Abstract: According to examples, a host device may be instructed to pre-spawn a number of first host processes and a number of second host processes, in which the number of first host processes and the number of second host processes are defined in a first scaling constraint and are each greater than or equal to one. The host device may pre-spawn the second host processes in one or more computing nodes through identification of a host process of the first host processes that is unbound from a client session, termination of the identified host process, and pre-spawning of a second host process that provides a second version of the service based on the termination. The host device may also decrease the number of first host processes and increase the number of second host processes in the one or more computing nodes as defined in a second scaling constraint.

Abstract: A method of authenticating a user via a galvanic skin response on electric computing device is described. The method includes receiving a request for user authentication from a second electronic computing device. The electronic computing device measures a change in the galvanic skin response associated with the user, and the change in the galvanic skin response is indicative of the user creating a physical connection between the electronic computing device and the second electronic computing device. The electronic computing device compares the galvanic skin response to a threshold skin conductance level. When the comparison of the galvanic skin response indicates, an authentication confirmation is sent to the second electronic computing device.

Abstract: A batteryless device is disclosed. According to certain embodiments, the batteryless device may include a first communication system and a second communication system, the second communication system being a near-field-communication (NFC) system. The batteryless device may also include a power receiver coupled to the first communication system and configured to wirelessly receive power from an external device for powering the first communication system. The batteryless device may further include a controller configured to: when the first communication system is powered, establish, via the first communication system, a first wireless connection with a user device; receive, through the first wireless communication, a token from the user device; establish, via the second communication system, a second wireless connection with a terminal; and transmit, through the second wireless connection, the token to the terminal.

Abstract: A permissions management system and a method for managing permissions in a multiplatform environment. A centralized permissions management system is communicably coupled to a gateway service that receives API calls and requests for content from edge devices, such as user devices. The gateway forwards permissions requests to the centralized permissions management system that determines whether a given user identifier is permitted to access content referenced by a given content identifier. In response, the centralized permissions management system returns an authorization response that, in turn, is forwarded to an identified or determined platform which, in response, can serve content and/or service an API call.

Abstract: Examples of detecting whether a device meets an enrollment level are disclosed. In one case, a method for providing access to an application on a client device includes receiving a request to access an application from the client device, determining an enrollment level associated with the application, and determining that multi-factor authentication is required for access to the application on the client device based on the enrollment level associated with the application. The method can also include initiating multi-factor authentication on the client device before access to the application is permitted. The method can also include determining that multi-factor authentication is successful on the client device, transmitting a management component to the client device, and installing the management component on the client device for enrollment as a managed device with a management service.

Abstract: In a method of controlling account user access to transaction information for a joint account, a set of control criteria is stored in a control database. Information for a new transaction is received and stored in a transaction information database. An information limitation request to prevent access to the transaction information by a second account user for a withholding time interval is received from a first account user. An access limitation record including identification of the second account user and the withholding time interval is stored in the information control database. Upon receiving from a second account user a request for account information including the transaction information, a determination may be made as to whether the transaction information should be withheld from the second account user. Responsive to a determination that the transaction information should be withheld, a response excluding the transaction information is transmitted to the second user device.

Abstract: Devices and methods for backing up digital data on storage devices which are automatically selected on an individual basis for digital connection, data exchange and data storage on a scheduled basis and each kept digitally disconnected when not selected and connected for backup data transfer and storage. Devices and methods which backup data on one of a number of an offline storage devices by connecting a selected storage device, backup data onto an offline storage device and then disconnecting the offline storage device, in order to isolate the backed-up data and optionally allow a different storage device to be used for the next back up event.

Abstract: An application for dynamic, granular access permissions can include a database interface, a user interface, a login process, an administrator, an event handler and an authorization process. The database interface can be an interface to an access control permissions database that stores roles, actions, or policies for users of the application. The login process can authenticate a user and determine a default set of access control permissions for that user when they are using the user interface. The administrator can provide access control permissions for a user by using the database interface. The event handler can dynamically modify access to functionality in the user interface based on an event. The authorization process can determine whether a request from the user interface is authorized before process the request. The authorization process can use access control permissions from the administrator and either a scope limited or a temporally limited access permission.

