Including Intelligent Token Patents (Class 713/159)
- Publication number: 20140351583
  Abstract: Disclosed are methods and systems of implementing a right over a content or contents. Various implementations may include means and operations for receiving, for example in an execution environment and from a secure element, a first key for implementing a right over an encrypted content; decrypting said content in said execution environment with the help of the first key; and implementing the right over the content in said execution environment. Various implementations may also include means and operations for receiving a second key in, for example, said execution environment, from the secure element; and encrypting said content in said execution environment with the help of the second key.
  Type: Application
  Filed: May 21, 2014
  Publication date: November 27, 2014
  Inventors: Luk Bettale, Michele Sartori
- Publication number: 20140351582
  Abstract: An authentication system to authorize access to data to be protected, including a token having a memory that stores: an array containing alphanumeric information and random data; and a seal scheme vector containing information to enable access to each of the information items in their respective positions in the array. The authentication system is configured to: subject access to the token to the insertion of a password; decrypt the seal scheme vector; acquire the arrangement information and the size information of each random data from the seal scheme vector; check correspondence between the acquired arrangement information and the effective arrangement of the information in the array, and between the acquired size information and the effective size of the random data; authorize or deny access to the data to be protected on the basis of a result of the previous check.
  Type: Application
  Filed: May 24, 2013
  Publication date: November 27, 2014
  Applicant: Alenia Aermacchi S.p.A.
  Inventor: Alessandro BARLETTA
- Patent number: 8898738
  Abstract: The present invention discloses an apparatus, system and method for accessing internet webpage. The system includes a user terminal and a proxy server. The user terminal is configured to initiate an access request to the proxy server, the access request including URL information of a target webpage which carries an identifier of requiring security authentication, and receive and display target webpage information outputted from the proxy server. The proxy server is configured to receive the access request, perform security authentication on the URL information of the target webpage which carries the identifier of requiring security authentication according to pre-stored webpage security database information; if the security authentication is passed, obtain the target webpage information and output the target webpage information to the user terminal. By applying the present invention, network delay overload for accessing the internet webpage can be reduced, and user experience can be improved.
  Type: Grant
  Filed: December 12, 2011
  Date of Patent: November 25, 2014
  Assignee: Tencent Technology (Shenzhen) Company Limited
  Inventors: Peng Hu, Zijun Zhang, Wenbing Ge
- Patent number: 8898739
  Abstract: Data storage and management systems can be interconnected as clustered systems to distribute data and operational loading. Further, independent clustered storage systems can be associated to form peered clusters. As provided herein, methods and systems for creating and managing intercluster relationships between independent clustered storage systems, allowing the respective independent clustered storage systems to exchange data and distribute management operations between each other while mitigating administrator involvement. Cluster introduction information is provided on a network interface of one or more nodes in a cluster, and intercluster relationships are created between peer clusters. A relationship can be created by initiating contact with a peer using a logical interface, and respective peers retrieving the introduction information provided on the network interface.
  Type: Grant
  Filed: November 22, 2013
  Date of Patent: November 25, 2014
  Assignee: NetApp, Inc.
  Inventor: Steven M. Ewing
- Patent number: 8893242
  Abstract: A computer-implemented system and method for pool-based identity generation and use for service access is disclosed. The method in an example embodiment includes seeding an identity generator with a private key; retrieving independently verifiable data corresponding to a service consumer; using the independently verifiable data to create signed assertions corresponding to the service consumer; generating a non-portable identity document associated with the service consumer, the identity document including the signed assertions; signing the identity document with the private key; and conveying the signed identity document to the service consumer via a secure link.
  Type: Grant
  Filed: April 29, 2008
  Date of Patent: November 18, 2014
  Assignee: eBay Inc.
  Inventors: Raju Venkata Kolluru, Michael Dean Kleinpeter, Liam Sean Lynch, Christopher J. Kasten, Rajesh Kanungo
- Patent number: 8892697
  Abstract: A system and a digital token for user identity verification comprise a control device for communicating over a network. The control device executes program applications and displays outputs to a user. A server communicates over the network to the control device and to other devices. The server comprises a personal identity model, a personal identity engine and a personal identity controller. The personal identity model collects and stores user information comprising personal information, personality, and biometric information. The personal identity engine processes the stored user information to produce the digital token. The personal identity controller manages exchange of the digital token in a user identity verification process. A claim point exchanges the digital token with the server in the user identity verification process, in which, upon verification of the user's identity, the claim point provides a service to the user.
  Type: Grant
  Filed: July 24, 2012
  Date of Patent: November 18, 2014
  Assignee: Dhana Systems Corp.
