentication, and no user is able to log in.

FIG. 8 is a sequence diagram showing an example of a process for registering the authentication terminal 12 for multi-factor authentication. The administrator 71 requests the browser 70 to display a login screen. The browser 70 displays a login screen in response to the request. The administrator 71 inputs login information as first authentication information and logs into the web application of the browser 70 (S1). The browser 70 requests the application server 11 to log in using the login information input by the administrator 71 (S2).

The application server 11 executes authentication processing using the login information received from the browser 70 (S3). If the authentication process is successful, the application server 11 transmits management screen information to the browser 70 and displays the management screen (S4).

The administrator 71 views the management screen and requests display of the authentication management screen (S5). The browser 70 requests authentication management screen information from the application server 11 (S6). Upon receiving the request from the browser 70, the application server 11 transmits the authentication management screen information to the browser 70, and causes the browser 70 to display the authentication management screen (S7). The authentication management screen includes a two-dimensional code 80 for terminal registration.

The administrator 71 photographs the two-dimensional code 80 for terminal registration on the authentication management screen using the authentication terminal 12 that the administrator wants to register (S8). The authentication terminal 12 displays a login screen based on the login screen information obtained from the address information included in the photographed two-dimensional code for terminal registration 80 (S9). The administrator 71 enters login information on the login screen (S10). The login information is first authentication information such as the user name and password of the user who uses the authentication terminal 12 to be registered. The authentication terminal 12 to be registered may be a terminal of the administrator 71 or a terminal of a general user managed by the administrator 71. When a general user's terminal is registered by an administrator on behalf of the general user, the user name and password of the first authentication information become the user name and password of the general user. Thereby, the administrator 71 logs into the application of the authentication terminal 12.

The authentication terminal 12 requests the application server 11 to register the user name included in the login information, the device information stored in the authentication terminal 12, and the application ID as second authentication information (S11). The application server 11 uses the user name received from the authentication terminal 12 as user information, and registers the device information and the application ID as second authentication information in association with the user information (S12). The device information is a model name, a MAC (Media Access Control) address, etc., and the application ID is an ID issued and held by an application within the authentication terminal 12.

After registering the authentication terminal 12 by registering the second authentication information, the application server 11 transmits the terminal registration result to the authentication terminal 12 (S13). This allows authentication using the authentication terminal 12.

FIG. 9 is a sequence diagram showing the flow of performing multi-factor authentication and using a service. The process shown in FIG. 9 is a process that is executed after the multi-factor authentication setting is enabled. An administrator 71 or a general user, as a user 72, requests the browser 70 to display a login screen, and causes the browser 70 to display the login screen. The user 72 inputs login information (S1). The browser 70 requests the application server 11 to log in using the login information input by the user 72 (S2).

The application server 11 executes authentication processing using the login information received from the browser 70 (S3). This is the first factor of authentication processing. If the authentication process is successful, the application server 11 transmits information on the two-dimensional code for multi-factor authentication to the browser 70, and displays the two-dimensional code for multi-factor authentication (S4).

The user 72 photographs the two-dimensional code for multi-factor authentication using the authentication terminal 12 (S5). The authentication terminal 12 transmits an authentication request including the device information held by itself and the application ID to the application server 11 (S6).

The application server 11 uses the device information and application ID received from the authentication terminal 12 to determine whether the terminal is already registered as the authentication terminal of the user 72 (S7). This is the second factor authentication process. The application server 11 holds device information and application ID in association with user information such as a user name. For this reason, the application server 11 compares the device information etc. it holds with the device information etc. received from the authentication terminal 12, and determines whether the terminal is a registered terminal depending on whether the two match.

The application server 11 stores the authentication result and the time when the authentication was performed (S8). The application server 11 transmits the authentication result to the authentication terminal 12 (S9). The user 72 can view the authentication result displayed by the authentication terminal 12 and, if the authentication result is successful, request service provision from the browser 70 and receive service provision from the application server 11 .

The user 72 may want to once end the use of the service and then use it again. In this case, the user 72 can log off once. When using the service again, the user 72 starts the browser 70 and reloads the screen of the browser 70 (S10). The browser 70 accesses the application server 11 again (S11).

Upon receiving the re-access from the browser 70, the application server 11 determines whether the user 72 has successfully completed multi-factor authentication within a predetermined time (S12). The predetermined time is, for example, 24 hours. Although the predetermined time is set to 24 hours here, it is not limited to 24 hours. If the multi-factor authentication has been successful within 24 hours, the application server 11 provides the service without performing the multi-factor authentication again (S13). On the other hand, if multi-factor authentication is not successful within 24 hours, the application server 11 provides the two-dimensional code for multi-factor authentication again and requests transmission of device information, etc. used for multi-factor authentication again (S14). . An example of a case where multi-factor authentication has not been successful within 24 hours is a case where more than 24 hours have passed since the previous successful multi-factor authentication.

After multi-factor authentication has been enabled, the administrator deletes the device information or app ID that is registered second authentication information, such as when purchasing a new device, and attempts to register new device information, etc. There is.

When the application server 11 receives a request to delete the second authentication information from the administrator, it determines whether the type information associated with the second authentication information requested to be deleted is that of the administrator. If the application server 11 determines that the administrator is the administrator, the application server 11 determines whether or not the administrator who registered the second authentication information no longer exists if the requested second authentication information is deleted. If the administrator no longer exists, the application server 11 can send a message to the user terminal 10 to the effect that the requested second authentication information cannot be deleted. Note that the message transmission is performed by the communication unit 50 included in the application server 11.

