JP5429414B2 - Integrated identification information management system, identification information integrated management server, and identification information integrated management program - Google Patents

Description

  The present invention authenticates a user by a 1: 1 verification method using identification information (hereinafter also referred to as “ID”) about the user (hereinafter also referred to as “user”) and biometric information. The present invention relates to a technology applied to various service providing systems. In particular, the present invention relates to a technique suitable for use when biometric information of the same user is registered in association with different identification information in a plurality of service providing systems.

  Generally, in various service providing systems, a user ID and biometric information are registered in advance in association with each other, and after the user is authenticated by a 1: 1 verification method, The provision of services is underway. In authenticating the user, the user inputs his / her ID and his / her biometric information (for example, fingerprint, palm print, vein information, iris, voice print, etc.). On the service providing system side, the registered biometric information associated with the ID input by the user is read, and the registered biometric information is compared with the biometric information input by the user. When these are matched and they match, identity authentication is performed.

  By the way, in an environment where a plurality of service providing systems coexist, the same user may set different passwords for each system. On the other hand, in a system that employs biometrics authentication instead of password authentication, it is not necessary for the user to remember the password every time because the user is authenticated by checking biometric information instead of the password.

  However, if the ID registered in the system is not specified by the administrator, it is the first registered person, so if the ID you want to set is already used in that system, another ID (still used in the system) You must use an unidentified ID). As a result, the IDs may be inconsistent in a plurality of systems even though they are the same user. Further, in a system in which an administrator designates an ID, if the ID naming method varies depending on the manager of each system, the ID may be inconsistent in a plurality of systems even though they are the same user.

  In a service providing system that must maintain high security, when biometric authentication is employed, a 1: 1 authentication method is often used in order to minimize the risk of accepting others. In this 1: 1 authentication method, as described above, an individual is identified by an ID, and from the data already registered in the database, the user's reference biometric data associated with the ID is read and used for reference. The biometric data is collated with the biometric data input by the user. Therefore, the user needs to input an ID for logging in to the service providing system. At that time, the user must correctly input the ID registered in advance in the service providing system to log in. For this reason, when an inconsistent ID is registered for each service providing system, the user must accurately remember which ID is registered in which service providing system. As a result, although biometric data that can be used as a password is correctly input, for example, an ID registered in the service providing system B may be entered incorrectly when attempting to log in to the service providing system A. There are many cases where this is not possible.

  The following Patent Document 1 discloses a technique corresponding to such a situation. In the technology disclosed in Patent Document 1, when a user uses a plurality of types of applications or a plurality of bank accounts, if the password or the PIN is changed for each application ID or for each bank account, the password or the PIN is changed. This is to deal with a situation in which it is impossible to memorize which application ID and which bank account it corresponds to. Therefore, the technology disclosed in Patent Document 1 employs personal authentication based on biometric information that cannot be stolen or imitated to protect and guard secret information (password and personal identification number). An object of the present invention is to provide a portable electronic device that ensures high security performance.

The portable electronic device has a personal authentication function based on biometric information, and is carried by the owner to process various types of electronic information. In the portable electronic device, the verification biometric feature information and the reference biometric feature information of the person to be authenticated are compared, and as a result, the verification biometric feature information is recognized as belonging to the owner. Then, the code and account information corresponding to the upper information designated by the system name selection unit are displayed on the display unit. In the portable electronic device, a password including a password, a password, a secret key, etc. includes account information including an account name, ID, computer name, IP address, etc., system name, bank name, computer name, application name. Are stored in correspondence with higher-level information including, for example. Thus, after the user is recognized, if the user selects a target system in the system name selection unit, the corresponding personal identification code and account information are displayed on the display unit. It is possible to support forgetting.
JP 2001-236324 A

  In the technique disclosed in Patent Document 1, when the user's ID is forgotten and personal authentication is performed by biometric authentication, secret information including the ID to the system is read and displayed in a list form to the user. Then, when a display target system is selected by the system name selection unit, information on the selected system is displayed. However, displaying some registration information and notifying the user shows the user secret information that is not necessary, so there is a problem in constructing a system that requires high security. In addition, as a result, the user is forced to select from a plurality of IDs, and there is a problem that convenience is poor.

  As a generally known method, there is a collation method called 1: N collation method. In this 1: N collation method, the user inputs only biometric data for collation without entering an ID, and collates the biometric data for collation with a plurality of registered reference biometric data for registration. Individuals are identified from a plurality of users. However, the 1: N collation method eliminates the need to specify an ID, which increases convenience. On the other hand, collation biometric data is collated with reference biometric data for a plurality of users, so that others can be mistakenly accepted. There is sex (possibility of accepting others). Since the acceptance rate of others increases in proportion to the increase in the number N of reference biometrics to be verified, it is not preferable to use the 1: N verification method in a system that requires high security. However, if the number N of users who can perform 1: N collation is limited, all users cannot be rescued.

  Further, as another generally known method, there is a method of unifying IDs using an IC card in which unique information is written. However, in this method, the service providing system cannot be accessed without an IC card and a card reader. When biometric authentication is adopted, since the biometric data is information included in a part of the body, the user never forgets to carry the data. On the other hand, the necessity of carrying the IC card and the card reader only for unifying the ID leads to an increase in cost and increases the burden on the user.

One of the objects of the present invention is that even if the user misses the input of ID (identification information) while maintaining security without increasing the cost of the apparatus and without burdening the user, the identity of the user It is to be able to authenticate.
In addition, the present invention is not limited to the above-described object, and is an operational effect derived from each configuration shown in the best mode for carrying out the invention described later, and has an operational effect that cannot be obtained by conventional techniques. Can be positioned as one of the purposes.

  The identification information integrated management system disclosed herein includes a plurality of service providing systems that provide a predetermined service to the user according to a result of authenticating the user, identification information used in the plurality of service providing systems, and An identification information integrated management system comprising a management server for integrated management of biometric information, wherein the management server is transmitted from the service providing system based on a result of authentication performed in the service providing system; Identification information and collation biometric information are received, and among the plurality of registration biometric information stored in advance associated with each of the plurality of identification information, the registration biometric corresponding to the received first identification information The identification information associated with the biometric information for registration is collated with the received biometric information for verification, and according to the result of the verification The out identification information other than the first identification information, and transmits the identification information to be used for authentication to the service providing system.

  Also, the identification information integrated management server disclosed herein integrally manages identification information and biometric information used in a plurality of service providing systems that provide a predetermined service to the user according to the result of authenticating the user. A management server that receives first identification information and biometric information for verification transmitted from the service providing system based on a result of authentication performed in the service providing system; Among the plurality of registration biometric information stored in association with the identification information, the collation unit that collates the biometric information for registration corresponding to the first identification information and the biometric information for collation, and the result of the collation Accordingly, the identification information associated with the biometric information for registration is identification information other than the first identification information as identification information used for authentication. And a transmission unit that transmits to the system.

  Furthermore, the identification information integrated management program disclosed herein integrally manages identification information and biometric information used in a plurality of service providing systems that provide a predetermined service to the user according to the result of authenticating the user. An identification information integrated management program for causing a computer to function as a management server, which is collated with first identification information transmitted from the service providing system to the computer based on a result of authentication performed in the service providing system Biometric information for registration, among biometric information for registration stored in association with a plurality of pieces of identification information in advance, registration biometric information corresponding to first identification information, and biometric information for verification And the first identification information among the identification information associated with the biometric information for registration according to the result of the comparison. The identification information other than, and transmits the identification information to be used for authentication to the service providing system to perform the process.

  According to the disclosed technology, when the identification information registered in a plurality of service providing systems for the same user does not match, the identification information integrated management server integrates and manages the identification information based on the user's reference biometric information. To do. This makes it possible to authenticate the user even if the user makes a mistake in entering the ID while maintaining security without increasing the cost of the apparatus and placing a burden on the user.

Embodiments of the present invention will be described below with reference to the drawings.
[1] Basic processing The basic operation of the ID integrated management system of this embodiment will be described.
In the ID integrated management system of this embodiment, the user assigns his ID and reference biometric data (reference biometric information) to one of the service providing systems (service providing servers) belonging to the ID integrated management system. When registering, the information is sent from the service providing system to the ID integrated management server. Then, in the ID integrated management server belonging to the ID integrated management system, ID management is performed using reference biometric data, and if the user misses the ID input at the time of verification prior to the start of service provision in the service providing system, the user The correct ID for can be found.

  In order to realize such processing, in the ID integrated management system, first, the following registration processing is executed. That is, in a service providing system that employs a 1: 1 authentication method using biometric information, a user inputs reference biometric data for reference from a living body part at the time of matching, as in a general registration process. At the same time, an ID is designated and a user registration request is made to the service providing system. Since the processing so far is a known flow, detailed description thereof is omitted.

  Upon receipt of the user registration request, the service providing system registers and stores the received ID and reference biometric data in a database (see the storage unit 202 in FIG. 1 and the like) in the own system, and the ID integrated management server Send to.

  The ID integrated management server receives the reference biometric data received from the service providing system and the reference biometric data already registered in the database of the ID integrated management server (see the management tables 301a and 301b in FIGS. 2 and 8). Is compared.

  If the ID integrated management server determines that biometric data matching the received reference biometric data does not exist in the database (management tables 301a and 301b) as a result of the comparison and collation, it creates a new record in the database. To do. Then, the reference biometric data received from the service providing system and the ID are associated with and stored in the record.

  On the other hand, when the ID integrated management server determines that biometric data matching the received reference biometric data exists in the database (management tables 301a and 301b) as a result of comparison and collation, the ID integrated management server provides a service to the corresponding record. Register the ID received from the system. In this case, it is not always necessary to store the reference biometric data.

  Next, in this ID integrated management system, when a user inputs an incorrect ID at the time of collation in the service providing system, a processing flow until a correct ID for the user is determined will be described.

  Here, for example, the user erroneously inputs a login ID to the service providing system B in an attempt to log in to the service providing system A, and creates and inputs predetermined collation biometric data from a biological part such as a fingerprint or a vein. A case where a personal authentication request is made to the service providing system A will be described. The service providing systems A and B perform authentication using the same type of biometric data, and that these service providing systems A and B belong to the ID integrated management system. It is the premise of form.

  At this time, in the database (storage unit 202) of the service providing system A, there are a case where the same ID as the ID erroneously input by the user is registered and a case where the same ID is not registered. In the former case, the registered ID is the ID of another person different from the user. Therefore, the result of comparison and collation between the reference biometric data associated with the other person's ID and the collation biometric data input by the user is inconsistent, and the user's identity authentication is not successful. On the other hand, in the latter case, since the same ID does not exist, the comparison with reference biometric data cannot be performed, and the user cannot be authenticated.

  In any case, the service providing system A determines that there is a possibility of the user's ID designation error, and sends the ID input by the user and the verification biometric data to the ID integrated management server. When the ID input by the user is found in the database (management tables 301a and 301b), the ID integrated management server receives from the service providing system A one or more reference biometric data registered in the record indicated by the ID. The comparison biometric data is compared.

  As a result of the comparison, when the reference biometric data that matches the verification biometric data is not found, the ID integrated management server notifies the service providing system A of the authentication failure, and the service providing system A also fails in the authentication. Finish the process. Even when the ID input by the user is not found in the database (management tables 301a and 301b), the ID integrated management server notifies the service providing system A of the authentication failure, and the service providing system A also authenticates the user. End processing as a failure.

  On the other hand, if reference biometric data that matches the matching biometric data is found as a result of the comparison, the ID integrated management server groups one or more IDs associated with the matched reference biometric data ( List) and return to the service providing system A.

  Then, the service providing system A searches its own database (storage unit 202), and a plurality of IDs registered in the database (storage unit 202) are returned from the ID integrated management server as described above. Alternatively, it is confirmed whether there is a match with the unique ID. If the ID returned from the ID integrated management server is not found in the database (storage unit 202), the service providing system A determines that the user is not registered in the service providing system A, and the identity authentication failure is detected. Finish the process.

  On the other hand, when the ID returned from the ID integrated management server is found in the database (storage unit 202), the service providing system A uses the reference biometric data associated with the ID and the verification received from the user. Compare with biometric data. As a result of this comparison, if they do not match, the service providing system A finishes the process as a failure of personal authentication. If they match, the service providing system A authenticates the user as the principal even if the wrong ID input by the user is not registered in the database (storage unit 202).

  At this time, when a plurality of IDs are returned from the ID integrated management server, two or more of these IDs may be registered / existing in the database (storage unit 202) of the service providing system A. is there. In such a case, the service providing system A performs comparison and collation between each of the two or more reference biometric data associated with the two or more IDs and the collation biometric data received from the user.

  As a result of the comparison and collation, if there is no reference biometric data that matches the collation biometric data, the service providing system A terminates the processing as a failure of personal authentication. If there is reference biometric data that matches the matching biometric data as a result of the comparison, the service providing system A selects the reference biometric data that matches the matching biometric data from a plurality of IDs. One ID associated with the metric data can be specified, and finally one user can be specified.

  Here, the login ID to the service providing system A and the login ID to the service providing system B are associated with the reference biometric data of the user in advance in the database (management tables 301a and 301b) of the ID integrated management server. Registered and saved. At this time, the user erroneously inputs a login ID to the service providing system B in an attempt to log in to the service providing system A and creates and inputs predetermined collation biometric data from a biological part such as a fingerprint or a vein, It is assumed that a personal authentication request is made to the service providing system A.

  In this case, regardless of whether or not an incorrect login ID is registered in the database (storage unit 202) of the service providing system A, as a result, the service providing system A may have a user ID designation error. The ID input by the user and the biometric data for verification are sent to the ID integrated management server.

  In the ID integrated management server, the login ID of the user to the service providing system B is found in the database (management tables 301a and 301b), and the reference biometric data registered in the record indicated by the ID is received from the service providing system A. The collated biometric data is compared, and these are matched. Then, the ID integrated management server identifies the ID associated with the matched reference biometric data (here, one ID other than the ID for the service providing system B of the user; that is, the login ID for the service providing system A). Is returned to the service providing system A.

  The service providing system A that has received the reply of ID searches its own database (storage unit 202), and the ID returned from the ID integrated management server among the IDs registered in the database (storage unit 202). You will find something that matches. Thereafter, the service providing system A compares the reference biometric data associated with the ID with the verification biometric data received from the user. At this time, the comparison results match. Therefore, the service providing system A recognizes that the correct ID in the service providing system A for the user has been specified even if the wrong ID input by the user is not registered in the database (storage unit 202). Then, the user is authenticated as the principal.

  In this way, the ID integrated management server integrally manages IDs and reference biometric data registered in a plurality of service providing systems. This makes it possible to input the wrong ID registered in a different service providing system so that the user can log in to the target service providing system while maintaining security without increasing the device cost and burdening the user. Even in this case, it becomes possible to authenticate the user.

[2] Specific Configuration and Operation [2-1] One Embodiment of Registration Processing System FIG. 1 shows an identification information integrated management system (a registration process of a service providing system and an identification information integrated management server) as one embodiment of the present invention. FIG. 2 is a diagram showing a configuration example of a management table in the identification information integrated management server of this embodiment.