  Inventor: Prashant Nema
- Patent number: 8885817
  Abstract: A nonlinear feedback shift register for creating a signature for cryptographic applications includes a sequence of series-connected flip-flops which are connected to each other for forming at least one polynomial, with the aid of at least one signal feedback having at least one operator. The flip-flops are connected to at least one switching operator for forming at least two different polynomials, the switching operator switching between the polynomials as a function of an input signal. A method for nonlinear signature formation is also provided.
  Type: Grant
  Filed: November 24, 2009
  Date of Patent: November 11, 2014
  Assignee: Robert Bosch GmbH
  Inventors: Eberhard Boehl, Paulius Duplys
- Patent number: 8874922
  Abstract: In accordance with the present disclosure, a system and method for multilayered authentication of trusted platform updates is described. The method may include storing first cryptographic data in a personality module of an information handling system, with the first cryptographic data corresponding to a verified firmware component. A second cryptographic data may also be determined, with the second cryptographic data corresponding to an unverified firmware component. The unverified firmware component may be stored in a memory element of the information handling system, and the second cryptographic data may be determined using a processor of the information handling system.
  Type: Grant
  Filed: January 17, 2012
  Date of Patent: October 28, 2014
  Assignee: Dell Products L.P.
  Inventors: Muhammed Jaber, Mukund Khatri
- Patent number: 8869258
  Abstract: A system and method for troubleshooting errors that occur during token requests. An identity provider generates a session ID and uses the session ID when logging events that occur during handling of the request. Multiple servers, processes, or threads may use the same session ID. The session ID may be sent with an error message to the requester. An ID of one or more servers that processed the request may also be sent to the requester. Upon receiving the error message, the requester may provide the error information to an administrator, who uses the information to retrieve associated logged events.
  Type: Grant
  Filed: March 12, 2010
  Date of Patent: October 21, 2014
  Assignee: Microsoft Corporation
  Inventors: Wei Wu, Balaji Azhagiyapandiapuram
- Patent number: 8863263
  Abstract: A server apparatus includes an analyzer unit which analyzes log-in information for a server received from a client, determines an authentication scheme of the server, and extracts, from the log-in information, provisional authentication information in a form representative of variable information. The analyzer unit stores, in the storage device, information representative of the authentication scheme and the provisional authentication information as the variable information. The analyzer unit also stores, in the storage device, as the variable information, authentication information of a user for the server that is associated with representative authentication information of the user.
  Type: Grant
  Filed: February 14, 2011
  Date of Patent: October 14, 2014
  Assignee: Fujitsu Limited
  Inventors: Yoshikazu Asano, Noriyuki Sawai, Rie Noda
- Patent number: 8862890
  Abstract: A biometric-information processing apparatus and method including storing sample biometric information of a user each time biometric authentication processing for verifying sample biometric information of a user against enrolled biometric information registered in a first storage unit succeeds, where the user's sample biometric information is stored in a second storage unit, and selecting an update-candidate biometric information for updating the user's enrolled biometric information from the user's sample biometric information stored in the second storage unit, based on a result of verification of multiple pieces of the user's sample biometric information stored in the second storage unit against enrolled biometric information of other users.
  Type: Grant
  Filed: March 19, 2010
  Date of Patent: October 14, 2014
  Assignee: Fujitsu Limited
  Inventor: Ken Kamakura
- Patent number: 8856517
  Abstract: A method of using an access manager server to establish a communication session between a resource and a user device may include receiving a request from the user device to access the resource, determining that the client system is registered as a trusted partner, sending the client system a first encrypted token that includes a resource identifier where the client system has access to a first cryptographic key that decrypts the first encrypted token. The method may also include receiving a second encrypted token that signifies that access to the resource has been granted by the client system where the second token comprises a user identifier and the access manager server has access to a second cryptographic key that decrypts the second token. The method may additionally include decrypting the second token and establishing the communication session between the user device and the resource using the user identifier.
  Type: Grant
  Filed: November 27, 2012
  Date of Patent: October 7, 2014
  Assignee: Oracle International Corporation
  Inventors: Aarathi Balakrishnan, Vikas Pooven Chathath, Madhu Martin
- Patent number: 8856892
  Abstract: The present disclosure describes methods, systems, and computer program products for interactive authentication, which can include receiving a valid authentication credential or an invalid authentication credential associated with a digital identity. The credentials can be received from an end user at an input device in association with a login attempt. If a valid authentication credential is received, it is determined whether an identification token is received with the valid authentication credential. If received, the identification token is identified as a token included in a list of valid tokens associated with the digital identity at an authentication system. In response to the determination that the identification token is included in the list of valid tokens, it is determined whether a lockout period associated with the identification token in the list of valid tokens has expired. If expired, the end user associated with the login attempt can be authenticated.
