Abstract: A system performs mobile biometric identification system enrollment using a known biometric. The system receives a digital representation of a first biometric for a person. Prior to using the digital representation of the first biometric to identify the person, the system compares a received digital representation of a second biometric for the person to known biometric data for the person. When the digital representation of the first biometric has been thus verified, the system is operative to identify the person using the digital representation of the first biometric.

Abstract: An authentication device includes: a wearing position determination unit that determines a wearing position, the wearing position being a position at which a wearable article comprising a sensor is being worn on a body; and an authentication unit that performs authentication by using biometric information of the body, the biometric information being detected by the sensor at the wearing position.

Abstract: A method for protected communication is provided. The method comprises defining master keys for different service domains within the scope of influence of a vehicle manufacturer generating a master key reference for the vehicle within the range of influence of the vehicle manufacturer, securely introducing one or more of the cryptographic keys derived from at least one of the defined master keys and the associated master key reference into the vehicle, and transmitting to an external server a message signed with one of the derived cryptographic keys, which is additionally provided with the master key reference and the current status of the vehicle. The method further comprises deriving the at least one cryptographic key in the external server from the master key identified by the master key reference depending on the key status of the vehicle, and checking the authenticity of the signed message with the derived cryptographic key.

Abstract: A system that uses a client's behavioral biometrics—mouse dynamics, keystrokes, and mouse click patterns—to create a Machine Learning (ML) based customized security model for each client/user to secure website log-ins. The ML model can differentiate the user of interest from an impersonator—human or non-human (robot). The model collects relevant behavioral biometric data from the client when a new account is created by the client/user on a website or when the client initially logs-in to the website. The collected biometric data are used to train an ensemble of ML-based classifiers—a Multilayer Perceptron (MLP) classifier, a Support Vector Machine (SVM) classifier, and an Adaptive Boosting (AdaBoost) classifier—in the model. The trained versions of these classifiers are polled to give an optimal prediction in real-time (while the user is logging in). As a result, real-time fraud detection can be accomplished without impacting the log-in performance of the website.

Abstract: Example implementations relate to transposed passwords. A computing device may comprise a processing resource; and a memory resource storing machine-readable instructions to cause the processing resource to: receive an entered password; generate, based on the entered password, a transposed version of the entered password; compare the transposed version of the password to a stored password; and grant access based on the comparison.

Abstract: A card includes a secure element hosting applications instances. An external interface receive, from an external card reader, an application selection command selecting one application instance from a set of one or more selectable application instances. A biometric interface is configured to acquire biometrics of a user via biometric sensor. A processor compares the acquired biometric data to reference biometric data stored in the card and set the selectable application instance set depending on the outcome of the biometric data comparison. An instance of a non-biometric application is provided in the set only in case of positive comparison. A non-biometric application is thus now biometric-secured. Personalized parameters configuring the instance of a same application may be determined based on the acquired biometrics, allowing configurations of the card to be proposed for several different users.

Abstract: There is provided a computer implemented method of authenticating a user, comprising: receiving a sequence of key-related events of a manually typed text by a user using a keyboard, extracting a plurality of sub-features from the sequence of key-related events, for each instance of a plurality of instances of a respective n-gram of a plurality of n-grams extracted from the text, computing a plurality of statistical features for each respective n-gram from the plurality of sub-features extracted for the plurality of instances of the respective n-grams, feeding the plurality of statistical features computed for each of the plurality of n-grams into a trained machine learning (ML) model, and triggering a security process when the ML model outputs an indication of non-authentication of the user.

Abstract: A method comprises an authentication agent receiving a communications protocol message from a login agent of a client attempting to login to a target system. The authentication agent determines a login metric associated with the protocol message. The login metric comprises a latency, network, and/or data entry metric. The authentication agent receives credentials associated with an authentic client of the target system and compares the login metric with a registered metric associated with the authentic client. Based on the login metric comporting with the registered metric, the authentication agent continues login processing or performs a non-comporting metric action. Another method comprises the authentication agent sending a training request to the login agent, receiving a training response, determining a login metric associated with the training response, and recording the login metric among registered metrics of an authentic client. A computing system can implement the methods.

