Abstract: A device determines that a data breach of an application has been reported and determines that an individual has an account with the application based on identifying an association between an application identifier and a username the individual uses to access the application. The device receives, from a user device associated with the individual, password information used to access the application. The device uses the password information and usernames for a group of applications with which the individual has accounts to perform a login procedure for the group of applications to determine that login information for one or more of the applications includes the password information used to access the application affected by the data breach. The device provides, to the user device or another device, a recommendation to change the password information used to access the application and the one or more applications.

Abstract: A security system can provide monitoring and vulnerability testing of networks within a vehicle and perform patching or take other remedial action when vulnerabilities are found. Monitoring can comprise maintaining and enforcing security policies on use of the networks of the vehicle, performing anti-virus and/or anti-malware monitoring and/or scanning on messages and use of the networks of the vehicle, monitoring in real-time for certain conditions or on certain aspects of operation of the networks, or performing one or more of a number of different types of automated vulnerability scans on the networks of the vehicle. Patching or take other remedial action can comprise, blocking access to one or more of the networks of the vehicle by an application, component, user, etc. when a threat is detected or a vulnerability is found, reporting a detected threat or vulnerability, obtaining and applying a patch or automatically taking other corrective action as needed.

Abstract: A method for authenticating to a network comprising a plurality of Internet of Things (“IoT”) devices is provided. The method may include using a mobile telephone apparatus, a wrist-worn apparatus and a head-worn apparatus to monitor the level of at least one of a wearer's pulse, body temperature, voice, gait and/or other biorhythmic indicator. One of the aforementioned apparatus may operate as a hub apparatus. The method may further include using the hub apparatus to assign a federated biometric marker based at least in part on the first, second and third biometric markers. The method may also include using artificial intelligence to monitor for one or more outliers with respect to historical monitoring. Each of the one or more outliers may include a magnitude that exceeds a security threshold difference between the current magnitude and the historically monitored magnitude.

Abstract: Provided is a process that affords out-of-band authentication based on a secure channel to a trusted execution environment on a client device. The authentication process includes one or more authentication steps in addition to verifying any credentials provided by a client device. A notification may be transmitted by a server to a device other than the client device attempting to access the asset. That device may be a mobile device with a trusted execution environment storing user credential information, and the server may store representations of those credentials. The mobile device collects user input credentials and transmits representations for matching the previously stored representations and signed data for verification by the server that received data originated from the mobile device. The access attempt by the client is granted based in part on the result of authenticating the data received from the mobile device in a response to the notification.

Abstract: A password recovery technique for access to a system includes receiving a request from a first party to recover the first party's password to access the system, receiving a selection of a second party from the first party, sending a message to the second party requesting that the second party authorize the request to recover the first party's password, receiving authorization from the second party for the request to recover the first party's password, and resetting the first party's password responsive to receiving authorization from the second party.

Abstract: Exclusive threads for multiple queues is described. A computing system adds a first event associated with a first entity to a first queue in response to receiving the first event. The computing system adds a second event associated with a second entity to a second queue in response to receiving the second event. The computing system adds a third event associated with the second entity to the second queue in response to receiving the third event. A first thread in the computing system removes the first event from the first queue, wherein any event in the first queue is removed exclusively by the first thread. The first thread processes the first event.

Abstract: A system includes hardware processors and a token exchange module configured to create a uniquely identified first digital token including an owner ID field identifying the current possessor of the digital token, associate the first digital token with digital content presented to the first user in a mixed reality environment, present the digital within the MR environment, make the first digital token available for acquisition, receive a request to acquire the first digital token, assign possession of the first digital token, via the owner ID field, to the first unique user ID of the first user based on the request to acquire the first digital token, receive a request to transfer the first digital token from the first user to the second user, the second user having a second unique user ID, and changing the owner ID field to the second unique user ID based on the request to transfer.

Abstract: Devices and methods for managing a mobile communications profile stored in a nonvolatile memory of a secure element and performed by the secure element are disclosed. The devices and methods may include operations such as reading the state of a flag stored in the nonvolatile memory of the secure element and indicating whether the profile may be deleted; determining the active or inactive state of the profile; and if the flag indicates that the profile may be deleted and if it is determined that the profile is inactive, then deleting the profile.

