JP2016066132A - Multilevel authentication device and multilevel authentication method - Google Patents

Abstract

PROBLEM TO BE SOLVED: To provide a technique for applying authentication according to a security level of a system with a uniform authentication criterion easily and properly, and improving security and application convenience.SOLUTION: The present invention relates to a multilevel authentication device for managing authentication to a selected system out of plural systems, from a user's terminal of one user out of plural users. The multilevel authentication device compares an authentication level corresponding to a selected authentication method, and a system authentication level of the selected system, and thereby performs authentication to the selected system.SELECTED DRAWING: Figure 1

Description

  The present invention relates to a multilevel authentication apparatus and a multilevel authentication method provided as a basic service.

  Cloud usage is increasing year by year, and software that provides SaaS (Software as a Service) type services is also increasing. In this way, the operation of providing services as a base is also spreading.

  Smart devices typified by smartphones and the like are in widespread use in society. In systems using conventional PCs, authentication such as ID / PW (user ID and password) is frequently used. However, smart devices are characterized by authentication other than ID / PW (for example, PIN (Personal Identification Number)). ) Authentication and gesture authentication are often used.

  There are many systems using single sign-on on the market. Many of these are systems that perform authentication of a plurality of systems in a unified manner using specific authentication information, and are used mainly for reducing the operational burden on users.

  As a method of personal authentication, there is an authentication method using behavioral characteristics. This is a method of estimating the identity of the user by analyzing the actions of the user using the terminal, such as keyboard keystrokes, mouse click speeds, and file access methods. Combining these behavioral characteristics authentication enables more accurate personal authentication than ID / PW. There exists patent document 1 as a prior art.

JP 2009-175984 A

  At present, there are many scenes where various systems and services are used, and authentication information is handled for each system, so it is not possible to define an authentication level based on a unified standard. In addition, the user needs to perform authentication processing for each of various systems and services, and the burden associated with the user authentication processing is large.

  On the other hand, there is a single sign-on technology that enables a plurality of systems and services to be used by a single authentication process. However, with authentication using single sign-on, if an attacker breaks the authentication even once, various systems and services may be used in subsequent operations.

  The security level required for the system or service used after authentication differs depending on the importance. For example, a system that inputs a credit card or personal information needs to have a high security level, but even if the security level is low, such as an anonymous survey, there is no problem. However, in the current authentication, appropriate authentication according to the security level of the system cannot be performed.

  In addition to PW authentication and biometric authentication, new authentication methods such as image authentication by touching an image and authentication by trajectory by touch have appeared. Considering this, for example, an authentication method with a low probability of identity cannot be used for authentication of a system with a high security level. Therefore, it is necessary to authenticate with a different authentication method for each system, and operational convenience is lowered.

  The present invention has been made in view of such a situation, and can appropriately and easily operate authentication according to the security level of the system with a unified authentication standard, and can improve security and operational convenience. I will provide a.

  In order to solve the above problems, for example, the configuration described in the claims is adopted. The present application includes a plurality of means for solving the above-mentioned problems. To give an example, a multi-level that manages authentication from a user terminal of a plurality of users to a selected system in the plurality of systems. An authentication device is provided. The multilevel authentication apparatus includes a storage unit and an authentication processing unit. The storage unit includes a plurality of authentication methods, authentication information corresponding to each authentication method, authentication management information in which an authentication level corresponding to each authentication method is set for each user, and a system authentication level for each system. At least the set system information is stored. The authentication processing unit executes an authentication process by comparing the authentication information in the storage unit corresponding to the authentication method selected from the plurality of authentication methods with the authentication information received from the terminal. When the authentication process is successful, the authentication to the selected system is performed by comparing the authentication level corresponding to the selected authentication method with the system authentication level of the selected system. .

