Abstract: A client device is configured to receive user-input and provide user-output to a client-user. A service provider is configured to serve a network-provided service for authorized users. An identity provider is configured to: maintain authorization information for the network-provided service and generate a permission-object that i) specifies that the client-user is an authorized user of the network-provided service and ii) may include an access-override field that specifies a network address of a remote browser isolation (RBI) host. The system also includes the RBI host configured to access the network-provided service; run the network-provided service in an isolation environment to generate a graphic user interface (GUI); provide a visual reproduction of the GUI to the client device; receive browser-input from the client device; and apply the browser-input to the running network-provided service.

Abstract: A method for automatically encrypting files is disclosed. In some cases, the method may be performed by computer hardware comprising one or more processors. The method can include detecting access to a first file, which may be stored in a primary storage system. Further, the method can include determining whether the access comprises a write access. In response to determining that the access comprises a write access, the method can include accessing file metadata associated with the first file and accessing a set of encryption rules. In addition, the method can include determining whether the file metadata satisfies the set of encryption rules. In response to determining that the file metadata satisfies the set of encryption rules, the method can include encrypting the first file to obtain a first encrypted file and modifying an extension of the first encrypted file to include an encryption extension.

Abstract: A secure token (ST) system including at least one ST computing device to provision data using secure tokens over a network is provided. The ST computing device is configured to receive first customer data from a credit issuer computing device, the first customer data including at least one or more account identifiers associated with a customer and a social security number (SSN) associated with the customer. The ST computing device is also configured to hash the SSN, wherein the hashed SSN includes a hash value, assign a unique identifier to each of the one or more account identifiers, and generate a secure token by associating the hash value to each unique identifier. The ST computing device is further configured to store the secure token within the database, and transmit the secure token to at least one of the credit issuer computing device and a third party computing device.

Abstract: A system may receive, via a web browser plugin on a user device, a first timestamp associated with first click data at a website associated with a merchant, a referring uniform resource location (URL), a current URL, and first user identification data. The system may also receive transaction data including a second timestamp, second user identification data, and a first merchant name associated with a transaction with the merchant. The system may determine whether the first timestamp is within a predetermined period of the second timestamp and determine whether the first user identification data corresponds with the second user identification data. When the system determines that the first timestamp is within the predetermined period of the second timestamp and the first user identification data corresponds with the second user identification data, the system may store the referring URL and the current URL with the first merchant name in a database.

Abstract: The application provides an example user interface switching method and an example terminal. The method includes, after the terminal triggers a trusted user interface (TUI) display request of a client application (CA) according to a first operation on a CA interface by a user, the terminal switches a display environment of the CA from a rich execution environment (REE) to a trusted execution environment (TEE) according to the TUI display request, and then displays a trusted application (TA) interface that is of the CA and that is in the TEE. The method also includes performing, by the user, an operation of inputting sensitive information on the TA interface.

Abstract: There are provided systems and methods for user specific error detection for accepting authentication credential errors. A service provider, such as an authentication server and/or transaction processor, may require credentials for a user to utilize a specific service, such as an account and account services. The user may establish an authentication credential, such as a password or other secret, that allows the user to use the account. The user may then attempt to utilize the credentials with the service provider but may perform a typo in entering the authentication credential. The service provider may reject an authentication of the user but may allow the user to reenter the authentication credential. If the user correctly enters the authentication credential at this stage, the service provider may perform analysis of the incorrect and correct authentication credential to determine whether to allow the incorrect authentication credential for future authentications.

Abstract: Subsequent to registration of a client device with a server device such that credentials by which the client device is authenticated are securely stored at the client device, the client device provides a user device and a server device a recovery identifier and a recovery secret key associated with the client device. Upon the credentials no longer being stored at the client device such that the client device has to be reregistered with the server device to store new credentials by which the client device is authenticated, the user device generates and provides a recovery code to the client device, which provides the recovery code to the server device. Upon validating the recovery code based on the recovery identifier and the recovery secret key, the server device reregisters the client device with the server device such that the new credentials are securely stored at the client device.