Abstract: Described herein are embodiments for managing policies of a mobile device. In embodiments, a mobile device receives policy containers from a plurality of disparate management agents. Each policy container has one or more policies. Each policy corresponds to a particular category that governs various aspects of the device. The policies described herein may be device wide policies corresponding to various features on the device. The policies may also be data specific policies which dictate how data is stored on and transferred to and from the device. Once the policies are received, a determination is made as to which policy in each category is the most secure policy. The most secure policy for each category is merged to create a global policy that is applied to the mobile device.

Abstract: Systems and methods for securing or encrypting data or other information arising from a user's interaction with software and/or hardware, resulting in transformation of original data into ciphertext. Generally, the ciphertext is generated using context-based keys that depend on the environment in which the original data originated and/or was accessed. The ciphertext can be stored in a user's storage device or in an enterprise database (e.g., at-rest encryption) or shared with other users (e.g., cryptographic communication). The system generally allows for secure federation across organizations, including mechanisms to ensure that the system itself and any other actor with pervasive access to the network cannot compromise the confidentially of the protected data.

Abstract: Techniques are provided for client-side security key generation. An initial request is received from an application executing on a client device. The application includes a security component includes security code. In response to the initial request, a key component is generated. The key component includes one or more parameters from which a valid security key can be generated at the client device by executing the security code. The key component is provided to the client device. A security key associated with a request from the client device to an application server is received. The security key is checked for validity. In response to determining that the security key is valid, processing of the request by the application server is caused.

Abstract: A central server configured with an Attribute Authority (“AA”) acting as a Trusted Third Party mediating service provider and using X.509-compatible PKI and PMI, VPN technology, device-side thin client applications, security hardware (HSM, Network), cloud hosting, authentication, Active Directory and other solutions. This ecosystem results in real time management of credentials, identity profiles, communication lines, and keys. It is not centrally managed, rather distributes rights to users. Using its Inviter-Invitee protocol suite, Inviters vouch for the identity of Invitees who successfully complete the protocol establishing communication lines. Users establish and respond to authorization requests and other real-time verifications pertaining to accessing each communication line (not end point) and sharing encrypted digital files.

Abstract: A system and method of managing multiple identities using a multiple identity management system includes receiving a user authentication signal from a user terminal, transmitting the user authentication signal to a first service server, the first service server matching the user authentication signal with a particular user ID associated with the first service server, receiving an authorization signal corresponding to the user authentication signal from the first service server, transmitting the authorization signal to the user terminal, receiving a request for validation of a user identification number corresponding to the authorization signal from a second service server, the second service server receiving the authorization signal transmitted via a user input from the user terminal, and transmitting the user identification number corresponding to the authorization signal to the second service server.

Abstract: A method of rendering email includes receiving with a networked computing device at least one filter criterion; receiving with the networked computing device an email message; and, responsive to a determination by the networked computing device that the email message meets the at least one filter criterion, diverting the email message from delivery to an inbox and providing an immediate display of the email message in its entirety to a user.

Abstract: An approach is provided for establishing a vendor portal configured to provide remote control and management of one or more devices of a customer by a plurality of vendors. The device can then be remotely controlled, accessed, or operated upon via the vendor portal.

Abstract: A system, method, and computer-readable storage medium configured to facilitate user purpose in a computing architecture.

Abstract: In one example, a cloud exchange comprises an interconnection platform of a network data center to configure a plurality of interconnection assets of the network data center to interconnect customer networks of a plurality of customer networks co-located in the network data center, the interconnection platform comprising: a network event unit controller configured to receive an indication of a network event of an interconnection asset of the plurality of interconnection assets; generate, in response to the network device report message, one or more network event messages based on the network event, wherein each of the network event messages includes an indication of the network event; and send the one or more network event messages to one or more customer systems for respective customer networks of the plurality of customer networks, wherein the one or more customer systems are affected by the network event.

Abstract: Certain embodiments provide means for managing automated access to computers, e.g., using SSH user keys and other kinds of trust relationships. Certain embodiments also provide for managing certificates, Kerberos credentials, and cryptographic keys. Certain embodiments provide for remediating legacy SSH key problems and for automating configuration of SSH keys, as well as for continuous monitoring.