  According to another example, there is provided a multilevel authentication method by a multilevel authentication apparatus that manages authentication from a user terminal of a plurality of users to a selected system of the plurality of systems. The multi-level authentication apparatus includes: authentication information in which a plurality of authentication methods and authentication levels corresponding to the respective authentication methods are set for each user; and system information in which a system authentication level for each system is set. Storing. In the multilevel authentication method, the multilevel authentication apparatus compares the authentication information in the multilevel authentication apparatus corresponding to the authentication method selected by the terminal with the authentication information received from the terminal, A first step of executing an authentication process; and if the authentication process in the first step is successful, the multi-level authentication device is configured to enable the authentication level corresponding to the selected authentication method and the selected system A second step of authenticating the selected system by comparing the system authentication level.

  According to the present invention, authentication according to the security level of the system can be appropriately and easily operated with a unified authentication standard, and security and operational convenience can be improved.

  Further features related to the present invention will become apparent from the description of the present specification and the accompanying drawings. Further, problems, configurations and effects other than those described above will be clarified by the description of the following examples.

1 is an overall system diagram including a multilevel authentication device according to an embodiment of the present invention. It is a functional block diagram of the multilevel authentication apparatus in the Example of this invention. It is a functional block diagram of the agent in the Example of this invention. It is an example of the user information in the Example of this invention. It is an example of the authentication management information in the Example of this invention. It is an example of the action characteristic information in the Example of this invention. It is an example of the terminal information in the Example of this invention. It is an example of the system information in the Example of this invention. It is a flowchart of the authentication process in the Example of this invention. It is a flowchart of the action characteristic determination process in the Example of this invention.

  Embodiments of the present invention will be described below with reference to the accompanying drawings. The accompanying drawings show specific embodiments in accordance with the principle of the present invention, but these are for the understanding of the present invention, and are never used to interpret the present invention in a limited manner. is not.

  In order to solve the problems, a basic service for managing unified authentication information and authentication (hereinafter referred to as MLA (Multi Level Authentication) infrastructure) will be established. It also uses the cloud to manage authentication information from various terminals.

  In this embodiment, a SaaS type multi-level authentication device is provided as a basic service. FIG. 1 is an overall view of a system including a multilevel authentication apparatus as a basic service. The MLA infrastructure (multilevel authentication apparatus 101) manages authentication of a plurality of users from a plurality of terminals to a plurality of systems. In the operation example of FIG. 1, an MLA base (multi-level authentication apparatus 101), three types of systems α, β, γ, and terminals of a plurality of users A, B, and C are shown.

  The multilevel authentication apparatus 101 is an apparatus on the cloud, and is connected to a plurality of systems α, β, and γ via a network. The multilevel authentication apparatus 101 is connected from a plurality of terminals owned by a plurality of users A, B, and C via a program (hereinafter referred to as an agent) 102. Users A, B, and C have different types of terminals and the number of terminals, and examples of terminals are information processing terminals such as PCs (Personal Computers), tablet terminals, and smartphones.

  The multilevel authentication apparatus 101 manages unified authentication information, and authenticates each user when connected from the terminals of users A, B, and C via the agent 102. When the authentication process is completed, the multilevel authentication apparatus 101 permits connection to the selected systems α, β, and γ. Thereafter, the users A, B, and C can use the selected systems α, β, and γ through the agent 102. Further, the agent 102 collects the behavior characteristics of the users A, B, and C and transmits them to the multilevel authentication apparatus 101. The multilevel authentication apparatus 101 authenticates the users A, B, and C from the behavior characteristics information. Do.

  In this embodiment, the agent 102 is installed in advance on the terminals of the users A, B, and C. Note that the agent 102 may be downloaded from the multilevel authentication apparatus 101 when the terminals of the users A, B, and C are connected to the multilevel authentication apparatus 101.

  Next, the multilevel authentication apparatus 101 and the agent 102 will be described. The multi-level authentication apparatus 101 is configured by an information processing apparatus including at least a processor such as a central processing unit (CPU), a memory, and a storage device such as a hard disk. In FIG. 1, the multilevel authentication apparatus 101 is shown as one information processing apparatus, but the present invention is not limited to this. The constituent elements of the multilevel authentication apparatus 101 may be distributed among a plurality of information processing apparatuses on the network.

