Abstract: Embodiments are directed to establishing separate security identities for a shared service and shared service instances, and to managing shared and service instance credentials. In one scenario, a computer system establishes a shared credential for a shared service that includes multiple shared service instances, where the shared credential uniquely identifies the shared service. The computer system establishes a service instance credential for each shared service instance that uniquely identifies each shared service instance and maintains a relationship between the service instance and the shared service. The relationship provides service instance access to the shared credentials as the shared credentials are updated over time. Then, upon determining that the shared credentials have been updated and are no longer valid, the shared service instance accesses the updated shared credentials using the established relationship.

Abstract: A method for protecting a password of a computer having a non-volatile memory is disclosed. A password is stored in a non-volatile memory of a computer. The computer is then transitioned to a power saving state. In response to a detection of an unauthorized access to the non-volatile memory during the power saving state transition, a password input is requested from a user. The computer returns to a power-on state from the power saving state when there is a success in authentication of the input password.

Abstract: Provided are a method, system, and computer program product for a local authorization extension to provide access authorization for a module to access a computing system. A memory stores information on a first validity range comprising position coordinates for a module seeking to access the computing system and a second validity range comprising position coordinates for a location authorization extension for a computing system. A determination is made of a first position signal from a first receiver of the module and of a second position signal from a second receiver of the location authorization module. Determinations are made as to whether the first position signal is within the first validity range and whether the second position signal is within the second validity range. The module is granted access to the computing system in response to determining that the first position signal is within the first validity range and the second position signal is within the second validity range.

Abstract: A processing device comprises a processor coupled to a memory and is configured to receive authentication information from a user, to generate a message authentication code based at least in part on the received authentication information, to generate a credential for a particular access control interval based at least in part on the message authentication code and an intermediate value of a hash chain, and to provide the credential to a user in order to allow the user to access a protected resource in the particular access control interval. The message authentication code may be generated over a message payload that includes a password provided by the user. The credential may comprise a combination of the message authentication code and the intermediate value of the hash chain.

Abstract: A computer-implemented method for compliance with a privacy requirement. The method comprises analyzing, using one or more processors, an access log related to a history of users accessing records; deriving a plurality of roles assigned to the users and a plurality of accesses reflecting actions taken by the users; and deriving from the access log a mapped log comprising a plurality of mapping records including a plurality of mapped role-access pairs. The method further comprises generating, using the one or more processors, a reduced log including a plurality of reduced records comprising a mapped role-access pair and statistics that are associated with the mapped role-access pair, the statistics being derived from a subset of the mapping records that include the mapped role-access pair; and deriving an access policy based on the reduced log, wherein the access policy includes a plurality of proposed role-access pairs.

Abstract: A method and an apparatus are provided for operating an electronic device. The electronic device recognizes biometric data of a user that is input to the electronic device. Information related to an input error of the biometric data based on the recognition of the biometric data is presented to the user.

Abstract: One-time password (OTP) generation apparatus and method using virtual input means are provided. Reference information generated by a reference information generation unit is compared with identification information. When the reference information is identical to the identification information, a value corresponding to indication information is generated as an OTP.

Abstract: An embodiment generally relates to a method of managing tokens. The method includes detecting a presence of a token at a client and determining a status of the token. The method also includes formatting the token at the client in response to the status of the token being unformatted.

Abstract: A biometrics authentication device utilizes biometrics information and performs individual authentication enables secure modification of authorization details for an authorized agent other than the principal. A verification device verifies biometrics information registered on an IC card against biometrics information detected by a detection unit. When results in satisfactory biometrics authentication, modification of authorization details of an authorized agent, registered on the IC card, is permitted. Authorization details for an authorized agent can be securely modified on a card on which biometrics information for the principal and the authorized agent is registered.