  As shown in FIG. 1, an identification information integrated management system (ID integrated management system) 1 of this embodiment includes a plurality of service providing systems (service providing servers) 2 and one identification information integrated management server (ID integrated management server). Management server) 3. In FIG. 1, only one service providing system 2 is shown, but in reality, two or more service providing systems 2 are provided.

  Each service providing system 2 authenticates the user using the ID and biometric information about the user, and then starts providing a predetermined service to the user. Further, the ID integrated management server 3 performs integrated management of ID and biometric information used for the personal authentication in the plurality of service providing systems 3 as follows.

  The registration processing system of each service providing system 2 includes an ID / reference biometric data reception unit 201, an ID / reference biometric data storage unit 202, an ID / reference biometric data transmission unit 203, and an ID integrated management completion notification reception. A unit 204 and a registration completion notification unit 205 are provided.

  The ID / reference biometric data receiving unit 201 receives registration data for the service providing system 2 from a user (client). The registration data includes an ID (for example, a character string of a predetermined number of alphanumeric characters) specified by the user, predetermined reference biometric data (reference biometric information) obtained from a predetermined biological part of the user, and It is included. In the plurality of service providing systems 2, the same type of biometric information type is used for authentication.

  The ID / reference biometric data storage unit (database) 202 stores and stores the registration data received by the receiving unit 201. The storage unit 202 stores reference biometric data in association with an ID designated by the user. At the time of collation to be described later, reference biometric data associated with the ID is read from the storage unit 202 by searching the storage unit 202 with an ID input by the user.

  If the same ID as the user-specified ID received by the receiving unit 201 at the time of registration is already registered in the storage unit 202, a warning to that effect is given to the user and another ID is specified. Processing such as prompting is performed. Since the flow of such processing is known, the description thereof is omitted.

  The ID / reference biometric data transmission unit (registration target information transmission unit) 203 registers the user ID and the reference biometric data received by the reception unit 201 in the storage unit 202 when the registration target is stored. The ID and the registration target reference biometric information are transmitted to the ID integrated management server 3 to request management of these IDs and data.

The ID integrated management completion notification receiving unit (update result receiving unit) 204 receives an ID integrated management completion notification (described later) from the ID integrated management server 3.
The registration completion notification unit 205 notifies the user of the ID integrated management completion notification received by the reception unit 204 as a registration completion notification.

  On the other hand, the registration processing system of the ID integrated management server 3 includes a reference biometric data / ID management unit 301, an ID / reference biometric data reception unit 302, a reference biometric data reference unit 303, and a biometric data comparison unit 304. , A comparison result determination unit 305, a management table update unit 306, and an ID integrated management completion notification unit 307.

  A reference biometric data / ID management unit (storage unit; database) 301 associates a registration target ID and registration target reference biometric data acquired by a receiving unit 302 described later, and registers a registered ID and a registered reference, respectively. Can be registered and stored as a biometric for use. In this management unit 301, the registration target ID and the registration target reference biometric data are stored and managed in the form of a management table 301a that associates the registration target ID with the registration target reference biometric data, for example, as shown in FIG. The

  In the management table 301a shown in FIG. 2, a record to which a management number (management No.) is assigned is created in the order of registration and for each registration target reference biometric data. Each record is composed of a field for storing reference biometric data and one or more ID management fields for storing IDs (registration target IDs) associated with the reference biometric data. In the management table 301a, the ID management field managed as one record does not correspond to each service providing system 2, and the number of fields can be increased in a variable manner according to the addition of the ID. In the management table 301a shown in FIG. 2, five records assigned management numbers 000001 to 000005 are shown. For example, one record assigned management number 000001 has five ID management fields (1). Five different IDs “ikegami01”, “j_ikegami”, “980116”, “00980116”, and “ikegami” are registered and stored in (5) to (5).

The ID / reference biometric data receiving unit (acquisition unit) 302 uses the ID and reference biometric data registered by the user in each service providing system 2 as a registration target ID and registration target reference biometric data, respectively. It is received from the service providing system 2 (transmission unit 203) and acquired.
The reference biometric data reference unit 303 refers to reference biometric data already managed in each record of the management table 301a.

  The biometric data comparison unit (first comparison unit) 304 compares the registration target reference biometric data acquired by the reception unit 302 with the registered reference biometric data already stored in the management table 301a. It is. That is, the comparison unit 304 compares and matches the registration target reference biometric data extracted from the data acquired by the reception unit 302 and the registered reference biometric data referenced by the reference unit 303. .

The comparison result determination unit (first determination unit) 305 is based on the comparison result of the comparison unit 304 and whether or not there is registered reference biometric data that matches the registration target reference biometric data (stored in the management table 301a). Or not).
The management table update unit (update unit) 306 updates the information (registration state) of the management table 301a as follows according to the determination result by the comparison result determination unit 305.

  When the comparison result determination unit 305 determines that the registered reference biometric data that matches the registration target reference biometric data does not exist in the management table 301a, the update unit 306 includes the registration target ID and the registration target reference biometric data. The metric data is stored in the management table 301a as a registered ID and registered reference biometric data, respectively. That is, the update unit 306 creates a new record in the management table 301a, registers and saves the registration target reference biometric data in the biometric data field of the record, and uses one ID associated with the field. The registration target ID is registered and stored in the management field (1).

  When the comparison result determination unit 305 determines that registered reference biometric data that matches the registration target reference biometric data is present in the management table 301a, the update unit 306 adds the registration target ID to the registered target biometric data. It is stored in the management table 301a as a registered ID associated with the reference biometric data. That is, the update unit 306 refers to the record of the registered reference biometric data that matches the registration target reference biometric data, provides a new ID management field next to the final ID management field in the record, and The registration target ID is registered and saved in the field.

  For example, if the registration target reference biometric data matches the reference biometric data in the record assigned management No. 000005 in the management table 301a shown in FIG. Since “takayama” has already been registered, the ID to be registered this time is registered and stored in the next ID management field (2).

  At this time, only when the registered ID identical to the registration target ID in the management table 301a is not registered for the registered reference biometric data, the update unit 306 changes the registration target ID to the registered reference biometric. It is stored in the management table 301a as a registered ID associated with the metric data. That is, when a registered ID identical to the registration target ID in the management table 301a is already registered for the registered reference biometric data, the update unit 306 registers the management table 301a for the registration target ID. Absent. As a result, the same ID is prevented from being registered twice for the same registered reference biometric data, and wasteful consumption of the fields of the management table 301a is suppressed.

  Further, when updating the information in the management table 301a, the updating unit 306 converts the registered reference biometric data into the latest registration target reference biometric data received and acquired by the receiving unit (acquisition unit) 302. You may have the function to update the information of the management table 301a so that it may replace. That is, if there is a registered reference biometric data in the management table 301a that matches the registration target reference biometric data, the update unit 306 matches the registered reference biometric data in the corresponding record. May be replaced with the reference biometric data received by the receiving unit 302 this time. By performing such replacement update, when the user additionally registers a new ID, the reference biometric data for the user in the management table 301a can be replaced with the latest one.

  When the update of the management table 301a is completed by the updating unit 306, the ID integrated management completion notification unit 307 notifies the service providing system 2 that has transmitted the registration target ID and registration target reference biometric data to that effect. It is.

  When each service providing system 2 has an update function for updating the reference biometric data in the service providing system 2 (storage unit 202) after registration of the user's reference biometric data, The following update process may be performed. That is, when the user updates his / her reference biometric data to the latest using the update function (when the latest reference biometric data is input and replaced with the biometric data in the storage unit 202), The following update process is performed.

  The transmission unit 203 transmits the updated latest reference biometric data to the ID integrated management server 3. In the ID integrated management server 3, the comparison unit 304 compares the reference biometric data received by the reception unit 302 with the registered reference biometric data already stored in the management table 301a. Thereafter, the comparison result determination unit 305 determines the presence / absence of registered reference biometric data that matches the reference biometric data based on the comparison result by the comparison unit 304. That is, the comparison result determination unit 305 determines whether or not there is a record that holds registered reference biometric data that matches the reference biometric data.

  When the comparison result determination unit 305 determines that there is registered reference biometric data that matches the reference biometric information, the update unit 306 updates the registered reference biometric information in the corresponding record. The information in the management table 301a is updated so as to replace the reference biometric information. When there is no registered registered reference biometric data (record), the updating unit 306 performs no processing on the management table 301a.

  Next, the operation of the registration processing (registration processing system of the service providing system 2 and the ID integrated management server 3) of the ID integrated management system 1 of the present embodiment configured as described above will be described.

  The ID integrated management system 1 of this embodiment functions effectively when a user registers different IDs and specific reference biometric data for each system 2 with respect to a plurality of service providing systems 2. That is, in the ID integrated management system 1 of the present embodiment, when the same user designates different IDs for the plurality of service providing systems 2 and registers the same type of reference biometric data associated with each ID, The ID is managed by the ID integrated management server 3 as information associated with the reference biometric data. Hereinafter, the registration processing operation will be described in more detail.

  In the ID integrated management system 1 of the present embodiment, the ID integrated management server 3 has a plurality of reference biometric data indicating specific individuals and a plurality of specific individuals indicated by the reference biometric data registered in a plurality of service providing systems 2. The association with the ID is held as a management table 301a (see FIG. 2).

  When the user makes a mistake in inputting the ID when logging in to the service providing system 2 belonging to the system 1, the verification biometric data input by the user simultaneously with the ID and the registration registered in the storage unit 202 There are cases where the reference biometric data corresponding to the ID does not match or the designated ID itself does not exist.

  In such a case, in the ID integrated management system 1 of the present embodiment, the ID received from the user on the assumption that the user has made a mistake in specifying the ID, as will be described later with reference to FIG. And the biometric data for verification are transmitted from the service providing system 2 to the ID integrated management server 3.

  Then, the ID integrated management server 3 searches the management table 301a held by itself with the ID received from the service providing system 2. If the specified ID exists in the management table 301a as a result of the search, the comparison biometric data associated with the ID is compared with the biometric data for verification input by the user. As a result of the comparison and collation, if reference biometric data matching the biometric data for collation is found, a plurality of or unique IDs associated with the reference biometric data are returned to the original service providing system 2. .

  In the service providing system 2 to which the ID is returned, it is determined whether there is an ID that matches the ID stored in its own storage unit 202 among the returned IDs. If there is a matching ID, the reference biometric data associated with the ID and registered in the storage unit 202 is compared with the verification biometric data input by the user. When these data match, the system 1 that enables the correct ID to be specified reliably by determining that the ID is the correct ID for the user in the service providing system 2 is provided. Is done.

  In performing such processing, in the registration processing system of the ID integrated management system 1 of the present embodiment configured as shown in FIG. 1, reference biometric data and ID registered by the user in each service providing system 2 In order to manage the connection with the ID integrated management server 3, the following registration processing is performed.

  Flow of processing in which a user decides his / her ID to be registered in the service providing system 2 and collects reference biometric data and registers these ID and reference biometric data in the service providing system 2 Since is already known, its description is omitted. Similarly, the process until the service providing system 2 creates a record in the storage unit 202 with the ID requested to be registered by the user and stores the reference biometric data linked to the ID in the record is already known. Since there is, explanation is omitted.

  The service providing system 2 stores and saves data received by the ID / reference biometric data receiving unit 201 from the user (client) in the storage unit (database) 202. At this time, if the ID specified by the user is already registered in the storage unit 202 of the service providing system 2, the system 2 performs processing such as warning the user and prompting other IDs to be specified. As described above, since the processing flow is already known, the description thereof is omitted. The ID newly received in the receiving unit 201 and registered in the storage unit 202 and the reference biometric data in this way are transmitted to the ID integrated management server 3 by the transmitting unit 203, and management of these IDs and data is performed. Requested.

  In the ID integrated management server 3, the registration target ID and the registration target reference biometric data are extracted from the data received from the service providing system 2 by the reception unit 302. Further, the reference unit 303 refers to the reference biometric data already managed in each record of the management table 301a one by one. The comparison unit 304 compares and collates each biometric data referred to by the reference unit 303 with the registration target reference biometric data received from the service providing system 2.

  When it is determined by the comparison result determination unit 305 that registered reference biometric data that matches the registration target reference biometric data exists in the management table 301a, the update unit 306 uses the registered reference biometric data in the management table 301a. A registration target ID is newly added to the record corresponding to the biometric data.

  At this time, the updating unit 306 may replace the registered reference biometric data received from the service providing system 2 with the registered reference biometric data in the management table 301a. As a result, the reference biometric data held in the management table 301a can be updated to the latest one at that time, and the biometric data closest to the current user's biological state is stored and registered. . Therefore, when there are a plurality of service providing systems 2, the reference biometric data that is the latest at the time of registration by the user is held and managed by the ID integrated management server 3.

  On the other hand, when the comparison result determination unit 305 determines that the registered reference biometric data that matches the registration target reference biometric data does not exist in the management table 301a, the update unit 306 adds a new record to the management table 301a. Is added. Then, the update unit 306 additionally registers the registration target ID and the registration target reference biometric data in the record as a registered ID and registered reference biometric data, respectively.

  When the update of the management table 301a is completed in this way, the ID integrated management completion notification unit 307 indicates that the update of the management table 301a is completed, and the service that has transmitted the registration target ID and registration target reference biometric data The providing system 2 is notified. This completion notification is received by the receiving unit 204 of the service providing system 2, and further notified by the registration completion notifying unit 204 to the user (client) who requested the registration processing, and the registration processing is completed.

  Thus, by using the registration processing system of the system 1 shown in FIG. 1, the ID and reference biometric data registered by the user in each service providing system 2 are managed by the management table 301 a of the ID integrated management server 3. The This makes it possible to perform integrated management of IDs using the management table 301a, with reference biometric data as a key.

  Further, in the registration processing system of the system 1 shown in FIG. 1, the field can be changed according to the new registration addition of the ID without having a clear connection between each service providing system 2 and the management table 301a of the ID integrated management server 3. The number is increasing. Accordingly, flexible ID management can be performed without requiring connection between each service providing system 2 and the server 3.

  Further, in the registration processing system of the system 1 shown in FIG. 1, when each service providing system 2 has an update function for updating the reference biometric data registered in the storage unit 202, the update function is used. At the time of the update, the reference biometric data in the management table 301a of the ID integrated management server 3 can be updated to the latest one. As a result, the reference biometric data held in the management table 301a can be updated to the latest one at the time of update, and the biometric data closest to the current user's biological state is stored and registered. Become. Therefore, when there are a plurality of service providing systems 2, the reference biometric data that is the latest when the user performs the update is held and managed by the ID integrated management server 3.

[2-2] First Modified Example of Registration Processing System FIG. 3 shows a first modified example of the identification information integrated management system (registration processing system of the service providing system and the identification information integrated management server) as an embodiment of the present invention. It is a block diagram which shows a structure. In FIG. 3, the same reference numerals as those already described indicate the same or substantially the same parts, and the description thereof will be omitted.

  As shown in FIG. 3, the identification information integrated management system (ID integrated management system) 1A of the first modification includes a plurality of service providing systems (service providing servers) 2A and one identification information integrated management server (ID integrated management). Server; management server) 3A. In FIG. 3, only one service providing system 2A is shown, but actually two or more service providing systems 2A are provided.

