WO2015060950A1 - Method and system for authenticating service - Google Patents

Method and system for authenticating service Download PDF

Info

Publication number
WO2015060950A1
WO2015060950A1 PCT/US2014/054564 US2014054564W WO2015060950A1 WO 2015060950 A1 WO2015060950 A1 WO 2015060950A1 US 2014054564 W US2014054564 W US 2014054564W WO 2015060950 A1 WO2015060950 A1 WO 2015060950A1
Authority
WO
WIPO (PCT)
Prior art keywords
terminal
link
issued
request
equipment information
Prior art date
Application number
PCT/US2014/054564
Other languages
French (fr)
Inventor
Kai Cao
Original Assignee
Alibaba Group Holding Limited
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Priority claimed from CN201310512274.4A external-priority patent/CN104580112B/en
Application filed by Alibaba Group Holding Limited filed Critical Alibaba Group Holding Limited
Priority to ES14781714T priority Critical patent/ES2802924T3/en
Priority to JP2016517306A priority patent/JP6034995B2/en
Priority to KR1020167007984A priority patent/KR101812002B1/en
Priority to EP14781714.2A priority patent/EP3061025B1/en
Priority to PL14781714T priority patent/PL3061025T3/en
Publication of WO2015060950A1 publication Critical patent/WO2015060950A1/en

Links

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31User authentication
    • G06F21/34User authentication involving the use of external additional devices, e.g. dongles or smart cards
    • G06F21/35User authentication involving the use of external additional devices, e.g. dongles or smart cards communicating wirelessly
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31User authentication
    • G06F21/42User authentication using separate channels for security data
    • G06F21/43User authentication using separate channels for security data wireless channels