  Various types of information described later (information shown in FIGS. 3 to 7) are stored in the storage device of the multilevel authentication apparatus 101. Note that these pieces of information may be stored in an information processing device different from the multilevel authentication device 101 or a storage device on a network.

  FIG. 2A shows a functional block diagram of the multilevel authentication apparatus 101. The multilevel authentication device 101 includes an authentication processing unit 201, a behavior characteristic determination unit 202, and a storage unit 203. The authentication processing unit 201 executes authentication processing by comparing authentication information received via the agent 102 with authentication information registered in advance in the storage unit 203. The behavior characteristic determination unit 202 controls the use of the system by comparing the behavior characteristic information received via the agent 102 with the behavior characteristic information registered in the storage unit 203 in advance. The storage unit 203 is a storage device such as the hard disk described above, and stores authentication information necessary for authentication processing.

  FIG. 2B shows a functional block diagram of the agent 102. The agent 102 includes an authentication information transmission / reception unit 211 and a behavior characteristic collection unit 212. The authentication information transmitting / receiving unit 211 transmits the system information selected by the user, the user terminal information, the authentication information input by the user, and the like to the multilevel authentication apparatus 101. Further, the authentication information transmission / reception unit 211 receives a notification of the result of authentication processing in the multilevel authentication apparatus 101. Note that the information transmitted and received between the authentication information transmission / reception unit 211 and the multilevel authentication device 101 is secured by encrypting / decrypting the information. In addition, the behavior characteristic collection unit 212 collects behavior characteristic information on the user's terminal, and transmits the collected behavior characteristic information to the multilevel authentication apparatus 101.

  Next, information managed by the multilevel authentication apparatus 101 will be described. The multilevel authentication apparatus 101 in this embodiment manages various information necessary for authentication processing. These pieces of information are stored in advance in the storage unit 203 of the multilevel authentication apparatus 101. Table 1 is a table for explaining information managed on the multilevel authentication apparatus 101.

  Next, a detailed example of the information described in Table 1 will be described with reference to FIGS. The various information will be described using the “table” structure in the following description, but it is not necessarily expressed by the data structure of the table, and may be expressed by other data structures.

  FIG. 3 is an example of user information. The user information includes an item number 301, a user ID 302, a user name 303, a job title 304, and an authentication point 305. In the user information of this embodiment, the authentication point 305 is managed for each job title 304. For example, the authority to the system that can be accessed may differ depending on the job title and job authority in the company. For example, a high authentication point 305 is given to a user having a higher post 304, and an authentication level point for one authentication is increased for a user having a high authentication point 305 in the authentication processing described below. Operations such as weighting may be performed. By performing such processing, access to the system can be managed according to the job title.

  FIG. 4 is an example of authentication management information. In the authentication management information, a plurality of authentication methods, authentication information corresponding to each authentication method, and an authentication level corresponding to each authentication method are set for each user. The authentication management information includes an item number 401, a user ID 402, an authentication method 403, authentication information 404, an authentication ID 405, and an authentication method authentication level 406.

  As the authentication method 403, a plurality of arbitrary methods can be registered for each user, such as PW authentication, PIN authentication, biometric authentication (for example, fingerprint authentication), image authentication, and locus authentication. Here, the image authentication is authentication in which a user selects a specific image from a plurality of images in advance. For example, image information is registered in the authentication information 404. Similarly, for biometric authentication or the like, image information such as a biometric information pattern is registered as the authentication information 404. The trajectory authentication is authentication using, for example, a finger trajectory pattern on a screen on a smartphone or tablet terminal, and information on the finger trajectory pattern is registered as the authentication information 404.

  In the authentication method authentication level 406, an authentication level obtained when authentication is successful in each authentication method is registered. For example, when the user “U001” succeeds in “PW authentication”, the point “5” of the authentication level can be obtained. In this embodiment, the authentication to the selected system is performed by comparing the point of the authentication method authentication level 406 with the system authentication level described below. Even if the points of the authentication method authentication level 406 have not reached the system authentication level, the authentication level finally obtained by the system side is obtained by executing a plurality of authentication methods and adding the points of the authentication method authentication level 406. Judge whether to reach. When the authentication level required by the system is finally reached, access to the selected system is permitted.