The ID integrated management server 3A is configured in the same manner as the ID integrated management server 3 shown in FIG.
Each service providing system 2A is configured in substantially the same manner as each service providing system 2 shown in FIG. 1, but the registration processing system of each service providing system 2A is the same as each service providing system 2 shown in FIG. In addition to the reception unit 201, the storage unit 202, the transmission unit 203, the reception unit 204, and the registration completion notification unit 205, a user registration monitoring unit 206 is further added.

  Here, the user registration monitoring unit (monitoring unit) 206 added to each service providing system 2A monitors the registration request of ID and reference biometric data by the user to the service providing system 2A.

  When the monitoring unit 206 detects that the service providing system 2A has received the registration request, the monitoring unit 206 sends the ID and reference biometric data to the transmission unit 203, respectively, as a registration target ID and a registration target reference biometric data. Are transmitted to the ID integrated management server 3A.

  In each service providing system 2 in the system 1 shown in FIG. 1, when the ID and reference biometric data are received by the receiving unit 201, the received ID and reference biometric data are registered in the storage unit 202. At the same time, the data is directly transmitted to the ID integrated management server 3 by the transmission unit 203.

  On the other hand, in each service providing system 2A in the system 1A shown in FIG. 3, the ID and the reference biometric data received by the receiving unit 201 are not transmitted by the transmitting unit 203 as they are. Instead, in each service providing system 2A, a module for monitoring the storage unit 202 (database) in the background such as a daemon process is provided as the monitoring unit 206 described above.

  The monitoring unit 206 monitors the user registration status in the storage unit 202. When a new user registration process, that is, a registration process of a new ID and reference biometric data is detected, the monitoring unit 206 receives it from the user and stores it. The ID and the reference biometric data registered in are automatically transmitted to the ID integrated management server 3A by the transmission unit 203. The registration processing operation in the ID integrated management server 3A is the same as the operation of the ID integrated management server 3 shown in FIG.

  Thus, in the system 1A of the first modified example, the user registration is monitored by the module (monitoring unit 206) operating in the background, and the algorithm in the service providing system 2A communicates with the ID integrated management server 3A. Integrated ID management is possible without awareness. In other words, without adding any special changes to the existing receiving unit 201 in the service providing system 2A, the transmission unit 203 and the monitoring unit 206 are simply added to each service providing system 2A, and the ID integrated management server 3A Can be sent to.

[2-3] Second Modification of Registration Processing System FIG. 4 shows a second modification of the identification information integrated management system (registration processing system of the service providing system and the identification information integrated management server) as an embodiment of the present invention. It is a block diagram which shows a structure. In FIG. 4, the same reference numerals as those already described indicate the same or substantially the same parts, and the description thereof is omitted.

  As shown in FIG. 4, the identification information integrated management system (ID integrated management system) 1B of the second modification includes a plurality of service providing systems (service providing servers) 2B and one identification information integrated management server (ID integrated management). Server; management server) 3B. In FIG. 4, only one service providing system 2B is shown, but actually two or more service providing systems 2B are provided.

  Each service providing system 2B is configured in substantially the same manner as each service providing system 2 shown in FIG. 1, but the registration processing system of each service providing system 2B is the same as each service providing system 2 shown in FIG. A reception unit 201, a storage unit 202, a reception unit 204, and a registration completion notification unit 205 are provided, and the transmission unit 203 is omitted.

  Further, the ID integrated management server 3B is configured in substantially the same manner as the ID integrated management server 3 shown in FIG. However, in the registration processing system of the ID integrated management server 3B of the second modified example, the management unit 301 (management table 301a), the reference unit 303, the comparison unit 304, and the comparison result determination unit of the ID integrated management server 3 shown in FIG. 305, an update unit 306, and a notification unit 307 are provided, and a user registration monitoring unit 308 and an ID / reference biometric data acquisition unit 309 are provided instead of the reception unit 302 of the ID integrated management server 3.

  Here, the user registration monitoring unit (user registration monitoring unit) 308 monitors the registration status of the ID and reference biometric data by the user in the storage unit 202 of each service providing system 2B.

  When the user registration monitoring unit 308 detects the update of the ID and reference biometric data for the user, the ID / reference biometric data acquisition unit (acquisition unit) 309 obtains the ID and reference biometric data related to the update. Each is acquired as a registration target ID and registration target reference biometric data.

  In the system 1B of the second modification, the ID and the reference biometric data received from the user by the service providing system 2B (transmission unit 203) as in the systems 1 and 1A shown in FIG. 1 and FIG. Do not send. Instead, the user registration monitoring unit 308 of the ID integrated management server 3 performs monitoring by referring to the user registration status of the storage unit 202 of each service providing system 2B asynchronously with each service providing system 2B.

  When the user registration monitoring unit 308 confirms the update (change) of the user registration status in the storage unit 202 of the service providing system 1B, the storage unit of the service providing system 1B whose update has been confirmed by the acquisition unit 309. From 202, the ID and reference biometric data related to the update are acquired as a registration target ID and registration target reference biometric data, respectively.

  That is, in the system 1B of the second modified example, the user registration monitoring unit 308 on the ID integrated management server 3B side does not dynamically notify the user registration information from the service providing system 2B side to the ID integrated management server 3B. The ID integrated management server 3B periodically accesses the service providing system 2B. The user registration monitoring unit 308 is configured using a public protocol such as LDAP (Lightweight Directory Access Protocol) which is a directory service access protocol. If the user newly registered by the user registration monitoring unit 308 is confirmed, the acquisition unit 309 on the ID integrated management server 3B side acquires the user information from the service providing system 2B, and the ID is integrated in the management table 301a. Managed.

  As described above, in the system 1B of the second modified example, the user update information of each service providing system 2B can be acquired from the ID integrated management server 3B side, so that the service providing system 2B includes the service providing systems 2 and 2A. There is no need to build in the transmission unit 203. Therefore, ID integrated management by the ID integrated management server 3B can be realized while minimizing changes to the existing configuration of the service providing system 2B.

[2-4] Third Modification of Registration Processing System FIG. 5 shows a third modification of the identification information integrated management system (registration processing system of the service providing system and the identification information integrated management server) as an embodiment of the present invention. It is a block diagram which shows a structure. In FIG. 5, the same reference numerals as those already described indicate the same or substantially the same parts, and the description thereof is omitted.

  As shown in FIG. 5, the identification information integrated management system (ID integrated management system) 1C of the third modification includes a plurality of service providing systems (service providing servers) 2C and one identification information integrated management server (ID integrated management). Server; management server) 3C. In FIG. 5, only one service providing system 2C is shown, but in reality, two or more service providing systems 2C are provided.

The ID integrated management server 3C is configured in the same manner as the ID integrated management server 3 shown in FIG.
Each service providing system 2C is configured in substantially the same manner as each service providing system 2 shown in FIG. 1, but the registration processing system of each service providing system 2C is the same as each service providing system 2 shown in FIG. A reception unit 201, a storage unit 202, a transmission unit 203, and a reception unit 204 are provided, and a registration completion notification unit 207 is provided instead of the registration completion notification unit 205.

  When the reception unit 204 receives the ID integrated management completion notification from the ID integrated management server 3, the registration completion notification unit 205 in each service providing system 2 shown in FIG. 1 sends the ID integrated management completion notification to the user as a registration completion notification. It was something to be notified.

  On the other hand, the registration completion notification unit 207 in each service providing system 2C of the third modified example is the user's ID and reference biometric data storage unit 202 at the completion of registration in each service providing system 2C. In response to this, registration completion notification is performed. Thus, when the user registration in the storage unit 202 is completed, the notification unit 207 prompts the user at that time without waiting for the reception unit 204 to receive the ID integrated management completion notification from the ID integrated management server 3C. A registration completion notification will be returned.

  Therefore, in the service providing system 2C, if the user registration in the storage unit 202 is completed, the registration completion is notified to the user by the notification unit 207 before the registration control is transferred to the ID integrated management server 3C. The operation of the interface (I / F) with 2C can be terminated. Originally, the user is only intended for user registration in the service providing system 2C, and there is no need to be aware of the I / F between the service providing system 2C and the ID integrated management server 3C. For this reason, by using the above-described notification unit 207, a registration completion notification can be returned to the user immediately after completion of user registration in the storage unit 202, and the ID integrated management server emphasizes response performance to the user. ID management can be performed.

[2-5] Fourth Modified Example of Registration Processing System FIG. 6 shows a fourth modified example of the identification information integrated management system (registration processing system of the service providing system and the identification information integrated management server) as an embodiment of the present invention. It is a block diagram which shows a structure. In FIG. 6, the same reference numerals as those already described indicate the same or substantially the same parts, and the description thereof is omitted.

  As shown in FIG. 6, the identification information integrated management system (ID integrated management system) 1D of the fourth modified example includes a plurality of service providing systems (service providing servers) 2D and one identification information integrated management server (ID integrated management). Server; management server) 3D. In FIG. 6, only one service providing system 2D is shown, but actually two or more service providing systems 2D are provided.

  Since the ID integrated management server 3D is configured in the same manner as the ID integrated management server 3 shown in FIG. 1, detailed description thereof is omitted. Here, the ID integrated management completion notifying unit 307 in the ID integrated management server 3D of the fourth modified example performs substantially the same function as described above with reference to FIG. However, the ID integrated management completion notifying unit 307 of the fourth modification notifies the update result of the management table 301a by the updating unit 306 to the service providing system 2D in which the user has registered ID and reference biometric data. It functions as an update result notification unit. The update result includes success / failure information for notifying whether the update unit 306 has succeeded or failed in registration in the management table 301a.

  Each service providing system 2D is configured in substantially the same manner as each service providing system 2C shown in FIG. 5, but the registration processing system of each service providing system 2D is the same as each service providing system 2C shown in FIG. In addition to the reception unit 201, the storage unit 202, the transmission unit 203, the reception unit 204, and the registration completion notification unit 207, an ID integrated management success / failure determination unit 208 is further added.

  Here, the receiving unit 204 performs substantially the same function as described above with reference to FIG. 1, but here, the success / failure information from the ID integrated management server 3D (notification unit 307) is received. It functions as an update result receiving unit that receives an update result including it.

  An ID integrated management success / failure determination unit (update result determination unit) 208 determines whether the success / failure information included in the update result received by the reception unit 204 is success or failure. When the determination result is unsuccessful, that is, when the update unit 306 fails to register in the management table 301a, the determination unit 208 ID-integrates the registration ID and registration target reference biometric data that failed to be updated in the transmission unit 203. The management server 3D is retransmitted. On the other hand, if the determination result is successful, that is, if the update unit 306 has succeeded in registration in the management table 301a, the determination unit 208 performs no processing.

  By providing such a determination unit 208, when ID integrated management fails for some reason in the ID integrated management server 3D, the ID management process (registration process) is retried from the service providing system 2D to the ID integrated management server 3D. (Request again).

  In the system 1D of the fourth modified example, as in the third modified example, if the user registration in the storage unit 202 is completed in the service providing system 2D, the notification unit 207 is transferred before the registration control is transferred to the ID integrated management server 3D. The user is notified of the completion of registration, and the operation of the interface (I / F) between the user and the service providing system 2D is terminated.

  For this reason, in the unlikely event that registration processing (ID integrated management) in the management table 301a fails in the ID integrated management server 3D, the I / F operation between the user and the service providing system 2D has ended. The user cannot be immediately requested to re-enter the ID or biometric data.

  Therefore, by using the determination unit 208 described above, when the registration processing in the management table 301a fails in the ID integrated management server 3D, the ID integrated management server 3D is requested to perform ID integrated management again for the same registration contents. Is possible. Thereby, while emphasizing the response performance to the user, the ID integrated management can be reliably performed by retrying when the integrated ID management fails.

[2-6] Fifth Modification of Registration Processing System FIG. 7 shows a fifth modification of the identification information integrated management system (registration processing system of the service providing system and the identification information integrated management server) as an embodiment of the present invention. FIG. 8 is a diagram showing a configuration example of a management table in the ID integrated management server shown in FIG. In FIG. 7, the same reference numerals as those described above indicate the same or substantially the same parts, and the description thereof is omitted.

  As shown in FIG. 7, the identification information integrated management system (ID integrated management system) 1E of the fifth modification includes a plurality of service providing systems (service providing servers) 2E and one identification information integrated management server (ID integrated management). Server; management server) 3E. In FIG. 7, only one service providing system 2E is shown, but actually two or more service providing systems 2E are provided.

  Each service providing system 2E is configured in substantially the same manner as each service providing system 2 shown in FIG. 1, but the registration processing system of each service providing system 2E is the same as each service providing system 2 shown in FIG. In addition to the reception unit 201, the storage unit 202, the transmission unit 203, the reception unit 204, and the registration completion notification unit 205, a service providing system identification unit 209 is further added.

  Since the ID integrated management server 3E is configured in the same manner as the ID integrated management server 3 shown in FIG. 1, its detailed description is omitted. However, the reference biometric data / ID management unit (storing unit) 301 in the ID integrated management server 3E of the fifth modified example replaces the management table 301a as shown in FIG. 1 with a management as shown in FIG. A table 301b is used.

  Here, in the management table 301b used in the fifth modified example, as shown in FIG. 8, as in the management table 301a shown in FIG. A record with a management number is created. Each record includes a field for storing reference biometric data, and a plurality of ID storage fields for storing IDs (registration target IDs) associated with the reference biometric data.

  In the management table 301b used in the fifth modification, a plurality of ID storage fields in each record are set so that IDs for different service providing systems A, B, C, D, E,. Has been. That is, in the management table (storage unit) 301b, a plurality of fields for registering and storing registered IDs corresponding to the plurality of service providing systems 2E are set in one record corresponding to registered reference biometric data. Has been.

  In the management table 301b shown in FIG. 8, five records to which management Nos. 000001 to 000005 are assigned are illustrated. For example, in one record assigned management No. 000001, five different IDs “ikegami01” and “ikegami01” are stored in five ID storage fields respectively corresponding to the five service providing systems A, B, C, D, and E. “j_ikegami”, “980116”, “00980116”, and “ikegami” are registered and stored.

  The service providing system identification unit 209 added to each service providing system 2E notifies the ID integrated management server 3E of identification information (system ID) for specifying each service providing system 2E belonging to the system 1E. It is. Based on the system ID notified from the service providing system identifying unit 209, the ID integrated management server 3E causes the service providing system 2E that has made a user registration request through the transmitting unit 203 to perform the service providing systems A, B, and C shown in FIG. , D, E,... Can be specified.

  Then, the update unit 306 in the ID integrated management server 3E of the fifth modified example sets the registration target ID as a registered ID in the ID storage field corresponding to the service providing system 2E that has transmitted the registration target ID in the management table 301b. Register and save. That is, in the update unit 306 and the management table 301b, the service providing system 2E that transmitted the registration target ID (the system 2E that has made the user registration request) is notified of the system ID notified from the service providing system identifying unit 209 of the system 2E. Specified based on. Then, the update unit 306 stores the registration target ID in the ID storage field corresponding to the identified system 2E.

  According to the registration process in the system 1E of the fifth modified example, the registration method to the management table 301b using the system ID is adopted, and the service providing system 2E using the ID registered in the management table 301b and the ID is used. Are clearly associated and managed. Note that the flow of the registration process is the same as the flow of the registration process described with reference to FIG. 1 except for associating the registered ID with the service providing system 2E in the management table 301b.