Definitions

  • the present application relates to a method and system for authenticating a service.
  • a client terminal also referred to as a terminal
  • the terminal often issues a service request, such as a payment service request or an identity authentication service request, to the server.
  • a service request such as a payment service request or an identity authentication service request
  • the client issues a request to the server when asking for a service to be performed, which is called a service request.
  • the browser could issue a payment service request to the server when a user clicks a "PAY NOW" button on a payment service provider's website to transfer funds.
  • the server authenticates the user upon receiving the service request from the client.
  • the server In order to validate the service request, after the server receives the service request, the server usually does not respond to the service request immediately, but instead generates a confirmation number (typically, a 6-digit confirmation number). In some cases, the server sends the generated confirmation number via a short message service (SMS) text message to a mobile phone bound to the user account number that was used when the terminal logged onto the server based on a binding relationship between locally stored user account numbers and mobile telephone numbers.
  • SMS short message service
  • the mobile phone displays to the user the confirmation number sent by the server.
  • the user then inputs a confirmation number into the terminal through an input port of the terminal.
  • the terminal displays to the user a page where the confirmation number can be input, and the user inputs a confirmation number into an input box on the page.
  • the terminal sends the confirmation number input by the user to the server.
  • the server compares the confirmation number sent by the terminal to a locally generated confirmation number. If the confirmation number sent by the terminal and the locally generated confirmation number are the same, the server authenticates the service request and responds to the service request.
  • the mobile phone that is bound to the user account can experience a Trojan Horse infiltration or some similar infiltration, or the user of the mobile phone bound to the user account can be a victim of fraud, such that the confirmation number is intercepted by a malicious third party.
  • the confirmation number sent by the server to the mobile phone bound to the user account is misappropriated. If the misappropriated confirmation number is used by an unauthorized user during the authentication process relating to the service request, the reliability of the service request authentication cannot be assured.
  • FIG. 1 is a flow diagram of an embodiment of a process for authenticating a service.
  • FIG. 2 is a flow diagram of an embodiment of a process for determining equipment information of a terminal.
  • FIG. 3 is a structural diagram of an embodiment of a system for authenticating a service.
  • FIG. 4 is a structural diagram of an embodiment of a device for authenticating a service.
  • FIG. 5 is a functional diagram illustrating an embodiment of a programmed computer system for authenticating a service.
  • the invention can be implemented in numerous ways, including as a process; an apparatus; a system; a composition of matter; a computer program product embodied on a computer readable storage medium; and/or a processor, such as a processor configured to execute instructions stored on and/or provided by a memory coupled to the processor.
  • these implementations, or any other form that the invention may take, may be referred to as techniques.
  • the order of the steps of disclosed processes may be altered within the scope of the invention.
  • a component such as a processor or a memory described as being configured to perform a task may be implemented as a general component that is temporarily configured to perform the task at a given time or a specific component that is manufactured to perform the task.
  • the term 'processor' refers to one or more devices, circuits, and/or processing cores configured to process data, such as computer program instructions.
  • a method for authenticating a service includes the following in some embodiments: when receiving a service request sent by a user, the server generates a link address linking to an access location on the server and sends the generated link address to a terminal corresponding to a terminal identifier preset by the user. Then, when the server receives a first link request issued through the link address, the server compares the terminal issuing the first link request with the terminal corresponding to a terminal identifier preset by the user. In the event that the server determines that the terminal that issued the first link request and the terminal corresponding to the terminal identifier preset by the user are the same, the server approves the authentication of the service request. Otherwise, the server rejects the authentication of the service request.
  • the comparing of the terminal linked to the server through the link request with the terminal corresponding to the terminal identifier preset by the user also includes comparing the terminal linked to the server through the link request with an authorized terminal. Even if the link address issued by the server to the authorized terminal is
  • the server can, as the authorized terminal remains secure and is not put to illicit use, identify that the terminal that established the local link through the link address is not an authorized terminal.
  • the server will not approve authentication of the service request and thus service authentication reliability is increased as a result.
  • the link addresses correspond to Uniform Resource Locators
  • the URLs can also be called Web addresses.
  • the URLs can be linked to pages of specific access locations in the server.
  • the link addresses are not limited to specific access locations.
  • the link addresses are short links, and the short links correspond to long URLs converted through program calculations or other such methods into abbreviated Web address character strings.
  • a short link for alibaba.com is
  • the terminals correspond to PCs, mobile phones, or other such mobile terminals.
  • service requests are service requests with relatively high security requirements, such as payment service requests or identity authentication service requests.
  • FIG. 1 is a flow diagram of an embodiment of a process for authenticating a service.
  • the process 100 is implemented by the server 320 of FIG. 3 and comprises:
  • the server receives a first service request sent by a user.
  • the user issues the first service request to the server through a first terminal.
  • the terminal can be a laptop computer, a desktop computer, a tablet, a mobile device, a smart phone, a wearable networking device, or any other appropriate computing device.
  • a web browser or a standalone application is installed at each client and enables a user to access the service hosted by the server.
  • the server supports a variety of application types, such as a game website server, an online banking server, or a shopping website payment server.
  • the server may be implemented using one or more computing devices such as a computer, a multi-processor system, a microprocessor-based system, a special purpose device, a distributed computing environment including any of the foregoing systems or devices, or other appropriate hardware/software/firmware combination that includes one or more processors, and memory coupled to the processors and configured to provide the processors with instructions.
  • the server may comprise a single or multiple devices.
  • the first terminal logs onto the server based on a pre-registered user account number (such as username and password) and then sends a service request for a service to the server.
  • the first terminal is a personal computer (PC) and the server is an online banking server.
  • the PC After the PC establishes a connection, via the Internet, with the online banking server, the PC displays to the user an online banking server login page and receives a user pre- registered user account number input by the user into an input box on the login page.
  • the PC sends the user account number to the online banking server.
  • the online banking server receives a user account number from the PC and validates the received user account number from the PC.
  • the server After the online banking server approves authentication of the user account number, the server completes the login process.
  • the PC receives a first service request (such as a payment service) input by the user through a display page and sends the first service request to the online banking server.
  • a first service request (such as a payment service) input by the user through a display page and sends the first service request to the online banking server.
  • the first service request can be an HTTP Request of "POST https://service.example.com.”
  • the server generates a first link address that is used to link to an access location for the first service request. Whenever the server receives a service request, the server dynamically generates a link address for the service request.
  • the generated link address is converted into a short link.
  • each link address to an access location on a server refers to an authentication page on the server.
  • SMS Short Message Service
  • the preset terminal identifier is a terminal identifier preset by the user, and the preset terminal identifier is stored in a database accessible by the server.
  • the preset terminal identifier is a preset terminal identifier that is generated based on some variables of terminal features and a hash function, and the preset terminal identifier is stored in a database accessible by the server.
  • a user when a user registers an account number in a server, the user provides a preset terminal identifier that is bound to the registered user account number.
  • a binding relationship is recorded in the server between the user account number and the preset terminal identifier of the second terminal.
  • the server determines the preset terminal identifier corresponding to the second terminal based on the user account number used when the second terminal is logged into the server.
  • the second terminal is a mobile phone and the first terminal which a user requires service from is a mobile phone or a personal computer (PC).
  • a mobile phone number of the second terminal is provided and stored in a server, so that the server is capable of sending an SMS message to the second terminal (via the mobile phone number the user provides, which corresponds to the preset terminal identifier).
  • the user can click or activate a link in the SMS message which was sent to the second terminal and access a page of a link address.
  • the link is set to be active when being sent and is set to expire in a short period of time, e.g., a few minutes. Accordingly, the second terminal accessing the server can be quickly verified instead of implementing a whole "login process.”
  • the mobile phone number is validated when the second terminal accesses the server via an API from a telecommunication service provider.
  • the first and second terminals are two separate pieces of terminal equipment.
  • the first terminal is a PC
  • the second terminal is a mobile phone.
  • the first and second terminals are components in the same piece of terminal equipment.
  • the first and second terminals are different components (e.g., different software applications) in a mobile phone.
  • the terminal equipment has the separate functional components of the first terminal and the second terminal for performing the process 100.
  • the server when the second terminal is a mobile phone, the server sends the first link address to the second terminal by issuing a downlink short message service (SMS) text message or by another form of wireless communication.
  • SMS downlink short message service
  • the server receives a first link request from a terminal that issued the first link request and determines an issued terminal identifier of the terminal that issued the first link request based on the first link request issued from the first link address.
  • the issued terminal identifier of the terminal could be a mobile phone number.
  • the link is sent to a user's mobile phone via an SMS message.
  • the link is sent to a user's mobile phone via an Internet protocol.
  • the server could determine the mobile phone number of the mobile phone that issued the first link request by querying the mobile phone that issued the first link request through an application programming interface (API) made publicly available by an Internet operator.
  • API application programming interface
  • the second terminal displays the first link address received and directly issues the first link request to the server based on the received first link address.
  • the second terminal is a smart phone with a touch screen
  • the user can click or activate the first link address displayed on the second terminal via a browser application or the like.
  • the second terminal issues the first link request to the server based on the first link address.
  • the first link request can be POST https://jy.example.com/jy.htm7pwd_id.
  • the misappropriated first link address is sent to an unauthorized terminal, through which an unauthorized user will make an unauthorized response.
  • the first link request could be issued through the misappropriated first link address to the server.
  • the server compares the determined issued terminal identifier with the preset terminal identifier of the second terminal.
  • the server's comparing the issued terminal identifier of the terminal that was confirmed as having issued the first link request with the preset terminal identifier of the second terminal determines whether the issued terminal identifier of the terminal that issued the first link request is the same as the preset terminal identifier of the second terminal. In the event that the issued terminal identifier of the terminal that issued the first link request is the same as the preset terminal identifier of the second terminal, the determination result is that the issued terminal identifier of the terminal that issued the first link request matches the preset terminal identifier of the second terminal. In this case, the terminal that issued the first link request to the server is determined to be the second terminal.
  • the comparison result is that the issued terminal identifier of the terminal that issued the first link request does not match the preset terminal identifier of the second terminal, and the comparison result includes that the terminal that issued the first link request to the server is not the second terminal.
  • the server performs the next processing operation on the first service request based on the comparison result.
  • the next operation of the processing of the first service request includes: in response to the first service request, the server approves the authentication of the first service request, optionally sends an authentication success message to the terminal, and permits the next processing operation to proceed. Otherwise, the next processing operation of the first service request includes: in response to the first service request, the server disapproves the authentication of the first service request and the server sends back an authentication failure message to the terminal.
  • the terminal that is linked to the server is compared with an authorized terminal certified by the server (the terminal corresponding to the terminal identifier preset by the user). Even if the link address issued by the server to the authorized terminal is misappropriated, the server can, as long as the authorized terminal remains secure and is not put to unauthorized use, identify that the terminal that established the local link is not an authorized terminal. The server will not approve authentication of the service request and thus service authentication reliability can be increased.
  • the above process 100 determines whether the terminal that issued the first link request is an authorized terminal based on a preset terminal identifier. Furthermore, the server can also determine whether the terminal that issued the first link request is an authorized terminal based on terminal equipment information.
  • the terminal equipment information includes an equipment model number of a terminal, a version number of an operating system of a terminal, a version number of a browser of a terminal, a size and resolution of a display screen of a terminal, or any combination thereof.
  • the terminal equipment information is used to determine whether the terminal that issued the first link request is an authorized terminal. The determination includes:
  • the server determines equipment information of the terminal that issued the first link request. [0043] In some embodiments, operation 145 is performed simultaneously with operation
  • operation 145 is performed before or after operation 140.
  • the server compares the determined equipment information with equipment information of the second terminal.
  • operation 155 is performed simultaneously with operation
  • operation 155 is performed before or after operation 150.
  • the comparing of the equipment information of the terminal that issued the first link request with the equipment information of the second terminal includes: determining whether the equipment information of the terminal that issued the first link request is the same as the equipment information of the second terminal. In the event that the equipment information of the terminal that issued the first link request is the same as the equipment information of the second terminal, the comparison result is that the equipment information of the terminal that issued the first link request matches the equipment information of the second terminal. In the event that the equipment information of the terminal that issued the first link request and the equipment information of the second terminal are different, the comparison result is that the equipment information of the terminal that issued the first link request does not match the equipment information of the second terminal.