Abstract: An apparatus and method for transmitting and receiving information related to multimedia data in a hybrid network and a structure thereof are provided. The transmission method includes generating transmission characteristic information about the media data, and transmitting the transmission characteristic information. The transmission characteristic information includes valid range information about the transmission characteristic information.

Abstract: A data storage device includes: a housing integrating a control logic, a data protection logic, and a non-volatile storage; and a network interface connector integrated to the housing and is configured to be directly inserted into a network switch. The control logic is configured to store a vehicle data including a video stream in the non-volatile storage. The video stream is received from a video camera that is connected to the network switch. The data protection logic is configured to detect a vehicle event and change an operating mode of the data storage device to a read-only mode prohibiting the vehicle data stored in the non-volatile storage from being erased or tampered.

Abstract: A social networking system performs account recovery for a user with the help of the user's connections (e.g., friends). The social networking system selects connections of the user based on information indicating likelihood of real-world interactions between the user and the selected connections. Access codes are sent to the selected connections and the user instructed to obtain access codes from the selected connections via a communication that is outside the social networking system, for example, via phone. The user provides the access codes obtained from the selected connections to the social networking system. If the access codes provided by the user match the access codes sent to the selected connections, the user is granted access to the account. Real-world interactions between two users are determined based on sharing of devices between the users or information indicating presence of the users in the same place during same time interval.

Abstract: A system for authentication for a user device associated with a user, said system comprising: a processing system to generate a first user interface running on a screen of said user device, said first user interface comprising one or more components, wherein said one or more components comprises a first icon, which when activated, directs a user to a second user interface to select a secret pattern, a second icon, which when activated, generates a current randomly populated keyboard, further wherein said processing system provides a current Personal Identification Number (PIN) to said user by correlating said secret pattern with the current randomly populated keyboard, and a regular keyboard for said user to enter a PIN for authentication.

Abstract: A system and method for allowing a plurality of consumers or users to be individually authenticated in a Virtual Reality (VR) environment conducted throughout a VR session accessing a gaming server that dispenses outcomes. The consumer authentications are made possible through the VR device, thereby authorizing continued access to controlled or restricted VR environments.

Abstract: Enhanced techniques for communicating with an integrated circuit chip card are disclosed. An integrated circuit chip card may include a processor, a memory storing a plurality applications executable by the processor, an input/output (I/O) interface, and a network interface coupled to the (I/O) interface. The network interface may implement a plurality of logical ports, and the network interface can be configurable to select between multiple communication protocols to communicate with an external device in a socket communication mode. The network interface can be configured to establish a plurality of communication channels between the external device the integrated circuit chip card using the plurality of logical ports, and each of the communication channels may support communication with one of the plurality of applications.

Abstract: A system, apparatus, method, and machine-readable medium are described for fast authentication. For example, one embodiment of a system comprises: a local challenge generator of a client apparatus to generate a challenge on a client device using a derivation function; an authentication engine of the client apparatus to generate a challenge response as defined by a specified challenge-response protocol; the authentication engine to transmit the challenge response to a server, and the server to validate the challenge response, at least in part, by determining whether the challenge was generated within a specified time window.

Abstract: Systems, devices, and methods for secure data management and transfer for secure data transactions are provided. For example, disclosed herein are secure & tamper resistant smart cards configured to immutably store data and securely exchange at least a portion of the data via, for example, wireless networks and/or peer-to-peer networks. The smart cards comprise a plurality of dedicated hardware circuit blocks electrically coupled via a bus interconnection, the plurality of dedicated hardware circuit blocks configured to authenticate users, verify trust amongst the smart card and external devices, and encrypt sensitive data for secure transmission.

Abstract: Systems and methods including notification techniques for sharing information related to detected dialogs on secondary computing devices associated with a user are provided. For example, a system can include a user interface (UI) monitor on a first client computing device configured to detect a dialog and send an indication of the dialog to a workspace backend. The workspace backend can facilitate communication between the first client computing device and one or more secondary computing devices associated with the user such that the user receives notifications of dialogs displayed on the first client computing device on the one or more secondary computing devices. The user has the option of responding to the dialog on a secondary computing device, and the workspace backend facilitates transmission of the user response on the secondary computing device back to the first client computing device.