The administrator can delete not only the second authentication information but also the first authentication information, and can also change the user type information from "management" to "general".

After multi-factor authentication is enabled, the application server 11 deletes the first and second authentication information of the administrator, or when the user type information is requested to be changed from administrator to general user. Or, if changed, it is determined whether the administrator no longer exists. If the administrator no longer exists, the application server 11 sends a message to the user terminal 10 to the effect that the administrator's first and second authentication information cannot be deleted or that the administrator cannot be changed to a general user. be able to. Further, when deleting or changing the application server 11, the application server 11 can send a message instructing to register the first and second authentication information of another administrator.

As explained above, if the device information of at least one of the authentication terminal 12 of the administrator 71 is not registered in the application server 11 as the second authentication information, the multi-factor authentication setting cannot be enabled. This prevents a situation where no user can log in.

Although one embodiment of the present invention has been described so far, the present invention is not limited to the embodiment described above, and the present invention may be modified or deleted from the constituent elements of this embodiment, or the constituent elements of this embodiment may be modified or deleted. Changes can be made within the range that can be conceived by those skilled in the art, such as adding other components, and any aspect is included in the scope of the present invention as long as the effects of the present invention are achieved. .

10...User terminal 11...Application server 12...Authentication terminal 13...Network 20...CPU
21...ROM
22...RAM
23...HD
24...HDD controller 25...Display 26...External device connection I/F
27...Network I/F
28...Bus line 29...Keyboard 30...Pointing device 31...DVD-RW drive 32...Media I/F
33...DVD-RW
34...Recording media 40...Communication unit 41...Display control unit 42...Input reception unit 43...Request processing unit 50...Communication unit 51...Storage unit 52...Registration processing unit 53...Authentication processing unit 54...Determination unit 55...Setting processing unit 56...Service providing unit 60...Communication unit 61...Imaging unit 62...Storage unit 63...Control unit 70...Browser 71...Administrator 72...User 80...Two-dimensional code for terminal registration 81...Toggle button

Japanese Patent Application Publication No. 2015-138382

Claims (12)

An information processing device that changes multi-factor authentication settings,
storage means for storing first and second authentication information in association with user type information;
Communication means for receiving a request to enable the multi-factor authentication settings after a first authentication process using the first authentication information is successful;
An information processing device comprising: a setting processing means for validating the setting of the multi-factor authentication according to the type information and the second authentication information stored in the storage means. comprising a determining means for determining whether there is one or more users of a predetermined type associated with the second authentication information stored in the storage means;
The information processing apparatus according to claim 1, wherein the setting processing means enables the multi-factor authentication setting when it is determined that the multi-factor authentication setting exists. The determining means determines whether there are a threshold number or more of users of the predetermined type associated with the second authentication information stored in the storage means,
The information processing apparatus according to claim 2, wherein the setting processing means validates the multi-factor authentication setting when it is determined that the multi-factor authentication setting exists. When the determining means determines that the determining means does not exist, the communication means sends a message to the effect that the multi-factor authentication setting cannot be enabled, and the information possessed by the user of the predetermined type as the second authentication information. The information processing device according to claim 2 or 3, wherein the information processing device transmits a message instructing to register. After transmitting screen information that allows the user to perform an operation to change the settings of the multi-factor authentication, the communication means changes the screen information to screen information that disables the operation when the determination means determines that the multi-factor authentication setting does not exist. The information processing device according to any one of claims 2 to 4, wherein the information processing device transmits an instruction to do so. The first authentication information includes identification information for identifying the user and a password,
The information according to any one of claims 1 to 5, wherein the second authentication information is either possession information of the user or biometric information of the user, which is different from the first authentication information. Processing equipment. The second authentication information is the possession information,
The information processing device includes:
The claim further comprises a registration processing means for storing the possession information as the second authentication information in the storage means in association with the first authentication information based on the identification information and the possession information received from the authentication terminal. The information processing device according to item 6. The communication means is configured such that the type information associated with the second authentication information requested to be deleted is information indicating a predetermined type after the multi-factor authentication is set to be valid, and the type information associated with the second authentication information requested to be deleted is information indicating a predetermined type. If the user of the predetermined type associated with the second authentication information no longer exists in the storage means if the second authentication information is deleted, the requested second authentication information cannot be deleted. The information processing device according to any one of claims 1 to 7, wherein the information processing device transmits a message. After the multi-factor authentication is set to be valid, the communication means deletes the first and second authentication information of the user of a predetermined type, or changes the type information of the user of the predetermined type to the predetermined type. If the user of the predetermined type associated with the second authentication information no longer exists in the storage means if deletion or change is requested, the user's first and second authentication information If the authentication information cannot be deleted or the type information cannot be changed to a type other than the predetermined type, and if the authentication information is to be deleted or changed, register the first and second authentication information of other users of the predetermined type. The information processing apparatus according to any one of claims 1 to 8, wherein the information processing apparatus transmits a message instructing the information processing apparatus to perform the following operations. An information processing system comprising: the information processing device according to claim 1; and a user terminal that transmits first authentication information used for multi-factor authentication to the information processing device. The information processing system according to claim 11, further comprising an authentication terminal that transmits information that it owns as second authentication information used for multi-factor authentication. A program for causing a computer to execute a process of changing multi-factor authentication settings, the computer including a storage means for storing first and second authentication information in association with user type information,
receiving a request to enable the multi-factor authentication settings after a first successful authentication process using the first authentication information;
A program that executes a step of validating the multi-factor authentication setting according to the type information and the second authentication information stored in the storage means.