  • the server can, after converting the equipment information to digital values, obtain results of calculations, such as hash calculations, and compare those results.
  • the server converts the equipment information of the second terminal into a numerical value.
  • a hash calculation or other such technique is used to generate a hash character string containing N (N being a positive integer) letters or digits.
  • the server compares the N-digit hash string generated from the equipment information of the terminal that issued the first link request with an N-digit hash string generated from the equipment information of the second terminal. In the event that the two N-digit hash strings are the same, then the comparison result includes that the equipment information of the terminal that issued the first link request matches the equipment information of the second terminal. Otherwise, the comparison result includes that the equipment information of the terminal that issued the first link request does not match the equipment information of the second terminal.
  • the server after performing the comparing operations 150 and 155, the server simultaneously references the comparison results of operations 150 and 155.
  • the server approves the authentication of the first service request in the event that the comparison results of both operations 150 and 155 indicate that the issued terminal identifier of the terminal that issued the first link request matches the preset terminal identifier of the second terminal, and the equipment information of the terminal that issued the first link request matches the equipment information of the second terminal. Otherwise, the server does not approve authentication of the first service request.
  • the server determines the equipment information of the second terminal prior to the performing of operation 155 so that the comparison operation can be performed based on the determined equipment information of the second terminal in operation 155. In some embodiments, the server determines the equipment information based on, but not limited to, one of the following two approaches:
  • the server determines equipment information of the second terminal based on historical record information from when the second terminal accessed the server itself.
  • the server can, in a manner similar to process 100, interact with a terminal that used the user account number bound to the second terminal. For example, a link sent to the second terminal by the server is related to a user account and a service request. When the link is clicked and posted to the server, the related account is bound to the second terminal accordingly.
  • some equipment related information is sent to the server via, for example, a Hypertext Transfer Protocol Secure (HTTPS) protocol.
  • HTTPS Hypertext Transfer Protocol Secure
  • the server stores the equipment information of the second terminal so that the equipment information of the second terminal can be determined when process 100 is executed.
  • FIG. 2 is a flow diagram of an embodiment of a process for determining equipment information of a terminal.
  • the process 200 is an implementation of operation 145 of FIG. 1 and comprises: [0053]
  • the server when the server receives a second service request sent by a terminal using a user account number bound to the second terminal, the server generates a second link address that is used to link to an access location.
  • the terminal that sends the second service request is the second terminal.
  • the terminal is another terminal using the user account number bound to the second terminal.
  • the second service request is a service request with the same content as the first service request. In some embodiments, the second service request is a service request with different content from the first service request. "First" and “second” are used here to differentiate between service requests sent on two different occasions.
  • the first and second link addresses are different link addresses generated by the server for the first service request and the second service request, respectively.
  • the server sends the second link address to the second terminal.
  • the server determines a terminal identifier of the terminal that issued the second link request and equipment information of the terminal based on the second link request issued through the second link address.
  • the first link request and second link request can be link requests of the same type.
  • the server determines whether to approve authentication of the second service request. In the event that the server approves authentication of the second service request and the server has not received a warning message within a set length of time, the terminal that issued the second link request is confirmed as the authenticated second terminal.
  • the server locally stores the equipment information of the terminal that issued the second link request and determines that the equipment information is the equipment information of the second terminal.
  • the process 100 includes comparing the issued terminal identifier of the first terminal linked to the server with the authorized second terminal corresponding to the preset terminal identifier preset by the user.
  • the issued terminal identifier and the equipment information of the first terminal linked to the server are compared to the preset terminal identifier and the equipment information of the authorized second terminal. Even if the link address issued by the server to the authorized second terminal is misappropriated, the server can, as long as the authorized second terminal remains secure and is not put to unauthorized use, identify the fact that the first terminal that established the local link through the link address is not an authorized terminal. The server will refuse to authenticate the service request and thus service authentication reliability is increased as a result.
  • process 100 can be used in combination with traditional methods for authenticating services.
  • the service can be authenticated by combining process 100 with the conventional confirmation number methods described in the background.
  • FIG. 3 is a structural diagram of an embodiment of a system for authenticating a service.
  • the system 300 implements the process 100 of FIG. 1 and comprises a server 320, a first terminal 310, and a second terminal 315.
  • the server 320 receives, across a network 330, a first service request sent by a user to generate a first link address that is used to link to an access location (item 1), determines a preset terminal identifier, sends the first link address to the second terminal 315 corresponding to the preset terminal identifier (item 2), the preset terminal identifier being a terminal identifier preset by the user, receives a first link request from a terminal (item 3), determines an issued terminal identifier of the terminal that issued the first link request, compares the determined issued terminal identifier with the preset terminal identifier of the second terminal, and performs the next processing operation on the first service request based on the comparing results.
  • the second terminal 315 receives the first link address sent by the server 320 and issues the first link request through the first link address to the server 320.
  • the first terminal 310 issues the first service request based on user instructions.
  • the first terminal and the second terminal are different terminals. In some embodiments, the first terminal and the second terminal are the same terminal. [0068] Furthermore, the server 320 determines equipment information of the second terminal and determines equipment information of the terminal that issued the first link request, and compares the equipment information of the terminal that issued the first link request and the equipment information of the second terminal.
  • the server 320 determines the equipment information of the second terminal through, but not limited to, one of the following two approaches:
  • the server 320 determines equipment information of the second terminal 315 based on historical record information on the second terminal accessing the server.
  • the server 320 when in the past the server 320 has received a second service request sent by a terminal using a user account number bound to the second terminal 315, the server 320 generates a second link address that is used to link to the access location, sends the second link address to the second terminal, and determines a terminal identifier of the terminal that issued the second link request and equipment information of the terminal based on the second link request issued through the second link address, in the event that the server 320 determines that the terminal identifier of the terminal that issued the second link request matches the preset terminal identifier of the second terminal, and in the event that the server 320 has not received a warning message within a set length of time following the approval of the authentication of the second service request, the server 320 determines that the equipment information of the terminal that issued the second link request is the equipment information of the second terminal.
  • FIG. 4 is a structural diagram of an embodiment of a device for authenticating a service.
  • the device 400 implements the process 100 and comprises a receiving module 410, a link address generating module 420, a sending module 430, a determining module 440, a comparing module 450, and an equipment information determining module 460.
  • the receiving module 410 receives a first service request sent by a user, and receives a first link request from a terminal that issued the first link request.
  • the link address generating module 420 generates a first link address that is used to link to an access location.
  • the sending module 430 sends the first link address to a second terminal corresponding to a determined preset terminal identifier.
  • the determining module 440 determines an issued terminal identifier of the terminal that issued the first service request based on the first link request issued through the first link address.
  • the comparing module 450 compares the determined issued terminal identifier with the preset terminal identifier of the second terminal and performs the next operation in processing the first service request based on the comparison result.
  • the equipment information determining module 460 determines equipment information of the second terminal.
  • the determining module 440 further determines equipment information of the terminal that issued the first link request.
  • the comparing module 450 further compares the equipment information of the terminal that issued the first link request with the equipment information of the second terminal.
  • the equipment information determining module 460 determines the equipment information of the second terminal based on, but not limited to, one of the two approaches below:
  • the equipment information determining module 460 specifically determines equipment information of the second terminal based on historical record information on the second terminal accessing the device 400.
  • the equipment information determining module 460 together with at least one other module in the device 400, determines equipment information of the second terminal.
  • the receiving module 410 receives in the past a second service request sent by a terminal based on a user account number bound to the second terminal.
  • the link address generating module 420 further generates a second link address that is used to link to an access location.
  • the sending module 430 further sends the second link address to the second terminal.
  • the determining module 440 further determines the terminal identifier of the terminal that issued the second link request and the equipment information of the terminal based on the second link request issued through the second link address.
  • the comparing module 450 further compares the terminal identifier of the terminal that issued the second link request with the preset terminal identifier of the second terminal.
  • the equipment information determining module 460 determines that the equipment information of the terminal that issued the second link request is the equipment information of the second terminal.
  • FIG. 5 is a functional diagram illustrating an embodiment of a programmed computer system for authenticating a service.
  • Computer system 500 which includes various subsystems as described below, includes at least one microprocessor subsystem (also referred to as a processor or a central processing unit (CPU)) 502.
  • processor 502 can be implemented by a single-chip processor or by multiple processors.
  • processor 502 is a general purpose digital processor that controls the operation of the computer system 500. Using instructions retrieved from memory 510, the processor 502 controls the reception and manipulation of input data, and the output and display of data on output devices (e.g., display 518).
  • Processor 502 is coupled bi-directionally with memory 510, which can include a first primary storage, typically a random access memory (RAM), and a second primary storage area, typically a read-only memory (ROM).
  • primary storage can be used as a general storage area and as scratch-pad memory, and can also be used to store input data and processed data.
  • Primary storage can also store programming instructions and data, in the form of data objects and text objects, in addition to other data and instructions for processes operating on processor 502.
  • primary storage typically includes basic operating instructions, program code, data, and objects used by the processor 502 to perform its functions (e.g., programmed instructions).
  • memory 510 can include any suitable computer- readable storage media, described below, depending on whether, for example, data access needs to be bi-directional or uni-directional.
  • processor 502 can also directly and very rapidly retrieve and store frequently needed data in a cache memory (not shown).
  • a removable mass storage device 512 provides additional data storage capacity for the computer system 500, and is coupled either bi-directionally (read/write) or uni-directionally (read only) to processor 502.
  • storage 512 can also include computer-readable media such as magnetic tape, flash memory, PC-CARDS, portable mass storage devices, holographic storage devices, and other storage devices.
  • a fixed mass storage 520 can also, for example, provide additional data storage capacity. The most common example of mass storage 520 is a hard disk drive.
  • Mass storage 512, 520 generally store additional programming instructions, data, and the like that typically are not in active use by the processor 502. It will be appreciated that the information retained within mass storage 512 and 520 can be incorporated, if needed, in standard fashion as part of memory 510 (e.g., RAM) as virtual memory.
  • bus 514 can also be used to provide access to other subsystems and devices. As shown, these can include a display monitor 518, a network interface 516, a keyboard 504, and a pointing device 506, as well as an auxiliary input/output device interface, a sound card, speakers, and other subsystems as needed.
  • the pointing device 506 can be a mouse, stylus, track ball, or tablet, and is useful for interacting with a graphical user interface.
  • the network interface 516 allows processor 502 to be coupled to another computer, computer network, or telecommunications network using a network connection as shown.
  • the processor 502 can receive information (e.g., data objects or program instructions) from another network or output information to another network in the course of performing method/process steps.
  • Information often represented as a sequence of instructions to be executed on a processor, can be received from and outputted to another network.
  • An interface card or similar device and appropriate software implemented by e.g.,
  • processor 502 can be used to connect the computer system 500 to an external network and transfer data according to standard protocols. For example, various process embodiments disclosed herein can be executed on processor 502, or can be performed across a network such as the Internet, intranet networks, or local area networks, in conjunction with a remote processor that shares a portion of the processing. Additional mass storage devices (not shown) can also be connected to processor 502 through network interface 516. [0095] An auxiliary I/O device interface (not shown) can be used in conjunction with computer system 500.
  • the auxiliary I/O device interface can include general and customized interfaces that allow the processor 502 to send and, more typically, receive data from other devices such as microphones, touch-sensitive displays, transducer card readers, tape readers, voice or handwriting recognizers, biometrics readers, cameras, portable mass storage devices, and other computers.
  • the computer system shown in FIG. 5 is but an example of a computer system suitable for use with the various embodiments disclosed herein.
  • Other computer systems suitable for such use can include additional or fewer subsystems.
  • bus 514 is illustrative of any interconnection scheme serving to link the subsystems.
  • Other computer architectures having different configurations of subsystems can also be utilized.
  • the modules described above can be implemented as software components executing on one or more general purpose processors, as hardware such as programmable logic devices and/or Application Specific Integrated Circuits designed to perform certain functions or a combination thereof.
  • the modules can be embodied by a form of software products which can be stored in a nonvolatile storage medium (such as optical disk, flash storage device, mobile hard disk, etc.), including a number of instructions for making a computer device (such as personal computers, servers, network equipment, etc.) implement the methods described in the embodiments of the present invention.
  • the modules may be implemented on a single device or distributed across multiple devices. The functions of the modules may be merged into one another or further split into multiple sub-modules.