Abstract: A user may provide a financial card to an automated teller machine (ATM) or point of sale (POS) terminal and may be authenticated by providing a gesture and/or an image selection via a mobile device to the ATM or the POS. The gesture and/or image selection may be provided using a touchscreen of the mobile device. The gesture and/or image provided by the user via the mobile device may be compared to a stored gesture and/or image provided by the user during an earlier registration of the financial card. If there is a match between the gesture and/or image provided by the user via the mobile device and the previously stored gesture and/or image, then the user is authenticated and may access an account associated with the financial card.

Abstract: IHSs (Information Handling Systems) may include connectors, such as an XDP connector, that support couplings by diagnostic tools that utilize a debugging interface that is supported by the IHS, such as JTAG interface. These connectors provide a useful debugging mechanism but may be exploited to access protected information and to install malicious software. Detecting when these debugging capabilities have been compromised is very difficult. In embodiments, a remote access controller of the IHS disables the JTAG interface prior to initialization of the IHS processor by maintaining the interface in reset state. The remote access controller does not include instructions necessary for releasing the JTAG interface from this reset state until its firmware has been updated. If the remote access controller detects debugging activity while the JTAG interface is still in a reset state, the remote access controller signals an attempt to conduct an unauthorized debug session.

Abstract: A data using device includes: a data storage part storing pieces of data used for the predetermined process; a user storage part storing a first user identification information; an authentication data acquisition part; a user acquisition part acquiring a second user identification information from the external apparatus; a user determination part; an authentication storage processing part storing the authentication data such that the authentication data is available for the predetermined process when the user determination part determines that the first and second user identification information match each other or when the first user identification information is not stored; a user deletion part deleting or instructing a user to delete the first user identification information when the first and second user identification information do not match each other; and a data use prohibition part prohibiting use of the authentication data when the first user identification information is deleted.

Abstract: Devices and methods for preventing unauthorized access to memory devices are disclosed. A one-time programmable (OTP) memory is included in both a memory device and a processing device. The OTP memories store encryption keys and the encryption and decryption of messages between the two devices are used as a heartbeat to determine that the memory device has not been separated from the processing device and, in some instances, connected to a malicious processing device.

Abstract: The present disclosure describes exemplary methods and systems of protecting an integrated circuit. One exemplary method comprises receiving a plurality of key inputs for enabling operation of the integrated circuit; determining whether the received key inputs are correct key inputs for enabling operation of the integrated circuit; and if the received key inputs are determined to be incorrect key inputs, locking sequential logic and combinational logic of the integrated circuit until correct key inputs are received.

Abstract: In aspects of user authentication facilitated by an additional device, a computing device can maintain authentication data usable to authenticate a user to use the computing device. The computing device implements an authentication control module that can determine an additional device is equipped to facilitate authentication of a user to the computing device. The authentication control module can then receive additional authentication data associated with the user from the additional device, and authenticate the user to use the computing device based in part on the additional authentication data received from the additional device.

Abstract: A method for generating a dynamic username includes receiving a static component of a dynamic username and a selection of a dynamic parameter component of the dynamic username from a user. The static component and the selected dynamic parameter component are combined in a predetermined order, based on a user selected option. The dynamic username is produced from the combined static component and the selected dynamic parameter component based on the predetermined order. A rule for producing the dynamic username is generated. The rule defines the predetermined order of the static component and the selected dynamic parameter component. The static component and the rule are stored in a credential database with the rule being associated with the static component.

Abstract: Embodiments of the present application provide a network access authentication method, apparatus, and system. The network access authentication method mainly comprises: obtaining a user name by a network access management client through encryption using a device ID of a terminal device, and obtaining a dynamic password through encryption using the device ID and a time value within a time step, so that the terminal device performs network access authentication using the user name and the dynamic password. The device ID is uniquely assigned by an authentication server to the terminal device, and thus functions to identify the identity of the terminal device, so that network access authentication can be independent of digital certificates, thereby solving the problem that the terminal device cannot accomplish network access authentication for unsupported use of or unavailability of a digital certificate, while meeting network access security requirements.