  Type: Grant
  Filed: June 27, 2012
  Date of Patent: October 7, 2014
  Assignee: SAP AG
  Inventor: Gabor Faludi
- Publication number: 20140298011
  Abstract: A portable apparatus is removably and communicatively connectable to a network device to communicate authentication or authorization credentials of a user in connection with the user logging into or entering into a transaction with a network site. The apparatus includes a communications port to connect and disconnect the apparatus to and from the network device and to establish a communication link with the network device when connected thereto. A processor receives a secure message from the network security server via the port. The message has a PIN for authenticating the user to the network site, and is readable only by the apparatus. The processor either transfers, via the port, the received PIN to an application associated with the network site that is executing on the network device or causes the apparatus to display the received PIN for manual transfer to the application associated with the network site.
  Type: Application
  Filed: June 17, 2014
  Publication date: October 2, 2014
  Inventor: Ravi GANESAN
- Patent number: 8850021
  Abstract: Technologies are generally described for methods, instructions, and client applications for device discovery in a ubiquitous computing environment. In some examples, the methods, instructions, and client applications may facilitate the organization of features of devices in a ubiquitous computing environment into a series of hierarchical hash numbers, the ordering of the hierarchical hash numbers corresponding to the respective devices, and the searching for a particular one of the devices by attempting to match hashed search criteria to the ordered hierarchical hash numbers at one of the devices in the ubiquitous computing environment.
  Type: Grant
  Filed: December 17, 2010
  Date of Patent: September 30, 2014
  Assignee: Empire Technology Development LLC
  Inventors: Junwei Cao, Zhen Wang
- Patent number: 8850218
  Abstract: A system and method is provided for generating a one-time passcode (OTP) from a user device. The method includes providing a passcode application and a cardstring defined by a provider account to the user device. The passcode application is configured to generate a passcode configured as a user OTP for the provider account, using the cardstring. The cardstring is defined by at least one key camouflaged with a personal identification number (PIN). The key may be camouflaged by modifying and encrypting the modified key under the PIN. The key may be configured as a symmetric key, a secret, a seed, and a controlled datum. The cardstring may be an EMV cardstring; and the key may be a UDKA or UDKB. The cardstring may be an OTP cardstring, and the key may be a secret configurable to generate one of a HOTP, a TOTP, and a counter-based OTP.
  Type: Grant
  Filed: October 14, 2013
  Date of Patent: September 30, 2014
  Assignee: CA, Inc.
  Inventors: Geoffrey R. Hird, Rammohan Varadarajan
- Patent number: 8850192
  Abstract: An apparatus and method for determining contents information corresponding to a Rights Object (RO) by transmitting information on contents together when the RO is moved from a mobile device to a memory card or a smart card or when the RO is moved from the memory card or the smart card to the mobile device are provided. The apparatus includes a meta information manager for determining information on contents corresponding to the RO when the RO is moved, and for generating meta information containing the determined contents information, and a controller for providing control to transmit the RO and the meta information generated by the meta information manager to a portable storage device. Accordingly, the conventional problem can be solved in which information on contents cannot be determined by using a Contents IDentifier (CID) if the RO does not exist together with the contents.
  Type: Grant
  Filed: November 26, 2012
  Date of Patent: September 30, 2014
  Assignee: Samsung Electronics Co., Ltd.
  Inventors: Seong Choi, Jung-Hun Park, Yun-Sang Oh
- Patent number: 8848919
  Abstract: Providing revocation status of at least one associated credential includes providing a primary credential that is at least initially independent of the associated credential, binding the at least one associated credential to the primary credential, and deeming the at least one associated credential to be revoked if the primary credential is revoked. Providing revocation status of at least one associated credential may also include deeming the at least one associated credential to be not revoked if the primary credential is not revoked. Binding may be independent of the contents of the credentials and may be independent of whether any of the credentials authenticate any other ones of the credentials. The at least one associated credential may be provided on an integrated circuit card (ICC). The ICC may be part of a mobile phone or a smart card.
  Type: Grant
  Filed: June 18, 2012
  Date of Patent: September 30, 2014
  Assignee: Assa Abloy AB
  Inventors: Eric F. Le Saint, Robert S. Dulude
- Publication number: 20140281506
  Abstract: Systems and methods for a secure soft token solution applicable to multiple platforms and usage scenarios are provided. According to one embodiment a method is provided for soft token management. A mobile device of a user of a secure network resource receives and installs a soft token application. A unique device ID of the mobile device is programmatically obtained by the soft token application. A seed for generating a soft token for accessing the secure network resource is requested by the soft token application. Responsive to receipt of the seed by the soft token application, the soft token is generated based on the seed and the soft token is bound to the mobile device by encrypting the seed with the unique device ID and a hardcoded pre-shared key.