Abstract

Embodiments of the present application relate to a method, a system, and a computer program product for authenticating a service. A method for authenticating a service is provided. The method includes receiving a first service request from a first terminal, generating a first link address that is used to link to an access location based on the received first service request, determining a preset terminal identifier corresponding to a second terminal, the preset terminal identifier being a terminal identifier preset by the user, sending the first link address to the second terminal, receiving a first link request, determining an issued terminal identifier based on the first link request, comparing the determined issued terminal identifier with the preset terminal identifier of the second terminal, and performing a next processing operation on the first service request based on the comparison result.

Description

METHOD AND SYSTEM FOR AUTHENTICATING SERVICE
CROSS REFERENCE TO OTHER APPLICATIONS
[0001] This application claims priority to People's Republic of China Patent Application
No. 201310512274.4 entitled A SERVICE AUTHENTICATION METHOD, SYSTEM AND SERVER, filed October 25, 2013 which is incorporated herein by reference for all purposes.
FIELD OF THE DESCRIPTION
[0002] The present application relates to a method and system for authenticating a service.
BACKGROUND OF THE INVENTION
[0003] After a client terminal (also referred to as a terminal) logs onto a server using a user account number input by a user, the terminal often issues a service request, such as a payment service request or an identity authentication service request, to the server. In web applications of browser-server (or client-server) architectures, the client issues a request to the server when asking for a service to be performed, which is called a service request. For example, the browser could issue a payment service request to the server when a user clicks a "PAY NOW" button on a payment service provider's website to transfer funds. Typically, for anti-fraud purposes, the server authenticates the user upon receiving the service request from the client. In order to validate the service request, after the server receives the service request, the server usually does not respond to the service request immediately, but instead generates a confirmation number (typically, a 6-digit confirmation number). In some cases, the server sends the generated confirmation number via a short message service (SMS) text message to a mobile phone bound to the user account number that was used when the terminal logged onto the server based on a binding relationship between locally stored user account numbers and mobile telephone numbers.
[0004] The mobile phone displays to the user the confirmation number sent by the server.
The user then inputs a confirmation number into the terminal through an input port of the terminal. For example, the terminal displays to the user a page where the confirmation number can be input, and the user inputs a confirmation number into an input box on the page. The terminal sends the confirmation number input by the user to the server. The server compares the confirmation number sent by the terminal to a locally generated confirmation number. If the confirmation number sent by the terminal and the locally generated confirmation number are the same, the server authenticates the service request and responds to the service request.
[0005] However, during the actual service authentication process, the mobile phone that is bound to the user account can experience a Trojan Horse infiltration or some similar infiltration, or the user of the mobile phone bound to the user account can be a victim of fraud, such that the confirmation number is intercepted by a malicious third party. As a result, the confirmation number sent by the server to the mobile phone bound to the user account is misappropriated. If the misappropriated confirmation number is used by an unauthorized user during the authentication process relating to the service request, the reliability of the service request authentication cannot be assured.
BRIEF DESCRIPTION OF THE DRAWINGS
[0006] Various embodiments of the invention are disclosed in the following detailed description and the accompanying drawings.
[0007] FIG. 1 is a flow diagram of an embodiment of a process for authenticating a service.
[0008] FIG. 2 is a flow diagram of an embodiment of a process for determining equipment information of a terminal.
[0009] FIG. 3 is a structural diagram of an embodiment of a system for authenticating a service.
[0010] FIG. 4 is a structural diagram of an embodiment of a device for authenticating a service.
[0011] FIG. 5 is a functional diagram illustrating an embodiment of a programmed computer system for authenticating a service.
DETAILED DESCRIPTION
[0012] The invention can be implemented in numerous ways, including as a process; an apparatus; a system; a composition of matter; a computer program product embodied on a computer readable storage medium; and/or a processor, such as a processor configured to execute instructions stored on and/or provided by a memory coupled to the processor. In this specification, these implementations, or any other form that the invention may take, may be referred to as techniques. In general, the order of the steps of disclosed processes may be altered within the scope of the invention. Unless stated otherwise, a component such as a processor or a memory described as being configured to perform a task may be implemented as a general component that is temporarily configured to perform the task at a given time or a specific component that is manufactured to perform the task. As used herein, the term 'processor' refers to one or more devices, circuits, and/or processing cores configured to process data, such as computer program instructions.
[0013] A detailed description of one or more embodiments of the invention is provided below along with accompanying figures that illustrate the principles of the invention. The invention is described in connection with such embodiments, but the invention is not limited to any embodiment. The scope of the invention is limited only by the claims and the invention
encompasses numerous alternatives, modifications and equivalents. Numerous specific details are set forth in the following description in order to provide a thorough understanding of the invention. These details are provided for the purpose of example and the invention may be practiced according to the claims without some or all of these specific details. For the purpose of clarity, technical material that is known in the technical fields related to the invention has not been described in detail so that the invention is not unnecessarily obscured.
[0014] A method for authenticating a service includes the following in some embodiments: when receiving a service request sent by a user, the server generates a link address linking to an access location on the server and sends the generated link address to a terminal corresponding to a terminal identifier preset by the user. Then, when the server receives a first link request issued through the link address, the server compares the terminal issuing the first link request with the terminal corresponding to a terminal identifier preset by the user. In the event that the server determines that the terminal that issued the first link request and the terminal corresponding to the terminal identifier preset by the user are the same, the server approves the authentication of the service request. Otherwise, the server rejects the authentication of the service request.
[0015] In some embodiments, the comparing of the terminal linked to the server through the link request with the terminal corresponding to the terminal identifier preset by the user also includes comparing the terminal linked to the server through the link request with an authorized terminal. Even if the link address issued by the server to the authorized terminal is
misappropriated, the server can, as the authorized terminal remains secure and is not put to illicit use, identify that the terminal that established the local link through the link address is not an authorized terminal. The server will not approve authentication of the service request and thus service authentication reliability is increased as a result. [0016] In some embodiments, the link addresses correspond to Uniform Resource Locators
(URLs). The URLs can also be called Web addresses. The URLs can be linked to pages of specific access locations in the server. In some embodiments, the link addresses are not limited to specific access locations. For example, the link addresses are short links, and the short links correspond to long URLs converted through program calculations or other such methods into abbreviated Web address character strings. For example, a short link for alibaba.com is
http://bit.ly/18pmnGp.
[0017] In some embodiments, the terminals correspond to PCs, mobile phones, or other such mobile terminals.
[0018] In some embodiments, service requests are service requests with relatively high security requirements, such as payment service requests or identity authentication service requests.
[0019] FIG. 1 is a flow diagram of an embodiment of a process for authenticating a service.
In some embodiments, the process 100 is implemented by the server 320 of FIG. 3 and comprises:
[0020] In 110, the server receives a first service request sent by a user.
[0021] In some embodiments, the user issues the first service request to the server through a first terminal. The terminal can be a laptop computer, a desktop computer, a tablet, a mobile device, a smart phone, a wearable networking device, or any other appropriate computing device. In some embodiments, a web browser or a standalone application is installed at each client and enables a user to access the service hosted by the server. In various embodiments, the server supports a variety of application types, such as a game website server, an online banking server, or a shopping website payment server. The server may be implemented using one or more computing devices such as a computer, a multi-processor system, a microprocessor-based system, a special purpose device, a distributed computing environment including any of the foregoing systems or devices, or other appropriate hardware/software/firmware combination that includes one or more processors, and memory coupled to the processors and configured to provide the processors with instructions. The server may comprise a single or multiple devices.
[0022] In some embodiments, the first terminal, as instructed by the user, logs onto the server based on a pre-registered user account number (such as username and password) and then sends a service request for a service to the server. For example, the first terminal is a personal computer (PC) and the server is an online banking server. [0023] After the PC establishes a connection, via the Internet, with the online banking server, the PC displays to the user an online banking server login page and receives a user pre- registered user account number input by the user into an input box on the login page. The PC sends the user account number to the online banking server. The online banking server receives a user account number from the PC and validates the received user account number from the PC. After the online banking server approves authentication of the user account number, the server completes the login process. Next, the PC receives a first service request (such as a payment service) input by the user through a display page and sends the first service request to the online banking server. For example, the first service request can be an HTTP Request of "POST https://service.example.com."
[0024] In 120, the server generates a first link address that is used to link to an access location for the first service request. Whenever the server receives a service request, the server dynamically generates a link address for the service request. An example of a generated link address is https://jy.example.com/jy.htm?pwd_id=abcl23. In another example, the generated link address is converted into a short link.
[0025] In some embodiments, each link address to an access location on a server refers to an authentication page on the server. In other words, the generated link address of
https://jy.abc. com/jy.htm?pwd_id=abcl23 corresponds to the authentication page on the server.
[0026] In 130, the server determines a preset terminal identifier corresponding to a second terminal and sends the first link address to the second terminal. For example, the generated link address https://jy.example.com/jy.htm?pwd_id=abcl23 discussed above is sent as the first link address to the second terminal using a message with the format of a Short Message Service (SMS) message. In some embodiments, the preset terminal identifier is a terminal identifier preset by the user, and the preset terminal identifier is stored in a database accessible by the server. In some embodiments, the preset terminal identifier is a preset terminal identifier that is generated based on some variables of terminal features and a hash function, and the preset terminal identifier is stored in a database accessible by the server.
[0027] In some embodiments, when a user registers an account number in a server, the user provides a preset terminal identifier that is bound to the registered user account number. In other words, a binding relationship is recorded in the server between the user account number and the preset terminal identifier of the second terminal. The server determines the preset terminal identifier corresponding to the second terminal based on the user account number used when the second terminal is logged into the server. The server then sends the first link address to the second terminal based on the preset terminal identifier determined for the second terminal. For example, the first link address of https://jy.example.com/jy.htm?pwd_id=abcl23 is sent to the second terminal.
[0028] As an example, the second terminal is a mobile phone and the first terminal which a user requires service from is a mobile phone or a personal computer (PC). When a user account is initially registered, a mobile phone number of the second terminal is provided and stored in a server, so that the server is capable of sending an SMS message to the second terminal (via the mobile phone number the user provides, which corresponds to the preset terminal identifier). The user can click or activate a link in the SMS message which was sent to the second terminal and access a page of a link address. In the example, the link is set to be active when being sent and is set to expire in a short period of time, e.g., a few minutes. Accordingly, the second terminal accessing the server can be quickly verified instead of implementing a whole "login process." In some embodiments, the mobile phone number is validated when the second terminal accesses the server via an API from a telecommunication service provider.