Abstract: An authentication system by which character strings in squares are selected by a rule determined by a user out of a table in which character strings are assigned to obtain a one-time password. The user memorizes a rule of successively selecting three out of the positions of the squares in a table having five rows and five columns, for example. To each square (402) in the table (401) to be presented to the user, a randomly generated two-digit number is assigned. The table (401) is presented to the user, who arranges the numbers in the squares (402) on the basis of the user's own rule to generate a six-digit number used as a one-time password for authenticating the user. Therefore, the rule for obtaining a one-time password is easy for the user to memorize and a long one-time password can be obtained.

Abstract: Methods and systems reduce exposure to a dictionary attack while verifying whether data transmitted over a computer network is a password. In one aspect, a method includes performing a search of network traffic based, at least in part, on a weak validation using a Bloom filter based on an organizational password file, determining the existence of a password in the network traffic based only on the weak validation, and determining whether to block, alert, or quarantine the network traffic based at least in part on the existence of the password in the network traffic.

Abstract: A popularity determination module (PDM) is described which reduces the effectiveness of statistical guessing attacks. The PDM operates by receiving a password (or other secret information item) from a user. The PDM uses a model to determine whether the password is popular among a group of users. If so, the PDM may ask the user to select another password. In one implementation, the model corresponds to a probabilistic model, such a count-min sketch model. The probabilistic model provides an upper-bound assessment of a number of times that a password has been encountered. Further, the probabilistic model provides false positives (in which passwords are falsely assessed as popular) at a rate that exceeds a prescribed minimum rate. The false positives are leveraged to reduce the effectiveness of statistical guessing attacks by malicious entities.

Abstract: Methods, systems, and apparatus for voice authentication and command. In an aspect, a method comprises: receiving, by a data processing apparatus that is operating in a locked mode, audio data that encodes an utterance of a user, wherein the locked mode prevents the data processing apparatus from performing at least one action; providing, while the data processing apparatus is operating in the locked mode, the audio data to a voice biometric engine and a voice action engine; receiving, while the data processing apparatus is operating in the locked mode, an indication from the voice biometric engine that the user has been biometrically authenticated; and in response to receiving the indication, triggering the voice action engine to process a voice action that is associated with the utterance.

Abstract: A method for composing an authentication password associated with an electronic device is implemented by a password composing system including a display, a receiving unit, and a processing unit. In the method, the display is configured to display a start point, and a plurality of displayed paths. The receiving unit is configured to detect a set of user-input movements of a contact point at the display. The processing unit is configured to determine whether the user-input movements conform with a predefined valid user-input gesture, store a plurality of codes corresponding to the valid user-input gestures, and to compose the authentication password according to valid ones of the series of the user-input movements.

Abstract: A method, server and system for obtaining a licensed application is provided. In one example embodiment, the method comprises: receiving an application download request from a user of the electronic device by way of an input mechanism associated with the electronic; transmitting a download request from the electronic device to an application delivery server; receiving an application from the application delivery server at the electronic device; receiving a license key from the application delivery server; and automatically injecting the license key into the application.

Abstract: A method for secure authentication is provided which includes having a user who wishes to gain access to a computer or computer network select from among a plurality of randomly displayed images, having different background colors, the correct image and background color which correspond to the user's computer account. In one advantageous form, in addition to selecting the correct image, the user must first enter a username and password. In an alternative form, if a user is seeking access to a computer network by using a preapproved access point or computer having an approved IP address, a user is allowed to gain access to the computer network without being prompted to select a correct image.

Abstract: A method and apparatus for managing the expiration of a password. In one embodiment, the method comprises determining whether a behavior anomaly associated with an account has occurred. In response to a determination that the behavior anomaly has occurred, the method expires a password associated with the account and forces the password be changed the next time the password is presented for accessing the account.