Abstract: Techniques for dynamic selection and generation of detonation location of suspicious content with a honey network are disclosed. In some embodiments, a system for dynamic selection and generation of detonation location of suspicious content with a honey network includes a virtual machine (VM) instance manager that manages a plurality of virtual clones executed in an instrumented VM environment, in which the plurality of virtual clones executed in the instrumented VM environment correspond to the honey network that emulates a plurality of devices in an enterprise network; and an intelligent malware detonator that detonates a malware sample in at least one of the plurality of virtual clones executed in the instrumented VM environment.

Abstract: In an embodiment, a system for asserting a mobile identity to users and devices in an enterprise authentication system includes a communication interface and a processor coupled to the interface. The processor is configured to receive, via the communication interface and from a first device, a request to authenticate a user to a service using a unique identity associated with a second device. The processor is configured to determine, based at least in part on the unique identity, an identity certificate associated with the request, generate an identity assertion based at least in part on the identity certificate, and provide the identity assertion via the communication interface to a requesting node with which the request to authenticate is associated.

Abstract: Systems and methods for changing database passwords are described. A first server computing system receives an indication to perform a password change process for an administrative account of an associated database. The server generates a vault configured to store a password change status and a password secret associated with the account. The server sets the password change status to a first value to indicate that the server is performing the password change process and then performs the password change process for the account. The server then sets the password change status to a second value to enable a second server computing system to perform a second password change process for a second administrative account of a database associated with the second server system. The database associated with the second server computing system is a standby database of the database associated with the first server system.

Abstract: A system and method for monitoring operating conditions of an industrial installation system including a plurality industrial assets. A plurality of transponders or beacons is located in a facility or location, where each of the transponders defines a zone in which some of the industrial assets are located. One or more mobile devices is configured to identify assets located within one or more of the zones to provide information to a data acquisition and processing system, which monitors the operating conditions of each of the industrial assets. Each of the one or more mobile devices is authorized depending on a location within the facility, the identity of a user, or based on a time of day. Industrial assets that require support, such as maintenance or replacement, are identified. Authorized mobile devices are configured to transmit information to and to receive information from the data acquisition and processing system.

Abstract: A system that incorporates teachings of the subject disclosure may include, for example, a method for detecting, by a first device including a least one processor and a first Universal Integrated Circuit Card (UICC), a second device having a second UICC, detecting, by the first device, that the second UICC is unprovisioned, selecting, by the first device, one of a plurality of selectable options, where the selection identifies a first Mobile Network Operator (MNO) selected from a plurality of MNOs, receiving, by the first device, first credential information of the first MNO, and transmitting, by the first device, to the second device the first credential information for enabling the second device to facilitate establishment of communication services with network equipment of the first MNO according to the first credential information. Other embodiments are disclosed.

Abstract: Technologies are disclosed herein for resource tagging, grouping and associated functionality. A resource tagging service allows resource tags to be created and associated with computing resources in a service provider network. The resource tags can be utilized to search, collect, filter, organize and otherwise manage computing resources in the service provider network having matching tags, and/or to perform other types of functionality. A resource groups service allows customers and/or other users of the service provider network to view and access collections of computing resources that share common resource tags and/or other attributes. Resource groups can also be evaluated in order to identify computing resources in a service provider network for which certain types of actions or other functionality is to be performed. Membership of resource groups can also be evaluated over time and inferences can be drawn from the membership and from operational information associated with the member computing resources.

Abstract: A directional display apparatus including a directional display device that is capable of directing a displayed image into a viewing window of variable width is provided with a privacy control function. A control system detects the presence of one or more secondary viewers in addition to a primary viewer, and decides whether the one or more secondary viewers is permitted to view the displayed image. The control system directs a displayed image into a viewing window which is adjusted, for example by decreasing the width, in dependence on that detection. In addition, the control system detects relative movement between the primary viewer and the display device, and the width of the viewing window is increased in response to detection of said relative movement.

Abstract: The present disclosure relates to a platform that manages activity taken with respect to cloud-based software services. The platform manages data objects processed by software services and/or those entities that initiate processing events. The platform uses various identifiers such as, for example, a persistence identifier (PID) to track processing events. The platform implements rules and/or permissions related to the managed data objects and/or managed entities to determine whether processing events are in compliance. The platform may update database records, send alerts, send data graphs, or provide a real-time stream related to the managed data objects and/or managed entities.