[0029] In some embodiments, the first and second terminals are two separate pieces of terminal equipment. For example, the first terminal is a PC, and the second terminal is a mobile phone. In some embodiments, the first and second terminals are components in the same piece of terminal equipment. For example, the first and second terminals are different components (e.g., different software applications) in a mobile phone. When the first terminal and the second terminal refer to components within a piece of terminal equipment, the terminal equipment has the separate functional components of the first terminal and the second terminal for performing the process 100.
[0030] In some embodiments, when the second terminal is a mobile phone, the server sends the first link address to the second terminal by issuing a downlink short message service (SMS) text message or by another form of wireless communication.
[0031] In 140, the server receives a first link request from a terminal that issued the first link request and determines an issued terminal identifier of the terminal that issued the first link request based on the first link request issued from the first link address.
[0032] If the terminal that issued the first link request is a mobile phone, the issued terminal identifier of the terminal could be a mobile phone number. In some embodiments, the link is sent to a user's mobile phone via an SMS message. In some embodiments, the link is sent to a user's mobile phone via an Internet protocol. In this case, the server could determine the mobile phone number of the mobile phone that issued the first link request by querying the mobile phone that issued the first link request through an application programming interface (API) made publicly available by an Internet operator.
[0033] In this example, the second terminal displays the first link address received and directly issues the first link request to the server based on the received first link address. For example, if the second terminal is a smart phone with a touch screen, the user can click or activate the first link address displayed on the second terminal via a browser application or the like. After the second terminal recognizes the user's click action, the second terminal issues the first link request to the server based on the first link address. For example, the first link request can be POST https://jy.example.com/jy.htm7pwd_id.
[0034] In the event that the first link address issued by the server to the second terminal is misappropriated, the misappropriated first link address is sent to an unauthorized terminal, through which an unauthorized user will make an unauthorized response. Thus, the first link request could be issued through the misappropriated first link address to the server.
[0035] In 150, the server compares the determined issued terminal identifier with the preset terminal identifier of the second terminal.
[0036] In some embodiments, the server's comparing the issued terminal identifier of the terminal that was confirmed as having issued the first link request with the preset terminal identifier of the second terminal determines whether the issued terminal identifier of the terminal that issued the first link request is the same as the preset terminal identifier of the second terminal. In the event that the issued terminal identifier of the terminal that issued the first link request is the same as the preset terminal identifier of the second terminal, the determination result is that the issued terminal identifier of the terminal that issued the first link request matches the preset terminal identifier of the second terminal. In this case, the terminal that issued the first link request to the server is determined to be the second terminal. In the event that the issued terminal identifier of the terminal that issued the first link request and the preset terminal identifier of the second terminal are different, the comparison result is that the issued terminal identifier of the terminal that issued the first link request does not match the preset terminal identifier of the second terminal, and the comparison result includes that the terminal that issued the first link request to the server is not the second terminal. [0037] In 160, the server performs the next processing operation on the first service request based on the comparison result.
[0038] In some embodiments, in the event that the comparison result includes the issued terminal identifier of the terminal that issued the first link request being the same as the preset terminal identifier of the second terminal, the next operation of the processing of the first service request includes: in response to the first service request, the server approves the authentication of the first service request, optionally sends an authentication success message to the terminal, and permits the next processing operation to proceed. Otherwise, the next processing operation of the first service request includes: in response to the first service request, the server disapproves the authentication of the first service request and the server sends back an authentication failure message to the terminal.
[0039] Through the above process 100, the terminal that is linked to the server is compared with an authorized terminal certified by the server (the terminal corresponding to the terminal identifier preset by the user). Even if the link address issued by the server to the authorized terminal is misappropriated, the server can, as long as the authorized terminal remains secure and is not put to unauthorized use, identify that the terminal that established the local link is not an authorized terminal. The server will not approve authentication of the service request and thus service authentication reliability can be increased.
[0040] The above process 100 determines whether the terminal that issued the first link request is an authorized terminal based on a preset terminal identifier. Furthermore, the server can also determine whether the terminal that issued the first link request is an authorized terminal based on terminal equipment information. The terminal equipment information includes an equipment model number of a terminal, a version number of an operating system of a terminal, a version number of a browser of a terminal, a size and resolution of a display screen of a terminal, or any combination thereof.
[0041] In some embodiments, the terminal equipment information is used to determine whether the terminal that issued the first link request is an authorized terminal. The determination includes:
[0042] In 145, the server determines equipment information of the terminal that issued the first link request. [0043] In some embodiments, operation 145 is performed simultaneously with operation
140. In some embodiments, operation 145 is performed before or after operation 140.
[0044] In 155, the server compares the determined equipment information with equipment information of the second terminal.
[0045] In some embodiments, operation 155 is performed simultaneously with operation
150. In some embodiments, operation 155 is performed before or after operation 150.
[0046] In some embodiments, the comparing of the equipment information of the terminal that issued the first link request with the equipment information of the second terminal includes: determining whether the equipment information of the terminal that issued the first link request is the same as the equipment information of the second terminal. In the event that the equipment information of the terminal that issued the first link request is the same as the equipment information of the second terminal, the comparison result is that the equipment information of the terminal that issued the first link request matches the equipment information of the second terminal. In the event that the equipment information of the terminal that issued the first link request and the equipment information of the second terminal are different, the comparison result is that the equipment information of the terminal that issued the first link request does not match the equipment information of the second terminal.
[0047] In addition to performing a direct comparison operation to determine whether the equipment information of the terminal that issued the first link request is the same as the equipment information of the second terminal, the server can, after converting the equipment information to digital values, obtain results of calculations, such as hash calculations, and compare those results.
[0048] For example, the server converts the equipment information of the second terminal into a numerical value. For example, the equipment information of the second terminal is a version number of the browser in the terminal. This version number of the browser in the terminal is 2.3.7, which is converted to a numerical value such as, for example, 2x 100+3 x 10+7=237. A hash calculation or other such technique is used to generate a hash character string containing N (N being a positive integer) letters or digits. Then, after, based on the same calculation, generating an N-digit hash string from the equipment information of the terminal that issued the first link request, the server compares the N-digit hash string generated from the equipment information of the terminal that issued the first link request with an N-digit hash string generated from the equipment information of the second terminal. In the event that the two N-digit hash strings are the same, then the comparison result includes that the equipment information of the terminal that issued the first link request matches the equipment information of the second terminal. Otherwise, the comparison result includes that the equipment information of the terminal that issued the first link request does not match the equipment information of the second terminal.
[0049] In 160, after performing the comparing operations 150 and 155, the server simultaneously references the comparison results of operations 150 and 155. The server approves the authentication of the first service request in the event that the comparison results of both operations 150 and 155 indicate that the issued terminal identifier of the terminal that issued the first link request matches the preset terminal identifier of the second terminal, and the equipment information of the terminal that issued the first link request matches the equipment information of the second terminal. Otherwise, the server does not approve authentication of the first service request.
[0050] In some embodiments, the server determines the equipment information of the second terminal prior to the performing of operation 155 so that the comparison operation can be performed based on the determined equipment information of the second terminal in operation 155. In some embodiments, the server determines the equipment information based on, but not limited to, one of the following two approaches:
[0051] In a first approach, in the event that the second terminal accessed the server before the process 100 is performed, the server determines equipment information of the second terminal based on historical record information from when the second terminal accessed the server itself.
[0052] In a second approach, before the process 100 is performed, the server can, in a manner similar to process 100, interact with a terminal that used the user account number bound to the second terminal. For example, a link sent to the second terminal by the server is related to a user account and a service request. When the link is clicked and posted to the server, the related account is bound to the second terminal accordingly. In some embodiments, some equipment related information is sent to the server via, for example, a Hypertext Transfer Protocol Secure (HTTPS) protocol. Upon determining that the terminal is the second terminal, the server stores the equipment information of the second terminal so that the equipment information of the second terminal can be determined when process 100 is executed. FIG. 2 is a flow diagram of an embodiment of a process for determining equipment information of a terminal. In some
embodiments, the process 200 is an implementation of operation 145 of FIG. 1 and comprises: [0053] In 210, when the server receives a second service request sent by a terminal using a user account number bound to the second terminal, the server generates a second link address that is used to link to an access location.
[0054] In cases where the authentication process is normal, the terminal that sends the second service request is the second terminal. In cases where the authentication process is compromised and the first service request is intercepted, the terminal is another terminal using the user account number bound to the second terminal.
[0055] In some embodiments, the second service request is a service request with the same content as the first service request. In some embodiments, the second service request is a service request with different content from the first service request. "First" and "second" are used here to differentiate between service requests sent on two different occasions.
[0056] The first and second link addresses are different link addresses generated by the server for the first service request and the second service request, respectively.
[0057] In 220, the server sends the second link address to the second terminal.
[0058] In 230, the server determines a terminal identifier of the terminal that issued the second link request and equipment information of the terminal based on the second link request issued through the second link address.
[0059] The first link request and second link request can be link requests of the same type.
"First" and "second" are used here to differentiate between link requests relating to two different occasions of a service authentication process.
[0060] In 240, based on the matching result between the terminal identifier of the terminal that issued the second link address and the preset terminal identifier of the second terminal, the server determines whether to approve authentication of the second service request. In the event that the server approves authentication of the second service request and the server has not received a warning message within a set length of time, the terminal that issued the second link request is confirmed as the authenticated second terminal. The server locally stores the equipment information of the terminal that issued the second link request and determines that the equipment information is the equipment information of the second terminal.