Abstract: Techniques are provided for using tokenization in conjunction with “behind-the-wall” JWT authentication. “Behind-the-wall” JWT authentication refers to JWT authentication techniques in which the JWT stays exclusively within the private network that is controlled by the web application provider. Because the JWT stays within the private network, the security risk posed by posting the JWT in a client cookie is avoided. However, because JWT is used behind-the-wall to authenticate a user with the services requested by the user, the authentication-related overhead is significantly reduced.

Abstract: A method of facilitating the exchange of data between a user having a computing device, and a remote entity, where a first connection has been established between the user and the remote entity, and where the user has associated data exchange information with an application on the computing device, the data exchange information defining properties of the data to be exchanged between the user and the remote entity.

Abstract: The technology disclosed herein provides a proof-of-work key wrapping system that uses key fragments to cryptographically control access to data. An example method may include: encrypting a first cryptographic key to produce a wrapped key, wherein the first cryptographic key enables a computing device to access content; splitting a second cryptographic key into a plurality of key fragments, wherein the second cryptographic key is for decrypting the wrapped key; selecting a set of cryptographic attributes for deriving at least one of the plurality of key fragments, wherein the set of cryptographic attributes are selected in view of a characteristic of the computing device; and providing the wrapped key and the set of cryptographic attributes to the computing device, the set of cryptographic attributes facilitating determination of the second cryptographic key.

Abstract: A method may include transmitting, at a mobile device executing a keyboard application, a request for a user specific data value to a computing device; receiving, from the computing device, an authentication request with a challenge message; encrypting the challenge message with a private key associated with the keyboard application; transmitting the encrypted challenge message to the computing device for authentication by the computing device; receiving the user specific data value from the server based on the server successfully authenticating the encrypted challenge message; and presenting the user specific data value in the keyboard application on the mobile device.

Abstract: Methods, apparatus, systems, and articles of manufacture to deconflict malware or content remediation are disclosed. An example apparatus includes at least one processor and memory including instructions that, when executed, cause the at least one processor to at least identify data to be encoded into a token, compute a hashed string based on the data to be encoded, determine a number of characters to be included in the token, select a subset of characters from the hashed string, and generate the token using the subset of characters from the hashed string.

Abstract: Embodiments disclosed herein are related to the deauthorization of a private key associated with a decentralized identifier. While a user of a computing system is authenticated as a decentralized identifier, the system detects user input, and determines based on that user input that the private key associated with the decentralized identity is to be revoked. In response to this determination, the private key is deauthorized so that the private key cannot be used to perform actions for the decentralized identity at least until the private key is restored.

Abstract: Certain aspects of the present disclosure provide techniques for privacy-preserving execution of a workflow in a software application. Embodiments include generally includes receiving homomorphically encrypted inputs from a client device corresponding to user-provided data needed to calculate a result for a step of a workflow in the software application. A result is calculated for the step of the workflow using the received homomorphically encrypted inputs. The calculated result is returned to the client device. The calculated result is homomorphically encrypted as a result of calculating the result using the received homomorphically encrypted inputs.

Abstract: A system, apparatuses, and methods for device and network security are discussed herein. In an example, a security device for providing security to user-entered inputs includes a universal serial bus (“USB”) port configured to receive a connector of an input device and a USB connector configured to connect to a port of a user device. The apparatus also includes a processor configured to receive a string of characters from the input device that correspond to inputs made by a user into a web browser or application on the user device. The processor adds at least one security character to the string of characters to generate a watermark string, and transmits the watermark string to the user device. The processor is configured to format the at least one security character such that only the string of characters are displayed in the web browser or the application at the user device.

Abstract: A computer-implemented method is described for enabling recovery of one or more digital assets held on a blockchain by a user under a public key Pk after a corresponding private key Sk for accessing the one or more digital assets is lost. The computer implemented method comprises setting access for the one or more digital assets held on the blockchain under the public key Pk and accessible using the corresponding private key Sk of the user such that the one or more digital assets are also accessible using a private key x shared by a congress on the blockchain network, the congress comprising a group of users on the blockchain network, each member of the congress having a private key share xi, the private key share xi to be used in a threshold signature scheme in which at least a threshold of private key shares must be used to generate a valid signature through the combination of partial signatures of the congress to access the one or more digital assets on behalf of the user.

