Abstract: A wearable device (“WD”) stores a token after its wearer completes a successful strong authentication on a primary protected device (“primary PD”). Other protected devices (“secondary PDs”) recognize the stored token as representing a strong authentication and grant the user access while the user continues to wear the WD within a “digital leash-length” proximity. The WD constantly monitors whether the user continues to wear the device. Upon sensing that the user has removed the WD, the WD deletes, disables, or invalidates the token, The user must then repeat the strong authentication to gain further access to the protected devices.

Abstract: A non-transitory computer-readable medium storing instructions readable by a mobile terminal including a memory, an input interface, a first communication interface and a second communication interface, the instructions causing the mobile terminal to perform processes comprising: a storage processing of storing workflow information including device identification information and action identification information; a specifying processing of specifying the image processing apparatus, as a designated device; an information reception processing of receiving connection information from the designated device through the first communication interface; an extraction processing of extracting the workflow information coinciding with a first condition, among the workflow information; and an execution instruction processing of transmitting execution instruction information to the designated device through the second communication interface by using the connection information, wherein the execution instruction information

Abstract: A system and method for facilitating users to obfuscate user credentials in credential responses for user authentication are disclosed. A string sequence may be presented to a user for prompting the user to input credential characters sequentially but not continuously. The string sequence may comprise a set of prompt strings containing a prompt character sequence associated with the user and a set of noise strings that do not contain the prompt character sequence. The individual prompt strings in the set of prompt strings may be composed by obfuscating the prompt sequence among noise characters. A user credential response may be received and a user provided credential may be extracted from the received user credential for user authentication.

Abstract: A method for maintaining a prepaid payment system comprises a user account that can be utilized to complete a purchase transaction with a merchant. A delayed processing window is introduced between a time when the merchant receives a payment approval notification from the payment system and a time when the payment system transmits a payment request to an issuer of a funding account associated with the user's payment system account. The payment system utilizes a user's stored value account maintained by the payment system to satisfy the requirements of a prepaid program, and therefore processes the payment request received from the merchant and transmits the payment approval notification without obtaining prior authorization from the issuer of the funding account. The payment system submits one or more payment requests for the funding transaction at a time after the completion of the purchase transaction between the user and the merchant.

Abstract: An electronic book distribution system includes electronic devices that reset their passcodes after specified authentication failures. The passcodes of an individual electronic device is reset to a value that is generated using a predefined function of a randomly generated support code. The support code is displayed to the user, and the user is instructed to contact a support service in order to obtain the new passcode. The support service independently authenticates the user, calculates the new device passcode using the same predefined function used by the electronic device, and provides the new passcode to the user.

Abstract: Aspects of the subject matter described herein relate to a simplified login for mobile devices. In aspects, on a first logon, a mobile device asks a user to enter credentials and a PIN. The credentials and PIN are sent to a server which validates user credentials. If the user credentials are valid, the server encrypts data that includes at least the user credentials and the PIN and sends the encrypted data to the mobile device. In subsequent logons, the user may logon using only the PIN. During login, the mobile device sends the PIN in conjunction with the encrypted data. The server can then decrypt the data and compare the received PIN with the decrypted PIN. If the PINs are equal, the server may grant access to a resource according to the credentials.

Abstract: The present disclosure provides methods and apparatuses for loading program data on to an unpowered electronic device, such as an RFID tag that includes volatile memory. Initially, the tag is unpowered. Thus, the volatile memory in the tag will not have any stored data. In order to load data into the memory of the tag, a reader can power the tag wirelessly. The reader includes an antenna configured to transmit electromagnetic radiation and receive backscatter electromagnetic radiation. The reader also includes a processing unit. The processing unit is configured to analyze the backscatter electromagnetic radiation. The processing unit may analyze the backscatter radiation to determine a supply voltage induced in the tag. In response to the induced voltage being greater than a threshold, the processing unit may alter the transmitted electromagnetic radiation to communicate tag data.

Abstract: An extranet includes a network which couples a plurality of non-related participants and a server coupled to the network. The server stores a plurality of applications including workgroup applicants, transaction applications, security applications and transport circuits and equipment. The server is programmed to load particular ones of the plurality of applications onto the network for use by the plurality of participants in response to a request by one of the participants for a particular application.