[0061] In some embodiments, the process 100 includes comparing the issued terminal identifier of the first terminal linked to the server with the authorized second terminal corresponding to the preset terminal identifier preset by the user. In some embodiments, the issued terminal identifier and the equipment information of the first terminal linked to the server are compared to the preset terminal identifier and the equipment information of the authorized second terminal. Even if the link address issued by the server to the authorized second terminal is misappropriated, the server can, as long as the authorized second terminal remains secure and is not put to unauthorized use, identify the fact that the first terminal that established the local link through the link address is not an authorized terminal. The server will refuse to authenticate the service request and thus service authentication reliability is increased as a result.
[0062] Please note that process 100 can be used in combination with traditional methods for authenticating services. For example, the service can be authenticated by combining process 100 with the conventional confirmation number methods described in the background.
[0063] FIG. 3 is a structural diagram of an embodiment of a system for authenticating a service. In some embodiments, the system 300 implements the process 100 of FIG. 1 and comprises a server 320, a first terminal 310, and a second terminal 315.
[0064] In some embodiments, the server 320 receives, across a network 330, a first service request sent by a user to generate a first link address that is used to link to an access location (item 1), determines a preset terminal identifier, sends the first link address to the second terminal 315 corresponding to the preset terminal identifier (item 2), the preset terminal identifier being a terminal identifier preset by the user, receives a first link request from a terminal (item 3), determines an issued terminal identifier of the terminal that issued the first link request, compares the determined issued terminal identifier with the preset terminal identifier of the second terminal, and performs the next processing operation on the first service request based on the comparing results.
[0065] In some embodiments, the second terminal 315 receives the first link address sent by the server 320 and issues the first link request through the first link address to the server 320.
[0066] In some embodiments, the first terminal 310 issues the first service request based on user instructions.
[0067] In some embodiments, the first terminal and the second terminal are different terminals. In some embodiments, the first terminal and the second terminal are the same terminal. [0068] Furthermore, the server 320 determines equipment information of the second terminal and determines equipment information of the terminal that issued the first link request, and compares the equipment information of the terminal that issued the first link request and the equipment information of the second terminal.
[0069] Furthermore, the server 320 determines the equipment information of the second terminal through, but not limited to, one of the following two approaches:
[0070] In a first approach, the server 320 determines equipment information of the second terminal 315 based on historical record information on the second terminal accessing the server.
[0071] In a second approach, when in the past the server 320 has received a second service request sent by a terminal using a user account number bound to the second terminal 315, the server 320 generates a second link address that is used to link to the access location, sends the second link address to the second terminal, and determines a terminal identifier of the terminal that issued the second link request and equipment information of the terminal based on the second link request issued through the second link address, in the event that the server 320 determines that the terminal identifier of the terminal that issued the second link request matches the preset terminal identifier of the second terminal, and in the event that the server 320 has not received a warning message within a set length of time following the approval of the authentication of the second service request, the server 320 determines that the equipment information of the terminal that issued the second link request is the equipment information of the second terminal.
[0072] FIG. 4 is a structural diagram of an embodiment of a device for authenticating a service. In some embodiments, the device 400 implements the process 100 and comprises a receiving module 410, a link address generating module 420, a sending module 430, a determining module 440, a comparing module 450, and an equipment information determining module 460.
[0073] In some embodiments, the receiving module 410 receives a first service request sent by a user, and receives a first link request from a terminal that issued the first link request.
[0074] In some embodiments, the link address generating module 420 generates a first link address that is used to link to an access location.
[0075] In some embodiments, the sending module 430 sends the first link address to a second terminal corresponding to a determined preset terminal identifier. [0076] In some embodiments, the determining module 440 determines an issued terminal identifier of the terminal that issued the first service request based on the first link request issued through the first link address.
[0077] In some embodiments, the comparing module 450 compares the determined issued terminal identifier with the preset terminal identifier of the second terminal and performs the next operation in processing the first service request based on the comparison result.
[0078] In some embodiments, the equipment information determining module 460 determines equipment information of the second terminal.
[0079] In some embodiments, the determining module 440 further determines equipment information of the terminal that issued the first link request.
[0080] In some embodiments, the comparing module 450 further compares the equipment information of the terminal that issued the first link request with the equipment information of the second terminal.
[0081] In some embodiments, the equipment information determining module 460 determines the equipment information of the second terminal based on, but not limited to, one of the two approaches below:
[0082] In a first approach, the equipment information determining module 460 specifically determines equipment information of the second terminal based on historical record information on the second terminal accessing the device 400.
[0083] In a second approach, the equipment information determining module 460, together with at least one other module in the device 400, determines equipment information of the second terminal.
[0084] In some embodiments, the receiving module 410 receives in the past a second service request sent by a terminal based on a user account number bound to the second terminal.
[0085] In some embodiments, the link address generating module 420 further generates a second link address that is used to link to an access location.
[0086] In some embodiments, the sending module 430 further sends the second link address to the second terminal. [0087] In some embodiments, the determining module 440 further determines the terminal identifier of the terminal that issued the second link request and the equipment information of the terminal based on the second link request issued through the second link address.
[0088] In some embodiments, the comparing module 450 further compares the terminal identifier of the terminal that issued the second link request with the preset terminal identifier of the second terminal.
[0089] In some embodiments, in the event that the comparing module 450 determines that the terminal identifier of the terminal that issued the second link request matches the preset terminal identifier of the second terminal and has not received a warning message within a set length of time following approval of the authentication of the second service request, the equipment information determining module 460 determines that the equipment information of the terminal that issued the second link request is the equipment information of the second terminal.
[0090] FIG. 5 is a functional diagram illustrating an embodiment of a programmed computer system for authenticating a service. As will be apparent, other computer system architectures and configurations can be used to perform service authentication. Computer system 500, which includes various subsystems as described below, includes at least one microprocessor subsystem (also referred to as a processor or a central processing unit (CPU)) 502. For example, processor 502 can be implemented by a single-chip processor or by multiple processors. In some embodiments, processor 502 is a general purpose digital processor that controls the operation of the computer system 500. Using instructions retrieved from memory 510, the processor 502 controls the reception and manipulation of input data, and the output and display of data on output devices (e.g., display 518).
[0091] Processor 502 is coupled bi-directionally with memory 510, which can include a first primary storage, typically a random access memory (RAM), and a second primary storage area, typically a read-only memory (ROM). As is well known in the art, primary storage can be used as a general storage area and as scratch-pad memory, and can also be used to store input data and processed data. Primary storage can also store programming instructions and data, in the form of data objects and text objects, in addition to other data and instructions for processes operating on processor 502. Also as is well known in the art, primary storage typically includes basic operating instructions, program code, data, and objects used by the processor 502 to perform its functions (e.g., programmed instructions). For example, memory 510 can include any suitable computer- readable storage media, described below, depending on whether, for example, data access needs to be bi-directional or uni-directional. For example, processor 502 can also directly and very rapidly retrieve and store frequently needed data in a cache memory (not shown).
[0092] A removable mass storage device 512 provides additional data storage capacity for the computer system 500, and is coupled either bi-directionally (read/write) or uni-directionally (read only) to processor 502. For example, storage 512 can also include computer-readable media such as magnetic tape, flash memory, PC-CARDS, portable mass storage devices, holographic storage devices, and other storage devices. A fixed mass storage 520 can also, for example, provide additional data storage capacity. The most common example of mass storage 520 is a hard disk drive. Mass storage 512, 520 generally store additional programming instructions, data, and the like that typically are not in active use by the processor 502. It will be appreciated that the information retained within mass storage 512 and 520 can be incorporated, if needed, in standard fashion as part of memory 510 (e.g., RAM) as virtual memory.
[0093] In addition to providing processor 502 access to storage subsystems, bus 514 can also be used to provide access to other subsystems and devices. As shown, these can include a display monitor 518, a network interface 516, a keyboard 504, and a pointing device 506, as well as an auxiliary input/output device interface, a sound card, speakers, and other subsystems as needed. For example, the pointing device 506 can be a mouse, stylus, track ball, or tablet, and is useful for interacting with a graphical user interface.
[0094] The network interface 516 allows processor 502 to be coupled to another computer, computer network, or telecommunications network using a network connection as shown. For example, through the network interface 516, the processor 502 can receive information (e.g., data objects or program instructions) from another network or output information to another network in the course of performing method/process steps. Information, often represented as a sequence of instructions to be executed on a processor, can be received from and outputted to another network. An interface card or similar device and appropriate software implemented by (e.g.,
executed/performed on) processor 502 can be used to connect the computer system 500 to an external network and transfer data according to standard protocols. For example, various process embodiments disclosed herein can be executed on processor 502, or can be performed across a network such as the Internet, intranet networks, or local area networks, in conjunction with a remote processor that shares a portion of the processing. Additional mass storage devices (not shown) can also be connected to processor 502 through network interface 516. [0095] An auxiliary I/O device interface (not shown) can be used in conjunction with computer system 500. The auxiliary I/O device interface can include general and customized interfaces that allow the processor 502 to send and, more typically, receive data from other devices such as microphones, touch-sensitive displays, transducer card readers, tape readers, voice or handwriting recognizers, biometrics readers, cameras, portable mass storage devices, and other computers.
[0096] The computer system shown in FIG. 5 is but an example of a computer system suitable for use with the various embodiments disclosed herein. Other computer systems suitable for such use can include additional or fewer subsystems. In addition, bus 514 is illustrative of any interconnection scheme serving to link the subsystems. Other computer architectures having different configurations of subsystems can also be utilized.
[0097] The modules described above can be implemented as software components executing on one or more general purpose processors, as hardware such as programmable logic devices and/or Application Specific Integrated Circuits designed to perform certain functions or a combination thereof. In some embodiments, the modules can be embodied by a form of software products which can be stored in a nonvolatile storage medium (such as optical disk, flash storage device, mobile hard disk, etc.), including a number of instructions for making a computer device (such as personal computers, servers, network equipment, etc.) implement the methods described in the embodiments of the present invention. The modules may be implemented on a single device or distributed across multiple devices. The functions of the modules may be merged into one another or further split into multiple sub-modules.
[0098] The methods or algorithmic steps described in light of the embodiments disclosed herein can be implemented using hardware, processor-executed software modules, or combinations of both. Software modules can be installed in random-access memory (RAM), memory, read-only memory (ROM), electrically programmable ROM, electrically erasable programmable ROM, registers, hard drives, removable disks, CD-ROM, or any other forms of storage media known in the technical field.
[0099] Although the foregoing embodiments have been described in some detail for purposes of clarity of understanding, the invention is not limited to the details provided. There are many alternative ways of implementing the invention. The disclosed embodiments are illustrative and not restrictive.

