when an identity authentication request applying login behaviors is received, calculating a current identity authentication result based on an authentication matrix, adjusting trust scores of all dimensions according to the identity authentication result and configuration information related to the trust scores in a score adjustment model, and realizing updating of the trust scores of all dimensions in the authentication matrix and updating of login attempt times and success times based on identity authentication result regression iterative computation until a final identity authentication result is obtained.

Taking the terminal IP address as an example, the initial trust score of the terminal IP address may be set to 58. For the authentication mode of password authentication, the configuration information in the score adjustment model may be the trust score plus 5 if the authentication is successful and the trust score minus 1 if the authentication is failed. For the authentication mode of short message verification code authentication, the configuration information in the score adjustment model can be the trust score plus 10 if the authentication is successful and the trust score minus 2 if the authentication is failed. For the authentication mode of face recognition authentication, the configuration information in the score adjustment model may be the trust score plus 20 if the authentication is successful and the trust score minus 4 if the authentication is failed. Other dimensions in the user agent information may similarly configure corresponding score adjustment models. And if the authentication result corresponding to the password authentication is successful, adding 5 to the trust score corresponding to the terminal IP address in the user agent information, and respectively updating the trust scores corresponding to other dimensions according to a preset score adjustment model. And then, recalculating the total score of the identity authentication request according to each adjusted trust score and the corresponding weight value.

And S150, determining the identity authentication result of the login behavior according to the comparison result of the recalculated total score and the trust threshold and the authentication result.

Specifically, whether the recalculated total score is lower than a trust threshold value or not is judged, and the identity authentication result of the login behavior is determined according to the comparison result and the authentication result. If the total score after recalculation is not lower than the trust threshold, the identity authentication result of the login behavior can be directly determined to be the success of the identity authentication. If the identity authentication result of the login behavior still cannot be determined based on the comparison result and the authentication result, the authentication mode can be continuously triggered and the trust scores corresponding to all dimensions in the user agent information can be adjusted. For example, if the authentication result is successful, if the recalculated total score is still lower than the trust threshold, a higher level authentication mode may be triggered based on the ranking result of the authentication modes. And when the authentication result is authentication failure, the corresponding authentication mode can be continuously triggered according to the recalculated total score, and when the number of authentication failure times exceeds a set number threshold, the identity authentication result of the login behavior can be directly determined to be identity authentication failure.

Step S160, it is determined that the identity authentication result of the login behavior is that the identity authentication is successful.

Specifically, if the total score is higher than or equal to the trust threshold, it is determined that the identity authentication result of the login behavior is identity authentication success.

The method comprises the steps of obtaining user agent information in an identity authentication request corresponding to a login behavior, obtaining trust scores and weight values corresponding to the user agent information, calculating total scores of the identity authentication request according to the trust scores and the corresponding weight values, triggering an authentication mode corresponding to a score segment to which the total scores belong if the total scores are lower than a trust threshold, respectively updating the trust scores of all dimensions in the user agent information according to an authentication result and a preset score adjustment model, recalculating the total scores of the identity authentication request according to the adjusted trust scores and the corresponding weight values, and determining the identity authentication result of the login behavior according to a comparison result of the recalculated total scores and the trust threshold and the authentication result. According to the embodiment of the invention, the trust scores corresponding to all dimensions in the user agent information are dynamically adjusted in the identity authentication process of the login behavior, so that the login behavior is dynamically authenticated under the condition of not reducing the use convenience of the user, the risk of the user account being stolen is reduced, and the security of the identity authentication is improved.

Example two

Fig. 2 is a flowchart of another dynamic identity authentication method provided in the second embodiment of the present invention, and this embodiment is optimized on the basis of the foregoing embodiment, as shown in fig. 2, the method includes:

step S201, obtaining user agent information in the identity authentication request corresponding to the login behavior, obtaining trust scores and weight values corresponding to the user agent information, and calculating a total score of the identity authentication request according to each trust score and corresponding weight value.

Wherein the user agent information is determined based on the login information and the application attribute information.

Step S202, determining whether the total score is lower than the trust threshold, if yes, performing step S203, otherwise, performing step S204.