Abstract: A system for providing a user with access to different services of at least one service provider in a network considering privacy and security via a user-related unique digital identifier (D-ID). The system includes: a D-ID middleware; and a D-ID-agent. The D-ID agent is at least partly run on a terminal device of a user and is configured to: generate the D-ID, at least one pseudonym for the user, and a user-defined and pseudonym-specific number of secrets; compute, using the number of secrets and a cryptographic hash function, a root value of a pseudonym-specific Merkle-tree having the secrets as its leafs; transmit the at least one pseudonym and the corresponding root value, both encrypted, to the D-ID middleware; and use a secret of the number of secrets as needed to access a desired service of the different services of the at least one service provider.

Abstract: A mobile device is provided that allows a user to generate and present a unique code/token to a service provider for customer identity validation. The service provider may use the unique code/token to retrieve or verify identity information/documents from a central depository to validate the identity of the customer to meet a Know-Your-Customer (KYC), or other identification requirements. The central depository or a central database may facilitate customer identity validation from multiple participants. Information related to proofs of customer identity may be collected and aggregated from multiple verification points and may be used to provide customer identity validation. As such, customers do not have to provide the same proofs of identity again when registering with a new service provider.

Abstract: A system includes one or more memory devices storing instructions, and one or more processors configured to execute the instructions to perform the steps of a method for providing a credentialless login for a user. The system may receive a request for credentialless login from a user of a mobile computing device. The system may then receive an authentication of a user accessing a software application running on a mobile computing device. Responsive to the receipt of the authentication, the system may generate a random one-time passcode associated with an account of the authenticated user and transmit the passcode to the mobile computing device for display to the user. The system may then receive the passcode from a second computing device and responsive to verifying the validity of the access code, grant the second computing device access to the account of the user.

Abstract: An application service system receives, from a merchant service system, an application program code comprising identifying information. The identifying information is extracted and the application is distributed for operation on a user device. A user interacts with the application, creating an access request that is transmitted to the application service system along with the extracted identifying information. The application service system transmits an access token to the user device comprising the received identifying information. The user device transmits the access token with a service request to the application service system. The application service system compares the identifying information from the access token to the identifying information extracted from the application program code received from the merchant services system. If the identifying information matches, the service request is processed.

Abstract: Systems and methods for managing provisioning of keys prior to a key rotation are provided. A license server generates a license that is associated with a renewal time. The renewal time is a time that is prior to a key rotation time, and triggers a receiver device to send a renewal request prior to the key rotation time. The renewal time may be a randomized time prior to the key rotation time that differs for different receiver devices. The license is transmitted to the receiver device. The license server then receives a renewal request from the receiver device that is triggered at the renewal time. The license server generates a next license that comprises a next key, whereby the next key is a decryption key for decrypting the encrypted signal after the key rotation time. The next license is transmitted to the receiver device prior to the key rotation time.

Abstract: An app of a mobile device registers the mobile device for a remote credential server (RCS) and receives a device token. When a credential for a remote asset is supplied on the mobile device it is routed to the RCS and stored external to the mobile device but referenced on the mobile device via an asset token. When the credential is needed, the device token and the asset token permit the RCS to authenticate and return the credential to or on behalf of the mobile device so that the mobile device can authenticate to and access the remote asset.

Abstract: An apparatus for use as a single sign on entity (100) for controlling access to one or more devices (104a-d) in a computer network, the devices accessible with a device access password; the apparatus comprises a password generator configured to generate current and future device access passwords, a back-up controller configured to store a back-up comprising the current and future device access passwords at the time of the back-up in a memory, a password changer configured to change the current device password to one of the future device access passwords and to control a transmitter to transmit data implementing the change to the device, wherein the back-up controller is configured to restore the device access password from the backed-up future device access passwords, losing the current device access password.