Claims

1. A method for authenticating a service comprising:
receiving a first service request sent by a user from a first terminal;
generating a first link address that is used to link to an access location based on the received first service request;
determining a preset terminal identifier corresponding to a second terminal, the preset terminal identifier being a terminal identifier preset by the user;
sending the first link address to the second terminal;
receiving a first link request from a terminal that issued the first link request;
determining an issued terminal identifier of the terminal that issued the first link request based on the first link request;
comparing the determined issued terminal identifier with the preset terminal identifier of the second terminal; and
performing a next processing operation on the first service request based on the comparison result.
2. The method as described in claim 1, wherein the next processing operation includes approving authentication of the first service request in the event that the comparison results of the issued terminal identifier of the terminal that issued the first link request matches the preset terminal identifier of the second terminal.
3. The method as described in claim 1, wherein the next processing operation includes disapproving authentication of the first service request and sending back an authentication failure message to the terminal in the event that the comparison results of the issued terminal identifier of the terminal that issued the first link request does not match the preset terminal identifier of the second terminal.
4. The method as described in claim 1, wherein:
the first service request is sent through the first terminal by the user; and
the first terminal and the second terminal are different terminals or the first terminal and the second terminal are the same terminal.
5. The method as described in claim 1, further comprising:
determining equipment information of the second terminal;
determining equipment information of the terminal that issued the first link request; and comparing the equipment information of the terminal that issued the first link request with the equipment information of the second terminal.
6. The method as described in claim 5, wherein the determining of the equipment information of the second terminal comprises:
a) determining the equipment information of the second terminal based on historical record information on the second terminal accessing a server; or
b) in the event that in the past having received a second service request sent by a terminal using a user account number bound to the second terminal, generating a second link address that is used to link to the access location;
sending the second link address to the second terminal;
determining a terminal identifier of the terminal that issued a second link request and equipment information of the terminal based on the second link request issued through the second link address;
comparing the terminal identifier of the terminal that issued the second link request with the preset terminal identifier of the second terminal; and
in the event that the terminal identifier of the terminal that issued the second link request and the preset terminal identifier of the second terminal match and a warning message has not been received within a set length of time following approval of an authentication of the second service request, determining that the equipment information of the terminal that issued the second link request is the equipment information of the second terminal.
7. The method as described in claim 5, wherein the equipment information comprises an equipment model number of a terminal, a version number of a terminal operating system, a version number of a terminal browser, a size and resolution of a terminal display screen, or any
combination thereof.
8. A system for authenticating a service, comprising:
a server comprising:
at least one processor configured to:
receive a first service request sent by a user from a first terminal;
generate a first link address that is used to link to an access location based on the received first service request;
determine a preset terminal identifier corresponding to a second terminal, the preset terminal identifier being a terminal identifier preset by the user; send the first link address to the second terminal;
receive a first link request from a terminal that issued the first link request; determine an issued terminal identifier of the terminal that issued the first link request based on the first link request;
compare the determined issued terminal identifier with the preset terminal identifier of the second terminal; and
perform a next processing operation on the first service request based on the comparison result; and
a memory coupled to the at least one processor and configured to provide the at least one processor with instructions; and
the second terminal configured to receive the first link address sent by the server and issue the first link request through the first link address to the server.
9. The system as described in claim 8, further comprising:
the first terminal configured to issue the first service request according to user instructions, wherein the first terminal and the second terminal are different terminals or the first terminal and the second terminal are the same terminal.
10. The system as described in claim 8, wherein the at least one processor is further configured to:
determine equipment information of the second terminal;
determine equipment information of the terminal that issued the first link request; and compare the equipment information of the terminal that issued the first link request with the equipment information of the second terminal.
11. The system as described in claim 10, wherein the determining of the equipment information of the second terminal comprises:
a) determine the equipment information of the second terminal based on historical record information on the second terminal accessing the server; or
b) in the event that in the past having received a second service request sent by a terminal using a user account number bound to the second terminal, generate a second link address that is used to link to the access location;
send the second link address to the second terminal;
determine a terminal identifier of the terminal that issued a second link request and equipment information of the terminal based on the second link request issued through the second link address; compare the terminal identifier of the terminal that issued the second link request with the preset terminal identifier of the second terminal; and
in the event that the terminal identifier of the terminal that issued the second link request and the preset terminal identifier of the second terminal match and a warning message has not been received within a set length of time following approval of an authentication of the second service request, determine that the equipment information of the terminal that issued the second link request is the equipment information of the second terminal.
12. A server, comprising:
at least one processor configured to:
receive a first service request sent by a user from a first terminal;
generate a first link address that is used to link to an access location based on the received first service request;
determine a preset terminal identifier corresponding to a second terminal, the preset terminal identifier being a terminal identifier preset by the user;
send the first link address to the second terminal;
receive a first link request from a terminal that issued the first link request;
determine an issued terminal identifier of the terminal that issued the first link request based on the first link request;
compare the determined issued terminal identifier with the preset terminal identifier of the second terminal; and
perform the next processing operation on the first service request based on the comparison result; and
a memory coupled to the at least one processor and configured to provide the at least one processor with instructions.
13. The server as described in claim 12, wherein the at least one processor is further configured to:
determine equipment information of the second terminal;
determine equipment information of the terminal that issued the first link request; and compare the equipment information of the terminal that issued the first link request with the equipment information of the second terminal.
14. The server as described in claim 13, wherein the at least one processor is further configured to: a) determine the equipment information of the second terminal based on historical record information on the second terminal accessing a server; or
b) in the event that in the past having received a second service request sent by a terminal using a user account number bound to the second terminal, generate a second link address that is used to link to the access location;
send the second link address to the second terminal;
determine a terminal identifier of the terminal that issued a second link request and equipment information of the terminal based on the second link request issued through the second link address;
compare the terminal identifier of the terminal that issued the second link request with the preset terminal identifier of the second terminal; and
in the event that the terminal identifier of the terminal that issued the second link request and the preset terminal identifier of the second terminal match and a warning message has not been received within a set length of time following approval of an authentication of the second service request, determine that the equipment information of the terminal that issued the second link request is the equipment information of the second terminal.
15. A computer program product for authenticating a service, the computer program product being embodied in a tangible non-transitory computer readable storage medium and comprising computer instructions for:
receiving a first service request sent by a user from a first terminal;
generating a first link address that is used to link to an access location based on the received first service request;
determining a preset terminal identifier corresponding to a second terminal, the preset terminal identifier being a terminal identifier preset by the user;
sending the first link address to the second terminal;
receiving a first link request from a terminal that issued the first link request;
determining an issued terminal identifier of the terminal that issued the first link request based on the first link request;
comparing the determined issued terminal identifier with the preset terminal identifier of the second terminal; and
performing a next processing operation on the first service request based on the comparison result.
PCT/US2014/054564 2013-10-25 2014-09-08 Method and system for authenticating service WO2015060950A1 (en)