  FIG. 5 is an example of behavior characteristic information. The behavior characteristic information includes an item number 501, a user ID 502, a behavior characteristic item 503, a behavior characteristic 504, and previous statistical data 505.

  The information resulting from the behavioral characteristics of the principal uses statistical data of the behavioral data of the principal. Information for a certain period is aggregated as statistical data, and user behavior characteristics are analyzed in advance. This period is the “behavioral characteristic collection period” until data necessary for statistical analysis can be collected. During this period, the accuracy varies depending on the data to be collected (if the mouse click speed, a certain accuracy is maintained with 10 clicks, but the keystroke requires a period of up to 100 characters). Continue collecting behavioral characteristics until they can be collected. Information on behavioral characteristics collected in this way is registered in advance as behavioral characteristics 504. As the behavior characteristics 504, a plurality of arbitrary behavior characteristics such as keystrokes, mouse clicks, access to specific files, and the like can be registered.

  In addition to the behavior characteristics 504, the previous statistical data 505 may be managed. This is useful when the user's behavioral characteristics change gradually. For example, when the behavioral characteristics of the user are gradually changing, even if the acquired behavioral characteristic information does not match the behavioral characteristics 504, it is possible to estimate that the user is the identity if it matches the previous statistical data 505. is there. By using more recent statistical data, it is possible to obtain a certain accuracy of person estimation.

  FIG. 6 is an example of terminal information. The terminal information includes an item number 601, a user ID 602, a terminal ID 603, a terminal type 604, and a terminal name 605. The terminal information can be used, for example, when selecting an authentication method. Possible authentication methods vary depending on the terminal used. For example, when the user's terminal is a tablet or a smartphone, the multilevel authentication device 101 can notify the agent 102 that trajectory authentication can be selected as the authentication method.

  FIG. 7 is an example of system information. In the system information, a system authentication level for each system is set. The system information includes an item number 701, a system ID 702, a system name 703, a system authentication level 704, and system information 705. Since the authentication level required on the system side is different for each system, a system authentication level 704 is defined in advance for each system.

  The user authenticates the MLA infrastructure (multilevel authentication apparatus 101) when using the system, but it is possible to combine not only one authentication method but a plurality of authentication methods. The user performs the authentication process with the selected authentication method, thereby adding points of the authentication method authentication level 406 of the authentication management information. When the user finally reaches the system authentication level 704 required by the system side, access to the system is performed. Is allowed.

  Next, the authentication process in a present Example is demonstrated. FIG. 8 is a flowchart of the authentication process. In the following description, the functional blocks shown in FIGS. 2A and 2B will be described as the subject. However, the program uses a memory and a communication port (communication control device) for processing determined by the processor. However, the description may be made with the processor as the subject.

  Here, an example in which the user A uses the system α will be described. First, the authentication information transmission / reception unit 211 of the agent 102 acquires system information from the multilevel authentication apparatus 101 and displays it on the user A's terminal. User A selects system α from the list of systems displayed on the terminal (801). At that time, the authentication information transmission / reception unit 211 transmits the selected system information and the user A terminal information to the multilevel authentication apparatus 101.

  Next, the authentication information transmission / reception unit 211 acquires information on authentication methods that can be used by the terminal from the multilevel authentication apparatus 101. For example, when the user A's terminal is a personal computer, PW authentication and image authentication are possible in the example of FIG. Two authentication methods of PW authentication and image authentication are displayed on the terminal of user A, and user A selects, for example, PW authentication from the list of authentication methods displayed on the terminal (802).

  Next, the user A inputs authentication information on the terminal (803). At this time, the authentication information transmission / reception unit 211 transmits the input authentication information to the multilevel authentication apparatus 101.

  Next, the authentication processing unit 201 of the multilevel authentication apparatus 101 compares the authentication information corresponding to the authentication method (PW authentication) selected from the plurality of authentication methods with the authentication information received from the user A terminal. Thus, the authentication process is executed (804). If the authentication information received from the terminal of user A matches the authentication information 404 of FIG. 4, the process proceeds to step 805, and if not, the process returns to step 803.