  Type: Application
  Filed: March 16, 2014
  Publication date: September 18, 2014
  Applicant: Fortinet, Inc.
  Inventors: David A. Redberg, Jun Li
- Patent number: 8832802
  Abstract: A system that can control whether a recipient of an electronic message (e.g., a text message, a multimedia message, an e-mail message, etc.) with a forwarding-restricted attachment is permitted to forward the attachment to third parties can be implemented on the network without specialized hardware or software for the client devices. The sender of a text message may limit the downstream distribution of that text message through text message forwarding by associating a forwarding restriction flag with the message.
  Type: Grant
  Filed: August 1, 2012
  Date of Patent: September 9, 2014
  Assignee: Protextion Technologies, LLC
  Inventors: David M. Orbach, Evan John Kaye
- Patent number: 8826269
  Abstract: A virtualization system is described herein that facilitates communication between a virtualized application and a host operating system to allow the application to correctly access resources referenced by the application. When the operating system creates a virtualized application process, the virtualization system annotates a data structure associated with the process with an identifier that identifies the virtualized application environment associated with the process. When operating system components make requests on behalf of the originating virtual process, a virtualization driver checks the data structure associated with the process to determine that the helper process is doing work on behalf of the virtualized application process. Upon discovering that the thread is doing virtual process work, the virtualization driver directs the helper process's thread to the virtual application's resources, allowing the helper process to accomplish the requested work with the correct data.
  Type: Grant
  Filed: June 15, 2009
  Date of Patent: September 2, 2014
  Assignee: Microsoft Corporation
  Inventors: Hui Li, John M. Sheehan
- Patent number: 8825928
  Abstract: A device or "dongle" (30) is provided for controlling communications between a Subscriber Identity Module (or SIM) (12), such as of the type used in a GSM cellular telephone system, and a computer, such as a WINDOWS® operating system-based PC (10). The SIM (12) can be authenticated by the telephone network, in the same way as for authenticating SIMs of telephone handset users in the network, and can in this way authenticate the user of the PC (10) or the PC (10) itself. Such authentication can, for example, permit use of the PC (10) for a time-limited session in relation to a particular application which is released to the PC (10) after the authentication is satisfactorily completed. The application may be released to the PC (10) by a third party after and in response to the satisfactory completion of the authentication process. A charge for the session can be debited to the user by the telecommunications network and then passed on to the third party.
  Type: Grant
  Filed: October 9, 2003
  Date of Patent: September 2, 2014
  Assignee: Vodafone Group PLC
  Inventors: David Jeal, George Stronach Mudie
- Publication number: 20140237229
  Abstract: This application is directed to a system for remotely directing a host device to perform an operation using a key. The key may include a communications circuitry for transmitting data, for example a key identifier or an instruction to perform an operation, within a personal area network created by the communications circuitry. When a host device is within the personal area network, the key may transmit data received by a transceiver on the host device. In response to receiving the data, the host device may perform an operation (e.g., an authentication operation). In some embodiments, the key may transmit data identifying an operation for the host device to perform. In some embodiments, the host device may store in memory key identification information and an associated operation which may be retrieved when the key is brought in proximity of the host device.
  Type: Application
  Filed: April 28, 2014
  Publication date: August 21, 2014
  Applicant: Apple Inc.
  Inventor: Michael ROSENBLATT
- Patent number: 8813237
  Abstract: Embodiments of the invention generally relate to thwarting fraud perpetrated with a computer by receiving a request from a computer to perform a transaction. Embodiments of the invention may include receiving the request together with transaction data and a cookie, where the transaction data are separate from the cookie; determining in accordance with predefined validation criteria whether the cookie includes a valid representation of the transaction data; and performing the transaction only if the cookie includes a valid representation of the transaction data.
  Type: Grant
  Filed: June 28, 2010
  Date of Patent: August 19, 2014
  Assignee: International Business Machines Corporation
  Inventors: Yair Amit, Roee Hay, Roi Saltzman, Adi Sharabani
- Publication number: 20140223175
  Abstract: The invention provides an easy-to-use credential management mechanism for a multi-factor, out-of-band, multi-channel authentication process to protect a large number of documents without the need to remember all the document passwords. When opened, the secure document application generates a multi-dimensional code. The user scans the multi-dimensional code, validates the secure document application and triggers an out-of-band outbound mechanism. The portable mobile device invokes the authentication server to get authenticated. The authentication server authenticates the user based on a shared secret key, and the user is automatically allowed access to the secure document. The process of the invention includes an authentication server, a secure document application to generate an authentication vehicle or an embodiment (i.e. multi-dimensional bar code) and handle incoming requests, secret keys and a portable communication device with a smartphone application.