Abstract: Embodiments of the invention relate to methods of generating and using an image-based derived key. In various embodiments, the image-based derived key may be used to facilitate user authentication and data encryption. For some embodiments, a method is disclosed comprising determining an image-based derived key, wherein the image-based derived key is generated from a selection of authentication images chosen by a user, encrypting data using the image-based derived key, and transmitting the encrypted data.

Abstract: Methods and systems, related to a biometrically secured user input device for conducting a transaction are described. The user input device may comprise a biometric authentication device. At the biometrically secured user input device, a biometric sample may be received from a user. The biometrically secured user input device may transmit the biometric sample, provided by the user, to a host computer system. The host computer system may compare the biometric sample provided by the user to another biometric sample. Handwriting data from the user may then be received by the user input device. The handwriting data may be transmitted to a computer system by the user input device. Transaction data based on the handwriting data may be transmitted from the computer system to a host computer system. The financial transaction may be conducted using the transaction data transmitted to the host computer system from the computer system.

Abstract: Generating a seed and/or a key from live biometric indicia, such that all the information necessary for generating the seed and/or the key is not stored, is provided. A method comprises receiving and enrolling a biometric template from a user; assigning an optimization value to the enrolled biometric template; encrypting an item of test data using the optimization value, such that the optimization value is an encryption seed; storing the encrypted item of test data on the storage medium; destroying the encryption seed after encrypting the item of test data; receiving a live biometric template; comparing the templates and determining an interval based on a probability that the templates are specific to the same user; iteratively testing values within the interval to identify the value in the interval for decrypting the encrypted item of test data; and generating the key using the seed.

Abstract: A virtual universe system has a system and method for identifying spam avatars based upon the avatar's behavior characteristics through the use of Turing tests. The system may provide a Turing test unit for performing Turing tests and an analysis unit that compares the behavior characteristics of new or newly changed avatars against the behavior characteristics of known spam avatars to determine if the avatar has known spam avatar characteristics. It may further have a scoring system to calculate a spam score based upon similarities of the comparison and identifying the avatar as a spam avatar based upon the calculated spam score. It may further compare the calculated spam score with a spam score threshold wherein the avatar is identified as a spam avatar if the calculated spam score is equal to or greater than the calculated spam score.

Abstract: A system and method in a virtual universe (VU) system for identifying spam avatars based upon the avatars' multimedia characteristics may have a table that stores multimedia characteristics of known spam avatars. It further may have an analysis unit that compares the multimedia characteristics of avatars against the multimedia characteristics of known spam avatars to determine if the avatar has known spam avatar characteristics. It may further have a scoring system to calculate a spam score based upon the similarities of the comparison and identifying the avatar as a spam avatar based upon the calculated spam score. It may further compare the calculated spam score with a spam score threshold wherein the avatar is identified as a spam avatar if the calculated spam score is equal to or greater than the calculated spam score. Multimedia characteristics include graphics, audio, movement, interactivity, voice, etc.

Abstract: A client receives sensitive data to be tokenized. The client queries a token table with a portion of the sensitive data to determine if the token table includes a token mapped to the value of the portion of the sensitive data. If the mapping table does not include a token mapped to the value of the portion of the sensitive data, a candidate token is generated. The client queries a central token management system to determine if the candidate token collides with a token generated by or stored at another client. In some embodiments, the candidate token includes a value from a unique set of values assigned by the central token management system to the client, guaranteeing that the candidate token does not cause a collision. The client then tokenizes the sensitive data with the candidate token and stores the candidate token in the token table.

Abstract: A password creating device and method is provided. In this method, two keyboard layouts are employed. Each key location of each layout is mapped onto an information unit comprising a plurality of information elements. The information units are different from each other among a specific layout. The two keyboard layouts are displayed, and two series of key location selections based on the respective keyboard layouts are received to obtain two information unit sequences. The two series of information units are compared with each other in accordance with the order of occurrence of each information element, an information element shared by two corresponding information units associated with a same key location is taken as an information element selected by the user as part of his password, and a password is created by joining all of the shared information elements together in sequence.