  When the authentication information matches, the authentication processing unit 201 acquires the authentication level point “5” corresponding to the PW authentication from the authentication information of FIG. 4 (805). Next, the authentication processing unit 201 compares the authentication level point “5” corresponding to PW authentication with the system authentication level “10” of the selected system α, and has reached the system authentication level 704 of the system α. Is determined (806). In this case, since the point “5” of the authentication level acquired by the user A has not reached the system authentication level “10” required by the system α, the process returns to step 802 to perform additional authentication. At this time, the authentication processing unit 201 notifies the agent 102 that additional authentication is necessary.

  Next, assume that image authentication is selected in step 802 and the processing in steps 802 to 804 is executed. After step 804, the authentication processing unit 201 acquires the authentication level “8” corresponding to the image authentication from the authentication information of FIG. 4 and adds it to the point of the current authentication level (805). Thereby, the point of the authentication level obtained by the two authentication methods is “13”.

  Next, the authentication processing unit 201 determines whether the addition result of the authentication level points has reached the system authentication level 704 of the system α (806). In this case, the point of the authentication level acquired by the user A is “13”, which exceeds the system authentication level “10” of the system α. After that, the authentication processing unit 201 notifies the user A's terminal of permission to connect to the system α via the authentication information transmitting / receiving unit 211 of the agent 102. Thereby, the terminal of the user A is permitted to connect to the system α and can use the system α.

  Note that when the user A uses the system β or γ, the same processing as that of the system α is performed to perform authentication. In the above-described example, the authentication to the system is performed by combining a plurality of authentication methods. However, if the user first selects an authentication method (for example, fingerprint authentication) with a high probability of identity verification, the authentication method is performed once. It is also possible to connect to the system. The user can select an arbitrary authentication method to connect to the selected system.

  Further, when the users B and C use the system α, authentication is performed by the same process as the user A. However, since the authority is different for each user (the title of the user information and the authentication point 305 are different), the required authentication level is different even if they are the same terminal. The multi-level authentication apparatus 101 (MLA base) may change the point of the authentication method authentication level 406 obtained by the authentication process in accordance with the authority of the user (authentication point 305). Will be required.

  As described above, according to the present embodiment, the system can be used by combining various authentication methods and adding the points of the authentication level for each authentication method. Therefore, with respect to a plurality of users using various systems, the user can authenticate each system at an appropriate authentication level. Further, in this embodiment, various authentication information can be managed on the cloud and provided as a basis. Since the authentication level required by each system is managed by the multi-level authentication device 101 (MLA platform), each system does not need to be aware of information necessary for authentication processing, such as points related to authentication, and is convenient for system operation. Also improves.

  Therefore, authentication according to the security level of the system can be appropriately and easily operated with a unified authentication standard called an authentication level point, and security and operational convenience can be improved.

  Next, the behavior characteristic determination process while the authentication process of FIG. 8 is completed and the system is used will be described. A description will be given assuming that the user A uses the system α after the authentication processing of FIG.

  In this embodiment, after the authentication is successful and the user A connects to the system α, the agent 102 collects various behavior characteristics of the user A. The agent 102 transmits the collected behavior characteristic information to the multilevel authentication apparatus 101 (MLA base). The multi-level authentication device 101 determines whether the received behavior characteristic information matches the behavior characteristic information registered in advance, and controls the use of the system A of the user A. For example, when the behavior characteristic information matches, it is assumed that the user A is operating the system α and the connection with the system α is maintained.

  FIG. 9 is a flowchart of the behavior characteristic determination process showing details of the above process. After the authentication, while the user A is using the system α, the behavior characteristic collection unit 212 of the agent 102 collects behavior data information on the terminal of the user A for a predetermined period (901).

  Thereafter, the behavior characteristic collection unit 212 analyzes the collected data and transmits behavior characteristic information (for example, keystrokes, mouse clicks, etc.) to the multilevel authentication apparatus 101 (902). Here, an example has been described in which the behavior characteristic collection unit 212 of the agent 102 transmits the analysis result to the multilevel authentication apparatus 101. However, the behavior characteristic collection unit 212 transmits the behavior data on the terminal to the multilevel authentication apparatus 101. It may be transmitted one by one, and behavior characteristic information may be acquired by analyzing behavior data on the multi-level authentication device 101 side.