Abstract: A technique for user identification based on a user input. As to one aspect of the technique, a device (100) comprises a pattern generator (102), a user interface (104), and a transmitter (106). The pattern generator (102) is adapted to generate a pattern (Y0, Y1, . . . , Yn). The user interface (104) is adapted to correlate the pattern and the user input. The transmitter (106) is adapted to transmit a signal (X0, X1, . . . , Xm) indicative of a result of the correlation to a receiver (108).

Abstract: A method which controls modification of passwords. An end user designates, in advance, a universe of social media contacts such as friends on social media web sites such as Facebook and LinkedIn. Contacts so identified are used as a set of potential identity verifiers. In order to enable a reset or modification of an account password, a subset of the universe is required to assert that they have verified the identity of the user requesting to reset a password. Such verification can be accomplished by varying means by those to whom an inquiry has been directed.

Abstract: Apparatus which control modification of passwords by implementing a procedure by which end user designates, in advance, a universe of social media contacts such as friends on social media web sites such as Facebook and Linkedln. Contacts so identified are used as a set of potential identity verifiers. In order to enable a reset or modification of an account password, a subset of the universe is required to assert that they have verified the identity of the user requesting to reset a password. Such verification can be accomplished by varying means by those to whom an inquiry has been directed. Te apparatus may be in the form of a computer system or a computer readable storage medium.

Abstract: The present disclosure discloses an upper-order computer, a lower-order computer, a monitoring system and a monitoring method, so as to eliminate the disadvantages of low standardization level and small scale in manually setting and adjusting performance parameters. The upper-order computer includes a central control module and an information interacting module, the information interacting module including a human-computer interacting unit, and the central control module including a processing unit, a display control unit and a parameter configuring unit, wherein the processing unit is adapted for controlling a lower-order computer by sending control commands; the display control unit is adapted for processing effective operating data acquired from the lower-order computer, and is adapted for instructing the human-computer interacting unit to perform presenting; and the parameter configuring unit is adapted for configuring parameters of the lower-order computer by sending parameter configuring commands.

Abstract: An information recording system includes a recording medium capable of limiting a function by password and an information recording device for controlling the recording medium. The recording medium stores an input password, counts updating event(s) of a password, stores the update count of the password, outputs information stored in the password related information storage according to a READ request issued from the information recording device, compares a input password with a password stored in the password register, limits a predetermined function of the recording medium according to the comparison result from the password comparator. The information recording device stores a password and a password identification ID which is associated with the update count of the password, selects a password with reference to the update count of the password and the password identification ID and outputs the selected password into the recording medium to compare the passwords.

Abstract: Systems, methods, and apparatus are disclosed for electronically sharing data using authentication variables, such as biometrics and contextual data. Example contextual data includes machine identifications (IDs) and data collected from sensors of computing devices.

Abstract: In some examples, a contents providing apparatus that provides contents to multiple devices may include a user information management unit, a contents management unit, a contents usage information management unit, and a contents usage information searching unit.

Abstract: Disclosed herein are systems, methods, and non-transitory computer-readable storage media for storing a password recovery secret on a peripheral such as a power adapter by receiving a password recovery secret at the power adapter via an interface with the computing device, and storing the password recovery secret on a memory in the power adapter. The password recovery secret can be recovered by requesting the password recovery secret from the power adapter, wherein the password recovery secret is associated with a computing device, receiving the password recovery secret from the memory of the power adapter, and recovering a password based on the password recovery secret. The power adapter can include an electrical source interface, an electronic device interface, an intermediate module to adapt electricity between the interfaces, a memory, and a memory interface through which a password recovery secret is received for storage in the memory.

Abstract: Methods and systems for disrupting password attacks using compression are described. A user password may be stored on a mobile computing device. The password may be compressed, for example, using a Huffman compression algorithm, and may be subsequently encrypted using a short secret as a key. The user password may be stored as the compressed and encrypted key. The compressed and encrypted password may be stored such that a brute force password attack, for example, using every possible short secret, would reveal too may possible matches to allow an attacker to select the real password.