Abstract: The invention is directed towards methods, systems and apparatuses, see FIG. 1, (100) for providing secure and private interactions. The invention provides capability for verifying the identity of a party initiating an electronic interaction with another party through data input module (140) which is verified by the identity verification module (150), which further includes a self-destruct mechanism (153). Embodiments of the invention include secure methods for conducting transactions and for limiting the transfer and distribution of personal data to only those data that are absolutely necessary for the completion of the transactions. The invention facilitates the transfer of additional personal data contingent upon an agreement that appropriately compensates the provider of the personal data.

Abstract: A device, information processing system, and control method that perform authentication to determine whether a user is an authorized user, permit both an authentication-type application program that performs user authentication and a non-authentication-type application program that does not perform user authentication to access an authentication device when an authentication result indicates that the user is an authorized user, and permit each application program to access the authentication device when an authentication result indicates that the user is an authorized user for the each application program.

Abstract: Methods and systems for managing encrypted network traffic using spoofed addresses. One example method includes receiving a request to resolve a domain name; determining that the domain name is included in a predetermined set of domain names; associating a spoofed address with the domain name; sending a response to the request to resolve the domain name including the spoofed address; receiving a secure request for a resource, the secure request directed to the spoofed address; identifying a user identity associated with the secure request; determining that the secure request is directed to the domain name based on the association between the spoofed address and the domain name; and selectively decrypting and/or blocking the secure request based at least in part on determining that the secure request is directed to the domain name and based at least in part on the user identity associated with the secure request.

Abstract: Methods for enabling pattern-based user authentication are described. During a registration phase for establishing user credentials, an end user of a computing device may select a matrix size for a matrix and select a shape of a shape size. The matrix of the matrix size may then be displayed and the shape of the shape size may be displayed such that the shape appears to overlay the matrix. The end user may move the shape over the matrix and as the shape is moved, the symbols of the matrix may be updated such that symbols arranged inside the boundary of the shape are not repeated, while one or more symbols arranged outside of the boundary of the shape are repeated. The order of symbols selected by the end user inside the boundary of the shape may be used to determine a pattern-based password.

Abstract: A method for preventing unauthorized access to and/or modification of a page of a device and/or system according to one embodiment includes presenting a question via a graphical user interface; receiving a response to the question; allowing access to and/or modification of the page when the response to the question includes the answer; and not allowing access to and/or modification of the page when the response to the question does not include the answer. An answer to the question includes a characteristic of the device and/or system.

Abstract: A method of secured passcode entry is disclosed. The method, in one embodiment, includes: receiving a request to authenticate a user; in response to receiving the request, generating a passcode entry interface that includes a plurality of buttons for the user to compose a passcode entry, each button representing a character of a set of characters, the set of characters having a natural sequence, wherein said generating includes displaying the buttons on a touchscreen of the electronic device in an arrangement that does not reflect the natural sequence of the set of characters; detecting a touch event, represented as a coordinate on the touchscreen, interacting with the touchscreen while the passcode entry interface is displayed, wherein the touch event is indicative of at least a portion of a passcode entry by the user; and verifying an authenticity of the passcode entry based at least partly on the touch event.

Abstract: We propose a method that uses formatting options of Font, Font Size, Font Color, Shading, Font Style, Font Effects, Font Underline, Character Effects, Picture coloring, as a part of user passwords, credentials, electronic signature, challenge for user authentication and captcha verification. User personalizes user name and or password or text by choosing combination of proposed factors for each character or word in password. Method includes optional time range where user would have different password and factor combinations for each time range. We also propose a method to use these factors for multi-factor authentication where user is required to format given text as per remotely sent instructions. We propose variation of proposed method that would send text and the instruction to format it using different factors through separate communication channels. For user verification, our method asks user to format the given text or given picture as instructed using different formatting options.

Abstract: The present disclosure provides a more accurate and secure for verification of presence which comprises: reading an identifier which is associated with a location from a NFC tag fixedly coupled to a location by a NFC-enabled device; verifying the received identifier against an identifier database to verify the location corresponding to the received identifier; generating a query based on the verified location to solicit a user input entered by a user in charge of the location; receiving the user input by the NFC-enabled device; recording a check-in time according to the time of reading the identifier; and recording a check-out time according to the time of receiving the user input.