Abstract: A system for granting access to an account at an access device includes a computer server having a hardware processor and a memory storing a software code. The hardware processor executes the software code to receive a login request from the access device through a first communications socket, open a second communications socket between the access device and the computer server, transmit a verification request message including a required call-to-action to a verification device through a third communications socket, and receive a verification response message verifying that the required call-to-action has been completed at the verification device. Upon receiving the verification response message, the software code sends an access token for accessing the account to the access device through the second communications socket, receives the access token from the access device, and grants the access device access to the account.

Abstract: There are provided systems and methods for biometric authentication during voice data transfers. A user may initiate voice communications with a service provider endpoint that provides automated services to the user through the voice or audio communications, such as an interactive voice response (IVR) system where a user may navigate menus through audio commands. The user may by required to authenticate their identity during the phone call or other voice data transfer, which may be done by entering a biometric, such as a fingerprint. The biometric may be converted to biometric feature data and provided to one or more token service providers. The token service providers may provide one or more tokens for the biometric, which may be used as the authentication token. This token may then be transmitted to the IVR system through the user's endpoint using a dialer feature of the endpoint.

Abstract: A robot for data logging is described as a module of a portable data transfer system for use in physically transferring very big amounts of data in secure, fast and cheap way. The data logger logs and optionally analyzes sensory and operation data by statistically correlating and combining data, events, and control data from a variety of system modules, user actions, and sensors used to track system transit, handling, operation, and events. The data logger allows forensic analysis and comparison against a mission description to identify system location, transit path, mishandling, tampering, security breaches and problems arising from environmental conditions, design problems, etc. As a result, persons or events causing problems can be identified, retrained, and rectified, and system debugging can solve problems with error in hardware and software.

Abstract: The invention relates to blockchain technologies such as the Bitcoin blockchain. The invention uses a novel technique to decompose the functionality of a blockchain transaction script into several chunks or functional parts, and to use the output of a chunk as the input of the next chunk. Advantageously, this allows the blockchain to be used for ever complex tasks and computations while minimising script size, and also provides a novel architecture for the distributed execution of computational processes.

Abstract: A method of managing a non-volatile memory includes during a data writing process, selecting, by a program triggering the data writing process, an error detection and correction code from among two codes depending on a type of information being written. The information is written into the non-volatile memory, where the information is associated with the selected error detection and correction code.

Abstract: Application-manager software authenticates a user of a client device over a channel. The authentication operation is performed using a directory service. The application-manager software presents a plurality of applications in a GUI displayed by the client device. The plurality of applications depends on the authentication, the client device, and the channel. And the plurality of applications includes a thin application and a software-as-a-service (SaaS) application. The application-manager software receives a selection as to an application from the user. If the selection is for the SaaS application, the application-manager software provisions the SaaS application. The provision includes automatically logging the user onto an account with a provider of the SaaS application using a single sign-on and connecting the user to the account so that the user can interact with the SaaS application. If the selection is for the thin application, the application manager software launches the thin application.

Abstract: Location-based validation of a wireless authentication device. A request is received by a security hardware computing device for an action requiring authentication in connection with security hardware. A security hardware location is received or accessed. A wireless authentication device location of a wireless authentication device in possession of a requester is received by security hardware computing device. The security hardware computing device receives a mobile device location for a mobile device in possession of the requester. The security hardware computing device determines whether the security hardware location, the mobile device location, and the wireless authentication device location are in a proximity. The security hardware computing device performs the action requiring authentication in connection with the security hardware.

Abstract: Provided is an unobtrusive client verification system with one verification devices having processors that are configured to receive a first request from an unverified client device, generate a random number in response to receiving the first request from the unverified client device, define a set of expressions as a browser challenge problem that evaluates to an answer specified by the random number, encrypt the answer within an answer token, provide the browser challenge problem with the answer token to the unverified client device, receive a second request with a solution to the browser challenge problem and the answer token from the unverified client device, and verify the unverified client device in response to the solution matching the answer that is decrypted from the answer token provided with the second request.