  In this way, each ID storage field in the management table 301b of the ID integrated management server 2E is associated with each of the plurality of service providing systems 2 on a one-to-one basis, while associating the registered ID with the service providing system 2E. Integrated management of ID can be performed.

[2-7] One Embodiment of Collation Processing System FIG. 9 is a block diagram showing a configuration of an identification information integrated management system (a collation processing system of a service providing system and an identification information integrated management server) as one embodiment of the present invention. is there.

  The verification processing system shown in FIG. 9 is provided in the ID integrated management systems 1, 1A, 1B, 1C, 1D, and 1E described with reference to FIGS. 1 and 3 to 7. That is, the verification processing system shown in FIG. 9 includes the service providing systems 2, 2A, 2B, 2C, 2D, 2E and the ID integrated management server having the registration processing system described with reference to FIG. 1 and FIGS. 3, 3A, 3B, 3C, 3D, 3E.

  In FIG. 9, only one service providing system 2, 2A, 2B, 2C, 2D, 2E is shown, but two or more are actually provided. In the following description, in order to simplify the description, reference numerals 1, 1A, 1B, 1C, 1D, 1E of the ID integrated management system are represented by reference numeral 1, and reference numerals 2, 2A, 2B, 2C indicating the service providing system are represented. , 2D, 2E are represented by reference numeral 2, and reference numerals 3, 3A, 3B, 3C, 3D, 3E of the ID integrated management server are represented by reference numeral 3.

  As shown in FIG. 9, the collation processing system of the service providing system 2 includes the storage unit 202 described above with reference to FIG. 1, an ID / collation biometric data receiving unit 211, a specified ID existence confirmation unit. 212, a reference biometric data reference unit 213, a biometric data comparison / collation unit 214, a comparison result determination unit 215, an ID / collation biometric data transmission unit 216, a processing result reception unit 217, and a personal authentication result notification unit 218 are provided. It has been.

  9, the collation processing system of the ID integrated management server 3 includes the management table 301a described above with reference to FIGS. 1 and 2, or the management described above with reference to FIGS. A management unit 301 having a table 301b is provided.

  Further, the collation processing system of the ID integrated management server 3 includes, in addition to the management unit 301, an ID / collation biometric data receiving unit 311, a designated ID existence confirmation unit 312, a management table reference biometric data reference unit 313. , A biometric data comparison unit 314, a comparison result determination unit 315, a candidate ID group creation unit 316, and an ID integrated management server processing result notification unit 317 are provided.

  The ID / collation biometric data receiving unit 211 receives collation data from a user when the user logs into the service provision system 2 in order to receive the service provided by each service provision system 2. The verification data includes a verification ID that should be registered in the service providing system 2 and predetermined verification biometric data (verification biometric information) obtained from a predetermined biological part of the user. It is. The receiving unit 211 may also be used as the receiving unit 201 shown in FIG.

  The designated ID existence confirmation unit 212 searches the storage unit 202 with the collation ID received by the reception unit 211 and confirms whether an ID that matches the collation ID is registered in the storage unit 202. It is. Further, the designated ID existence confirmation unit 212 also functions as a search unit described later.

  The reference biometric data reference unit 213, when the presence of an ID that matches the ID for verification is confirmed by the designated ID existence confirmation unit 212, the reference biometric data associated with the ID is stored in the storage unit 202. The data is read from the storage unit 202 with reference.

  The biometric data comparison / collation unit 214 compares and collates the reference biometric data read by the reference unit 213 with the collation biometric information input by the user and received by the reception unit 211. The biometric data comparison / collation unit 214 also functions as a third comparison unit described later.

  The comparison result determination unit 215 determines that the user has been successfully authenticated when the reference biometric data matches the reference biometric data as a result of the comparison / collation by the comparison / collation unit 213. Further, the comparison result determination unit 215 also functions as a third determination unit described later.

  The personal authentication result notifying unit 218 notifies the user of various information in addition to the personal authentication result. When the comparison result determining unit 215 determines that the personal authentication is successful, the user authentication result notifying unit 218 notifies the user. To notify. Further, as will be described later, the personal authentication result notification unit 218 has a function of notifying the user of the determination result by the function as the third determination unit of the comparison result determination unit 215 and the processing result from the ID integrated management server 3, It also functions as an ID notification unit to be described later. The notification unit 218 may also be used as the notification unit 205 illustrated in FIG.

  The ID / collation biometric data transmission unit (collation information transmission unit) 216 receives the collation ID and the collation biometric data received by the reception unit 211 for the following cases 1 or 2 in the ID integrated management server 3. To send to. The transmission unit 216 may also be used as the transmission unit 203 shown in FIG.

  Case 1: Prior to the start of provision of a predetermined service (when logging in to the service providing system 2), when performing personal authentication using the verification ID and verification biometric data entered by the user, the verification ID is When not registered in the service providing system 2 (storage unit 202). That is, the specified ID existence confirmation unit 212 searches the storage unit 202 with the verification ID received by the reception unit 211, and as a result, confirms that an ID that matches the verification ID is not registered in the storage unit 202. if you did this. In this case, it is considered that the collation ID is not registered in the storage unit 202 because the user has entered an incorrect ID or an ID registered in another service providing system 2. .

  Case 2: As a result of the comparison and collation by the comparison and collation unit 213, the reference biometric data and the collation biometric data do not match, and the comparison result determination unit 215 determines that the user authentication has failed. In this case, it is considered that the user inputs an incorrect ID, but the incorrect ID is accidentally registered in the storage unit 202. That is, this is a case where the biometric data for verification and the reference biometric data associated with the wrong ID are compared and collated, resulting in a mismatch determination and failing in personal authentication.

  The ID / collation biometric data receiving unit (collation information receiving unit) 311 receives the collation ID and collation biometric information from each service providing system 2 (transmission unit 216). The receiving unit 311 may also be used as the receiving unit 302 shown in FIG.

  The designated ID existence confirmation unit (confirmation unit) 312 searches the management table 301a (301b) with the collation ID received by the reception unit 311 and an ID that matches the collation ID is stored in the management table 301a (301b). This is to check whether or not it exists.

  When the designated ID existence confirmation unit 312 confirms the presence of an ID that matches the matching ID, the reference biometric data reference unit 313 includes one or more associated with the ID in the management table 301a (301b). The registered reference biometric data is referred to and read from the management table 301a (301b). That is, the registered reference biometric data registered in the biometric data field (see FIGS. 2 and 8) in the record holding the ID is read.

  At this time, if the same ID exists in the ID storage field in different records, a plurality of registered reference biometric data in different records are read out. When the confirmation unit 312 does not confirm the presence of an ID that matches the verification ID, the confirmation unit 312 notifies the notification unit 317 described later. The reference unit 313 may also be used as the reference unit 303 shown in FIG.

  The biometric data comparison unit (second comparison unit) 314 uses one or more registered reference biometric data read from the management table 301a (301b) by the reference unit 313 and the verification data received by the reception unit 311. This is to compare with biometric data. The comparison unit 314 may also be used as the comparison unit 304 shown in FIG.

  The comparison result determination unit (second determination unit) 315 stores, in the management table 301a (301b), the presence / absence of registered reference biometric data that matches the verification biometric data based on the comparison result of the comparison unit 314. Or not). The determination unit 315 may also be used as the determination unit 305 shown in FIG.

The candidate ID group creation unit (list creation unit) 316 is registered in the management table 301a (301b) when the determination unit 315 determines that registered reference biometric data that matches the matching biometric data exists. One or more registered IDs associated with the reference biometric data are extracted as candidate IDs to create a candidate ID list.

  The ID integrated management server processing result notifying unit (processing result notifying unit) 317 uses the candidate ID list (candidate ID group) created by the creating unit 316 as the processing result, and the source of the collating ID and collating biometric data The service providing system 2 is notified. When the confirmation unit 312 does not confirm the presence of the ID that matches the verification ID, the notification unit 317 uses the verification result and the verification biometric as a processing result indicating that the user authentication has failed. It also fulfills the function of notifying the service providing system 2 of the data transmission source. Further, when the determination unit 315 determines that there is no registered reference biometric data that matches the biometric data for verification, the notification unit 317 indicates that the user authentication has failed as a processing result. It also fulfills the function of notifying the service providing system 2 of the source of the verification ID and verification biometric data. The notification unit 317 may also be used as the notification unit 307 illustrated in FIG.

  The processing result receiving unit 217 receives a processing result from the ID integrated management server 3 (notification unit 317). The receiving unit 217 may also be used as the receiving unit 204 illustrated in FIG.

  After the reception unit 217 receives the processing result from the ID integrated management server 3 (notification unit 317), the above-described designated ID existence confirmation unit 212, reference biometric data reference unit 213, biometric data comparison / collation unit 214, The comparison result determination unit 215 and the personal authentication result notification unit 218 perform the following functions.

  When the candidate ID list is included in the processing result received by the receiving unit 217, the designated ID existence confirmation unit 212 is registered in the storage unit 202 from one or more candidate IDs in the candidate ID list. It functions as a search unit that searches for items that match the ID.

  When the confirmation unit 212 confirms the presence of a candidate ID that matches the registered ID of the storage unit 202, the reference biometric data reference unit 213 associates the reference biometric data reference unit 213 with the ID in the storage unit 202. The metric data is referred to and read from the storage unit 202.

  The biometric data comparison / collation unit 214 functions as a third comparison unit that compares the reference biometric data read by the reference unit 213 and the collation biometric data input by the user and received by the reception unit 211. To do.

  The comparison result determination unit 215 functions as a third determination unit that determines that the user has been successfully authenticated if the reference biometric data matches the verification biometric data as a result of the comparison by the comparison / collation unit 214. To do. On the other hand, the comparison result determination unit 215 determines whether the confirmation unit 212 has confirmed that there is a candidate ID that matches the registered ID of the storage unit 202 or the result of the comparison by the comparison collation unit 214 indicates that the reference bio When the metric data and the matching biometric data do not match, it also functions as a third determination unit that determines that the user authentication has failed.

  The personal authentication result notifying unit 218 notifies the user of the determination result (success / failure of personal authentication) by the determination unit 215 and that the processing result received by the receiving unit 217 has failed to authenticate the user. In the case of indicating the above, the function of notifying the user to that effect is fulfilled.

  Furthermore, when the identity authentication result notifying unit 218 determines that the user identity has been successfully authenticated by the determining unit 215, the identity authentication result notifying unit 218 sets the match ID searched and confirmed by the confirming unit 212 to be correct for the user in the service providing system 2. As identification information, you may function as an ID notification part which notifies a user.

  Next, the operation of the collation processing (collation processing system of the service providing system 2 and the ID integrated management server 3) of the ID integrated management system 1 of the present embodiment configured as described above will be described.

  In each service providing system 2, prior to the start of provision of a predetermined service, personal authentication is performed using the verification ID and verification biometric data input by the user. More specifically, when the user logs in to the service providing system 2, the user inputs the collating ID and the collating biometric data as collating data, and each service providing system 2 uses the collating data to Start providing services after authenticating your identity.

  At this time, in each service providing system 2, when the data for verification is received from the user (client) by the receiving unit 211, whether or not the ID designated by the user is an ID registered in the storage unit 202 is confirmed by the confirmation unit 212. Is confirmed. When the presence of the ID is confirmed, the reference unit 213 reads the reference biometric data associated with the ID from the storage unit 202, and the reference biometric data and the matching biometric data are The comparison / collation is performed by the comparison / collation unit 214.

  As a result of the comparison and collation by the comparison and collation unit 214, when the reference biometric data matches the collation biometric data, the determination unit 215 determines that the user authentication has been successful. As described above, when the personal authentication is successful, the service providing system 2 starts providing a predetermined service to the user and completes a series of collation processes.

  On the other hand, as a result of the comparison / collation by the comparison / collation unit 214, if the reference biometric data does not match the collation biometric data, the determination unit 215 determines that the user authentication has failed. As described above, in any case where the authentication failure is determined in this way, or the confirmation unit 212 determines that the verification ID is not registered in the storage unit 202, as described above, the user's ID designation error there is a possibility. Therefore, in any case, the transmitting unit 216 transmits the verification data received from the user to the ID integrated management server 3 as it is.

  In the ID integrated management server 3, when the receiving unit 311 receives the verification data, the confirmation unit 312 searches all the ID management fields (all ID storage fields) in all the records of the management table 301a (301b) and receives them. It is confirmed whether or not an ID that matches the verification ID exists in the management table 301a (301b).

  If the confirmation unit 312 does not confirm the presence of the ID, the notification unit 317 notifies the user of the failure of the personal authentication through the notification unit 218 of the service providing system 2, and the process ends.

  When the presence of the ID is confirmed by the confirmation unit 312, the reference biometric data in one or more records holding the ID is read by the reference unit 313. Then, the read-out reference biometric data is compared with the verification biometric data passed from the service providing system 2 by the comparison unit 314. Based on the result of the comparison and collation, the determination unit 315 determines whether or not reference biometric data that matches the biometric data for collation is stored in the management table 301a (301b).

  If the determination unit 315 determines that the matching reference biometric data is not stored, the notification unit 317 notifies the user of the failure of personal authentication through the notification unit 218 of the service providing system 2 and performs processing. End.

  When the determination unit 315 determines that the matching reference biometric data is stored, the candidate ID group creation unit 316 refers to the management table 301a (301b) and associates the reference biometric data with the reference biometric data. One or more IDs obtained are read out as candidate IDs and listed. The candidate ID list (candidate ID group) created in this way is returned from the notification unit 317 to the service providing system 2 (processing result receiving unit 217) as a processing result.

  In the service providing system 2, when the processing result reception unit 217 receives the processing result including the candidate ID list as described above from the ID integrated management server 3 (notification unit 317), the operation is performed as follows.

Among the one or more candidate IDs in the candidate ID list, one that matches the ID registered in the storage unit 202 is searched and confirmed by the confirmation unit 212.
If no matching ID exists in the candidate ID list, the user who has logged in this time has registered as a user in another service providing system, but the user providing the service providing system 2 is not registered. It can be determined that the person is not. Accordingly, since the service of the service providing system 2 cannot be started, the user authentication failure is returned to the user via the notification unit 218, and the process is terminated.

  On the other hand, if there is a matching ID in the candidate ID list, the reference unit 213 reads the reference biometric data associated with the ID. Then, the reference biometric data and the comparison biometric data input by the user are compared and collated by the comparison / collation unit 214, and the determination unit 215 determines whether the personal authentication is successful / failed based on the comparison / collation result. Is done by.

  At this time, there may be a plurality of IDs in the storage unit 202 that match the IDs in the candidate ID list. In such a case, each of a plurality of reference biometric data associated with a plurality of IDs is compared with the verification biometric data.

  If the collation biometric data does not match any of the plurality of reference biometric data read out, an ID that matches the ID in the candidate ID list exists in the storage unit 202. Can be determined by the determination unit 215 that it is not of the user who logged in this time. Therefore, in this case, the user authentication failure is notified to the user via the notification unit 218, and the process ends.

  On the other hand, when the matching biometric data is matched with any one of the plurality of reference biometric data read out, the matching ID input by the user is the ID registered in the service providing system 2 However, the user who logged in this time can be recognized as the user himself / herself.