Abstract: A method, computer program product, and computer system for creating a dynamic directory of objects. A request to modify a dynamic directory of a plurality of objects is received. Each of the plurality of objects is associated with one or more attribute-value pairs. One or more first object attribute-value pairs is determined for a first object. The dynamic directory is searched for the one or more first object attribute-value pairs. A first attribute-value pair is identified from the one or more first object attribute-value pairs. The first attribute-value pair is different than the one or more attribute-value pairs associated with the plurality of objects. The dynamic directory is modified based on the first attribute-value pair. Modifying the dynamic directory includes at least one of adding the first object to the dynamic directory, deleting the first object from the dynamic directory, and modifying an attribute-value pair of the first object.

Abstract: A configuration management device for vendor-independent network device configuration includes a network interface unit for communicating with network devices over a communications network and a data storage unit. The network interface unit can include a unified device network interface and a device-specific driver unit, where the unified device network interface can: retrieve a device profile; to identify a network device which belongs to a network device type corresponding to the device profile; retrieve information on a device-specific configuration protocol to be used during configuration of the network device; and download values for the vendor-independent configuration parameters to the network device.

Abstract: Multiple profiles are received in association with a first user account in an asynchronous messaging system. One or more of the profiles are associated with other user accounts. The associated profiles are transmitted to user clients associated with the other user accounts for storage as a local copy. The association may include inclusion in a contact list of the first user, or a contact list of the other users. The associated profiles are transmitted when messages are sent from the first account to the other user clients, or the profiles are created or updated. A public profile may include a version identifier which is updated when the public profile is updated. Updates to local copies of the public profile at other user clients may occur only when a local copy of the associated version identifier indicates that the local profile is outdated, thereby reducing network traffic.

Abstract: The disclosed embodiments relate to a system that facilitates making a copy of a profile store while the profile store is being updated. During operation, the system retrieves profiles from a profile snapshot queue, wherein the profile snapshot queue is periodically populated by accessing each profile in the profile store, and recording a snapshot of each accessed profile in the profile snapshot queue. The system then stores the profiles retrieved from the profile snapshot queue into the copy of the profile store. Next, the system retrieves updates to profiles from a live update queue, which contains a sequential list of updates to profiles in the profile store, wherein the updates are retrieved starting with a first update that occurred after the process of sequentially accessing the profiles was commenced up to a most recent update. Finally, the system uses the retrieved updates to update corresponding profiles in the copy of the profile store.

Abstract: Technologies for depth-based user authentication include a mobile computing device to display a login image including a depth channel on a display of the mobile computing device. The mobile computing device determines a selection of a plurality of objects of the login image made by a user of the mobile computing device, generates a user-selected password based on a relative depth of each object of the plurality of objects selected by the user, and permits access to the mobile computing device in response to a determination that the user-selected password matches a device login password.

Abstract: A method and is provided for obtaining a vetted certificate for a microservice in an elastic cloud environment. The microservice receives a one-time authentication credential. The microservice utilizes the one-time authentication credential to obtain a client secret. The microservice obtains an access token and CSR (Certificate Signing Request) attributes using the client secret and constructs a CSR utilizing the CSR attributes. The microservice requests a vetted certificate from a Certificate Authority (CA) and includes the access token and the CSR in the request. If the access token and the CSR pass vetting at the CA, the CA sends a vetted certificate to the microservice.

Abstract: In accordance with embodiments of the present disclosure, an information handling system may include a processor, a directory service application comprising a program of instructions embodied in computer-readable media accessible to the processor, the directory service application configured to enumerate a plurality of management controller categories for management controllers of a plurality of information handling systems communicatively coupled to one another via a network and create a directory service device object for each of the plurality of management controller categories.

Abstract: A complex authentication method includes identifying a user based on at least one image of a face image and a fingerprint image; identifying a first pattern associated with at least one of a feature point extracted from the face image and a first input to a display of an electronic device; and performing an operation assigned to the identified user and the identified first pattern.

Abstract: A management server, a service server, and a plurality of user terminals are connected to each other via a network so as to be capable of transmitting and receiving data. The management server includes a user information storage unit that stores user identification information for identifying users belonging to a group, and an identification information notification processor that, each time a service to be provided to the users of the group is newly added, transmits the user identification information of the plurality of users belonging to the group to the service server by cryptographic communication, corresponding to the newly added service. The service server includes a service information storage unit for storing the user identification information of the plurality of users corresponding to the service, received from the identification information notification processor.