Step S203, the identity authentication result of the login behavior is determined to be the identity authentication success.

Step S204, determining the security level of the application according to the application attribute information in the user agent information, determining the scoring standard corresponding to the application according to the security level, and determining the corresponding trust threshold value and the corresponding relation between the scoring segment and the authentication mode based on the scoring standard.

Illustratively, the trust threshold for common applications is preset to be 60. The trust threshold of the pre-defined highly sensitive application is higher than that of the normal application, for example, the trust threshold of the financial level security application may be 80. The trust threshold of the preset super high level application is higher than that of the high sensitive application, for example, the trust threshold of the security application related to the sensitive information or the sensitive official document can be 90. And simultaneously presetting corresponding grading segments and corresponding relations between the grading and the authentication modes.

Alternatively, determining the security level of the application according to the application attribute information in the user agent information, and determining the scoring criteria corresponding to the application according to the security level may include:

and determining the security level of the terminal IP address according to the terminal IP address in the user agent information and a preset IP address blacklist, and determining a corresponding scoring standard according to the security level of the terminal IP address.

Specifically, the security level of the terminal IP address in the preset IP address blacklist is determined according to the terminal IP address in the user agent information, and a corresponding scoring standard is determined according to the security level. For example, if the IP address of the terminal is in the IP address blacklist and is set as a danger level due to the fact that the account is stolen many times in history, a corresponding scoring criterion may be determined according to the danger level.

judging whether the access terminal is cracked or not according to the terminal information in the user agent information, determining the security level of the access terminal according to the judgment result, and determining the corresponding scoring standard according to the security level.

Specifically, whether a cracking attribute exists in the terminal information of the user agent information is detected, if so, the access terminal can be determined to be cracked, the security level corresponding to the cracking terminal can be further determined, if not, the access terminal can be determined not to be cracked, and the security level corresponding to the non-cracked terminal can be further determined. And then the corresponding scoring standard can be determined according to the security level.

And S205, triggering an authentication mode corresponding to the scoring section to which the total score belongs.

Optionally, the triggering of the authentication manner corresponding to the score segment to which the total score belongs includes:

if the scoring segment to which the total score belongs is the first scoring segment, determining that the authentication mode corresponding to the first scoring segment is password authentication, and triggering the password authentication;

if the score segment to which the total score belongs is the second score segment, determining that the authentication mode corresponding to the second score segment is short message verification code authentication, and triggering short message verification code authentication;

and if the scoring segment to which the total score belongs is the third scoring segment, determining that the authentication mode corresponding to the third scoring segment is face recognition authentication, and triggering the face recognition authentication.

Wherein the first scoring segment, the second scoring segment, and the third scoring segment may be non-overlapping or overlapping with each other. For example, if three scoring segments overlap each other and the scoring segment to which the total score belongs is located at the overlap of two or three scoring segments, two or three authentication modes may be triggered accordingly.

Step S206, obtaining an authentication result corresponding to the authentication mode, if the authentication result is that the authentication is passed, step S207 is executed, and if the authentication result is that the authentication is failed, step S208 is executed.

And step S207, respectively increasing the trust scores of all dimensions in the user agent information according to a first score adding rule in a preset score adjusting model. Execution continues with step S209.

The first scoring rule may be configured to indicate configuration information for increasing the trust score of each dimension in the user agent according to an authentication result that the authentication is successful.

And S208, respectively reducing the trust scores of all dimensions in the user agent information according to a first reduction rule in a preset score adjustment model. The process continues to step S210.

The first deduction rule may be used to indicate configuration information for reducing trust scores of the dimensions in the user agent according to an authentication result of authentication failure.

In the embodiment, after the identity authentication request is acquired and the calculated total score is lower than the trust threshold, the trust score of each dimension in the user agent is dynamically adjusted according to the first score adding rule and the first score subtracting rule, so that the simplicity of the subsequent authentication process is improved.

Optionally, before the first adding rule in the preset score adjustment model respectively increases the trust scores of the dimensions in the user agent information, and the first subtracting rule in the preset score adjustment model respectively reduces the trust scores of the dimensions in the user agent information, the method further includes:

and if the trust scores of all dimensions in the user agent information are detected to be kept unchanged in a first preset period, adjusting a first adding rule and a first subtracting rule in a preset score adjusting model.