Abstract: The technology disclosed herein provides a proof-of-work key wrapping system that uses key thresholding to cryptographically control data access. An example method may include: accessing a plurality of cryptographic key shares, wherein two or more of the plurality of cryptographic key shares enable access to content; selecting, by a processing device, a set of cryptographic attributes in view of a characteristic of a computing device; encrypting the plurality of cryptographic key shares to produce a plurality of wrapped key shares, wherein at least one of the plurality of cryptographic key shares is encrypted in view of the set of cryptographic attributes; and providing a wrapped key share of the plurality of wrapped key shares and at least one of the cryptographic attributes to the computing device, wherein the at least one cryptographic attribute facilitates deriving an access key from the plurality of wrapped key shares.

Abstract: A communication adapter includes: an input unit receiving an operation for requesting transition to a setting mode; a mode setting unit setting a communication mode to the setting mode when the input unit receives the operation for requesting transition to the setting mode; a character string generation unit generating a random character string when receiving a connection start request from a terminal in the setting mode; an image generation unit converting the random character string into image data indicating an image that is difficult for a machine to recognize; an encryption processing unit encrypting transmission data to be transmitted to the terminal using the random character string as an encryption key, and decrypting reception data received from the terminal using the random character string; and a communication processing unit transmitting the image data and the encrypted transmission data to the terminal, and receiving the reception data from the terminal.

Abstract: A system and method for of temporary password management may include: obtaining, by a password management entity, a request to login a local device into an authentication authority; generating, by the password management entity, a temporary password; sending, by the password management entity, the temporary password to the authentication authority; sending, by the password management entity, the temporary password to a user device; obtaining, at the authentication authority the temporary password from the local device; comparing, by the authentication authority, the temporary password obtained from the local device with the temporary password obtained from the password management entity; and authorizing the login if a match is found.

Abstract: A near field communication device included in a secure transaction card provides an addition and/or transitional communication link for communicating secure transaction information. The near field communication device may be selectively engaged or disengaged and, when engaged, either active or passive modes of operation of the near field communication device can be selected. in the active mode, secure transaction information is transmitted upon establishment of a communication link with a complementary near field communication device. In the passive mode, secure transaction information is transmitted upon interrogation from a complementary near field communication device. Secure transaction information is generated and stored for transmission in a memory and at least a portion of the memory is erased or nulled upon transmission or upon expiration of a selected period of time.

Abstract: A method, apparatus, and computer program product are disclosed for facilitating two-way email communication in manner that obfuscates sender and recipient email addresses. The method includes receiving a correspondence request indication; assigning a first transaction address to a sender and a second transaction address to a recipient; receiving a message from the sender; associating the message from the sender with the first transaction address; and causing a transmission of the message from the sender to the recipient using the first transaction address. A corresponding apparatus and computer program product are also provided.

Abstract: There is provided a computer-implemented method for securing a transaction. The method comprises receiving or determining 193 a plurality of sub-charges associated with the transaction; and determining 195 a password to secure completion of the transaction based on the plurality of the sub-charges.

Abstract: This specification provides techniques for secure authentication. One example method includes receiving a login request from a computing device, wherein the login request includes a variable apparatus identifier (ID) associated with the computing device; in response to receiving the login request, determining that the variable apparatus ID corresponds to a user account; in response to determining that the variable apparatus ID corresponds to a user account, determining that an update of the variable apparatus ID is requested based on a timestamp included in the variable apparatus ID and a current time; in response to determining that the update of the variable apparatus ID is requested, generating an updated variable apparatus ID associated with the computing device; and transmitting an account login permission instruction and the updated variable apparatus ID to the computing device.

Abstract: The disclosed systems and techniques enable an enterprise system to store contact emails for users while avoiding storing and managing personal email addresses for the user. For example, the enterprise system may forward personal email addresses to an aliasing server configured to generate alias email addresses based on the personal email addresses. The aliasing server may operate as a “middle man” that receives emails directed to the email addresses and that forwards the emails to the personal email addresses (when appropriate). The enterprise system may store and maintain the alias email addresses in lieu of storing the personal email addresses.