  Type: Application
  Filed: December 30, 2013
  Publication date: August 7, 2014
  Inventor: PIYUSH BHATNAGAR
- Patent number: 8800009
  Abstract: Methods, systems, and apparatus, including computer programs encoded on computer storage media, for accessing services from a virtual machine. One of the methods includes receiving requests for long-term security tokens from a host machine, each request comprising authentication information for a respective service account. The method includes providing long-term security tokens to the host machine, wherein the long-term security tokens can be used to generate short-term security tokens for a virtual machine executing on the host machine. The method also includes generating, by a process executing in a host operating system of the host machine, a short-term security token based on a long-term security token of the long-term security tokens for use by a virtual machine executing on the host machine to access one of the respective service accounts, wherein the short-term security token is useable for a pre-determined amount of time.
  Type: Grant
  Filed: February 23, 2012
  Date of Patent: August 5, 2014
  Assignee: Google Inc.
  Inventors: Joseph S. Beda, III, Ridhima Kedia
- Patent number: 8775794
  Abstract: Systems and methods for end-to-end encryption are disclosed. According to one embodiment, a method for device registration includes (1) an application executed by a computer processor receiving a user password from a user; (2) using the computer processor, the application combining the user password and a password extension; (3) using the computer processor, the application cryptographically processing the combined user password and password extension, resulting in cryptographic public information; and (4) providing the cryptographic public information to a server. The user password is not provided to the server. In another embodiment, a method for user authentication includes (1) using a computer processor, receiving a login page from a server; (2) sending a Hash-based Message Authentication Code to the server; and (3) receiving an authentication from the server. In one embodiment, the login page may include a transkey and a value B.
  Type: Grant
  Filed: June 24, 2011
  Date of Patent: July 8, 2014
  Assignee: JPMorgan Chase Bank, N.A.
  Inventor: Glenn Benson
- Patent number: 8776180
  Abstract: Instrumented networks, computer systems and platforms having target subjects (devices, transactions, services, users, organizations) are disclosed. A security orchestration service generates runtime operational integrity profiles representing and identifying a level of threat or contextual trustworthiness, at near real time, of subjects and applications on the instrumented target platform. Methods and systems are disclosed for calculating security risks by determining subject reputation scores. In an embodiment, a system receives a query for a reputation score of a subject, initiates directed queries to external information management systems to interrogate attributes associated with the subject, and analyzes responses. The system receives a hierarchical subject reputation score based on a calculus of risk and returns a reputation token.
  Type: Grant
  Filed: July 27, 2012
  Date of Patent: July 8, 2014
  Assignee: Taasera, Inc.
  Inventors: Srinivas Kumar, Dennis Pollutro
- Patent number: 8776204
  Abstract: In a communication network wherein a first computing device represents a resource owner and a second computing device represents a resource requestor, the resource owner detects an occurrence of an event, wherein the event occurrence represents a request to access one or more resources of the resource owner stored in a resource residence. The resource owner sends an authorization token to the resource requestor in response to the event occurrence, the authorization token serving as a proof of authorization delegated by the resource owner to be presented by the resource requestor to the resource residence so as to permit the resource requestor to access the one or more requested resources stored in the resource residence.
  Type: Grant
  Filed: March 12, 2010
  Date of Patent: July 8, 2014
  Assignee: Alcatel Lucent
  Inventors: Igor Faynberg, Hui-Lan Lu
- Patent number: 8775321
  Abstract: Certain embodiments provide a user notification such as a cue in a media content player. The notification or cue indicates that there is additional content available for a piece of media being played or about to be played. The notification or cue may be superimposed on content or provided separate from the media content being provided. In certain embodiments, the notification may provide a link for accessing the additional content the notification identifies. For example, the user may click on a notification to link to a dynamically-generated webpage comprising information retrieved about the media content being presented.
  Type: Grant
  Filed: October 31, 2008
  Date of Patent: July 8, 2014
  Assignee: Adobe Systems Incorporated
  Inventor: Mark Randall Mooneyham
- Patent number: 8769612
  Abstract: A technique that enables a portable device to be automatically associated with a plurality of computers. Information that a computer can use to authenticate a portable device and establish a trusted relationship prior to creating an association with the portable device is created and stored in a data store that is accessible by a plurality of computers and is associated with a user of the portable device. When a computer discovers such a portable device with which it is not yet associated, the computer can identify a user logged into the computer and use information identifying the user to retrieve authentication information that is device independent and is expected to be presented by the portable device to authenticate it and allow automatic association.