Priority Applications (5)

Application Number Priority Date Filing Date Title
ES14781714T ES2802924T3 (en) 2013-10-25 2014-09-08 Method and system for the authentication of a service
JP2016517306A JP6034995B2 (en) 2013-10-25 2014-09-08 Method and system for authenticating services
KR1020167007984A KR101812002B1 (en) 2013-10-25 2014-09-08 Method and system for authenticating service
EP14781714.2A EP3061025B1 (en) 2013-10-25 2014-09-08 Method and system for authenticating service
PL14781714T PL3061025T3 (en) 2013-10-25 2014-09-08 Method and system for authenticating service

Applications Claiming Priority (4)

Application Number Priority Date Filing Date Title
CN201310512274.4 2013-10-25
CN201310512274.4A CN104580112B (en) 2013-10-25 2013-10-25 A kind of service authentication method, system and server
US14/478,385 2014-09-05
US14/478,385 US9413744B2 (en) 2013-10-25 2014-09-05 Method and system for authenticating service

Publications (1)

Publication Number Publication Date
WO2015060950A1 true WO2015060950A1 (en) 2015-04-30

Family

ID=51663443

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/US2014/054564 WO2015060950A1 (en) 2013-10-25 2014-09-08 Method and system for authenticating service

Country Status (1)

Country Link
WO (1) WO2015060950A1 (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111278000A (en) * 2017-06-13 2020-06-12 Oppo广东移动通信有限公司 Method, device, terminal and storage medium for binding mobile phone number
CN112751928A (en) * 2020-12-28 2021-05-04 北京爱笔科技有限公司 Cross-terminal information interconnection method and device, computer equipment and storage medium
WO2023155685A1 (en) * 2022-02-15 2023-08-24 阿里巴巴(中国)有限公司 Communication method, system, and apparatus, storage medium, and processor

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20070079135A1 (en) * 2005-10-04 2007-04-05 Forval Technology, Inc. User authentication system and user authentication method
US20070136573A1 (en) * 2005-12-05 2007-06-14 Joseph Steinberg System and method of using two or more multi-factor authentication mechanisms to authenticate online parties
US20110138483A1 (en) * 2009-12-04 2011-06-09 International Business Machines Corporation Mobile phone and ip address correlation service

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20070079135A1 (en) * 2005-10-04 2007-04-05 Forval Technology, Inc. User authentication system and user authentication method
US20070136573A1 (en) * 2005-12-05 2007-06-14 Joseph Steinberg System and method of using two or more multi-factor authentication mechanisms to authenticate online parties
US20110138483A1 (en) * 2009-12-04 2011-06-09 International Business Machines Corporation Mobile phone and ip address correlation service

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111278000A (en) * 2017-06-13 2020-06-12 Oppo广东移动通信有限公司 Method, device, terminal and storage medium for binding mobile phone number
CN111278000B (en) * 2017-06-13 2022-10-28 Oppo广东移动通信有限公司 Method, device, terminal and storage medium for binding mobile phone number
CN112751928A (en) * 2020-12-28 2021-05-04 北京爱笔科技有限公司 Cross-terminal information interconnection method and device, computer equipment and storage medium
CN112751928B (en) * 2020-12-28 2023-08-01 北京爱笔科技有限公司 Cross-terminal information interconnection method, device, computer equipment and storage medium
WO2023155685A1 (en) * 2022-02-15 2023-08-24 阿里巴巴(中国)有限公司 Communication method, system, and apparatus, storage medium, and processor

Similar Documents

Publication Publication Date Title
US9894053B2 (en) Method and system for authenticating service
KR102141836B1 (en) Two factor authentication
US20190124076A1 (en) Method and system for verifying an account operation
CN108804906B (en) System and method for application login
JP6282349B2 (en) Method and system for determining whether a terminal logged into a website is a mobile terminal
WO2017107956A1 (en) Data processing method, client and server
CN106850503B (en) Login-free identity authentication method and device
US20210099431A1 (en) Synthetic identity and network egress for user privacy
US9825955B2 (en) Method and system for exchanging information
US10135808B1 (en) Preventing inter-application message hijacking
JP2014106593A (en) Transaction authentication method and system
WO2015060950A1 (en) Method and system for authenticating service
US11037146B2 (en) Managing product returns associated with a user device
CN112967056A (en) Access information processing method and device, electronic equipment and medium
US20140215592A1 (en) Method, apparatus and system for user authentication
CN108074175A (en) Electronic signature method and device
KR101679183B1 (en) Server and method for electronic signature
US20240073029A1 (en) Multi-Computer System For User Authentication Based on Client-Side One-Time Passcode
US20230125547A1 (en) Authorization code for access
CN117097508A (en) Method and device for cross-device security management of NFT (network File transfer protocol)
CN114357425A (en) Application processing method and device
CA2982061A1 (en) Managing product returns associated with a user device
WO2016033144A1 (en) Method and system for exchanging information

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 14781714

Country of ref document: EP

Kind code of ref document: A1

REEP Request for entry into the european phase

Ref document number: 2014781714

Country of ref document: EP

WWE Wipo information: entry into national phase

Ref document number: 2014781714

Country of ref document: EP

ENP Entry into the national phase

Ref document number: 20167007984

Country of ref document: KR

Kind code of ref document: A

Ref document number: 2016517306

Country of ref document: JP

Kind code of ref document: A

NENP Non-entry into the national phase

Ref country code: DE