Exemplarily, taking the application attribute information in the user agent information as an example, the first bonus rule corresponding to the application attribute information may be that 6 points are added to the trust score if the password authentication is successful, and 12 points are added to the trust score if the short message verification code authentication is successful. The first deduction rule corresponding to the application attribute information can be that the trust score is subtracted by 2 points when password authentication fails, and the trust score is subtracted by 4 points when short message verification code authentication fails. If it is detected that the trust scores of the application attribute information remain unchanged within 3 months, the increasing scores in the first score adding rule can be all adjusted up to 0.1, and the decreasing scores in the first score decreasing rule can be all adjusted down to 0.5. In this case, if the user logs in with the APP all the time, but accidentally logs in with the browser once, a higher-level authentication method is not directly triggered due to a few login failures. According to the embodiment, the login behavior of the user can be well predicted by dynamically adjusting the first score adding rule and the first score subtracting rule.

And S209, recalculating the total score of the identity authentication request according to the increased trust scores and the corresponding weight values. The process continues to step S211.

And step S210, recalculating the total score of the identity authentication request according to the reduced trust scores and the corresponding weight values. The process continues to step S213.

Step S211, determining whether the recalculated total score is lower than the trust threshold, if so, executing step S203, otherwise, executing step S212.

And step S212, triggering a higher-level authentication mode based on the level sorting result of the authentication modes, and returning to execute the step S206.

And if the authentication result is successful, if the recalculated total score is lower than the trust threshold, triggering a higher-level authentication mode based on the level sorting result of the authentication modes, and returning to execute the step of updating the trust scores of all dimensions in the user agent information respectively according to the authentication result and a preset score adjustment model.

Illustratively, if the user switches to log in or update the access terminal at a location, although the authentication result obtained in step S206 is that the authentication is passed, the recalculated total score is still lower than the trust threshold, a higher-level authentication mode is triggered, and the step of updating the trust scores of the dimensions in the user agent information according to the authentication result and the preset score adjustment model is returned.

Step S213, determining whether the number of authentication failures exceeds a set number threshold, if so, executing step S214, otherwise, returning to execute step S205.

And returning to the step of executing the authentication mode corresponding to the score segment to which the total trigger score belongs when the authentication result is authentication failure.

Step S214, the identity authentication result of the login behavior is determined to be the identity authentication failure.

And if the authentication failure times exceed the set time threshold, determining that the identity authentication result of the login behavior is identity authentication failure.

Optionally, at a preset time, respectively obtaining login success times and login attempt times corresponding to each dimension in the user agent information in a second preset period;

calculating the target dimension adjusted trust score by the following formula:

and the ratio of the second value to the first value is equal to the preset accuracy.

Illustratively, with 75% as the boundary, the confidence score for the day of the target dimension increases by 1 point for each 5% improvement in accuracy. Every time the accuracy rate is reduced by 5%, the trust score of the target dimension on the day is reduced by 1.

Optionally, at a preset time, login success times and login attempt times corresponding to each dimension in the user agent information in a second preset period are respectively obtained;

respectively calculating the ratio of the login success times to the login attempt times to obtain login accuracy;

for a target dimension with the login accuracy higher than the preset accuracy, calculating a difference value between the accuracy of the target dimension and the preset accuracy, and increasing the trust score of the target dimension at the preset moment corresponding to the target dimension according to a second scoring rule corresponding to the accuracy difference value section to which the difference value belongs;

calculating the difference between the accuracy of the target dimension and the preset accuracy for the target dimension with the login accuracy lower than the preset accuracy, and reducing the trust score of the target dimension at the preset moment corresponding to the target dimension according to a second score reduction rule corresponding to the accuracy difference segment to which the difference belongs;

and for the target dimension with the login accuracy rate equal to the preset accuracy rate, keeping the trust score of the target dimension at the preset moment unchanged.