Abstract: In some examples, an embedded controller of a computing device may detect, when the computing device is in a low-power state, that a smartcard has been connected to a port of the computing device or that data has been received from an input device (e.g., keyboard or biometric input device) connected to the computing device. For the smartcard, the embedded controller may use a card driver to read data stored on the smartcard. The embedded controller may compute a hash value based on the data read from the smartcard or received from the input device. If the hash value matches a previously stored hash value, then the embedded controller may initiate a boot-up process of the computing device. If the hash value does not match the previously stored hash value, then the embedded controller may cause the computing device to remain in the low-power state.

Abstract: Disclosed are various approaches for facilitating single sign-on (SSO) for third-party services that are accessible through messages (e.g., email) received by a user. A user can receive a message that includes an embedded URL or link that opens in a third-party service that requires authentication. Instead of requiring the user to enter authentication credentials for accessing the third-party service, a tunnel service can be used to intercept requests for authentication and redirect the requests to an identity manager that can issue a SSO token following an authentication of the user and device. Upon supplying the third-party service with the SSO token, the user can access the content associated with the third-party service without entering authentication credentials.

Abstract: Providing authorization and authentication in a cloud for a user of a storage array includes: receiving, by a storage array access module from a client-side array services module, a token representing authentication of user credentials and authorized access privileges defining one or more storage array services accessible by the user, where the token is generated by a cloud-based security module upon authentication of the user credentials and identification of authorized access privileges for the user; receiving, by the storage array access module from the user, a user access request to one or more storage array services; and determining, by the storage array access module, whether to grant the user access request in dependence upon the authorized access privileges represented by the token.

Abstract: A device diagnostic web system that diagnoses a device locally connected to an information processing apparatus. In order to confirm whether or not access by the browser is to be permitted by connecting the device to the information processing apparatus via a local connection such as USB or Bluetooth, and executing a device diagnostic web application by a browser installed on this information processing apparatus, a confirmation screen for prompting a user to perform an operation of the information processing apparatus is displayed on the information processing apparatus, if the user permits the access, the device is communicatively connected to the browser to access the device and predetermined device information is acquired and diagnostic information is generated by using the acquired device information.

Abstract: Improved systems and methods of authenticating a user using a mobile device to access a secure electronic portal are provided. A user may be enabled to quickly and securely log onto a website or other electronic portal using a handheld electronic device. In certain embodiments, multifactor authentication is utilized to improve the security of the authentication process.

Abstract: According to examples, a method for upgrading a version of a service across a plurality of computing nodes may include instructing a host device to pre-spawn a number of first host processes configured to provide a first version of the service in the computing nodes and to pre-spawn a number of second host processes configured to provide a second version of the service according to a first scaling constraint in the computing nodes. The method may also include, in response to receiving an indication that each of the second host processes is operating properly in the computing nodes, instructing the host device to decrease the number of first host processes and to increase the number of second host processes in the computing nodes as defined in a second scaling constraint.

Abstract: Backup data equivalent to the maximum number of generations to be held can be secured even when backup data is locked. When locking of prohibiting overwrite of one or more storage areas is performed, a backup server prepares a new backup management table and uses the backup management table and an archive management table, which is the past backup management table, to store the backup data equivalent to the maximum number of generations to be held into a storage system.

Abstract: A physical card has a body with dynamic region(s) configured to appear opaque for human viewing in a first phase and translucent for human viewing in a second phase. The card also has a computer readable chip, a power supply configured to power the one or more dynamic regions, a communication device, one or more processors, and memory storing instructions that, when executed, are configured to cause the card to perform a method. The card may receive an authorization signal from a recognized user device associated with a cardholder, direct dynamic region(s) to transition from being opaque in the first phase to being translucent in the second phase, and direct the dynamic region(s) to transition from being translucent in the second phase to being opaque in the first phase upon hitting a predetermined time threshold in the second phase.

Abstract: A system and method for monitoring vehicle performance and updating engine control parameters, which provides a solution to the problem of tuning engine control parameters for a vehicle. The core components of the invention are an engine controller coupled to an interface device which communicates with a remote device. Generally speaking, the components are configured as follows: the engine controller receives signals from various sensors in a vehicle and the engine controller controls the engine based on engine control parameters and the signals from the sensors. The interface device monitors the engine control and sensor signals and transmits information to the remote device. The remote device receives the information and sends back updated engine control parameters. The interface device receives the updated engine control parameters and communicates with the engine controller to update the engine control parameters using the updated engine control parameters.