Abstract: A system and method is provided to register a user; assign a primary account number (PAN) to the user; create an account; create a unique cipher with keys; link, by a trusted source of identification, the PAN to an attribute of the user and to the account; receive the keys at a user device; remove the keys; generate data by a third-party to request the user to perform a transaction; present the PAN to the third-party; receive a transaction request detail; receive the data at a transaction processor based on a unique identifier of the PAN; identify the user using the unique identifier; authenticate the user; request, by the transaction processor, the device to release a key associated with the transaction request detail; decrypt stored information; and send a response, including the decrypted stored information, from the transaction processor to the third-party, thereby identifying the user.

Abstract: The present disclosure relates generally to computer security and human-computer interaction, and, more particularly, to systems and methods for providing improved user authentication and verification techniques by way of credential-less or near credential-less user input.

Abstract: An access management system including a server is provided. The server receives, from a client device, a request to log into the server with first information specifying identifying a user that has logged into the client device and second information specifying the client device. The server authenticates the client device using the second information and accesses a service provided by an external apparatus and receive a token for accessing the service. The server associates, in memory, the first information with the received token to enable subsequent access to the service, by the server.

Abstract: A signature generation method performed by an electronic apparatus is provided. A message abstract is generated according to a to-be-signed message and eigenvalues of a plurality of signature parties, an eigenvalue of a signature party being based on a random number of the signature party. Public keys and sub signatures of the plurality of signature parties are obtained, and a sub signature of the signature party is based on the random number of the signature party, the message abstract, and private keys of the plurality of signature parties. An aggregation public key is generated according to the public keys of the plurality of signature parties, and a length of the aggregation public key is less than a length of the plurality of public keys after splicing. An aggregation signature is generated according to a sum value of the plurality of sub signatures and the message abstract.

Abstract: A management device (181) calculates, from access information transmitted from a token terminal (121) and a site seed assigned to a server (161), a user seed, and registers the user seed in the token terminal (121). The token terminal (121) obtains a share seed to be shared with the server (161) independently therefrom, calculates a key code from the share seed and the user seed, and presents the key code to the user. When the user enters the key code to an access terminal (141), the access terminal (141) transmits, to the server (161), a request having the key code specified. The server (161) obtains access information relating to the transmitted request, calculates a checkup seed from the access information and the site seed assigned to the server (161), obtains a share seed independently from the token terminal (121), calculates a checkup code from the share seed and the checkup seed, and sets a necessary condition for sign-in that is consistent between the key code and the checkup code.

Abstract: System(s), method(s), and device(s) that generate and use single-use financial account card numbers (SUFACNs) to facilitate secure processing of financial transactions are presented. A user registers a financial account(s) with a financial transaction platform (FTP), a user profile comprising user-related information is created, and a personal identification number (PIN) is associated with the user. When making a purchase locally or online, the user's portable communication device (PCD) accesses the FTP via an application or web site, the PCD synchronizes with the FTP, and the PCD and FTP each respectively generate the same SUFACN(s) based in part on time of generation and PIN. The SUFACN is presented to the seller's register component via scanning (e.g., when SUFACN is a barcode) or entering the SUFACN. The register component sends the SUFACN to the FTP, which interacts with the user's financial account(s) to facilitate payment.

Abstract: A dual-factor PIN based authentication system and method uses a cryptogram provided by a contactless card associated with the client in association with a PIN stored by the contactless card to authenticate the client. In some embodiments, cryptogram authentication may be preconditioned upon a PIN match determination by the contactless card. In other embodiments, the cryptogram may be formed at least in part using the personal identification number (PIN) stored on the contactless card encoded using a dynamic key stored by the contactless card and uniquely associated with the client. Authentication may be achieved by comparing the cryptogram formed using the PIN against an expected cryptogram generated an expected PIN and an expected dynamic key.

Abstract: A method and apparatus is disclosed for password/passcode pattern recognition based authentication on a computer virtual screen, which hides passcodes in plain view, visually camouflaged and disguised in a manner that makes them easily and quickly recognizable only to authorized passcode owners. The user proves recognition by selecting patterns of multi-character passcode fragments, in a specific order, from one or more visually challenging, constantly changing dynamic menus. Myriad selection patterns are possible involving all fragments or subsets of fragments. The invention leverages innate human pattern recognition abilities which are superior to machine computational methods. Fragment selection can involve gestures like touching, tapping, or tracing or drawing of fragment connecting paths, or navigation of spring loaded menus; selection can be also be accomplished by biometric measurement of unconscious user recognition. Passcodes can include graphics and images.