Abstract: In an embodiment, a method enables authentication of devices connected to a network. The method also enables the devices to digitally sign communication on the network with private keys. When a new device is added to the network, a mobile device may be connected to the new device. The mobile device receives identification from the new device and sends the identification to an authorization server, over a public network. The mobile device also sends a request for a private key to the authorization server. The authorization server contains an inventory of the devices authorized to communicate over the network. If the identification of the new device exists in the inventory, the authorization server sends a private key to the mobile device, over the public network. The mobile device forwards the private key to the new device.

Abstract: A method to identify a child process to a parent process in an operating system includes obtaining a token and login identifier from the operating system. The parent process creates a remote procedure call communications endpoint to communicate with the child process. Thereafter, a child process is spawned by the parent process. A child-initiated request to communicate with the parent process is then received by the parent process. In order to verify the identity of the child-initiated request, the parent process impersonates the child process and receives as identifier that identifies the requestor child process. The requestor process identifier and the spawned child identifier are compared. Based on the comparison, the parent process responds to the child-initiated request. In another embodiment, process identifiers are used by the parent process to verify the identity of a child process the requests communication with the parent process.

Abstract: Techniques for secure message offloading are presented. An intermediary is transparently situated between a user's local messaging client and an external and remote messaging client. The user authenticates to the local client for access and the intermediary authenticates the user for access to the remote client using different credentials unknown to the user. Messages sent from the local client are transparently encrypted by the intermediary before being passed to the remote client and messages received from the remote client are transparently decrypted before being delivered to the local client.

Abstract: A method of validating a user, comprises the steps of:—storing for a user data representative of a validation code for the user comprising a combination of symbols selected from a set of symbols; presenting a displayed image including a plurality of designatable areas in which said set of symbols is distributed between said designatable areas such that each designatable area contains a plurality of said symbols; varying the image between subsequent presentations such that the distribution of said symbols between said designatable areas changes between subsequent presentations, validating a user in an validation routine by detecting designation by a user of a combination of said designatable areas in a presented image, and determining whether the combination of designated designatable areas contains the combination of symbols making up the validation code for said user.

Abstract: A network system for implementing a cloud platform within a network to which a device defining a computing environment for a user has access comprises an application management module, a community management module, and a user enrollment portal. The application management module enables access to an abstract application associated with a concrete application defining an implementation of the abstract application for the computing environment. The community management module manages a community comprised of a user credential and the abstract application, the community defines at least one of: a policy, a management process, and a service, under which the user can access the abstract application. The user enrollment portal supports an enrollment of the user in the community from the device and orchestrates a policy management mechanism to support an enforcement of the policy under which the user has access to the concrete application from the device.

Abstract: Systems and methods are disclosed herein for a user to use a trusted device to provide sensitive information to an identity provider via QR (Quick Response) code for the identity provider to broker a website login or to collect information for the website. A user may securely transact with the website from unsecured devices by entering sensitive information into the trusted device. The identity provider may generate the QR code for display by the website on an unsecured device. A user running an application from the identity provider on the trusted device may scan the QR code to transmit the QR code to the identity provider. The identity provider may validate the QR code and may receive credential information to authenticate the user or may collect information for the website. Advantageously, the user may perform a safe login to the website from untrusted devices using the trusted device.

Abstract: Information and data stored by a mobile device is protected by comprising applying password-protection to the locally-stored information without persistently storing the corresponding password locally. Rather, the corresponding password is stored by a remote password server. In response to a trigger event on the mobile device, such as an unlocking action by the user, a request is sent by the mobile device to the password server to retrieve the corresponding server, and the corresponding password is returned to the mobile device. The mobile device can then use the password to access the protected information. If the user determines that the mobile device is lost, stolen, or out of the user's physical control, the user may access the password server and disable the sending of the password to the mobile device, thereby thwarting attempts to access the protected data on the mobile device.