Abstract: Techniques are disclosed for mitigating against malicious login attempts. In some examples, a computer system receives a plurality of login attempts to the system, the plurality of login attempts being originated from an Internet Protocol (IP) subnet. The computer system determines a ratio of successful login attempts to unsuccessful login attempts of the plurality of login attempts. Then, in response to determining that the ratio of a number of successful login attempts to total login attempts is below a predetermined threshold, the computer system denies a future login attempt to the system that is associated with the IP subnet for a first time period.

Abstract: The invention is notably directed to a method for encoding information. This method first comprises generating an encryption key according to polymorphic features of nucleic acids from one or more entities. Next, information is encrypted based on the generated key. Finally, the encrypted information is encoded into synthetic DNA. Another aspect concerns a method for retrieving information. Consistently with the above encoding scheme, synthetic DNA in provided, which encodes encrypted information. Such information is read by sequencing the synthetic DNA and by decrypting the information read using a decryption key. The latter is generated according to polymorphic features of nucleic acids from one or more entities (e.g., from the legitimate individual(s) requesting access to information). Thus, the encoded information cannot be interpreted unless a suitable decryption key is available. The invention is further directed to related DNA samples and systems, including DNA vaults.

Abstract: A method comprises receiving an image of an update for a software module, a rate parameter, an index parameter, and a public key, generating a 32-byte aligned string, computing a state parameter using the 32-byte aligned string, generating a modified message representative, computing a Merkle Tree root node, and in response to a determination that the Merkle Tree root node matches the public key, forwarding, to a remote device, the image of the update for a software module, the state parameter; and the modified message representative.

Abstract: A method, a communication device and a computer program product for protecting communication devices from access by unauthorized users. The method includes retrieving, from a memory, a biometric sensor disable time range and determining, via a processor of the communication device, if a current time is within the biometric sensor disable time range. In response to determining that the current time is within the biometric sensor disable time range, the method further includes determining if the communication device is in a sleep mode and in response to determining that the communication device is in the sleep mode, disabling at least one biometric sensor.

Abstract: Systems and methods may be used for providing more secure authentication attempts by implementing authentication systems with credentials that include interspersed noise symbols in positions selected, for example by a user. These systems and methods secure against eavesdroppers such as shoulder-surfers or man-in-the middle attacks as it is difficult for an eavesdropper to separate the noise symbols from legitimate credential symbols. Some systems and methods may use a subset of a credential with the interspersed noise symbols.

Abstract: Described herein are methods, systems, and software to handle verification information in a content node. In one example, a method of operating a content node includes receiving a secure content request from an end user device and determining the availability of verification information stored on the content node to service the secure content request. The method further provides, if the verification information is available, verifying the end user device based on the verification information. The method also includes, if the verification information is unavailable, querying an origin server to verify the end user device.

Abstract: A secure token (ST) system including at least one ST computing device to provision data using secure tokens over a network is provided. The ST computing device is configured to receive first customer data from a credit issuer computing device, the first customer data including at least one or more account identifiers associated with a customer and a social security number (SSN) associated with the customer. The ST computing device is also configured to hash the SSN, wherein the hashed SSN includes a hash value, assign a unique identifier to each of the one or more account identifiers, and generate a secure token by associating the hash value to each unique identifier. The ST computing device is further configured to store the secure token within the database, and transmit the secure token to at least one of the credit issuer computing device and a third party computing device.

Abstract: Tangible, non-transitory, machine-readable media include instructions that cause a processor to receive a first indication that a user is attempting to communicate with a provider, and intercept communication between the user and the provider based on the first indication being received. The instructions also cause the processor to send user information to a provider application server based on the first indication being received, and display a visual interface that establishes communication with the relevant provider department or performs a transaction based on the first indication being received. The instructions further cause the processor to receive a second indication associated with performing the action associated with the provider via the visual interface; and performing the action based on the second indication being received.

Abstract: A computer system includes an information processing system configured to authenticate a user using one of multiple login methods and a terminal configured to request the information processing system to authenticate the user. The terminal includes a processor programmed to determine a login method based on a previously-used login method and display a login screen corresponding to the determined login method.