Abstract: Described are various embodiments of a system for monitoring a physical user presence during an authenticated user access session at an access point. In one embodiment, the system comprises a wireless digital user authentication device (UAD) operable to wirelessly establish the authenticated user access session, periodically communicate an authenticated presence code to actively maintain the session and acquire motion-related data during the session to capture a UAD departure motion representative of the user departing from the access point. The system further comprises a digital application operatively associated with the access point and operable to wirelessly establish the session with the UAD upon arrival at the access point, and periodically receive the authenticated presence code to maintain the authenticated user access session. The authenticated user session is terminated upon identifying the UAD departure motion from said the motion-related data.

Abstract: A method, of authenticating a user with a service and a server having means to enable a user to be authenticated with a service. The method having the steps of, the user requesting a session with the service on a first device. The server requesting a unique code from a host server, the host server generating the unique code, associating it with a session-identifier. The session-identifier containing information relating to the code request. The host server then sending the unique code, which does not contain the session-identifier, to the service. The server then optically presents the unique code to the user on a display of the first device. The code is then acquired by a verification application running on a second device. Optionally the first device and the second device may be the same device. The second device is previously registered with the host server. The verification application sends the unique code, and device-identifying information of the second device, to the host server.

Abstract: Disclosed are various examples for single-sign on by way of managed mobile devices. For example, an identity provider service can receive a request for an identity assertion from an email client executed in a client device. The identity provider service can then detect a platform associated with the client device. The device and the user's identity can be authenticated so that an IT administrator can specify that only authorized devices can access email using the email client.

Abstract: A computing device remote control system includes a remote-control device, a remote-control adapter that is communicatively coupled to the remote-control device, and a computing device including a computing device Universal Serial Bus (USB) connector that is connected to the remote-control adapter. A function controller in the computing device is coupled to the computing device USB connector and operates to receive a remote-control message from the remote-control device via the computing device USB connector and the remote-control adapter and, in response, change a control function state stored in the function controller, and generate and transmit an alert. A system controller in the computing device is coupled to the function controller and operates to receive the alert from the function controller and, in response, access the function controller to identify the control function state stored in the function controller, and perform at least one control operation based on the control function state.

Abstract: An apparatus and method for transmitting and receiving information related to multimedia data in a hybrid network and a structure thereof are provided. The transmission method includes generating transmission characteristic information about the media data, and transmitting the transmission characteristic information. The transmission characteristic information includes valid range information about the transmission characteristic information.

Abstract: A method for a security system includes receiving a first location and a first time period, retrieving an access control tree having nodes associated with locations and edges coupling nodes, wherein a first node represents the first location and a second node represents a building entry, traversing the access control tree from the second node to the first node to determine an ordered list of nodes and associated time periods, storing the ordered list of nodes and an identifier associated with a user, providing to a smart device a token associated with a requested access control point, when a requested node is within the first ordered list of nodes, and authorizing with the requested access control point a physical action visible to the user in response to the requested token.

Abstract: Methods, systems, and apparatus, including computer programs encoded on computer storage media, for signing digital transactions from multiple client devices using secured encrypted private keys associated with electronic accounts. One of the operations is performed by storing multiple encrypted private keys in a memory cache accessible by a primary device. Each of the stored encrypted private keys are associated with an electronic account. An electronic transaction which is associated with an electronic account is received from a secondary device. A particular encrypted private key from the stored multiple encrypted private keys is identified. The identified encrypted private key is transmitted to a decrypting service where the encrypted private key is decrypted. The electronic transaction is then digitally signed based on the unencrypted private key. Then the digitally signed electronic transaction is transmitted to the requesting secondary device.

Abstract: A method, access control system, and readers for use in an access control system are described. One example of the disclosed method providers the ability to securely augment an existing physical access control system that relies on access control tokens (e.g., credentials) with a secure mobile-based solution allowing the secure local offline exchange of a new access control token for another that can be used with the existing installed access control system.