  Accordingly, in this case, the user authentication is performed by the determination unit 215 as a successful authentication, and the service providing system 2 starts a predetermined service for the user and completes a series of processing. That is, even if the verification ID entered by the user is not registered in the service providing system 2 (storage unit 202), the above case can be recognized as the principal. As a result, even if the user tries to log in to the target service providing system 2 and enters the wrong ID registered in a different system, the information managed in the management table 301a (301b) is used. It is possible to reliably identify the correct ID and perform identity authentication.

  At this time, when the management table 301b described with reference to FIGS. 7 and 8 is used instead of the management table 301a as in the ID integrated management server 3E, the following operational effects can be obtained. . In the management table 301b, an ID storage field is set corresponding to each of the plurality of service providing systems 2E in each record. For this reason, even if the user inputs an incorrect ID to each service providing system 2E, the ID integrated management server 3 reliably identifies the correct ID to the corresponding service providing system 2E using the system ID. Can do. That is, the ID registered in the management table 301b is determined based on the system ID of the service providing system 2E requested to perform the authentication process (ID notified from the identification unit 209). Thereby, when the management table 301b is used, instead of returning a plurality of IDs as candidate IDs from the ID integrated management server 3 side and specifying a unique ID on the service providing system 2 side, on the ID integrated management server 3E side, It is possible to specify a unique ID to the service providing system 2E to which the user intends to log in.

  Further, in the present system 1, the user mistakenly inputs an ID registered in a different service providing system 2 in order to log in to the target service providing system 2. However, as described above, the correct ID is identified and the user authentication is performed. If successful, a predetermined service is started, and the notification unit 218 notifies the user of the correct ID. That is, in the service providing system 2, when the user makes an ID input mistake, the user can be notified of the correct ID that should be input at the same time as the predetermined service is started. Therefore, the user can avoid an ID input mistake from the next time.

  In the service providing system 2 as described above, when the user authentication is successful, the predetermined service is not started, and the notification unit 218 notifies the user of the correct ID, whereby the user confirms the ID (service ) Can also be realized. Such a system, for example, confirms the ID when the user has forgotten the ID of the target service providing system 2 even though the ID registered in the other service providing system 2 is stored. Can only be used for processing. That is, if the user does not intend to receive service provision but wishes to confirm the correct ID, the user registers the ID registered in the other service provision system 2 and his / her biometric data with respect to the target service provision system 2. Input as verification data. Thereby, without starting a predetermined service, the correct ID is specified and notified to the user as described above, and the user can know the correct ID of the target service providing system 2.

[2-8] Example of Applying Encrypted Communication to This System FIG. 10 shows an example configuration in which encrypted communication is applied to the ID integrated management system (registration processing system of the service providing system and ID integrated management server) shown in FIG. FIG. 11 is a block diagram showing a configuration of an example in which encrypted communication is applied to the ID integrated management system (the verification processing system of the service providing system and the ID information integrated management server) shown in FIG. 10 and 11, the same reference numerals as those already described indicate the same or substantially the same parts, and the description thereof is omitted.

  The identification information integrated management system (ID integrated management system) 1 ′ shown in FIGS. 10 and 11 includes a plurality of service providing systems (service providing servers) 2 ′ and one identification information integrated management server (ID integrated management server; management). Server) 3 '. In FIG. 10, only one service providing system 2 ′ is shown, but actually two or more service providing systems 2 ′ are provided.

  The system 1 'shown in FIGS. 10 and 11 is an example in which encrypted communication is applied to the systems 1, 1A to 1E described above with reference to FIGS. In this system 1 ', it is assumed that the user inputs the ID and biometric data that are used for personal authentication in an encrypted manner. In other words, the encrypted communication applied to the system 1 ′ is intended to prevent impersonation of the user himself / herself by encrypting the ID and biometric data input from the user to the service providing system 2 ′. Yes.

The system 1 'shown in FIG. 10 corresponds to the system 1 shown in FIG. 1, but the encrypted communication described here is similarly applied to the systems 1A to 1E shown in FIGS. It goes without saying that it is done.
Since the ID integrated management server 3 ′ is configured in the same manner as the ID integrated management server 3 shown in FIGS. 1 and 9, the description thereof is omitted.

  As shown in FIG. 10, the registration processing system of each service providing system 2 ′ is configured in substantially the same manner as the registration processing system of each service providing system 2 shown in FIG. 1, but the registration of each service providing system 2 ′ is performed. In the processing system, in addition to the reception unit 201, the storage unit 202, the transmission unit 203, the reception unit 204, and the registration completion notification unit 205 similar to each service providing system 2 shown in FIG. 1, an ID / reference biometric data decoding unit 221 is further added.

  Further, as shown in FIG. 11, the verification processing system of each service providing system 2 ′ is configured in substantially the same manner as the verification processing system of each service providing system 2 shown in FIG. 9, but each service providing system 2 ′. In the verification processing system, the reception unit 211, the confirmation unit 212, the reference unit 213, the comparison verification unit 214, the determination unit 215, the transmission unit 216, the reception unit 217, and the notification unit are the same as those in each service providing system 2 shown in FIG. In addition to 218, an ID / collation biometric data decoding unit 222 is further added.

  The ID / reference biometric data decryption unit 221 decrypts the encryption registration data (encrypted ID and encrypted reference biometric data from the user) received by the reception unit 201. Similarly, the ID / collation biometric data decryption unit 222 decrypts the encryption collation data (encrypted ID and encryption collation biometric data from the user) received by the reception unit 211. Note that these decoding units 221 and 222 may be shared. Further, the processes after the decoding process by these decoding units 221 and 222 are the same as the processes described above with reference to FIGS.

  In this system 1 ′, a series of processing requests from the user (client) to the service providing system 2 ′ is performed in a state where the ID and biometric data are encrypted. Therefore, in the service providing system 2 ′, at the time of user registration, the encrypted data from the user is decrypted by the decryption unit 221 and then a series of registration processing is performed. Similarly, in the service providing system 2 ′, at the time of user verification at the time of login, encrypted data from the user is decrypted by the decryption unit 222 and then a series of verification processing is performed.

By performing such encrypted communication, it is possible to prevent impersonation of the user himself / herself.
Since the configuration for performing encryption when transmitting data from the user (client) is known, the description thereof is omitted. The data encryption method is not particularly limited, and a known method can be used.

[2-9] Another example in which encrypted communication is applied to this system FIG. 12 is another example in which encrypted communication is applied to the ID integrated management system (registration processing system of the service providing system and the ID integrated management server) shown in FIG. FIG. 13 is a block diagram showing a configuration of another example in which encrypted communication is applied to the ID integrated management system (the verification processing system of the service providing system and the ID integrated management server) shown in FIG. 10 and 11, the same reference numerals as those already described indicate the same or substantially the same parts, and the description thereof is omitted.

  The identification information integrated management system (ID integrated management system) 1 ″ shown in FIGS. 12 and 13 includes a plurality of service providing systems (service providing servers) 2 ″ and one identification information integrated management server (ID integrated management server; management). Server) 3 ″. In FIG. 10, only one service providing system 2 ″ is shown, but in practice, two or more service providing systems 2 ″ are provided.

  The system 1 ″ shown in FIG. 12 and FIG. 13 is another example in which encrypted communication is applied to the systems 1, 1A to 1E described above with reference to FIGS. On the assumption that ID and biometric data used for personal authentication are encrypted and data exchanged between the service providing system 2 ″ and the ID integrated management server 3 ″ is encrypted. It has become.

  That is, the encrypted communication applied to the system 1 ″ is for the purpose of preventing impersonation of the user himself / herself by encrypting the ID and biometric data input from the user to the service providing system 2 ″. Yes. The purpose of the encrypted communication applied to the system 1 ″ is to prevent data tampering by encrypting data between the service providing system 2 ″ and the ID integrated management server 3 ″.

  The system 1 ″ shown in FIG. 13 corresponds to the system 1 shown in FIG. 1, but the encrypted communication described here is similarly applied to the systems 1A to 1E shown in FIGS. It goes without saying that it is done.

  As shown in FIG. 12, the registration processing system of each service providing system 2 ″ is configured in substantially the same manner as the registration processing system of each service providing system 2 shown in FIG. In the processing system, a communication data decoding unit 223 is further added in addition to the reception unit 201, the storage unit 202, the transmission unit 203, the reception unit 204, and the registration completion notification unit 205 similar to the service providing systems 2 shown in FIG. ing.

  Further, as shown in FIG. 12, the registration processing system of the ID integrated management server 3 ″ is substantially the same as the registration processing system of the ID integrated management server 3 shown in FIG. In addition to the management unit 301, the reception unit 302, the reference unit 303, the comparison unit 304, the determination unit 305, the update unit 306, and the notification unit 307 similar to the ID integrated management server 3 shown in FIG. A data decryption unit 321 and a communication data encryption unit 322 are further added.

  On the other hand, as shown in FIG. 13, the verification processing system of each service providing system 2 ″ is configured in substantially the same manner as the verification processing system of each service providing system 2 shown in FIG. In the verification processing system, the reception unit 211, the confirmation unit 212, the reference unit 213, the comparison verification unit 214, the determination unit 215, the transmission unit 216, the reception unit 217, and the notification unit are the same as those in each service providing system 2 shown in FIG. In addition to 218, a communication data decryption unit 224, a communication data encryption unit 225, a communication data decryption unit 226, and a communication data encryption unit 227 are further added.

  Further, as shown in FIG. 13, the verification processing system of the ID integrated management server 3 ″ is configured in substantially the same manner as the verification processing system of the ID integrated management server 3 shown in FIG. 9, but the ID integrated management server 3 ″. In the verification processing system of FIG. 9, in addition to the reception unit 311, the confirmation unit 312, the reference unit 313, the comparison unit 314, the determination unit 315, the creation unit 316, and the notification unit 317, which are the same as those of the ID integrated management server 3 illustrated in FIG. A data decryption unit 323 and a communication data encryption unit 324 are further added.

  The communication data decryption unit 223 decrypts the encryption registration data (encryption ID and encryption reference biometric data from the user) received by the reception unit 201. Similarly, the communication data decryption unit 224 decrypts the encryption verification data (encryption ID and encryption verification biometric data from the user) received by the reception unit 211. The communication data decryption unit 226 decrypts the encryption processing result received by the reception unit 217. Note that these decoding units 223, 224, and 226 may be shared.

  The communication data encryption unit 225 encrypts information (the verification ID and the verification biometric data) to be transmitted to the ID integrated management server 3 ″ by the transmission unit 216. The communication data encryption unit 227 encrypts information (such as an authentication result) to be notified to the user by the notification unit 218. Note that these encryption units 225 and 227 may be shared.

  Similar to the communication data decryption unit 223, the communication data decryption unit 321 decrypts the encryption registration data received by the reception unit 302. In each service providing system 2 ″, the transmission unit 203 transmits the encrypted registration data received by the reception unit 201 as it is. The communication data encryption unit 322 also transmits the notification unit 307. This encrypts information to be notified to the service providing system 2 ″. In each service providing system 2 ″, the encrypted information from the ID integrated management server 3 ″ is directly notified to the user via the receiving unit 204 and the notification unit 205.

  The communication data decryption unit 323 decrypts the encryption verification data received by the reception unit 311. The communication data encryption unit 324 encrypts information to be notified to the service providing system 2 ″ by the notification unit 317.

  Note that the communication data decryption units 321 and 323 described above may be shared, and the communication data encryption units 322 and 324 described above may also be shared. The processing other than the decryption processing by the decryption units 223, 224, 226, 321, and 323 and the encryption processing by the encryption units 225, 227, 322, and 324 is described above with reference to FIGS. Since the processing is the same as that described above, the description thereof is omitted.

  In the system 1 ″ as well, as in the system 1 ′ described above, a series of processing requests from the user (client) to the service providing system 2 ″ is performed with the ID and biometric data encrypted. Therefore, in the service providing system 2 ″, at the time of user registration, encrypted data from the user is decrypted by the communication data decryption unit 223, and then a series of registration processes are performed. At the time of user registration, encryption from the user is performed. The data is transmitted as it is from the service providing system 2 ″ to the ID integrated management server 3 ″. In the ID integrated management server 3 ″, the received encrypted data is decrypted by the communication data decryption unit 321 and then a series of registration processes. Is done. Further, the completion notification of the ID integrated management server 3 ″ is encrypted by the communication data encryption unit 322, and then notified to the service providing system 2 ″ by the notification unit 307. Then, the notification of the completion of encryption is notified to the user as it is via the reception unit 204 and the notification unit 205 of the service providing system 2 ″.

  Similarly, in the service providing system 2 ″, at the time of user verification at login, encrypted data from the user is decrypted by the communication data decryption unit 224, and then a series of verification processing is performed. The authentication result is encrypted by the communication data encryption unit 227 and then notified to the user by the notification unit 218. When the verification data is transmitted from the service providing system 2 ″ to the ID integrated management server 3 ″ at the time of user verification. The verification data is encrypted by the communication data encryption unit 225 and then transmitted by the transmission unit 216. In the ID integrated management server 3 ″, the received encrypted data is transmitted by the communication data decryption unit 323. After decryption, a series of collation processes are performed. Further, the processing result in the ID integrated management server 3 ″ (which may include a candidate ID list) is encrypted by the communication data encryption unit 324 and then notified to the service providing system 2 ″ by the notification unit 317. The result of the encryption process is received by the receiving unit 217 of the service providing system 2 ″ and decrypted by the communication data decrypting unit 226, and then a series of processes are performed.

  By performing such encrypted communication, it is possible to prevent impersonation of the user himself / herself and to encrypt data exchanged between the service providing system 2 ″ and the ID integrated management server 3 ″. Data can be prevented from being falsified.

  Since the configuration for performing encryption when transmitting data from the user (client) is known, the description thereof is omitted. The data encryption method is not particularly limited, and a known method can be used. Furthermore, as the encryption method by the communication data decryption units 223, 224, 226, 321, 323 and the communication data encryption units 225, 227, 322, 324, all may adopt the same method or different methods. May be. Further, the same encryption method may be adopted for communication between the ID integrated management server 3 ″ and the plurality of service providing systems 2 ″, but the encryption method may be changed for each system 2 ″. When the encryption method is changed, the decryption by an eavesdropper or the like can be made more difficult and the security of communication data can be ensured.

[3] Registration processing procedure and collation processing procedure In the following specific example, a case where fingerprint authentication is performed by using a fingerprint as biometric data may be described. However, the present application is not limited to a fingerprint. Even in a system using an authentication technique based on biometric data other than fingerprints (for example, palm print, vein information, iris, voice print, etc.), the same processing as this application is possible by adopting the technology according to this application. Needless to say, the following effects can be obtained.

[3-1] First Example FIG. 14 is a flowchart for explaining a registration processing procedure by the ID integrated management system (registration processing system of the service providing system and the ID integrated management server) shown in FIG. 1, and FIG. It is a flowchart for demonstrating the collation process sequence by ID integrated management system (The collation processing system of a service provision system and ID integrated management server) shown.