Abstract: A system and method for routing IP-based messaging, voice and video calling, comprising detecting network parameters of a network that a device is connected to, detecting a location of the device and routing the call based on the network parameters and the location.

Abstract: A method and system for provisioning credentials is disclosed. The method includes receiving an encrypted data packet including a first passcode and credentials in encrypted form, and a second passcode. The second passcode is compared to a first passcode. If the passcodes match, then a server computer can transmit a token associated with the credentials to a service provider computer.

Abstract: A system is provided for managing booting of an OS that includes a UEFI controller comprising embedded application code instructions and a pre-loaded signed certificate, a boot process controller comprising application code instructions for the OS, pre-loaded signed certificates, and a plurality of application hash identifiers. The boot process controller receives signed communications from the UEFI controller and determines if the UEFI controller is authorized to manage the OS. The UEFI controller manages the OS in response to a positive authorization. The boot process controller determines if the UEFI controller is authorized to manage the OS in response to installation or execution of the OS. The UEFI controller receives a signed communication from the boot loader program, compares the signed communications with the plurality of application identifiers, and executes the boot loader program in response to the pre-loaded signed certificate matching an application identifier from the plurality.

Abstract: A method for real-time management of chat session data is disclosed. The method includes: receiving data from a client device via a web-based form; receiving, from the client device, a request to initiate a chat session between the client device and the computing system; in response to receiving the request to initiate the chat session, providing a chat interface for a new chat session on a display of the client device; populating a form with select data from the received data; and transmitting an encrypted version of the form via the chat interface to the client device.

Abstract: Provided herein are system, devices and methods for applying Multi-Party Computation (MPC) to authenticate a user accessing a secure resource using a plurality of computing nodes. The computing nodes, each receiving a respective one of a plurality of encrypted shares created using a plurality of keys to encrypt private data captured by a client device used by the user accessing the secure resource, engage in a secure MPC to compare between the encrypted shares and reference encrypted private data copies also encrypted using the plurality of keys without decrypting the private data since the keys are not available to the computing nodes. The computing nodes compute a match score based on the comparison and transmit it to a controller of the secure resource configured to grant or deny the client device access to the secure resource based on the match score.

Abstract: Disclosed are systems, methods, and non-transitory computer-readable media for secure authentication using puncturing. An authentication system receives an encoded obfuscated authentication credential as part of an authentication request and accesses a stored authentication credential. The authentication system performs a puncturing of the encoded obfuscated authentication credential. The resulting punctured authentication credential includes a subset of individual values from the encoded obfuscated authentication credential. The authentication determines whether the punctured encoded data input corresponds to at least a portion of the stored authentication credential. In response to determining that the punctured encoded data input corresponds to at least a portion of the stored authentication credential, the authentication system approves the authentication request.

Abstract: The current embodiments offer a method to generate, send, and authenticate users through validations codes without the need for data retention. Codes are generated each time they are sent and received based on original and identifiable inputs. They are then compared to authenticate a user. Eliminating the need for data retention or persistence removes the risks associated with keeping data on the service provider's storage as can be maliciously accessed.

Abstract: Systems and methods are disclosed for analyzing a plurality of failed login records that correspond to failed login attempts detected by a computing system, to identify suspicious patterns of activity that can facilitate the supplementation of password blacklists for improving account security. To accomplish the foregoing, failed login records that include information associated with failed login attempts are obtained for analysis. The failed login records are analyzed to identify a set of failed login records that show initial characteristics of a suspicious pattern of activity. The information included in the set of failed login records are further analyzed to determine whether a suspicious pattern of activity is actually present. When a suspicious pattern of activity is identified in the set of failed login records, the passwords used in the failed login attempts are stored in password blacklists associated with the account identifier(s) with which the passwords were used.