Abstract: A motion-based authentication method is operative in a mobile computing device having a display interface and that includes an accelerometer. Normally, the device software includes a locking mechanism that automatically locks the display interface after a configurable timeout. The authentication method operates to un-lock the display interface (and thus allow the user access to the device) by movement of the device in a predetermined series of physical movements and without display-based entry of a password or other access code on the display itself. In this manner, the user can un-lock the device without display-based entry of a password (on the display itself) by simply holding the device and performing the necessary movement(s) to generate the unique code.

Abstract: An apparatus, system, and method are disclosed for context-sensitive password generation. The inspection module may accept entry of at least a new portion of a password by a user into a security mechanism and determine a dynamic parameter candidate within the password. The analysis module may recommend to the user a context-sensitive interpretation of the dynamic parameter candidate. The confirmation module may receive a selection by the user of the context-sensitive interpretation.

Abstract: A computer server receives a login request message sent by a remote terminal to access a user account. If the message includes a first login key, the server then generates a second login key and executes a user account login process after confirming that the second login key corresponds to the first login key. If the message includes no login key, the server generates a verification code and returns the verification code to the remote terminal. The remote terminal then prompts a user to return the verification code to the computer server in a predefined format. If the returned verification code corresponds to the server-generated verification code, the server then executes the user account login process. The server also generates a third login key and returns the third login key to the remote terminal. The remote terminal then stores a correspondence relationship between the username and the third login key.

Abstract: A system and an apparatus (41) for reliably authenticating an appliance (42) involves a challenge message (C) being linked to the examination apparatus (40) by an examiner context information item (K). It is therefore more difficult for an attacker to feign an identity of an appliance. The application can be used in authentication scenarios, particularly in telecommunication, in which sensitive messages are interchanged.

Abstract: Disclosed herein is a human verification system, method and architecture, which make use of sensing components built into a user's computing device, or otherwise coupled to the user's device, to receive a response to a challenge-response verification test, which may comprise a pattern-based and/or an image-based challenge-response.

Abstract: Methods and credential systems for use in controlling access to a computer system are disclosed. One example method includes receiving a request for a temporary single-factor credential associated with a user account, modifying the user account to allow single-factor authentication to permit access to the computer system, issuing the temporary single-factor credential, wherein the password includes a lifetime, disabling the temporary single-factor credential, when the lifetime ends, such that access to the computer system via the temporary single-factor credential is terminated, and modifying the user account associated to require multi-factor authentication for access to the computer system.

Abstract: A method and system for authenticating an account holder using multi-factor authentication. An account holder is associated with a token device configured to supply the account holder with a dynamic password. The dynamic password has a current value that is synchronously stored at an aggregator service and at the token device. The dynamic password is changed periodically. The aggregator service also associates the account holder with at least one account maintained by the account providers. The aggregator service receives an authorization request from either the user or from one of the account providers. The aggregator service performs an authorization operation for determining if a proffered dynamic password submitted by the user during an attempt to login matches the current value of the dynamic password stored at the aggregator service.

Abstract: A password recovery technique for access to a system includes receiving a request from a first party to recover the first party's password to access the system, receiving a selection of a second party from the first party, sending a message to the second party requesting that the second party authorize the request to recover the first party's password, receiving authorization from the second party for the request to recover the first party's password, and resetting the first party's password responsive to receiving authorization from the second party.

Abstract: An apparatus, program product, and method are disclosed for receiving a password entered by a user, the password not conforming to one or more requirements of a password policy, manipulating the password to create one or more compliant passwords conforming to the one or more requirements of the password policy, and presenting a list of the one or more compliant passwords to the user wherein a compliant password is selectable by the user.