The first example of the registration processing procedure and the collation processing procedure described here relates to the ID integrated management system 1 shown in FIGS. 1 and 9, for example.
In the first example, it is assumed that a plurality of service providing systems 2 that provide services by performing personal authentication by biometric authentication are mixed in an environment used by a user. Under such an environment, the ID registered by the user is dynamically managed by the ID integrated management server 3. As a result, when the same user sets a non-uniform ID for each service providing system 2 and the user uses the service providing system 2, for example, when the user logs in to the service providing system A, another service providing system is erroneously set. Even if the login ID to B is specified, the correct ID can be specified and the personal authentication can be successful. Specific examples thereof will be described below.

  First, at the time of registration in the service providing system 2, the user registers and stores the ID and reference biometric data in a database (DB; storage unit 202) in the service providing system 2, and the management table of the ID integrated management server 3 Also registered in 301a. The flow of the registration processing procedure at that time will be described according to the flowchart shown in FIG. 14 (steps S11 to S13, S21 to S26).

  In order to use the service providing system 2, the user registers an ID used for login and reference biometric data. At this time, since the same ID registration by different users cannot be permitted in one service providing system 2, if there is an ID overlap, the user is warned to set another ID. Since this warning process is publicly known, its description is omitted.

  In this way, the service providing system 2 starts the registration process on the assumption that the IDs are not duplicated in the service providing system 2. When the receiving unit 202 receives the registration target ID and reference biometric data from the user (step S11), the service providing system 2 registers and transmits the ID and reference biometric data in its own database 202. The unit 203 transmits the information to the ID integrated management server 3 (step S12).

  In the ID integrated management server 3, when the receiving unit 302 receives the ID and reference biometric data from the service providing system 2 (step S21), the received reference biometric data and reference to the management table 301a (see FIG. 2). Comparison with the biometric data stored in the biometric data field is performed by the reference unit 303 and the comparison unit 304 (step S22).

  Here, if it is determined by the determination unit 305 that the biometric data for reference in any record does not match (NO route in step S23), the user is not registered in any of a plurality of service providing systems. Accordingly, the update unit 306 adds a new record to the management table 301a, and registers the received reference biometric data and ID in the record (step S24).

  For example, in the management table 301a shown in FIG. 2, it is assumed that the user has sent the ID “takayama” and reference biometric data in a state where no record assigned management No. 000005 has been created. Then, it is assumed that the reference biometric data does not match any biometric data in the records of management No.000001 to management No.000004. In this case, the update unit 306 newly adds a record of management No.000005, registers the received reference biometric data in the reference biometric data field of the record, and sets the ID “takayama” of the record. Register in the ID management field (1).

  If it is determined by the determination unit 305 that the biometric data stored in the reference biometric data field matches the YES (YES route of step S23), the user is in any one of a plurality of service providing systems 2. It can be determined that the user is performing user registration. Therefore, the update unit 306 additionally registers the ID designated by the user in the record having the matched biometric data (step S25).

  For example, in the management table 301a shown in FIG. 2, it is assumed that the ID management field (5) of the management No. 000001 is in an ID unstored state, and the user sends ID “ikegami” and reference biometric data. Then, it is assumed that the reference biometric data matches the biometric data of management No.000001. In this case, the update unit 306 registers the ID “ikegami” designated by the user in the ID management field (5). Of course, if the ID specified by the user has already been registered in the ID management field (n) of the corresponding record, it is needless to say that there is no need to add a new field and therefore no processing is required.

In this way, the ID integrated management server 3 (update unit 306) updates the management table 301a, and notifies the service providing system 2 of the processing completion by the notification unit 307 (step S26).
When the receiving unit 204 receives the processing completion notification from the ID integrated management server 3, the service providing system 2 notifies the user (client) of the registration processing completion by the notification unit 205 (step S13).

  Next, the flow of the verification processing procedure when the user logs in to the service providing system 2 in the environment where the ID is integrated and managed by the ID integrated management server 3 using the management table 301a as described above is shown in FIG. 15 will be described in accordance with the flowchart shown in FIG. 15 (steps S31 to S38, S41 to S48).

  In each service providing system 2, when collation data is received from the user (client) by the receiving unit 211 (step S <b> 31), the confirmation unit 212 determines whether the ID specified by the user is an ID registered in the storage unit 202. Will be confirmed. When the existence of the ID is confirmed, the reference unit 213 reads the reference biometric data associated with the ID from the storage unit 202 (step S32; YES route of step S33), and the reference biometric data. Comparison and collation between the metric data and collation biometric data is performed by the comparison and collation unit 214 (step S34).

  In step S33, if the presence of the received ID or the existence of biometric data associated with the ID is not confirmed (NO route in step S33), the verification data is already processed by the ID integrated management server 3. It is determined whether or not it has been completed (step S38). If not processed (NO route of step S38), the data for verification is transmitted to the ID integrated management server 3 by the transmission unit 216 as described later. If the processing has been completed (YES route in step S38), the notification unit 218 notifies the user that the personal authentication has failed (step S37).

  As a result of the comparison and collation by the comparison and collation unit 214, when the reference biometric data matches the collation biometric data (YES route in step S35), the determination unit 215 determines that the user has been successfully authenticated. The Then, the notification unit 218 notifies the user that the personal authentication has been successful (step S37).

  On the other hand, as a result of the comparison and collation by the comparison and collation unit 214, when the reference biometric data does not match the collation biometric data (NO route in step S35), the collation data is already processed by the ID integrated management server 3 It is determined whether or not it has been completed (step S36). If it has not been processed (NO route of step S36), the data for verification is transmitted to the ID integrated management server 3 by the transmission unit 216 as described later. If the processing has been completed (YES route in step S36), the notification unit 218 notifies the user that the personal authentication has failed (step S37).

  In the ID integrated management server 3, when the collation data is received by the receiving unit 311 (step S41), the confirmation unit 312 sets all ID management fields (all ID storage fields) in all records of the management table 301a (301b). It is searched and it is confirmed whether or not an ID that matches the received verification ID exists in the management table 301a (301b) (step S42). If the presence of the ID is not confirmed by the confirmation unit 312 (NO route in step S43), the notification unit 317 notifies the user of the failure of personal authentication through the notification unit 218 of the service providing system 2 (step S37).

  If the presence of the ID is confirmed by the confirmation unit 312 (YES route in step S43), the reference biometric data in one or more records holding the ID is read by the reference unit 313 (step S44). Then, the read reference biometric data is compared with the verification biometric data passed from the service providing system 2 by the comparison unit 314 (step S45). Based on the result of the comparison and collation, the determination unit 315 determines whether or not reference biometric data that matches the collation biometric data is stored in the management table 301a (301b) (step S46). If the determination unit 315 determines that the matching reference biometric data is not stored (NO route in step S46), the notification unit 317 fails to authenticate the user through the notification unit 218 of the service providing system 2. Is notified (step S37).

  When it is determined by the determination unit 315 that the matching reference biometric data is stored (YES route in step S46), the candidate ID group creation unit 316 refers to the management table 301a (301b) for the reference One or more IDs associated with the biometric data are read and listed as candidate IDs (step S47). The candidate ID list (candidate ID group) created in this way is returned from the notification unit 317 to the service providing system 2 (processing result receiving unit 217) as a processing result (step S48).

  In the service providing system 2, when the processing result reception unit 217 receives the processing result including the candidate ID list as described above from the ID integrated management server 3 (notification unit 317), the operation is performed as follows. That is, one or more candidate IDs in the candidate ID list that match the ID registered in the storage unit 202 are searched and confirmed by the confirmation unit 212 (step S32). If there is no matching ID in the candidate ID list (NO route in step S33 and YES route in step S38), the notification unit 218 notifies the user of the failure of personal authentication (step S37).

  On the other hand, if there is a matching ID in the candidate ID list (YES route in step S33), the reference unit 213 reads the reference biometric data associated with the ID. Then, the reference biometric data and the verification biometric data input by the user are compared and collated by the comparison and collation unit 214 (step S34). Based on the result of the comparison and collation, determination of success / failure of the personal authentication is performed. Is performed by the determination unit 215 (step S35).

  If the matching biometric data does not match any of the read reference biometric data (NO route in step S35 and YES route in step S36), the notification unit 218 informs the user himself / herself. An authentication failure is notified (step S37).

  On the other hand, when the matching biometric data is matched with any one of the plurality of reference biometric data read (YES route in step S35), the matching ID input by the user is provided by this service. Although it is different from the ID registered in the system 2, since the user who has logged in this time can be recognized as the person himself, the notification unit 218 notifies that fact to the user (step S37).

  Up to this point, the series of verification processing procedures has been described with reference to FIG. 15. Next, in particular, information that is managed by the ID integrated management server 3 when an incorrect ID is entered when attempting to log in to the service providing system 2. The process until the correct ID is specified using the ID and the user is authenticated is described in detail.

  In addition, the user's input mistake in this application does not mean the input mistake in a broad sense. The user input error in this application is different from the provision of different services where the IDs of the service providing system 2 to receive the service should be input because the user registration is performed with a plurality of service providing systems 2 with a non-uniform ID. This refers to the case where the ID for the system 2 is entered by mistake.

  Hereinafter, in order to make the explanation easy to understand, the service providing system 2 in which the user logs in to receive the service is referred to as “service providing system A”. In addition, the original registration destination service providing system 2 of the ID that the user has mistakenly input to “service providing system A” is referred to as “service providing system B”.

Furthermore, in the following specific processing explanation, the registration example of the management table 301a shown in FIG. 2 is used. That is, it is assumed that the user who logs in to the service providing system A is a user who matches the biometric data of management No. 000001. Further, the user registers “ikegami01” stored in the ID management field (1) as an ID in the service providing system A, and is stored in the ID management field (2) in the service providing system B. It is assumed that “j_ikegami” is registered. In the following description, the user who intends to use the service providing system A has mistakenly input “j_ikegami” registered in the service providing system B, where “ikegami01” should originally be input as the ID. Assume a case.

  In order to log in to the service providing system A, the user extracts collation biometric data, inputs the collation ID, and accesses the service providing system A. The service providing system A verifies whether the ID that matches the ID received by the receiving unit 211 (that is, “j_ikegami”) is registered as a user in its own DB 202 by the confirmation unit 212 (steps S31 and S32).

  Here, there may be other users who have registered the same ID (“j_ikegami”) in the DB 202. Even if there is an ID in the DB 202 that matches the ID entered incorrectly, the ID is not that of the user itself, but of the other person who previously used that ID. Therefore, even if the same ID exists in the DB 202, the reference biometric data associated with the ID is not that of the user, so the reference biometric data and the user's own verification biometric The result of comparison with data does not match.

  However, at this time, the service providing system A cannot determine whether the user has made a mistake in the ID or whether the user is not registered in the service providing system A. For this reason, the received verification ID and verification biometric data are transmitted to the ID integrated management server 3, and the verification processing is transferred to the ID integrated management server 3 (YES route in step S33, step S34, step NO route of S35 and NO route of step S38).

  Further, even when the received ID itself is not registered in the service providing system A, it cannot be determined whether the user has entered the ID incorrectly or whether the user is not registered in the service providing system A. For this reason, the received verification ID and verification biometric data are transmitted to the ID integrated management server 3, and the verification process is shifted to the ID integrated management server 3 (NO route in step S33 and NO in step S38). root).

  Next, in the ID integrated management server 3 to which processing has been transferred in this way, all ID management fields are searched in the management table 301a, and whether or not an ID that matches the received ID is managed in the management table 301a. Is confirmed (steps S41 and S42). Here, if there is no matching ID (NO route in step S43), the collation processing is shifted to the service providing system A with no matching data, and the service providing system A ends the processing as a personal authentication failure.

  However, in this specific example, “j_ikegami” exists in the ID management field (2) of the record assigned with management No. 000001. Therefore, the ID integrated management server 3 compares the reference biometric data of this record with the biometric data for verification received from the service providing system A, and determines that they are the same user (step S43). YES route, YES route of steps S44, S45 and S46).

If the results of the comparison match (YES route in step S46), all IDs (that is, five IDs of ikegami01 / j_ikegami / 980116/00980116 / ikegami) possessed by the record (that is, the record of management No. 000001) are obtained. Listed (step S47). And that I
Group D notifies the service providing system A as a candidate ID list (step S48). Of course, since “j_ikegami” has already been determined not to match, “j_ikegami” may be excluded at this point.

The service providing system A to which the ID group (candidate ID list) has been returned searches the ID group from its own DB 202 (step S32). Here, “ikegami01” officially registered in the DB 202 is found (NO route in step S33).

However, since the service providing system A receives the ID group from the ID integrated management server 3, there is a possibility that a plurality of IDs in the ID group coincide with a plurality of IDs registered in the DB 202. Therefore, since there is a case where one of the plurality of IDs must be specified, the service providing system A uses the reference biometric data associated with all the matching IDs and the matching biometric data. Is compared (step S34). As a result, in this specific example, the matching biometric data matches the reference biometric data associated with “ikegami01” (YES route in step S35). As a result, even if the user tries to log in to the service providing system A and originally inputs “ikegami01”, he / she mistakenly inputs “j_ikegami” which is the login ID to the service providing system B. The person can be authenticated by reliably identifying the correct ID.

[3-2] Second Example FIG. 16 is a flowchart for explaining a registration processing procedure by the identification information integrated management system (registration processing system of the service providing system and the identification information integrated management server) shown in FIG. FIG. 9 illustrates a verification processing procedure performed by the identification information integrated management system (the verification processing system of the service providing system and the identification information integrated management server) illustrated in FIG. 9, which is performed using the management table illustrated in FIG. It is a flowchart for doing.

The second example of the registration processing procedure and the collation processing procedure described here relates to the ID integrated management system 1E shown in FIGS. 7 and 9, for example.
Also in this second example, it is assumed that a plurality of service providing systems 2E that provide services by performing personal authentication by biometric authentication are mixed in the environment used by the user. Under such an environment, the ID registered by the user is dynamically managed by the ID integrated management server 3E as in the first example. In the management table 301a of the first example, the ID is not associated with each service providing system 2, but the ID registered in the service providing system 2 is associated with the reference biometric data, and the ID management field is sequentially set. Added and managed ID. On the other hand, in the ID management table 301b of the second example, the ID storage field and the service providing system 2E are associated one-to-one based on the system ID from the identification unit 209. As a result, even if, for example, a login ID to another service providing system B is erroneously designated when logging in to the service providing system A, the correct unique ID can be specified on the ID integrated management server 3E side. Specific examples thereof will be described below.

  Of course, the means for linking each service providing system 2E and the ID integrated management server 3E (management table 301b) may be linked by automatic processing or manually by the system administrator. Detailed description of the means will be omitted. In the present embodiment, as described above with reference to FIG. 7, the ID storage field in the management table 301b of the ID integrated management server 3E is specified by the system ID from the identification unit 209. At this time, in the management table 301b, as shown in FIG. 8, each ID management field and each service providing system 2E are linked one to one.

  In the state where the ID integrated management server 3E and the service providing system 2E are linked as described above, first, the flow of the registration processing procedure will be described according to the flowchart (steps S51 to S53, S61 to S66) shown in FIG.

  As in the first example, the user registers an ID used for login and reference biometric data in order to use the service providing system 2E. Also in the second example, the service providing system 2E starts the registration process on the assumption that IDs do not overlap in the service providing system 2E. When the receiving unit 202 receives the registration target ID and reference biometric data from the user (step S51), the service providing system 2 registers and transmits the ID and reference biometric data in its own database 202. The information is transmitted to the ID integrated management server 3E by the unit 203 (step S52). At this time, the service providing system 2E of the second example also transmits a system ID (here, for example, a system name) for identifying the service providing system 2E to the ID integrated management server 3E together with the ID and the biometric data for reference (step). S52). As described above, the system ID is notified to the ID integrated management server 3E by the identification unit 209.