  Type: Grant
  Filed: August 14, 2008
  Date of Patent: July 1, 2014
  Assignee: Microsoft Corporation
  Inventor: Narayanan Ganapathy
- Patent number: 8769646
  Abstract: There is presented a system and method for associating a domain transcendent identification (ID) of a user and a domain specific ID of the user, the system comprising an ID association server accessible by a plurality of secure domains over a network. The system also includes an ID associator application that when executed by the ID association server is configured to receive a domain specific ID that associates the user to the secure domain, enter the domain specific ID in a domain transcendent ID record created for the user, generate a unique data associated with the domain transcendent ID record and identify a network location for submission of the unique data, send the unique data and the network location to the user, and associate the domain transcendent ID and the domain specific ID.
  Type: Grant
  Filed: December 8, 2010
  Date of Patent: July 1, 2014
  Assignee: Disney Enterprises, Inc.
  Inventors: Arnaud Robert, Edward C. Drake
- Publication number: 20140181507
  Abstract: Token detection at a single computing platform may be linked with a user identification to unlock content and/or effectuate modifications in virtual space instances presented via multiple computing platforms, in accordance with one or more implementations. Exemplary implementations may enhance consistency in a user's experiences of a virtual space across multiple computing platforms.
  Type: Application
  Filed: December 26, 2012
  Publication date: June 26, 2014
  Applicant: DISNEY ENTERPRISES, INC.
  Inventor: Disney Enterprises, Inc.
- Patent number: 8763097
  Abstract: Systems and methods of authentication according to the invention are provided comprising a user, a service client, a service server, a portable communications device and an authentication server, wherein the method comprises use of one time passwords and out-of-band outbound communication channels. This system gives access to authentication seekers based on an OTP out-of-band outbound authentication mechanism. The authentication seeker or system user scans a multi-dimensional barcode or another like encoding mechanism and validates the client and triggers the out-of-band outbound mechanism. The portable mobile device invokes the client server to request authentication. The client server authenticates the user based on a shared secret key and the user is automatically traversed to the next page.
  Type: Grant
  Filed: March 8, 2012
  Date of Patent: June 24, 2014
  Inventors: Piyush Bhatnagar, Sridnar Reddy
-
Patent number: 8756673
Abstract: Techniques for sharing data between users in a manner that maintains anonymity of the users. Tokens are generated and provided to users for sharing data. A token comprises information encoding an identifier and an encryption key. A user may use a token to upload data that is to be shared. The data to be shared is encrypted using the encryption key associated with the token and the encrypted data is stored such that it can be accessed using the identifier associated with the token. A user may then use a token to access the shared data. The identifier associated with the token being used to access the shared data is used to access the data and the encryption key associated with the token is used to decrypt the data. Data is shared anonymously without revealing the identity of the users using the tokens.
Type: Grant
Filed: March 30, 2007
Date of Patent: June 17, 2014
Assignee: Ricoh Company, Ltd.
Inventors: John W. Barrus, Tomohiko Sasaki, Jamey Graham, Sharon Kojima
-
Patent number: 8751815
Abstract: Methods, apparatuses, and articles for receiving, by a server, a plurality of identifiers associated with a client device are described herein. The server may also encrypt a plurality of encoding values associated with the plurality of identifiers using a first key of a key pair of the server, and generate a token uniquely identifying the client device, a body of the token including the encrypted plurality of encoding values. In other embodiments, the server may receive a token along with the plurality of identifiers. In such embodiments, the server may further verify the validity of the received token, including attempting to decrypt a body of the received token with a key associated with a second server, the second server having generated the received token, and, if decryption succeeds, comparing ones of the plurality of identifiers with second identifiers found in the decrypted body to check for inconsistencies.
Type: Grant
Filed: October 24, 2007
Date of Patent: June 10, 2014
Assignee: iovation Inc.
Inventors: Ron Lunde, Daniel Lulich, Greg Pierson
-
Patent number: 8751827
Abstract: A method of securely operating a computerized system includes forming a connection to a user-removable physical security device (PSD) which is uniquely paired with the computerized system and which stores cryptographically secured data required for performing a protected function on the computerized system. The PSD may be realized as a USB or similar peripheral device containing security-related data and potentially security processing capability as well. The protected function could be decrypting of encrypted data encryption keys used to encrypt/decrypt user data, for example. A user who has an established association with the PSD (e.g. by some preceding registration process) is authenticated, resulting in activation of the PSD on the computerized system. Upon such activation of the PSD, the computerized system engages in a security operation using the cryptographically secured data from the PSD to enable the protected function to be performed under control of the user on the computerized system.