Abstract: Techniques are described herein for establishing two wireless networks at a premises, a dedicated network configured to be used by devices of an automation and security system of the premises and a user network configured to be used by devices associated with users. The dedicated network may be more rigorously secured than the user network. The dedicated network may be secured in such a way that computing devices associated with users are not permitted to access the dedicated network. In this manner, the dedicated network may be prevented from becoming compromised. In some examples, a contention management entity may mediate network traffic scheduling between the dedicated network and the user network. The dedicated network may be configured to give deference to traffic being communicated across the user network to maintain a quality of service for end users of the user network.

Abstract: Systems and methods are described for authenticating a user accessing a user account. A behavior event associated with a current user using the user account during a session is obtained. The behavior event comprises of keystroke events and mouse events. The obtained behavior event of the current user is compared with a behavior profile of a registered user associated with the user account. The behavior profile comprises keystroke events and mouse events associated with the registered user. The current user is authenticated during the session, when the current user is determined to be the same as the registered user based on the comparison.

Abstract: The present invention discloses a tamper-proof ERP (Enterprise Resource Planning) system against a database server administrator, and a Logbook is setup for the database server administrator on the database server level in the ERP system. A reliable Logbook is created for the database server administrator on the database server level outside an ERP Application. Additionally, the Logbook also contains the needed information to restore the SQL database completely. This solution can be realized together with selection of a suitable SQL database server which prevents full unrestricted administrator access by using a two-factor authentication, wherein a first factor is known/selectable by end user only, and a second factor is managed by the ERP Application only.

Abstract: Described herein includes a data controller that secures personal data and efficiency and reliably records data access events using blockchain. The system may include a data controller for: receiving a request to access data stored in a database on the data controller, the request including a web token; verifying the web token of the request; providing access to the data stored in the database; generating a data access event indicating that the data stored in the database has been accessed; and recording the data access event on a blockchain platform in accordance with blockchain.

Abstract: A method implemented on an augmented reality electronic device includes establishing a wireless connection with an automated teller machine (ATM). The AR electronic device is used to authenticate a user of the AR electronic device at the ATM. An initiation is permitted of a financial transaction through user interface functionality for the ATM that is displayed on the AR electronic device. Financial information for the financial transaction is displayed on a display screen of the AR electronic device, instead of displaying the financial information at the ATM.

Abstract: Method and system are provided for security credentials management for client applications. The method includes: detecting a user is entering security credentials for authentication of a client application; hashing at least a portion of the entered credentials to obtain current hashed credentials and storing the current hashed credentials; and comparing the current hashed credentials to previously stored hashed credentials for the client application. If the current hashed credentials and the previously stored hashed credentials match, the method may store the credentials for automatic completion of the credentials for the client application.

Abstract: Distributed systems and methods for encrypting data on a blockchain network are disclosed. One system comprises at least one injector coupled to a node on the blockchain, a controller coupled to the injector, and a generator coupled to the controller. The injector intercepts messages bound for the blockchain and encrypts data in the messages using encryption information received from the controller. The controller acquires encryption information from the generator, which generates encryption keys and derives encryption information from those encryption keys. The encryption information may be divided into multiple parts and distributed between a plurality of injectors. As a result, to assemble an encryption key for encrypting or decrypting data, an injector may have to cooperate with other injectors to acquire sufficient encryption information to re-assemble the encryption key.

Abstract: A method can include obtaining access code data corresponding to an access code transmitted to a user device. The method can further include monitoring the user device. The method can further include determining, based on the monitoring, that the access code is shared. The method can further include initiating, in response to the determining that the access code is shared, an invalidation of the access code.

Abstract: A user may provide a financial card to an automated teller machine (ATM) or point of sale (POS) terminal and may be authenticated by providing a gesture and/or an image selection via a mobile device to the ATM or the POS. The gesture and/or image selection may be provided using a touchscreen of the mobile device. The gesture and/or image provided by the user via the mobile device may be compared to a stored gesture and/or image provided by the user during an earlier registration of the financial card. If there is a match between the gesture and/or image provided by the user via the mobile device and the previously stored gesture and/or image, then the user is authenticated and may access an account associated with the financial card.