Abstract: A customer initiated password reset system resets user passwords on a variety of network entities, such as internal systems, allowing simultaneous reset with a minimum number of user specified passwords that nonetheless satisfy the password specifications of these internal systems. Thereby, the user avoids the tedium of logging into each of these systems, changing their password, logging out, etc., for each system with the likelihood of creating unique passwords for each system that have to be remembered. By further incorporating a score metric based upon how many character sets are touched, a required degree of complexity can be measured and enforced against the password specifications. Advantageously, a table-based approach to enforcing password reset against the multiple password specifications facilitates making and fielding updates.

Abstract: Methods for the authentication of a web site. A dynamic identification string and a one-time password are calculated by a device. The dynamic identification string is sent to a service provider, such as a certification service server associated with the web site. In response, the server computes a one-time password. The device computed one-time password can then be compared to the server computed one-time password in order to authenticate the web site.

Abstract: A non-transitory computer-readable storage medium includes instructions stored thereon. When executed by at least one processor, the instructions may be configured to cause a computing system to at least generate a graphical user interface (GUI), receive selections of characters and directional input, and compare the selections of the characters and the directional input to a stored passcode combination. The GUI may include at least one face and a plurality of buttons inside the at least one face. At least some of the plurality of buttons may include characters in a random or pseudorandom sequence. The GUI may be configured to receive selections of the characters and directional input to the at least one face.

Abstract: An authorization system and associated method for selectively authorizing a host system to use one or more items of protected information associated with the host system. The authorization system includes a portable authorization device that is removably couplable to the host system. The portable authorization device is capable of receiving and storing multiple items of authorization information associated with a plurality of respective items of protected information from one or more information authorities. Preferably, the portable authorization device is capable of communicating with multiple types of information authorities. The portable authorization device selectively authorizes the host system to use the one or more respective items of protected information based upon the respective authorization information stored therein.

Abstract: This invention is a method and system for tokenless biometric authorization of an electronic communication, using a biometric sample, a master electronic identicator, and a public communications network, wherein the method includes: an electronic communication formation step, wherein at least one communication comprising electronic data is formed; a user registration step, wherein a user electronically submits a registration biometric sample taken directly from the person of the user; a public network data transmittal step, wherein the registration biometric sample is electronically transmitted to a master electronic identicator via a public communications network, said master electronic identicator comprising a computer database which electronically stores all of the registration biometric samples from all of the registered users; a user registration biometric storage step, wherein the registration biometric sample is electronically stored within the master electronic identicator; a bid biometric transmittal

Abstract: Methods, systems, and devices are described for providing mobile device transaction approvals utilizing multiple forms of tender. An identifier of a mobile device and a request for a transaction authorization may be transmitted from a mobile device and received at a payment authority system. The payment authority system may generate a payment code for transmission to the mobile device. The payment code may be provided to a point of sale (POS) system. The POS system may transmit a transaction amount, an identifier of a merchant, and the payment code to the payment authority system. A number of forms of tender may be applied to the transaction amount. The payment authority system may generate a unified approval code applying the multiple forms of tender to the transaction. The unified approval code may be transmitted to the POS system and applied to a transaction.

Abstract: There is provided an information processing apparatus including a non-contact communication section that performs non-contact communication with a communication device which stores at least two pieces of software outputting information necessary for enjoying a predetermined service provided by a server, an obtaining section that obtains connection target information for connecting to the server and identification information indicating the software corresponding to the connection target information, and a control section that performs control of, via the non-contact communication section, issuing an instruction to the communication device to execute the software indicated by the identification information, obtaining an execution result of the software executed in accordance with the instruction, and transmitting the execution result to the server.

Abstract: The present invention describes a method for authenticating a user of a mobile device by a verification authority, by making use of at least a personal identification number (PIN) and at least one cryptographic key, such that the PIN and the cryptographic key is known only to the user and the verification authority. The cryptographic key has at least one session key. Firstly, the user encodes the PIN by using at least one session key and then transfers the encoded PIN to a predefined address of the verification authority via the mobile device. Next, the verification authority decodes the PIN by using the cryptographic key authenticates the user if the decoded PIN matches a PIN stored corresponding to the user.

Abstract: A method of identifying a user as an authorized user from free test text typed by that user into an input device. From the received test text, features associated with the typed text are extracted, such as timing data associated with alphanumeric letter pairs. These extracted features are compared to previously stored series of authorized user profiles, where the authorized user profiles were generated from a trial typing sample of alphanumeric data from each associated authorized user. The comparison identifies one of the authorized users with the user, and a score is derived to measure the strength of the comparison. If the score exceeds a threshold level, the user is identified as that authorized user.