Type: Grant
Filed: June 25, 2010
Date of Patent: June 10, 2014
Assignee: EMC Corporation
Inventors: William M. Duane, Robert W. Griffin, John S. Harwood, Gregory W. Lazar, Thomas E. Linnell
-
Patent number: 8751794
Abstract: Systems and methods for providing an expedited login process that is relatively fast and that still provides a reasonable level of security and a reasonable method for mitigating compromised login information are described. In one configuration, a web server sends an anonymous unique machine readable login identifier code to a browser display of a client computer. A server account holding user then uses his smartphone to scan the code and send a message including the login identifier code and a smartphone identifier code to the server. The server obtains the identity of the user and authenticates the user by determining possession of the smartphone using the smartphone identifier. The server then uses the login identifier code to log the user into the server and into the user account at the client computer.
Type: Grant
Filed: December 28, 2011
Date of Patent: June 10, 2014
Assignee: Pitney Bowes Inc.
Inventor: Jens Haulund
-
Patent number: 8745730
Abstract: A networked computer device can be customized to contain provisioning and/or authorization logic in its firmware or the firmware of one of its subcomponents. The computer device is thus configured to provision itself from a provisioning server that is identified within the firmware, and to periodically query an operations authority for continued authorization to operate with the received provisioning. Upon failure to receive authorization, the firmware may implement various security measures, such as storage protection, boot protection, communications protection, and so forth. The firmware may also implement remote reporting, to assist an investigator when a device has been lost or stolen.
Type: Grant
Filed: September 13, 2011
Date of Patent: June 3, 2014
Assignee: Amazon Technologies, Inc.
Inventor: Timothy C. Worsley
-
Patent number: 8745409
Abstract: A data storage device that can be reversibly associated with one or more of a plurality of hosts. A "trusted" host on which the device is mounted is allowed access to a secure data area of the device automatically, without the user having to enter a password. Ways in which a host is designated as "trusted" include storing the host's ID in a trusted host list of the device, storing a representation of the host's ID that was encrypted using a trust key of the device in a cookie in the host, or storing a storage password of the device in a password list of the host. Alternatively, an untrusted host is allowed access to the secure data area if a user enters a correct user password.
Type: Grant
Filed: February 6, 2003
Date of Patent: June 3, 2014
Assignee: SanDisk IL Ltd.
Inventors: Mordechai Teicher, Aran Ziv, Noam Shintel
-
Publication number: 20140149742
Abstract: A method and system of authenticating a computer resource such as an application or data on a mobile device uses a contactless token to provide multi-factor user authentication. User credentials are stored on the token in the form of private keys, and encrypted data and passwords are stored on the device. When an application user requires access to the resource, an encrypted password is transmitted to and decrypted on the token using a stored private key. An unencrypted data encryption key or password is then transmitted back to the device under the protection of a cryptographic session key which is generated as a result of strong mutual authentication between the device and the token.
Type: Application
Filed: November 26, 2013
Publication date: May 29, 2014
Inventor: ARNOLD YAU
-
Publication number: 20140149741
Abstract: A method of using an access manager server to establish a communication session between a resource and a user device may include receiving a request from the user device to access the resource, determining that the client system is registered as a trusted partner, sending the client system a first encrypted token that includes a resource identifier where the client system has access to a first cryptographic key that decrypts the first encrypted token. The method may also include receiving a second encrypted token that signifies that access to the resource has been granted by the client system where the second token comprises a user identifier and the access manager server has access to a second cryptographic key that decrypts the second token. The method may additionally include decrypting the second token and establishing the communication session between the user device and the resource using the user identifier.
Type: Application
Filed: November 27, 2012
Publication date: May 29, 2014
Applicant: ORACLE INTERNATIONAL CORPORATION
Inventors: AARATHI BALAKRISHNAN, VIKAS POOVEN CHATHATH, MADHU MARTIN
-
Patent number: 8737623
Abstract: Systems and methods for remotely loading encryption keys in card reader systems are provided. One such method includes storing, at a card reader, a device identification number for identifying the card reader, a first magnetic fingerprint of a data card, and a second magnetic fingerprint of the data card, wherein each of the first and second fingerprints includes an intrinsic magnetic characteristic of the data card, encrypting, using a first encryption key derived from the second fingerprint, information including the device identification number and first fingerprint, sending the encrypted information to an authentication server, receiving, from the authentication server, a score indicative of a degree of correlation between the first fingerprint and second fingerprint, and receiving, when the score is above a preselected threshold, a second encryption key from the authentication server, the second encryption key encrypted using a third encryption key derived from the first fingerprint.
Type: Grant
Filed: September 13, 2011
Date of Patent: May 27, 2014
Assignee: Magtek, Inc.
Inventor: Annmarie D. Hart
-
Patent number: 8738920
Abstract: An information processing apparatus of the present invention converts user authentication information based on a second one-way function into a second converted value if authentication with a first converted value obtained by converting the user authentication information based on the first one-way function is successful.