Abstract: A computing apparatus includes a processor coupled to a memory. The memory stores a set of permission chains, and each permission chain indicates a prior process accessed a current process and the current process requested access to a next process. The processor receives a permission request including a request for an access permission to allow a first current process to access a first next process and an indication that the first current process was accessed from a first prior process. The processor searches the set of permission chains for a matching permission chain, and when the matching permission chain is not found, the processor receives an input granting or denying the requested permission, and when granted updates the set of permission chains to include the granted permission chain and returns a granted indication.

Abstract: Described embodiments provide systems and methods performing header protection. A device can receive from a client, a request relating to a first resource, for a second resource. The device can determine, using an identifier for the session, whether an address of the first resource has been previously accessed by the client during the session. The device can verify, using an address of the second resource, whether the address of the second resource is mapped to the address of the first resource for the session between the client and the device. The device can determine whether to provide access to the second resource responsive to the address of the first resource being previously accessed by the client during the session and the address of the second resource being mapped to the address of the first resource for the session.

Abstract: An apparatus for retrieving a remote media content owned by a user to a vehicle or an aircraft, includes an authorization controller for obtaining an access authorization from the user, the access authorization indicating that the authorization controller is authorized to access the remote media content; a detector for detecting whether the user is located at or in the vehicle or the aircraft and for generating a detection result; and a media content retriever for retrieving the remote media content using the access authorization when the detection result indicates that the user is located at or in the vehicle or the aircraft and for not retrieving the remote media content when the detection result indicates that the user is not located at or in the vehicle or aircraft.

Abstract: Techniques for providing secured, automatic log-in and authentication of a user to a website via a browser executing at the user's personal electronic device (PED) include generating a token based on an identifier of the PED and a user identifier, and storing the token at the user's PED for use in validating and authenticating the user and device credentials against those stored at back-end system and/or in another memory location at the device. Based on the persisted token (and optionally on a user preference), the user may be automatically logged in as the user navigates across restricted and unrestricted portions of the website, and/or to other websites (e.g., without the user's knowledge). At least these features enable automatic log-in and authentication to be performed on an as-needed basis, and/or on a per-device basis, thereby providing significantly more secure access as compared to known techniques.

Abstract: A method may include receiving, from a first application installed in an electronic device, a first request for accessing a first set of contents associated with a second application. The method may include obtaining a request time stamp and a content pointer associated with the first set of contents. The method may include placing the link information to a predetermined storage space in the electronic device. The method may include invoking the second application based on the content pointer and obtain an invoking time stamp. The method may include comparing a time interval between the request time stamp and the invoking time stamp to a predetermined time threshold. The method may include accessing the first set of contents in the second application according to the content pointer in response to a determination that the time interval is less than the predetermined time threshold.

Abstract: An apparatus to facilitate broadcast remote sealing for scalable trusted execution environment provisioning is disclosed. The apparatus includes one or more processors to: request a group status report to confirm a status of a group of trusted execution platforms from a cloud service provider (CSP) providing scalable runtime validation for on-device design rule checks; validate, by a tenant, a minimum trusted computing base (TCB) declared with the group status report; determine, based on validation of the minimum TCB, whether a set of group members of the group of trusted execution platforms satisfies security requirements of the tenant; responsive to the set of group members satisfying the security requirement, utilize a group public key to encrypt a workload of the tenant; and send the encrypted workload to the CSP for storage by the CSP and subsequent execution by an execution platform of the group using a private group key.

Abstract: An Internet of Things (IoT) network includes an orchestrator to issue service management requests, a service coordinator to identify components to participate in the service, and a component to perform a network service element. An IoT network includes an IoT device with service enumerator, contract enumerator, and join contract function. An IoT network apparatus includes permissions guide drafter for discovered peers, and permissions guide action executor. An IoT network apparatus includes floating service permissions guide drafter for discovered hosts, host hardware selector, floating service permissions guide executor, and service wallet value transferor. An IoT network apparatus includes permissions guide drafter for first and second discovered peers, parameter weight calculator, permissions guide term generator, and permissions guide action executor.

Abstract: A memory device includes a non-volatile memory block, a protection unit arranged for connecting to a communication bus, and a sequencer arranged to receive commands from the protection unit. A logic circuit is arranged to output an enabling signal, and includes first and second logic subcircuits, and a combiner logic circuit.