Abstract: A computing system includes a first security central processing unit (SCPU) of a system-on-a-chip (SOC), the first SCPU configured to execute functions of a first security level. The computing system also includes a second SCPU of the SOC coupled with the first SCPU and coupled with a host processor, the second SCPU configured to execute functions of a second security level less secure than the first security level, and the second SCPU executing functions not executed by the first SCPU.

Abstract: A method and system for controlling the execution of a function protected by authentication of a user and which is provided for example for the access to a resource. The method includes inputting, by the user, of personal data using an input device, authenticating the user with the input personal data for authorizing or not authorizing the execution of the function; in a secure card connected to the input device, storing limited validity authentication data dependant on the input data; when the card is connected to a processing device by which the user generates a message whose processing implements the function, using the stored data, taking into account the limited validity, to authorize or not authorize the execution of that function.

Abstract: A notebook computer includes a main body and a display device. The main body includes a first touch layer sensing a touch track of a user, a memory pre-storing an authorizing track, and a processor connected between the first touch layer and the memory. The processor compares the touch track with the authorizing track to determine if the user is authorized. The display device is jointed to be pivoted to the main body, wherein the display device is turn on when the user is authorized.

Abstract: Networked based methods for remotely locking and unlocking designated features on a user's electronic computing device (e.g. internet, games, SMS, email) while keeping other software functioning for the user to perform selected activities (e.g. quizzes). Unlocking the device may be based upon a condition, such as the user achieving an objective (e.g. answered quiz questions, received a high class grade, etc.), or the passage of time (e.g. duration of a test), or detecting the device GPS coordinates. The device may be locked/unlocked remotely via a gateway server communicating via a network with the device, or directly via a passcode utilizing a software module loaded on the device. The lock may be overridden, such as in emergency situations to allow the user to call 911 or their emergency contacts, wherein a third party is electronically notified; or, unlocked by the user with the passcode when a selected activity is successfully completed.

Abstract: A method for unlocking an electronic device detects unlocking touch operations of unlocking the electronic device on a touchscreen of the electronic device when the electronic device is locked. A number of touch points corresponding to each of the unlocking touch operations is confirm. The method further generates an input password according to the confirmed numbers of each of the unlocking touch operations and a touch sequence of the unlocking touch operations. When the input password matches an unlocking password prestored in a storage device of the electronic device, the electronic device is unlocked.

Abstract: A technique of authenticating a person involves obtaining, during a current authentication session to authenticate the person, a first authentication factor from the person and a second authentication factor from the person, at least one of the first and second authentication factors being a biometric input. The technique further involves performing an authentication operation which cross references the first authentication factor with the second authentication factor. The technique further involves outputting, as a result of the authentication operation, an authentication result signal indicating whether the authentication operation has determined the person in the current authentication session likely to be legitimate or an imposter. Such authentication, which cross references authentication factors to leverage off of their interdependency, provides stronger authentication than conventional naïve authentication.

Abstract: An administration server is capable of authenticating a user. The administration server includes a communication unit for receiving a user authentication request including user identification information and apparatus identification information from an external device; and a server control unit for authenticating the user according to the user identification information to obtain a first result. The server control unit is provided for determining a usage permitted function according to the user identification information to obtain a second result, and for determining whether an apparatus corresponding to the apparatus identification information can be used according to user identification information and the apparatus identification information to obtain a third result. The communication unit is configured to transmit the first result, the second result, and the third result to the external device.

Abstract: Methods for setting and verifying a password in a password protected device. Setting a password includes receiving a configuration password entered via a keyboard, wherein the configuration password includes position information of at least one key on the keyboard, and symbol information of at least one key on the keyboard, and storing the configuration password. Verifying a password includes receiving an entered password on the keyboard, obtaining a stored configuration password, wherein the configuration password includes position information of at least one key on the keyboard and symbol information of at least one key on the keyboard, and verifying the entered password based on the configuration password. The keyboard may be a randomly arranged keyboard. Even if nearby persons can see the selection of symbols displayed on the keys for a password, they cannot determine the real content of the password, and thus cannot access the password-protected device.