  Next, the behavior characteristic determination unit 202 of the multilevel authentication apparatus 101 determines whether the behavior characteristic information received from the terminal of the user A matches the behavior characteristic 504 in FIG. 5 (903). If they match, the process proceeds to step 904. Here, the behavior characteristic information received from the terminal of the user A does not have to completely match the behavior characteristic 504 in FIG. 5, and the value of the behavior characteristic 504 may have an allowable range. Therefore, the behavior characteristic determination unit 202 may determine that the received behavior characteristic information matches the behavior characteristic 504 in FIG. 5 if the received behavior characteristic information is within the allowable range. Even if the behavior characteristic 504 in FIG. 5 does not match, if the received behavior characteristic information matches the previous statistical data 505 or is within a predetermined allowable range with respect to the previous statistical data 505, the user A The process may proceed to step 904 assuming that α is being operated.

  If the behavior characteristic information matches, the connection between the terminal of user A and the system α is maintained (904). At this time, the behavior characteristic determination unit 202 registers the behavior characteristic information received from the terminal of the user A this time as the previous statistical data 505.

  On the other hand, if the behavior characteristic information does not match, a user re-authentication process is performed. As this re-authentication process, for example, steps 802 to 807 in FIG. 8 are performed. It should be noted that for a user who needs to be re-authenticated in the behavior characteristic determination process as described above, the authentication process may be executed by lowering the value of the system authentication level 704 by a predetermined value. Since the authentication to the system α has already been successful once and the probability that the user A is using it is high, it is possible to reduce the load on the user by lowering the system authentication level 704 for the second authentication. it can.

  As another example, when the behavior characteristic information does not match, the connection from the terminal of user A to the system α may be disconnected. In this case, the user A executes the authentication process of FIG. 8 again. Instead of re-authentication processing, security may be enhanced by controlling so that the system α cannot be used.

  The period during which the authentication based on the behavior characteristic information is valid is 30 minutes, and if it exceeds 30 minutes, the behavior characteristics are collected again. That is, after step 904, after 30 minutes, the process returns to step 901 again. In addition, you may change suitably the period when the authentication by this action characteristic information is effective.

  As described above, according to the present embodiment, after the system authentication process, the behavioral characteristics of the user are collected from the terminal and notified to the multilevel authentication apparatus 101 (MLA base). The multi-level authentication apparatus 101 compares the received behavior characteristic information with pre-registered behavior characteristic information and performs personal authentication. If the multi-level authentication apparatus 101 cannot be estimated as the user, the multi-level authentication apparatus 101 performs processing such as re-authentication (or system unusable) to prevent continuous use of the system. Thereby, security can be improved.

  Conventionally, there has been a system that requires a user to re-authenticate as an authentication time-out after a certain period of time has elapsed after performing authentication, but it requires the user to re-authenticate, which is cumbersome for the user. On the other hand, in this embodiment, if it is estimated that the user is the person based on the behavior characteristic information, it is possible to continue using the system without performing the re-authentication process. As a result, the operational load of re-authentication due to a system timeout can be reduced.

  In addition, this invention is not limited to the Example mentioned above, Various modifications are included. For example, the above-described embodiments have been described in detail for easy understanding of the present invention, and are not necessarily limited to those having all the configurations described. In addition, a part of the configuration of one embodiment may be replaced with the configuration of another embodiment, and the configuration of another embodiment may be added to the configuration of one embodiment. Further, it is possible to add, delete, and replace other configurations for a part of the configuration of each embodiment.

  In addition, each function, processing unit, and the like shown in the above embodiments may be realized by software by the processor interpreting and executing a program that realizes each function. Information such as programs, tables, and files for realizing each function is stored in a recording or storage device such as a memory, hard disk, or SSD (Solid State Drive), or in a recording or storage medium such as an IC card, SD card, or DVD. be able to.