Illustratively, by taking a day as a unit, login success times and login attempt times corresponding to all dimensions in user agent information of the day are acquired in the early morning of each day, login accuracy of all dimensions is respectively calculated, 75% is taken as a preset accuracy, and for a target dimension with accuracy higher than 75%, a difference value between the accuracy of the target dimension and 75% is calculated. If the difference is less than 5%, adding 1 to the current trust score of the target dimension; if the difference is greater than or equal to 5% and less than 10%, then the current day trust score of the target dimension may be increased by 2; if the difference is greater than or equal to 10% and less than 15%, then the current day's trust score for the target dimension may be increased by 3; if the difference is greater than or equal to 15% and less than 20%, adding 4 to the current day trust score of the target dimension; if the difference is greater than or equal to 20% and less than 25%, then the current day's trust score for the target dimension may be incremented by 5.

According to the embodiment, the login success events and the login attempt events of all dimensions in the user agent information are audited, and the trust scores of all dimensions are continuously adjusted, so that the user behaviors and the future pressure condition of the system can be better predicted, and the safety risk is reduced.

According to the embodiment of the invention, when the access terminal sends the identity authentication request, the trust score of the current access terminal is followed and the corresponding authentication mode is triggered, after the authentication is passed, the total score of the identity authentication request is further calculated again according to the adjusted trust score and the corresponding weight value, and is compared with the trust threshold value again, and whether a higher-level authentication process is triggered is determined according to the comparison result, so that the trust score of each dimension in the user agent information is dynamically adjusted in the identity authentication process, the problem that the user identity cannot be safely authenticated in a complex environment in the prior art is solved, the login behavior is dynamically authenticated by combining with the multi-dimension information, and the security of the identity authentication is improved.

EXAMPLE III

Fig. 3 is a schematic structural diagram of a dynamic identity authentication apparatus according to a third embodiment of the present invention. The device can be realized by software and/or hardware, can be generally integrated in a server, and can realize dynamic identity authentication on login behaviors by executing a dynamic identity authentication method, thereby improving the security of identity authentication. As shown in fig. 3, the apparatus includes:

thescore calculating module 310 is configured to obtain user agent information in an identity authentication request corresponding to a login behavior, obtain trust scores and weight values corresponding to the user agent information, and calculate a total score of the identity authentication request according to each trust score and corresponding weight value, where the user agent information is determined based on login information and application attribute information;

theauthentication triggering module 320 is configured to trigger an authentication manner corresponding to a score segment to which the total score belongs if the total score is lower than a trust threshold;

ascore adjustment module 330, configured to obtain an authentication result corresponding to the authentication manner, update trust scores of each dimension in the user agent information according to the authentication result and a preset score adjustment model, and recalculate a total score of the identity authentication request according to each adjusted trust score and a corresponding weight value, where the score adjustment model is used to indicate configuration information for adjusting the trust score of each dimension in the user agent information according to the authentication result;

and theresult determining module 340 is configured to determine an identity authentication result of the login behavior according to the comparison result between the recalculated total score and the trust threshold and the authentication result.

Optionally, theresult determining module 340 is specifically configured to:

if the authentication result is successful, if the recalculated total score is not lower than the trust threshold, determining that the identity authentication result of the login behavior is successful;

if the authentication result is successful, if the recalculated total score is lower than the trust threshold, triggering a higher-level authentication mode based on the level sorting result of the authentication modes, and returning to execute the step of updating the trust scores of all dimensions in the user agent information respectively according to the authentication result and a preset score adjustment model;

returning to the step of executing the authentication mode corresponding to the score segment to which the total score belongs when the authentication result is authentication failure;

and if the authentication failure times exceed a set time threshold, determining that the identity authentication result of the login behavior is identity authentication failure.

Optionally, theauthentication triggering module 320 is specifically configured to:

if the scoring segment to which the total score belongs is a first scoring segment, determining that the authentication mode corresponding to the first scoring segment is password authentication, and triggering the password authentication;

if the scoring segment to which the total score belongs is a second scoring segment, determining that the authentication mode corresponding to the second scoring segment is short message verification code authentication, and triggering the short message verification code authentication;

and if the scoring segment to which the total score belongs is a third scoring segment, determining that the authentication mode corresponding to the third scoring segment is face recognition authentication, and triggering the face recognition authentication.