Abstract: An intelligent tracking system generally includes one or more tracking devices, some of which may be passive tracking devices. Each passive tracking device includes one or more transceivers and is energized by an energizing signal. Some of these passive tracking devices may operate in a first communication mode or a second communication mode based on the energizing signal. Some tracking devices may include encryption modules or authentication modules. Some of these devices may incorporate a bulk acoustic wave oscillator.

Abstract: The present disclosure relates generally to computer security and human-computer interaction, and, more particularly, to systems and methods for providing improved user authentication and verification techniques by way of credential-less or near credential-less user input.

Abstract: A system and method are described in which a document transaction management platform coordinates performance of trust actions across a plurality of trust service providers. For example, a method can include operations executing on a connector module in communication with a digital transaction management platform and a trust service provider, such as the following. Receiving, from the digital transaction management platform, a transaction request including a token and a requested trust action. Accessing user information for a recipient involved in the requested trust action using the token. Obtaining, from the digital transaction management platform, transaction data associated with the requested trust action. Coordinating, with the trust service provider, performance of the trust action on at least a portion of the transaction data. Transmitting, to the digital transaction management platform, a proof received from the trust service provider confirming performance of the trust action.

Abstract: A novel computerized method for authenticating a client computer is disclosed. The method for authenticating the client computer does not utilize any stored usernames, passwords, or tokens. The process stores a series of algorithmic functions on the client computer. When the user desires to login to a server computer the server computer provides multiple sets of variables to the client computer. The variables are input into the algorithmic functions. The functions generate an output. The output is sent to the server computer. The server computer utilizes the client generated output to authenticate the client device. Each time the user desires to login different variables are utilized to prevent prediction and hacking of the system.

Abstract: Examples and techniques pertaining to a security mechanism for multi-client access to a single storage device through a single controller are described. A controller receives a request from a first client of a plurality of clients to access a storage device which stores data associated with the plurality of clients. The controller determines one or more aspects with respect to the first client. The controller then performs one of a plurality of operations including: (a) granting the first client access the storage device responsive to a positive result of the determining, and (b) rejecting the request responsive to a negative result of the determining. The storage device is divided into a plurality of partitions to store respective data associated with each of the plurality of clients in one or more respective partitions of the plurality of partitions.

Abstract: Systems and techniques for bi-directional voice authentication are described herein. A first audio segment and a first description of the first audio segment may be received. An authentication token may be created using the first audio segment and the first description. An authentication request may be received from the user. The first audio segment may be transmitted to the user. A second description of the first audio segment may be received from a device of the user in response to the transmission of the first audio segment. The second description may be compared to the first description. The authentication token may be selected based on the comparison. The authentication token may be transmitted to the device. Requests of the user for secure information may be authenticated using the authentication token for a duration of an interaction session between the user and the device.

Abstract: The present invention relates to a method to authenticate a subscriber (IMSIi) within a local network (LNj) comprising preliminary step of deriving a subscriber key (SMKi) in local keys (LKi), one local key (LKiLNj) for each local network (LNj) the subscriber (IMSIi) is authorized to access, provisioning each local network (LNj) the subscriber (IMSIi) is authorized to access with its own local key (LKiLNj). When an authentication is required in a given local network (LNj), an UICC application derives a local key (LKiLNj) in the UICC application of the subscriber (IMSIi) using the network identifier (LNj), the key derivation function (KDF) and the subscriber key (SMKi) and use the derived local key (LKiLNj) in the algorithm to perform local authentication in the local network (LNj).

Abstract: A cryptographic device comprises a processor coupled to a memory and is configured to maintain an event counter characterizing a number of successful administrative accesses to the cryptographic device. The cryptographic device is further configured to receive an event-based one-time passcode for a given administrative access attempt, to compare the received event-based one-time passcode to an expected event-based one-time passcode determined as a function of a current value of the event counter, and to grant or deny the given administrative access attempt based at least in part on a result of the comparing. The cryptographic device may store an administrative seed value, with the expected event-based one-time passcode being determined as a function of the administrative seed value and the current value of the event counter.