Abstract: A chip including a processor for performing a predetermined operation, a provider for providing a clock signal, with which the processor is clocked, a counter for decrementing or incrementing a count based on the clock signal, a monitor for signaling the predetermined operation to be prevented, depending on the count, and a non-volatile storage for non-volatily storing the count.

Abstract: Methods and systems for third party client authentication of a client. A method includes displaying a user interface on a display of the client, the user interface including an option to select a supported credential type of a third party authentication server, receiving a command selecting the supported credential type, and sending credential information and the selected supported credential type to an authentication server for third party authentication by the third party authentication server. The third party authentication server may support a token-based authentication protocol for implementing single sign on (SSO).

Abstract: A method and device for controlling access to a specific type of services among a plurality of type of services proposed by a service supplier. The method includes entering, into an authentication device of the user, a personal identification code specific to the user, the personal identification code being identical for at least two different types of services proposed by the service supplier; and indicating, by said user, said specific type of services for which the access is required, the indication being made in the authentication device.

Abstract: An authentication system includes an apparatus and an authentication apparatus configured to perform authentication of a user of the apparatus. The apparatus includes an identification information obtaining unit configured to obtain identification information of the user and an authentication requesting unit configured to send the obtained identification information and group information indicating a group to which the user belongs to the authentication apparatus to request authentication of the user. The authentication apparatus includes an authentication unit configured to search records of identification information associated with the group information to find matching identification information matching the obtained identification information of the user.

Abstract: A mobile device is presented including an input module for receiving a plurality of breath samples from a user and a breath analysis module for performing a chemical analysis of the plurality of breath samples, the chemical analysis involving identification and selection of a plurality of uncommon molecules and uncommon organic compounds for deriving distinguishing breath characteristics and using such breath information to create an initial chemical breath profile associated with the user. The mobile device further includes a breath authorization module for allowing or preventing access to the mobile device in response to a comparison result derived from comparing at least one subsequently created chemical breath profile with the initial chemical breath profile.

Abstract: A social CAPTCHA is presented to authenticate a member of the social network. The social CAPTCHA includes one or more challenge questions based on information available in the social network, such as the user's activities and/or connections in the social network. The social information selected for the social CAPTCHA may be determined based on affinity scores associated with the member's connections, so that the challenge question relates to information that the user is more likely to be familiar with. A degree of difficulty of challenge questions may be determined and used for selecting the CAPTCHA based on a degree of suspicion.

Abstract: A computing device receives a feature name or key name for an integrated circuit comprising a security manager core and an additional component. At least one of a) the additional component is associated with the key name or b) a feature provided by the additional component is associated with the feature name. The computing device receives a specified number of bits associated with the feature name or the key name, and maps the feature name to a feature address space or the key name to a key interface of the security manager core based at on the specified number of bits. The computing device generates at least one hardware description logic (HDL) module based on the mapping, wherein the at least one HDL module is usable to configure the security manager core for delivery of payloads associated with the feature name or the key name to the additional component.

Abstract: An image processing apparatus which is capable of realizing security improvements without degrading the usability. A user is authenticated, and an operation screen accepting an operation input from the user is displayed. A job is executed according to an instruction of the user authenticated by the user authenticating unit. It is determined whether or not the job of which execution is instructed by the user, is being executed when the user authenticating unit authenticates the user. A first operation screen through which the user inputs an instruction for the job in execution is displayed when the job executing unit is executing the job, of which execution is instructed by the user, whereas another operation screen through which another user inputs an instruction for another job is displayed when not.

Abstract: An authentication method and system to combat confirmation bias provides for an authentication system that upon matching an access request to a record for a given user in an authentication system further interrogates a set of secondary sources to determine that the individual requesting access is in fact the correct user.