Optionally, thescore adjusting module 330 is specifically configured to:

if the authentication result is that the authentication is passed, respectively increasing the trust scores of all dimensions in the user agent information according to a first score adding rule in a preset score adjusting model;

and if the authentication result is authentication failure, respectively reducing the trust scores of all dimensions in the user agent information according to a first reduction rule in a preset score adjustment model.

Optionally, thescore adjusting module 330 is further specifically configured to:

respectively increasing the trust scores of all dimensions in the user agent information according to a first adding and dividing rule in a preset score adjusting model, and adjusting the first adding and dividing rule and a first subtracting rule in the preset score adjusting model if the trust scores of all dimensions in the user agent information are detected to be kept unchanged in a first preset period before the trust scores of all dimensions in the user agent information are respectively reduced according to a first subtracting rule in the preset score adjusting model.

Optionally, the apparatus further comprises:

and the safety level determining module is used for determining the safety level of the application according to the application attribute information in the user agent information before triggering the authentication mode corresponding to the scoring section to which the total score belongs if the total score is lower than the trust threshold, determining the scoring standard corresponding to the application according to the safety level, and determining the corresponding trust threshold and the corresponding relation between the scoring section and the authentication mode based on the scoring standard.

Optionally, the apparatus further comprises:

the login time acquisition module is used for respectively acquiring login success times and login attempt times corresponding to all dimensions in the user agent information in a second preset period at a preset time;

the adjusted score calculating module is used for calculating the trust score after the target dimension is adjusted through the following formula:

and f (target dimension) represents the trust score after the target dimension is adjusted, and the ratio of the second value to the first value is equal to the preset accuracy.

The dynamic identity authentication device provided by the embodiment of the invention can execute the dynamic identity authentication method provided by any embodiment of the invention, and has corresponding functional modules and beneficial effects of the execution method.

Example four

Fig. 4 is a schematic structural diagram of a server according to a fourth embodiment of the present invention, as shown in fig. 4, the server includes aprocessor 400, amemory 410, aninput device 420, and anoutput device 430; the number of theprocessors 400 in the server may be one or more, and oneprocessor 400 is taken as an example in fig. 4; theprocessor 400, thememory 410, theinput device 420 and theoutput device 430 in the server may be connected by a bus or other means, and fig. 4 illustrates the connection by a bus as an example.

Thememory 410, which is a computer-readable storage medium, may be used to store software programs, computer-executable programs, and modules, such as program instructions and/or modules corresponding to the dynamic authentication method in the embodiments of the present invention (e.g., thescore calculating module 310, theauthentication triggering module 320, thescore adjusting module 330, and theresult determining module 340 in the dynamic authentication apparatus). Theprocessor 400 executes various functional applications of the server and data processing by executing software programs, instructions and modules stored in thememory 410, so as to implement the above-mentioned dynamic authentication method.

Thememory 410 may mainly include a storage program area and a storage data area, wherein the storage program area may store an operating system, an application program required for at least one function; the storage data area may store data created according to the use of the terminal, and the like. Further, thememory 410 may include high speed random access memory, and may also include non-volatile memory, such as at least one magnetic disk storage device, flash memory device, or other non-volatile solid state storage device. In some examples,memory 410 may further include memory located remotely fromprocessor 400, which may be connected to a server over a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof.

Theinput device 420 may be used to receive input numeric or character information and generate key signal inputs related to user settings and function control of the server. Theoutput device 430 may include a display device such as a display screen.

EXAMPLE five

An embodiment of the present invention further provides a storage medium containing computer-executable instructions, which when executed by a computer processor, are configured to perform a method for dynamic identity authentication, the method including:

if the total score is lower than the trust threshold, triggering an authentication mode corresponding to the score section to which the total score belongs;

obtaining an authentication result corresponding to the authentication mode, respectively updating trust scores of all dimensions in the user agent information according to the authentication result and a preset score adjustment model, and recalculating the total score of the identity authentication request according to each adjusted trust score and a corresponding weight value, wherein the score adjustment model is used for indicating configuration information for adjusting the trust scores of all dimensions in the user agent information according to the authentication result;

Of course, the storage medium provided in the embodiment of the present invention includes computer-executable instructions, where the computer-executable instructions are not limited to the operations of the method described above, and may also perform related operations in the dynamic identity authentication method provided in any embodiment of the present invention.