  Furthermore, in the above-described embodiments, control lines and information lines are those that are considered necessary for explanation, and not all control lines and information lines on the product are necessarily shown. All the components may be connected to each other.

101: Multi-level authentication device 102: Program (agent)
201: Authentication processing unit 202: Behavior characteristic determination unit 203: Storage unit 211: Authentication information transmission / reception unit 212: Behavior characteristic collection unit

Claims (12)

A multi-level authentication device that manages authentication from a user terminal of a plurality of users to a selected system of the plurality of systems,
A storage unit;
An authentication processing unit;
With
The storage unit
A plurality of authentication methods, authentication information corresponding to each authentication method, and authentication management information in which an authentication level corresponding to each authentication method is set for each user;
System information in which a system authentication level for each system is set; and
At least
The authentication processing unit
Performing authentication processing by comparing the authentication information of the storage unit corresponding to the authentication method selected from the plurality of authentication methods with the authentication information received from the terminal;
If the authentication process is successful, authenticate the selected system by comparing the authentication level corresponding to the selected authentication method with the system authentication level of the selected system. A multi-level authentication device characterized by The multilevel authentication device according to claim 1, wherein
The authentication processing unit adds the authentication level corresponding to the selected authentication method, and determines whether the added result has reached the system authentication level of the selected system. A multi-level authentication apparatus for performing authentication to a selected system. The multilevel authentication device according to claim 2, wherein
The authentication processing unit notifies the terminal to perform additional authentication when the added result does not reach the system authentication level of the selected system. In the multilevel authentication device according to any one of claims 1 to 3,
The storage unit further stores behavior characteristic information for each user,
Multi-level authentication further comprising a behavior characteristic determination unit that controls use of the selected system by comparing the behavior characteristic information received from the terminal and the behavior characteristic information of the storage unit apparatus. The multi-level authentication device according to claim 4,
The behavioral characteristic determination unit continues the use of the selected system when the behavioral characteristic information received from the terminal matches the behavioral characteristic information in the storage unit. . The multi-level authentication device according to claim 4 or 5,
The multi-level authentication apparatus, wherein the behavior characteristic determination unit notifies the terminal of additional authentication when the behavior characteristic information received from the terminal does not match the behavior characteristic information in the storage unit. A multilevel authentication method by a multilevel authentication apparatus that manages authentication from a terminal of a user among a plurality of users to a selected system in the plurality of systems, wherein the multilevel authentication apparatus includes a plurality of authentication methods. Authentication information corresponding to each authentication method and authentication information set for each user, and system information where the system authentication level for each system is set,
The multi-level authentication device executes an authentication process by comparing the authentication information in the multi-level authentication device corresponding to the authentication method selected by the terminal with the authentication information received from the terminal. Steps,
When the authentication process in the first step is successful, the multilevel authentication device compares the authentication level corresponding to the selected authentication method with the system authentication level of the selected system. And a second step of authenticating to the selected system. The multi-level authentication method according to claim 7,
The second step includes adding the authentication levels corresponding to the selected authentication method, and determining whether the added result has reached the system authentication level of the selected system. A multi-level authentication method comprising authenticating to a selected system. The multi-level authentication method according to claim 8, wherein
The second step includes notifying the terminal to perform additional authentication if the added result does not reach the system authentication level of the selected system. Authentication method. In the multilevel authentication method according to any one of claims 7 to 9,
The multi-level authentication device further stores behavior characteristic information for each user,
The method is
The multi-level further comprising a third step of controlling the use of the selected system by comparing the behavior characteristic information received from the terminal and the behavior characteristic information in the multi-level authentication device. Authentication method. The multi-level authentication method according to claim 10, wherein
The third step includes continuing to use the selected system when the behavior characteristic information received from the terminal matches the behavior characteristic information in the multi-level authentication device. Multilevel authentication method. The multi-level authentication method according to claim 10 or 11,
The third step includes notifying the terminal of additional authentication when the behavior characteristic information received from the terminal does not match the behavior characteristic information in the multi-level authentication device. Level authentication method.

Images