  In the ID integrated management server 3E, when the receiving unit 302 receives the ID, reference biometric data, and system name from the service providing system 2 (step S61), the received reference biometric data and the management table 301a (see FIG. 2). The reference unit 303 and the comparison unit 304 perform comparison and collation with the biometric data stored in the reference biometric data field (step S62).

  Here, when the determination unit 305 determines that the reference biometric data of any record does not match (NO route in step S63), the user is not registered in any of the plurality of service providing systems. Therefore, the update unit 306 adds a new record to the management table 301b, registers the reference biometric data received in the biometric field in the record, and also receives it in the ID storage field specified by the system name. ID is registered (step S64).

  If it is determined by the determination unit 305 that the biometric data stored in the reference biometric data field matches (YES route in step S63), the user is in any of a plurality of service providing systems 2E. It can be determined that the user is performing user registration. Therefore, the update unit 306 additionally registers the ID specified by the user in the ID storage field specified by the system name in the record having the matched biometric data (step S65).

In this way, the ID integrated management server 3E (update unit 306) updates the management table 301b, and notifies the service providing system 2E of processing completion by the notification unit 307 (step S66).
When the receiving unit 204 receives the processing completion notification from the ID integrated management server 3E, the service providing system 2E sends a registration processing completion notification to the user (client) by the notification unit 205 (step S53).

  Next, the user logs in to the service providing system 2E in an environment in which the ID storage field of the management table 301b and each service providing system 2E are associated with each other in a one-to-one manner and the ID is integrated and managed as described above. The flow of the matching processing procedure will be described according to the flowchart shown in FIG. 17 (steps S71 to S78, S81 to S88). Note that the processes in steps S71 to S78 and S82 to S86 in FIG. 17 correspond to the processes in steps S31 to S38 and S42 to S46 in FIG. 15, respectively, and thus detailed description thereof will be omitted.

  In particular, here, when an ID is entered by mistake when attempting to log in to the service providing system 2E, the correct ID is identified using information managed by the ID integrated management server 3E, and the user is authenticated. The process up to this will be specifically described.

  Hereinafter, in order to make the explanation easy to understand, the service providing system 2E in which the user logs in to receive the service is referred to as “service providing system A”. In addition, the original registration destination service providing system 2E of the ID that the user has mistakenly input to “service providing system A” is referred to as “service providing system B”.

Furthermore, in the following specific processing explanation, the registration example of the management table 301b shown in FIG. 8 is used. That is, it is assumed that the user who logs in to the service providing system A is a user who matches the biometric data of management No. 000001. Further, the user registers “ikegami01” stored in the service storage system A ID storage field as an ID in the service provision system A, and stores the service provision system B ID in the service provision system B. It is assumed that “j_ikegami” stored in the field is registered. In the following description, the user who intends to use the service providing system A has mistakenly input “j_ikegami” registered in the service providing system B, where “ikegami01” should originally be input as the ID. Assume a case.

  Of the series of collation processing procedures at this time, the collation processing procedure (steps S71 to S78) from when the service providing system A receives a personal authentication request from the user to when the processing request is made to the ID integrated management server 3E is the first mentioned above. Since this is the same as the processing procedure of one example (steps S31 to S38), the description thereof is omitted.

  In this second example, the ID integrated management server 3E, together with the ID “j_ikegami” and collation biometric data, identification information (system name as a system ID) that can be identified as a processing request from the service providing system A Is received (step S81). The subsequent search processing (steps S82 and S83) of the management table 301b and the biometric data reference / comparison processing (steps S84 to S86) by the ID integrated management server 3E are the processing procedures of the first example (steps S42 to S46). ), The description thereof is omitted. However, in the search process in step S82 corresponding to the processing request from the service providing system A, it is meaningless to search the ID storage field of the service providing system A, and may be excluded from the search target.

In this way, as in the first example, the reference biometric data of the record of management No. 000001 in which the ID “j_ikegami” exists is compared with the biometric data for verification (step S85). When it is confirmed that they match (YES route in step D86), the ID storage field of the service providing system A is referred to in the record holding the reference biometric data (that is, the record of management No. 000001). (Step S87). Then, the ID (that is, “ikegami01”) stored in the ID storage field is transmitted to the service providing system A (step S88).

  The service providing system A to which the unique ID is returned from the ID integrated management server 3E confirms whether or not the returned ID exists in its own DB 202 (steps S71 to S73). As a result of this confirmation processing, “ikegami01” officially registered in the DB 202 is found.

  At this time, since the unique ID is found, the service providing system A may authenticate the user as the principal. However, in the ID integrated management server 3E (management table 301b), the same ID may be found in a plurality of records. For example, in FIG. 8, the same ID “ikegami” exists in the record of management No. 000001 and the record of management No. 000004. For this reason, the collation processing in the ID integrated management server 3E may be 1: N collation. Needless to say, in the biometric authentication technique, the 1: N matching process may cause others to accept. For this reason, in the service providing system A, even if a unique ID is returned, the reference biometric data associated with the ID in the own DB 202 and the matching biometric data received from the user are again obtained. By performing comparison and collation (steps S72 to S75), the user can be specified more reliably.

  In this way, according to the second example, the matching biometric data matches the reference biometric data associated with the ID “ikegami01” (YES route in step S75). As a result, even if the user tries to log in to the service providing system A and originally inputs “ikegami01”, he / she mistakenly inputs “j_ikegami” which is the login ID to the service providing system B. The person can be authenticated by reliably identifying the correct ID.

[4] Effects of this Embodiment As described above, according to the present technology, when the IDs registered in a plurality of service providing systems 2 for the same user do not match, the ID integrated management server 3 refers to the user. ID is integrated and managed by biometric data. As a result, it is possible to authenticate the user even if the user misses the ID input while maintaining the security without increasing the cost of the apparatus and placing a burden on the user.

  In other words, if this technology is used, in an environment in which a plurality of service providing systems 2 using biometric matching are mixed, other systems will not be able to log in to the target system 2 due to non-uniform IDs of the systems 2. Even if the ID to 2 is entered by mistake, the personal authentication is possible. At this time, if the ID integrated management server 3 succeeds in biometric authentication based on the management table 301a, a candidate ID list is created. Then, in the target system 2, the ID for the target system 2 is found from the candidate ID list, and the comparison biometric data is compared with the reference biometric data associated with the found ID. By doing so, the correct ID can be reliably identified and the person can be authenticated.

  Further, in the ID integrated management server 3E, when a unique ID is specified based on the management table 301b (see the second example), the reference system associated with the unique ID in the target system 2E. By comparing and collating the biometric data with the collating biometric data, the user can be identified more reliably.

[5] Others The present invention is not limited to the above-described embodiments, and various modifications can be made without departing from the spirit of the present invention.
For example, various methods have already been proposed for biometric data comparison and collation methods, but in this application, the types of biological parts from which biometrics are collected and the processing method of the collation engine that performs the collation processing are limited. However, it goes without saying that any biometric authentication method may be used.

  In addition, the functions (all or a part of functions) as the above-described units 201 to 209, 211 to 218, 221 to 227, 301 to 309, 311 to 317, and 321 to 324 are computer (CPU, information processing apparatus, various types). (Including a terminal) is executed by executing a predetermined application program (identification information integrated management program).

  The program is, for example, a flexible disk, CD (CD-ROM, CD-R, CD-RW, etc.), DVD (DVD-ROM, DVD-RAM, DVD-R, DVD-RW, DVD + R, DVD + RW, Blu-ray disc, etc.) And the like recorded in a computer-readable recording medium. In this case, the computer reads the program from the recording medium, transfers it to the internal storage device or the external storage device, and uses it. Further, the program may be recorded in a storage device (recording medium) such as a magnetic disk, an optical disk, or a magneto-optical disk, and provided from the storage device to a computer via a communication line.

  Here, the computer is a concept including hardware and an OS (Operating System), and means hardware that operates under the control of the OS. Further, when the OS is unnecessary and the hardware is operated by the application program alone, the hardware itself corresponds to the computer. The hardware includes at least a microprocessor such as a CPU and means for reading a computer program recorded on a recording medium. The program includes a program code for causing the computer as described above to realize the functions of the units 201 to 209, 211 to 218, 221 to 227, 301 to 309, 311 to 317, and 321 to 324. Also, some of the functions may be realized by the OS instead of the application program.

  Furthermore, as a recording medium in the present embodiment, in addition to the flexible disk, CD, DVD, magnetic disk, optical disk, and magneto-optical disk described above, an IC card, ROM cartridge, magnetic tape, punch card, computer internal storage device (RAM) In addition, various computer-readable media such as an external storage device or a printed matter on which a code such as a barcode is printed can be used.

[6] Supplementary Notes The following supplementary notes are further disclosed regarding the above embodiment.
(Appendix 1)
A plurality of service providing systems that start providing a predetermined service to the user after authenticating the user using identification information and biometric information about the user;
A management server that integrates and manages the identification information and the biometric information used for the personal authentication in the plurality of service providing systems;
The management server
An acquisition unit that acquires identification information and reference biometric information registered by the user in each service providing system from each service providing system as registration target identification information and registration target reference biometric information, respectively;
A storage unit capable of registering and storing the registration target identification information acquired by the acquisition unit and the registration target reference biometric information in association with each other;
A first comparison unit for comparing the registration target reference biometric information acquired by the acquisition unit with the registered reference biometric information already stored in the storage unit;
A first determination unit that determines presence / absence of registered reference biometric information that matches the registration target reference biometric information based on a comparison result by the first comparison unit;
When the first determination unit determines that there is no registered reference biometric information that matches the registration target reference biometric information, the registration target identification information and the registration target reference biometric information are registered respectively. And an update unit that updates information in the storage unit to be stored in the storage unit as stored identification information and registered reference biometric information.

(Appendix 2)
Each of the service providing systems uses the identification information and the reference biometric information as registration target identification information and registration target reference biometric information when registering the user identification information and reference biometric information, respectively. A registration target information transmission unit for transmission to
The identification according to claim 1, wherein the acquisition unit is configured as a registration target information receiving unit that receives the registration target identification information and the registration target reference biometric information from each service providing system. Integrated information management system.

(Appendix 3)
Each service providing system further includes a monitoring unit that monitors registration requests of identification information and reference biometric information by the user for the service providing system,
When the monitoring unit detects that the registration request is received, the registration target information transmitting unit sends the identification target information and the reference biometric information to the registration target identification information and the registration target reference biometric information, respectively. The identification information integrated management system according to appendix 2, wherein the management information is transmitted to the management server.

(Appendix 4)
The management server further includes an update result notification unit that notifies the update result of the storage unit by the update unit to the service providing system in which the user has registered identification information and reference biometric information,
Each service providing system includes:
An update result receiving unit for receiving the update result from the management server;
It is determined whether the update result received by the update result receiving unit is successful or unsuccessful. If the update result is unsuccessful, the registration target information transmitting unit transmits the registration target identification information and the registration target reference bio that have failed to be updated. The identification information integrated management system according to Supplementary Note 2 or Supplementary Note 3, further comprising: an update result determination unit that retransmits metric information to the management server.

(Appendix 5)
Each service providing system has an update function for updating the reference biometric information in the service providing system after registration of the user's reference biometric information,
When the user has updated the reference biometric information using the update function, the registration target information transmission unit transmits the reference biometric information to the management server, and the management server The 1 comparison unit compares the reference biometric information received by the registration target information reception unit with the registered reference biometric information already stored in the storage unit, and the first determination unit The presence or absence of registered reference biometric information that matches the reference biometric information is determined based on the comparison result by the first comparison unit, and the first determination unit matches the reference biometric information. If it is determined that there is registered reference biometric information to be registered, the update unit The trick information, and updates the information of the storage unit to replace the corresponding reference biometric information, the identification information integrated management system according to any one of Appendices 2 Appendix 4.

(Appendix 6)
The management server further includes a user registration monitoring unit that monitors the registration status of identification information and reference biometric information by the user in each service providing system,
When the user registration monitoring unit detects an update of the identification information and reference biometric information about the user, the acquisition unit sets the identification information and reference biometric information related to the update to the registration target identification information, respectively. The identification information integrated management system according to appendix 1, wherein the identification information integrated management system is acquired as the registration target reference biometric information.

(Appendix 7)
When it is determined by the first determination unit that registered reference biometric information that matches the registration target reference biometric information is present, the update unit uses the registered reference biometric information as the registered reference biometric information. The identification information integrated management system according to any one of Supplementary Note 1 to Supplementary Note 6, wherein information of the storage unit is updated to be stored in the storage unit as identification information registered and registered in association with metric information.

(Appendix 8)
When the registered identification information that is the same as the registration target identification information in the storage unit is not registered with respect to the registered reference biometric information, the update unit converts the registration target identification information into the registered reference biometric information. The identification information integrated management system according to appendix 7, wherein the information in the storage unit is updated so as to be stored in the storage unit as identification information registered and registered in association with metric information.

(Appendix 9)
In the storage unit, in one record corresponding to the registered reference biometric information, a plurality of fields for registering and storing registered identification information corresponding to each of the plurality of service providing systems is set,
The update unit registers and stores the registration target identification information as the registered identification information in the field corresponding to the service providing system that has transmitted the registration target identification information. The identification information integrated management system as described in any one.

(Appendix 10)
The updating unit updates the information of the storage unit so as to replace the registered reference biometric information with the registration target reference biometric information acquired by the acquisition unit when updating the information of the storage unit. The identification information integrated management system according to any one of Supplementary Note 7 to Supplementary Note 9, wherein the system is updated.

(Appendix 11)
Each of the service providing systems includes a notification unit that notifies the user of the completion of registration when the registration of the user identification information and reference biometric information in the service providing system is completed. The identification information integrated management system according to any one of Appendix 1 to Appendix 10.

(Appendix 12)
When each service providing system performs identity authentication using verification identification information and verification biometric information input by the user prior to the start of provision of the predetermined service, the verification identification information If it is not registered in the service providing system, it further includes a verification information transmitting unit that transmits the verification identification information and verification biometric information to the management server,
The management server
A collation information receiving unit that receives the collation identification information and the collation biometric information from each service providing system;
A confirmation unit for confirming whether or not the identification information matching the identification information for verification received by the verification information receiving unit exists in the storage unit;
When the confirmation unit confirms the presence of identification information that matches the identification information for verification, the storage unit stores at least one registered reference biometric information associated with the identification information, and the verification information A second comparison unit that compares the biometric information for verification received by the reception unit;
A second determination unit that determines presence / absence of registered reference biometric information that matches the biometric information for matching based on a comparison result by the second comparison unit;
When it is determined by the second determination unit that registered reference biometric information that matches the collation biometric information is present, the storage unit stores at least one or more information associated with the registered reference biometric information. A list creation unit that extracts registered identification information as candidate identification information and creates a candidate identification information list;
A processing result notifying unit for notifying the candidate identification information list created by the list creating unit as a processing result to a service providing system that is a transmission source of the matching identification information and the matching biometric information; The identification information integrated management system according to any one of supplementary notes 1 to 11, characterized by:

(Appendix 13)
If the confirmation unit does not confirm the presence of identification information that matches the identification information for verification, the processing result notification unit uses the processing result to indicate that the user authentication has failed. 13. The identification information integrated management system according to appendix 12, characterized in that the identification information and the service providing system that sends the verification biometric information are notified.