Type: Grant
Filed: August 6, 2012
Date of Patent: May 27, 2014
Assignee: Canon Kabushiki Kaisha
Inventor: Yuu Tamura
-
Patent number: 8737610
Abstract: Supplemental content such as electronic advertisements may be previewed in situ. That is, supplemental content may be previewed in a context of a live and/or production environment along with the primary content available in that environment. In particular, electronic advertising that is still under development, that still requires testing and/or quality control, and/or electronic advertising that is unpublished may be incorporated into electronic pages by live and/or production electronic page generation computer systems. Furthermore, electronic advertising may be previewed in situ in a controlled and/or restricted manner.
Type: Grant
Filed: October 7, 2009
Date of Patent: May 27, 2014
Assignee: IMDB.com, Inc.
Inventors: Adam Carlson, Nicole A. Deflaux, Joseph C. Lee, Brian A. Ecker
-
Patent number: 8719957
Abstract: Systems and methods are disclosed for preventing tampering of a programmable integrated circuit device. Generally, programmable devices, such as FPGAs, have two stages of operation: a configuration stage and a user mode stage. To prevent tampering and/or reverse engineering of a programmable device, various anti-tampering techniques may be employed during either stage of operation to disable the device and/or erase sensitive information stored on the device once tampering is suspected. One type of tampering involves bombarding the device with a number of false configuration attempts in order to decipher encrypted data. By utilizing a dirty bit and a sticky error counter, the device can keep track of the number of failed configuration attempts that have occurred and initiate anti-tampering operations when tampering is suspected while the device is still in the configuration stage of operation.
Type: Grant
Filed: April 29, 2011
Date of Patent: May 6, 2014
Assignee: Altera Corporation
Inventor: Bruce B. Pedersen
-
Patent number: 8706642
Abstract: An apparatus, system, and method are disclosed for securely authorizing changes to a transaction restriction. A security module securely stores encryption keys for a payment instrument. The payment instrument electronically transacts payments and includes a transaction restriction. An authentication module receives an authentication from a user of the payment instrument. The security module validates the authentication with a first encryption key. In addition, the security module authorizes a change to the transaction restriction using a second encryption key if the authentication is valid. The security module resides on a computer that the user designates as authorized to validate the authentication.
Type: Grant
Filed: December 12, 2006
Date of Patent: April 22, 2014
Assignee: Lenovo (Singapore) Pte. Ltd.
Inventors: Stacy John Cannady, David Carroll Challener, Daryl Cromer, Mark Charles Davis, David Rivera, Randall Scott Springfield, Rod D. Waltermann
-
Patent number: 8707390
Abstract: Secure access to a wireless network can be provided in a system where wireless devices access a wireless network through a wireless access point (WAP). For example, a plurality of pre-shared keys (PSKs) may be generated and distributed to the WAP and the wireless device. The wireless device may automatically rotate an active one of the plurality of PSKs, while the WAP receives one or more rotation signals identifying the active one of the plurality of PSKs. The wireless device and the WAP may encrypt information relating to the active one of the PSKs within communications between them, thus securing the communications.
Type: Grant
Filed: July 26, 2007
Date of Patent: April 22, 2014
Assignee: CA, Inc.
Inventor: Joannes G. Van De Groenendaal
-
Patent number: 8699715
Abstract: A first cryptographic device is configured to store secret information that is refreshed in each of a plurality of epochs. The first cryptographic device receives an epoch control signal, and adjusts at least one epoch responsive to the received epoch control signal. Refreshed secret information associated with an adjusted epoch is utilized to authenticate the first cryptographic device to at least a second cryptographic device, where the second cryptographic device and one or more additional cryptographic devices store respective portions of the secret information in a distributed manner. By way of example, the epoch control signal may comprise an epoch advance signal directing that the first cryptographic device advance from a current one of the epochs to a subsequent one of the epochs. In an illustrative embodiment, the first cryptographic device comprises an authentication token and the second cryptographic device comprises an authentication server.
Type: Grant
Filed: March 27, 2012
Date of Patent: April 15, 2014
Assignee: EMC Corporation
Inventors: Ari Juels, John G. Brainard, Robert Damon Hopley
-
Patent number: 8700920
Abstract: Systems and methods for handling user interface field data. A system and method can be configured to receive input which indicates that the mobile device is to enter into a protected mode. Data associated with fields displayed on a user interface are stored in a secure form on the mobile device. After the mobile device leaves the protected mode, the stored user interface field data is accessed and used to populate one or more user interface fields with the accessed user interface field data for display to a user.
Type: Grant
Filed: May 28, 2012
Date of Patent: April 15, 2014
Assignee: BlackBerry Limited
Inventors: Neil Patrick Adams, Herbert Anthony Little