From the above description of the embodiments, it is obvious for those skilled in the art that the present invention can be implemented by software and necessary general hardware, and certainly can be implemented by hardware, but the former is a better embodiment in many cases. Based on such understanding, the technical solutions of the present invention or portions thereof contributing to the prior art may be embodied in the form of a software product, which can be stored in a computer readable storage medium, such as a floppy disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a FLASH Memory (FLASH), a hard disk or an optical disk of a computer, and includes several instructions for enabling a computer device (which may be a personal computer, a server, or a network device) to execute the methods according to the embodiments of the present invention.

It should be noted that, in the embodiment of the dynamic identity authentication apparatus, the included units and modules are only divided according to functional logic, but are not limited to the above division, as long as the corresponding functions can be implemented; in addition, the specific names of the functional units are only for the convenience of distinguishing from each other, and are not used for limiting the protection scope of the present invention.

It is to be noted that the foregoing is only illustrative of the preferred embodiments of the present invention and the technical principles employed. It will be understood by those skilled in the art that the present invention is not limited to the particular embodiments described herein, but is capable of various obvious changes, rearrangements and substitutions as will now become apparent to those skilled in the art without departing from the scope of the invention. Therefore, although the present invention has been described in some detail by the above embodiments, the invention is not limited to the above embodiments, and may include other equivalent embodiments without departing from the spirit of the invention, and the scope of the invention is determined by the scope of the appended claims.

Claims

1. A dynamic identity authentication method, comprising:

2. The method of claim 1, wherein determining the identity authentication result of the login behavior based on the comparison of the recalculated total score to the trust threshold and the authentication result comprises:

if the authentication result is successful, if the recalculated total score is lower than the trust threshold, triggering a higher-level authentication mode based on a level sorting result of the authentication modes, and returning to execute the step of respectively updating the trust scores of all dimensions in the user agent information according to the authentication result and a preset score adjustment model;

3. The method according to claim 1, wherein the triggering of the authentication mode corresponding to the score segment to which the total score belongs comprises:

4. The method according to claim 1, wherein the updating the trust scores of the user agent information in each dimension according to the authentication result and a preset score adjustment model comprises:

5. The method of claim 4, further comprising, before the first score adding rule in the preset score adjustment model respectively increases the trust scores of the dimensions in the user agent information, and the first score subtracting rule in the preset score adjustment model respectively decreases the trust scores of the dimensions in the user agent information:

and if the trust scores of all dimensions in the user agent information are detected to be kept unchanged in a first preset period, adjusting the first score adding rule and the first score subtracting rule in the preset score adjusting model.

6. The method according to claim 1, wherein before triggering the authentication method corresponding to the score segment to which the total score belongs if the total score is lower than the trust threshold, the method further comprises:

determining the security level of the application according to the application attribute information in the user agent information, determining a scoring standard corresponding to the application according to the security level, and determining a corresponding trust threshold value and a corresponding relation between a scoring segment and an authentication mode based on the scoring standard.

7. The method of claim 1, further comprising:

respectively acquiring login success times and login attempt times corresponding to all dimensions in the user agent information in a second preset period at a preset time;

calculating the target dimension adjusted trust score by the following formula:

8. A dynamic authentication apparatus, comprising:

the score adjusting module is used for acquiring an authentication result corresponding to the authentication mode, respectively updating trust scores of all dimensions in the user agent information according to the authentication result and a preset score adjusting model, and recalculating the total score of the identity authentication request according to each adjusted trust score and a corresponding weight value, wherein the score adjusting model is used for indicating configuration information for adjusting the trust scores of all dimensions in the user agent information according to the authentication result;

9. A server, characterized in that the server comprises:

one or more processors;

a memory for storing one or more programs,

the one or more programs, when executed by the one or more processors, cause the one or more processors to implement the dynamic identity authentication method of any of claims 1-7.

10. A storage medium containing computer-executable instructions for performing the dynamic authentication method of any one of claims 1-7 when executed by a computer processor.