Abstract: A method for generating a dynamic username includes receiving a static component of a dynamic username and a selection of a dynamic parameter component of the dynamic username from a user. The static component and the selected dynamic parameter component are combined in a predetermined order, based on a user selected option. The dynamic username is produced from the combined static component and the selected dynamic parameter component based on the predetermined order. A rule for producing the dynamic username is generated. The rule defines the predetermined order of the static component and the selected dynamic parameter component. The static component and the rule are stored in a credential database with the rule being associated with the static component.

Abstract: An authentication management system receives a resource request directed to a software service, which may require password-based authentication. The system redirects the resource request to an authentication identity provider (IdP), and receives an authentication token generated by the authentication IdP. The redirecting of the resource request comprises transmission of an authentication request, which includes user identity information that can be authenticated by the IdP but does not include a password for the software service. In response to receiving the authentication token, the system causes a shadow account to be created with the software service. For password-based authentication, this may include setting a temporary, random password for the shadow account. The system is then able to generate authenticated connection information (e.g.

Abstract: Automating discovery server configuration as part of a discovery process includes determining one or more subnets selected from multiple subnets. Each of the one or more subnets selected is associated with a respective scheduled task. In response to determining the one or more subnets selected, one or more available discovery servers are identified from multiple discovery servers. The one or more discovery servers are configured based at least in part on the one or more subnets selected. In response to the automatic configuration, network discovery is initiated to perform the respective scheduled task.

Abstract: Methods, non-transitory computer readable media, and access policy manager apparatus that assists with enforcing an access control list based on one or more managed applications includes receiving a request to access a web application from an enrolled mobile device. An access control for the received request is identified based on data associated with the enrolled mobile device and a user using the enrolled mobile device. The identified access control list is enforced on the enrolled mobile device to determine when to provide access to the requested web application. Access to the requested web application is provided to the enrolled mobile device when enforced access control list comprises data to allow the enrolled mobile device access to the requested web application.

Abstract: An information handling system with improved data security has a signal detector circuit to receive a signal interrupt from a plurality of signal interrupt sources, and an authentication timer circuit that starts measuring a configured time duration based upon the received signal interrupt. A scrambler module initiates data scrambling upon completion of the configured time duration.

Abstract: A computer-implement method of processing resource exchange information includes the following steps: obtaining a data package including a user card identifier and a social network application identifier from a mobile phone; establishing a correspondence between the user card identifier and the social network application identifier and storing the correspondence in the computer system; obtaining user card data and resource exchange information from a payment terminal, wherein the user card data includes the user card identifier; performing security verification to the user card data and obtaining the corresponding social network application identifier when the security verification succeeds; processing a resource transfer request according to the social network application identifier and the resource exchange information and generating corresponding processing state information; and returning the corresponding processing state information to the payment terminal.

Abstract: In particular embodiments, a sensitive data management system is configured to remove sensitive data after a period of non-use. Credentials used to access remote systems and/or third-party systems are stored with metadata that is updated with each use of the credentials. After a period of non-use, determined based on credential metadata, the credentials are deleted. Personal data retrieved to process a consumer request is stored with metadata that is updated with each use of the personal data. After a period of non-use, determined based on personal data metadata, the personal data is deleted. The personal data is also deleted if the system determines that the process or system that caused the personal data to be retrieved is no longer in use. An encrypted version of personal data may be stored for later use in verifying proper consumer request fulfillment.

Abstract: An example operation may include one or more of creating a proposed transaction including one or more assets, transmitting the proposed transaction to a user device for authorization, receiving authorization from the user device via an asynchronous one-time password to authorize the proposed transaction, and creating a blockchain transaction including the asynchronous one-time password and content of the proposed transaction responsive to receiving the authorization.

Abstract: A method includes: training a prediction model with sample data; obtaining user information of a user as an input feature to the prediction model; predicting, using the prediction model according to a set of determination conditions, whether the user has forgotten a payment password associated with a payment application; and in response to predicting that the user has forgotten the payment password and detecting the user logging in the payment application with a login password different from the payment password, displaying a user interface for directing the user to a payment password resetting interface for resetting the payment password.