(11)EP 3 893 196 A1

(12)EUROPEAN PATENT APPLICATION
published in accordance with Art. 153(4) EPC

(43)Date of publication:
13.10.2021 Bulletin 2021/41

(21)Application number: 19909984.7

(22)Date of filing:  26.12.2019
(51)International Patent Classification (IPC): 
G06T 7/00(2017.01)
G06F 21/31(2013.01)
G06Q 50/10(2012.01)
G06T 7/20(2017.01)
G06F 21/32(2013.01)
(52)Cooperative Patent Classification (CPC):
G06F 21/32; G06F 21/31; G06T 7/00; G06Q 50/10; G06T 7/20
(86)International application number:
PCT/JP2019/051070
(87)International publication number:
WO 2020/149136 (23.07.2020 Gazette  2020/30)
(84)Designated Contracting States:
AL AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HR HU IE IS IT LI LT LU LV MC MK MT NL NO PL PT RO RS SE SI SK SM TR
Designated Extension States:
BA ME
Designated Validation States:
KH MA MD TN

(30)Priority: 15.01.2019 JP 2019004321

(71)Applicant: GLORY LTD.
Himeji-shi Hyogo 670-8567 (JP)

(72)Inventors:
  • FUJITA, Yuichi
    Himeji-shi, Hyogo 670-8567 (JP)
  • NISHIDA, Shigenobu
    Himeji-shi, Hyogo 670-8567 (JP)
  • KOKUBUN, Ayumi
    Himeji-shi, Hyogo 670-8567 (JP)
  • MORIWAKI, Sotaro
    Himeji-shi, Hyogo 670-8567 (JP)

(74)Representative: Jenkins, Peter David et al
Page White & Farrer Bedford House John Street
London WC1N 2BF (GB)

  


(54)AUTHENTICATION SYSTEM, MANAGEMENT DEVICE, AND AUTHENTICATION METHOD


(57) In order to efficiently perform personal authentication when a user performs various procedures, an authentication system causes a user A to access a management device 20 through a mobile terminal 10 and perform initial registration including registration of a moving image of the user A. When the user A uses a service at a branch X of a financial institution ABC or at a convenience store Y, the management device 20 receives a moving image of the user A taken at the branch or store, performs an authentication process corresponding to a usage type, and notifies the branch or store of the authentication result.




Description

TECHNICAL FIELD



[0001] The present invention relates to an authentication system, a management device, and an authentication method that efficiently perform, when a user performs various procedures, authentication (hereinafter referred to as "personal authentication") of whether a person performing the procedures is the user themselves.

BACKGROUND ART



[0002] Conventionally, a bank account opening reception terminal device that receives applications for opening accounts of a plurality of banks in an unmanned manner has been known. For example, the bank account opening reception terminal device disclosed in Patent Literature 1 takes a picture of a face of an applicant and reads an identification card of the applicant. This device performs authentication of the applicant based on the face image and the identification card of the applicant.

[0003] Moreover, a technology for improving authentication accuracy by combining a plurality of types of authentication has been known. For example, in the device disclosed in Patent Literature 2, a first authentication unit performs a first type individual authentication of a person. Individual feature information of the person, who is an authentication target, obtained by an individual feature information extraction unit of the first authentication unit is used for setting a camera and a lighting position. Thereafter, a second authentication unit performs a second type individual authentication based on image data of the person to be authenticated taken by the camera.

CITATION LIST


[PATENT LITERATURE]



[0004] 

[PTL 1] Japanese Laid-Open Patent Publication No. 2003-030452

[PTL 2] Japanese Laid-Open Patent Publication No. 2005-258860


SUMMARY OF THE INVENTION


PROBLEMS TO BE SOLVED BY THE INVENTION



[0005] However, the technology of Patent Literature 1 allows an applicant to open a new bank account, but it cannot be used for anything other than opening an account, such as settlement or internet banking. The authentication accuracy can be improved by using the technology of Patent Literature 2 of combining a plurality of types of authentication, but this technology cannot handle a plurality of services having different authentication levels.

[0006] For example, when a user changes their address, the user needs to perform a procedure for notifying a financial institution of the address change, a procedure for notifying a public institution of moving-out and moving-in, a procedure for notifying each of the other institutions of the address change, etc. The technology of Patent Literature 1 cannot handle such procedures. The user has to go to the financial institution, the public institution, and the other institutions to perform these procedures, which requires excessive effort. In addition, the user needs to perform personal authentication individually in each of these procedures. Therefore, it is an important issue to perform personal authentication efficiently for various procedures.

[0007] The present invention is made to solve the problem of the conventional art, and an object of the present invention is to provide an authentication system, a management device, and an authentication method that allow authentication to be efficiently performed when a user performs various procedures.

SOLUTION TO THE PROBLEMS



[0008] In order to solve the above-described problem, the present invention provides an authentication system having an authentication information management unit configured to manage a plurality of items of authentication information for authenticating a user, the authentication system including: a usage type determination unit configured to determine a predetermined usage type; an authentication type selection unit configured to select an authentication type corresponding to the usage type determined by the usage type determination unit, from among a plurality of authentication types; an authentication processing unit configured to perform an authentication process for the user based on the authentication type selected by the authentication type selection unit; and a notification unit configured to notify a result of authentication of the user by the authentication processing unit.

[0009] According to the present invention, in the above configuration, the authentication processing unit performs an authentication process including at least dynamic biometric authentication using a moving image including a face portion of the user and a voice of the user.

[0010] According to the present invention, in the above configuration, in the dynamic biometric authentication, an authentication process including a face authentication process based on a face image of the user included in the moving image and a voice authentication process based on voice information of the user included in the moving image is performed.

[0011] According to the present invention, in the above configuration, the face authentication process is a process of collating the face image of the user included in the moving image with a face image included in the authentication information managed by the authentication information management unit.

[0012] According to the present invention, in the above configuration, the authentication information managed by the authentication information management unit is information on a certificate including a face image of the user and issued by a public institution.

[0013] According to the present invention, in the above configuration, the voice authentication process is a process of collating attribute information on the user indicated by a voice uttered by the user with attribute information included in the authentication information managed by the authentication information management unit.

[0014] According to the present invention, in the above configuration, the voice authentication process is a process of collating a keyword indicated by a voice uttered by the user with a predetermined keyword that the user has been previously requested to utter.

[0015] According to the present invention, in the above configuration, the voice authentication process is a process of collating voiceprint information of the user included in a voice uttered by the user with voiceprint information included in the authentication information managed by the authentication information management unit.

[0016] According to the present invention, in the above configuration, the dynamic biometric authentication includes lip authentication for authenticating whether movement of a lip of the user included in the moving image matches a keyword indicated by a voice of the user included in the moving image.

[0017] According to the present invention, in the above configuration, the authentication process in the authentication processing unit is executed by a management device configured to communicate with a mobile terminal possessed by the user.

[0018] According to the present invention, in the above configuration, the authentication process by the authentication processing unit is executed in the mobile terminal possessed by the user.

[0019] According to the present invention, in the above configuration, authentication information to be managed by the authentication information management unit is registered from the mobile terminal possessed by the user.

[0020] The present invention also provides a management device having an authentication information management unit configured to manage a plurality of items of authentication information for authenticating a user, the management device including: a usage type determination unit configured to determine a predetermined usage type; an authentication type selection unit configured to select an authentication type corresponding to the usage type determined by the usage type determination unit, from among a plurality of authentication types; an authentication processing unit configured to perform an authentication process for the user based on the authentication type selected by the authentication type selection unit; and a notification unit configured to notify a result of authentication of the user by the authentication processing unit.

[0021] The present invention also provides an authentication method in an authentication system having an authentication information management unit configured to manage a plurality of items of authentication information for authenticating a user, the authentication method including: a usage type determination step of determining a predetermined usage type; an authentication type selection step of selecting an authentication type corresponding to the usage type determined in the usage type determination step, from among a plurality of authentication types; an authentication processing step of performing an authentication process for the user based on the authentication type selected in the authentication type selection step; and a notification step of notifying a result of authentication of the user in the authentication processing step.

ADVANTAGEOUS EFFECTS OF THE INVENTION



[0022] According to the present invention, authentication can be efficiently performed when a user performs various procedures.

BRIEF DESCRIPTION OF THE DRAWINGS



[0023] 

[FIG. 1] FIG. 1 is a diagram showing an outline of an authentication system according to Embodiment 1.

[FIG. 2] FIG. 2 is a functional block diagram showing the configuration of a management device shown in FIG. 1.

[FIG. 3] FIG. 3 is a diagram showing an example of an authentication information table shown in FIG. 2.

[FIG. 4] FIG. 4 is a diagram showing an example of an authentication type management table shown in FIG. 2.

[FIG. 5] FIG. 5 illustrates an authentication process of an authentication type 5 shown in FIG. 4.

[FIG. 6] FIG. 6 is a flowchart showing a processing procedure at the time of initial registration.

[FIG. 7] FIG. 7 is a diagram showing a screen example (No. 1) of a mobile terminal at the time of initial registration.

[FIG. 8] FIG. 8 is a diagram showing a screen example (No. 2) of the mobile terminal at the time of initial registration.

[FIG. 9] FIG. 9 is a diagram showing a screen example (No. 3) of the mobile terminal at the time of initial registration.

[FIG. 10] FIG. 10 is a diagram showing a screen example (No. 4) of the mobile terminal at the time of initial registration.

[FIG. 11] FIG. 11 is a flowchart showing a processing procedure at the time of personal authentication.

[FIG. 12] FIG. 12 is a diagram showing an outline of an authentication system according to Embodiment 2.

[FIG. 13] FIG. 13 is a functional block diagram showing the configuration of a management device shown in FIG. 12.

[FIG. 14] FIG. 14 is a flowchart showing a processing procedure at the time of initial registration.

[FIG. 15] FIG. 15 is a flowchart showing a processing procedure at the time of service reservation.


DESCRIPTION OF EMBODIMENTS



[0024] Hereinafter, preferable embodiments of the authentication system, the management device, and the authentication method according to the present invention will be described with reference to the accompanying drawings. In Embodiments 1 and 2, the case of providing an authentication service using a management device that serves as a server device of a client-server system is described, but the present invention is not limited thereto. For example, the present invention can also be applied to the case of providing an authentication service on a cloud system.

[Embodiment 1]


<Outline of authentication system according to Embodiment 1>



[0025] First, an outline of an authentication system according to Embodiment 1 will be described. The authentication system according to Embodiment 1 provides a personal authentication service by using face authentication with moving images, voice authentication, etc. That is, the authentication system according to Embodiment 1 can prove to a third party that a user is authentic by performing an authentication process using dynamic biometric information after the user registers the face and the voice of the user in advance in the system.

[0026] Specifically, an official certificate including a face image of the user is registered in the authentication system in advance. For example, the My Number Card or the driver's license can be used as the official certificate. The authentication system performs authentication of whether the face image included in the registered official certificate is the same as a face image of the user taken by, for example, a mobile terminal 10, through face authentication. The authentication system causes the user to utter the name of the user or a keyword on an authentication application in the mobile terminal 10, and performs authentication of whether the name or keyword obtained by voice recognition of this voice is the same as that in the official certificate. The authentication system performs authentication of whether the voiceprint included in the voice uttered on the authentication application in the mobile terminal 10 is the same as a voiceprint of the user registered in advance. The authentication system performs lip authentication of whether each phoneme included in the voice matches the movement of the lip of the user. The authentication system performs authentication of whether a user is authentic by performing dynamic biometric authentication including a plurality of types of authentication from among the above-described types of authentication.

[0027] For example, when the user changes their address, the user performs initial registration in the authentication system. The initial registration improves the efficiency of personal authentication required for a procedure of the address change when the user performs the procedure at each financial institution by using the authentication system. In addition to the financial institutions, the efficiency of personal authentication can be improved in various situations such as, when purchasing items at convenience stores, when performing address change procedures at public institutions, when purchasing meal tickets at automatic ticket vending machines in employee cafeterias, etc. The authentication system can change an authentication type to be used, depending on the usage type of services the user uses.

[0028] The outline of the authentication system according to Embodiment 1 will be specifically described with reference to FIG. 1. FIG. 1 is a diagram showing the outline of the authentication system according to Embodiment 1. The case where a user A performs initial registration for an authentication service at home or the like, then moves to a branch X of a financial institution ABC to receive the authentication service, and moves to a convenience store Y to receive the authentication service, will be described.

[0029] The authentication system shown in FIG. 1 performs, when the user A uses various services, personal authentication corresponding to the usage type under a condition that the user A registers, in advance, a moving image, attribute information, and a service selected by the user. Specifically, an authentication type corresponding to the usage type is selected from among a plurality of authentication types, and an authentication process of the selected authentication type is performed.

[0030] A management device 20 which forms the core of this authentication system can communicate with the mobile terminal 10 of the user A. The mobile terminal 10 is a terminal device such as a smartphone, a tablet, etc. The mobile terminal 10 accesses the management device 20 by, for example, 4G standard LTE (Long Term Evolution) communication or WiFi communication.

[0031] The management device 20 is communicably connected to a financial institution server 32 of a certain financial institution, a settlement server 43 of a certain settlement system, and a public institution server 44 of a public institution. The financial institution server 32 enables internet banking using the mobile terminal 10 of the user. The settlement server 43 manages the amount of electronic money and the like of each user. The public institution server 44 manages the resident list and the like of a municipality.

[0032] The management device 20 has a function of determining a usage type, a function of selecting an authentication type corresponding to the determined usage type from among a plurality of authentication types, a function of performing an authentication process for the user A based on the selected authentication type, and a function of notifying the authentication result of the user A. The authentication corresponding to the usage type means that authentication corresponding to a usage scene of the user A is performed. For example, when the user A is present at the branch X of the financial institution ABC, it is undesirable for the user A to utter personal information such as the name of the user A. Therefore, the management device 20 selects an authentication type that uses a moving image including utterance of a keyword that does not include the personal information. Meanwhile, when the user A is present at home, the management device 20 selects an authentication type that uses a moving image including utterance of the personal information. For example, when the user A purchases a low-priced item at the convenience store Y, the management device 20 selects an authentication type that can be performed in a relatively easy way using a moving image. Meanwhile, when the user A withdraws a large amount of money at the branch X of the financial institution ABC, the management device 20 selects an authentication type that is performed highly accurately by using a moving image.

[0033] When the user A needs to receive the authentication service of the authentication system, the user A accesses the management device 20 by using the mobile terminal 10 possessed by the user A to perform initial registration (step S1). Embodiment 1 describes the case where the user A downloads an authentication application for the authentication service from the management device 20 or a predetermined website by using the mobile terminal 10, launches the authentication application on the mobile terminal 10, and performs the initial registration, but the user A may directly access the management device 20 and perform the initial registration on the website. In the initial registration, the user registers a moving image including a face image and a voice, attribute information, a selected service, account information of a bank account, the My Number, etc., of the user. The initial registration will be described in detail later.

[0034] Thereafter, the user A moves to the branch X of the financial institution ABC. For example, the user A performs a procedure of changing the address of the bank account or a procedure of opening a new bank account of the changed address. A bank teller who operates a window terminal 31 at a teller window calls the user A, and the user A launches the authentication application in the mobile terminal 10, performs a login operation, accesses the management device 20, and makes an authentication request (step S2). The management device 20 that has received the authentication request performs an authentication process for the user A. Specifically, the management device 20 selects an authentication type matching the usage type from among the plurality of authentication types, and performs an authentication process corresponding to the selected authentication type. The authentication process is performed by using a moving image. The authentication process will be described in detail later.

[0035] The management device 20 notifies the financial institution server 32 of the financial institution ABC of the authentication result (step S3). If the financial institution server 32 receives a notification of the authentication result indicating that the user A is an authenticated user, the financial institution server 32 subsequently performs processes for the teller window, such as changing the address of the bank account, opening a new bank account of the changed address, etc. (step S4). Accordingly, the financial institution ABC can perform various procedures while preventing user spoofing. Here, the case where an authentication request is made from the mobile terminal 10 of the user A to the management device 20 has been described, but in the case where the window terminal 31 is provided with a function of obtaining a moving image and a function of making an authentication request, an authentication request can also be made from the window terminal 31 to the management device 20.

[0036] When the user A moves to the convenience store Y and purchases an item, a camera 42 connected to a POS terminal 41 in the store Y takes a moving image of the user A (step S5). The POS terminal 41 uses this moving image to make an authentication request to the management device 20 (step S6). The management device 20 that has received the authentication request performs an authentication process for the user A. The management device 20 selects an authentication type matching the usage type from among the plurality of authentication types, and performs an authentication process corresponding to the selected authentication type. The authentication process is performed by using the moving image.

[0037] The management device 20 notifies the settlement server 43 of the authentication result (step S7). If the settlement server 43 receives a notification of the authentication result indicating that the user A is an authenticated user, the settlement server 43 notifies the POS terminal 41 that it is possible to settle the purchased item by electronic money, automatic deduction from the bank account by the financial institution ABC, or the like. Then, the settlement is performed in the POS terminal 41 (step S8). Therefore, for example, even when the battery of the mobile terminal 10 of the user A runs out or the user A loses the mobile terminal 10, the user A can purchase an item. In particular, even when the mobile terminal 10 cannot be used due to a disaster or the like, the user A can purchase an item if a moving image of the user A can be obtained at the store Y. Similar to the case of the financial institution ABC, an authentication request can also be made by the mobile terminal 10 of the user A.

[0038] As described above, in the authentication system according to Embodiment 1, the user A accesses the management device 20 through the mobile terminal 10 and performs initial registration including registration of a user's moving image. When the user A uses a service at the branch X of the financial institution ABC or at the convenience store Y, a moving image is transmitted to the management device 20. The management device 20 performs the authentication process corresponding to the usage type and notifies the branch or the store of the authentication result. Accordingly, the personal authentication can be efficiently performed in the various procedures for the user A. Although the detailed description thereof is omitted for convenience of description, when a procedure at a public institution such as a city hall needs to be performed, an authentication result can be notified from the management device 20 to the public institution server 44.

<Configuration of management device 20>



[0039] Next, the configuration of the management device 20 shown in FIG. 1 will be described. FIG. 2 is a functional block diagram showing the configuration of the management device 20 shown in FIG. 1. As shown in FIG. 2, the management device 20 includes an input unit 21, a display unit 22, a communication I/F unit 23, a memory 24, and a control unit 25.

[0040] The input unit 21 is an input device such as a keyboard and a mouse. The display unit 22 is a display device such as a liquid crystal panel or a liquid crystal display. The communication I/F unit 23 performs communication with the mobile terminal 10, etc.

[0041] The memory 24 is a secondary storage unit such as a hard disk drive or a non-volatile memory. The memory 24 stores an authentication information table 24a and an authentication type management table 24b. The authentication information table 24a includes attribute information, authentication information, information about a shared service, etc., for each user identification information that uniquely identifies a user. The attribute information includes personal information such as the name, the address, and the telephone number of the user. The authentication information includes a moving image including the face and the voice of the user, iris information of the user, etc. The information about the shared service includes system types to which the authentication system is applied.

[0042] FIG. 3 is a diagram showing an example of the authentication information table 24a shown in FIG. 2. As shown in FIG. 3, attribute information of a name "oO TANAKA", an address "··· (omitted) ··· Tokyo", and a telephone number "03(1234)5678" is associated with a user ID "A123". The attribute information can also include the phonetic characters of the name of the user, the age of the user, the phone number of the mobile terminal 10, an e-mail address, etc.

[0043] As the authentication information, a moving image including a face and a voice, etc., are associated with the user ID "A123". For example, the user utters five different types of keywords at the time of initial registration, a moving image of the user uttering each keyword is taken, and these five types of moving images are associated with the user ID "A123". In addition, the plurality of keywords uttered by the user are registered so as to be associated with the user ID "A123". For example, if a sentence "What school did you graduate from?" is displayed on the display unit of the mobile terminal 10 and the user utters "oo University", the "oo University" obtained by the voice recognition is registered as a keyword. If a sentence "What is your mother's name?" is displayed on the display unit of the mobile terminal 10 and the user utters "KO", the "KO" obtained by the voice recognition is registered as a keyword.

[0044] Similarly, voiceprint information of the user is registered. A sentence having a predetermined length is displayed on the display unit of the mobile terminal 10, the user reads the sentence aloud, and voiceprint information of the user obtained by analyzing the voice data is registered in the authentication information table 24a. As the voiceprint information, one or both of the acoustic feature values (frequency characteristics) and the linguistic feature values (phoneme arrangement characteristics) of the voice are acquired. As for the moving images, keywords, and voiceprint information, the data itself can be stored in the authentication information table 24a, or link information to each data file can be stored therein. Although not shown for convenience of description, the iris information of the user is stored as authentication information.

[0045] FIG. 3 shows a case in which the financial institution ABC, a settlement system DEF, and a public system GHI are associated with the user ID "A123" as the shared services. Although not shown for convenience of description, a branch name and an account number can be stored for the financial institution ABC, an identification number for electronic money can be stored for the settlement system DEF, and the identification number in the My Number Card can be stored for the public system GHI.

[0046] Similarly, attribute information including a name "ΔRO YAMAMOTO", an address "... (omitted) ... Tokyo", and a telephone number "03(9876)5432", authentication information including a moving image including a face and a voice, and information about a shared service are registered for a user ID "A456". For the user ID "A456", the settlement system DEF is excluded from the shared services.

[0047] The authentication type management table 24b is a table showing combinations of authentications corresponding to each of a plurality of authentication types. In the authentication system according to Embodiment 1, an authentication type corresponding to a usage type such as a usage scene of the user is selected from among the plurality of authentication types, and an authentication process for the user is performed based on the selected authentication type. The plurality of authentication types are registered in the authentication type management table 24b in advance such that an authentication type corresponding to the usage type can be selected easily.

[0048] FIG. 4 is a diagram showing an example of the authentication type management table 24b shown in FIG. 2. As shown in FIG. 4, an authentication type 1 is an authentication type in which an authentication process is performed through face authentication. An authentication type 2 is an authentication type in which dynamic biometric authentication is performed through face authentication and voice authentication 1 (attribute). The voice authentication 1 (attribute) means an authentication process of determining whether attribute information (for example, name) included in a voice uttered by the user matches the attribute information of the user.

[0049] An authentication type 3 is an authentication type in which dynamic biometric authentication is performed through face authentication and voice authentication 2 (keyword). The voice authentication 2 (keyword) means an authentication process of displaying a question whose correct answer is known only by the user on the display unit of the mobile terminal 10, and determining whether a keyword is included in a voice recognition result of the user's answer to the question. For example, in the authentication process, a sentence "What school did you graduate from?" is displayed on the display unit of the mobile terminal 10, "oo University" is uttered by the user, and it is determined whether the voice-recognized "oo University" is registered as a keyword in the authentication information table 24a.

[0050] An authentication type 4 is an authentication type in which dynamic biometric authentication is performed through face authentication and voice authentication 3 (voiceprint). For example, in the authentication process, a sentence "Please read aloud the sentence shown below" is displayed on the display unit of the mobile terminal 10, voiceprint information is acquired from a voice obtained through the reading by the user, and it is determined whether the acquired voiceprint information matches the voiceprint information registered in the authentication information table 24a.

[0051] An authentication type 5 is an authentication type in which dynamic biometric authentication is performed through face authentication, the voice authentication 2 (keyword), and lip authentication. The lip authentication is an authentication process of authenticating whether phonemes obtained through utterance by the user match the movement of the mouth of the user. FIG. 5 illustrates an authentication process of the authentication type 5 shown in FIG. 4. As shown in FIG. 5, in the dynamic biometric authentication of the authentication type 5, a face authentication process is performed by using the face included in a moving image, and the voice authentication (keyword) is performed as described above, based on the voice included in the moving image. Furthermore, an authentication process of whether the user has truly spoken is performed based on the correspondence relationship between the movement of the mouth and the lip included in each image forming the moving image and the phonemes included in the voice. Accordingly, fraudulent reproduction of a recorded voice prepared in advance can be prevented.

[0052] An authentication type 6 is an authentication type in which dynamic biometric authentication is performed through face authentication, the voice authentication 3 (voiceprint), and lip authentication. An authentication type 7 is an authentication type in which dynamic biometric authentication is performed through face authentication, the voice authentication 2 (keyword), the voice authentication 3 (voiceprint), lip authentication, and iris authentication. The authentication type 7 is an authentication type adopted when advanced individual authentication for accurately identifying an individual is required.

[0053] As described above, in Embodiment 1, seven levels of authentication types, that is, the authentication types 1 to 7, are provided, and the closer to the authentication type 7, the higher the authentication level. The above-described authentication types 1 to 7 are examples, and each authentication type may be obtained by freely combining the plurality of authentications. In addition to the illustrated authentication, various types of authentication with personal biometric information such as fingerprint authentication and palm print authentication can also be combined.

[0054] Returning to the description of FIG. 2, the control unit 25 controls the entirety of the management device 20. The control unit 25 includes an authentication information management unit 25a, an initial registration processing unit 25b, a usage type determination unit 25c, an authentication type selection unit 25d, an authentication processing unit 25e, and an authentication result notification unit 25f. In actuality, programs corresponding to these functional units are stored in a ROM or a nonvolatile memory which are not shown in the figure, and these programs are loaded to a CPU and executed, thereby causing the CPU to perform processes corresponding to the authentication information management unit 25a, the initial registration processing unit 25b, the usage type determination unit 25c, the authentication type selection unit 25d, the authentication processing unit 25e, and the authentication result notification unit 25f.

[0055] The authentication information management unit 25a manages the authentication information for each user by using the authentication information table 24a stored in the memory 24. As described above, the attribute information, the authentication information, the shared service, etc., of each user are registered in the authentication information table 24a. The authentication information management unit 25a performs a process of updating these items of information, etc.

[0056] The initial registration processing unit 25b performs initial registration when the user newly uses the authentication system. In Embodiment 1, a user who newly uses the authentication system downloads a predetermined authentication application from the management device 20 or a predetermined web server by using the mobile terminal 10, and launches the authentication application on the mobile terminal 10. Then, a confirmation document such as the driver's license, attribute information such as the name of the user, authentication information such as a moving image, and a shared service are registered through the authentication application. Although the case of using the authentication application is shown here, the user can access an HTTP server by using a web browser, and perform the initial registration on the web browser.

[0057] The usage type determination unit 25c determines the usage type based on the situation and the like of the user. For example, when the user is performing a procedure of changing the address or opening an account at a financial institution, the usage type determination unit 25c determines that the usage type is "financial institution handling". For example, when the user is performing a procedure of sending a large amount of money or sending money abroad at a financial institution, the usage type determination unit 25c determines that the usage type is "remittance of high amount". As described above, the usage type determination unit 25c determines the usage type corresponding to the situation of the user.

[0058] The authentication type selection unit 25d selects an authentication type corresponding to the usage type determined by the usage type determination unit 25c. For example, when the usage type determination unit 25c determines that the usage type is "remittance of high amount", the authentication type selection unit 25d selects the authentication type 7 having a high authentication level. For example, when an authentication type is to be selected for an automatic ticket vending machine in a company cafeteria, the authentication type selection unit 25d selects the authentication type 1 of the simple authentication process, for a user who used the company cafeteria within the last two months, and selects the authentication type 2 for a user who has not used the company cafeteria over the last two months or longer. For example, the authentication type selection unit 25d selects the authentication type 2 when the user is present at home, and selects the authentication type 3 when the user is not present at home. This is because it is not appropriate, from the viewpoint of protection of personal information, to make the user utter attribute information such as the name when the user is present at a location other than the home. It is noted that a table not shown in the figure is previously prepared to indicate the correspondence relationship between the authentication type and the usage type. Alternatively, the authentication type for the usage type can be selected by using a technique such as deep learning.

[0059] The authentication processing unit 25e performs an authentication process corresponding to the authentication type selected by the authentication type selection unit 25d. For example, when the authentication type 5 is selected by the authentication type selection unit 25d, the authentication processing unit 25e performs dynamic biometric authentication including a face authentication, a voice authentication (keyword), and a lip authentication, by using a moving image of the user. The face authentication, the voice authentication (keyword), and the lip authentication are well known and therefore the detailed description is omitted.

[0060] The authentication result notification unit 25f notifies the result of the authentication process performed by the authentication processing unit 25e. The notification destination of the authentication result is not limited to the mobile terminal 10. The window terminal 31 of the financial institution, the settlement server 43, etc., can also be notification destinations.

<Initial registration process>



[0061] Next, an initial registration process by the management device 20 will be described. FIG. 6 is a flowchart showing a processing procedure at the time of initial registration. FIG. 7 to FIG. 10 are diagrams showing screen examples of the mobile terminal 10 at the time of initial registration.

[0062] As shown in FIG. 6, when the initial registration is performed, a confirmation document is first registered (step S101). Specifically, when an operation of selecting "new registration" is performed on the screen of the authentication application shown in FIG. 7, a confirmation document registration screen shown in FIG. 8 is displayed. For example, if a driver's license is placed within the camera frame and an operation of selecting a "continue" button is performed, an image of the driver's license is transmitted to the management device 20 as the confirmation document.

[0063] Thereafter, attribute information is registered (step S102). Specifically, an attribute information registration screen shown in FIG. 9 is displayed on the display unit of the mobile terminal 10. If a name "oO TANAKA", an address "··· Tokyo", and a telephone number "03(1234)5678" are inputted and a "continue" button is selected as shown in FIG. 9, the inputted attribute information is transmitted to the management device 20.

[0064] Thereafter, a moving image is registered (step S103). Specifically, the name of the user and a plurality of keywords (for example, five keywords) are displayed in order, on the display unit of the mobile terminal 10, and when the user utters them, a moving image including the face and the voice of the user is captured and transmitted to the management device 20.

[0065] Thereafter, a shared service is registered (step S104). Specifically, among a plurality of financial institutions, a plurality of settlement systems, a plurality of public institution services, etc., the user inputs a financial institution name, a settlement system name, and a public institution service name for which the authentication service is used. For example, as shown in FIG. 10, account information of the user such as a financial institution name "ABC", a branch name "Akasaka", and an account number "1234567" can be registered, and identification number information for a settlement system such as an electronic money name "DEF" and an identification number "1111111" can be registered.

<Processing procedure of management device 20 at time of personal authentication>



[0066] Next, the processing procedure of the management device 20 at the time of personal authentication will be described. FIG. 11 is a flowchart showing the processing procedure at the time of personal authentication. Here, it is assumed that the initial registration is completed in advance and login is being performed in the authentication application on the mobile terminal 10. For example, the mobile terminal 10 displays one of the plurality of keywords registered at the time of initial registration, on the display screen of the authentication application, causes the user to utter this keyword, and takes a moving image of the user. Then, the mobile terminal 10 transmits information including the moving image to the management device 20 to perform login with the moving image.

[0067] As shown in FIG. 11, after the management device 20 accepts the login with the moving image (step S201), the management device 20 determines a usage type (step S202). For example, the management device 20 acquires information (voice data, text) regarding a situation such as withdrawal of a large amount of money at a financial institution, from the mobile terminal 10 via the authentication application. Thereafter, the management device 20 determines the usage type based on the information acquired from the mobile terminal 10.

[0068] Thereafter, the management device 20 selects an authentication type based on the usage type (step S203). Specifically, the management device 20 selects an authentication type corresponding to the usage type from among the authentication types 1 to 7 shown in FIG. 4. An authentication type selection can be made by using a table showing the correspondence relationship between preset usage types and authentication types. Alternatively, the management device 20 can also make such a selection by using a learned model obtained through deep learning.

[0069] Thereafter, the management device 20 performs an authentication process corresponding to the selected authentication type (step S204). For example, when the authentication process 5 shown in FIG. 4 is selected, dynamic biometric authentication including face authentication, voice authentication (keyword), and lip authentication shown in FIG. 5 is performed. Thereafter, the authentication result is transmitted to the corresponding destination (step S205).
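The authentication type table of paragraphs [0047] to [0053] and the selection and processing steps S203 and S204, sketched as an added example that is not part of the application text. The factor identifiers, the usage type name "general procedure", the 61-day reading of "two months", the single 0.90 matcher threshold and the fail-closed default for unmapped usage types are assumptions; the face, voiceprint, lip and iris matchers are represented by scores supplied by the caller.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

# Authentication types 1-7 as described for FIG. 4 in [0048]-[0052].
# Factor identifiers are names chosen for this example.
AUTH_TYPES = {
    1: ("face",),
    2: ("face", "voice_attribute"),
    3: ("face", "voice_keyword"),
    4: ("face", "voiceprint"),
    5: ("face", "voice_keyword", "lip"),
    6: ("face", "voiceprint", "lip"),
    7: ("face", "voice_keyword", "voiceprint", "lip", "iris"),
}
HIGHEST_TYPE = max(AUTH_TYPES)
MATCH_THRESHOLD = 0.90            # assumption: one threshold for every matcher
RECENT_USE = timedelta(days=61)   # assumption: "two months" read as 61 days


@dataclass
class Context:
    usage_type: str
    today: date
    last_cafeteria_use: Optional[date] = None
    at_home: bool = False


@dataclass
class Enrolled:
    """Stand-in for one user's row in the authentication information table 24a."""
    name: str
    keywords: frozenset


@dataclass
class Evidence:
    """What was extracted from one moving image (constructed by the caller)."""
    transcript: str = ""                          # voice recognition result
    scores: dict = field(default_factory=dict)    # factor -> similarity, 0..1


def select_auth_type(ctx):
    """Step S203: usage type and user situation -> authentication type."""
    if ctx.usage_type == "remittance of high amount":
        return 7
    if ctx.usage_type == "company cafeteria":
        recent = (ctx.last_cafeteria_use is not None
                  and ctx.today - ctx.last_cafeteria_use <= RECENT_USE)
        return 1 if recent else 2
    if ctx.usage_type == "general procedure":     # hypothetical usage type name
        # Away from home, type 3 avoids asking the user to utter the name.
        return 2 if ctx.at_home else 3
    return HIGHEST_TYPE   # assumption: an unmapped usage type fails closed


def check_factor(factor, enrolled, ev):
    """Evaluate one factor of an authentication type against the evidence."""
    text = ev.transcript.casefold()
    if factor == "voice_attribute":
        # Empty enrolment data must never match ("" is in every string).
        return bool(enrolled.name) and enrolled.name.casefold() in text
    if factor == "voice_keyword":
        return any(k and k.casefold() in text for k in enrolled.keywords)
    # Score-based factors: a factor with no score counts as failed.
    return ev.scores.get(factor, 0.0) >= MATCH_THRESHOLD


def run_auth_type(auth_type, enrolled, ev):
    """Step S204: every factor of the type must pass. Returns (ok, failed)."""
    failed = [f for f in AUTH_TYPES[auth_type]
              if not check_factor(f, enrolled, ev)]
    return (not failed, failed)


def authenticate(ctx, enrolled, ev):
    """Steps S203 and S204 together. Returns (auth_type, ok, failed)."""
    auth_type = select_auth_type(ctx)
    ok, failed = run_auth_type(auth_type, enrolled, ev)
    return auth_type, ok, failed


# Constructed sample data, not taken from the application.
USER = Enrolled(name="Taro Tanaka", keywords=frozenset({"Example University"}))
# Face and spoken keyword match, but the mouth movement does not follow
# the phonemes, the case lip authentication is meant to catch in [0051].
MISMATCHED_LIPS = Evidence(transcript="example university",
                           scores={"face": 0.97, "lip": 0.20})

if __name__ == "__main__":
    print(run_auth_type(3, USER, MISMATCHED_LIPS))
    print(run_auth_type(5, USER, MISMATCHED_LIPS))
    ctx = Context("remittance of high amount", date(2021, 10, 13))
    print(authenticate(ctx, USER, MISMATCHED_LIPS))
```

The same evidence passes type 3 and is rejected by type 5, and under type 7 the absent voiceprint and iris scores are reported as failures rather than skipped.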

[0070] As described above, in the authentication system according to Embodiment 1, the management device 20 is accessed from the mobile terminal 10 of the user A, and initial registration including registration of a moving image of the user A is performed. When the user A uses a service at the branch X of the financial institution ABC or at the convenience store Y, a moving image of the user A is transmitted to the management device 20. The management device 20 performs the authentication process corresponding to the usage type, and notifies the branch or the store of the authentication result. Accordingly, personal authentication can be efficiently performed for various procedures performed by the user A.

[0071] In particular, according to Embodiment 1, authentication in a plurality of different types of systems can be efficiently performed regardless of business type. In addition, a cardless environment can be promoted. Furthermore, there is no need to add a dedicated device to the mobile terminal 10 for the authentication. It is sufficient if the mobile terminal 10 has a camera, a microphone, and a communication function and therefore, the range of use of the authentication system can be expanded.

[0072] This authentication system can also be applied to the case of performing one-to-N authentication in which one person is authenticated out of N people. Even when a smartphone owned by each user cannot be used due to a disaster, if there is one shared terminal such as a tablet that can take a moving image with voice, personal authentication of the user can be performed by using this shared terminal as the mobile terminal 10 and therefore, the authentication system is extremely effective at the time of a disaster. Depending on the combination of shared systems, items can also be purchased through personal authentication without money at the time of a disaster.

[0073] Embodiment 1 describes the case where dynamic biometric authentication, which is the combination of face authentication, the voice authentication 1 (attribute), the voice authentication 2 (keyword), the voice authentication 3 (voiceprint), lip authentication, and iris authentication shown in FIG. 4, is performed, but the present invention is not limited thereto, and various types of authentication can be freely combined. Various types of authentication with individual authentication information such as fingerprint authentication and palm print authentication can be used in combination.

[0074] Embodiment 1 describes the case where various authentication processes are performed on the management device 20, but the present invention is not limited thereto. The authentication process can be performed on the mobile terminal 10, and the authentication result can be notified from the mobile terminal 10 to the management device 20. In this case, the authentication type is notified from the management device 20 to the mobile terminal 10, and the mobile terminal 10 that has received the notification of the authentication type performs the authentication process corresponding to the authentication type.

[0075] Embodiment 1 describes the case where the initial registration is performed in advance, but the present invention is not limited thereto, and the initial registration and the personal authentication can be performed in succession. Furthermore, Embodiment 1 describes the case where the authentication type is selected according to the usage type, but the present invention is not limited thereto, and the authentication type can be selected by focusing on the situation of the user. In addition, the user and the family of the user can be associated with each other in the system. Furthermore, when the user is an inbound user (foreigner visiting Japan), a low-level authentication type can be selected in their own country, and a high-level authentication type can be selected in Japan.

[Embodiment 2]


<Outline of authentication system according to Embodiment 2>



[0076] Next, an authentication system in the case where a user located in a country X enters a country Y and uses a service in the country Y will be described. The present embodiment shows the case where a user B performs initial registration for an authentication service in the country X, then leaves the country X, enters the country Y, and uses the service in the country Y. It is assumed that the country Y is Japan.

[0077] FIG. 12 is a diagram showing an outline of an authentication system according to Embodiment 2. As shown in FIG. 12, when the user B receives the authentication service by the authentication system, the user B accesses a management device 110 by using a mobile terminal 100 possessed by the user B, and performs initial registration (step S11). In the initial registration, a moving image including a face image and a voice, attribute information (name, passport number, international driver's license number, etc.), settlement information (credit information, bank account information, payment means, etc.), etc., of the user B are registered.

[0078] Thereafter, the user B makes a usage service reservation (step S12). In the usage service reservation, a service type, a period, a usage means, etc. are registered. For example, when an inbound user uses private lodging (so-called "Minpaku" in Japanese), a service type "private lodging", a period "February 1st to February 10th, 2019", and a usage means "two-dimensional bar code" are registered.

[0079] The management device 110 makes a service reservation to a service management device 120 of a service management company (step S13). When the service management company can provide the corresponding service, the service management device 120 transmits permission information as a reply, to the management device 110 (step S14). The permission information includes, for example, information of a two-dimensional barcode that is a key when using the private lodging.

[0080] Then, when the user B enters the country Y, that is, Japan, and uses the private lodging, the user B launches an authentication application in the mobile terminal 100, accesses the management device 110, and performs a process for a service usage request including transmission of a moving image of the user B (step S15). The management device 110 that has received the service usage request performs personal authentication by using the received moving image (step S16). At this time, the management device 110 can perform an authentication process using the dynamic biometric authentication described in Embodiment 1. As a result, if the personal authentication is performed correctly, the management device 110 transmits service permission information to the mobile terminal 100 (step S17). The service permission information includes, for example, a two-dimensional bar code that is a key for the private lodging.

[0081] If the mobile terminal 100 receives the service permission information from the management device 110, the mobile terminal 100 stores the service permission information in a memory within the mobile terminal 100 (step S18), and uses the service permission information for the service (step S19). In the case of the private lodging, the key of a house or condominium for the private lodging can be unlocked with the two-dimensional bar code. The user B can unlock the house or condominium by using the two-dimensional bar code included in the service permission information. An alert is issued to the mobile terminal 100 before the period registered in the usage service reservation (step S20) elapses, and the key cannot be unlocked after this period elapses.

[0082] As described above, in the authentication system of Embodiment 2, a foreigner visiting Japan can efficiently perform personal authentication in Japan. Therefore, it is possible for the foreigner visiting Japan to efficiently use a service in Japan. For example, when a foreigner visiting Japan uses private lodging, it is possible to go directly to the corresponding house or condominium and unlock the house or condominium by using the two-dimensional bar code included in the service permission information. The fee required for the service can be collected from the user by using the settlement system registered at the time of initial registration.

<Configuration of management device 110>



[0083] Next, the configuration of the management device 110 shown in FIG. 12 will be described. FIG. 13 is a functional block diagram showing the configuration of the management device 110 shown in FIG. 12. As shown in FIG. 13, the management device 110 includes an input unit 111, a display unit 112, a communication I/F unit 113, a memory 114, and a control unit 115.

[0084] The input unit 111 is an input device such as a keyboard and a mouse. The display unit 112 is a display device such as a liquid crystal panel or a liquid crystal display. The communication I/F unit 113 performs communication with the mobile terminal 100, the service management device 120, etc.

[0085] The memory 114 is a secondary storage unit such as a hard disk drive or a non-volatile memory. The memory 114 stores a user information table 114a and a service information management table 114b. The user information table 114a includes attribute information, authentication information, reservation service information, etc., for each piece of user identification information that uniquely identifies a user. The attribute information includes personal information such as the name, the passport number, the telephone number, etc., of the user. The authentication information includes a moving image including the face and the voice of the user, etc. The reservation service information includes information about the service reserved by the user. The service information management table 114b is a table that manages access destination information of service management devices 120 of various services that can be provided to the user.

[0086] The control unit 115 controls the entirety of the management device 110. The control unit 115 includes a user information management unit 115a, an initial registration processing unit 115b, a usage service reservation processing unit 115c, a permission information acquisition unit 115d, an authentication processing unit 115e, and a service permission information notification unit 115f. In actuality, programs corresponding to these functional units are stored in a ROM or a nonvolatile memory which are not shown in the figure, and these programs are loaded to a CPU and executed, thereby causing the CPU to perform processes corresponding to the user information management unit 115a, the initial registration processing unit 115b, the usage service reservation processing unit 115c, the permission information acquisition unit 115d, the authentication processing unit 115e, and the service permission information notification unit 115f.

[0087] The user information management unit 115a manages the information for each user by using the user information table 114a stored in the memory 114. As described above, the attribute information, the authentication information, the reservation service information, etc., of each user are registered in the user information table 114a. The user information management unit 115a performs a process of updating the items of information, etc.

[0088] The initial registration processing unit 115b performs initial registration when the user newly uses the authentication system. Specifically, a confirmation document such as the passport or the international driver's license, attribute information such as the name of the user, authentication information such as a moving image, and settlement information are registered through the authentication application. Although the case of using the authentication application is shown here, the user can access an HTTP server by using a web browser, and perform the initial registration on the web browser.

[0089] The usage service reservation processing unit 115c reserves a service to be used by the user. The usage service reservation processing unit 115c reserves a usage service type, a period, and a usage means. The permission information acquisition unit 115d acquires permission information from the service management device 120 corresponding to the service reserved for the user. The permission information includes, for example, a two-dimensional bar code that is a key for private lodging.

[0090] The authentication processing unit 115e performs dynamic biometric authentication using a moving image. The details of the dynamic biometric authentication are the same as in Embodiment 1, and thus the detailed description thereof is omitted. The service permission information notification unit 115f notifies the mobile terminal 100 of the user of service permission information. The service permission information includes, for example, a two-dimensional bar code that is a key when using the private lodging.

<Initial registration process>



[0091] Next, an initial registration process by the management device 110 shown in FIG. 13 will be described. FIG. 14 is a flowchart showing a processing procedure at the time of initial registration by the management device 110 shown in FIG. 13. As shown in FIG. 14, attribute information is first registered (step S301). The attribute information includes an image in a passport or an international driver's license, a name, a passport number, a telephone number, etc.

[0092] Thereafter, a moving image including a face and a voice of the user is captured by using the mobile terminal 100, and the captured moving image is registered (step S302). When capturing the moving image, the mobile terminal 100 makes the user utter the user's name and a plurality of keywords, and each moving image is registered.

[0093] Thereafter, settlement information of the user is registered (step S303). Specifically, a financial institution name, a branch name, and an account number of a financial institution, an identification number for electronic money, etc., are registered.

<Processing procedure of management device 110 at time of service reservation>



[0094] Next, the processing procedure of the management device 110 at the time of service reservation will be described. FIG. 15 is a flowchart showing the processing procedure of the management device 110 at the time of service reservation. Here, it is assumed that the initial registration is completed in advance. For example, the mobile terminal 100 displays one of the plurality of keywords registered at the time of initial registration, on the display screen of the authentication application, causes the user to utter this keyword, and takes a moving image of the user. Then, the mobile terminal 100 transmits information including the moving image to the management device 110 to perform login with the moving image.

[0095] When the management device 110 accepts the login with the moving image (step S401), the management device 110 performs an authentication process with dynamic biometric information using the moving image (step S402). As a result, when it is determined that the person is not the legitimate person (step S403; No), the management device 110 performs an error process (step S404) and ends the processing.

[0096] On the other hand, when it is determined that the person is the legitimate person (step S403; Yes), the management device 110 receives the type of a service to be used (for example, use of private lodging) (step S405) and receives a usage period (step S406).

[0097] Thereafter, the management device 110 accesses the corresponding service management device 120 to acquire permission information (step S407), registers reservation information in the user information table 114a (step S408), and ends the above series of processes.

<Processing procedure of management device 110 at time of service process>



[0098] When the user uses a service, the management device 110 accepts login with a moving image, similar to the time of the service reservation. Thereafter, the management device 110 performs an authentication process with dynamic biometric information using a moving image. When it is determined that the person is the legitimate person, service permission information is notified to the mobile terminal 100.

[0099] As described above, in the authentication system of Embodiment 2, a foreigner visiting Japan can efficiently perform personal authentication in Japan. Therefore, it is possible for the foreigner visiting Japan to efficiently use a service in Japan. For example, when a foreigner visiting Japan uses private lodging, it is possible to go directly to the corresponding house or condominium and unlock the house or condominium using the two-dimensional bar code included in service permission information. The fee required for the service can be collected from the user by using the settlement system registered at the time of initial registration.

[0100] Embodiment 2 describes the case of using private lodging for which unlocking can be performed with a two-dimensional bar code, but the present invention is not limited thereto, and can also be applied to the case of unlocking a key using short-range wireless communication. In addition, the service type is not limited to the private lodging, and the present invention can also be used for hotel reservation and car sharing.

[0101] Moreover, in order to identify the user, a postal mail that can be received only by the user may be sent to the address obtained from an official certificate to confirm the identity of the user, the user may be guided to a verification website by a two-dimensional bar code or the like in which an authentication URL is written and which is attached to the postal mail, and face authentication, voice authentication, etc., may be performed again, thereby further preventing spoofing.

[0102] The constituent elements described in Embodiment 1 or 2 described above are conceptually functional constituent elements, and thus may not be necessarily configured as physical constituent elements, as illustrated in the drawings. That is, distributed or integrated forms of each device are not limited to the forms illustrated in the drawings, and all or some of the forms may be distributed or integrated functionally or physically in any unit depending on various loads, use statuses, or the like.

INDUSTRIAL APPLICABILITY



[0103] The authentication system, the management device, and the authentication method according to the present invention are useful in efficiently performing personal authentication when the user performs various procedures.

DESCRIPTION OF THE REFERENCE CHARACTERS



[0104] 
A, B: User
10: Mobile terminal
20: Management device
21: Input unit
22: Display unit
23: Communication I/F unit
24: Memory
24a: Authentication information table
24b: Authentication type management table
25: Control unit
25a: Authentication information management unit
25b: Initial registration processing unit
25c: Usage type determination unit
25d: Authentication type selection unit
25e: Authentication processing unit
25f: Authentication result notification unit
31: Window terminal
32: Financial institution server
41: POS terminal
42: Imaging device (camera)
43: Settlement server
44: Public institution server
100: Mobile terminal
110: Management device
111: Input unit
112: Display unit
113: Communication I/F unit
114: Memory
114a: User information table
114b: Service information management table
115: Control unit
115a: User information management unit
115b: Initial registration processing unit
115c: Usage service reservation processing unit
115d: Permission information acquisition unit
115e: Authentication processing unit
115f: Service permission information notification unit
120: Service management device



Claims

1. An authentication system having an authentication information management unit configured to manage a plurality of items of authentication information for authenticating a user, the authentication system comprising:

a usage type determination unit configured to determine a predetermined usage type;

an authentication type selection unit configured to select an authentication type corresponding to the usage type determined by the usage type determination unit, from among a plurality of authentication types;

an authentication processing unit configured to perform an authentication process for the user based on the authentication type selected by the authentication type selection unit; and

a notification unit configured to notify a result of authentication of the user by the authentication processing unit.


 
2. The authentication system according to claim 1, wherein the authentication processing unit performs an authentication process including at least dynamic biometric authentication using a moving image including a face portion of the user and a voice of the user.
 
3. The authentication system according to claim 2, wherein, in the dynamic biometric authentication, an authentication process including a face authentication process based on a face image of the user included in the moving image and a voice authentication process based on voice information of the user included in the moving image is performed.
 
4. The authentication system according to claim 3, wherein the face authentication process is a process of collating the face image of the user included in the moving image with a face image included in the authentication information managed by the authentication information management unit.
 
5. The authentication system according to claim 3 or 4, wherein the authentication information managed by the authentication information management unit is information on a certificate including a face image of the user and issued by a public institution.
 
6. The authentication system according to claim 3 or 4, wherein the voice authentication process is a process of collating attribute information on the user indicated by a voice uttered by the user with attribute information included in the authentication information managed by the authentication information management unit.
 
7. The authentication system according to claim 3, wherein the voice authentication process is a process of collating a keyword indicated by a voice uttered by the user with a predetermined keyword that the user has been previously requested to utter.
 
8. The authentication system according to claim 3, wherein the voice authentication process is a process of collating voiceprint information of the user included in a voice uttered by the user with voiceprint information included in the authentication information managed by the authentication information management unit.
 
9. The authentication system according to claim 3, wherein the dynamic biometric authentication includes lip authentication for authenticating whether movement of a lip of the user included in the moving image matches a keyword indicated by a voice of the user included in the moving image.
 
10. The authentication system according to any one of claims 1 to 9, wherein the authentication process by the authentication processing unit is executed in a management device configured to communicate with a mobile terminal possessed by the user.
 
11. The authentication system according to any one of claims 1 to 9, wherein the authentication process by the authentication processing unit is executed in the mobile terminal possessed by the user.
 
12. The authentication system according to any one of claims 1 to 11, wherein authentication information to be managed by the authentication information management unit is registered from the mobile terminal possessed by the user.
 
13. A management device having an authentication information management unit configured to manage a plurality of items of authentication information for authenticating a user, the management device comprising:

a usage type determination unit configured to determine a predetermined usage type;

an authentication type selection unit configured to select an authentication type corresponding to the usage type determined by the usage type determination unit, from among a plurality of authentication types;

an authentication processing unit configured to perform an authentication process for the user based on the authentication type selected by the authentication type selection unit; and

a notification unit configured to notify a result of authentication of the user by the authentication processing unit.


 
14. An authentication method in an authentication system having an authentication information management unit configured to manage a plurality of items of authentication information for authenticating a user, the authentication method comprising:

determining a predetermined usage type;

selecting an authentication type corresponding to the usage type determined in the determining, from among a plurality of authentication types;

performing an authentication process for the user based on the authentication type selected in the selecting; and

notifying a result of authentication of the user in the authentication process.
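
The flow recited in claims 1, 7, 13 and 14 (select an authentication type for the determined usage type, authenticate, notify), as an added Python example that is not code from the application. The usage type names, the thresholds, the single-use keyword with a 60-second lifetime, and the upstream per-factor match scores are assumptions made for illustration.

```python
import hmac
from dataclasses import dataclass, field

# Constructed stand-in for the authentication type management table (24b):
# usage type -> minimum match score per required factor. All values are assumptions.
AUTH_TYPE_TABLE = {
    "store_payment": {"face": 0.80},
    "lodging_unlock": {"face": 0.85, "keyword": 1.0},
    "account_opening": {"face": 0.90, "voiceprint": 0.85, "keyword": 1.0, "lip_sync": 0.80},
}
KEYWORD_TTL_SECONDS = 60  # assumed lifetime of a requested keyword


@dataclass
class KeywordChallenge:
    keyword: str
    issued_at: float
    used: bool = False

    def score(self, spoken: str, now: float) -> float:
        """Return 1.0 only for a fresh, unused, exactly matching keyword."""
        fresh = 0 <= now - self.issued_at <= KEYWORD_TTL_SECONDS
        heard = spoken.strip().lower().encode()
        ok = fresh and not self.used and hmac.compare_digest(heard, self.keyword.lower().encode())
        self.used = True  # single use: a replayed recording cannot pass later
        return 1.0 if ok else 0.0


@dataclass
class AuthResult:
    usage_type: str
    authenticated: bool
    failed: list = field(default_factory=list)  # kept server-side for audit


def authenticate(usage_type: str, scores: dict) -> AuthResult:
    """Every factor required for the usage type must be present and reach its threshold."""
    required = AUTH_TYPE_TABLE.get(usage_type)
    if required is None:  # unknown usage type fails closed
        return AuthResult(usage_type, False, ["unknown_usage_type"])
    # "not >=" rather than "<" so a missing or NaN score counts as a failure
    failed = [f for f, minimum in required.items() if not scores.get(f, 0.0) >= minimum]
    return AuthResult(usage_type, not failed, failed)


def notify(result: AuthResult) -> dict:
    """Notification to the branch or store: outcome only, no per-factor detail."""
    return {"usage_type": result.usage_type, "authenticated": result.authenticated}
```
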


 




Cited references

REFERENCES CITED IN THE DESCRIPTION



This list of references cited by the applicant is for the reader's convenience only. It does not form part of the European patent document. Even though great care has been taken in compiling the references, errors or omissions cannot be excluded and the EPO disclaims all liability in this regard.

Patent documents cited in the description