When services are provided to users over the Internet or private networks, methods for granting access authority to a user include authentication via a user ID and a password, and authentication by an IC card authentication device, a biometrics authentication device and the like.
For authentication by an IC card authentication device, a biometrics authentication device, etc., issuing a user ID to a particular individual and granting access authority to the user generally involve the user presenting a document or the like to provide the user's personal information to a service provider, so that the user is identified, registered and granted access authority. Thus, an individual may be identified and authenticated, but the above procedure involves verifying the user's personal information, such as the user's real name and address, in advance. The service providers are required to put great effort into these verification procedures and to invest in facilities and equipment for performing them. Some users avoid the registration in order to avoid cumbersome procedures or having to entrust others with their personal information. Also, when an IC card authentication device or a biometrics authentication device is used, some users avoid obtaining the required devices because of the cost of obtaining a mobile information terminal (hereinafter referred to as “mobile information terminal”) and the additionally required authentication device, not to mention the laborious initial configuration of the devices.
On the other hand, network services such as social networks, which have a large user base and benefit from a high volume of user information, are simplifying the registration procedures and authentication processes for individual authentication because cumbersome individual authentication hinders the growth of the registered user base. For the same reason, they often grant access authority to their users without requiring their personal information, or accept registration of personal information by trusting the information submitted by each individual without requiring the individual's identification document.
However, when access authority is granted in such a manner, users can register themselves with incorrect information. Since a false name can be registered, one individual can obtain a plurality of user IDs. In such a simplified individual authentication system, it is difficult to correctly identify individuals as users. In other words, it becomes difficult for a system administrator to control the services provided to the individuals as users.
For example, terminating services for a particular individual may not be possible by simply intercepting the individual's registered user ID account if the individual has obtained more than one user ID.
Also, it is impossible to use both authentication via a user ID and a password and authentication using an IC card authentication device or a biometrics authentication device to accurately identify and authenticate individuals. If an individual uses a false name to register himself or herself as a user during the authentication via a user ID and a password, the same individual can obtain a plurality of access rights, resulting in inaccurate registrations.
Thus, in the conventional individual authentication technologies, simplified individual authentication makes it impossible to identify individuals accurately, and accurate individual identification prevents the growth of the network service user base due to the increased procedures and costs, resulting in a tradeoff between simplified and accurate individual authentication. In other words, there has been no technology for providing users with simplified individual authentication while identifying individuals as users.
On the other hand, other individual authentication methods include a method for individual authentication using user-specific behavioral pattern information (Patent Document 1) and a method for individual authentication through questions and answers regarding a user's behavioral history (Patent Document 2).
By nature, these techniques are individual authentication methods for controlling user access to an object of security management, not techniques for identifying individuals as users of mobile information terminals.
In order to identify a particular individual, two things are needed: unique information that makes it possible to identify the particular individual among all other individuals, and a mechanism that makes it possible to efficiently compare and differentiate the identification information of the particular individual and that of all other individuals. Patent Documents 1 and 2 merely disclose methods for verifying whether an individual as a user has access authority, but do not offer unique identification information which allows identification of a particular individual among others.
In the technique of Patent Document 1, which uses user-specific behavioral pattern information to authenticate an individual, user travel path information may be used as identification information for each user, since the user-specific behavioral pattern consists of the user's travel paths recorded in advance, and since the individual authentication is performed by comparing those travel paths with the behavioral path of the user at the time of the user's access.
However, compared to location information for one or two locations, the travel path information contains more information and more complex data, requiring complicated and laborious tasks when comparing the travel path information of different users. Also, note that Patent Document 1 does not offer means for comparing pieces of travel path information with each other and determining whether they are the same or different.
Additionally, in this method, the identification information may be generated only when a user continually takes an identical travel path. In other words, for a user without consistent travel paths or without habitual travel patterns, the identification information may not be generated. Thus, a network service requiring a large-scale user base may not be constructed on a system incapable of granting access authority to a user unless the user meets particular conditions.
Further, the GPS function of general-purpose mobile information terminals does not consistently provide accurate positioning, often resulting in errors in the location information. Those errors make it difficult to compare and identify the travel path information.
Thus, in the above individual authentication method, it is difficult to identify an individual as a user of a mobile information terminal and differentiate the individual from others.
The method for individual authentication through questions and answers regarding the user behavioral history of Patent Document 2 uses the user's behavioral history including information on a purchased product, a ticket gate, and date and time related to the user to authenticate an individual.
In this individual authentication method, personal information needs to be registered in advance in order to obtain the information on the products the user purchases, ticket gates that the user goes through, etc., and therefore, this method requires identification of each individual for accurate individual authentication. That is, the accurate individual authentication increases the required procedures and cost, and may discourage the user base growth in the network services.
As such, neither of the above conventional techniques for individual authentication may be easily used to concomitantly identify each user.
Unlike either of these individual authentication techniques, the present invention provides users with simplified individual authentication procedures while allowing identification of an individual as a user of a mobile information terminal from the other users. This identification is not done at the level of user IDs, but rather at the level of each individual using the mobile information terminal, by identifying individuals as users of a network service. For this reason, even if one individual is using a plurality of user IDs, the individual as the user of those user IDs may be identified as one identical individual. Also, even if one individual is using a plurality of mobile information terminals, the individual as the user of those mobile information terminals may be identified as one identical individual. Thus, the technique of the present invention has a broader range of identifiable objects than, and is different from, the conventional techniques.
Also, when a user presents the user's personal information to a network service provider to receive access authority, there could be a risk of the user's personal information being leaked, depending on the management of the network service provider. For this reason, users have tended to refrain from presenting their personal information, and thus many network services have been allowing their users to register anonymously. However, this allows a plurality of registrations by one individual, making it impossible to identify the individual. In other words, there has been a tradeoff between allowing the users to use the network service anonymously and identifying individuals as the network service users.
The present invention allows the users to anonymously access network services while enabling identification of an individual as a user of a mobile information terminal from the other users.