Abstract: An electronic device includes a biometric sensor, such as a fingerprint sensor, that identifies biometric input received at the biometric sensor. One or more processors operable with the biometric sensor identify one or more companion devices operating within a wireless communication radius of the electronic device. Where multiple companion devices are within the wireless communication radius, a user can make a selection of one or more of them. One or more gesture sensors identify a predefined gesture input, such as a key turn simulation. A wireless communication circuit responsive to the one or more processors, delivers an actuation credential to at least one companion device to control the companion device.

Abstract: Systems and methods for providing services are disclosed. One aspect comprises authenticating a user associated with a first service, receiving a selection of a second service, generating an opaque identifier associated with the user and the first service, wherein the opaque identifier facilitates the anonymous collection of data relating to the second service. Another aspect can comprise transmitting the opaque identifier to the second service, and receiving data relating to the second service.

Abstract: This application discloses a method implemented at a server to facilitate secure offline transactions. The server receives, from a client device, an authorization request that includes a user identifier, first financial account information and a secure code. The server authenticates the authorization request, and sends a first transaction approval to the client device. Then, in accordance with the information received in the authorization request, the server facilitates a secure transaction between the client device and a point-of-sale (POS) machine while the client device is offline. Specifically, the server receives, from the POS machine, a transaction request that includes at least the user identifier and the security code. The server retrieves the first financial account information from a memory according to the user identifier and the security code, performs a transaction operation associated with the first financial account information, and sends a second transaction approval to the POS machine.

Abstract: A method of obtaining a virtual SIM for a mobile device comprises sending, to a TTA for authentication, a request for a virtual SIM for a mobile device associated with the TTA. The authenticated request is sent from the mobile device to an NRS application (or to a combined NRS/PCSS application). The mobile device subsequently receives information identifying a PCSS application (or a combined NRS/PCSS application) in a computing environment that provides a virtual SIM for the mobile device.

Abstract: Embodiments of a mobile device and method for secure on-line sign-up and provisioning of credentials for Wi-Fi hotspots are generally described herein. In some embodiments, the mobile device may be configured to establish a transport-layer security (TLS) session with a sign-up server through a Wi-Fi Hotspot to receive a certificate of the sign-up server. When the certificate is validated, the mobile device may be configured to exchange device management messages with the sign-up server to sign-up for a Wi-Fi subscription and provisioning of credentials, and retrieve a subscription management object (MO) that includes a reference to the provisioned credentials for storage in a device management tree. The credentials are transferred/provisioned securely to the mobile device. In some embodiments, an OMA-DM protocol may be used.

Abstract: Authentication methods for recognition of a candidate person. During authentication, a previously stored enrollment image is presented on a display to a candidate person. The candidate person is instructed to present a reproduced image of the same scene and/or object to a camera while holding the camera (mobile camera for example) unsupported in free space with respect to the viewed scene or object. Alternatively the candidate person can hold the object unsupported in free space with respect the camera. Using the camera, a candidate image of the viewed scene or object is captured and presented with the previously stored enrollment image. The candidate person aligns the candidate image with the previously stored enrollment image. Upon alignment, the candidate image is verified as an authentic image of the user and the candidate person is authenticated as the user previously enrolled.

Abstract: An identification system that may be used in heterogeneous computing environments provides a fail-free path to providing identifiers from a single canonical namespace. Objects or gateways requiring an identifier for access are accessed using an identifier for the canonical namespace. If an entity requests access using an identifier from another namespace, an external database is consulted to determine if a mapping exists for the identifier to another identifier the canonical namespace. If no mapping exists, or the external database is unavailable, then an identifier is automatically generated in the canonical namespace and is used for the access. An internal database is updated with the automatically generated identifier, providing a mechanism to add mappings without administrative intervention. To access resources requiring an identifier from another particular namespace, a canonical namespace identifier may be mapped to another identifier in the particular namespace, or a generic identifier may be used.

Abstract: Provided are techniques for populating a new text index. In response to determining that a limit for indexing a set of documents to the new text index has been reached, a commit is performed, a restart key is updated to identify a next document to be indexed, and the next document is indexed in a next commit cycle.