(Appendix 14)
Each service providing system includes:
A processing result receiving unit for receiving the processing result from the management server;
If the candidate identification information list is included in the processing result received by the processing result receiving unit, identification information registered in the service providing system from one or more candidate identification information in the candidate identification information list A search part that searches for a match with
When identification information that matches the candidate identification information is searched by the search unit, reference biometric information associated with the matching identification information and the matching biometric information input by the user A third comparison unit for comparison;
If the reference biometric information and the matching biometric information match as a result of the comparison by the third comparison unit, it is determined that the user has been successfully authenticated, and the search unit determines the candidate. If the identification information that matches the identification information is not searched, or if the reference biometric information and the matching biometric information do not match as a result of comparison by the third comparison unit, the user The identification information integrated management system according to supplementary note 12 or supplementary note 13, further comprising a third determination unit that determines that the personal authentication has failed.

(Appendix 15)
When each of the service providing systems determines that the user authentication has been successful by the third determining unit, the service providing system displays the match identification information searched by the search unit for the user in the service providing system. 15. The identification information integrated management system according to appendix 14, further comprising an identification information notification unit that notifies the user as correct identification information.

(Appendix 16)
Used for the user authentication in a plurality of service providing systems that start providing a predetermined service to the user after authenticating the user using identification information and biometric information about the user. An identification information integrated management server that integrally manages the identification information and the biometric information,
An acquisition unit that acquires identification information and reference biometric information registered by the user in each service providing system from each service providing system as registration target identification information and registration target reference biometric information, respectively;
A storage unit capable of registering and storing the registration target identification information acquired by the acquisition unit and the registration target reference biometric information in association with each other;
A first comparison unit for comparing the registration target reference biometric information acquired by the acquisition unit with the registered reference biometric information already stored in the storage unit;
A first determination unit that determines presence / absence of registered reference biometric information that matches the registration target reference biometric information based on a comparison result by the first comparison unit;
When the first determination unit determines that there is no registered reference biometric information that matches the registration target reference biometric information, the registration target identification information and the registration target reference biometric information are registered respectively. An identification information integrated management server comprising: an update unit that updates information in the storage unit so as to be stored in the storage unit as stored identification information and registered reference biometric information.

(Appendix 17)
The verification identification information is not registered in the service providing system when performing personal authentication using the verification identification information and verification biometric information input by the user prior to the start of provision of the predetermined service. A collation information receiving unit that receives the collation identification information and the collation biometric information, transmitted from each service providing system.
A confirmation unit for confirming whether or not the identification information matching the identification information for verification received by the verification information receiving unit exists in the storage unit;
When the confirmation unit confirms the presence of identification information that matches the identification information for verification, the storage unit stores at least one registered reference biometric information associated with the identification information, and the verification information A second comparison unit that compares the biometric information for verification received by the reception unit;
A second determination unit that determines presence / absence of registered reference biometric information that matches the biometric information for matching based on a comparison result by the second comparison unit;
When it is determined by the second determination unit that registered reference biometric information that matches the collation biometric information is present, the storage unit stores at least one or more information associated with the registered reference biometric information. A list creation unit that extracts registered identification information as candidate identification information and creates a candidate identification information list;
A processing result notifying unit for notifying the candidate identification information list created by the list creating unit as a processing result to a service providing system that is a transmission source of the matching identification information and the matching biometric information; The identification information integrated management server according to appendix 16, characterized by:

(Appendix 18)
Used for the user authentication in a plurality of service providing systems that start providing a predetermined service to the user after authenticating the user using identification information and biometric information about the user. As an identification information integrated management server for integrated management of the identification information and the biometric information, an identification information integrated management program for causing a computer to function,
An acquisition unit that acquires identification information and reference biometric information registered by the user in each service providing system from each service providing system as registration target identification information and registration target reference biometric information, respectively.
A storage unit capable of registering and storing the registration target identification information acquired by the acquisition unit and the registration target reference biometric information in association with each other;
A first comparison unit for comparing the registration target reference biometric information acquired by the acquisition unit with the registered reference biometric information already stored in the storage unit;
A first determination unit that determines presence / absence of registered reference biometric information that matches the registration target reference biometric information based on a comparison result by the first comparison unit; and
When the first determination unit determines that there is no registered reference biometric information that matches the registration target reference biometric information, the registration target identification information and the registration target reference biometric information are registered respectively. An update unit for updating information in the storage unit to be stored in the storage unit as already-identified identification information and registered reference biometric information,
An identification information integrated management program characterized by causing the computer to function as:

(Appendix 19)
The verification identification information is not registered in the service providing system when performing personal authentication using the verification identification information and verification biometric information input by the user prior to the start of provision of the predetermined service. A collation information receiving unit that receives the collation identification information and the collation biometric information, transmitted from each service providing system.
A confirmation unit for confirming whether or not identification information matching the identification information for verification received by the verification information receiving unit exists in the storage unit;
When the confirmation unit confirms the presence of identification information that matches the identification information for verification, the storage unit stores at least one registered reference biometric information associated with the identification information, and the verification information A second comparison unit that compares the verification biometric information received by the reception unit;
A second determination unit that determines the presence / absence of registered reference biometric information that matches the verification biometric information based on a comparison result by the second comparison unit;
When it is determined by the second determination unit that registered reference biometric information that matches the collation biometric information is present, the storage unit stores at least one or more information associated with the registered reference biometric information. A list creation unit that extracts registered identification information as candidate identification information and creates a candidate identification information list; and
A processing result notifying unit for notifying the candidate identification information list created by the list creating unit as a processing result to a service providing system that is a transmission source of the matching identification information and the matching biometric information;
The identification information integrated management program according to appendix 18, characterized by further causing the computer to function as:

(Appendix 20)
Used for the user authentication in a plurality of service providing systems that start providing a predetermined service to the user after authenticating the user using identification information and biometric information about the user. A computer-readable recording medium in which an identification information integrated management program for causing a computer to function as an identification information integrated management server for integrated management of the identification information and the biometric information is recorded,
The identification information integrated management program is
An acquisition unit that acquires identification information and reference biometric information registered by the user in each service providing system from each service providing system as registration target identification information and registration target reference biometric information, respectively.
A storage unit capable of registering and storing the registration target identification information acquired by the acquisition unit and the registration target reference biometric information in association with each other;
A first comparison unit for comparing the registration target reference biometric information acquired by the acquisition unit with the registered reference biometric information already stored in the storage unit;
A first determination unit that determines presence / absence of registered reference biometric information that matches the registration target reference biometric information based on a comparison result by the first comparison unit; and
When the first determination unit determines that there is no registered reference biometric information that matches the registration target reference biometric information, the registration target identification information and the registration target reference biometric information are registered respectively. An update unit for updating information in the storage unit to be stored in the storage unit as already-identified identification information and registered reference biometric information,
A computer-readable recording medium having an identification information integrated management program recorded thereon, wherein the computer is caused to function as:

(Appendix 21)
The identification information integrated management program is
The verification identification information is not registered in the service providing system when performing personal authentication using the verification identification information and verification biometric information input by the user prior to the start of provision of the predetermined service. A collation information receiving unit that receives the collation identification information and the collation biometric information, transmitted from each service providing system.
A confirmation unit for confirming whether or not identification information matching the identification information for verification received by the verification information receiving unit exists in the storage unit;
When the confirmation unit confirms the presence of identification information that matches the identification information for verification, the storage unit stores at least one registered reference biometric information associated with the identification information, and the verification information A second comparison unit that compares the verification biometric information received by the reception unit;
A second determination unit that determines the presence / absence of registered reference biometric information that matches the verification biometric information based on a comparison result by the second comparison unit;
When it is determined by the second determination unit that registered reference biometric information that matches the collation biometric information is present, the storage unit stores at least one or more information associated with the registered reference biometric information. A list creation unit that extracts registered identification information as candidate identification information and creates a candidate identification information list; and
A processing result notifying unit for notifying the candidate identification information list created by the list creating unit as a processing result to a service providing system that is a transmission source of the matching identification information and the matching biometric information;
A computer-readable recording medium recording the integrated identification information management program according to appendix 20, wherein the computer is further functioned as:

It is a block diagram which shows the structure of the identification information integrated management system (The registration process system of a service provision system and an identification information integrated management server) as one Embodiment of this invention. It is a figure which shows the structural example of the management table in the identification information integrated management server of this embodiment. It is a block diagram which shows the structure of the 1st modification of the identification information integrated management system (The service provision system and the registration processing system | strain of an identification information integrated management server) as one Embodiment of this invention. It is a block diagram which shows the structure of the 2nd modification of the identification information integrated management system (The service provision system and the registration processing system of an identification information integrated management server) as one Embodiment of this invention. It is a block diagram which shows the structure of the 3rd modification of the identification information integrated management system (The registration process system of a service provision system and an identification information integrated management server) as one Embodiment of this invention. It is a block diagram which shows the structure of the 4th modification of the identification information integrated management system (The service provision system and the registration processing system of an identification information integrated management server) as one Embodiment of this invention. It is a block diagram which shows the structure of the 5th modification of the identification information integrated management system (The registration process system of a service provision system and an identification information integrated management server) as one Embodiment of this invention. It is a figure which shows the structural example of the management table in the identification information integrated management server shown in FIG. It is a block diagram which shows the structure of the identification information integrated management system (The service provision system and the collation processing system of an identification information integrated management server) as one Embodiment of this invention. It is a block diagram which shows the structure of an example which applied encryption communication to the identification information integrated management system (The registration process system of a service provision system and an identification information integrated management server) shown in FIG. FIG. 10 is a block diagram illustrating an example of a configuration in which encrypted communication is applied to the identification information integrated management system (the service providing system and the identification information integration management server verification processing system) illustrated in FIG. 9. It is a block diagram which shows the structure of the other example which applied encryption communication to the identification information integrated management system (The registration process system of a service provision system and an identification information integrated management server) shown in FIG. It is a block diagram which shows the structure of the other example which applied encryption communication to the identification information integrated management system (The collation processing system of a service provision system and an identification information integrated management server) shown in FIG. It is a flowchart for demonstrating the registration processing procedure by the identification information integrated management system (The registration process system of a service provision system and an identification information integrated management server) shown in FIG. It is a flowchart for demonstrating the collation process procedure by the identification information integrated management system (The collation processing system of a service provision system and an identification information integrated management server) shown in FIG. It is a flowchart for demonstrating the registration process procedure by the identification information integrated management system (The registration process system of a service provision system and an identification information integrated management server) shown in FIG. The verification processing procedure performed by the identification information integrated management system shown in FIG. 9 (the verification processing system of the service providing system and the identification information integrated management server) performed using the management table shown in FIG. 8 registered in the procedure shown in FIG. It is a flowchart for demonstrating.

1,1A, 1B, 1C, 1D, 1E, 1 ', 1 "Identification information integrated management system (ID integrated management system)
2, 2A, 2B, 2C, 2D, 2E, 2 ', 2 "Service providing system (service providing server)
3, 3A, 3B, 3C, 3D, 3E, 3 ', 3 "Identification information integrated management server (ID integrated management server; management server)
201 ID / reference biometric data receiving unit 202 ID / reference biometric data storage unit (database)
203 ID / reference biometric data transmitter (registration target information transmitter)
204 ID integrated management completion notification receiver (update result receiver)
205 Registration completion notification unit 206 User registration monitoring unit (monitoring unit)
207 Registration completion notification section (notification section)
208 ID integrated management success / failure determination unit (update result determination unit)
209 Service providing system identification unit 211 ID / verification biometric data reception unit 212 Designated ID existence confirmation unit (search unit)
213 Biometric data reference unit for reference 214 Biometric data comparison / collation unit (third comparison unit)
215 Comparison result determination unit (third determination unit)
216 ID / Verification Biometric Data Transmitter (Verification Information Transmitter)
217 Processing result receiving unit 218 Identity authentication result notification unit (identification information notification unit)
221 ID / reference biometric data decryption unit 222 ID / reference biometric data decryption unit 223, 224, 226 communication data decryption unit 225, 227 communication data encryption unit 301 reference biometric data / ID management unit (storage unit) ; Database)
301a, 301b management table (storage unit)
302 ID / reference biometric data receiving unit (acquiring unit)
303 Biometric data reference unit for reference 304 Biometric data comparison unit (first comparison unit)
305 Comparison result determination unit (first determination unit)
306 Management table update unit (update unit)
307 ID integrated management completion notification section (update result notification section)
308 User registration monitoring unit (user registration monitoring unit)
309 ID / reference biometric data acquisition unit (acquisition unit)
311 ID / verification biometric data receiver (verification information receiver)
312 Specified ID existence confirmation part (confirmation part)
313 Biometric data reference unit for reference in management table 314 Biometric data comparison unit (second comparison unit)
315 Comparison result determination unit (second determination unit)
316 Candidate ID group creation unit (list creation unit)
317 ID integrated management server processing result notification unit (processing result notification unit)
321,323 Communication data decryption unit 322,324 Communication data encryption unit

Claims (3)

A plurality of service providing systems that provide a predetermined service to the user according to a result of authenticating the user, and a management server that integrally manages identification information and biometric information used in the plurality of service providing systems In the integrated identification information management system,
The management server
Receiving first identification information and biometric information for verification transmitted from the service providing system based on a result of authentication performed in the service providing system;
Among the plurality of registration biometric information stored in association with a plurality of pieces of identification information in advance, the biometric information for registration corresponding to the received first identification information is collated with the received biometric information for verification. ,
According to the result of the collation, the identification information other than the first identification information among the identification information associated with the biometric information for registration is transmitted to the service providing system as identification information used for authentication. A unique identification information management system. A management server that integrates and manages identification information and biometric information used in a plurality of service providing systems that provide a predetermined service to the user according to a result of authenticating the user,
A receiving unit that receives first identification information and biometric information for verification transmitted from the service providing system based on a result of authentication performed in the service providing system;
A collation unit that collates the biometric information for registration corresponding to the first identification information and the biometric information for collation among the plurality of biometric information for registration stored in association with a plurality of pieces of identification information in advance.
A transmission unit that transmits identification information other than the first identification information among the identification information associated with the biometric information for registration to the service providing system as identification information used for authentication according to the collation result When,
An identification information integrated management server comprising: An identification information integrated management program for causing a computer to function as a management server that integrates and manages identification information and biometric information used in a plurality of service providing systems that provide a predetermined service to the user according to a result of authenticating the user. And
In the computer,
Receiving first identification information and biometric information for verification transmitted from the service providing system based on a result of authentication performed in the service providing system;
Among the plurality of registration biometric information stored in advance associated with each of the plurality of identification information, the biometric information for registration corresponding to the first identification information is collated with the biometric information for verification,
A process of transmitting identification information other than the first identification information among the identification information associated with the biometric information for registration to the service providing system as identification information used for authentication according to the result of the verification. An identification information integrated management program characterized by being executed.

Images