Abstract: A method comprises establishing a network connection between the first processing device and the second processing device for transfer of data associated with a software authenticator from the first processing device to the second processing device, encrypting the software authenticator data with encryption that is separate from encryption used for the network connection, and transferring the encrypted software authenticator data from the first processing device to the second processing device.

Abstract: A method and an apparatus for generating a security token carrier, which belong to the field of data security, are disclosed. The method may include: generating multiple pieces of token information, establishing a relation which associates the token information with location information of a pre-set interactive security token carrier; obtaining security data which is set by a user for protecting the interactive security token carrier; and generating the interactive security token carrier by using the token information, the relation, the security data and public information of the interactive security token carrier. The apparatus may include: a token information processing module, a security data obtaining module and an interactive security token carrier generating module.

Abstract: A system and method for generating a One Time Password (OTP) based upon a value TEC that can change based both upon the occurrence of an event and the passage of time. The OTP can be computed at a token and sent to a verifier. The verifier stores exact or estimated parameters necessary to compute one or more expected OTPs from the token, including TEC. The value TEC can be synchronized between the token and the verifier.

Abstract: A method for accessing e-mail messages from a control system includes requesting access to e-mail message contents of a user stored in the control system, determining whether the user is enrolled in and activated by the control system, and authenticating the user when the user is enrolled in and activated by the control system. Moreover, the method includes permitting the user to view a list of e-mail messages when the user is successfully authenticated. The e-mail messages included in the list are associated with the user. Furthermore, the method includes permitting the user to access the contents of e-mail messages in the list having a security level equal to or less than a security level associated with the successful authentication.

Abstract: A personal digital ID device provides a digital identifier to a service for a predetermined duration in response to user interaction. The user interaction may include a button press. The personal digital ID device may be in the form of a bracelet, a key fob, or other form factor. The service may be provided by a mobile device, in the cloud, or elsewhere.

Abstract: Improved techniques involve flagging anomalous behavior in a current session when there is sufficient difference between an observed distribution of Markov events in the current session and an observed distribution of Markov events in a global session. Here, “Markov events” refer to events such as web page transitions and web page addresses. During a user session, a testing server generates a frequency distribution of a set of Markov events of the user session. The testing server also obtains a frequency distribution of previously observed Markov events of a global session, i.e., sets of sessions of previous user sessions or training sessions. The testing server then computes an anomaly statistic depending on the Markov events that indicates a difference between the user session and the global session. The testing server may produce an alert if the anomaly statistic differs significantly from some nominal value.

Abstract: A system, apparatus, method, and machine readable medium are described for transparently requesting a new random challenge from a server within an authentication framework. For example, one embodiment of a method comprises: transmitting a random challenge and an indication of a timeout period associated with the random challenge from a server to a client within the context of a network registration or authentication process using authentication devices communicatively coupled to the client; automatically detecting that the random challenge is no longer valid based on the timeout period; and responsively transmitting a request for a new random challenge from the client to a server, wherein transmitting is performed transparently to a user of the client.

Abstract: An RFID reader comprises a memory having a first data for identifying the reader and a second data associated with the first data stored therein; a communication interface; and a microcontroller unit. The microcontroller unit is configured to transmit the first data via the communication interface; receive a first request for transmitting the second data; transmit the second data via the communication interface; receive a third data via the communication interface; overwrite the second data stored in the memory with third data.

Abstract: This disclosure is directed to, in part, determining an expiration of a password or other security data based on a measured complexity of the password or the security data. A user may enter a password to be associated with an account or a resource (e.g., a login for a user account, etc.). The password may be analyzed to determine an entropy value of the password, which is a measure of complexity of the password. A password manager may then determine an expiration of the password based on the entropy value of the password. Thus, a more complex password may be assigned an expiration date that is longer than an expiration date assigned to a less complex password. In some aspects, the expiration date may be dynamically updated as a user continues to enter inputs for a new password.