TW200820042A - Multi-factor authentication system and a logon method of a windows OS - Google Patents
- Publication number: TW200820042A
- Authority: TW (Taiwan)
- Prior art keywords: login, window, authentication, operating system, program
- Prior art date
Landscapes
- User Interface Of Digital Computer (AREA)
Description
IX. Description of the Invention

[Technical Field]

The present invention provides a multi-factor authentication system and logon method for a Windows operating system, and in particular a customized multi-factor authentication system and logon method for the Windows Vista™ operating system.

[Prior Art]

The widely used Windows® operating system (Windows® OS) is a multi-user disk operating environment that offers several user-authenticated logon methods, by which a secure and confidential operating environment is established for the system and the data in it.

Unlike the conventional Windows operating systems, the newly developed Windows Vista™ operating system adopts a completely different logon authentication model; see the technical material published on the official Microsoft® website. Windows Vista™ uses User Account Control (UAC) to manage user privileges, striking a careful balance between the flexibility and capability of the administrator account and the security of an ordinary user account.

Windows Vista™ proposes a new authentication model in which the logon screen (LogonUI) communicates directly with the Winlogon process that manages the Windows logon procedure. This model provides a simple, scalable and flexible authentication process and abandons the Graphical Identification and Authentication (GINA) module that the conventional Windows operating systems (such as Windows XP or Windows 2000) used to manage user authentication and logon. Unlike the GINA approach, a programmer no longer modifies any user interface or logon window to create a new authentication environment; Windows Vista™ instead provides a credential provider module that is linked to the Windows logon screen, captures the user's credential and passes it to the Winlogon process to perform the system logon.

Windows Vista™ also provides an environment in which programmers can add other logon methods, so that authentication other than the user ID and password (ID/Password) authentication of the traditional Windows operating systems, for example biometrics, can be introduced. The credential provider module is additive: it can supply credentials for several users, and several providers can coexist in the system, for example the ordinary ID/password credential of Windows Vista™ alongside a smart card credential. That is, in addition to the authentication methods supplied by the operating system, a third party can use the credential provider supplied by Windows Vista™ to add the service it wants to authenticate, for example by adding to the logon screen (LogonUI) a credential that authenticates with a third-party smart card, or a credential that uses palm print, iris, retina, facial, auricle, voiceprint, fingerprint or finger/palm/back-of-hand vein distribution biometrics, or some other authentication method, while the traditional ID/password authentication remains available for system logon on the same logon screen.

The first figure shows schematically a Windows Vista™ logon authentication architecture. After boot the system enters the Winlogon process (11), which manages the Windows logon policy. This process calls the logon user interface program (LogonUI) (13) to produce the Windows logon screen and to learn which accounts are registered in the current Windows Vista™ environment; that is, the logon user interface program obtains the credential data of one or more users. As shown in the figure, LogonUI (13) obtains all credentials from credential provider A (151) and credential provider B (153) through the appropriate interface, and for each credential displays a tile representing it on the logon screen for the user to select for logon authentication. Taking the default password credential provider as an example: after LogonUI (13) loads the password credential provider, it obtains all credentials available for password logon and displays a tile for each on the Windows logon screen; the password credential provider declares that the credential should display a text field for the user to enter a password. Once the user has entered the password, the password credential provider confirms the user's identity, produces an authentication package, and returns it through LogonUI (13) to Winlogon, which passes it to the Local Security Authority (LSA) (19).
The LSA (19) submits the package to the Security Accounts Manager (SAM) database for authentication; the SAM is the database that stores the credential information of all credentials, including user names and passwords.

[Summary of the Invention]

Windows Vista™ performs its various user authentications through credential providers. Apart from authentication with a user name and password or with a smart card, other customized authentication methods such as biometrics require a dedicated credential to be created for the additional authentication procedure. The multi-factor authentication system and logon method of the present invention instead create a new credential provider that produces a multi-factor authentication screen on the Windows logon screen without affecting the user's habits, giving a safer and more convenient logon.

The multi-factor authentication system disclosed here includes: a user identity comparison means, which compares the user identification data produced by the multi-factor authentication procedure with the user data registered in an identity database in order to confirm the user's identity; an authentication means using a credential provider, which is the user management means of Windows Vista™; a user ID/password backfill means, which backfills the user ID/password that corresponds in the identity database to the user identification data produced by the multi-factor authentication procedure into the user ID/password fields of the Windows logon procedure; and a message passing means that carries signals between the multi-factor authentication procedure and the Windows logon procedure.

The invention applies mainly to user authentication in Windows Vista™. In one embodiment, the operating system is loaded after boot, the Winlogon.exe system program starts the Windows logon procedure, and the Windows logon program (Winlogon.exe) then calls a logon user interface process (executed by LogonUI.exe) that describes the Windows logon screen; the standard password credential provider of the Windows operating system and the custom credential provider of the present invention, which includes the multi-factor authentication module, are then loaded.

The logon user interface program (LogonUI.exe) calls the API of each credential provider to define how each credential appears when logging on to the operating system. When the logon user interface program calls the custom credential provider of the present invention, the custom credential provider displays a multi-factor authentication window in the logon window of the operating system and establishes a message passing channel between the multi-factor authentication and the custom credential provider, such as (1) a pipe mechanism, (2) a message mechanism, or (3) a message sharing mechanism, through which messages are passed between the multi-factor authentication procedure and the custom credential provider.
In addition, the custom credential provider of the present invention creates a wrapped password credential provider. When the logon user interface program calls the API GetCredentialCount() to obtain the number of credentials offered by each credential provider, the custom provider returns a count of 0 (count = 0) and AutoLogonWithDefault = False, and the multi-factor authentication procedure then begins. Once the user's identity has been successfully confirmed against the authentication database, the credential provider is notified through the message passing channel described above and is sent the corresponding user ID/password.

When the custom credential provider receives the user ID/password through the message passing channel, it asks the logon user interface program to re-enumerate the credentials offered by every credential provider. The custom credential provider then calls the API of the operating system's password credential provider to obtain the number of password credentials and their credential data, compares them one by one with the authenticated user name, and immediately creates a custom credential for that account together with a wrapped password credential. At this point GetCredentialCount() returns 1 (count = 1) and AutoLogonWithDefault is True.

The logon user interface program then calls GetCredentialAt(), which returns the custom credential.

The logon user interface program performs the logon automatically, logging on with the custom credential designated as the default. The custom credential backfills the password of the account to be logged on into the password field of the wrapped password credential, obtains the authentication package corresponding to that password credential, and passes it to the logon user interface process of the operating system.
[Embodiments]

Microsoft™ has published a new architecture called the Winlogon Re-Architecture. In this user authentication architecture for Windows Vista™, a module called a credential provider replaces the GINA (Graphical Identification and Authentication) architecture used in Windows XP/2000. The multi-factor authentication system and logon method disclosed here, applied mainly to Windows Vista™, improve on this new architecture. Under the new architecture a credential created by an existing user uses ordinary user-name-and-password authentication, and a credential created under the credential provider framework cannot invoke any authentication method other than the user name and password; to use an authentication method other than the original one, including biometrics and other third-party methods, a user credential for that method has to be created.

The multi-factor authentication system and logon method of the present invention instead change the logon procedure of the original Windows operating system: they capture the original authentication information and replace it with the authentication information corresponding to the multi-factor authentication, so that credentials already present in the system can use multi-factor authentication methods such as biometrics or smart cards without changing the user's habits, producing a multi-factor authentication screen on the Windows logon screen and a safer and more convenient logon.

Windows Vista™ supports interactive logon, in which the Winlogon process of the operating system manages the authentication logon policy of the Windows operating system and is responsible for keeping and passing messages and for maintaining the state of the operating system, such as the welcome screen, logon, logoff and workstation lock. The multi-factor authentication system and logon method of the present invention change the procedure of the original operating system, for example by capturing the authentication information in the procedure created by the logon user interface program (LogonUI.exe) and producing another customized logon procedure; this multi-factor authentication procedure completes in an instant, so the invention produces a multi-factor authentication logon window on the Windows logon screen without affecting the ordinary user's habits.

Figure 2A is a schematic of the logon screen of the multi-factor authentication of the present invention applied to Windows Vista™. After boot the operating system is loaded, the Winlogon process is loaded, and the logon user interface (LogonUI) program is called to produce the Windows logon screen, entering the logon screen 20 in the figure. The screen shows the credentials of one or more Windows Vista™ user accounts, such as the system administrator 201, user one 203 and user two 205 in the figure, and below them a menu of system commands 24 including restart, suspend and shut down. The invention changes the logon procedure of the original operating system and modifies the logon screen produced by the logon user interface program (LogonUI.exe) so that a multi-factor authentication window 22 is additionally displayed at a specific position on the screen, letting the user log on through this multi-factor authentication window 22 without changing their operating habits. Taking the default state as an example, when the user selects one of the credentials, for example user two 205, its tile is enlarged (or some other display effect is shown) and the next authentication screen, shown in Figure 2B, prompts for the user ID (or name) 21 and the corresponding password 23, with which the user can log on to the system.

In this example fingerprint authentication is shown: a fingerprint scanner can scan the user's fingerprint, and an authentication procedure then performs feature comparison. In practice the multi-factor authentication means may include smart cards or token cards that require a passcode or identification code, palm print, iris, retina, facial, auricle, voiceprint, fingerprint and finger/palm/back-of-hand vein recognition, or other equivalent authentication methods.

Figure 3 shows another embodiment of the invention, in which the multi-factor authentication window 22 displayed on the logon screen 20 offers several authentication icons, representing several multi-factor authentication functions, from which the user chooses an appropriate authentication method, such as the fingerprint authentication icon 221, the chip card authentication icon 222 and a third authentication icon 223 shown in the figure. The authentication information or biometric feature received is mapped by the user identity comparison means to a set of user ID and password, and authentication and logon are then carried out by the credential provider that originally uses the password, so the user can choose any authentication method the computer system supports and authenticate through the multi-factor authentication window displayed in the logon screen without changing the original logon process.

Unlike the public Windows Vista™ technical documentation, which recommends that a third-party authentication mechanism first create its own credential provider, the invention modifies the logon procedure and adds the multi-factor authentication procedure it provides, so that existing users can perform multi-factor authentication without changing their account or its state of use. The multi-factor authentication system of this Windows operating system is shown schematically in Figure 4 and includes the following main means:
(1) 視窗登入手段(Winlogon) 41,係於電腦系統開 機後’載入本發明所應用之視窗VistaTM作業系 統,並藉Winlogon.exe程式建立一視窗登入程序, 此Winlogon.exe為視窗作業系統的登入管理程 式,管理所執行的使用者名稱/密碼登入作業,可 藉以建立安全的管理登入、登出程序; (2) 登入使用者介面手段(LogonUI) 42,由上述視窗 登入程序呼叫一登入使用者介面程序,執行 LogonUI.exe,此登入使用者介面手段係先獲取視 窗VistaTNMiF業糸統中所包括憑證(credential )資 訊,再將之顯示於視窗登入晝面上; (3) 登入晝面顯示手段43,本發明即藉提供一客製的 憑證提供者,由上述登入使用者介面程式 (LogonUI.exe)載入後,於登入畫面上顯示一多 14 200820042 因子認證視窗; (4) 多因子認證手段(Multi-factor authentication) 44, 利用上述晝面顯示手段,產生一多因子認證程 序,於顯示之多因子認證視窗上進行多因子認 證’此手段可包括需鍵入通行碼或識別碼的智慧 卡、符記卡、各種掌紋(palm print)、虹膜(iris)、 視網膜(retina)、顏面(facial)、耳廓(auricie)、 語音聲紋(voiceprint)、指紋(fingerprint)、手指 /手掌/手背靜脈(vein)分布等生物辨識機制,或 是其他認證方式,舉例來說,可利用一指紋掃描 裝置掃描該使用者之指紋,藉以進行此多因子認 證程序; (5) 使用者身份比對手段45,係針對經過多因子認證 程序後產生的使用者識別資料,將其與一身份識 別資料庫中登錄的使用者資料進行比對,藉以確 認該使用者身份;另一實施例係將多因子認證程 序產生的使用者識別資料對應一組使用者識別碼 與密碼,將之回傳至客製的憑證提供者,利用其 中認證程序進行使用者身份的比對; (6) 認證手段(Certification)46,此為管理視窗VlstaTM 作業系統中的使用者管理手段,係利用聯繫上述 登入使用者介面程式所載入的憑證提供者 (credential provlder )模組描述各憑證之使用者介 面,並藉以將收集的憑證資訊傳送至視窗登入程 序中,並藉以建立登入畫面(登入晝面顯示手 15 200820042 段),憑證提供者可提供多人使用的憑證,如同時 提供視窗VistaTM作業系統一般使用識別碼(ID) 與洽碼的憑證與使用智慧卡(smart car(j )的憑證。 並且’除了作業系統所提供的認證方式以外,第 三方(third party )亦可由視窗Vista™作業系統所 提供的憑證提供者加入所要認證的服務,比如可 於視窗登入畫面(L〇gonui)中加入一個智慧卡認 證的憑證,或是本發明所提供的多因子認證的憑 證提供者; 〜 (7)使用者識別碼/密碼回填手段48,當進行多因子認 證時,將多因子認證程序產生的使用者識別資料 與身份識別資料庫中對應的使用者識別碼/密碼進 行視自登入時特定憑證的使用者識別碼/密碼回 填,即回填至視窗登入程序中的使用者識別碼/密 碼搁位;以及 ⑻訊息傳遞手段47,係藉一訊息傳遞通道達成上述 多因子認證程序與憑證提供者間的訊號傳遞,戋 是將上述使用者識別碼/密碼經此訊息傳遞通道傳 遞至憑證提供者。例如,當使用者依照多因子切 證視窗輸入指紋並經過身分認證成功後,即透: 上述訊息傳遞通道通知憑證提供者,並通知登入 、使用者介面程序,以重新整理所有的憑證提供者。 上述的訊息傳遞手段可包括以下多種機制: ===== 16 200820042 傳遞訊息,其方式就是使管道前面程序之標準輪 出導引至管道後面程序之標準輸入。如將上述多 因子的§忍證程序中所謂取智慧卡的訊息、掃描白勺 指紋或其他生物$忍證的特徵值經標準輸出,經由 此管道傳遞至視窗作業系統的認證登入程序; (2) 視窗作業系統中的訊息(Message)機制,可以 窺視或接收傳遞彳宁列中的訊息,此訊息機制提供 本發明之多因子的認證程序傳遞智慧卡的訊 息、知*彳田的指紋或其他生物$忍證的特徵值至彳見g 登入程序; (3) 或利用一訊息分享機制,即利用一分享記情體 (shared memory )進行智慧卡的訊息、掃描的指 故或其他生物$忍證的特徵值等訊息的交換。 第五圖所示為本發明為使用多因子認證方法時憑證提 供者運作的示意圖。此多因子認證方式係先建立一客製的 憑證提供者53,使其與原有視窗VlstaTM作業系統所使^的 憑證提供者51共存,同樣透過登入使用者介面程式 ogonUI.exe ) 50載入作業糸統内的密碼憑證提供者 (password credential provider ) 
51與本發明所利用的客製 憑證提供者53。客製憑證提供者53會產生一偽穿 (wrapped)的密碼憑證提供者55,以提供上述客製馮^ 提供者53於認證時能轉介到作業系統内的密碼憑證 者51,以順利讓此多因子認證方式同樣使用原有的密碼認 證系統,並藉以比對多因子認證而得出欲登入帳號的識^ 碼/密碼。 200820042 當本發明客製的憑證提供者53透過管道(訊息傳遞通 逼)收到識別碼/密碼後,經比對後確認該欲登入帳號的憑 證(credential)後,建立該帳號的客製憑證57與一偽裝的 控碼憑證(wrapped password credential) 59。之後,客製 憑證57將對應該帳號之密碼回填至此偽裝的密碼憑證 59 ’並呼叫偽裝的密碼憑證59的API,取得認證封包後, 將該認證封包傳回給登入使用者介面程式5〇進行登入。 弟一實施例: 利用上述第四圖所示的各手段功能進行本發明視窗作 業系統之多因子認證之登入方法,主要步驟如第六圖所示 之流程: 於系統開機後載入作業系統(步驟S601); 接著進入視窗登入(Winlogon)程序,係由視窗登入 程式(Winlogon.exe)啟動此視窗登入程序,此視窗登入 矛王序係管理視窗Vista™作業糸統認證登入的程序(步驟 S603 ); 之後,即呼叫登入使用者介面程式(L0g0nui.exe)(步 驟S605),此登入使用者介面程式係用以管理各種視窗登 入的畫面參數,接著載入所有的憑證提供者(credential provider),包括視窗作業系統所提供的密碼憑證提供者與 本發明所客製的密碼憑證提供者,藉由幾個參數(如 CPUS—LOGON,讓使用者選擇帳號的登入晝面; CPUS一UNLOCK一WORKSTATION,電腦被鎖定後等待解 除鎖定的畫面;與CPUS_CREDUI,使用者帳號控制視窗 等參數)取得一個或一個以上的憑證的資料,以獲知目前 18 200820042 視窗vlsta作業系統中已註冊的帳號的資料(步驟s6〇7); —上述登入使用者介面程式顯示視窗登入晝面,於本發 明實施例係顯示包括有多因子認證視窗的登入晝面,並^ 括每個憑證由此登人使用者介面程式於登人晝面上顯示= 表不同憑證的小圖式(tile) ’或包括的帳號名稱,以供使 用者點選進行登入認證(步驟S609); 、、、,之後建立多因子認證視窗與憑證提供者_訊息傳遞 通這(步驟S611),包括傳遞憑證訊息、對應多因子認證 =使用者識別碼/密碼等,訊息傳遞通道包括⑴管道⑺^ ) 機制」或⑺訊息(Message)機制;或(3)訊息分享機制; 訊息傳遞通道建立後,即建立一偽裝的密碼憑證提供 ^ ’以此可順利將登人使用者介面程< (kg。··)與 、發明客製的密碼憑證提供者之間溝通的Α ρ ι與訊息轉介 至糸統所提供的密碼憑證提供者(步驟S613); 此時,使用者利用上述包含多因子認證的登入晝面執 仃夕因子認證程序(步驟S615); 一 至5忍證貢料庫比對,透過 送出所對應出的使用者識 經成功確認使用者身份後 ‘息傳遞通道通知憑證提供者 別碼/密碼(步驟S617); f wn $明客製的㈣憑證提供者呼叫應用程式介 重新^^^祕叫略通知登入使用者介面程 驟S6^ )所有的敍提供者可提供的憑證(㈣dentmls )((1) Windows login means (Winlogon) 41, after the computer system is turned on, 'loads the Windows Vista operating system to which the present invention is applied, and creates a window login program by using the Winlogon.exe program. This Winlogon.exe is a Windows operating system. The login management program manages the user name/password login operation performed by the administrator to establish a secure management login and logout procedure; (2) Login user interface means (LogonUI) 42, call by the above window login program The user interface program executes LogonUI.exe. 
The login user interface means to obtain the credential information included in the Windows VistaTNMiF system and display it on the Windows login page. (3) Login screen The display means 43, the invention provides a customized credential provider, and after being loaded by the login user interface program (LogonUI.exe), displays a multi-level 14200820042 factor authentication window on the login screen; (4) Multi-factor authentication 44, using the above-mentioned face display means to generate a multi-factor authentication program for display Multi-factor authentication on the factor authentication window' This means may include a smart card, a token card, a palm print, an iris, a retina, a facial, which requires a passcode or an identification code. Biometric mechanisms such as auricie, voiceprint, fingerprint, finger/palm/vein distribution, or other authentication methods, for example, can be scanned using a fingerprint scanner The fingerprint of the user is used to perform the multi-factor authentication procedure; (5) The user identity comparison means 45 is to log in to the identity identification database for the user identification data generated after the multi-factor authentication procedure. The user data is compared to confirm the identity of the user; in another embodiment, the user identification data generated by the multi-factor authentication program is corresponding to a set of user identification codes and passwords, and is transmitted back to the customized certificate. Provider, using the authentication program to compare the user's identity; (6) Certification (Certification) 46, this is the management window VlstaTM operation The user management means in the system describes the user interface of each credential by using a credential provider module loaded in the login user interface program, and transmits the collected credential information to the window login program. 
In order to create a login screen (login screen display hand 15 200820042 paragraph), the credential provider can provide credentials for multi-person use, such as providing the Windows VistaTM operating system generally using identification code (ID) and the use of the certificate and use of the code Smart card (smart car (j) credentials. And 'in addition to the authentication method provided by the operating system, the third party can also join the service to be authenticated by the credential provider provided by the Windows VistaTM operating system, for example, can be added to the Windows login screen (L〇gonui). A smart card authentication credential, or a multi-factor authentication credential provider provided by the present invention; (7) a user ID/password backfilling means 48, when multi-factor authentication is performed, a multi-factor authentication program is generated The user identification code/password in the user identification data and the identification database is used to perform the user identification code/password backfilling of the specific certificate when the user logs in, that is, the user identification code/password placement back to the window login program. And (8) the message passing means 47, by means of a message passing channel to achieve the signal transmission between the multi-factor authentication program and the credential provider, and then transmitting the user ID/password to the credential provider via the message passing channel. For example, when the user enters the fingerprint according to the multi-factor authentication window and successfully authenticates through the identity, the above-mentioned message delivery channel notifies the credential provider and notifies the login and user interface programs to rearrange all the credential providers. 
The above message delivery means may include the following various mechanisms: ===== 16 200820042 The message is transmitted by directing the standard round of the program in front of the pipeline to the standard input of the program behind the pipeline. If the above-mentioned multi-factor § forcible procedure, the so-called smart card message, the scanned fingerprint or other bio-hazard eigenvalues are output by standard, and passed through the pipeline to the authentication operation program of the window operating system; The message mechanism in the Windows operating system can peek or receive the message in the delivery column. The message mechanism provides the multi-factor authentication program of the present invention to transmit the smart card message, know the fingerprint of the field or other The characteristic value of the bio-torture is to see the g-login procedure; (3) or use a message-sharing mechanism to use a shared memory for smart card messages, scanned allegations or other creatures. The exchange of information such as the characteristic value of the certificate. The fifth figure shows a schematic diagram of the operation of the credential provider when the multi-factor authentication method is used in the present invention. The multi-factor authentication method first establishes a custom credential provider 53 to coexist with the credential provider 51 of the original Windows VlstaTM operating system, and also loads the login user interface program ogonUI.exe) 50 A password credential provider 51 within the operating system and a custom credential provider 53 utilized by the present invention. The custom credential provider 53 generates a pseudo-wrapped credential credential provider 55 to provide the credential credential 51 that can be referred to the operating system by the above-mentioned custom vending provider 53 for authentication. 
This multi-factor authentication method still relies on the original password authentication system: the result of the multi-factor authentication is compared against the database to obtain the ID/password of the account to be logged in. When the custom credential provider 53 of the present invention receives the ID/password through the pipe (message passing) and confirms the credential of the account to be logged in, it creates the custom credential 57 of that account and a disguised password credential 59. The custom credential 57 then backfills the account's password into the disguised password credential 59 and calls the API of the disguised password credential 59 to obtain the authentication packet, which is returned to the login user interface program 50 to perform the login.
An embodiment of the present invention: the multi-factor authentication login method for a Windows operating system of the present invention is carried out with the functions of the means shown in the fourth figure, and its main steps are shown in the sixth figure: the operating system is loaded after the system is powered on (step S601); the Windows login program (Winlogon.exe) is then entered, and this Windows login program manages the authentication login procedure of the Windows Vista™ operating system (step S603); afterwards the login user interface program (LogonUI.exe) is called (step S605) to manage the various parameters of the Windows logon screen, and all credential providers are loaded. These include the password credential provider provided by the Windows operating system and the custom password credential provider of the present invention; by means of several parameters (such as CPUS_LOGON, the logon screen on which the user selects the account to log in with; CPUS_UNLOCK_WORKSTATION, the screen that waits to be unlocked after the computer has been locked; and CPUS_CREDUI, the user account control window, among others) the information of one or more credentials of the accounts registered in the current Windows Vista™ operating system is obtained (step S607); the login user interface program then displays the Windows logon screen, which in this embodiment of the present invention includes the multi-factor authentication window, and on that screen the login user interface program draws for each credential a small tile representing the different credentials, or the name of an account, for the user to click to perform login authentication (step S609); next, a message passing channel is established between the multi-factor authentication window and the credential provider (step S611), used to transmit the credential message and the corresponding multi-factor authentication user ID/password, the message passing channel being (1) a pipe mechanism, (2) a message mechanism or (3) a shared memory mechanism; after the message passing channel is established, a disguised password credential provider is established, through which the user ID and message delivered over the channel can be handed to the password credential provider supplied by the system (step S613); the user then performs the multi-factor authentication procedure by the multi-factor authentication login method described above (step S615); after comparison against the authentication database confirms the user identity, the message passing channel notifies the credential provider of the corresponding user ID/password (step S617); the custom credential provider then calls the application programming interface to notify the login user interface program to refresh all the credentials provided by the credential providers (step S619);
The custom credential provider of the present invention calls the APIs of the above disguised password credential provider, such as GetCredentialCount() and GetCredentialAt(), to retrieve the number of password credentials and the credential data (step S621), and compares them with the user identity data passed from the multi-factor authentication; if the user identity cannot be confirmed, an error message is generated and the process returns to the multi-factor authentication login step at step S607; if the corresponding password credential is confirmed, the custom credential of the account to be logged in and a disguised password credential are created (step S623); the login user interface program queries and obtains the custom credential through the defined application programming interface (API) GetCredentialAt() (step S625); the custom credential then backfills the password corresponding to the account ID into the established disguised password credential and obtains the authentication packet; finally, the system login is executed through the authentication packet (step S629).
Second embodiment:
When the above login process is executed, the data passed between the login user interface program and the credential providers of the Windows operating system uses a number of API calls. The seventh figure shows the flow of a preferred embodiment of the present invention, applied mainly to user authentication in the Windows Vista™ operating system; the details of the embodiment are as follows:
After booting, the operating system is loaded (step S701);
The Winlogon.exe system program then starts the Windows login process (step S703);
The computer system then communicates with the logon screen of the Windows Vista™ operating system: the Windows login program (Winlogon.exe) calls a login user interface process (executed by LogonUI.exe), which describes the Windows logon screen, collects the credential information of each registered account, including the number of credentials in the Windows operating system and the permissions each credential has over the resources in the system, draws the logon screen, and interacts with the authentication module of the operating system (step S705);
Next, the credential providers of the users managed by this Windows Vista™ operating system are loaded, that is, both the standard password credential provider of the Windows operating system and the custom credential provider provided by the present invention, which includes the multi-factor authentication module (step S707);
The login user interface program (LogonUI.exe) calls the API SetUsageScenario() of each credential provider to ask whether it supports the function about to be handled, that is, to define the scenario under which each credential logs into the operating system (step S709). The parameters passed in at the different moments include: (1) CPUS_LOGON: the logon screen, displayed after boot or after logout, on which the user selects an account to log in with; (2) CPUS_UNLOCK_WORKSTATION: unlock, the screen shown when a user who has logged in with an account locks the computer without logging out and waits to unlock it; (3) CPUS_CREDUI: the UAC (User Account Control) pop-up window; when a low-privilege account in the Windows Vista™ operating system wants to perform a high-privilege function, such as adding an account, UAC pops up the accounts with system administrator (Administrator) status for the user to choose from, and the function may be performed with that high-privilege account only if the password is confirmed successfully;
Afterwards, the login user interface program takes the retrieved credential information, adds the multi-factor authentication window provided by the present invention, and draws the logon icon of each credential on the Windows logon screen, so that this step displays the multi-factor authentication window and the login window provided by the operating system on the same screen (step S711);
A message passing channel is established between the multi-factor authentication program and the custom credential provider (step S713); a preferred embodiment of the message passing channel is a secure channel protected by an encryption and decryption process, such as (1) a pipe, (2) a message or (3) shared memory, used to pass messages between the multi-factor authentication program and the custom credential provider;
Next, the credential provider of the present invention establishes a disguised password credential provider (Wrapped Password Credential Provider), so that the custom credential provider can refer to the password credential provider inside the operating system during authentication, allowing this multi-factor authentication method to log into the system through the existing password mechanism (step S715);
The login user interface program then calls the API GetCredentialCount() to retrieve the number of credentials each credential provider offers, that is, the logon credentials to be drawn, such as the number of credentials returned by the original password credential provider plus the number returned by the custom credential provider of the present invention (step S717);
When the GetCredentialCount() call of step S717 reaches the custom credential provider of the present invention, it returns a count of 0 (Count=0) and AutoLogonWithDefault as False, meaning the credential provider offers no custom credential for the login user interface program to display, so the logon screen still shows the original credentials (step S719);
The system waits for the user to authenticate, either by multi-factor authentication or by the traditional ID/password authentication (step S721);
The multi-factor authentication procedure is then executed; in addition to the ordinary login using the user ID (ID or name) and password described above, user authentication information from an authentication method supplied by a third party may be used, such as biometrics, a smart card or another equivalent authentication method (step S723);
The user performs multi-factor authentication as instructed by the multi-factor authentication window, for example by entering a fingerprint, capturing a face image or inserting a smart card, and the user identity is successfully confirmed; otherwise, if the user identity cannot be confirmed, an error message is generated and the process returns to step S711 to display the logon screen with the multi-factor authentication window and accept re-authentication;
After the user identity is successfully confirmed, it is compared against the authentication database, and the credential provider is notified over the message passing channel and sent the corresponding user ID/password (step S725);
Next, after the custom credential provider of the present invention receives this user ID/password over the message passing channel, it notifies the login user interface program through the API CredentialsChanged() (step S727), after which the login user interface program refreshes the credentials provided by all credential providers (step S729);
The login user interface program calls the API GetCredentialCount() once more (step S731);
The custom credential provider of the present invention calls the APIs GetCredentialCount() and GetCredentialAt() of the disguised password credential provider established above, to retrieve the number of password credentials and the credential data (step S733);
After comparing these one by one against the credential that matches the authenticated user name, the custom credential of that account and a disguised password credential are created immediately (step S735);
The custom credential provider of the present invention then returns GetCredentialCount(), including the count (count), automatic logon with the default (AutoLogonWithDefault) and the default value (Default), where the count is 1 (count=1), meaning one credential is produced for display; the default logon account is set to the first one (Default=0), meaning the login user interface program logs in automatically with the first credential; and AutoLogonWithDefault is True, meaning the login user interface program performs the login automatically, with the credential specified by the default value (step S737);
Next, the login user interface program calls the API GetCredentialAt() of the custom credential provider of the present invention with Index 0 and obtains the custom credential to log in with, in order to log in automatically (step S739);
When the login user interface program communicates with the custom credential of the above step through the defined interface, the custom credential refers it to the disguised password credential already established (step S741);
The login user interface program finally calls GetSerialization() of the custom credential (step S743);
Following the above step, the custom credential uses the corresponding user ID/password to backfill the password of the account to be logged in into the password field of the disguised password credential (step S745);
It then forwards the call to the API GetSerialization() of the disguised password credential to obtain the authentication packet (step S747);
The authentication packet is returned to the login user interface program (step S749), and the login is executed (step S751).
In summary, the multi-factor authentication system and login method disclosed by the present invention apply mainly to the Windows Vista™ operating system and to later operating systems that adopt the credential provider authentication architecture. Without affecting the user's habits, a multi-factor authentication window is produced on the Microsoft Windows logon screen, and this multi-factor authentication provides a more secure and convenient way of logging into the system. In the embodiment of the present invention, the user authenticates with the multi-factor means described above (for example a fingerprint scan with a fingerprint scanning device); once the comparison confirms the user identity, a credential in password form (password credential) is quickly created, the password corresponding to the user ID (or name) is backfilled into it, and the system login is performed. The advantages include at least:
(1) an interactive logon screen;
(2) support for multi-factor Windows login, returning the corresponding password to the credential provider in conformity with the authentication procedure of the Windows Vista™ operating system, without affecting the original user habits;
(3) automatic login to the Windows system through multi-factor authentication;
(4) stability, since the login relies on the programs of the original operating system login procedure;
(5) the directories and permissions the operating system should have at login are produced;
(6) the default user ID/password authentication method can still be used;
(7) a customized logon screen can also be produced;
(8) a more secure authentication mechanism;
(9) the multi-factor authentication login window may include several authentication functions, letting the user choose a suitable authentication method.
The above is only a preferred feasible embodiment of the present invention and does not limit the patent scope of the present invention; all equivalent structural changes made using the specification and drawings of the present invention are likewise included within the scope of the present invention.
[Brief description of the drawings]
The first figure is a schematic diagram of the login authentication architecture of the Windows Vista™ operating system;
The second figure A is the first schematic diagram of the logon screen of the multi-factor authentication of the present invention applied to the Windows Vista™ operating system;
The second figure B is the second schematic diagram of the logon screen of the multi-factor authentication of the present invention applied to the Windows Vista™ operating system;
The third figure is a schematic diagram of the multi-factor authentication logon screen of the present invention;
The fourth figure is a schematic diagram of the architecture of the multi-factor authentication system for a Windows operating system of the present invention;
The fifth figure is a schematic diagram of the architecture of the credential provider of the Windows operating system and the custom credential provider of the present invention;
The sixth figure is the flow of the multi-factor authentication login method for a Windows operating system of the present invention;
The seventh figure is the flow of a preferred embodiment of the multi-factor authentication login method of the present invention.
[Description of main component symbols]
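The following C++ is an added model, not code from the patent, of the custom credential provider's behaviour across steps S717 to S751: it advertises no tile (count 0, AutoLogonWithDefault False) until the multi-factor program delivers an ID/password over the message channel, then exactly one auto-logon tile whose GetSerialization() backfills the password into the wrapped password credential and returns the packet. The Vista ICredentialProvider COM interfaces are imitated by name only, and the account list, the AuthPacket struct and the CredentialsChanged callback are assumptions standing in for the operating system's password credential provider and its serialized logon data.

```cpp
#include <algorithm>
#include <functional>
#include <memory>
#include <optional>
#include <string>
#include <utility>
#include <vector>

// What GetCredentialCount() tells LogonUI: tiles to draw for this provider,
// whether to log on automatically, and which tile is the default.
struct CredentialCount { int count; bool autoLogonWithDefault; int defaultIndex; };
// Stand-in (assumption) for the logon blob the OS password credential serializes.
struct AuthPacket { std::string account; std::string password; };

// Overwrite a secret's bytes before the string is released.
static void scrub(std::string& s) {
    volatile char* p = s.empty() ? nullptr : &s[0];
    for (std::string::size_type i = 0; i < s.size(); ++i) p[i] = 0;
    s.clear();
}

// Disguised (wrapped) password credential 59: the OS password credential for one
// account, with the password field the custom credential backfills (step S745).
class WrappedPasswordCredential {
public:
    explicit WrappedPasswordCredential(std::string account) : account_(std::move(account)) {}
    void setPasswordField(const std::string& pw) { password_ = pw; }
    AuthPacket GetSerialization() {            // step S747: account + password -> packet
        AuthPacket pkt{account_, password_};
        scrub(password_);                      // the field must not outlive the call
        return pkt;
    }
    bool passwordFieldEmpty() const { return password_.empty(); }
private:
    std::string account_, password_;
};

// Custom credential 57: keeps the ID/password received over the message channel
// and refers every LogonUI call to the wrapped password credential (step S741).
class CustomCredential {
public:
    CustomCredential(std::string account, std::string password)
        : password_(std::move(password)), wrapped_(std::move(account)) {}
    ~CustomCredential() { scrub(password_); }
    AuthPacket GetSerialization() {            // steps S743-S749
        wrapped_.setPasswordField(password_);
        scrub(password_);                      // the secret is used exactly once
        return wrapped_.GetSerialization();
    }
    const WrappedPasswordCredential& wrapped() const { return wrapped_; }
private:
    std::string password_;
    WrappedPasswordCredential wrapped_;
};

// Custom credential provider 53. knownAccounts stands in (assumption) for the account
// names enumerated from the OS password credential provider in step S733.
class CustomCredentialProvider {
public:
    CustomCredentialProvider(std::vector<std::string> knownAccounts,
                             std::function<void()> credentialsChanged)
        : accounts_(std::move(knownAccounts)), credentialsChanged_(std::move(credentialsChanged)) {}
    // Steps S725-S735: the multi-factor program reports an authenticated ID/password.
    // An account the OS does not know yields no tile, so the screen stays unchanged.
    bool OnChannelMessage(const std::string& account, const std::string& password) {
        if (std::find(accounts_.begin(), accounts_.end(), account) == accounts_.end()) return false;
        credential_ = std::make_unique<CustomCredential>(account, password);
        credentialsChanged_();                 // step S727: LogonUI re-enumerates
        return true;
    }
    CredentialCount GetCredentialCount() const {     // step S719 before, S737 after
        return credential_ ? CredentialCount{1, true, 0} : CredentialCount{0, false, 0};
    }
    CustomCredential* GetCredentialAt(int index) {    // step S739: only index 0 exists
        return (credential_ && index == 0) ? credential_.get() : nullptr;
    }
private:
    std::vector<std::string> accounts_;
    std::function<void()> credentialsChanged_;
    std::unique_ptr<CustomCredential> credential_;
};

// The LogonUI side of one pass over steps S717-S751; nullopt when no tile is offered.
std::optional<AuthPacket> logonUiPass(CustomCredentialProvider& p) {
    CredentialCount c = p.GetCredentialCount();
    if (c.count == 0 || !c.autoLogonWithDefault) return std::nullopt;
    CustomCredential* cred = p.GetCredentialAt(c.defaultIndex);
    if (!cred) return std::nullopt;
    return cred->GetSerialization();
}
```

The scrub calls show the check a reviewer would ask for on the backfilling step: the password delivered over the channel exists in one place at a time and is zeroed as soon as the packet has been built.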
Winlogon 11; LSA 19; LogonUI 13; username/password 17; credential one 151; credential two 152;
logon screen 20; system administrator 201; user one 203; user two 205; multi-factor authentication window 22; system command menu 24; user ID 21; password 23; fingerprint authentication icon 221; chip card authentication icon 222; face authentication icon 223;
Windows Vista operating system login means 41; login user interface means 42; logon screen display means 43; multi-factor authentication means 44; user identity comparison means 45; authentication means 46; authentication passing means 47; user ID/password backfilling means 48;
login user interface program (LogonUI.exe) 50; password credential provider 51; custom credential provider 53; disguised password credential provider 55; password credential 57; disguised password credential 59
Claims (1)
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
TW95139806A TW200820042A (en) | 2006-10-27 | 2006-10-27 | Multi-factor authentication system and a logon method of a windows OS |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
TW95139806A TW200820042A (en) | 2006-10-27 | 2006-10-27 | Multi-factor authentication system and a logon method of a windows OS |
Publications (1)
Publication Number | Publication Date |
---|---|
TW200820042A true TW200820042A (en) | 2008-05-01 |
Family
ID=44770034
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
TW95139806A TW200820042A (en) | 2006-10-27 | 2006-10-27 | Multi-factor authentication system and a logon method of a windows OS |
Country Status (1)
Country | Link |
---|---|
TW (1) | TW200820042A (en) |
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN109634512A (en) * | 2012-06-11 | 2019-04-16 | 三星电子株式会社 | Mobile device and its settlement method |
CN113094681A (en) * | 2021-04-09 | 2021-07-09 | 广东电网有限责任公司 | Identity recognition method, system, equipment and storage medium |