Abstract: An apparatus into which security information is provisioned through communication with a server may include: a communication interface receiving security data from the server; and a secure component including a secure storage and a controller storing the security information in the secure storage based on the security data. The communication interface may include a presentation layer handler performing mutual authentication between the apparatus and the server according to a first encryption protocol based on unique information assigned to the secure component, and an application layer handler requesting and receiving the security data to and from the server according to a second encryption protocol.

Abstract: Disclosed herein are systems and methods allowing provider server and an analytics server to communicate confidential information but not compromise the anonymity of the customers if the data transmitted in either direction were to be intercepted or otherwise viewed by an unauthorized party, each server is configured to transmit the data records of the customers without any personally identifying information (PII) associated with the customers. The databases may “link” the data records by separately generating customer key identifiers for each unique customer having data in the one or both of the databases, according to predefined parameters and a predetermined one-way hashing algorithm. The unique customer key identifier may then be concatenated to, appended to, or otherwise associated with each data record for a particular customer that is being communicated between the servers.

Abstract: A method, apparatus, and computer program product are disclosed for facilitating two-way email communication in manner that obfuscates sender and recipient email addresses. The method includes receiving a correspondence request indication; assigning a first transaction address to a sender and a second transaction address to a recipient; receiving a message from the sender; associating the message from the sender with the first transaction address; and causing a transmission of the message from the sender to the recipient using the first transaction address. A corresponding apparatus and computer program product are also provided.

Abstract: Techniques are described for cryptographic key generation based on biometric data associated with a user. Biometric data, such as fingerprint(s) and/or heartbeat data, may be collected using one or more sensors in proximity to the user. The biometric data may be analyzed to generate a cryptographic key. In some implementations, the key may be employed by the user to access data, access certain (e.g., secure) feature(s) of an application, authenticate the user, digitally sign document(s), and/or for other purpose(s). In some implementations, the key may be re-generated for each access request or authentication instance, based on the user's fingerprint or other biometric data.

Abstract: An indication of a change to an operating mode of a device may be received. A cryptographic item stored at a memory of the device may be identified. In response to receiving the indication of the change to the operating mode of the device, the cryptographic item stored at the memory may be modified. The device may operate in the changed operating mode based on the modified cryptographic item.

Abstract: An information processing apparatus includes a touch panel and a control unit. The control unit includes a processor that executes a control program. The control unit functions as a first setting section that, when a number of character types in a password for registration is more than a predetermined number of character types, sets a number of times of password re-entry to be more than that of a case where the number of character types in the password for registration is less than or equal to the predetermined number of character types. In addition, the control unit functions as a display control section that performs display control of a display unit, and as a practice mode execution section that causes the display unit to display a password re-entry screen on which a plurality of keys are arranged for the number of times set by the first setting section.

Abstract: A device includes a processor having a trusted security zone and trusted memory communicatively coupled to the trusted security zone to form a trusted execution environment (TEE) in which trusted applications operate. The trusted memory has a common repository. The device includes memory storing instructions that cause the processor to effectuate operations. The operations include receiving, from a first trusted application of the trusted applications, a first application data and storing the first application data in the common repository. The operations include determining that a second trusted application of the trusted applications has permission to access the first application data based on a policy module of the TEE and allowing the second trusted application to access the first application data.

Abstract: It is determined whether the URL of a screen displayed by a web browser matches the URL included in a response to an obtainment request. If the URL of the screen displayed by the web browser is determined to match the URL included in the response to the obtainment request, a user currently using an information processing apparatus is a user permitted to use an autocomplete function, and the screen displayed in the web browser can be trusted, a script is loaded in the web browser and executed. The web browser carries out the autocomplete through this script.

Abstract: A CAN controller safe against a CAN-communication-based hacking attack includes each CAN controller that filters a message to be transmitted to a CAN bus. A corresponding CAN controller filters only a message having a valid transmission ID to be transmitted. The CAN controller safe includes a transmission buffer, a transmission filter unit, a protection memory and a filter value setting unit. The transmission buffer unit temporarily stores transmission data to be transmitted to a CAN bus. The transmission filter unit has message IDs allowed to be transmitted as a transmission filter, configured to search for a message ID of the transmission data in the transmission filter, and filter the transmission data. The protection memory stores one or more filter values of the transmission filter and the filter value setting unit is configured to fetch the filter value stored in the protection memory.